
[Trace SDK] OTLP Trace Exporter secure connection configuration options

Open marcalff opened this issue 2 years ago • 4 comments

Greetings,

In the spec, for the OpenTelemetry Protocol Exporter configuration options:

https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/protocol/exporter.md#specifying-headers-via-environment-variables

The spec says:

The following configuration options MUST be available to configure the OTLP exporter. Each configuration option MUST be overridable by a signal specific option.

(...)

(1) Certificate File:

Env vars: OTEL_EXPORTER_OTLP_CERTIFICATE OTEL_EXPORTER_OTLP_TRACES_CERTIFICATE ...

(2) Client key file:

Env vars: OTEL_EXPORTER_OTLP_CLIENT_KEY OTEL_EXPORTER_OTLP_TRACES_CLIENT_KEY ...

(3) Client certificate file:

Env vars: OTEL_EXPORTER_OTLP_CLIENT_CERTIFICATE OTEL_EXPORTER_OTLP_TRACES_CLIENT_CERTIFICATE ...

Currently, opentelemetry-cpp supports the following environment variables:

  • OTEL_EXPORTER_OTLP_CERTIFICATE
  • OTEL_EXPORTER_OTLP_TRACES_CERTIFICATE

which covers (1), per the spec.

  • OTEL_EXPORTER_OTLP_CERTIFICATE_STRING
  • OTEL_EXPORTER_OTLP_TRACES_CERTIFICATE_STRING

which covers (1), in addition to the spec (great).

Implementation for (2) and (3) appear to be missing.

Also, secure connection options are only used for the OtlpGrpcExporter.

Should the OtlpHttpExporter honor the same variables as well?

Currently there are no security options in OtlpHttpExporterOptions.

My understanding from the spec is that secure options apply to the OTLP exporter in general: that is, to both OTLP/gRPC and OTLP/HTTP endpoints.

Regards.

marcalff avatar May 17 '22 14:05 marcalff

Implementation for (2) and (3) appear to be missing.

Client authentication is missing. There is an open issue for that - #389, and some work done in #938.

Should the OtlpHttpExporter honor the same variables as well ?

Yes, security options should be there for both gRPC and HTTP.

lalitb avatar May 17 '22 18:05 lalitb

Thanks @lalitb for the clarifications. Sorry I missed the existing issues.

marcalff avatar May 17 '22 20:05 marcalff

No problem. We can use this issue to track supporting secure options for OtlpHttpExporter.

lalitb avatar May 18 '22 19:05 lalitb

This issue was marked as stale due to lack of activity.

github-actions[bot] avatar Jul 18 '22 02:07 github-actions[bot]

Otlp grpc exporter is also missing default options for SSL: https://grpc.io/docs/guides/auth/#using-client-side-ssltls

// Create a default SSL ChannelCredentials object.
auto channel_creds = grpc::SslCredentials(grpc::SslCredentialsOptions());

Update: According to this: https://github.com/grpc/grpc/issues/25829#issuecomment-1166067743 certificate needs to be given explicitly.

rgc183 avatar Nov 08 '22 09:11 rgc183
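
The override rule quoted in the issue (a traces-specific variable wins over the generic one) for options (1) to (3), as an added sketch that is not opentelemetry-cpp code and not from any commenter. `OtlpTlsFiles`, `ResolveTraceTlsFiles`, `env` and `resolve` are hypothetical names, and rejecting a key without its certificate is an assumption of this example, not something the spec text above states.

```cpp
// Added example (not project code): resolve the three OTLP TLS file options
// for the traces signal from the environment.
#include <cstdlib>
#include <iostream>
#include <stdexcept>
#include <string>

// Hypothetical holder; an empty string means "not configured". Comments name
// the grpc::SslCredentialsOptions field each file's contents would feed.
struct OtlpTlsFiles {
  std::string ca_cert;      // (1) -> pem_root_certs
  std::string client_key;   // (2) -> pem_private_key
  std::string client_cert;  // (3) -> pem_cert_chain
  bool mutual_tls() const { return !client_key.empty() && !client_cert.empty(); }
};

// Value of `name`; unset and empty are treated alike.
static std::string env(const std::string &name) {
  const char *v = std::getenv(name.c_str());
  return v ? std::string(v) : std::string();
}

// Signal-specific option first, generic option as fallback.
static std::string resolve(const std::string &suffix) {
  std::string v = env("OTEL_EXPORTER_OTLP_TRACES_" + suffix);
  return v.empty() ? env("OTEL_EXPORTER_OTLP_" + suffix) : v;
}

OtlpTlsFiles ResolveTraceTlsFiles() {
  OtlpTlsFiles f;
  f.ca_cert = resolve("CERTIFICATE");
  f.client_key = resolve("CLIENT_KEY");
  f.client_cert = resolve("CLIENT_CERTIFICATE");
  // Assumption of this sketch: a key without its certificate (or the reverse)
  // cannot authenticate the client, so fail at startup rather than export
  // without the client identity the operator intended.
  if (f.client_key.empty() != f.client_cert.empty())
    throw std::invalid_argument("client key and client certificate must be set together");
  return f;
}

int main() {
  try {
    OtlpTlsFiles f = ResolveTraceTlsFiles();
    std::cout << "CA file: " << (f.ca_cert.empty() ? "(none)" : f.ca_cert)
              << ", mTLS: " << (f.mutual_tls() ? "yes" : "no") << "\n";
  } catch (const std::invalid_argument &e) {
    std::cerr << "TLS configuration error: " << e.what() << "\n";
    return 1;
  }
  return 0;
}
```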