opentelemetry-dotnet
Add OTLP Exporter TLS/mTLS configuration options
The OTLP exporter (both HTTP and gRPC) needs to support the following configuration options from the spec:
- Certificate file
- Client key file
- Client certificate file
See: https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/protocol/exporter.md#configuration-options
I don't think just being able to specify the cert path is good enough. I want to control how the cert validation is done and ideally I might want to control the underlying HttpClient as well. I would think this integration would wire up to DI for the GrpcChannel to pick up the HttpClient just like the HTTP side of the otlp exporter already does.
Hi @cijothomas and @alanwest, Is there any progress on this?
Hi, we also have a use case where we need to use mTLS with OTLP, and thus need to set client certificate. Right now it's not possible to do it with GRPC.
I've made a CR to make HttpClientFactory work with GRPC also: https://github.com/open-telemetry/opentelemetry-dotnet/pull/4625 .
The only issue that I see is that this change will not have an effect on netstandard2.0 (and other .NET Framework targets). This is due to the fact that netstandard2.0 for some reason used the old Grpc.Core library which does not use HttpClient. This will create a discrepancy in API functionalities between different targets, which I'm not sure is acceptable.
I've updated the issue description to make it more clear that this issue is specifically about supporting the three TLS related OTLP configuration options that we do not yet support. Exposing the HttpClientFactory to the gRPC exporter is not part of the scope of this issue.
@matt-hensley has offered to help out with implementing these configuration options.
I'm currently working on a (draft) PR: https://github.com/open-telemetry/opentelemetry-dotnet/pull/4731 Some things I'm still trying to figure out:
- How to build custom trust store with HttpClient to verify server Certificate file
- How to load PEM file (with different key algo) in .NET Framework.
Old .NET (netstandard2.0) lacks the PEM-support APIs. Parsing and loading PEM certificates and keys is quite tricky.
The only (easy) solution I've managed to find is to use BouncyCastle https://github.com/bcgit/bc-csharp. I've updated the PR with this method.
I'm wondering if we have any constraints for using in dependency libraries?
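One way to build the custom trust store asked about above on .NET 5 or later, as an added example that is not the project's code and is not taken from either PR. `OtlpTlsHandler` and its methods are hypothetical names; the environment variable names are the ones the OTLP exporter specification defines for the three options.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
// Added example (hypothetical helper, not part of OpenTelemetry). Needs .NET 5 or later.
public static class OtlpTlsHandler
{
    // Reads the three file paths from the environment variables the OTLP spec defines.
    public static HttpClientHandler FromEnvironment() => Create(
        Environment.GetEnvironmentVariable("OTEL_EXPORTER_OTLP_CERTIFICATE"),
        Environment.GetEnvironmentVariable("OTEL_EXPORTER_OTLP_CLIENT_CERTIFICATE"),
        Environment.GetEnvironmentVariable("OTEL_EXPORTER_OTLP_CLIENT_KEY"));

    public static HttpClientHandler Create(string caPem, string clientCertPem, string clientKeyPem)
    {
        var handler = new HttpClientHandler();
        if (clientCertPem != null && clientKeyPem != null)
        {
            var clientCert = X509Certificate2.CreateFromPemFile(clientCertPem, clientKeyPem);
            // Windows SChannel cannot use the ephemeral key of a PEM-loaded certificate;
            // a PKCS#12 round trip gives it a key it can use.
            if (OperatingSystem.IsWindows())
                clientCert = new X509Certificate2(clientCert.Export(X509ContentType.Pkcs12));
            handler.ClientCertificateOptions = ClientCertificateOption.Manual;
            handler.ClientCertificates.Add(clientCert);
        }
        if (caPem != null)
        {
            var roots = new X509Certificate2Collection();
            roots.ImportFromPemFile(caPem);
            handler.ServerCertificateCustomValidationCallback =
                (request, cert, presented, errors) => Validate(cert, presented, errors, roots);
        }
        return handler;
    }
    static bool Validate(X509Certificate2 cert, X509Chain presented, SslPolicyErrors errors, X509Certificate2Collection roots)
    {
        // Only an untrusted chain may be re-checked; a name mismatch or missing certificate fails.
        if (cert == null || (errors & ~SslPolicyErrors.RemoteCertificateChainErrors) != 0) return false;
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.AddRange(roots);
        // Intermediates sent by the server are candidates only; trust still ends at `roots`.
        if (presented != null)
            foreach (var e in presented.ChainElements) chain.ChainPolicy.ExtraStore.Add(e.Certificate);
        // Assumption: the private CA publishes no CRL/OCSP. Keep the default (Online) if it does.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        return chain.Build(cert);
    }
}
```

For the HTTP side of the exporter, the handler can be supplied through the existing HttpClientFactory option mentioned earlier in the thread. It does not address netstandard2.0 or .NET Framework, which lack these PEM APIs.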
Curious about the status of this issue, saw that the above PR is closed. Do we support exporting over TLS now?