[otlp] Add mTLS Support for OTLP Exporter

src/OpenTelemetry.Exporter.OpenTelemetryProtocol/.publicApi/Stable/PublicAPI.Unshipped.txt

@@ -0,0 +1,6 @@
+OpenTelemetry.Exporter.OtlpExporterOptions.CertificateFile.get -> string!
+OpenTelemetry.Exporter.OtlpExporterOptions.CertificateFile.set -> void
+OpenTelemetry.Exporter.OtlpExporterOptions.ClientCertificateFile.get -> string!
+OpenTelemetry.Exporter.OtlpExporterOptions.ClientCertificateFile.set -> void
+OpenTelemetry.Exporter.OtlpExporterOptions.ClientKeyFile.get -> string!
+OpenTelemetry.Exporter.OtlpExporterOptions.ClientKeyFile.set -> void

src/OpenTelemetry.Exporter.OpenTelemetryProtocol/Implementation/ExportClient/OtlpHttpLogExportClient.cs

@@ -19,7 +19,7 @@ internal sealed class OtlpHttpLogExportClient : BaseOtlpHttpExportClient<OtlpCol
     private const string LogsExportPath = "v1/logs";
 
     public OtlpHttpLogExportClient(OtlpExporterOptions options, HttpClient httpClient)
-        : base(options, httpClient, LogsExportPath)
+        : base(options, ModifyHttpClient(options, httpClient), LogsExportPath)
     {
     }
 
@@ -28,6 +28,26 @@ protected override HttpContent CreateHttpContent(OtlpCollector.ExportLogsService
         return new ExportRequestContent(exportRequest);
     }
 
+    private static HttpClient ModifyHttpClient(OtlpExporterOptions options, HttpClient httpClient)
+    {
+        // Create a new handler using the existing method that configures mTLS
+        var handler = options.CreateDefaultHttpMessageHandler();
+
+        // Create a new HttpClient with the mTLS-enabled handler
+        var newHttpClient = new HttpClient(handler, disposeHandler: true);
+
+        // Copy existing headers from the original HttpClient
+        foreach (var header in httpClient.DefaultRequestHeaders)
+        {
+            newHttpClient.DefaultRequestHeaders.Add(header.Key, header.Value);
+        }
+
+        // Copy other properties, such as timeout, if needed
+        newHttpClient.Timeout = httpClient.Timeout;
+
+        return newHttpClient;
+    }
+
     internal sealed class ExportRequestContent : HttpContent
     {
         private static readonly MediaTypeHeaderValue ProtobufMediaTypeHeader = new(MediaContentType);

src/OpenTelemetry.Exporter.OpenTelemetryProtocol/Implementation/ExportClient/OtlpHttpMetricsExportClient.cs

@@ -19,7 +19,7 @@ internal sealed class OtlpHttpMetricsExportClient : BaseOtlpHttpExportClient<Otl
     private const string MetricsExportPath = "v1/metrics";
 
     public OtlpHttpMetricsExportClient(OtlpExporterOptions options, HttpClient httpClient)
-        : base(options, httpClient, MetricsExportPath)
+        : base(options, ModifyHttpClient(options, httpClient), MetricsExportPath)
     {
     }
 
@@ -28,6 +28,26 @@ protected override HttpContent CreateHttpContent(OtlpCollector.ExportMetricsServ
         return new ExportRequestContent(exportRequest);
     }
 
+    private static HttpClient ModifyHttpClient(OtlpExporterOptions options, HttpClient httpClient)
+    {
+        // Create a new handler using the existing method that configures mTLS
+        var handler = options.CreateDefaultHttpMessageHandler();
+
+        // Create a new HttpClient with the mTLS-enabled handler
+        var newHttpClient = new HttpClient(handler, disposeHandler: true);
+
+        // Copy existing headers from the original HttpClient
+        foreach (var header in httpClient.DefaultRequestHeaders)
+        {
+            newHttpClient.DefaultRequestHeaders.Add(header.Key, header.Value);
+        }
+
+        // Copy other properties, such as timeout, if needed
+        newHttpClient.Timeout = httpClient.Timeout;
+
+        return newHttpClient;
+    }
+
     internal sealed class ExportRequestContent : HttpContent
     {
         private static readonly MediaTypeHeaderValue ProtobufMediaTypeHeader = new(MediaContentType);

src/OpenTelemetry.Exporter.OpenTelemetryProtocol/Implementation/ExportClient/OtlpHttpTraceExportClient.cs

@@ -19,7 +19,7 @@ internal sealed class OtlpHttpTraceExportClient : BaseOtlpHttpExportClient<OtlpC
     private const string TracesExportPath = "v1/traces";
 
     public OtlpHttpTraceExportClient(OtlpExporterOptions options, HttpClient httpClient)
-        : base(options, httpClient, TracesExportPath)
+        : base(options, ModifyHttpClient(options, httpClient), TracesExportPath)
     {
     }
 
@@ -28,6 +28,26 @@ protected override HttpContent CreateHttpContent(OtlpCollector.ExportTraceServic
         return new ExportRequestContent(exportRequest);
     }
 
+    private static HttpClient ModifyHttpClient(OtlpExporterOptions options, HttpClient httpClient)
+    {
+        // Create a new handler using the existing method that configures mTLS
+        var handler = options.CreateDefaultHttpMessageHandler();
+
+        // Create a new HttpClient with the mTLS-enabled handler
+        var newHttpClient = new HttpClient(handler, disposeHandler: true);
+
+        // Copy existing headers from the original HttpClient
+        foreach (var header in httpClient.DefaultRequestHeaders)
+        {
+            newHttpClient.DefaultRequestHeaders.Add(header.Key, header.Value);
+        }
+
+        // Copy other properties, such as timeout, if needed
+        newHttpClient.Timeout = httpClient.Timeout;
+
+        return newHttpClient;
+    }
+
     internal sealed class ExportRequestContent : HttpContent
     {
         private static readonly MediaTypeHeaderValue ProtobufMediaTypeHeader = new(MediaContentType);

src/OpenTelemetry.Exporter.OpenTelemetryProtocol/OtlpExporterOptions.cs

@@ -11,6 +11,9 @@
 using OpenTelemetry.Exporter.OpenTelemetryProtocol.Implementation;
 using OpenTelemetry.Internal;
 using OpenTelemetry.Trace;
+#if NET6_0_OR_GREATER
+using System.Security.Cryptography.X509Certificates;
+#endif
 
 namespace OpenTelemetry.Exporter;
 
@@ -27,6 +30,9 @@
     internal const string DefaultGrpcEndpoint = "http://localhost:4317";
     internal const string DefaultHttpEndpoint = "http://localhost:4318";
     internal const OtlpExportProtocol DefaultOtlpExportProtocol = OtlpExportProtocol.Grpc;
+    internal const string CertificateFileEnvVarName = "OTEL_EXPORTER_OTLP_CERTIFICATE";
+    internal const string ClientKeyFileEnvVarName = "OTEL_EXPORTER_OTLP_CLIENT_KEY";
+    internal const string ClientCertificateFileEnvVarName = "OTEL_EXPORTER_OTLP_CLIENT_CERTIFICATE";
 
     internal static readonly KeyValuePair<string, string>[] StandardHeaders = new KeyValuePair<string, string>[]
     {
@@ -75,6 +81,36 @@
         };
 
         this.BatchExportProcessorOptions = defaultBatchOptions!;
+
+        // Load CertificateFile from environment variable
+        if (Environment.GetEnvironmentVariable(CertificateFileEnvVarName) is string certificateFile)
+        {
+            this.CertificateFile = certificateFile;
+        }
+        else
+        {
+            this.CertificateFile = string.Empty;
+        }
+
+        // Load ClientKeyFile from environment variable
+        if (Environment.GetEnvironmentVariable(ClientKeyFileEnvVarName) is string clientKeyFile)
+        {
+            this.ClientKeyFile = clientKeyFile;
+        }
+        else
+        {
+            this.ClientKeyFile = string.Empty;
+        }
+
+        // Load ClientCertificateFile from environment variable
+        if (Environment.GetEnvironmentVariable(ClientCertificateFileEnvVarName) is string clientCertificateFile)
+        {
+            this.ClientCertificateFile = clientCertificateFile;
+        }
+        else
+        {
+            this.ClientCertificateFile = string.Empty;
+        }
     }
 
     /// <inheritdoc/>
@@ -142,6 +178,21 @@
         }
     }
 
+    /// <summary>
+    /// Gets or sets the trusted certificate to use when verifying a server's TLS credentials.
+    /// </summary>
+    public string CertificateFile { get; set; }
+
+    /// <summary>
+    /// Gets or sets the path to the private key to use in mTLS communication in PEM format.
+    /// </summary>
+    public string ClientKeyFile { get; set; }
+
+    /// <summary>
+    /// Gets or sets the path to the certificate/chain trust for client's private key to use in mTLS communication in PEM format.
+    /// </summary>
+    public string ClientCertificateFile { get; set; }
+
     /// <summary>
     /// Gets a value indicating whether or not the signal-specific path should
     /// be appended to <see cref="Endpoint"/>.
@@ -220,6 +271,37 @@
         return this;
     }
 
+    internal HttpMessageHandler CreateDefaultHttpMessageHandler()
+    {
+        var handler = new HttpClientHandler();
+
+#if NET6_0_OR_GREATER
+        if (!string.IsNullOrEmpty(this.CertificateFile))
+        {
+            var trustedCertificate = new X509Certificate2(this.CertificateFile);
+
+            handler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) =>
+            {
+                chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
+                chain.ChainPolicy.CustomTrustStore.Add(trustedCertificate);
+                return chain.Build(cert);
+            };
+        }
+
+        if (!string.IsNullOrEmpty(this.ClientCertificateFile) && !string.IsNullOrEmpty(this.ClientKeyFile))
+        {
+            var clientCertificate = X509Certificate2.CreateFromPemFile(this.ClientCertificateFile, this.ClientKeyFile);
+            handler.ClientCertificates.Add(clientCertificate);
+        }
+#else
+        // Implement alternative methods for earlier .NET versions
+        throw new PlatformNotSupportedException("mTLS support requires .NET 6.0 or later.");
+#endif
+
+#pragma warning disable CS0162 // Unreachable code detected
+        return handler;
+    }
+
     private static string GetUserAgentString()
     {
         var assembly = typeof(OtlpExporterOptions).Assembly;

src/OpenTelemetry.Exporter.OpenTelemetryProtocol/OtlpExporterOptionsExtensions.cs

@@ -17,6 +17,9 @@
 using LogOtlpCollector = OpenTelemetry.Proto.Collector.Logs.V1;
 using MetricsOtlpCollector = OpenTelemetry.Proto.Collector.Metrics.V1;
 using TraceOtlpCollector = OpenTelemetry.Proto.Collector.Trace.V1;
+#if NET6_0_OR_GREATER
+using System.Security.Cryptography.X509Certificates;
+#endif
 
 namespace OpenTelemetry.Exporter;
 
@@ -33,7 +36,36 @@
             throw new NotSupportedException($"Endpoint URI scheme ({options.Endpoint.Scheme}) is not supported. Currently only \"http\" and \"https\" are supported.");
         }
 
-#if NETSTANDARD2_1 || NET
+#if NET6_0_OR_GREATER
+        var handler = new HttpClientHandler();
+
+        // Set up custom certificate validation if CertificateFile is provided
+        if (!string.IsNullOrEmpty(options.CertificateFile))
+        {
+            var trustedCertificate = new X509Certificate2(options.CertificateFile);
+            handler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) =>
+            {
+                chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
+                chain.ChainPolicy.CustomTrustStore.Add(trustedCertificate);
+                return chain.Build(cert);
+            };
+        }
+
+        // Set up client certificate if provided
+        if (!string.IsNullOrEmpty(options.ClientCertificateFile) && !string.IsNullOrEmpty(options.ClientKeyFile))
+        {
+            var clientCertificate = X509Certificate2.CreateFromPemFile(options.ClientCertificateFile, options.ClientKeyFile);
+            handler.ClientCertificates.Add(clientCertificate);
+        }
+
+        var grpcChannelOptions = new GrpcChannelOptions
+        {
+            HttpHandler = handler,
+            DisposeHttpClient = true,
+        };
+
+        return GrpcChannel.ForAddress(options.Endpoint, grpcChannelOptions);
+#elif NETSTANDARD2_1 || NET
         return GrpcChannel.ForAddress(options.Endpoint);
 #else
         ChannelCredentials channelCredentials;