Skip to content

chore(): Refactor TLS and mTLS support in OpenTelemetry Protocol Expo…#2

Closed
sandy2008 wants to merge 53 commits intomainfrom
feat/tls-mtls
Closed

chore(): Refactor TLS and mTLS support in OpenTelemetry Protocol Expo…#2
sandy2008 wants to merge 53 commits intomainfrom
feat/tls-mtls

Conversation

@sandy2008
Copy link
Owner

@sandy2008 sandy2008 commented Dec 15, 2025
edited
Loading

Fixes open-telemetry#6764
Design discussion issue open-telemetry#6764

Changes

  • Split TLS vs mTLS config: OtlpTlsOptions for server trust (OTEL_EXPORTER_OTLP_CERTIFICATE) and OtlpMtlsOptions for client auth (OTEL_EXPORTER_OTLP_CLIENT_CERTIFICATE/OTEL_EXPORTER_OTLP_CLIENT_KEY).
  • Refactor HttpClient security setup to Strategy + Factory: IHttpClientSecurityConfigurer + OtlpHttpClientSecurityConfigurerFactory (trusted CA + client cert configurers).
  • Rename internal helpers to remove “mTLS” from CA-trust flow (OtlpCertificateManager, OtlpTlsHttpClientFactory) and update docs/tests accordingly.

Merge requirement checklist

  • CONTRIBUTING guidelines followed (license requirements, nullable enabled, static analysis, etc.)
  • Unit tests added/updated
  • Appropriate CHANGELOG.md files updated for non-trivial changes
  • Changes in public API reviewed (if applicable)

sandy2008 and others added 30 commits June 20, 2025 17:34
@sandy2008
feat(): add mtls support
a363508
@sandy2008
refactor(mtls): extract repeated string literals to constants in Otlp…
faba6ab 
…MtlsCertificateManager
@sandy2008
feat(): add mtls support
3044fc3
@sandy2008
feat(): add mtls configurations for certs
7368c9e
@sandy2008 @martincostello
fix(mtls): include filePath in FileNotFoundException for better diagn…
c488394 
…ostics

Co-authored-by: Martin Costello <martin@martincostello.com>
@sandy2008 @martincostello
fix(mtls): use string.Equals to safely compare thumbprints and avoid …
472205a 
…null reference

Co-authored-by: Martin Costello <martin@martincostello.com>
@sandy2008
fix(): remove redundant comment
2d69b7c
@sandy2008
fix(): remove redundant comment
960037e
@sandy2008
fix(): remove redundant comment
6226ac5
@sandy2008
feat(): add support for client key w/ password
966d076
@sandy2008
refactor(mtls): extract HttpClient default configuration to separate …
879cd6c 
…method
@sandy2008
refactor(mtls): eliminate magic strings in OtlpMtlsHttpClientFactory
c1405cb
@sandy2008 @martincostello
feat(mtls): adjust error msg
02b9240 
Co-authored-by: Martin Costello <martin@martincostello.com>
@sandy2008 @martincostello
feat(mtls): adjust error msg
6ae5efe 
Co-authored-by: Martin Costello <martin@martincostello.com>
@sandy2008
feat(mtls): adjust error msg
eadf9c2
@sandy2008
chore(mtls): when mTLS file permission validation is skipped on unsup…
2c759c6 
…ported platforms
@sandy2008
chore(mtls); Remove preemptive file permission validation from mTLS
87633ba
@sandy2008
refactor(mtls): optimize mTLS HttpClient creation to reduce allocations
af26417
@sandy2008
fix(mtls): format issue
0bd7c5e
@sandy2008
fix(mtls): format issue
487d517
@sandy2008
chore(mtls): Make OtlpMtlsOptions sealed
59cea03
@sandy2008
fix(mtls): format issue
b80cd21
@sandy2008
fix(mtls): format issue
6e78148
@sandy2008
chore(README): table inline
0fca40b
@sandy2008
fix(): clean up shipped file
fc25a73
@sandy2008 @martincostello
chore(mtls): fix README doc
c8a5a55 
Co-authored-by: Martin Costello <martin@martincostello.com>
@sandy2008 @martincostello
chore(mtls): adjust return mtlsClient to 1-liner
464201b 
Co-authored-by: Martin Costello <martin@martincostello.com>
@sandy2008
chore(mtls): simplify new OtlpMtlsOptions()
ec0db21
@sandy2008
refactor(mtls): simplify null check and add comment for ExcludeRoot d…
84764e8 
…efault
@sandy2008
fix(mtls): Fix client certificate loading when ClientKeyPath is not p…
3ec30f9 
…rovided
sandy2008 and others added 23 commits June 25, 2025 18:49
@sandy2008
chore(mtls): Improve certificate disposal in OtlpMtlsHttpClientFactory
f30b6f8
@sandy2008
fix(mtls): Add missing using Xunit statements to mTLS test files
b948ce1
@sandy2008
fix(mtls): suppress SYSLIB0057 warnings in certificate loading code
3d75694
@sandy2008
fix(mtls): fix test
4d8b83e
@sandy2008
chore(): replace #if NET
3611145
@sandy2008
chore(mtls): remove needless pragma warning restore SYSLIB0057
3f7a6bb
@sandy2008
fix(): Remove support for client key password and certificate revocat…
6135c33 
…ion configuration
@sandy2008
Merge branch 'main' into main
e8f122f
@sandy2008
Merge branch 'main' into main
cabc172
@sandy2008
resolve conflict
2825069
@sandy2008
chore(): Removed the unused CreateExpiredCertificate helper
b3830a5
@sandy2008
chore(): mTLS tests: cover CA-only config, server cert validation, an…
92a4ee0 
…d expired cert failure
@sandy2008
chore(): Enforce mTLS requirement in CreateMtlsHttpClient and update …
70a5ce4 
…tests
@sandy2008
chore(): Added explicit logging for mTLS HttpClient creation failures…
9055c05 
… via a new event source entry
@sandy2008
chore(): Preserve mTLS cert lifetimes, add creation logging, and test…
07e7e59 
… server validation callback
@sandy2008
chore(): Remove duplicate export failure log in mTLS client factory
803c09b
@sandy2008
fix(): Fix OTLP mTLS trust handling for self-signed CA
977d88f
@sandy2008
chore(): add CHANGELOG
bceda1a
@sandy2008
chore(): Remove non-public OtlpMtlsOptions column from mTLS env var t…
3e09c5d 
…able in README
@sandy2008
Merge branch 'open-telemetry:main' into main
c8630b2
@sandy2008
chore(): Refactor TLS and mTLS support in OpenTelemetry Protocol Expo…
73817bd 
…rter

- Removed the OtlpMtlsHttpClientFactory and integrated its functionality into a new OtlpTlsHttpClientFactory to handle both TLS and mTLS configurations.
- Updated OtlpExporterOptions to include TlsOptions alongside MtlsOptions, allowing for more flexible configuration.
- Introduced OtlpTlsOptions class to manage TLS-specific settings, including certificate path and validation options.
- Modified environment variable handling to support both TLS and mTLS configurations.
- Updated tests to cover new TLS functionality and ensure proper handling of certificates and options.
- Removed unnecessary mTLS options and streamlined the logic for enabling mTLS based solely on client certificate presence.
@sandy2008
chore(): Refactor TLS and mTLS support in OpenTelemetry Protocol Expo…
ce9cb1c 
…rter

- Removed the OtlpMtlsHttpClientFactory and integrated its functionality into a new OtlpTlsHttpClientFactory to handle both TLS and mTLS configurations.
- Updated OtlpExporterOptions to include TlsOptions alongside MtlsOptions, allowing for more flexible configuration.
- Introduced OtlpTlsOptions class to manage TLS-specific settings, including certificate path and validation options.
- Modified environment variable handling to support both TLS and mTLS configurations.
- Updated tests to cover new TLS functionality and ensure proper handling of certificates and options.
- Removed unnecessary mTLS options and streamlined the logic for enabling mTLS based solely on client certificate presence.
@sandy2008
chore(): Refactor TLS and mTLS support in OpenTelemetry Protocol Expo…
8fa7f24 
…rter

- Removed the OtlpMtlsHttpClientFactory and integrated its functionality into a new OtlpTlsHttpClientFactory to handle both TLS and mTLS configurations.
- Updated OtlpExporterOptions to include TlsOptions alongside MtlsOptions, allowing for more flexible configuration.
- Introduced OtlpTlsOptions class to manage TLS-specific settings, including certificate path and validation options.
- Modified environment variable handling to support both TLS and mTLS configurations.
- Updated tests to cover new TLS functionality and ensure proper handling of certificates and options.
- Removed unnecessary mTLS options and streamlined the logic for enabling mTLS based solely on client certificate presence.
@github-actions
Copy link

github-actions bot commented Dec 29, 2025

This PR was marked stale due to lack of activity and will be closed in 7 days. Commenting or pushing will instruct the bot to automatically remove the label. This bot runs once per day.

@github-actions github-actions bot added the Stale label Dec 29, 2025
@sandy2008 sandy2008 closed this Dec 29, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

Stale

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[OTLP] Make OTEL_EXPORTER_OTLP_CERTIFICATE independent from mTLS

1 participant

@sandy2008