53 commits
a363508
feat(): add mtls support
sandy2008 Jun 20, 2025
faba6ab
refactor(mtls): extract repeated string literals to constants in Otlp…
sandy2008 Jun 20, 2025
3044fc3
feat(): add mtls support
sandy2008 Jun 20, 2025
7368c9e
feat(): add mtls configurations for certs
sandy2008 Jun 20, 2025
c488394
fix(mtls): include filePath in FileNotFoundException for better diagn…
sandy2008 Jun 23, 2025
472205a
fix(mtls): use string.Equals to safely compare thumbprints and avoid …
sandy2008 Jun 23, 2025
2d69b7c
fix(): remove redundant comment
sandy2008 Jun 23, 2025
960037e
fix(): remove redundant comment
sandy2008 Jun 23, 2025
6226ac5
fix(): remove redundant comment
sandy2008 Jun 23, 2025
966d076
feat(): add support for client key w/ password
sandy2008 Jun 23, 2025
879cd6c
refactor(mtls): extract HttpClient default configuration to separate …
sandy2008 Jun 23, 2025
c1405cb
refactor(mtls): eliminate magic strings in OtlpMtlsHttpClientFactory
sandy2008 Jun 23, 2025
02b9240
feat(mtls): adjust error msg
sandy2008 Jun 24, 2025
6ae5efe
feat(mtls): adjust error msg
sandy2008 Jun 24, 2025
eadf9c2
feat(mtls): adjust error msg
sandy2008 Jun 24, 2025
2c759c6
chore(mtls): when mTLS file permission validation is skipped on unsup…
sandy2008 Jun 24, 2025
87633ba
chore(mtls); Remove preemptive file permission validation from mTLS
sandy2008 Jun 24, 2025
af26417
refactor(mtls): optimize mTLS HttpClient creation to reduce allocations
sandy2008 Jun 24, 2025
0bd7c5e
fix(mtls): format issue
sandy2008 Jun 24, 2025
487d517
fix(mtls): format issue
sandy2008 Jun 24, 2025
59cea03
chore(mtls): Make OtlpMtlsOptions sealed
sandy2008 Jun 24, 2025
b80cd21
fix(mtls): format issue
sandy2008 Jun 24, 2025
6e78148
fix(mtls): format issue
sandy2008 Jun 24, 2025
0fca40b
chore(README): table inline
sandy2008 Jun 24, 2025
fc25a73
fix(): clean up shipped file
sandy2008 Jun 24, 2025
c8a5a55
chore(mtls): fix README doc
sandy2008 Jun 25, 2025
464201b
chore(mtls): adjust return mtlsClient to 1-liner
sandy2008 Jun 25, 2025
ec0db21
chore(mtls): simplify new OtlpMtlsOptions()
sandy2008 Jun 25, 2025
84764e8
refactor(mtls): simplify null check and add comment for ExcludeRoot d…
sandy2008 Jun 25, 2025
3ec30f9
fix(mtls): Fix client certificate loading when ClientKeyPath is not p…
sandy2008 Jun 25, 2025
f30b6f8
chore(mtls): Improve certificate disposal in OtlpMtlsHttpClientFactory
sandy2008 Jun 25, 2025
b948ce1
fix(mtls): Add missing using Xunit statements to mTLS test files
sandy2008 Jun 25, 2025
3d75694
fix(mtls): suppress SYSLIB0057 warnings in certificate loading code
sandy2008 Jun 25, 2025
4d8b83e
fix(mtls): fix test
sandy2008 Jun 25, 2025
3611145
chore(): replace #if NET
sandy2008 Jun 25, 2025
3f7a6bb
chore(mtls): remove needless pragma warning restore SYSLIB0057
sandy2008 Jun 25, 2025
6135c33
fix(): Remove support for client key password and certificate revocat…
sandy2008 Jun 25, 2025
e8f122f
Merge branch 'main' into main
sandy2008 Jul 12, 2025
cabc172
Merge branch 'main' into main
sandy2008 Aug 6, 2025
2825069
resolve conflict
sandy2008 Dec 5, 2025
b3830a5
chore(): Removed the unused CreateExpiredCertificate helper
sandy2008 Dec 5, 2025
92a4ee0
chore(): mTLS tests: cover CA-only config, server cert validation, an…
sandy2008 Dec 5, 2025
70a5ce4
chore(): Enforce mTLS requirement in CreateMtlsHttpClient and update …
sandy2008 Dec 7, 2025
9055c05
chore(): Added explicit logging for mTLS HttpClient creation failures…
sandy2008 Dec 7, 2025
07e7e59
chore(): Preserve mTLS cert lifetimes, add creation logging, and test…
sandy2008 Dec 7, 2025
803c09b
chore(): Remove duplicate export failure log in mTLS client factory
sandy2008 Dec 9, 2025
977d88f
fix(): Fix OTLP mTLS trust handling for self-signed CA
sandy2008 Dec 9, 2025
bceda1a
chore(): add CHANGELOG
sandy2008 Dec 10, 2025
3e09c5d
chore(): Remove non-public OtlpMtlsOptions column from mTLS env var t…
sandy2008 Dec 11, 2025
c8630b2
Merge branch 'open-telemetry:main' into main
sandy2008 Dec 15, 2025
73817bd
chore(): Refactor TLS and mTLS support in OpenTelemetry Protocol Expo…
sandy2008 Dec 15, 2025
ce9cb1c
chore(): Refactor TLS and mTLS support in OpenTelemetry Protocol Expo…
sandy2008 Dec 15, 2025
8fa7f24
chore(): Refactor TLS and mTLS support in OpenTelemetry Protocol Expo…
sandy2008 Dec 15, 2025
@@ -0,0 +1,13 @@
// Copyright The OpenTelemetry Authors
// SPDX-License-Identifier: Apache-2.0

#if NET

namespace OpenTelemetry.Exporter.OpenTelemetryProtocol.Implementation;

internal interface IHttpClientSecurityConfigurer
{
void Apply(HttpClientHandler handler);
}

#endif
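Review bot: The new `IHttpClientSecurityConfigurer` interface carries no XML documentation, so the contract of `Apply` — that it mutates the supplied handler in place and what it does on a null or unexpected handler — is only discoverable by reading the implementations. Add a `/// <summary>` on the interface along the lines of "Configures transport-layer security (trusted CA and/or client certificate) on an HttpClientHandler before the client is built", and on `Apply` a `<param name="handler">` plus an `<exception cref="ArgumentNullException">` entry, since the implementations in this PR throw that for a null handler. `HttpClientHandler` lives in `System.Net.Http`; if the project does not rely on implicit or global usings, this file also needs `using System.Net.Http;`.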
Expand Up @@ -325,5 +325,12 @@ internal void MtlsHttpClientCreationFailed(Exception ex)
Level = EventLevel.Error)]
internal void MtlsHttpClientCreationFailed(string exception) =>
this.WriteEvent(34, exception);

[Event(
35,
Message = "TLS configuration enabled. Trusted CA certificate: '{0}'.",
Level = EventLevel.Informational)]
internal void TlsConfigurationEnabled(string caCertificateSubject) =>
this.WriteEvent(35, caCertificateSubject);
#endif
}
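Review bot: `TlsConfigurationEnabled` logs only the CA certificate's Subject, which is not a unique identifier — after a CA rotation two certificates can share the same subject, so an operator reading this event cannot tell which trust anchor the exporter actually loaded. Consider logging the thumbprint alongside it, e.g. `Message = "TLS configuration enabled. Trusted CA certificate: '{0}' (thumbprint '{1}')."` with `this.WriteEvent(35, caCertificateSubject, caCertificateThumbprint)` and a matching second parameter. The enclosing EventSource class starts outside the hunk; if the existing `MtlsConfigurationEnabled` event (not shown here) also logs only the subject, the same applies to it.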
Expand Up @@ -10,9 +10,9 @@
namespace OpenTelemetry.Exporter.OpenTelemetryProtocol.Implementation;

/// <summary>
/// Manages certificate loading, validation, and security checks for mTLS connections.
/// Manages certificate loading, validation, and security checks for TLS connections.
/// </summary>
internal static class OtlpMtlsCertificateManager
internal static class OtlpCertificateManager
{
internal const string CaCertificateType = "CA certificate";
internal const string ClientCertificateType = "Client certificate";
@@ -0,0 +1,157 @@
// Copyright The OpenTelemetry Authors
// SPDX-License-Identifier: Apache-2.0

#if NET
using System.Security.Cryptography.X509Certificates;

namespace OpenTelemetry.Exporter.OpenTelemetryProtocol.Implementation;

internal static class OtlpHttpClientSecurityConfigurerFactory
{
public static IHttpClientSecurityConfigurer? Create(
OtlpTlsOptions? tlsOptions,
OtlpMtlsOptions? mtlsOptions)
{
IHttpClientSecurityConfigurer? trustedCertConfigurer =
tlsOptions?.IsEnabled == true
? new TrustedCertConfigurer(tlsOptions)
: null;

IHttpClientSecurityConfigurer? clientCertConfigurer =
mtlsOptions?.IsEnabled == true
? new ClientCertConfigurer(mtlsOptions)
: null;

if (trustedCertConfigurer == null)
{
return clientCertConfigurer;
}

if (clientCertConfigurer == null)
{
return trustedCertConfigurer;
}

return new CompositeConfigurer(trustedCertConfigurer, clientCertConfigurer);
}

private sealed class CompositeConfigurer : IHttpClientSecurityConfigurer
{
private readonly IHttpClientSecurityConfigurer first;
private readonly IHttpClientSecurityConfigurer second;

internal CompositeConfigurer(IHttpClientSecurityConfigurer first, IHttpClientSecurityConfigurer second)
{
this.first = first;
this.second = second;
}

public void Apply(HttpClientHandler handler)
{
this.first.Apply(handler);
this.second.Apply(handler);
}
}

private sealed class TrustedCertConfigurer : IHttpClientSecurityConfigurer
{
private readonly OtlpTlsOptions tlsOptions;

internal TrustedCertConfigurer(OtlpTlsOptions tlsOptions)
{
this.tlsOptions = tlsOptions;
}

public void Apply(HttpClientHandler handler)
{
ArgumentNullException.ThrowIfNull(handler);

if (handler is not OtlpTlsHttpClientFactory.TlsHttpClientHandler tlsHandler)
{
throw new ArgumentException(
$"Expected handler type '{typeof(OtlpTlsHttpClientFactory.TlsHttpClientHandler)}'.",
nameof(handler));
}

X509Certificate2? caCertificate = null;
try
{
caCertificate = OtlpCertificateManager.LoadCaCertificate(this.tlsOptions.CertificatePath!);

if (this.tlsOptions.EnableCertificateChainValidation)
{
OtlpCertificateManager.ValidateCertificateChain(
caCertificate,
OtlpCertificateManager.CaCertificateType);
}

OpenTelemetryProtocolExporterEventSource.Log.TlsConfigurationEnabled(
caCertificate.Subject);

tlsHandler.ConfigureTrustedCaCertificate(caCertificate);

// Handler now owns the certificate and will dispose it when disposed.
caCertificate = null;
}
finally
{
caCertificate?.Dispose();
}
}
}

private sealed class ClientCertConfigurer : IHttpClientSecurityConfigurer
{
private readonly OtlpMtlsOptions mtlsOptions;

internal ClientCertConfigurer(OtlpMtlsOptions mtlsOptions)
{
this.mtlsOptions = mtlsOptions;
}

public void Apply(HttpClientHandler handler)
{
ArgumentNullException.ThrowIfNull(handler);

if (handler is not OtlpTlsHttpClientFactory.TlsHttpClientHandler tlsHandler)
{
throw new ArgumentException(
$"Expected handler type '{typeof(OtlpTlsHttpClientFactory.TlsHttpClientHandler)}'.",
nameof(handler));
}

X509Certificate2? clientCertificate = null;
try
{
clientCertificate = string.IsNullOrEmpty(this.mtlsOptions.ClientKeyPath)
? OtlpCertificateManager.LoadClientCertificate(
this.mtlsOptions.ClientCertificatePath!,
null)
: OtlpCertificateManager.LoadClientCertificate(
this.mtlsOptions.ClientCertificatePath!,
this.mtlsOptions.ClientKeyPath);

if (this.mtlsOptions.EnableCertificateChainValidation)
{
OtlpCertificateManager.ValidateCertificateChain(
clientCertificate,
OtlpCertificateManager.ClientCertificateType);
}

OpenTelemetryProtocolExporterEventSource.Log.MtlsConfigurationEnabled(
clientCertificate.Subject);

tlsHandler.ConfigureClientCertificate(clientCertificate);

// Handler now owns the certificate and will dispose it when disposed.
clientCertificate = null;
}
finally
{
clientCertificate?.Dispose();
}
}
}
}

#endif
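Review bot: In `ClientCertConfigurer.Apply`, both arms of the ternary at the `clientCertificate =` assignment call `OtlpCertificateManager.LoadClientCertificate` with the same certificate path and differ only in the second argument, so the branch can collapse to one call: `clientCertificate = OtlpCertificateManager.LoadClientCertificate(this.mtlsOptions.ClientCertificatePath!, string.IsNullOrEmpty(this.mtlsOptions.ClientKeyPath) ? null : this.mtlsOptions.ClientKeyPath);`. The handler type check and its `ArgumentException` message are repeated verbatim in `TrustedCertConfigurer.Apply` and `ClientCertConfigurer.Apply`; a private static helper such as `RequireTlsHandler(HttpClientHandler handler)` returning the narrowed `TlsHttpClientHandler` would keep that message in one place. Both configurers also suppress nullability with `CertificatePath!` / `ClientCertificatePath!`; if `IsEnabled` on the options types does not already guarantee a non-empty path (not visible in this diff), a null path reaches the certificate manager and the failure surfaces as whatever that helper throws rather than as a clear configuration error, so either confirm that guarantee or add an explicit `ArgumentException` at the top of each `Apply`.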

This file was deleted.

Expand Up @@ -32,8 +32,10 @@ internal static class OtlpSpecConfigDefinitions
public const string TracesTimeoutEnvVarName = "OTEL_EXPORTER_OTLP_TRACES_TIMEOUT";
public const string TracesProtocolEnvVarName = "OTEL_EXPORTER_OTLP_TRACES_PROTOCOL";

// mTLS certificate environment variables
// TLS certificate environment variables
public const string CertificateEnvVarName = "OTEL_EXPORTER_OTLP_CERTIFICATE";

// mTLS client certificate environment variables
public const string ClientKeyEnvVarName = "OTEL_EXPORTER_OTLP_CLIENT_KEY";
public const string ClientCertificateEnvVarName = "OTEL_EXPORTER_OTLP_CLIENT_CERTIFICATE";
}