opentelemetry-util-http: add http client header attribute env vars

[herin049]

Description

This PR adds constants for two new environment variables:

• OTEL_INSTRUMENTATION_HTTP_CAPTURE_HEADERS_CLIENT_REQUEST
• OTEL_INSTRUMENTATION_HTTP_CAPTURE_HEADERS_CLIENT_RESPONSE

to the opentelemetry-util-http library. These changes are required in order to add support for capturing certain HTTP headers for HTTP client requests & responses as described in #3962.

Type of change

Please delete options that are not relevant.

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How Has This Been Tested?

N/A

Does This PR Require a Core Repo Change?

• Yes. - Link to PR:
• No.

Checklist:

See contributing.md for styleguide, changelog guidelines, and more.

• Followed the style guidelines of this project
• Changelogs have been updated

[tammy-baylis-swi]

I think this is fair given the existing OTEL_INSTRUMENTATION_HTTP_CAPTURE_HEADERS_SERVER_* as you mentioned in the issue, and it's confined to the contrib/instrumentation.

I appreciate a small PR but it would be good to see how these will be supported with security mindfulness. Wdyt?

[herin049]

@tammy-baylis-swi I created a separate PR since I'm assuming the team wants to stick with one changelog entry per PR, but I'm happy to group the implementation for client libraries with the PR to add these constants to the HTTP utility library.

With regards to security mindfulness, the implementations for the client libraries will by default capture no headers at all, unless the OTEL_INSTRUMENTATION_HTTP_CAPTURE_HEADERS_CLIENT_* environment variables are set. So the default behavior is not changing and is Opt-in only. This is analogous to how this behavior is handled for server headers as well.

As far as the implementation goes, it will utilize the get_custom_headers() and sanitize_header_values() in the SanitizeValue class. For reference you can look at the asgi instrumentation library, in particular here

[tammy-baylis-swi]

As far as the implementation goes, it will utilize the get_custom_headers() and sanitize_header_values() in the SanitizeValue class. For reference you can look at the asgi instrumentation library, in particular here

That answers my question 👍 Sounds like a plan!

[tammy-baylis-swi]

I think this looks good, pinging @open-telemetry/python-maintainers -- is this ok to have separate from implementation of support? Or one PR?