Add configuration for client TLS auth and rename variable for trusted… #1375
Conversation
|
Changelog? |
|
@iNikem Yeah generally add it after some approvals since until then it just causes daily merge conflicts :P |
specification/protocol/exporter.md
Outdated
| / Client certificate / key | The TLS certificate and private key to authenticate the client for mTLS. Should only be used for a secure connection.. | n/a | `OTLP_EXPORTER_OTLP_TLS_CERTIFICATE` `OTLP_EXPORTER_OTLP_SPAN_TLS_CERTIFICATE` `OTLP_EXPORTER_OTLP_METRIC_TLS_CERTIFICATE`, `OTLP_EXPORTER_OTLP_TLS_PRIVATE_KEY` `OTLP_EXPORTER_OTLP_SPAN_TLS_PRIVATE_KEY` `OTLP_EXPORTER_OTLP_METRIC_TLS_PRIVATE_KEY` | | ||
| | Trusted certificate | The trusted certificate to use when verifying a server's TLS credentials. Should only be used for a secure connection. | n/a | `OTEL_EXPORTER_OTLP_TLS_TRUSTED_CERTIFICATE` `OTEL_EXPORTER_OTLP_SPAN_TLS_TRUSTED_CERTIFICATE` `OTEL_EXPORTER_OTLP_METRIC_TLS_TRUSTED_CERTIFICATE` | |
There was a problem hiding this comment.
As per #1362 this should all be _TRACE_ instead of _SPAN_. Please don't forget updating the PR that gets merged last.
Co-authored-by: Armin Ruech <armin.ruech@dynatrace.com>
|
Lets use |
specification/protocol/exporter.md
Outdated
| @@ -10,7 +10,8 @@ The following configuration options MUST be available to configure the OTLP expo | |||
| | -------------------- | ------------------------------------------------------------ | ----------------- | ------------------------------------------------------------ | | |||
| | Endpoint | Target to which the exporter is going to send spans or metrics. The endpoint MUST be a valid URL with scheme (http or https) and host, and MAY contain a port and path. A scheme of https indicates a secure connection. When using `OTEL_EXPORTER_ENDPOINT` with OTLP/HTTP, exporters SHOULD follow the collector convention of appending the version and signal to the path (e.g. `v1/traces` or `v1/metrics`). The per-signal endpoint configuration options take precedence and can be used to override this behavior. See the [OTLP Specification][otlphttp-req] for more details. | `https://localhost:4317` | `OTEL_EXPORTER_OTLP_ENDPOINT` `OTEL_EXPORTER_OTLP_SPAN_ENDPOINT` `OTEL_EXPORTER_OTLP_METRIC_ENDPOINT` | | |||
| | Protocol | The protocol used to transmit the data. One of `grpc`,`http/json`,`http/protobuf`. | `grpc` | `OTEL_EXPORTER_OTLP_PROTOCOL` `OTEL_EXPORTER_OTLP_SPAN_PROTOCOL` `OTEL_EXPORTER_OTLP_METRIC_PROTOCOL` | | |||
| | Certificate File | Path to certificate file for TLS credentials of gRPC client. Should only be used for a secure connection. | n/a | `OTEL_EXPORTER_OTLP_CERTIFICATE` `OTEL_EXPORTER_OTLP_SPAN_CERTIFICATE` `OTEL_EXPORTER_OTLP_METRIC_CERTIFICATE` | | |||
| | Client certificate / key | The TLS certificate and private key to authenticate the client for mTLS. Should only be used for a secure connection. | n/a | `OTEL_EXPORTER_OTLP_TLS_CERTIFICATE` `OTEL_EXPORTER_OTLP_SPAN_TLS_CERTIFICATE` `OTEL_EXPORTER_OTLP_METRIC_TLS_CERTIFICATE`, `OTEL_EXPORTER_OTLP_TLS_PRIVATE_KEY` `OTEL_EXPORTER_OTLP_SPAN_TLS_PRIVATE_KEY` `OTEL_EXPORTER_OTLP_METRIC_TLS_PRIVATE_KEY` | | |||
There was a problem hiding this comment.
Found a usage of this variable, example here: https://github.com/open-telemetry/opentelemetry-python/blob/db74594d93b7e42d26ed2061b7672d1ad823f30c/exporter/opentelemetry-exporter-otlp/tests/test_otlp_metric_exporter.py#L74 Can you please make sure to check that this is fine to change
There was a problem hiding this comment.
That would be renamed to OTEL_EXPORTER_OTLP_METRIC_TLS_TRUSTED_CERTIFICATE I think. Is that what you'd like to confirm?
There was a problem hiding this comment.
Could we still allow the old Environment variable but mark it deprecated with a migration?
Given how CLOSE we are to 1.0 I think it'd be good if we pretend we have users we don't want to break, to get in the habit of how these changes will have to be made going forward.
There was a problem hiding this comment.
If languages want to support multiple variables I think they could, even without it being mentioned in the spec right?
There was a problem hiding this comment.
My comment was about checking with python maintainers whether it is already heavily in use. As @jsuereth pointed we need to be careful with renaming. If not much adoption so far, PR good with me.
There was a problem hiding this comment.
Well, there aren't any open source usage
https://github.com/search?q=OTEL_EXPORTER_OTLP_METRIC_CERTIFICATE&type=code
And if we were done making changes, we'd already be 1.0 - this doc doesn't have any label on it, not even feature-freeze like some of the other ones so it seems a bit unfair to require too much process. The variable seems to be a bug really since the description doesn't describe it, these are credentials of a server, not a client.
Languages can use a deprecation cycle to change the variable if they wish, but I don't think that's something to have here, or if we did, it would be a much more general document detailing a mandate for and how to deprecate features.
There was a problem hiding this comment.
Not asking for much process. Maybe just a ack from @open-telemetry/python-approvers
There was a problem hiding this comment.
Ok - @open-telemetry/python-approvers does this change look ok? Thanks!
…ication into client-tls
…ication into client-tls
|
Any more updates needed on this? |
|
@codeboten @ocelotl @lzchen Could you take a look at this PR? Thanks! |
|
Sure, will do this tonight 👍 |
| @@ -10,7 +10,8 @@ The following configuration options MUST be available to configure the OTLP expo | |||
| | -------------------- | ------------------------------------------------------------ | ----------------- | ------------------------------------------------------------ | | |||
| | Endpoint | Target to which the exporter is going to send spans or metrics. The endpoint MUST be a valid URL with scheme (http or https) and host, and MAY contain a port and path. A scheme of https indicates a secure connection. When using `OTEL_EXPORTER_ENDPOINT` with OTLP/HTTP, exporters SHOULD follow the collector convention of appending the version and signal to the path (e.g. `v1/traces` or `v1/metrics`). The per-signal endpoint configuration options take precedence and can be used to override this behavior. See the [OTLP Specification][otlphttp-req] for more details. | `https://localhost:4317` | `OTEL_EXPORTER_OTLP_ENDPOINT` `OTEL_EXPORTER_OTLP_TRACES_ENDPOINT` `OTEL_EXPORTER_OTLP_METRICS_ENDPOINT` | | |||
| | Protocol | The protocol used to transmit the data. One of `grpc`,`http/json`,`http/protobuf`. | `grpc` | `OTEL_EXPORTER_OTLP_PROTOCOL` `OTEL_EXPORTER_OTLP_TRACES_PROTOCOL` `OTEL_EXPORTER_OTLP_METRICS_PROTOCOL` | | |||
| | Certificate File | Path to certificate file for TLS credentials of gRPC client. Should only be used for a secure connection. | n/a | `OTEL_EXPORTER_OTLP_CERTIFICATE` `OTEL_EXPORTER_OTLP_TRACES_CERTIFICATE` `OTEL_EXPORTER_OTLP_METRICS_CERTIFICATE` | | |||
| | Client certificate / key | The TLS certificate and private key to authenticate the client for mTLS. Should only be used for a secure connection. | n/a | `OTEL_EXPORTER_OTLP_TLS_CERTIFICATE` `OTEL_EXPORTER_OTLP_TRACES_TLS_CERTIFICATE` `OTEL_EXPORTER_OTLP_METRICS_TLS_CERTIFICATE`, `OTEL_EXPORTER_OTLP_TLS_PRIVATE_KEY` `OTEL_EXPORTER_OTLP_TRACES_TLS_PRIVATE_KEY` `OTEL_EXPORTER_OTLP_METRICS_TLS_PRIVATE_KEY` | | |||
There was a problem hiding this comment.
Just a question, mostly out of curiosity. I see a replacing of Path to certificate file... for The TLS certificate and private key.... The idea behind that is to use the contents of the certificate as the value of the environment variable?
There was a problem hiding this comment.
Thanks for calling this out. This was tough for me since this table has both configuration options and environment variables. I don't think the SDK has to expose a programmatic interface that only accepts a path, and often it'd probably not a good idea since it makes it difficult to provide credentials in non-file ways such as embedding into the binary or using a KMS client. The environment variable makes sense to point to a path though. So I made the description generic to not specify the type to apply to both.
There was a problem hiding this comment.
Perhaps we should move the environment variables out of here to the sdk-environment-variables doc since they seem somewhat mysterious to be defined here and would give us the flexibility when describing. That'd be for another PR though I think.
|
@jsuereth Any opinion on this one? 😄 |
…ication into client-tls
The current version of the specification makes me think that Certificate File is intended to be used as part of the client authentication, which it is not. This change addresses part of the confusion discussed in open-telemetry#1363, the certificate file option and environment variable points to the certificate used to verify the server's certificate. See also open-telemetry#1375.
* clarify meaning of "Certificate File" The current version of the specification makes me think that Certificate File is intended to be used as part of the client authentication, which it is not. This change addresses part of the confusion discussed in #1363, the certificate file option and environment variable points to the certificate used to verify the server's certificate. See also #1375. * update changelog * Update CHANGELOG.md Co-authored-by: Sergey Kanzhelev <S.Kanzhelev@live.com>
* clarify meaning of "Certificate File" The current version of the specification makes me think that Certificate File is intended to be used as part of the client authentication, which it is not. This change addresses part of the confusion discussed in open-telemetry/opentelemetry-specification#1363, the certificate file option and environment variable points to the certificate used to verify the server's certificate. See also open-telemetry/opentelemetry-specification#1375. * update changelog * Update CHANGELOG.md Co-authored-by: Sergey Kanzhelev <S.Kanzhelev@live.com>
… cert of server.
Fixes #1363
Changes
Adds variables for configuring client TLS auth and rename / clarify the current configuration for a server's trusted certificate.