New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Add support for mutual TLS. #1556
base: main
Are you sure you want to change the base?
Conversation
|
@megabus-tobin Thank you for your contribution! Please consider separating the error handling changes in a separate PR. We will be able to review and release that change independent of verifying the correctness of the changes required for mTLS support. Happy Holidays! |
a848635
to
2ef502a
Compare
@arielvalentin I've split the small logging change off into #1557 Thanks! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you, @megabus-tobin!
For anyone who's interested, the specs for these env vars can be found here: https://opentelemetry.io/docs/specs/otel/protocol/exporter/
Could you incorporate the new environment variables into the exporter tests? (here's the file for the OTLP library)
Anywhere the certificate_file
is mentioned may be a good place to add content for the client certificate and key.
2ef502a
to
2e40941
Compare
The I'm not sure what the best approach would be. Should I add a test certificate and key to the repository or refactor The latter would be very similar to what |
Sorry for my delated response. Great questions! I think adding the test certificate and key seems the least intrusive to what you've already built if that's not too much effort. If other approvers/maintainers disagree, please chime in! I like your idea about following the pattern in |
👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the |
Add support for specifying client certificate and key for mutual TLS when exporting.
e84e75c
to
384a6a9
Compare
@kaylareopelle I have updated the tests to check that the client certificate and key are handled correctly. Some small notes:
|
👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the |
http = Net::HTTP.new(uri.host, uri.port) | ||
http.use_ssl = uri.scheme == 'https' | ||
http.verify_mode = ssl_verify_mode | ||
http.ca_file = certificate_file unless certificate_file.nil? | ||
http.cert = OpenSSL::X509::Certificate.new(File.read(client_certificate_file)) unless client_certificate_file.nil? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Especially when running in containers, and using environment variables, it would be nice to be able to load the PEM encoded cert/key directly from environment variables, instead of having to find a way to write it to a file first.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree but at least one file will still be needed for many/most users because it's assigned to Net::HTTP#ca_file
which can only be a path. Should I make the change to support either for the client cert and key despite that?
Would be nice to update the gRPC exporter as well. creds = if mtls_config_provided
GRPC::Core::ChannelCredentials.new(ca, key, cert)
else
:this_channel_is_insecure
end
@client = Opentelemetry::Proto::Collector::Trace::V1::TraceService::Stub.new(
"#{uri.host}:#{uri.port}",
creds
) |
@megabus-tobin, thank you for updating the tests! I think this is a solid approach. Are you planning to make the GRPC changes mentioned here as part of this PR? |
Add support for specifying client certificate and key for mutual TLS when exporting.
Also log more information about why an SSL error occured as this can be very difficult to diagnose. This is logged in the same way as other probably fatal issues are, e.g. HTTP 404s.