feat: Add support for mutual TLS. #1556
Conversation
megabus-tobin
requested review from
fbogsany,
mwear,
robertlaurin,
dazuma,
ericmustin,
arielvalentin,
ahayworth,
plantfansam and
robbkidd
as code owners
|
|
|
@megabus-tobin Thank you for your contribution! Please consider separating the error handling changes in a separate PR. We will be able to review and release that change independent of verifying the correctness of the changes required for mTLS support. Happy Holidays! |
megabus-tobin
force-pushed
the
mutual-tls
branch
from
a848635
to
2ef502a
Compare
megabus-tobin
changed the title
|
@arielvalentin I've split the small logging change off into #1557 Thanks! |
There was a problem hiding this comment.
Thank you, @megabus-tobin!
For anyone who's interested, the specs for these env vars can be found here: https://opentelemetry.io/docs/specs/otel/protocol/exporter/
Could you incorporate the new environment variables into the exporter tests? (here's the file for the OTLP library)
Anywhere the certificate_file is mentioned may be a good place to add content for the client certificate and key.
kaylareopelle
force-pushed
the
mutual-tls
branch
from
2ef502a
to
2e40941
Compare
The I'm not sure what the best approach would be. Should I add a test certificate and key to the repository or refactor The latter would be very similar to what |
Sorry for my delated response. Great questions! I think adding the test certificate and key seems the least intrusive to what you've already built if that's not too much effort. If other approvers/maintainers disagree, please chime in! I like your idea about following the pattern in |
|
👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the |
Add support for specifying client certificate and key for mutual TLS when exporting.
megabus-tobin
force-pushed
the
mutual-tls
branch
from
e84e75c
to
384a6a9
Compare
|
@kaylareopelle I have updated the tests to check that the client certificate and key are handled correctly. Some small notes:
|
|
👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the |
| http = Net::HTTP.new(uri.host, uri.port) | ||
| http.use_ssl = uri.scheme == 'https' | ||
| http.verify_mode = ssl_verify_mode | ||
| http.ca_file = certificate_file unless certificate_file.nil? | ||
| http.cert = OpenSSL::X509::Certificate.new(File.read(client_certificate_file)) unless client_certificate_file.nil? |
There was a problem hiding this comment.
Especially when running in containers, and using environment variables, it would be nice to be able to load the PEM encoded cert/key directly from environment variables, instead of having to find a way to write it to a file first.
There was a problem hiding this comment.
I agree but at least one file will still be needed for many/most users because it's assigned to Net::HTTP#ca_file which can only be a path. Should I make the change to support either for the client cert and key despite that?
|
Would be nice to update the gRPC exporter as well. creds = if mtls_config_provided
GRPC::Core::ChannelCredentials.new(ca, key, cert)
else
:this_channel_is_insecure
end
@client = Opentelemetry::Proto::Collector::Trace::V1::TraceService::Stub.new(
"#{uri.host}:#{uri.port}",
creds
) |
@megabus-tobin, thank you for updating the tests! I think this is a solid approach. Are you planning to make the GRPC changes mentioned here as part of this PR? |
Add support for specifying client certificate and key for mutual TLS when exporting.
Also log more information about why an SSL error occured as this can be very difficult to diagnose. This is logged in the same way as other probably fatal issues are, e.g. HTTP 404s.