[EXPORTER] OTLP GRPC mTLS support #1785

Closed
konicasaini opened this issue Nov 18, 2022 · 7 comments · Fixed by #2120
Labels: area:exporter:otlp (OpenTelemetry Protocol (OTLP) Exporter), area:exporter, do-not-stale


@konicasaini

Is your feature request related to a problem?
Wanted to set up an mTLS connection between the OpenTelemetry Collector and the opentelemetry-cpp client.

But was receiving errors like:

```
E1116 16:33:08.044460991 1642002 ssl_transport_security.cc:555] Corruption detected.
E1116 16:33:08.044507949 1642002 ssl_transport_security.cc:531] error:10000412:SSL routines:OPENSSL_internal:SSLV3_ALERT_BAD_CERTIFICATE
E1116 16:33:08.044518471 1642002 secure_endpoint.cc:306]     Decryption error: TSI_DATA_CORRUPTED
E1116 16:33:08.048551622 1642002 ssl_transport_security.cc:555] Corruption detected.
E1116 16:33:08.048570967 1642002 ssl_transport_security.cc:531] error:10000412:SSL routines:OPENSSL_internal:SSLV3_ALERT_BAD_CERTIFICATE
E1116 16:33:08.048579525 1642002 secure_endpoint.cc:306]     Decryption error: TSI_DATA_CORRUPTED
```

Upon research, found out there is no mTLS support on the opentelemetry-cpp client side to enable a connection with the OTel Collector.

Steps to reproduce Issue
otel config should be:

```yaml
receivers:
  otlp:
    protocols:
      grpc:
        tls:
          client_ca_file: "path to client.pem"
          cert_file: "path to server.crt"
          key_file: "path to server.key"
processors:
  batch:

exporters:
  logging:
    logLevel: debug

service:
  pipelines:
    logs:
      receivers: [otlp]
      processors: [batch]
      exporters: [logging]

    traces:
      receivers: [otlp]
      processors: [batch]
      exporters: [logging]

    metrics:
      receivers: [otlp]
      processors: [batch]
      exporters: [logging]
```

Run the client as follows:

```
<path_to_dir>/opentelemetry-cpp/build/examples/otlp$ ./example_otlp_grpc localhost:4317 <path_to_ca_cert>
```

Please enable mTLS support on opentelemetry-cpp client side.

@sirzooro

Related: #1756

@konicasaini
Author

@sirzooro this is in regard to gRPC mTLS support.
However, TLS is supported in gRPC on the opentelemetry-cpp client.

@lalitb added the labels help wanted, good first issue, area:exporter, area:exporter:otlp on Nov 21, 2022
@marcalff
Member

Analysis

The OTLP GRPC client options are:

```cpp
struct OtlpGrpcExporterOptions
{
  // The endpoint to export to. By default the OpenTelemetry Collector's default endpoint.
  std::string endpoint = GetOtlpDefaultGrpcEndpoint();
  // By default when false, uses grpc::InsecureChannelCredentials(); If true,
  // uses ssl_credentials_cacert_path if non-empty, else uses ssl_credentials_cacert_as_string
  bool use_ssl_credentials = GetOtlpDefaultIsSslEnable();
  // ssl_credentials_cacert_path specifies path to .pem file to be used for SSL encryption.
  std::string ssl_credentials_cacert_path = GetOtlpDefaultSslCertificatePath();
  // ssl_credentials_cacert_as_string in-memory string representation of .pem file to be used for
  // SSL encryption.
  std::string ssl_credentials_cacert_as_string = GetOtlpDefaultSslCertificateString();
  // Timeout for grpc deadline
  std::chrono::system_clock::duration timeout = GetOtlpDefaultTimeout();
  // Additional HTTP headers
  OtlpHeaders metadata = GetOtlpDefaultHeaders();
  // User agent
  std::string user_agent = GetOtlpDefaultUserAgent();
};
```

There are options for the CA_CERT, as a path or a string.

Options for the client key (path or string), and client cert (path or string) are missing.
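
A preflight check for the certificate material this setup depends on, as an added example that is not part of the original thread or of opentelemetry-cpp: it confirms that a client certificate chains to the CA the collector is given as `client_ca_file` and that the client key matches that certificate. The function `check_mtls_material` and all file names are hypothetical, and the demo PKI is constructed on the fly with the `openssl` CLI, which is assumed to be installed.

```sh
#!/bin/sh
# Added example, not project code. Preflight check of PEM material for mTLS.
#   $1 CA the server trusts for client certs (collector `client_ca_file`)
#   $2 client certificate   $3 client private key
# Returns 0 = usable, 1 = cert does not chain to that CA, 2 = key/cert mismatch.
check_mtls_material() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$3" -pubout 2>/dev/null) || return 2
  [ "$cert_pub" = "$key_pub" ] || return 2
  return 0
}

# ---- Constructed demo PKI: throwaway names and keys, valid for one day ----
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
cat > "$DEMO/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

make_ca() {      # make_ca NAME: self-signed CA in NAME.pem / NAME.key
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$DEMO/req.cnf" \
    -subj "/CN=$1" -keyout "$DEMO/$1.key" -out "$DEMO/$1.pem" 2>/dev/null
}
make_client() {  # make_client NAME CA: client cert NAME.pem issued by CA
  openssl req -new -newkey rsa:2048 -nodes -config "$DEMO/req.cnf" \
    -subj "/CN=$1" -keyout "$DEMO/$1.key" -out "$DEMO/$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$DEMO/$1.csr" -CA "$DEMO/$2.pem" \
    -CAkey "$DEMO/$2.key" -set_serial 1 -days 1 -out "$DEMO/$1.pem" 2>/dev/null
}
make_ca client-ca && make_ca other-ca &&
  make_client client client-ca && make_client stranger other-ca

report() {       # print the verdict for one CA / cert / key combination
  rc=0; check_mtls_material "$DEMO/$1" "$DEMO/$2" "$DEMO/$3" || rc=$?
  echo "ca=$1 cert=$2 key=$3 -> rc=$rc"
}
report client-ca.pem client.pem client.key    # matching set
report other-ca.pem  client.pem client.key    # server trusts a different CA
report client-ca.pem client.pem stranger.key  # key belongs to another cert
```

Run against real files, the first argument is the CA bundle configured on the collector and the other two are the client certificate and key handed to the exporter.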

@lalitb self-assigned this on Dec 14, 2022
@lalitb removed the labels help wanted, good first issue on Dec 14, 2022
@konicasaini
Author

@lalitb Any update on this?

@marcalff
Member

marcalff commented Jan 4, 2023

For OTLP HTTP, there is work in progress to implement mTLS, see PR #1793

For OTLP GRPC, this is not started yet.

@github-actions

github-actions bot commented Mar 6, 2023

This issue was marked as stale due to lack of activity.

@github-actions bot added the Stale label on Mar 6, 2023
@lalitb added the do-not-stale label and removed the Stale label on Mar 6, 2023
@marcalff changed the title from "To enable mtls support on client opentelemtry-cpp side." to "[EXPORTER] OTLP GRPC mTLS support" on Jun 29, 2023
@kylepl
Contributor

kylepl commented Jun 29, 2023

And just a note for folks trying it out: as you'll see in the code, it is disabled by default currently; you need to define the macro ENABLE_OTLP_GRPC_SSL_MTLS_PREVIEW (or the CMake option DWITH_OTLP_GRPC_SSL_MTLS_PREVIEW=ON) to enable it.
