Add skaffolding for low level exporter SSL API #5362
Conversation
exporters/common/src/main/java/io/opentelemetry/exporter/internal/TlsConfigHelper.java
Show resolved
Hide resolved
exporters/common/src/main/java/io/opentelemetry/exporter/internal/grpc/ManagedChannelUtil.java
Show resolved
Hide resolved
exporters/common/src/main/java/io/opentelemetry/exporter/internal/TlsUtil.java
Show resolved
Hide resolved
Codecov ReportPatch coverage:
Additional details and impacted files@@ Coverage Diff @@
## main #5362 +/- ##
============================================
+ Coverage 91.20% 91.24% +0.04%
+ Complexity 4865 4862 -3
============================================
Files 546 546
Lines 14369 14324 -45
Branches 1351 1352 +1
============================================
- Hits 13105 13070 -35
+ Misses 875 865 -10
Partials 389 389
... and 1 file with indirect coverage changes Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. ☔ View full report in Codecov by Sentry. |
| * <p>Must not be called multiple times, or if {@link #setSslContext(SSLContext, | ||
| * X509TrustManager)} has been previously called. |
There was a problem hiding this comment.
Seems like the better option would be to have multiple constructors with the various argument permutations. That would result in multiple calls being independent instances and not require explicit callout.
There was a problem hiding this comment.
Another option would be to have these as static methods that return the constructed object.
There was a problem hiding this comment.
Nah, this is an internal class. Think of it like a stateful builder, or really a collaborator for a stateful builder. I think a bunch of overloaded constructors is a muddier option in this case.
exporters/common/src/main/java/io/opentelemetry/exporter/internal/TlsConfigHelper.java
Outdated
Show resolved
Hide resolved
| tlsConfigHelper.configureWithSocketFactory(clientBuilder::sslSocketFactory); | ||
| SSLContext sslContext = tlsConfigHelper.getSslContext(); | ||
| X509TrustManager trustManager = tlsConfigHelper.getTrustManager(); | ||
| if (sslContext != null && trustManager != null) { |
There was a problem hiding this comment.
Any risk that one of these being unexpectedly/accidentally null breaks things? The builders don't seem to be covered in the tests.
There was a problem hiding this comment.
Any risk that one of these being unexpectedly/accidentally null breaks things?
If you look closely at TlsConfigHelper both getSslContext and getTrustManager are non-null as long as either setTrustManagerFromCerts or setSslContext is called. These are always called in any valid TLS configuration.
The builders don't seem to be covered in the tests.
Are you referring to OkHttpExporterBuilder#setSslContext not being called in tests? There's a bit of a chicken and an egg problem. Trying to figure out the low level API before exposing it at the higher level (i.e. adding setSslContext methods to OtlpHttp{Signal}Exporterbuilder). Once the API is added in the higher level builders, AbstractHttpTelemetryExporterTest should be extended to call setSslContext.
There was a problem hiding this comment.
Cool stuff @jack-berg this is aligned with what we chatted about. Thanks for sticking it out, I think the API is finally shaping up here. Appreciate it.
| * <p>Must not be called multiple times, or if {@link #setSslContext(SSLContext, | ||
| * X509TrustManager)} has been previously called. |
There was a problem hiding this comment.
Nah, this is an internal class. Think of it like a stateful builder, or really a collaborator for a stateful builder. I think a bunch of overloaded constructors is a muddier option in this case.
exporters/common/src/main/java/io/opentelemetry/exporter/internal/TlsConfigHelper.java
Outdated
Show resolved
Hide resolved
exporters/common/src/main/java/io/opentelemetry/exporter/internal/TlsConfigHelper.java
Outdated
Show resolved
Hide resolved
.../io/opentelemetry/exporter/otlp/testing/internal/ManagedChannelTelemetryExporterBuilder.java
Outdated
Show resolved
Hide resolved
Related to #5280 and this comment.
The overall goal is to provide a low level API for configuring SSL on the exporters for when configuring a static certificate or static mTLS isn't good enough. This should be the last API we add, acting as a catch all for other TLS scenarios.
Ideally we'd be able to just expose a
setSslContext(SSLContext)method. SSLContext is initialized usingKeyManager(s) andTrustManager(s), and produces aSSLSocketFactoryviaSSLContext#getSocketFactory().However, our dependence on okhttp complicates this, since okhttp requires TLS to be configured via
OkHttpClient.Builder#sslSocketFactory(SSLSocketFactory, X509TrustManager). You'd think that because aSSLContextis comprised ofX509TrustManagerand produces aSSLSocketFactory, thatSSLContextwould be enough, but its unfortunately not possible to access theX509TrustManagerfromSSLContext.This means that our low level API has to instead be
setSslContext(SSLContext, X509TrustManager). Including theX509TrustManagerwill feel repetitive to users, since they have likely already included it while initializingSSLContext, but its the best we can do with okhttp.Note, other http libraries like jdk httpclient and apache httpclient accept
SSLContextfor configuration, so okhttp's API is really rather strange. There's a stackoverflow post that hints at the okhttp maintainers working through the API contract.