-
Notifications
You must be signed in to change notification settings - Fork 821
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(trace-otlp-grpc): configure security with env vars #2827
feat(trace-otlp-grpc): configure security with env vars #2827
Conversation
Signed-off-by: Svetlana Brennan <svetlana.svn@gmail.com>
Signed-off-by: Svetlana Brennan <svetlana.svn@gmail.com>
Signed-off-by: Svetlana Brennan <svetlana.svn@gmail.com>
Signed-off-by: Svetlana Brennan <svetlana.svn@gmail.com>
Signed-off-by: Svetlana Brennan <svetlana.svn@gmail.com>
Signed-off-by: Svetlana Brennan <svetlana.svn@gmail.com>
Signed-off-by: Svetlana Brennan <svetlana.svn@gmail.com>
Codecov Report
@@ Coverage Diff @@
## main #2827 +/- ##
==========================================
- Coverage 92.52% 92.51% -0.01%
==========================================
Files 183 183
Lines 5980 6029 +49
Branches 1268 1283 +15
==========================================
+ Hits 5533 5578 +45
- Misses 447 451 +4
|
This PR doesn't break anything when it comes to setting up transport security. I would like some feedback on the following items:
|
Discussed in SIG yesterday and spent a little more time reading the spec today. The spec states "The endpoint SHOULD accept any form allowed by the underlying gRPC client implementation" and also only specifies |
@svetlanabrennan what's the current status here? |
I just need confirmations on these use cases before I push up my changes to this pr:
Do you (and anyone else) agree with this configuration? |
Signed-off-by: Svetlana Brennan <svetlana.svn@gmail.com>
Signed-off-by: Svetlana Brennan <svetlana.svn@gmail.com>
Signed-off-by: Svetlana Brennan <svetlana.svn@gmail.com>
According to @tigrannajaryan open-telemetry/opentelemetry-specification#2420 it should be insecure to localhost. Tigran agrees spec should be clarified.
This seems reasonable
Yes
This is not as clear. I'll ask Tigran. The spec says insecure is false by default, but
Yes
Yes. I think this will also be the answer for "user sets http scheme and no other items" but we'll wait for Tigran.
Yes
Yes
Yes |
Signed-off-by: Svetlana Brennan <svetlana.svn@gmail.com>
Signed-off-by: Svetlana Brennan <svetlana.svn@gmail.com>
Thank you for that feedback @dyladan. I'll wait for clarification on use case 4 and 6. Note: this pr is also held up by the two lerna configurations issue. |
Tigran has clarified that the intention of the spec was for the default to be an insecure localhost connection.
Tigran's comment here clarifies that endpoint with http scheme overrides insecure setting. Insecure setting is only used if no scheme is provided.
The same clarification above also applies to this. The insecure config is only used if a scheme is not provided. |
…use cases Signed-off-by: Svetlana Brennan <svetlana.svn@gmail.com>
…telemetry-js into add-insecure-config
Perfect. Thanks for the clarification. |
Signed-off-by: Svetlana Brennan <svetlana.svn@gmail.com>
Signed-off-by: Svetlana Brennan <svetlana.svn@gmail.com>
Signed-off-by: Svetlana Brennan <svetlana.svn@gmail.com>
Signed-off-by: Svetlana Brennan <svetlana.svn@gmail.com>
Signed-off-by: Svetlana Brennan <svetlana.svn@gmail.com>
Signed-off-by: Svetlana Brennan <svetlana.svn@gmail.com>
Sorry for the delay on review here. i've got this on my list for the morning |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for doing the significant research and spec legwork on this. Sorry it took so long to get reviewed.
Signed-off-by: Svetlana Brennan <svetlana.svn@gmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is great work, Thank you! LGTM % nits.
@@ -55,7 +54,7 @@ export class OTLPTraceExporter | |||
? validateAndNormalizeUrl(getEnv().OTEL_EXPORTER_OTLP_TRACES_ENDPOINT) | |||
: getEnv().OTEL_EXPORTER_OTLP_ENDPOINT.length > 0 | |||
? validateAndNormalizeUrl(getEnv().OTEL_EXPORTER_OTLP_ENDPOINT) | |||
: DEFAULT_COLLECTOR_URL; | |||
: validateAndNormalizeUrl(DEFAULT_COLLECTOR_URL); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need to validate a hardcoded default URL?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes because the DEFAULT_COLLECTOR_URL
didn't have a scheme so we didn't need to pass it to validateAndNormalizeUrl
like we do when user adds a url to config.url
or when using env vars.
Now that I updated DEFAULT_COLLECTOR_URL
to have an http scheme (like we discussed in the sig so it matches the spec) so we need to pass it to validateAndNormalizeUrl
to remove the scheme.
@@ -59,7 +57,7 @@ class OTLPMetricExporterProxy extends OTLPGRPCExporterNodeBase<ResourceMetrics, | |||
? validateAndNormalizeUrl(getEnv().OTEL_EXPORTER_OTLP_METRICS_ENDPOINT) | |||
: getEnv().OTEL_EXPORTER_OTLP_ENDPOINT.length > 0 | |||
? validateAndNormalizeUrl(getEnv().OTEL_EXPORTER_OTLP_ENDPOINT) | |||
: DEFAULT_COLLECTOR_URL; | |||
: validateAndNormalizeUrl(DEFAULT_COLLECTOR_URL); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ditto
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same answer as this one
Signed-off-by: Svetlana Brennan <svetlana.svn@gmail.com>
Co-authored-by: Chengzhong Wu <legendecas@gmail.com>
Fixes #2420 ## Changes - Clarify the insecure option for gRPC exporters Related issues - open-telemetry/opentelemetry-js#2827
Fixes #2420 ## Changes - Clarify the insecure option for gRPC exporters Related issues - open-telemetry/opentelemetry-js#2827
Fixes #2420 ## Changes - Clarify the insecure option for gRPC exporters Related issues - open-telemetry/opentelemetry-js#2827
Which problem is this PR solving?
Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change.
Partially Fixes #2706 (issue)
Currently the transport security for the gRPC exporter can be set either programmatically or the default insecure transport is used. This PR adds insecure environment variables and certificate file environment variables that related to security configuration.
Short description of the changes
configureSecurity
function that sets up the transport security configuration.localhost:4317
tohttp://localhost:4317
as discussed during the SIG.grpc(s)
scheme and tests related to checking `grpc(s) scheme.Type of change
Please delete options that are not relevant.
How Has This Been Tested?
Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration
Checklist:
TODO:
OTEL_EXPORTER_OTLP_SPAN_INSECURE
as part ofconfigureSecurity
function.