-
Notifications
You must be signed in to change notification settings - Fork 773
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Spec Compliance] OTLP Exporter Configuration Options #1778
Comments
Another option is to trim the current public options to accept only generic options like a |
I wonder if we can get away with a single exporter but a different options class for each of the protocol i.e., I think I like the idea of maintaining direct access to the underlying protocol options e.g. |
I actually have not played around with this. Though I had assumed that setting the credentials with the ChannelOptions (< netstandard2.1) or the HttpClientHandler (netstandard2.1) would be sufficient to meet the requirements of the spec. Are we thinking that this is not sufficient and that we need an explicit cert file option? In order to support the |
We can start with not exposing these, and based on needs, consider exposing more. If the requirement is not .NET specific, we can get it updated in the spec. |
#1781 Makes Headers generic enough, and in compliance with spec. and also added timeout as per spec. I propose the following: @alanwest @CodeBlanch @pjanotti @reyang @SergeyKanzhelev Please share any concerns with this. (This is the last blocker for 1.0) |
I agree with the approach.
One thing to keep in mind here is that the Grpc.Net.Client library (netstandard2.1) requires the scheme to be declared e.g., |
If we remove ChannelOptions & ChannelCredentials will still be able to do SSL? I'm not too familiar with the google client. |
We need to vet this out, but my thought was that if someone provided a cert file via configuration then we'd set the ChannelCredentials appropriately. Here are some examples https://grpc.io/docs/guides/auth/#csharp Seems the spec has conceived of the first two variations |
IIRC it should be possible to enable it via metadata - that said I think it is fine for a client library to not have this capability.
As already noted by @alanwest and @CodeBlanch will block SSL. If we can just choose between insecure and |
I think we could cover all the cases if the logic were something like Google gRPC library: if (cfg.Endpoint.StartsWith("https") && cfg.CertificateFile == null)
{
var channel = new Channel(cfg.Endpoint, new SslCredentials());
}
else if (cfg.Endpoint.StartsWith("https") && cfg.CertificateFile != null)
{
var channelCredentials = new SslCredentials(File.ReadAllText(cfg.CertificateFile));
var channel = new Channel(cfg.Endpoint, channelCredentials);
}
else
{
var channel = new Channel(cfg.Endpoint, ChannelCredentials.Insecure);
} Grpc.Net.Client (netstandard2.1) // see https://docs.microsoft.com/aspnet/core/grpc/authn-and-authz?view=aspnetcore-5.0#client-certificate-authentication
if (cfg.CertificateFile != null)
{
var certificate = ReadTheFile(cfg.CertificateFile); // Probably a way to do this...
var handler = new HttpClientHandler();
handler.ClientCertificates.Add(certificate);
var channel = GrpcChannel.ForAddress(cfg.Endpoint, new GrpcChannelOptions
{
HttpHandler = handler
});
}
else
{
var channel = GrpcChannel.ForAddress(cfg.Endpoint)
} Update I had some wrong assumptions regarding the Google gRPC library. The channel cannot be constructed with a URI that includes the http/https scheme. So something like the following should work if (cfg.CertificateFile != null)
{
var channelCredentials = new SslCredentials(File.ReadAllText(cfg.CertificateFile));
var channel = new Channel(cfg.Endpoint, channelCredentials);
}
else
{
var channel = new Channel(cfg.Endpoint, ChannelCredentials.Insecure);
} However, I'm uncertain whether it should be possible to use a secure channel without the need for supplying a certificate file. If this is possible, then it seems to me the specification is insufficient to allow this. |
Sorry if I'm missing some context but why not simply delegate to the user, something like (hand compiled code): .AddOtlpExporter(otlpOptions =>
{
otlpOptions.Endpoint = new Uri(this.Configuration.GetValue<string>("Otlp:Endpoint"));
otlpOptions.GrpcChannelOptions.Credentials = new Grpc.Core.SslCredentials();
})); |
@pjanotti One of the goal is to avoid Grpc specific things from the Options. That means removing |
@pjanotti That's effectively what we have now. The concern is that, in your example, 😄 Cijo beat me... |
Spoke offline with Reiley, Alan about this more and we need to take more time to explore the best way to handle OTLPExporterOptions. To keep up the original plan of releasing 1.0 this week (spec is marked stable, so we are not blocked from there), here are our options:
|
If we make Endpoint a var channel;
if (cfg.Endpoint.Scheme == Uri.UriSchemeHttps)
{
if (cfg.CertificateFile == null)
{
channel = new Channel(cfg.Endpoint.Authority, new SslCredentials());
}
else
{
channel = new Channel(cfg.Endpoint.Authority, new SslCredentials(File.ReadAllText(cfg.CertificateFile)));
}
}
else
{
channel = new Channel(cfg.Endpoint.Authority, ChannelCredentials.Insecure);
} I think allowing for the |
@cijothomas I am good with either 1 or 2... leaning towards 2. |
I prefer option 2, @CodeBlanch suggestion above is good. |
Yep, this is the use case we're trying to sort out. I think there's a little more to it than just a check like Ideally I think we go with option 2 giving us some time to push for some clarification with the spec. |
@alanwest We can close this issue right? we currently support everything 1.0 spec requires. |
@cijothomas We do not currently support the option to set a certificate file. Might make sense to capture this in an issue of its own and close this one. Also, we don't currently support configuring the OTLP exporter via environment variables - I thought we had an issue for this... not finding it off hand. |
Opening this to discuss the OTLP Exporter compliance issue
The spec for OTLP Exporter mentions these configuration options to be present: https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/protocol/exporter.md
OTLP Exporter options currently support these options:
Issue1:
The configuration options that we have currently are gRPC specific.
For eg. the spec says that the options Headers could be used for both gRPC and HTTP. We have set the data type for Headers as Metadata which is from the Grpc client. If we add support for Http later we cannot use this option.
Issue2:
The user cannot provide the certificate file as an option
Currently, the user is expected to provide either the Credentials along with ChannelOptions for non-netstandard2.1, or the GrpcChannelOptions object with the HttpClientHandler which includes the user provided certificate. The spec says to add Certificate File as a configuration option. This would require require generating Credentials from the user provided Certificate for non-netstandard2.1 and creating the appropriate HttpClientHandler for netstandard2.1
Possible solutions to Issue 1
The text was updated successfully, but these errors were encountered: