Document how to use OTLP exporters with self-signed certificates #6882

Open: wants to merge 6 commits into base: main

68 changes: 68 additions & 0 deletions exporters/otlp/otlplog/otlploggrpc/example_test.go
Expand Up @@ -5,6 +5,12 @@ package otlploggrpc_test

import (
"context"
"crypto/tls"
"crypto/x509"
"errors"
"os"

"google.golang.org/grpc/credentials"

"go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc"
"go.opentelemetry.io/otel/log/global"
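Review bot: The `errors` import added in this block is used only once, for `panic(errors.New("failed to add CA certificate to root CA pool"))` in the new example; every other failure path there panics with the returned `err` directly. Passing the string straight to `panic` would behave the same in an example and lets the import go.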
Expand All @@ -31,3 +37,65 @@ func Example() {
// From here, the provider can be used by instrumentation to collect
// telemetry.
}

// Demonstrates how to configure the exporter using self-signed certificates.
func Example_selfSignedCertificates() {
ctx := context.Background()
var grpcExpOpt []otlploggrpc.Option
// the filepath to the server's CA certificate
caFile := os.Getenv("CUSTOM_SERVER_CA_CERTIFICATE")
// the filepath to the client's certificate
clientCert := os.Getenv("CUSTOM_CLIENT_CERTIFICATE")
// the filepath to the client's private key
clientKey := os.Getenv("CUSTOM_CLIENT_KEY")
if caFile != "" && clientCert != "" && clientKey != "" {
// mTLS connection
tlsCfg := tls.Config{
InsecureSkipVerify: false,
Member

@pellared pellared Jun 9, 2025

Is it needed if we add CA certificate to root CA pool?

Author

Use new cert pool instead

Member

@pellared pellared Jun 12, 2025

Still, do we need to set InsecureSkipVerify to false?

Is this not the only thing that is needed?

pool := x509.NewCertPool()
if !pool.AppendCertsFromPEM(data) {
	panic("failed to add CA certificate to root CA pool")
}
tlsCfg := &tls.Config{
	RootCAs: pool,
}
creds := credentials.NewTLS(tlsCfg)

}
// loads CA certificate
pool := x509.NewCertPool()
data, err := os.ReadFile(caFile)
if err != nil {
panic(err)
}
if !pool.AppendCertsFromPEM(data) {
panic(errors.New("failed to add CA certificate to root CA pool"))
}
tlsCfg.RootCAs = pool
// load client cert and key
keypair, err := tls.LoadX509KeyPair(clientCert, clientKey)
if err != nil {
panic(err)
}
tlsCfg.Certificates = []tls.Certificate{keypair}
creds := credentials.NewTLS(&tlsCfg)
option := otlploggrpc.WithTLSCredentials(creds)
grpcExpOpt = append(grpcExpOpt, option)
} else if caFile != "" {
// TLS connection
creds, err := credentials.NewClientTLSFromFile(caFile, "")
if err != nil {
panic(err)
}
option := otlploggrpc.WithTLSCredentials(creds)
grpcExpOpt = append(grpcExpOpt, option)
}
exp, err := otlploggrpc.New(ctx, grpcExpOpt...)
if err != nil {
panic(err)
}

processor := log.NewBatchProcessor(exp)
provider := log.NewLoggerProvider(log.WithProcessor(processor))
defer func() {
if err := provider.Shutdown(ctx); err != nil {
panic(err)
}
}()

global.SetLoggerProvider(provider)

// From here, the provider can be used by instrumentation to collect
// telemetry.
}
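
Review bot: The branch selection in `Example_selfSignedCertificates` silently changes mode on partial configuration. With `if caFile != "" && clientCert != "" && clientKey != ""`, setting only one of `CUSTOM_CLIENT_CERTIFICATE` and `CUSTOM_CLIENT_KEY` falls through to the `else if caFile != ""` branch and connects without a client certificate, and with `CUSTOM_SERVER_CA_CERTIFICATE` unset none of the certificate settings are applied at all. Since this is example code that people will copy, consider failing explicitly when the client certificate and key are not both set, and add a comment saying what happens when no variable is set. Separately, `InsecureSkipVerify: false` in the `tls.Config` literal is the zero value, so the literal can be left empty and only `RootCAs` and `Certificates` assigned.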