Document how to use OTLP exporters with self-signed certificates

CHANGELOG.md

@@ -20,7 +20,7 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
 - Add `EventName` to `EnabledParameters` in `go.opentelemetry.io/otel/log`. (#6825)
 - Add `EventName` to `EnabledParameters` in `go.opentelemetry.io/otel/sdk/log`. (#6825)
 - Changed handling of `go.opentelemetry.io/otel/exporters/prometheus` metric renaming to add unit suffixes when it doesn't match one of the pre-defined values in the unit suffix map. (#6839)
-
+- Add example doc for `go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc` Document how to use OTLP exporters with self-signed certificates. (#6661)
 ### Removed
 
 - `go.opentelemetry.io/otel/exporters/prometheus` no longer exports `otel_scope_info` metric. (#6770)

exporters/otlp/otlplog/otlploggrpc/doc.go

@@ -47,6 +47,7 @@ OTEL_EXPORTER_OTLP_CERTIFICATE, OTEL_EXPORTER_OTLP_LOGS_CERTIFICATE (default: no
 the filepath to the trusted certificate to use when verifying a server's TLS credentials.
 OTEL_EXPORTER_OTLP_LOGS_CERTIFICATE takes precedence over OTEL_EXPORTER_OTLP_CERTIFICATE.
 The configuration can be overridden by [WithTLSCredentials], [WithGRPCConn] options.
+For self-signed certificates, this configuration should be used together with [WithTLSCredentials].
 
 OTEL_EXPORTER_OTLP_CLIENT_CERTIFICATE, OTEL_EXPORTER_OTLP_LOGS_CLIENT_CERTIFICATE (default: none) -
 the filepath to the client certificate/chain trust for client's private key to use in mTLS communication in PEM format.

exporters/otlp/otlplog/otlploggrpc/example_test.go

@@ -5,6 +5,12 @@ package otlploggrpc_test
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"errors"
+	"os"
+
+	"google.golang.org/grpc/credentials"
 
 	"go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc"
 	"go.opentelemetry.io/otel/log/global"
@@ -31,3 +37,64 @@ func Example() {
 	// From here, the provider can be used by instrumentation to collect
 	// telemetry.
 }
+
+func ExampleWithTLSCredentials() {
+	ctx := context.Background()
+	var grpcExpOpt []otlploggrpc.Option
+	// the trusted certificate to use when verifying a server's TLS credentials
+	caFile := os.Getenv("OTEL_EXPORTER_OTLP_CERTIFICATE")
+	// the filepath to the client certificate
+	clientCert := os.Getenv("OTEL_EXPORTER_OTLP_CLIENT_CERTIFICATE")
+	// the filepath to the client's private key
+	clientKey := os.Getenv("OTEL_EXPORTER_OTLP_CLIENT_KEY")
+	if caFile != "" && clientCert != "" && clientKey != "" {
+		// mTLS connection
+		tlsCfg := tls.Config{
+			InsecureSkipVerify: false,
+		}
+		// loads CA certificate
+		pool, _ := x509.SystemCertPool()
+		data, err := os.ReadFile(caFile)
+		if err != nil {
+			panic(err)
+		}
+		if !pool.AppendCertsFromPEM(data) {
+			panic(errors.New("failed to add CA certificate to root CA pool"))
+		}
+		tlsCfg.RootCAs = pool
+		// load client cert and key
+		keypair, err := tls.LoadX509KeyPair(clientCert, clientKey)
+		if err != nil {
+			panic(err)
+		}
+		tlsCfg.Certificates = []tls.Certificate{keypair}
+		creds := credentials.NewTLS(&tlsCfg)
+		option := otlploggrpc.WithTLSCredentials(creds)
+		grpcExpOpt = append(grpcExpOpt, option)
+	} else if caFile != "" {
+		// TLS connection
+		creds, err := credentials.NewClientTLSFromFile(caFile, "")
+		if err != nil {
+			panic(err)
+		}
+		option := otlploggrpc.WithTLSCredentials(creds)
+		grpcExpOpt = append(grpcExpOpt, option)
+	}
+	exp, err := otlploggrpc.New(ctx, grpcExpOpt...)
+	if err != nil {
+		panic(err)
+	}
+
+	processor := log.NewBatchProcessor(exp)
+	provider := log.NewLoggerProvider(log.WithProcessor(processor))
+	defer func() {
+		if err := provider.Shutdown(ctx); err != nil {
+			panic(err)
+		}
+	}()
+
+	global.SetLoggerProvider(provider)
+
+	// From here, the provider can be used by instrumentation to collect
+	// telemetry.
+}