feat(otlp): support INSECURE environment variables for gRPC #3365
Open
bryantbiggs wants to merge 2 commits into open-telemetry:main from
Codecov Report
❌ Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## main #3365 +/- ##
=====================================
Coverage 83.2% 83.3%
=====================================
Files 128 128
Lines 25045 25144 +99
=====================================
+ Hits 20858 20956 +98
- Misses 4187 4188 +1
Add support for 4 INSECURE environment variables per the OTLP exporter specification (SHOULD-level):
- OTEL_EXPORTER_OTLP_INSECURE (generic)
- OTEL_EXPORTER_OTLP_TRACES_INSECURE
- OTEL_EXPORTER_OTLP_METRICS_INSECURE
- OTEL_EXPORTER_OTLP_LOGS_INSECURE

Per the spec, INSECURE only applies to gRPC (not HTTP - HTTP security is determined by URL scheme). There is intentionally no programmatic builder method - this is env-var-only per spec.

When an endpoint has no explicit scheme:
- INSECURE=true: connect without TLS (prepend http://)
- INSECURE=false (default): connect with TLS (prepend https://, auto-apply ClientTlsConfig::new() when TLS features are enabled)

Endpoints with explicit http:// or https:// scheme ignore the INSECURE flag entirely. Scheme detection is case-insensitive.

Note: Schemeless endpoints (e.g., collector.example.com:4317) now default to https:// instead of being passed as-is. Set OTEL_EXPORTER_OTLP_INSECURE=true for plaintext connections.

Refs: open-telemetry#774, open-telemetry#984
Summary

Add support for 4 INSECURE environment variables per the OTLP exporter specification (SHOULD-level):
- OTEL_EXPORTER_OTLP_INSECURE (generic)
- OTEL_EXPORTER_OTLP_TRACES_INSECURE
- OTEL_EXPORTER_OTLP_METRICS_INSECURE
- OTEL_EXPORTER_OTLP_LOGS_INSECURE

Per the spec, INSECURE only applies to gRPC (not HTTP — HTTP security is determined by URL scheme). There is intentionally no programmatic builder method — this is env-var-only per spec.

Behavior

When an endpoint has no explicit scheme (e.g., collector.example.com:4317):
- INSECURE=true → prepends http:// (plaintext)
- INSECURE=false (default) → prepends https:// and auto-applies ClientTlsConfig::new() when TLS features are enabled

Endpoints with an explicit http:// or https:// scheme are unaffected (scheme detection is case-insensitive).

Signal-specific env var takes precedence over generic; "true" (case-insensitive) = insecure, anything else = secure.

Breaking behavior change

Schemeless endpoints (e.g., collector.example.com:4317) now default to https:// instead of being passed as-is to Channel::from_shared. Users with schemeless endpoints connecting to plaintext gRPC servers should set OTEL_EXPORTER_OTLP_INSECURE=true. Endpoints with an explicit http:// scheme (including the default http://localhost:4317) are unaffected.

Test plan

- cargo clippy -p opentelemetry-otlp --all-targets --all-features -- -D warnings passes
- cargo test -p opentelemetry-otlp --all-features — 117 unit + 2 integration + 21 doc-tests pass
- resolve_insecure(): signal overrides generic, default is false, case-insensitive, non-true values return false, falls back to generic
- build_channel with INSECURE: schemeless+secure errors without TLS, schemeless+insecure succeeds, schemeless defaults to https, explicit http:// ignores INSECURE env
- temp_env::with_var_unset for signal-specific var to prevent parallel test interference

Resolves: #774
Resolves: #984
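
The resolution rules described in this pull request, written out as an added example (not the PR's or the opentelemetry-otlp crate's code) that also flags configurations ending up on plaintext gRPC. The name resolve_insecure appears in the test plan, but its signature here is an assumption; has_explicit_scheme, normalize_endpoint and audit are hypothetical helpers, and the environment values are passed in as arguments instead of being read from the process environment.

```rust
// Added illustration; signatures and helper names are assumptions, not the crate's API.

/// Signal-specific value wins over the generic one; only "true"
/// (case-insensitive) means insecure, anything else or unset means secure.
fn resolve_insecure(signal: Option<&str>, generic: Option<&str>) -> bool {
    signal
        .or(generic)
        .map(|v| v.eq_ignore_ascii_case("true"))
        .unwrap_or(false)
}

/// True when the endpoint already carries http:// or https:// (any case).
fn has_explicit_scheme(endpoint: &str) -> bool {
    let lower = endpoint.to_ascii_lowercase();
    lower.starts_with("http://") || lower.starts_with("https://")
}

/// Returns the endpoint to dial and whether TLS is required for it.
fn normalize_endpoint(endpoint: &str, insecure: bool) -> (String, bool) {
    if has_explicit_scheme(endpoint) {
        // An explicit scheme ignores the INSECURE flag entirely.
        let tls = endpoint.to_ascii_lowercase().starts_with("https://");
        return (endpoint.to_string(), tls);
    }
    if insecure {
        (format!("http://{endpoint}"), false)
    } else {
        (format!("https://{endpoint}"), true)
    }
}

/// Deployment check: reports configurations that export telemetry in plaintext.
fn audit(endpoint: &str, signal: Option<&str>, generic: Option<&str>) -> Option<String> {
    let (url, tls) = normalize_endpoint(endpoint, resolve_insecure(signal, generic));
    if tls { None } else { Some(format!("plaintext gRPC export to {url}")) }
}

fn main() {
    // Constructed sample configurations: (endpoint, signal-specific var, generic var).
    let cases: [(&str, Option<&str>, Option<&str>); 4] = [
        ("collector.example.com:4317", None, None),
        ("collector.example.com:4317", None, Some("TRUE")),
        ("collector.example.com:4317", Some("false"), Some("true")),
        ("HTTP://localhost:4317", None, None),
    ];
    for (ep, sig, generic) in cases {
        println!("{ep} signal={sig:?} generic={generic:?} -> {:?}", audit(ep, sig, generic));
    }
}
```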