You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Docs portion shipped in PR #116 — docs/configuration.md now has a full OTel section covering WH_OTEL_ADDR and every other env var, plus an explicit note on the WithInsecure() constraint and the sidecar workaround. docs/deployment.md covers the SigNoz/Honeycomb (OTLP-native) and Grafana Cloud / Alloy (Prometheus scrape + OTLP traces via Alloy) wiring patterns.
This issue is staying open and re-scoped to the actual feature work that the original docs note pointed at: making WaveHouse able to ship OTLP directly to TLS-protected cloud endpoints without an intermediate sidecar.
Problem (re-scoped)
internal/observability/provider.go calls otlptracegrpc.WithInsecure() (and the equivalents for metrics + logs). That means WaveHouse can ship OTLP only to plaintext receivers — typically a local OTel collector or Grafana Alloy on 127.0.0.1:4317. Operators who want to ship directly to:
Any cloud OTLP endpoint that requires TLS or auth headers
…can't. The standard workaround is a sidecar collector that receives plaintext on localhost and re-exports with TLS + auth configured locally. Annoying for operators running on Fly/Railway/Cloud Run / etc. where adding a sidecar is non-trivial.
Proposed Solution
Two related additions:
Endpoint scheme sniffing — if otel.addr starts with https://, configure the gRPC exporters with TLS credentials (grpc.WithTransportCredentials(credentials.NewTLS(...))) instead of WithInsecure(). If it starts with http://, behave as today. If no scheme, keep current behavior (plaintext) for backward compat.
Headers env var — WH_OTEL_HEADERS (yaml otel.headers) accepting comma-separated key=value pairs (or repeated env var pattern), wired to otlptracegrpc.WithHeaders(map[string]string) etc. on all three exporters.
Together these unlock WH_OTEL_ADDR=https://otlp-gateway-prod-us-east-0.grafana.net/otlp WH_OTEL_HEADERS=Authorization=Basic\ <base64> working end-to-end — no sidecar.
Alternatives Considered
Separate otel.tls.enabled boolean — explicit but more knobs than necessary. Scheme sniffing is the standard OTel-SDK pattern (some language SDKs do this natively).
A per-signal endpoint override (different addr for traces vs metrics vs logs) — Grafana Cloud actually does this (different gateway URLs per signal). Worth scoping in: maybe otel.{traces,metrics,logs}.addr overrides the top-level otel.addr when set. Lower priority; can be follow-up.
mTLS (client cert auth) — niche; defer until requested.
Original issue (pre-rescoping) asked for just the docs change — that part is done. Re-scoping rather than closing+filing-new because the conversation is here.
Status
Docs portion shipped in PR #116 —
docs/configuration.mdnow has a full OTel section coveringWH_OTEL_ADDRand every other env var, plus an explicit note on theWithInsecure()constraint and the sidecar workaround.docs/deployment.mdcovers the SigNoz/Honeycomb (OTLP-native) and Grafana Cloud / Alloy (Prometheus scrape + OTLP traces via Alloy) wiring patterns.This issue is staying open and re-scoped to the actual feature work that the original docs note pointed at: making WaveHouse able to ship OTLP directly to TLS-protected cloud endpoints without an intermediate sidecar.
Problem (re-scoped)
internal/observability/provider.gocallsotlptracegrpc.WithInsecure()(and the equivalents for metrics + logs). That means WaveHouse can ship OTLP only to plaintext receivers — typically a local OTel collector or Grafana Alloy on127.0.0.1:4317. Operators who want to ship directly to:https://otlp-gateway-prod-us-east-0.grafana.net/otlp— TLS + Basic auth)https://api.honeycomb.io:443— TLS +x-honeycomb-teamheader)…can't. The standard workaround is a sidecar collector that receives plaintext on localhost and re-exports with TLS + auth configured locally. Annoying for operators running on Fly/Railway/Cloud Run / etc. where adding a sidecar is non-trivial.
Proposed Solution
Two related additions:
otel.addrstarts withhttps://, configure the gRPC exporters with TLS credentials (grpc.WithTransportCredentials(credentials.NewTLS(...))) instead ofWithInsecure(). If it starts withhttp://, behave as today. If no scheme, keep current behavior (plaintext) for backward compat.WH_OTEL_HEADERS(yamlotel.headers) accepting comma-separatedkey=valuepairs (or repeated env var pattern), wired tootlptracegrpc.WithHeaders(map[string]string)etc. on all three exporters.Together these unlock
WH_OTEL_ADDR=https://otlp-gateway-prod-us-east-0.grafana.net/otlp WH_OTEL_HEADERS=Authorization=Basic\ <base64>working end-to-end — no sidecar.Alternatives Considered
otel.tls.enabledboolean — explicit but more knobs than necessary. Scheme sniffing is the standard OTel-SDK pattern (some language SDKs do this natively).otel.{traces,metrics,logs}.addroverrides the top-levelotel.addrwhen set. Lower priority; can be follow-up.Additional Context
docs/configuration.mdso operators aren't surprised, and link to this issue.