New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Default TLS credentials using system certificates for OTLP GRPC #1584
Comments
Note that if you pass nil as the first argument to
|
From the SIG meeting: we would like to have this fixed for the RC, but it is something we can add after with backwards compatible support. |
A possible first step might be to update the documentation to at least describe the solution here. |
@MrAlias should system certificates be the default or there is some other plan how this should be fixed? It is not obvious what was decided... |
@vmihailenco We talked more about priority of getting this in for the RC, but I think there was a tacit agreement from the SIG meeting yesterday that this having the system certificates be the default makes sense. We would want to be sure to still provide the ability to override this by setting the credentials or setting insecure. @seh mentioned that it is an error to set both credentials and insecure. We should add a test to accompany the change to ensure we support all user situations. |
Slight correction: It's an error to set neither option as well. The gRPC client requires that the caller tell it either to behave insecurely, or to use a specific set of credentials (which in this case really means which CAs to trust as issuers for the server's X.509 certificate, with the client not presenting a certificate of its own to the server). |
This is the current behavior. Looks like there is nothing to change after all...
This is true and this is what I suggested to change for OTLP exporter. PS @seh I am confused whether you are just describing current situation (i.e. GRPC client behavior) or describing how OTLP should work in the end... |
Hi, I'd like to bump this issue. I believe the problem I'm facing is related. I want to use environment variables to control where my app sends traces: if I'm working locally this would be a local stack running on Unfortunately I can't switch between them without doing a code change because I need to set Config for local stackEnvironment variables:
Code needed to setup the exporter is nice and tidy: exporter, err := otlptracegrpc.New(ctx) Config for remote endpoint with TLSEnvironment variables:
If I don't change the code I get:
Correct code: exporter, err := otlptracegrpc.New(
ctx,
otlptracegrpc.WithTLSCredentials(credentials.NewClientTLSFromCert(nil, ""))
) The only place I found this solution btw is in the Honeycomb docs: https://docs.honeycomb.io/getting-data-in/go/opentelemetry/#installation-and-exporter-configuration SolutionI can see two solutions that would work for me:
|
What do you think about using system certificates for GRPC OTLP exporter by default? E.g. now I have to
But I would expect GRPC to use system certificate by default. And
otlpgrpc.WithInsecure
can be used to disable TLS. I can send a PR if this is accepted.The text was updated successfully, but these errors were encountered: