diff --git a/codex-rs/Cargo.lock b/codex-rs/Cargo.lock index 4209b8f39f..1bba07c7b6 100644 --- a/codex-rs/Cargo.lock +++ b/codex-rs/Cargo.lock @@ -1367,6 +1367,7 @@ dependencies = [ "codex-app-server-protocol", "codex-protocol", "eventsource-stream", + "http", "opentelemetry", "opentelemetry-otlp", "opentelemetry-semantic-conventions", @@ -5174,6 +5175,7 @@ version = "0.23.29" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2491382039b29b9b11ff08b76ff6c97cf287671dbb74f0be44bda389fffe9bd1" dependencies = [ + "log", "once_cell", "ring", "rustls-pki-types", @@ -6601,8 +6603,10 @@ dependencies = [ "percent-encoding", "pin-project", "prost", + "rustls-native-certs", "socket2 0.5.10", "tokio", + "tokio-rustls", "tokio-stream", "tower", "tower-layer", diff --git a/codex-rs/core/src/config/types.rs b/codex-rs/core/src/config/types.rs index 9c2cd03d13..c502cfeb19 100644 --- a/codex-rs/core/src/config/types.rs +++ b/codex-rs/core/src/config/types.rs @@ -282,6 +282,14 @@ pub enum OtelHttpProtocol { Json, } +#[derive(Deserialize, Debug, Clone, PartialEq, Default)] +#[serde(rename_all = "kebab-case")] +pub struct OtelTlsConfig { + pub ca_certificate: Option, + pub client_certificate: Option, + pub client_private_key: Option, +} + /// Which OTEL exporter to use. #[derive(Deserialize, Debug, Clone, PartialEq)] #[serde(rename_all = "kebab-case")] @@ -289,12 +297,18 @@ pub enum OtelExporterKind { None, OtlpHttp { endpoint: String, + #[serde(default)] headers: HashMap, protocol: OtelHttpProtocol, + #[serde(default)] + tls: Option, }, OtlpGrpc { endpoint: String, + #[serde(default)] headers: HashMap, + #[serde(default)] + tls: Option, }, } diff --git a/codex-rs/core/src/otel_init.rs b/codex-rs/core/src/otel_init.rs index 5931d7caf9..5900c9b4a6 100644 --- a/codex-rs/core/src/otel_init.rs +++ b/codex-rs/core/src/otel_init.rs @@ -5,6 +5,7 @@ use crate::default_client::originator; use codex_otel::config::OtelExporter; use codex_otel::config::OtelHttpProtocol; use codex_otel::config::OtelSettings; +use codex_otel::config::OtelTlsConfig as OtelTlsSettings; use codex_otel::otel_provider::OtelProvider; use std::error::Error; @@ -21,6 +22,7 @@ pub fn build_provider( endpoint, headers, protocol, + tls, } => { let protocol = match protocol { Protocol::Json => OtelHttpProtocol::Json, @@ -34,14 +36,28 @@ pub fn build_provider( .map(|(k, v)| (k.clone(), v.clone())) .collect(), protocol, + tls: tls.as_ref().map(|config| OtelTlsSettings { + ca_certificate: config.ca_certificate.clone(), + client_certificate: config.client_certificate.clone(), + client_private_key: config.client_private_key.clone(), + }), } } - Kind::OtlpGrpc { endpoint, headers } => OtelExporter::OtlpGrpc { + Kind::OtlpGrpc { + endpoint, + headers, + tls, + } => OtelExporter::OtlpGrpc { endpoint: endpoint.clone(), headers: headers .iter() .map(|(k, v)| (k.clone(), v.clone())) .collect(), + tls: tls.as_ref().map(|config| OtelTlsSettings { + ca_certificate: config.ca_certificate.clone(), + client_certificate: config.client_certificate.clone(), + client_private_key: config.client_private_key.clone(), + }), }, }; diff --git a/codex-rs/otel/Cargo.toml b/codex-rs/otel/Cargo.toml index ea518c2e4f..2ab170c917 100644 --- a/codex-rs/otel/Cargo.toml +++ b/codex-rs/otel/Cargo.toml @@ -27,18 +27,26 @@ opentelemetry-otlp = { workspace = true, features = [ "grpc-tonic", "http-proto", "http-json", + "logs", "reqwest", "reqwest-rustls", + "tls", + "tls-roots", ], optional = true } opentelemetry-semantic-conventions = { workspace = true } opentelemetry_sdk = { workspace = true, features = [ "logs", "rt-tokio", ], optional = true } +http = { workspace = true } reqwest = { workspace = true } serde = { workspace = true, features = ["derive"] } serde_json = { workspace = true } strum_macros = { workspace = true } tokio = { workspace = true } -tonic = { workspace = true, optional = true } +tonic = { workspace = true, optional = true, features = [ + "transport", + "tls-native-roots", + "tls-ring", +] } tracing = { workspace = true } diff --git a/codex-rs/otel/src/config.rs b/codex-rs/otel/src/config.rs index 77063ed09d..b6336b3a5c 100644 --- a/codex-rs/otel/src/config.rs +++ b/codex-rs/otel/src/config.rs @@ -18,16 +18,25 @@ pub enum OtelHttpProtocol { Json, } +#[derive(Clone, Debug, Default)] +pub struct OtelTlsConfig { + pub ca_certificate: Option, + pub client_certificate: Option, + pub client_private_key: Option, +} + #[derive(Clone, Debug)] pub enum OtelExporter { None, OtlpGrpc { endpoint: String, headers: HashMap, + tls: Option, }, OtlpHttp { endpoint: String, headers: HashMap, protocol: OtelHttpProtocol, + tls: Option, }, } diff --git a/codex-rs/otel/src/otel_provider.rs b/codex-rs/otel/src/otel_provider.rs index 222322a2ea..8be2431ea9 100644 --- a/codex-rs/otel/src/otel_provider.rs +++ b/codex-rs/otel/src/otel_provider.rs @@ -1,8 +1,13 @@ use crate::config::OtelExporter; use crate::config::OtelHttpProtocol; use crate::config::OtelSettings; +use crate::config::OtelTlsConfig; +use http::Uri; use opentelemetry::KeyValue; use opentelemetry_otlp::LogExporter; +use opentelemetry_otlp::OTEL_EXPORTER_OTLP_LOGS_TIMEOUT; +use opentelemetry_otlp::OTEL_EXPORTER_OTLP_TIMEOUT; +use opentelemetry_otlp::OTEL_EXPORTER_OTLP_TIMEOUT_DEFAULT; use opentelemetry_otlp::Protocol; use opentelemetry_otlp::WithExportConfig; use opentelemetry_otlp::WithHttpConfig; @@ -10,11 +15,23 @@ use opentelemetry_otlp::WithTonicConfig; use opentelemetry_sdk::Resource; use opentelemetry_sdk::logs::SdkLoggerProvider; use opentelemetry_semantic_conventions as semconv; +use reqwest::Certificate as ReqwestCertificate; +use reqwest::Identity as ReqwestIdentity; use reqwest::header::HeaderMap; use reqwest::header::HeaderName; use reqwest::header::HeaderValue; +use std::env; use std::error::Error; +use std::fs; +use std::io::ErrorKind; +use std::io::{self}; +use std::path::Path; +use std::path::PathBuf; +use std::time::Duration; use tonic::metadata::MetadataMap; +use tonic::transport::Certificate as TonicCertificate; +use tonic::transport::ClientTlsConfig; +use tonic::transport::Identity as TonicIdentity; use tracing::debug; const ENV_ATTRIBUTE: &str = "env"; @@ -47,8 +64,12 @@ impl OtelProvider { debug!("No exporter enabled in OTLP settings."); return Ok(None); } - OtelExporter::OtlpGrpc { endpoint, headers } => { - debug!("Using OTLP Grpc exporter: {}", endpoint); + OtelExporter::OtlpGrpc { + endpoint, + headers, + tls, + } => { + debug!("Using OTLP Grpc exporter: {endpoint}"); let mut header_map = HeaderMap::new(); for (key, value) in headers { @@ -59,10 +80,25 @@ impl OtelProvider { } } + let base_tls_config = ClientTlsConfig::new() + .with_enabled_roots() + .assume_http2(true); + + let tls_config = match tls.as_ref() { + Some(tls) => build_grpc_tls_config( + endpoint, + base_tls_config, + tls, + settings.codex_home.as_path(), + )?, + None => base_tls_config, + }; + let exporter = LogExporter::builder() .with_tonic() .with_endpoint(endpoint) .with_metadata(MetadataMap::from_headers(header_map)) + .with_tls_config(tls_config) .build()?; builder = builder.with_batch_exporter(exporter); @@ -71,20 +107,27 @@ impl OtelProvider { endpoint, headers, protocol, + tls, } => { - debug!("Using OTLP Http exporter: {}", endpoint); + debug!("Using OTLP Http exporter: {endpoint}"); let protocol = match protocol { OtelHttpProtocol::Binary => Protocol::HttpBinary, OtelHttpProtocol::Json => Protocol::HttpJson, }; - let exporter = LogExporter::builder() + let mut exporter_builder = LogExporter::builder() .with_http() .with_endpoint(endpoint) .with_protocol(protocol) - .with_headers(headers.clone()) - .build()?; + .with_headers(headers.clone()); + + if let Some(tls) = tls.as_ref() { + let client = build_http_client(tls, settings.codex_home.as_path())?; + exporter_builder = exporter_builder.with_http_client(client); + } + + let exporter = exporter_builder.build()?; builder = builder.with_batch_exporter(exporter); } @@ -101,3 +144,127 @@ impl Drop for OtelProvider { let _ = self.logger.shutdown(); } } + +fn build_grpc_tls_config( + endpoint: &str, + tls_config: ClientTlsConfig, + tls: &OtelTlsConfig, + codex_home: &Path, +) -> Result> { + let uri: Uri = endpoint.parse()?; + let host = uri.host().ok_or_else(|| { + config_error(format!( + "OTLP gRPC endpoint {endpoint} does not include a host" + )) + })?; + + let mut config = tls_config.domain_name(host.to_owned()); + + if let Some(path) = tls.ca_certificate.as_ref() { + let (pem, _) = read_bytes(codex_home, path)?; + config = config.ca_certificate(TonicCertificate::from_pem(pem)); + } + + match (&tls.client_certificate, &tls.client_private_key) { + (Some(cert_path), Some(key_path)) => { + let (cert_pem, _) = read_bytes(codex_home, cert_path)?; + let (key_pem, _) = read_bytes(codex_home, key_path)?; + config = config.identity(TonicIdentity::from_pem(cert_pem, key_pem)); + } + (Some(_), None) | (None, Some(_)) => { + return Err(config_error( + "client_certificate and client_private_key must both be provided for mTLS", + )); + } + (None, None) => {} + } + + Ok(config) +} + +fn build_http_client( + tls: &OtelTlsConfig, + codex_home: &Path, +) -> Result> { + let mut builder = + reqwest::Client::builder().timeout(resolve_otlp_timeout(OTEL_EXPORTER_OTLP_LOGS_TIMEOUT)); + + if let Some(path) = tls.ca_certificate.as_ref() { + let (pem, location) = read_bytes(codex_home, path)?; + let certificate = ReqwestCertificate::from_pem(pem.as_slice()).map_err(|error| { + config_error(format!( + "failed to parse certificate {}: {error}", + location.display() + )) + })?; + builder = builder.add_root_certificate(certificate); + } + + match (&tls.client_certificate, &tls.client_private_key) { + (Some(cert_path), Some(key_path)) => { + let (mut cert_pem, cert_location) = read_bytes(codex_home, cert_path)?; + let (key_pem, key_location) = read_bytes(codex_home, key_path)?; + cert_pem.extend_from_slice(key_pem.as_slice()); + let identity = ReqwestIdentity::from_pem(cert_pem.as_slice()).map_err(|error| { + config_error(format!( + "failed to parse client identity using {} and {}: {error}", + cert_location.display(), + key_location.display() + )) + })?; + builder = builder.identity(identity); + } + (Some(_), None) | (None, Some(_)) => { + return Err(config_error( + "client_certificate and client_private_key must both be provided for mTLS", + )); + } + (None, None) => {} + } + + builder + .build() + .map_err(|error| Box::new(error) as Box) +} + +fn resolve_otlp_timeout(signal_var: &str) -> Duration { + if let Some(timeout) = read_timeout_env(signal_var) { + return timeout; + } + if let Some(timeout) = read_timeout_env(OTEL_EXPORTER_OTLP_TIMEOUT) { + return timeout; + } + OTEL_EXPORTER_OTLP_TIMEOUT_DEFAULT +} + +fn read_timeout_env(var: &str) -> Option { + let value = env::var(var).ok()?; + let parsed = value.parse::().ok()?; + if parsed < 0 { + return None; + } + Some(Duration::from_millis(parsed as u64)) +} + +fn read_bytes(base: &Path, provided: &PathBuf) -> Result<(Vec, PathBuf), Box> { + let resolved = resolve_config_path(base, provided); + match fs::read(&resolved) { + Ok(bytes) => Ok((bytes, resolved)), + Err(error) => Err(Box::new(io::Error::new( + error.kind(), + format!("failed to read {}: {error}", resolved.display()), + ))), + } +} + +fn resolve_config_path(base: &Path, provided: &PathBuf) -> PathBuf { + if provided.is_absolute() { + provided.clone() + } else { + base.join(provided) + } +} + +fn config_error(message: impl Into) -> Box { + Box::new(io::Error::new(ErrorKind::InvalidData, message.into())) +} diff --git a/docs/config.md b/docs/config.md index ed5aed6fc7..0b1a38dce3 100644 --- a/docs/config.md +++ b/docs/config.md @@ -651,6 +651,23 @@ Set `otel.exporter` to control where events go: }} ``` +Both OTLP exporters accept an optional `tls` block so you can trust a custom CA +or enable mutual TLS. Relative paths are resolved against `~/.codex/`: + +```toml +[otel] +exporter = { otlp-http = { + endpoint = "https://otel.example.com/v1/logs", + protocol = "binary", + headers = { "x-otlp-api-key" = "${OTLP_TOKEN}" }, + tls = { + ca-certificate = "certs/otel-ca.pem", + client-certificate = "/etc/codex/certs/client.pem", + client-private-key = "/etc/codex/certs/client-key.pem", + } +}} +``` + If the exporter is `none` nothing is written anywhere; otherwise you must run or point to your own collector. All exporters run on a background batch worker that is flushed on shutdown. diff --git a/docs/example-config.md b/docs/example-config.md index 43a12a3b5e..c8c5a4cac0 100644 --- a/docs/example-config.md +++ b/docs/example-config.md @@ -368,4 +368,17 @@ exporter = "none" # endpoint = "https://otel.example.com:4317", # headers = { "x-otlp-meta" = "abc123" } # }} + +# Example OTLP exporter with mutual TLS +# [otel] +# exporter = { otlp-http = { +# endpoint = "https://otel.example.com/v1/logs", +# protocol = "binary", +# headers = { "x-otlp-api-key" = "${OTLP_TOKEN}" }, +# tls = { +# ca-certificate = "certs/otel-ca.pem", +# client-certificate = "/etc/codex/certs/client.pem", +# client-private-key = "/etc/codex/certs/client-key.pem", +# } +# }} ```