[otlp] Add mTLS Support for OTLP Exporter

src/OpenTelemetry.Exporter.OpenTelemetryProtocol/.publicApi/Stable/PublicAPI.Unshipped.txt

@@ -0,0 +1,6 @@
+OpenTelemetry.Exporter.OtlpExporterOptions.CertificateFile.get -> string!
+OpenTelemetry.Exporter.OtlpExporterOptions.CertificateFile.set -> void
+OpenTelemetry.Exporter.OtlpExporterOptions.ClientCertificateFile.get -> string!
+OpenTelemetry.Exporter.OtlpExporterOptions.ClientCertificateFile.set -> void
+OpenTelemetry.Exporter.OtlpExporterOptions.ClientKeyFile.get -> string!
+OpenTelemetry.Exporter.OtlpExporterOptions.ClientKeyFile.set -> void

src/OpenTelemetry.Exporter.OpenTelemetryProtocol/OtlpExporterOptions.cs

@@ -11,6 +11,9 @@
 using OpenTelemetry.Exporter.OpenTelemetryProtocol.Implementation;
 using OpenTelemetry.Internal;
 using OpenTelemetry.Trace;
+#if NET6_0_OR_GREATER
+using System.Security.Cryptography.X509Certificates;
+#endif
 
 namespace OpenTelemetry.Exporter;
 
@@ -28,6 +31,10 @@ public class OtlpExporterOptions : IOtlpExporterOptions
     internal const string DefaultHttpEndpoint = "http://localhost:4318";
     internal const OtlpExportProtocol DefaultOtlpExportProtocol = OtlpExportProtocol.Grpc;
 
+    internal const string CertificateFileEnvVarName = "OTEL_EXPORTER_OTLP_CERTIFICATE";
+    internal const string ClientKeyFileEnvVarName = "OTEL_EXPORTER_OTLP_CLIENT_KEY";
+    internal const string ClientCertificateFileEnvVarName = "OTEL_EXPORTER_OTLP_CLIENT_CERTIFICATE";
+
     internal static readonly KeyValuePair<string, string>[] StandardHeaders = new KeyValuePair<string, string>[]
     {
         new("User-Agent", GetUserAgentString()),
@@ -68,13 +75,26 @@ internal OtlpExporterOptions(
 
         this.DefaultHttpClientFactory = () =>
         {
+#if NET6_0_OR_GREATER
+            var handler = new HttpClientHandler();
+            HttpClient client = this.AddCertificatesToHttpClient(handler);
+            client.Timeout = TimeSpan.FromMilliseconds(this.TimeoutMilliseconds);
+            return client;
+#else
+            // For earlier .NET versions
             return new HttpClient
             {
                 Timeout = TimeSpan.FromMilliseconds(this.TimeoutMilliseconds),
             };
+#endif
         };
 
         this.BatchExportProcessorOptions = defaultBatchOptions!;
+
+        // Load certificate-related environment variables
+        this.CertificateFile = Environment.GetEnvironmentVariable(CertificateFileEnvVarName) ?? string.Empty;
+        this.ClientKeyFile = Environment.GetEnvironmentVariable(ClientKeyFileEnvVarName) ?? string.Empty;
+        this.ClientCertificateFile = Environment.GetEnvironmentVariable(ClientCertificateFileEnvVarName) ?? string.Empty;
     }
 
     /// <inheritdoc/>
@@ -142,6 +162,21 @@ public Func<HttpClient> HttpClientFactory
         }
     }
 
+    /// <summary>
+    /// Gets or sets the trusted certificate to use when verifying a server's TLS credentials.
+    /// </summary>
+    public string CertificateFile { get; set; }
+
+    /// <summary>
+    /// Gets or sets the path to the private key to use in mTLS communication in PEM format.
+    /// </summary>
+    public string ClientKeyFile { get; set; }
+
+    /// <summary>
+    /// Gets or sets the path to the certificate/chain trust for client's private key to use in mTLS communication in PEM format.
+    /// </summary>
+    public string ClientCertificateFile { get; set; }
+
     /// <summary>
     /// Gets a value indicating whether or not the signal-specific path should
     /// be appended to <see cref="Endpoint"/>.
@@ -220,6 +255,41 @@ internal OtlpExporterOptions ApplyDefaults(OtlpExporterOptions defaultExporterOp
         return this;
     }
 
+#if NET6_0_OR_GREATER
+    internal HttpClient AddCertificatesToHttpClient(HttpClientHandler handler)
+    {
+        // Configure server certificate validation if CertificateFile is provided
+        if (!string.IsNullOrEmpty(this.CertificateFile))
+        {
+            // Load the certificate from the file
+            var trustedCertificate = X509Certificate2.CreateFromPemFile(this.CertificateFile);
+
+            // Set custom server certificate validation callback
+            handler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) =>
+            {
+                if (cert != null && chain != null)
+                {
+                    chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
+                    chain.ChainPolicy.CustomTrustStore.Add(trustedCertificate);
+                    return chain.Build(cert);
+                }
+
+                return false;
+            };
+        }
+
+        // Add client certificate if both files are provided
+        if (!string.IsNullOrEmpty(this.ClientCertificateFile) && !string.IsNullOrEmpty(this.ClientKeyFile))
+        {
+            var clientCertificate = X509Certificate2.CreateFromPemFile(this.ClientCertificateFile, this.ClientKeyFile);
+            handler.ClientCertificates.Add(clientCertificate);
+        }
+
+        // Create and return an HttpClient with the modified handler
+        return new HttpClient(handler);
+    }
+#endif
+
     private static string GetUserAgentString()
     {
         var assembly = typeof(OtlpExporterOptions).Assembly;

src/OpenTelemetry.Exporter.OpenTelemetryProtocol/OtlpExporterOptionsExtensions.cs

@@ -36,7 +36,30 @@ public static Channel CreateChannel(this OtlpExporterOptions options)
         ChannelCredentials channelCredentials;
         if (options.Endpoint.Scheme == Uri.UriSchemeHttps)
         {
-            channelCredentials = new SslCredentials();
+            if (!string.IsNullOrEmpty(options.ClientCertificateFile) && !string.IsNullOrEmpty(options.ClientKeyFile))
+            {
+                string clientCertPem = File.ReadAllText(options.ClientCertificateFile);
+                string clientKeyPem = File.ReadAllText(options.ClientKeyFile);
+                var keyPair = new KeyCertificatePair(clientCertPem, clientKeyPem);
+
+                string rootCertPem = string.Empty;
+                if (!string.IsNullOrEmpty(options.CertificateFile))
+                {
+                    rootCertPem = File.ReadAllText(options.CertificateFile);
+                }
+
+                channelCredentials = new SslCredentials(rootCertPem, keyPair);
+            }
+            else
+            {
+                string rootCertPem = string.Empty;
+                if (!string.IsNullOrEmpty(options.CertificateFile))
+                {
+                    rootCertPem = File.ReadAllText(options.CertificateFile);
+                }
+
+                channelCredentials = new SslCredentials(rootCertPem);
+            }
         }
         else
         {

test/OpenTelemetry.Exporter.OpenTelemetryProtocol.Tests/IntegrationTest/IntegrationTests.cs

@@ -46,7 +46,7 @@
     [InlineData(OtlpExportProtocol.HttpProtobuf, ":5318/v1/traces", ExportProcessorType.Simple, true, "https")]
     [Trait("CategoryName", "CollectorIntegrationTests")]
     [SkipUnlessEnvVarFoundTheory(CollectorHostnameEnvVarName)]
     public void TraceExportResultIsSuccess(OtlpExportProtocol protocol, string endpoint, ExportProcessorType exportProcessorType, bool forceFlush, string scheme = "http")
     {
         using EventWaitHandle handle = new ManualResetEvent(false);
 
@@ -208,9 +208,16 @@
     [InlineData(OtlpExportProtocol.HttpProtobuf, ":4318/v1/logs", ExportProcessorType.Simple)]
     [InlineData(OtlpExportProtocol.Grpc, ":5317", ExportProcessorType.Simple, "https")]
     [InlineData(OtlpExportProtocol.HttpProtobuf, ":5318/v1/logs", ExportProcessorType.Simple, "https")]
+    [InlineData(OtlpExportProtocol.Grpc, ":7317", ExportProcessorType.Batch, "https")]
+    [InlineData(OtlpExportProtocol.HttpProtobuf, ":7318/v1/traces", ExportProcessorType.Batch, "https")]
     [Trait("CategoryName", "CollectorIntegrationTests")]
     [SkipUnlessEnvVarFoundTheory(CollectorHostnameEnvVarName)]
-    public void LogExportResultIsSuccess(OtlpExportProtocol protocol, string endpoint, ExportProcessorType exportProcessorType, string scheme = "http")
+    public void TraceExportResultIsSuccess(
+        OtlpExportProtocol protocol,
+        string endpoint,
+        ExportProcessorType exportProcessorType,
+        string scheme = "http",
+        bool useMtls = false)
     {
         using EventWaitHandle handle = new ManualResetEvent(false);
 
@@ -220,6 +227,13 @@
             Protocol = protocol,
         };
 
+        if (useMtls)
+        {
+            exporterOptions.CertificateFile = "/cfg/certs/otel-test-server-cert.pem";
+            exporterOptions.ClientCertificateFile = "/cfg/certs/otel-test-client-cert.pem";
+            exporterOptions.ClientKeyFile = "/cfg/certs/otel-test-client-key.pem";
+        }
+
         DelegatingExporter<LogRecord> delegatingExporter;
         var exportResults = new List<ExportResult>();
         var processorOptions = new LogRecordExportProcessorOptions