Skip to content

Internal Telemetry Authenticator Extension Support#13779

Closed
marcsnid wants to merge 4 commits into
open-telemetry:mainfrom
marcsnid:authenticators_internal_telemetry
Closed

Internal Telemetry Authenticator Extension Support#13779
marcsnid wants to merge 4 commits into
open-telemetry:mainfrom
marcsnid:authenticators_internal_telemetry

Conversation

@marcsnid
Copy link
Copy Markdown

@marcsnid marcsnid commented Sep 5, 2025

Description

Adding authentication support for internal telemetry exports. This feature allows users to specify an authenticator extension in their telemetry configuration to secure internal telemetry exports (traces, metrics, and logs) sent to external endpoints.

Link to tracking issue

Fixes #13778

Testing

  • Added and ran unit tests for authenticator manager and provider
  • Added service-level tests for authentication configuration
  • Added configuration parsing tests
  • Validated end-to-end functionality with comprehensive integration testing (not committed per repo conventions)
  • All existing tests pass, ensuring no regressions

Documentation

  • Commented new configuration and added test to show functionality

@marcsnid marcsnid requested a review from a team as a code owner September 5, 2025 17:33
@marcsnid marcsnid requested a review from dmathieu September 5, 2025 17:33
@linux-foundation-easycla
Copy link
Copy Markdown

linux-foundation-easycla Bot commented Sep 5, 2025
edited
Loading

CLA Signed

The committers listed above are authorized under a signed CLA.

@marcsnid marcsnid force-pushed the authenticators_internal_telemetry branch from c4095a1 to 7fffba3 Compare September 5, 2025 18:25
@marcsnid marcsnid force-pushed the authenticators_internal_telemetry branch from 7fffba3 to bdbb3db Compare September 5, 2025 18:33
jmacd
jmacd reviewed Sep 8, 2025
View reviewed changes
Comment thread internal/telemetry/authenticator.go
Comment on lines +75 to +78
type DefaultAuthenticatorProvider struct {
httpClient extensionauth.HTTPClient
grpcClient extensionauth.GRPCClient
}
Copy link
Copy Markdown
Contributor

@jmacd jmacd Sep 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should be able to replace this type with an unexported form.

type authenticatorProvider struct {
  extensionauth.ClientRoundTripperFunc
  extensionauth.ClientPerRPCCredentialsFunc
}

Reviewers, see this evidently-stalled RFC on the topic of how we construct these default implementations: #13263

jmacd
jmacd reviewed Sep 8, 2025
View reviewed changes
Comment thread internal/telemetry/authenticator.go
Comment on lines +88 to +102
// GetHTTPRoundTripper implements AuthenticatorProvider.
func (p *DefaultAuthenticatorProvider) GetHTTPRoundTripper(base http.RoundTripper) (http.RoundTripper, error) {
if p.httpClient == nil {
return base, nil
}
return p.httpClient.RoundTripper(base)
}

// GetGRPCCredentials implements AuthenticatorProvider.
func (p *DefaultAuthenticatorProvider) GetGRPCCredentials() (credentials.PerRPCCredentials, error) {
if p.grpcClient == nil {
return nil, nil
}
return p.grpcClient.PerRPCCredentials()
}
Copy link
Copy Markdown
Contributor

@jmacd jmacd Sep 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The suggestion above means we can remove all this.

jmacd
jmacd reviewed Sep 8, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@jmacd jmacd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seeking input from @axw
Thanks @marcsnid

@axw
Copy link
Copy Markdown
Contributor

axw commented Sep 9, 2025

I think it's a worthy problem to solve, but I'm not convinced this is the right solution. In my ideal world, SDK exporters would be able to use OIDC/OAuth2 (workload identity federation), SigV4, reload bearer tokens from a file, mTLS with certificate reloading on rotation, etc. That would come for free to internal telemetry since it uses the SDK. If the SDK authenticator interface were made generic enough, then it could be used by the collector's exporters too. See #13778 (comment)

Also related:

@marcsnid
Copy link
Copy Markdown
Author

marcsnid commented Sep 9, 2025

Thank you @jmacd and @axw for the reviews, I commented a reply in #13778 to continue discussion on this issue. I think while this is the faster solution, I'm happy to help with the SDK exporter solution as long as we can address the same problem.

@axw
Copy link
Copy Markdown
Contributor

axw commented Sep 10, 2025

@marcsnid may I suggest either closing this or moving it to draft until the conversation in #13778 is resolved?

@marcsnid marcsnid closed this Sep 10, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jmacd jmacd jmacd left review comments

@dmathieu dmathieu Awaiting requested review from dmathieu dmathieu is a code owner automatically assigned from open-telemetry/collector-approvers

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Authentication Support for Internal Telemetry Exports

3 participants

@marcsnid @axw @jmacd