-
Notifications
You must be signed in to change notification settings - Fork 893
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Clarify env variables in otlp exporter #975
Clarify env variables in otlp exporter #975
Conversation
Why do we need to change the default for |
Thanks for the reviews! Hi @tigrannajaryan, Also, I think we can be more clear by having |
To be precise
This does not look unnatural to me if the goal is to force the user to think whether they want it to be secure or no and act on it. The defaults are chosen in a way that if the user doesn't make the choice then it won't work at all. With the change proposed in this PR it will no longer be the case. The user will not necessarily be deliberately making the choice anymore. They may not even be aware of the options. I don't know which of the approaches is desirable for us (force the user to make the choice or make it easy to run in the insecure mode). The answer is is not obvious to me.
I would stay with |
I support the argument of @tigrannajaryan about forcing users to make the conscious choice. |
Just to confirm, does Also from what I can tell, Java has a bug where TLS is disabled when insecure is false. Please check my work, but the positive and negative seem to be flipped right? So for Java we currently set OTLP exporter to default to pointing at localhost at the well defined port without TLS. This allows quickly playing with OTel, which has works pretty nicely so far, I assumed it was intentional :) I think it's basically inconceivable for localhost to have TLS set up. So if we were to default to TLS on, I would remove the default for the endpoint - I think it's unidiomatic to have a default of localhost also have TLS default to on, it basically never works in practice. |
Supposedly yes, if the client uses its local CA-cert repository to verify the server. The spec does not define this, but I'd expect most implementations to behave like that. |
Yes, I think the confusion is from a the name |
This is a good point. |
I looked through few existing tools for TLS setting:
As mentioned in previous comment, with I think we can go with maintainers opinion on this. I'll revert changing the |
I don't know if we got a clear advice from maintainers yet. Apparently my point was a good one though :) Even in production, in sidecar deployment, it's really rare to use TLS. I think a default endpoint of |
I don't have a strong opinion on what should be the default. There are cons and pros for either approach. However, I do want to see a wider discussion before accepting the change. |
Signed-off-by: Abhilash Gnan <[email protected]>
Signed-off-by: Abhilash Gnan <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM in current form.
@tigrannajaryan thanks! I've opened an issue #1002 to further discuss on insecure mode defaults |
Signed-off-by: Abhilash Gnan <[email protected]>
We can merge this today or after spec freeze. I consider this an editorial change so it is OK to merge it after. |
I also consider this an editorial change since #1002 was carved out. |
Changes summary
Makeinsecure=true
as default, so supplying certificate file is not mandatory and can be supplied on settinginsecure=false
explicitly.OTEL_EXPORTER_OTLP_CERTIFICATE
takes path to certificate file.OTEL_EXPORTER_OTLP_HEADERS
take key-value pairs.Related issues
open-telemetry/opentelemetry-python#1004 which is about implementing the exporter spec to have env variables.
Notes
We may have to update existing implementations to follow newinsecure
variable default. How to ensure libraries catchup with this?