feat: configure TLS with environment variables.

Cargo.toml

@@ -50,3 +50,5 @@ tracing = { version = ">=0.1.40", default-features = false }
 tracing-core = { version = ">=0.1.33", default-features = false } 
 tracing-subscriber = { version = "0.3", default-features = false }
 url = { version = "2.5", default-features = false }
+rcgen = { version = "0.13", features = ["crypto"] }
+tempfile = "3.14"

opentelemetry-otlp/CHANGELOG.md

@@ -10,6 +10,7 @@
   "reqwest-blocking-client" features as default, to align with the
   specification.
   [2516](https://github.com/open-telemetry/opentelemetry-rust/pull/2516)
+- TLS configuration via environment variables for GRPC exporters.
 
 ## 0.27.0
 

opentelemetry-otlp/Cargo.toml

@@ -51,6 +51,8 @@ opentelemetry_sdk = { features = ["trace", "rt-tokio", "testing"], path = "../op
 tokio = { workspace = true, features = ["macros", "rt-multi-thread"] }
 futures-util = { workspace = true }
 temp-env = { workspace = true }
+rcgen = { workspace = true }
+tempfile = { workspace = true }
 
 [features]
 # telemetry pillars and functions

opentelemetry-otlp/src/exporter/mod.rs

@@ -28,6 +28,19 @@
 /// Compression algorithm to use, defaults to none.
 pub const OTEL_EXPORTER_OTLP_COMPRESSION: &str = "OTEL_EXPORTER_OTLP_COMPRESSION";
 
+/// Certificate file to validate the OTLP server connection
+#[cfg(feature = "tls")]
+pub const OTEL_EXPORTER_OTLP_CERTIFICATE: &str = "OTEL_EXPORTER_OTLP_CERTIFICATE";
+/// Path to the certificate file to use for client authentication (mTLS).
+#[cfg(feature = "tls")]
+pub const OTEL_EXPORTER_OTLP_CLIENT_CERTIFICATE: &str = "OTEL_EXPORTER_OTLP_CLIENT_CERTIFICATE";
+/// Path to the key file to use for client authentication (mTLS).
+#[cfg(feature = "tls")]
+pub const OTEL_EXPORTER_OTLP_CLIENT_KEY: &str = "OTEL_EXPORTER_OTLP_CLIENT_KEY";
+/// Use insecure connection. Disable TLS
+#[cfg(feature = "tls")]
+pub const OTEL_EXPORTER_OTLP_INSECURE: &str = "OTEL_EXPORTER_OTLP_INSECURE";
+
 #[cfg(feature = "http-json")]
 /// Default protocol, using http-json.
 pub const OTEL_EXPORTER_OTLP_PROTOCOL_DEFAULT: &str = OTEL_EXPORTER_OTLP_PROTOCOL_HTTP_JSON;
@@ -76,6 +89,22 @@
 
     /// The timeout to the collector.
     pub timeout: Duration,
+
+    /// Disable TLS
+    #[cfg(feature = "tls")]
+    pub insecure: Option<bool>,
+
+    /// The certificate file to validate the OTLP server connection
+    #[cfg(feature = "tls")]
+    pub certificate: Option<String>,
+
+    /// The path to the certificate file to use for client authentication (mTLS).
+    #[cfg(feature = "tls")]
+    pub client_certificate: Option<String>,
+
+    /// The path to the key file to use for client authentication (mTLS).
+    #[cfg(feature = "tls")]
+    pub client_key: Option<String>,
 }
 
 impl Default for ExportConfig {
@@ -88,6 +117,14 @@
             // won't know if user provided a value
             protocol,
             timeout: Duration::from_secs(OTEL_EXPORTER_OTLP_TIMEOUT_DEFAULT),
+            #[cfg(feature = "tls")]
+            insecure: None,
+            #[cfg(feature = "tls")]
+            certificate: None,
+            #[cfg(feature = "tls")]
+            client_certificate: None,
+            #[cfg(feature = "tls")]
+            client_key: None,
         }
     }
 }
@@ -195,6 +232,21 @@
     fn with_timeout(self, timeout: Duration) -> Self;
     /// Set export config. This will override all previous configuration.
     fn with_export_config(self, export_config: ExportConfig) -> Self;
+    /// Set insecure connection. Disable TLS
+    #[cfg(feature = "tls")]
+    fn with_insecure(self) -> Self;
+    /// Set the certificate file to validate the OTLP server connection
+    /// This is only available when the `tls` feature is enabled.
+    #[cfg(feature = "tls")]
+    fn with_certificate<T: Into<String>>(self, certificate: T) -> Self;
+    /// Set the path to the certificate file to use for client authentication (mTLS).
+    /// This is only available when the `tls` feature is enabled.
+    #[cfg(feature = "tls")]
+    fn with_client_certificate<T: Into<String>>(self, client_certificate: T) -> Self;
+    /// Set the path to the key file to use for client authentication (mTLS).
+    /// This is only available when the `tls` feature is enabled.
+    #[cfg(feature = "tls")]
+    fn with_client_key<T: Into<String>>(self, client_key: T) -> Self;
 }
 
 impl<B: HasExportConfig> WithExportConfig for B {
@@ -217,6 +269,34 @@
         self.export_config().endpoint = exporter_config.endpoint;
         self.export_config().protocol = exporter_config.protocol;
         self.export_config().timeout = exporter_config.timeout;
+        #[cfg(feature = "tls")]
+        {
+            self.export_config().insecure = Some(true);
+        }
+        self
+    }
+
+    #[cfg(feature = "tls")]
+    fn with_insecure(mut self) -> Self {
+        self.export_config().insecure = Some(true);
+        self
+    }
+
+    #[cfg(feature = "tls")]
+    fn with_certificate<T: Into<String>>(mut self, certificate: T) -> Self {
+        self.export_config().certificate = Some(certificate.into());
+        self
+    }
+
+    #[cfg(feature = "tls")]
+    fn with_client_certificate<T: Into<String>>(mut self, client_certificate: T) -> Self {
+        self.export_config().client_certificate = Some(client_certificate.into());
+        self
+    }
+
+    #[cfg(feature = "tls")]
+    fn with_client_key<T: Into<String>>(mut self, client_key: T) -> Self {
+        self.export_config().client_key = Some(client_key.into());
         self
     }
 }