Client-side security is an essential aspect of the OpenTelemetry .NET project. This document will discuss the possible options for employing security strategies on the client side, with examples for each option, using the provided code snippets and documentation.
OpenTelemetry .NET
OpenTelemetry .NET is a language-specific implementation of OpenTelemetry in .NET. It supports all officially supported versions of .NET and .NET Framework, except for .NET Core 3.1, which reached end-of-life on December 13, 2022 (source: https://opentelemetry.io/docs/instrumentation/net/#version-support).
Authenticators
The OpenTelemetry Collector allows receivers and exporters to be connected to authenticators, providing a way to both authenticate incoming connections at the receiver’s side and add authentication data to outgoing requests at the exporter’s side (source: https://opentelemetry.io/docs/collector/custom-auth/#building-a-custom-authenticator).
Example
To build a custom authenticator, you can follow the guide provided by OpenTelemetry. Here’s an example of how to create a custom authenticator using the extensions framework:
import (
"context"
"fmt"
"go.opentelemetry.io/collector/component"
"go.opentelemetry.io/collector/config/configmodels"
"go.opentelemetry.io/collector/exporter/exporterhelper"
"go.opentelemetry.io/collector/model/pdata"
)
type customAuthenticator struct {
config *configmodels.CustomAuthenticatorConfig
}
func newCustomAuthenticator(cfg *configmodels.CustomAuthenticatorConfig) (*customAuthenticator, error) {
return &customAuthenticator{config: cfg}, nil
}
func (c *customAuthenticator) ConsumeTraces(ctx context.Context, td pdata.Traces) error {
// Add authentication data to outgoing requests
for _, span := range td.Spans() {
span.SetAttribute("my.custom.auth", "my-secret-token")
}
return nil
}
func (c *customAuthenticator) createTraceExporter(_ context.Context, params component.TraceExporterCreateParams, cfg configmodels.TraceExporterConfig) (component.TraceExporter, error) {
return exporterhelper.NewTraceExporter(cfg, c.ConsumeTraces)
}
func createTraceAuthenticator(_ context.Context, params component.TraceAuthenticatorCreateParams, cfg configmodels.CustomAuthenticatorConfig) (component.TraceAuthenticator, error) {
authenticator, err := newCustomAuthenticator(&cfg)
if err != nil {
return nil, fmt.Errorf("failed to create custom authenticator: %w", err)
}
return authenticator, nil
}
func createCustomAuthenticator(_ context.Context, params component.ComponentCreateParams, cfg configmodels.CustomAuthenticatorConfig) (component.Component, error) {
authenticator, err := newCustomAuthenticator(&cfg)
if err != nil {
return nil, fmt.Errorf("failed to create custom authenticator: %w", err)
}
return component.NewTraceAuthenticator(params, createTraceAuthenticator, authenticator)
}
Automatic Instrumentation
OpenTelemetry .NET Automatic Instrumentation supports a wide variety of libraries and frameworks, including ASP.NET, ASP.NET Core, and HttpClient (source: https://opentelemetry.io/docs/instrumentation/net/automatic/#supported-libraries-and-frameworks).
Example
To use the OpenTelemetry .NET Automatic Instrumentation, you can follow the instructions provided by OpenTelemetry. Here’s an example of how to install and configure the automatic instrumentation for ASP.NET Core and HttpClient:
# PowerShell 5.1 or higher is required
$module_url = "https://github.com/open-telemetry/opentelemetry-dotnet-instrumentation/releases/latest/download/OpenTelemetry.DotNet.Auto.psm1"
$download_path = Join-Path $env:temp "OpenTelemetry.DotNet.Auto.psm1"
Invoke-WebRequest -Uri $module_url -OutFile $download_path -UseBasicParsing
# Import the module to use its functions
Import-Module $download_path
# Install core files (online vs offline method)
Install-OpenTelemetryCore
Install-OpenTelemetryCore -LocalPath "C:\Path\To\OpenTelemetry.zip"
# Set up the instrumentation for the current PowerShell session
Register-OpenTelemetryForCurrentSession -OTelServiceName "MyServiceDisplayName"
# Run your application with instrumentation
Exporters
OpenTelemetry .NET provides various exporters for sending telemetry data to different backends, such as OTLP Exporter, Prometheus Exporter, Zipkin Exporter, and Stackdriver Exporter (source: https://opentelemetry.io/docs/instrumentation/net/exporters/).
Example
To configure an OTLP exporter that sends data to a specific endpoint, you can follow the guide provided by OpenTelemetry:
using OpenTelemetry.Resources ;
using OpenTelemetry.Trace ;
var builder = WebApplication . CreateBuilder ( args );
builder . Services . AddOpenTelemetry ()
. WithTracing ( b =>
{
b . AddOtlpExporter ( opt =>
{
opt . Endpoint = new Uri ( "http://my-otlp-endpoint.com:4317" );
opt . Protocol = OpenTelemetry.Exporter.OpenTelemetryProtocol.Protobuf ;
});
// The rest of your setup code goes here too
});
Conclusion
Client-side security in OpenTelemetry .NET can be achieved through custom authenticators, automatic instrumentation, and exporters. By following the examples provided in this document, you can ensure that your .NET applications and services are secure and compliant with the OpenTelemetry specifications.
