[OTLP] add mTLS receiver for otel collector for integration test

Author: dhhoang

test/OpenTelemetry.Exporter.OpenTelemetryProtocol.Tests/IntegrationTest/.gitignore

@@ -1,3 +1,6 @@
 # Self-signed cert generated by integration test
 otel-collector.crt
 otel-collector.key
+otel-client-cert.pem
+otel-client-key.pem
+otel-ca-cert.pem

test/OpenTelemetry.Exporter.OpenTelemetryProtocol.Tests/IntegrationTest/create-cert.sh

@@ -11,6 +11,38 @@ cp /otel-collector.crt /otel-collector.key /cfg
 
 chmod 644 /cfg/otel-collector.key
 
+# Generate CA and client cert for mTLS
+echo "\
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated CA Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+extendedKeyUsage = serverAuth
+" > /ca_cert_ext.cnf
+
+openssl ecparam -genkey -name prime256v1 -out /otel-ca-key.pem
+openssl req -new -sha256 -key /otel-ca-key.pem -out /otel-ca-csr.pem -subj "/CN=otel-test-ca"
+openssl x509 -req -in /otel-ca-csr.pem -sha256 -days 365 -signkey /otel-ca-key.pem -out /otel-ca-cert.pem -extfile /ca_cert_ext.cnf
+
+echo "\
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+" > client_cert_ext.cnf
+
+openssl ecparam -genkey -name prime256v1 -out /otel-client-key.pem
+openssl req -new -key /otel-client-key.pem -out /otel-client-csr.pem -subj "/CN=otel-test-client"
+openssl x509 -req -in /otel-client-csr.pem -CA /otel-ca-cert.pem -CAkey /otel-ca-key.pem -out /otel-client-cert.pem -CAcreateserial -days 365 -sha256 -extfile /client_cert_ext.cnf
+
+cp /otel-ca-cert.pem /otel-client-cert.pem /otel-client-key.pem /cfg
+cp /otel-ca-cert.pem /usr/local/share/ca-certificates/otel-ca-cert.pem
+
 # The integration test is run via docker-compose with the --exit-code-from
 # option. The --exit-code-from option implies --abort-on-container-exit
 # which means when any container exits then all containers are stopped.

test/OpenTelemetry.Exporter.OpenTelemetryProtocol.Tests/IntegrationTest/otel-collector-config.yaml

@@ -23,6 +23,20 @@ receivers:
         tls:
           cert_file: /cfg/otel-collector.crt
           key_file: /cfg/otel-collector.key
+  otlp/mtls:
+    protocols:
+      grpc:
+        endpoint: 0.0.0.0:6317
+        tls:
+          cert_file: /cfg/otel-collector.crt
+          key_file: /cfg/otel-collector.key
+          client_ca_file: /cfg/otel-ca-cert.pem
+      http:
+        endpoint: 0.0.0.0:6318
+        tls:
+          cert_file: /cfg/otel-collector.crt
+          key_file: /cfg/otel-collector.key
+          client_ca_file: /cfg/otel-ca-cert.pem
 
 exporters:
   logging:
@@ -31,8 +45,8 @@ exporters:
 service:
   pipelines:
     traces:
-      receivers: [otlp, otlp/tls]
+      receivers: [otlp, otlp/tls, otlp/mtls]
       exporters: [logging]
     metrics:
-      receivers: [otlp, otlp/tls]
+      receivers: [otlp, otlp/tls, otlp/mtls]
       exporters: [logging]

test/OpenTelemetry.Exporter.OpenTelemetryProtocol.Tests/OtlpExporterOptionsExtensionsTests.cs

@@ -181,7 +181,7 @@ public void CreateGrpcChannel_WithCertificates_ReturnsChannelWithoutException()
         {
             CertificateFile = trustedCACertPath,
             ClientCertificateFile = certPath,
-            ClientKeyFile = pKeyPath
+            ClientKeyFile = pKeyPath,
         };
 
         using var channel = OtlpExporterOptionsExtensions.CreateChannel(otlpOptions);