[OTLP] Add mTLS Support for OTLP Exporter

[sandy2008]

Fixes #2009
Design discussion issue #5918

Changes

This PR adds support for mutual TLS (mTLS) configuration to the OTLP exporter on .NET 8 and later. This allows users to specify certificate paths, enable validation, and inject custom server certificate validation logic.

Key changes include:

• OtlpMtlsOptions class with properties like ClientCertificatePath, ClientKeyPath, CaCertificatePath, EnableFilePermissionChecks, etc.
• OtlpMtlsHttpClientFactory for creating HttpClient instances configured for mTLS.
• OtlpMtlsCertificateManager for certificate loading, validation, and file permission checks.
• Extended event logging via OpenTelemetryProtocolExporterEventSource for mTLS events.
• Unit tests for configuration handling and certificate behavior.
• Initial integration and performance test stubs added.

mTLS support is only enabled for builds targeting NET8_0_OR_GREATER.

Merge requirement checklist

• [CONTRIBUTING](https://github.com/open-telemetry/opentelemetry-dotnet/blob/main/CONTRIBUTING.md) guidelines followed (license requirements, nullable enabled, static analysis, etc.)
• Unit tests added/updated
• Appropriate CHANGELOG.md files updated for non-trivial changes
• Changes in public API reviewed (if applicable)

License Information

THIS SOFTWARE IS CONTRIBUTED SUBJECT TO THE TERMS OF THE APACHE LICENSE V.2.0. YOU MAY OBTAIN A COPY OF THE LICENSE AT https://github.com/open-telemetry/opentelemetry-dotnet/blob/main/LICENSE.TXT.

THIS SOFTWARE IS LICENSED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OF NON-INFRINGEMENT, ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. THIS SOFTWARE MAY BE REDISTRIBUTED TO OTHERS ONLY BY EFFECTIVELY USING THIS OR ANOTHER EQUIVALENT DISCLAIMER IN ADDITION TO ANY OTHER REQUIRED LICENSE TERMS.

[codecov]

Codecov Report

❌ Patch coverage is 82.62548% with 45 lines in your changes missing coverage. Please review.
✅ Project coverage is 86.85%. Comparing base (f630c55) to head (3e09c5d).
⚠️ Report is 11 commits behind head on main.
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
...tocol/Implementation/OtlpMtlsCertificateManager.cs	75.93%	32 Missing ⚠️
...otocol/Implementation/OtlpMtlsHttpClientFactory.cs	86.66%	10 Missing ⚠️
...tation/OpenTelemetryProtocolExporterEventSource.cs	75.00%	3 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #6343      +/-   ##
==========================================
- Coverage   86.88%   86.85%   -0.03%     
==========================================
  Files         259      262       +3     
  Lines       12066    12414     +348     
==========================================
+ Hits        10483    10782     +299     
- Misses       1583     1632      +49     

Flag	Coverage Δ
unittests-Project-Experimental	86.53% <82.62%> (-0.25%)	⬇️
unittests-Project-Stable	86.33% <82.62%> (-0.46%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
...orter.OpenTelemetryProtocol/OtlpExporterOptions.cs	99.27% <100.00%> (+0.16%)	⬆️
....Exporter.OpenTelemetryProtocol/OtlpMtlsOptions.cs	100.00% <100.00%> (ø)
...tation/OpenTelemetryProtocolExporterEventSource.cs	82.29% <75.00%> (-2.24%)	⬇️
...otocol/Implementation/OtlpMtlsHttpClientFactory.cs	86.66% <86.66%> (ø)
...tocol/Implementation/OtlpMtlsCertificateManager.cs	75.93% <75.93%> (ø)

... and 5 files with indirect coverage changes

[rajkumar-rangaraj]

@sandy2008 I have finished my review and provided feedback. This is almost done; once the feedback is addressed, we can plan to merge before the end of next week.

[sandy2008]

@sandy2008 I have finished my review and provided feedback. This is almost done; once the feedback is addressed, we can plan to merge before the end of next week.

@rajkumar-rangaraj Hi! All the comments are resolved, please take a look and merge it!

[rajkumar-rangaraj]

LGTM — left a minor comment on event source logging.

Thanks a lot for your patience and perseverance on this PR.
You’ve waited far too long for reviews, and every time we shared feedback you came back with thoughtful fixes and improvements. I really appreciate your persistence, responsiveness, and the quality of changes throughout this process.

Approved — thanks again for hanging in there and contributing to the project!

[sandy2008]

LGTM — left a minor comment on event source logging.

Thanks a lot for your patience and perseverance on this PR. You’ve waited far too long for reviews, and every time we shared feedback you came back with thoughtful fixes and improvements. I really appreciate your persistence, responsiveness, and the quality of changes throughout this process.

Approved — thanks again for hanging in there and contributing to the project!

@rajkumar-rangaraj Thank you! Do you know when can we get it merged?

[rajkumar-rangaraj]

@rajkumar-rangaraj Thank you! Do you know when can we get it merged?

Within a week, Thanks again for your contributions!

[Kielek]

There is a chance that you have discussed it already, but some CHANGELOG entry can be beneficial.. If I missed the comment, feel free to merge as is.

[Kielek]

I do not want to block this PR, consider adding also support for OTEL_EXPORTER_OTLP_TRACES_CERTIFICATE OTEL_EXPORTER_OTLP_METRICS_CERTIFICATE OTEL_EXPORTER_OTLP_LOGS_CERTIFICATE and other signal specific vars.

There is a chance that cover all cases will required breaking changes (signal specific OTLP options), but the best effort should be also possible.

I have seen at least one method guess which env. var. is appropriate.

[rajkumar-rangaraj]

I recommend considering this as a follow-up, given the length of the PR. If the core part changes again, we'll need to review it from the beginning.

[rajkumar-rangaraj]

There is a chance that you have discussed it already, but some CHANGELOG entry can be beneficial.. If I missed the comment, feel free to merge as is.

Thanks for catching it. @sandy2008 Could you please update CHANGELOG entry?

[sandy2008]

There is a chance that you have discussed it already, but some CHANGELOG entry can be beneficial.. If I missed the comment, feel free to merge as is.

Thanks for catching it. @sandy2008 Could you please update CHANGELOG entry?

Done! Thank you!

[alanwest]

LGTM with a couple small comments. Thanks for your immense patience @sandy2008!

[alanwest]

The OTEL_EXPORTER_OTLP_CERTIFICATE configuration option does not strictly apply to mTLS.

mTLS is an authentication system in which both the client and server authenticate each other.

The OTEL_EXPORTER_OTLP_CERTIFICATE option should be able to be used independently of an mTLS scenario. Common use case is where a server has a self-signed certificate that has not been verified by a third-party certificate authority. In this scenario you can use the OTEL_EXPORTER_OTLP_CERTIFICATE setting to enable the client to trust the certificate. This is not considered mTLS.

This is not a blocker for this PR since all this code is internal, but for clarity I'd suggest a small refactor reorganizing the code to decouple the the OTEL_EXPORTER_OTLP_CERTIFICATE from any classes with mTLS in their name.

[sandy2008]

@alanwest Thx! I will submit another PR once this one is merged :)

[Kielek]

Tracked under: #6764

[github-actions]

Thank you for your contribution @sandy2008! 🎉 We would like to hear from you about your experience contributing to OpenTelemetry by taking a few minutes to fill out this survey.