[SDK] Add credentials option to OTLP gRPC client (#3402)

[DouglasHeriot]

Adds a credentials option to OtlpGrpcClientOptions that allows specifying a ChannelCredentials object, rather than it being created in OtlpGrpcClient::MakeChannel with either grpc::SslCredentials() or grpc::InsecureChannelCredentials().

It allows using a custom MetadataCredentialsPlugin subclass to support arbitrary authentication methods, or an existing implementation like GoogleDefaultCredentials() for use with the GCP OTLP API.

This is similar to the solution used by OpenTelemetry Python – its OTLP exporters have a credentials parameter.

Fixes #3402

Changes

For significant contributions please make sure you have completed the following items:

• CHANGELOG.md updated for non-trivial changes
• Unit tests have been added
• Changes in public API reviewed

[netlify]

✅ Deploy Preview for opentelemetry-cpp-api-docs canceled.

Name	Link
🔨 Latest commit	2b1ef0c
🔍 Latest deploy log	https://app.netlify.com/projects/opentelemetry-cpp-api-docs/deploys/684359d11f6a420007377ccb

[DouglasHeriot]

Am I correct that the ABI Policy says this change is exempt because it is to the SDK, rather then API?

[lalitb]

Am I correct that the ABI Policy says this change is exempt because it is to the SDK, rather then API?

That's correct.

[lalitb]

LGTM. We need one more approval to get this through.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 89.92%. Comparing base (53b153c) to head (2b1ef0c).
Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #3403   +/-   ##
=======================================
  Coverage   89.92%   89.92%           
=======================================
  Files         219      219           
  Lines        7041     7041           
=======================================
  Hits         6331     6331           
  Misses        710      710           

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[marcalff]

Please clarify:

• How does this proposal fits with OTEP open-telemetry/opentelemetry-specification#4500

• This seem to cover the programmatic configuration only. I assume configuration of custom credentials using environment variables is out of scope at this point, please confirm.

• How, probably not yet but in the long term, would custom credential work with declarative configuration (see https://github.com/open-telemetry/opentelemetry-configuration/blob/f27ee13bbc7ee8156954aea79b1d8bfb0312b7cc/schema/common.json#L82), where the Grpc configuration is expressed in yaml ?

I support this change, but we need to make sure it fits the overall picture.

[marcalff]

Thanks for the PR.

To be able to merge this to the main branch, the following changes are necessary.

Please try a forward declaration instead of an include of grpc++ headers.
User code creating a grpc exporter may not have the grpc++ headers installed,
so this change can be breaking, especially for people who will not be using this feature.

This will also resolve the CI issues.

Given that this feature is not stable in the specs, it needs a feature flag.

Suggested naming:

• CMake option WITH_OTLP_GRPC_CREDENTIAL_PREVIEW
• define ENABLE_OTLP_GRPC_CREDENTIAL_PREVIEW

See the existing option WITH_OTLP_GRPC_SSL_MTLS_PREVIEW for how to implement this.

[DouglasHeriot]

Ok, I’ve had some time to work on this again. I’ve addressed the failing tests and comments above with a forward declaration. I’ve also added a warning log if both credentials and use_ssl_credentials are configured.

It is behind a feature flag supported by both CMake -DWITH_OTLP_GRPC_CREDENTIAL_PREVIEW=ON and Bazel --@io_opentelemetry_cpp//exporters/otlp:with_otlp_grpc_credential_preview=true. The current CI tests appear a bit inconsistent – in CMake I’ve enabled it where WITH_OTLP_GRPC_SSL_MTLS_PREVIEW was, but this does not appear to be enabled in any of the Bazel tests. So I’ve enabled it in Bazel where ENABLE_METRICS_EXEMPLAR_PREVIEW is.

How this related to OTEP, environment variables and other types of declarative configuration is an open question. I see this new credentials option as a low-level option that these other higher-level specifications can use to be implemented on top of. It will take some consideration how best to approach this, given the wide variety of possible gRPC credential configurations, and support for application-specific custom credential objects.

[marcalff]

LGTM, thanks for the feature.