open-telemetry · dmitryax · Nov 18, 2022 · Nov 18, 2022 · Nov 18, 2022 · Nov 18, 2022
@@ -0,0 +1,19 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. filelogreceiver)
+component: exporter/signalfxexporter
+
+# A brief description of the change.  Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Allow user to add a custom CA so the ingest and api clients can verify and communicate with custom TLS servers.
+
+# One or more tracking issues related to the change
+issues: [16250]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext: |
+  "`ingest_tls`" and "`api_tls`" can be used to set the absolute path to the CA file "`ca_file`".
+  This is needed when the exporter is pointing to a TLS enabled signalfx receiver or/and TLS enabled http_forwarder 
+  and the CA is not in the system cert pool
@@ -90,6 +90,24 @@ that are allowed to be used as a dimension key in addition to alphanumeric
 characters. Each nonalphanumeric dimension key character that isn't in this string 
 will be replaced with a `_`.
 - `max_connections` (default = 100):  The maximum number of idle HTTP connection the exporter can keep open.
+- `ingest_tls`: (no default) exposes a list of TLS settings to establish a secure connection with signafx receiver configured on another collector instance.
+  - `ca_file` needs to be set if the exporter's `ingest_url` is pointing to a signalfx receiver
+  with TLS enabled and using a self-signed certificate where its CA is not loaded in the system cert pool.
+  Full list of TLS options can be found in the configtls [README](https://github.com/open-telemetry/opentelemetry-collector/tree/main/config/configtls#client-configuration) 
+  The following example instructs the signalfx exporter ingest client to use a custom `ca_file` to verify the server certificate.
+  ```yaml
+  ingest_tls:
+      ca_file: "/etc/opt/certs/ca.pem"
+  ```
+- `api_tls`: (no default) exposes a list of TLS settings to establish a secure connection with http_forwarder extension configured on another collector instance.
+  - `ca_file` needs to be set if the exporter's `api_url` is pointing to a http_forwarder extension
+  with TLS enabled and using a self-signed certificate where its CA is not loaded in the system cert pool.
+  Full list of TLS options can be found in the configtls [README](https://github.com/open-telemetry/opentelemetry-collector/tree/main/config/configtls#client-configuration)
+  The following example instructs the signalfx exporter api client to use a custom `ca_file` to verify the server certificate.
+  ```yaml
+  api_tls:
+      ca_file: "/etc/opt/certs/ca.pem"
+  ```
 
 In addition, this exporter offers queued retry which is enabled by default.
 Information about queued retry configuration parameters can be found

@@ -21,6 +21,7 @@ import (
 	"time"
 
 	"go.opentelemetry.io/collector/config"
+	"go.opentelemetry.io/collector/config/configtls"
 	"go.opentelemetry.io/collector/confmap"
 	"go.opentelemetry.io/collector/exporter/exporterhelper"
 
@@ -55,10 +56,18 @@ type Config struct {
 	// path: "/v2/datapoint" for metrics, and "/v2/event" for events.
 	IngestURL string `mapstructure:"ingest_url"`
 
+	// ingest_tls needs to be set if the exporter's IngestURL is pointing to a signalfx receiver
+	// with TLS enabled and using a self-signed certificate where its CA is not loaded in the system cert pool.
+	IngestTLSSettings configtls.TLSClientSetting `mapstructure:"ingest_tls,omitempty"`
+
 	// APIURL is the destination to where SignalFx metadata will be sent. This
 	// value takes precedence over the value of Realm
 	APIURL string `mapstructure:"api_url"`
 
+	// api_tls needs to be set if the exporter's APIURL is pointing to a httforwarder extension
+	// with TLS enabled and using a self-signed certificate where its CA is not loaded in the system cert pool.
+	APITLSSettings configtls.TLSClientSetting `mapstructure:"api_tls,omitempty"`
+
 	// Headers are a set of headers to be added to the HTTP request sending
 	// trace data. These can override pre-defined header values used by the
 	// exporter, eg: "User-Agent" can be set to a custom value if specified
@@ -137,13 +146,15 @@ func (cfg *Config) getOptionsFromConfig() (*exporterOptions, error) {
 	}
 
 	return &exporterOptions{
-		ingestURL:        ingestURL,
-		apiURL:           apiURL,
-		httpTimeout:      cfg.Timeout,
-		token:            cfg.AccessToken,
-		logDataPoints:    cfg.LogDataPoints,
-		logDimUpdate:     cfg.LogDimensionUpdates,
-		metricTranslator: metricTranslator,
+		ingestURL:         ingestURL,
+		ingestTLSSettings: cfg.IngestTLSSettings,
+		apiURL:            apiURL,
+		apiTLSSettings:    cfg.APITLSSettings,
+		httpTimeout:       cfg.Timeout,
+		token:             cfg.AccessToken,
+		logDataPoints:     cfg.LogDataPoints,
+		logDimUpdate:      cfg.LogDimensionUpdates,
+		metricTranslator:  metricTranslator,
 	}, nil
 }
 

@@ -25,6 +25,7 @@ import (
 	"time"
 
 	"go.opentelemetry.io/collector/component"
+	"go.opentelemetry.io/collector/config/configtls"
 	"go.opentelemetry.io/collector/consumer"
 	"go.opentelemetry.io/collector/pdata/plog"
 	"go.opentelemetry.io/collector/pdata/pmetric"
@@ -65,13 +66,15 @@ type signalfxExporter struct {
 }
 
 type exporterOptions struct {
-	ingestURL        *url.URL
-	apiURL           *url.URL
-	httpTimeout      time.Duration
-	token            string
-	logDataPoints    bool
-	logDimUpdate     bool
-	metricTranslator *translation.MetricTranslator
+	ingestURL         *url.URL
+	ingestTLSSettings configtls.TLSClientSetting
+	apiURL            *url.URL
+	apiTLSSettings    configtls.TLSClientSetting
+	httpTimeout       time.Duration
+	token             string
+	logDataPoints     bool
+	logDimUpdate      bool
+	metricTranslator  *translation.MetricTranslator
 }
 
 // newSignalFxExporter returns a new SignalFx exporter.
@@ -108,6 +111,12 @@ func newSignalFxExporter(
 	transport.MaxIdleConnsPerHost = config.MaxConnections
 	transport.IdleConnTimeout = 30 * time.Second
 
+	ingestTLSCfg, err := config.IngestTLSSettings.LoadTLSConfig()
+	if err != nil {
+		return nil, fmt.Errorf("could not load Ingest TLS config: %w", err)
+	}
+	transport.TLSClientConfig = ingestTLSCfg
+
 	dpClient := &sfxDPClient{
 		sfxClientBase: sfxClientBase{
 			ingestURL: options.ingestURL,
@@ -124,13 +133,19 @@ func newSignalFxExporter(
 		converter:              converter,
 	}
 
+	apiTLSCfg, err := config.APITLSSettings.LoadTLSConfig()
+	if err != nil {
+		return nil, fmt.Errorf("could not load API TLS config: %w", err)
+	}
+
 	dimClient := dimensions.NewDimensionClient(
 		context.Background(),
 		dimensions.DimensionClientOptions{
-			Token:      options.token,
-			APIURL:     options.apiURL,
-			LogUpdates: options.logDimUpdate,
-			Logger:     logger,
+			Token:        options.token,
+			APIURL:       options.apiURL,
+			APITLSConfig: apiTLSCfg,
+			LogUpdates:   options.logDimUpdate,
+			Logger:       logger,
 			// Duration to wait between property updates. This might be worth
 			// being made configurable.
 			SendDelay: 10,
@@ -178,6 +193,12 @@ func newEventExporter(config *Config, logger *zap.Logger) (*signalfxExporter, er
 	transport.MaxIdleConnsPerHost = config.MaxConnections
 	transport.IdleConnTimeout = 30 * time.Second
 
+	ingestTLSCfg, err := config.IngestTLSSettings.LoadTLSConfig()
+	if err != nil {
+		return nil, fmt.Errorf("could not load Ingest TLS config: %w", err)
+	}
+	transport.TLSClientConfig = ingestTLSCfg
+
 	eventClient := &sfxEventClient{
 		sfxClientBase: sfxClientBase{
 			ingestURL: options.ingestURL,