
Support pluggable rustls crypto providers (ring, aws-lc-rs, OpenSSL) …#2269

Merged
drewrelmas merged 10 commits into open-telemetry:main from pritishnahar95:pnahar/otap-rust-tls-refactor
Mar 12, 2026

Conversation


@pritishnahar95 pritishnahar95 commented Mar 11, 2026

Change Summary

Support pluggable rustls crypto providers (ring, aws-lc-rs, OpenSSL) via
compile-time feature flags. TLS support previously hardcoded ring as the
rustls crypto backend. This PR introduces three mutually exclusive feature
flags (crypto-ring, crypto-aws-lc, crypto-openssl) so users can select
their preferred CryptoProvider at build time, enabling compliance with
environments that require OpenSSL or FIPS-validated cryptography.

What issue does this PR close?

How are these changes tested?

  • cargo check passes with default features (crypto-ring).
  • cargo check --no-default-features --features jemalloc,crypto-openssl,experimental-tls passes.
  • All existing TLS tests (tls_utils, mtls_tests, tls_stream, tls_reload,
    otlp_exporter_tls, otlp_exporter_proxy_tls) now use the centralized
    install_crypto_provider() helper and will exercise whichever backend is
    selected by feature flags.
  • compile_error! guards prevent enabling multiple crypto features simultaneously.

Are there any user-facing changes?

Yes:

  • New feature flags on the root crate and otap-df-otap:
    • crypto-ring (default) — uses ring, backward-compatible.
    • crypto-aws-lc — uses aws-lc-rs for AWS environments.
    • crypto-openssl — uses rustls-openssl for regulated/FIPS environments.
  • Default behavior is unchanged: crypto-ring is included in the default
    feature set, so existing builds are unaffected.
  • To build with OpenSSL: cargo build --no-default-features --features jemalloc,crypto-openssl
  • Transitive ring dependencies from opentelemetry-otlp (via reqwest 0.12)
    and weaver (via ureq) remain and are tracked for resolution as upstream
    crates release updates. Weaver is dev/test tooling only, not a production
    pipeline component.
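The selection mechanism the description outlines (mutually exclusive feature flags guarded by compile_error!, a build-time provider choice, and a centralized install_crypto_provider() helper that every TLS test can call) as an added example; this is not the PR's crypto.rs. It assumes a stand-in CryptoProvider type that only mirrors rustls' install_default/get_default semantics (so it compiles with plain rustc and no rustls dependency), and a ring fallback when no crypto-* feature is set, where the PR relies on Cargo's default feature set instead.

```rust
use std::sync::{Arc, OnceLock};

// The three crypto features are mutually exclusive: any pair selected
// together must fail at compile time rather than pick a backend silently.
#[cfg(all(feature = "crypto-ring", feature = "crypto-aws-lc"))]
compile_error!("features `crypto-ring` and `crypto-aws-lc` are mutually exclusive");
#[cfg(all(feature = "crypto-ring", feature = "crypto-openssl"))]
compile_error!("features `crypto-ring` and `crypto-openssl` are mutually exclusive");
#[cfg(all(feature = "crypto-aws-lc", feature = "crypto-openssl"))]
compile_error!("features `crypto-aws-lc` and `crypto-openssl` are mutually exclusive");

/// Stand-in for rustls' `CryptoProvider` (assumption: only the backend name
/// matters here); it mirrors the real `install_default`/`get_default` semantics.
#[derive(Debug)]
pub struct CryptoProvider {
    pub backend: &'static str,
}
static DEFAULT: OnceLock<Arc<CryptoProvider>> = OnceLock::new();

impl CryptoProvider {
    /// Ok if this provider became the process-wide default; otherwise Err
    /// carrying the provider that is already installed, as rustls does.
    pub fn install_default(self) -> Result<(), Arc<CryptoProvider>> {
        DEFAULT.set(Arc::new(self)).map_err(|_| Arc::clone(DEFAULT.get().expect("set")))
    }
    pub fn get_default() -> Option<&'static Arc<CryptoProvider>> { DEFAULT.get() }
}

/// Backend chosen at build time by the feature flags. Assumption: with no
/// crypto-* feature set we fall back to ring so this compiles with plain rustc;
/// the PR gets the same default from Cargo's default feature set instead.
#[cfg(feature = "crypto-aws-lc")]
pub fn provider() -> CryptoProvider { CryptoProvider { backend: "aws-lc-rs" } }
#[cfg(feature = "crypto-openssl")]
pub fn provider() -> CryptoProvider { CryptoProvider { backend: "openssl" } }
#[cfg(not(any(feature = "crypto-aws-lc", feature = "crypto-openssl")))]
pub fn provider() -> CryptoProvider { CryptoProvider { backend: "ring" } }

/// Centralised helper every TLS test calls. Idempotent across tests in one
/// process; Err only if some code already installed a *different* backend,
/// since the tests would then silently exercise the wrong provider.
pub fn install_crypto_provider() -> Result<&'static str, String> {
    let wanted = provider().backend;
    match (CryptoProvider { backend: wanted }).install_default() {
        Ok(()) => Ok(wanted),
        Err(existing) if existing.backend == wanted => Ok(wanted),
        Err(existing) => Err(format!("{} already installed, wanted {}", existing.backend, wanted)),
    }
}
```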

@pritishnahar95 pritishnahar95 requested a review from a team as a code owner March 11, 2026 18:21
@github-actions github-actions bot added the rust Pull requests that update Rust code label Mar 11, 2026

codecov bot commented Mar 11, 2026

Codecov Report

❌ Patch coverage is 92.85714% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 87.55%. Comparing base (e46f91a) to head (4be43b1).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2269      +/-   ##
==========================================
- Coverage   87.56%   87.55%   -0.01%     
==========================================
  Files         570      571       +1     
  Lines      193480   193505      +25     
==========================================
+ Hits       169414   169423       +9     
- Misses      23540    23556      +16     
  Partials      526      526              
Components Coverage Δ
otap-dataflow 89.58% <92.85%> (-0.01%) ⬇️
query_abstraction 80.61% <ø> (ø)
query_engine 90.63% <ø> (ø)
syslog_cef_receivers ∅ <ø> (∅)
otel-arrow-go 52.44% <ø> (ø)
quiver 91.91% <ø> (ø)

@pritishnahar95 pritishnahar95 marked this pull request as draft March 11, 2026 18:27
@github-actions github-actions bot added the ci-repo Repository maintenance, build, GH workflows, repo cleanup, or other chores label Mar 11, 2026
@pritishnahar95 pritishnahar95 force-pushed the pnahar/otap-rust-tls-refactor branch 2 times, most recently from 553b19b to 3fbdfcb March 11, 2026 22:22
@pritishnahar95 pritishnahar95 marked this pull request as ready for review March 11, 2026 22:59
@pritishnahar95 pritishnahar95 force-pushed the pnahar/otap-rust-tls-refactor branch from 18fe76a to 5355f5b March 12, 2026 00:09
@drewrelmas drewrelmas (Contributor) left a comment

Looks good to me; we can take up my questions on the removal of the experimental-tls feature flag in a later PR.

Would like to wait for @lalitb's approval as well before merging.

@pritishnahar95 pritishnahar95 force-pushed the pnahar/otap-rust-tls-refactor branch from 5355f5b to 5c30c5b March 12, 2026 17:28
@lalitb lalitb (Member) left a comment

LGTM! Clean abstraction for pluggable crypto providers - nice work @pritishnahar95.

@pritishnahar95 pritishnahar95 force-pushed the pnahar/otap-rust-tls-refactor branch from ff22bb3 to 76e2386 March 12, 2026 22:23
@pritishnahar95 pritishnahar95 force-pushed the pnahar/otap-rust-tls-refactor branch from 76e2386 to 4be43b1 March 12, 2026 22:25
@drewrelmas drewrelmas enabled auto-merge March 12, 2026 22:33

lquerel commented Mar 12, 2026

@pritishnahar95 @jmacd

Transitive ring dependencies from opentelemetry-otlp (via reqwest 0.12)
and weaver (via ureq) remain and are tracked for resolution as upstream
crates release updates. Weaver is dev/test tooling only, not a production
pipeline component.

I'm wondering whether we actually have a real problem here. In the medium term, I expected that we would no longer have opentelemetry-otlp as a dependency once the refactoring of the internal telemetry pipeline is completed. OTLP and OTAP export would be handled by our exporters, which would rely on the encryption layer defined by these new feature flags.

Regarding Weaver, we could imagine introducing a feature that enables dev-only capabilities (disabled by default). If we do that, it seems to me that nothing would remain that is not configured through the feature flags introduced in this PR.

@drewrelmas drewrelmas disabled auto-merge March 12, 2026 22:49
@lquerel lquerel (Contributor) left a comment

LGTM

@pritishnahar95 pritishnahar95 (Contributor, Author) commented

@pritishnahar95 @jmacd

Transitive ring dependencies from opentelemetry-otlp (via reqwest 0.12)
and weaver (via ureq) remain and are tracked for resolution as upstream
crates release updates. Weaver is dev/test tooling only, not a production
pipeline component.

I'm wondering whether we actually have a real problem here. In the medium term, I expected that we would no longer have opentelemetry-otlp as a dependency once the refactoring of the internal telemetry pipeline is completed. OTLP and OTAP export would be handled by our exporters, which would rely on the encryption layer defined by these new feature flags.

Regarding Weaver, we could imagine introducing a feature that enables dev-only capabilities (disabled by default). If we do that, it seems to me that nothing would remain that is not configured through the feature flags introduced in this PR.

That's a good point @lquerel! Let's tackle the weaver feature-gating in a separate issue/PR since it seems to touch the fake_data_generator module, its linkme registrations, and test/validation configs — better as a focused follow-up.

@drewrelmas drewrelmas added this pull request to the merge queue Mar 12, 2026
Merged via the queue into open-telemetry:main with commit ae86507 Mar 12, 2026
67 checks passed
@pritishnahar95 pritishnahar95 deleted the pnahar/otap-rust-tls-refactor branch March 16, 2026 21:48

Development

Successfully merging this pull request may close these issues.

Support pluggable rustls crypto providers (ring, aws-lc-rs, OpenSSL) via feature flags
