feat: opentelemetry-otlp: Add provider-agnostic TLS feature for custom crypto backends (#3423)

lalitb · web-flow · commit 965078315b58 · 2026-03-18T20:40:29.000Z
diff --git a/opentelemetry-otlp/CHANGELOG.md b/opentelemetry-otlp/CHANGELOG.md
@@ -2,6 +2,7 @@
 
 ## vNext
 
+- Add `tls-provider-agnostic` feature flag for environments that require a custom crypto backend (e.g., OpenSSL for FIPS compliance). Enables TLS code paths without bundling `ring` or `aws-lc-rs`.
 - Add `build()` directly on `SpanExporterBuilder`, `MetricExporterBuilder`, and `LogExporterBuilder`
   (before selecting a transport), which auto-selects the transport based on the
   `OTEL_EXPORTER_OTLP_PROTOCOL` environment variable or enabled features.
diff --git a/opentelemetry-otlp/Cargo.toml b/opentelemetry-otlp/Cargo.toml
@@ -80,9 +80,13 @@ experimental-grpc-retry = ["grpc-tonic", "opentelemetry_sdk/experimental_async_r
 # http compression
 gzip-http = ["flate2"]
 zstd-http = ["zstd"]
-tls = ["tls-ring"] # Deprecated: use tls-ring or tls-aws-lc.
+tls = ["tls-ring"] # Deprecated: use tls-ring or tls-aws-lc or tls-provider-agnostic
 tls-ring = ["tonic/tls-ring"]
 tls-aws-lc = ["tonic/tls-aws-lc"]
+# Provider-agnostic TLS: enables TLS code paths without bundling a specific 
+# crypto provider. Use this when you install a
+# CryptoProvider globally (e.g., via rustls-openssl for FIPS/OpenSSL environments).
+tls-provider-agnostic = ["tonic/_tls-any"]
 tls-roots = ["tonic/tls-native-roots"]
 tls-webpki-roots = ["tonic/tls-webpki-roots"]
 
diff --git a/opentelemetry-otlp/src/exporter/tonic/mod.rs b/opentelemetry-otlp/src/exporter/tonic/mod.rs
@@ -8,7 +8,12 @@ use tonic::codec::CompressionEncoding;
 use tonic::metadata::{KeyAndValueRef, MetadataMap};
 use tonic::service::Interceptor;
 use tonic::transport::Channel;
-#[cfg(any(feature = "tls", feature = "tls-ring", feature = "tls-aws-lc"))]
+#[cfg(any(
+    feature = "tls",
+    feature = "tls-ring",
+    feature = "tls-aws-lc",
+    feature = "tls-provider-agnostic"
+))]
 use tonic::transport::ClientTlsConfig;
 
 use super::{default_headers, parse_header_string, OTEL_EXPORTER_OTLP_GRPC_ENDPOINT_DEFAULT};
@@ -52,7 +57,12 @@ pub(crate) struct TonicConfig {
     /// Custom metadata entries to send to the collector.
     pub(crate) metadata: Option<MetadataMap>,
     /// TLS settings for the collector endpoint.
-    #[cfg(any(feature = "tls", feature = "tls-ring", feature = "tls-aws-lc"))]
+    #[cfg(any(
+        feature = "tls",
+        feature = "tls-ring",
+        feature = "tls-aws-lc",
+        feature = "tls-provider-agnostic"
+    ))]
     pub(crate) tls_config: Option<ClientTlsConfig>,
     /// The compression algorithm to use when communicating with the collector.
     pub(crate) compression: Option<Compression>,
@@ -90,7 +100,7 @@ impl TryFrom<Compression> for tonic::codec::CompressionEncoding {
 ///
 /// It allows you to
 /// - add additional metadata
-/// - set tls config (via the `tls-ring` or `tls-aws-lc` features)
+/// - set tls config (via the `tls-ring`, `tls-aws-lc`, or `tls-provider-agnostic` features)
 /// - specify custom [channel]s
 ///
 /// [tonic]: <https://github.com/hyperium/tonic>
@@ -148,7 +158,12 @@ impl Default for TonicExporterBuilder {
                         .try_into()
                         .expect("Invalid tonic headers"),
                 )),
-                #[cfg(any(feature = "tls", feature = "tls-ring", feature = "tls-aws-lc"))]
+                #[cfg(any(
+                    feature = "tls",
+                    feature = "tls-ring",
+                    feature = "tls-aws-lc",
+                    feature = "tls-provider-agnostic"
+                ))]
                 tls_config: None,
                 compression: None,
                 channel: Option::default(),
@@ -244,20 +259,30 @@ impl TonicExporterBuilder {
             .scheme()
             .is_some_and(|s| *s == http::uri::Scheme::HTTPS);
 
-        #[cfg(not(any(feature = "tls", feature = "tls-ring", feature = "tls-aws-lc")))]
+        #[cfg(not(any(
+            feature = "tls",
+            feature = "tls-ring",
+            feature = "tls-aws-lc",
+            feature = "tls-provider-agnostic"
+        )))]
         if is_https {
             return Err(ExporterBuildError::InvalidConfig {
                 name: "endpoint".to_string(),
                 reason: format!(
                     "endpoint '{}' uses HTTPS but no TLS feature is enabled; \
-                     enable one of the `tls-ring` or `tls-aws-lc` features on `opentelemetry-otlp`",
+                     enable one of the `tls-ring`, `tls-aws-lc`, or `tls-provider-agnostic` features on `opentelemetry-otlp`",
                     endpoint_clone
                 ),
             });
         }
         let timeout = resolve_timeout(signal_timeout_var, config.timeout.as_ref());
 
-        #[cfg(any(feature = "tls", feature = "tls-ring", feature = "tls-aws-lc"))]
+        #[cfg(any(
+            feature = "tls",
+            feature = "tls-ring",
+            feature = "tls-aws-lc",
+            feature = "tls-provider-agnostic"
+        ))]
         let channel = match self.tonic_config.tls_config {
             Some(tls_config) => endpoint
                 .tls_config(tls_config)
@@ -270,7 +295,12 @@ impl TonicExporterBuilder {
         .timeout(timeout)
         .connect_lazy();
 
-        #[cfg(not(any(feature = "tls", feature = "tls-ring", feature = "tls-aws-lc")))]
+        #[cfg(not(any(
+            feature = "tls",
+            feature = "tls-ring",
+            feature = "tls-aws-lc",
+            feature = "tls-provider-agnostic"
+        )))]
         let channel = endpoint.timeout(timeout).connect_lazy();
 
         otel_debug!(name: "TonicChannelBuilt", endpoint = endpoint_clone, timeout_in_millisecs = timeout.as_millis(), compression = format!("{:?}", compression), headers = format!("{:?}", headers_for_logging));
@@ -547,7 +577,12 @@ impl HasTonicConfig for TonicExporterBuilder {
 /// ```
 pub trait WithTonicConfig {
     /// Set the TLS settings for the collector endpoint.
-    #[cfg(any(feature = "tls", feature = "tls-ring", feature = "tls-aws-lc"))]
+    #[cfg(any(
+        feature = "tls",
+        feature = "tls-ring",
+        feature = "tls-aws-lc",
+        feature = "tls-provider-agnostic"
+    ))]
     fn with_tls_config(self, tls_config: ClientTlsConfig) -> Self;
 
     /// Set custom metadata entries to send to the collector.
@@ -660,7 +695,12 @@ pub trait WithTonicConfig {
 }
 
 impl<B: HasTonicConfig> WithTonicConfig for B {
-    #[cfg(any(feature = "tls", feature = "tls-ring", feature = "tls-aws-lc"))]
+    #[cfg(any(
+        feature = "tls",
+        feature = "tls-ring",
+        feature = "tls-aws-lc",
+        feature = "tls-provider-agnostic"
+    ))]
     fn with_tls_config(mut self, tls_config: ClientTlsConfig) -> Self {
         self.tonic_config().tls_config = Some(tls_config);
         self
@@ -970,7 +1010,12 @@ mod tests {
     }
 
     #[test]
-    #[cfg(not(any(feature = "tls", feature = "tls-ring", feature = "tls-aws-lc")))]
+    #[cfg(not(any(
+        feature = "tls",
+        feature = "tls-ring",
+        feature = "tls-aws-lc",
+        feature = "tls-provider-agnostic"
+    )))]
     fn test_https_endpoint_errors_without_tls_feature() {
         use crate::exporter::ExporterBuildError;
         use crate::SpanExporter;
@@ -995,7 +1040,12 @@ mod tests {
     }
 
     #[tokio::test]
-    #[cfg(any(feature = "tls-ring", feature = "tls-aws-lc"))]
+    #[cfg(any(
+        feature = "tls",
+        feature = "tls-ring",
+        feature = "tls-aws-lc",
+        feature = "tls-provider-agnostic"
+    ))]
     async fn test_https_endpoint_succeeds_with_tls_feature() {
         use crate::SpanExporter;
         use crate::WithExportConfig;
diff --git a/opentelemetry-otlp/src/lib.rs b/opentelemetry-otlp/src/lib.rs
@@ -271,6 +271,9 @@
 //! * `zstd-tonic`: Use zstd compression for `tonic` grpc layer.
 //! * `tls-ring`: Enable rustls TLS support using ring for `tonic`.
 //! * `tls-aws-lc`: Enable rustls TLS support using aws-lc for `tonic`.
+//! * `tls-provider-agnostic`: Provider-agnostic TLS — enables TLS code paths without bundling a specific
+//!   crypto provider. Use this when you install a `CryptoProvider` globally
+//!   (e.g., via `rustls-openssl` for FIPS/OpenSSL environments).
 //! * `tls` (deprecated): Use `tls-ring` or `tls-aws-lc` instead.
 //! * `tls-roots`: Adds system trust roots to rustls-based gRPC clients using the rustls-native-certs crate (use with `tls-ring` or `tls-aws-lc`).
 //! * `tls-webpki-roots`: Embeds Mozilla's trust roots to rustls-based gRPC clients using the webpki-roots crate (use with `tls-ring` or `tls-aws-lc`).
@@ -811,7 +814,12 @@ pub mod tonic_types {
     }
 
     /// Re-exported types from `tonic::transport`.
-    #[cfg(any(feature = "tls", feature = "tls-ring", feature = "tls-aws-lc"))]
+    #[cfg(any(
+        feature = "tls",
+        feature = "tls-ring",
+        feature = "tls-aws-lc",
+        feature = "tls-provider-agnostic"
+    ))]
     pub mod transport {
         #[doc(no_inline)]
         pub use tonic::transport::{Certificate, ClientTlsConfig, Identity};
