OTEL Collector Agent security

[panthamm]

We are planning to implement traces to an existing application, the current application has two flavors. One is the thick client (written in .Net) is hosted in the customer environment, and services are hosted in Cloud(this is managed by my organization ITOPS).

Planning to install Collector Agent in the Customer environment and then Thick Client send traces to collector Agent. Collector Agent sends traces to configured observability backend (ex. Zipkins/AppInsight/DataDog etc.) Collector Agent also installs in next to services which are managed by my organization ITOPS.

I don't have a problem configuring the Instrumentation key in the Collector Agent config on the server side. The problem is Client-side collector agent install in a Customer environment. How to manage the Security of the Collector Agent Instrumentation key for a thick client installed in a customer environment?

Questions:

1. How can I secure the Instrument key in Collector Agent Config?
2. Is anybody successfully implemented OIDC Authenticator extension/Bearer token Authenticator extension in Collector Agent?
3. Is OIDC Device flow is correct option to implement?

[bogdandrutu]

/cc @tigrannajaryan @jpkrohling

[jpkrohling]

I'm not quite sure I'm following. Your .net application would send the traces to a collector located on the client-side, which would then send the traces to a collector on a remote location. Authentication between the collectors can be done with the client authenticators (bearer token, OAuth2 Client Credentials) and server authenticators (OIDC). If you have a scenario where your auth server can accept long-lived bearer tokens, that should be preferred. If you need to obtain tokens periodically, the OAuth2 Client Credentials would be more suitable.

Unfortunately, it looks like the documentation on how to achieve the scenario above has been removed from the website, but while it's not reinstated, you can probably get some information from this PR:
https://github.com/open-telemetry/opentelemetry.io/pull/649/files

Between your .net application and the local collector, you can configure them to have mutual TLS authentication, or you can set a fixed token in your configuration, sending it to the agent via extra HTTP headers. I do not know how it would work for the .net SDK, though.