Description
The OTEL_EXPORTER_OTLP_INSECURE configuration setting is defined in mcpgateway/config.py and documented in multiple places, but it is not actually used by the OTLP exporter initialization code in mcpgateway/observability.py.
Current Behavior
- Setting is defined:
mcpgateway/config.py line 2064
- Setting is documented:
docs/docs/manage/observability/opentelemetry.md line 292
- Setting is NOT passed to OTLP exporter:
mcpgateway/observability.py lines 926-945
The code comment explicitly states:
"Note: some versions of OTLP exporters may not accept 'insecure' kwarg; avoid passing it. Use endpoint scheme or env to control TLS externally."
Expected Behavior
Either:
- The
insecure parameter should be passed to the OTLP exporter constructors, OR
- The configuration setting should be removed/deprecated and documentation updated to clarify that SSL verification is controlled via Python environment variables (
REQUESTS_CA_BUNDLE, SSL_CERT_FILE)
Impact
Users attempting to disable SSL verification for OTLP exports to servers with self-signed certificates (e.g., Langfuse on OpenShift) find that setting OTEL_EXPORTER_OTLP_INSECURE=true has no effect, leading to SSL certificate verification errors.
Workaround
Use Python's standard SSL environment variables instead:
env:
- name: REQUESTS_CA_BUNDLE
value: /path/to/ca-bundle.crt
Proposed Fix
Option 1: Implement the setting
if protocol == "grpc" and OTLP_SPAN_EXPORTER:
exporter = cast(Any, OTLP_SPAN_EXPORTER)(
endpoint=endpoint,
headers=header_dict or None,
insecure=cfg.otel_exporter_otlp_insecure
)
elif HTTP_EXPORTER:
exporter = cast(Any, HTTP_EXPORTER)(
endpoint=http_ep,
headers=header_dict or None,
insecure=cfg.otel_exporter_otlp_insecure
)Option 2: Remove/deprecate
- Remove
otel_exporter_otlp_insecure from config.py
- Update documentation to clarify SSL verification is controlled via
REQUESTS_CA_BUNDLE/SSL_CERT_FILE
References
- User report: Customer attempting to export to Langfuse on OCP with self-signed certs
- Code locations:
- Config:
mcpgateway/config.py:2064
- Implementation:
mcpgateway/observability.py:926-945
- Docs:
docs/docs/manage/observability/opentelemetry.md:292
Description
The
OTEL_EXPORTER_OTLP_INSECUREconfiguration setting is defined inmcpgateway/config.pyand documented in multiple places, but it is not actually used by the OTLP exporter initialization code inmcpgateway/observability.py.Current Behavior
mcpgateway/config.pyline 2064docs/docs/manage/observability/opentelemetry.mdline 292mcpgateway/observability.pylines 926-945The code comment explicitly states:
Expected Behavior
Either:
insecureparameter should be passed to the OTLP exporter constructors, ORREQUESTS_CA_BUNDLE,SSL_CERT_FILE)Impact
Users attempting to disable SSL verification for OTLP exports to servers with self-signed certificates (e.g., Langfuse on OpenShift) find that setting
OTEL_EXPORTER_OTLP_INSECURE=truehas no effect, leading to SSL certificate verification errors.Workaround
Use Python's standard SSL environment variables instead:
Proposed Fix
Option 1: Implement the setting
Option 2: Remove/deprecate
otel_exporter_otlp_insecurefromconfig.pyREQUESTS_CA_BUNDLE/SSL_CERT_FILEReferences
mcpgateway/config.py:2064mcpgateway/observability.py:926-945docs/docs/manage/observability/opentelemetry.md:292