feat(OTLP): add tls-ring, tls-aws-lc, and tls-provider-agnostic feature flags [patch release v0.31.1] (#3426)

Author: lalitb

opentelemetry-otlp/CHANGELOG.md

@@ -2,6 +2,44 @@
 
 ## vNext
 
+## 0.31.1
+
+Released 2026-Mar-18
+
+- Add `tls-ring` and `tls-aws-lc` feature flags for explicit crypto provider selection.
+- Add `tls-provider-agnostic` feature flag for environments that require a custom crypto backend (e.g., OpenSSL for FIPS compliance). Enables TLS code paths without bundling `ring` or `aws-lc-rs`.
+
+### Feature combination guidance
+
+The new TLS features should be used **individually** — do not combine multiple
+crypto provider features. The existing `tls-roots` and `tls-webpki-roots`
+features implicitly enable `tls` (which pulls in `ring`), so combining them
+with `tls-aws-lc` or `tls-provider-agnostic` will compile both providers and
+may cause unexpected behavior.
+
+**Recommended usage:**
+
+| Goal | Features to enable |
+|---|---|
+| TLS with ring + system roots | `tls-ring`, `tls-roots` |
+| TLS with ring + Mozilla roots | `tls-ring`, `tls-webpki-roots` |
+| TLS with aws-lc + custom CA | `tls-aws-lc` (provide CA via `ClientTlsConfig`) |
+| TLS with custom provider (e.g., FIPS) | `tls-provider-agnostic` (call `CryptoProvider::install_default()` in your app) |
+
+**Avoid these combinations:**
+
+| Combination | Problem |
+|---|---|
+| `tls-aws-lc` + `tls-roots` | Pulls in `ring` via `tls-roots` → `tls`; both providers compiled, which can cause runtime panics or unpredictable provider selection |
+| `tls-aws-lc` + `tls-webpki-roots` | Same issue — both providers compiled, which can cause runtime panics or unpredictable provider selection |
+| `tls-provider-agnostic` + `tls-roots` | Defeats the purpose — bundles ring, which can cause runtime panics or unpredictable provider selection |
+| `tls-provider-agnostic` + `tls-webpki-roots` | Same issue — bundles ring, which can cause runtime panics or unpredictable provider selection |
+| `tls-ring` + `tls-aws-lc` | Both providers compiled, which can cause runtime panics or unpredictable provider selection |
+
+> **Note:** If you need root certificates with `tls-aws-lc`, depend on
+> `tonic/tls-native-roots` or `tonic/tls-webpki-roots` directly in your own
+> `Cargo.toml` instead of using `tls-roots`/`tls-webpki-roots` from this crate.
+
 ## 0.31.0
 
 Released 2025-Sep-25

opentelemetry-otlp/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "opentelemetry-otlp"
-version = "0.31.0"
+version = "0.31.1"
 description = "Exporter for the OpenTelemetry Collector"
 homepage = "https://github.com/open-telemetry/opentelemetry-rust/tree/main/opentelemetry-otlp"
 repository = "https://github.com/open-telemetry/opentelemetry-rust/tree/main/opentelemetry-otlp"
@@ -77,6 +77,12 @@ zstd-tonic = ["tonic/zstd"]
 gzip-http = ["flate2"]
 zstd-http = ["zstd"]
 tls = ["tonic/tls-ring"]
+tls-ring = ["tonic/tls-ring"]
+tls-aws-lc = ["tonic/tls-aws-lc"]
+# Provider-agnostic TLS: enables TLS code paths without bundling a specific 
+# crypto provider. Use this when you install a
+# CryptoProvider globally (e.g., via rustls-openssl for FIPS/OpenSSL environments).
+tls-provider-agnostic = ["tonic/_tls-any"]
 tls-roots = ["tls", "tonic/tls-native-roots"]
 tls-webpki-roots = ["tls", "tonic/tls-webpki-roots"]
 

opentelemetry-otlp/src/exporter/tonic/mod.rs

@@ -8,7 +8,12 @@ use tonic::codec::CompressionEncoding;
 use tonic::metadata::{KeyAndValueRef, MetadataMap};
 use tonic::service::Interceptor;
 use tonic::transport::Channel;
-#[cfg(feature = "tls")]
+#[cfg(any(
+    feature = "tls",
+    feature = "tls-ring",
+    feature = "tls-aws-lc",
+    feature = "tls-provider-agnostic"
+))]
 use tonic::transport::ClientTlsConfig;
 
 use super::{default_headers, parse_header_string, OTEL_EXPORTER_OTLP_GRPC_ENDPOINT_DEFAULT};
@@ -34,7 +39,12 @@ pub struct TonicConfig {
     /// Custom metadata entries to send to the collector.
     pub(crate) metadata: Option<MetadataMap>,
     /// TLS settings for the collector endpoint.
-    #[cfg(feature = "tls")]
+    #[cfg(any(
+        feature = "tls",
+        feature = "tls-ring",
+        feature = "tls-aws-lc",
+        feature = "tls-provider-agnostic"
+    ))]
     pub(crate) tls_config: Option<ClientTlsConfig>,
     /// The compression algorithm to use when communicating with the collector.
     pub(crate) compression: Option<Compression>,
@@ -69,7 +79,7 @@ impl TryFrom<Compression> for tonic::codec::CompressionEncoding {
 ///
 /// It allows you to
 /// - add additional metadata
-/// - set tls config (via the  `tls` feature)
+/// - set tls config (via the `tls`, `tls-ring`, `tls-aws-lc`, or `tls-provider-agnostic` features)
 /// - specify custom [channel]s
 ///
 /// [tonic]: <https://github.com/hyperium/tonic>
@@ -127,7 +137,12 @@ impl Default for TonicExporterBuilder {
                         .try_into()
                         .expect("Invalid tonic headers"),
                 )),
-                #[cfg(feature = "tls")]
+                #[cfg(any(
+                    feature = "tls",
+                    feature = "tls-ring",
+                    feature = "tls-aws-lc",
+                    feature = "tls-provider-agnostic"
+                ))]
                 tls_config: None,
                 compression: None,
                 channel: Option::default(),
@@ -197,7 +212,12 @@ impl TonicExporterBuilder {
             .map_err(|op| ExporterBuildError::InvalidUri(endpoint_clone.clone(), op.to_string()))?;
         let timeout = resolve_timeout(signal_timeout_var, config.timeout.as_ref());
 
-        #[cfg(feature = "tls")]
+        #[cfg(any(
+            feature = "tls",
+            feature = "tls-ring",
+            feature = "tls-aws-lc",
+            feature = "tls-provider-agnostic"
+        ))]
         let channel = match self.tonic_config.tls_config {
             Some(tls_config) => endpoint
                 .tls_config(tls_config)
@@ -207,7 +227,12 @@ impl TonicExporterBuilder {
         .timeout(timeout)
         .connect_lazy();
 
-        #[cfg(not(feature = "tls"))]
+        #[cfg(not(any(
+            feature = "tls",
+            feature = "tls-ring",
+            feature = "tls-aws-lc",
+            feature = "tls-provider-agnostic"
+        )))]
         let channel = endpoint.timeout(timeout).connect_lazy();
 
         otel_debug!(name: "TonicChannelBuilt", endpoint = endpoint_clone, timeout_in_millisecs = timeout.as_millis(), compression = format!("{:?}", compression), headers = format!("{:?}", headers_for_logging));
@@ -369,7 +394,12 @@ impl HasTonicConfig for TonicExporterBuilder {
 /// ```
 pub trait WithTonicConfig {
     /// Set the TLS settings for the collector endpoint.
-    #[cfg(feature = "tls")]
+    #[cfg(any(
+        feature = "tls",
+        feature = "tls-ring",
+        feature = "tls-aws-lc",
+        feature = "tls-provider-agnostic"
+    ))]
     fn with_tls_config(self, tls_config: ClientTlsConfig) -> Self;
 
     /// Set custom metadata entries to send to the collector.
@@ -478,7 +508,12 @@ pub trait WithTonicConfig {
 }
 
 impl<B: HasTonicConfig> WithTonicConfig for B {
-    #[cfg(feature = "tls")]
+    #[cfg(any(
+        feature = "tls",
+        feature = "tls-ring",
+        feature = "tls-aws-lc",
+        feature = "tls-provider-agnostic"
+    ))]
     fn with_tls_config(mut self, tls_config: ClientTlsConfig) -> Self {
         self.tonic_config().tls_config = Some(tls_config);
         self

opentelemetry-otlp/src/lib.rs

@@ -221,6 +221,12 @@
 //! * `grpc-tonic`: Use `tonic` as grpc layer.
 //! * `gzip-tonic`: Use gzip compression for `tonic` grpc layer.
 //! * `zstd-tonic`: Use zstd compression for `tonic` grpc layer.
+//! * `tls`: Enable rustls TLS support using ring for `tonic` (default TLS feature).
+//! * `tls-ring`: Enable rustls TLS support using ring for `tonic`.
+//! * `tls-aws-lc`: Enable rustls TLS support using aws-lc for `tonic`.
+//! * `tls-provider-agnostic`: Provider-agnostic TLS — enables TLS code paths without bundling a specific
+//!   crypto provider. Use this when you install a `CryptoProvider` globally
+//!   (e.g., via `rustls-openssl` for FIPS/OpenSSL environments).
 //! * `tls-roots`: Adds system trust roots to rustls-based gRPC clients using the rustls-native-certs crate
 //! * `tls-webpki-roots`: Embeds Mozilla's trust roots to rustls-based gRPC clients using the webpki-roots crate
 //!
@@ -462,7 +468,12 @@ pub mod tonic_types {
     }
 
     /// Re-exported types from `tonic::transport`.
-    #[cfg(feature = "tls")]
+    #[cfg(any(
+        feature = "tls",
+        feature = "tls-ring",
+        feature = "tls-aws-lc",
+        feature = "tls-provider-agnostic"
+    ))]
     pub mod transport {
         #[doc(no_inline)]
         pub use tonic::transport::{Certificate, ClientTlsConfig, Identity};