feat(enterprise-telemetry): wire bearer token auth and configurable insecure flag into OTEL exporter

2026-02-09 15:10:13 -05:00 · 2026-02-09 01:29:40 -08:00
parent 51cdf37236
commit ef642b6778
1 changed files with 15 additions and 4 deletions
--- a/api/enterprise/telemetry/exporter.py
+++ b/api/enterprise/telemetry/exporter.py
@@ -64,19 +64,20 @@ def _datetime_to_ns(dt: datetime) -> int:


 class _ExporterFactory:
-    def __init__(self, protocol: str, endpoint: str, headers: dict[str, str]):
+    def __init__(self, protocol: str, endpoint: str, headers: dict[str, str], insecure: bool):
        self._protocol = protocol
        self._endpoint = endpoint
        self._headers = headers
        self._grpc_headers = tuple(headers.items()) if headers else None
        self._http_headers = headers or None
+        self._insecure = insecure

    def create_trace_exporter(self) -> HTTPSpanExporter | GRPCSpanExporter:
        if self._protocol == "grpc":
            return GRPCSpanExporter(
                endpoint=self._endpoint or None,
                headers=self._grpc_headers,
-                insecure=True,
+                insecure=self._insecure,
            )
        trace_endpoint = f"{self._endpoint}/v1/traces" if self._endpoint else ""
        return HTTPSpanExporter(endpoint=trace_endpoint or None, headers=self._http_headers)
@@ -86,7 +87,7 @@ class _ExporterFactory:
            return GRPCMetricExporter(
                endpoint=self._endpoint or None,
                headers=self._grpc_headers,
-                insecure=True,
+                insecure=self._insecure,
            )
        metric_endpoint = f"{self._endpoint}/v1/metrics" if self._endpoint else ""
        return HTTPMetricExporter(endpoint=metric_endpoint or None, headers=self._http_headers)
@@ -107,6 +108,9 @@ class EnterpriseExporter:
        service_name: str = getattr(config, "ENTERPRISE_SERVICE_NAME", "dify")
        sampling_rate: float = getattr(config, "ENTERPRISE_OTEL_SAMPLING_RATE", 1.0)
        self.include_content: bool = getattr(config, "ENTERPRISE_INCLUDE_CONTENT", True)
+        api_key: str = getattr(config, "ENTERPRISE_OTLP_API_KEY", "")
+        # Auto-detect TLS: when bearer token is configured, use secure channel
+        insecure: bool = not bool(api_key)

        resource = Resource(
            attributes={
@@ -119,7 +123,14 @@ class EnterpriseExporter:
        self._tracer_provider = TracerProvider(resource=resource, sampler=sampler, id_generator=id_generator)

        headers = _parse_otlp_headers(headers_raw)
-        factory = _ExporterFactory(protocol, endpoint, headers)
+        if api_key:
+            if "authorization" in headers:
+                logger.warning(
+                    "ENTERPRISE_OTLP_API_KEY is set but ENTERPRISE_OTLP_HEADERS also contains "
+                    "'authorization'; the API key will take precedence."
+                )
+            headers["authorization"] = f"Bearer {api_key}"
+        factory = _ExporterFactory(protocol, endpoint, headers, insecure=insecure)

        trace_exporter = factory.create_trace_exporter()
        self._tracer_provider.add_span_processor(BatchSpanProcessor(trace_exporter))