[OTLP] Add mTLS Support for OTLP Exporter

[sandy2008]

Fixes #2009
Design discussion issue #5918

Changes

This PR adds support for mutual TLS (mTLS) configuration to the OTLP exporter on .NET 8 and later. This allows users to specify certificate paths, enable validation, and inject custom server certificate validation logic.

Key changes include:

• OtlpMtlsOptions class with properties like ClientCertificatePath, ClientKeyPath, CaCertificatePath, EnableFilePermissionChecks, etc.
• OtlpMtlsHttpClientFactory for creating HttpClient instances configured for mTLS.
• OtlpMtlsCertificateManager for certificate loading, validation, and file permission checks.
• Extended event logging via OpenTelemetryProtocolExporterEventSource for mTLS events.
• Unit tests for configuration handling and certificate behavior.
• Initial integration and performance test stubs added.

mTLS support is only enabled for builds targeting NET8_0_OR_GREATER.

Merge requirement checklist

• [CONTRIBUTING](https://github.com/open-telemetry/opentelemetry-dotnet/blob/main/CONTRIBUTING.md) guidelines followed (license requirements, nullable enabled, static analysis, etc.)
• Unit tests added/updated
• Appropriate CHANGELOG.md files updated for non-trivial changes
• Changes in public API reviewed (if applicable)

[martincostello]

Do we need to support Offline for if a user is running in a closed environment?

[sandy2008]

@martincostello Does this commit look ok? 7368c9e

[rajkumar-rangaraj]

I got the same concern as @martincostello, your commit looks fine with me. Why that's not a part of the PR?

[codecov]

Codecov Report

❌ Patch coverage is 58.54701% with 97 lines in your changes missing coverage. Please review.
✅ Project coverage is 86.12%. Comparing base (d2f8e54) to head (cabc172).
⚠️ Report is 149 commits behind head on main.

Files with missing lines	Patch %	Lines
...tocol/Implementation/OtlpMtlsCertificateManager.cs	47.28%	68 Missing ⚠️
...otocol/Implementation/OtlpMtlsHttpClientFactory.cs	55.93%	26 Missing ⚠️
...tation/OpenTelemetryProtocolExporterEventSource.cs	62.50%	3 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #6343      +/-   ##
==========================================
- Coverage   86.67%   86.12%   -0.56%     
==========================================
  Files         258      261       +3     
  Lines       11873    12099     +226     
==========================================
+ Hits        10291    10420     +129     
- Misses       1582     1679      +97     

Flag	Coverage Δ
unittests-Project-Experimental	86.02% <58.54%> (-0.50%)	⬇️
unittests-Project-Stable	85.91% <58.54%> (-0.36%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
...orter.OpenTelemetryProtocol/OtlpExporterOptions.cs	99.25% <100.00%> (+0.16%)	⬆️
....Exporter.OpenTelemetryProtocol/OtlpMtlsOptions.cs	100.00% <100.00%> (ø)
...tation/OpenTelemetryProtocolExporterEventSource.cs	86.04% <62.50%> (+0.14%)	⬆️
...otocol/Implementation/OtlpMtlsHttpClientFactory.cs	55.93% <55.93%> (ø)
...tocol/Implementation/OtlpMtlsCertificateManager.cs	47.28% <47.28%> (ø)

... and 2 files with indirect coverage changes

[sandy2008]

@alanwest Could you help change the requested change to approve~? Tyvm!

[github-actions]

This PR was marked stale due to lack of activity and will be closed in 7 days. Commenting or pushing will instruct the bot to automatically remove the label. This bot runs once per day.

[sandy2008]

@rajkumar-rangaraj Hi! Any updates?

[github-actions]

This PR was marked stale due to lack of activity and will be closed in 7 days. Commenting or pushing will instruct the bot to automatically remove the label. This bot runs once per day.

[github-actions]

This PR was marked stale due to lack of activity and will be closed in 7 days. Commenting or pushing will instruct the bot to automatically remove the label. This bot runs once per day.

[github-actions]

This PR was marked stale due to lack of activity and will be closed in 7 days. Commenting or pushing will instruct the bot to automatically remove the label. This bot runs once per day.

[Lemorz56]

Any updates on this?

[sandy2008]

Any updates on this?

Pending @rajkumar-rangaraj 's reviews.

[github-actions]

This PR was marked stale due to lack of activity and will be closed in 7 days. Commenting or pushing will instruct the bot to automatically remove the label. This bot runs once per day.

[github-actions]

This PR was marked stale due to lack of activity and will be closed in 7 days. Commenting or pushing will instruct the bot to automatically remove the label. This bot runs once per day.

[rajkumar-rangaraj]

If a user sets only OTEL_EXPORTER_OTLP_CERTIFICATE (CA cert) without a client certificate, the factory returns a plain HttpClient. The custom CA validation is completely ignored.

Users wanting to trust a private CA for server validation (one-way TLS with custom CA) won't get it unless they also provide a client certificate. Changing as below could help.

Suggested change

	public bool IsEnabled => !string.IsNullOrWhiteSpace(this.ClientCertificatePath);
	public bool IsEnabled =>
	!string.IsNullOrWhiteSpace(this.ClientCertificatePath) ||
	!string.IsNullOrWhiteSpace(this.CaCertificatePath);

[rajkumar-rangaraj]

Users with password-protected PFX/PKCS#12 keystores cannot use it here. Are you planning to follow up on OTEL_EXPORTER_OTLP_CLIENT_KEY_PASSWORD as follow up?

[rajkumar-rangaraj]

is this used anywhere?

[rajkumar-rangaraj]

nit:

Suggested change

	private const string TestCertPem =
	private const string InvalidCertPem=

[rajkumar-rangaraj]

Please plan to increase the test coverage for these areas.

• ValidateServerCertificate
• Test for CA-only configuration
• Negative test for expired certificates despite having CreateExpiredCertificate() defined