feat(storage): Add SigV4 authentication support for Elasticsearch/OpenSearch storage backends

[SoumyaRaikwar]

This PR enables Jaeger to use AWS Managed Elasticsearch/OpenSearch for trace and metrics storage by adding SigV4 HTTP authentication support to Elasticsearch and OpenSearch backends.

Summary of changes

Configuration

• Add jaeger_storage.backends.<name>.<elasticsearch|opensearch>.auth_extension.authenticator to reference an OpenTelemetry HTTP authenticator extension by name
• Add jaeger_storage.metric_backends.<name>.<elasticsearch|opensearch>.auth_extension.authenticator for metric storage backends

Elasticsearch/OpenSearch backends

• Thread the resolved HTTP authenticator through the factory chain (v1/v2 trace storage and metrics storage)
• Wrap the HTTP RoundTripper used by ES/OS clients with the extension's RoundTripper (applies SigV4 signing when using sigv4authextension )
• Updated GetHTTPRoundTripper() to accept and apply the HTTP authenticator

Configuration example

extensions:
sigv4auth:
region: us-east-1
service: es # or 'aoss' for OpenSearch Serverless
# credentials/assume-role configuration per the extension's documentation

service:
extensions: [sigv4auth]

jaeger_storage:
backends:
es-aws:
elasticsearch:
servers: ["https://my-domain.us-east-1.es.amazonaws.com/"]
auth_extension:
authenticator: sigv4auth
indices:
spans:
shards: 5
replicas: 1

metric_backends:
es-metrics:
elasticsearch:
servers: ["https://my-domain.us-east-1.es.amazonaws.com/"]
auth_extension:
authenticator: sigv4auth

Implementation

• ES/OS backends now support optional HTTP authenticators via auth_extension.authenticator
• The extension's RoundTripper wraps the base transport for SigV4 signing
• Supports trace and metrics storage for Elasticsearch 7.x/8.x and OpenSearch

Scope

• Adds authentication support to:
  • Elasticsearch trace storage (v1 and v2)
  • OpenSearch trace storage (v1 and v2)
  • Elasticsearch metrics storage
  • OpenSearch metrics storage
• Backward compatible - authentication is optional

Related issue

Part of #7468

[SoumyaRaikwar]

@yurishkuro This PR adds SigV4 authentication support for ES/OS backends (both trace and metric storage) by reusing the existing HTTP RoundTripper pattern. The smaller diff compared to #7520 is because ES/OS already has auth infrastructure, so I just threaded the httpAuth parameter through the factory chain. Let me know if you'd like any additional test coverage or have questions about the approach.

[codecov]

Codecov Report

❌ Patch coverage is 74.57627% with 15 lines in your changes missing coverage. Please review.
✅ Project coverage is 96.50%. Comparing base (528476f) to head (841dea2).

Files with missing lines	Patch %	Lines
...eger/internal/extension/jaegerstorage/extension.go	72.97%	5 Missing and 5 partials ⚠️
internal/storage/elasticsearch/config/config.go	61.53%	4 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7611      +/-   ##
==========================================
- Coverage   96.59%   96.50%   -0.10%     
==========================================
  Files         384      384              
  Lines       19404    19428      +24     
==========================================
+ Hits        18744    18749       +5     
- Misses        477      489      +12     
- Partials      183      190       +7     

Flag	Coverage Δ
badger_v1	8.82% <0.00%> (-0.01%)	⬇️
badger_v2	1.73% <0.00%> (-0.01%)	⬇️
cassandra-4.x-v1-manual	12.55% <0.00%> (-0.01%)	⬇️
cassandra-4.x-v2-auto	1.72% <0.00%> (-0.01%)	⬇️
cassandra-4.x-v2-manual	1.72% <0.00%> (-0.01%)	⬇️
cassandra-5.x-v1-manual	12.55% <0.00%> (-0.01%)	⬇️
cassandra-5.x-v2-auto	1.72% <0.00%> (-0.01%)	⬇️
cassandra-5.x-v2-manual	1.72% <0.00%> (-0.01%)	⬇️
clickhouse	1.66% <0.00%> (-0.01%)	⬇️
elasticsearch-6.x-v1	16.75% <40.00%> (-0.01%)	⬇️
elasticsearch-7.x-v1	16.79% <40.00%> (-0.01%)	⬇️
elasticsearch-8.x-v1	16.93% <55.00%> (-0.01%)	⬇️
elasticsearch-8.x-v2	1.73% <0.00%> (-0.01%)	⬇️
elasticsearch-9.x-v2	1.73% <0.00%> (-0.01%)	⬇️
grpc_v1	10.76% <0.00%> (-0.01%)	⬇️
grpc_v2	1.73% <0.00%> (-0.01%)	⬇️
kafka-3.x-v1	10.26% <0.00%> (-0.01%)	⬇️
kafka-3.x-v2	1.73% <0.00%> (-0.01%)	⬇️
memory_v2	1.73% <0.00%> (-0.01%)	⬇️
opensearch-1.x-v1	16.83% <40.00%> (-0.01%)	⬇️
opensearch-2.x-v1	16.83% <40.00%> (-0.01%)	⬇️
opensearch-2.x-v2	1.73% <0.00%> (-0.01%)	⬇️
opensearch-3.x-v2	1.73% <0.00%> (-0.01%)	⬇️
query	1.73% <0.00%> (-0.01%)	⬇️
tailsampling-processor	0.50% <0.00%> (-0.01%)	⬇️
unittests	95.40% <74.57%> (-0.10%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

Metrics Comparison Summary

Total changes across all snapshots: 53

Detailed changes per snapshot

summary_metrics_snapshot_cassandra

📊 Metrics Diff Summary

Total Changes: 53

• 🆕 Added: 0 metrics
• ❌ Removed: 53 metrics
• 🔄 Modified: 0 metrics

❌ Removed Metrics

• http_server_request_body_size_bytes (18 variants)

View diff sample

-http_server_request_body_size_bytes{http_request_method="GET",http_response_status_code="503",le="+Inf",network_protocol_name="http",network_protocol_version="1.1",otel_scope_name="go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp",otel_scope_schema_url="",otel_scope_version="0.63.0",server_address="localhost",server_port="13133",url_scheme="http"}
-http_server_request_body_size_bytes{http_request_method="GET",http_response_status_code="503",le="0",network_protocol_name="http",network_protocol_version="1.1",otel_scope_name="go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp",otel_scope_schema_url="",otel_scope_version="0.63.0",server_address="localhost",server_port="13133",url_scheme="http"}
-http_server_request_body_size_bytes{http_request_method="GET",http_response_status_code="503",le="10",network_protocol_name="http",network_protocol_version="1.1",otel_scope_name="go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp",otel_scope_schema_url="",otel_scope_version="0.63.0",server_address="localhost",server_port="13133",url_scheme="http"}
-http_server_request_body_size_bytes{http_request_method="GET",http_response_status_code="503",le="100",network_protocol_name="http",network_protocol_version="1.1",otel_scope_name="go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp",otel_scope_schema_url="",otel_scope_version="0.63.0",server_address="localhost",server_port="13133",url_scheme="http"}
-http_server_request_body_size_bytes{http_request_method="GET",http_response_status_code="503",le="1000",network_protocol_name="http",network_protocol_version="1.1",otel_scope_name="go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp",otel_scope_schema_url="",otel_scope_version="0.63.0",server_address="localhost",server_port="13133",url_scheme="http"}
-http_server_request_body_size_bytes{http_request_method="GET",http_response_status_code="503",le="10000",network_protocol_name="http",network_protocol_version="1.1",otel_scope_name="go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp",otel_scope_schema_url="",otel_scope_version="0.63.0",server_address="localhost",server_port="13133",url_scheme="http"}
-http_server_request_body_size_bytes{http_request_method="GET",http_response_status_code="503",le="25",network_protocol_name="http",network_protocol_version="1.1",otel_scope_name="go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp",otel_scope_schema_url="",otel_scope_version="0.63.0",server_address="localhost",server_port="13133",url_scheme="http"}
...

- `http_server_request_duration_seconds` (17 variants)

View diff sample

-http_server_request_duration_seconds{http_request_method="GET",http_response_status_code="503",le="+Inf",network_protocol_name="http",network_protocol_version="1.1",otel_scope_name="go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp",otel_scope_schema_url="",otel_scope_version="0.63.0",server_address="localhost",server_port="13133",url_scheme="http"}
-http_server_request_duration_seconds{http_request_method="GET",http_response_status_code="503",le="0.005",network_protocol_name="http",network_protocol_version="1.1",otel_scope_name="go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp",otel_scope_schema_url="",otel_scope_version="0.63.0",server_address="localhost",server_port="13133",url_scheme="http"}
-http_server_request_duration_seconds{http_request_method="GET",http_response_status_code="503",le="0.01",network_protocol_name="http",network_protocol_version="1.1",otel_scope_name="go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp",otel_scope_schema_url="",otel_scope_version="0.63.0",server_address="localhost",server_port="13133",url_scheme="http"}
-http_server_request_duration_seconds{http_request_method="GET",http_response_status_code="503",le="0.025",network_protocol_name="http",network_protocol_version="1.1",otel_scope_name="go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp",otel_scope_schema_url="",otel_scope_version="0.63.0",server_address="localhost",server_port="13133",url_scheme="http"}
-http_server_request_duration_seconds{http_request_method="GET",http_response_status_code="503",le="0.05",network_protocol_name="http",network_protocol_version="1.1",otel_scope_name="go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp",otel_scope_schema_url="",otel_scope_version="0.63.0",server_address="localhost",server_port="13133",url_scheme="http"}
-http_server_request_duration_seconds{http_request_method="GET",http_response_status_code="503",le="0.075",network_protocol_name="http",network_protocol_version="1.1",otel_scope_name="go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp",otel_scope_schema_url="",otel_scope_version="0.63.0",server_address="localhost",server_port="13133",url_scheme="http"}
-http_server_request_duration_seconds{http_request_method="GET",http_response_status_code="503",le="0.1",network_protocol_name="http",network_protocol_version="1.1",otel_scope_name="go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp",otel_scope_schema_url="",otel_scope_version="0.63.0",server_address="localhost",server_port="13133",url_scheme="http"}
...

- `http_server_response_body_size_bytes` (18 variants)

View diff sample

-http_server_response_body_size_bytes{http_request_method="GET",http_response_status_code="503",le="+Inf",network_protocol_name="http",network_protocol_version="1.1",otel_scope_name="go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp",otel_scope_schema_url="",otel_scope_version="0.63.0",server_address="localhost",server_port="13133",url_scheme="http"}
-http_server_response_body_size_bytes{http_request_method="GET",http_response_status_code="503",le="0",network_protocol_name="http",network_protocol_version="1.1",otel_scope_name="go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp",otel_scope_schema_url="",otel_scope_version="0.63.0",server_address="localhost",server_port="13133",url_scheme="http"}
-http_server_response_body_size_bytes{http_request_method="GET",http_response_status_code="503",le="10",network_protocol_name="http",network_protocol_version="1.1",otel_scope_name="go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp",otel_scope_schema_url="",otel_scope_version="0.63.0",server_address="localhost",server_port="13133",url_scheme="http"}
-http_server_response_body_size_bytes{http_request_method="GET",http_response_status_code="503",le="100",network_protocol_name="http",network_protocol_version="1.1",otel_scope_name="go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp",otel_scope_schema_url="",otel_scope_version="0.63.0",server_address="localhost",server_port="13133",url_scheme="http"}
-http_server_response_body_size_bytes{http_request_method="GET",http_response_status_code="503",le="1000",network_protocol_name="http",network_protocol_version="1.1",otel_scope_name="go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp",otel_scope_schema_url="",otel_scope_version="0.63.0",server_address="localhost",server_port="13133",url_scheme="http"}
-http_server_response_body_size_bytes{http_request_method="GET",http_response_status_code="503",le="10000",network_protocol_name="http",network_protocol_version="1.1",otel_scope_name="go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp",otel_scope_schema_url="",otel_scope_version="0.63.0",server_address="localhost",server_port="13133",url_scheme="http"}
-http_server_response_body_size_bytes{http_request_method="GET",http_response_status_code="503",le="25",network_protocol_name="http",network_protocol_version="1.1",otel_scope_name="go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp",otel_scope_schema_url="",otel_scope_version="0.63.0",server_address="localhost",server_port="13133",url_scheme="http"}
...

➡️ View full metrics file

[graphite-app]

The nil parameter passed to NewFactoryBase() should be replaced with the HTTP authenticator. The function signature has been updated to accept an authenticator parameter, but this call site is still passing nil, which means SigV4 authentication won't work when using this factory.

Consider updating this to pass the authenticator through, similar to how it's done in other factory implementations in this PR.

Suggested change

	coreFactory, err := NewFactoryBase(context.Background(), *cfg, metricsFactory, logger, nil)
	coreFactory, err := NewFactoryBase(context.Background(), *cfg, metricsFactory, logger, authenticator)

Spotted by Graphite Agent



Is this helpful? React 👍 or 👎 to let us know.

[SoumyaRaikwar]

@yurishkuro Done! Introduced resolveAuthenticator() helper to DRY up the ES/OS code, removed unnecessary comments, added unit tests, could you please re-review

[SoumyaRaikwar]

Hi @yurishkuro,

I've refactored the implementation following your suggestion to embed configauth.Config in the Authentication struct. The changes are now much cleaner:

Changes made:

• Embedded configauth.Config directly in the Authentication struct using the squash mapstructure tag
• Removed the custom AuthExtensionConfig type entirely
• Updated extension.go to access AuthenticatorID via cfg.Authentication.AuthenticatorID
• Fixed test initialization to properly initialize the embedded struct

This follows the same pattern used in other OTel collector components and keeps the code simple.
could you please review again?

[SoumyaRaikwar]

@yurishkuro Changes implemented!

Removed the AuthExtensionConfig and simplified the code as requested:

• Pass Authentication struct directly to resolveAuthenticator
• Eliminated all boilerplate wrapping code

The embedded configauth.Config with mapstructure:",squash" ensures the config structure matches OTEL pattern.

[yurishkuro]

I don't see the need for this test. First, wantErr is always false, but more importantly what is it actually validating? This package has no knowledge of "extensions".

[SoumyaRaikwar]

Fixed! Removed TestAuthExtensionConfig - you're right, it provided no real validation.
Authentication is properly tested in extension_test.go where the actual resolution logic lives.

[yurishkuro]

the fact that this is different from ES above tells me the config structure is still different. Can we make them identical? The Prometheus change was merged but not released yet, so we have an opportunity for making a consistent config API change.

[SoumyaRaikwar]

Done! Made Prometheus config identical to Elasticsearch:

• Removed custom AuthConfig wrapper
• Now uses escfg.Authentication directly (same as ES/OpenSearch)
• Eliminated boilerplate conversion code

[SoumyaRaikwar]

Prometheus config structure is slightly different from ES/OpenSearch since it wraps promcfg.Configuration with ,squash, but the Authentication field itself is now identical across all backends.

[SoumyaRaikwar]

Also added ctx context.Context parameter to prometheus.NewFactoryWithConfig() for consistency with Elasticsearch/OpenSearch backends and to enable proper context propagation for authentication and cancellation.

[SoumyaRaikwar]

@yurishkuro could you please review again when you have time .