test(otelconf): replace expiring TLS fixtures with runtime certs #8835

Merged: pellared merged 3 commits into open-telemetry:main from MrAlias:fix-CI-expired-test-certs, Apr 17, 2026

MrAlias commented Apr 16, 2026

Summary

This fixes the repo-wide CI failures caused by expired otelconf TLS test certificates.

The failing gRPC exporter tests in otelconf, otelconf/x, and otelconf/v0.3.0 were using static PEM fixtures that expired on April 15, 2026, which caused main and unrelated PRs to start failing with x509 certificate validity errors.

This change replaces those expiring test fixtures with runtime-generated CA, server, and client certificates created under t.TempDir().

Changes

  • add a shared otelconf/internal/testtls helper to generate fresh test-only TLS materials at runtime
  • update the gRPC log, metric, and trace exporter TLS tests in otelconf
  • update the same TLS tests in otelconf/x
  • update the same TLS tests in otelconf/v0.3.0

Why this approach

Refreshing the checked-in PEM files would only defer the outage until the next expiry date. Generating certificates during the test run removes the calendar dependency while preserving the TLS and mTLS coverage those tests are meant to exercise.

Verification

  • go test ./... -run "^Test_otlpGRPC(Log|Metric|Trace)Exporter$" from otelconf/
  • reran the same focused exporter suite with GOARCH=386

Both focused runs passed after the change.

MrAlias added labels Apr 16, 2026: bug (Something isn't working), area: testing (Related to package testing), Skip Changelog (Allow PR to succeed without requiring an addition to the CHANGELOG)

codecov Bot commented Apr 16, 2026

Codecov Report

❌ Patch coverage is 91.11111% with 8 lines in your changes missing coverage. Please review.
✅ Project coverage is 83.3%. Comparing base (15d661a) to head (1adbd9a).
⚠️ Report is 1 commits behind head on main.

Files with missing lines | Patch % | Lines
otelconf/internal/testtls/testtls.go | 91.1% | 4 Missing and 4 partials ⚠️
Additional details and impacted files

@@          Coverage Diff          @@
##            main   #8835   +/-   ##
=====================================
  Coverage   83.3%   83.3%           
=====================================
  Files        192     193    +1     
  Lines      15736   15826   +90     
=====================================
+ Hits       13111   13191   +80     
- Misses      2147    2152    +5     
- Partials     478     483    +5     
Files with missing lines | Coverage Δ
otelconf/internal/testtls/testtls.go | 91.1% <91.1%> (ø)

... and 1 file with indirect coverage changes

MrAlias force-pushed the fix-CI-expired-test-certs branch from 095a95a to 62b7ee5, April 16, 2026 21:09
MrAlias marked this pull request as ready for review April 16, 2026 21:12
MrAlias requested review from a team and pellared as code owners April 16, 2026 21:12
Copilot AI review requested due to automatic review settings April 16, 2026 21:12
github-actions Bot requested a review from codeboten April 16, 2026 21:12

Copilot AI (Contributor) left a comment

Pull request overview

This PR fixes CI failures caused by expired otelconf TLS test fixtures by switching the gRPC exporter TLS/mTLS tests to use runtime-generated certificates written under t.TempDir().

Changes:

  • Added otelconf/internal/testtls helper to generate CA/server/client certificates and keys at test runtime.
  • Updated gRPC log/metric/trace exporter TLS tests in otelconf, otelconf/x, and otelconf/v0.3.0 to use generated cert paths instead of static testdata PEMs.
  • Added unit tests for the new testtls.Write helper to validate the generated materials.

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated no comments.

Summary per file:

File | Description
otelconf/internal/testtls/testtls.go | New helper to generate and write CA/server/client cert/key files under t.TempDir() for TLS and mTLS tests.
otelconf/internal/testtls/testtls_test.go | Tests that the generated certs/keys load and verify correctly (SAN/EKU/chain).
otelconf/log_test.go | Swaps gRPC exporter TLS/mTLS test fixture paths to runtime-generated cert material.
otelconf/metric_test.go | Swaps gRPC exporter TLS/mTLS test fixture paths to runtime-generated cert material.
otelconf/trace_test.go | Swaps gRPC exporter TLS/mTLS test fixture paths to runtime-generated cert material.
otelconf/x/log_test.go | Same TLS fixture replacement for the x/ variant tests.
otelconf/x/metric_test.go | Same TLS fixture replacement for the x/ variant tests.
otelconf/x/trace_test.go | Same TLS fixture replacement for the x/ variant tests.
otelconf/v0.3.0/log_test.go | Same TLS fixture replacement for the v0.3.0 gRPC exporter tests (uses Certificate fields).
otelconf/v0.3.0/metric_test.go | Same TLS fixture replacement for the v0.3.0 gRPC exporter tests (uses Certificate fields).
otelconf/v0.3.0/trace_test.go | Same TLS fixture replacement for the v0.3.0 gRPC exporter tests (uses Certificate fields).

dmathieu (Member) commented

It seems config_test still references those certificates. How about using the helper for them as well?
https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/otelconf/config_test.go#L458-L460

Then we could remove the expired certs from the repo.

MrAlias (Contributor, Author) commented Apr 17, 2026

> It seems config_test still references those certificates. How about using the helper for them as well? https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/otelconf/config_test.go#L458-L460
>
> Then we could remove the expired certs from the repo.

Those tests only read the CA cert into a root pool; they do not perform the server/client handshake paths that are failing CI.

If you want, I can look into updating all other places that reference the testdata/*.crt. It's going to expand the PR scope a bit though.

dashpole (Contributor) commented

I'm ok with the current scope to get tests fixed.

pellared (Member) left a comment

Let's merge it and address the comment in a separate PR.

pellared merged commit b5d6715 into open-telemetry:main Apr 17, 2026
30 checks passed
MrAlias deleted the fix-CI-expired-test-certs branch April 17, 2026 16:16
pellared added this to the v1.44.0 milestone May 27, 2026