[cmd/opampsupervisor] Conditionally use TLS config (#35363)
**Description:** <Describe what has changed.>
<!--Ex. Fixing a bug - Describe the bug and how this fixes the issue.
Ex. Adding a feature - Explain what this achieves.-->
Fixes an issue where TLS would be used despite the opamp server using
`ws` or `http` protocols.

Before, a TLS config would always get created, causing the connection to
always use TLS settings. This change first checks which protocol we're
using before creating a TLS config.

**Link to tracking Issue:** <Issue number if applicable> Fixes #35283 

**Testing:** <Describe what testing was performed and which tests were
added.>
Removed `tls.insecure_skip_verify: true` from e2e test configs which
were using `ws` protocol since they are no longer needed.

**Documentation:** <Describe the documentation added.>
dpaasman00 authored Oct 2, 2024
1 parent 52f731e commit 2e0d4d6
Showing 8 changed files with 39 additions and 14 deletions.
27 changes: 27 additions & 0 deletions .chloggen/fix-opampsupervisor-tls-settings.yaml
@@ -0,0 +1,27 @@
# Use this changelog template to create an entry for release notes.

# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
change_type: bug_fix

# The name of the component, or a single word describing the area of concern, (e.g. filelogreceiver)
component: opampsupervisor

# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
note: Only use TLS config when connecting to OpAMP server if using `wss` or `https` protocols.

# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists.
issues: [35283]

# (Optional) One or more lines of additional information to render under the primary note.
# These lines will be padded with 2 spaces and then inserted directly into the document.
# Use pipe (|) for multiline entries.
subtext:

# If your change doesn't affect end users or the exported elements of any package,
# you should instead start your pull request title with [chore] or use the "Skip Changelog" label.
# Optional: The change log or logs in which this entry should be included.
# e.g. '[user]' or '[user, api]'
# Include 'user' if the change is relevant to end users.
# Include 'api' if there is a change to a library API.
# Default: '[user]'
change_logs: []
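Review bot: `subtext:` is left empty, but the `note:` line describes a behaviour change for anyone who has a `tls:` block alongside a `ws` or `http` endpoint: per the commit message, those settings were applied before and are now ignored. Suggest one subtext line saying that TLS settings have no effect unless the endpoint scheme is `wss` or `https`, so operators who relied on the `tls:` block know they need to change the endpoint.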
14 changes: 12 additions & 2 deletions cmd/opampsupervisor/supervisor/supervisor.go
Expand Up @@ -6,11 +6,13 @@ package supervisor
import (
"bytes"
"context"
"crypto/tls"
_ "embed"
"errors"
"fmt"
"net"
"net/http"
"net/url"
"os"
"path/filepath"
"sort"
Expand Down Expand Up @@ -366,9 +368,17 @@ func (s *Supervisor) startOpAMP() error {
func (s *Supervisor) startOpAMPClient() error {
s.opampClient = client.NewWebSocket(newLoggerFromZap(s.logger))

tlsConfig, err := s.config.Server.TLSSetting.LoadTLSConfig(context.Background())
// determine if we need to load a TLS config or not
var tlsConfig *tls.Config
parsedURL, err := url.Parse(s.config.Server.Endpoint)
if err != nil {
return err
return fmt.Errorf("parse server endpoint: %w", err)
}
if parsedURL.Scheme == "wss" || parsedURL.Scheme == "https" {
tlsConfig, err = s.config.Server.TLSSetting.LoadTLSConfig(context.Background())
if err != nil {
return err
}
}

s.logger.Debug("Connecting to OpAMP server...", zap.String("endpoint", s.config.Server.Endpoint), zap.Any("headers", s.config.Server.Headers))
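Review bot: the check `parsedURL.Scheme == "wss" || parsedURL.Scheme == "https"` treats every other value as plaintext, so an endpoint with a missing or mistyped scheme leaves `tlsConfig` nil without an error or a log line. Suggest a switch that accepts `ws` and `http` explicitly and returns an error in the default case, plus a warning when TLS settings are configured but skipped because of the scheme. The inner `return err` after `LoadTLSConfig` is also unwrapped while the new parse error is wrapped with `fmt.Errorf`; wrapping both would keep the error messages consistent. The visible changes add no test that exercises either side of this branch directly.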
@@ -1,7 +1,5 @@
server:
endpoint: ws://{{.url}}/v1/opamp
tls:
insecure: true

capabilities:
reports_effective_config: true
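Review bot: the two lines dropped from this fixture are `tls:` and `insecure: true`, whereas the Testing section of the commit message names `tls.insecure_skip_verify: true`; the description should name the key that was actually removed. With the block removed from every `ws://` fixture in this commit, nothing covers the case where TLS settings are present but the endpoint is plaintext; keeping the block in one fixture would confirm the settings are ignored rather than applied.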
@@ -1,7 +1,5 @@
server:
endpoint: ws://{{.url}}/v1/opamp
tls:
insecure: true

capabilities:
reports_effective_config: true
2 changes: 0 additions & 2 deletions cmd/opampsupervisor/testdata/supervisor/supervisor_basic.yaml
@@ -1,7 +1,5 @@
server:
endpoint: ws://{{.url}}/v1/opamp
tls:
insecure: true

capabilities:
reports_effective_config: true
@@ -1,7 +1,5 @@
server:
endpoint: ws://{{.url}}/v1/opamp
tls:
insecure: true

capabilities:
reports_effective_config: true
2 changes: 0 additions & 2 deletions cmd/opampsupervisor/testdata/supervisor/supervisor_nocap.yaml
@@ -1,7 +1,5 @@
server:
endpoint: ws://{{.url}}/v1/opamp
tls:
insecure: true

capabilities:
reports_effective_config: false
@@ -1,7 +1,5 @@
server:
endpoint: ws://{{.url}}/v1/opamp
tls:
insecure: true

capabilities:
reports_effective_config: true