Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for the TLS registry to the OTEL extension #41002

Closed
cescoffier opened this issue Jun 6, 2024 · 2 comments · Fixed by #41048
Closed

Add support for the TLS registry to the OTEL extension #41002

cescoffier opened this issue Jun 6, 2024 · 2 comments · Fixed by #41048
Assignees
@geoand
Milestone
3.12.0.CR1

Comments

@cescoffier
Copy link
Member

Description

The OTEL extension has an internal HTTP client.
With the integrated TLS registry, it should be possible to configure TLS using the TLS registry instead of the specific OTEL configuration.

Implementation ideas

This is the code used for the mailer:

 private void configureTLS(String name, MailerRuntimeConfig config, TlsConfigurationRegistry tlsRegistry, MailConfig cfg,
            boolean globalTrustAll) {
        TlsConfiguration configuration = null;

        // Check if we have a named TLS configuration or a default configuration:
        if (config.tlsConfigurationName.isPresent()) {
            Optional<TlsConfiguration> maybeConfiguration = tlsRegistry.get(config.tlsConfigurationName.get());
            if (!maybeConfiguration.isPresent()) {
                throw new IllegalStateException("Unable to find the TLS configuration "
                        + config.tlsConfigurationName.get() + " for the mailer " + name + ".");
            }
            configuration = maybeConfiguration.get();
        } else if (tlsRegistry.getDefault().isPresent() && tlsRegistry.getDefault().get().isTlsEnabled()) {
            configuration = tlsRegistry.getDefault().get();
        }

       // Apply the configuration
        if (configuration != null) {
            // This part is often the same (or close) for every Vert.x client:
            cfg.setSsl(true);

            if (configuration.getTrustStoreOptions() != null) {
                cfg.setTrustOptions(configuration.getTrustStoreOptions());
            }

           // For mTLS:
            if (configuration.getKeyStoreOptions() != null) {
                cfg.setKeyCertOptions(configuration.getKeyStoreOptions());
            }

            if (configuration.isTrustAll()) {
                cfg.setTrustAll(true);
            }
            if (configuration.getHostnameVerificationAlgorithm().isPresent()) {
               // ACHTUNG HERE - this is protocol specific. The HTTP-based protocols should use HTTPS by default. 
                cfg.setHostnameVerificationAlgorithm(configuration.getHostnameVerificationAlgorithm().get());
            }

            SSLOptions sslOptions = configuration.getSSLOptions();
            if (sslOptions != null) {
                cfg.setSslHandshakeTimeout(sslOptions.getSslHandshakeTimeout());
                cfg.setSslHandshakeTimeoutUnit(sslOptions.getSslHandshakeTimeoutUnit());
                for (String suite : sslOptions.getEnabledCipherSuites()) {
                    cfg.addEnabledCipherSuite(suite);
                }
                for (Buffer buffer : sslOptions.getCrlValues()) {
                    cfg.addCrlValue(buffer);
                }
                cfg.setEnabledSecureTransportProtocols(sslOptions.getEnabledSecureTransportProtocols());

            }

        } else {
           // Mailer specific configuration (very incomplete as you can see:
            boolean trustAll = config.trustAll.isPresent() ? config.trustAll.get() : globalTrustAll;
            cfg.setSsl(config.ssl);
            cfg.setTrustAll(trustAll);
            applyTruststore(config, cfg);
        }
    }
@cescoffier cescoffier added area/housekeeping Issue type for generalized tasks not related to bugs or enhancements and removed area/housekeeping Issue type for generalized tasks not related to bugs or enhancements labels Jun 6, 2024
@geoand
Copy link
Contributor

geoand commented Jun 6, 2024

I'll take this one

@geoand geoand self-assigned this Jun 6, 2024
@geoand
Copy link
Contributor

geoand commented Jun 6, 2024

What I don't see currently is how we know if something has been configured for the default configuration. Asking because it's always resolvable so how do we know if we should choose it or not? Is that what the new isTlsEnabled flag in the mailer PR does?

@geoand geoand mentioned this issue Jun 7, 2024
Merged
geoand added a commit that referenced this issue Jun 7, 2024
@geoand
Merge pull request #41048 from geoand/#41002
f8b7bea 
Add TlsConfigurationRegistry to OTel
@quarkus-bot quarkus-bot bot added this to the 3.12 - main milestone Jun 7, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@geoand geoand

Labels
None yet
Projects
WG - Enhanced TLS support
Status: Done
Milestone
3.12.0.CR1
Development

Successfully merging a pull request may close this issue.

Add TlsConfigurationRegistry to OTel geoand/quarkus
2 participants
@cescoffier @geoand