Add TLS settings to all connection settings

[michel-laterman]

Add new TLSConnectionSettings across all connection settings a server can offer.

• Relates Proxy & TLS settings in OpAMPConnectionSettings, TelemetryConnectionSettings, and OtherConnectionSettings #203

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: michel-laterman / name: Michel Laterman (e8c6c76, a174175, 3946b01, 7849fe0, 2b15b10, 41ad8fb, 1af8ba5, 15fdbc0, bc3845c, 05f2846, 3500ba3, 0f7ceb9, a2918c7, 349fa55, 4d86017, ab67942, 40329c1, 09377dd)
• ✅ login: BinaryFissionGames / name: Brandon Johnson (df8b65c)
• ✅ login: tigrannajaryan / name: Tigran Najaryan (1fd13b4, bc5eb2d)

[tigrannajaryan]

Thanks for the draft @michel-laterman

I left some comments, and I would like @andykellr to also review.

[tigrannajaryan]

I would advise to break this down into 2 PRs: one that adds TLSConnectionSettings, the other that adds ProxyConnectionSettings.

If there are known uses cases for other_settings that should likely be the 3rd PR where we can discuss it.

[michel-laterman]

I'll recreate the ProxySettings in another pr

[tigrannajaryan]

@michel-laterman we had a discussion with other OpAMP approvers/maintainers and decided to follow the Otel spec's requirements for making new proposals, namely to ask for prototypes that demonstrate the new capabilities. We will be formalizing the requirements in this PR: #207

I think it is important for this particular proposal to show how the TLS settings will be used. It is not a trivial change, so a working code would help understand it better.

[michel-laterman]

@tigrannajaryan, I have a WIP demo for offering the TLS settings: open-telemetry/opamp-go#338

I have yet to add a demo for Agent-initiated CA trust Flow.

[michel-laterman]

To give a rough recap on my question about initial CA distribution during today's opamp sig meeting.

The current spec as written uses an implicit workflow where the client will connect with InsecureSkipVerify: true and the server will send offer connection settings to a new agent in response to the initial connection.
My demo implementation: open-telemetry/opamp-go#338 does this if both the client and server are started with special flags (-await-ca/-send-ca)

The idea I have for changing this is to make it explicit behaviour. We add a new attribute to OpAMPConnectionSettingsRequest (called something like ConnectionSettingsRequest) that a client can use to demand ConnectionSettingsOffers from the server.
With this approach, in order to trigger the setting being sent, the client would be started with a new flag (i.e., -request-connection-settings), and would connect to the opamp server with InsecureSkipVerify: true initially, but include OpAMPConnectionSettingsRequest.ConnectionSettingsRequest in the first message sent to the server

[michel-laterman]

I went ahead and made the intial CA distribution require a explicit signal from a client.
I have already added to my demo: open-telemetry/opamp-go#338
I'm going to mark this as ready for review

[andykellr]

Can you describe the use of the hash? It isn't used in the example implementation. When would the client request settings again? Also is the hash stored somewhere on the client?

The example implementation in opamp-go uses a sync.Once called requestConnectionSettingsOnce to ensure that there is only one request for the connection settings. If we only expect this to happen once then it should probably be stated in the spec. Regarding that implementation, I think there could be a case where the connection is dropped or the server fails to respond (could send 503 Service Unavailable) and the client will not attempt to request the settings again because the Once will have completed. I think the spec should be more clear about the circumstances under which the client will/should send a SettingsRequest.

[tigrannajaryan]

"for all" or specifically "for TLSConnectionSettings"? What does "all" mean in this context?

[michel-laterman]

All settings for OpAMP connection (this may include the hosts, and things like the heartbeat)

[michel-laterman]

Can you describe the use of the hash? It isn't used in the example implementation. When would the client request settings again? Also is the hash stored somewhere on the client?

@andykellr hash for this is meant to match ConnectionSettingsOffers.hash there's references to it in opamp-go, but I don't think it's used at the moment.

The example implementation in opamp-go uses a sync.Once called requestConnectionSettingsOnce to ensure that there is only one request for the connection settings. If we only expect this to happen once then it should probably be stated in the spec. Regarding that implementation, I think there could be a case where the connection is dropped or the server fails to respond (could send 503 Service Unavailable) and the client will not attempt to request the settings again because the Once will have completed. I think the spec should be more clear about the circumstances under which the client will/should send a SettingsRequest.

Good point, I'll remove the use of Once and leave it purely up to the client

[michel-laterman]

Notes from the SIG meeting, we're splitting this PR into:

• add TLSSettings to offered connections (also add a description on what the settings are intended for)
• add a report offered config message that mirrors remoteconfigsettings; the status enum used by remoteconfig status will be made more generic and reused between the both
• add the CA initial trust workflow

[michel-laterman]

@tigrannajaryan @andykellr, I've added a description on how TLS settings should function, and have changed the demo (open-telemetry/opamp-go#338) to reflect this.

The goal is that when TLSConnectionSettings is present, it can form the TLS config (excluding client certificate).
If no TLS settings are sent with a connection offering, the agent's defaults should be used.

[andykellr]

I'll let @tigrannajaryan merge when he has a chance to review.

[tigrannajaryan]

Thanks for you patience @michel-laterman