Merged

21 commits
a174175
Add TLS and proxy settings to connection settings
michel-laterman Oct 15, 2024
7849fe0
Change status to Development
michel-laterman Oct 16, 2024
15fdbc0
Only add TLSSettings with this PR
michel-laterman Oct 22, 2024
41ad8fb
Clarify ca attribute names, add ca trust on use to spec
michel-laterman Oct 23, 2024
05f2846
linter fix
michel-laterman Oct 23, 2024
2b15b10
Remove ca_file_path
michel-laterman Nov 18, 2024
bc3845c
reword ca connection settings flow
michel-laterman Jan 11, 2025
e8c6c76
Add downloading state and download_details to PackageStatus (#206)
michel-laterman Oct 23, 2024
df8b65c
Add message about available components to AgentDetails (#201)
BinaryFissionGames Oct 31, 2024
1fd13b4
Add guidelines for making new capability proposals (#207)
tigrannajaryan Nov 27, 2024
bc5eb2d
Prepare CHANGELOG.md for v0.11.0 release (#208)
tigrannajaryan Jan 6, 2025
40329c1
Add SettingsRequest message
michel-laterman Apr 2, 2025
349fa55
Merge branch 'main' into feat/tls-proxy-connection-settings
michel-laterman Apr 2, 2025
1af8ba5
Add SettingsRequest message to toc
michel-laterman Apr 2, 2025
3500ba3
Fix dead spec link
michel-laterman Apr 2, 2025
09377dd
Remove insecure attribute from TLS settings
michel-laterman Apr 16, 2025
3946b01
Merge branch 'main' into feat/tls-proxy-connection-settings
michel-laterman Apr 16, 2025
ab67942
Add purpose of CA trust flow
michel-laterman Apr 21, 2025
4d86017
Review suggestions
michel-laterman Apr 30, 2025
0f7ceb9
CA trust flow
michel-laterman Apr 30, 2025
a2918c7
Make what to do if TLSConnectionSettings is not present explicit
michel-laterman Apr 30, 2025
36 changes: 36 additions & 0 deletions proto/opamp.proto
Expand Up @@ -323,6 +323,10 @@ message OpAMPConnectionSettings {
// If this field has no value or is set to 0, the Agent should not send any heartbeats.
// Status: [Development]
uint64 heartbeat_interval_seconds = 4;

// Optional connection specific TLS settings.
// Status: [Development]
TLSConnectionSettings tls = 5;
}

// The TelemetryConnectionSettings message is a collection of fields which comprise an
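Review bot: the comment on the new `tls` field (`// Optional connection specific TLS settings.`) does not say what the Agent does when the field is unset; the specification.md text in this PR does ("the client SHOULD use the agent's default TLS settings for the connection"), so the proto comment should carry that sentence too. The same applies to the identical fields added below to TelemetryConnectionSettings and OtherConnectionSettings.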
Expand All @@ -349,6 +353,10 @@ message TelemetryConnectionSettings {
// This field is optional: if omitted the client SHOULD NOT use a client-side certificate.
// This field can be used to perform a client certificate revocation/rotation.
TLSCertificate certificate = 3;

// Optional connection specific TLS settings.
// Status: [Development]
TLSConnectionSettings tls = 4;
}

// The OtherConnectionSettings message is a collection of fields which comprise an
Expand Down Expand Up @@ -394,6 +402,34 @@ message OtherConnectionSettings {
// Other connection settings. These are Agent-specific and are up to the Agent
// interpret.
map<string, string> other_settings = 4;

// Optional connection specific TLS settings.
// Status: [Development]
TLSConnectionSettings tls = 5;
}


// TLSConnectionSettings are optional connection settings that can be passed to
// the client in order to specify TLS configuration.
// Status: [Development]
message TLSConnectionSettings {
// Provides CA cert contents as a string.
string ca_pem_contents = 1;

// Load system CA pool alongside any passed CAs.
bool include_system_ca_certs_pool = 2;

// skip certificate verification.
bool insecure_skip_verify = 3;

// Miniumum accepted TLS version; default "1.2".
string min_version = 4;

// Maxiumum accepted TLS version; default "".
string max_version = 5;

// Explicit list of cipher suites.
repeated string cipher_suites = 6;
}

// Status: [Beta]
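Review bot: the new TLSConnectionSettings fields need defined value spaces before two implementations can agree on them: `min_version` and `max_version` give defaults of "1.2" and "" without listing the accepted strings or saying what "" means for the maximum (no upper bound?), and `cipher_suites` does not say which naming scheme the strings use (IANA names or another). `insecure_skip_verify` is still in this diff although commit 09377dd is titled "Remove insecure attribute from TLS settings"; if the field stays, its comment should say plainly that it disables server certificate verification for that connection and whether an Agent may refuse to honour it. Also fix the typos "Miniumum" and "Maxiumum".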
47 changes: 46 additions & 1 deletion specification.md
Expand Up @@ -114,15 +114,19 @@ Status: [Beta]
- [OpAMPConnectionSettings.headers](#opampconnectionsettingsheaders)
- [OpAMPConnectionSettings.certificate](#opampconnectionsettingscertificate)
- [OpAMPConnectionSettings.heartbeat_interval_seconds](#opampconnectionsettingsheartbeat_interval_seconds)
- [OpAMPConnectionSettings.tls](#opampconnectionsettingstls)
+ [TelemetryConnectionSettings](#telemetryconnectionsettings)
- [TelemetryConnectionSettings.destination_endpoint](#telemetryconnectionsettingsdestination_endpoint)
- [TelemetryConnectionSettings.headers](#telemetryconnectionsettingsheaders)
- [TelemetryConnectionSettings.certificate](#telemetryconnectionsettingscertificate)
- [TelemetryConnectionSettings.tls](#telemetryconnectionsettingstls)
+ [OtherConnectionSettings](#otherconnectionsettings)
- [OtherConnectionSettings.destination_endpoint](#otherconnectionsettingsdestination_endpoint)
- [OtherConnectionSettings.headers](#otherconnectionsettingsheaders)
- [OtherConnectionSettings.certificate](#otherconnectionsettingscertificate)
- [OtherConnectionSettings.other_settings](#otherconnectionsettingsother_settings)
- [OtherConnectionSettings.tls](#otherconnectionsettingstls)
+ [TLSConnectionSettings Message](#tlsconnectionsettings-message)
+ [Headers Message](#headers-message)
+ [TLSCertificate Message](#tlscertificate-message)
- [TLSCertificate.cert](#tlscertificatecert)
Expand Down Expand Up @@ -1904,6 +1908,7 @@ message OpAMPConnectionSettings {
Headers headers = 2;
TLSCertificate certificate = 3;
uint64 heartbeat_interval_seconds = 4;
TLSConnectionSettings tls = 5;
}
```

Expand Down Expand Up @@ -1979,6 +1984,12 @@ The flow for negotiating a heartbeat is described as so:

The Agent can decide not to send heartbeats by not setting the ReportsHeartbeat capability. The Server can decide to not receive heartbeats by responding with a value of `0` seconds in the OpAMPConnectionSettings.heartbeat_interval_seconds field.

##### OpAMPConnectionSettings.tls

Status: [Development]

Optional OpAMP specific TLS settings.

#### TelemetryConnectionSettings

The TelemetryConnectionSettings message is a collection of fields which comprise an
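Review bot: the new `OpAMPConnectionSettings.tls` subsection is a single line ("Optional OpAMP specific TLS settings.") that neither points the reader to the TLSConnectionSettings Message section nor repeats that an absent field means the Agent's default TLS settings apply; both belong here, and likewise in the matching one-line subsections added for `TelemetryConnectionSettings.tls` and `OtherConnectionSettings.tls`.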
Expand All @@ -1990,6 +2001,7 @@ message TelemetryConnectionSettings {
string destination_endpoint = 1;
Headers headers = 2;
TLSCertificate certificate = 3;
TLSConnectionSettings tls = 4;
}
```

Expand All @@ -2016,6 +2028,12 @@ for this connection.
This field is optional: if omitted the client SHOULD NOT use a client-side certificate.
This field can be used to perform a client certificate revocation/rotation.

##### TelemetryConnectionSettings.tls

Status: [Development]

Optional telemetry specific TLS settings.

#### OtherConnectionSettings

The OtherConnectionSettings message is a collection of fields which comprise an
Expand Down Expand Up @@ -2045,6 +2063,7 @@ message OtherConnectionSettings {
Headers headers = 2;
TLSCertificate certificate = 3;
map<string, string> other_settings = 4;
TLSConnectionSettings tls = 5;
}
```

Expand Down Expand Up @@ -2074,9 +2093,35 @@ This field can be used to perform a client certificate revocation/rotation.
Other connection settings. These are Agent-specific and are up to the Agent
interpret.

#### Headers Message
##### OtherConnectionSettings.tls

Status: [Development]

Optional connection specific TLS settings.

#### TLSConnectionSettings Message

Status: [Development]

The message carries optional TLS settings that are used to configure a client's
connection. If the Agent is able to validate the connection settings, the Agent
SHOULD forget any previous TLS settings. If this message is not included, the
client SHOULD use the agent's default TLS settings for the connection.
Comment on lines +2106 to +2109
Contributor Author
@tigrannajaryan @andykellr, I've added a description on how TLS settings should function, and have changed the demo (open-telemetry/opamp-go#338) to reflect this.

The goal is that when TLSConnectionSettings is present, it can form the TLS config (excluding client certificate).
If no TLS settings are sent with a connection offering, the agent's defaults should be used.


```protobuf
message TLSConnectionSettings {
string ca_pem_contents = 1;
bool include_system_ca_certs_pool = 2;
bool insecure_skip_verify = 3;
string min_version = 4;
string max_version = 5;
repeated string cipher_suites = 6;
}
```

#### Headers Message

```protobuf
message Headers {
repeated Header headers = 1;
}
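Review bot: the TLSConnectionSettings Message section says previous TLS settings are forgotten "If the Agent is able to validate the connection settings" without saying what validation means for these settings (that `ca_pem_contents` parses, or that a connection actually succeeds with them), and, unlike the other messages in this file, it has no per-field subsections, so the defaults stated only in the proto comments (min_version "1.2") and the effect of `insecure_skip_verify` appear nowhere in the specification. The paragraph also alternates between "the Agent" and "the client" for the same party; the rest of the file uses Agent.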
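As an added example (not opamp-go's or the specification's own code) of the behaviour described in the comment above, this Go function turns an offered TLSConnectionSettings into a crypto/tls config and returns nil when the message is absent so the Agent's defaults stay in force. The struct is a hand-written mirror of the proto message with cipher_suites left out; the accepted "1.2"/"1.3" strings and the rejection of unparsable PEM are this example's choices, not requirements stated in the PR.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
)
// Mirrors this PR's TLSConnectionSettings proto message (hand-written so the
// example compiles without the generated opamp package; cipher_suites omitted).
type TLSConnectionSettings struct {
	CaPemContents                                string
	IncludeSystemCaCertsPool, InsecureSkipVerify bool
	MinVersion, MaxVersion                       string
}
// String forms accepted for min_version/max_version (example's choice); "" means "not set".
var tlsVersions = map[string]uint16{"": 0, "1.2": tls.VersionTLS12, "1.3": tls.VersionTLS13}
// BuildTLSConfig derives a *tls.Config from the offered settings. A nil message returns
// nil so the caller keeps the Agent's default TLS configuration, as the spec text in
// this PR requires; the client certificate (TLSCertificate) is applied elsewhere.
func BuildTLSConfig(s *TLSConnectionSettings) (*tls.Config, error) {
	if s == nil {
		return nil, nil
	}
	minV, okMin := tlsVersions[s.MinVersion]
	maxV, okMax := tlsVersions[s.MaxVersion]
	if !okMin || !okMax {
		return nil, fmt.Errorf("unsupported TLS version min=%q max=%q", s.MinVersion, s.MaxVersion)
	}
	if minV == 0 {
		minV = tls.VersionTLS12 // proto comment: default "1.2"; max "" leaves no upper bound
	}
	cfg := &tls.Config{MinVersion: minV, MaxVersion: maxV, InsecureSkipVerify: s.InsecureSkipVerify}
	// Trust roots: system pool and/or the offered PEM bundle. Leaving RootCAs nil
	// means crypto/tls uses the host roots, i.e. the Agent's default.
	if s.IncludeSystemCaCertsPool {
		pool, err := x509.SystemCertPool()
		if err != nil {
			return nil, fmt.Errorf("system CA pool: %w", err)
		}
		cfg.RootCAs = pool
	}
	if s.CaPemContents != "" {
		if cfg.RootCAs == nil {
			cfg.RootCAs = x509.NewCertPool() // offered CA(s) only, no system roots
		}
		if !cfg.RootCAs.AppendCertsFromPEM([]byte(s.CaPemContents)) {
			return nil, fmt.Errorf("ca_pem_contents holds no parsable certificate")
		}
	}
	return cfg, nil
}
```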