From 28ce4df3eaa8b26b4ab1ccbe0c75de6be5a34387 Mon Sep 17 00:00:00 2001
From: Alex Craig
Date: Wed, 21 Feb 2024 09:08:21 -0800
Subject: [PATCH] [telemetrygen] Fix case where root CAs should inherit from host environment (#31250)
**Description:** Adding TLS configuration to telemetrygen made it so that providing root CA information is mandatory. This is for the case when you are generating CAs and using them to sign certificates. In the case where the CA that signed the certificate is a known trusted CA, we shouldn't have to provide its CA certificate. This PR fixes this problem by allowing the code to pull its CA pool from the host environment when CAs are not explicitly supplied. **Link to tracking Issue:** [github.com/open-telemetry/opentelemetry-collector-contrib/issues/31191](https://github.com/open-telemetry/opentelemetry-collector-contrib/issues/31191) **Testing:** Generate metrics, logs, traces against http and grpc endpoints with legitimate certificates **Documentation:**
---
.chloggen/dev_fix-broken-root-ca.yaml | 27 +++++++++++++++++++
cmd/telemetrygen/internal/common/tls_utils.go | 22 +++++++++++----
2 files changed, 44 insertions(+), 5 deletions(-)
create mode 100755 .chloggen/dev_fix-broken-root-ca.yaml
diff --git a/.chloggen/dev_fix-broken-root-ca.yaml b/.chloggen/dev_fix-broken-root-ca.yaml
new file mode 100755
index 0000000000000..c56e66d3cff8c
--- /dev/null
+++ b/.chloggen/dev_fix-broken-root-ca.yaml
@@ -0,0 +1,27 @@
+# Use this changelog template to create an entry for release notes.
+
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: bug_fix
+
+# The name of the component, or a single word describing the area of concern, (e.g. filelogreceiver)
+component: cmd/telemetrygen
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Inherit root CAs from the host environment if not supplied on the command line.
+
+# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists.
+issues: [31191]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
+
+# If your change doesn't affect end users or the exported elements of any package,
+# you should instead start your pull request title with [chore] or use the "Skip Changelog" label.
+# Optional: The change log or logs in which this entry should be included.
+# e.g. '[user]' or '[user, api]'
+# Include 'user' if the change is relevant to end users.
+# Include 'api' if there is a change to a library API.
+# Default: '[user]'
+change_logs: []
diff --git a/cmd/telemetrygen/internal/common/tls_utils.go b/cmd/telemetrygen/internal/common/tls_utils.go
index d9678079a1884..286d7345adc1a 100644
--- a/cmd/telemetrygen/internal/common/tls_utils.go
+++ b/cmd/telemetrygen/internal/common/tls_utils.go
@@ -35,9 +35,15 @@ func GetTLSCredentialsForGRPCExporter(caFile string, cAuth ClientAuth) (credenti
 return nil, err
 }
 
- creds := credentials.NewTLS(&tls.Config{
- RootCAs: pool,
- })
+ var creds credentials.TransportCredentials
+
+ if caFile != "" {
+ creds = credentials.NewTLS(&tls.Config{
+ RootCAs: pool,
+ })
+ } else {
+ creds = credentials.NewTLS(&tls.Config{})
+ }
 
 // Configuration for mTLS
 if cAuth.Enabled {
@@ -60,8 +66,14 @@ func GetTLSCredentialsForHTTPExporter(caFile string, cAuth ClientAuth) (*tls.Con
 return nil, err
 }
 
- tlsCfg := tls.Config{
- RootCAs: pool,
+ var tlsCfg tls.Config
+
+ if caFile != "" {
+ tlsCfg = tls.Config{
+ RootCAs: pool,
+ }
+ } else {
+ tlsCfg = tls.Config{}
 }
 
 // Configuration for mTLS
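Review bot: The `if caFile != "" { … } else { … }` block in GetTLSCredentialsForGRPCExporter duplicates the whole credentials construction when the two branches differ only in whether RootCAs is set, and the mechanism the fix relies on — a nil RootCAs makes crypto/tls verify against the host's root CA set — is stated nowhere, so a reader cannot tell from the code that server verification stays enabled in the else branch. Collapse it to `cfg := &tls.Config{}` / `if caFile != "" { cfg.RootCAs = pool } // nil RootCAs: crypto/tls verifies against the host root set` / `creds := credentials.NewTLS(cfg)`; the same applies to the tlsCfg block in the second hunk in GetTLSCredentialsForHTTPExporter. When caFile is empty the `pool` built above the hunk is now simply unused, and whether that earlier load should be skipped in that case cannot be judged from the hunk. Both functions start before their hunks and continue after them.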