Skip to content

Add TLS settings to all connection settings #205

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 21 commits into from
May 6, 2025
Merged

Add TLS settings to all connection settings #205

merged 21 commits into from
May 6, 2025

Conversation

michel-laterman
Copy link
Contributor

@michel-laterman michel-laterman commented Oct 15, 2024
edited
Loading

Add new TLSConnectionSettings across all connection settings a server can offer.

@linux-foundation-easycla Linux Foundation: EasyCLA
Copy link

linux-foundation-easycla bot commented Oct 15, 2024
edited
Loading

CLA Signed

The committers listed above are authorized under a signed CLA.

tigrannajaryan
tigrannajaryan reviewed Oct 16, 2024
View reviewed changes
Copy link
Member

@tigrannajaryan tigrannajaryan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the draft @michel-laterman

I left some comments, and I would like @andykellr to also review.

@michel-laterman michel-laterman force-pushed the feat/tls-proxy-connection-settings branch from e79ec75 to b8770b8 Compare October 16, 2024 16:20
@michel-laterman michel-laterman force-pushed the feat/tls-proxy-connection-settings branch from b8770b8 to 7849fe0 Compare October 16, 2024 16:21
tigrannajaryan
tigrannajaryan requested changes Oct 22, 2024
View reviewed changes
Copy link
Member

@tigrannajaryan tigrannajaryan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would advise to break this down into 2 PRs: one that adds TLSConnectionSettings, the other that adds ProxyConnectionSettings.

If there are known uses cases for other_settings that should likely be the 3rd PR where we can discuss it.

@michel-laterman michel-laterman changed the title Add other_settings, TLS, and proxy settings to connection settings Add TLS settings to all connection settings Oct 22, 2024
@michel-laterman
Copy link
Contributor Author

I'll recreate the ProxySettings in another pr

tigrannajaryan
tigrannajaryan reviewed Oct 23, 2024
View reviewed changes
@michel-laterman michel-laterman force-pushed the feat/tls-proxy-connection-settings branch from fed1177 to 05f2846 Compare October 23, 2024 19:39
tigrannajaryan
tigrannajaryan reviewed Oct 31, 2024
View reviewed changes
@tigrannajaryan
Copy link
Member

@michel-laterman we had a discussion with other OpAMP approvers/maintainers and decided to follow the Otel spec's requirements for making new proposals, namely to ask for prototypes that demonstrate the new capabilities. We will be formalizing the requirements in this PR: #207

I think it is important for this particular proposal to show how the TLS settings will be used. It is not a trivial change, so a working code would help understand it better.

@michel-laterman michel-laterman mentioned this pull request Jan 9, 2025
Merged
@michel-laterman
Copy link
Contributor Author

@tigrannajaryan, I have a WIP demo for offering the TLS settings: open-telemetry/opamp-go#338

I have yet to add a demo for Agent-initiated CA trust Flow.

michel-laterman
michel-laterman commented Jan 11, 2025
View reviewed changes
@michel-laterman
Copy link
Contributor Author

To give a rough recap on my question about initial CA distribution during today's opamp sig meeting.

The current spec as written uses an implicit workflow where the client will connect with InsecureSkipVerify: true and the server will send offer connection settings to a new agent in response to the initial connection.
My demo implementation: open-telemetry/opamp-go#338 does this if both the client and server are started with special flags (-await-ca/-send-ca)

The idea I have for changing this is to make it explicit behaviour. We add a new attribute to OpAMPConnectionSettingsRequest (called something like ConnectionSettingsRequest) that a client can use to demand ConnectionSettingsOffers from the server.
With this approach, in order to trigger the setting being sent, the client would be started with a new flag (i.e., -request-connection-settings), and would connect to the opamp server with InsecureSkipVerify: true initially, but include OpAMPConnectionSettingsRequest.ConnectionSettingsRequest in the first message sent to the server

michel-laterman and others added 4 commits April 1, 2025 15:04
@michel-laterman
Add downloading state and download_details to PackageStatus (open-tel…
e8c6c76 
…emetry#206)

Add a separate `Downloading` `PackageStatusEnum` so an agent can use a distinguish between downloading and installing a new package.
Add a `download_details` attribute that may optionally be used with the new `Downloading` status to give a user additional details about the package download: download rate, and percentage download.

- Closes open-telemetry#204
@BinaryFissionGames @michel-laterman
Add message about available components to AgentDetails (open-telemetr…
df8b65c 
…y#201)

This PR adds a new ComponentDetails type that allows agents to communicate metadata relating to the components available in the agent.
@tigrannajaryan @michel-laterman
Add guidelines for making new capability proposals (open-telemetry#207)
1fd13b4 
As discussed with OpAMP approvers/maintainers this
adds the requirement to have working prototypes for
specification proposals.
@tigrannajaryan @michel-laterman
Prepare CHANGELOG.md for v0.11.0 release (open-telemetry#208)
bc5eb2d
@michel-laterman michel-laterman force-pushed the feat/tls-proxy-connection-settings branch from 8d2b26c to 1af8ba5 Compare April 2, 2025 19:15
@michel-laterman
Copy link
Contributor Author

I went ahead and made the intial CA distribution require a explicit signal from a client.
I have already added to my demo: open-telemetry/opamp-go#338
I'm going to mark this as ready for review

@michel-laterman michel-laterman marked this pull request as ready for review April 2, 2025 21:45
@michel-laterman michel-laterman requested a review from a team as a code owner April 2, 2025 21:45
andykellr
andykellr reviewed Apr 29, 2025
View reviewed changes
@andykellr
Copy link
Contributor

Can you describe the use of the hash? It isn't used in the example implementation. When would the client request settings again? Also is the hash stored somewhere on the client?

The example implementation in opamp-go uses a sync.Once called requestConnectionSettingsOnce to ensure that there is only one request for the connection settings. If we only expect this to happen once then it should probably be stated in the spec. Regarding that implementation, I think there could be a case where the connection is dropped or the server fails to respond (could send 503 Service Unavailable) and the client will not attempt to request the settings again because the Once will have completed. I think the spec should be more clear about the circumstances under which the client will/should send a SettingsRequest.

tigrannajaryan
tigrannajaryan reviewed Apr 29, 2025
View reviewed changes
specification.md Outdated
The `opamp` field is set to indicate a request for OpAMP connection settings.
If this field is unset then the ConnectionSettingsRequest message is empty and is
not actionable for the Server.
The `settings_request` field is set to indicate a request for all offered
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"for all" or specifically "for TLSConnectionSettings"? What does "all" mean in this context?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All settings for OpAMP connection (this may include the hosts, and things like the heartbeat)

@michel-laterman
Copy link
Contributor Author

Can you describe the use of the hash? It isn't used in the example implementation. When would the client request settings again? Also is the hash stored somewhere on the client?

@andykellr hash for this is meant to match ConnectionSettingsOffers.hash there's references to it in opamp-go, but I don't think it's used at the moment.

The example implementation in opamp-go uses a sync.Once called requestConnectionSettingsOnce to ensure that there is only one request for the connection settings. If we only expect this to happen once then it should probably be stated in the spec. Regarding that implementation, I think there could be a case where the connection is dropped or the server fails to respond (could send 503 Service Unavailable) and the client will not attempt to request the settings again because the Once will have completed. I think the spec should be more clear about the circumstances under which the client will/should send a SettingsRequest.

Good point, I'll remove the use of Once and leave it purely up to the client

tigrannajaryan
tigrannajaryan reviewed Apr 30, 2025
View reviewed changes
@michel-laterman
Copy link
Contributor Author

Notes from the SIG meeting, we're splitting this PR into:

  • add TLSSettings to offered connections (also add a description on what the settings are intended for)
  • add a report offered config message that mirrors remoteconfigsettings; the status enum used by remoteconfig status will be made more generic and reused between the both
  • add the CA initial trust workflow

michel-laterman
michel-laterman commented Apr 30, 2025
View reviewed changes
specification.md
Comment on lines +2106 to +2109
The message carries optional TLS settings that are used to configure a client's
connection. If the Agent is able to validate the connection settings, the Agent
SHOULD forget any previous TLS settings. If this message is not included, the
client SHOULD use the agent's default TLS settings for the connection.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@tigrannajaryan @andykellr, I've added a description on how TLS settings should function, and have changed the demo (open-telemetry/opamp-go#338) to reflect this.

The goal is that when TLSConnectionSettings is present, it can form the TLS config (excluding client certificate).
If no TLS settings are sent with a connection offering, the agent's defaults should be used.

andykellr
andykellr approved these changes May 2, 2025
View reviewed changes
Copy link
Contributor

@andykellr andykellr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll let @tigrannajaryan merge when he has a chance to review.

@tigrannajaryan tigrannajaryan merged commit 5d6c717 into open-telemetry:main May 6, 2025
5 checks passed
@tigrannajaryan
Copy link
Member

Thanks for you patience @michel-laterman

@michel-laterman michel-laterman deleted the feat/tls-proxy-connection-settings branch May 6, 2025 20:00
@michel-laterman michel-laterman mentioned this pull request Aug 20, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andykellr andykellr andykellr approved these changes

@tigrannajaryan tigrannajaryan tigrannajaryan approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@michel-laterman @tigrannajaryan @andykellr @BinaryFissionGames