diff --git a/.chloggen/telemetrygen-insecureskipverify.yaml b/.chloggen/telemetrygen-insecureskipverify.yaml new file mode 100644 index 000000000000..a1debf677268 --- /dev/null +++ b/.chloggen/telemetrygen-insecureskipverify.yaml @@ -0,0 +1,27 @@ +# Use this changelog template to create an entry for release notes. + +# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix' +change_type: bug_fix + +# The name of the component, or a single word describing the area of concern, (e.g. filelogreceiver) +component: telemetrygen + +# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`). +note: Enable the `--otlp-insecure-skip-verify` flag + +# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists. +issues: [35735] + +# (Optional) One or more lines of additional information to render under the primary note. +# These lines will be padded with 2 spaces and then inserted directly into the document. +# Use pipe (|) for multiline entries. +subtext: + +# If your change doesn't affect end users or the exported elements of any package, +# you should instead start your pull request title with [chore] or use the "Skip Changelog" label. +# Optional: The change log or logs in which this entry should be included. +# e.g. '[user]' or '[user, api]' +# Include 'user' if the change is relevant to end users. +# Include 'api' if there is a change to a library API. +# Default: '[user]' +change_logs: [user] diff --git a/cmd/telemetrygen/go.mod b/cmd/telemetrygen/go.mod index 7181398c24d3..2dcf1cd100bf 100644 --- a/cmd/telemetrygen/go.mod +++ b/cmd/telemetrygen/go.mod @@ -23,6 +23,7 @@ require ( go.opentelemetry.io/otel/sdk/log v0.6.0 go.opentelemetry.io/otel/sdk/metric v1.30.0 go.opentelemetry.io/otel/trace v1.30.0 + go.opentelemetry.io/proto/otlp v1.3.1 go.uber.org/goleak v1.3.0 go.uber.org/zap v1.27.0 golang.org/x/time v0.7.0 @@ -45,7 +46,6 @@ require ( github.com/pmezard/go-difflib v1.0.0 // indirect go.opentelemetry.io/collector/config/configtelemetry v0.111.1-0.20241008154146-ea48c09c31ae // indirect go.opentelemetry.io/otel/metric v1.30.0 // indirect - go.opentelemetry.io/proto/otlp v1.3.1 // indirect go.uber.org/multierr v1.11.0 // indirect golang.org/x/net v0.29.0 // indirect golang.org/x/sys v0.25.0 // indirect diff --git a/cmd/telemetrygen/internal/common/tls_utils.go b/cmd/telemetrygen/internal/common/tls_utils.go index 286d7345adc1..6759541ec508 100644 --- a/cmd/telemetrygen/internal/common/tls_utils.go +++ b/cmd/telemetrygen/internal/common/tls_utils.go @@ -28,52 +28,37 @@ func caPool(caFile string) (*x509.CertPool, error) { return pool, nil } -func GetTLSCredentialsForGRPCExporter(caFile string, cAuth ClientAuth) (credentials.TransportCredentials, error) { - - pool, err := caPool(caFile) +func GetTLSCredentialsForGRPCExporter( + caFile string, + cAuth ClientAuth, + insecureSkipVerify bool, +) (credentials.TransportCredentials, error) { + tlsConfig, err := getTLSConfig(caFile, cAuth, insecureSkipVerify) if err != nil { return nil, err } + return credentials.NewTLS(tlsConfig), nil +} - var creds credentials.TransportCredentials - - if caFile != "" { - creds = credentials.NewTLS(&tls.Config{ - RootCAs: pool, - }) - } else { - creds = credentials.NewTLS(&tls.Config{}) - } - - // Configuration for mTLS - if cAuth.Enabled { - keypair, err := tls.LoadX509KeyPair(cAuth.ClientCertFile, cAuth.ClientKeyFile) - if err != nil { - return nil, err - } - creds = credentials.NewTLS(&tls.Config{ - RootCAs: pool, - Certificates: []tls.Certificate{keypair}, - }) - } - - return creds, nil +func GetTLSCredentialsForHTTPExporter( + caFile string, + cAuth ClientAuth, + insecureSkipVerify bool, +) (*tls.Config, error) { + return getTLSConfig(caFile, cAuth, insecureSkipVerify) } -func GetTLSCredentialsForHTTPExporter(caFile string, cAuth ClientAuth) (*tls.Config, error) { - pool, err := caPool(caFile) - if err != nil { - return nil, err +func getTLSConfig(caFile string, cAuth ClientAuth, insecureSkipVerify bool) (*tls.Config, error) { + tlsCfg := tls.Config{ + InsecureSkipVerify: insecureSkipVerify, } - var tlsCfg tls.Config - if caFile != "" { - tlsCfg = tls.Config{ - RootCAs: pool, + pool, err := caPool(caFile) + if err != nil { + return nil, err } - } else { - tlsCfg = tls.Config{} + tlsCfg.RootCAs = pool } // Configuration for mTLS @@ -82,7 +67,6 @@ func GetTLSCredentialsForHTTPExporter(caFile string, cAuth ClientAuth) (*tls.Con if err != nil { return nil, err } - tlsCfg.ClientAuth = tls.RequireAndVerifyClientCert tlsCfg.Certificates = []tls.Certificate{keypair} } return &tlsCfg, nil diff --git a/cmd/telemetrygen/internal/logs/exporter.go b/cmd/telemetrygen/internal/logs/exporter.go index 37df9ac9ac76..9543a45370cd 100644 --- a/cmd/telemetrygen/internal/logs/exporter.go +++ b/cmd/telemetrygen/internal/logs/exporter.go @@ -22,7 +22,9 @@ func grpcExporterOptions(cfg *Config) ([]otlploggrpc.Option, error) { if cfg.Insecure { grpcExpOpt = append(grpcExpOpt, otlploggrpc.WithInsecure()) } else { - credentials, err := common.GetTLSCredentialsForGRPCExporter(cfg.CaFile, cfg.ClientAuth) + credentials, err := common.GetTLSCredentialsForGRPCExporter( + cfg.CaFile, cfg.ClientAuth, cfg.InsecureSkipVerify, + ) if err != nil { return nil, fmt.Errorf("failed to get TLS credentials: %w", err) } @@ -47,7 +49,9 @@ func httpExporterOptions(cfg *Config) ([]otlploghttp.Option, error) { if cfg.Insecure { httpExpOpt = append(httpExpOpt, otlploghttp.WithInsecure()) } else { - tlsCfg, err := common.GetTLSCredentialsForHTTPExporter(cfg.CaFile, cfg.ClientAuth) + tlsCfg, err := common.GetTLSCredentialsForHTTPExporter( + cfg.CaFile, cfg.ClientAuth, cfg.InsecureSkipVerify, + ) if err != nil { return nil, fmt.Errorf("failed to get TLS credentials: %w", err) } diff --git a/cmd/telemetrygen/internal/metrics/exporter.go b/cmd/telemetrygen/internal/metrics/exporter.go index 1933c6aea73e..d8323ffbebd0 100644 --- a/cmd/telemetrygen/internal/metrics/exporter.go +++ b/cmd/telemetrygen/internal/metrics/exporter.go @@ -22,7 +22,9 @@ func grpcExporterOptions(cfg *Config) ([]otlpmetricgrpc.Option, error) { if cfg.Insecure { grpcExpOpt = append(grpcExpOpt, otlpmetricgrpc.WithInsecure()) } else { - credentials, err := common.GetTLSCredentialsForGRPCExporter(cfg.CaFile, cfg.ClientAuth) + credentials, err := common.GetTLSCredentialsForGRPCExporter( + cfg.CaFile, cfg.ClientAuth, cfg.InsecureSkipVerify, + ) if err != nil { return nil, fmt.Errorf("failed to get TLS credentials: %w", err) } @@ -47,7 +49,9 @@ func httpExporterOptions(cfg *Config) ([]otlpmetrichttp.Option, error) { if cfg.Insecure { httpExpOpt = append(httpExpOpt, otlpmetrichttp.WithInsecure()) } else { - tlsCfg, err := common.GetTLSCredentialsForHTTPExporter(cfg.CaFile, cfg.ClientAuth) + tlsCfg, err := common.GetTLSCredentialsForHTTPExporter( + cfg.CaFile, cfg.ClientAuth, cfg.InsecureSkipVerify, + ) if err != nil { return nil, fmt.Errorf("failed to get TLS credentials: %w", err) } diff --git a/cmd/telemetrygen/internal/traces/exporter.go b/cmd/telemetrygen/internal/traces/exporter.go index 8dfb3e51d502..4d75c36635c3 100644 --- a/cmd/telemetrygen/internal/traces/exporter.go +++ b/cmd/telemetrygen/internal/traces/exporter.go @@ -22,7 +22,9 @@ func grpcExporterOptions(cfg *Config) ([]otlptracegrpc.Option, error) { if cfg.Insecure { grpcExpOpt = append(grpcExpOpt, otlptracegrpc.WithInsecure()) } else { - credentials, err := common.GetTLSCredentialsForGRPCExporter(cfg.CaFile, cfg.ClientAuth) + credentials, err := common.GetTLSCredentialsForGRPCExporter( + cfg.CaFile, cfg.ClientAuth, cfg.InsecureSkipVerify, + ) if err != nil { return nil, fmt.Errorf("failed to get TLS credentials: %w", err) } @@ -47,7 +49,9 @@ func httpExporterOptions(cfg *Config) ([]otlptracehttp.Option, error) { if cfg.Insecure { httpExpOpt = append(httpExpOpt, otlptracehttp.WithInsecure()) } else { - tlsCfg, err := common.GetTLSCredentialsForHTTPExporter(cfg.CaFile, cfg.ClientAuth) + tlsCfg, err := common.GetTLSCredentialsForHTTPExporter( + cfg.CaFile, cfg.ClientAuth, cfg.InsecureSkipVerify, + ) if err != nil { return nil, fmt.Errorf("failed to get TLS credentials: %w", err) } diff --git a/cmd/telemetrygen/internal/traces/exporter_test.go b/cmd/telemetrygen/internal/traces/exporter_test.go new file mode 100644 index 000000000000..b8af7442c836 --- /dev/null +++ b/cmd/telemetrygen/internal/traces/exporter_test.go @@ -0,0 +1,137 @@ +// Copyright The OpenTelemetry Authors +// SPDX-License-Identifier: Apache-2.0 + +package traces + +import ( + "context" + "encoding/pem" + "net/http" + "net/http/httptest" + "net/url" + "os" + "path/filepath" + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp" + tracepb "go.opentelemetry.io/proto/otlp/trace/v1" + + "github.com/open-telemetry/opentelemetry-collector-contrib/cmd/telemetrygen/internal/common" +) + +func TestHTTPExporterOptions_TLS(t *testing.T) { + // TODO add test cases for mTLS + for name, tc := range map[string]struct { + tls bool + tlsServerCA bool // use the httptest.Server's TLS cert as the CA + cfg Config + + expectTransportError bool + }{ + "Insecure": { + tls: false, + cfg: Config{Config: common.Config{Insecure: true}}, + }, + "InsecureSkipVerify": { + tls: true, + cfg: Config{Config: common.Config{InsecureSkipVerify: true}}, + }, + "InsecureSkipVerifyDisabled": { + tls: true, + expectTransportError: true, + }, + "CaFile": { + tls: true, + tlsServerCA: true, + }, + } { + t.Run(name, func(t *testing.T) { + var called bool + var h http.HandlerFunc = func(http.ResponseWriter, *http.Request) { + called = true + } + var srv *httptest.Server + if tc.tls { + srv = httptest.NewTLSServer(h) + } else { + srv = httptest.NewServer(h) + } + defer srv.Close() + srvURL, _ := url.Parse(srv.URL) + + cfg := tc.cfg + cfg.CustomEndpoint = srvURL.Host + if tc.tlsServerCA { + caFile := filepath.Join(t.TempDir(), "cert.pem") + err := os.WriteFile(caFile, pem.EncodeToMemory(&pem.Block{ + Type: "CERTIFICATE", + Bytes: srv.TLS.Certificates[0].Certificate[0], + }), 0600) + require.NoError(t, err) + cfg.CaFile = caFile + } + + opts, err := httpExporterOptions(&cfg) + require.NoError(t, err) + client := otlptracehttp.NewClient(opts...) + + err = client.UploadTraces(context.Background(), []*tracepb.ResourceSpans{}) + if tc.expectTransportError { + require.Error(t, err) + assert.False(t, called) + } else { + require.NoError(t, err) + assert.True(t, called) + } + }) + } +} + +func TestHTTPExporterOptions_HTTP(t *testing.T) { + for name, tc := range map[string]struct { + cfg Config + + expectedHTTPPath string + expectedHeader http.Header + }{ + "HTTPPath": { + cfg: Config{Config: common.Config{HTTPPath: "/foo"}}, + expectedHTTPPath: "/foo", + }, + "Headers": { + cfg: Config{ + Config: common.Config{Headers: map[string]any{"a": "b"}}, + }, + expectedHTTPPath: "/v1/traces", + expectedHeader: http.Header{"a": []string{"b"}}, + }, + } { + t.Run(name, func(t *testing.T) { + var httpPath string + var header http.Header + var h http.HandlerFunc = func(_ http.ResponseWriter, r *http.Request) { + httpPath = r.URL.Path + header = r.Header + } + srv := httptest.NewServer(h) + defer srv.Close() + srvURL, _ := url.Parse(srv.URL) + + cfg := tc.cfg + cfg.Insecure = true + cfg.CustomEndpoint = srvURL.Host + opts, err := httpExporterOptions(&cfg) + require.NoError(t, err) + client := otlptracehttp.NewClient(opts...) + + err = client.UploadTraces(context.Background(), []*tracepb.ResourceSpans{}) + require.NoError(t, err) + assert.Equal(t, tc.expectedHTTPPath, httpPath) + for k, expected := range tc.expectedHeader { + assert.Equal(t, expected, []string{header.Get(k)}) + } + }) + } +}