[extension/opamp] TLS config loaded even for insecure schemes (ws/http) #39515

johannaojeling · 2025-04-21T14:19:02Z

Component(s)

extension/opamp

What happened?

Description

The OpAMP Agent Extension's OpAMP agent applies TLS settings even when the server::ws::endpoint/server::http::endpoint is set to a URL with ws/http scheme, resulting in the client being unable to connect to a server that uses an insecure protocol.

In the OpAMP Supervisor, a similar issue was addressed by loading the agent's TLS settings conditionally:

opentelemetry-collector-contrib/cmd/opampsupervisor/supervisor/supervisor.go

Lines 630 to 641 in 2d91302

    
           // determine if we need to load a TLS config or not 
        
           var tlsConfig *tls.Config 
        
           parsedURL, err := url.Parse(s.config.Server.Endpoint) 
        
           if err != nil { 
        
           	return fmt.Errorf("parse server endpoint: %w", err) 
        
           } 
        
           if parsedURL.Scheme == "wss" || parsedURL.Scheme == "https" { 
        
           	tlsConfig, err = s.config.Server.TLSSetting.LoadTLSConfig(context.Background()) 
        
           	if err != nil { 
        
           		return err 
        
           	} 
        
           }

A similar approach can be taken here.

Steps to Reproduce

Start an OpAMP server without TLS. If using the opamp-go example server, this can be done by replacing this line with:

_ = tlsConfig

Run the collector with the provided config from the OpenTelemetry Collector configuration section below:

./otelcol-contrib --config=./config.yaml

Expected Result

The collector connects to the OpAMP server.

Actual Result

The collector fails to connect to the OpAMP server.

It only connects if providing TLS config insecure: true:

extensions:
  opamp:
    server:
      ws:
        endpoint: "ws://127.0.0.1:4320/v1/opamp"
        tls:
          insecure: true

Collector version

v0.124.1

Environment information

Environment

OS: macOS Sequoia 15.4.1
Compiler: go1.24.2 darwin/arm64

OpenTelemetry Collector configuration

extensions:
  opamp:
    server:
      ws:
        endpoint: "ws://127.0.0.1:4320/v1/opamp"

receivers:
  nop:

exporters:
  nop:

service:
  extensions: [opamp]
  pipelines:
    traces:
      receivers: [nop]
      exporters: [nop]

Log output

2025-04-21T15:47:29.487+0200    info    [email protected]/service.go:199 Setting up own telemetry...
2025-04-21T15:47:29.487+0200    info    [email protected]/service.go:266 Starting otelcol-contrib...     {"Version": "0.124.1", "NumCPU": 11}
2025-04-21T15:47:29.487+0200    info    extensions/extensions.go:41     Starting extensions...
2025-04-21T15:47:29.487+0200    info    extensions/extensions.go:45     Extension is starting...
2025-04-21T15:47:29.509+0200    info    extensions/extensions.go:62     Extension started.
2025-04-21T15:47:29.510+0200    info    [email protected]/service.go:289 Everything is ready. Begin running and processing data.
2025-04-21T15:47:29.511+0200    error   [email protected]/opamp_agent.go:138      Failed to connect to the OpAMP server   {"error": "tls: first record does not look like a TLS handshake"}
github.com/open-telemetry/opentelemetry-collector-contrib/extension/opampextension.(*opampAgent).Start.func3
        github.com/open-telemetry/opentelemetry-collector-contrib/extension/[email protected]/opamp_agent.go:138
github.com/open-telemetry/opamp-go/client.(*wsClient).tryConnectOnce
        github.com/open-telemetry/[email protected]/client/wsclient.go:239
github.com/open-telemetry/opamp-go/client.(*wsClient).ensureConnected
        github.com/open-telemetry/[email protected]/client/wsclient.go:282
github.com/open-telemetry/opamp-go/client.(*wsClient).runOneCycle
        github.com/open-telemetry/[email protected]/client/wsclient.go:326
github.com/open-telemetry/opamp-go/client.(*wsClient).runUntilStopped
        github.com/open-telemetry/[email protected]/client/wsclient.go:412
github.com/open-telemetry/opamp-go/client/internal.(*ClientCommon).StartConnectAndRun.func1
        github.com/open-telemetry/[email protected]/client/internal/clientcommon.go:208

Additional context

No response

The text was updated successfully, but these errors were encountered:

github-actions · 2025-04-21T14:19:18Z

Pinging code owners:

extension/opamp: @portertech @evan-bradley @tigrannajaryan

See Adding Labels via Comments if you do not have permissions to add labels yourself.

johannaojeling · 2025-04-21T14:20:44Z

Self-assign

…pen-telemetry#39516)  #### Description Loads TLS config for the OpAMP Extension's OpAMP agent only if the `server::ws::endpoint`/`server::http::endpoint` config is set to a URL with scheme `wss`/`https`.  #### Link to tracking issue Fixes open-telemetry#39515  #### Testing - Added unit tests - Tested manually with the steps described in **Steps to Reproduce** in open-telemetry#39515

johannaojeling added bug Something isn't working needs triage New item requiring triage labels Apr 21, 2025

github-actions bot added the extension/opamp label Apr 21, 2025

johannaojeling mentioned this issue Apr 21, 2025

[extension/opamp] Load TLS config only for wss and https endpoints #39516

Merged

atoulme closed this as completed in #39516 Apr 21, 2025

atoulme closed this as completed in 6fccc5e Apr 21, 2025

github-actions bot mentioned this issue Apr 22, 2025

Weekly Report: 2025-04-15 - 2025-04-22 #39524

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[extension/opamp] TLS config loaded even for insecure schemes (ws/http) #39515

[extension/opamp] TLS config loaded even for insecure schemes (ws/http) #39515

johannaojeling commented Apr 21, 2025

github-actions bot commented Apr 21, 2025

johannaojeling commented Apr 21, 2025