[cmd/opampsupervisor] Conditionally use TLS config (open-telemetry#35363)

dpaasman00 · jriguera · commit 2d7836a5fd9b · 2024-10-05T00:04:55.000+02:00
**Description:** <Describe what has changed.>  Fixes an issue where TLS would be used despite the opamp server using `ws` or `http` protocols. Before a TLS config would always get created, causing the connection to always use TLS settings. This change first checks which protocol we're using before creating a TLS config. **Link to tracking Issue:** <Issue number if applicable> Fixes open-telemetry#35283 **Testing:** <Describe what testing was performed and which tests were added.> Removed `tls.insecure_skip_verify: true` from e2e test configs which were using `ws` protocol since they are no longer needed. **Documentation:** <Describe the documentation added.>
diff --git a/.chloggen/fix-opampsupervisor-tls-settings.yaml b/.chloggen/fix-opampsupervisor-tls-settings.yaml
@@ -0,0 +1,27 @@
+# Use this changelog template to create an entry for release notes.
+
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: bug_fix
+
+# The name of the component, or a single word describing the area of concern, (e.g. filelogreceiver)
+component: opampsupervisor
+
+# A brief description of the change.  Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Only use TLS config when connecting to OpAMP server if using `wss` or `https` protocols.
+
+# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists.
+issues: [35283]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
+
+# If your change doesn't affect end users or the exported elements of any package,
+# you should instead start your pull request title with [chore] or use the "Skip Changelog" label.
+# Optional: The change log or logs in which this entry should be included.
+# e.g. '[user]' or '[user, api]'
+# Include 'user' if the change is relevant to end users.
+# Include 'api' if there is a change to a library API.
+# Default: '[user]'
+change_logs: []
diff --git a/cmd/opampsupervisor/supervisor/supervisor.go b/cmd/opampsupervisor/supervisor/supervisor.go
@@ -6,11 +6,13 @@ package supervisor
 import (
 	"bytes"
 	"context"
+	"crypto/tls"
 	_ "embed"
 	"errors"
 	"fmt"
 	"net"
 	"net/http"
+	"net/url"
 	"os"
 	"path/filepath"
 	"sort"
@@ -366,9 +368,17 @@ func (s *Supervisor) startOpAMP() error {
 func (s *Supervisor) startOpAMPClient() error {
 	s.opampClient = client.NewWebSocket(newLoggerFromZap(s.logger))
 
-	tlsConfig, err := s.config.Server.TLSSetting.LoadTLSConfig(context.Background())
+	// determine if we need to load a TLS config or not
+	var tlsConfig *tls.Config
+	parsedURL, err := url.Parse(s.config.Server.Endpoint)
 	if err != nil {
-		return err
+		return fmt.Errorf("parse server endpoint: %w", err)
+	}
+	if parsedURL.Scheme == "wss" || parsedURL.Scheme == "https" {
+		tlsConfig, err = s.config.Server.TLSSetting.LoadTLSConfig(context.Background())
+		if err != nil {
+			return err
+		}
 	}
 
 	s.logger.Debug("Connecting to OpAMP server...", zap.String("endpoint", s.config.Server.Endpoint), zap.Any("headers", s.config.Server.Headers))
diff --git a/cmd/opampsupervisor/testdata/supervisor/supervisor_accepts_conn.yaml b/cmd/opampsupervisor/testdata/supervisor/supervisor_accepts_conn.yaml
@@ -1,7 +1,5 @@
 server:
   endpoint: ws://{{.url}}/v1/opamp
-  tls:
-    insecure: true
 
 capabilities:
   reports_effective_config: true
diff --git a/cmd/opampsupervisor/testdata/supervisor/supervisor_agent_description.yaml b/cmd/opampsupervisor/testdata/supervisor/supervisor_agent_description.yaml
@@ -1,7 +1,5 @@
 server:
   endpoint: ws://{{.url}}/v1/opamp
-  tls:
-    insecure: true
 
 capabilities:
   reports_effective_config: true
diff --git a/cmd/opampsupervisor/testdata/supervisor/supervisor_basic.yaml b/cmd/opampsupervisor/testdata/supervisor/supervisor_basic.yaml
@@ -1,7 +1,5 @@
 server:
   endpoint: ws://{{.url}}/v1/opamp
-  tls:
-    insecure: true
 
 capabilities:
   reports_effective_config: true
diff --git a/cmd/opampsupervisor/testdata/supervisor/supervisor_healthcheck_port.yaml b/cmd/opampsupervisor/testdata/supervisor/supervisor_healthcheck_port.yaml
@@ -1,7 +1,5 @@
 server:
   endpoint: ws://{{.url}}/v1/opamp
-  tls:
-    insecure: true
 
 capabilities:
   reports_effective_config: true
diff --git a/cmd/opampsupervisor/testdata/supervisor/supervisor_nocap.yaml b/cmd/opampsupervisor/testdata/supervisor/supervisor_nocap.yaml
@@ -1,7 +1,5 @@
 server:
   endpoint: ws://{{.url}}/v1/opamp
-  tls:
-    insecure: true
 
 capabilities:
   reports_effective_config: false
diff --git a/cmd/opampsupervisor/testdata/supervisor/supervisor_persistence.yaml b/cmd/opampsupervisor/testdata/supervisor/supervisor_persistence.yaml
@@ -1,7 +1,5 @@
 server:
   endpoint: ws://{{.url}}/v1/opamp
-  tls:
-    insecure: true
 
 capabilities:
   reports_effective_config: true
