Socket
Socket
Sign inDemoInstall

go.opentelemetry.io/collector/config/configtls

Package Overview
Dependencies
8
Alerts
File Explorer

Install Socket

Detect and block malicious and high-risk dependencies

Install

    go.opentelemetry.io/collector/config/configtls

Package configtls implements the TLS settings to load and configure TLS clients and servers.


Version published

Readme

Source

TLS Configuration Settings

Crypto TLS exposes a variety of settings. Several of these settings are available for configuration within individual receivers or exporters.

Note that mutual TLS (mTLS) is also supported.

TLS / mTLS Configuration

By default, TLS is enabled:

  • insecure (default = false): whether to enable client transport security for the exporter's gRPC connection. See grpc.WithInsecure().

As a result, the following parameters are also required:

  • cert_file: Path to the TLS cert to use for TLS required connections. Should only be used if insecure is set to false.

    • cert_pem: Alternative to cert_file. Provide the certificate contents as a string instead of a filepath.
  • key_file: Path to the TLS key to use for TLS required connections. Should only be used if insecure is set to false.

    • key_pem: Alternative to key_file. Provide the key contents as a string instead of a filepath.

A certificate authority may also need to be defined:

  • ca_file: Path to the CA cert. For a client this verifies the server certificate. For a server this verifies client certificates. If empty uses system root CA. Should only be used if insecure is set to false.
    • ca_pem: Alternative to ca_file. Provide the CA cert contents as a string instead of a filepath.

Additionally you can configure TLS to be enabled but skip verifying the server's certificate chain. This cannot be combined with insecure since insecure won't use TLS at all.

  • insecure_skip_verify (default = false): whether to skip verifying the certificate or not.

Minimum and maximum TLS version can be set:

IMPORTANT: TLS 1.0 and 1.1 are deprecated due to known vulnerabilities and should be avoided.

  • min_version (default = "1.2"): Minimum acceptable TLS version.

    • options: ["1.0", "1.1", "1.2", "1.3"]
  • max_version (default = "" handled by crypto/tls - currently TLS 1.3): Maximum acceptable TLS version.

    • options: ["1.0", "1.1", "1.2", "1.3"]

Explicit cipher suites can be set. If left blank, a safe default list is used. See https://go.dev/src/crypto/tls/cipher_suites.go for a list of supported cipher suites.

  • cipher_suites: (default = []): List of cipher suites to use.

Example:

  cipher_suites:
    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

Additionally certificates may be reloaded by setting the below configuration.

  • reload_interval (optional) : ReloadInterval specifies the duration after which the certificate will be reloaded. If not set, it will never be reloaded. Accepts a duration string, valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

How TLS/mTLS is configured depends on whether configuring the client or server. See below for examples.

Client Configuration

Exporters leverage client configuration. The TLS configuration parameters are defined under tls, like server configuration.

Beyond TLS configuration, the following setting can optionally be configured:

  • server_name_override: If set to a non-empty string, it will override the virtual host name of authority (e.g. :authority header field) in requests (typically used for testing).

Example:

exporters:
  otlp:
    endpoint: myserver.local:55690
    tls:
      insecure: false
      ca_file: server.crt
      cert_file: client.crt
      key_file: client.key
      min_version: "1.1"
      max_version: "1.2"
  otlp/insecure:
    endpoint: myserver.local:55690
    tls:
      insecure: true
  otlp/secure_no_verify:
    endpoint: myserver.local:55690
    tls:
      insecure: false
      insecure_skip_verify: true

Server Configuration

Receivers leverage server configuration.

Beyond TLS configuration, the following setting can optionally be configured (required for mTLS):

  • client_ca_file: Path to the TLS cert to use by the server to verify a client certificate. (optional) This sets the ClientCAs and ClientAuth to RequireAndVerifyClientCert in the TLSConfig. Please refer to https://godoc.org/crypto/tls#Config for more information.

Example:

receivers:
  otlp:
    protocols:
      grpc:
        endpoint: mysite.local:55690
        tls:
          cert_file: server.crt
          key_file: server.key
  otlp/mtls:
    protocols:
      grpc:
        endpoint: mysite.local:55690
        tls:
          client_ca_file: client.pem
          cert_file: server.crt
          key_file: server.key
  otlp/notls:
    protocols:
      grpc:
        endpoint: mysite.local:55690

FAQs

Last updated on 24 Jan 2024

Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc