Add support for ssl in v3 #1175

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Open

Akshay2191 wants to merge 6 commits into main from add-ssl-support-v3

Akshay2191 commented Jul 17, 2025

Proposed changes

Describe the use case and detail of the change. If this PR addresses an issue on GitHub, make sure to include a link to that issue using one of the supported keywords here in this description (not in the title of the PR).

Checklist

Before creating a PR, run through this checklist and mark each as complete.

I have read the CONTRIBUTING document
I have run make install-tools and have attached any dependency changes to this pull request
If applicable, I have added tests that prove my fix is effective or that my feature works
If applicable, I have checked that any relevant tests pass after adding my changes
If applicable, I have updated any relevant documentation (README.md)
If applicable, I have tested my cross-platform changes on Ubuntu 22, Redhat 8, SUSE 15 and FreeBSD 13

Akshay2191 added 3 commits

July 17, 2025 16:16


          adding changes to proto

a847b66


          code changes to support ssl

b95dcb0


          fixing otel collector config

06e701d

Akshay2191 requested a review from a team as a code owner

July 17, 2025 16:00

github-actions bot added chore documentation labels

Akshay2191 added 2 commits

July 17, 2025 17:25


          added unit test to increase test coverage

961954a


          fixing lint errors

bcdcd99

aphralG reviewed

View reviewed changes

internal/collector/nginxossreceiver/internal/scraper/stubstatus/stub_status_scraper_tls_test.go Outdated

+              func TestStubStatusScraperTLS(t *testing.T) {
+              	// Create a test CA certificate and key
+              	ca := &x509.Certificate{

Contributor

aphralG Jul 21, 2025

Could the GenerateSelfSignedCert helper in test/helpers/certs_utils.go be used here

aphralG reviewed

View reviewed changes

internal/collector/nginxossreceiver/internal/scraper/stubstatus/stub_status_scraper_tls_test.go Outdated

+              	require.NoError(t, caBytesErr)
+              	// Create a test server certificate signed by the CA
+              	cert := &x509.Certificate{

Contributor

aphralG Jul 21, 2025

Same as above

aphralG reviewed

View reviewed changes

internal/collector/nginxossreceiver/internal/scraper/stubstatus/stub_status_scraper_tls_test.go Outdated

+              	tempDir := t.TempDir()
+              	// Save CA certificate to a file
+              	caFile := filepath.Join(tempDir, "ca.crt")

Contributor

aphralG Jul 21, 2025

Can WriteCertFiles from test/helpers/certs_utils.go be used here

aphralG reviewed

View reviewed changes

internal/collector/nginxossreceiver/internal/scraper/stubstatus/stub_status_scraper_tls_test.go Outdated

+              	defer listener.Close()
+              	// Start a simple HTTP server on the Unix socket
+              	server := &http.Server{

Contributor

aphralG Jul 21, 2025

Can httptest be used here instead

aphralG reviewed

View reviewed changes

internal/collector/nginxossreceiver/internal/scraper/stubstatus/stub_status_scraper_tls_test.go Outdated

+              func TestStubStatusScraperUnixSocket(t *testing.T) {
+              	// Use a shorter path for the socket to avoid path length issues
+              	socketPath := filepath.Join(os.TempDir(), "test-nginx.sock")

Contributor

aphralG Jul 21, 2025

Can t.TempDir be used here instead of os.TempDir()

aphralG reviewed

View reviewed changes

internal/collector/nginxossreceiver/internal/scraper/stubstatus/stub_status_scraper_tls_test.go

+              	}
+              	// Create a test server with TLS
+              	server := httptest.NewUnstartedServer(http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {

Contributor

aphralG Jul 21, 2025

Can httptest.NewTLSServer be used here

internal/config/types.go Outdated

    
            @@ -61,6 +61,7 @@ type (
          
              	}

              	NginxDataPlaneConfig struct {

              		ApiTls                 TLSConfig     `yaml:"api_tls"                  mapstructure:"api_tls"`

Contributor

aphralG Jul 21, 2025

Suggested change

      
            		ApiTls                 TLSConfig     `yaml:"api_tls"                  mapstructure:"api_tls"`
          
            		APITls                 TLSConfig     `yaml:"api_tls"                  mapstructure:"api_tls"`

dhurley reviewed

View reviewed changes

api/grpc/mpi/v1/command.proto Outdated

Comment on lines 355 to 356

    
                  // the API Ca directive

                  string Ca = 3;

Collaborator

dhurley Jul 18, 2025

Suggested change

      
                // the API Ca directive
          
                string Ca = 3;
          
                // the API CA file path
          
                string ca = 3;

internal/collector/nginxossreceiver/internal/scraper/stubstatus/stub_status_scraper.go Outdated

@@ @@ -63,6 +66,28 @@ func (s *NginxStubStatusScraper) ID() component.ID { @@
               func (s *NginxStubStatusScraper) Start(_ context.Context, _ component.Host) error {
               	s.logger.Info("Starting NGINX stub status scraper")
               	httpClient := http.DefaultClient
+              	caCertLocation := s.cfg.APIDetails.Ca
+              	if caCertLocation != "" {
+              		s.settings.Logger.Debug("Reading from Location for Ca Cert : ", zap.Any(caCertLocation, caCertLocation))

Collaborator

dhurley Jul 18, 2025

Suggested change

      
            		s.settings.Logger.Debug("Reading from Location for Ca Cert : ", zap.Any(caCertLocation, caCertLocation))
          
            		s.settings.Logger.Debug("Reading CA certificate", zap.Any("file_path", caCertLocation))

internal/collector/nginxossreceiver/internal/scraper/stubstatus/stub_status_scraper.go Outdated

Comment on lines 74 to 75

		s.settings.Logger.Error("Error starting NGINX stub scraper. "+
		"Failed to read CA certificate : ", zap.Error(err))

Collaborator

dhurley Jul 18, 2025

Suggested change

      
            			s.settings.Logger.Error("Error starting NGINX stub scraper. "+
          
            				"Failed to read CA certificate : ", zap.Error(err))
          
            			s.settings.Logger.Error("Error starting NGINX stub status scraper. "+
          
            				"Failed to read CA certificate", zap.Error(err))

internal/collector/nginxplusreceiver/scraper.go Outdated

@@ @@ -82,6 +85,26 @@ func (nps *NginxPlusScraper) ID() component.ID { @@
               func (nps *NginxPlusScraper) Start(_ context.Context, _ component.Host) error {
               	endpoint := strings.TrimPrefix(nps.cfg.APIDetails.URL, "unix:")
               	httpClient := http.DefaultClient
+              	caCertLocation := nps.cfg.APIDetails.Ca
+              	if caCertLocation != "" {
+              		nps.logger.Debug("Reading from Location for Ca Cert : ", zap.Any(caCertLocation, caCertLocation))

Collaborator

dhurley Jul 21, 2025

Suggested change

      
            		nps.logger.Debug("Reading from Location for Ca Cert : ", zap.Any(caCertLocation, caCertLocation))
          
            		nps.logger.Debug("Reading CA certificate", zap.Any("file_path", caCertLocation))

internal/collector/nginxplusreceiver/scraper.go Outdated

+              		nps.logger.Debug("Reading from Location for Ca Cert : ", zap.Any(caCertLocation, caCertLocation))
+              		caCert, err := os.ReadFile(caCertLocation)
+              		if err != nil {
+              			nps.logger.Error("Unable to start NGINX Plus scraper. Failed to read CA certificate: %v", zap.Error(err))

Collaborator

dhurley Jul 21, 2025

Suggested change

      
            			nps.logger.Error("Unable to start NGINX Plus scraper. Failed to read CA certificate: %v", zap.Error(err))
          
            			nps.logger.Error("Error starting NGINX stub status scraper. "+
          
            				"Failed to read CA certificate", zap.Error(err))

internal/datasource/config/nginx_config_parser.go Outdated

+              	if caCertLocation != "" && !ncp.agentConfig.IsDirectoryAllowed(caCertLocation) {
+              		// If SSL is enabled but CA cert is provided and not allowed, treat it as if no CA cert
+              		slog.Warn("CA certificate location is not allowed, treating as if no CA cert provided.")

Collaborator

dhurley Jul 21, 2025

Can you use WarnContext function instead?

internal/resource/resource_service.go Outdated

+              		slog.Debug("Reading from Location for Ca Cert : ", "cacertlocation", caCertLocation)
+              		caCert, err := os.ReadFile(caCertLocation)
+              		if err != nil {
+              			slog.Error("Unable to Create NGINX Plus client. Failed to read CA certificate : ", "err", err)

Collaborator

dhurley Jul 21, 2025

No need to log error since you are returning the error anyways

internal/datasource/config/nginx_config_parser.go Outdated

+              		slog.DebugContext(ctx, "Reading from Location for Ca Cert : ", "cacertlocation", caCertLocation)
+              		caCert, err := os.ReadFile(caCertLocation)
+              		if err != nil {
+              			slog.ErrorContext(ctx, "Failed to read CA certificate", "error", err)

Collaborator

dhurley Jul 21, 2025

No need to log error since you are returning the error anyways

internal/resource/resource_service.go Outdated

               	}
               	httpClient := http.DefaultClient
+              	caCertLocation := plusAPI.GetCa()
+              	if caCertLocation != "" {
+              		slog.Debug("Reading from Location for Ca Cert : ", "cacertlocation", caCertLocation)

Collaborator

dhurley Jul 21, 2025

Suggested change

      
            		slog.Debug("Reading from Location for Ca Cert : ", "cacertlocation", caCertLocation)
          
            		slog.Debug("Reading CA certificate", zap.Any("file_path", caCertLocation)

internal/datasource/config/nginx_config_parser.go Outdated

+              	caCertLocation := ncp.agentConfig.DataPlaneConfig.Nginx.ApiTls.Ca
+              	if caCertLocation != "" && ncp.agentConfig.IsDirectoryAllowed(caCertLocation) {
+              		slog.DebugContext(ctx, "Reading from Location for Ca Cert : ", "cacertlocation", caCertLocation)

Collaborator

dhurley Jul 21, 2025

Suggested change

      
            		slog.DebugContext(ctx, "Reading from Location for Ca Cert : ", "cacertlocation", caCertLocation)
          
            		slog.DebugContext(ctx, "Reading CA certificate", zap.Any("file_path", caCertLocation)


          Changes as per PR review comments

6c2f5ca

Akshay2191 requested review from dhurley and aphralG

July 21, 2025 14:09

oCHRISo added the v3.x label

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

chore documentation v3.x