
Initial implementation for TPM extension #39059


Closed
wants to merge 3 commits into from

Conversation

@pavolloffay pavolloffay commented Mar 31, 2025

#### Description

#### Link to tracking issue

Updates: #38682

#### Testing

#### Documentation

```shell
make otelcontribcol
cd bin
./otelcontribcol_linux_amd64 --config config.yaml
```

```yaml
# CA
#  openssl genrsa -des3 -out ca.key 2048
# openssl req -new -x509 -days 1826 -key ca.key -out ca.crt -subj "/C=US/ST=CA/L=Santa Clara/O=Edge/OU=Edge/CN=localhost" -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"
#
# client
# sudo tpm2tss-genkey -a rsa -s 2048 edge-cert.key
# sudo openssl req -new -provider tpm2  -key edge-cert.key -out edge-cert.csr -subj "/C=US/ST=CA/L=Santa Clara/O=Edge/OU=Edge/CN=localhost" -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"
# openssl x509 -req -in edge-cert.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out edge-cert.crt -days 1826 -copy_extensions copyall
#
# server
# openssl genrsa -out server.key 2048
# openssl req -new -key server.key -out server.csr  -subj "/C=US/ST=CA/L=Santa Clara/O=Edge/OU=Edge/CN=localhost" -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"
# openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 360 -copy_extensions copyall
receivers:
  hostmetrics:
    collection_interval: 10s
    scrapers:
      cpu:
      memory:

  otlp/server:
    protocols:
      http:
        endpoint: localhost:4319
        tls:
          client_ca_file: ca.crt
          cert_file: server.crt
          key_file: server.key
exporters:
  otlphttp:
    endpoint: https://localhost:4319
    auth:
      authenticator: tpm
  debug:
    verbosity: normal
extensions:
  tpm:
    path: /dev/tpmrm0
    key_file: edge-cert.key
    cert_file: edge-cert.crt
    ca_file: ca.crt
service:
  telemetry:
    metrics:
      address: localhost:8889
  extensions: [tpm]
  pipelines:
    metrics/client:
      receivers: [hostmetrics]
      exporters: [otlphttp]
    metrics/server:
      receivers: [otlp/server]
      exporters: [debug]
```


```go
// RoundTrip hands the request straight to the TPM-backed TLS transport; it does
// not chain to any other interceptor, so authenticators wrapped by this one are skipped.
func (interceptor *TPMRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
	return interceptor.tpmTLSTransport.RoundTrip(req)
}
```

It is unfortunate that it skips other interceptors.

Signed-off-by: Pavol Loffay <[email protected]>
@atoulme atoulme marked this pull request as draft April 7, 2025 15:17

This PR was marked stale due to lack of activity. It will be closed in 14 days.

@github-actions github-actions bot added the Stale label Apr 22, 2025
github-merge-queue bot pushed a commit to open-telemetry/opentelemetry-collector that referenced this pull request Apr 30, 2025
#### Description

Add trusted platform module (TPM) support to TLS package.

#### Link to tracking issue
Resolves
open-telemetry/opentelemetry-collector-contrib#38682
Replaces
open-telemetry/opentelemetry-collector-contrib#39059

TPM cannot be implemented as an extension
(open-telemetry/opentelemetry-collector-contrib#38682)
because it overrides the entire `http.Transport` and therefore
invalidates other extensions/authenticators.

#### Testing

```yaml
# make otelcorecol 
# sudo ./bin/otelcorecol_linux_amd64 --config ./examples/local/tpm.yaml
#
# CA
#  openssl genrsa -des3 -out ca.key 2048
# openssl req -new -x509 -days 1826 -key ca.key -out ca.crt -subj "/C=US/ST=CA/L=Santa Clara/O=Edge/OU=Edge/CN=localhost" -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"
#
# client
# sudo tpm2tss-genkey -a rsa -s 2048 edge-cert.key
# sudo openssl req -new -provider tpm2  -key edge-cert.key -out edge-cert.csr -subj "/C=US/ST=CA/L=Santa Clara/O=Edge/OU=Edge/CN=localhost" -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"
# openssl x509 -req -in edge-cert.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out edge-cert.crt -days 1826 -copy_extensions copyall
#
# server
# openssl genrsa -out server.key 2048
# openssl req -new -key server.key -out server.csr  -subj "/C=US/ST=CA/L=Santa Clara/O=Edge/OU=Edge/CN=localhost" -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"
# openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 360 -copy_extensions copyall
receivers:
  otlp:
    protocols:
      grpc:
        endpoint: localhost:4317
      http:
        endpoint: localhost:4318
  otlp/server:
    protocols:
      grpc:
        endpoint: localhost:4319
        tls:
          client_ca_file: ca.crt
          cert_file: server.crt
          key_file: server.key
exporters:
  otlp:
    endpoint: https://localhost:4319
    tls:
      key_file: edge-cert.key
      cert_file: edge-cert.crt
      ca_file: ca.crt
      tpm:
        enabled: true
        path: /dev/tpmrm0
  debug:
    verbosity: normal
service:
  telemetry:
    metrics:
      address: localhost:8889
  pipelines:
    metrics/client:
      receivers: [otlp]
      exporters: [otlp]
    metrics/server:
      receivers: [otlp/server]
      exporters: [debug]
```

#### Documentation




Signed-off-by: Pavol Loffay <[email protected]>
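The commit message's point, that the TPM key has to live in the TLS layer rather than in a replacement `http.Transport` or every other interceptor is bypassed, can be shown end to end with Go's standard library, because `crypto/tls` accepts any `crypto.Signer` as a certificate's private key and never needs the raw key bytes. The following is an added example written for this page, not code from this PR or from the collector: `tpmSigner`, `headerRT`, `template`, `issue` and `demo` are hypothetical names, and the TPM is stood in for by an in-memory ECDSA key (an assumption, so the example runs without `/dev/tpmrm0`); a real build would back `Sign` with a TPM key handle. The CA, server and client certificates are generated in-process in the same shape as the openssl commands in the Testing sections above (a CN plus a 127.0.0.1 SAN), and the client certificate is issued from the signer's public key only, as in the CSR flow.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// tpmSigner stands in for a TPM-resident key (ASSUMPTION: an in-memory ECDSA key, so this
// runs without hardware); callers get only Public() and Sign(), exactly as with a TPM handle.
type tpmSigner struct{ priv *ecdsa.PrivateKey }

func (s *tpmSigner) Public() crypto.PublicKey { return &s.priv.PublicKey }

// TLS hands Sign a pre-hashed digest, which is also what a TPM signs.
func (s *tpmSigner) Sign(r io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	return ecdsa.SignASN1(r, s.priv, digest)
}

// headerRT plays any other interceptor in the chain; it still runs because the
// TPM key is wired into tls.Config instead of replacing http.Transport.
type headerRT struct{ next http.RoundTripper }

func (h *headerRT) RoundTrip(req *http.Request) (*http.Response, error) {
	req = req.Clone(req.Context())
	req.Header.Set("X-Interceptor", "ran")
	return h.next.RoundTrip(req)
}

// template mirrors the openssl commands on this page: a CN plus a 127.0.0.1 SAN.
func template(serial int64, cn string, usage x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              usage,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
		BasicConstraintsValid: true,
		IsCA:                  usage&x509.KeyUsageCertSign != 0,
	}
}

// issue returns the DER of tmpl signed under caKey; the CA is self-signed (tmpl == parent).
func issue(tmpl, parent *x509.Certificate, pub crypto.PublicKey, caKey crypto.Signer) []byte {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
	if err != nil {
		panic(err) // fixed templates: only a programming error gets here
	}
	return der
}

// demo builds a CA, a server cert and a client cert whose key only tpmSigner can use,
// then makes one mTLS request through the interceptor and returns what the server saw.
// The server requires a verified client cert, so a response arrives only if the
// handshake's CertificateVerify came from tpmSigner.Sign.
func demo() (string, error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	edgeKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tpm := &tpmSigner{priv: edgeKey}
	caTmpl := template(1, "Edge CA", x509.KeyUsageCertSign)
	ca, _ := x509.ParseCertificate(issue(caTmpl, caTmpl, &caKey.PublicKey, caKey))
	srvDER := issue(template(2, "server", x509.KeyUsageDigitalSignature), ca, &srvKey.PublicKey, caKey)
	edgeDER := issue(template(3, "edge-device", x509.KeyUsageDigitalSignature), ca, tpm.Public(), caKey) // CA sees only the public half
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "client=%s header=%s", r.TLS.PeerCertificates[0].Subject.CommonName, r.Header.Get("X-Interceptor"))
	}))
	srvCert := tls.Certificate{Certificate: [][]byte{srvDER}, PrivateKey: srvKey}
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool, Certificates: []tls.Certificate{srvCert}}
	srv.StartTLS() // receiver side (client_ca_file, cert_file, key_file): client certs are mandatory
	defer srv.Close()
	// Exporter side: the TPM key enters tls.Config as a crypto.Signer; the RoundTripper chain stays intact.
	edgeCert := tls.Certificate{Certificate: [][]byte{edgeDER}, PrivateKey: tpm}
	base := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool, Certificates: []tls.Certificate{edgeCert}}}
	resp, err := (&http.Client{Transport: &headerRT{next: base}}).Get(srv.URL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func main() { fmt.Println(demo()) }
```

Because the receiver side uses `tls.RequireAndVerifyClientCert`, the handshake fails unless the CertificateVerify message was produced by `tpmSigner.Sign`; the `header=ran` part of the echoed response confirms that the outer `RoundTripper` still executed, which is what the extension's `RoundTrip` override shown earlier could not guarantee once it replaced the whole transport.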