Skip to content

fix(otel): don't combine WithTLSClientConfig with WithInsecure#293

Merged
blue4209211 merged 1 commit into
mainfrom
fix/otel-insecure-tls-conflict
Jul 15, 2026
Merged

fix(otel): don't combine WithTLSClientConfig with WithInsecure#293
blue4209211 merged 1 commit into
mainfrom
fix/otel-insecure-tls-conflict

Conversation

@mayankpande88

Copy link
Copy Markdown
Contributor

Problem

Since the otel group bump to v1.43 (#262), the agent fatals at startup whenever the traces endpoint is plain HTTP (e.g. the in-cluster otel collector):

F tracing.go:77] insecure HTTP endpoint cannot use TLS client configuration

otel v1.43+ validates exporter options and rejects WithTLSClientConfig combined with WithInsecure. Both the traces and logs exporters unconditionally set the TLS client config and then add WithInsecure() for non-https endpoints.

This is live: the republished 0.1.1 image crashloops on any cluster with an HTTP TRACES_ENDPOINT (observed on nudgebee-agent-dev). Note pods currently also fail earlier with exec: "coroot-node-agent": not found — that's a separate chart bug, fixed in nudgebee/k8s-agent#521. This crash is what pods hit once the chart fix lands.

Fix

Apply WithTLSClientConfig only when the endpoint scheme is https, in both tracing/tracing.go and logs/otel.go.

gofmt -l clean; go vet ./tracing/... passes (logs package needs Linux/systemd headers, verified by CI).

otel v1.43+ rejects a TLS client config on insecure HTTP endpoints:

  F tracing.go:77] insecure HTTP endpoint cannot use TLS client configuration

Since the otel group bump, the agent fatals at startup whenever
TRACES_ENDPOINT is plain HTTP (e.g. the in-cluster otel collector).
Apply WithTLSClientConfig only for https endpoints, in both the
traces and logs exporters.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request refactors the OpenTelemetry logging and tracing initialization to only apply TLS client configurations when the endpoint scheme is HTTPS. The review feedback suggests a security improvement to explicitly set the minimum TLS version to TLS 1.2 in both configurations to prevent the use of deprecated and insecure TLS versions.

Comment thread logs/otel.go
Comment thread tracing/tracing.go
@blue4209211 blue4209211 merged commit 8a3d59d into main Jul 15, 2026
7 checks passed
@blue4209211 blue4209211 deleted the fix/otel-insecure-tls-conflict branch July 15, 2026 02:47
blue4209211 pushed a commit to nudgebee/k8s-agent that referenced this pull request Jul 15, 2026
* chore(chart): bump node-agent image to 0.1.2, chart to 0.1.11

Picks up the otel exporter startup fix (nudgebee/node-agent#293):
agent fataled on plain-HTTP TRACES_ENDPOINT since the otel v1.43 bump.
New immutable image tag 0.1.2 instead of republishing 0.1.1, whose
in-place republish on 2026-07-10 caused the CrashLoopBackOff incident.

* chore: update image tags for main release

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
mayankpande88 added a commit to nudgebee/k8s-agent that referenced this pull request Jul 15, 2026
Picks up the otel exporter startup fix (nudgebee/node-agent#293):
agent fataled on plain-HTTP TRACES_ENDPOINT since the otel v1.43 bump.
New immutable image tag 0.1.2 instead of republishing 0.1.1, whose
in-place republish on 2026-07-10 caused the CrashLoopBackOff incident.
mayankpande88 added a commit to nudgebee/k8s-agent that referenced this pull request Jul 15, 2026
Picks up the otel exporter startup fix (nudgebee/node-agent#293):
agent fataled on plain-HTTP TRACES_ENDPOINT since the otel v1.43 bump.
New immutable image tag 0.1.2 instead of republishing 0.1.1, whose
in-place republish on 2026-07-10 caused the CrashLoopBackOff incident.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants