Load client certificate from hardware security device with Pkcs11 protocol #31536

Closed
martinscheffler opened this issue Mar 2, 2024 · 3 comments
Labels: closed as inactive; enhancement (New feature or request); needs triage (New item requiring triage); question (Further information is requested); Stale

Comments

@martinscheffler

Component(s)

No response

Is your feature request related to a problem? Please describe.

We want to run an otel collector on an edge device. It should collect telemetry from applications running on that edge device and forward it to another otel collector on a central server.
The applications on the edge device keep client certificates for mTLS in a TPM chip. We would like to also use the TPM to secure the connection from the local collector to the central collector.
Is that possible as is? Or would it be possible to develop an extension that uses Pkcs11 to use a certificate in the TPM?
Thank you!

Describe the solution you'd like

An extension for using Pkcs11 to establish an mTLS connection for the OTLP exporter

Describe alternatives you've considered

Establish a TLS tunnel with the Pkcs11 certificates

Additional context

No response

@martinscheffler (Author)

After digging into the otel code, I now think an extension is not the right path - that is more for modifying telemetry streams I guess.
The only way to do this cleanly is probably to modify the code in configtls.go. I could try to tackle this, but only if other parties are interested in TPM authentication.
In the meantime, I will try to add code to our otel connector that creates a TLS tunnel with the certificate in my TPM, then set up the grpc exporter to connect to that tunnel on localhost.
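The integration point a TPM/PKCS#11 change to configtls.go would hang off, as an added Go example (not code from the issue author or from the collector): Go's crypto/tls never needs the private key bytes, only a crypto.Signer, which is exactly what a PKCS#11 or TPM key handle can provide. The opaqueSigner below wraps an in-memory Ed25519 key as a constructed stand-in for such a handle, and the names collector.example and edge-agent.example are made up for the demo.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"io"
	"math/big"
	"time"
)

// opaqueSigner is a constructed stand-in for a PKCS#11/TPM key handle: crypto/tls only ever calls Public() and Sign().
type opaqueSigner struct{ key ed25519.PrivateKey }
func (s opaqueSigner) Public() crypto.PublicKey { return s.key.Public() }
func (s opaqueSigner) Sign(r io.Reader, m []byte, o crypto.SignerOpts) ([]byte, error) { return s.key.Sign(r, m, o) }

// selfSigned mints a self-signed test cert with SAN name (a real deployment uses a CA-issued cert).
func selfSigned(name string) (ed25519.PrivateKey, *x509.Certificate) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, key) // cannot fail for this fixed template
	cert, _ := x509.ParseCertificate(der)
	return key, cert
}
// MutualTLSHandshake runs mTLS over loopback and returns the client SAN the collector side verified.
func MutualTLSHandshake() (string, error) {
	srvKey, srvCert := selfSigned("collector.example")
	cliKey, cliCert := selfSigned("edge-agent.example")
	srvPool, cliPool := x509.NewCertPool(), x509.NewCertPool()
	srvPool.AddCert(cliCert) // central collector trusts the edge client cert
	cliPool.AddCert(srvCert) // edge client pins the collector's server cert
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: srvPool,
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}}})
	if err != nil { return "", err }
	defer ln.Close()
	hw := &tls.Certificate{Certificate: [][]byte{cliCert.Raw}, PrivateKey: opaqueSigner{cliKey}} // never a key file
	go func() { // edge exporter side: GetClientCertificate is the hook configtls.go would have to expose
		c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: cliPool, ServerName: "collector.example",
			GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return hw, nil }})
		if err == nil { io.ReadAll(c); c.Close() } // hold the connection open until the collector side closes it
	}()
	srv, err := ln.Accept()
	if err != nil { return "", err }
	defer srv.Close()
	if err = srv.(*tls.Conn).Handshake(); err != nil { return "", err }
	return srv.(*tls.Conn).ConnectionState().PeerCertificates[0].DNSNames[0], nil
}
```

Swapping opaqueSigner for a real PKCS#11 or TPM-backed crypto.Signer is the only change needed on the client side; the server never learns how the key is stored.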

Contributor

This issue has been inactive for 60 days. It will be closed in 60 days if there is no activity. To ping code owners by adding a component label, see Adding Labels via Comments, or if you are unsure of which component this issue relates to, please ping @open-telemetry/collector-contrib-triagers. If this issue is still relevant, please ping the code owners or leave a comment explaining why it is still relevant. Otherwise, please close it.

Contributor

This issue has been closed as inactive because it has been stale for 120 days with no activity.

@github-actions github-actions bot closed this as not planned (won't fix, can't repro, duplicate, stale) on Aug 16, 2024