open-telemetry · codeboten · Sep 8, 2025 · Jun 21, 2025 · Jun 21, 2025 · Jun 26, 2025
@@ -0,0 +1,25 @@
+# Use this changelog template to create an entry for release notes.
+
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. otlpreceiver)
+component: configtls
+
+# A brief description of the change.  Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Add early validation for TLS server configurations to fail fast when certificates are missing instead of failing at runtime.
+
+# One or more tracking issues or pull requests related to the change
+issues: [13130, 13245]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
+
+# Optional: The change log or logs in which this entry should be included.
+# e.g. '[user]' or '[user, api]'
+# Include 'user' if the change is relevant to end users.
+# Include 'api' if there is a change to a library API.
+# Default: '[user]'
+change_logs: [user]
@@ -194,6 +194,21 @@ func (c Config) Validate() error {
 		return errors.New("provide either a CA file or the PEM-encoded string, but not both")
 	}
 
+	// Ensure certificate is not set using both file and PEM
+	if c.hasCertFile() && c.hasCertPem() {
+		return errors.New("provide either certificate file or PEM, but not both")
+	}
+
+	// Ensure key is not set using both file and PEM
+	if c.hasKeyFile() && c.hasKeyPem() {
+		return errors.New("provide either key file or PEM, but not both")
+	}
+
+	// Require both certificate and key if either is provided
+	if c.hasCert() != c.hasKey() {
+		return errors.New("TLS configuration must include both certificate and key (CertFile/CertPem and KeyFile/KeyPem)")
+	}
+
 	minTLS, err := convertVersion(c.MinVersion, defaultMinTLSVersion)
 	if err != nil {
 		return fmt.Errorf("invalid TLS min_version: %w", err)
@@ -211,6 +226,18 @@ func (c Config) Validate() error {
 	return nil
 }
 
+func (c ClientConfig) Validate() error {
+	return nil
+}
+
+func (c ServerConfig) Validate() error {
+	// For servers, both certificate and key are always required
+	if !c.hasCert() && !c.hasKey() {
+		return errors.New("TLS configuration must include both certificate and key for server connections")
+	}
+	return nil
+}
+
 // loadTLSConfig loads TLS certificates and returns a tls.Config.
 // This will set the RootCAs and Certificates of a tls.Config.
 func (c Config) loadTLSConfig() (*tls.Config, error) {

@@ -19,6 +19,7 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"go.opentelemetry.io/collector/config/configopaque"
+	"go.opentelemetry.io/collector/confmap/xconfmap"
 )
 
 func TestNewDefaultConfig(t *testing.T) {
@@ -668,6 +669,16 @@ func TestConfigValidate(t *testing.T) {
 		{name: `TLS Config ["0.4", ""] to give [Error]`, tlsConfig: Config{MinVersion: "0.4", MaxVersion: ""}, errorTxt: `invalid TLS min_version: unsupported TLS version: "0.4"`},
 		{name: `TLS Config ["1.2", "1.1"] to give [Error]`, tlsConfig: Config{MinVersion: "1.2", MaxVersion: "1.1"}, errorTxt: `invalid TLS configuration: min_version cannot be greater than max_version`},
 		{name: `TLS Config with both CA File and PEM`, tlsConfig: Config{CAFile: "test", CAPem: "test"}, errorTxt: `provide either a CA file or the PEM-encoded string, but not both`},
+		{name: `TLS Config with cert file but no key`, tlsConfig: Config{CertFile: "cert.pem"}, errorTxt: `TLS configuration must include both certificate and key (CertFile/CertPem and KeyFile/KeyPem)`},
+		{name: `TLS Config with key file but no cert`, tlsConfig: Config{KeyFile: "key.pem"}, errorTxt: `TLS configuration must include both certificate and key (CertFile/CertPem and KeyFile/KeyPem)`},
+		{name: `TLS Config with cert PEM but no key`, tlsConfig: Config{CertPem: "cert-pem"}, errorTxt: `TLS configuration must include both certificate and key (CertFile/CertPem and KeyFile/KeyPem)`},
+		{name: `TLS Config with key PEM but no cert`, tlsConfig: Config{KeyPem: "key-pem"}, errorTxt: `TLS configuration must include both certificate and key (CertFile/CertPem and KeyFile/KeyPem)`},
+		{name: `TLS Config with both cert file and cert PEM`, tlsConfig: Config{CertFile: "cert.pem", CertPem: "cert-pem", KeyFile: "key.pem"}, errorTxt: `provide either certificate file or PEM, but not both`},
+		{name: `TLS Config with both key file and key PEM`, tlsConfig: Config{CertFile: "cert.pem", KeyFile: "key.pem", KeyPem: "key-pem"}, errorTxt: `provide either key file or PEM, but not both`},
+		{name: `TLS Config with cert file and key PEM`, tlsConfig: Config{CertFile: "cert.pem", KeyPem: "key-pem"}},
+		{name: `TLS Config with cert PEM and key file`, tlsConfig: Config{CertPem: "cert-pem", KeyFile: "key.pem"}},
+		{name: `TLS Config with valid cert and key files`, tlsConfig: Config{CertFile: "cert.pem", KeyFile: "key.pem"}},
+		{name: `TLS Config with valid cert and key PEM`, tlsConfig: Config{CertPem: "cert-pem", KeyPem: "key-pem"}},
 	}
 
 	for _, test := range tests {
@@ -923,3 +934,194 @@ func TestCurvePreferences(t *testing.T) {
 		}
 	}
 }
+
+func TestServerConfigValidate(t *testing.T) {
+	tests := []struct {
+		name         string
+		serverConfig ServerConfig
+		errorTxt     string
+	}{
+		{
+			name:         "server config without certificates",
+			serverConfig: ServerConfig{},
+			errorTxt:     "TLS configuration must include both certificate and key for server connections",
+		},
+		{
+			name: "valid server config with cert and key files",
+			serverConfig: ServerConfig{
+				Config: Config{
+					CertFile: "cert.pem",
+					KeyFile:  "key.pem",
+				},
+			},
+		},
+		{
+			name: "valid server config with cert and key PEM",
+			serverConfig: ServerConfig{
+				Config: Config{
+					CertPem: "cert-pem",
+					KeyPem:  "key-pem",
+				},
+			},
+		},
+		{
+			name: "valid server config with mixed cert file and key PEM",
+			serverConfig: ServerConfig{
+				Config: Config{
+					CertFile: "cert.pem",
+					KeyPem:   "key-pem",
+				},
+			},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			err := test.serverConfig.Validate()
+
+			if test.errorTxt == "" {
+				assert.NoError(t, err)
+			} else {
+				assert.EqualError(t, err, test.errorTxt)
+			}
+		})
+	}
+}
+
+func TestServerConfigValidateWithConfmap(t *testing.T) {
+	tests := []struct {
+		name         string
+		serverConfig ServerConfig
+		errorTxt     string
+	}{
+		{
+			name: "server config with cert file but no key via confmap validation",
+			serverConfig: ServerConfig{
+				Config: Config{
+					CertFile: "cert.pem",
+				},
+			},
+			errorTxt: "config: TLS configuration must include both certificate and key (CertFile/CertPem and KeyFile/KeyPem)",
+		},
+		{
+			name: "server config with key file but no cert via confmap validation",
+			serverConfig: ServerConfig{
+				Config: Config{
+					KeyFile: "key.pem",
+				},
+			},
+			errorTxt: "config: TLS configuration must include both certificate and key (CertFile/CertPem and KeyFile/KeyPem)",
+		},
+		{
+			name: "server config with both cert file and cert PEM via confmap validation",
+			serverConfig: ServerConfig{
+				Config: Config{
+					CertFile: "cert.pem",
+					CertPem:  "cert-pem",
+					KeyFile:  "key.pem",
+				},
+			},
+			errorTxt: "config: provide either certificate file or PEM, but not both",
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			err := xconfmap.Validate(test.serverConfig)
+
+			if test.errorTxt == "" {
+				assert.NoError(t, err)
+			} else {
+				assert.EqualError(t, err, test.errorTxt)
+			}
+		})
+	}
+}
+
+func TestClientConfigValidate(t *testing.T) {
+	tests := []struct {
+		name         string
+		clientConfig ClientConfig
+		errorTxt     string
+	}{
+		{
+			name:         "valid empty client config",
+			clientConfig: ClientConfig{},
+		},
+		{
+			name: "valid client config with insecure connection",
+			clientConfig: ClientConfig{
+				Insecure: true,
+			},
+		},
+		{
+			name: "valid client config with cert and key files",
+			clientConfig: ClientConfig{
+				Config: Config{
+					CertFile: "cert.pem",
+					KeyFile:  "key.pem",
+				},
+			},
+		},
+		{
+			name: "valid client config with mixed cert file and key PEM",
+			clientConfig: ClientConfig{
+				Config: Config{
+					CertFile: "cert.pem",
+					KeyPem:   "key-pem",
+				},
+			},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			err := test.clientConfig.Validate()
+
+			if test.errorTxt == "" {
+				assert.NoError(t, err)
+			} else {
+				assert.EqualError(t, err, test.errorTxt)
+			}
+		})
+	}
+}
+
+func TestClientConfigValidateWithConfmap(t *testing.T) {
+	tests := []struct {
+		name         string
+		clientConfig ClientConfig
+		errorTxt     string
+	}{
+		{
+			name: "client config with cert file but no key via confmap validation",
+			clientConfig: ClientConfig{
+				Config: Config{
+					CertFile: "cert.pem",
+				},
+			},
+			errorTxt: "config: TLS configuration must include both certificate and key (CertFile/CertPem and KeyFile/KeyPem)",
+		},
+		{
+			name: "client config with invalid TLS version via confmap validation",
+			clientConfig: ClientConfig{
+				Config: Config{
+					MinVersion: "invalid",
+				},
+			},
+			errorTxt: `config: invalid TLS min_version: unsupported TLS version: "invalid"`,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			err := xconfmap.Validate(test.clientConfig)
+
+			if test.errorTxt == "" {
+				assert.NoError(t, err)
+			} else {
+				assert.EqualError(t, err, test.errorTxt)
+			}
+		})
+	}
+}