open-telemetry · codeboten · Sep 8, 2025 · Jun 21, 2025 · Jun 21, 2025 · Jun 26, 2025
@@ -0,0 +1,28 @@
+# Use this changelog template to create an entry for release notes.
+
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. otlpreceiver)
+component: configtls
+
+# A brief description of the change.  Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Add early validation for TLS server configurations to fail fast when certificates are missing instead of failing at runtime.
+
+# One or more tracking issues or pull requests related to the change
+issues: [13130]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext: |
+  Internalized config validation to prevent unwanted recursion.
+  Improved certificate/key validation logic for early error detection.
+  ClientConfig skips validation when Insecure is true and no CA is set.
+
+# Optional: The change log or logs in which this entry should be included.
+# e.g. '[user]' or '[user, api]'
+# Include 'user' if the change is relevant to end users.
+# Include 'api' if there is a change to a library API.
+# Default: '[user]'
+change_logs: [user]
@@ -189,11 +189,25 @@ func (r *certReloader) GetCertificate() (*tls.Certificate, error) {
 	return r.cert, nil
 }
 
-func (c Config) Validate() error {
+func (c Config) validate() error {
 	if c.hasCAFile() && c.hasCAPem() {
 		return errors.New("provide either a CA file or the PEM-encoded string, but not both")
 	}
 
+	// Ensure certificate is not set using both file and PEM
+	if c.hasCertFile() && c.hasCertPem() {
+		return errors.New("provide either certificate file or PEM, but not both")
+	}
+
+	// Ensure key is not set using both file and PEM
+	if c.hasKeyFile() && c.hasKeyPem() {
+		return errors.New("provide either key file or PEM, but not both")
+	}
+	// Require both certificate and key if either is provided
+	if c.hasCert() != c.hasKey() {
+		return errors.New("TLS configuration must include both certificate and key (CertFile/CertPem and KeyFile/KeyPem)")
+	}
+
 	minTLS, err := convertVersion(c.MinVersion, defaultMinTLSVersion)
 	if err != nil {
 		return fmt.Errorf("invalid TLS min_version: %w", err)
@@ -211,6 +225,24 @@ func (c Config) Validate() error {
 	return nil
 }
 
+func (c ClientConfig) Validate() error {
+	if c.Insecure && !c.hasCA() {
+		return nil
+	}
+	return c.Config.validate()
+}
+
+func (c ServerConfig) Validate() error {
+	if err := c.Config.validate(); err != nil {
+		return err
+	}
+	// For servers, both certificate and key are always required
+	if !c.hasCert() && !c.hasKey() {
+		return errors.New("TLS configuration must include both certificate and key for server connections")
+	}
+	return nil
+}
+
 // loadTLSConfig loads TLS certificates and returns a tls.Config.
 // This will set the RootCAs and Certificates of a tls.Config.
 func (c Config) loadTLSConfig() (*tls.Config, error) {

@@ -668,11 +668,22 @@ func TestConfigValidate(t *testing.T) {
 		{name: `TLS Config ["0.4", ""] to give [Error]`, tlsConfig: Config{MinVersion: "0.4", MaxVersion: ""}, errorTxt: `invalid TLS min_version: unsupported TLS version: "0.4"`},
 		{name: `TLS Config ["1.2", "1.1"] to give [Error]`, tlsConfig: Config{MinVersion: "1.2", MaxVersion: "1.1"}, errorTxt: `invalid TLS configuration: min_version cannot be greater than max_version`},
 		{name: `TLS Config with both CA File and PEM`, tlsConfig: Config{CAFile: "test", CAPem: "test"}, errorTxt: `provide either a CA file or the PEM-encoded string, but not both`},
+		{name: `TLS Config with cert file but no key`, tlsConfig: Config{CertFile: "cert.pem"}, errorTxt: `TLS configuration must include both certificate and key (CertFile/CertPem and KeyFile/KeyPem)`},
+		{name: `TLS Config with key file but no cert`, tlsConfig: Config{KeyFile: "key.pem"}, errorTxt: `TLS configuration must include both certificate and key (CertFile/CertPem and KeyFile/KeyPem)`},
+		{name: `TLS Config with cert PEM but no key`, tlsConfig: Config{CertPem: "cert-pem"}, errorTxt: `TLS configuration must include both certificate and key (CertFile/CertPem and KeyFile/KeyPem)`},
+		{name: `TLS Config with key PEM but no cert`, tlsConfig: Config{KeyPem: "key-pem"}, errorTxt: `TLS configuration must include both certificate and key (CertFile/CertPem and KeyFile/KeyPem)`},
+		{name: `TLS Config with both cert file and cert PEM`, tlsConfig: Config{CertFile: "cert.pem", CertPem: "cert-pem", KeyFile: "key.pem"}, errorTxt: `provide either certificate file or PEM, but not both`},
+		{name: `TLS Config with both key file and key PEM`, tlsConfig: Config{CertFile: "cert.pem", KeyFile: "key.pem", KeyPem: "key-pem"}, errorTxt: `provide either key file or PEM, but not both`},
+		{name: `TLS Config with cert file and key PEM`, tlsConfig: Config{CertFile: "cert.pem", KeyPem: "key-pem"}},
+		{name: `TLS Config with cert PEM and key file`, tlsConfig: Config{CertPem: "cert-pem", KeyFile: "key.pem"}},
+		{name: `TLS Config with valid cert and key files`, tlsConfig: Config{CertFile: "cert.pem", KeyFile: "key.pem"}},
+		{name: `TLS Config with valid cert and key PEM`, tlsConfig: Config{CertPem: "cert-pem", KeyPem: "key-pem"}},
 	}
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			err := test.tlsConfig.Validate()
+			clientConfig := ClientConfig{Config: test.tlsConfig}
+			err := clientConfig.Validate()
 
 			if test.errorTxt == "" {
 				assert.NoError(t, err)
@@ -923,3 +934,186 @@ func TestCurvePreferences(t *testing.T) {
 		}
 	}
 }
+
+func TestServerConfigValidate(t *testing.T) {
+	tests := []struct {
+		name         string
+		serverConfig ServerConfig
+		errorTxt     string
+	}{
+		{
+			name:         "Server config without certificates",
+			serverConfig: ServerConfig{},
+			errorTxt:     "TLS configuration must include both certificate and key for server connections",
+		},
+		{
+			name: "Valid server config with certificates",
+			serverConfig: ServerConfig{
+				Config: Config{
+					CertFile: "cert.pem",
+					KeyFile:  "key.pem",
+				},
+			},
+		},
+		{
+			name: "Valid server config with PEM certificates",
+			serverConfig: ServerConfig{
+				Config: Config{
+					CertPem: "cert-pem",
+					KeyPem:  "key-pem",
+				},
+			},
+		},
+		{
+			name: "Server config with TLS settings but no certificates",
+			serverConfig: ServerConfig{
+				Config: Config{
+					MinVersion: "1.2",
+				},
+			},
+			errorTxt: "TLS configuration must include both certificate and key for server connections",
+		},
+		{
+			name: "Server config with cipher suites but no certificates",
+			serverConfig: ServerConfig{
+				Config: Config{
+					CipherSuites: []string{"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
+				},
+			},
+			errorTxt: "TLS configuration must include both certificate and key for server connections",
+		},
+		{
+			name: "Server config with reload interval but no certificates",
+			serverConfig: ServerConfig{
+				Config: Config{
+					ReloadInterval: time.Minute,
+				},
+			},
+			errorTxt: "TLS configuration must include both certificate and key for server connections",
+		},
+		{
+			name: "Server config with mixed cert file and key PEM",
+			serverConfig: ServerConfig{
+				Config: Config{
+					CertFile: "cert.pem",
+					KeyPem:   "key-pem",
+				},
+			},
+		},
+		{
+			name: "Server config with only cert file",
+			serverConfig: ServerConfig{
+				Config: Config{
+					CertFile: "cert.pem",
+				},
+			},
+			errorTxt: "TLS configuration must include both certificate and key (CertFile/CertPem and KeyFile/KeyPem)",
+		},
+		{
+			name: "Server config with CA file but no certificates",
+			serverConfig: ServerConfig{
+				Config: Config{
+					CAFile: "ca.pem",
+				},
+			},
+			errorTxt: "TLS configuration must include both certificate and key for server connections",
+		},
+		{
+			name: "Server config with client CA file but no certificates",
+			serverConfig: ServerConfig{
+				ClientCAFile: "client-ca.pem",
+			},
+			errorTxt: "TLS configuration must include both certificate and key for server connections",
+		},
+		{
+			name: "Server config with both cert file and cert PEM",
+			serverConfig: ServerConfig{
+				Config: Config{
+					CertFile: "cert.pem",
+					CertPem:  "cert-pem",
+					KeyFile:  "key.pem",
+				},
+			},
+			errorTxt: "provide either certificate file or PEM, but not both",
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			err := test.serverConfig.Validate()
+
+			if test.errorTxt == "" {
+				assert.NoError(t, err)
+			} else {
+				assert.EqualError(t, err, test.errorTxt)
+			}
+		})
+	}
+}
+
+func TestClientConfigValidate(t *testing.T) {
+	tests := []struct {
+		name         string
+		clientConfig ClientConfig
+		errorTxt     string
+	}{
+		{
+			name:         "Valid empty client config",
+			clientConfig: ClientConfig{},
+		},
+		{
+			name: "Valid insecure client config",
+			clientConfig: ClientConfig{
+				Insecure: true,
+			},
+		},
+		{
+			name: "Valid client config with certificates",
+			clientConfig: ClientConfig{
+				Config: Config{
+					CertFile: "cert.pem",
+					KeyFile:  "key.pem",
+				},
+			},
+		},
+		{
+			name: "Client config with only cert file",
+			clientConfig: ClientConfig{
+				Config: Config{
+					CertFile: "cert.pem",
+				},
+			},
+			errorTxt: "TLS configuration must include both certificate and key (CertFile/CertPem and KeyFile/KeyPem)",
+		},
+		{
+			name: "Client config with mixed cert file and key PEM",
+			clientConfig: ClientConfig{
+				Config: Config{
+					CertFile: "cert.pem",
+					KeyPem:   "key-pem",
+				},
+			},
+		},
+		{
+			name: "Client config with invalid TLS version",
+			clientConfig: ClientConfig{
+				Config: Config{
+					MinVersion: "invalid",
+				},
+			},
+			errorTxt: `invalid TLS min_version: unsupported TLS version: "invalid"`,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			err := test.clientConfig.Validate()
+
+			if test.errorTxt == "" {
+				assert.NoError(t, err)
+			} else {
+				assert.EqualError(t, err, test.errorTxt)
+			}
+		})
+	}
+}