open-telemetry · jaronoff97 · Jun 18, 2026 · Mar 31, 2026 · Jun 16, 2026
@@ -0,0 +1,16 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. collector, target allocator, auto-instrumentation, opamp, github action)
+component: opampbridge
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: "Add TLS configuration support to the OpAMP Bridge, including options to disable TLS or skip certificate verification."
+
+# One or more tracking issues related to the change
+issues: [4921]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
@@ -13,6 +13,9 @@ type OpAMPBridgeSpec struct {
 	// OpAMP backend Server endpoint
 	// +required
 	Endpoint string `json:"endpoint"`
+	// TLS configuration for the connection to the OpAMP backend server.
+	// +optional
+	TLS *OpAMPBridgeTLSConfig `json:"tls,omitempty"`
 	// Headers is an optional map of headers to use when connecting to the OpAMP Server,
 	// typically used to set access tokens or other authorization headers.
 	// +optional
@@ -120,6 +123,16 @@ type AgentDescription struct {
 	NonIdentifyingAttributes map[string]string `json:"non_identifying_attributes"`
 }
 
+type OpAMPBridgeTLSConfig struct {
+	// Insecure indicates whether the endpoint should use TLS or not.
+	// When true, TLS is completely disabled.
+	// +optional
+	Insecure bool `json:"insecure,omitempty" yaml:"insecure,omitempty"`
+	// InsecureSkipVerify indicates to keep TLS but skip certificate validation.
+	// +optional
+	InsecureSkipVerify bool `json:"insecure_skip_verify,omitempty" yaml:"insecure_skip_verify,omitempty"`
+}
+
 // +kubebuilder:object:root=true
 // +kubebuilder:subresource:status
 // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"

@@ -872,6 +872,13 @@ spec:
                 type: object
               serviceAccount:
                 type: string
+              tls:
+                properties:
+                  insecure:
+                    type: boolean
+                  insecure_skip_verify:
+                    type: boolean
+                type: object
               tolerations:
                 items:
                   properties:

@@ -872,6 +872,13 @@ spec:
                 type: object
               serviceAccount:
                 type: string
+              tls:
+                properties:
+                  insecure:
+                    type: boolean
+                  insecure_skip_verify:
+                    type: boolean
+                type: object
               tolerations:
                 items:
                   properties:

@@ -6,8 +6,10 @@ package agent
 import (
 	"bytes"
 	"context"
+	"crypto/tls"
 	"errors"
 	"fmt"
+	"net/url"
 	"strings"
 	"time"
 
@@ -256,8 +258,34 @@ func (agent *Agent) Start() error {
 		},
 		RemoteConfigStatus:    agent.remoteConfigStatus,
 		PackagesStateProvider: nil,
-		Capabilities:          agent.config.GetCapabilities(),
 	}
+
+	// Configure TLS based on explicit tls settings.
+	if agent.config.TLS != nil {
+		if agent.config.TLS.Insecure {
+			parsedURL, parseErr := url.Parse(settings.OpAMPServerURL)
+			if parseErr != nil {
+				return fmt.Errorf("invalid OpAMP server endpoint %q: %w", settings.OpAMPServerURL, parseErr)
+			}
+
+			if parsedURL.Scheme == "wss" || parsedURL.Scheme == "https" {
+				return fmt.Errorf(
+					"tls.insecure=true requires an insecure endpoint scheme (ws:// or http://), but got %q. "+
+						"Please update the endpoint to use the insecure scheme when tls.insecure is enabled",
+					settings.OpAMPServerURL,
+				)
+			}
+
+			agent.logger.Info("TLS is disabled for the OpAMP client connection (tls.insecure=true). This connection is not encrypted.")
+		} else if agent.config.TLS.InsecureSkipVerify {
+			// TLS enabled but skip certificate verification (standard behavior)
+			settings.TLSConfig = &tls.Config{
+				InsecureSkipVerify: true, //nolint:gosec // User explicitly opted in via tls.insecure_skip_verify.
+			}
+			agent.logger.Info("TLS is enabled for the OpAMP client connection but certificate verification is skipped (tls.insecure_skip_verify=true)")
+		}
+	}
+
 	err = agent.opampClient.SetAgentDescription(agent.agentDescription)
 	if err != nil {
 		return err
@@ -266,6 +294,11 @@ func (agent *Agent) Start() error {
 	if err != nil {
 		return err
 	}
+	capabilities := agent.config.GetCapabilities()
+	err = agent.opampClient.SetCapabilities(&capabilities)
+	if err != nil {
+		return err
+	}
 
 	agent.logger.V(3).Info("Starting OpAMP client...")
 

@@ -1258,3 +1258,67 @@ func getMessageDataFromConfigFile(filemap map[string]string) (*types.MessageData
 	}
 	return toReturn, nil
 }
+
+func TestAgent_Start_TLSConfig(t *testing.T) {
+	tests := []struct {
+		name               string
+		endpoint           string
+		insecure           bool
+		insecureSkipVerify bool
+		expectNil          bool
+		expectSkip         bool
+		expectURL          string
+	}{
+		{
+			name:      "Insecure (no TLS)",
+			endpoint:  "ws://127.0.0.1:4320/v1/opamp",
+			insecure:  true,
+			expectNil: true,
+			expectURL: "ws://127.0.0.1:4320/v1/opamp",
+		},
+		{
+			name:               "Secure with Skip Verify",
+			endpoint:           "wss://127.0.0.1:4320/v1/opamp",
+			insecure:           false,
+			insecureSkipVerify: true,
+			expectNil:          false,
+			expectSkip:         true,
+			expectURL:          "wss://127.0.0.1:4320/v1/opamp",
+		},
+		{
+			name:               "Secure (verify enabled)",
+			endpoint:           "wss://127.0.0.1:4320/v1/opamp",
+			insecure:           false,
+			insecureSkipVerify: false,
+			expectNil:          true,
+			expectURL:          "wss://127.0.0.1:4320/v1/opamp",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			mockClient := &mockOpampClient{}
+			conf := config.NewConfig(logr.Discard())
+			conf.Endpoint = tt.endpoint
+			conf.TLS = &v1alpha1.OpAMPBridgeTLSConfig{
+				Insecure:           tt.insecure,
+				InsecureSkipVerify: tt.insecureSkipVerify,
+			}
+			applier := getFakeApplier(t, conf)
+			mp := newMockProxy(nil, nil, nil)
+			agent := NewAgent(l, applier, conf, mockClient, mp)
+
+			err := agent.Start()
+			require.NoError(t, err)
+
+			if tt.expectNil {
+				assert.Nil(t, mockClient.settings.TLSConfig)
+			} else {
+				require.NotNil(t, mockClient.settings.TLSConfig)
+				assert.Equal(t, tt.expectSkip, mockClient.settings.TLSConfig.InsecureSkipVerify)
+			}
+			assert.Equal(t, tt.expectURL, mockClient.settings.OpAMPServerURL)
+			agent.Shutdown()
+		})
+	}
+}
@@ -84,13 +84,14 @@ type Config struct {
 	instanceId         uuid.UUID    `yaml:"-"`
 
 	// ComponentsAllowed is a list of allowed OpenTelemetry components for each pipeline type (receiver, processor, etc.)
-	ComponentsAllowed map[string][]string `yaml:"componentsAllowed,omitempty"`
-	Endpoint          string              `yaml:"endpoint"`
-	Headers           Headers             `yaml:"headers,omitempty"`
-	Capabilities      map[Capability]bool `yaml:"capabilities"`
-	HeartbeatInterval time.Duration       `yaml:"heartbeatInterval,omitempty"`
-	Name              string              `yaml:"name,omitempty"`
-	AgentDescription  AgentDescription    `yaml:"description,omitempty"`
+	ComponentsAllowed map[string][]string            `yaml:"componentsAllowed,omitempty"`
+	Endpoint          string                         `yaml:"endpoint"`
+	TLS               *v1alpha1.OpAMPBridgeTLSConfig `yaml:"tls,omitempty"`
+	Headers           Headers                        `yaml:"headers,omitempty"`
+	Capabilities      map[Capability]bool            `yaml:"capabilities"`
+	HeartbeatInterval time.Duration                  `yaml:"heartbeatInterval,omitempty"`
+	Name              string                         `yaml:"name,omitempty"`
+	AgentDescription  AgentDescription               `yaml:"description,omitempty"`
 }
 
 // AgentDescription is copied from the OpAMP Extension in the collector.

@@ -870,6 +870,13 @@ spec:
                 type: object
               serviceAccount:
                 type: string
+              tls:
+                properties:
+                  insecure:
+                    type: boolean
+                  insecure_skip_verify:
+                    type: boolean
+                type: object
               tolerations:
                 items:
                   properties:

@@ -253,6 +253,13 @@ default.<br/>
 the operator will not automatically create a ServiceAccount for the OpAMPBridge.<br/>
         </td>
         <td>false</td>
+      </tr><tr>
+        <td><b><a href="#opampbridgespectls">tls</a></b></td>
+        <td>object</td>
+        <td>
+          TLS configuration for the connection to the OpAMP backend server.<br/>
+        </td>
+        <td>false</td>
       </tr><tr>
         <td><b><a href="#opampbridgespectolerationsindex">tolerations</a></b></td>
         <td>[]object</td>
@@ -3483,6 +3490,41 @@ PodSecurityContext, the value specified in SecurityContext takes precedence.<br/
 </table>
 
 
+### OpAMPBridge.spec.tls
+<sup><sup>[↩ Parent](#opampbridgespec)</sup></sup>
+
+
+
+TLS configuration for the connection to the OpAMP backend server.
+
+<table>
+    <thead>
+        <tr>
+            <th>Name</th>
+            <th>Type</th>
+            <th>Description</th>
+            <th>Required</th>
+        </tr>
+    </thead>
+    <tbody><tr>
+        <td><b>insecure</b></td>
+        <td>boolean</td>
+        <td>
+          Insecure indicates whether the endpoint should use TLS or not.
+When true, TLS is completely disabled.<br/>
+        </td>
+        <td>false</td>
+      </tr><tr>
+        <td><b>insecure_skip_verify</b></td>
+        <td>boolean</td>
+        <td>
+          InsecureSkipVerify indicates to keep TLS but skip certificate validation.<br/>
+        </td>
+        <td>false</td>
+      </tr></tbody>
+</table>
+
+
 ### OpAMPBridge.spec.tolerations[index]
 <sup><sup>[↩ Parent](#opampbridgespec)</sup></sup>
 

@@ -27,6 +27,10 @@ func ConfigMap(params manifests.Params) (*corev1.ConfigMap, error) {
 		config["endpoint"] = params.OpAMPBridge.Spec.Endpoint
 	}
 
+	if params.OpAMPBridge.Spec.TLS != nil {
+		config["tls"] = params.OpAMPBridge.Spec.TLS
+	}
+
 	if len(params.OpAMPBridge.Spec.Headers) > 0 {
 		config["headers"] = params.OpAMPBridge.Spec.Headers
 	}

@@ -83,6 +83,10 @@ func (*OpAMPBridgeWebhook) validate(r *v1alpha1.OpAMPBridge) (admission.Warnings
 		return warnings, errors.New("the OpAMP server endpoint is not specified")
 	}
 
+	if r.Spec.TLS != nil && r.Spec.TLS.Insecure && r.Spec.TLS.InsecureSkipVerify {
+		return warnings, errors.New("tls.insecure and tls.insecure_skip_verify cannot both be true")
+	}
+
 	// validate OpAMPBridge capabilities
 	if len(r.Spec.Capabilities) == 0 {
 		return warnings, errors.New("the capabilities supported by OpAMP Bridge are not specified")

@@ -164,6 +164,22 @@ func TestOpAMPBridgeValidatingWebhook(t *testing.T) {
 			},
 			expectedErr: "the capabilities supported by OpAMP Bridge are not specified",
 		},
+		{
+			name: "insecure and insecure skip verify both set",
+			opampBridge: v1alpha1.OpAMPBridge{
+				Spec: v1alpha1.OpAMPBridgeSpec{
+					Endpoint: "ws://opamp-server:4320/v1/opamp",
+					TLS: &v1alpha1.OpAMPBridgeTLSConfig{
+						Insecure:           true,
+						InsecureSkipVerify: true,
+					},
+					Capabilities: map[v1alpha1.OpAMPBridgeCapability]bool{
+						v1alpha1.OpAMPBridgeCapabilityReportsStatus: true,
+					},
+				},
+			},
+			expectedErr: "tls.insecure and tls.insecure_skip_verify cannot both be true",
+		},
 		{
 			name: "replica count greater than 1 should return error",
 			opampBridge: v1alpha1.OpAMPBridge{

@@ -51,6 +51,8 @@ data:
       receivers:
       - otlp
     endpoint: ws://e2e-test-app-bridge-server:4320/v1/opamp
+    tls:
+      insecure: true
 kind: ConfigMap
 metadata:
   name: test-opamp-bridge

@@ -61,4 +61,6 @@ spec:
       - memory_limiter
     receivers:
       - otlp
-  endpoint: ws://e2e-test-app-bridge-server:4320/v1/opamp
+  endpoint: ws://e2e-test-app-bridge-server:4320/v1/opamp
+  tls:
+    insecure: true