
agents: add root certs API and use it in OTLPAgent#340

Closed
santigimeno wants to merge 1 commit into node-v22.x-nsolid-v5.x from santi/otlp_cacert_load

Conversation

@santigimeno
Member

@santigimeno santigimeno commented Jul 14, 2025

Also, make all our existing agents' code use it.
Ideally having an API like this being exposed from the node::crypto
namespace (crypto_context specifically) would be ideal, but for the time
being this should do.

Summary by CodeRabbit

  • New Features
    • Embedded root CA certificates are now included in the OTLP agent, enabling secure SSL/TLS connections for metrics and trace exporters without external certificate files. This improves security and simplifies setup for end-users.

@santigimeno santigimeno self-assigned this Jul 14, 2025
@coderabbitai

coderabbitai Bot commented Jul 14, 2025

Walkthrough

The changes centralize root CA certificates by introducing a cacert_ string member initialized from embedded certificates accessed via new functions. This certificate string is passed to OTLP metrics and trace exporters for SSL/TLS configuration. Constructors of metrics exporters are updated to accept the certificate string. Root certificate handling is refactored into a new source and header file used across multiple agents.

Changes

File(s) Change Summary
agents/otlp/src/otlp_agent.cc, otlp_agent.h Add cacert_ member initialized from embedded root certs; pass to OTLP metrics and trace exporters.
agents/otlp/src/otlp_metrics.cc, otlp_metrics.h Update OTLPMetrics constructors to accept and apply CA certificate string for SSL/TLS configuration.
agents/grpc/src/grpc_agent.cc Replace static root cert array with calls to GetRootCerts() and GetRootCertsCount() for cacert_.
agents/src/http_client.cc Replace static root cert array with GetRootCerts() and GetRootCertsCount() usage for cacert_.
agents/src/root_certs.cc, root_certs.h New files defining and exposing root certificates and their count via GetRootCerts() and GetRootCertsCount().
node.gyp Add new root cert source and header files to build configuration.

Sequence Diagram(s)

sequenceDiagram
    participant Main
    participant OTLPAgent
    participant OTLPMetrics
    participant ExporterOptions
    participant RootCerts

    Main->>OTLPAgent: Construct OTLPAgent()
    OTLPAgent->>RootCerts: GetRootCerts() and GetRootCertsCount()
    RootCerts-->>OTLPAgent: Return embedded root cert strings
    OTLPAgent->>OTLPAgent: Concatenate root certs into cacert_
    Main->>OTLPAgent: config_otlp_endpoint(config)
    OTLPAgent->>OTLPMetrics: Construct OTLPMetrics(..., cacert_)
    OTLPMetrics->>ExporterOptions: Set SSL/TLS CA cert to cacert_
    OTLPAgent->>ExporterOptions: Set CA cert for trace exporters to cacert_

Poem

🐇 Beneath the code, roots intertwine,
Certificates bundled, secure, and fine.
OTLP agents now trust with care,
Metrics and traces, safe to share.
From burrowed bytes to network hops,
This bunny’s work just never stops!
🔐🌿


📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 496b992 and d543dd2.

📒 Files selected for processing (9)
  • agents/grpc/src/grpc_agent.cc (2 hunks)
  • agents/otlp/src/otlp_agent.cc (5 hunks)
  • agents/otlp/src/otlp_agent.h (1 hunks)
  • agents/otlp/src/otlp_metrics.cc (3 hunks)
  • agents/otlp/src/otlp_metrics.h (1 hunks)
  • agents/src/http_client.cc (2 hunks)
  • agents/src/root_certs.cc (1 hunks)
  • agents/src/root_certs.h (1 hunks)
  • node.gyp (1 hunks)
✅ Files skipped from review due to trivial changes (2)
  • agents/src/root_certs.h
  • node.gyp
🚧 Files skipped from review as they are similar to previous changes (7)
  • agents/otlp/src/otlp_agent.h
  • agents/src/root_certs.cc
  • agents/grpc/src/grpc_agent.cc
  • agents/src/http_client.cc
  • agents/otlp/src/otlp_metrics.h
  • agents/otlp/src/otlp_metrics.cc
  • agents/otlp/src/otlp_agent.cc
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)
  • GitHub Check: coverage-linux-without-intl
  • GitHub Check: test-macOS
  • GitHub Check: coverage-linux
  • GitHub Check: build-tarball
  • GitHub Check: test-linux (ubuntu-24.04)
  • GitHub Check: test-linux (ubuntu-24.04-arm)
  • GitHub Check: coverage-windows
  • GitHub Check: lint-js-and-md
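As an added example (not nsolid's code, and not from the PR itself), the following models the root cert API shape the walkthrough describes (GetRootCerts()/GetRootCertsCount()), builds the newline-joined bundle the agents store in cacert_, and adds the PEM-framing check a practitioner would want before the bundle is handed to the exporters' ssl_ca_cert_string / ssl_credentials_cacert_as_string fields. The function names mirror the PR; their signatures, the BuildCaBundle helper and the two placeholder entries are assumptions.

```cpp
// Added example, not the project's own code. Models the root_certs.h API
// from the PR with constructed placeholder entries, builds the cacert_
// bundle the agents pass to the OTLP exporters, and rejects malformed
// entries before they reach TLS configuration.
#include <cstddef>
#include <cstring>
#include <string>

namespace {
// Constructed placeholder entries, not real certificates.
const char* const kRootCerts[] = {
  "-----BEGIN CERTIFICATE-----\nTUlJQ0FBQUE=\n-----END CERTIFICATE-----",
  "-----BEGIN CERTIFICATE-----\nTUlJQ0JCQkI=\n-----END CERTIFICATE-----",
};
}  // namespace

// Same shape as the API the PR introduces (signatures assumed).
const char* const* GetRootCerts() { return kRootCerts; }
size_t GetRootCertsCount() { return sizeof(kRootCerts) / sizeof(kRootCerts[0]); }

// True when a single entry is framed as a complete PEM certificate block.
bool LooksLikePemCert(const char* cert) {
  static const char kBegin[] = "-----BEGIN CERTIFICATE-----";
  static const char kEnd[] = "-----END CERTIFICATE-----";
  std::string s(cert);
  return s.compare(0, sizeof(kBegin) - 1, kBegin) == 0 &&
         s.size() >= sizeof(kEnd) - 1 &&
         s.compare(s.size() - (sizeof(kEnd) - 1), sizeof(kEnd) - 1, kEnd) == 0;
}

// Builds the bundle the exporters receive: every cert followed by "\n",
// with capacity reserved up front. Returns an empty string if any entry
// is malformed, so a broken bundle is never handed to the TLS layer.
std::string BuildCaBundle() {
  const char* const* certs = GetRootCerts();
  const size_t count = GetRootCertsCount();
  size_t total = 0;
  for (size_t i = 0; i < count; i++) {
    if (!LooksLikePemCert(certs[i])) return std::string();
    total += strlen(certs[i]) + 1;  // +1 for the newline separator
  }
  std::string bundle;
  bundle.reserve(total);
  for (size_t i = 0; i < count; i++) {
    bundle += certs[i];
    bundle += "\n";
  }
  return bundle;
}
```

In the real agents the entries come from the embedded node root certificate table rather than the placeholders above; the framing check is the part that matters for catching a truncated or mis-split entry.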


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
agents/otlp/src/otlp_agent.cc (1)

104-107: Consider optimizing string concatenation.

The current implementation is correct but could be optimized for better performance.

Consider using a more efficient approach for string concatenation:

-  for (size_t i = 0; i < sizeof(root_certs) / sizeof(root_certs[0]); i++) {
-    cacert_ += root_certs[i];
-    cacert_ += "\n";
-  }
+  size_t total_size = 0;
+  constexpr size_t cert_count = sizeof(root_certs) / sizeof(root_certs[0]);
+  for (size_t i = 0; i < cert_count; i++) {
+    total_size += strlen(root_certs[i]) + 1; // +1 for newline
+  }
+  
+  cacert_.reserve(total_size);
+  for (size_t i = 0; i < cert_count; i++) {
+    cacert_ += root_certs[i];
+    cacert_ += "\n";
+  }
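Review bot: the suggested sizing loop calls `strlen`, but nothing in the hunk adds `<cstring>` to the file; if the suggestion is taken, add that include (or size via `std::char_traits<char>::length`). Note also that this runs once in the constructor over a fixed static array, so `reserve()` only avoids a handful of reallocations; the behaviour to preserve is that each entry is newline-terminated, since `cacert_` is passed to the exporters as one bundle.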

This reserves the required capacity upfront, reducing memory reallocations during concatenation.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4e86a3a and 80842c5.

📒 Files selected for processing (4)
  • agents/otlp/src/otlp_agent.cc (5 hunks)
  • agents/otlp/src/otlp_agent.h (1 hunks)
  • agents/otlp/src/otlp_metrics.cc (3 hunks)
  • agents/otlp/src/otlp_metrics.h (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (9)
  • GitHub Check: test-macOS
  • GitHub Check: build-tarball
  • GitHub Check: coverage-linux
  • GitHub Check: lint-js-and-md
  • GitHub Check: coverage-windows
  • GitHub Check: test-linux (ubuntu-24.04)
  • GitHub Check: test-linux (ubuntu-24.04-arm)
  • GitHub Check: build-docs
  • GitHub Check: coverage-linux-without-intl
🔇 Additional comments (5)
agents/otlp/src/otlp_agent.h (1)

153-153: LGTM! Clean addition of certificate storage member.

The addition of the cacert_ member is well-placed and appropriately typed for storing the embedded root CA certificates.

agents/otlp/src/otlp_metrics.h (1)

34-35: LGTM! Consistent constructor signature updates.

The constructors are correctly updated to accept the cacert parameter using const std::string&, which avoids unnecessary copying and follows C++ best practices.

Also applies to: 41-42

agents/otlp/src/otlp_metrics.cc (1)

63-64: LGTM! Proper SSL certificate configuration implementation.

The constructor implementations correctly apply the cacert parameter to the appropriate SSL configuration fields for both HTTP (ssl_ca_cert_string) and gRPC (ssl_credentials_cacert_as_string) exporters, ensuring consistent certificate usage across all OTLP metrics exporters.

Also applies to: 69-69, 74-74, 83-84, 93-93, 98-98

agents/otlp/src/otlp_agent.cc (2)

48-50: LGTM! Proper certificate embedding setup.

The inclusion of node_root_certs.h and static array declaration provides a clean way to embed root certificates directly in the binary.


550-550: LGTM! Consistent certificate usage across all OTLP exporters.

The implementation correctly applies the embedded root certificates to both metrics and trace exporters (HTTP and gRPC variants), ensuring consistent SSL/TLS configuration across all OTLP communications.

Also applies to: 575-575, 594-594, 601-601

@santigimeno santigimeno force-pushed the santi/otlp_cacert_load branch from 80842c5 to 496b992 on July 15, 2025 14:30

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
agents/src/http_client.cc (1)

42-45: Optimize loop performance by caching the certificate count.

The loop logic is correct, but calling GetRootCertsCount() in each iteration is inefficient. Cache the count in a variable for better performance.

-  for (size_t i = 0; i < GetRootCertsCount(); i++) {
+  size_t cert_count = GetRootCertsCount();
+  for (size_t i = 0; i < cert_count; i++) {
     cacert_ += GetRootCerts()[i];
     cacert_ += "\n";
   }
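Review bot: hoisting only the count leaves the unchanged line `cacert_ += GetRootCerts()[i];` still calling `GetRootCerts()` on every iteration, so half of the repeated calls remain; hoist both into locals (`const char* const* certs = GetRootCerts();` alongside `cert_count`) and, now that the count is known before the loop, a `cacert_.reserve()` sized from it would complete the optimisation.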
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 80842c5 and 496b992.

📒 Files selected for processing (9)
  • agents/grpc/src/grpc_agent.cc (2 hunks)
  • agents/otlp/src/otlp_agent.cc (5 hunks)
  • agents/otlp/src/otlp_agent.h (1 hunks)
  • agents/otlp/src/otlp_metrics.cc (3 hunks)
  • agents/otlp/src/otlp_metrics.h (1 hunks)
  • agents/src/http_client.cc (2 hunks)
  • agents/src/root_certs.cc (1 hunks)
  • agents/src/root_certs.h (1 hunks)
  • node.gyp (1 hunks)
✅ Files skipped from review due to trivial changes (4)
  • node.gyp
  • agents/src/root_certs.cc
  • agents/src/root_certs.h
  • agents/grpc/src/grpc_agent.cc
🚧 Files skipped from review as they are similar to previous changes (4)
  • agents/otlp/src/otlp_agent.h
  • agents/otlp/src/otlp_metrics.cc
  • agents/otlp/src/otlp_metrics.h
  • agents/otlp/src/otlp_agent.cc
🧰 Additional context used
🧬 Code Graph Analysis (1)
agents/src/http_client.cc (2)
agents/src/root_certs.cc (4)
  • GetRootCertsCount (14-16)
  • GetRootCertsCount (14-14)
  • GetRootCerts (10-12)
  • GetRootCerts (10-10)
agents/src/root_certs.h (2)
  • GetRootCertsCount (12-12)
  • GetRootCerts (10-10)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)
  • GitHub Check: test-macOS
  • GitHub Check: lint-js-and-md
  • GitHub Check: coverage-linux
  • GitHub Check: test-linux (ubuntu-24.04)
  • GitHub Check: test-linux (ubuntu-24.04-arm)
  • GitHub Check: build-tarball
  • GitHub Check: coverage-linux-without-intl
  • GitHub Check: coverage-windows
🔇 Additional comments (1)
agents/src/http_client.cc (1)

2-2: LGTM: Include change aligns with centralized root certificate management.

The change from "util.h" to "root_certs.h" correctly reflects the new centralized interface for root certificate access.

@santigimeno santigimeno changed the title from "agents: add root certs to OTLP options" to "agents: add root certs API and use it in OTLPAgent" on Jul 15, 2025
@santigimeno santigimeno force-pushed the santi/otlp_cacert_load branch from 496b992 to d543dd2 on July 15, 2025 14:35
Member

@RafaelGSS RafaelGSS left a comment


RSLGTM

santigimeno added a commit that referenced this pull request Jul 17, 2025
Also, make all our existing agents' code use it.
Ideally having an API like this being exposed from the `node::crypto`
namespace (crypto_context specifically) would be ideal, but for the time
being this should do.

PR-URL: #340
Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
santigimeno added a commit that referenced this pull request Jul 17, 2025
@santigimeno
Member Author

Landed in 585a500 and 3c92c0a

santigimeno added a commit that referenced this pull request Jul 18, 2025
santigimeno added a commit that referenced this pull request Mar 11, 2026