Error loading TLS certificates from ENV variable

[epchris]

Describe the bug
When attempting to configure TLS using environment variables for the contents of the certs there is an error parsing the value of the certificates.

Steps to reproduce
Use the following configuration file:

---
receivers:
  otlp:
    protocols:
      http:
        endpoint: 0.0.0.0:4318
processors:
  batch:

exporters:
  kafka:
    auth:
      tls:
        # DOES NOT WORK: Contents of the cert in the env variable
        ca_pem: ${env:CA_PEM}

        # WORKS
        # ca_pem: |
        #   -----BEGIN CERTIFICATE-----
        #   MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
        #   MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
        #   VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
        #   NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
        #   TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
        #   ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
        #   V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
        #   gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
        #   FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
        #   CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
        #   BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
        #   BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
        #   Wm7DCfrPNGVwFWUQOmsPue9rZBgO
        #   -----END CERTIFICATE-----

        # WORKS: Above contents stored to a file
        #ca_file: ca.pem

        insecure_skip_verify: true

service:
  pipelines:
    logs:
      receivers: [otlp]
      processors: [batch]
      exporters: [kafka]

Create a ca.pem file with the content:

-----BEGIN CERTIFICATE-----
MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
Wm7DCfrPNGVwFWUQOmsPue9rZBgO
-----END CERTIFICATE-----

Set env variable to the content of the cert:

export CA_PEM=$(cat ca.pem)

Run otel collector with the configuration file:

otelcol --config config.yml

What did you expect to see?
I expected that when ca_pem: ${env:CA_PEM} was specified that otel collector would parse the cert.

What did you see instead?
When ca_pem: ${env:CA_PEM} is specified, I get the following error:

Error: cannot start pipelines: error loading tls config: failed to load TLS config: failed to load CA CertPool PEM: failed to parse cert
2024/06/13 18:05:57 collector server run finished with error: cannot start pipelines: error loading tls config: failed to load TLS config: failed to load CA CertPool PEM: failed to parse cert

When I comment out that configuration and use either ca_pem: | CONTENT or ca_file: ca.pem the above error is not present and the collector starts up.

What version did you use?
Version: 0.102.1

What config did you use?
The above configuration file.

Environment
Docker image: golang:1.22

otelcol was fetched from Github and unpacked within the docker image manually.

OTEL_COLLECTOR_VERSION=0.102.1
OTEL_COLLECTOR_ARTIFACT=otelcol_${OTEL_COLLECTOR_VERSION}_linux_amd64.tar.gz
OTEL_COLLECTOR_DEST=.
wget https://github.com/open-telemetry/opentelemetry-collector-releases/releases/download/v$OTEL_COLLECTOR_VERSION/$OTEL_COLLECTOR_ARTIFACT
tar -xzvf $OTEL_COLLECTOR_ARTIFACT -C $OTEL_COLLECTOR_DEST otelcol

Additional context

[mx-psi]

From the Slack convo, we confirmed the issue also happens with the ${CA_PEM} syntax.

[k15r]

i experience exactly the same issue on version 0.104.0

[mx-psi]

@k15r can you reproduce with 0.103.0?

[k15r]

I used the exact same configuration with a freshly built 0.103.0 and a 0.104.0
It fails on 0.104.0,
but works on 0.103.0

[mx-psi]

@k15r I think this issue is not related to your problem then. Could you try running v0.104.0 but passing the --feature-gates=-confmap.unifyEnvVarExpansion command line option then? I want to check if your issue is related to a change in v0.104.0:

Expansion of BASH-style environment variables, such as $FOO is no longer supported by default. If you depend on this syntax, disable the confmap.unifyEnvVarExpansion feature gate, but know that the feature will be removed in the future in favor of ${env:FOO}.

[k15r]

No complaints when i disable the feature. I assume the new feature broke the parsing of newlines in the PEM block.

[mx-psi]

I assume the new feature broke the parsing of newlines in the PEM block.

Hm, I don't think the changes we made here would affect newlines there, can you share your configuration? (without the PEM block or any other identifying details of course 😄)

[k15r]

here you go:

service:
    pipelines:
        traces/traces-mtls-missing-values--missing-all:
            receivers:
                - otlp
            processors:
                - batch
            exporters:
                - otlp/traces-mtls-missing-values--missing-all
        traces/traces-mtls-missing-values--missing-all-but-ca:
            receivers:
                - otlp
            processors:
                - batch
            exporters:
                - otlp/traces-mtls-missing-values--missing-all-but-ca
        traces/traces-mtls-missing-values--missing-ca:
            receivers:
                - otlp
            processors:
                - batch
            exporters:
                - otlp/traces-mtls-missing-values--missing-ca
    telemetry:
        metrics:
            address: ${MY_POD_IP}:8888
        logs:
            level: debug
            encoding: json
receivers:
    otlp:
        protocols:
            http:
                endpoint: ${MY_POD_IP}:4318
            grpc:
                endpoint: ${MY_POD_IP}:4317
processors:
    batch:
        send_batch_size: 512
        timeout: 10s
        send_batch_max_size: 512
exporters:
    otlp/traces-mtls-missing-values--missing-all:
        endpoint: ${OTLP_ENDPOINT_TRACES_MTLS_MISSING_VALUES__MISSING_ALL}
        tls:
            insecure: true
            insecure_skip_verify: true
        sending_queue:
            enabled: true
            queue_size: 85
        retry_on_failure:
            enabled: true
            initial_interval: 5s
            max_interval: 30s
            max_elapsed_time: 300s
    otlp/traces-mtls-missing-values--missing-all-but-ca:
        endpoint: ${OTLP_ENDPOINT_TRACES_MTLS_MISSING_VALUES__MISSING_ALL_BUT_CA}
        tls:
            insecure: true
            ca_pem: ${env:OTLP_TLS_CA_PEM_TRACES_MTLS_MISSING_VALUES__MISSING_ALL_BUT_CA}
        sending_queue:
            enabled: true
            queue_size: 85
        retry_on_failure:
            enabled: true
            initial_interval: 5s
            max_interval: 30s
            max_elapsed_time: 300s
    otlp/traces-mtls-missing-values--missing-ca:
        endpoint: ${OTLP_ENDPOINT_TRACES_MTLS_MISSING_VALUES__MISSING_CA}
        tls:
            insecure: true
            cert_pem: ${env:OTLP_TLS_CERT_PEM_TRACES_MTLS_MISSING_VALUES__MISSING_CA}
            key_pem: ${env:OTLP_TLS_KEY_PEM_TRACES_MTLS_MISSING_VALUES__MISSING_CA}
        sending_queue:
            enabled: true
            queue_size: 85
        retry_on_failure:
            enabled: true
            initial_interval: 5s
            max_interval: 30s
            max_elapsed_time: 300s

[TylerHelmuth]

@k15r I want to try to reproduce this. Can you give an example of what is in your env var that's failing (not the real value, something fake) and the steps you took to create the env var.

[k15r]

use this env-file (no worries, just some test ca cert and key data):

export MY_POD_IP=127.0.0.1
export OTLP_ENDPOINT_TRACES_MTLS_MISSING_VALUES__MISSING_ALL=1.2.3.4:1234
export OTLP_ENDPOINT_TRACES_MTLS_MISSING_VALUES__MISSING_ALL_BUT_CA=1.2.3.4:1234
export OTLP_ENDPOINT_TRACES_MTLS_MISSING_VALUES__MISSING_CA=1.2.3.4:1234
export OTLP_TLS_CA_PEM_TRACES_MTLS_MISSING_VALUES__MISSING_ALL_BUT_CA=$(echo -n LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZhekNDQTFPZ0F3SUJBZ0lVUUoraGhaTGxZL0hNdXF4cW5lQ3U3V2QrRkgwd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1JURUxNQWtHQTFVRUJoTUNRVlV4RXpBUkJnTlZCQWdNQ2xOdmJXVXRVM1JoZEdVeElUQWZCZ05WQkFvTQpHRWx1ZEdWeWJtVjBJRmRwWkdkcGRITWdVSFI1SUV4MFpEQWVGdzB5TkRBM01USXhNREkxTkRGYUZ3MHlPVEEzCk1URXhNREkxTkRGYU1FVXhDekFKQmdOVkJBWVRBa0ZWTVJNd0VRWURWUVFJREFwVGIyMWxMVk4wWVhSbE1TRXcKSHdZRFZRUUtEQmhKYm5SbGNtNWxkQ0JYYVdSbmFYUnpJRkIwZVNCTWRHUXdnZ0lpTUEwR0NTcUdTSWIzRFFFQgpBUVVBQTRJQ0R3QXdnZ0lLQW9JQ0FRRFdFS2ZoNitGZnVhZjY1cmRBV1lzY3g0U2NvN0JDd3hhckVZQlZzVUN0Ck52ZmVRNHAyWWUvdjFKOGFUOW83Nk43Y0prSG5QWGhvSmJ0NXQwMWczMDBpNU1PSzVMbEoycWpsRkpaVzFnaG0KV0tNenFKRk1JV2haUVB5alRkZmY5Y0l1cEFvTWYrcmFYc3Uwb1haU0loVmx0b1F0ajJNcHpVTEgvSnNYRTlqTAo2dXFMazVsR3o0aEo4Y2xaMlZoK3pkSW9LOTNMRDBlMmhFQkVHVHpJQU41RVFjbUFjWjdxeG84V2QrRGpBTTNLClFJR3hkeTZldXdvYko1RVJaeU9BcG1BUVJuUkV6K1dwNHl2VGppU3lFSTV1RGQxblVVTm1EYWM5TzJWMlFEWEUKQ0ZlRTAvNUVUZUZpVzQ2a3RGeHJaL3J3eXdMMUszZTV2RVU4UVBjUG5tSmkzNXF6cVUrWVZRY25mQ2psOTVSWQpLU0lJMDNmM0lWTmVWL3c4WVlGdWtwYmgxZTFSVE96d1d5VXVMY2RLVmYyNFNOWmFsZU1qR2s4bjZSZ3NhQW44CjkrVVdRNVRab0dYRXVkMjl6dTdwSjB5bjFXNDVjVlA3d21YcWtDMXEwQklKTnU1UC95K2ZISFZzd3M2bnBHZ1gKT3NqajNNclQwRDY2RUhCTnJCNjdQcE9RY203RnBKdWxZZ2RySm54WngzQjQxb0FoeHpLR2RsR3NXZVRaSmpJcwpMNXFySkVMbFdXanhNY21ZQ3JDNjdiOHNOUVErME5mOTQ0bmVBcjVmY3VIRWNCK1dURDF1K0JzckVFYkI5Qzh6CjlwamlJdG9jVEk2N0dycTRRN3JoR1VMOWhUSVdySWZkMHAvNTN0UDB2NEZNYm9LWFRENnJpNHVNVXUrZHlQZ2UKWHdJREFRQUJvMU13VVRBZEJnTlZIUTRFRmdRVVNPZ2lVQklUeXBKN3I3QlpjWXNRbFV4YVBpc3dId1lEVlIwagpCQmd3Rm9BVVNPZ2lVQklUeXBKN3I3QlpjWXNRbFV4YVBpc3dEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txCmhraUc5dzBCQVFzRkFBT0NBZ0VBVEZYQ296YWU1SnU1OWdtZVdadktJMTF0eTgzT0FENDhYLzFHOEl1cmhFN20KSkRKT01GSlV6NkJJMC9QUWJ0QmJVUkhkNDVLVzhuMDlsUzlMdGVpRVFKekhzNXcrSW9HS3VNZ254Z0VkR3JvOQoyWUxydXFwSGJsK2c1elZKZlZ1OTdqbHFSK2xBQ1BEL05FdHc5cXV4UFpFOGhnb05sQ293QU02eDVsbEFzWFdVCkxWV2ZaWVlDUVBPSEpIUTBMRVJ0OU1YMW1SZTdDTFlwQmNZRlVEczV0ZW1kdzM3T3JFcHJDbmdkZHRzeGhxU1EKOVRJS0xsUUFEMC94UGF1UDJ6bk1rZnNaQjhPemh2YWNaZ0R4cVpPTTR6UVJVODk0VDQrbEJhZ05KRmhCUGJRZwphYW41RUFZVVorREpJSWVkQkNWbFZWQVpjWm1OUWd1TzZoK1dOTE8yOXlwTTVHV1RiMFZaYUFpd3JuMmVMWWIrCmZjREpYRVd2WFBWRCsyUnJuWnMyMXMrWkt1NUNVbHdvSUdDM0VOZHJqNFVqY1dKRFZyT2ZROVkrbDVHZU94ZkkKN1JTZkZtOWxoSGJTZ0NZaTY1TmcyNXcxNjFVTUd2czBWMHlrVlVKT0lYZEJyeWFhUXQvUUlMWlc5R2YxeTIzbAo3RjMxWEdwdHFGQzZvajlMSDMySkZnbjVOd21CT2VRUUhRVGpQUDVrWHVBWnBYQUJmNEtKRFlvelhPbTJ1a1piCjFDaEhUaHhYRm80Q1htWnpIOGhMSmZIclFETFd1TkluMENHN2dTV3ZROWFsVGZqQTJrUDRraEM5OTNPR09TQVYKWXhOcURsZUwyZkZ2cUttbXhGRlptRFVHclhWcVVrWjl1NFoxbXFQZ3pOWUJ4V0RtWC9pZFZiR0tNd1I4bERNPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== | base64 -d )

export OTLP_TLS_CERT_PEM_TRACES_MTLS_MISSING_VALUES__MISSING_CA=$(echo -n LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURhekNDQWxPZ0F3SUJBZ0lVUTMzZEtQWUpKU251ZXlmcjdGRkE0TGVSd1VZd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1JURUxNQWtHQTFVRUJoTUNRVlV4RXpBUkJnTlZCQWdNQ2xOdmJXVXRVM1JoZEdVeElUQWZCZ05WQkFvTQpHRWx1ZEdWeWJtVjBJRmRwWkdkcGRITWdVSFI1SUV4MFpEQWVGdzB5TkRBM01USXhNREl3TUROYUZ3MHlOVEEzCk1EY3hNREl3TUROYU1FVXhDekFKQmdOVkJBWVRBa0ZWTVJNd0VRWURWUVFJREFwVGIyMWxMVk4wWVhSbE1TRXcKSHdZRFZRUUtEQmhKYm5SbGNtNWxkQ0JYYVdSbmFYUnpJRkIwZVNCTWRHUXdnZ0VpTUEwR0NTcUdTSWIzRFFFQgpBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRRFFva0MrTDlTS0h5SllRS040blRScnYvYkNUeW1rRVFIZVdFbFp1N2Y5CkxEUnd0QVNXQTJ3aElMc3dEOWE5aUVSaldxa1RkZzRLUEhURlVKNDYyM0pBS1FtcEhnaE4wSVRJVjYwaE5tc0cKLzFtdGxmYi9yY0YwZVRJa2VhS09jYW9sdDROdjZLcjFmalhrZ1lpZy90YUhGMFJRdDhkSzJ2UkZWTUdYOGVwYQoyNHJoUXFtTFlwOHJWdlk3aDdHRWtkcFEwaFZNT1M4dlVDL3h6aXR2NUc0UTBhRGVxcTJlT0JkS045Z3BidjBsCkZYcXlmRlNsUTZhdHBXTHhmWjJxbHNrcmU1VVJPYkZ4cSs1NWNDVUltZ1RnY3hUbnJoOW5CT3dxY1BGWSs5Y2QKUzJHU3FSUFA2d25pN0RvR0FvR3liemtPcGdZa29rWmFmS1ZXbGFYTnVHU3ZBZ01CQUFHalV6QlJNQjBHQTFVZApEZ1FXQkJTWkdYOGR6cGs1d244OGk1d0s4WWdWUmZDR1ZUQWZCZ05WSFNNRUdEQVdnQlNaR1g4ZHpwazV3bjg4Cmk1d0s4WWdWUmZDR1ZUQVBCZ05WSFJNQkFmOEVCVEFEQVFIL01BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQzMKWFFWdGlyUlVzbTJlYzVxQUEvN3NCa1A1NnFLQVNKS21mRVNSN0xXZEl6cmVHS1hPRzVxNW1NcDNMSWdpYytKMQpJNUxoWlpqNHpDVmx2K0kzOGx6em02bFJWTGkyNll6VDhHSWRoQTg0b2pGM0kvMzZjOC9TcGwwNDRrZFpoNzlQCnplNnRJdUdRaC9zTTNEd3U1K21Vd2J1WEtZT2RWOUdmb3RhNzBtQTJSa3RHRnNqejNxSHJuM2ZhMHVLeXgwNjgKbVBzYWNsUGJhTk5lZDJ6cXQxU3NLTE1CSStzczhLNDl4cEcrMlJNaWNNYlZUZ2lvQ3pYcjlYYWJQNTRYNSt6ZApoQmt3M1h3R0YvVTFXSUc3alRncG12b2JnUHpUYTVrdFNnZkFRcDR2Rk0zaWp1U0ZiblIrRWdJb2M1WFFHWlF2CnlCT0VyemplNmhSMysxSE9YdERlCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K | base64 -d )

export OTLP_TLS_KEY_PEM_TRACES_MTLS_MISSING_VALUES__MISSING_CA=$(echo -n LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRRFFva0MrTDlTS0h5SlkKUUtONG5UUnJ2L2JDVHlta0VRSGVXRWxadTdmOUxEUnd0QVNXQTJ3aElMc3dEOWE5aUVSaldxa1RkZzRLUEhURgpVSjQ2MjNKQUtRbXBIZ2hOMElUSVY2MGhObXNHLzFtdGxmYi9yY0YwZVRJa2VhS09jYW9sdDROdjZLcjFmalhrCmdZaWcvdGFIRjBSUXQ4ZEsydlJGVk1HWDhlcGEyNHJoUXFtTFlwOHJWdlk3aDdHRWtkcFEwaFZNT1M4dlVDL3gKeml0djVHNFEwYURlcXEyZU9CZEtOOWdwYnYwbEZYcXlmRlNsUTZhdHBXTHhmWjJxbHNrcmU1VVJPYkZ4cSs1NQpjQ1VJbWdUZ2N4VG5yaDluQk93cWNQRlkrOWNkUzJHU3FSUFA2d25pN0RvR0FvR3liemtPcGdZa29rWmFmS1ZXCmxhWE51R1N2QWdNQkFBRUNnZ0VBQ1NGUW5BSVQxd2VOeFRidThIUlF1dlpub2hFOHpVVkJRNjJ4YUEvaStWMVoKM2lUQ25wMy91V05wVGEwanhKK1YvcE1WR3hqcmZGOHc3UUdlS3cwM2JyOWRBTjJqbDJRc3EyZksxODA5MmN5Swo3Q0hIOFdCMU90ZWk3aDIwazI4OTl2Q1UrK3krcm9lYmJDaVBCaHlnM3NDUjZNWmlIbEIrcUJvUmJzalRiSzVpCm1PMWhoSjZxam83ckRFdWNEdUdLaFV6MUx0aWhubUExZWROWFZzY2NTWDdYeHpRa2dNTDcxb2ZWUnZMOHo3RzEKZTNwdjN1eElNSEZwQlM1MTRWVXdJQkRSaGNMSHJYUUZWRUZSNmpDZmtJdWxyT0hkUkJlY09jbTdlbTBMSHoxbwo1djdZSUd2YysrckNybjNJd0VWQ1dlTklDdDM0WnRWbExsNzVzaHJ0SVFLQmdRRDQ5ZjlTL3doQ2FIck4wRWVBCmFER0ZGNS8rYzVUTWUvMlBBcjBNemhxaTJaQ0pRVndOYXNPUHIwc2RDQzQ2ZmVjUlorWndyN1lQamZCT2tlVm4KMXZDN3M3Rk9jYmxvRTJWYkU3b0tzK2laUndUMG15MDVmWHphenJUNERPZ2JCaGlJdlF0aERMOXFQTnlaNjF4OApISGxsSWNzV3FaQlBGYUczeU9mb1VEbjZjd0tCZ1FEV2lGMHZHRXduYzlKZjFMTEZheVBlRXduZzgwSW9PK2crCk5WVGFtc2tweHpobzFuRHRtVUlpRWRsM3dlWVh2enc3SUhZcjllV0FrTDlOb0VRSUpNZlhjVWQwenZYN2d4UDcKL0lFUkYybC9mVXRMZEMwb2dUSlpXelBUeXlOT2MvdCtHL25rMEdIRXpRQmx5MWZsb0NLVXpnRDNnRDhFdzgxYgo1cEdISDRreDFRS0JnUURGTnNGU01ycU5PSXlIT3dWWS83Q3ltSHRpS3BibHdSYWowZXlHRjBKY1hISTFlRFArCllPT1hqNm0xenNRb0M1SWVaS3JUK3kwQ2QxSzBPcmg2SUhkRWlWemNJaFJZRUgxS3YzNnhlY0M0b3R5WEU5R28KWi9LZXRmMy9QT0lrZmhpelFPV2h0R0p4T3RNWmpxc05tZFRFT3hmUTFQTis0a2pmK0dOVTBUQ01ad0tCZ0RoaAp6bHU2UHdsL1h5TGdlN3QyMVE1Z1lwQkVYbmJFaDkwUmx5TjgyckdvTWlNYmVNSjVMUEJYVUpndzFaQVlLblEvCnE4OFI2U2RJNDM0N1NLWDdSS3BTa3owWHgzNDZqTjRGRnNhdktJTGhJeERKajdTOWY4WU1PaXJIa0pmbDA0cnAKUDF2cmlFWjR1a29Hanl0Q1V0Ulk3OWdjVkhPa0lpeXRCRUpHLzMraEFvR0FNaFZVSjFKOEthYlBHSkhmbHhBVApJQlVkKzFoQ2pYMnR5UUo5NXhyT204d0ZVS2Mvd2VkTHN1dUdFVk5HL0JyMytKbGFYTzZZbFdjNC81UytMaU9FCjlOanVWSmdVdjJvWThta2dYenEvMTFhUkNJKzZVUFg1bmxvSG42N3dLUTZST2JHWVNTSkl6RXFSamU2cmYyUk4KTjEyVWVNeXNRWXVjNFRnMzl2VlVGaDQ9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K| base64 -d)

and use the previous config.

my response with 104 without feature gate disabled:

{"level":"info","ts":1720780040.187592,"caller":"service@v0.104.0/service.go:116","msg":"Setting up own telemetry..."}
{"level":"info","ts":1720780040.188305,"caller":"service@v0.104.0/service.go:119","msg":"OpenCensus bridge is disabled for Collector telemetry and will be removed in a future version, use --feature-gates=-service.disableOpenCensusBridge to re-enable"}
{"level":"info","ts":1720780040.188551,"caller":"service@v0.104.0/telemetry.go:96","msg":"Serving metrics","address":"127.0.0.1:8888","metrics level":"Normal"}
{"level":"debug","ts":1720780040.188641,"caller":"exporter@v0.104.0/exporter.go:278","msg":"Stable component.","kind":"exporter","data_type":"traces","name":"otlp/traces-mtls-missing-values--missing-all"}
{"level":"debug","ts":1720780040.189462,"caller":"processor@v0.104.0/processor.go:306","msg":"Beta component. May change in the future.","kind":"processor","name":"batch","pipeline":"traces/traces-mtls-missing-values--missing-all"}
{"level":"debug","ts":1720780040.1899898,"caller":"exporter@v0.104.0/exporter.go:278","msg":"Stable component.","kind":"exporter","data_type":"traces","name":"otlp/traces-mtls-missing-values--missing-ca"}
{"level":"debug","ts":1720780040.190007,"caller":"processor@v0.104.0/processor.go:306","msg":"Beta component. May change in the future.","kind":"processor","name":"batch","pipeline":"traces/traces-mtls-missing-values--missing-ca"}
{"level":"debug","ts":1720780040.190017,"caller":"exporter@v0.104.0/exporter.go:278","msg":"Stable component.","kind":"exporter","data_type":"traces","name":"otlp/traces-mtls-missing-values--missing-all-but-ca"}
{"level":"debug","ts":1720780040.190031,"caller":"processor@v0.104.0/processor.go:306","msg":"Beta component. May change in the future.","kind":"processor","name":"batch","pipeline":"traces/traces-mtls-missing-values--missing-all-but-ca"}
{"level":"debug","ts":1720780040.190043,"caller":"receiver@v0.104.0/receiver.go:313","msg":"Stable component.","kind":"receiver","name":"otlp","data_type":"traces"}
{"level":"info","ts":1720780040.190249,"caller":"service@v0.104.0/service.go:198","msg":"Starting otelcorecol...","Version":"0.104.0-dev","NumCPU":10}
{"level":"info","ts":1720780040.190256,"caller":"extensions/extensions.go:34","msg":"Starting extensions..."}
{"level":"info","ts":1720780040.1904798,"caller":"service@v0.104.0/service.go:261","msg":"Starting shutdown..."}
{"level":"info","ts":1720780040.1905248,"caller":"extensions/extensions.go:59","msg":"Stopping extensions..."}
{"level":"info","ts":1720780040.190528,"caller":"service@v0.104.0/service.go:275","msg":"Shutdown complete."}
Error: cannot start pipelines: failed to load TLS config: failed to load CA CertPool PEM: failed to parse cert: -----BEGIN CERTIFICATE----- MIIFazCCA1OgAwIBAgIUQJ+hhZLlY/HMuqxqneCu7Wd+FH0wDQYJKoZIhvcNAQEL BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDA3MTIxMDI1NDFaFw0yOTA3 MTExMDI1NDFaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggIiMA0GCSqGSIb3DQEB AQUAA4ICDwAwggIKAoICAQDWEKfh6+Ffuaf65rdAWYscx4Sco7BCwxarEYBVsUCt NvfeQ4p2Ye/v1J8aT9o76N7cJkHnPXhoJbt5t01g300i5MOK5LlJ2qjlFJZW1ghm WKMzqJFMIWhZQPyjTdff9cIupAoMf+raXsu0oXZSIhVltoQtj2MpzULH/JsXE9jL 6uqLk5lGz4hJ8clZ2Vh+zdIoK93LD0e2hEBEGTzIAN5EQcmAcZ7qxo8Wd+DjAM3K QIGxdy6euwobJ5ERZyOApmAQRnREz+Wp4yvTjiSyEI5uDd1nUUNmDac9O2V2QDXE CFeE0/5ETeFiW46ktFxrZ/rwywL1K3e5vEU8QPcPnmJi35qzqU+YVQcnfCjl95RY KSII03f3IVNeV/w8YYFukpbh1e1RTOzwWyUuLcdKVf24SNZaleMjGk8n6RgsaAn8 9+UWQ5TZoGXEud29zu7pJ0yn1W45cVP7wmXqkC1q0BIJNu5P/y+fHHVsws6npGgX Osjj3MrT0D66EHBNrB67PpOQcm7FpJulYgdrJnxZx3B41oAhxzKGdlGsWeTZJjIs L5qrJELlWWjxMcmYCrC67b8sNQQ+0Nf944neAr5fcuHEcB+WTD1u+BsrEEbB9C8z 9pjiItocTI67Grq4Q7rhGUL9hTIWrIfd0p/53tP0v4FMboKXTD6ri4uMUu+dyPge XwIDAQABo1MwUTAdBgNVHQ4EFgQUSOgiUBITypJ7r7BZcYsQlUxaPiswHwYDVR0j BBgwFoAUSOgiUBITypJ7r7BZcYsQlUxaPiswDwYDVR0TAQH/BAUwAwEB/zANBgkq hkiG9w0BAQsFAAOCAgEATFXCozae5Ju59gmeWZvKI11ty83OAD48X/1G8IurhE7m JDJOMFJUz6BI0/PQbtBbURHd45KW8n09lS9LteiEQJzHs5w+IoGKuMgnxgEdGro9 2YLruqpHbl+g5zVJfVu97jlqR+lACPD/NEtw9quxPZE8hgoNlCowAM6x5llAsXWU LVWfZYYCQPOHJHQ0LERt9MX1mRe7CLYpBcYFUDs5temdw37OrEprCngddtsxhqSQ 9TIKLlQAD0/xPauP2znMkfsZB8OzhvacZgDxqZOM4zQRU894T4+lBagNJFhBPbQg aan5EAYUZ+DJIIedBCVlVVAZcZmNQguO6h+WNLO29ypM5GWTb0VZaAiwrn2eLYb+ fcDJXEWvXPVD+2RrnZs21s+ZKu5CUlwoIGC3ENdrj4UjcWJDVrOfQ9Y+l5GeOxfI 7RSfFm9lhHbSgCYi65Ng25w161UMGvs0V0ykVUJOIXdBryaaQt/QILZW9Gf1y23l 7F31XGptqFC6oj9LH32JFgn5NwmBOeQQHQTjPP5kXuAZpXABf4KJDYozXOm2ukZb 1ChHThxXFo4CXmZzH8hLJfHrQDLWuNIn0CG7gSWvQ9alTfjA2kP4khC993OGOSAV YxNqDleL2fFvqKmmxFFZmDUGrXVqUkZ9u4Z1mqPgzNYBxWDmX/idVbGKMwR8lDM= -----END CERTIFICATE-----
2024/07/12 12:27:20 collector server run finished with error: cannot start pipelines: failed to load TLS config: failed to load CA CertPool PEM: failed to parse cert: -----BEGIN CERTIFICATE----- MIIFazCCA1OgAwIBAgIUQJ+hhZLlY/HMuqxqneCu7Wd+FH0wDQYJKoZIhvcNAQEL BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDA3MTIxMDI1NDFaFw0yOTA3 MTExMDI1NDFaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggIiMA0GCSqGSIb3DQEB AQUAA4ICDwAwggIKAoICAQDWEKfh6+Ffuaf65rdAWYscx4Sco7BCwxarEYBVsUCt NvfeQ4p2Ye/v1J8aT9o76N7cJkHnPXhoJbt5t01g300i5MOK5LlJ2qjlFJZW1ghm WKMzqJFMIWhZQPyjTdff9cIupAoMf+raXsu0oXZSIhVltoQtj2MpzULH/JsXE9jL 6uqLk5lGz4hJ8clZ2Vh+zdIoK93LD0e2hEBEGTzIAN5EQcmAcZ7qxo8Wd+DjAM3K QIGxdy6euwobJ5ERZyOApmAQRnREz+Wp4yvTjiSyEI5uDd1nUUNmDac9O2V2QDXE CFeE0/5ETeFiW46ktFxrZ/rwywL1K3e5vEU8QPcPnmJi35qzqU+YVQcnfCjl95RY KSII03f3IVNeV/w8YYFukpbh1e1RTOzwWyUuLcdKVf24SNZaleMjGk8n6RgsaAn8 9+UWQ5TZoGXEud29zu7pJ0yn1W45cVP7wmXqkC1q0BIJNu5P/y+fHHVsws6npGgX Osjj3MrT0D66EHBNrB67PpOQcm7FpJulYgdrJnxZx3B41oAhxzKGdlGsWeTZJjIs L5qrJELlWWjxMcmYCrC67b8sNQQ+0Nf944neAr5fcuHEcB+WTD1u+BsrEEbB9C8z 9pjiItocTI67Grq4Q7rhGUL9hTIWrIfd0p/53tP0v4FMboKXTD6ri4uMUu+dyPge XwIDAQABo1MwUTAdBgNVHQ4EFgQUSOgiUBITypJ7r7BZcYsQlUxaPiswHwYDVR0j BBgwFoAUSOgiUBITypJ7r7BZcYsQlUxaPiswDwYDVR0TAQH/BAUwAwEB/zANBgkq hkiG9w0BAQsFAAOCAgEATFXCozae5Ju59gmeWZvKI11ty83OAD48X/1G8IurhE7m JDJOMFJUz6BI0/PQbtBbURHd45KW8n09lS9LteiEQJzHs5w+IoGKuMgnxgEdGro9 2YLruqpHbl+g5zVJfVu97jlqR+lACPD/NEtw9quxPZE8hgoNlCowAM6x5llAsXWU LVWfZYYCQPOHJHQ0LERt9MX1mRe7CLYpBcYFUDs5temdw37OrEprCngddtsxhqSQ 9TIKLlQAD0/xPauP2znMkfsZB8OzhvacZgDxqZOM4zQRU894T4+lBagNJFhBPbQg aan5EAYUZ+DJIIedBCVlVVAZcZmNQguO6h+WNLO29ypM5GWTb0VZaAiwrn2eLYb+ fcDJXEWvXPVD+2RrnZs21s+ZKu5CUlwoIGC3ENdrj4UjcWJDVrOfQ9Y+l5GeOxfI 7RSfFm9lhHbSgCYi65Ng25w161UMGvs0V0ykVUJOIXdBryaaQt/QILZW9Gf1y23l 7F31XGptqFC6oj9LH32JFgn5NwmBOeQQHQTjPP5kXuAZpXABf4KJDYozXOm2ukZb 1ChHThxXFo4CXmZzH8hLJfHrQDLWuNIn0CG7gSWvQ9alTfjA2kP4khC993OGOSAV YxNqDleL2fFvqKmmxFFZmDUGrXVqUkZ9u4Z1mqPgzNYBxWDmX/idVbGKMwR8lDM= -----END CERTIFICATE-----

(yepp, i changed the error message to include the certificate data)

With the feature disabled it starts up normally.

[TylerHelmuth]

I was able to reproduce the problem, but not using your exact config.

The problem occurs, as the issue description suggests, when expanding the env variable using the envprovider, which happens with ${env:OTLP_TLS_CA_PEM_TRACES_MTLS_MISSING_VALUES__MISSING_ALL_BUT_CA}. If I use v0.103.0 or v0.104.0, with or without the feature gate, ${env:OTLP_TLS_CA_PEM_TRACES_MTLS_MISSING_VALUES__MISSING_ALL_BUT_CA} isn't parsed correctly.

If I use ${OTLP_TLS_CA_PEM_TRACES_MTLS_MISSING_VALUES__MISSING_ALL_BUT_CA} or $OTLP_TLS_CA_PEM_TRACES_MTLS_MISSING_VALUES__MISSING_ALL_BUT_CA instead, parsing works correctly on v0.103.0 and v0.104.0 with --feature-gates=-confmap.unifyEnvVarExpansion.

I still need to investigate what the envprovider is doing wrong with the value.

Test config:

receivers:
  nop:
exporters:
  otlp:
    endpoint: https://api.honeycomb.io:443
    tls:
      insecure: true
      ca_pem: ${env:OTLP_TLS_CA_PEM_TRACES_MTLS_MISSING_VALUES__MISSING_ALL_BUT_CA}

service:  
  telemetry:
    logs:
      level: debug
  pipelines:
    traces:
      receivers:
        - nop
      exporters:
        - otlp

env var:

export OTLP_TLS_CA_PEM_TRACES_MTLS_MISSING_VALUES__MISSING_ALL_BUT_CA=$(echo -n LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZhekNDQTFPZ0F3SUJBZ0lVUUoraGhaTGxZL0hNdXF4cW5lQ3U3V2QrRkgwd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1JURUxNQWtHQTFVRUJoTUNRVlV4RXpBUkJnTlZCQWdNQ2xOdmJXVXRVM1JoZEdVeElUQWZCZ05WQkFvTQpHRWx1ZEdWeWJtVjBJRmRwWkdkcGRITWdVSFI1SUV4MFpEQWVGdzB5TkRBM01USXhNREkxTkRGYUZ3MHlPVEEzCk1URXhNREkxTkRGYU1FVXhDekFKQmdOVkJBWVRBa0ZWTVJNd0VRWURWUVFJREFwVGIyMWxMVk4wWVhSbE1TRXcKSHdZRFZRUUtEQmhKYm5SbGNtNWxkQ0JYYVdSbmFYUnpJRkIwZVNCTWRHUXdnZ0lpTUEwR0NTcUdTSWIzRFFFQgpBUVVBQTRJQ0R3QXdnZ0lLQW9JQ0FRRFdFS2ZoNitGZnVhZjY1cmRBV1lzY3g0U2NvN0JDd3hhckVZQlZzVUN0Ck52ZmVRNHAyWWUvdjFKOGFUOW83Nk43Y0prSG5QWGhvSmJ0NXQwMWczMDBpNU1PSzVMbEoycWpsRkpaVzFnaG0KV0tNenFKRk1JV2haUVB5alRkZmY5Y0l1cEFvTWYrcmFYc3Uwb1haU0loVmx0b1F0ajJNcHpVTEgvSnNYRTlqTAo2dXFMazVsR3o0aEo4Y2xaMlZoK3pkSW9LOTNMRDBlMmhFQkVHVHpJQU41RVFjbUFjWjdxeG84V2QrRGpBTTNLClFJR3hkeTZldXdvYko1RVJaeU9BcG1BUVJuUkV6K1dwNHl2VGppU3lFSTV1RGQxblVVTm1EYWM5TzJWMlFEWEUKQ0ZlRTAvNUVUZUZpVzQ2a3RGeHJaL3J3eXdMMUszZTV2RVU4UVBjUG5tSmkzNXF6cVUrWVZRY25mQ2psOTVSWQpLU0lJMDNmM0lWTmVWL3c4WVlGdWtwYmgxZTFSVE96d1d5VXVMY2RLVmYyNFNOWmFsZU1qR2s4bjZSZ3NhQW44CjkrVVdRNVRab0dYRXVkMjl6dTdwSjB5bjFXNDVjVlA3d21YcWtDMXEwQklKTnU1UC95K2ZISFZzd3M2bnBHZ1gKT3NqajNNclQwRDY2RUhCTnJCNjdQcE9RY203RnBKdWxZZ2RySm54WngzQjQxb0FoeHpLR2RsR3NXZVRaSmpJcwpMNXFySkVMbFdXanhNY21ZQ3JDNjdiOHNOUVErME5mOTQ0bmVBcjVmY3VIRWNCK1dURDF1K0JzckVFYkI5Qzh6CjlwamlJdG9jVEk2N0dycTRRN3JoR1VMOWhUSVdySWZkMHAvNTN0UDB2NEZNYm9LWFRENnJpNHVNVXUrZHlQZ2UKWHdJREFRQUJvMU13VVRBZEJnTlZIUTRFRmdRVVNPZ2lVQklUeXBKN3I3QlpjWXNRbFV4YVBpc3dId1lEVlIwagpCQmd3Rm9BVVNPZ2lVQklUeXBKN3I3QlpjWXNRbFV4YVBpc3dEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txCmhraUc5dzBCQVFzRkFBT0NBZ0VBVEZYQ296YWU1SnU1OWdtZVdadktJMTF0eTgzT0FENDhYLzFHOEl1cmhFN20KSkRKT01GSlV6NkJJMC9QUWJ0QmJVUkhkNDVLVzhuMDlsUzlMdGVpRVFKekhzNXcrSW9HS3VNZ254Z0VkR3JvOQoyWUxydXFwSGJsK2c1elZKZlZ1OTdqbHFSK2xBQ1BEL05FdHc5cXV4UFpFOGhnb05sQ293QU02eDVsbEFzWFdVCkxWV2ZaWVlDUVBPSEpIUTBMRVJ0OU1YMW1SZTdDTFlwQmNZRlVEczV0ZW1kdzM3T3JFcHJDbmdkZHRzeGhxU1EKOVRJS0xsUUFEMC94UGF1UDJ6bk1rZnNaQjhPemh2YWNaZ0R4cVpPTTR6UVJVODk0VDQrbEJhZ05KRmhCUGJRZwphYW41RUFZVVorREpJSWVkQkNWbFZWQVpjWm1OUWd1TzZoK1dOTE8yOXlwTTVHV1RiMFZaYUFpd3JuMmVMWWIrCmZjREpYRVd2WFBWRCsyUnJuWnMyMXMrWkt1NUNVbHdvSUdDM0VOZHJqNFVqY1dKRFZyT2ZROVkrbDVHZU94ZkkKN1JTZkZtOWxoSGJTZ0NZaTY1TmcyNXcxNjFVTUd2czBWMHlrVlVKT0lYZEJyeWFhUXQvUUlMWlc5R2YxeTIzbAo3RjMxWEdwdHFGQzZvajlMSDMySkZnbjVOd21CT2VRUUhRVGpQUDVrWHVBWnBYQUJmNEtKRFlvelhPbTJ1a1piCjFDaEhUaHhYRm80Q1htWnpIOGhMSmZIclFETFd1TkluMENHN2dTV3ZROWFsVGZqQTJrUDRraEM5OTNPR09TQVYKWXhOcURsZUwyZkZ2cUttbXhGRlptRFVHclhWcVVrWjl1NFoxbXFQZ3pOWUJ4V0RtWC9pZFZiR0tNd1I4bERNPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== | base64 -d )

[mx-psi]

#10603 is, pending testing, a possible solution. The root cause of this may be go-yaml/yaml/issues/963 or some related issue in our YAML parser, but maybe we shouldn't parse YAML strings at all

[epchris]

@mx-psi Thank you for tackling this!