# Security
Ampora is the central control plane for an OpenTelemetry agent fleet. That makes it a high-value target: someone who controls the management server can reroute every agent's data, swap exporters, or push compromised binaries.
The pages in this section start from that assumption and are written defensively.
| Page | What it covers |
|---|---|
| Threat model | Adversaries we defend against and which controls cover what |
| Hardening checklist | What to flip on for production |
| Secrets management | Master key, OIDC secret, peer secrets, GitOps creds |
| Certificate rotation | CA signing-key rotation, agent leaf rotation |
| HSM / KMS integration | AWS KMS, Azure Key Vault, GCP KMS, PKCS#11, Vault Transit |
| Revocation (CRL/OCSP) | Distribution points, freshness windows, troubleshooting |
## Quick wins
If you only do four things:
- Set `KeyProtection:MasterKey` to a real CSPRNG value, store it in your secret manager, never in a ConfigMap.
- Replace the placeholder `Secret` from `deploy/kustomize/base/secret.yaml` via External Secrets / sealed-secrets / SOPS / Vault — the placeholder is annotated `ampora.io/placeholder=true` so audit tools refuse it.
- Set `OpAmp:RequireMtls=true` and never set `OpAmp:BootstrapPlaintextAllowed=true` outside dev.
- Require OIDC group membership for the `Admin` role — do not rely on "first user gets bootstrapped as Admin" past initial setup.
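As an added example (not Ampora's own code), a small pre-deploy audit that applies the first three quick wins to rendered Kubernetes manifests and to the flattened runtime configuration. The `Section:Key` / `Section__Key` flattening, the 32-byte master-key threshold and the sample manifests are assumptions constructed for this example.

```python
import base64
import binascii

PLACEHOLDER_ANNOTATION = "ampora.io/placeholder"
MASTER_KEY = "KeyProtection:MasterKey"


def _flat(data):
    # Assumption: keys arrive either as "Section:Key" or env-style "Section__Key".
    return {k.replace("__", ":"): v for k, v in data.items()}


def audit_k8s_object(manifest):
    """Return findings for one Kubernetes object (dict from any YAML loader)."""
    findings = []
    kind = manifest.get("kind")
    annotations = manifest.get("metadata", {}).get("annotations", {})
    data = _flat(manifest.get("data", {}))
    if kind == "Secret" and annotations.get(PLACEHOLDER_ANNOTATION) == "true":
        findings.append("placeholder Secret from deploy/kustomize/base/secret.yaml is still present")
    if kind == "ConfigMap" and MASTER_KEY in data:
        findings.append("master key is stored in a ConfigMap; move it to a Secret / secret manager")
    if kind == "Secret" and MASTER_KEY in data:
        # Secret .data is base64; a CSPRNG key should decode to >= 32 bytes (assumed threshold)
        try:
            raw = base64.b64decode(data[MASTER_KEY], validate=True)
        except (binascii.Error, ValueError):
            raw = b""
        if len(raw) < 32 or len(set(raw)) < 8:
            findings.append("master key is missing, malformed, too short or low-entropy")
    return findings


def audit_runtime_config(cfg):
    """Return findings for the flattened application configuration."""
    cfg = _flat(cfg)
    findings = []
    if cfg.get("OpAmp:RequireMtls", "false").lower() != "true":
        findings.append("OpAmp:RequireMtls is not true")
    if cfg.get("OpAmp:BootstrapPlaintextAllowed", "false").lower() == "true":
        findings.append("OpAmp:BootstrapPlaintextAllowed=true is only acceptable in dev")
    return findings


# Constructed sample inputs: the shipped placeholder and a properly provisioned Secret.
PLACEHOLDER_SECRET = {"kind": "Secret", "metadata": {"annotations": {PLACEHOLDER_ANNOTATION: "true"}},
                      "data": {MASTER_KEY: base64.b64encode(b"changeme").decode()}}
GOOD_SECRET = {"kind": "Secret", "metadata": {},
               "data": {MASTER_KEY: base64.b64encode(bytes(range(32))).decode()}}

if __name__ == "__main__":
    for finding in audit_k8s_object(PLACEHOLDER_SECRET) + audit_runtime_config({}):
        print("FAIL:", finding)
```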
## Reporting a vulnerability
Follow the disclosure procedure in the repository's SECURITY.md. Do not open a public GitLab issue for security-sensitive reports.