FAQ
Product scope
Is Ampora open source?
The codebase ships with full source under the project license. There is no "community / enterprise" split; binary releases, container images, and Helm artefacts are produced from the same tree that CI builds.
Does Ampora replace my observability backend?
No. Ampora manages the agents, not the telemetry. Your collectors keep exporting to whatever OTLP-compatible backend you use today (Prometheus, Tempo, Jaeger, Loki, Datadog, Grafana Cloud, Honeycomb, …).
Can Ampora manage non-Collector agents?
Yes, in principle — anything that speaks OpAMP. The Ampora.OpAmp.Core context is deliberately Collector-agnostic (a config is an opaque hashed blob). The pipeline visualizer is the only Collector-specific feature; an agent that does not have OpenTelemetry-Collector-shaped pipelines simply won't render one.
Does Ampora run my collectors for me?
No. Ampora manages collectors that you run. Where the collector binary runs (Kubernetes, VM, edge appliance, container, bare metal) is your call. Ampora distributes new binaries via the package-transfer feature once the agent advertises AcceptsPackages.
Protocol & interoperability
Which OpAMP version does Ampora implement?
Ampora implements the WebSocket flavour of OpAMP with the 1-byte-header binary frame, per ADR-016. The capabilities currently honoured are listed in the capability matrix.
Does Ampora work with opentelemetry-collector-contrib?
Yes. The opamp_extension (formerly opamp extension) in contrib is the canonical client. Both the --feature-gate=opamp.observed_log_severity_text and the default builds work.
Does the agent need outbound internet?
No. The agent only needs network reachability to your Ampora server. Ampora's web UI and OpAMP endpoint can sit on the same TLS port or be split to two ports — see Operator → Configuration → Settings.
Operating Ampora
What database do I need in production?
PostgreSQL 16 or newer. SQLite is supported in development for ergonomic reasons but is not safe for production workloads (no concurrent writers, no replication, no JSONB). See Operator → Database & migrations.
Do I need Redis?
Only if you run multiple Ampora instances and prefer Redis as the cross-instance dispatch backplane. Postgres LISTEN/NOTIFY is supported as the alternative and is sufficient for most deployments. Single-instance deployments do not need Redis.
How do I scale Ampora horizontally?
Run multiple instances behind a sticky-session reverse proxy and configure a shared dispatch backplane. See Operator → Scaling out. Ampora is designed so the rollout state lives in PostgreSQL — no in-memory-only truth — which is what makes scale-out safe.
Can I run Ampora air-gapped?
Yes. The default GitOps source is polling (no webhooks required), all package downloads are uploaded once and served from your blob storage, and no telemetry leaves the cluster unless you opt in. See Operator → Hardening checklist.
Security
How do agents authenticate?
First connection: short-lived bootstrap token in the WebSocket upgrade header. After that: mTLS client certificate issued by Ampora's persisted CA (or, optionally, an HSM/KMS). The bootstrap token is never honoured again after the first successful connection. See Threat model.
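One way to enforce the "never honoured again" rule when several instances share one database, as an added example that is not Ampora's own code: a single conditional UPDATE checks and consumes the token atomically, so two concurrent upgrade requests cannot both succeed. The table layout, function names and the choice to consume at redemption time are assumptions, and in-memory SQLite stands in for the database so the block runs offline.

```python
import hashlib
import secrets
import sqlite3
import time


def open_store():
    # Hypothetical schema; only a hash of each token is stored.
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.execute(
        "CREATE TABLE bootstrap_tokens ("
        " token_hash TEXT PRIMARY KEY,"
        " agent_id TEXT NOT NULL,"
        " expires_at REAL NOT NULL,"
        " consumed_at REAL)"
    )
    return db


def _digest(token):
    # A database read must not reveal a usable token.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(db, agent_id, ttl_seconds, now=None):
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    db.execute(
        "INSERT INTO bootstrap_tokens VALUES (?, ?, ?, NULL)",
        (_digest(token), agent_id, now + ttl_seconds),
    )
    return token


def redeem_token(db, token, now=None):
    """Return the agent id on the first valid use, otherwise None."""
    now = time.time() if now is None else now
    # Check-and-consume in one statement: unknown, expired and already
    # used tokens all match zero rows and are rejected the same way.
    cur = db.execute(
        "UPDATE bootstrap_tokens SET consumed_at = ?"
        " WHERE token_hash = ? AND consumed_at IS NULL AND expires_at > ?",
        (now, _digest(token), now),
    )
    if cur.rowcount != 1:
        return None
    row = db.execute(
        "SELECT agent_id FROM bootstrap_tokens WHERE token_hash = ?",
        (_digest(token),),
    ).fetchone()
    return row[0]
```

A separate read followed by a write would leave a window in which two instances could both accept the same token; the conditional UPDATE closes it.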
Where do private keys live?
By default in the database, encrypted at rest with an AES-GCM master key you supply via configuration. Optionally backed by an HSM or KMS; see HSM/KMS integration for the supported adapters (AWS KMS, Azure Key Vault, GCP KMS, PKCS#11, HashiCorp Vault Transit).
Does Ampora support certificate revocation?
Yes — both CRL (with a configurable Distribution Point endpoint) and OCSP (stapled and unstapled). See Revocation (CRL/OCSP).
Does Ampora pass SOC 2 / ISO 27001 audits?
Audit-readiness is a property of your deployment, not of Ampora itself. Ampora gives you the technical building blocks: full audit log with configurable retention, RBAC, mTLS, OIDC, key rotation, federation isolation. The Hardening checklist walks through turning these on for production.
Pricing & support
How is Ampora licensed?
The repository ships under the project license (see LICENSE). The same binaries are used by everyone; there is no proprietary tier.
Where do I file bugs?
GitLab issues on the project. For security-sensitive reports, follow the disclosure procedure documented in the repository's SECURITY.md.
Is there commercial support?
The project README lists current support options. For self-hosted operation, the docs you are reading now plus the ADRs (under docs/adr/) are the authoritative reference.
Anything else
Why is the documentation in English when the codebase has German comments?
The codebase has both. Customer-facing docs are English so they reach the broadest possible audience. Internal architecture decisions (ADRs) are kept in their original language; the ADR index links to them with English summaries.
Where do I see what is on the roadmap?
Public roadmap commitments are tracked in the repository's docs/roadmap.md and in the Release Notes. ADRs in Reference → ADR index cover what has been decided; anything not in an ADR is not committed.