From a4d73ca2cca51f197cf48be7128ba875a8fb5be7 Mon Sep 17 00:00:00 2001 From: Hugo Hromic Date: Tue, 15 Aug 2023 18:34:33 +0100 Subject: [PATCH] enhancement(core): Add CLI arg and env variable to control openssl probing (#18229) * enhancement(core): Add CLI arg and env variable to control openssl probing This commit implements a new CLI argument `--openssl-no-probe` with a corresponding environment variable `VECTOR_OPENSSL_NO_PROBE` to disable calling the `openssl_probe::init_ssl_cert_env_vars()` function when starting Vector. The openssl-probe functionality manipulates the `SSL_CERT_FILE` and `SSL_CERT_DIR` environment variables in the Vector process. This behavior can be problematic for users of the `exec` source, which by default inherits the environment of the Vector process. Signed-off-by: Hugo Hromic * Document new option and env variable * Also add missing documentation for `openssl-legacy-provider` option and env var * Remove copy/pasted block by mistake * Align in-code comment with reference documentation --------- Signed-off-by: Hugo Hromic --- src/app.rs | 13 ++++++++++--- src/cli.rs | 8 ++++++++ website/cue/reference/cli.cue | 20 ++++++++++++++++++++ 3 files changed, 38 insertions(+), 3 deletions(-) diff --git a/src/app.rs b/src/app.rs index b745d831e07c3..baee7a8afc23b 100644 --- a/src/app.rs +++ b/src/app.rs @@ -180,7 +180,7 @@ impl Application { } pub fn prepare_from_opts(opts: Opts) -> Result<(Runtime, Self), ExitCode> { - init_global(); + init_global(!opts.root.openssl_no_probe); let color = opts.root.color.use_color(); @@ -191,6 +191,11 @@ impl Application { opts.root.internal_log_rate_limit, ); + // Can only log this after initializing the logging subsystem + if opts.root.openssl_no_probe { + debug!(message = "Disabled probing and configuration of root certificate locations on the system for OpenSSL."); + } + let openssl_legacy_provider = opts .root .openssl_legacy_provider 
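Review bot: The `debug!` call added in `prepare_from_opts` is the only runtime trace that root-certificate probing was turned off, and it is not emitted unless debug logging is enabled. The flag changes where OpenSSL looks for trust anchors, so an operator who later sees TLS verification failures has nothing in the normal log pointing at `--openssl-no-probe` / `VECTOR_OPENSSL_NO_PROBE`. I would raise it to `info!(message = "Disabled probing and configuration of root certificate locations on the system for OpenSSL.");`. The body of `prepare_from_opts` continues outside the hunk.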
@@ -420,8 +425,10 @@ impl FinishedApplication { } } -pub fn init_global() { - openssl_probe::init_ssl_cert_env_vars(); +pub fn init_global(openssl_probe: bool) { + if openssl_probe { + openssl_probe::init_ssl_cert_env_vars(); + } #[cfg(not(feature = "enterprise-tests"))] metrics::init_global().expect("metrics initialization failed"); diff --git a/src/cli.rs b/src/cli.rs index 1493e8db117e8..32a9ac4f277fd 100644 --- a/src/cli.rs +++ b/src/cli.rs @@ -198,6 +198,14 @@ pub struct RootOpts { /// Load the OpenSSL legacy provider. #[arg(long, env = "VECTOR_OPENSSL_LEGACY_PROVIDER", default_value = "true")] pub openssl_legacy_provider: bool, + + /// Disable probing and configuration of root certificate locations on the system for OpenSSL. + /// + /// The probe functionality manipulates the `SSL_CERT_FILE` and `SSL_CERT_DIR` environment variables + /// in the Vector process. This behavior can be problematic for users of the `exec` source, which by + /// default inherits the environment of the Vector process. + #[arg(long, env = "VECTOR_OPENSSL_NO_PROBE", default_value = "false")] + pub openssl_no_probe: bool, } impl RootOpts { diff --git a/website/cue/reference/cli.cue b/website/cue/reference/cli.cue index b356f454de2ea..ec32672cf73df 100644 --- a/website/cue/reference/cli.cue +++ b/website/cue/reference/cli.cue @@ -113,6 +113,14 @@ cli: { description: env_vars.VECTOR_NO_GRACEFUL_SHUTDOWN_LIMIT.description env_var: "VECTOR_NO_GRACEFUL_SHUTDOWN_LIMIT" } + "openssl-legacy-provider": { + description: env_vars.VECTOR_OPENSSL_LEGACY_PROVIDER.description + env_var: "VECTOR_OPENSSL_LEGACY_PROVIDER" + } + "openssl-no-probe": { + description: env_vars.VECTOR_OPENSSL_NO_PROBE.description + env_var: "VECTOR_OPENSSL_NO_PROBE" + } } _core_config_options: { 
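Review bot: In `init_global`, the new parameter `openssl_probe` has the same name as the `openssl_probe` crate called on the next line. It compiles because a module path and a local binding are resolved in different namespaces, but `if openssl_probe { openssl_probe::init_ssl_cert_env_vars(); }` is hard to read; a name such as `probe_openssl_certs` would avoid the clash. The function is `pub` and has no doc comment in the hunk, so I would add `/// Process-wide initialization; when the flag is true, openssl-probe sets SSL_CERT_FILE and SSL_CERT_DIR in this process's environment.` Because that call writes the process environment, it presumably has to stay ahead of any thread creation, which is worth stating in the comment if that is the intent. The function body continues past the hunk.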
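Review bot: The doc comment on `openssl_no_probe` in `RootOpts` explains why the probe can be unwanted but not what the operator takes on by disabling it. With the probe off, nothing in this change sets `SSL_CERT_FILE` or `SSL_CERT_DIR`, so OpenSSL presumably falls back to its compiled-in default certificate paths, which may not exist on the host when OpenSSL is statically linked. Certificate verification for TLS-enabled components could then fail unless those variables, or a CA file per component, are set explicitly. I would add a sentence such as `/// When probing is disabled, set SSL_CERT_FILE or SSL_CERT_DIR yourself if OpenSSL's default paths do not contain the system roots.` The same caveat would belong in the `VECTOR_OPENSSL_NO_PROBE` description in `cli.cue`.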
@@ -624,6 +632,18 @@ cli: { description: "Never time out while waiting for graceful shutdown after SIGINT or SIGTERM received. This is useful when you would like for Vector to attempt to send data until terminated by a SIGKILL. Overrides/cannot be set with `--graceful-shutdown-limit-secs`." type: bool: default: false } + VECTOR_OPENSSL_LEGACY_PROVIDER: { + description: "Load the OpenSSL legacy provider." + type: bool: default: true + } + VECTOR_OPENSSL_NO_PROBE: { + description: """ + Disable probing and configuration of root certificate locations on the system for OpenSSL. + + The probe functionality manipulates the `SSL_CERT_FILE` and `SSL_CERT_DIR` environment variables in the Vector process. This behavior can be problematic for users of the `exec` source, which by default inherits the environment of the Vector process. + """ + type: bool: default: false + } } // Helpers