open-telemetry · mx-psi · Mar 22, 2026 · Feb 27, 2026 · Mar 17, 2026 · Mar 20, 2026
@@ -0,0 +1,35 @@
+# Use this changelog template to create an entry for release notes.
+
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. receiver/filelog)
+component: receiver/docker_stats
+
+# A brief description of the change.  Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Add TLS configuration support for connecting to the Docker daemon over HTTPS with client and server certificates.
+
+# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists.
+issues: [33557]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext: |
+  A new optional `tls` configuration block is available in `docker_stats` receiver config (and the
+  shared `internal/docker` package). When omitted the connection remains insecure (plain HTTP or
+  Unix socket), preserving existing behavior. When provided it supports the standard
+  `configtls.ClientConfig` fields: `ca_file`, `cert_file`, `key_file`, `insecure_skip_verify`,
+  `min_version`, and `max_version`.
+  A warning is now emitted when a plain `tcp://` or `http://` endpoint is used without TLS,
+  reflecting Docker's deprecation of unauthenticated TCP connections since Docker v26.0
+  (see https://docs.docker.com/engine/deprecated/#unauthenticated-tcp-connections).
+
+# If your change doesn't affect end users or the exported elements of any package,
+# you should instead start your pull request title with [chore] or use the "Skip Changelog" label.
+# Optional: The change log or logs in which this entry should be included.
+# e.g. '[user]' or '[user, api]'
+# Include 'user' if the change is relevant to end users.
+# Include 'api' if there is a change to a library API.
+# Default: '[user]'
+change_logs: [user, api]
@@ -38,11 +38,14 @@ require (
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/ebitengine/purego v0.10.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/foxboron/go-tpm-keyfiles v0.0.0-20250903184740-5d135037bd4d // indirect
+	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.2.6 // indirect
 	github.com/go-viper/mapstructure/v2 v2.5.0 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
+	github.com/google/go-tpm v0.9.8 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/hashicorp/go-version v1.8.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
@@ -75,6 +78,9 @@ require (
 	github.com/tklauser/numcpus v0.11.0 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/collector/config/configopaque v1.54.1-0.20260320051400-372cc483b303 // indirect
+	go.opentelemetry.io/collector/config/configoptional v1.54.1-0.20260320051400-372cc483b303 // indirect
+	go.opentelemetry.io/collector/config/configtls v1.54.1-0.20260320051400-372cc483b303 // indirect
 	go.opentelemetry.io/collector/featuregate v1.54.1-0.20260320051400-372cc483b303 // indirect
 	go.opentelemetry.io/collector/internal/componentalias v0.148.1-0.20260320051400-372cc483b303 // indirect
 	go.opentelemetry.io/collector/pdata v1.54.1-0.20260320051400-372cc483b303 // indirect

@@ -4,6 +4,7 @@
 package docker // import "github.com/open-telemetry/opentelemetry-collector-contrib/internal/docker"
 
 import (
+	"context"
 	"errors"
 	"fmt"
 	"strconv"
@@ -12,6 +13,8 @@ import (
 
 	"github.com/docker/docker/api/types/versions"
 	"github.com/docker/docker/client"
+	"go.opentelemetry.io/collector/config/configoptional"
+	"go.opentelemetry.io/collector/config/configtls"
 	"go.opentelemetry.io/collector/confmap"
 )
 
@@ -29,6 +32,11 @@ type Config struct {
 	// Docker client API version. If empty, the client will auto-negotiate
 	// the API version with the Docker daemon using version negotiation.
 	DockerAPIVersion string `mapstructure:"api_version"`
+
+	// TLS holds optional TLS client configuration for connecting to the Docker daemon
+	// over HTTPS. When nil (the default), the connection uses no custom TLS — suitable
+	// for Unix sockets and plain HTTP endpoints.
+	TLS configoptional.Optional[configtls.ClientConfig] `mapstructure:"tls,omitempty"`
 }
 
 func (config *Config) Unmarshal(conf *confmap.Conf) error {
@@ -51,6 +59,11 @@ func (config Config) Validate() error {
 	if config.Endpoint == "" {
 		return errors.New("endpoint must be specified")
 	}
+	if config.TLS.HasValue() {
+		if _, err := config.TLS.Get().LoadTLSConfig(context.Background()); err != nil {
+			return fmt.Errorf("invalid tls configuration: %w", err)
+		}
+	}
 	return nil
 }
 

@@ -17,3 +17,7 @@ $defs:
         description: The maximum amount of time to wait for docker API responses. Default is 5s
         type: string
         format: duration
+      tls:
+        description: TLS holds optional TLS client configuration for connecting to the Docker daemon over HTTPS. When nil (the default), the connection uses no custom TLS — suitable for Unix sockets and plain HTTP endpoints.
+        x-optional: true
+        $ref: go.opentelemetry.io/collector/config/configtls.client_config
@@ -8,6 +8,9 @@ import (
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"go.opentelemetry.io/collector/config/configoptional"
+	"go.opentelemetry.io/collector/config/configtls"
+	"go.opentelemetry.io/collector/confmap"
 )
 
 func TestAPIVersion(t *testing.T) {
@@ -78,3 +81,49 @@ func TestAPIVersion(t *testing.T) {
 		})
 	}
 }
+
+func TestDefaultConfigHasNoTLS(t *testing.T) {
+	cfg := NewDefaultConfig()
+	assert.False(t, cfg.TLS.HasValue(), "default config should have nil TLS for backward compatibility")
+}
+
+func TestNewConfigHasNoTLS(t *testing.T) {
+	cfg := NewConfig("unix:///var/run/docker.sock", 0, nil, "")
+	assert.False(t, cfg.TLS.HasValue(), "NewConfig should have nil TLS by default")
+}
+
+func TestUnmarshalNoTLSKeepsNil(t *testing.T) {
+	conf := confmap.NewFromStringMap(map[string]any{
+		"endpoint": "unix:///var/run/docker.sock",
+	})
+	cfg := &Config{}
+	require.NoError(t, cfg.Unmarshal(conf))
+	assert.False(t, cfg.TLS.HasValue(), "omitting tls block should leave TLS nil")
+}
+
+func TestUnmarshalWithTLSBlock(t *testing.T) {
+	conf := confmap.NewFromStringMap(map[string]any{
+		"endpoint": "https://example.com/",
+		"tls": map[string]any{
+			"insecure_skip_verify": true,
+		},
+	})
+	cfg := &Config{}
+	require.NoError(t, cfg.Unmarshal(conf))
+	assert.True(t, cfg.TLS.HasValue())
+	assert.True(t, cfg.TLS.Get().InsecureSkipVerify)
+}
+
+func TestValidateInvalidTLSCertPath(t *testing.T) {
+	cfg := &Config{
+		Endpoint: "https://example.com/",
+		TLS: configoptional.Some(configtls.ClientConfig{
+			Config: configtls.Config{
+				CAFile: "/nonexistent/ca.pem",
+			},
+		}),
+	}
+	err := cfg.Validate()
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "invalid tls configuration")
+}
@@ -9,6 +9,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"net/http"
 	"strings"
 	"sync"
 	"time"
@@ -62,6 +63,25 @@ func NewDockerClient(config *Config, logger *zap.Logger, opts ...docker.Opt) (*C
 		logger.Debug("Docker API version not specified, using automatic version negotiation")
 	}
 
+	// Configure TLS transport when a TLS config is provided.
+	if config.TLS.HasValue() && !config.TLS.Get().Insecure {
+		tlsCfg, err := config.TLS.Get().LoadTLSConfig(context.Background())
+		if err != nil {
+			return nil, fmt.Errorf("could not load docker client TLS config: %w", err)
+		}
+		transport := &http.Transport{TLSClientConfig: tlsCfg}
+		clientOpts = append(clientOpts, docker.WithHTTPClient(&http.Client{Transport: transport}))
+	} else if isTCPEndpoint(config.Endpoint) {
+		// Unauthenticated TCP connections to the Docker daemon were deprecated in Docker v26.0
+		// and enforcement began in v27.0. Configure the 'tls' block to secure this connection.
+		// See: https://docs.docker.com/engine/deprecated/#unauthenticated-tcp-connections
+		logger.Warn(
+			"Unauthenticated TCP connection to Docker daemon is deprecated since Docker v26.0. "+
+				"Configure the 'tls' option to use a secure connection.",
+			zap.String("endpoint", config.Endpoint),
+		)
+	}
+
 	// Append any additional opts passed by caller
 	clientOpts = append(clientOpts, opts...)
 
@@ -342,6 +362,13 @@ func (dc *Client) shouldBeExcluded(image string) bool {
 	return dc.excludedImageMatcher != nil && dc.excludedImageMatcher.matches(image)
 }
 
+// isTCPEndpoint reports whether the endpoint uses a plain TCP or HTTP scheme,
+// meaning the connection is not secured by a Unix socket, named pipe, or TLS.
+func isTCPEndpoint(endpoint string) bool {
+	lower := strings.ToLower(endpoint)
+	return strings.HasPrefix(lower, "tcp://") || strings.HasPrefix(lower, "http://")
+}
+
 func ContainerEnvToMap(env []string) map[string]string {
 	out := make(map[string]string, len(env))
 	for _, v := range env {

@@ -19,6 +19,8 @@ import (
 	ctypes "github.com/docker/docker/api/types/container"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"go.opentelemetry.io/collector/config/configoptional"
+	"go.opentelemetry.io/collector/config/configtls"
 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"
 	"go.uber.org/zap/zaptest/observer"
@@ -222,11 +224,15 @@ func TestEventLoopHandlesError(t *testing.T) {
 	defer cancel()
 
 	assert.EventuallyWithT(t, func(tt *assert.CollectT) {
+		var eventErrLogs []observer.LoggedEntry
 		for _, l := range logs.All() {
-			assert.Contains(tt, l.Message, "Error watching docker container events")
-			assert.Contains(tt, l.ContextMap()["error"], "EOF")
+			if strings.Contains(l.Message, "Error watching docker container events") {
+				eventErrLogs = append(eventErrLogs, l)
+			}
+		}
+		if assert.NotEmpty(tt, eventErrLogs) {
+			assert.Contains(tt, eventErrLogs[0].ContextMap()["error"], "EOF")
 		}
-		assert.NotEmpty(tt, logs.All())
 	}, 1*time.Second, 1*time.Millisecond, "failed to find desired error logs.")
 
 	finished := make(chan struct{})
@@ -292,3 +298,69 @@ func TestDefaultConfigUsesNegotiation(t *testing.T) {
 	config := NewDefaultConfig()
 	assert.Empty(t, config.DockerAPIVersion, "Default config should have empty DockerAPIVersion for auto-negotiation")
 }
+
+func TestTLSClientConfig(t *testing.T) {
+	// Start a TLS test server
+	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer srv.Close()
+
+	config := &Config{
+		Endpoint: srv.URL,
+		Timeout:  5 * time.Second,
+		TLS: configoptional.Some(configtls.ClientConfig{
+			InsecureSkipVerify: true,
+		}),
+	}
+
+	cli, err := NewDockerClient(config, zap.NewNop())
+	require.NoError(t, err)
+	assert.NotNil(t, cli)
+}
+
+func TestUnauthenticatedTCPWarning(t *testing.T) {
+	for _, endpoint := range []string{
+		"tcp://192.168.1.1:2375",
+		"http://192.168.1.1:2375",
+		"TCP://192.168.1.1:2375",
+		"HTTP://192.168.1.1:2375",
+	} {
+		t.Run(endpoint, func(t *testing.T) {
+			observed, logs := observer.New(zapcore.WarnLevel)
+			_, _ = NewDockerClient(&Config{Endpoint: endpoint}, zap.New(observed))
+			assert.NotEmpty(t, logs.All(), "expected a deprecation warning for unauthenticated TCP endpoint")
+			assert.Contains(t, logs.All()[0].Message, "deprecated")
+		})
+	}
+}
+
+func TestNoWarningForSecureEndpoints(t *testing.T) {
+	for _, endpoint := range []string{
+		"unix:///var/run/docker.sock",
+		"npipe:////./pipe/docker_engine",
+	} {
+		t.Run(endpoint, func(t *testing.T) {
+			observed, logs := observer.New(zapcore.WarnLevel)
+			_, _ = NewDockerClient(&Config{Endpoint: endpoint}, zap.New(observed))
+			assert.Empty(t, logs.All(), "expected no deprecation warning for non-TCP endpoint")
+		})
+	}
+}
+
+func TestTLSClientConfigInvalidCert(t *testing.T) {
+	config := &Config{
+		Endpoint: "https://example.com/",
+		Timeout:  5 * time.Second,
+		TLS: configoptional.Some(configtls.ClientConfig{
+			Config: configtls.Config{
+				CAFile: "/nonexistent/ca.pem",
+			},
+		}),
+	}
+
+	cli, err := NewDockerClient(config, zap.NewNop())
+	assert.Nil(t, cli)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "could not load docker client TLS config")
+}
@@ -8,6 +8,8 @@ require (
 	github.com/docker/docker v28.5.2+incompatible
 	github.com/gobwas/glob v0.2.3
 	github.com/stretchr/testify v1.11.1
+	go.opentelemetry.io/collector/config/configoptional v1.54.1-0.20260320051400-372cc483b303
+	go.opentelemetry.io/collector/config/configtls v1.54.1-0.20260320051400-372cc483b303
 	go.opentelemetry.io/collector/confmap v1.54.1-0.20260320051400-372cc483b303
 	go.uber.org/goleak v1.3.0
 	go.uber.org/zap v1.27.1
@@ -22,9 +24,12 @@ require (
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-units v0.4.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/foxboron/go-tpm-keyfiles v0.0.0-20250903184740-5d135037bd4d // indirect
+	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-viper/mapstructure/v2 v2.5.0 // indirect
+	github.com/google/go-tpm v0.9.8 // indirect
 	github.com/hashicorp/go-version v1.8.0 // indirect
 	github.com/knadh/koanf/maps v0.1.2 // indirect
 	github.com/knadh/koanf/providers/confmap v1.0.0 // indirect
@@ -40,6 +45,8 @@ require (
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/collector/config/configopaque v1.54.1-0.20260320051400-372cc483b303 // indirect
+	go.opentelemetry.io/collector/confmap/xconfmap v0.148.1-0.20260320051400-372cc483b303 // indirect
 	go.opentelemetry.io/collector/featuregate v1.54.1-0.20260320051400-372cc483b303 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
 	go.opentelemetry.io/otel v1.40.0 // indirect
@@ -49,6 +56,7 @@ require (
 	go.opentelemetry.io/otel/trace v1.40.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
+	golang.org/x/crypto v0.48.0 // indirect
 	golang.org/x/net v0.51.0 // indirect
 	golang.org/x/sys v0.41.0 // indirect
 	golang.org/x/time v0.4.0 // indirect