From 57c34526e9ba9b3dd7afe7010b55179ff7c8ff0d Mon Sep 17 00:00:00 2001 From: Matthias Bertschy Date: Mon, 15 Jun 2026 07:34:48 +0200 Subject: [PATCH] feat(config): add EnableSslTracing / DSsl flags for the OpenSSL L7 gadget armosec/private-node-agent ships a native OpenSSL TLS-capture gadget (R-L7-1) that needs an off-by-default toggle, mirroring the HTTP detection pair. config.Config is external to that repo, so it currently gates on a local ENABLE_SSL_TRACING env var; adding the field here lets it move to the standard config mechanism. - EnableSslTracing (sslTracingEnabled): enable the SSL/TLS L7 capture gadget. - DSsl (dSsl): disable override, mirroring DHttp/dHttp. Both default to false (zero value), so behavior is unchanged unless set. Sample configuration/config.json documents sslTracingEnabled; config_test updated to assert the default. Co-Authored-By: Claude Opus 4.8 (1M context)
---
 configuration/config.json | 1 +
 pkg/config/config.go | 2 ++
 pkg/config/config_test.go | 1 +
 3 files changed, 4 insertions(+)
diff --git a/configuration/config.json b/configuration/config.json
index 29b677006..364c63dd5 100644
--- a/configuration/config.json
+++ b/configuration/config.json
@@ -11,6 +11,7 @@
 "runtimeDetectionEnabled": "false",
 "nodeProfileServiceEnabled": "false",
 "httpDetectionEnabled": "false",
+ "sslTracingEnabled": "false",
 "nodeProfileInterval": "1m",
 "seccompServiceEnabled": "false",
 "enableEmbeddedSBOMs": "false",
diff --git a/pkg/config/config.go b/pkg/config/config.go
index f203ad110..d8c9061c8 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -65,6 +65,7 @@ type Config struct {
 DRandomx bool `mapstructure:"dRandomx"`
 DSeccomp bool `mapstructure:"dSeccomp"`
 DSsh bool `mapstructure:"dSsh"`
+ DSsl bool `mapstructure:"dSsl"`
 DSymlink bool `mapstructure:"dSymlink"`
 DTop bool `mapstructure:"dTop"`
 DUnshare bool `mapstructure:"dUnshare"`
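Review bot: `DSsl` is added to `Config` without a comment, and nothing in the struct says how it interacts with `EnableSslTracing`, which the second hunk of this file (`@@ -85,6 +86,7 @@`) adds equally undocumented. The commit message describes the pair as an off-by-default toggle plus a disable override for a gadget that captures TLS traffic, and says the consumer lives in another repository, so this struct is the one place where the contract can be written down for both sides. I would add `// DSsl disables the SSL/TLS capture gadget and takes precedence over EnableSslTracing.` above `DSsl` and `// EnableSslTracing turns on the OpenSSL L7 capture gadget; off by default.` above `EnableSslTracing`, assuming the precedence matches what `DHttp` does today, which is not visible here. The `Config` struct starts and ends outside both hunks.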
@@ -85,6 +86,7 @@ type Config struct {
 EnableRuntimeDetection bool `mapstructure:"runtimeDetectionEnabled"`
 EnableSbomGeneration bool `mapstructure:"sbomGenerationEnabled"`
 EnableSeccomp bool `mapstructure:"seccompServiceEnabled"`
+ EnableSslTracing bool `mapstructure:"sslTracingEnabled"`
 HostMonitoringEnabled bool `mapstructure:"hostMonitoringEnabled"`
 StandaloneMonitoringEnabled bool `mapstructure:"standaloneMonitoringEnabled"`
 SeccompProfileBackend string `mapstructure:"seccompProfileBackend"`
diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
index 74f322147..490cd6321 100644
--- a/pkg/config/config_test.go
+++ b/pkg/config/config_test.go
@@ -34,6 +34,7 @@ func TestLoadConfig(t *testing.T) {
 EnableNetworkTracing: false,
 EnableNodeProfile: false,
 EnableHttpDetection: false,
+ EnableSslTracing: false,
 EnableHostMalwareSensor: false,
 EnableHostNetworkSensor: false,
 EnableFIM: true,
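Review bot: The added `EnableSslTracing: false` expectation in `TestLoadConfig` cannot fail, because `false` is also what the field holds when the `sslTracingEnabled` key is never decoded; a typo in either new `mapstructure` tag would pass this test. For a toggle that gates TLS capture, a silently ignored `sslTracingEnabled` or `dSsl` key means the running state differs from what the operator configured, and an ignored `dSsl` would leave capture on when it was meant to be off. I would add a case that loads a config with both keys set to true and asserts that `EnableSslTracing` and `DSsl` come back true. The fixture file and the comparison used by `TestLoadConfig` are outside this hunk, so this assumes the expected struct is compared as a whole.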