[extension/opamp] Load TLS config only for wss and https endpoints (open-telemetry#39516)

<!--Ex. Fixing a bug - Describe the bug and how this fixes the issue.
Ex. Adding a feature - Explain what this achieves.-->
#### Description
Loads TLS config for the OpAMP Extension's OpAMP agent only if the
`server::ws::endpoint`/`server::http::endpoint` config is set to a URL
with scheme `wss`/`https`.

<!-- Issue number (e.g. open-telemetry#1234) or full URL to issue, if applicable. -->
#### Link to tracking issue
Fixes
open-telemetry#39515

<!--Describe what testing was performed and which tests were added.-->
#### Testing
- Added unit tests
- Tested manually with the steps described in **Steps to Reproduce** in
open-telemetry#39515

<!--Please delete paragraphs that you did not use before submitting.-->

Author: johannaojeling

.chloggen/opampextension-conditional-tls.yaml

@@ -0,0 +1,27 @@
+# Use this changelog template to create an entry for release notes.
+
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: bug_fix
+
+# The name of the component, or a single word describing the area of concern, (e.g. filelogreceiver)
+component: opampextension
+
+# A brief description of the change.  Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Skips loading TLS config for insecure endpoints
+
+# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists.
+issues: [39515]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
+
+# If your change doesn't affect end users or the exported elements of any package,
+# you should instead start your pull request title with [chore] or use the "Skip Changelog" label.
+# Optional: The change log or logs in which this entry should be included.
+# e.g. '[user]' or '[user, api]'
+# Include 'user' if the change is relevant to end users.
+# Include 'api' if there is a change to a library API.
+# Default: '[user]'
+change_logs: []

extension/opampextension/config.go

@@ -4,7 +4,10 @@
 package opampextension // import "github.com/open-telemetry/opentelemetry-collector-contrib/extension/opampextension"
 
 import (
+	"context"
+	"crypto/tls"
 	"errors"
+	"fmt"
 	"net/url"
 	"time"
 
@@ -146,7 +149,21 @@ func (s OpAMPServer) GetHeaders() map[string]configopaque.String {
 	return map[string]configopaque.String{}
 }
 
-func (s OpAMPServer) GetTLSSetting() configtls.ClientConfig {
+// GetTLSConfig returns a TLS config if the endpoint is secure (wss or https)
+func (s OpAMPServer) GetTLSConfig(ctx context.Context) (*tls.Config, error) {
+	parsedURL, err := url.Parse(s.GetEndpoint())
+	if err != nil {
+		return nil, fmt.Errorf("parse server endpoint: %w", err)
+	}
+
+	if parsedURL.Scheme != "wss" && parsedURL.Scheme != "https" {
+		return nil, nil
+	}
+
+	return s.getTLSSetting().LoadTLSConfig(ctx)
+}
+
+func (s OpAMPServer) getTLSSetting() configtls.ClientConfig {
 	if s.WS != nil {
 		return s.WS.TLSSetting
 	} else if s.HTTP != nil {

extension/opampextension/config_test.go

@@ -4,6 +4,7 @@
 package opampextension
 
 import (
+	"context"
 	"path/filepath"
 	"testing"
 	"time"
@@ -144,12 +145,72 @@ func TestConfig_Getters(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			tt.expected.headers(t, tt.fields.Server.GetHeaders())
-			tt.expected.tls(t, tt.fields.Server.GetTLSSetting())
+			tt.expected.tls(t, tt.fields.Server.getTLSSetting())
 			tt.expected.endpoint(t, tt.fields.Server.GetEndpoint())
 		})
 	}
 }
 
+func TestOpAMPServer_GetTLSConfig(t *testing.T) {
+	tests := []struct {
+		name              string
+		server            OpAMPServer
+		expectedTLSConfig assert.ValueAssertionFunc
+	}{
+		{
+			name: "wss endpoint",
+			server: OpAMPServer{
+				WS: &commonFields{
+					Endpoint:   "wss://example.com",
+					TLSSetting: configtls.NewDefaultClientConfig(),
+				},
+			},
+			expectedTLSConfig: assert.NotNil,
+		},
+		{
+			name: "https endpoint",
+			server: OpAMPServer{
+				HTTP: &httpFields{
+					commonFields: commonFields{
+						Endpoint:   "https://example.com",
+						TLSSetting: configtls.NewDefaultClientConfig(),
+					},
+				},
+			},
+			expectedTLSConfig: assert.NotNil,
+		},
+		{
+			name: "ws endpoint",
+			server: OpAMPServer{
+				WS: &commonFields{
+					Endpoint: "ws://example.com",
+				},
+			},
+			expectedTLSConfig: assert.Nil,
+		},
+		{
+			name: "http endpoint",
+			server: OpAMPServer{
+				HTTP: &httpFields{
+					commonFields: commonFields{
+						Endpoint: "http://example.com",
+					},
+				},
+			},
+			expectedTLSConfig: assert.Nil,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			ctx := context.Background()
+			tlsConfig, err := tt.server.GetTLSConfig(ctx)
+			assert.NoError(t, err)
+			tt.expectedTLSConfig(t, tlsConfig)
+		})
+	}
+}
+
 func TestConfig_Validate(t *testing.T) {
 	type fields struct {
 		Server       *OpAMPServer

extension/opampextension/opamp_agent.go

@@ -120,7 +120,7 @@ func (o *opampAgent) Start(ctx context.Context, host component.Host) error {
 		header.Set(k, string(v))
 	}
 
-	tls, err := o.cfg.Server.GetTLSSetting().LoadTLSConfig(ctx)
+	tls, err := o.cfg.Server.GetTLSConfig(ctx)
 	if err != nil {
 		return err
 	}