fluent-plugin: Add client certificate verification (#1189)

* fluent-plugin: Add client certificate verification

* use OpenSSL::PKey.read to read private key

* remove gem file

fluentd/fluent-plugin-grafana-loki/README.md

@@ -166,6 +166,22 @@ If using the GrafanaLab's hosted Loki, the username needs to be set to your inst
 ### tenant
 Loki is a multi-tenant log storage platform and all requests sent must include a tenant.  For some installations the tenant will be set automatically by an authenticating proxy.  Otherwise you can define a tenant to be passed through.  The tenant can be any string value.
 
+### client certificate verification
+Specify a pair of client certificate and private key with `cert` and `key` if a reverse proxy with client certificate verification is configured in front of Loki. `ca_cert` can also be specified if the server uses custom certificate authority.
+
+```
+<match **>
+  @type loki
+
+  url "https://loki"
+
+  cert /path/to/certificate.pem
+  key /path/to/key.key
+  ca_cert /path/to/ca.pem
+
+  ...
+</match>
+```
 
 ### output format
 Loki is intended to index and group log streams using only a small set of labels.  It is not intended for full-text indexing.  When sending logs to Loki the majority of log message will be sent as a single log "line".

fluentd/fluent-plugin-grafana-loki/fluent-plugin-grafana-loki.gemspec

@@ -4,7 +4,7 @@ $LOAD_PATH.push File.expand_path('lib', __dir__)
 
 Gem::Specification.new do |spec|
   spec.name    = 'fluent-plugin-grafana-loki'
-  spec.version = '1.1.1'
+  spec.version = '1.2.1'
   spec.authors = %w[woodsaj briangann]
   spec.email   = ['[email protected]', '[email protected]']
 

fluentd/fluent-plugin-grafana-loki/lib/fluent/plugin/out_loki.rb

@@ -40,6 +40,13 @@ class LokiOutput < Fluent::Plugin::Output # rubocop:disable Metrics/ClassLength
       config_param :username, :string, default: nil
       config_param :password, :string, default: nil, secret: true
 
+      desc 'Client certificate'
+      config_param :cert, :string, default: nil
+      config_param :key, :string, default: nil
+
+      desc 'TLS'
+      config_param :ca_cert, :string, default: nil
+
       desc 'Loki tenant id'
       config_param :tenant, :string, default: nil
 
@@ -78,6 +85,17 @@ def configure(conf)
         @remove_keys.each do |key|
           @remove_keys_accessors.push(record_accessor_create(key))
         end
+
+        @cert = OpenSSL::X509::Certificate.new(File.read(@cert)) if @cert
+        @key = OpenSSL::PKey.read(File.read(key)) if @key
+
+        if !@key.is_a?(OpenSSL::PKey::RSA) && !@key.is_a?(OpenSSL::PKey::DSA)
+          raise "Unsupported private key type #{key.class}"
+        end
+
+        if !@ca_cert.nil? && !File.exist?(@ca_cert)
+          raise "CA certificate file #{@ca_cert} not found"
+        end
       end
 
       def multi_workers_ready?
@@ -110,6 +128,21 @@ def write(chunk)
         opts = {
           use_ssl: uri.scheme == 'https'
         }
+
+        if !@cert.nil? && !@key.nil?
+          opts = opts.merge(
+            verify_mode: OpenSSL::SSL::VERIFY_PEER,
+            cert: @cert,
+            key: @key
+          )
+        end
+
+        if !@ca_cert.nil?
+          opts = opts.merge(
+            ca_file: @ca_cert
+          )
+        end
+
         log.debug "sending #{req.body.length} bytes to loki"
         res = Net::HTTP.start(uri.hostname, uri.port, **opts) { |http| http.request(req) }
         unless res&.is_a?(Net::HTTPSuccess)