
Relax mandatory FluentD's key and cert
There are cases where the upstream service uses other CA certificates
and shares them with other components. When this happens, it's not
possible to configure fluentd to use mTLS.

This commit relaxes the mandatory cert-key usage for fluentD.

Signed-off-by: Tiago Silva <[email protected]>
tigrato committed Oct 10, 2023
1 parent 7c383e8 commit 1dfdc80
Showing 2 changed files with 12 additions and 6 deletions.
4 changes: 2 additions & 2 deletions event-handler/cli.go
Expand Up @@ -38,10 +38,10 @@ type FluentdConfig struct {
FluentdSessionURL string `help:"fluentd session url" required:"true" env:"FDFWD_FLUENTD_SESSION_URL"`

// FluentdCert is a path to fluentd cert
FluentdCert string `help:"fluentd TLS certificate file" required:"true" type:"existingfile" env:"FDWRD_FLUENTD_CERT"`
FluentdCert string `help:"fluentd TLS certificate file" required:"false" type:"existingfile" env:"FDWRD_FLUENTD_CERT"`

// FluentdKey is a path to fluentd key
FluentdKey string `help:"fluentd TLS key file" required:"true" type:"existingfile" env:"FDWRD_FLUENTD_KEY"`
FluentdKey string `help:"fluentd TLS key file" required:"false" type:"existingfile" env:"FDWRD_FLUENTD_KEY"`

// FluentdCA is a path to fluentd CA
FluentdCA string `help:"fluentd TLS CA file" type:"existingfile" env:"FDWRD_FLUENTD_CA"`
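Review bot: The field comments on FluentdCert and FluentdKey above the two `required:"false"` tags still describe the values as plain paths and give no hint that they are now optional, nor that setting only one of them is rejected by the client constructor. Suggest `// FluentdCert is a path to fluentd client cert; optional, but must be set together with FluentdKey` with the mirror wording on FluentdKey, and the same hint in the help strings so the CLI surfaces it. Unrelated to this change but visible here, the cert/key/CA env names use the `FDWRD_` prefix while FluentdSessionURL uses `FDFWD_`; worth confirming that is intentional now that these settings are easier to leave unset by mistake. The FluentdConfig struct starts before and continues after this section.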
14 changes: 10 additions & 4 deletions event-handler/fluentd_client.go
Expand Up @@ -43,9 +43,15 @@ type FluentdClient struct {

// NewFluentdClient creates new FluentdClient
func NewFluentdClient(c *FluentdConfig) (*FluentdClient, error) {
cert, err := tls.LoadX509KeyPair(c.FluentdCert, c.FluentdKey)
if err != nil {
return nil, trace.Wrap(err)
var certs []tls.Certificate
if c.FluentdCert != "" && c.FluentdKey != "" {
cert, err := tls.LoadX509KeyPair(c.FluentdCert, c.FluentdKey)
if err != nil {
return nil, trace.Wrap(err)
}
certs = append(certs, cert)
} else if c.FluentdCert != "" || c.FluentdKey != "" {
return nil, trace.BadParameter("both fluentd_cert and fluentd_key should be specified")
}

ca, err := getCertPool(c)
Expand All @@ -57,7 +63,7 @@ func NewFluentdClient(c *FluentdConfig) (*FluentdClient, error) {
Transport: &http.Transport{
TLSClientConfig: &tls.Config{
RootCAs: ca,
Certificates: []tls.Certificate{cert},
Certificates: certs,
},
},
Timeout: httpTimeout,
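Review bot: When both FluentdCert and FluentdKey are empty, NewFluentdClient now builds a transport with an empty Certificates slice, so the connection silently degrades from mTLS to server-authenticated TLS with nothing at the call site or in the doc comment recording that. The comment `// NewFluentdClient creates new FluentdClient` should state the contract, e.g. `// NewFluentdClient creates a FluentdClient. A client certificate is optional: if both c.FluentdCert and c.FluentdKey are empty the connection uses server-side TLS only; setting exactly one of them is an error.` If this package has a logger in scope, one warning-level line in the no-certificate branch would also let operators see at startup that the forwarder is not presenting a client certificate. The BadParameter text names `fluentd_cert`/`fluentd_key`; if the CLI flags are spelled differently (the env names shown in cli.go are FDWRD_FLUENTD_CERT and FDWRD_FLUENTD_KEY), the message would be clearer if it used the names users actually set. NewFluentdClient continues past both hunks of this section.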
