From 1dfdc80adc93622849b56e95029418fe6a7658d0 Mon Sep 17 00:00:00 2001
From: Tiago Silva
Date: Tue, 10 Oct 2023 20:45:41 +0100
Subject: [PATCH] Relax mandatory FluentD's key and cert

There are cases where the upstream service uses other CA certificates and shares it with other components. When this happens, it's not possible to configure fluentd to use mTLS. This commit relaxes the mandatory cert-key usage for fluentD.

Signed-off-by: Tiago Silva
---
 event-handler/cli.go | 4 ++--
 event-handler/fluentd_client.go | 14 ++++++++++----
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/event-handler/cli.go b/event-handler/cli.go
index cef83a807..111e691ab 100644
--- a/event-handler/cli.go
+++ b/event-handler/cli.go
@@ -38,10 +38,10 @@ type FluentdConfig struct {
 	FluentdSessionURL string `help:"fluentd session url" required:"true" env:"FDFWD_FLUENTD_SESSION_URL"`
 
 	// FluentdCert is a path to fluentd cert
-	FluentdCert string `help:"fluentd TLS certificate file" required:"true" type:"existingfile" env:"FDWRD_FLUENTD_CERT"`
+	FluentdCert string `help:"fluentd TLS certificate file" required:"false" type:"existingfile" env:"FDWRD_FLUENTD_CERT"`
 
 	// FluentdKey is a path to fluentd key
-	FluentdKey string `help:"fluentd TLS key file" required:"true" type:"existingfile" env:"FDWRD_FLUENTD_KEY"`
+	FluentdKey string `help:"fluentd TLS key file" required:"false" type:"existingfile" env:"FDWRD_FLUENTD_KEY"`
 
 	// FluentdCA is a path to fluentd CA
 	FluentdCA string `help:"fluentd TLS CA file" type:"existingfile" env:"FDWRD_FLUENTD_CA"`
diff --git a/event-handler/fluentd_client.go b/event-handler/fluentd_client.go
index 8f8dfd067..e1a8c6703 100644
--- a/event-handler/fluentd_client.go
+++ b/event-handler/fluentd_client.go
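Review bot: The help strings on the two changed FluentdCert and FluentdKey lines still read as if each file were independently optional, while the client only accepts them as a pair and rejects one without the other, so `--help` and the env-var documentation now under-describe the contract; `help:"fluentd TLS client certificate file; optional, but must be set together with the key file"` (and the mirror wording on FluentdKey) would surface the pairing at parse time. The field comments `// FluentdCert is a path to fluentd cert` and `// FluentdKey is a path to fluentd key` could likewise note that leaving both empty means no client certificate is presented to fluentd, i.e. the connection is then server-authenticated only. The FluentdConfig struct continues outside the hunk.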
@@ -43,9 +43,15 @@ type FluentdClient struct {
 
 // NewFluentdClient creates new FluentdClient
 func NewFluentdClient(c *FluentdConfig) (*FluentdClient, error) {
-	cert, err := tls.LoadX509KeyPair(c.FluentdCert, c.FluentdKey)
-	if err != nil {
-		return nil, trace.Wrap(err)
+	var certs []tls.Certificate
+	if c.FluentdCert != "" && c.FluentdKey != "" {
+		cert, err := tls.LoadX509KeyPair(c.FluentdCert, c.FluentdKey)
+		if err != nil {
+			return nil, trace.Wrap(err)
+		}
+		certs = append(certs, cert)
+	} else if c.FluentdCert != "" || c.FluentdKey != "" {
+		return nil, trace.BadParameter("both fluentd_cert and fluentd_key should be specified")
 	}
 
 	ca, err := getCertPool(c)
@@ -57,7 +63,7 @@ func NewFluentdClient(c *FluentdConfig) (*FluentdClient, error) {
 		Transport: &http.Transport{
 			TLSClientConfig: &tls.Config{
 				RootCAs: ca,
-				Certificates: []tls.Certificate{cert},
+				Certificates: certs,
 			},
 		},
 		Timeout: httpTimeout,
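Review bot: When both FluentdCert and FluentdKey are empty the new `if` chain leaves certs nil and the client quietly falls back to server-authenticated TLS, yet nothing in NewFluentdClient records or documents that downgrade; the comment `// NewFluentdClient creates new FluentdClient` in the hunk's leading context should become something like `// NewFluentdClient creates a FluentdClient; a client certificate is presented only when both FluentdCert and FluentdKey are set, otherwise the connection relies on RootCAs alone`, and a log line in the empty case would let an operator notice an unintended loss of mTLS. The `trace.BadParameter` text names `fluentd_cert` and `fluentd_key`, presumably the config-file keys; since the same fields are also fed from FDWRD_FLUENTD_CERT and FDWRD_FLUENTD_KEY, naming both forms would save a reader a lookup. The function body continues past the hunk; the RootCAs/Certificates assignment it feeds is in the following hunk.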