Merge branch 'master' into reed/go1.21.3

event-handler/cli.go

@@ -38,10 +38,10 @@ type FluentdConfig struct {
 	FluentdSessionURL string `help:"fluentd session url" required:"true" env:"FDFWD_FLUENTD_SESSION_URL"`
 
 	// FluentdCert is a path to fluentd cert
-	FluentdCert string `help:"fluentd TLS certificate file" required:"true" type:"existingfile" env:"FDWRD_FLUENTD_CERT"`
+	FluentdCert string `help:"fluentd TLS certificate file" type:"existingfile" env:"FDWRD_FLUENTD_CERT"`
 
 	// FluentdKey is a path to fluentd key
-	FluentdKey string `help:"fluentd TLS key file" required:"true" type:"existingfile" env:"FDWRD_FLUENTD_KEY"`
+	FluentdKey string `help:"fluentd TLS key file" type:"existingfile" env:"FDWRD_FLUENTD_KEY"`
 
 	// FluentdCA is a path to fluentd CA
 	FluentdCA string `help:"fluentd TLS CA file" type:"existingfile" env:"FDWRD_FLUENTD_CA"`

event-handler/fluentd_client.go

@@ -43,9 +43,15 @@ type FluentdClient struct {
 
 // NewFluentdClient creates new FluentdClient
 func NewFluentdClient(c *FluentdConfig) (*FluentdClient, error) {
-	cert, err := tls.LoadX509KeyPair(c.FluentdCert, c.FluentdKey)
-	if err != nil {
-		return nil, trace.Wrap(err)
+	var certs []tls.Certificate
+	if c.FluentdCert != "" && c.FluentdKey != "" {
+		cert, err := tls.LoadX509KeyPair(c.FluentdCert, c.FluentdKey)
+		if err != nil {
+			return nil, trace.Wrap(err)
+		}
+		certs = append(certs, cert)
+	} else if c.FluentdCert != "" || c.FluentdKey != "" {
+		return nil, trace.BadParameter("both fluentd_cert and fluentd_key should be specified")
 	}
 
 	ca, err := getCertPool(c)
@@ -57,7 +63,7 @@ func NewFluentdClient(c *FluentdConfig) (*FluentdClient, error) {
 		Transport: &http.Transport{
 			TLSClientConfig: &tls.Config{
 				RootCAs:      ca,
-				Certificates: []tls.Certificate{cert},
+				Certificates: certs,
 			},
 		},
 		Timeout: httpTimeout,