diff --git a/event-handler/cli.go b/event-handler/cli.go
index cef83a807..3fa48a9bf 100644
--- a/event-handler/cli.go
+++ b/event-handler/cli.go
@@ -38,10 +38,10 @@ type FluentdConfig struct {
 FluentdSessionURL string `help:"fluentd session url" required:"true" env:"FDFWD_FLUENTD_SESSION_URL"`
 // FluentdCert is a path to fluentd cert
- FluentdCert string `help:"fluentd TLS certificate file" required:"true" type:"existingfile" env:"FDWRD_FLUENTD_CERT"`
+ FluentdCert string `help:"fluentd TLS certificate file" type:"existingfile" env:"FDWRD_FLUENTD_CERT"`
 // FluentdKey is a path to fluentd key
- FluentdKey string `help:"fluentd TLS key file" required:"true" type:"existingfile" env:"FDWRD_FLUENTD_KEY"`
+ FluentdKey string `help:"fluentd TLS key file" type:"existingfile" env:"FDWRD_FLUENTD_KEY"`
 // FluentdCA is a path to fluentd CA
 FluentdCA string `help:"fluentd TLS CA file" type:"existingfile" env:"FDWRD_FLUENTD_CA"`
diff --git a/event-handler/fluentd_client.go b/event-handler/fluentd_client.go
index 8f8dfd067..e1a8c6703 100644
--- a/event-handler/fluentd_client.go
+++ b/event-handler/fluentd_client.go
@@ -43,9 +43,15 @@ type FluentdClient struct {
 // NewFluentdClient creates new FluentdClient
 func NewFluentdClient(c *FluentdConfig) (*FluentdClient, error) {
- cert, err := tls.LoadX509KeyPair(c.FluentdCert, c.FluentdKey)
- if err != nil {
- return nil, trace.Wrap(err)
+ var certs []tls.Certificate
+ if c.FluentdCert != "" && c.FluentdKey != "" {
+ cert, err := tls.LoadX509KeyPair(c.FluentdCert, c.FluentdKey)
+ if err != nil {
+ return nil, trace.Wrap(err)
+ }
+ certs = append(certs, cert)
+ } else if c.FluentdCert != "" || c.FluentdKey != "" {
+ return nil, trace.BadParameter("both fluentd_cert and fluentd_key should be specified")
 }
 ca, err := getCertPool(c)
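Review bot: With `required:"true"` dropped from `FluentdCert` and `FluentdKey`, a misspelled environment variable now leaves both fields empty and the handler starts without a client certificate instead of failing at startup. The risk is concrete here because the context line uses the prefix `FDFWD_` for the session URL while the cert, key and CA variables use `FDWRD_`, so an operator who copies the wrong prefix would lose client authentication without any error if the fluentd endpoint does not itself demand a client certificate. The help strings should say that the two flags are optional and must be given together, e.g. `help:"fluentd TLS certificate file (optional, requires the key file)"`. The FluentdConfig struct begins and ends outside this hunk.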
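Review bot: The branch where both `c.FluentdCert` and `c.FluentdKey` are empty is silent: `certs` stays nil and the client is built without client authentication, with nothing in the code or the doc comment saying so. The doc comment should state that the key pair is optional and that without it the connection relies only on verifying the server against `RootCAs`; a comment such as `// No key pair configured: connect without a client certificate.` after the `else if` block would make the fall-through explicit. The error text would read more precisely as `"fluentd_cert and fluentd_key must be specified together"`. NewFluentdClient continues past the end of this hunk.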
@@ -57,7 +63,7 @@ func NewFluentdClient(c *FluentdConfig) (*FluentdClient, error) {
 Transport: &http.Transport{
 TLSClientConfig: &tls.Config{
 RootCAs: ca,
- Certificates: []tls.Certificate{cert},
+ Certificates: certs,
 },
 },
 Timeout: httpTimeout,