Relax mandatory FluentD's key and cert (#948)

There are cases where the upstream service uses other CA certificates and shares it with other components. When this happens, it's not possible to configure fluentd to use mTLS. This commit relaxes the mandatory cert-key usage for fluentD. Signed-off-by: Tiago Silva <[email protected]>
gravitational · Oct 10, 2023 · e4be012 · e4be012
1 parent 7c383e8
commit e4be012
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 6 deletions.
diff --git a/event-handler/cli.go b/event-handler/cli.go
@@ -38,10 +38,10 @@ type FluentdConfig struct {
 	FluentdSessionURL string `help:"fluentd session url" required:"true" env:"FDFWD_FLUENTD_SESSION_URL"`
 
 	// FluentdCert is a path to fluentd cert
-	FluentdCert string `help:"fluentd TLS certificate file" required:"true" type:"existingfile" env:"FDWRD_FLUENTD_CERT"`
+	FluentdCert string `help:"fluentd TLS certificate file" type:"existingfile" env:"FDWRD_FLUENTD_CERT"`
 
 	// FluentdKey is a path to fluentd key
-	FluentdKey string `help:"fluentd TLS key file" required:"true" type:"existingfile" env:"FDWRD_FLUENTD_KEY"`
+	FluentdKey string `help:"fluentd TLS key file" type:"existingfile" env:"FDWRD_FLUENTD_KEY"`
 
 	// FluentdCA is a path to fluentd CA
 	FluentdCA string `help:"fluentd TLS CA file" type:"existingfile" env:"FDWRD_FLUENTD_CA"`

diff --git a/event-handler/fluentd_client.go b/event-handler/fluentd_client.go
@@ -43,9 +43,15 @@ type FluentdClient struct {
 
 // NewFluentdClient creates new FluentdClient
 func NewFluentdClient(c *FluentdConfig) (*FluentdClient, error) {
-	cert, err := tls.LoadX509KeyPair(c.FluentdCert, c.FluentdKey)
-	if err != nil {
-		return nil, trace.Wrap(err)
+	var certs []tls.Certificate
+	if c.FluentdCert != "" && c.FluentdKey != "" {
+		cert, err := tls.LoadX509KeyPair(c.FluentdCert, c.FluentdKey)
+		if err != nil {
+			return nil, trace.Wrap(err)
+		}
+		certs = append(certs, cert)
+	} else if c.FluentdCert != "" || c.FluentdKey != "" {
+		return nil, trace.BadParameter("both fluentd_cert and fluentd_key should be specified")
 	}
 
 	ca, err := getCertPool(c)
@@ -57,7 +63,7 @@ func NewFluentdClient(c *FluentdConfig) (*FluentdClient, error) {
 		Transport: &http.Transport{
 			TLSClientConfig: &tls.Config{
 				RootCAs:      ca,
-				Certificates: []tls.Certificate{cert},
+				Certificates: certs,
 			},
 		},
 		Timeout: httpTimeout,