From e4be012b7d09723f83f77d0a354c76d222245fce Mon Sep 17 00:00:00 2001
From: Tiago Silva
Date: Tue, 10 Oct 2023 21:32:48 +0100
Subject: [PATCH] Relax mandatory FluentD's key and cert (#948)

There are cases where the upstream service uses other CA certificates and shares it with other components. When this happens, it's not possible to configure fluentd to use mTLS.

This commit relaxes the mandatory cert-key usage for fluentD.

Signed-off-by: Tiago Silva
---
 event-handler/cli.go | 4 ++--
 event-handler/fluentd_client.go | 14 ++++++++++----
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/event-handler/cli.go b/event-handler/cli.go
index cef83a807..3fa48a9bf 100644
--- a/event-handler/cli.go
+++ b/event-handler/cli.go
@@ -38,10 +38,10 @@ type FluentdConfig struct {
 FluentdSessionURL string `help:"fluentd session url" required:"true" env:"FDFWD_FLUENTD_SESSION_URL"`
 
 // FluentdCert is a path to fluentd cert
-FluentdCert string `help:"fluentd TLS certificate file" required:"true" type:"existingfile" env:"FDWRD_FLUENTD_CERT"`
+FluentdCert string `help:"fluentd TLS certificate file" type:"existingfile" env:"FDWRD_FLUENTD_CERT"`
 
 // FluentdKey is a path to fluentd key
-FluentdKey string `help:"fluentd TLS key file" required:"true" type:"existingfile" env:"FDWRD_FLUENTD_KEY"`
+FluentdKey string `help:"fluentd TLS key file" type:"existingfile" env:"FDWRD_FLUENTD_KEY"`
 
 // FluentdCA is a path to fluentd CA
 FluentdCA string `help:"fluentd TLS CA file" type:"existingfile" env:"FDWRD_FLUENTD_CA"`
diff --git a/event-handler/fluentd_client.go b/event-handler/fluentd_client.go
index 8f8dfd067..e1a8c6703 100644
--- a/event-handler/fluentd_client.go
+++ b/event-handler/fluentd_client.go
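Review bot: The field comments `// FluentdCert is a path to fluentd cert` and `// FluentdKey is a path to fluentd key` still describe the pair as if it were unconditional, while dropping `required:"true"` makes both optional and leaves the pairing rule (set both or neither, enforced later in NewFluentdClient) invisible in the generated help. I would document the new contract on the fields, e.g. `// FluentdCert is a path to the fluentd client certificate; optional, but must be set together with FluentdKey. When both are empty no client certificate is presented, i.e. mTLS to fluentd is disabled.` with the mirror wording on FluentdKey, and add the same caveat to the two `help:` strings so an operator sees it at the CLI. This matters operationally because an unset `FDWRD_FLUENTD_CERT` or `FDWRD_FLUENTD_KEY` no longer fails startup but quietly downgrades the connection to server-only TLS.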
@@ -43,9 +43,15 @@ type FluentdClient struct {
 
 // NewFluentdClient creates new FluentdClient
 func NewFluentdClient(c *FluentdConfig) (*FluentdClient, error) {
-cert, err := tls.LoadX509KeyPair(c.FluentdCert, c.FluentdKey)
-if err != nil {
-return nil, trace.Wrap(err)
+var certs []tls.Certificate
+if c.FluentdCert != "" && c.FluentdKey != "" {
+cert, err := tls.LoadX509KeyPair(c.FluentdCert, c.FluentdKey)
+if err != nil {
+return nil, trace.Wrap(err)
+}
+certs = append(certs, cert)
+} else if c.FluentdCert != "" || c.FluentdKey != "" {
+return nil, trace.BadParameter("both fluentd_cert and fluentd_key should be specified")
 }
 
 ca, err := getCertPool(c)
@@ -57,7 +63,7 @@ func NewFluentdClient(c *FluentdConfig) (*FluentdClient, error) {
 Transport: &http.Transport{
 TLSClientConfig: &tls.Config{
 RootCAs: ca,
-Certificates: []tls.Certificate{cert},
+Certificates: certs,
 },
 },
 Timeout: httpTimeout,
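Review bot: With both FluentdCert and FluentdKey empty, NewFluentdClient now builds a transport that presents no client certificate, and nothing in the hunk records that choice, so a deployment that used to fail at `tls.LoadX509KeyPair` now starts and either fails at the first request or, if fluentd does not demand client auth, silently runs without mTLS; a log line at construction when `certs` is empty would make the downgrade visible, though the package's logger is not in view here. The `else if` mismatch check also sits after the happy path; hoisting it as a guard, `if (c.FluentdCert == "") != (c.FluentdKey == "") { return nil, trace.BadParameter(...) }`, makes the pairing rule the first thing a reader sees and drops a level of nesting. The message names `fluentd_cert`/`fluentd_key`, which does not match the Go field or env names visible in cli.go; whether it matches the CLI flag names cannot be checked from this diff. NewFluentdClient continues past the end of the hunk, and the `Certificates: certs` line in the second hunk needs nothing further.
```go
func NewFluentdClient(c *FluentdConfig) (*FluentdClient, error) {
	// A client certificate is optional, but cert and key are only valid as a pair.
	if (c.FluentdCert == "") != (c.FluentdKey == "") {
		return nil, trace.BadParameter("both fluentd_cert and fluentd_key should be specified")
	}
	var certs []tls.Certificate
	if c.FluentdCert != "" {
		cert, err := tls.LoadX509KeyPair(c.FluentdCert, c.FluentdKey)
		if err != nil {
			return nil, trace.Wrap(err)
		}
		certs = append(certs, cert)
	}
	// … unchanged: getCertPool call and http.Client construction …
```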