From 43515713ec0da6e125e334b9773c0e2926ae0d5a Mon Sep 17 00:00:00 2001 From: l1ghtman2k Date: Fri, 1 Mar 2024 12:47:48 -0500 Subject: [PATCH] allow overwriting tls for s3 (usecase: minio cluster access in airgapped system) Signed-off-by: l1ghtman2k --- .../v1alpha2/plugins/output/s3_types.go | 10 +- .../plugins/output/zz_generated.deepcopy.go | 5 + .../fluentbit.fluent.io_clusteroutputs.yaml | 67 +++++++++ .../crds/fluentbit.fluent.io_outputs.yaml | 67 +++++++++ .../fluentbit.fluent.io_clusteroutputs.yaml | 67 +++++++++ .../bases/fluentbit.fluent.io_outputs.yaml | 67 +++++++++ manifests/setup/fluent-operator-crd.yaml | 134 ++++++++++++++++++ manifests/setup/setup.yaml | 134 ++++++++++++++++++ 8 files changed, 550 insertions(+), 1 deletion(-) diff --git a/apis/fluentbit/v1alpha2/plugins/output/s3_types.go b/apis/fluentbit/v1alpha2/plugins/output/s3_types.go index 063499b30..c2e9a925d 100644 --- a/apis/fluentbit/v1alpha2/plugins/output/s3_types.go +++ b/apis/fluentbit/v1alpha2/plugins/output/s3_types.go @@ -63,7 +63,8 @@ type S3 struct { // Integer value to set the maximum number of retries allowed. RetryLimit *int32 `json:"RetryLimit,omitempty"` // Specify an external ID for the STS API, can be used with the role_arn parameter if your role requires an external ID. - ExternalId string `json:"ExternalId,omitempty"` + ExternalId string `json:"ExternalId,omitempty"` + *plugins.TLS `json:"tls,omitempty"` } // Name implement Section() method @@ -153,5 +154,12 @@ func (o *S3) Params(sl plugins.SecretLoader) (*params.KVs, error) { if o.ExternalId != "" { kvs.Insert("external_id", o.ExternalId) } + if o.TLS != nil { + tls, err := o.TLS.Params(sl) + if err != nil { + return nil, err + } + kvs.Merge(tls) + } return kvs, nil } diff --git a/apis/fluentbit/v1alpha2/plugins/output/zz_generated.deepcopy.go b/apis/fluentbit/v1alpha2/plugins/output/zz_generated.deepcopy.go index e61bcfe3f..9911151c5 100644 --- a/apis/fluentbit/v1alpha2/plugins/output/zz_generated.deepcopy.go 
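Review bot: The new embedded `*plugins.TLS` field at the end of the S3 struct is the only field in this hunk without a doc comment, while `RetryLimit` and `ExternalId` directly above it each carry one. Suggest `// TLS settings for the connection to the S3 endpoint (e.g. a private CA for a self-hosted MinIO); see plugins.TLS for the individual options.` Since the CRD hunks in this commit expose both `caFile`/`caPath` and `verify`, the comment could also point users with a private CA at `caFile` rather than `verify`, which keeps certificate validation on for the air-gapped case named in the subject. Embedding instead of naming the field promotes every exported field of plugins.TLS onto S3, so a later S3 field with the same name (for example `Debug`, which the CRD shows TLS already has) would clash; if the other output types in this package embed it the same way that is presumably accepted, otherwise `TLS *plugins.TLS` with the same json tag avoids it without changing the `o.TLS`/`in.TLS` accesses used elsewhere in the commit.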
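Review bot: The error from `o.TLS.Params(sl)` is returned bare, so a failure to resolve the `keyPassword` secret surfaces without saying which part of the S3 output it came from; `return nil, fmt.Errorf("s3 tls: %w", err)` would keep the cause reachable through `%w` while naming the section, unless the rest of Params returns secret-loading errors bare, in which case match that style. The local named `tls` also reads like the `crypto/tls` package and would shadow it if that import were ever added to this file; `tlsKVs, err := o.TLS.Params(sl)` followed by `kvs.Merge(tlsKVs)` avoids the ambiguity. Params's signature appears only in the hunk header and its body starts outside the hunk, so the existing error-handling style could not be checked here.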
+++ b/apis/fluentbit/v1alpha2/plugins/output/zz_generated.deepcopy.go @@ -852,6 +852,11 @@ func (in *S3) DeepCopyInto(out *S3) { *out = new(int32) **out = **in } + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(plugins.TLS) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new S3. diff --git a/charts/fluent-operator/charts/fluent-bit-crds/crds/fluentbit.fluent.io_clusteroutputs.yaml b/charts/fluent-operator/charts/fluent-bit-crds/crds/fluentbit.fluent.io_clusteroutputs.yaml index a05a53050..210383456 100644 --- a/charts/fluent-operator/charts/fluent-bit-crds/crds/fluentbit.fluent.io_clusteroutputs.yaml +++ b/charts/fluent-operator/charts/fluent-bit-crds/crds/fluentbit.fluent.io_clusteroutputs.yaml 
@@ -2542,6 +2542,73 @@ spec: description: Use the S3 PutObject API, instead of the multipart upload API. type: boolean + tls: + description: Fluent Bit provides integrated support for Transport + Layer Security (TLS) and it predecessor Secure Sockets Layer + (SSL) respectively. + properties: + caFile: + description: Absolute path to CA certificate file + type: string + caPath: + description: Absolute path to scan for certificate files + type: string + crtFile: + description: Absolute path to Certificate file + type: string + debug: + description: 'Set TLS debug verbosity level. It accept the + following values: 0 (No debug), 1 (Error), 2 (State change), + 3 (Informational) and 4 Verbose' + enum: + - 0 + - 1 + - 2 + - 3 + - 4 + format: int32 + type: integer + keyFile: + description: Absolute path to private Key file + type: string + keyPassword: + description: Optional password for tls.key_file file + properties: + valueFrom: + description: ValueSource defines how to find a value's + key. + properties: + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + type: object + verify: + description: Force certificate validation + type: boolean + vhost: + description: Hostname to be used for TLS SNI extension + type: string + type: object required: - Bucket - Region 
diff --git a/charts/fluent-operator/charts/fluent-bit-crds/crds/fluentbit.fluent.io_outputs.yaml b/charts/fluent-operator/charts/fluent-bit-crds/crds/fluentbit.fluent.io_outputs.yaml index 383ce7085..c141d1d0b 100644 --- a/charts/fluent-operator/charts/fluent-bit-crds/crds/fluentbit.fluent.io_outputs.yaml +++ b/charts/fluent-operator/charts/fluent-bit-crds/crds/fluentbit.fluent.io_outputs.yaml 
@@ -2542,6 +2542,73 @@ spec: description: Use the S3 PutObject API, instead of the multipart upload API. type: boolean + tls: + description: Fluent Bit provides integrated support for Transport + Layer Security (TLS) and it predecessor Secure Sockets Layer + (SSL) respectively. + properties: + caFile: + description: Absolute path to CA certificate file + type: string + caPath: + description: Absolute path to scan for certificate files + type: string + crtFile: + description: Absolute path to Certificate file + type: string + debug: + description: 'Set TLS debug verbosity level. It accept the + following values: 0 (No debug), 1 (Error), 2 (State change), + 3 (Informational) and 4 Verbose' + enum: + - 0 + - 1 + - 2 + - 3 + - 4 + format: int32 + type: integer + keyFile: + description: Absolute path to private Key file + type: string + keyPassword: + description: Optional password for tls.key_file file + properties: + valueFrom: + description: ValueSource defines how to find a value's + key. + properties: + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + type: object + verify: + description: Force certificate validation + type: boolean + vhost: + description: Hostname to be used for TLS SNI extension + type: string + type: object required: - Bucket - Region diff --git a/config/crd/bases/fluentbit.fluent.io_clusteroutputs.yaml b/config/crd/bases/fluentbit.fluent.io_clusteroutputs.yaml index a05a53050..210383456 100644 
--- a/config/crd/bases/fluentbit.fluent.io_clusteroutputs.yaml +++ b/config/crd/bases/fluentbit.fluent.io_clusteroutputs.yaml @@ -2542,6 +2542,73 @@ spec: description: Use the S3 PutObject API, instead of the multipart upload API. type: boolean + tls: + description: Fluent Bit provides integrated support for Transport + Layer Security (TLS) and it predecessor Secure Sockets Layer + (SSL) respectively. + properties: + caFile: + description: Absolute path to CA certificate file + type: string + caPath: + description: Absolute path to scan for certificate files + type: string + crtFile: + description: Absolute path to Certificate file + type: string + debug: + description: 'Set TLS debug verbosity level. It accept the + following values: 0 (No debug), 1 (Error), 2 (State change), + 3 (Informational) and 4 Verbose' + enum: + - 0 + - 1 + - 2 + - 3 + - 4 + format: int32 + type: integer + keyFile: + description: Absolute path to private Key file + type: string + keyPassword: + description: Optional password for tls.key_file file + properties: + valueFrom: + description: ValueSource defines how to find a value's + key. + properties: + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + type: object + verify: + description: Force certificate validation + type: boolean + vhost: + description: Hostname to be used for TLS SNI extension + type: string + type: object required: - Bucket - Region 
diff --git a/config/crd/bases/fluentbit.fluent.io_outputs.yaml b/config/crd/bases/fluentbit.fluent.io_outputs.yaml index 383ce7085..c141d1d0b 100644 --- a/config/crd/bases/fluentbit.fluent.io_outputs.yaml +++ b/config/crd/bases/fluentbit.fluent.io_outputs.yaml 
@@ -2542,6 +2542,73 @@ spec: description: Use the S3 PutObject API, instead of the multipart upload API. type: boolean + tls: + description: Fluent Bit provides integrated support for Transport + Layer Security (TLS) and it predecessor Secure Sockets Layer + (SSL) respectively. + properties: + caFile: + description: Absolute path to CA certificate file + type: string + caPath: + description: Absolute path to scan for certificate files + type: string + crtFile: + description: Absolute path to Certificate file + type: string + debug: + description: 'Set TLS debug verbosity level. It accept the + following values: 0 (No debug), 1 (Error), 2 (State change), + 3 (Informational) and 4 Verbose' + enum: + - 0 + - 1 + - 2 + - 3 + - 4 + format: int32 + type: integer + keyFile: + description: Absolute path to private Key file + type: string + keyPassword: + description: Optional password for tls.key_file file + properties: + valueFrom: + description: ValueSource defines how to find a value's + key. + properties: + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + type: object + verify: + description: Force certificate validation + type: boolean + vhost: + description: Hostname to be used for TLS SNI extension + type: string + type: object required: - Bucket - Region diff --git a/manifests/setup/fluent-operator-crd.yaml b/manifests/setup/fluent-operator-crd.yaml index d0fb949ae..b3ae9afb5 100644 --- a/manifests/setup/fluent-operator-crd.yaml 
+++ b/manifests/setup/fluent-operator-crd.yaml @@ -5082,6 +5082,73 @@ spec: description: Use the S3 PutObject API, instead of the multipart upload API. type: boolean + tls: + description: Fluent Bit provides integrated support for Transport + Layer Security (TLS) and it predecessor Secure Sockets Layer + (SSL) respectively. + properties: + caFile: + description: Absolute path to CA certificate file + type: string + caPath: + description: Absolute path to scan for certificate files + type: string + crtFile: + description: Absolute path to Certificate file + type: string + debug: + description: 'Set TLS debug verbosity level. It accept the + following values: 0 (No debug), 1 (Error), 2 (State change), + 3 (Informational) and 4 Verbose' + enum: + - 0 + - 1 + - 2 + - 3 + - 4 + format: int32 + type: integer + keyFile: + description: Absolute path to private Key file + type: string + keyPassword: + description: Optional password for tls.key_file file + properties: + valueFrom: + description: ValueSource defines how to find a value's + key. + properties: + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + type: object + verify: + description: Force certificate validation + type: boolean + vhost: + description: Hostname to be used for TLS SNI extension + type: string + type: object required: - Bucket - Region 
@@ -28369,6 +28436,73 @@ spec: description: Use the S3 PutObject API, instead of the multipart upload API. type: boolean + tls: + description: Fluent Bit provides integrated support for Transport + Layer Security (TLS) and it predecessor Secure Sockets Layer + (SSL) respectively. + properties: + caFile: + description: Absolute path to CA certificate file + type: string + caPath: + description: Absolute path to scan for certificate files + type: string + crtFile: + description: Absolute path to Certificate file + type: string + debug: + description: 'Set TLS debug verbosity level. It accept the + following values: 0 (No debug), 1 (Error), 2 (State change), + 3 (Informational) and 4 Verbose' + enum: + - 0 + - 1 + - 2 + - 3 + - 4 + format: int32 + type: integer + keyFile: + description: Absolute path to private Key file + type: string + keyPassword: + description: Optional password for tls.key_file file + properties: + valueFrom: + description: ValueSource defines how to find a value's + key. + properties: + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + type: object + verify: + description: Force certificate validation + type: boolean + vhost: + description: Hostname to be used for TLS SNI extension + type: string + type: object required: - Bucket - Region diff --git a/manifests/setup/setup.yaml b/manifests/setup/setup.yaml index bae33723a..64769f8fd 100644 --- a/manifests/setup/setup.yaml +++ b/manifests/setup/setup.yaml 
@@ -5082,6 +5082,73 @@ spec: description: Use the S3 PutObject API, instead of the multipart upload API. type: boolean + tls: + description: Fluent Bit provides integrated support for Transport + Layer Security (TLS) and it predecessor Secure Sockets Layer + (SSL) respectively. + properties: + caFile: + description: Absolute path to CA certificate file + type: string + caPath: + description: Absolute path to scan for certificate files + type: string + crtFile: + description: Absolute path to Certificate file + type: string + debug: + description: 'Set TLS debug verbosity level. It accept the + following values: 0 (No debug), 1 (Error), 2 (State change), + 3 (Informational) and 4 Verbose' + enum: + - 0 + - 1 + - 2 + - 3 + - 4 + format: int32 + type: integer + keyFile: + description: Absolute path to private Key file + type: string + keyPassword: + description: Optional password for tls.key_file file + properties: + valueFrom: + description: ValueSource defines how to find a value's + key. + properties: + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + type: object + verify: + description: Force certificate validation + type: boolean + vhost: + description: Hostname to be used for TLS SNI extension + type: string + type: object required: - Bucket - Region 
@@ -28369,6 +28436,73 @@ spec: description: Use the S3 PutObject API, instead of the multipart upload API. type: boolean + tls: + description: Fluent Bit provides integrated support for Transport + Layer Security (TLS) and it predecessor Secure Sockets Layer + (SSL) respectively. + properties: + caFile: + description: Absolute path to CA certificate file + type: string + caPath: + description: Absolute path to scan for certificate files + type: string + crtFile: + description: Absolute path to Certificate file + type: string + debug: + description: 'Set TLS debug verbosity level. It accept the + following values: 0 (No debug), 1 (Error), 2 (State change), + 3 (Informational) and 4 Verbose' + enum: + - 0 + - 1 + - 2 + - 3 + - 4 + format: int32 + type: integer + keyFile: + description: Absolute path to private Key file + type: string + keyPassword: + description: Optional password for tls.key_file file + properties: + valueFrom: + description: ValueSource defines how to find a value's + key. + properties: + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + type: object + verify: + description: Force certificate validation + type: boolean + vhost: + description: Hostname to be used for TLS SNI extension + type: string + type: object required: - Bucket - Region