Merge pull request #1011 from antrema/418_elastic_output_ssl_verify
fix: Add SSL/TLS settings feature for fluentd output Elasticsearch #418
benjaminhuo authored Dec 11, 2023
2 parents 965a267 + fe5ef44 commit 773687c
Showing 9 changed files with 399 additions and 0 deletions.
10 changes: 10 additions & 0 deletions apis/fluentd/v1alpha1/plugins/output/es.go
@@ -26,4 +26,14 @@ type Elasticsearch struct {
User *plugins.Secret `json:"user,omitempty"`
// Optional, The login credentials to connect to Elasticsearch
Password *plugins.Secret `json:"password,omitempty"`
// Optional, Force certificate validation
SslVerify *bool `json:"sslVerify,omitempty"`
// Optional, Absolute path to CA certificate file
CAFile *string `json:"caFile,omitempty"`
// Optional, Absolute path to client Certificate file
ClientCert *string `json:"clientCert,omitempty"`
// Optional, Absolute path to client private Key file
ClientKey *string `json:"clientKey,omitempty"`
// Optional, password for ClientKey file
ClientKeyPassword *plugins.Secret `json:"clientKeyPassword,omitempty"`
}
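Review bot: The comment on `SslVerify` says "Force certificate validation" but does not tell a user what `false` does or what applies when the field is left unset, and the CRD descriptions and docs/plugins/fluentd/output/es.md in this commit repeat the same text. Setting it to `false` presumably turns off verification of the Elasticsearch server certificate, which leaves the log stream open to interception, so I would word it as `// Optional, verify the Elasticsearch server certificate. Setting this to false disables verification; leave unset to keep the plugin default.` The `CAFile`, `ClientCert` and `ClientKey` comments should also say that the paths are read inside the Fluentd container, since nothing visible in this commit mounts those files.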
24 changes: 24 additions & 0 deletions apis/fluentd/v1alpha1/plugins/output/types.go
@@ -405,6 +405,30 @@ func (o *Output) elasticsearchPlugin(parent *params.PluginStore, loader plugins.
parent.InsertPairs("password", pwd)
}

if o.Elasticsearch.SslVerify != nil {
parent.InsertPairs("ssl_verify", fmt.Sprint(*o.Elasticsearch.SslVerify))
}

if o.Elasticsearch.CAFile != nil {
parent.InsertPairs("ca_file", fmt.Sprint(*o.Elasticsearch.CAFile))
}

if o.Elasticsearch.ClientCert != nil {
parent.InsertPairs("client_cert", fmt.Sprint(*o.Elasticsearch.ClientCert))
}

if o.Elasticsearch.ClientKey != nil {
parent.InsertPairs("client_key", fmt.Sprint(*o.Elasticsearch.ClientKey))
}

if o.Elasticsearch.ClientKeyPassword != nil {
pwd, err := loader.LoadSecret(*o.Elasticsearch.ClientKeyPassword)
if err != nil {
return nil, err
}
parent.InsertPairs("client_key_pass", pwd)
}

if o.Elasticsearch.Scheme != nil {
parent.InsertPairs("scheme", fmt.Sprint(*o.Elasticsearch.Scheme))
}
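Review bot: `client_cert` and `client_key` are emitted independently, so an Output that sets only one of `clientCert`/`clientKey` renders a config that cannot perform client authentication, and the mistake likely surfaces only when Fluentd starts or connects. A guard before the two inserts would reject it at render time: `if (o.Elasticsearch.ClientCert == nil) != (o.Elasticsearch.ClientKey == nil) { return nil, errors.New("clientCert and clientKey must be set together") }` (this needs the `errors` import if the file does not already have it). The `fmt.Sprint` around the three `*string` values is also unnecessary; `parent.InsertPairs("ca_file", *o.Elasticsearch.CAFile)` is enough, assuming InsertPairs takes a string as the `pwd` calls suggest. elasticsearchPlugin begins and ends outside this hunk.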
@@ -539,6 +539,48 @@ spec:
elasticsearch:
description: out_es plugin
properties:
caFile:
description: Optional, Absolute path to CA certificate file
type: string
clientCert:
description: Optional, Absolute path to client Certificate
file
type: string
clientKey:
description: Optional, Absolute path to client private Key
file
type: string
clientKeyPassword:
description: Optional, password for ClientKey file
properties:
valueFrom:
description: ValueSource defines how to find a value's
key.
properties:
secretKeyRef:
description: Selects a key of a secret in the pod's
namespace
properties:
key:
description: The key of the secret to select
from. Must be a valid secret key.
type: string
name:
description: 'Name of the referent. More info:
https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion,
kind, uid?'
type: string
optional:
description: Specify whether the Secret or its
key must be defined
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
type: object
type: object
host:
description: 'The hostname of your Elasticsearch node (default:
localhost).'
@@ -608,6 +650,9 @@ spec:
description: 'Specify https if your Elasticsearch endpoint
supports SSL (default: http).'
type: string
sslVerify:
description: Optional, Force certificate validation
type: boolean
user:
description: Optional, The login credentials to connect
to Elasticsearch
@@ -539,6 +539,48 @@ spec:
elasticsearch:
description: out_es plugin
properties:
caFile:
description: Optional, Absolute path to CA certificate file
type: string
clientCert:
description: Optional, Absolute path to client Certificate
file
type: string
clientKey:
description: Optional, Absolute path to client private Key
file
type: string
clientKeyPassword:
description: Optional, password for ClientKey file
properties:
valueFrom:
description: ValueSource defines how to find a value's
key.
properties:
secretKeyRef:
description: Selects a key of a secret in the pod's
namespace
properties:
key:
description: The key of the secret to select
from. Must be a valid secret key.
type: string
name:
description: 'Name of the referent. More info:
https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion,
kind, uid?'
type: string
optional:
description: Specify whether the Secret or its
key must be defined
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
type: object
type: object
host:
description: 'The hostname of your Elasticsearch node (default:
localhost).'
@@ -608,6 +650,9 @@ spec:
description: 'Specify https if your Elasticsearch endpoint
supports SSL (default: http).'
type: string
sslVerify:
description: Optional, Force certificate validation
type: boolean
user:
description: Optional, The login credentials to connect
to Elasticsearch
45 changes: 45 additions & 0 deletions config/crd/bases/fluentd.fluent.io_clusteroutputs.yaml
@@ -539,6 +539,48 @@ spec:
elasticsearch:
description: out_es plugin
properties:
caFile:
description: Optional, Absolute path to CA certificate file
type: string
clientCert:
description: Optional, Absolute path to client Certificate
file
type: string
clientKey:
description: Optional, Absolute path to client private Key
file
type: string
clientKeyPassword:
description: Optional, password for ClientKey file
properties:
valueFrom:
description: ValueSource defines how to find a value's
key.
properties:
secretKeyRef:
description: Selects a key of a secret in the pod's
namespace
properties:
key:
description: The key of the secret to select
from. Must be a valid secret key.
type: string
name:
description: 'Name of the referent. More info:
https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion,
kind, uid?'
type: string
optional:
description: Specify whether the Secret or its
key must be defined
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
type: object
type: object
host:
description: 'The hostname of your Elasticsearch node (default:
localhost).'
@@ -608,6 +650,9 @@ spec:
description: 'Specify https if your Elasticsearch endpoint
supports SSL (default: http).'
type: string
sslVerify:
description: Optional, Force certificate validation
type: boolean
user:
description: Optional, The login credentials to connect
to Elasticsearch
45 changes: 45 additions & 0 deletions config/crd/bases/fluentd.fluent.io_outputs.yaml
@@ -539,6 +539,48 @@ spec:
elasticsearch:
description: out_es plugin
properties:
caFile:
description: Optional, Absolute path to CA certificate file
type: string
clientCert:
description: Optional, Absolute path to client Certificate
file
type: string
clientKey:
description: Optional, Absolute path to client private Key
file
type: string
clientKeyPassword:
description: Optional, password for ClientKey file
properties:
valueFrom:
description: ValueSource defines how to find a value's
key.
properties:
secretKeyRef:
description: Selects a key of a secret in the pod's
namespace
properties:
key:
description: The key of the secret to select
from. Must be a valid secret key.
type: string
name:
description: 'Name of the referent. More info:
https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion,
kind, uid?'
type: string
optional:
description: Specify whether the Secret or its
key must be defined
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
type: object
type: object
host:
description: 'The hostname of your Elasticsearch node (default:
localhost).'
@@ -608,6 +650,9 @@ spec:
description: 'Specify https if your Elasticsearch endpoint
supports SSL (default: http).'
type: string
sslVerify:
description: Optional, Force certificate validation
type: boolean
user:
description: Optional, The login credentials to connect
to Elasticsearch
5 changes: 5 additions & 0 deletions docs/plugins/fluentd/output/es.md
@@ -15,3 +15,8 @@ Elasticsearch defines the parameters for out_es output plugin
| logstashPrefix | LogstashPrefix defines the logstash prefix index name to write events when logstash_format is true (default: logstash). | *string |
| user | Optional, The login credentials to connect to Elasticsearch | *[plugins.Secret](../secret.md) |
| password | Optional, The login credentials to connect to Elasticsearch | *[plugins.Secret](../secret.md) |
| sslVerify | Optional, Force certificate validation | *bool |
| caFile | Optional, Absolute path to CA certificate file | *string |
| clientCert | Optional, Absolute path to client Certificate file | *string |
| clientKey | Optional, Absolute path to client private Key file | *string |
| clientKeyPassword | Optional, password for ClientKey file | *[plugins.Secret](../secret.md) |