From c1b360e1ca3255779e09932c4c0a459dc7abcf03 Mon Sep 17 00:00:00 2001
From: H0rla
Date: Thu, 17 Aug 2017 18:41:26 +0700
Subject: [PATCH] feat(fluentd): add TLS support to gelf plugin

Add TLS support on the gelf plugin. Update fluent-plugin-gelf-hs gem from 1.0.2 to 1.0.4.
---
 README.md | 6 ++++++
 rootfs/Dockerfile | 2 +-
 rootfs/opt/fluentd/sbin/stores/gelf | 25 ++++++++++++++++++++++---
 3 files changed, 29 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index c70ef50..e2b0800 100644
--- a/README.md
+++ b/README.md
@@ -87,6 +87,12 @@ This plugin allows for `fluentd` to send all log data to a remote graylog endpoi
 * `GELF_HOST=some.host`
 * `GELF_PORT=12201`
 * `GELF_PROTOCOL="udp/tcp"`
+* `GELF_TLS="true/false"`
+* `GELF_TLS_OPTIONS_CERT="-----BEGIN CERTIFICATE-----\n[...]\n-----END CERTIFICATE-----"`
+* `GELF_TLS_OPTIONS_KEY="-----BEGIN PRIVATE KEY-----\n[...]\n-----END PRIVATE KEY-----"`
+* `GELF_TLS_OPTIONS_ALL_CIPHERS="true/false"`
+* `GELF_TLS_OPTIONS_TLS_VERSION=":TLSv1/:TLSv1_1/:TLSv1_2"`
+* `GELF_TLS_OPTIONS_NO_DEFAULT_CA="true/false"`
 ### Deis Output
 Deis output is a custom fluentd plugin that was written to forward data directly to deis components while filtering out data that we did not care about. We have 2 pieces of information we care about currently.
diff --git a/rootfs/Dockerfile b/rootfs/Dockerfile
index bf0e5dc..a9ef2cc 100644
--- a/rootfs/Dockerfile
+++ b/rootfs/Dockerfile
@@ -16,7 +16,7 @@ RUN buildDeps='g++ gcc make ruby-dev'; \
 fluent-gem install --no-document fluent-plugin-elasticsearch -v 1.7.0 && \
 fluent-gem install --no-document fluent-plugin-remote_syslog -v 0.3.2 && \
 fluent-gem install --no-document fluent-plugin-sumologic-mattk42 -v 0.0.4 && \
- fluent-gem install --no-document fluent-plugin-gelf-hs -v 1.0.2 && \
+ fluent-gem install --no-document fluent-plugin-gelf-hs -v 1.0.4 && \
 fluent-gem install --no-document influxdb -v 0.3.2 && \
 fluent-gem install --no-document nsq-ruby -v 1.7.0 && \
 fluent-gem install --local /opt/fluentd/deis-output/pkg/fluent-plugin-deis_output-0.1.0.gem && \
diff --git a/rootfs/opt/fluentd/sbin/stores/gelf b/rootfs/opt/fluentd/sbin/stores/gelf
index 8c958c7..a716512 100755
--- a/rootfs/opt/fluentd/sbin/stores/gelf
+++ b/rootfs/opt/fluentd/sbin/stores/gelf
@@ -5,14 +5,33 @@ then
 echo "Starting fluentd with gelf configuration!"
 GELF_PORT=${GELF_PORT:-12201}
 GELF_PROTOCOL=${GELF_PROTOCOL:-udp}
+ GELF_TLS=${GELF_TLS:-false}
+ GELF_TLS_OPTIONS_TLS_VERSION=${GELF_TLS_OPTIONS_TLS_VERSION:-":TLSv1_2"}
+ GELF_TLS_OPTIONS_NO_DEFAULT_CA=${GELF_TLS_OPTIONS_NO_DEFAULT_CA:-false}
+ GELF_TLS_OPTIONS_ALL_CIPHERS=${GELF_TLS_OPTIONS_ALL_CIPHERS:-false}
+ if [ "$GELF_TLS" == true ] && (! [ -n "$GELF_TLS_OPTIONS_CERT" ] || ! [ -n "$GELF_TLS_OPTIONS_KEY" ])
+ then
+ echo "error: GELF_TLS_OPTIONS_{KEY,CERT} must be both provided"
+ elif [ "$GELF_TLS" == true ]
+ then
+ declare -a arr=("cert" "key" "no_default_ca" "all_ciphers" "tls_version")
+ TLS_OPTIONS=""
+ for element in "${arr[@]}"
+ do
+ tmp="GELF_TLS_OPTIONS_${element^^}"
+ TLS_OPTIONS+='"'$element'":"'${!tmp}'",'
+ done
+ fi
-cat << EOF >> $FLUENTD_CONF
+cat << EOF >> $FLUENTD_CONF
 @type gelf
- host ${GELF_HOST}
+ host '${GELF_HOST}'
 port ${GELF_PORT}
- protocol ${GELF_PROTOCOL}
+ protocol '${GELF_PROTOCOL}'
+ tls ${GELF_TLS}
+ tls_options '{$([ "${GELF_TLS}" == true ] && echo "${TLS_OPTIONS::-1}")}'
 EOF
 fi
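Review bot: The loop that builds `TLS_OPTIONS` wraps every value in double quotes, so `no_default_ca` and `all_ciphers` reach the plugin as the JSON strings "false"/"true" instead of booleans. If fluent-plugin-gelf-hs tests those options for truthiness (not visible in this patch), the default `false` would act as enabled, dropping the default CA store and widening the cipher list on every TLS connection; confirm against 1.0.4, and consider validating the two flags and emitting them unquoted as sketched below. The same concatenation writes `GELF_TLS_OPTIONS_KEY` unescaped into `$FLUENTD_CONF`, so the private key lands in the config file on disk and a quote character in any value corrupts the single-quoted JSON. The missing cert/key branch only echoes its error and the heredoc still writes `tls true`; an `exit 1` after that `echo` (or `return 1` if this file is sourced, which the hunk does not show) would stop fluentd from starting with a configuration the script has just reported as invalid.

```shell
# … unchanged: defaults, cert/key presence check, arr declaration, for/do …
    tmp="GELF_TLS_OPTIONS_${element^^}"
    case "$element" in
      no_default_ca|all_ciphers)
        # Booleans: accept only the two literals and emit them unquoted.
        if [ "${!tmp}" != true ] && [ "${!tmp}" != false ]
        then
          echo "error: $tmp must be true or false" >&2
          exit 1
        fi
        TLS_OPTIONS+='"'$element'":'${!tmp}','
        ;;
      *)
        TLS_OPTIONS+='"'$element'":"'${!tmp}'",'
        ;;
    esac
# … unchanged: done, fi, heredoc …
```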