Open duj4 opened 1 month ago
We already read certificates from the Root certstore on Windows. You mean that it should be configurable? I wrote a mechanism for reading the certstore on the Fluentd side.
hi @cosmo0920 , thanks for your reply (again)
Let me try to clarify it: In the Loki output plugin, we would like to turn on the TLS function to secure the transmission. However, on Windows Fluent Bit cannot refer to the cert from the certstore but can only read it from a file. In our environment, the cert/key can only be generated manually, but there are around hundreds of servers. If Fluent Bit on Windows could support this feature, that would save us from the pain.
Windows FluentBit cannot refer to the cert from certstore but only read from the file.
For sure, it's not partially correct. This is because we already read Root certstore on Windows here: https://github.com/fluent/fluent-bit/blob/master/src/tls/openssl.c#L249 This could be used for reading system certificates. To be configurable, we need to provide an interface to specify Windows specific parameters.
Yes, it would be better if there were an interface for the configuration, thanks @cosmo0920
Is your feature request related to a problem? Please describe. This is not related to a problem but just a feature request.
Describe the solution you'd like In our Windows servers, the cert was auto-enrolled when the server was provisioned, and private key export is disabled as well for the sake of security. In such a case, the only way to refer to the cert is from the Windows cert store, but it seems Fluent Bit does not support this (Fluentd does, https://docs.fluentd.org/output/forward#how-to-connect-to-a-tls-ssl-enabled-server-with-windows-certstore-certificate). Therefore, could it be possible to add this to the existing [OUTPUT] plugins that support TLS in the Windows version?
Describe alternatives you've considered We have to generate the cert and key separately and manually, but there are hundreds of servers.
Additional context There are hundreds of Windows servers in our production environment, and we have to turn on TLS while sending the logs to Loki. If it does support reading the cert from the Windows cert store, we have to generate a separate cert/key pair manually (though we are trying to work out a programmatic way for this).
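The situation the reporter describes (an auto-enrolled machine certificate whose private key is marked non-exportable, so no PEM key file can ever be produced for a file-based TLS configuration) can be verified on each host before deciding whether a certstore-backed option is needed. The following PowerShell is an added example, not code from the issue, from Fluent Bit or from Fluentd; it enumerates the LocalMachine\My store and reports, for every certificate with a private key, whether that key is exportable. The store path, the function name and the final filter are assumptions chosen for illustration.

```powershell
# Added example (not from the issue or the fluent-bit project).
# Lists certificates in a Windows store and reports whether each private key
# can be exported. A key with Exportable = False is the case in the issue:
# the cert is usable only through the certstore, never as a key file on disk.
# Store path and function name are assumptions for illustration.

function Get-CertStoreKeyExportability {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My'   # assumed store; adjust as needed
    )

    Get-ChildItem -Path $StorePath |
        Where-Object { $_.HasPrivateKey } |
        ForEach-Object {
            $cert = $_
            $exportable = $null   # stays $null when the key type/provider is not handled
            try {
                # Works for both CNG and legacy CAPI RSA keys; returns $null for non-RSA keys
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    # CNG key: exportability is a policy flag on the key handle
                    $exportable = $rsa.Key.ExportPolicy.HasFlag([System.Security.Cryptography.CngExportPolicies]::AllowExport)
                } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # Legacy CAPI key: exportability is recorded in the CSP container info
                    $exportable = $rsa.CspKeyContainerInfo.Exportable
                }
            } catch {
                # Opening the key handle can fail (e.g. not running elevated); leave as unknown
            }

            [pscustomobject]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Exportable = $exportable
            }
        }
}

# Show only the certificates that could never be turned into a key file
Get-CertStoreKeyExportability |
    Where-Object { $_.Exportable -eq $false } |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session on one of the auto-enrolled servers; the Thumbprint column is the identifier a certstore-aware TLS option would typically need, and a row with Exportable = False confirms that generating a separate cert/key file for that host is not an option. Certificates with non-RSA keys show Exportable as empty because the example only inspects RSA keys.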