fluent / fluent-bit

Fast and Lightweight Logs and Metrics processor for Linux, BSD, OSX and Windows
https://fluentbit.io
Apache License 2.0

Need Fluent-Bit to support reading cert from Windows Certstore #9215

Open duj4 opened 1 month ago

duj4 commented 1 month ago

Is your feature request related to a problem? Please describe. This is not related to a problem but just a feature request.

Describe the solution you'd like In our windows server, the cert is auto-enrolled when the server was provisioned and the private key export is disabled as well for the sake of security. In such case, the only way to refer to the cert is from Windows cert store, but it seems Fluent-Bit does not support this (Fluentd does, https://docs.fluentd.org/output/forward#how-to-connect-to-a-tls-ssl-enabled-server-with-windows-certstore-certificate). Therefore, could it be possible to add this to the existing [OUTPUT] plugins that support TLS in Windows version?

Describe alternatives you've considered We have to generate the cert and key separately and manually, but there are hundreds of servers.

Additional context There are hundreds of Windows servers in our production environment and we have to turn on TLS while sending the logs to Loki. If it does support reading cert from Windows cert store, we have to generate a separate cert/key pair manually (though we are trying to work out a programmatic way for this).
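As an added illustration of the situation described in this request (not code from the issue or from Fluent Bit), the PowerShell below inventories the local machine's personal certificate store and reports whether each certificate's private key is exportable; a non-exportable key is exactly what prevents producing the separate cert/key files that a file-based TLS configuration needs. It assumes it is run as Administrator on Windows with CNG-backed RSA keys, and that the auto-enrolled certificate lives in `Cert:\LocalMachine\My`.

```powershell
# Added example: list certificates with a private key in the given store and
# report whether the key can be exported. Assumption: auto-enrolled server
# certificates are in the LocalMachine\My store (change $StorePath if not).
param(
    [string]$StorePath = 'Cert:\LocalMachine\My'
)

$report = Get-ChildItem -Path $StorePath |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object {
        $cert = $_
        $exportable = $null   # stays $null when the key type/provider is not inspected below
        try {
            # RSACertificateExtensions returns the CNG-backed key; its ExportPolicy
            # reflects the "Allow private key to be exported" enrollment setting.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                $policy = $rsa.Key.ExportPolicy
                $exportable = ($policy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
            }
        } catch {
            # ECDSA keys or legacy CSP providers are not handled here; leave Exportable unknown.
        }
        [PSCustomObject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Exportable = $exportable
        }
    }

$report | Format-Table -AutoSize
```

Certificates reported with Exportable = False cannot be turned into a .pem/.key pair for a file-based TLS setup, which is the gap this request asks Fluent Bit to close by reading the certificate directly from the store.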

cosmo0920 commented 3 weeks ago

We already read certificates from the Root certstore on Windows. You mean that it should be configurable? I wrote a mechanism for reading the certstore on the Fluentd side.

duj4 commented 3 weeks ago

Hi @cosmo0920, thanks for your reply (again).

Let me try to clarify it: In the Loki output plugin, we would like to turn on the TLS function to ensure the transmission's security. However, on Windows FluentBit cannot refer to the cert from the certstore but can only read it from a file. In our environment, the cert/key can only be generated manually, but there are around hundreds of servers. If FluentBit Windows could support this feature, that'll save us from the pain.

cosmo0920 commented 3 weeks ago

> Windows FluentBit cannot refer to the cert from certstore but only read from the file.

For sure, it's not partially correct. This is because we already read the Root certstore on Windows here: https://github.com/fluent/fluent-bit/blob/master/src/tls/openssl.c#L249 This could be used for reading system certificates. To be configurable, we need to provide an interface to specify Windows-specific parameters.

duj4 commented 3 weeks ago

> Windows FluentBit cannot refer to the cert from certstore but only read from the file.
>
> For sure, it's not partially correct. This is because we already read the Root certstore on Windows here: https://github.com/fluent/fluent-bit/blob/master/src/tls/openssl.c#L249 This could be used for reading system certificates. To be configurable, we need to provide an interface to specify Windows-specific parameters.

Yes, that'd be better if there is an interface for the configuration. Thanks @cosmo0920