Support TLS configuration with k8s.io/tls secrets

Modify the custom resources to optionally support specifying the certificate and key for each service using a secret of type `kubernetes.io/tls`.The pre-existing method of configuration, using a `Secret` that contained both cert/key pairs plus the CA cert remains the default. Also update the helm charts to optional support the new type of configuration. Fixes: kube-logging#133
xinjixi · Sep 5, 2019 · ef29224 · ef29224
1 parent 4e74e36
commit ef29224
Show file tree

Hide file tree

Showing 15 changed files with 194 additions and 56 deletions.
diff --git a/charts/logging-operator-fluent/README.md b/charts/logging-operator-fluent/README.md
@@ -24,14 +24,15 @@ This chart applies Fluentd and Fluent-bit custom resources to [Logging Operator]
 |                      Parameter                      |                        Description                     |             Default            |
 | --------------------------------------------------- | ------------------------------------------------------ | ------------------------------ |
 | `tls.enabled`                                       | Enabled TLS communication between components           | true                           |
-| `tls.secretName`                                    | Specified secret name, which contain tls certs         | This will overwrite automatic Helm certificate generation. |
+| `tls.secretName`                                    | Specified generic secret name, which contain tls certs | This will overwrite automatic Helm certificate generation and overrides `fluentbit.tlsSecret` and `fluentd.tlsSecret`. |
 | `tls.sharedKey`                                     | Shared key between nodes (fluentd-fluentbit)           | [autogenerated]                |
 | `fluentbit.enabled`                                 | Install fluent-bit                                     | true                           |
 | `fluentbit.namespace`                               | Specified fluentbit installation namespace             | same as operator namespace     |
-| `fluentbit.image.tag`                               | Fluentbit container image tag                          | `1.1.3`                       |
+| `fluentbit.image.tag`                               | Fluentbit container image tag                          | `1.1.3`                        |
 | `fluentbit.image.repository`                        | Fluentbit container image repository                   | `fluent/fluent-bit`            |
 | `fluentbit.image.pullPolicy`                        | Fluentbit container pull policy                        | `IfNotPresent`                 |
 | `fluentbit.tolerations`                             | Fluentbit tolerations                                  | `nil`                          |
+| `fluentbit.tlsSecret`                               | Secret name that contains Fluentbit TLS client cert    | Ignored if `tls.secretName` is specified. Must refer to a secret of type `kubernetes.io/tls` |
 | `fluentd.enabled`                                   | Install fluentd                                        | true                           |
 | `fluentd.namespace`                                 | Specified fluentd installation namespace               | same as operator namespace     |
 | `fluentd.image.tag`                                 | Fluentd container image tag                            | `v1.5.0`                       |
@@ -46,4 +47,5 @@ This chart applies Fluentd and Fluent-bit custom resources to [Logging Operator]
 | `fluentd.fluentdPvcSpec.accessModes`                | Fluentd persistence volume access modes                | `[ReadWriteOnce]`              |
 | `fluentd.fluentdPvcSpec.resources.requests.storage` | Fluentd persistence volume size                        | `21Gi`                         |
 | `fluentd.tolerations`                               | Fluentd tolerations                                    | `nil`                          |
+| `fluentd.tlsSecret`                                 | Secret name that contains Fluentd TLS client cert      | Ignored if `tls.secretName` is specified. Must refer to a secret of type `kubernetes.io/tls`. |
 | `psp.enabled`                                       | Install PodSecurityPolicy                              | `false`                        |
diff --git a/charts/logging-operator-fluent/templates/fluentbit-cr.yaml b/charts/logging-operator-fluent/templates/fluentbit-cr.yaml
@@ -1,4 +1,5 @@
 {{- if .Values.fluentbit.enabled }}
+{{ $fluentbitUseGenericSecret := or .Values.tls.secretName (not .Values.fluentbit.tlsSecret ) }}
 apiVersion: logging.banzaicloud.com/v1alpha1
 kind: Fluentbit
 metadata:
@@ -21,6 +22,12 @@ spec:
   {{- end }}
   tls:
     enabled: {{ .Values.tls.enabled }}
+{{- if $fluentbitUseGenericSecret }}
     secretName: {{ .Values.tls.secretName | default (include "logging-operator-fluent.fullname" .) }}
+    secretType: generic
+{{- else }}
+    secretName: {{ .Values.fluentbit.tlsSecret }}
+    secretType: tls
+{{- end }}
     sharedKey: {{ .Values.tls.sharedKey | default (derivePassword 1 "long" (.Release.Time | toString) .Release.Name .Chart.Name ) | b64enc | quote }}
 {{ end }}
diff --git a/charts/logging-operator-fluent/templates/fluentd-cr.yaml b/charts/logging-operator-fluent/templates/fluentd-cr.yaml
@@ -1,4 +1,5 @@
 {{- if .Values.fluentd.enabled }}
+{{ $fluentdUseGenericSecret := or .Values.tls.secretName (not .Values.fluentd.tlsSecret) }}
 apiVersion: logging.banzaicloud.com/v1alpha1
 kind: Fluentd
 metadata:
@@ -24,7 +25,13 @@ spec:
   {{- end }}
   tls:
     enabled: {{ .Values.tls.enabled }}
+{{- if $fluentdUseGenericSecret }}
     secretName: {{ .Values.tls.secretName | default (include "logging-operator-fluent.fullname" .) }}
+    secretType: generic
+{{- else }}
+    secretName: {{ .Values.fluentd.tlsSecret }}
+    secretType: tls
+{{- end }}
     sharedKey: {{ .Values.tls.sharedKey | default (derivePassword 1 "long" (.Release.Time | toString) .Release.Name .Chart.Name ) | b64enc | quote }}
   serviceType: {{ .Values.fluentd.serviceType | default "ClusterIP" | quote }}
 {{ end }}
diff --git a/charts/logging-operator-fluent/templates/secret.yaml b/charts/logging-operator-fluent/templates/secret.yaml
@@ -7,10 +7,10 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ template "logging-operator.fullname" . }}
+  name: {{ template "logging-operator-fluent.fullname" . }}
   labels:
-    app.kubernetes.io/name: {{ include "logging-operator.name" . }}
-    helm.sh/chart: {{ include "logging-operator.chart" . }}
+    app.kubernetes.io/name: {{ include "logging-operator-fluent.name" . }}
+    helm.sh/chart: {{ include "logging-operator-fluent.chart" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
 data:

diff --git a/charts/logging-operator-fluent/values.yaml b/charts/logging-operator-fluent/values.yaml
@@ -15,6 +15,7 @@ fluentbit:
     tag: "1.1.3"
     repository: "fluent/fluent-bit"
     pullPolicy: "IfNotPresent"
+  tlsSecret: ""
 
 fluentd:
   enabled: true
@@ -38,6 +39,7 @@ fluentd:
     resources:
       requests:
         storage: 21Gi
+  tlsSecret: ""
 
 psp:
   enabled: false
diff --git a/docs/examples/tls.md b/docs/examples/tls.md
@@ -0,0 +1,101 @@
+
+# TLS Configuration
+
+To configure TLS for Fluentd and Fluentbit the operator needs TLS certificates
+set via the Fluentd and Fluentbit Custom Resources respectively. This can be
+done in two ways:
+
+## Generic Opaque secret (default)
+
+Create a secret like this:
+
+```
+apiVersion: v1
+data:
+  caCert: ...
+  clientCert: ...
+  clientKey: ...
+  serverCert: ...
+  serverKey: ...
+kind: Secret
+metadata:
+  name: something-something-tls
+type: Opaque
+```
+
+Note that we are providing three certificates in the same secret, one for
+Fluentd (`serverCert`), one for Fluentbit (`clientCert`), and the CA
+certificate (`caCert`).
+
+Then in your custom resource configure like this:
+
+```
+apiVersion: logging.banzaicloud.com/v1alpha1
+kind: Fluentd/Fluentbit
+metadata:
+  name: my-fluent-thing
+spec:
+  ...
+  tls:
+    enabled: true
+    secretName: something-something-tls
+    sharedKey: changeme
+```
+
+
+## `kubernetes.io/tls`
+
+The alternative is if your certificates are in secrets of type `kubernetes.io/tls`, e.g.
+
+```
+apiVersion: v1
+data:
+  ca.crt: LS0tLS1...
+  tls.crt: LS0tLS1...
+  tls.key: LS0tLS1...
+kind: Secret
+metadata:
+  name: something-something-tls
+type: kubernetes.io/tls
+```
+
+Then configure your custom resources like this:
+
+```
+apiVersion: logging.banzaicloud.com/v1alpha1
+kind: Fluentd/Fluentbit
+metadata:
+  name: my-fluent-thing
+spec:
+  ...
+  tls:
+    enabled: true
+    secretName: something-something-tls
+    secretType: tls
+    sharedKey: changeme
+```
+
+Note: in this case we can use the same secret for both Fluentbit and Fluentd,
+or create separate secrets for each.
+
+Note: the secret's data include the CA certificate, which is in-line with the
+structure created by [jetstack/cert-manager](https://github.com/jetstack/cert-manager/).
+
+## Usage with the helm chart
+
+For the generic Opaque secret just set `tls.enabled=True` and optionally provide the `tls.secretName` value to use your own certificates (instead of the automatically generated ones from the chart).
+
+For `kubernetes.io/tls` install `logging-operator-fluent` with a `values.yaml` like this:
+
+```
+tls:
+  enabled: true
+
+fluentbit:
+  tlsSecret: something-something-tls
+
+fluentd:
+  tlsSecret: otherthing-otherthing-tls
+```
+
+For more information see the helm chart's [README.md](https://github.com/banzaicloud/logging-operator/blob/master/charts/logging-operator-fluent/README.md).
diff --git a/docs/plugins/forward.md b/docs/plugins/forward.md
@@ -5,6 +5,9 @@
 | pattern | - |  |
 | clientHostname | fluentd.client |  |
 | tlsSharedKey |  |  |
+| tlsCACertFilel | fluentd/tls/caCert |  |
+| tlsCertFile | fluentd/tls/clientCert |  |
+| tlsKeyFile | /fluentd/tls/clientKey |  |
 | name | target |  |
 | host | - |  |
 | port | - |  |
@@ -26,9 +29,9 @@
   {{ if not (eq .tlsSharedKey "") -}}
   transport tls
   tls_version TLSv1_2
-  tls_cert_path                /fluentd/tls/caCert
-  tls_client_cert_path         /fluentd/tls/clientCert
-  tls_client_private_key_path  /fluentd/tls/clientKey
+  tls_cert_path                {{ .tlsCACertFile }}
+  tls_client_cert_path         {{ .tlsCertFile }}
+  tls_client_private_key_path  {{ .tlsKeyFile }}
   <security>
     self_hostname           {{ .clientHostname }}
     shared_key              {{ .tlsSharedKey }}

diff --git a/pkg/apis/logging/v1alpha1/fluentbit_types.go b/pkg/apis/logging/v1alpha1/fluentbit_types.go
@@ -44,6 +44,7 @@ type FluentbitSpec struct {
 type FluentbitTLS struct {
 	Enabled    bool   `json:"enabled"`
 	SecretName string `json:"secretName"`
+	SecretType string `json:"secretType,omitempty"`
 	SharedKey  string `json:"sharedKey"`
 }
 

diff --git a/pkg/apis/logging/v1alpha1/fluentd_types.go b/pkg/apis/logging/v1alpha1/fluentd_types.go
@@ -48,6 +48,7 @@ type FluentdSpec struct {
 type FluentdTLS struct {
 	Enabled    bool   `json:"enabled"`
 	SecretName string `json:"secretName"`
+	SecretType string `json:"secretType,omitempty"`
 	SharedKey  string `json:"sharedKey"`
 }
 

diff --git a/pkg/resources/fluentbit/config.go b/pkg/resources/fluentbit/config.go
@@ -54,9 +54,9 @@ var fluentBitConfigTemplate = `
     {{ if .TLS.Enabled }}
     tls           On
     tls.verify    Off
-    tls.ca_file   /fluent-bit/tls/caCert
-    tls.crt_file  /fluent-bit/tls/clientCert
-    tls.key_file  /fluent-bit/tls/clientKey
+    tls.ca_file   {{ .TLS.CACertFile }}
+    tls.crt_file  {{ .TLS.CertFile }}
+    tls.key_file  {{ .TLS.KeyFile }}
     Shared_Key    {{ .TLS.SharedKey }}
     {{- end }}
     Retry_Limit   False

diff --git a/pkg/resources/fluentbit/configmap.go b/pkg/resources/fluentbit/configmap.go
@@ -24,14 +24,19 @@ import (
 	"text/template"
 )
 
+type fluentbitTLSConfig struct {
+	Enabled    bool
+	SharedKey  string
+	CACertFile string
+	CertFile   string
+	KeyFile    string
+}
+
 type fluentBitConfig struct {
 	Namespace string
-	TLS       struct {
-		Enabled   bool
-		SharedKey string
-	}
-	Monitor map[string]string
-	Output  map[string]string
+	TLS       fluentbitTLSConfig
+	Monitor   map[string]string
+	Output    map[string]string
 }
 
 func (r *Reconciler) configMap() runtime.Object {
@@ -41,16 +46,23 @@ func (r *Reconciler) configMap() runtime.Object {
 			"Port": r.Fluentbit.Spec.Annotations["prometheus.io/port"],
 		}
 	}
+	tlsConfig := fluentbitTLSConfig{
+		Enabled:   r.Fluentbit.Spec.TLS.Enabled,
+		SharedKey: r.Fluentbit.Spec.TLS.SharedKey,
+	}
+	if r.Fluentbit.Spec.TLS.SecretType == "tls" {
+		tlsConfig.CertFile = "/fluent-bit/tls/tls.crt"
+		tlsConfig.KeyFile = "/fluent-bit/tls/tls.key"
+		tlsConfig.CACertFile = "/fluent-bit/tls/ca.crt"
+	} else {
+		tlsConfig.CertFile = "/fluent-bit/tls/clientCert"
+		tlsConfig.KeyFile = "/fluent-bit/tls/clientKey"
+		tlsConfig.CACertFile = "/fluent-bit/tls/caCert"
+	}
 	input := fluentBitConfig{
 		Namespace: r.Fluentbit.Namespace,
-		TLS: struct {
-			Enabled   bool
-			SharedKey string
-		}{
-			Enabled:   r.Fluentbit.Spec.TLS.Enabled,
-			SharedKey: r.Fluentbit.Spec.TLS.SharedKey,
-		},
-		Monitor: monitorConfig,
+		TLS:       tlsConfig,
+		Monitor:   monitorConfig,
 	}
 	return &corev1.ConfigMap{
 		ObjectMeta: templates.FluentbitObjectMeta(fluentbitConfigMapName, r.Fluentbit.Labels, r.Fluentbit),

diff --git a/pkg/resources/fluentbit/daemonset.go b/pkg/resources/fluentbit/daemonset.go
@@ -94,18 +94,7 @@ func generateVolumeMounts(fluentbit *loggingv1alpha1.Fluentbit) (v []corev1.Volu
 		tlsRelatedVolume := []corev1.VolumeMount{
 			{
 				Name:      "fluent-tls",
-				MountPath: "/fluent-bit/tls/caCert",
-				SubPath:   "caCert",
-			},
-			{
-				Name:      "fluent-tls",
-				MountPath: "/fluent-bit/tls/clientCert",
-				SubPath:   "clientCert",
-			},
-			{
-				Name:      "fluent-tls",
-				MountPath: "/fluent-bit/tls/clientKey",
-				SubPath:   "clientKey",
+				MountPath: "/fluent-bit/tls",
 			},
 		}
 		v = append(v, tlsRelatedVolume...)

diff --git a/pkg/resources/fluentd/config.go b/pkg/resources/fluentd/config.go
@@ -50,9 +50,9 @@ var fluentdInputTemplate = `
     </security>
     <transport tls>
       version                TLSv1_2
-      ca_path                /fluentd/tls/caCert
-      cert_path              /fluentd/tls/serverCert
-      private_key_path       /fluentd/tls/serverKey
+      ca_path                {{ .TLS.CACertFile }}
+      cert_path              {{ .TLS.CertFile }}
+      private_key_path       {{ .TLS.KeyFile }}
       client_cert_auth       true
     </transport>
     {{- end }}

diff --git a/pkg/resources/fluentd/configmap.go b/pkg/resources/fluentd/configmap.go
@@ -26,23 +26,33 @@ import (
 	"text/template"
 )
 
+type fluentdTLSConfig struct {
+	Enabled    bool
+	SharedKey  string
+	CACertFile string
+	CertFile   string
+	KeyFile    string
+}
+
 type fluentdConfig struct {
-	TLS struct {
-		Enabled   bool
-		SharedKey string
-	}
+	TLS fluentdTLSConfig
 }
 
 func (r *Reconciler) configMap() runtime.Object {
-	input := fluentdConfig{
-		TLS: struct {
-			Enabled   bool
-			SharedKey string
-		}{
-			Enabled:   r.Fluentd.Spec.TLS.Enabled,
-			SharedKey: r.Fluentd.Spec.TLS.SharedKey,
-		},
+	tlsConfig := fluentdTLSConfig{
+		Enabled:   r.Fluentd.Spec.TLS.Enabled,
+		SharedKey: r.Fluentd.Spec.TLS.SharedKey,
+	}
+	if r.Fluentd.Spec.TLS.SecretType == "tls" {
+		tlsConfig.CertFile = "/fluentd/tls/tls.crt"
+		tlsConfig.KeyFile = "/fluentd/tls/tls.key"
+		tlsConfig.CACertFile = "/fluentd/tls/ca.crt"
+	} else {
+		tlsConfig.CertFile = "/fluentd/tls/serverCert"
+		tlsConfig.KeyFile = "/fluentd/tls/serverKey"
+		tlsConfig.CACertFile = "/fluentd/tls/caCert"
 	}
+	input := fluentdConfig{TLS: tlsConfig}
 	return &corev1.ConfigMap{
 		ObjectMeta: templates.FluentdObjectMeta(configMapName, util.MergeLabels(r.Fluentd.Labels, labelSelector), r.Fluentd),
 		Data: map[string]string{