Support TLS on Forward Input plugin

Open vizcay opened this issue 4 years ago • 23 comments

According to https://docs.fluentbit.io/manual/administration/security TLS is only supported in output plugins. It would be great to also have support for input plugins. Mostly because we prefer to use fluent-bit over fluentd as it is simpler and has a lower footprint.

vizcay avatar Nov 14 '20 13:11 vizcay

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Mar 06 '21 02:03 github-actions[bot]

Still relevant.

vizcay avatar Mar 07 '21 13:03 vizcay

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Apr 07 '21 02:04 github-actions[bot]

Still relevant.

vizcay avatar Apr 07 '21 13:04 vizcay

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar May 12 '21 01:05 github-actions[bot]

Still relevant.

vizcay avatar May 13 '21 07:05 vizcay

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Jun 16 '21 01:06 github-actions[bot]

Still relevant.

vizcay avatar Jun 16 '21 07:06 vizcay

So, does anyone know why input plugins do not support TLS?

liuchintao avatar Jul 14 '21 07:07 liuchintao

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Aug 14 '21 01:08 github-actions[bot]

Still relevant.

vizcay avatar Aug 15 '21 23:08 vizcay

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Oct 10 '21 01:10 github-actions[bot]

bump

edsiper avatar Oct 10 '21 01:10 edsiper

+1 this would be a great feature to have.

Mbr2k avatar Oct 19 '21 09:10 Mbr2k

Hello, I think I know why input plugins do not support TLS.

Perhaps I can deploy flb behind an nginx server; I just need to configure my nginx server to support TLS, and let nginx forward traffic to flb.

liuchintao avatar Oct 21 '21 04:10 liuchintao

> Hello, I think I know why input plugins do not support TLS.

Why would that be? fluentd supports TLS for this.

vizcay avatar Oct 21 '21 22:10 vizcay

Is the desired design that folks use a service mesh to handle the TLS between pods? Either way, the ticket is still relevant!

bbeattie-phxlabs avatar Nov 01 '21 16:11 bbeattie-phxlabs

That feeling when you build your first fluentbit forward setup and when you're almost done, you find out, when building the receiving end, that it cannot serve a TLS endpoint (especially weird since it receives a secret) and you find a github issue older than a year without at least a response of the maintainer about why such feature that anyone with common sense would expect is simply not there. ¯\_(ツ)_/¯

I want to use fluentbit to stream syslog to my elasticsearch cluster in a secure fashion. Since the es output of fluentbit doesn't have the option (like in the fluentd one) to specify multiple output hosts, the documentation points you to the upstream forwarder approach. Fine with that, but please at least mention there's (apparently?) no way you can build this securely. :(

> Is the desired design that folks use a service mesh to handle the TLS between pods?

My motivation for preferring fluentbit over other solutions is its small footprint. If I need a proxy or something like that in addition, I can just as well go with fluentd, I guess.

tumbl3w33d avatar Feb 03 '22 17:02 tumbl3w33d

After problems with fluentd and seeing the same old issues without any answer there, I thought maybe fluent-bit is better, but it does not seem to be. Is fluentd not maintained anymore?

LukasJerabek avatar Feb 08 '22 09:02 LukasJerabek

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 5 days. Maintainers can add the exempt-stale label.

github-actions[bot] avatar May 10 '22 02:05 github-actions[bot]

Bump.

vizcay avatar May 10 '22 10:05 vizcay

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 5 days. Maintainers can add the exempt-stale label.

github-actions[bot] avatar Aug 09 '22 02:08 github-actions[bot]

Bump.

vizcay avatar Aug 09 '22 09:08 vizcay

Is there any way to use https for prometheus_scrape input endpoint?

rohitkg avatar Aug 23 '22 23:08 rohitkg

I don't think it's possible at the moment but it will be in 2.0 (which will also include TLS support for input plugins)

leonardo-albertovich avatar Aug 24 '22 12:08 leonardo-albertovich

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 5 days. Maintainers can add the exempt-stale label.

github-actions[bot] avatar Nov 23 '22 02:11 github-actions[bot]

@leonardo-albertovich this has been implemented finally? 🎉

vizcay avatar Nov 23 '22 12:11 vizcay

Yes, it came out in 2.0 and I have fixed a few issues that were identified in the latest version (I think it came out yesterday).

leonardo-albertovich avatar Nov 23 '22 12:11 leonardo-albertovich

Per https://docs.fluentbit.io/manual/administration/transport-security fluent-bit 2.0 input TLS just supports MQTT, TCP, HTTP and OpenTelemetry, no forward

But fluentd supports it https://docs.fluentd.org/input/forward#how-to-enable-tls-encryption

shvc avatar Apr 02 '23 01:04 shvc

It seems like there's an error in the documentation. The forward input plugin has TLS support in Fluent-bit 2.0+

leonardo-albertovich avatar Apr 02 '23 13:04 leonardo-albertovich
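
An illustration of the outcome the thread arrives at (TLS on the forward input in Fluent Bit 2.0+), added here as an example and not taken from the thread or the project's documentation. The hostname and certificate paths are placeholders; the two sections belong in the configuration files of two different Fluent Bit instances.

```ini
# --- Receiver (aggregator), Fluent Bit 2.0 or later ---
# The forward input serves a TLS endpoint using its own certificate
# and private key (placeholder paths).
[INPUT]
    Name          forward
    Listen        0.0.0.0
    Port          24224
    tls           on
    tls.crt_file  /etc/fluent-bit/tls/aggregator.crt
    tls.key_file  /etc/fluent-bit/tls/aggregator.key

# --- Sender (edge agent) ---
# The forward output connects over TLS and validates the receiver's
# certificate against the CA that issued it. Host must match a name
# in that certificate (placeholder hostname).
[OUTPUT]
    Name          forward
    Match         *
    Host          aggregator.example.internal
    Port          24224
    tls           on
    # Keep verification on: with "tls.verify off" the link is encrypted
    # but the sender accepts any certificate, so the receiver is not
    # authenticated.
    tls.verify    on
    tls.ca_file   /etc/fluent-bit/tls/ca.crt
```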