Add server TLS certificate verification (#2171)

* Add server TLS certificate verification * Generalize use of server TLS certificate verification * Fix typo * Bump fluent-plugin-grafana-loki gem version: 1.2.12 -> 1.2.13 * Replace option: verify_tls -> insecure_tls * Update document * Update docs/clients/fluentd/README.md Co-authored-by: Cyril Tovena <cyril.tovena@gmail.com>
grafana · Jun 16, 2020 · e2a7941 · e2a7941
1 parent 0ecaa10
commit e2a7941
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 2 deletions.
diff --git a/cmd/fluentd/fluent-plugin-grafana-loki.gemspec b/cmd/fluentd/fluent-plugin-grafana-loki.gemspec
@@ -4,7 +4,7 @@ $LOAD_PATH.push File.expand_path('lib', __dir__)
 
 Gem::Specification.new do |spec|
   spec.name    = 'fluent-plugin-grafana-loki'
-  spec.version = '1.2.12'
+  spec.version = '1.2.13'
   spec.authors = %w[woodsaj briangann cyriltovena]
   spec.email   = ['awoods@grafana.com', 'brian@grafana.com', 'cyril.tovena@grafana.com']
 

diff --git a/cmd/fluentd/lib/fluent/plugin/out_loki.rb b/cmd/fluentd/lib/fluent/plugin/out_loki.rb
@@ -49,6 +49,9 @@ class LogPostError < StandardError; end
       desc 'TLS'
       config_param :ca_cert, :string, default: nil
 
+      desc 'Disable server certificate verification'
+      config_param :insecure_tls, :bool, default: false
+
       desc 'Loki tenant id'
       config_param :tenant, :string, default: nil
 
@@ -153,14 +156,22 @@ def ssl_opts(uri)
           use_ssl: uri.scheme == 'https'
         }
 
+        # Disable server TLS certificate verification
+        if @insecure_tls
+          opts = opts.merge(
+            verify_mode: OpenSSL::SSL::VERIFY_NONE
+          )
+        end
+
+        # Verify client TLS certificate
         if !@cert.nil? && !@key.nil?
           opts = opts.merge(
-            verify_mode: OpenSSL::SSL::VERIFY_PEER,
             cert: @cert,
             key: @key
           )
         end
 
+        # Specify custom certificate authority
         unless @ca_cert.nil?
           opts = opts.merge(
             ca_file: @ca_cert

diff --git a/cmd/fluentd/spec/gems/fluent/plugin/loki_output_spec.rb b/cmd/fluentd/spec/gems/fluent/plugin/loki_output_spec.rb
@@ -24,6 +24,7 @@
       line_format key_value
       drop_single_key true
       remove_keys a, b
+      insecure_tls true
       <label>
         job
         instance instance
@@ -39,6 +40,7 @@
     expect(driver.instance.record_accessors.keys).to eq %w[job instance]
     expect(driver.instance.remove_keys).to eq %w[a b]
     expect(driver.instance.drop_single_key).to eq true
+    expect(driver.instance.insecure_tls).to eq true
   end
 
   it 'converts syslog output to loki output' do

diff --git a/docs/clients/fluentd/README.md b/docs/clients/fluentd/README.md
@@ -210,6 +210,21 @@ Specify a pair of client certificate and private key with `cert` and `key` if a
 </match>
 ```
 
+### Server certificate verification
+A flag to disable a server certificate verification. By default the `insecure_tls` is set to false.
+
+```
+<match **>
+  @type loki
+
+  url "https://loki"
+
+  insecure_tls true
+
+  ...
+</match>
+```
+
 ### output format
 Loki is intended to index and group log streams using only a small set of labels.  It is not intended for full-text indexing.  When sending logs to Loki the majority of log message will be sent as a single log "line".