When deploying or configuring a pipeline you may need to receive messages that are encrypted. Calyptia Core supports configuring TLS for the TCP and Forward protocols on a pipeline's endpoint.

This allows you to send data securely from Fluent Bit and Fluentd to Calyptia Core.

Adding TLS to existing pipeline

We use the Calyptia Cloud CLI to add TLS to an existing pipeline endpoint. First, we retrieve the endpoint ID and then update it with the following.

This will modify the existing pipeline and keep the current bound ports and server addresses.

calyptia get endpoints --pipeline <PIPELINE_ID> --show-ids
calyptia update endpoint <ENDPOINT_ID> --protocol tcps

Using custom certificates

Calyptia Core also allows the use of custom certificates that can be used for mutual TLS. These certificates must follow the format below and make use of the frontend port for the pipeline.



This port is the one set in the [INPUT] section of the pipeline configuration you are sending data to.

For example, in the following configuration

    [INPUT]
        Name forward
        Port 5555
        Tag  fluentd


Custom Certificate component


Certificate File in PEM Format


Key File in PEM Format


Example sending data from Fluent Bit

In the following Fluent Bit configuration file we use the forward output plugin with the option tls.verify set to off. With this setting the connection is encrypted, but the server's certificate is not validated and no certificate or key file is used. We can configure additional parameters for the certificate or key file as well.

    [SERVICE]
        Flush      5
        Daemon     off
        Log_Level  info

    [INPUT]
        Name       cpu
        Tag        cpu_usage

    [OUTPUT]
        Name          forward
        Match         *
        Port          24284
        Self_Hostname flb.local
        tls           on
        tls.verify    off
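
A variant of the configuration above with certificate validation turned on and a client certificate supplied for mutual TLS, as an added example that is not part of the original page. The Host value and the file paths are placeholders (assumptions); the tls.* keys are Fluent Bit's standard TLS options.

```ini
# Added example, not from the original page.
# <CORE_ENDPOINT_HOST> and the /etc/fluent-bit/certs/ paths are placeholders.
[SERVICE]
    Flush      5
    Daemon     off
    Log_Level  info

[INPUT]
    Name       cpu
    Tag        cpu_usage

# tls.verify on  : validate the server certificate instead of accepting any peer
# tls.ca_file    : CA certificate (PEM) that issued the endpoint's certificate
# tls.vhost      : hostname sent in the TLS SNI extension
# tls.crt_file   : client certificate (PEM) presented for mutual TLS
# tls.key_file   : private key (PEM) matching the client certificate
[OUTPUT]
    Name          forward
    Match         *
    Host          <CORE_ENDPOINT_HOST>
    Port          24284
    Self_Hostname flb.local
    tls           on
    tls.verify    on
    tls.ca_file   /etc/fluent-bit/certs/ca.pem
    tls.vhost     <CORE_ENDPOINT_HOST>
    tls.crt_file  /etc/fluent-bit/certs/client.crt
    tls.key_file  /etc/fluent-bit/certs/client.key
```

Keep the key file readable only by the account that runs Fluent Bit.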

