SSL/TLS
When deploying or configuring a pipeline you may need to receive messages that are encrypted. Calyptia Core supports configuring TLS over the TCP and Forward protocols for a pipeline's endpoint.
This allows you to send data securely from Fluent Bit and Fluentd to Calyptia Core.
Adding TLS to existing pipeline
We use the Calyptia Cloud CLI to add TLS to an existing pipeline endpoint. First, we retrieve the endpoint ID and then update it with the following.
This will modify the existing pipeline and keep the current bound ports and server addresses.
calyptia get endpoints --pipeline <PIPELINE_ID> --show-ids
calyptia update endpoint <ENDPOINT_ID> --protocol tcps
Using custom certificates
Calyptia Core also allows the use of custom certificates that can be used for mutual TLS. These certificates must follow the format below and make use of the frontend port for the pipeline.
FRONTEND_PORT
This port can be found in the pipeline configuration you are sending data to, as the port used in the [INPUT] section.
For example, in the following configuration:
[INPUT]
Name forward
Port 5555
Tag fluentd
the FRONTEND_PORT is 5555.
Custom Certificate component | Format |
---|---|
Certificate File in PEM Format | <FRONTEND_PORT>-cert |
Key File in PEM Format | <FRONTEND_PORT>-key |
Example sending data from Fluent Bit
In the following configuration file for Fluent Bit we use the forward plugin with the option tls.verify set to off, which will not make use of the certificate or key file. We can configure additional parameters for the certificate or key file as well.
[SERVICE]
Flush 5
Daemon off
Log_Level info
[INPUT]
Name cpu
Tag cpu_usage
[OUTPUT]
Name forward
Match *
Host 127.0.0.1
Port 24284
Self_Hostname flb.local
tls on
tls.verify off
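The same sender with certificate verification turned on and a client certificate presented for mutual TLS, as an added example that is not part of the original Calyptia documentation. The tls.ca_file, tls.crt_file and tls.key_file options are Fluent Bit's standard TLS settings; the file paths are placeholders, and the example assumes the CA that issued the endpoint's certificate is available on the sender.

```ini
[SERVICE]
    Flush     5
    Daemon    off
    Log_Level info

[INPUT]
    Name cpu
    Tag  cpu_usage

[OUTPUT]
    Name          forward
    Match         *
    Host          127.0.0.1
    Port          24284
    Self_Hostname flb.local
    tls           on
    # Validate the certificate presented by the pipeline endpoint
    tls.verify    on
    # CA bundle used to validate the endpoint certificate (placeholder path)
    tls.ca_file   /path/to/ca.pem
    # Client certificate and key presented for mutual TLS (placeholder paths, PEM format)
    tls.crt_file  /path/to/client-cert.pem
    tls.key_file  /path/to/client-key.pem
```

With tls.verify set to off the connection is still encrypted, but Fluent Bit does not validate the certificate the endpoint presents.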