diff --git a/charts/logging-operator/crds/logging.banzaicloud.io_syslogngclusteroutputs.yaml b/charts/logging-operator/crds/logging.banzaicloud.io_syslogngclusteroutputs.yaml index e95b56c99..fec0e65e9 100644 --- a/charts/logging-operator/crds/logging.banzaicloud.io_syslogngclusteroutputs.yaml +++ b/charts/logging-operator/crds/logging.banzaicloud.io_syslogngclusteroutputs.yaml @@ -974,39 +974,6 @@ spec: type: object tls: properties: - ca_dir: - properties: - mountFrom: - properties: - secretKeyRef: - properties: - key: - type: string - name: - type: string - optional: - type: boolean - required: - - key - type: object - type: object - value: - type: string - valueFrom: - properties: - secretKeyRef: - properties: - key: - type: string - name: - type: string - optional: - type: boolean - required: - - key - type: object - type: object - type: object ca_file: properties: mountFrom: @@ -1073,8 +1040,6 @@ spec: type: object type: object type: object - cipher-suite: - type: string key_file: properties: mountFrom: @@ -1108,19 +1073,6 @@ spec: type: object type: object type: object - peer_verify: - type: boolean - ssl_version: - enum: - - sslv3 - - tlsv1 - - tlsv1_0 - - tlsv1_1 - - tlsv1_2 - - tlsv1_3 - type: string - use-system-cert-store: - type: boolean type: object type: object batch-lines: diff --git a/charts/logging-operator/crds/logging.banzaicloud.io_syslogngoutputs.yaml b/charts/logging-operator/crds/logging.banzaicloud.io_syslogngoutputs.yaml index 6ef31e553..3bdcb6873 100644 --- a/charts/logging-operator/crds/logging.banzaicloud.io_syslogngoutputs.yaml +++ b/charts/logging-operator/crds/logging.banzaicloud.io_syslogngoutputs.yaml 
@@ -970,39 +970,6 @@ spec: type: object tls: properties: - ca_dir: - properties: - mountFrom: - properties: - secretKeyRef: - properties: - key: - type: string - name: - type: string - optional: - type: boolean - required: - - key - type: object - type: object - value: - type: string - valueFrom: - properties: - secretKeyRef: - properties: - key: - type: string - name: - type: string - optional: - type: boolean - required: - - key - type: object - type: object - type: object ca_file: properties: mountFrom: @@ -1069,8 +1036,6 @@ spec: type: object type: object type: object - cipher-suite: - type: string key_file: properties: mountFrom: @@ -1104,19 +1069,6 @@ spec: type: object type: object type: object - peer_verify: - type: boolean - ssl_version: - enum: - - sslv3 - - tlsv1 - - tlsv1_0 - - tlsv1_1 - - tlsv1_2 - - tlsv1_3 - type: string - use-system-cert-store: - type: boolean type: object type: object batch-lines: diff --git a/config/crd/bases/logging.banzaicloud.io_syslogngclusteroutputs.yaml b/config/crd/bases/logging.banzaicloud.io_syslogngclusteroutputs.yaml index e95b56c99..fec0e65e9 100644 --- a/config/crd/bases/logging.banzaicloud.io_syslogngclusteroutputs.yaml +++ b/config/crd/bases/logging.banzaicloud.io_syslogngclusteroutputs.yaml @@ -974,39 +974,6 @@ spec: type: object tls: properties: - ca_dir: - properties: - mountFrom: - properties: - secretKeyRef: - properties: - key: - type: string - name: - type: string - optional: - type: boolean - required: - - key - type: object - type: object - value: - type: string - valueFrom: - properties: - secretKeyRef: - properties: - key: - type: string - name: - type: string - optional: - type: boolean - required: - - key - type: object - type: object - type: object ca_file: properties: mountFrom: @@ -1073,8 +1040,6 @@ spec: type: object type: object type: object - cipher-suite: - type: string key_file: properties: mountFrom: 
@@ -1108,19 +1073,6 @@ spec: type: object type: object type: object - peer_verify: - type: boolean - ssl_version: - enum: - - sslv3 - - tlsv1 - - tlsv1_0 - - tlsv1_1 - - tlsv1_2 - - tlsv1_3 - type: string - use-system-cert-store: - type: boolean type: object type: object batch-lines: diff --git a/config/crd/bases/logging.banzaicloud.io_syslogngoutputs.yaml b/config/crd/bases/logging.banzaicloud.io_syslogngoutputs.yaml index 6ef31e553..3bdcb6873 100644 --- a/config/crd/bases/logging.banzaicloud.io_syslogngoutputs.yaml +++ b/config/crd/bases/logging.banzaicloud.io_syslogngoutputs.yaml @@ -970,39 +970,6 @@ spec: type: object tls: properties: - ca_dir: - properties: - mountFrom: - properties: - secretKeyRef: - properties: - key: - type: string - name: - type: string - optional: - type: boolean - required: - - key - type: object - type: object - value: - type: string - valueFrom: - properties: - secretKeyRef: - properties: - key: - type: string - name: - type: string - optional: - type: boolean - required: - - key - type: object - type: object - type: object ca_file: properties: mountFrom: @@ -1069,8 +1036,6 @@ spec: type: object type: object type: object - cipher-suite: - type: string key_file: properties: mountFrom: @@ -1104,19 +1069,6 @@ spec: type: object type: object type: object - peer_verify: - type: boolean - ssl_version: - enum: - - sslv3 - - tlsv1 - - tlsv1_0 - - tlsv1_1 - - tlsv1_2 - - tlsv1_3 - type: string - use-system-cert-store: - type: boolean type: object type: object batch-lines: diff --git a/docs/configuration/plugins/syslogng-outputs/auth.md b/docs/configuration/plugins/syslogng-outputs/auth.md index ae825e4b0..58a3326cd 100644 --- a/docs/configuration/plugins/syslogng-outputs/auth.md +++ b/docs/configuration/plugins/syslogng-outputs/auth.md 
@@ -11,6 +11,8 @@ generated_file: true ## Configuration ## Auth +Authentication settings. Only one authentication method can be set. Default: Insecure + ### adc (*ADC, optional) {#auth-adc} Application Default Credentials (ADC). @@ -26,7 +28,7 @@ Application Layer Transport Security (ALTS) is a simple to use authentication, o This is the default method, authentication is disabled (`auth(insecure())`). -### tls (*TLS, optional) {#auth-tls} +### tls (*GrpcTLS, optional) {#auth-tls} This option sets various options related to TLS encryption, for example, key/certificate files and trusted CA locations. TLS can be used only with tcp-based transport protocols. For details, see [TLS for syslog-ng outputs](../tls/) and the [documentation of the AxoSyslog syslog-ng distribution](https://axoflow.com/docs/axosyslog-core/chapter-encrypted-transport-tls/tlsoptions). diff --git a/docs/configuration/plugins/syslogng-outputs/tls.md b/docs/configuration/plugins/syslogng-outputs/tls.md index 2623a4894..3171ad917 100644 --- a/docs/configuration/plugins/syslogng-outputs/tls.md +++ b/docs/configuration/plugins/syslogng-outputs/tls.md 
@@ -52,3 +52,21 @@ Use the certificate store of the system for verifying HTTPS certificates. For de +## GrpcTLS + +### ca_file (*secret.Secret, optional) {#grpctls-ca_file} + +The name of a file that contains a set of trusted CA certificates in PEM format. (Optional) For details, see the [AxoSyslog Core documentation](https://axoflow.com/docs/axosyslog-core/chapter-encrypted-transport-tls/tlsoptions/#ca-file). + + +### cert_file (*secret.Secret, optional) {#grpctls-cert_file} + +Name of a file, that contains an X.509 certificate (or a certificate chain) in PEM format, suitable as a TLS certificate, matching the private key set in the key-file() option. For details, see the [AxoSyslog Core documentation](https://axoflow.com/docs/axosyslog-core/chapter-encrypted-transport-tls/tlsoptions/#cert-file). + + +### key_file (*secret.Secret, optional) {#grpctls-key_file} + +The name of a file that contains an unencrypted private key in PEM format, suitable as a TLS key. For details, see the [AxoSyslog Core documentation](https://axoflow.com/docs/axosyslog-core/chapter-encrypted-transport-tls/tlsoptions/#key-file). + + + diff --git a/go.work.sum b/go.work.sum index 12c554c47..8b01650e9 100644 --- a/go.work.sum +++ b/go.work.sum 
@@ -2351,6 +2351,7 @@ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.19.0/go.mod h go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.3.0/go.mod h1:QNX1aly8ehqqX1LEa6YniTU7VY9I6R3X/oPxhGdTceE= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.14.0 h1:3jAYbRHQAqzLjd9I4tzxwJ8Pk/N6AqBcF6m1ZHrxG94= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.14.0/go.mod h1:+N7zNjIJv4K+DeX67XXET0P+eIciESgaFDBqh+ZJFS4= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0/go.mod h1:oVdCUtjq9MK9BlS7TtucsQwUcXcymNiEDjgDD2jMtZU= go.opentelemetry.io/otel/metric v0.20.0 h1:4kzhXFP+btKm4jwxpjIqjs41A7MakRFUS86bqLHTIw8= go.opentelemetry.io/otel/metric v0.20.0/go.mod h1:598I5tYlH1vzBjn+BTuhzTCSb/9debfNp6R3s7Pr1eU= go.opentelemetry.io/otel/metric v0.30.0/go.mod h1:/ShZ7+TS4dHzDFmfi1kSXMhMVubNoP0oIaBp70J6UXU= 
@@ -2648,12 +2649,14 @@ google.golang.org/genproto v0.0.0-20230526203410-71b5a4ffd15e/go.mod h1:zqTuNwFl google.golang.org/genproto v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:xZnkP7mREFX5MORlOPEzLMr+90PPZQ2QWzrVTWfAq64= google.golang.org/genproto v0.0.0-20230706204954-ccb25ca9f130/go.mod h1:O9kGHb51iE/nOGvQaDUuadVYqovW56s5emA88lQnj6Y= google.golang.org/genproto v0.0.0-20230711160842-782d3b101e98/go.mod h1:S7mY02OqCJTD0E1OiQy1F72PWFB4bZJ87cAtLPYgDR0= +google.golang.org/genproto v0.0.0-20230803162519-f966b187b2e5 h1:L6iMMGrtzgHsWofoFcihmDEMYeDR9KN/ThbPWGrh++g= google.golang.org/genproto v0.0.0-20230803162519-f966b187b2e5/go.mod h1:oH/ZOT02u4kWEp7oYBGYFFkCdKS/uYR9Z7+0/xuuFp8= google.golang.org/genproto/googleapis/api v0.0.0-20230525234035-dd9d682886f9 h1:m8v1xLLLzMe1m5P+gCTF8nJB9epwZQUBERm20Oy1poQ= google.golang.org/genproto/googleapis/api v0.0.0-20230525234035-dd9d682886f9/go.mod h1:vHYtlOoi6TsQ3Uk2yxR7NI5z8uoV+3pZtR4jmHIkRig= google.golang.org/genproto/googleapis/api v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:vHYtlOoi6TsQ3Uk2yxR7NI5z8uoV+3pZtR4jmHIkRig= google.golang.org/genproto/googleapis/api v0.0.0-20230711160842-782d3b101e98/go.mod h1:rsr7RhLuwsDKL7RmgDDCUc6yaGr1iqceVb5Wv6f6YvQ= google.golang.org/genproto/googleapis/api v0.0.0-20230726155614-23370e0ffb3e/go.mod h1:rsr7RhLuwsDKL7RmgDDCUc6yaGr1iqceVb5Wv6f6YvQ= +google.golang.org/genproto/googleapis/bytestream v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:ylj+BE99M198VPbBh6A8d9n3w8fChvyLK3wwBOjXBFA= google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA= google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA= google.golang.org/genproto/googleapis/rpc v0.0.0-20230706204954-ccb25ca9f130/go.mod h1:8mL13HKkDa+IuJ8yruA3ci0q+0vsUz4m//+ottjwS5o= 
diff --git a/pkg/sdk/logging/model/syslogng/config/output_tests/loki_test.go b/pkg/sdk/logging/model/syslogng/config/output_tests/loki_test.go index 221827b9d..cce768c48 100644 --- a/pkg/sdk/logging/model/syslogng/config/output_tests/loki_test.go +++ b/pkg/sdk/logging/model/syslogng/config/output_tests/loki_test.go @@ -142,19 +142,13 @@ func TestLokiOutputTable(t *testing.T) { Workers: 3, LogFIFOSize: 1000, Auth: &output.Auth{ - ALTS: &output.ALTS{}, - ADC: &output.ADC{}, Insecure: &output.Insecure{}, - TLS: &output.TLS{ - PeerVerify: config.NewTrue(), - UseSystemCertStore: config.NewFalse(), - }, }, }, }, }, config: `destination "output_default_test-loki-out" { - loki(auth(alts() adc() insecure() tls(peer_verify(yes) use-system-cert-store(no))) url("test.local") batch-lines(2000) batch-timeout(10) workers(3) persist_name("output_default_test-loki-out") log-fifo-size(1000)); + loki(auth(insecure()) url("test.local") batch-lines(2000) batch-timeout(10) workers(3) persist_name("output_default_test-loki-out") log-fifo-size(1000)); }; `, }, diff --git a/pkg/sdk/logging/model/syslogng/output/auth.go b/pkg/sdk/logging/model/syslogng/output/auth.go index 10a3a5c40..d741602d1 100644 --- a/pkg/sdk/logging/model/syslogng/output/auth.go +++ b/pkg/sdk/logging/model/syslogng/output/auth.go @@ -28,6 +28,7 @@ type _docAuth interface{} //nolint:deadcode,unused type _metaAuth interface{} //nolint:deadcode,unused // +kubebuilder:object:generate=true +// Authentication settings. Only one authentication method can be set. Default: Insecure type Auth struct { // Application Layer Transport Security (ALTS) is a simple to use authentication, only available within Google’s infrastructure. ALTS *ALTS `json:"alts,omitempty"` 
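Review bot: No table case in this hunk exercises `auth(tls(...))` any more: the only `Auth` value left is `Insecure`, so the rendering of the new `GrpcTLS` fields (`ca_file`, `key_file`, `cert_file`) is not pinned here. A separate case with `Auth: &output.Auth{TLS: &output.GrpcTLS{...}}` and its expected `loki(auth(tls(...)) ...)` string would cover the one authenticated TLS path that this commit changes. TestLokiOutputTable starts and ends outside the hunk, so such a case may already exist elsewhere in the table.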
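Review bot: The added comment on `Auth` says only one authentication method can be set, but nothing visible on the type enforces it. The fields are independent optional pointers, and the test expectation removed in this commit rendered `alts() adc() insecure() tls(...)` together. A schema-level limit such as `// +kubebuilder:validation:MaxProperties=1` on the type would reject ambiguous specs at admission instead of leaving the outcome to the generated syslog-ng config. The comment could also spell out what the default means, e.g. `// Default: Insecure (authentication disabled).` The struct body continues outside this hunk.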
@@ -36,7 +37,7 @@ type Auth struct { // This is the default method, authentication is disabled (`auth(insecure())`). Insecure *Insecure `json:"insecure,omitempty"` // This option sets various options related to TLS encryption, for example, key/certificate files and trusted CA locations. TLS can be used only with tcp-based transport protocols. For details, see [TLS for syslog-ng outputs](../tls/) and the [documentation of the AxoSyslog syslog-ng distribution](https://axoflow.com/docs/axosyslog-core/chapter-encrypted-transport-tls/tlsoptions). - TLS *TLS `json:"tls,omitempty"` + TLS *GrpcTLS `json:"tls,omitempty"` } type ADC struct{} diff --git a/pkg/sdk/logging/model/syslogng/output/tls.go b/pkg/sdk/logging/model/syslogng/output/tls.go index 1f1d6f0bd..6a7f0d84b 100644 --- a/pkg/sdk/logging/model/syslogng/output/tls.go +++ b/pkg/sdk/logging/model/syslogng/output/tls.go 
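Review bot: The field comment above `TLS *GrpcTLS` still describes the general syslog-ng TLS options and links to `../tls/`, while the new type accepts only `ca_file`, `key_file` and `cert_file`. The CRD hunks in this commit drop `peer_verify`, `ssl_version`, `cipher-suite`, `ca_dir` and `use-system-cert-store` from a `tls` schema, presumably this one. Existing resources that set those options would then have them pruned or rejected, and operators who relied on an explicit `peer_verify` or `ssl_version` should be told. Suggested wording: `// TLS settings for gRPC-based outputs. Only ca_file, key_file and cert_file are supported; peer verification, protocol version and cipher suite cannot be configured here.` The struct starts outside this hunk.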
@@ -50,3 +50,13 @@ type TLS struct { // +kubebuilder:validation:Enum=sslv3;tlsv1;tlsv1_0;tlsv1_1;tlsv1_2;tlsv1_3 SslVersion string `json:"ssl_version,omitempty"` } + +// +kubebuilder:object:generate=true +type GrpcTLS struct { + // The name of a file that contains a set of trusted CA certificates in PEM format. (Optional) For details, see the [AxoSyslog Core documentation](https://axoflow.com/docs/axosyslog-core/chapter-encrypted-transport-tls/tlsoptions/#ca-file). + CaFile *secret.Secret `json:"ca_file,omitempty"` + // The name of a file that contains an unencrypted private key in PEM format, suitable as a TLS key. For details, see the [AxoSyslog Core documentation](https://axoflow.com/docs/axosyslog-core/chapter-encrypted-transport-tls/tlsoptions/#key-file). + KeyFile *secret.Secret `json:"key_file,omitempty"` + // Name of a file, that contains an X.509 certificate (or a certificate chain) in PEM format, suitable as a TLS certificate, matching the private key set in the key-file() option. For details, see the [AxoSyslog Core documentation](https://axoflow.com/docs/axosyslog-core/chapter-encrypted-transport-tls/tlsoptions/#cert-file). + CertFile *secret.Secret `json:"cert_file,omitempty"` +} diff --git a/pkg/sdk/logging/model/syslogng/output/zz_generated.deepcopy.go b/pkg/sdk/logging/model/syslogng/output/zz_generated.deepcopy.go index 030579d1f..6f09e49c8 100644 --- a/pkg/sdk/logging/model/syslogng/output/zz_generated.deepcopy.go +++ b/pkg/sdk/logging/model/syslogng/output/zz_generated.deepcopy.go @@ -64,7 +64,7 @@ func (in *Auth) DeepCopyInto(out *Auth) { } if in.TLS != nil { in, out := &in.TLS, &out.TLS - *out = new(TLS) + *out = new(GrpcTLS) (*in).DeepCopyInto(*out) } } 
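Review bot: `GrpcTLS` has no type doc comment and nothing ties `key_file` to `cert_file`, so a spec with a private key but no certificate (or the reverse) passes schema validation. A type comment such as `// GrpcTLS holds the TLS options supported by gRPC-based destinations.` would document the type. A CEL rule like `// +kubebuilder:validation:XValidation:rule="has(self.key_file) == has(self.cert_file)",message="key_file and cert_file must be set together"` would catch the mismatch at admission, assuming the project's controller-gen supports XValidation markers. Since `key_file` is documented as an unencrypted private key, its comment could also recommend `mountFrom` with a Secret reference over an inline `value`, if `secret.Secret` allows both as the removed `ca_dir` schema suggests.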
@@ -185,6 +185,36 @@ func (in *FileOutput) DeepCopy() *FileOutput { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GrpcTLS) DeepCopyInto(out *GrpcTLS) { + *out = *in + if in.CaFile != nil { + in, out := &in.CaFile, &out.CaFile + *out = new(secret.Secret) + (*in).DeepCopyInto(*out) + } + if in.KeyFile != nil { + in, out := &in.KeyFile, &out.KeyFile + *out = new(secret.Secret) + (*in).DeepCopyInto(*out) + } + if in.CertFile != nil { + in, out := &in.CertFile, &out.CertFile + *out = new(secret.Secret) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GrpcTLS. +func (in *GrpcTLS) DeepCopy() *GrpcTLS { + if in == nil { + return nil + } + out := new(GrpcTLS) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *HTTPOutput) DeepCopyInto(out *HTTPOutput) { *out = *in