Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Watch TLS certificate and key files #9718

Open
kaedwen opened this issue Dec 12, 2024 · 3 comments
Open

Watch TLS certificate and key files #9718

kaedwen opened this issue Dec 12, 2024 · 3 comments

Comments

@kaedwen
Copy link

kaedwen commented Dec 12, 2024

Is your feature request related to a problem? Please describe.
We do run fluent-bit to export our logs to a opensearch driven logging instance. The output does authenticate via TLS certificates. We do rotate these certificates on a daily basis, but fluent-bit does not reload the mounted secret and I do not see an option to configure that.

Describe the solution you'd like
A configuration option to configure fluent-bit to watch the tls secret mount point, or a interval based approach to define a reload interval (e.g. 30m)

Additional context
Currently the only option I do see is creating a CronJob in k8s calling the http hot reload api, yet not tested it.

@patrick-stephens
Copy link
Contributor

The official chart does offer hot reload for config map or secret changes via https://github.com/fluent/helm-charts/blob/f9cad1572a0a3f6bcf0cb2582023ece2d76e34af/charts/fluent-bit/values.yaml#L513-L516

I think this should do what you require?

@kaedwen
Copy link
Author

kaedwen commented Dec 13, 2024

Hey @patrick-stephens thanks for your input, but I am not sure if that will help, because the reloader does watch the original config map only, we do provide an additional one via extraVolumes because we need to dynamically write it during provisioning where we configure the output including the tls settings.

And the reloader does watch the config only, not the referenced tls secret where a change will happen.

I will try it out but I am pretty sure it will not work.

@patrick-stephens
Copy link
Contributor

If it doesn't I'm sure it can be easily customised via a PR though to add the extra parameters required

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants