@cosmo0920 (Contributor) commented Jul 14, 2025

To support loading certificates with a user-specified name from the Windows CertStore, we need to provide a capability to handle input and output parameters for specifying the name of the certstore and loading a certstore with a user-defined name.

Fixes #9215.

This is also a possible obstacle for migrations from Fluentd to Fluent Bit.
So, we should eliminate this kind of blocker for migrations.

Plus, this provides parity with Fluentd's feature:
(Fluentd does, https://docs.fluentd.org/output/forward#how-to-connect-to-a-tls-ssl-enabled-server-with-windows-certstore-certificate).


Testing
Before we can approve your change; please submit the following in a comment:

  • Example configuration file for the change
[SERVICE]
    Flush        5
    Daemon       Off
    Log_Level    debug
    HTTP_Monitor Off
    HTTP_Port    2020

[INPUT]
    Name dummy
    Tag test
    Dummy {"this is":"dummy data"}
    Rate 1

[OUTPUT]
    Name forward
    Match *
    tls on
    tls.windows.certstore_name My
    tls.windows.use_enterprise_store false
  • Debug log output from testing the change
Fluent Bit v4.1.0
* Copyright (C) 2015-2025 The Fluent Bit Authors
* Fluent Bit is a CNCF sub-project under the umbrella of Fluentd
* https://fluentbit.io

______ _                  _    ______ _ _             ___  _____
|  ___| |                | |   | ___ (_) |           /   ||  _  |
| |_  | |_   _  ___ _ __ | |_  | |_/ /_| |_  __   __/ /| || |/' |
|  _| | | | | |/ _ \ '_ \| __| | ___ \ | __| \ \ / / /_| ||  /| |
| |   | | |_| |  __/ | | | |_  | |_/ / | |_   \ V /\___  |\ |_/ /
\_|   |_|\__,_|\___|_| |_|\__| \____/|_|\__|   \_/     |_(_)___/


[2025/07/15 23:56:35] [ info] Configuration:
[2025/07/15 23:56:35] [ info]  flush time     | 5.000000 seconds
[2025/07/15 23:56:35] [ info]  grace          | 5 seconds
[2025/07/15 23:56:35] [ info]  daemon         | 0
[2025/07/15 23:56:35] [ info] ___________
[2025/07/15 23:56:35] [ info]  inputs:
[2025/07/15 23:56:35] [ info]      dummy
[2025/07/15 23:56:35] [ info] ___________
[2025/07/15 23:56:35] [ info]  filters:
[2025/07/15 23:56:35] [ info] ___________
[2025/07/15 23:56:35] [ info]  outputs:
[2025/07/15 23:56:35] [ info]      forward.0
[2025/07/15 23:56:35] [ info] ___________
[2025/07/15 23:56:35] [ info]  collectors:
[2025/07/15 23:56:35] [ info] [fluent bit] version=4.1.0, commit=ea38ae232a, pid=38088
[2025/07/15 23:56:35] [debug] [engine] maxstdio set: 512
[2025/07/15 23:56:35] [debug] [engine] coroutine stack size: 98302 bytes (96.0K)
[2025/07/15 23:56:35] [ info] [storage] ver=1.5.3, type=memory, sync=normal, checksum=off, max_chunks_up=128
[2025/07/15 23:56:35] [ info] [simd    ] disabled
[2025/07/15 23:56:35] [ info] [cmetrics] version=1.0.4
[2025/07/15 23:56:35] [ info] [ctraces ] version=0.6.6
[2025/07/15 23:56:35] [ info] [input:dummy:dummy.0] initializing
[2025/07/15 23:56:35] [ info] [input:dummy:dummy.0] storage_strategy='memory' (memory only)
[2025/07/15 23:56:35] [debug] [dummy:dummy.0] created event channels: read=824 write=828
[2025/07/15 23:56:35] [debug] [forward:forward.0] created event channels: read=832 write=836
[2025/07/15 23:56:35] [debug] [tls] successfully loaded certificates from windows system Root store.
[2025/07/15 23:56:35] [debug] [output forward.0] starting to load My certstore in TLS context
[2025/07/15 23:56:35] [debug] [output forward.0] attempting to load My certstore in TLS context
[2025/07/15 23:56:35] [debug] [tls] successfully loaded certificates from windows system My store.
[2025/07/15 23:56:35] [ info] [sp] stream processor started
[2025/07/15 23:56:35] [ info] [output:forward:forward.0] worker #0 started
[2025/07/15 23:56:35] [ info] [output:forward:forward.0] worker #1 started
[2025/07/15 23:56:35] [ info] [engine] Shutdown Grace Period=5, Shutdown Input Grace Period=2
[2025/07/15 23:56:40] [debug] [task] created task=000002B5A7A71B10 id=0 OK
[2025/07/15 23:56:40] [debug] [output:forward:forward.0] task_id=0 assigned to thread #0
[2025/07/15 23:56:40] [debug] [output:forward:forward.0] request 164 bytes to flush
[2025/07/15 23:56:40] [debug] [upstream] KA connection #1180 to 127.0.0.1:24224 is connected
[2025/07/15 23:56:40] [debug] [upstream] KA connection #1180 to 127.0.0.1:24224 is now available
[2025/07/15 23:56:40] [debug] [out flush] cb_destroy coro_id=0
[2025/07/15 23:56:40] [debug] [task] destroy task=000002B5A7A71B10 (task_id=0)
[2025/07/15 23:56:42] [engine] caught signal (SIGINT)
[2025/07/15 23:56:42] [debug] [task] created task=000002B5A7A70C10 id=0 OK
[2025/07/15 23:56:42] [debug] [output:forward:forward.0] request 123 bytes to flush
[2025/07/15 23:56:42] [debug] [output:forward:forward.0] task_id=0 assigned to thread #1
[2025/07/15 23:56:42] [ warn] [engine] service will shutdown in max 5 seconds
[2025/07/15 23:56:42] [debug] [engine] retry=0000000000000000 for task 0 already scheduled to run, not re-scheduling it.
[2025/07/15 23:56:42] [ info] [input] pausing dummy.0
[2025/07/15 23:56:42] [debug] [upstream] KA connection #1116 to 127.0.0.1:24224 is connected
[2025/07/15 23:56:42] [debug] [upstream] KA connection #1116 to 127.0.0.1:24224 is now available
[2025/07/15 23:56:42] [debug] [out flush] cb_destroy coro_id=0
[2025/07/15 23:56:42] [debug] [task] destroy task=000002B5A7A70C10 (task_id=0)
[2025/07/15 23:56:43] [ info] [engine] service has stopped (0 pending tasks)
[2025/07/15 23:56:43] [ info] [input] pausing dummy.0
[2025/07/15 23:56:43] [ info] [output:forward:forward.0] thread worker #0 stopping...
[2025/07/15 23:56:43] [ info] [output:forward:forward.0] thread worker #0 stopped
[2025/07/15 23:56:43] [ info] [output:forward:forward.0] thread worker #1 stopping...
[2025/07/15 23:56:43] [ info] [output:forward:forward.0] thread worker #1 stopped
  • Attached Valgrind output that shows no leaks or memory corruption was found

If this is a change to packaging of containers or native binaries then please confirm it works for all targets.

  • Run local packaging test showing all targets (including any new ones) build.
  • Set ok-package-test label to test for all targets (requires maintainer to do).

Documentation

  • Documentation required for this feature

#10590

Backporting

  • Backport to latest stable release.

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.
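A pre-flight check for the store named in the configuration above, added here as an example; it is not part of this PR or of the Fluent Bit code base. It assumes that the store name maps directly to a `Cert:` drive path and that `tls.windows.use_enterprise_store` selects `LocalMachine` rather than `CurrentUser`, mirroring the Fluentd option linked above.

```powershell
# Added pre-flight check (not part of the PR): list what a named Windows
# certificate store holds before pointing Fluent Bit at it. The mapping of
# tls.windows.use_enterprise_store to LocalMachine vs CurrentUser is an
# assumption based on Fluentd's equivalent option, not taken from the PR.
param(
    [string]$StoreName = 'My',          # tls.windows.certstore_name
    [bool]$UseEnterpriseStore = $false  # tls.windows.use_enterprise_store
)

$location = if ($UseEnterpriseStore) { 'LocalMachine' } else { 'CurrentUser' }
$path = "Cert:\$location\$StoreName"

if (-not (Test-Path $path)) {
    Write-Error "Store '$StoreName' does not exist under $location; Fluent Bit would have nothing to load."
    exit 1
}

$now   = Get-Date
$certs = Get-ChildItem -Path $path
Write-Host "Store $path contains $($certs.Count) certificate(s):"

# One row per certificate, flagging entries that are outside their validity window
# or that carry no private key (a trust anchor rather than a client identity).
foreach ($cert in $certs) {
    $state = if ($cert.NotAfter -lt $now) { 'EXPIRED' }
             elseif ($cert.NotBefore -gt $now) { 'NOT YET VALID' }
             else { 'valid' }
    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter.ToString('u')
        HasKey     = $cert.HasPrivateKey
        State      = $state
    }
}

# Emit the matching Fluent Bit [OUTPUT] settings for the chosen store.
@"
    tls on
    tls.windows.certstore_name $StoreName
    tls.windows.use_enterprise_store $($UseEnterpriseStore.ToString().ToLower())
"@
```

Run it once with `-UseEnterpriseStore $true` and once without to confirm which context actually holds the certificate you expect Fluent Bit to pick up.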

@cosmo0920 cosmo0920 force-pushed the comos0920-configurable-certstore-name branch from 7f98627 to ea38ae2 Compare July 15, 2025 02:40
@cosmo0920 cosmo0920 force-pushed the comos0920-configurable-certstore-name branch from ea38ae2 to efde9f1 Compare July 15, 2025 05:58
Plus, implemented handling for using the enterprise store.

Signed-off-by: Hiroshi Hatake <[email protected]>
@cosmo0920 cosmo0920 force-pushed the comos0920-configurable-certstore-name branch from fb9da0d to 4e47d9e Compare July 15, 2025 14:56
@cosmo0920 cosmo0920 marked this pull request as ready for review July 15, 2025 14:58
@cosmo0920 cosmo0920 added this to the Fluent Bit v4.1 milestone Jul 15, 2025
@edsiper edsiper merged commit 865dd04 into master Jul 16, 2025
49 of 51 checks passed
@edsiper edsiper deleted the comos0920-configurable-certstore-name branch July 16, 2025 17:23
Development

Successfully merging this pull request may close these issues.

Need Fluent-Bit to support reading cert from Windows Certstore