TLS encryption

To use TLS encryption in your logging infrastructure, you have to configure encryption:

  • for the log collection part of your logging pipeline (between Fluent Bit and Fluentd or Fluent bit and syslog-ng), and
  • for the output plugin (between Fluentd or syslog-ng and the output backend).

For configuring the output, see the documentation of the output plugin you want to use at Outputs.

For Fluentd and Fluent Bit, you can configure encryption in the logging resource using the following parameters:

NameTypeDefaultDescription
enabledbool“Yes”Enable TLS encryption
secretNamestring""Kubernetes secret that contains: tls.crt, tls.key, ca.crt
sharedKeystring""Shared secret for fluentd authentication

For example:

apiVersion: logging.banzaicloud.io/v1beta1
kind: Logging
metadata:
  name: default-logging-tls
spec:
  fluentd:
    tls:
      enabled: true
      secretName: fluentd-tls
      sharedKey: example-secret
  fluentbit:
    tls:
      enabled: true
      secretName: fluentbit-tls
      sharedKey: example-secret
  controlNamespace: logging

For other parameters of the logging resource, see LoggingSpec.