Merge pull request #164 from richm/issue-163

richm · web-flow · commit 3cdd4b41e826 · 2018-12-11T17:03:52.000-07:00
add support for ssl_partial_chain
diff --git a/README.md b/README.md
@@ -54,6 +54,9 @@ when true (default: `true`)
 * `orphaned_namespace_name` - The namespace to associate with records where the namespace can not be determined (default: `.orphaned`)
 * `orphaned_namespace_id` - The namespace id to associate with records where the namespace can not be determined (default: `orphaned`)
 * `lookup_from_k8s_field` - If the field `kubernetes` is present, lookup the metadata from the given subfields such as `kubernetes.namespace_name`, `kubernetes.pod_name`, etc.  This allows you to avoid having to pass in metadata to lookup in an explicitly formatted tag name or in an explicitly formatted `CONTAINER_NAME` value.  For example, set `kubernetes.namespace_name`, `kubernetes.pod_name`, `kubernetes.container_name`, and `docker.id` in the record, and the filter will fill in the rest. (default: `true`)
+* `ssl_partial_chain` - if `ca_file` is for an intermediate CA, or otherwise we do not have the root CA and want
+  to trust the intermediate CA certs we do have, set this to `true` - this corresponds to
+  the `openssl s_client -partial_chain` flag and `X509_V_FLAG_PARTIAL_CHAIN` (default: `false`)
 
 **NOTE:** As of the release 2.1.x of this plugin, it no longer supports parsing the source message into JSON and attaching it to the
 payload.  The following configuration options are removed:
diff --git a/lib/fluent/plugin/filter_kubernetes_metadata.rb b/lib/fluent/plugin/filter_kubernetes_metadata.rb
@@ -72,6 +72,10 @@ class KubernetesMetadataFilter < Fluent::Plugin::Filter
     config_param :orphaned_namespace_name, :string, default: '.orphaned'
     config_param :orphaned_namespace_id, :string, default: 'orphaned'
     config_param :lookup_from_k8s_field, :bool, default: true
+    # if `ca_file` is for an intermediate CA, or otherwise we do not have the root CA and want
+    # to trust the intermediate CA certs we do have, set this to `true` - this corresponds to
+    # the openssl s_client -partial_chain flag and X509_V_FLAG_PARTIAL_CHAIN
+    config_param :ssl_partial_chain, :bool, default: false
 
     def fetch_pod_metadata(namespace_name, pod_name)
       log.trace("fetching pod metadata: #{namespace_name}/#{pod_name}") if log.trace?
@@ -219,6 +223,21 @@ def log.trace?
             verify_ssl:  @verify_ssl ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE
         }
 
+        if @ssl_partial_chain
+          # taken from the ssl.rb OpenSSL::SSL::SSLContext code for DEFAULT_CERT_STORE
+          require 'openssl'
+          ssl_store = OpenSSL::X509::Store.new
+          ssl_store.set_default_paths
+          if defined? OpenSSL::X509::V_FLAG_PARTIAL_CHAIN
+            flagval = OpenSSL::X509::V_FLAG_PARTIAL_CHAIN
+          else
+            # this version of ruby does not define OpenSSL::X509::V_FLAG_PARTIAL_CHAIN
+            flagval = 0x80000
+          end
+          ssl_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL | flagval
+          ssl_options[:cert_store] = ssl_store
+        end
+
         auth_options = {}
 
         if @bearer_token_file.present?
