Need Fluent-Bit to support reading cert from Windows Certstore

[duj4]

Is your feature request related to a problem? Please describe.
This is not related to a problem but just a feature request.

Describe the solution you'd like
In our windows server, the cert is auto-enrolled when the server was provisioned and the private key export is disabled as well for the sake of security. In such case, the only way to refer to the cert is from Windows cert store, but it seems Fluent-Bit does not support this (Fluentd does, https://docs.fluentd.org/output/forward#how-to-connect-to-a-tls-ssl-enabled-server-with-windows-certstore-certificate). Therefore, could it be possible to add this to the existing [OUTPUT] plugins that support TLS in Windows version?

Describe alternatives you've considered
We have to generated cert and key separately manually, but there are hundreds of servers.

Additional context
There are hundreds of Windows servers in our production environment and we have to turn on TLS while sending the logs to Loki. If it does support reading cert from Windows cert store, we have to generate a separate cert/key pair manually (though we are trying to work out a programmatic way for this).

[cosmo0920]

We already read certificates from Root certstore on Windows. You mean that it should be configurable?
I wrote a mechanism from reading certstore on Fluentd side.

[duj4]

hi @cosmo0920 , thanks for your reply (again)

Let me try to clarify it:
In the Loki output plugin, we would like to turn on TLS function to make sure the transmission's security. However, on Windows FluentBit cannot refer to the cert from certstore but only read from the file. In our environment, the cert/key can only be generated manually but there are around hundreds of servers. If FluentBit Windows could support this feature, that'll save us from the pain.

[cosmo0920]

Windows FluentBit cannot refer to the cert from certstore but only read from the file.

For sure, it's not partially correct. This is because we already read Root certstore on Windows here: https://github.com/fluent/fluent-bit/blob/master/src/tls/openssl.c#L249
This could be used for reading system certificates.
To be configurable, we need to provide an interface to specify Windows specific parameters.

[duj4]

Windows FluentBit cannot refer to the cert from certstore but only read from the file.

For sure, it's not partially correct. This is because we already read Root certstore on Windows here: https://github.com/fluent/fluent-bit/blob/master/src/tls/openssl.c#L249 This could be used for reading system certificates. To be configurable, we need to provide an interface to specify Windows specific parameters.

Yes, that'd be better if there is any interface for the configuration, thanks @cosmo0920

[github-actions]

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 5 days. Maintainers can add the exempt-stale label.

[niedbalski]

@edsiper I added support for this and certificates are indeed loaded from the cert store

fluent-bit/src/tls/openssl.c

Line 285 in b0f3a63

static int windows_load_system_certificates(struct tls_context *ctx)

[edsiper]

so it seems we are missing the config aspect

note: moving to another milestone