Fluentd is an open source data collector that lets you unify data collection and consumption for better use and understanding of data. This chart is meant to be used with this fluent-bit chart on a Kubernetes cluster. Fluent-bit will be deployed as a daemonset using this image to collect all logs and will then push them to fluentd using the in_forward protocol, secured by TLS. Fluentd will pass logs on to elasticsearch, secured by xpack, and to s3 for long-term archival.
This system sends all logs on to elasticsearch. To connect correctly, the username and password fields must be set so that fluentd can communicate securely with elasticsearch xpack. These fields become the user and password fields of the elasticsearch output plugin configuration. They should match an elasticsearch xpack username and password and can be passed in at installation with:
--set fluentESUser=your-username,fluentESPassword=your-password
Fluentd has an output plugin to push logs to s3. This plugin must be included in the values.yaml file under the plugins section to be installed. You must first go into s3 and create the bucket and path that you wish to push to. Then either use or create an IAM role that has s3 read/write access.
Several pieces of information must be passed in at chart install for this to work properly, as the plugin needs access to your aws credentials, and needs to know which region and bucket you would like to push the logs to.
Make sure the following environment variables are set: AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
You will also need to provide the s3 bucket name and region at chart installation.
For example: s3Bucket=myLogs and s3Region=us-west-2
Firstly, client and server certs must be created. For a quick walkthrough of how this can work with fluent-bit and fluentd, read this blog. For fluent-bit to connect and securely send logs to fluentd, TLS information must be passed in as a Kubernetes secret to the cluster before this chart can be deployed.
kubectl create secret generic fluentd-tls \
--from-file=ca.crt.pem=./certs/ca.crt.pem \
--from-file=server.crt.pem=./certs/server.crt.pem \
--from-file=server.key.pem=./private/server.key.pem
It is recommended to protect keys with a password, although this step can be skipped if desired. Set the fluentd passphrase at installation with:
--set fluentdPrivateKeyPassphrase=your-ssl-passphrase
Ensure that client certs are passed into secrets as well and used by fluent-bit.
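A pre-flight check for the three files named in the kubectl command above, as an added example that is not part of this chart: it confirms that the server certificate chains to the CA, that the passphrase decrypts the key, and that the key belongs to the certificate. The function name, the script file name and the FLUENTD_KEY_PASS variable are assumptions made for illustration; the openssl command-line tool must be installed.

```shell
#!/bin/sh
# Added example: pre-flight check for the files that go into the fluentd-tls
# secret. Default paths are the ones used in the kubectl command above.
# FLUENTD_KEY_PASS is an assumed variable name holding the optional passphrase.
# Usage (hypothetical file name):
#   . ./check-fluentd-tls.sh && check_fluentd_tls [ca] [server-cert] [server-key]

check_fluentd_tls() {
    ca=${1:-./certs/ca.crt.pem}
    crt=${2:-./certs/server.crt.pem}
    key=${3:-./private/server.key.pem}

    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done

    # 1. The server certificate must chain to the CA that fluent-bit will trust.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { echo "server cert does not verify against $ca" >&2; return 2; }

    # 2. The passphrase must decrypt the key. The variable is always passed
    #    (empty if unset); openssl ignores it when the key is not encrypted.
    key_pub=$(FLUENTD_KEY_PASS=${FLUENTD_KEY_PASS:-} \
        openssl pkey -in "$key" -passin env:FLUENTD_KEY_PASS -pubout 2>/dev/null) ||
        { echo "cannot read $key (wrong or missing passphrase?)" >&2; return 3; }

    # 3. The key must be the one the certificate was issued for: compare the
    #    public key derived from the private key with the one in the cert.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) ||
        { echo "cannot parse $crt" >&2; return 4; }
    [ "$key_pub" = "$crt_pub" ] ||
        { echo "private key does not match server cert" >&2; return 4; }

    echo "ok: CA, server cert and key are consistent"
}
```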
helm install ./fluentd/ --name fluentd --namespace=your-namespace --set awsKeyId="$AWS_ACCESS_KEY_ID",awsSecKey="$AWS_SECRET_ACCESS_KEY",s3Bucket=your-bucket,s3Region=your-region,fluentdPrivateKeyPassphrase=your-ssl-passphrase,fluentESUser=your-username,fluentESPassword=your-password
- search for plugins
- create a yaml file to hold new values
- include desired plugin in plugins section of file if necessary, or take out plugins not needed
- update output.conf to reflect desired plugin usage
- when installing chart, pass in new file using -f <new_values.yaml>
example installation:
helm install ./fluentd/ --name fluentd -f <new_values.yaml>