fluent-plugin-grafana-loki 1.2.20 → 1.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6c085d1fab891521b78a29e74cb171049013870eacf0bd902a82b73c5e2c1be6
-  data.tar.gz: f82af7a67da96eb1b51f9de96c1b9ca156b7b3304072f0a38cdfd0f5e324f49f
+  metadata.gz: 392322f21a178f97e079ce0a9c0fff34f1ace1d13321b1a720d060cbd96171c3
+  data.tar.gz: b4e6fff6f38c344069ba407a191ca90cfb33a76f79ff1b8e969859ccb8cfba2e
 SHA512:
-  metadata.gz: afc6b16682378857824334d80767ee7ff6ea1ca44a9b0cec3d4e131eab3049da6342a9d5adf5d16b65d2ceacc404cf280930675a296caf1b119dc5e0f3c90752
-  data.tar.gz: 276a4724d61a1290f4bed889a620dda8e87c42acdf46bc26907455c0f453fc1ef9829d06830a791c8a95a62a1ec841feb18d851cbb543baec99d818ff362d39f
+  metadata.gz: 77aadf99e24c00616cb7089b8cf156517572ca23e7582233a85c6dff476c33e38a022d57cc0d09b80e5697500fce8b2c4c2bec45eab8622820bc8e2c86519f66
+  data.tar.gz: 1e9bcc0b0b89e33683d3574c750c6c37d50a109577b2f082b5d0921a5ae0004e4245899c48503ad01f87be00216fd6f7a3f0f9ecf35e7e676cc3f44c9310afea

data/README.md

@@ -2,7 +2,11 @@
 
 [Fluentd](https://fluentd.org/) is a data collector for unified logging layer, it can be configured with the Loki output plugin, provided in this folder, to ship logs to Loki.
 
-See [docs/client/fluentd/README.md](../../docs/sources/clients/fluentd/_index.md) for detailed information.
+See the [Fluentd documentation](../../../docs/sources/send-data/fluentd/_index.md) for detailed information.
+
+## Client certificates (mTLS)
+
+For mutual TLS in front of Loki, configure `cert`, `key`, and optionally `ca_cert`. A PEM `cert` file may include the leaf plus intermediate chain; **sending the full chain requires Ruby 3.0+**. See [Client certificate verification](../../../docs/sources/send-data/fluentd/_index.md#client-certificate-verification) in the Loki docs.
 
 ## Development
 

data/lib/fluent/plugin/out_loki.rb

@@ -18,8 +18,11 @@
 require 'fluent/env'
 require 'fluent/plugin/output'
 require 'net/http'
+require 'rubygems/version'
 require 'yajl'
 require 'time'
+require 'zlib'
+require 'stringio'
 
 module Fluent
   module Plugin
@@ -45,16 +48,28 @@ module Fluent
       desc 'Authentication: Authorization header with Bearer token scheme'
       config_param :bearer_token_file, :string, default: nil
 
-      desc 'TLS: parameters for presenting a client certificate'
+      desc 'TLS: client certificate file (PEM). May contain multiple PEM blocks (leaf plus intermediate chain); full chain is sent only on Ruby 3.0+.'
       config_param :cert, :string, default: nil
       config_param :key, :string, default: nil
 
       desc 'TLS: CA certificate file for server certificate verification'
       config_param :ca_cert, :string, default: nil
 
+      desc 'TLS: the ciphers to use for the tls connection (e.g TLS1_0, TLS1_1, TLS1_2)'
+      config_param :ciphers, :string, default: nil
+
+      desc 'TLS: The minimum version for the tls connection'
+      config_param :min_version, :string, default: nil
+
       desc 'TLS: disable server certificate verification'
       config_param :insecure_tls, :bool, default: false
 
+      desc 'Custom HTTP headers'
+      config_param :custom_headers, :hash, default: {}
+
+      desc 'Compress HTTP request payload'
+      config_param :compress, :enum, list: %i[gzip], default: nil
+
       desc 'Loki tenant id'
       config_param :tenant, :string, default: nil
 
@@ -132,14 +147,43 @@ module Fluent
         !@key.nil? && !@cert.nil?
       end
 
+      # Net::HTTP exposes extra_chain_cert for the client TLS chain in Ruby 3.0+ stdlib.
+      def self.extra_chain_cert_supported?
+        Gem::Version.new(RUBY_VERSION) >= Gem::Version.new('3.0')
+      end
+
       def load_client_cert
-        @cert = OpenSSL::X509::Certificate.new(File.read(@cert)) if @cert
+        @extra_chain_cert = nil
+        if @cert
+          raw = File.read(@cert)
+          pem_certs = raw.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
+          if pem_certs.empty?
+            # No PEM blocks found - fall back to OpenSSL's native parsing,
+            # which handles DER-encoded (binary) certificates.
+            @cert = OpenSSL::X509::Certificate.new(raw)
+          else
+            # PEM file: use the first cert as the client certificate,
+            # and any remaining certs as the intermediate CA chain (Ruby 3.0+ only).
+            @cert = OpenSSL::X509::Certificate.new(pem_certs[0])
+            remaining = pem_certs[1..]
+            if !remaining.empty?
+              if self.class.extra_chain_cert_supported?
+                @extra_chain_cert = remaining.map { |c| OpenSSL::X509::Certificate.new(c) }
+              elsif !@client_cert_intermediate_chain_skipped_logged
+                @client_cert_intermediate_chain_skipped_logged = true
+                log.warn 'client certificate file contains multiple PEM blocks, but sending the intermediate chain ' \
+                         'requires Ruby 3.0+. Only the leaf certificate will be presented; mTLS may fail if the ' \
+                         'server requires the full chain.'
+              end
+            end
+          end
+        end
         @key = OpenSSL::PKey.read(File.read(@key)) if @key
       end
 
       def validate_client_cert_key
         if !@key.is_a?(OpenSSL::PKey::RSA) && !@key.is_a?(OpenSSL::PKey::DSA)
-          raise "Unsupported private key type #{key.class}"
+          raise "Unsupported private key type #{@key.class}"
         end
       end
 
@@ -183,12 +227,17 @@ module Fluent
           )
         end
 
-        # Optionally present client certificate
+        # Optionally present client certificate (with intermediate chain if available; Ruby 3.0+ only).
         if !@cert.nil? && !@key.nil?
           opts = opts.merge(
             cert: @cert,
             key: @key
           )
+          if @extra_chain_cert && self.class.extra_chain_cert_supported?
+            opts = opts.merge(
+              extra_chain_cert: @extra_chain_cert
+            )
+          end
         end
 
         # For server certificate verification: set custom CA bundle.
@@ -198,6 +247,19 @@ module Fluent
             ca_file: @ca_cert
           )
         end
+
+        if @ciphers
+          opts = opts.merge(
+            ciphers: @ciphers
+          )
+        end
+
+        if @min_version
+          opts = opts.merge(
+            min_version: @min_version.to_sym
+          )
+        end
+
         opts
       end
 
@@ -213,10 +275,21 @@ module Fluent
         req = Net::HTTP::Post.new(
           @uri.request_uri
         )
+        @custom_headers.each do |key, value|
+          req.add_field(key, value)
+        end
         req.add_field('Content-Type', 'application/json')
         req.add_field('Authorization', "Bearer #{@auth_token_bearer}") unless @auth_token_bearer.nil?
         req.add_field('X-Scope-OrgID', tenant) if tenant
-        req.body = Yajl.dump(body)
+        payload = Yajl.dump(body)
+        if @compress == :gzip
+          req.add_field('Content-Encoding', 'gzip')
+          compressed = StringIO.new
+          Zlib::GzipWriter.wrap(compressed) { |gz| gz.write(payload) }
+          req.body = compressed.string
+        else
+          req.body = payload
+        end
         req.basic_auth(@username, @password) if @username
 
         opts = http_request_opts(@uri)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: fluent-plugin-grafana-loki
 version: !ruby/object:Gem::Version
-  version: 1.2.20
+  version: 1.3.0
 platform: ruby
 authors:
 - woodsaj
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-02-06 00:00:00.000000000 Z
+date: 2026-04-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: fluentd
@@ -150,7 +150,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.7
+rubygems_version: 3.4.10
 signing_key:
 specification_version: 4
 summary: Output plugin to ship logs to a Grafana Loki server