1. Using kubernetes fluentbit.fluent.io with cert-manager.skyscanner.net

    TypeScript

    Integrating Fluent Bit with cert-manager in a Kubernetes cluster involves deploying Fluent Bit as a log processor and forwarder that runs as a DaemonSet. Cert-manager, on the other hand, is a native Kubernetes certificate management tool that can issue and manage TLS certificates automatically. Used together, they let Fluent Bit forward logs securely over TLS with certificates managed by cert-manager.

    Below is a Pulumi TypeScript program that deploys Fluent Bit with a TLS configuration, assuming that you have cert-manager already set up and running in your Kubernetes cluster.

    This example will:

    1. Create a self-signed issuer using cert-manager to issue certificates.
    2. Generate a certificate managed by cert-manager for Fluent Bit.
    3. Configure Fluent Bit's DaemonSet with the mounted TLS secrets.
    4. Forward logs securely using the TLS configuration.

    Make sure to have cert-manager installed in your cluster before running this program.

    ```typescript
    import * as k8s from "@pulumi/kubernetes";
    import * as pulumi from "@pulumi/pulumi";

    // Kubernetes provider. With no arguments it uses the ambient kubeconfig;
    // replace it with your own provider configuration if necessary.
    const k8sProvider = new k8s.Provider("k8s-provider");

    // Create a self-signed issuer for cert-manager.
    const selfSignedIssuer = new k8s.apiextensions.CustomResource("selfsigned-issuer", {
        apiVersion: "cert-manager.io/v1",
        kind: "Issuer",
        metadata: { name: "selfsigned-issuer" },
        spec: { selfSigned: {} },
    }, { provider: k8sProvider });

    // Generate a TLS certificate for Fluent Bit.
    const fluentBitCert = new k8s.apiextensions.CustomResource("fluentbit-tls", {
        apiVersion: "cert-manager.io/v1",
        kind: "Certificate",
        metadata: { name: "fluentbit-tls" },
        spec: {
            secretName: "fluentbit-tls", // The name of the secret to store the TLS key and certificate
            issuerRef: { name: "selfsigned-issuer", kind: "Issuer" },
            dnsNames: ["fluentbit.local"], // Use the appropriate DNS name for your Fluent Bit service
        },
    }, { provider: k8sProvider, dependsOn: [selfSignedIssuer] }); // Ensure the cert-manager issuer is created first

    // Deploy Fluent Bit as a DaemonSet with TLS configuration.
    const fluentBitDaemonSet = new k8s.apps.v1.DaemonSet("fluentbit-ds", {
        metadata: { name: "fluentbit" },
        spec: {
            selector: { matchLabels: { app: "fluentbit" } },
            template: {
                metadata: { labels: { app: "fluentbit" } },
                spec: {
                    containers: [{
                        name: "fluentbit",
                        // Use the required Fluent Bit image; pin a specific version tag
                        // rather than "latest" for reproducible deployments.
                        image: "fluent/fluent-bit:latest",
                        // Mount the volume with the TLS certificates.
                        volumeMounts: [{
                            name: "tls",
                            mountPath: "/fluent-bit/tls",
                            readOnly: true,
                        }],
                        // Configure your Fluent Bit outputs to use the TLS certificates.
                        // This configuration will vary depending on your output sink and settings.
                    }],
                    // Define the volume sourced from the secret created by cert-manager.
                    volumes: [{
                        name: "tls",
                        secret: {
                            secretName: "fluentbit-tls",
                        },
                    }],
                },
            },
        },
    }, { provider: k8sProvider, dependsOn: [fluentBitCert] });

    // Export the DaemonSet name
    export const fluentBitDaemonSetName = fluentBitDaemonSet.metadata.name;
    ```

    In this program, replace k8sProvider with your own Kubernetes provider configuration if necessary.

    Here’s what each part of the program does:

    • selfSignedIssuer: This defines a self-signed issuer via cert-manager by creating a CustomResource. This issuer is then used to sign certificates for services within your cluster. A certificate from a self-signed issuer is signed with its own private key, so a peer trusts it only if it has been given that certificate explicitly.
    • fluentBitCert: This creates another CustomResource of kind Certificate that instructs cert-manager to issue a TLS certificate for Fluent Bit, storing it in a Kubernetes secret named fluentbit-tls.
    • fluentBitDaemonSet: This deploys Fluent Bit as a DaemonSet on your cluster. The container mounts the TLS certificate and key from the secret managed by cert-manager, read-only, at /fluent-bit/tls. The Fluent Bit output configuration that uses these files for secure communication is not part of the program; it is left as a comment in the container spec because it depends on your output sink.

    After you've written this program and saved it in a .ts file, you would use the Pulumi CLI to deploy it to your Kubernetes cluster. Ensure that your kubectl context is set to the Kubernetes cluster you wish to deploy to and that you have appropriate permissions to create resources.

    Please note that the forwarder outputs and logs configuration should be customized based on your environment or requirements, and the dnsNames field in the Certificate resource should reflect the appropriate DNS names for your Fluent Bit service.
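
The program above mounts the certificate but leaves the Fluent Bit output section to you. The following TypeScript is an added example, not part of the original program or of the Fluent Bit or Pulumi projects: it renders a classic-format `[OUTPUT]` section that uses the files under /fluent-bit/tls, and audits a configuration for outputs that have TLS off or peer verification disabled. The function names, the `forward` output choice and the sample configuration are assumptions.

```typescript
// Added example, not from the original page. TLS_DIR matches the DaemonSet's
// mountPath; tls.crt / tls.key / ca.crt are the keys cert-manager writes to the secret.
const TLS_DIR = "/fluent-bit/tls";

// Render a classic-format [OUTPUT] section using the mounted client certificate.
// caFile must be the CA that signed the *receiver's* certificate; the mounted
// ca.crt only fits when both ends chain to the same CA (assumption here).
function renderForwardOutput(host: string, port: number, caFile: string): string {
  return [
    "[OUTPUT]",
    "    Name          forward",
    "    Match         *",
    `    Host          ${host}`,
    `    Port          ${port}`,
    "    tls           On",
    "    tls.verify    On",
    `    tls.ca_file   ${caFile}`,
    `    tls.crt_file  ${TLS_DIR}/tls.crt`,
    `    tls.key_file  ${TLS_DIR}/tls.key`,
  ].join("\n");
}

// Report [OUTPUT] sections that would send logs in clear text or accept any
// peer. Defaults follow Fluent Bit: tls is Off and tls.verify is On when unset.
function auditOutputs(conf: string): string[] {
  const findings: string[] = [];
  let section = "";
  let keys: Record<string, string> = {};
  const isOn = (k: string, dflt: string): boolean => /^(on|true|yes)$/i.test(keys[k] || dflt);
  const flush = (): void => {
    if (section !== "OUTPUT") return;
    const plugin = keys["name"] || "unnamed";
    if (!isOn("tls", "off")) { findings.push(`${plugin}: tls is off`); return; }
    if (!isOn("tls.verify", "on")) findings.push(`${plugin}: tls.verify is off`);
    if (!keys["tls.ca_file"] && !keys["tls.ca_path"]) findings.push(`${plugin}: no CA configured`);
  };
  // A sentinel header at the end flushes the last real section.
  for (const raw of conf.split("\n").concat(["[END]"])) {
    const line = raw.trim();
    if (line === "" || line.charAt(0) === "#") continue;
    const header = /^\[(\w+)\]$/.exec(line);
    if (header) { flush(); section = (header[1] || "").toUpperCase(); keys = {}; continue; }
    const kv = /^(\S+)\s+(.*)$/.exec(line);
    if (kv) keys[(kv[1] || "").toLowerCase()] = (kv[2] || "").trim();
  }
  return findings;
}

// Constructed sample: one output without TLS, one with verification disabled.
const weakConf = "[OUTPUT]\n  Name es\n  Host es.example.internal\n\n[OUTPUT]\n  Name forward\n  tls On\n  tls.verify Off\n  tls.ca_file /fluent-bit/tls/ca.crt\n";
```

The rendered section would go into the ConfigMap that supplies Fluent Bit's configuration file; running `auditOutputs` over that file before deployment catches an output that silently falls back to plain text.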