From 6f8ea7584125897d84f9071c6e3b5e03c6d99bc7 Mon Sep 17 00:00:00 2001
From: David Miserak
Date: Wed, 17 Sep 2025 04:46:37 -0400
Subject: [PATCH] fix: Add x509 key pair to config
Signed-off-by: David Miserak
---
 CHANGELOG.md | 4 +++-
 fluent/fluent.go | 21 +++++++++++++++++++++
 2 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e05ff53..d7a1e92 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,7 +1,9 @@
 # CHANGELOG
-## 1.10.0
+## 10.0.1
+* Support x509 Key Pair option
+## 1.10.0
 * Refactor Fluent Logger for Improved Thread Safety and Error Handling
 * Follow the recent Golang module updates
 * Stabilize testing on CI
diff --git a/fluent/fluent.go b/fluent/fluent.go
index c414f97..c0a4fde 100644
--- a/fluent/fluent.go
+++ b/fluent/fluent.go
@@ -38,6 +38,10 @@ const (
 // Default value whether to skip checking insecure certs on TLS connections.
 defaultTlsInsecureSkipVerify = false
 defaultReadTimeout = time.Duration(0) // Read() will not time out
+
+ // Default values for cert and key pair
+ defaultTlsCertFile = ""
+ defaultTlsKeyFile = ""
 )
 // randomGenerator is used by getUniqueId to generate ack hashes. Its value is replaced
@@ -82,6 +86,10 @@ type Config struct {
 // ReadTimeout specifies the timeout on reads. Currently only acks are read.
 ReadTimeout time.Duration `json:"read_timeout"`
+
+ // Cert file and key file
+ TlsCertFile string `json: "tls_cert_file"`
+ TlsKeyFile string `json: "tls_key_file"`
 }
 type ErrUnknownNetwork struct {
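Review bot: The two new struct tags in Config are malformed: `json: "tls_cert_file"` has a space after the colon, so the tag does not parse as a key:"value" pair, encoding/json falls back to the Go field names, and `go vet` reports it. Write them like the neighbouring ReadTimeout field, as `json:"tls_cert_file"` and `json:"tls_key_file"`. The comment `// Cert file and key file` would also say more as `// TlsCertFile and TlsKeyFile are paths to the PEM client certificate and its private key, presented to the server for mutual TLS; set both or neither.` The struct begins outside the hunk.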
@@ -171,6 +179,12 @@ func newWithDialer(config Config, d dialer) (f *Fluent, err error) {
 if !config.TlsInsecureSkipVerify {
 config.TlsInsecureSkipVerify = defaultTlsInsecureSkipVerify
 }
+ if config.TlsCertFile == "" {
+ config.TlsCertFile = defaultTlsCertFile
+ }
+ if config.TlsKeyFile == "" {
+ config.TlsKeyFile = defaultTlsKeyFile
+ }
 if config.AsyncConnect {
 fmt.Fprintf(os.Stderr, "fluent#New: AsyncConnect is now deprecated, please use Async instead")
 config.Async = config.Async || config.AsyncConnect
@@ -465,6 +479,13 @@ func (f *Fluent) connect(ctx context.Context) (err error) {
 f.Config.FluentHost+":"+strconv.Itoa(f.Config.FluentPort))
 case "tls":
 tlsConfig := &tls.Config{InsecureSkipVerify: f.Config.TlsInsecureSkipVerify}
+ if (f.Config.TlsCertFile != "") && (f.Config.TlsKeyFile != "") {
+ cert, err := tls.LoadX509KeyPair(f.Config.TlsCertFile, f.Config.TlsKeyFile)
+ if err != nil {
+ return err
+ }
+ tlsConfig = &tls.Config{Certificates: []tls.Certificate{cert}, InsecureSkipVerify: f.Config.TlsInsecureSkipVerify}
+ }
 f.conn, err = tls.DialWithDialer(
 &net.Dialer{Timeout: f.Config.Timeout},
 "tcp",
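Review bot: In newWithDialer the two added `if` blocks assign "" to a field that is already "", so they do nothing, and the constants `defaultTlsCertFile` and `defaultTlsKeyFile` added in the const block serve no purpose. What is missing here is a check that the pair is complete: connect only loads the key pair when both paths are non-empty, so a config that sets just one of them dials without a client certificate and gives no hint why. Replacing the two blocks with `if (config.TlsCertFile == "") != (config.TlsKeyFile == "") { return nil, fmt.Errorf("fluent#New: TlsCertFile and TlsKeyFile must be set together") }` fails early instead. The function body continues outside the hunk.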
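Review bot: The error from `tls.LoadX509KeyPair` in connect is returned bare, so the caller cannot tell a client-certificate problem from a dial failure; `return fmt.Errorf("fluent#connect: load client key pair: %w", err)` keeps the cause and adds the context. The block also builds a second `tls.Config` that repeats InsecureSkipVerify, so any field later added to the first literal would be lost on this path; `tlsConfig.Certificates = []tls.Certificate{cert}` changes only what is needed. `cert, err :=` shadows the named result `err`, which is harmless only because the return is explicit. The `case "tls"` body starts and ends outside the hunk.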