From acdfd6fcf52ca8075e8c30fe4aa0ba27739076a3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Herv=C3=A9=20Nicol?=
Date: Thu, 19 Oct 2023 09:41:19 +0200
Subject: [PATCH] multi-tenant-proxy: enforce write orgid according to the user (#230)
* multi-tenant-proxy: enforce write orgid according to the user
* make behaviour configurable
---------
Co-authored-by: Herve Nicol <12008875+hervenicol@users.noreply.github.com>
---
 CHANGELOG.md | 1 +
 helm/loki/templates/multi-tenant-proxy/multi-tenant-proxy.yaml | 2 ++
 helm/loki/values.yaml | 3 +++
 3 files changed, 6 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index cd9d7b91..2c7dbe8f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Upgraded upstream chart from 5.29.0 to 5.34.0 - see [changelog](https://github.com/grafana/loki/blob/main/production/helm/loki/CHANGELOG.md) for more information.
 - Upgraded loki from 2.9.1 to 2.9.2 - see [changelog](https://github.com/grafana/loki/blob/main/CHANGELOG.md) for more information.
 - Resource usage improvements (requests and limits, and HPA tuning)
+- multi-tenant-proxy: enforce org-id according to the user - can be changed back with `.Values.multiTenantAuth.write.enforceOrgId`
 ## [0.13.0] - 2023-10-17
diff --git a/helm/loki/templates/multi-tenant-proxy/multi-tenant-proxy.yaml b/helm/loki/templates/multi-tenant-proxy/multi-tenant-proxy.yaml
index 7857fde5..62efaca6 100644
--- a/helm/loki/templates/multi-tenant-proxy/multi-tenant-proxy.yaml
+++ b/helm/loki/templates/multi-tenant-proxy/multi-tenant-proxy.yaml
@@ -86,7 +86,9 @@ spec:
 - "--port=3101"
 - '--loki-server=http://loki-write.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }}:3100'
 - "--auth-config=/etc/loki-multi-tenant-proxy/authn.yaml"
+ {{- if not .Values.multiTenantAuth.write.enforceOrgId }}
 - "--keep-orgid"
+ {{- end }}
 ports:
 - name: http-write
 containerPort: 3101
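Review bot: The new guard `{{- if not .Values.multiTenantAuth.write.enforceOrgId }}` fails open, because `not` is true for any empty value: an override that sets the key to `null`, `""` or `0` renders `--keep-orgid`, which according to the values comment lets write requests choose their own org id. As this flag is the tenant-isolation switch on the write path, it would be safer to render it only on an explicit false, for example `{{- if eq (toString .Values.multiTenantAuth.write.enforceOrgId) "false" }}`, so that a missing or mistyped value keeps enforcement on. The container's `args` list starts before this hunk, so the other flags and any read-path proxy were not reviewed.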
diff --git a/helm/loki/values.yaml b/helm/loki/values.yaml
index 94e2eec7..e17a3fe7 100644
--- a/helm/loki/values.yaml
+++ b/helm/loki/values.yaml
@@ -53,6 +53,9 @@ multiTenantAuth:
 readOnlyRootFilesystem: true
 seccompProfile:
 type: RuntimeDefault
+ write:
+ # -- disabling this allows write requests to set whatever orgid they want
+ enforceOrgId: true
 global:
 image:
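Review bot: The comment on `enforceOrgId` describes only the disabled state and never says what the default protects; since this is the tenant-isolation switch for writes, state both sides, e.g. `# -- when true, the write proxy sets the org id from the authenticated user; set to false only if every writer is trusted to choose its own tenant`. The template reads `.Values.multiTenantAuth.write.enforceOrgId`, so `write:` has to be a direct child of `multiTenantAuth`. Indentation is not recoverable on this page and the preceding context lines are security-context keys, so that nesting is worth confirming in the file. The `multiTenantAuth` block begins before the hunk.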