From d43aa0f3e28bab1033ae0a07e6206bc2720e02cb Mon Sep 17 00:00:00 2001
From: Pete Wall
Date: Wed, 23 Oct 2024 10:10:23 +0200
Subject: [PATCH] Add bearer token support for loki and for metrics over otlp
Signed-off-by: Pete Wall
---
charts/k8s-monitoring-v1/README.md | 3 +++
.../otel-metrics-service/metrics.alloy | 1 -
.../examples/otel-metrics-service/output.yaml | 2 --
.../alloy_config/_logs_service_loki.alloy.txt | 6 +++++
.../alloy_config/_logs_service_otlp.alloy.txt | 23 +++++++++++++++++--
.../_metrics_service_otlp.alloy.txt | 23 +++++++++++++++++--
.../templates/log-service-credentials.yaml | 3 +++
charts/k8s-monitoring-v1/values.schema.json | 14 +++++++++++
charts/k8s-monitoring-v1/values.yaml | 12 ++++++++++
9 files changed, 80 insertions(+), 7 deletions(-)
diff --git a/charts/k8s-monitoring-v1/README.md b/charts/k8s-monitoring-v1/README.md
index 723b92b89..a00da7360 100644
--- a/charts/k8s-monitoring-v1/README.md
+++ b/charts/k8s-monitoring-v1/README.md
@@ -237,6 +237,9 @@ The Prometheus and Loki services may be hosted on the same cluster, or remotely
 | externalServices.loki.basicAuth.passwordKey | string | `"password"` | The key for the password property in the secret |
 | externalServices.loki.basicAuth.username | string | `""` | Loki basic auth username |
 | externalServices.loki.basicAuth.usernameKey | string | `"username"` | The key for the username property in the secret |
+| externalServices.loki.bearerToken.token | string | `""` | Configure the Loki Bearer Token |
+| externalServices.loki.bearerToken.tokenFile | string | `""` | Configure the Loki Bearer Token file |
+| externalServices.loki.bearerToken.tokenKey | string | `"bearerToken"` | Configure the Key for Loki Bearer Token secret |
 | externalServices.loki.externalLabels | object | `{}` | Custom labels to be added to all logs and events. All values are treated as strings and automatically quoted. |
 | externalServices.loki.externalLabelsFrom | object | `{}` | Custom labels to be added to all logs and events through a dynamic reference. All values are treated as raw strings and not quoted. |
 | externalServices.loki.extraHeaders | object | `{}` | Extra headers to be set when sending metrics. All values are treated as strings and automatically quoted. |
diff --git a/charts/k8s-monitoring-v1/docs/examples/otel-metrics-service/metrics.alloy b/charts/k8s-monitoring-v1/docs/examples/otel-metrics-service/metrics.alloy
index 57faefb8e..4b81bdfd1 100644
--- a/charts/k8s-monitoring-v1/docs/examples/otel-metrics-service/metrics.alloy
+++ b/charts/k8s-monitoring-v1/docs/examples/otel-metrics-service/metrics.alloy
@@ -796,7 +796,6 @@ otelcol.auth.basic "metrics_service" {
 otelcol.exporter.otlphttp "metrics_service" {
 client {
 endpoint = nonsensitive(remote.kubernetes.secret.metrics_service.data["host"]) + "/api/v1/otlp"
- auth = otelcol.auth.basic.metrics_service.handler
 headers = {
 "X-Scope-OrgID" = nonsensitive(remote.kubernetes.secret.metrics_service.data["tenantId"]),
diff --git a/charts/k8s-monitoring-v1/docs/examples/otel-metrics-service/output.yaml b/charts/k8s-monitoring-v1/docs/examples/otel-metrics-service/output.yaml
index 7c74c71f6..fde9b7a73 100644
--- a/charts/k8s-monitoring-v1/docs/examples/otel-metrics-service/output.yaml
+++ b/charts/k8s-monitoring-v1/docs/examples/otel-metrics-service/output.yaml
@@ -928,7 +928,6 @@ data:
 otelcol.exporter.otlphttp "metrics_service" {
 client {
 endpoint = nonsensitive(remote.kubernetes.secret.metrics_service.data["host"]) + "/api/v1/otlp"
- auth = otelcol.auth.basic.metrics_service.handler
 headers = {
 "X-Scope-OrgID" = nonsensitive(remote.kubernetes.secret.metrics_service.data["tenantId"]),
@@ -68429,7 +68428,6 @@ data:
 otelcol.exporter.otlphttp "metrics_service" {
 client {
 endpoint = nonsensitive(remote.kubernetes.secret.metrics_service.data["host"]) + "/api/v1/otlp"
- auth = otelcol.auth.basic.metrics_service.handler
 headers = {
 "X-Scope-OrgID" = nonsensitive(remote.kubernetes.secret.metrics_service.data["tenantId"]),
diff --git a/charts/k8s-monitoring-v1/templates/alloy_config/_logs_service_loki.alloy.txt b/charts/k8s-monitoring-v1/templates/alloy_config/_logs_service_loki.alloy.txt
index a9f673fbf..56e635100 100644
--- a/charts/k8s-monitoring-v1/templates/alloy_config/_logs_service_loki.alloy.txt
+++ b/charts/k8s-monitoring-v1/templates/alloy_config/_logs_service_loki.alloy.txt
@@ -23,6 +23,12 @@ loki.write "logs_service" {
 username = nonsensitive(remote.kubernetes.secret.logs_service.data[{{ .basicAuth.usernameKey | quote }}])
 password = remote.kubernetes.secret.logs_service.data[{{ .basicAuth.passwordKey | quote }}]
 }
+{{- else if eq .authMode "bearerToken" }}
+ {{- if .bearerToken.tokenFile }}
+ bearer_token_file = {{ .bearerToken.tokenFile | quote }}
+ {{- else }}
+ bearer_token = remote.kubernetes.secret.logs_service.data[{{ .bearerToken.tokenKey | quote }}]
+ {{- end }}
 {{- else if eq .authMode "oauth2" }}
 oauth2 {
 client_id = nonsensitive(remote.kubernetes.secret.logs_service.data[{{ .oauth2.clientIdKey | quote }}])
diff --git a/charts/k8s-monitoring-v1/templates/alloy_config/_logs_service_otlp.alloy.txt b/charts/k8s-monitoring-v1/templates/alloy_config/_logs_service_otlp.alloy.txt
index 2cd301b1d..7111eeb85 100644
--- a/charts/k8s-monitoring-v1/templates/alloy_config/_logs_service_otlp.alloy.txt
+++ b/charts/k8s-monitoring-v1/templates/alloy_config/_logs_service_otlp.alloy.txt
@@ -54,11 +54,28 @@ otelcol.processor.memory_limiter "logs_service" {
 {{- end }}
 }
 }
-{{ if eq .authMode "basic" }}
+{{- if eq .authMode "basic" }}
+
 otelcol.auth.basic "logs_service" {
 username = nonsensitive(remote.kubernetes.secret.logs_service.data[{{ .basicAuth.usernameKey | quote }}])
 password = remote.kubernetes.secret.logs_service.data[{{ .basicAuth.passwordKey | quote }}]
 }
+{{- else if eq .authMode "bearerToken" }}
+ {{- if .bearerToken.tokenFile }}
+
+local.file "logs_service_bearer_token" {
+ filename = .bearerToken.tokenFile
+ is_secret = true
+}
+otelcol.auth.bearer "logs_service" {
+ token = local.file.logs_service_bearer_token.content
+}
+ {{- else }}
+
+otelcol.auth.bearer "logs_service" {
+ token = remote.kubernetes.secret.logs_service.data[{{ .bearerToken.tokenKey | quote }}]
+}
+ {{- end }}
 {{- end }}
 {{ if eq .protocol "otlp" }}
 otelcol.exporter.otlp "logs_service" {
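Review bot: In the added `local.file "logs_service_bearer_token"` block, `filename = .bearerToken.tokenFile` is not wrapped in a template action, so the literal text `.bearerToken.tokenFile` is emitted into the rendered Alloy config and the token-file path can never work; the Loki template on this same line gets it right with `bearer_token_file = {{ .bearerToken.tokenFile | quote }}`. Change the line to `filename = {{ .bearerToken.tokenFile | quote }}`. The identical line appears in `_metrics_service_otlp.alloy.txt` in the next hunk and needs the same fix. Setting `is_secret = true` on the file is the right choice, since it marks the token content as a secret value rather than a plain string.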
@@ -68,8 +85,10 @@ otelcol.exporter.otlphttp "logs_service" {
 {{- end }}
 client {
 endpoint = nonsensitive(remote.kubernetes.secret.logs_service.data[{{ .hostKey | quote }}]) + "{{ .writeEndpoint }}"
-{{ if or (.basicAuth.username) (.basicAuth.password) }}
+{{- if eq .authMode "basic" }}
 auth = otelcol.auth.basic.logs_service.handler
+{{- else if eq .authMode "bearerToken" }}
+ auth = otelcol.auth.bearer.logs_service.handler
 {{- end }}
 headers = {
 "X-Scope-OrgID" = nonsensitive(remote.kubernetes.secret.logs_service.data[{{ .tenantIdKey | quote }}]),
diff --git a/charts/k8s-monitoring-v1/templates/alloy_config/_metrics_service_otlp.alloy.txt b/charts/k8s-monitoring-v1/templates/alloy_config/_metrics_service_otlp.alloy.txt
index 9c0195a00..88915a680 100644
--- a/charts/k8s-monitoring-v1/templates/alloy_config/_metrics_service_otlp.alloy.txt
+++ b/charts/k8s-monitoring-v1/templates/alloy_config/_metrics_service_otlp.alloy.txt
@@ -54,11 +54,28 @@ otelcol.processor.memory_limiter "metrics_service" {
 {{- end }}
 }
 }
-{{ if eq .authMode "basic" }}
+{{- if eq .authMode "basic" }}
+
 otelcol.auth.basic "metrics_service" {
 username = nonsensitive(remote.kubernetes.secret.metrics_service.data[{{ .basicAuth.usernameKey | quote }}])
 password = remote.kubernetes.secret.metrics_service.data[{{ .basicAuth.passwordKey | quote }}]
 }
+{{- else if eq .authMode "bearerToken" }}
+ {{- if .bearerToken.tokenFile }}
+
+local.file "metrics_service_bearer_token" {
+ filename = .bearerToken.tokenFile
+ is_secret = true
+}
+otelcol.auth.bearer "metrics_service" {
+ token = local.file.metrics_service.content
+}
+ {{- else }}
+
+otelcol.auth.bearer "metrics_service" {
+ token = remote.kubernetes.secret.metrics_service.data[{{ .bearerToken.tokenKey | quote }}]
+}
+ {{- end }}
 {{- end }}
 {{ if eq .protocol "otlp" }}
 otelcol.exporter.otlp "metrics_service" {
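Review bot: In the metrics template, `token = local.file.metrics_service.content` refers to a component that is never declared; the `local.file` block two lines above is named `metrics_service_bearer_token`, so any metrics configuration with `tokenFile` set renders a config Alloy cannot load. Change it to `token = local.file.metrics_service_bearer_token.content`, mirroring the logs template. The `filename = .bearerToken.tokenFile` line in the same block also lacks the `{{ ... | quote }}` template action, as already noted on the logs hunk, and is a second reason the file-based path cannot work here.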
@@ -68,8 +85,10 @@ otelcol.exporter.otlphttp "metrics_service" {
 {{- end }}
 client {
 endpoint = nonsensitive(remote.kubernetes.secret.metrics_service.data[{{ .hostKey | quote }}]) + "{{ .writeEndpoint }}"
-{{ if or (.basicAuth.username) (.basicAuth.password) }}
+{{- if eq .authMode "basic" }}
 auth = otelcol.auth.basic.metrics_service.handler
+{{- else if eq .authMode "bearerToken" }}
+ auth = otelcol.auth.bearer.metrics_service.handler
 {{- end }}
 headers = {
 "X-Scope-OrgID" = nonsensitive(remote.kubernetes.secret.metrics_service.data[{{ .tenantIdKey | quote }}]),
diff --git a/charts/k8s-monitoring-v1/templates/log-service-credentials.yaml b/charts/k8s-monitoring-v1/templates/log-service-credentials.yaml
index b94d783d4..bf06c09e1 100644
--- a/charts/k8s-monitoring-v1/templates/log-service-credentials.yaml
+++ b/charts/k8s-monitoring-v1/templates/log-service-credentials.yaml
@@ -18,6 +18,9 @@ data:
 {{- if .tenantId }}
 {{ .tenantIdKey }}: {{ .tenantId | toString | b64enc | quote }}
 {{- end }}
+{{- if .bearerToken.token }}
+ {{ .bearerToken.tokenKey }}: {{ .bearerToken.token | toString | b64enc | quote }}
+{{- end }}
 {{- if .oauth2.clientId }}
 {{ .oauth2.clientIdKey }}: {{ .oauth2.clientId | toString | b64enc | quote }}
 {{- end }}
diff --git a/charts/k8s-monitoring-v1/values.schema.json b/charts/k8s-monitoring-v1/values.schema.json
index c93b7739e..4599118a4 100644
--- a/charts/k8s-monitoring-v1/values.schema.json
+++ b/charts/k8s-monitoring-v1/values.schema.json
@@ -312,6 +312,20 @@
 }
 }
 },
+ "bearerToken": {
+ "type": "object",
+ "properties": {
+ "token": {
+ "type": "string"
+ },
+ "tokenFile": {
+ "type": "string"
+ },
+ "tokenKey": {
+ "type": "string"
+ }
+ }
+ },
 "externalLabels": {
 "type": "object"
 },
diff --git a/charts/k8s-monitoring-v1/values.yaml b/charts/k8s-monitoring-v1/values.yaml
index fbb6ab8ad..a66c152b4 100644
--- a/charts/k8s-monitoring-v1/values.yaml
+++ b/charts/k8s-monitoring-v1/values.yaml
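Review bot: The bearer token is only written into the logs-service secret here, yet the metrics OTLP template in this same commit reads `remote.kubernetes.secret.metrics_service.data[{{ .bearerToken.tokenKey | quote }}]` and `.bearerToken.tokenFile`; no metrics-service credentials template, values default or README row for a metrics-side counterpart of `externalServices.loki.bearerToken` is in the diff, and the schema hunk does not show which service its `bearerToken` object belongs to. If those pieces are not added elsewhere, a metrics `authMode: bearerToken` with an inline token points Alloy at a secret key the chart never creates, and rendering fails on `.bearerToken.tokenFile` whenever the values file omits the block, since Helm errors on field access through a nil map. Adding the matching metrics credentials entry and defaults, or guarding the metrics template with `{{- if and .bearerToken .bearerToken.tokenFile }}`, would close that gap.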
@@ -377,6 +377,18 @@ externalServices:
 # @section -- External Services (Loki)
 tokenURL: ""
+ # Authenticate to Loki using bearerToken or bearerTokenFile
+ bearerToken:
+ # -- Configure the Loki Bearer Token
+ # @section -- External Services (Loki)
+ token: ""
+ # -- Configure the Key for Loki Bearer Token secret
+ # @section -- External Services (Loki)
+ tokenKey: "bearerToken"
+ # -- Configure the Loki Bearer Token file
+ # @section -- External Services (Loki)
+ tokenFile: ""
+
 # Credential management
 secret:
 # -- Should this Helm chart create the secret. If false, you must define the name and namespace values.
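Review bot: The stanza comment `# Authenticate to Loki using bearerToken or bearerTokenFile` names keys that do not exist — the keys added beneath it are `token` and `tokenFile` — and nothing documents that `tokenFile` wins when both are set, which is what the Loki template's `{{- if .bearerToken.tokenFile }}` branch does. Suggest `# Authenticate to Loki with a bearer token, supplied inline (token) or read from a file (tokenFile)` for the stanza and `# -- Configure the Loki Bearer Token file. When set, it is used instead of token; the path must exist inside the Alloy container` for `tokenFile`. If the `authMode` description above this hunk enumerates the accepted values, `bearerToken` should be listed there too; that part of values.yaml is outside the hunk.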