Add bearer token support for loki and for metrics over otlp (#813)

Signed-off-by: Pete Wall <[email protected]>
grafana · Oct 29, 2024 · 0b3ce8e · 0b3ce8e
1 parent c8358d3
commit 0b3ce8e
Show file tree

Hide file tree

Showing 9 changed files with 80 additions and 7 deletions.
diff --git a/charts/k8s-monitoring-v1/README.md b/charts/k8s-monitoring-v1/README.md
@@ -237,6 +237,9 @@ The Prometheus and Loki services may be hosted on the same cluster, or remotely
 | externalServices.loki.basicAuth.passwordKey | string | `"password"` | The key for the password property in the secret |
 | externalServices.loki.basicAuth.username | string | `""` | Loki basic auth username |
 | externalServices.loki.basicAuth.usernameKey | string | `"username"` | The key for the username property in the secret |
+| externalServices.loki.bearerToken.token | string | `""` | Configure the Loki Bearer Token |
+| externalServices.loki.bearerToken.tokenFile | string | `""` | Configure the Loki Bearer Token file |
+| externalServices.loki.bearerToken.tokenKey | string | `"bearerToken"` | Configure the Key for Loki Bearer Token secret |
 | externalServices.loki.externalLabels | object | `{}` | Custom labels to be added to all logs and events. All values are treated as strings and automatically quoted. |
 | externalServices.loki.externalLabelsFrom | object | `{}` | Custom labels to be added to all logs and events through a dynamic reference. All values are treated as raw strings and not quoted. |
 | externalServices.loki.extraHeaders | object | `{}` | Extra headers to be set when sending metrics. All values are treated as strings and automatically quoted. |

diff --git a/charts/k8s-monitoring-v1/docs/examples/otel-metrics-service/metrics.alloy b/charts/k8s-monitoring-v1/docs/examples/otel-metrics-service/metrics.alloy
@@ -796,7 +796,6 @@ otelcol.auth.basic "metrics_service" {
 otelcol.exporter.otlphttp "metrics_service" {
   client {
     endpoint = nonsensitive(remote.kubernetes.secret.metrics_service.data["host"]) + "/api/v1/otlp"
-
     auth = otelcol.auth.basic.metrics_service.handler
     headers = {
       "X-Scope-OrgID" = nonsensitive(remote.kubernetes.secret.metrics_service.data["tenantId"]),

diff --git a/charts/k8s-monitoring-v1/docs/examples/otel-metrics-service/output.yaml b/charts/k8s-monitoring-v1/docs/examples/otel-metrics-service/output.yaml
@@ -928,7 +928,6 @@ data:
     otelcol.exporter.otlphttp "metrics_service" {
       client {
         endpoint = nonsensitive(remote.kubernetes.secret.metrics_service.data["host"]) + "/api/v1/otlp"
-
         auth = otelcol.auth.basic.metrics_service.handler
         headers = {
           "X-Scope-OrgID" = nonsensitive(remote.kubernetes.secret.metrics_service.data["tenantId"]),
@@ -68429,7 +68428,6 @@ data:
     otelcol.exporter.otlphttp "metrics_service" {
       client {
         endpoint = nonsensitive(remote.kubernetes.secret.metrics_service.data["host"]) + "/api/v1/otlp"
-
         auth = otelcol.auth.basic.metrics_service.handler
         headers = {
           "X-Scope-OrgID" = nonsensitive(remote.kubernetes.secret.metrics_service.data["tenantId"]),

diff --git a/charts/k8s-monitoring-v1/templates/alloy_config/_logs_service_loki.alloy.txt b/charts/k8s-monitoring-v1/templates/alloy_config/_logs_service_loki.alloy.txt
@@ -23,6 +23,12 @@ loki.write "logs_service" {
       username = nonsensitive(remote.kubernetes.secret.logs_service.data[{{ .basicAuth.usernameKey | quote }}])
       password = remote.kubernetes.secret.logs_service.data[{{ .basicAuth.passwordKey | quote }}]
     }
+{{- else if eq .authMode "bearerToken" }}
+  {{- if .bearerToken.tokenFile }}
+    bearer_token_file = {{  .bearerToken.tokenFile | quote  }}
+  {{- else }}
+    bearer_token = remote.kubernetes.secret.logs_service.data[{{ .bearerToken.tokenKey | quote }}]
+  {{- end }}
 {{- else if eq .authMode "oauth2" }}
     oauth2 {
       client_id = nonsensitive(remote.kubernetes.secret.logs_service.data[{{ .oauth2.clientIdKey | quote }}])

diff --git a/charts/k8s-monitoring-v1/templates/alloy_config/_logs_service_otlp.alloy.txt b/charts/k8s-monitoring-v1/templates/alloy_config/_logs_service_otlp.alloy.txt
@@ -54,11 +54,28 @@ otelcol.processor.memory_limiter "logs_service" {
 {{- end }}
   }
 }
-{{ if eq .authMode "basic" }}
+{{- if eq .authMode "basic" }}
+
 otelcol.auth.basic "logs_service" {
   username = nonsensitive(remote.kubernetes.secret.logs_service.data[{{ .basicAuth.usernameKey | quote }}])
   password = remote.kubernetes.secret.logs_service.data[{{ .basicAuth.passwordKey | quote }}]
 }
+{{- else if eq .authMode "bearerToken" }}
+  {{- if .bearerToken.tokenFile }}
+
+local.file "logs_service_bearer_token" {
+  filename = .bearerToken.tokenFile
+  is_secret = true
+}
+otelcol.auth.bearer "logs_service" {
+  token = local.file.logs_service_bearer_token.content
+}
+  {{- else }}
+
+otelcol.auth.bearer "logs_service" {
+  token = remote.kubernetes.secret.logs_service.data[{{ .bearerToken.tokenKey | quote }}]
+}
+  {{- end }}
 {{- end }}
 {{ if eq .protocol "otlp" }}
 otelcol.exporter.otlp "logs_service" {
@@ -68,8 +85,10 @@ otelcol.exporter.otlphttp "logs_service" {
 {{- end }}
   client {
     endpoint = nonsensitive(remote.kubernetes.secret.logs_service.data[{{ .hostKey | quote }}]) + "{{ .writeEndpoint }}"
-{{ if or (.basicAuth.username) (.basicAuth.password) }}
+{{- if eq .authMode "basic" }}
     auth = otelcol.auth.basic.logs_service.handler
+{{- else if eq .authMode "bearerToken" }}
+    auth = otelcol.auth.bearer.logs_service.handler
 {{- end }}
     headers = {
       "X-Scope-OrgID" = nonsensitive(remote.kubernetes.secret.logs_service.data[{{ .tenantIdKey | quote }}]),

diff --git a/charts/k8s-monitoring-v1/templates/alloy_config/_metrics_service_otlp.alloy.txt b/charts/k8s-monitoring-v1/templates/alloy_config/_metrics_service_otlp.alloy.txt
@@ -54,11 +54,28 @@ otelcol.processor.memory_limiter "metrics_service" {
 {{- end }}
   }
 }
-{{ if eq .authMode "basic" }}
+{{- if eq .authMode "basic" }}
+
 otelcol.auth.basic "metrics_service" {
   username = nonsensitive(remote.kubernetes.secret.metrics_service.data[{{ .basicAuth.usernameKey | quote }}])
   password = remote.kubernetes.secret.metrics_service.data[{{ .basicAuth.passwordKey | quote }}]
 }
+{{- else if eq .authMode "bearerToken" }}
+  {{- if .bearerToken.tokenFile }}
+
+local.file "metrics_service_bearer_token" {
+  filename = .bearerToken.tokenFile
+  is_secret = true
+}
+otelcol.auth.bearer "metrics_service" {
+  token = local.file.metrics_service.content
+}
+  {{- else }}
+
+otelcol.auth.bearer "metrics_service" {
+  token = remote.kubernetes.secret.metrics_service.data[{{ .bearerToken.tokenKey | quote }}]
+}
+  {{- end }}
 {{- end }}
 {{ if eq .protocol "otlp" }}
 otelcol.exporter.otlp "metrics_service" {
@@ -68,8 +85,10 @@ otelcol.exporter.otlphttp "metrics_service" {
 {{- end }}
   client {
     endpoint = nonsensitive(remote.kubernetes.secret.metrics_service.data[{{ .hostKey | quote }}]) + "{{ .writeEndpoint }}"
-{{ if or (.basicAuth.username) (.basicAuth.password) }}
+{{- if eq .authMode "basic" }}
     auth = otelcol.auth.basic.metrics_service.handler
+{{- else if eq .authMode "bearerToken" }}
+    auth = otelcol.auth.bearer.metrics_service.handler
 {{- end }}
     headers = {
       "X-Scope-OrgID" = nonsensitive(remote.kubernetes.secret.metrics_service.data[{{ .tenantIdKey | quote }}]),

diff --git a/charts/k8s-monitoring-v1/templates/log-service-credentials.yaml b/charts/k8s-monitoring-v1/templates/log-service-credentials.yaml
@@ -18,6 +18,9 @@ data:
 {{- if .tenantId }}
   {{ .tenantIdKey }}: {{ .tenantId | toString | b64enc | quote }}
 {{- end }}
+{{- if .bearerToken.token }}
+  {{ .bearerToken.tokenKey }}: {{ .bearerToken.token | toString | b64enc | quote }}
+{{- end }}
 {{- if .oauth2.clientId }}
   {{ .oauth2.clientIdKey }}: {{ .oauth2.clientId | toString | b64enc | quote }}
 {{- end }}

diff --git a/charts/k8s-monitoring-v1/values.schema.json b/charts/k8s-monitoring-v1/values.schema.json
@@ -312,6 +312,20 @@
                                 }
                             }
                         },
+                        "bearerToken": {
+                            "type": "object",
+                            "properties": {
+                                "token": {
+                                    "type": "string"
+                                },
+                                "tokenFile": {
+                                    "type": "string"
+                                },
+                                "tokenKey": {
+                                    "type": "string"
+                                }
+                            }
+                        },
                         "externalLabels": {
                             "type": "object"
                         },

diff --git a/charts/k8s-monitoring-v1/values.yaml b/charts/k8s-monitoring-v1/values.yaml
@@ -377,6 +377,18 @@ externalServices:
       # @section -- External Services (Loki)
       tokenURL: ""
 
+    # Authenticate to Loki using bearerToken or bearerTokenFile
+    bearerToken:
+      # -- Configure the Loki Bearer Token
+      # @section -- External Services (Loki)
+      token: ""
+      # -- Configure the Key for Loki Bearer Token secret
+      # @section -- External Services (Loki)
+      tokenKey: "bearerToken"
+      # -- Configure the Loki Bearer Token file
+      # @section -- External Services (Loki)
+      tokenFile: ""
+
     # Credential management
     secret:
       # -- Should this Helm chart create the secret. If false, you must define the name and namespace values.