kyma-project · TeodorSAP · Nov 18, 2025 · Nov 18, 2025 · Nov 19, 2025 · Nov 20, 2025
@@ -11,13 +11,14 @@ ENV_GARDENER_MIN_NODES=1
 ENV_GARDENER_MAX_NODES=2
 
 ## Dependencies
-ENV_ISTIO_VERSION=1.23.2
+ENV_ISTIO_VERSION=1.23.1
 ENV_GORELEASER_VERSION=v1.23.0
 
 ## Default Docker Images
 ENV_FLUENTBIT_EXPORTER_IMAGE="europe-docker.pkg.dev/kyma-project/prod/directory-size-exporter:v20250910-86122076"
 ENV_FLUENTBIT_IMAGE="europe-docker.pkg.dev/kyma-project/prod/external/fluent/fluent-bit:4.2.0"
 ENV_OTEL_COLLECTOR_IMAGE="europe-docker.pkg.dev/kyma-project/prod/kyma-otel-collector:0.141.0-main"
+ENV_OTEL_COLLECTOR_CONTRIB_IMAGE="otel/opentelemetry-collector-contrib:0.141.0"
 ENV_SELFMONITOR_IMAGE="europe-docker.pkg.dev/kyma-project/prod/tpi/telemetry-self-monitor:3.7.3-f4e3fab"
 ENV_TEST_TELEMETRYGEN_IMAGE="ghcr.io/open-telemetry/opentelemetry-collector-contrib/telemetrygen:v0.141.0"
 ENV_ALPINE_IMAGE="europe-docker.pkg.dev/kyma-project/prod/external/library/alpine:3.22.2"
@@ -41,6 +41,7 @@ const (
 
 // OTLPOutput OTLP output configuration
 // +kubebuilder:validation:XValidation:rule="(has(self.path) && size(self.path) > 0) ? self.protocol == 'http' : true",message="Path is only available with HTTP protocol"
+// +kubebuilder:validation:XValidation:rule="(has(self.authentication) && has(self.authentication.oauth2) && self.protocol == 'grpc' && has(self.tls)) ? !(has(self.tls.insecure) && self.tls.insecure == true) : true",message="OAuth2 authentication requires TLS when using gRPC protocol"
 type OTLPOutput struct {
 	// Protocol defines the OTLP protocol (`http` or `grpc`). Default is `grpc`.
 	// +kubebuilder:validation:Optional
@@ -63,10 +64,15 @@ type OTLPOutput struct {
 	TLS *OTLPTLS `json:"tls,omitempty"`
 }
 
+// AuthenticationOptions OTLP output authentication options
+// +kubebuilder:validation:XValidation:rule="!(has(self.basic) && has(self.oauth2))",message="Only one authentication method can be specified"
 type AuthenticationOptions struct {
 	// Basic activates `Basic` authentication for the destination providing relevant Secrets.
 	// +kubebuilder:validation:Optional
 	Basic *BasicAuthOptions `json:"basic,omitempty"`
+	// OAuth2 activates `OAuth2` authentication for the destination providing relevant Secrets.
+	// +kubebuilder:validation:Optional
+	OAuth2 *OAuth2Options `json:"oauth2,omitempty"`
 }
 
 type BasicAuthOptions struct {
@@ -78,6 +84,26 @@ type BasicAuthOptions struct {
 	Password ValueType `json:"password"`
 }
 
+// OAuth2Options contains OAuth2 authentication options.
+type OAuth2Options struct {
+	// TokenURL contains the OAuth2 token endpoint URL or a Secret reference.
+	// +kubebuilder:validation:XValidation:rule="(self.value != '' ) || (has(self.valueFrom))", message="tokenURL' missing"
+	// +kubebuilder:validation:XValidation:rule="(self.value != '' ) ? (isURL(self.value)) : true", message="'tokenURL' must be a valid URL"
+	TokenURL ValueType `json:"tokenURL"`
+	// ClientID contains the OAuth2 client ID or a Secret reference.
+	// +kubebuilder:validation:XValidation:rule="(self.value != '' ) || (has(self.valueFrom))", message="'clientID' missing"
+	ClientID ValueType `json:"clientID"`
+	// ClientSecret contains the OAuth2 client secret or a Secret reference.
+	// +kubebuilder:validation:XValidation:rule="(self.value != '' ) || (has(self.valueFrom))", message="clientSecret' missing"
+	ClientSecret ValueType `json:"clientSecret"`
+	// Scopes contains optional OAuth2 scopes.
+	// +kubebuilder:validation:Optional
+	Scopes []string `json:"scopes,omitempty"`
+	// Params contains optional additional OAuth2 parameters that are sent to the token endpoint.
+	// +kubebuilder:validation:Optional
+	Params map[string]string `json:"params,omitempty"`
+}
+
 type Header struct {
 	// Defines the header value.
 	ValueType `json:",inline"`

@@ -173,7 +173,8 @@ func convertAuthenticationToBeta(a *AuthenticationOptions) *telemetryv1beta1.Aut
 	}
 
 	return &telemetryv1beta1.AuthenticationOptions{
-		Basic: convertBasicAuthToBeta(a.Basic),
+		Basic:  convertBasicAuthToBeta(a.Basic),
+		OAuth2: convertOAuth2ToBeta(a.OAuth2),
 	}
 }
 
@@ -183,7 +184,8 @@ func convertAuthenticationToAlpha(a *telemetryv1beta1.AuthenticationOptions) *Au
 	}
 
 	return &AuthenticationOptions{
-		Basic: convertBasicAuthToAlpha(a.Basic),
+		Basic:  convertBasicAuthToAlpha(a.Basic),
+		OAuth2: convertOAuth2ToAlpha(a.OAuth2),
 	}
 }
 
@@ -209,6 +211,34 @@ func convertBasicAuthToAlpha(b *telemetryv1beta1.BasicAuthOptions) *BasicAuthOpt
 	}
 }
 
+func convertOAuth2ToBeta(o *OAuth2Options) *telemetryv1beta1.OAuth2Options {
+	if o == nil {
+		return nil
+	}
+
+	return &telemetryv1beta1.OAuth2Options{
+		TokenURL:     convertValueTypeToBeta(o.TokenURL),
+		ClientID:     convertValueTypeToBeta(o.ClientID),
+		ClientSecret: convertValueTypeToBeta(o.ClientSecret),
+		Scopes:       append([]string{}, o.Scopes...),
+		Params:       make(map[string]string),
+	}
+}
+
+func convertOAuth2ToAlpha(o *telemetryv1beta1.OAuth2Options) *OAuth2Options {
+	if o == nil {
+		return nil
+	}
+
+	return &OAuth2Options{
+		TokenURL:     convertValueTypeToAlpha(o.TokenURL),
+		ClientID:     convertValueTypeToAlpha(o.ClientID),
+		ClientSecret: convertValueTypeToAlpha(o.ClientSecret),
+		Scopes:       append([]string{}, o.Scopes...),
+		Params:       make(map[string]string),
+	}
+}
+
 func convertHeadersToBeta(hs []Header) []telemetryv1beta1.Header {
 	var out []telemetryv1beta1.Header
 	for _, h := range hs {

@@ -43,6 +43,7 @@ const (
 
 // OTLPOutput OTLP output configuration
 // +kubebuilder:validation:XValidation:rule="(has(self.path) && size(self.path) > 0) ? self.protocol == 'http' : true",message="Path is only available with HTTP protocol"
+// +kubebuilder:validation:XValidation:rule="(has(self.authentication) && has(self.authentication.oauth2) && self.protocol == 'grpc' && has(self.tls)) ? !(has(self.tls.insecure) && self.tls.insecure == true) : true",message="OAuth2 authentication requires TLS when using gRPC protocol"
 type OTLPOutput struct {
 	// Protocol defines the OTLP protocol (`http` or `grpc`). Default is `grpc`.
 	// +kubebuilder:validation:Optional
@@ -65,10 +66,15 @@ type OTLPOutput struct {
 	TLS *OutputTLS `json:"tls,omitempty"`
 }
 
+// AuthenticationOptions OTLP output authentication options
+// +kubebuilder:validation:XValidation:rule="!(has(self.basic) && has(self.oauth2))",message="Only one authentication method can be specified"
 type AuthenticationOptions struct {
 	// Basic activates `Basic` authentication for the destination providing relevant Secrets.
 	// +kubebuilder:validation:Optional
 	Basic *BasicAuthOptions `json:"basic,omitempty"`
+	// OAuth2 activates `OAuth2` authentication for the destination providing relevant Secrets.
+	// +kubebuilder:validation:Optional
+	OAuth2 *OAuth2Options `json:"oauth2,omitempty"`
 }
 
 type BasicAuthOptions struct {
@@ -80,6 +86,24 @@ type BasicAuthOptions struct {
 	Password ValueType `json:"password"`
 }
 
+type OAuth2Options struct {
+	// TokenURL contains the OAuth2 token endpoint URL or a Secret reference.
+	// +kubebuilder:validation:Required
+	TokenURL ValueType `json:"tokenURL"`
+	// ClientID contains the OAuth2 client ID or a Secret reference.
+	// +kubebuilder:validation:Required
+	ClientID ValueType `json:"clientID"`
+	// ClientSecret contains the OAuth2 client secret or a Secret reference.
+	// +kubebuilder:validation:Required
+	ClientSecret ValueType `json:"clientSecret"`
+	// Scopes contains optional OAuth2 scopes.
+	// +kubebuilder:validation:Optional
+	Scopes []string `json:"scopes,omitempty"`
+	// Params contains optional additional OAuth2 parameters that are sent to the token endpoint.
+	// +kubebuilder:validation:Optional
+	Params map[string]string `json:"params,omitempty"`
+}
+
 type Header struct {
 	// Defines the header value.
 	ValueType `json:",inline"`

@@ -18,8 +18,9 @@ var templates = map[string]string{
 package testkit
 
 const (
-	DefaultTelemetryGenImage  = "{{ .ENV_TEST_TELEMETRYGEN_IMAGE }}"
-	DefaultOTelCollectorImage = "{{ .ENV_OTEL_COLLECTOR_IMAGE }}"
+	DefaultTelemetryGenImage         = "{{ .ENV_TEST_TELEMETRYGEN_IMAGE }}"
+	DefaultOTelCollectorContribImage = "{{ .ENV_OTEL_COLLECTOR_CONTRIB_IMAGE }}"
+	DefaultOTelCollectorImage        = "{{ .ENV_OTEL_COLLECTOR_IMAGE }}"
 )
 `,
 }

@@ -40,7 +40,7 @@ Ensure the port in your endpoint URL is correct for the chosen protocol.
 
 ## Set Up Authentication
 
-For each pipeline, add authentication details (like user names, passwords, certificates, or tokens) to connect securely to your observability backend. You can use mutual TLS (mTLS), custom headers, or Basic Authentication.
+For each pipeline, add authentication details (like user names, passwords, certificates, or tokens) to connect securely to your observability backend. You can use mutual TLS (mTLS), custom headers, OAuth2, or Basic Authentication.
 
 While you can choose to add your authentication details from plain text, it’s recommended to store these sensitive details in a Kubernetes `Secret` and reference the Secret's keys in your pipeline configuration. When you rotate the `Secret` and update its values, Telemetry Manager detects the changes and applies the new `Secret` to your setup.
 
@@ -88,6 +88,40 @@ While you can choose to add your authentication details from plain text, it’s
                 key: token
   ```
 
+- To use OAuth2 for authentication, configure the `authentication.oauth2` section.
+
+  ```yaml
+    ...
+    output:
+      otlp:
+        endpoint:
+          valueFrom:
+            secretKeyRef:
+                name: backend
+                namespace: default
+                key: endpoint
+        authentication:
+          oauth2:
+            clientId:
+              valueFrom:
+                secretKeyRef:
+                  name: backend
+                  namespace: default
+                  key: clientId
+            clientSecret:
+              valueFrom:
+                secretKeyRef:
+                  name: backend
+                  namespace: default
+                  key: clientSecret
+            tokenUrl:
+              valueFrom:
+                secretKeyRef:
+                  name: backend
+                  namespace: default
+                  key: tokenUrl
+  ```
+
 - To use a username and password for authentication, configure the `authentication.basic` section.
 
   ```yaml

@@ -198,6 +198,30 @@ For details, see the [LogPipeline specification file](https://github.com/kyma-pr
 | **output.&#x200b;otlp.&#x200b;authentication.&#x200b;basic.&#x200b;user.&#x200b;valueFrom.&#x200b;secretKeyRef.&#x200b;key** (required) | string | Key defines the name of the attribute of the Secret holding the referenced value. |
 | **output.&#x200b;otlp.&#x200b;authentication.&#x200b;basic.&#x200b;user.&#x200b;valueFrom.&#x200b;secretKeyRef.&#x200b;name** (required) | string | Name of the Secret containing the referenced value. |
 | **output.&#x200b;otlp.&#x200b;authentication.&#x200b;basic.&#x200b;user.&#x200b;valueFrom.&#x200b;secretKeyRef.&#x200b;namespace** (required) | string | Namespace containing the Secret with the referenced value. |
+| **output.&#x200b;otlp.&#x200b;authentication.&#x200b;oauth2**  | object | OAuth2 activates `OAuth2` authentication for the destination providing relevant Secrets. |
+| **output.&#x200b;otlp.&#x200b;authentication.&#x200b;oauth2.&#x200b;clientID** (required) | object | ClientID contains the OAuth2 client ID or a Secret reference. |
+| **output.&#x200b;otlp.&#x200b;authentication.&#x200b;oauth2.&#x200b;clientID.&#x200b;value**  | string | Value as plain text. |
+| **output.&#x200b;otlp.&#x200b;authentication.&#x200b;oauth2.&#x200b;clientID.&#x200b;valueFrom**  | object | ValueFrom is the value as a reference to a resource. |
+| **output.&#x200b;otlp.&#x200b;authentication.&#x200b;oauth2.&#x200b;clientID.&#x200b;valueFrom.&#x200b;secretKeyRef** (required) | object | SecretKeyRef refers to the value of a specific key in a Secret. You must provide `name` and `namespace` of the Secret, as well as the name of the `key`. |
+| **output.&#x200b;otlp.&#x200b;authentication.&#x200b;oauth2.&#x200b;clientID.&#x200b;valueFrom.&#x200b;secretKeyRef.&#x200b;key** (required) | string | Key defines the name of the attribute of the Secret holding the referenced value. |
+| **output.&#x200b;otlp.&#x200b;authentication.&#x200b;oauth2.&#x200b;clientID.&#x200b;valueFrom.&#x200b;secretKeyRef.&#x200b;name** (required) | string | Name of the Secret containing the referenced value. |
+| **output.&#x200b;otlp.&#x200b;authentication.&#x200b;oauth2.&#x200b;clientID.&#x200b;valueFrom.&#x200b;secretKeyRef.&#x200b;namespace** (required) | string | Namespace containing the Secret with the referenced value. |
+| **output.&#x200b;otlp.&#x200b;authentication.&#x200b;oauth2.&#x200b;clientSecret** (required) | object | ClientSecret contains the OAuth2 client secret or a Secret reference. |
+| **output.&#x200b;otlp.&#x200b;authentication.&#x200b;oauth2.&#x200b;clientSecret.&#x200b;value**  | string | Value as plain text. |
+| **output.&#x200b;otlp.&#x200b;authentication.&#x200b;oauth2.&#x200b;clientSecret.&#x200b;valueFrom**  | object | ValueFrom is the value as a reference to a resource. |
+| **output.&#x200b;otlp.&#x200b;authentication.&#x200b;oauth2.&#x200b;clientSecret.&#x200b;valueFrom.&#x200b;secretKeyRef** (required) | object | SecretKeyRef refers to the value of a specific key in a Secret. You must provide `name` and `namespace` of the Secret, as well as the name of the `key`. |
+| **output.&#x200b;otlp.&#x200b;authentication.&#x200b;oauth2.&#x200b;clientSecret.&#x200b;valueFrom.&#x200b;secretKeyRef.&#x200b;key** (required) | string | Key defines the name of the attribute of the Secret holding the referenced value. |
+| **output.&#x200b;otlp.&#x200b;authentication.&#x200b;oauth2.&#x200b;clientSecret.&#x200b;valueFrom.&#x200b;secretKeyRef.&#x200b;name** (required) | string | Name of the Secret containing the referenced value. |
+| **output.&#x200b;otlp.&#x200b;authentication.&#x200b;oauth2.&#x200b;clientSecret.&#x200b;valueFrom.&#x200b;secretKeyRef.&#x200b;namespace** (required) | string | Namespace containing the Secret with the referenced value. |
+| **output.&#x200b;otlp.&#x200b;authentication.&#x200b;oauth2.&#x200b;params**  | map\[string\]string | Params contains optional additional OAuth2 parameters that are sent to the token endpoint. |
+| **output.&#x200b;otlp.&#x200b;authentication.&#x200b;oauth2.&#x200b;scopes**  | \[\]string | Scopes contains optional OAuth2 scopes. |
+| **output.&#x200b;otlp.&#x200b;authentication.&#x200b;oauth2.&#x200b;tokenURL** (required) | object | TokenURL contains the OAuth2 token endpoint URL or a Secret reference. |
+| **output.&#x200b;otlp.&#x200b;authentication.&#x200b;oauth2.&#x200b;tokenURL.&#x200b;value**  | string | Value as plain text. |
+| **output.&#x200b;otlp.&#x200b;authentication.&#x200b;oauth2.&#x200b;tokenURL.&#x200b;valueFrom**  | object | ValueFrom is the value as a reference to a resource. |
+| **output.&#x200b;otlp.&#x200b;authentication.&#x200b;oauth2.&#x200b;tokenURL.&#x200b;valueFrom.&#x200b;secretKeyRef** (required) | object | SecretKeyRef refers to the value of a specific key in a Secret. You must provide `name` and `namespace` of the Secret, as well as the name of the `key`. |
+| **output.&#x200b;otlp.&#x200b;authentication.&#x200b;oauth2.&#x200b;tokenURL.&#x200b;valueFrom.&#x200b;secretKeyRef.&#x200b;key** (required) | string | Key defines the name of the attribute of the Secret holding the referenced value. |
+| **output.&#x200b;otlp.&#x200b;authentication.&#x200b;oauth2.&#x200b;tokenURL.&#x200b;valueFrom.&#x200b;secretKeyRef.&#x200b;name** (required) | string | Name of the Secret containing the referenced value. |
+| **output.&#x200b;otlp.&#x200b;authentication.&#x200b;oauth2.&#x200b;tokenURL.&#x200b;valueFrom.&#x200b;secretKeyRef.&#x200b;namespace** (required) | string | Namespace containing the Secret with the referenced value. |
 | **output.&#x200b;otlp.&#x200b;endpoint** (required) | object | Endpoint defines the host and port (`<host>:<port>`) of an OTLP endpoint. |
 | **output.&#x200b;otlp.&#x200b;endpoint.&#x200b;value**  | string | Value as plain text. |
 | **output.&#x200b;otlp.&#x200b;endpoint.&#x200b;valueFrom**  | object | ValueFrom is the value as a reference to a resource. |