Merge pull request #1224 from raynay-r/add-bearer-token-auth-for-loki
Add bearer token auth for loki
benjaminhuo authored Jul 8, 2024
2 parents 8e9bae2 + f11d4c1 commit f39b24f
Showing 18 changed files with 375 additions and 3 deletions.
15 changes: 15 additions & 0 deletions apis/fluentbit/v1alpha2/plugins/output/loki_types.go
Expand Up @@ -19,11 +19,16 @@ type Loki struct {
// +kubebuilder:validation:Minimum:=1
// +kubebuilder:validation:Maximum:=65535
Port *int32 `json:"port,omitempty"`
// Specify a custom HTTP URI. It must start with forward slash.
Uri string `json:"uri,omitempty"`
// Set HTTP basic authentication user name.
HTTPUser *plugins.Secret `json:"httpUser,omitempty"`
// Password for user defined in HTTP_User
// Set HTTP basic authentication password
HTTPPasswd *plugins.Secret `json:"httpPassword,omitempty"`
// Set bearer token authentication token value.
// Can be used as alterntative to HTTP basic authentication
BearerToken *plugins.Secret `json:"bearerToken,omitempty"`
// Tenant ID used by default to push logs to Loki.
// If omitted or empty it assumes Loki is running in single-tenant mode and no X-Scope-OrgID header is sent.
TenantID *plugins.Secret `json:"tenantID,omitempty"`
Expand Down Expand Up @@ -70,6 +75,9 @@ func (l *Loki) Params(sl plugins.SecretLoader) (*params.KVs, error) {
if l.Port != nil {
kvs.Insert("port", fmt.Sprint(*l.Port))
}
if l.Uri != "" {
kvs.Insert("uri", l.Uri)
}
if l.HTTPUser != nil {
u, err := sl.LoadSecret(*l.HTTPUser)
if err != nil {
Expand All @@ -84,6 +92,13 @@ func (l *Loki) Params(sl plugins.SecretLoader) (*params.KVs, error) {
}
kvs.Insert("http_passwd", pwd)
}
if l.BearerToken != nil {
bearerToken, err := sl.LoadSecret(*l.BearerToken)
if err != nil {
return nil, err
}
kvs.Insert("bearer_token", bearerToken)
}
if l.TenantID != nil {
id, err := sl.LoadSecret(*l.TenantID)
if err != nil {
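Review bot: The new `Uri` field documents that the value must start with a forward slash, but nothing in the struct or in `Params` enforces it, so `kvs.Insert("uri", l.Uri)` passes whatever the resource contains into the generated Fluent Bit parameters. The struct already carries kubebuilder markers on `Port`, so a marker such as `// +kubebuilder:validation:Pattern:="^/.*$"` above `Uri` would let the API server reject values that break the documented rule; a stricter character class would also keep whitespace out of the rendered configuration. Separately, `Params` emits `bearer_token` even when `http_user`/`http_passwd` are also set; if the two are meant as alternatives, as the field comment says, it would help to return an error when both are configured or to document which one takes effect. Both the `Loki` struct and `Params` start and end outside the visible hunks.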


3 changes: 3 additions & 0 deletions apis/fluentd/v1alpha1/plugins/output/loki.go
Expand Up @@ -13,6 +13,9 @@ type Loki struct {
// Password for user defined in HTTP_User
// Set HTTP basic authentication password
HTTPPasswd *plugins.Secret `json:"httpPassword,omitempty"`
// Set path to file with bearer authentication token
// Can be used as alterntative to HTTP basic authentication
BearerTokenFile *string `json:"bearerTokenFile,omitempty"`
// Tenant ID used by default to push logs to Loki.
// If omitted or empty it assumes Loki is running in single-tenant mode and no X-Scope-OrgID header is sent.
TenantID *plugins.Secret `json:"tenantID,omitempty"`
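Review bot: The doc comment on `BearerTokenFile` does not say where the path is resolved, nor that this field is a plain `*string` while `HTTPPasswd` and `TenantID` next to it are `plugins.Secret` references. Judging by the name and by how the value is used elsewhere in this commit, it is a path inside the Fluentd container, so the token file presumably has to be mounted there by the user; I would state that, e.g. `// Path, inside the Fluentd container, of a file holding the bearer token. The file must be mounted separately.` The comment also misspells `alternative` as `alterntative`; the same typo is in the fluentbit `loki_types.go` comment and is carried into the generated CRD and docs files, so fixing it at the source and regenerating would clean all of them. The `Loki` struct starts and ends outside the hunk.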
3 changes: 3 additions & 0 deletions apis/fluentd/v1alpha1/plugins/output/types.go
Expand Up @@ -714,6 +714,9 @@ func (o *Output) lokiPlugin(parent *params.PluginStore, loader plugins.SecretLoa
}
parent.InsertPairs("password", passwd)
}
if o.Loki.BearerTokenFile != nil {
parent.InsertPairs("bearer_token_file", fmt.Sprint(*o.Loki.BearerTokenFile))
}
if o.Loki.TenantID != nil {
id, err := loader.LoadSecret(*o.Loki.TenantID)
if err != nil {
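Review bot: `fmt.Sprint(*o.Loki.BearerTokenFile)` in the new branch of `lokiPlugin` formats a value that is already a string; `parent.InsertPairs("bearer_token_file", *o.Loki.BearerTokenFile)` says the same thing without the detour. The branch also accepts an empty string and writes `bearer_token_file` even when the `password` pair just above has been emitted, so a guard such as `if f := o.Loki.BearerTokenFile; f != nil && *f != "" {` and an explicit decision on which mechanism wins would make the rendered output predictable. `lokiPlugin` starts and ends outside the hunk.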
Expand Up @@ -1979,6 +1979,37 @@ spec:
- "on"
- "off"
type: string
bearerToken:
description: |-
Set bearer token authentication token value.
Can be used as alterntative to HTTP basic authentication
properties:
valueFrom:
description: ValueSource defines how to find a value's key.
properties:
secretKeyRef:
description: Selects a key of a secret in the pod's namespace
properties:
key:
description: The key of the secret to select from. Must
be a valid secret key.
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
optional:
description: Specify whether the Secret or its key
must be defined
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
type: object
type: object
dropSingleKey:
description: If set to true and after extracting labels only a
single key remains, the log line sent to Loki will be the value
Expand Down Expand Up @@ -2249,6 +2280,10 @@ spec:
description: Hostname to be used for TLS SNI extension
type: string
type: object
uri:
description: Specify a custom HTTP URI. It must start with forward
slash.
type: string
required:
- host
type: object
Expand Up @@ -1979,6 +1979,37 @@ spec:
- "on"
- "off"
type: string
bearerToken:
description: |-
Set bearer token authentication token value.
Can be used as alterntative to HTTP basic authentication
properties:
valueFrom:
description: ValueSource defines how to find a value's key.
properties:
secretKeyRef:
description: Selects a key of a secret in the pod's namespace
properties:
key:
description: The key of the secret to select from. Must
be a valid secret key.
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
optional:
description: Specify whether the Secret or its key
must be defined
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
type: object
type: object
dropSingleKey:
description: If set to true and after extracting labels only a
single key remains, the log line sent to Loki will be the value
Expand Down Expand Up @@ -2249,6 +2280,10 @@ spec:
description: Hostname to be used for TLS SNI extension
type: string
type: object
uri:
description: Specify a custom HTTP URI. It must start with forward
slash.
type: string
required:
- host
type: object
Expand Up @@ -1914,6 +1914,11 @@ spec:
loki:
description: out_loki plugin
properties:
bearerTokenFile:
description: |-
Set path to file with bearer authentication token
Can be used as alterntative to HTTP basic authentication
type: string
dropSingleKey:
description: If a record only has 1 key, then just set the
log line to the value and discard the key.
Expand Up @@ -1914,6 +1914,11 @@ spec:
loki:
description: out_loki plugin
properties:
bearerTokenFile:
description: |-
Set path to file with bearer authentication token
Can be used as alterntative to HTTP basic authentication
type: string
dropSingleKey:
description: If a record only has 1 key, then just set the
log line to the value and discard the key.
18 changes: 16 additions & 2 deletions charts/fluent-operator/templates/fluentbit-output-loki.yaml
Expand Up @@ -5,14 +5,15 @@

{{ with .Values.fluentbit.output.loki -}}
{{/*
When http{User,Password} or tenantID is a string, make a secret for them
When http{User,Password}, bearerToken, or tenantID is a string, make a secret for them
When these keys are objects, they specify a secret to use generated elsewhere, assumed to exist in the k8s cluster
*/}}
{{ $userSecret := "loki-http-auth" -}}
{{ $passSecret := "loki-http-pass" -}}
{{ $bearerTokenSecret := "loki-bearer-token" -}}
{{ $tenantIDSecret := "loki-tenant-id" -}}

{{ range $k, $v := dict $userSecret .httpUser $passSecret .httpPassword $tenantIDSecret .tenantID -}}
{{ range $k, $v := dict $userSecret .httpUser $passSecret .httpPassword $tenantIDSecret .tenantID $bearerTokenSecret .bearerToken -}}
{{ if kindIs "string" $v -}}
---
apiVersion: v1
Expand Down Expand Up @@ -81,6 +82,19 @@ spec:
{{- end }}
{{- end }}

{{- if .bearerToken }}
bearerToken:
{{- if kindIs "string" .bearerToken }}
valueFrom:
secretKeyRef:
key: 'value'
name: {{ $bearerTokenSecret }}
optional: false
{{- else }}
{{ .bearerToken | toYaml | indent 6 }}
{{- end }}
{{- end }}

{{- if .tenantID }}
tenantID:
{{- if kindIs "string" .tenantID }}
11 changes: 10 additions & 1 deletion charts/fluent-operator/values.yaml
Expand Up @@ -278,7 +278,7 @@ fluentbit:
# See https://docs.fluentbit.io/manual/pipeline/outputs/loki
loki:
# Switch for generation of fluentbit loki ClusterOutput (and loki basic auth http user and pass secrets if required)
enable: false # Bool
enable: false # Bool
host: 127.0.0.1 # String
port: 3100 # Int
# Either, give http{User,Password},tenantID string values specifying them directly
Expand All @@ -305,6 +305,15 @@ fluentbit:
# name: tenantsecret
# optional: true
#
# To use bearer token auth instead of http basic auth
#bearerToken: ey....
# or with existing secret
#bearerToken:
# valueFrom:
# secretKeyRef:
# key: value
# name: bearerTokenSecret
# optional: true
#labels: [] # String list of <name>=<value>
#labelKeys: [] # String list of <key>
#removeKeys: [] # String list of <key>
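Review bot: The commented example offers a literal `#bearerToken: ey....` first and the secret reference second, with no hint about the trade-off between them. A literal token supplied through values is kept with the Helm release data and travels with whatever stores the values file, so I would add a line such as `# Prefer the secretKeyRef form below; a literal token here is stored with the release values.` above it. The reference example also uses `optional: true`, while the chart template generates `optional: false` for the secret it creates itself; for a credential, `optional: false` in the example would make a missing secret fail loudly rather than, possibly, leave the output without authentication. The surrounding `loki:` block continues outside the hunks.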
35 changes: 35 additions & 0 deletions config/crd/bases/fluentbit.fluent.io_clusteroutputs.yaml
Expand Up @@ -1979,6 +1979,37 @@ spec:
- "on"
- "off"
type: string
bearerToken:
description: |-
Set bearer token authentication token value.
Can be used as alterntative to HTTP basic authentication
properties:
valueFrom:
description: ValueSource defines how to find a value's key.
properties:
secretKeyRef:
description: Selects a key of a secret in the pod's namespace
properties:
key:
description: The key of the secret to select from. Must
be a valid secret key.
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
optional:
description: Specify whether the Secret or its key
must be defined
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
type: object
type: object
dropSingleKey:
description: If set to true and after extracting labels only a
single key remains, the log line sent to Loki will be the value
Expand Down Expand Up @@ -2249,6 +2280,10 @@ spec:
description: Hostname to be used for TLS SNI extension
type: string
type: object
uri:
description: Specify a custom HTTP URI. It must start with forward
slash.
type: string
required:
- host
type: object
35 changes: 35 additions & 0 deletions config/crd/bases/fluentbit.fluent.io_outputs.yaml
Expand Up @@ -1979,6 +1979,37 @@ spec:
- "on"
- "off"
type: string
bearerToken:
description: |-
Set bearer token authentication token value.
Can be used as alterntative to HTTP basic authentication
properties:
valueFrom:
description: ValueSource defines how to find a value's key.
properties:
secretKeyRef:
description: Selects a key of a secret in the pod's namespace
properties:
key:
description: The key of the secret to select from. Must
be a valid secret key.
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
optional:
description: Specify whether the Secret or its key
must be defined
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
type: object
type: object
dropSingleKey:
description: If set to true and after extracting labels only a
single key remains, the log line sent to Loki will be the value
Expand Down Expand Up @@ -2249,6 +2280,10 @@ spec:
description: Hostname to be used for TLS SNI extension
type: string
type: object
uri:
description: Specify a custom HTTP URI. It must start with forward
slash.
type: string
required:
- host
type: object
5 changes: 5 additions & 0 deletions config/crd/bases/fluentd.fluent.io_clusteroutputs.yaml
Expand Up @@ -1914,6 +1914,11 @@ spec:
loki:
description: out_loki plugin
properties:
bearerTokenFile:
description: |-
Set path to file with bearer authentication token
Can be used as alterntative to HTTP basic authentication
type: string
dropSingleKey:
description: If a record only has 1 key, then just set the
log line to the value and discard the key.
5 changes: 5 additions & 0 deletions config/crd/bases/fluentd.fluent.io_outputs.yaml
Expand Up @@ -1914,6 +1914,11 @@ spec:
loki:
description: out_loki plugin
properties:
bearerTokenFile:
description: |-
Set path to file with bearer authentication token
Can be used as alterntative to HTTP basic authentication
type: string
dropSingleKey:
description: If a record only has 1 key, then just set the
log line to the value and discard the key.
2 changes: 2 additions & 0 deletions docs/plugins/fluentbit/output/loki.md
Expand Up @@ -7,8 +7,10 @@ The loki output plugin, allows to ingest your records into a Loki service. <br /
| ----- | ----------- | ------ |
| host | Loki hostname or IP address. | string |
| port | Loki TCP port | *int32 |
| uri | Specify a custom HTTP URI. It must start with forward slash. | string |
| httpUser | Set HTTP basic authentication user name. | *[plugins.Secret](../secret.md) |
| httpPassword | Password for user defined in HTTP_User Set HTTP basic authentication password | *[plugins.Secret](../secret.md) |
| bearerToken | Set bearer token authentication token value. Can be used as alterntative to HTTP basic authentication | *[plugins.Secret](../secret.md) |
| tenantID | Tenant ID used by default to push logs to Loki. If omitted or empty it assumes Loki is running in single-tenant mode and no X-Scope-OrgID header is sent. | *[plugins.Secret](../secret.md) |
| labels | Stream labels for API request. It can be multiple comma separated of strings specifying key=value pairs. In addition to fixed parameters, it also allows to add custom record keys (similar to label_keys property). | []string |
| labelKeys | Optional list of record keys that will be placed as stream labels. This configuration property is for records key only. | []string |
1 change: 1 addition & 0 deletions docs/plugins/fluentd/output/loki.md
Expand Up @@ -8,6 +8,7 @@ The loki output plugin, allows to ingest your records into a Loki service.
| url | Loki URL. | *string |
| httpUser | Set HTTP basic authentication user name. | *[plugins.Secret](../secret.md) |
| httpPassword | Password for user defined in HTTP_User Set HTTP basic authentication password | *[plugins.Secret](../secret.md) |
| bearerTokenFile | Set path to file with bearer authentication token Can be used as alterntative to HTTP basic authentication | *string |
| tenantID | Tenant ID used by default to push logs to Loki. If omitted or empty it assumes Loki is running in single-tenant mode and no X-Scope-OrgID header is sent. | *[plugins.Secret](../secret.md) |
| labels | Stream labels for API request. It can be multiple comma separated of strings specifying key=value pairs. In addition to fixed parameters, it also allows to add custom record keys (similar to label_keys property). | []string |
| labelKeys | Optional list of record keys that will be placed as stream labels. This configuration property is for records key only. | []string |