At Kloudfuse, you can secure your ingestion paths by adding authentication. Follow these steps to configure it:
Configuration required on Okta and deployment side:
Configure Okta - https://oauth2-proxy.github.io/oauth2-proxy/7.3.x/configuration/oauth_provider/#okta Configure Okta by following the instructions on the provided link from steps 1 to 3.
Note: Under “General”, also set the “Allowed grant types” to Client Credentials
.
Note the the Client ID
, Client Secret
, Audience
, and Issuer URI
while setting up Okta.
Configure your deployment custom-values.yaml file
kfuse-auth: ingestOauthEnabled: true oauth2-proxy: extraArgs: extraJwtIssuers: "Issuer URI=Audience"
Replace Issuer URI and Audience with the actual values obtained from your Okta configuration. The format should follow this structure, for example:
extraJwtIssuers: "https://{okta-domain}.okta.com/oauth2/default=api://default"
Configuration required on the otel collector side in the values.yaml file
Follow the steps below to configure the OpenTelemetry Collector to send data securely using OAuth2 authentication. Update the values.yaml file with the appropriate configuration as described.
Configure Exporters - Add the following under the
opentelemetry-collector.config.exporters
section. This defines the endpoints where the OpenTelemetry Collector sends metrics and traces.
opentelemetry-collector: config: exporters: otlphttp/{deployment-namespace}: metrics_endpoint: https://<your-metrics-endpoint>/ingester/otlp/metrics traces_endpoint: https://<your-traces-endpoint>/ingester/otlp/traces auth: authenticator: oauth2client
Replace
<your-metrics-endpoint>
and<your-traces-endpoint>
with the actual URLs of kloudfuse.
Add Required Extensions - Include the
oauth2client
under theservice.extensions
section.
service: extensions: - oauth2client
Configure Extensions - Set up the detailed configurations for the extensions. Add the following under the
extensions
section:
extensions: oauth2client: client_id: xxxxx client_secret: xxxxx token_url: https://{okta-url}.okta.com/oauth2/default/v1/token endpoint_params: response_type: code prompt: none access_type: offline grant_type: client_credentials scopes: ["api.metrics"]
Replace
<your-client-id>
and<your-client-secret>
obtained from the previous step.Update
<your-okta-url>
with your Okta domain or OAuth2 provider.
Setup Pipelines - Specify how metrics, traces, and logs are processed and exported. Add the following under the
opentelemetry-collector.config.service.pipelines
section:
opentelemetry-collector: config: service: pipelines: metrics: exporters: - otlphttp/{deployment-namespace} traces: exporters: - otlphttp/{deployment-namespace}