Configure authentication on the ingestion paths

At Kloudfuse, you can secure your ingestion paths by adding authentication. Follow these steps to configure it:

Configuration required on Okta and deployment side:

  1. Configure Okta - Follow steps 1 to 3 of the Okta instructions in "OAuth Provider Configuration | OAuth2 Proxy".

Note: Under “General”, also set the “Allowed grant types” to Client Credentials.

Note the Client ID, Client Secret, Audience, and Issuer URI while setting up Okta.

  2. Configure your deployment custom-values.yaml file

    kfuse-auth:
      ingestOauthEnabled: true
      oauth2-proxy:
        extraArgs:
          extraJwtIssuers: "Issuer URI=Audience"

Replace Issuer URI and Audience with the actual values obtained from your Okta configuration. The format should follow this structure, for example:

    extraJwtIssuers: "https://{okta-domain}.okta.com/oauth2/default=api://your-audience-id"
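To check that a token obtained through the Client Credentials grant carries the `iss` and `aud` claims this setting expects, the following added example (not Kloudfuse or oauth2-proxy code) parses an `extraJwtIssuers` value and compares it with a token's claims. It assumes comma-separated pairs split at the first `=`; the `example.okta.com` domain and the sample tokens are constructed, and the script only decodes claims, it does not verify signatures.

```python
import base64
import json


def parse_extra_jwt_issuers(value):
    """Split an extraJwtIssuers string into (issuer, audience) pairs."""
    pairs = []
    for item in value.split(","):
        # Assumption: the issuer is everything before the first '='.
        issuer, sep, audience = item.strip().partition("=")
        if not sep or not issuer or not audience:
            raise ValueError(f"expected 'issuer=audience', got {item!r}")
        pairs.append((issuer, audience))
    return pairs


def decode_claims(token):
    """Return the JWT payload as a dict WITHOUT verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(token, extra_jwt_issuers):
    """List why the token matches no configured pair (empty list = match)."""
    claims = decode_claims(token)
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    problems = []
    for issuer, audience in parse_extra_jwt_issuers(extra_jwt_issuers):
        if claims.get("iss") != issuer:
            problems.append(f"iss {claims.get('iss')!r} != {issuer!r}")
        elif audience not in audiences:
            problems.append(f"aud {aud!r} does not include {audience!r}")
        else:
            return []
    return problems


def _sample_token(claims):
    # Constructed, unsigned token for the demo; not a real Okta token.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


ISSUER = "https://example.okta.com/oauth2/default"  # constructed placeholder
CONFIG = ISSUER + "=api://your-audience-id"
GOOD = _sample_token({"iss": ISSUER, "aud": "api://your-audience-id"})
BAD = _sample_token({"iss": ISSUER, "aud": "api://default"})
```

`check_token(GOOD, CONFIG)` returns an empty list, while `check_token(BAD, CONFIG)` reports the audience mismatch.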

Configuration required on the otel collector side in the values.yaml file

Follow the steps below to configure the OpenTelemetry Collector to send data securely using OAuth2 authentication. Update the values.yaml file with the appropriate configuration as described.

  1. Configure Exporters - Add the following under the opentelemetry-collector.config.exporters section. This defines the endpoints where the OpenTelemetry Collector sends metrics and traces.

    opentelemetry-collector:
      config:
        exporters:
          otlphttp/{deployment-namespace}:
            metrics_endpoint: https://<kloudfuse-url>/ingester/otlp/metrics
            traces_endpoint: https://<kloudfuse-url>/ingester/otlp/traces
            logs_endpoint: https://<kloudfuse-url>/ingester/otlp/v1/logs
            auth:
              authenticator: oauth2client

  • Replace <kloudfuse-url> with the actual URL of Kloudfuse.

  • Replace {deployment-namespace} with the namespace where you are installing the kfuse stack.

  2. Add Required Extensions - Include the oauth2client under the service.extensions section.

  3. Configure Extensions - Set up the detailed configurations for the extensions. Add the following under the extensions section:

  • Replace <your-client-id> and <your-client-secret> with the values obtained from the previous step.

  • Update <your-okta-url> with your Okta domain or OAuth2 provider.

  4. Set Up Pipelines - Specify how metrics, traces, and logs are processed and exported. Add the following under the opentelemetry-collector.config.service.pipelines section: