In most cases, ingestion into the Kloudfuse data plane from telemetry agents and collectors is already encrypted in transit, because it uses HTTPS (TLS), which provides transport-layer encryption. More on the TLS handshake between the clients and the server can be found online. This document explains how to add authentication to ingestion, in addition to the confidentiality that HTTPS provides.

Kloudfuse supports many telemetry agents; in Step 2, follow only the subsection for the agent you are using. To enable authentication for ingestion, follow these steps.

Step 1. Generate AUTH_TOKEN

Generate an auth token (referred to as AUTH_TOKEN) and store this value in a safe location. You will need to use this later in more than one place.

    AUTH_TOKEN=`cat /dev/urandom | env LC_ALL=C tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1`

Base64-encode the AUTH_TOKEN (the result is referred to as AUTH_TOKEN_ENCODED):

    AUTH_TOKEN_ENCODED=`printf '%s' "$AUTH_TOKEN" | base64`

Step 2. Configure Telemetry agents/sources

Prometheus Remote Write

Update the Prometheus remote write configuration as shown below:

    prometheus.yml:
      remote_write:
      - url: https://<customer>.kloudfuse.io/ingester/write
        authorization:
          credentials: <AUTH_TOKEN>

Fluent Bit

In the HTTP output plugin section of the Fluent Bit configuration file, add or update the following Header field, replacing <AUTH_TOKEN> with the token generated in Step 1:

    [OUTPUT]
        Name http
        Match <match_pattern>
        Host <kfuse_ingress_ip>
        Port 443
        TLS on
        URI /ingester/v1/fluent_bit
        Header Kf-Api-Key <AUTH_TOKEN>

DD/Kfuse agent

In the dd-agent configuration file, add or update the apiKey field so that it holds the AUTH_TOKEN, as shown below:

    datadog:
      apiKey: <AUTH_TOKEN>
      ...

CloudWatch metrics & Logs (Kinesis)

If you already have a Kinesis Firehose data stream set up, update the Kinesis configuration to add or update the "access token", using the AUTH_TOKEN value generated in Step 1. Otherwise, set up a stream and use the AUTH_TOKEN value in the "access token" field.

Step 3. Configure kfuse

Create a Kubernetes secret named kfuse-auth-ingest, using the base64-encoded value of the AUTH_TOKEN (AUTH_TOKEN_ENCODED):

    apiVersion: v1
    kind: Secret
    metadata:
      name: kfuse-auth-ingest
    type: Opaque
    data:
      authToken: <AUTH_TOKEN_ENCODED>

Update the custom-values.yaml file to include the following in the ingester config section:

    ingester:
      config:
        authConfig:
          enabled: true
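
The token handling from Step 1 and the Secret from Step 3 can be scripted together with a check that the encoded value decodes back to exactly the token, since a stray trailing newline in the encoded value makes the stored secret differ from what the agents send. This is an added example, not Kloudfuse's own tooling; the function names are illustrative and `base64 -d` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: generate the ingest token, base64-encode it, and verify the
# encoded value before it goes into the kfuse-auth-ingest Secret.
# Function names are illustrative; `base64 -d` is the GNU coreutils decode flag.

# 32 random alphanumeric characters, same alphabet and length as Step 1.
gen_token() {
    LC_ALL=C tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 32
}

# printf '%s' emits exactly the token bytes; a plain `echo` would append "\n",
# and that newline would become part of the stored secret.
encode_token() {
    printf '%s' "$1" | base64
}

# Succeeds only if the encoded value decodes to exactly the token bytes.
# The byte count is checked first because $(...) strips trailing newlines.
check_encoded() {
    token=$1 enc=$2
    n=$(printf '%s' "$enc" | base64 -d | wc -c)
    if [ "$((n))" -ne "${#token}" ]; then
        echo "decoded length $((n)) != ${#token}: stray newline?" >&2
        return 1
    fi
    [ "$(printf '%s' "$enc" | base64 -d)" = "$token" ]
}

# Print the Secret manifest from Step 3 with the encoded token filled in.
render_secret() {
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: kfuse-auth-ingest
type: Opaque
data:
  authToken: $1
EOF
}

AUTH_TOKEN=$(gen_token)
AUTH_TOKEN_ENCODED=$(encode_token "$AUTH_TOKEN")
check_encoded "$AUTH_TOKEN" "$AUTH_TOKEN_ENCODED" && render_secret "$AUTH_TOKEN_ENCODED"
```

The manifest is printed to stdout and contains the live encoded token, so redirect it to a file with restrictive permissions rather than leaving it in terminal scrollback.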