Ingestion Authentication with OAuth2 Credential Token

To enable authentication for ingestion using OAuth2 credentials, perform these steps:

You cannot directly add labels that are based on the auth key when using an OAuth2 credential token.

To attach labels, configure them on the agent.

Configure Okta and Deployment Site

  1. Configure Okta by following Steps 1 through 3 of the Okta section in the OAuth2 Proxy documentation.

    In Step 3, under General, set the Allowed grant types to Authorization Code, Refresh Token, and also Client Credentials.

    While setting up Okta, note the Client ID, Client Secret, Audience, and Issuer URI values.

  2. Configure your deployment custom-values.yaml file.

    kfuse-auth:
      ingestOauthEnabled: true
      oauth2-proxy:
        extraArgs:
          extra-jwt-issuers: "Issuer URI=Audience" # (1)

    (1) Issuer URI=Audience: Replace both Issuer URI and Audience with values from your Okta configuration; for example, `extra-jwt-issuers: "https://{okta-domain}.okta.com/oauth2/default=api://your-audience-id"`

Configure OpenTelemetry Collector

Follow these steps to configure the OpenTelemetry Collector, and enable it to send data securely using OAuth2 authentication. Then update the custom-values.yaml file using these configuration details.

  1. Configure Exporters.

    Add the following code to the opentelemetry-collector.config.exporters section.

    It defines the endpoints where the OpenTelemetry Collector sends metrics and traces.

    opentelemetry-collector:
      config:
        exporters:
          otlphttp/{deployment-namespace}: # (1)
            metrics_endpoint: https://<kloudfuse-url>/ingester/oauth2/otlp/metrics # (2)
            traces_endpoint: https://<kloudfuse-url>/ingester/oauth2/otlp/traces
            logs_endpoint: https://<kloudfuse-url>/ingester/oauth2/otlp/v1/logs
            auth:
              authenticator: oauth2client

    (1) {deployment-namespace}: The namespace where the Kloudfuse stack is installed.
    (2) <kloudfuse-url>: Change the placeholder to the URL of your Kloudfuse instance.
  2. Add the required extensions.

    Include the oauth2client extension in the service.extensions section.

    service:
      extensions:
      - oauth2client
  3. Configure extensions.

    Set up the detailed configurations for the extensions. Add the `oauth2client` configuration to the `extensions` section.

    extensions:
      oauth2client:
        client_id: <client-id> # (1)
        client_secret: <client-secret> # (2)
        token_url: https://{okta-url}.okta.com/oauth2/default/v1/token # (3)
        endpoint_params:
          response_type: code
          prompt: none
          access_type: offline
          grant_type: client_credentials
        scopes: ["api.metrics"]

    (1) client-id: Change the placeholder to your client id.
    (2) client-secret: Change the placeholder to your client secret.
    (3) okta-url: Change the placeholder to your Okta URL.
  4. Set up Pipelines.

    Specify how to process and export metrics, traces, and logs.

    Add the following information to the opentelemetry-collector.config.service.pipelines section.

    opentelemetry-collector:
      config:
        service:
          pipelines:
            metrics:
              exporters:
              - otlphttp/{deployment-namespace}
            traces:
              exporters:
              - otlphttp/{deployment-namespace}
            logs:
              exporters:
              - otlphttp/{deployment-namespace}