Ingestion Authentication with OAuth2 Credential Token

To enable authentication for ingestion using AOauth2 credentials, perform these steps:

You cannot directly add labels that are based on the auth key when using an oauth2 credential token.

To attach labels, you must configure this on the agent.

Step 1 Configure Okta and Deployment Site

  1. Configure Okta by consulting OAuth2 Proxy documentation Okta, Steps 1 through 3.

    In Step 3, under General, set the Allowed grant types to Authorization Code , Refresh Token, and also Client Credentials.

    While setting up Okta, note the Client ID, Client Secret, Audience, and Issuer URI values.

  2. Configure your deployment custom-values.yaml file.

    kfuse-auth:
  ingestOauthEnabled: true
  oauth2-proxy:
    extraArgs:
      extra-jwt-issuers: "Issuer URI=Audience" (1)
    yaml
    1 Issuer URI=Audience: Replace both Issuer URI and Audience`with values from your Okta configuration; for example `extra-jwt-issuers: "https://{okta-domain}.okta.com/oauth2/default=api://your-audience-id"

Step 2 Configure OpenTelemetry Collector

Follow these steps to configure the OpenTelemetry Collector, and enable it to send data securely using OAuth2 authentication. Then update the custom-values.yaml file using these configuration details.

  1. Configure Exporters.

    Add the following code to the opentelemetry-collector.config.exporters section.

    It defines the endpoints where the OpenTelemetry Collector sends metrics and traces.

    opentelemetry-collector:
  config:
    exporters:
      otlphttp/{deployment-namespace}: (1)
        metrics_endpoint: https://<kloudfuse-url>/ingester/oauth2/otlp/metrics (2)
        traces_endpoint: https://<kloudfuse-url>/ingester/oauth2/otlp/traces
        logs_endpoint : https://<kloudfuse-url>/ingester/oauth2/otlp/v1/logs
        auth:
          authenticator: oauth2client
    yaml
    1 {deployment-namespace}: The namespace where the Kloudfuse stack is installed.
    2 <kloudfuse-url>: Change the placeholder to the URL of your Kloudfuse instance.

  2. Add the required extensions.

    Include the oauth2client in the service.extensions section.

    service:
  extensions:
  - oauth2client
    yaml

  3. Configure extensions.

    Set up the detailed configurations for the extensions. Add the `oauth2client` configuration to the `extensions` section.
    extensions:
  oauth2client:
    client_id: <client-id> (1)
    client_secret: <client-secret> (2)
    token_url: https://{okta-url}.okta.com/oauth2/default/v1/token (3)
    endpoint_params:
      response_type: code
      prompt: none
      access_type: offline
      grant_type: client_credentials
    scopes: ["api.metrics"]
    yaml
    1 client-id: Change the placeholder to your client id.
    2 client-secret: Change the placeholder to your client secret.
    3 okta-url: Change the placeholder to your Okta URL.

  4. Set up Pipelines.

    Specify how to process and export metrics, traces, and logs.

    Add the following information to the opentelemetry-collector.config.service.pipelines section.

    opentelemetry-collector:
  config:
    service:
      pipelines:
        metrics:
          exporters:
          - otlphttp/{deployment-namespace}
        traces:
          exporters:
          - otlphttp/{deployment-namespace}
        logs:
          exporters:
          - otlphttp/{deployment-namespace}
    yaml