Ingestion Authentication with OAuth2 Credential Token

To enable authentication for ingestion using OAuth2 credentials, perform these steps:

Step 1 Configure Okta and Deployment Site

  1. Configure Okta by following Steps 1 through 3 of the OAuth2 Proxy documentation for Okta.

    In Step 3, under General, set the Allowed grant types to Authorization Code, Refresh Token, and also Client Credentials.

    While setting up Okta, note the Client ID, Client Secret, Audience, and Issuer URI values.

  2. Configure your deployment custom-values.yaml file.

    kfuse-auth:
      ingestOauthEnabled: true
      oauth2-proxy:
        extraArgs:
          extra-jwt-issuers: "Issuer URI=Audience" # (1)
    1 Issuer URI=Audience: Replace both Issuer URI and Audience with values from your Okta configuration; for example, extra-jwt-issuers: "https://{okta-domain}.okta.com/oauth2/default=api://your-audience-id"

Step 2 Configure OpenTelemetry Collector

Follow these steps to configure the OpenTelemetry Collector, and enable it to send data securely using OAuth2 authentication. Then update the custom-values.yaml file using these configuration details.

  1. Configure Exporters.

    Add the following code to the opentelemetry-collector.config.exporters section.

    It defines the endpoints where the OpenTelemetry Collector sends metrics, traces, and logs.

    opentelemetry-collector:
      config:
        exporters:
          otlphttp/{deployment-namespace}: # (1)
            metrics_endpoint: https://<kloudfuse-url>/ingester/oauth2/otlp/metrics # (2)
            traces_endpoint: https://<kloudfuse-url>/ingester/oauth2/otlp/traces
            logs_endpoint: https://<kloudfuse-url>/ingester/oauth2/otlp/v1/logs
            auth:
              authenticator: oauth2client
    1 {deployment-namespace}: The namespace where the Kloudfuse stack is installed.
    2 <kloudfuse-url>: Change the placeholder to the URL of your Kloudfuse instance.
  2. Add the required extensions.

    Include the oauth2client in the service.extensions section.

    service:
      extensions:
      - oauth2client
  3. Configure extensions.

    Set up the detailed configurations for the extensions. Add the oauth2client configuration to the extensions section.

    extensions:
      oauth2client:
        client_id: <client-id> # (1)
        client_secret: <client-secret> # (2)
        token_url: https://{okta-url}.okta.com/oauth2/default/v1/token # (3)
        endpoint_params:
          response_type: code
          prompt: none
          access_type: offline
          grant_type: client_credentials
        scopes: ["api.metrics"]
    1 client-id: Change the placeholder to your client ID.
    2 client-secret: Change the placeholder to your client secret.
    3 okta-url: Change the placeholder to your Okta URL.
  4. Set up Pipelines.

    Specify how to process and export metrics, traces, and logs.

    Add the following information to the opentelemetry-collector.config.service.pipelines section.

    opentelemetry-collector:
      config:
        service:
          pipelines:
            metrics:
              exporters:
              - otlphttp/{deployment-namespace}
            traces:
              exporters:
              - otlphttp/{deployment-namespace}
            logs:
              exporters:
              - otlphttp/{deployment-namespace}
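
After both steps are complete, a useful check is whether a token issued for the collector's client credentials carries the iss and aud claims that the extra-jwt-issuers value from Step 1 expects. The following is an added example, not part of the original page or of Kloudfuse's or oauth2-proxy's code; the function names are hypothetical, and it assumes comma-separated issuer=audience pairs split at the first "=" and compared as exact strings.

```python
import base64
import json
import time


def parse_extra_jwt_issuers(value):
    """Split an extra-jwt-issuers value into (issuer, audience) pairs."""
    pairs = []
    for item in value.split(","):
        # Assumption: each item is issuer=audience, split at the first "=".
        issuer, sep, audience = item.strip().partition("=")
        if not (sep and issuer and audience):
            raise ValueError(f"not an issuer=audience pair: {item!r}")
        pairs.append((issuer, audience))
    return pairs


def jwt_claims(token):
    """Decode a compact JWT payload WITHOUT verifying the signature (debug only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))


def check_token(token, extra_jwt_issuers, now=None):
    """List the ways a token's iss/aud/exp disagree with the configured pairs."""
    claims = jwt_claims(token)
    aud = claims.get("aud", [])
    audiences = [aud] if isinstance(aud, str) else list(aud)
    expected = [a for i, a in parse_extra_jwt_issuers(extra_jwt_issuers)
                if i == claims.get("iss")]  # exact match: a trailing "/" counts
    problems = []
    if not expected:
        problems.append(f"iss {claims.get('iss')!r} is not a configured issuer")
    elif not any(a in audiences for a in expected):
        problems.append(f"aud {audiences} does not include any of {expected}")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        problems.append("token is expired or has no exp claim")
    return problems


def sample_token(iss, aud, exp=2_000_000_000):
    """Build a constructed, unsigned token with placeholder values for offline use."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([seg({"alg": "RS256"}), seg({"iss": iss, "aud": aud, "exp": exp}), "sig"])
```

Pass check_token an access token obtained with the client ID and secret from Step 1 and the exact string set in extra-jwt-issuers; an empty list means the issuer, audience, and expiry line up.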