Merged
51 commits
f015a07
Add OAuth2 API definition
TeodorSAP Nov 18, 2025
920c585
Add API-level validation for authentication method types
TeodorSAP Nov 18, 2025
3cc86a0
Change API validation message
TeodorSAP Nov 19, 2025
652c155
Initial otelcollector config implementation
TeodorSAP Nov 20, 2025
bfbfa62
Fix Basic Auth check
TeodorSAP Nov 21, 2025
8f8ab14
Fix nil pointer panics
TeodorSAP Nov 21, 2025
3162718
Add UTs
TeodorSAP Nov 21, 2025
0d05342
Fix linting, manifests, CRDs, etc.
TeodorSAP Nov 21, 2025
35a6d7d
Add OAuth2 extension to the other config builders
TeodorSAP Nov 21, 2025
b81f54b
Add UTs for the actual configuration, with golden files
TeodorSAP Nov 21, 2025
216f22d
Merge branch 'main' into feat/oauth2
k15r Nov 25, 2025
3a6221f
Add OAuth2 documentation
TeodorSAP Nov 27, 2025
0544737
e2e oauth2 works
k15r Nov 27, 2025
cbdbf5e
properly label MTLS tests
k15r Nov 27, 2025
ce397e7
remove unnecessary file
k15r Nov 28, 2025
1969475
remove more files
k15r Nov 28, 2025
df3fea2
lint-fix
k15r Nov 28, 2025
0f974c2
oops
k15r Nov 28, 2025
afd6b85
wait for oauth2 mock
k15r Nov 28, 2025
8091f0d
use the correct url magically fixes the test ... :)
k15r Nov 28, 2025
e48ecb7
Implement CRD validation
TeodorSAP Nov 28, 2025
0350736
Generate resources based on validation rules
TeodorSAP Nov 28, 2025
39ee47a
Add e2e test cases for CRD validation rejection
TeodorSAP Nov 28, 2025
8374a2a
Fix CRD validation
TeodorSAP Nov 28, 2025
b9f55ee
Fix small spelling mistake
TeodorSAP Nov 28, 2025
747efe8
Merge branch 'main' into feat/oauth2
k15r Nov 28, 2025
906b8af
fix tests?
k15r Nov 28, 2025
53b246a
reorder tests to not run tests from different packages at the same time
k15r Nov 30, 2025
c0dbb31
Merge branch 'main' into feat/oauth2
k15r Nov 30, 2025
b836332
fix generate images formatting
k15r Dec 1, 2025
86e0f00
remove debug logs
k15r Dec 5, 2025
702afd2
change validation rules
k15r Dec 5, 2025
d4740e8
more validation for oauth
k15r Dec 5, 2025
5ee85f9
Merge remote-tracking branch 'upstream/main' into feat/oauth2
k15r Dec 5, 2025
dfce266
lint-fix
k15r Dec 8, 2025
c77bc2c
docs: Add disclaimer for OAuth2 with gRPC
TeodorSAP Dec 16, 2025
51f8f39
Add ENV_OTEL_COLLECTOR_CONTRIB_IMAGE comment and switch to latest
TeodorSAP Dec 16, 2025
df0e9ed
Merge branch 'main' into feat/oauth2
TeodorSAP Dec 17, 2025
96da8e1
Implement validation for GRPC without proper TLS configuration scenar…
TeodorSAP Dec 17, 2025
579686f
Update golden files
TeodorSAP Dec 17, 2025
df55c58
Remove tls=nil validation and adapt E2E tests to use HTTPS
TeodorSAP Dec 18, 2025
5cdb380
Merge branch 'main' into feat/oauth2
TeodorSAP Dec 18, 2025
5b8cb15
use HTTPS endpoints in all tests using TLS
TeodorSAP Dec 18, 2025
e9486cd
Adapt Busola configuration to OAuth2 implementation
TeodorSAP Dec 18, 2025
df99230
Merge branch 'main' into feat/oauth2
TeodorSAP Jan 7, 2026
a118b6c
make generate
TeodorSAP Jan 7, 2026
5ffc0ff
Invalidate HTTP scheme with TLS for HTTP output protocol as well
TeodorSAP Jan 7, 2026
40a8a14
Merge branch 'main' into feat/oauth2
TeodorSAP Jan 7, 2026
7678fa5
Merge branch 'main' into feat/oauth2
TeodorSAP Jan 8, 2026
612b490
Merge branch 'main' into feat/oauth2
TeodorSAP Jan 8, 2026
7ffc9fa
Fix newly added e2e test mismatch
TeodorSAP Jan 8, 2026
2 changes: 2 additions & 0 deletions .env
Expand Up @@ -18,6 +18,8 @@ ENV_GORELEASER_VERSION=v1.23.0
ENV_FLUENTBIT_EXPORTER_IMAGE="europe-docker.pkg.dev/kyma-project/prod/directory-size-exporter:v20251210-3d7f23ad"
ENV_FLUENTBIT_IMAGE="europe-docker.pkg.dev/kyma-project/prod/external/fluent/fluent-bit:4.2.2"
ENV_OTEL_COLLECTOR_IMAGE="europe-docker.pkg.dev/kyma-project/prod/kyma-otel-collector:0.141.0-main"
# ENV_OTEL_COLLECTOR_CONTRIB_IMAGE is used for OAuth2 E2E tests only, since they require the OIDC extension, which is not needed in production code.
ENV_OTEL_COLLECTOR_CONTRIB_IMAGE="otel/opentelemetry-collector-contrib:latest"
ENV_SELFMONITOR_IMAGE="europe-docker.pkg.dev/kyma-project/prod/tpi/telemetry-self-monitor:3.8.0-3d7f23a"
ENV_TEST_TELEMETRYGEN_IMAGE="ghcr.io/open-telemetry/opentelemetry-collector-contrib/telemetrygen:v0.141.0"
ENV_ALPINE_IMAGE="europe-docker.pkg.dev/kyma-project/prod/external/library/alpine:3.23.2"
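Review bot: `ENV_OTEL_COLLECTOR_CONTRIB_IMAGE` is the only image in this block with a floating tag (`otel/opentelemetry-collector-contrib:latest`); every neighbouring entry is pinned to a digest-like version tag. A floating tag makes the OAuth2 E2E runs non-reproducible and means a red run can be caused by an upstream collector release rather than by a change in this repository, and it pulls unreviewed content on every CI run. Pin it like the other entries, preferably to the same release line as `ENV_OTEL_COLLECTOR_IMAGE` (0.141.0) so the contrib image under test tracks the production collector, and let the regular image-bump process move it.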
26 changes: 26 additions & 0 deletions apis/telemetry/v1alpha1/shared_types.go
Expand Up @@ -41,6 +41,7 @@ const (

// OTLPOutput OTLP output configuration
// +kubebuilder:validation:XValidation:rule="(has(self.path) && size(self.path) > 0) ? self.protocol == 'http' : true",message="Path is only available with HTTP protocol"
// +kubebuilder:validation:XValidation:rule="(has(self.authentication) && has(self.authentication.oauth2) && self.protocol == 'grpc' && has(self.tls)) ? !(has(self.tls.insecure) && self.tls.insecure == true) : true",message="OAuth2 authentication requires TLS when using gRPC protocol"
type OTLPOutput struct {
// Protocol defines the OTLP protocol (`http` or `grpc`). Default is `grpc`.
// +kubebuilder:validation:Optional
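Review bot: the new XValidation rule on `OTLPOutput` enforces less than its message claims. It only evaluates when `has(self.tls)` is true and then rejects just `self.tls.insecure == true`, so an OAuth2 output over gRPC with no `tls` block at all passes, while the message reads "OAuth2 authentication requires TLS when using gRPC protocol". If omitting `tls` is meant to imply TLS-by-default (the "Remove tls=nil validation" commit suggests it is), state that in the `TLS` field doc and reword the message to what is actually checked, e.g. "tls.insecure must not be true when OAuth2 is used with gRPC"; otherwise drop `has(self.tls)` from the condition and require `has(self.tls)` in the consequent. The identical rule in `apis/telemetry/v1beta1/shared_types.go` needs the same treatment.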
Expand All @@ -63,10 +64,15 @@ type OTLPOutput struct {
TLS *OTLPTLS `json:"tls,omitempty"`
}

// AuthenticationOptions OTLP output authentication options
// +kubebuilder:validation:XValidation:rule="!(has(self.basic) && has(self.oauth2))",message="Only one authentication method can be specified"
type AuthenticationOptions struct {
// Basic activates `Basic` authentication for the destination providing relevant Secrets.
// +kubebuilder:validation:Optional
Basic *BasicAuthOptions `json:"basic,omitempty"`
// OAuth2 activates `OAuth2` authentication for the destination providing relevant Secrets.
// +kubebuilder:validation:Optional
OAuth2 *OAuth2Options `json:"oauth2,omitempty"`
}

type BasicAuthOptions struct {
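Review bot: the doc comment on the new `OAuth2` field ("OAuth2 activates `OAuth2` authentication for the destination providing relevant Secrets.") copies the awkward phrasing of the `Basic` comment above it, and these comments become the CRD field descriptions users see in `kubectl explain`. Suggest "OAuth2 activates OAuth2 authentication for the destination using the given credentials or Secret references. Cannot be combined with `basic`." so the mutual exclusivity enforced by the new XValidation rule is visible before a manifest is rejected.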
Expand All @@ -78,6 +84,26 @@ type BasicAuthOptions struct {
Password ValueType `json:"password"`
}

// OAuth2Options contains OAuth2 authentication options.
type OAuth2Options struct {
// TokenURL contains the OAuth2 token endpoint URL or a Secret reference.
// +kubebuilder:validation:XValidation:rule="(self.value != '' ) || (has(self.valueFrom))", message="tokenURL' missing"
// +kubebuilder:validation:XValidation:rule="(self.value != '' ) ? (isURL(self.value)) : true", message="'tokenURL' must be a valid URL"
TokenURL ValueType `json:"tokenURL"`
// ClientID contains the OAuth2 client ID or a Secret reference.
// +kubebuilder:validation:XValidation:rule="(self.value != '' ) || (has(self.valueFrom))", message="'clientID' missing"
ClientID ValueType `json:"clientID"`
// ClientSecret contains the OAuth2 client secret or a Secret reference.
// +kubebuilder:validation:XValidation:rule="(self.value != '' ) || (has(self.valueFrom))", message="clientSecret' missing"
ClientSecret ValueType `json:"clientSecret"`
// Scopes contains optional OAuth2 scopes.
// +kubebuilder:validation:Optional
Scopes []string `json:"scopes,omitempty"`
// Params contains optional additional OAuth2 parameters that are sent to the token endpoint.
// +kubebuilder:validation:Optional
Params map[string]string `json:"params,omitempty"`
}

type Header struct {
// Defines the header value.
ValueType `json:",inline"`
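Review bot: the XValidation messages on `TokenURL` and `ClientSecret` are missing the opening quote (`"tokenURL' missing"`, `"clientSecret' missing"`) while `ClientID` has `"'clientID' missing"`; make them consistent. More importantly, the rules read `self.value` without a `has()` guard: if `ValueType.Value` is serialized with `omitempty`, as the `valueFrom` pattern suggests, a field given as `tokenURL: {}` makes `self.value` a no-such-key error, and because `error || has(self.valueFrom)` is `error` when `valueFrom` is absent, the user gets a CEL evaluation error instead of the intended "'tokenURL' missing" message. Use `(has(self.value) && self.value != '') || has(self.valueFrom)` in all three rules. Finally, `isURL(self.value)` accepts `http://` token endpoints; since the client secret is posted to that URL, consider adding `url(self.value).getScheme() == 'https'` to the `TokenURL` rule, or at least documenting in the field comment that a plain `value` for `clientSecret` is stored in the pipeline object and that a Secret reference is the recommended form.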
52 changes: 52 additions & 0 deletions apis/telemetry/v1alpha1/zz_generated.conversion.go
35 changes: 35 additions & 0 deletions apis/telemetry/v1alpha1/zz_generated.deepcopy.go
24 changes: 24 additions & 0 deletions apis/telemetry/v1beta1/shared_types.go
Expand Up @@ -43,6 +43,7 @@ const (

// OTLPOutput OTLP output configuration
// +kubebuilder:validation:XValidation:rule="(has(self.path) && size(self.path) > 0) ? self.protocol == 'http' : true",message="Path is only available with HTTP protocol"
// +kubebuilder:validation:XValidation:rule="(has(self.authentication) && has(self.authentication.oauth2) && self.protocol == 'grpc' && has(self.tls)) ? !(has(self.tls.insecure) && self.tls.insecure == true) : true",message="OAuth2 authentication requires TLS when using gRPC protocol"
type OTLPOutput struct {
// Protocol defines the OTLP protocol (`http` or `grpc`). Default is `grpc`.
// +kubebuilder:validation:Optional
Expand All @@ -65,10 +66,15 @@ type OTLPOutput struct {
TLS *OutputTLS `json:"tls,omitempty"`
}

// AuthenticationOptions OTLP output authentication options
// +kubebuilder:validation:XValidation:rule="!(has(self.basic) && has(self.oauth2))",message="Only one authentication method can be specified"
type AuthenticationOptions struct {
// Basic activates `Basic` authentication for the destination providing relevant Secrets.
// +kubebuilder:validation:Optional
Basic *BasicAuthOptions `json:"basic,omitempty"`
// OAuth2 activates `OAuth2` authentication for the destination providing relevant Secrets.
// +kubebuilder:validation:Optional
OAuth2 *OAuth2Options `json:"oauth2,omitempty"`
}

type BasicAuthOptions struct {
Expand All @@ -80,6 +86,24 @@ type BasicAuthOptions struct {
Password ValueType `json:"password"`
}

type OAuth2Options struct {
// TokenURL contains the OAuth2 token endpoint URL or a Secret reference.
// +kubebuilder:validation:Required
TokenURL ValueType `json:"tokenURL"`
// ClientID contains the OAuth2 client ID or a Secret reference.
// +kubebuilder:validation:Required
ClientID ValueType `json:"clientID"`
// ClientSecret contains the OAuth2 client secret or a Secret reference.
// +kubebuilder:validation:Required
ClientSecret ValueType `json:"clientSecret"`
// Scopes contains optional OAuth2 scopes.
// +kubebuilder:validation:Optional
Scopes []string `json:"scopes,omitempty"`
// Params contains optional additional OAuth2 parameters that are sent to the token endpoint.
// +kubebuilder:validation:Optional
Params map[string]string `json:"params,omitempty"`
}

type Header struct {
// Defines the header value.
ValueType `json:",inline"`
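Review bot: `OAuth2Options` in v1beta1 is validated differently from the v1alpha1 copy. Here `TokenURL`, `ClientID` and `ClientSecret` carry `+kubebuilder:validation:Required`, whereas v1alpha1 uses XValidation rules that check `value != ''` or `has(valueFrom)` and `isURL(value)`. `Required` on a struct-typed field only asserts the object is present, so `tokenURL: {}` or a non-URL token endpoint is accepted through v1beta1 but rejected through v1alpha1, and the type is also missing the `OAuth2Options contains ...` doc comment the v1alpha1 version has. Since both versions convert into the same internal object (this PR touches `zz_generated.conversion.go`), apply the same rules in both files, or move the checks into the controller/webhook validation so the outcome does not depend on which API version a client talks to.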
35 changes: 35 additions & 0 deletions apis/telemetry/v1beta1/zz_generated.deepcopy.go
5 changes: 3 additions & 2 deletions dependencies/populateimages/main.go
Expand Up @@ -18,8 +18,9 @@ var templates = map[string]string{
package testkit

const (
DefaultTelemetryGenImage = "{{ .ENV_TEST_TELEMETRYGEN_IMAGE }}"
DefaultOTelCollectorImage = "{{ .ENV_OTEL_COLLECTOR_IMAGE }}"
DefaultTelemetryGenImage = "{{ .ENV_TEST_TELEMETRYGEN_IMAGE }}"
DefaultOTelCollectorContribImage = "{{ .ENV_OTEL_COLLECTOR_CONTRIB_IMAGE }}"
DefaultOTelCollectorImage = "{{ .ENV_OTEL_COLLECTOR_IMAGE }}"
)
`,
}
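Review bot: the template now references `.ENV_OTEL_COLLECTOR_CONTRIB_IMAGE`, so `populateimages` depends on that key being present in `.env`. With the `text/template` default `missingkey` behaviour a missing key renders as the literal `<no value>`, and the generated `DefaultOTelCollectorContribImage` constant would silently become an unpullable image reference that only surfaces when the OAuth2 E2E tests run. If the template is not already executed with `Option("missingkey=error")` (not visible in this hunk), add it so a stale `.env` fails generation instead of producing a broken constant.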
39 changes: 38 additions & 1 deletion docs/user/integrate-otlp-backend/README.md
Expand Up @@ -40,7 +40,7 @@ Ensure the port in your endpoint URL is correct for the chosen protocol.

## Set Up Authentication

For each pipeline, add authentication details (like user names, passwords, certificates, or tokens) to connect securely to your observability backend. You can use mutual TLS (mTLS), custom headers, or Basic Authentication.
For each pipeline, add authentication details (like user names, passwords, certificates, or tokens) to connect securely to your observability backend. You can use mutual TLS (mTLS), custom headers, OAuth2, or Basic Authentication.

While you can choose to add your authentication details from plain text, it’s recommended to store these sensitive details in a Kubernetes `Secret` and reference the Secret's keys in your pipeline configuration. When you rotate the `Secret` and update its values, Telemetry Manager detects the changes and applies the new `Secret` to your setup.

Expand Down Expand Up @@ -88,6 +88,43 @@ While you can choose to add your authentication details from plain text, it’s
key: token
```

- To use OAuth2 for authentication, configure the `authentication.oauth2` section.

```yaml
...
output:
otlp:
endpoint:
valueFrom:
secretKeyRef:
name: backend
namespace: default
key: endpoint
authentication:
oauth2:
clientId:
valueFrom:
secretKeyRef:
name: backend
namespace: default
key: clientId
clientSecret:
valueFrom:
secretKeyRef:
name: backend
namespace: default
key: clientSecret
tokenUrl:
valueFrom:
secretKeyRef:
name: backend
namespace: default
key: tokenUrl
```

> [!NOTE]
> If you want to use OAuth2 with gRPC, you must configure TLS for your backend connection as well.

- To use a username and password for authentication, configure the `authentication.basic` section.

```yaml
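Review bot: the field names in the new OAuth2 YAML example do not match the API. The Go types serialize as `clientID` and `tokenURL` (json tags in `apis/telemetry/v1alpha1/shared_types.go` in this PR), but the example writes `clientId` and `tokenUrl`. Kubernetes field names are case-sensitive, so a user who copies this manifest has the two fields pruned (or the object rejected under strict field validation) and then sees "'tokenURL' missing" with no visible cause. Rename the keys in the example (the `key:` values inside `secretKeyRef` are Secret data keys and can stay as they are). Also, because `grpc` is the default protocol and the note below says TLS is then mandatory, the example as written would be rejected by the new XValidation rule if `tls.insecure: true` were added; showing a `tls` block, or stating the default protocol next to the note, would save readers a round trip.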