OpenShift Logging / LOG-2426

[master] Vector forwarder to support bearer tokens for LokiStack proxy


Details

    • Story
    • Resolution: Done
    • Blocker
    • Logging 5.5.0
    • None
    • Log Collection
    • None

    Description

      Story

      The LokiStack operator includes a proxy to enforce multi-tenancy. To connect via the proxy, the Loki forwarder needs to present a bearer token. This story is for the vector collector; the fluentd collector is a separate story.

      Design

      The forwarder requires a bearer token and a CA to communicate securely.

      It must be able to use credentials from the cluster (for the default LokiStack in the same cluster) or from a user-provided Secret (for forwarding to LokiStack instances outside the cluster).

      Credentials are searched in the following order (first one wins):

      Bearer token:

      1. Secret key "token"
      2. Collector SA token: /var/run/secrets/kubernetes.io/serviceaccount/token

      Certificate Authority (the same CA used for TLS):

      1. Secret key "ca-bundle.crt" - same CA used for TLS communication.
      2. CA injected in the Collector as a config map via inject-ca-bundle annotation

      The field ClusterLogForwarder.spec.outputs[].loki.tenantKey identifies a field in the message record whose value is used as the tenant key. The default value is "log_type", which yields the tenants ["application", "infrastructure", "audit"]. This is described in detail in the design document.
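      As an added illustration of the search order above (example code written for this page, not the cluster-logging-operator's or Vector's own implementation): the functions resolveCredentials and tenantFor are hypothetical names; the SA token path is the one given in the story, while the injected-CA mount path is an assumption, since the story does not name it. The example treats "no credential found at either position" as a hard error rather than sending an unauthenticated request, which is the failure mode a forwarder should surface loudly.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Files the collector pod can read without any user-provided Secret.
// saTokenPath is the path named in the story; injectedCAPath is an ASSUMED
// mount point for the CA injected via the inject-ca-bundle annotation.
const (
	saTokenPath      = "/var/run/secrets/kubernetes.io/serviceaccount/token"
	injectedCAPath   = "/etc/collector/injected-ca/service-ca.crt" // assumption
	defaultTenantKey = "log_type"
)

// LokiCredentials is what the Vector forwarder presents to the LokiStack proxy.
type LokiCredentials struct {
	BearerToken string
	CABundle    []byte
	TokenSource string // "secret" or "serviceaccount", useful when troubleshooting
	CASource    string // "secret" or "injected"
}

// fileReader abstracts os.ReadFile so the resolution logic can be exercised
// without touching the real pod filesystem.
type fileReader func(path string) ([]byte, error)

// resolveCredentials applies the "first one wins" search order from the story:
// token: Secret key "token", then the collector SA token file;
// CA:    Secret key "ca-bundle.crt", then the injected CA file.
// secretData is the decoded .data of the output Secret; nil means no Secret.
func resolveCredentials(secretData map[string][]byte, read fileReader) (LokiCredentials, error) {
	var c LokiCredentials

	if tok := strings.TrimSpace(string(secretData["token"])); tok != "" {
		c.BearerToken, c.TokenSource = tok, "secret"
	} else {
		raw, err := read(saTokenPath)
		if err != nil {
			return LokiCredentials{}, fmt.Errorf("no bearer token: Secret has no \"token\" key and %s is unreadable: %w", saTokenPath, err)
		}
		c.BearerToken, c.TokenSource = strings.TrimSpace(string(raw)), "serviceaccount"
	}

	if ca := secretData["ca-bundle.crt"]; len(ca) > 0 {
		c.CABundle, c.CASource = ca, "secret"
	} else {
		raw, err := read(injectedCAPath)
		if err != nil {
			return LokiCredentials{}, fmt.Errorf("no CA bundle: Secret has no \"ca-bundle.crt\" key and %s is unreadable: %w", injectedCAPath, err)
		}
		c.CABundle, c.CASource = raw, "injected"
	}
	return c, nil
}

// tenantFor returns the tenant a record is routed to: the value of the record
// field named by tenantKey (default "log_type"). A missing or non-string value
// is reported as an error instead of silently routing to a wrong tenant.
func tenantFor(record map[string]any, tenantKey string) (string, error) {
	if tenantKey == "" {
		tenantKey = defaultTenantKey
	}
	v, ok := record[tenantKey]
	if !ok {
		return "", fmt.Errorf("record has no field %q to use as tenant key", tenantKey)
	}
	s, ok := v.(string)
	if !ok || s == "" {
		return "", fmt.Errorf("field %q is not a non-empty string (got %T)", tenantKey, v)
	}
	return s, nil
}

func main() {
	// Constructed stand-in for the pod filesystem; these are not real credentials.
	files := map[string][]byte{
		saTokenPath:    []byte("constructed-sa-token\n"),
		injectedCAPath: []byte("-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n"),
	}
	fakeRead := func(p string) ([]byte, error) {
		if b, ok := files[p]; ok {
			return b, nil
		}
		return nil, os.ErrNotExist
	}

	// Case 1: the output Secret carries both keys, so it wins over cluster credentials.
	secret := map[string][]byte{
		"token":         []byte("constructed-secret-token"),
		"ca-bundle.crt": []byte("-----BEGIN CERTIFICATE-----\nexternal\n-----END CERTIFICATE-----\n"),
	}
	c, err := resolveCredentials(secret, fakeRead)
	fmt.Println(c.TokenSource, c.CASource, err) // secret secret <nil>

	// Case 2: no Secret, so the SA token and the injected CA are used.
	c, err = resolveCredentials(nil, fakeRead)
	fmt.Println(c.TokenSource, c.CASource, err) // serviceaccount injected <nil>

	// Tenant routing with the default key.
	t, err := tenantFor(map[string]any{"log_type": "audit", "message": "x"}, "")
	fmt.Println(t, err) // audit <nil>
}
```

      Note that the two lookups are independent: a Secret that carries only "token" still falls through to the injected CA for TLS, which is the behaviour the acceptance criteria describe.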

      Acceptance Criteria

      • The Loki forwarder can connect and forward logs via the LokiStack proxy
      • Logs are separated by tenant as expected.
      • Uses credentials from the output Secret if present.
      • Uses credentials from SA and ca-bundle if present.
      • tenantKey behaves as documented (note LOG-2356: this is buggy on fluentd, make sure it is correct for vector)

      Open Questions

      • Should the use of injected CA be extended to all outputs that use TLS?
      • Do we need a way to prevent the use of any token?
        • If so should use of a token be opt-in or opt-out?
        • SA token is always present, is it safe/reasonable to always use it?

          People

            vimalkum@redhat.com Vimal Kumar
            rhn-engineering-aconway Alan Conway
            Ishwar Kanse Ishwar Kanse