[k8s-monitoring-v1] Adds bearerToken support for tempo (#829)

* [k8s-monitoring-v1] Adds bearerToken support for tempo

Also includes a schema fix to allow bearerToken authmode to be supplied
for the change in
#813 to allow bearer
token support for loki

Signed-off-by: Michael Tweten <mtweten@gmail.com>

* Run make clean build

* Update charts/k8s-monitoring-v1/templates/alloy_config/_traces_service.alloy.txt

Co-authored-by: Pete Wall <pete@petewall.net>

* Regenerate after change

---------

Signed-off-by: Michael Tweten <mtweten@gmail.com>
Co-authored-by: Pete Wall <pete@petewall.net>

charts/k8s-monitoring-v1/README.md

@@ -232,7 +232,7 @@ The Prometheus and Loki services may be hosted on the same cluster, or remotely
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| externalServices.loki.authMode | string | `"basic"` | one of "none", "basic", "oauth2" |
+| externalServices.loki.authMode | string | `"basic"` | one of "none", "basic", "oauth2", "bearerToken" |
 | externalServices.loki.basicAuth.password | string | `""` | Loki basic auth password |
 | externalServices.loki.basicAuth.passwordKey | string | `"password"` | The key for the password property in the secret |
 | externalServices.loki.basicAuth.username | string | `""` | Loki basic auth username |
@@ -370,11 +370,13 @@ The Prometheus and Loki services may be hosted on the same cluster, or remotely
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| externalServices.tempo.authMode | string | `"basic"` | one of "none", "basic" |
+| externalServices.tempo.authMode | string | `"basic"` | one of "none", "basic", "bearerToken" |
 | externalServices.tempo.basicAuth.password | string | `""` | Tempo basic auth password |
 | externalServices.tempo.basicAuth.passwordKey | string | `"password"` | The key for the password property in the secret |
 | externalServices.tempo.basicAuth.username | string | `""` | Tempo basic auth username |
 | externalServices.tempo.basicAuth.usernameKey | string | `"username"` | The key for the username property in the secret |
+| externalServices.tempo.bearerToken.token | string | `""` | Configure the Tempo Bearer Token |
+| externalServices.tempo.bearerToken.tokenKey | string | `"bearerToken"` | Configure the Key for Tempo Bearer Token secret |
 | externalServices.tempo.extraHeaders | object | `{}` | Extra headers to be set when sending metrics. All values are treated as strings and automatically quoted. |
 | externalServices.tempo.extraHeadersFrom | object | `{}` | Extra headers to be set when sending metrics through a dynamic reference. All values are treated as raw strings and not quoted. |
 | externalServices.tempo.host | string | `""` | Tempo host where traces will be sent |

charts/k8s-monitoring-v1/schema-mods/enums-and-types.json

@@ -34,7 +34,7 @@
           "properties": {
             "authMode": {
               "type": "string",
-              "enum": ["none", "basic", "oauth2"]
+              "enum": ["none", "basic", "oauth2", "bearerToken"]
             },
             "basicAuth": {
               "properties": {
@@ -53,6 +53,10 @@
         },
         "tempo": {
           "properties": {
+            "authMode": {
+              "type": "string",
+              "enum": ["none", "basic", "bearerToken"]
+            },
             "basicAuth": {
               "properties": {
                 "username": {

charts/k8s-monitoring-v1/templates/alloy_config/_traces_service.alloy.txt

@@ -11,6 +11,10 @@ otelcol.auth.basic "traces_service" {
   username = nonsensitive(remote.kubernetes.secret.traces_service.data[{{ .basicAuth.usernameKey | quote }}])
   password = remote.kubernetes.secret.traces_service.data[{{ .basicAuth.passwordKey | quote }}]
 }
+{{- else if eq .authMode "bearerToken" }}
+otelcol.auth.bearer "traces_service" {
+  token = remote.kubernetes.secret.traces_service.data[{{ .bearerToken.tokenKey | quote }}]
+}
 {{- end }}
 {{ if eq .protocol "otlp" }}
 otelcol.exporter.otlp "traces_service" {
@@ -21,6 +25,8 @@ otelcol.exporter.otlphttp "traces_service" {
     endpoint = nonsensitive(remote.kubernetes.secret.traces_service.data[{{ .hostKey | quote }}])
 {{ if eq .authMode "basic" }}
     auth = otelcol.auth.basic.traces_service.handler
+{{- else if eq .authMode "bearerToken" }}
+    auth = otelcol.auth.bearer.traces_service.handler
 {{- end }}
     headers = {
       "X-Scope-OrgID" = nonsensitive(remote.kubernetes.secret.traces_service.data[{{ .tenantIdKey | quote }}]),

charts/k8s-monitoring-v1/templates/trace-service-credentials.yaml

@@ -15,6 +15,9 @@ data:
 {{- if .basicAuth.password }}
   {{ .basicAuth.passwordKey }}: {{ .basicAuth.password | toString | b64enc | quote }}
 {{- end }}
+{{- if .bearerToken.token }}
+  {{ .bearerToken.tokenKey }}: {{ .bearerToken.token | toString | b64enc | quote }}
+{{- end }}
 {{- if .tenantId }}
   {{ .tenantIdKey }}: {{ .tenantId | toString | b64enc | quote }}
 {{- end }}

charts/k8s-monitoring-v1/values.schema.json

@@ -297,7 +297,8 @@
                             "enum": [
                                 "none",
                                 "basic",
-                                "oauth2"
+                                "oauth2",
+                                "bearerToken"
                             ]
                         },
                         "basicAuth": {
@@ -812,7 +813,12 @@
                     "type": "object",
                     "properties": {
                         "authMode": {
-                            "type": "string"
+                            "type": "string",
+                            "enum": [
+                                "none",
+                                "basic",
+                                "bearerToken"
+                            ]
                         },
                         "basicAuth": {
                             "type": "object",
@@ -834,6 +840,17 @@
                                 }
                             }
                         },
+                        "bearerToken": {
+                            "type": "object",
+                            "properties": {
+                                "token": {
+                                    "type": "string"
+                                },
+                                "tokenKey": {
+                                    "type": "string"
+                                }
+                            }
+                        },
                         "extraHeaders": {
                             "type": "object"
                         },

charts/k8s-monitoring-v1/values.yaml

@@ -318,7 +318,7 @@ externalServices:
     # @section -- External Services (Loki)
     tenantIdKey: tenantId
 
-    # -- one of "none", "basic", "oauth2"
+    # -- one of "none", "basic", "oauth2", "bearerToken"
     # @section -- External Services (Loki)
     authMode: basic
 
@@ -464,7 +464,7 @@ externalServices:
     # @section -- External Services (Tempo)
     tenantIdKey: tenantId
 
-    # -- one of "none", "basic"
+    # -- one of "none", "basic", "bearerToken"
     # @section -- External Services (Tempo)
     authMode: basic
 
@@ -483,6 +483,15 @@ externalServices:
       # @section -- External Services (Tempo)
       passwordKey: password
 
+    # Authenticate to Tempo using bearerToken
+    bearerToken:
+      # -- Configure the Tempo Bearer Token
+      # @section -- External Services (Tempo)
+      token: ""
+      # -- Configure the Key for Tempo Bearer Token secret
+      # @section -- External Services (Tempo)
+      tokenKey: "bearerToken"
+
     # Credential management
     secret:
       # -- Should this Helm chart create the secret. If false, you must define the name and namespace values.