// Module included in the following assemblies:
//
// * observability/monitoring/configuring-the-monitoring-stack.adoc

:_mod-docs-content-type: REFERENCE
[id="example-remote-write-authentication-settings_{context}"]
= Example remote write authentication settings

// Set attributes to distinguish between cluster monitoring example (core platform monitoring - CPM) and user workload monitoring (UWM) examples
// tag::CPM[]
:configmap-name: cluster-monitoring-config
:namespace-name: openshift-monitoring
:component: prometheusK8s
// end::CPM[]
// tag::UWM[]
:configmap-name: user-workload-monitoring-config
:namespace-name: openshift-user-workload-monitoring
:component: prometheus
// end::UWM[]

The following samples show different authentication settings you can use to connect to a remote write endpoint. Each sample also shows how to configure a corresponding `Secret` object that contains authentication credentials and other relevant settings. Each sample configures authentication for use with
// tag::CPM[]
default platform monitoring
// end::CPM[]
// tag::UWM[]
monitoring for user-defined projects
// end::UWM[]
in the `{namespace-name}` namespace.

[id="remote-write-sample-yaml-aws-sigv4_{context}"]
== Sample YAML for AWS Signature Version 4 authentication

The following shows the settings for a `sigv4` secret named `sigv4-credentials` in the `{namespace-name}` namespace.

[source,yaml,subs="attributes+"]
----
apiVersion: v1
kind: Secret
metadata:
  name: sigv4-credentials
  namespace: {namespace-name}
stringData:
  accessKey: <AWS_access_key> <1>
  secretKey: <AWS_secret_key> <2>
type: Opaque
----
<1> The AWS API access key.
<2> The AWS API secret key.

The following shows sample AWS Signature Version 4 remote write authentication settings that use a `Secret` object named `sigv4-credentials` in the `{namespace-name}` namespace:

[source,yaml,subs="attributes+"]
----
apiVersion: v1
kind: ConfigMap
metadata:
  name: {configmap-name}
  namespace: {namespace-name}
data:
  config.yaml: |
    {component}:
      remoteWrite:
      - url: "https://authorization.example.com/api/write"
        sigv4:
          region: <AWS_region> <1>
          accessKey:
            name: sigv4-credentials <2>
            key: accessKey <3>
          secretKey:
            name: sigv4-credentials <2>
            key: secretKey <4>
          profile: <AWS_profile_name> <5>
          roleArn: <AWS_role_arn> <6>
----
<1> The AWS region.
<2> The name of the `Secret` object containing the AWS API access credentials.
<3> The key that contains the AWS API access key in the specified `Secret` object.
<4> The key that contains the AWS API secret key in the specified `Secret` object.
<5> The name of the AWS profile that is being used to authenticate.
<6> The unique identifier for the Amazon Resource Name (ARN) assigned to your role.

[id="remote-write-sample-yaml-basic-auth_{context}"]
== Sample YAML for Basic authentication

The following shows sample Basic authentication settings for a `Secret` object named `rw-basic-auth` in the `{namespace-name}` namespace:

[source,yaml,subs="attributes+"]
----
apiVersion: v1
kind: Secret
metadata:
  name: rw-basic-auth
  namespace: {namespace-name}
stringData:
  user: <basic_username> <1>
  password: <basic_password> <2>
type: Opaque
----
<1> The username.
<2> The password.

The following sample shows a `basicAuth` remote write configuration that uses a `Secret` object named `rw-basic-auth` in the `{namespace-name}` namespace.
It assumes that you have already set up authentication credentials for the endpoint.

[source,yaml,subs="attributes+"]
----
apiVersion: v1
kind: ConfigMap
metadata:
  name: {configmap-name}
  namespace: {namespace-name}
data:
  config.yaml: |
    {component}:
      remoteWrite:
      - url: "https://basicauth.example.com/api/write"
        basicAuth:
          username:
            name: rw-basic-auth <1>
            key: user <2>
          password:
            name: rw-basic-auth <1>
            key: password <3>
----
<1> The name of the `Secret` object that contains the authentication credentials.
<2> The key that contains the username  in the specified `Secret` object.
<3> The key that contains the password in the specified `Secret` object.

[id="remote-write-sample-yaml-bearer-token_{context}"]
== Sample YAML for authentication with a bearer token using a `Secret` Object

The following shows bearer token settings for a `Secret` object named `rw-bearer-auth` in the `{namespace-name}` namespace:

[source,yaml,subs="attributes+"]
----
apiVersion: v1
kind: Secret
metadata:
  name: rw-bearer-auth
  namespace: {namespace-name}
stringData:
  token: <authentication_token> <1>
type: Opaque
----
<1> The authentication token.

The following shows sample bearer token config map settings that use a `Secret` object named `rw-bearer-auth` in the `{namespace-name}` namespace:

[source,yaml,subs="attributes+"]
----
apiVersion: v1
kind: ConfigMap
metadata:
  name: {configmap-name}
  namespace: {namespace-name}
data:
  config.yaml: |
    {component}:
      remoteWrite:
      - url: "https://authorization.example.com/api/write"
        authorization:
          type: Bearer <1>
          credentials:
            name: rw-bearer-auth <2>
            key: token <3>
----
<1> The authentication type of the request. The default value is `Bearer`.
<2> The name of the `Secret` object that contains the authentication credentials.
<3> The key that contains the authentication token in the specified `Secret` object.

[id="remote-write-sample-yaml-oauth-20_{context}"]
== Sample YAML for OAuth 2.0 authentication

The following shows sample OAuth 2.0 settings for a `Secret` object named `oauth2-credentials` in the `{namespace-name}` namespace:

[source,yaml,subs="attributes+"]
----
apiVersion: v1
kind: Secret
metadata:
  name: oauth2-credentials
  namespace: {namespace-name}
stringData:
  id: <oauth2_id> <1>
  secret: <oauth2_secret> <2>
type: Opaque
----
<1> The Oauth 2.0 ID.
<2> The OAuth 2.0 secret.

The following shows an `oauth2` remote write authentication sample configuration that uses a `Secret` object named `oauth2-credentials` in the `{namespace-name}` namespace:

[source,yaml,subs="attributes+"]
----
apiVersion: v1
kind: ConfigMap
metadata:
  name: {configmap-name}
  namespace: {namespace-name}
data:
  config.yaml: |
    {component}:
      remoteWrite:
      - url: "https://test.example.com/api/write"
        oauth2:
          clientId:
            secret:
              name: oauth2-credentials <1>
              key: id <2>
          clientSecret:
            name: oauth2-credentials <1>
            key: secret <2>
          tokenUrl: https://example.com/oauth2/token <3>
          scopes: <4>
          - <scope_1>
          - <scope_2>
          endpointParams: <5>
            param1: <parameter_1>
            param2: <parameter_2>
----
<1> The name of the corresponding `Secret` object. Note that `ClientId` can alternatively refer to a `ConfigMap` object, although `clientSecret` must refer to a `Secret` object.
<2> The key that contains the OAuth 2.0 credentials in the specified `Secret` object.
<3> The URL used to fetch a token with the specified `clientId` and `clientSecret`.
<4> The OAuth 2.0 scopes for the authorization request. These scopes limit what data the tokens can access.
<5> The OAuth 2.0 authorization request parameters required for the authorization server.

[id="remote-write-sample-yaml-tls_{context}"]
== Sample YAML for TLS client authentication

The following shows sample TLS client settings for a `tls` `Secret` object named `mtls-bundle` in the `{namespace-name}` namespace.

[source,yaml,subs="attributes+"]
----
apiVersion: v1
kind: Secret
metadata:
  name: mtls-bundle
  namespace: {namespace-name}
data:
  ca.crt: <ca_cert> <1>
  client.crt: <client_cert> <2>
  client.key: <client_key> <3>
type: tls
----
<1> The CA certificate in the Prometheus container with which to validate the server certificate.
<2> The client certificate for authentication with the server.
<3> The client key.

The following sample shows a `tlsConfig` remote write authentication configuration that uses a TLS `Secret` object named `mtls-bundle`.

[source,yaml,subs="attributes+"]
----
apiVersion: v1
kind: ConfigMap
metadata:
  name: {configmap-name}
  namespace: {namespace-name}
data:
  config.yaml: |
    {component}:
      remoteWrite:
      - url: "https://remote-write-endpoint.example.com"
        tlsConfig:
          ca:
            secret:
              name: mtls-bundle <1>
              key: ca.crt <2>
          cert:
            secret:
              name: mtls-bundle <1>
              key: client.crt <3>
          keySecret:
            name: mtls-bundle <1>
            key: client.key <4>
----
<1> The name of the corresponding `Secret` object that contains the TLS authentication credentials. Note that `ca` and `cert` can alternatively refer to a `ConfigMap` object, though `keySecret` must refer to a `Secret` object.
<2> The key in the specified `Secret` object that contains the CA certificate for the endpoint.
<3> The key in the specified `Secret` object that contains the client certificate for the endpoint.
<4> The key in the specified `Secret` object that contains the client key secret.

// Unset the source code block attributes just to be safe.
:!configmap-name:
:!namespace-name:
:!component: