kube-logging · pepov · Jun 13, 2025 · Jun 9, 2025 · Jun 10, 2025
diff --git a/api/telemetry/v1alpha1/output_types.go b/api/telemetry/v1alpha1/output_types.go
@@ -69,10 +69,12 @@ type OutputSpec struct {
 	Batch          *Batch         `json:"batch,omitempty"`
 }
 
+// +kubebuilder:validation:XValidation:rule="(has(self.basicAuth) && has(self.bearerAuth)) == false",message="Only one authentication method can be specified: either basicAuth or bearerAuth, not both"
+
 // Output Authentication configuration.
 type OutputAuth struct {
-	BasicAuth  *BasicAuthConfig  `json:"basicauth,omitempty"`
-	BearerAuth *BearerAuthConfig `json:"bearerauth,omitempty"`
+	BasicAuth  *BasicAuthConfig  `json:"basicAuth,omitempty"`
+	BearerAuth *BearerAuthConfig `json:"bearerAuth,omitempty"`
 }
 
 type BasicAuthConfig struct {

diff --git a/charts/telemetry-controller/crds/telemetry.kube-logging.dev_outputs.yaml b/charts/telemetry-controller/crds/telemetry.kube-logging.dev_outputs.yaml
@@ -51,7 +51,7 @@ spec:
               authentication:
                 description: Output Authentication configuration.
                 properties:
-                  basicauth:
+                  basicAuth:
                     properties:
                       passwordField:
                         type: string
@@ -73,7 +73,7 @@ spec:
                       usernameField:
                         type: string
                     type: object
-                  bearerauth:
+                  bearerAuth:
                     properties:
                       secretRef:
                         description: |-
@@ -94,6 +94,10 @@ spec:
                         type: string
                     type: object
                 type: object
+                x-kubernetes-validations:
+                - message: 'Only one authentication method can be specified: either
+                    basicAuth or bearerAuth, not both'
+                  rule: (has(self.basicAuth) && has(self.bearerAuth)) == false
               batch:
                 description: Batch processor configuration.
                 properties:

diff --git a/config/crd/bases/telemetry.kube-logging.dev_outputs.yaml b/config/crd/bases/telemetry.kube-logging.dev_outputs.yaml
@@ -51,7 +51,7 @@ spec:
               authentication:
                 description: Output Authentication configuration.
                 properties:
-                  basicauth:
+                  basicAuth:
                     properties:
                       passwordField:
                         type: string
@@ -73,7 +73,7 @@ spec:
                       usernameField:
                         type: string
                     type: object
-                  bearerauth:
+                  bearerAuth:
                     properties:
                       secretRef:
                         description: |-
@@ -94,6 +94,10 @@ spec:
                         type: string
                     type: object
                 type: object
+                x-kubernetes-validations:
+                - message: 'Only one authentication method can be specified: either
+                    basicAuth or bearerAuth, not both'
+                  rule: (has(self.basicAuth) && has(self.bearerAuth)) == false
               batch:
                 description: Batch processor configuration.
                 properties:

diff --git a/controllers/telemetry/collector_controller.go b/controllers/telemetry/collector_controller.go
@@ -61,11 +61,6 @@ type CollectorReconciler struct {
 	Scheme *runtime.Scheme
 }
 
-type BasicAuthClientAuthConfig struct {
-	Username string
-	Password string
-}
-
 func (r *CollectorReconciler) buildConfigInputForCollector(ctx context.Context, collector *v1alpha1.Collector) (otelcolconfgen.OtelColConfigInput, error) {
 	logger := log.FromContext(ctx)
 	tenantSubscriptionMap := make(map[string][]v1alpha1.NamespacedName)
@@ -114,18 +109,23 @@ func (r *CollectorReconciler) buildConfigInputForCollector(ctx context.Context,
 		outputNames := subscription.Status.Outputs
 		subscriptionOutputMap[subscription.NamespacedName()] = outputNames
 		for _, outputName := range outputNames {
-			outputWithSecretData := components.OutputWithSecretData{}
-
 			queriedOutput := &v1alpha1.Output{}
 			if err = r.Get(ctx, types.NamespacedName(outputName), queriedOutput); err != nil {
 				logger.Error(errors.WithStack(err), "failed getting outputs for subscription", "subscription", subscription.NamespacedName().String())
 				return otelcolconfgen.OtelColConfigInput{}, err
 			}
-			outputWithSecretData.Output = *queriedOutput
-
-			if err := r.populateSecretForOutput(ctx, queriedOutput, &outputWithSecretData); err != nil {
-				return otelcolconfgen.OtelColConfigInput{}, err
+			outputWithSecretData := components.OutputWithSecretData{
+				Output: *queriedOutput,
 			}
+			if queriedOutput.Spec.Authentication != nil {
+				outputSecret, err := components.QueryOutputSecretWithData(ctx, r.Client, queriedOutput)
+				if err != nil {
+					logger.Error(errors.WithStack(err), "failed querying output secret for output", "output", queriedOutput.NamespacedName().String())
+				} else {
+					outputWithSecretData.Secret = *outputSecret
+				}
+			}
+
 			outputs = append(outputs, outputWithSecretData)
 		}
 	}
@@ -144,31 +144,6 @@ func (r *CollectorReconciler) buildConfigInputForCollector(ctx context.Context,
 	}, nil
 }
 
-func (r *CollectorReconciler) populateSecretForOutput(ctx context.Context, queriedOutput *v1alpha1.Output, outputWithSecret *components.OutputWithSecretData) error {
-	logger := log.FromContext(ctx)
-
-	if queriedOutput.Spec.Authentication != nil {
-		if queriedOutput.Spec.Authentication.BasicAuth != nil && queriedOutput.Spec.Authentication.BasicAuth.SecretRef != nil {
-			queriedSecret := &corev1.Secret{}
-			if err := r.Get(ctx, types.NamespacedName{Namespace: queriedOutput.Spec.Authentication.BasicAuth.SecretRef.Namespace, Name: queriedOutput.Spec.Authentication.BasicAuth.SecretRef.Name}, queriedSecret); err != nil {
-				logger.Error(errors.WithStack(err), "failed getting secrets for output", "output", queriedOutput.NamespacedName().String())
-				return err
-			}
-			outputWithSecret.Secret = *queriedSecret
-		}
-		if queriedOutput.Spec.Authentication.BearerAuth != nil && queriedOutput.Spec.Authentication.BearerAuth.SecretRef != nil {
-			queriedSecret := &corev1.Secret{}
-			if err := r.Get(ctx, types.NamespacedName{Namespace: queriedOutput.Spec.Authentication.BearerAuth.SecretRef.Namespace, Name: queriedOutput.Spec.Authentication.BearerAuth.SecretRef.Name}, queriedSecret); err != nil {
-				logger.Error(errors.WithStack(err), "failed getting secrets for output", "output", queriedOutput.NamespacedName().String())
-				return err
-			}
-			outputWithSecret.Secret = *queriedSecret
-		}
-	}
-
-	return nil
-}
-
 // +kubebuilder:rbac:groups=telemetry.kube-logging.dev,resources=collectors;tenants;subscriptions;outputs;bridges;,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=telemetry.kube-logging.dev,resources=collectors/status;tenants/status;subscriptions/status;outputs/status;bridges/status;,verbs=get;update;patch
 // +kubebuilder:rbac:groups=telemetry.kube-logging.dev,resources=collectors/finalizers,verbs=update

diff --git a/controllers/telemetry/route_controller.go b/controllers/telemetry/route_controller.go
@@ -50,7 +50,7 @@ type RouteReconciler struct {
 // +kubebuilder:rbac:groups=telemetry.kube-logging.dev,resources=collectors;tenants;subscriptions;outputs;bridges;,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=telemetry.kube-logging.dev,resources=collectors/status;tenants/status;subscriptions/status;outputs/status;bridges/status;,verbs=get;update;patch
 // +kubebuilder:rbac:groups=telemetry.kube-logging.dev,resources=collectors/finalizers,verbs=update
-// +kubebuilder:rbac:groups="",resources=nodes;namespaces;endpoints;nodes/proxy,verbs=get;list;watch
+// +kubebuilder:rbac:groups="",resources=secrets;nodes;namespaces;endpoints;nodes/proxy,verbs=get;list;watch
 // +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=clusterroles;clusterrolebindings;roles;rolebindings,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups="",resources=services;persistentvolumeclaims;serviceaccounts;pods,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=apps,resources=statefulsets;daemonsets;replicasets,verbs=get;list;watch;create;update;patch;delete

diff --git a/pkg/resources/manager/tenant_resource_manager.go b/pkg/resources/manager/tenant_resource_manager.go
@@ -30,6 +30,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/kube-logging/telemetry-controller/api/telemetry/v1alpha1"
+	"github.com/kube-logging/telemetry-controller/pkg/resources/otel_conf_gen/pipeline/components"
 	"github.com/kube-logging/telemetry-controller/pkg/sdk/model"
 	"github.com/kube-logging/telemetry-controller/pkg/sdk/model/state"
 )
@@ -201,7 +202,7 @@ func (t *TenantResourceManager) ValidateSubscriptionOutputs(ctx context.Context,
 			continue
 		}
 
-		// Ensure the output belongs to the same tenant
+		// ensure the output belongs to the same tenant
 		if checkedOutput.Status.Tenant != subscription.Status.Tenant {
 			t.Error(errors.New("output and subscription tenants mismatch"),
 				"output and subscription tenants mismatch",
@@ -214,6 +215,16 @@ func (t *TenantResourceManager) ValidateSubscriptionOutputs(ctx context.Context,
 			continue
 		}
 
+		// validate output secret
+		if checkedOutput.Spec.Authentication != nil {
+			if err := components.QueryOutputSecret(ctx, t.Client, checkedOutput); err != nil {
+				t.Error(err, "failed to query output secret", "output", checkedOutput.NamespacedName().String())
+
+				invalidOutputs = append(invalidOutputs, outputRef)
+				continue
+			}
+		}
+
 		// update the output state if validation was successful
 		checkedOutput.SetState(state.StateReady)
 		if updateErr := t.Status().Update(ctx, checkedOutput); updateErr != nil {

diff --git a/pkg/resources/otel_conf_gen/pipeline/components/common.go b/pkg/resources/otel_conf_gen/pipeline/components/common.go
@@ -15,11 +15,15 @@
 package components
 
 import (
+	"context"
+	"errors"
 	"fmt"
 	"slices"
 	"strings"
 
 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/kube-logging/telemetry-controller/api/telemetry/v1alpha1"
 )
@@ -106,6 +110,60 @@ func (r *ResourceRelations) GetTenantByName(tenantName string) (*v1alpha1.Tenant
 	return nil, fmt.Errorf("tenant %s not found", tenantName)
 }
 
+// QueryOutputSecret retrieves the secret associated with the output's authentication configuration.
+// It returns an error if the output is nil, if no authentication is configured,
+// if multiple authentication methods are configured, or if the secret cannot be found.
+func QueryOutputSecret(ctx context.Context, client client.Client, output *v1alpha1.Output) error {
+	_, err := QueryOutputSecretWithData(ctx, client, output)
+	return err
+}
+
+// QueryOutputSecretWithData retrieves the secret associated with the output's authentication configuration.
+// It returns the secret and an error if the output is nil, if no authentication is configured,
+// if multiple authentication methods are configured, or if the secret cannot be found.
+func QueryOutputSecretWithData(ctx context.Context, client client.Client, output *v1alpha1.Output) (*corev1.Secret, error) {
+	auth := output.Spec.Authentication
+	authCount := 0
+	if auth.BasicAuth != nil && auth.BasicAuth.SecretRef != nil {
+		authCount++
+	}
+	if auth.BearerAuth != nil && auth.BearerAuth.SecretRef != nil {
+		authCount++
+	}
+	switch authCount {
+	case 0:
+		return nil, errors.New("no valid authentication method configured")
+	case 1:
+		// Proceed with the single authentication method
+	default:
+		return nil, errors.New("multiple authentication methods configured; only one is allowed")
+	}
+
+	var namespacedName types.NamespacedName
+	var authType string
+	if auth.BasicAuth != nil && auth.BasicAuth.SecretRef != nil {
+		namespacedName = types.NamespacedName{
+			Namespace: auth.BasicAuth.SecretRef.Namespace,
+			Name:      auth.BasicAuth.SecretRef.Name,
+		}
+		authType = "BasicAuth"
+	} else if auth.BearerAuth != nil && auth.BearerAuth.SecretRef != nil {
+		namespacedName = types.NamespacedName{
+			Namespace: auth.BearerAuth.SecretRef.Namespace,
+			Name:      auth.BearerAuth.SecretRef.Name,
+		}
+		authType = "BearerAuth"
+	}
+
+	var secret *corev1.Secret
+	if err := client.Get(ctx, namespacedName, secret); err != nil {
+		return nil, fmt.Errorf("failed to retrieve %s secret %s/%s: %w",
+			authType, namespacedName.Namespace, namespacedName.Name, err)
+	}
+
+	return secret, nil
+}
+
 func SortNamespacedNames(names []v1alpha1.NamespacedName) {
 	slices.SortFunc(names, func(a, b v1alpha1.NamespacedName) int {
 		return strings.Compare(a.String(), b.String())