
fix: helm - nginx tenants proxy headers #16953

Open: wants to merge 2 commits into base: main

a5r0n (Contributor) commented Mar 30, 2025

What this PR does / why we need it:

When using basic auth, we set the X-Scope-OrgID to the user name with proxy_set_header,
but according to the nginx docs:

> Allows redefining or appending fields to the request header passed to the proxied server.
> The value can contain text, variables, and their combinations.
> These directives are inherited from the previous configuration level if and only if there are no proxy_set_header directives defined on the current level.

So whenever we set proxy headers on the location block level, we should also include the X-Scope-OrgID set.

Which issue(s) this PR fixes:
Fixes #16938
Should close #7153 #11915

Special notes for your reviewer:

Checklist

  • Reviewed the CONTRIBUTING.md guide (required)
  • Documentation added
  • Tests updated
  • Title matches the required conventional commits format, see here
    • Note that Promtail is considered to be feature complete, and future development for logs collection will be in Grafana Alloy. As such, feat PRs are unlikely to be accepted unless a case can be made for the feature actually being a bug fix to existing behavior.
  • Changes that require user attention or interaction to upgrade are documented in docs/sources/setup/upgrade/_index.md
  • If the change is deprecating or removing a configuration option, update the deprecated-config.yaml and deleted-config.yaml files respectively in the tools/deprecated-config-checker directory. Example PR

@a5r0n a5r0n requested a review from a team as a code owner March 30, 2025 20:31
@github-actions github-actions bot added the area/helm and type/docs labels Mar 30, 2025
@a5r0n a5r0n force-pushed the helm-nginx-headers branch from 71f0a92 to 51294aa Compare April 2, 2025 05:11
@a5r0n a5r0n force-pushed the helm-nginx-headers branch from 51294aa to 153fec4 Compare April 6, 2025 09:58
a5r0n (Contributor Author) commented Apr 6, 2025

@JStickler can you please review? 🙏🏻

pbecotte commented Apr 17, 2025

We have a different value for 'proxy_set_header' (we allow pushes without a password, but require a password for queries)

Would it be possible to have this as a template variable instead?

Maybe loki.tenants.proxy_set_header?

a5r0n (Contributor Author) commented Apr 17, 2025

I'm not sure what your use case is, and it will probably be out of scope for the community chart.

This PR is just to fix some regression with the latest changes that broke the tenants option.

a5r0n (Contributor Author) commented Apr 17, 2025

@trevorwhitney can we get this fix into the next chart release? 🙏

pbecotte commented Apr 17, 2025

> I'm not sure what your use case is, and it will probably be out of scope for the community chart.
>
> This PR is just to fix some regression with the latest changes that broke the tenants option.

Yes, the regression broke the auth (for both me and the regular chart)

My comment was that if you fixed it slightly differently it would make my use case easier.

Instead of having the hardcoded string inside the "if" block, make that string a variable. It benefits the open source chart as well since it means you don't have to worry about updating that string in four different places next time.

#values.yaml
loki.gateway.proxy_set_statement: "proxy_set_header X-Scope-OrgID $remote_user;"
{{ if .Values.loki.tenants }}
{{ .Values.loki.gateway.proxy_set_statement }}

{{ end }}

calebhansard commented Apr 18, 2025

#16938 also broke configurations that use an existing secret rather than relying on .Values.loki.tenants to build the htpasswd secret.

# Example values.yaml
gateway:
  basicAuth:
    enabled: true
    existingSecret: loki-tenants-htpasswd
  nginxConfig:
    httpSnippet: proxy_set_header X-Scope-OrgID $remote_user;

In my case, I'm manually setting the X-Scope-OrgID using gateway.nginxConfig.httpSnippet, however, it does not look like this PR will restore this use case.
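
The nginx inheritance rule quoted in the PR description applies equally to a header set at the http level, as in the httpSnippet values above: any block that defines its own proxy_set_header stops inheriting the tenant header. The following is an added example, not code from the Loki chart or from any participant in this thread: a small Python lint that walks a rendered nginx config and reports blocks that lose X-Scope-OrgID this way. The sample config, upstream names and function names are constructed for illustration.

```python
import re

# Constructed sample (not the chart's rendered config): the http level sets the
# tenant header, and one location defines its own proxy_set_header without it.
SAMPLE = """
http {
  proxy_set_header X-Scope-OrgID $remote_user;
  server {
    location = /loki/api/v1/push {
      proxy_set_header X-Forwarded-For $remote_addr;
      proxy_pass http://write;
    }
    location /loki/api/v1/query { proxy_pass http://read; }
  }
}
"""

# Simplified tokenizer: does not handle quoted strings or ${var} containing braces.
TOKEN = re.compile(r"[{};]|[^\s{};]+")

def parse(conf):
    """Build a tree of blocks, recording the proxy_set_header names set in each."""
    root = {"name": "main", "own": set(), "children": []}
    stack, words = [root], []
    for tok in TOKEN.findall(re.sub(r"#.*", "", conf)):  # drop comments first
        if tok == ";":
            if len(words) >= 2 and words[0] == "proxy_set_header":
                stack[-1]["own"].add(words[1].lower())  # header names are case-insensitive
            words = []
        elif tok == "{":
            node = {"name": " ".join(words), "own": set(), "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
            words = []
        elif tok == "}":
            stack.pop()
            words = []
        else:
            words.append(tok)
    return root

def find_dropped(node, required="X-Scope-OrgID", inherited=frozenset()):
    """Names of blocks that would inherit `required` but override it away."""
    req = required.lower()
    dropped = [node["name"]] if node["own"] and req in inherited and req not in node["own"] else []
    # nginx rule: a level inherits only when it defines no proxy_set_header itself.
    effective = node["own"] or inherited
    for child in node["children"]:
        dropped += find_dropped(child, required, effective)
    return dropped
```

Run against the output of `helm template`, a non-empty result means requests through that location reach the backend without the tenant header.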

Labels: area/helm, size/S, type/docs