@@ -166,6 +166,15 @@ gateway:
166166 default_type application/octet-stream;
167167 log_format main '{{ print "$" }}remote_addr - {{ print "$" }}remote_user [{{ print "$" }}time_local] "{{ print "$" }}request" {{ print "$" }}status';
168168 access_log /dev/stderr main;
169+
170+ # Determine if authentication is required based on the tenant ID
171+ # The 'default' tenant is used by global infra and smoke tests, so we bypass auth for it.
172+ map {{ print "$" }}http_x_scope_orgid {{ print "$" }}auth_realm {
173+ "default" "off";
174+ "" "off";
175+ default "Loki Tenant Authentication";
176+ }
177+
169178 server {
170179 listen 8080;
171180
@@ -175,20 +184,27 @@ gateway:
175184 auth_basic off;
176185 }
177186
178- # Readiness and push paths (no auth needed for readiness/push)
179- location ~ ^/(loki/api/v1/push|loki/api/v1/tail|ready|log) {
187+ # Log push paths (selecitvely authenticated via map)
188+ location ~ ^/(loki/api/v1/push|otlp/v1/logs|api/prom/push) {
189+ auth_basic {{ print "$" }}auth_realm;
190+ auth_basic_user_file /etc/nginx/secrets/.htpasswd;
180191 proxy_pass http://monitoring-loki-distributor.observability.svc.cluster.local:3100;
181192 proxy_http_version 1.1;
182- auth_basic off;
183193 }
184194
185- # Read path (BasicAuth required )
195+ # Log query/read paths (selectively authenticated via map )
186196 location / {
187- auth_basic "Loki Tenant Authentication" ;
197+ auth_basic {{ print "$" }}auth_realm ;
188198 auth_basic_user_file /etc/nginx/secrets/.htpasswd;
189199 proxy_pass http://monitoring-loki-query-frontend.observability.svc.cluster.local:3100;
190200 proxy_http_version 1.1;
191201 }
202+
203+ # Readiness path for distributor
204+ location = /ready {
205+ proxy_pass http://monitoring-loki-distributor.observability.svc.cluster.local:3100;
206+ auth_basic off;
207+ }
192208 }
193209 }
194210
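Review bot: The new `map` on `$http_x_scope_orgid` lets the caller decide whether Basic auth applies, because `X-Scope-OrgID` is a request header the client sets itself. Sending `default`, or omitting the header, turns `auth_basic` off for the push locations and for `location /`, which before this commit always required credentials. If the gateway is reachable by anything beyond the trusted in-cluster infra and smoke-test jobs, the `default` tenant's logs can be written and queried without a password. I would keep `auth_basic "Loki Tenant Authentication";` on `location /` and grant the exemption by something the caller cannot choose, such as source address or a separate internal listener. The part of the `server` block between the two hunks is not shown, so locations defined there are not covered by this note.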