Promtail 401 errors when Loki ingress is configured for basic auth

bombasticlogs · November 20, 2023, 1:30pm

I am trying to configure basic authentication for Loki, and am running into an issue with the Promtail side.
I am using the Helm charts to deploy Loki on a K8s cluster.
Authentication is configured on the Loki ingress like this:

loki:
  auth_enabled: false
  serviceAccountName: loki 
.
.
.
ingress:
  enabled: true
  ingressClassName: "nginx-default"
  hosts:
    - loki.hostname.com
  annotations: {
    nginx.ingress.kubernetes.io/auth-type: basic,
    nginx.ingress.kubernetes.io/auth-secret: loki-basic-auth,
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
  }

Promtail is configured with the username and password in plain text (ideally this should be pulled from a K8s secret):

config:
  enabled: true
  logLevel: info
  serverPort: 3100
  clients:
    - url: http://loki.hostname.com/loki/api/v1/push
      basic_auth:
        username: loki-user
        password: loki-password

Promtail fails to send logs with the following error:

level=error ts=2023-11-20T13:09:02.857907174Z caller=client.go:430 component=client host=loki.hostname.com msg="final error sending batch" status=401 tenant= error="server returned HTTP status 401 Unauthorized (401): <html>"

Having the same username and password configured for the logcli user works just fine, so I have excluded possible password mismatch issues as the cause.

Any suggestions on how to fix this would be appreciated.

tonyswumac · November 20, 2023, 4:26pm

I’d double check your endpoint. Looks like your auth is happening on an Nginx proxy, but your promtail is still configured to use port 3100, which most likely is incorrect (unless you purposely configured Nginx to take 3100 as well).

bombasticlogs · November 22, 2023, 7:15am

Thank you for your reply. As far as I understand the serverPort config in the Promtail values file is there to specify on which port Promtail would listen to receive logs as a server.
The same configuration works just fine when authentication is not enabled on the ingress.

tonyswumac · November 22, 2023, 5:34pm

I see. In that case I’d test the authentication with a curl command using Loki API. That should tell you whether it’s a problem with promtail or with how authentication is configured on nginx.

system · November 21, 2024, 5:34pm

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Adding basic auth to loki using Nginx Grafana Loki loki , nginx , auth	4	2102	January 12, 2024
Kubernetes Vanilla Parse Ingress Logs on Loki from Promtail Configuration loki	1	801	October 5, 2023
Promtail nginx basic auth Grafana Loki	7	1708	February 14, 2024
Authorization Required 401 when send logs from Fluentbit to Loki gateway with ingress and basic-auth Grafana Loki	6	441	April 18, 2024
Promtail basic auth using kubernetes secret Grafana Loki	3	2625	January 18, 2023

Promtail 401 errors when Loki ingress is configured for basic auth

Related topics