Support for mTLS in Loki Hook

maxhamon commented

2026-03-27 16:40:53 +00:00

Contributor

What I'd like to do and why

Grafana Loki does not come with any included authentication layer (doc) and relies on reverse proxies, effectively suggesting the use of basic auth, which can be used today in Borgmatic by doing things like this in URL : https://{loki_user}:{loki_password}@{loki_url}/loki/api/v1/push

If we want to go further we could use mTLS instead. In this setup, the client must present a certificate and a private key to the reverse proxy to be authorized.
Currently, Borgmatic's Loki hook does not provide a way to pass these TLS credentials, making it impossible to send logs to a Loki instance protected by mTLS.

Other notes / implementation ideas

I have tested a local modification of hooks/monitoring/loki.py that implements this feature using the cert parameter of the requests library. It works as expected in my mTLS environment.
I'm providing this file, just for checking.

I haven't opened a PR (yet ?) because I'm not sure about the best way to implement this. It might make more sense to implement this at another level rather than just for my specific Loki use case.

### What I'd like to do and why Grafana Loki does not come with any included authentication layer ([doc](https://grafana.com/docs/loki/latest/operations/authentication)) and relies on reverse proxies, effectively suggesting the use of basic auth, which can be used today in Borgmatic by doing things like this in URL : `https://{loki_user}:{loki_password}@{loki_url}/loki/api/v1/push` If we want to go further we could use mTLS instead. In this setup, the client must present a certificate and a private key to the reverse proxy to be authorized. Currently, Borgmatic's Loki hook does not provide a way to pass these TLS credentials, making it impossible to send logs to a Loki instance protected by mTLS. ### Other notes / implementation ideas I have tested a local modification of `hooks/monitoring/loki.py` that implements this feature using the cert parameter of the requests library. It works as expected in my mTLS environment. I'm providing this file, just for checking. I haven't opened a PR (yet ?) because I'm not sure about the best way to implement this. It might make more sense to implement this at another level rather than just for my specific Loki use case.

loki.py

5.6 KiB

maxhamon changed title from ~~Feature: support for mTLS in Loki Hook~~ to Support for mTLS in Loki Hook

2026-03-27 16:43:14 +00:00

witten referenced this issue

2026-03-30 18:33:10 +00:00

Basic auth for loki hook #1199

witten commented

2026-04-05 19:29:41 +00:00

Owner

Thanks for filing this. I had a look at your changes, and the general approach makes sense to me. I do think they make sense to do at this level, rather than, say, in some sort of generalized way that's not specific to the Loki hook. I will say that I'm not wild about the existing design of Loki_log_buffer insofar as it's a little OOPier than I'd like, but that well predates any of your changes. (And if it bothers me enough, I can always refactor after.) So if you're up to do a PR for this, that would be great.

Couple of minor points of pre-feedback though:

This will of course require schema.yaml changes to, which I assume you've already done separately.
I might suggest calling tls_options just tls, as everything in the schema is an option!
Doc updates for this feature would be ideal, but I'm also happy to do that if you'd prefer.

Also be aware of #1199, a related feature!

Thanks for filing this. I had a look at your changes, and the general approach makes sense to me. I do think they make sense to do at this level, rather than, say, in some sort of generalized way that's not specific to the Loki hook. I will say that I'm not wild about the existing design of `Loki_log_buffer` insofar as it's a little OOPier than I'd like, but that well predates any of your changes. (And if it bothers me enough, I can always refactor after.) So if you're up to do a PR for this, that would be great. Couple of minor points of pre-feedback though: - This will of course require `schema.yaml` changes to, which I assume you've already done separately. - I might suggest calling `tls_options` just `tls`, as everything in the schema is an option! - Doc updates for this feature would be ideal, but I'm also happy to do that if you'd prefer. Also be aware of #1199, a related feature!

maxhamon referenced this issue

2026-04-07 07:24:26 +00:00

Add mTLS support for Loki monitoring hook #1293

maxhamon commented

2026-04-07 07:31:41 +00:00

Author

Contributor

PR is up. Renamed tls_options to tls and updated cert filenames options too.
Docs are updated, I'll leave the versioning to you.

PR is up. Renamed `tls_options` to `tls` and updated cert filenames options too. Docs are updated, I'll leave the versioning to you.

witten referenced this issue from a commit

2026-04-13 16:07:59 +00:00

Add mTLS support for Loki monitoring hook (#1289).