From 7293de6c5314b9a26446fde14fa252c5ef09b6c4 Mon Sep 17 00:00:00 2001 From: "Eric D. Schabell" Date: Thu, 19 Mar 2026 20:02:52 +0100 Subject: [PATCH] docs: inputs: opentelemetry: add OAuth2 JWT validation and http_server.workers options Add six oauth2.* parameters introduced by the in_opentelemetry OAuth2 JWT validation support, inserted alphabetically into the config table: - oauth2.validate: enable JWT validation for incoming requests - oauth2.issuer: expected iss claim to enforce - oauth2.jwks_url: JWKS endpoint for public key retrieval - oauth2.jwks_refresh_interval: JWKS cache refresh in seconds (default: 300) - oauth2.allowed_audience: audience claim to enforce - oauth2.allowed_clients: authorized client_id/azp values (repeatable) Also add http_server.workers (default: 1) from the shared HTTP server integration which enables multi-threaded listener support for this plugin. Fixes #2485 Signed-off-by: Eric D. Schabell --- pipeline/inputs/opentelemetry.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/pipeline/inputs/opentelemetry.md b/pipeline/inputs/opentelemetry.md index 23fdc22fe..6ab0efe9f 100644 --- a/pipeline/inputs/opentelemetry.md +++ b/pipeline/inputs/opentelemetry.md 
@@ -18,6 +18,7 @@ Fluent Bit has a compliant implementation which fully supports `OTLP/HTTP` and ` | `encode_profiles_as_log` | Encode profiles received as text and ingest them in the logging pipeline. | `true` | | `host` | The hostname. | `localhost` | | `http2` | Enable HTTP/2 protocol support for the OpenTelemetry receiver. | `true` | +| `http_server.workers` | Number of HTTP listener worker threads. | `1` | | `listen` | The network address to listen on. | `0.0.0.0` | | `log_level` | Specifies the log level for this plugin. If not set here, the plugin uses the global log level specified in the `service` section of your configuration file. | `info` | | `log_suppress_interval` | Suppresses log messages from this plugin that appear similar within a specified time interval. `0` no suppression. | `0` | 
@@ -30,6 +31,12 @@ Fluent Bit has a compliant implementation which fully supports `OTLP/HTTP` and ` | `net.io_timeout` | Set maximum time a connection can stay idle. | `0s` | | `net.keepalive` | Enable or disable keepalive support. | `true` | | `net.share_port` | Allow multiple plugins to bind to the same port. | `false` | +| `oauth2.allowed_audience` | Audience claim to enforce when validating incoming `OAuth 2.0` JSON Web Token (`JWT`) tokens. | _none_ | +| `oauth2.allowed_clients` | Authorized `client_id` or `azp` claim values. Can be specified multiple times. | _none_ | +| `oauth2.issuer` | Expected issuer (`iss`) claim for `OAuth 2.0` `JWT` validation. | _none_ | +| `oauth2.jwks_refresh_interval` | How often in seconds to refresh the cached JSON Web Key Set (`JWKS`) keys from `oauth2.jwks_url`. | `300` | +| `oauth2.jwks_url` | `JWKS` endpoint URL used to fetch public keys for `OAuth 2.0` `JWT` validation. | _none_ | +| `oauth2.validate` | Enable `OAuth 2.0` `JWT` validation for incoming requests. | `false` | | `port` | The port for Fluent Bit to listen for incoming connections. | `4318` | | `profiles_support` | This is an experimental feature, feel free to test it but don't enable this in production environments. | `false` | | `raw_traces` | Forward traces without processing. When set to `false` (default), traces are processed using the unified JSON parser with strict validation. When set to `true`, trace data is forwarded as raw log messages without validation or processing. | `false` |
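Review bot: The new `http_server.workers` row in the first hunk (`@@ -18,6 +18,7 @@`) says only "Number of HTTP listener worker threads." and gives the reader no idea what changes when the value is raised above the default `1`. The commit message describes this option as enabling multi-threaded listener support for this plugin through the shared HTTP server integration, and that sentence is more useful than the one in the table. Suggest carrying it into the description, for example "Number of HTTP listener worker threads. Set a value greater than `1` to enable multi-threaded listener support."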
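Review bot: The six `oauth2.*` rows in the second hunk (`@@ -30,6 +31,12 @@`) do not say which options are required once `oauth2.validate` is `true`, or what the receiver does with a claim check whose option is left at `_none_`. `oauth2.issuer`, `oauth2.jwks_url`, `oauth2.allowed_audience` and `oauth2.allowed_clients` all default to `_none_`, so a reader cannot tell whether an unset `oauth2.allowed_audience` or `oauth2.allowed_clients` means the check is skipped, every token is rejected, or startup fails. For an authentication feature that needs to be stated in the row, or in a short paragraph under the table. It is also worth stating next to `oauth2.validate` that the default `false` leaves the receiver accepting unauthenticated requests, since the same table shows `listen` defaulting to `0.0.0.0`. The patch touches only the table (7 insertions), so a minimal configuration example with `oauth2.validate`, `oauth2.issuer`, `oauth2.jwks_url` and `oauth2.allowed_audience` set together would help. The `oauth2.jwks_url` row could say whether the endpoint must be HTTPS. Minor wording: "JSON Web Token (`JWT`) tokens" in the `oauth2.allowed_audience` row repeats "token"; "JSON Web Tokens (`JWT`)" reads better.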