Add API Key Authentication Support for Elasticsearch Storage (#7402)

<!--
!! Please DELETE this comment before posting.
We appreciate your contribution to the Jaeger project! 👋🎉
-->

## Which problem is this PR solving?
part of 
- #7225

## Description of the changes
- Adds API key authentication support to Elasticsearch storage backend
alongside existing basic and bearer token authentication.
- It is part of the planned work to add support for API authentication,
as discussed in
#7230 (comment)

### Changes
- Added new authentication method -` APIKeyAuthentication` struct to
support API key-based auth alongside existing basic/bearer token methods

- Dual source support - API keys can be loaded from files OR extracted
from request context

- Hot reloading - File-based API keys automatically reload at
configurable intervals (default 10s, 0 disables)
- New command flags - Added` --es.api-key-file`,
`--es.api-key-allow-from-context`, `--es.api-key-reload-interval`

- Flexible config - Optional `APIKeyAuthentication` struct with file
path, context flag, and reload interval
- New context module - Created `apikey-context.go `with` GetAPIKey()
`and `ContextWithAPIKey()` functions
- Conditional logic - Health check disabled when` AllowFromContext=true`
AND `FilePath=""` for both bearer tokens and API keys

## How was this change tested?
-  make test-ci 
- make lint

## Checklist
- [ ] I have read
https://github.com/jaegertracing/jaeger/blob/master/CONTRIBUTING_GUIDELINES.md
- [ ] I have signed all commits
- [ ] I have added unit tests for the new functionality
- [ ] I have run lint and test steps successfully
  - for `jaeger`: `make lint test`
  - for `jaeger-ui`: `npm run lint` and `npm run test`

---------

Signed-off-by: danish9039 <[email protected]>

Author: danish9039

cmd/query/app/token_propagation_test.go

@@ -85,12 +85,12 @@ func runQueryService(t *testing.T, esURL string) *Server {
 
 	f.InitFromViper(v, flagsSvc.Logger)
 	// set AllowTokenFromContext manually because we don't register the respective CLI flag from query svc
-	bearerAuth := escfg.BearerTokenAuthentication{
+	bearerAuth := escfg.TokenAuthentication{
 		AllowFromContext: true,
 	}
 	// set the authentication in the factory options
 	f.Options.Config.Authentication = escfg.Authentication{
-		BearerTokenAuthentication: configoptional.Some(bearerAuth),
+		BearerTokenAuth: configoptional.Some(bearerAuth),
 	}
 
 	// Initialize the factory with metrics and logger

internal/auth/apikey/apikey-context.go

@@ -0,0 +1,29 @@
+// Copyright (c) 2025 The Jaeger Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package apikey
+
+import "context"
+
+// apiKeyContextKey is the type used as a key for storing API keys in context.
+type apiKeyContextKey struct{}
+
+// GetAPIKey retrieves the API key from the context.
+func GetAPIKey(ctx context.Context) (string, bool) {
+	val := ctx.Value(apiKeyContextKey{})
+	if val == nil {
+		return "", false
+	}
+	if apiKey, ok := val.(string); ok {
+		return apiKey, true
+	}
+	return "", false
+}
+
+// ContextWithAPIKey sets the API key in the context if the key is non-empty.
+func ContextWithAPIKey(ctx context.Context, apiKey string) context.Context {
+	if apiKey == "" {
+		return ctx
+	}
+	return context.WithValue(ctx, apiKeyContextKey{}, apiKey)
+}

internal/auth/apikey/apikey-context_test.go

@@ -0,0 +1,60 @@
+// Copyright (c) 2025 The Jaeger Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package apikey
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetAPIKey(t *testing.T) {
+	// No value in context
+	emptyCtx := context.Background()
+	apiKey, ok := GetAPIKey(emptyCtx)
+	assert.Empty(t, apiKey)
+	assert.False(t, ok)
+
+	// Correct string value in context (via ContextWithAPIKey)
+	expectedApiKey := "test-api-key"
+	ctxWithApiKey := ContextWithAPIKey(context.Background(), expectedApiKey)
+	apiKey, ok = GetAPIKey(ctxWithApiKey)
+	assert.Equal(t, expectedApiKey, apiKey)
+	assert.True(t, ok)
+
+	// Non-string value in context (simulate misuse)
+	ctxWithNonString := context.WithValue(context.Background(), apiKeyContextKey{}, 123)
+	apiKey, ok = GetAPIKey(ctxWithNonString)
+	assert.Empty(t, apiKey)
+	assert.False(t, ok)
+
+	// No API key when empty string passed to ContextWithAPIKey
+	emptyStringCtx := ContextWithAPIKey(context.Background(), "")
+	apiKey, ok = GetAPIKey(emptyStringCtx)
+	assert.Empty(t, apiKey)
+	assert.False(t, ok)
+}
+
+func TestContextWithAPIKey(t *testing.T) {
+	baseCtx := context.Background()
+
+	// Non-empty apiKey: should set value in context
+	apiKey := "my-secret-key"
+	ctxWithKey := ContextWithAPIKey(baseCtx, apiKey)
+	val, ok := GetAPIKey(ctxWithKey)
+	assert.True(t, ok, "apiKey should be present in context")
+	assert.Equal(t, apiKey, val)
+
+	// Empty apiKey: should return original context, no value set
+	emptyCtx := ContextWithAPIKey(baseCtx, "")
+	val, ok = GetAPIKey(emptyCtx)
+	assert.False(t, ok, "apiKey should not be present for empty string")
+	assert.Empty(t, val)
+
+	// Should not mutate original context
+	val, ok = GetAPIKey(baseCtx)
+	assert.False(t, ok, "original context should remain unchanged")
+	assert.Empty(t, val)
+}

internal/auth/apikey/package_test.go

@@ -0,0 +1,14 @@
+// Copyright (c) 2023 The Jaeger Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package apikey
+
+import (
+	"testing"
+
+	"github.com/jaegertracing/jaeger/internal/testutils"
+)
+
+func TestMain(m *testing.M) {
+	testutils.VerifyGoLeaks(m)
+}

internal/storage/elasticsearch/config/auth_helper.go

@@ -13,50 +13,65 @@ import (
 	"go.uber.org/zap"
 
 	"github.com/jaegertracing/jaeger/internal/auth"
+	"github.com/jaegertracing/jaeger/internal/auth/apikey"
 	"github.com/jaegertracing/jaeger/internal/auth/bearertoken"
 )
 
-// initBearerAuth initializes bearer token authentication method
-func initBearerAuth(bearerAuth *BearerTokenAuthentication, logger *zap.Logger) (*auth.Method, error) {
-	return initBearerAuthWithTime(bearerAuth, logger, time.Now)
-}
-
-// initBearerAuthWithTime initializes bearer token authentication method with injectable time for testing
-func initBearerAuthWithTime(bearerAuth *BearerTokenAuthentication, logger *zap.Logger, timeFn func() time.Time) (*auth.Method, error) {
-	if bearerAuth == nil || (bearerAuth.FilePath == "" && !bearerAuth.AllowFromContext) {
+// initTokenAuthWithTime initializes token authentication injectable time for testing
+func initTokenAuthWithTime(tokenAuth *TokenAuthentication, scheme string, logger *zap.Logger, timeFn func() time.Time) (*auth.Method, error) {
+	if tokenAuth == nil || (tokenAuth.FilePath == "" && !tokenAuth.AllowFromContext) {
 		return nil, nil
 	}
 
-	if bearerAuth.FilePath != "" && bearerAuth.AllowFromContext {
-		logger.Warn("Both Bearer Token file and context propagation are enabled - context token will take precedence over file-based token")
+	if tokenAuth.FilePath != "" && tokenAuth.AllowFromContext {
+		logger.Warn("Both token file and context propagation are enabled - context token will take precedence over file-based token",
+			zap.String("auth_scheme", scheme))
 	}
 
 	var tokenFn func() string
 	var fromCtx func(context.Context) (string, bool)
 
-	// file-based token setup
-	if bearerAuth.FilePath != "" {
-		reloadInterval := bearerAuth.ReloadInterval
-		tf, err := auth.TokenProviderWithTime(bearerAuth.FilePath, reloadInterval, logger, timeFn)
+	// File-based token setup
+	if tokenAuth.FilePath != "" {
+		tf, err := auth.TokenProviderWithTime(tokenAuth.FilePath, tokenAuth.ReloadInterval, logger, timeFn)
 		if err != nil {
 			return nil, err
 		}
 		tokenFn = tf
 	}
 
-	// context-based token setup
-	if bearerAuth.AllowFromContext {
-		fromCtx = bearertoken.GetBearerToken
+	// Context-based token setup
+	if tokenAuth.AllowFromContext {
+		if scheme == "Bearer" {
+			fromCtx = bearertoken.GetBearerToken
+		} else if scheme == "APIKey" {
+			fromCtx = apikey.GetAPIKey
+		}
 	}
 
-	// Return pointer to the auth method
 	return &auth.Method{
-		Scheme:  "Bearer",
+		Scheme:  scheme,
 		TokenFn: tokenFn,
 		FromCtx: fromCtx,
 	}, nil
 }
 
+// Simplified init functions - directly call shared implementation
+func initBearerAuth(tokenAuth *TokenAuthentication, logger *zap.Logger) (*auth.Method, error) {
+	if tokenAuth == nil {
+		return nil, nil
+	}
+	return initTokenAuthWithTime(tokenAuth, "Bearer", logger, time.Now)
+}
+
+func initAPIKeyAuth(tokenAuth *TokenAuthentication, logger *zap.Logger) (*auth.Method, error) {
+	if tokenAuth == nil {
+		return nil, nil
+	}
+	return initTokenAuthWithTime(tokenAuth, "APIKey", logger, time.Now)
+}
+
+// Keep initBasicAuth unchanged
 func initBasicAuth(basicAuth *BasicAuthentication, logger *zap.Logger) (*auth.Method, error) {
 	return initBasicAuthWithTime(basicAuth, logger, time.Now)
 }
@@ -74,8 +89,8 @@ func initBasicAuthWithTime(basicAuth *BasicAuthentication, logger *zap.Logger, t
 	if username == "" {
 		return nil, nil
 	}
-	var tokenFn func() string
 
+	var tokenFn func() string
 	// Handle password from file or static password
 	if basicAuth.PasswordFilePath != "" {
 		// Use TokenProvider for password loading
@@ -98,7 +113,6 @@ func initBasicAuthWithTime(basicAuth *BasicAuthentication, logger *zap.Logger, t
 		password := basicAuth.Password
 		credentials := username + ":" + password
 		encodedCredentials := base64.StdEncoding.EncodeToString([]byte(credentials))
-
 		tokenFn = func() string { return encodedCredentials }
 	}