grafana / mimir

Grafana Mimir provides horizontally scalable, highly available, multi-tenant, long-term storage for Prometheus.
https://grafana.com/oss/mimir/
GNU Affero General Public License v3.0

Add support for secrets in Alertmanager receivers #8259

Open taobojlen opened 3 months ago

taobojlen commented 3 months ago

Is your feature request related to a problem? Please describe.

I want to set up an Alertmanager receiver. This receiver needs a bearer token included in any requests, so I'd like to set a credentials_file as defined in the Prometheus Alertmanager docs.

This is related to the discussion at https://github.com/grafana/mimir/discussions/5359.

Describe the solution you'd like

Basically, exactly what is specified in the Prometheus Alertmanager docs. Something that would allow me to use an existing Helm secret, e.g. with

alertmanager:
  # Mount the existing Kubernetes secret into the Alertmanager pod
  extraVolumes:
    - name: webhook-token
      secret:
        secretName: webhook-token
  extraVolumeMounts:
    - name: webhook-token
      mountPath: /etc/secrets/webhook_token
      subPath: token
      readOnly: true
  # Reference the mounted token file from the receiver
  fallbackConfig: |
    receivers:
      - name: my_webhook
        webhook_configs:
          - url: https://example.com
            http_config:
              authorization:
                credentials_file: /etc/secrets/webhook_token

Describe alternatives you've considered

Alternatively, the ability to read from environment variables could work.

itspooya commented 2 months ago

Hi, just for clarification, I think this feature already exists: https://github.com/grafana/mimir/blob/main/operations/helm/charts/mimir-distributed/values.yaml#L687 and https://github.com/grafana/mimir/blob/main/operations/helm/charts/mimir-distributed/values.yaml#L694

alessandro-verzicco commented 2 months ago

@itspooya mimirtool doesn't allow using them: https://github.com/grafana/mimir/blame/7d5f8506c0c86d74cf70453e40572a3a06768efa/pkg/alertmanager/api.go#L48

itspooya commented 2 months ago

@alessandro-verzicco That is nice to know. I was also looking forward to this Alertmanager config as a secret, but I thought maybe this is the answer I was looking for. Thank you for the clarification. I will pick this up to proceed, as it is not supported now.

zeeZ commented 1 month ago

I was just looking to use secrets files and ended up here. As to why these were disallowed: https://github.com/cortexproject/cortex/pull/4129

Maybe something like the safe template path could be done for secrets, requiring them to be inside a tenant subdir within a common base.
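
The containment check suggested in the last comment, sketched as an added example (not code from Mimir, Cortex or any participant in this thread): a `credentials_file` value is accepted only if, after symlink resolution, it lies inside `<baseDir>/<tenantID>`. The helper name `ResolveTenantSecret`, the error value, the directory layout and the sample base path are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideTenantDir is returned when a path escapes the tenant's directory.
var ErrOutsideTenantDir = errors.New("credentials file is outside the tenant secrets directory")

// ResolveTenantSecret (hypothetical helper, not a Mimir API) checks that a
// credentials_file value points inside <baseDir>/<tenantID> and returns the
// resolved path. baseDir and the per-tenant layout are assumptions.
func ResolveTenantSecret(baseDir, tenantID, credentialsFile string) (string, error) {
	// A tenant ID must be a single path component, or it could name another directory.
	if tenantID == "" || tenantID == "." || tenantID == ".." || strings.ContainsAny(tenantID, `/\`) {
		return "", fmt.Errorf("invalid tenant ID %q", tenantID)
	}
	if !filepath.IsAbs(credentialsFile) {
		return "", fmt.Errorf("credentials file %q must be an absolute path", credentialsFile)
	}
	// Resolve symlinks on both sides so a link inside the tenant directory
	// cannot point at another tenant's secret or at a host file.
	root, err := filepath.EvalSymlinks(filepath.Join(baseDir, tenantID))
	if err != nil {
		return "", err
	}
	resolved, err := filepath.EvalSymlinks(credentialsFile)
	if err != nil {
		return "", err
	}
	// filepath.Rel yields a path starting with ".." when resolved is not under root.
	rel, err := filepath.Rel(root, resolved)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideTenantDir
	}
	return resolved, nil
}

func main() {
	// Constructed sample values; /etc/alertmanager-secrets is an assumed base directory.
	_, err := ResolveTenantSecret("/etc/alertmanager-secrets", "tenant-a",
		"/etc/alertmanager-secrets/tenant-b/token")
	fmt.Println("cross-tenant read:", err)
}
```

A caller would open the returned resolved path rather than the original string; a tenant able to modify its own directory between the check and the open could still swap in a symlink, so the directory should be writable only by the operator.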