Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ruler: Add support for alertmanager header authorization #6136

Merged
merged 6 commits into from
May 17, 2022
Merged

ruler: Add support for alertmanager header authorization #6136

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
acec3f2
ruler: Add support for alertmanager header authorization
periklis May 10, 2022
d4d8ac0
Add changelog entry
periklis May 10, 2022
2ddd09d
Add alertmanager_client docs
periklis May 10, 2022
3bec268
Fix cli flag prefix
periklis May 11, 2022
b689949
Expose header authorization type as CLI param, defaults to Bearer
periklis May 16, 2022
0ec9ce5
Fix test
periklis May 16, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
## Main

* [6136](https://github.com/grafana/loki/pull/6136) **periklis**: Add support for alertmanager header authorization
* [6102](https://github.com/grafana/loki/pull/6102) **timchenko-a**: Add multi-tenancy support to lambda-promtail
* [5971](https://github.com/grafana/loki/pull/5971) **kavirajk**: Record statistics about metadata queries such as labels and series queries in `metrics.go` as well
* [5790](https://github.com/grafana/loki/pull/5790) **chaudum**: Add UDP support for Promtail's syslog target.
Expand Down
20 changes: 20 additions & 0 deletions docs/sources/configuration/_index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -636,6 +636,26 @@ wal_cleaner:
# CLI flag: -ruler.alertmanager-url
[alertmanager_url: <string> | default = ""]


alertmanager_client:
# Sets the `Authorization` header on every remote write request with the
# configured username and password.
# password and password_file are mutually exclusive.
basic_auth:
[username: <string>]
[password: <secret>]

# Optional `Authorization` header configuration.
authorization:
# Sets the authentication type.
[type: <string> | default: Bearer]
# Sets the credentials. It is mutually exclusive with
# `credentials_file`.
[credentials: <secret>]
# Sets the credentials to the credentials read from the configured file.
# It is mutually exclusive with `credentials`.
[credentials_file: <filename>]

# Use DNS SRV records to discover Alertmanager hosts.
# CLI flag: -ruler.alertmanager-discovery
[enable_alertmanager_discovery: <boolean> | default = false]
Expand Down
21 changes: 19 additions & 2 deletions pkg/ruler/base/notifier.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,13 +23,15 @@ import (
)

type NotifierConfig struct {
TLS tls.ClientConfig `yaml:",inline"`
BasicAuth util.BasicAuth `yaml:",inline"`
TLS tls.ClientConfig `yaml:",inline"`
BasicAuth util.BasicAuth `yaml:",inline"`
HeaderAuth util.HeaderAuth `yaml:",inline"`
}

func (cfg *NotifierConfig) RegisterFlags(f *flag.FlagSet) {
cfg.TLS.RegisterFlagsWithPrefix("ruler.alertmanager-client", f)
cfg.BasicAuth.RegisterFlagsWithPrefix("ruler.alertmanager-client.", f)
cfg.HeaderAuth.RegisterFlagsWithPrefix("ruler.alertmanager-client.", f)
}

// rulerNotifier bundles a notifier.Manager together with an associated
Expand Down Expand Up @@ -197,5 +199,20 @@ func amConfigFromURL(rulerConfig *Config, url *url.URL, apiVersion config.Alertm
}
}

if rulerConfig.Notifier.HeaderAuth.IsEnabled() {
if rulerConfig.Notifier.HeaderAuth.Credentials != "" {
amConfig.HTTPClientConfig.Authorization = &config_util.Authorization{
Type: rulerConfig.Notifier.HeaderAuth.Type,
Credentials: config_util.Secret(rulerConfig.Notifier.HeaderAuth.Credentials),
}
} else if rulerConfig.Notifier.HeaderAuth.CredentialsFile != "" {
amConfig.HTTPClientConfig.Authorization = &config_util.Authorization{
Type: rulerConfig.Notifier.HeaderAuth.Type,
CredentialsFile: rulerConfig.Notifier.HeaderAuth.CredentialsFile,
}

}
}

return amConfig
}
72 changes: 72 additions & 0 deletions pkg/ruler/base/notifier_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -221,6 +221,78 @@ func TestBuildNotifierConfig(t *testing.T) {
},
},
},
{
name: "with Header Authorization",
cfg: &Config{
AlertmanagerURL: "http://alertmanager-0.default.svc.cluster.local/alertmanager",
Notifier: NotifierConfig{
HeaderAuth: util.HeaderAuth{
Type: "Bearer",
Credentials: "jacob",
},
},
},
ncfg: &config.Config{
AlertingConfig: config.AlertingConfig{
AlertmanagerConfigs: []*config.AlertmanagerConfig{
{
HTTPClientConfig: config_util.HTTPClientConfig{
Authorization: &config_util.Authorization{
Type: "Bearer",
Credentials: config_util.Secret("jacob"),
},
},
APIVersion: "v1",
Scheme: "http",
PathPrefix: "/alertmanager",
ServiceDiscoveryConfigs: discovery.Configs{
discovery.StaticConfig{
{
Targets: []model.LabelSet{{"__address__": "alertmanager-0.default.svc.cluster.local"}},
},
},
},
},
},
},
},
},
{
name: "with Header Authorization and credentials file",
cfg: &Config{
AlertmanagerURL: "http://alertmanager-0.default.svc.cluster.local/alertmanager",
Notifier: NotifierConfig{
HeaderAuth: util.HeaderAuth{
Type: "Bearer",
CredentialsFile: "/path/to/secret/file",
},
},
},
ncfg: &config.Config{
AlertingConfig: config.AlertingConfig{
AlertmanagerConfigs: []*config.AlertmanagerConfig{
{
HTTPClientConfig: config_util.HTTPClientConfig{
Authorization: &config_util.Authorization{
Type: "Bearer",
CredentialsFile: "/path/to/secret/file",
},
},
APIVersion: "v1",
Scheme: "http",
PathPrefix: "/alertmanager",
ServiceDiscoveryConfigs: discovery.Configs{
discovery.StaticConfig{
{
Targets: []model.LabelSet{{"__address__": "alertmanager-0.default.svc.cluster.local"}},
},
},
},
},
},
},
},
},
{
name: "with external labels",
cfg: &Config{
Expand Down
18 changes: 18 additions & 0 deletions pkg/util/http.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,24 @@ func (b BasicAuth) IsEnabled() bool {
return b.Username != "" || b.Password != ""
}

// HeaderAuth condigures header based authorization for HTTP clients.
type HeaderAuth struct {
Type string `yaml:"type,omitempty"`
Credentials string `yaml:"credentials,omitempty"`
CredentialsFile string `yaml:"credentials_file,omitempty"`
}

func (h *HeaderAuth) RegisterFlagsWithPrefix(prefix string, f *flag.FlagSet) {
f.StringVar(&h.Type, prefix+"type", "Bearer", "HTTP Header authorization type (default: Bearer).")
f.StringVar(&h.Credentials, prefix+"credentials", "", "HTTP Header authorization credentials.")
f.StringVar(&h.CredentialsFile, prefix+"credentials-file", "", "HTTP Header authorization credentials file.")
}

// IsEnabled returns false if header authorization isn't enabled.
func (h HeaderAuth) IsEnabled() bool {
return h.Credentials != "" || h.CredentialsFile != ""
}

// WriteJSONResponse writes some JSON as a HTTP response.
func WriteJSONResponse(w http.ResponseWriter, v interface{}) {
w.Header().Set("Content-Type", "application/json")
Expand Down