mirror of
https://github.com/prometheus/prometheus.git
synced 2024-11-09 23:24:05 -08:00
feat: add AWS sigv4 support to alertmanager endpoints
Addresses: #12536 This commit adds support for configuring sigv4 to an `alertmanager_config`. Based heavily on the sigv4 work in the remote write client. Signed-off-by: TJ Hoplock <t.hoplock@gmail.com>
This commit is contained in:
parent
db816ce9db
commit
51d1d2cd96
|
@ -819,6 +819,7 @@ type AlertmanagerConfig struct {
|
|||
|
||||
ServiceDiscoveryConfigs discovery.Configs `yaml:"-"`
|
||||
HTTPClientConfig config.HTTPClientConfig `yaml:",inline"`
|
||||
SigV4Config *sigv4.SigV4Config `yaml:"sigv4,omitempty"`
|
||||
|
||||
// The URL scheme to use when talking to Alertmanagers.
|
||||
Scheme string `yaml:"scheme,omitempty"`
|
||||
|
@ -854,6 +855,13 @@ func (c *AlertmanagerConfig) UnmarshalYAML(unmarshal func(interface{}) error) er
|
|||
return err
|
||||
}
|
||||
|
||||
httpClientConfigAuthEnabled := c.HTTPClientConfig.BasicAuth != nil ||
|
||||
c.HTTPClientConfig.Authorization != nil || c.HTTPClientConfig.OAuth2 != nil
|
||||
|
||||
if httpClientConfigAuthEnabled && c.SigV4Config != nil {
|
||||
return fmt.Errorf("at most one of basic_auth, authorization, oauth2, & sigv4 must be configured")
|
||||
}
|
||||
|
||||
// Check for users putting URLs in target groups.
|
||||
if len(c.RelabelConfigs) == 0 {
|
||||
if err := checkStaticTargets(c.ServiceDiscoveryConfigs); err != nil {
|
||||
|
|
|
@ -3287,6 +3287,25 @@ authorization:
|
|||
# It is mutually exclusive with `credentials`.
|
||||
[ credentials_file: <filename> ]
|
||||
|
||||
# Optionally configures AWS's Signature Verification 4 signing process to
|
||||
# sign requests. Cannot be set at the same time as basic_auth, authorization, or oauth2.
|
||||
# To use the default credentials from the AWS SDK, use `sigv4: {}`.
|
||||
sigv4:
|
||||
# The AWS region. If blank, the region from the default credentials chain
|
||||
# is used.
|
||||
[ region: <string> ]
|
||||
|
||||
# The AWS API keys. If blank, the environment variables `AWS_ACCESS_KEY_ID`
|
||||
# and `AWS_SECRET_ACCESS_KEY` are used.
|
||||
[ access_key: <string> ]
|
||||
[ secret_key: <secret> ]
|
||||
|
||||
# Named AWS profile used to authenticate.
|
||||
[ profile: <string> ]
|
||||
|
||||
# AWS Role ARN, an alternative to using AWS API keys.
|
||||
[ role_arn: <string> ]
|
||||
|
||||
# Optional OAuth 2.0 configuration.
|
||||
# Cannot be used at the same time as basic_auth or authorization.
|
||||
oauth2:
|
||||
|
|
|
@ -31,6 +31,7 @@ import (
|
|||
"github.com/prometheus/alertmanager/api/v2/models"
|
||||
"github.com/prometheus/client_golang/prometheus"
|
||||
config_util "github.com/prometheus/common/config"
|
||||
"github.com/prometheus/common/sigv4"
|
||||
"github.com/prometheus/common/model"
|
||||
"github.com/prometheus/common/version"
|
||||
"go.uber.org/atomic"
|
||||
|
@ -640,6 +641,17 @@ func newAlertmanagerSet(cfg *config.AlertmanagerConfig, logger log.Logger, metri
|
|||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
t := client.Transport
|
||||
|
||||
if cfg.SigV4Config != nil {
|
||||
t, err = sigv4.NewSigV4RoundTripper(cfg.SigV4Config, client.Transport)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
|
||||
client.Transport = t
|
||||
|
||||
s := &alertmanagerSet{
|
||||
client: client,
|
||||
cfg: cfg,
|
||||
|
|
Loading…
Reference in a new issue