Add support for Bearer Token authentication to Provider alertmanager

[d4rkfella]

I'm not a programmer, but after examining the other providers, i think this should be correct. Please let me know :)

Closes: #1020

[matheuscscp]

Thanks for this contribution, @d4rkfella! Left a few comments.

We also need to update the docs to mention this feature. Please update this file:

notification-controller/docs/spec/v1beta3/providers.md

Lines 922 to 947 in fa7d9f2

	To configure a Provider for Prometheus Alertmanager, create a Secret with [the
	`address`](#address-example) set to the Prometheus Alertmanager [HTTP API
	URL](https://prometheus.io/docs/alerting/latest/https/#http-traffic)
	including Basic Auth credentials, and a `alertmanager` Provider with a [Secret
	reference](#secret-reference).
	```yaml
	---
	apiVersion: notification.toolkit.fluxcd.io/v1beta3
	kind: Provider
	metadata:
	name: alertmanager
	namespace: default
	spec:
	type: alertmanager
	secretRef:
	name: alertmanager-address
	---
	apiVersion: v1
	kind: Secret
	metadata:
	name: alertmanager-address
	namespace: default
	stringData:
	address: https://username:password@<alertmanager-url>/api/v2/alerts/"
	```

Please mention that the authentication for this provider can now be done through two options: basic auth (the one already documented), and bearer token. You can duplicate the example of basic auth and adapt it for the token. In this case, instead of setting the address field in the secret, this field would be set directly in the Provider object, .spec.address, and the secret would contain the token field instead.

[d4rkfella]

Ok i made the changes you suggested, took me a while to figure out how to fix the Signed off by message hah .

[matheuscscp]

Thanks for working through my comments 🙏

There's a final batch, after those I think we won't need any more changes 😁

Before we merge this, I'll ask you to please kindly test this change in your environment and post here evidence that it works, e.g. logs, screenshots, etc.

Here are the steps to test this:

1. If you haven't done this already, please generate a GitHub Personal Access Token (Classic) with the write:packages permission in order to push images to the GitHub Container Registry (GHCR). Login locally in Docker using this token: docker login -u d4rkfella ghcr.io --password-stdin and paste the token in the prompt.
2. Edit the project Makefile in the root directory changing the image like this:

IMG ?= fluxcd/notification-controller:latest

Becomes:

IMG ?= ghcr.io/d4rkfella/fluxcd/notification-controller:am-bearer

3. Build an image using the following command: make docker-build docker-push
4. After this you should see a package in your GitHub profile. Click on it and make it public, so your cluster can download the image without a secret.
5. Update notification-controller in your test environment to use the image: ghcr.io/d4rkfella/fluxcd/notification-controller:am-bearer
6. Configure the feature and test.

Thanks in advance!

[d4rkfella]

Ok, i build the image locally and tested it by intentionally making a mistake in my kustomization resources and the event was successfully dispatched to alertmanager. I'm not sure why it includes Namespace/kubevirt configured, i have only set it up to send alerts with eventSeverity: error

{"level":"info","ts":"2025-01-26T17:40:20.874Z","logger":"event-server","msg":"dispatching event","eventInvolvedObject":{"kind":"Kustomization","namespace":"flux-system","name":"cluster-apps","uid":"a38a6e6b-ce01-4c64-9593-60e6f99e62ed","apiVersion":"kustomize.toolkit.fluxcd.io/v1","resourceVersion":"2768828"},"message":"Kustomization/vault/vault dry-run failed: failed to create typed patch object (vault/vault; kustomize.toolkit.fluxcd.io/v1, Kind=Kustomization): .spec.targetNamespacee: field not declared in schema\nNamespace/kubevirt configured\n"}

Request is authenticated to oauth2-proxy successfully and send to the upstream alertmanager service.

172.16.0.40 - 2b9be63a-45cf-4bf5-8b2d-dfc9ec9a4caf - [email protected] [2025/01/26 17:40:20] alertmanager-operated.observability.svc.cluster.local:8082 POST / "/api/v2/alerts/" HTTP/1.1 "Go-http-client/1.1" 200 0 0.001

[d4rkfella]

Does the fuzz_test need additional changes to test with token and with an empty string like how its setup for other providers that use token based authentication ?

func Fuzz_AlertManager(f *testing.F) {
	f.Add("token", "update", "", "", []byte{}, []byte("{}"))
	f.Add("", "something", "", "else", []byte{}, []byte(""))

	f.Fuzz(func(t *testing.T,
		token, commitStatus, urlSuffix, summary string, seed, response []byte) {

		ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			w.Write(response)
			io.Copy(io.Discard, r.Body)
			r.Body.Close()
		}))
		defer ts.Close()

		var cert x509.CertPool
		_ = fuzz.NewConsumer(seed).GenerateStruct(&cert)

		alertmanager, err := NewAlertmanager(fmt.Sprintf("%s/%s", ts.URL, urlSuffix), "", token, &cert)
		if err != nil {
			return
		}

Sorry if asking stupid questions, trying to get a grasp of things :P

[matheuscscp]

Sorry to bug you with this @d4rkfella, the fuzz tests are flaky at the moment, don't worry about that.

The CI has passed 😀

Now the last thing before I merge this PR, I'll need you to please squash all the commits into one, with the message:

Add support for Bearer Token authentication to Provider alertmanager

(This will require a force push.)

[d4rkfella]

Oh man, i screwed that up

[matheuscscp]

No need to panic, I'm writing specific instructions for you to recover your work.

[d4rkfella]

I'm sorry for wasting more of your time.

[matheuscscp]

You work is in the commit c3a8185465e3ebb5e0f346d1a0561e786c3cdc94.

1. Reset your branch to the the Flux upstream latest commit: git reset --hard fa7d9f2. This will simply reset your local main branch to the exact same state of the main branch of github.com/fluxcd/notification-controller. If this command fails then it's because you probably need to add the Flux upstream remote to your local clone: git remote add upstream [email protected]:fluxcd/notification-controller.git && git fetch upstream. Then run the reset command again.
2. Cherry-pick pick the commit with your work: git cherry-pick c3a8185465e3ebb5e0f346d1a0561e786c3cdc94.
3. At this point, if you run git log you should see your commit on top of the latest commit of Flux upstream. If that's the case, now you can force push: git push --force

[d4rkfella]

Thanks for your patience. That should be it :)