Add support for Bearer Token authentication to Provider alertmanager

Signed-off-by: Georgi Panov <[email protected]>
Signed-off-by: Darkfella91 <[email protected]>

Update alertmanager_test.go

Signed-off-by: Georgi Panov <[email protected]>
Signed-off-by: Darkfella91 <[email protected]>

Update alertmanager_fuzz_test.go

Signed-off-by: Georgi Panov <[email protected]>
Signed-off-by: Darkfella91 <[email protected]>

Update factory.go

Signed-off-by: Georgi Panov <[email protected]>
Signed-off-by: Darkfella91 <[email protected]>

Update factory.go

Signed-off-by: Darkfella91 <[email protected]>

Fix a mistake with the last commit to update the docs

Signed-off-by: Darkfella91 <[email protected]>

Fix another formatting issue

Signed-off-by: Darkfella91 <[email protected]>

Screwed up my previous commit so implementing the suggested changes again and fixed formatting for the structs

Signed-off-by: Darkfella91 <[email protected]>

Tried to use better wording, to outline that authentication is optional

Signed-off-by: Darkfella91 <[email protected]>

Another small change to the explanation for bearer token authentication

Signed-off-by: Darkfella91 <[email protected]>

Fix incorrect article usage and the configured address example as suggested

Signed-off-by: Darkfella91 <[email protected]>

docs/spec/v1beta3/providers.md

@@ -919,10 +919,13 @@ and [TLS certificates](#tls-certificates).
 
 ###### Prometheus Alertmanager example
 
-To configure a Provider for Prometheus Alertmanager, create a Secret with [the
-`address`](#address-example) set to the Prometheus Alertmanager [HTTP API
+To configure a Provider for Prometheus Alertmanager, authentication can be done using either Basic Authentication or a Bearer Token. 
+Both methods are supported, but using authentication is optional based on your setup.
+
+Basic Authentication: 
+Create a Secret with [the `address`](#address-example) set to the Prometheus Alertmanager [HTTP API
 URL](https://prometheus.io/docs/alerting/latest/https/#http-traffic)
-including Basic Auth credentials, and a `alertmanager` Provider with a [Secret
+including Basic Auth credentials, and an `alertmanager` Provider with a [Secret
 reference](#secret-reference).
 
 ```yaml
@@ -943,7 +946,33 @@ metadata:
   name: alertmanager-address
   namespace: default
 stringData:
-    address: https://username:password@<alertmanager-url>/api/v2/alerts/"
+    address: https://<username>:<password>@<alertmanager-hostport>/api/v2/alerts/
+```
+Bearer Token Authentication:
+Create a Secret with [the `token`](#token-example), and an `alertmanager` Provider with a [Secret
+reference](#secret-reference) and the Prometheus Alertmanager [HTTP API
+URL](https://prometheus.io/docs/alerting/latest/https/#http-traffic) set directly in the `.spec.address` field.
+
+```yaml
+---
+apiVersion: notification.toolkit.fluxcd.io/v1beta3
+kind: Provider
+metadata:
+  name: alertmanager
+  namespace: default
+spec:
+  type: alertmanager
+  address: https://<alertmanager-hostport>/api/v2/alerts/
+  secretRef:
+    name: alertmanager-token
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: alertmanager-token
+  namespace: default
+stringData:
+    token: <token>
 ```
 
 ##### Webex

internal/notifier/alertmanager.go

@@ -24,6 +24,7 @@ import (
 	"net/url"
 	"time"
 
+	"github.com/hashicorp/go-retryablehttp"
 	"golang.org/x/text/cases"
 	"golang.org/x/text/language"
 
@@ -34,6 +35,7 @@ type Alertmanager struct {
 	URL      string
 	ProxyURL string
 	CertPool *x509.CertPool
+	Token    string
 }
 
 type AlertManagerAlert struct {
@@ -72,7 +74,7 @@ func (a *AlertManagerTime) UnmarshalJSON(jsonRepr []byte) error {
 	return nil
 }
 
-func NewAlertmanager(hookURL string, proxyURL string, certPool *x509.CertPool) (*Alertmanager, error) {
+func NewAlertmanager(hookURL string, proxyURL string, certPool *x509.CertPool, token string) (*Alertmanager, error) {
 	_, err := url.ParseRequestURI(hookURL)
 	if err != nil {
 		return nil, fmt.Errorf("invalid Alertmanager URL %s: '%w'", hookURL, err)
@@ -82,6 +84,7 @@ func NewAlertmanager(hookURL string, proxyURL string, certPool *x509.CertPool) (
 		URL:      hookURL,
 		ProxyURL: proxyURL,
 		CertPool: certPool,
+		Token:    token,
 	}, nil
 }
 
@@ -134,8 +137,13 @@ func (s *Alertmanager) Post(ctx context.Context, event eventv1.Event) error {
 		},
 	}
 
-	err := postMessage(ctx, s.URL, s.ProxyURL, s.CertPool, payload)
-
+	var opts []requestOptFunc
+	if s.Token != "" {
+		opts = append(opts, func(request *retryablehttp.Request) {
+			request.Header.Add("Authorization", "Bearer "+s.Token)
+		})
+	}
+	err := postMessage(ctx, s.URL, s.ProxyURL, s.CertPool, payload, opts...)
 	if err != nil {
 		return fmt.Errorf("postMessage failed: %w", err)
 	}

internal/notifier/alertmanager_fuzz_test.go

@@ -46,7 +46,7 @@ func Fuzz_AlertManager(f *testing.F) {
 		var cert x509.CertPool
 		_ = fuzz.NewConsumer(seed).GenerateStruct(&cert)
 
-		alertmanager, err := NewAlertmanager(fmt.Sprintf("%s/%s", ts.URL, urlSuffix), "", &cert)
+		alertmanager, err := NewAlertmanager(fmt.Sprintf("%s/%s", ts.URL, urlSuffix), "", &cert, "")
 		if err != nil {
 			return
 		}

internal/notifier/alertmanager_test.go

@@ -38,7 +38,7 @@ func TestAlertmanager_Post(t *testing.T) {
 	}))
 	defer ts.Close()
 
-	alertmanager, err := NewAlertmanager(ts.URL, "", nil)
+	alertmanager, err := NewAlertmanager(ts.URL, "", nil, "")
 	require.NoError(t, err)
 
 	err = alertmanager.Post(context.TODO(), testEvent())

internal/notifier/factory.go

@@ -185,7 +185,7 @@ func opsgenieNotifierFunc(opts notifierOptions) (Interface, error) {
 }
 
 func alertmanagerNotifierFunc(opts notifierOptions) (Interface, error) {
-	return NewAlertmanager(opts.URL, opts.ProxyURL, opts.CertPool)
+	return NewAlertmanager(opts.URL, opts.ProxyURL, opts.CertPool, opts.Token)
 }
 
 func grafanaNotifierFunc(opts notifierOptions) (Interface, error) {