From 20bdf08d09a2aad6b7f6384ce0865da8ae74e7f3 Mon Sep 17 00:00:00 2001
From: Alex Weaver
Date: Fri, 15 Nov 2024 12:22:57 -0600
Subject: [PATCH 01/13] Support for proxies

---
 pkg/ruler/notifier.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/pkg/ruler/notifier.go b/pkg/ruler/notifier.go
index f8447aef9e7..3529ae22bd4 100644
--- a/pkg/ruler/notifier.go
+++ b/pkg/ruler/notifier.go
@@ -33,12 +33,14 @@ type NotifierConfig struct {
 TLSEnabled bool `yaml:"tls_enabled" category:"advanced"`
 TLS tls.ClientConfig `yaml:",inline"`
 BasicAuth util.BasicAuth `yaml:",inline"`
+ ProxyURL string `yaml:"proxy_url" category:"advanced"`
 }

 func (cfg *NotifierConfig) RegisterFlags(f *flag.FlagSet) {
 f.BoolVar(&cfg.TLSEnabled, "ruler.alertmanager-client.tls-enabled", true, "Enable TLS for gRPC client connecting to alertmanager.")
 cfg.TLS.RegisterFlagsWithPrefix("ruler.alertmanager-client", f)
 cfg.BasicAuth.RegisterFlagsWithPrefix("ruler.alertmanager-client.", f)
+ f.StringVar(&cfg.ProxyURL, "ruler.alertmanager-client.proxy-url", "", "Optional HTTP, HTTPS via CONNECT, or SOCKS5 proxy URL to route requests through.")
 }

 // rulerNotifier bundles a notifier.Manager together with an associated
@@ -215,5 +217,14 @@ func amConfigWithSD(rulerConfig *Config, url *url.URL, sdConfig discovery.Config
 }
 }

+ // Whether to use an optional HTTP, HTTP+CONNECT, or SOCKS5 proxy.
+ if rulerConfig.Notifier.ProxyURL != "" {
+ url, err := url.Parse(rulerConfig.Notifier.ProxyURL)
+ if err != nil {
+ return nil, err
+ }
+ amConfig.HTTPClientConfig.ProxyURL = config_util.URL{URL: url}
+ }
+
 return amConfig, nil
 }

From 3d10aad2af2af33b0853ea9d1dfbfe46feab47d9 Mon Sep 17 00:00:00 2001
From: Alex Weaver
Date: Fri, 15 Nov 2024 16:26:02 -0600
Subject: [PATCH 02/13] Flesh out oauth config

---
 pkg/ruler/notifier.go | 59 +++++++++++++++++++++++++++++++++++--------
 1 file changed, 49 insertions(+), 10 deletions(-)
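Review bot: In the proxy block added to amConfigWithSD, `url.Parse(rulerConfig.Notifier.ProxyURL)` is called while the function's own parameter is named `url` (type `*url.URL`, visible in the hunk header), so it resolves to the `(*URL).Parse` method and treats the setting as a reference relative to the Alertmanager URL rather than as a standalone URL. An absolute proxy URL comes through unchanged, but a value without a scheme would presumably inherit the Alertmanager scheme, host and any userinfo instead of being rejected, and the inner `url, err :=` shadows the parameter for the rest of the block. Consider checking the parsed result before assigning it, for example `if proxyURL.Scheme == "" || proxyURL.Host == "" { return nil, errors.New("proxy URL must be absolute") }`, and restricting the scheme to the ones the flag help lists; keep the raw value out of the error text, since proxy URLs can carry credentials. The same call appears twice in the amConfigWithSD hunk of the next commit, and the function body starts outside this hunk.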
diff --git a/pkg/ruler/notifier.go b/pkg/ruler/notifier.go
index 3529ae22bd4..9e892212c17 100644
--- a/pkg/ruler/notifier.go
+++ b/pkg/ruler/notifier.go
@@ -18,6 +18,7 @@ import (
 "github.com/grafana/dskit/cache"
 "github.com/grafana/dskit/cancellation"
 "github.com/grafana/dskit/crypto/tls"
+ "github.com/grafana/dskit/flagext"
 config_util "github.com/prometheus/common/config"
 "github.com/prometheus/common/model"
 "github.com/prometheus/prometheus/config"
@@ -33,6 +34,7 @@ type NotifierConfig struct {
 TLSEnabled bool `yaml:"tls_enabled" category:"advanced"`
 TLS tls.ClientConfig `yaml:",inline"`
 BasicAuth util.BasicAuth `yaml:",inline"`
+ OAuth2 OAuth2Config `yaml:"oauth2"`
 ProxyURL string `yaml:"proxy_url" category:"advanced"`
 }

@@ -40,7 +42,26 @@ func (cfg *NotifierConfig) RegisterFlags(f *flag.FlagSet) {
 f.BoolVar(&cfg.TLSEnabled, "ruler.alertmanager-client.tls-enabled", true, "Enable TLS for gRPC client connecting to alertmanager.")
 cfg.TLS.RegisterFlagsWithPrefix("ruler.alertmanager-client", f)
 cfg.BasicAuth.RegisterFlagsWithPrefix("ruler.alertmanager-client.", f)
- f.StringVar(&cfg.ProxyURL, "ruler.alertmanager-client.proxy-url", "", "Optional HTTP, HTTPS via CONNECT, or SOCKS5 proxy URL to route requests through.")
+ cfg.OAuth2.RegisterFlagsWithPrefix("ruler.alertmanager-client.oauth.", f)
+ f.StringVar(&cfg.ProxyURL, "ruler.alertmanager-client.proxy-url", "", "Optional HTTP, HTTPS via CONNECT, or SOCKS5 proxy URL to route requests through. Applies to all requests, including infra like oauth token requests.")
+}
+
+type OAuth2Config struct {
+ ClientID string `yaml:"client_id"`
+ ClientSecret flagext.Secret `yaml:"client_secret"`
+ TokenURL string `yaml:"token_url"`
+ Scopes flagext.StringSlice `yaml:"scopes,omitempty"`
+}
+
+func (cfg *OAuth2Config) RegisterFlagsWithPrefix(prefix string, f *flag.FlagSet) {
+ f.StringVar(&cfg.ClientID, prefix+"client_id", "", "OAuth2 client ID. Enables the use of OAuth2 for authenticating with Alertmanager.")
+ f.Var(&cfg.ClientSecret, prefix+"client_secret", "OAuth2 client secret.")
+ f.StringVar(&cfg.TokenURL, prefix+"token_url", "", "Endpoint used to fetch access token from.")
+ f.Var(&cfg.Scopes, prefix+"scopes", "Optional scopes to include with the token request.")
+}
+
+func (cfg *OAuth2Config) IsEnabled() bool {
+ return cfg.ClientID != "" || cfg.TokenURL != ""
 }

 // rulerNotifier bundles a notifier.Manager together with an associated
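Review bot: `IsEnabled` turns OAuth2 on when either `ClientID` or `TokenURL` is set, but nothing in this hunk checks that the client ID, the secret and the token URL are all present, so a partial configuration is presumably only discovered when the first token request fails. A validation step that returns an error unless all three are set would surface that at startup, and it could also warn about or reject a `token_url` that is not `https`, since the client secret is sent to that endpoint. None of the OAuth2 test cases later in the series sets only one of the fields, so this behaviour is not pinned either. Separately, the new flags use underscores (`oauth.client_id`) where the neighbouring ones use hyphens (`proxy-url`, `tls-enabled`), and the exported `OAuth2Config`, `RegisterFlagsWithPrefix` and `IsEnabled` have no doc comments.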
@@ -178,6 +199,33 @@ func amConfigWithSD(rulerConfig *Config, url *url.URL, sdConfig discovery.Config
 }
 }

+ // Whether to use an optional HTTP, HTTP+CONNECT, or SOCKS5 proxy.
+ if rulerConfig.Notifier.ProxyURL != "" {
+ url, err := url.Parse(rulerConfig.Notifier.ProxyURL)
+ if err != nil {
+ return nil, err
+ }
+ amConfig.HTTPClientConfig.ProxyURL = config_util.URL{URL: url}
+ }
+
+ // Whether to use OAuth2 or not.
+ if rulerConfig.Notifier.OAuth2.IsEnabled() {
+ amConfig.HTTPClientConfig.OAuth2 = &config_util.OAuth2{
+ ClientID: rulerConfig.Notifier.OAuth2.ClientID,
+ ClientSecret: config_util.Secret(rulerConfig.Notifier.OAuth2.ClientSecret.String()),
+ TokenURL: rulerConfig.Notifier.OAuth2.TokenURL,
+ Scopes: rulerConfig.Notifier.OAuth2.Scopes,
+ }
+
+ if rulerConfig.Notifier.ProxyURL != "" {
+ url, err := url.Parse(rulerConfig.Notifier.ProxyURL)
+ if err != nil {
+ return nil, err
+ }
+ amConfig.HTTPClientConfig.OAuth2.ProxyURL = config_util.URL{URL: url}
+ }
+ }
+
 // Whether to use TLS or not.
 if rulerConfig.Notifier.TLSEnabled {
 if rulerConfig.Notifier.TLS.Reader == nil {
@@ -217,14 +265,5 @@ func amConfigWithSD(rulerConfig *Config, url *url.URL, sdConfig discovery.Config
 }
 }

- // Whether to use an optional HTTP, HTTP+CONNECT, or SOCKS5 proxy.
- if rulerConfig.Notifier.ProxyURL != "" {
- url, err := url.Parse(rulerConfig.Notifier.ProxyURL)
- if err != nil {
- return nil, err
- }
- amConfig.HTTPClientConfig.ProxyURL = config_util.URL{URL: url}
- }
-
 return amConfig, nil
 }

From d94e1cc09bf8bf96fdf794551cb6467f0448ef16 Mon Sep 17 00:00:00 2001
From: Alex Weaver
Date: Mon, 18 Nov 2024 16:03:11 -0600
Subject: [PATCH 03/13] Tests for proxy_url

---
 pkg/ruler/notifier_test.go | 50 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)

diff --git a/pkg/ruler/notifier_test.go b/pkg/ruler/notifier_test.go
index 2a063d91e16..8c2863f94fb 100644
--- a/pkg/ruler/notifier_test.go
+++ b/pkg/ruler/notifier_test.go
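Review bot: The OAuth2 block parses `rulerConfig.Notifier.ProxyURL` a second time, a few lines after the proxy block already did; parsing once into a local (say `proxyURL`) and assigning `config_util.URL{URL: proxyURL}` to both `HTTPClientConfig.ProxyURL` and `HTTPClientConfig.OAuth2.ProxyURL` keeps the two clients from drifting apart. Only the proxy is copied onto the OAuth2 client here: if the `ruler.alertmanager-client` TLS settings are meant to cover the token endpoint as well, `OAuth2.TLSConfig` presumably needs to be populated too, because the TLS block that follows is only partly visible and is not shown touching it. A short comment on the OAuth2 block stating which client settings the token request inherits would help. amConfigWithSD starts and ends outside this hunk.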
@@ -7,6 +7,7 @@ package ruler import ( "errors" + "net/url" "testing" "time" @@ -264,6 +265,38 @@ func TestBuildNotifierConfig(t *testing.T) { }, }, }, + { + name: "with service discovery URL, basic auth, and proxy URL", + cfg: &Config{ + AlertmanagerURL: "dnssrv+https://marco:hunter2@_http._tcp.alertmanager-0.default.svc.cluster.local/alertmanager", + Notifier: NotifierConfig{ + ProxyURL: "http://my-proxy.proxy-namespace.svc.cluster.local.:1234", + }, + }, + ncfg: &config.Config{ + AlertingConfig: config.AlertingConfig{ + AlertmanagerConfigs: []*config.AlertmanagerConfig{ + { + HTTPClientConfig: config_util.HTTPClientConfig{ + BasicAuth: &config_util.BasicAuth{Username: "marco", Password: "hunter2"}, + ProxyConfig: config_util.ProxyConfig{ + ProxyURL: config_util.URL{URL: urlMustParse(t, "http://my-proxy.proxy-namespace.svc.cluster.local.:1234")}, + }, + }, + APIVersion: "v2", + Scheme: "https", + PathPrefix: "/alertmanager", + ServiceDiscoveryConfigs: discovery.Configs{ + dnsServiceDiscovery{ + Host: "_http._tcp.alertmanager-0.default.svc.cluster.local", + QType: dns.SRV, + }, + }, + }, + }, + }, + }, + }, { name: "with DNS service discovery and missing scheme", cfg: &Config{ @@ -285,6 +318,16 @@ func TestBuildNotifierConfig(t *testing.T) { }, err: errors.New("invalid DNS service discovery prefix \"dnsserv\""), }, + { + name: "misspelled proxy URL", + cfg: &Config{ + AlertmanagerURL: "http://alertmanager.default.svc.cluster.local/alertmanager", + Notifier: NotifierConfig{ + ProxyURL: "http://example.local" + string(rune(0x7f)), + }, + }, + err: errors.New("parse \"http://example.local\\x7f\": net/url: invalid control character in URL"), + }, } for _, tt := range tests { @@ -299,3 +342,10 @@ func TestBuildNotifierConfig(t *testing.T) { }) } } + +func urlMustParse(t *testing.T, raw string) *url.URL { + t.Helper() + u, err := url.Parse(raw) + require.NoError(t, err) + return u +} From d6ab8a94ecd56a82c324d5c0e2ac19fdf1c2b788 Mon Sep 17 00:00:00 2001 
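Review bot: The only negative case, "misspelled proxy URL", fails on a control character, so nothing pins what happens to a proxy value that parses but is not usable, such as one with no scheme or with a scheme other than the ones the flag help lists. A case like `ProxyURL: "my-proxy.proxy-namespace.svc.cluster.local"` with an expected error would document the intended behaviour for a scheme-less value. The case name could also read "proxy URL with control character" to match what it actually exercises.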
From: Alex Weaver Date: Mon, 18 Nov 2024 16:13:19 -0600 Subject: [PATCH 04/13] Tests for OAuth2 config options --- pkg/ruler/notifier_test.go | 122 +++++++++++++++++++++++++++++++++++++ 1 file changed, 122 insertions(+) diff --git a/pkg/ruler/notifier_test.go b/pkg/ruler/notifier_test.go index 8c2863f94fb..9cc658fa937 100644 --- a/pkg/ruler/notifier_test.go +++ b/pkg/ruler/notifier_test.go 
@@ -297,6 +297,128 @@ func TestBuildNotifierConfig(t *testing.T) { }, }, }, + { + name: "with OAuth2", + cfg: &Config{ + AlertmanagerURL: "dnssrv+https://_http._tcp.alertmanager-0.default.svc.cluster.local/alertmanager", + Notifier: NotifierConfig{ + OAuth2: OAuth2Config{ + ClientID: "oauth2-client-id", + ClientSecret: flagext.SecretWithValue("test"), + TokenURL: "https://oauth2-token-endpoint.local/token", + }, + }, + }, + ncfg: &config.Config{ + AlertingConfig: config.AlertingConfig{ + AlertmanagerConfigs: []*config.AlertmanagerConfig{ + { + HTTPClientConfig: config_util.HTTPClientConfig{ + OAuth2: &config_util.OAuth2{ + ClientID: "oauth2-client-id", + ClientSecret: "test", + TokenURL: "https://oauth2-token-endpoint.local/token", + }, + }, + APIVersion: "v2", + Scheme: "https", + PathPrefix: "/alertmanager", + ServiceDiscoveryConfigs: discovery.Configs{ + dnsServiceDiscovery{ + Host: "_http._tcp.alertmanager-0.default.svc.cluster.local", + QType: dns.SRV, + }, + }, + }, + }, + }, + }, + }, + { + name: "with OAuth2 and optional scopes", + cfg: &Config{ + AlertmanagerURL: "dnssrv+https://_http._tcp.alertmanager-0.default.svc.cluster.local/alertmanager", + Notifier: NotifierConfig{ + OAuth2: OAuth2Config{ + ClientID: "oauth2-client-id", + ClientSecret: flagext.SecretWithValue("test"), + TokenURL: "https://oauth2-token-endpoint.local/token", + Scopes: flagext.StringSlice([]string{"action-1", "action-2"}), + }, + }, + }, + ncfg: &config.Config{ + AlertingConfig: config.AlertingConfig{ + AlertmanagerConfigs: []*config.AlertmanagerConfig{ + { + HTTPClientConfig: config_util.HTTPClientConfig{ + OAuth2: &config_util.OAuth2{ + ClientID: "oauth2-client-id", + ClientSecret: "test", + TokenURL: "https://oauth2-token-endpoint.local/token", + Scopes: []string{"action-1", "action-2"}, + }, + }, + APIVersion: "v2", + Scheme: "https", + PathPrefix: "/alertmanager", + ServiceDiscoveryConfigs: discovery.Configs{ + dnsServiceDiscovery{ + Host: 
"_http._tcp.alertmanager-0.default.svc.cluster.local", + QType: dns.SRV, + }, + }, + }, + }, + }, + }, + }, + { + name: "with OAuth2 and proxy_url simultaneously, inheriting proxy", + cfg: &Config{ + AlertmanagerURL: "dnssrv+https://_http._tcp.alertmanager-0.default.svc.cluster.local/alertmanager", + Notifier: NotifierConfig{ + ProxyURL: "http://my-proxy.proxy-namespace.svc.cluster.local.:1234", + OAuth2: OAuth2Config{ + ClientID: "oauth2-client-id", + ClientSecret: flagext.SecretWithValue("test"), + TokenURL: "https://oauth2-token-endpoint.local/token", + Scopes: flagext.StringSlice([]string{"action-1", "action-2"}), + }, + }, + }, + ncfg: &config.Config{ + AlertingConfig: config.AlertingConfig{ + AlertmanagerConfigs: []*config.AlertmanagerConfig{ + { + HTTPClientConfig: config_util.HTTPClientConfig{ + OAuth2: &config_util.OAuth2{ + ClientID: "oauth2-client-id", + ClientSecret: "test", + TokenURL: "https://oauth2-token-endpoint.local/token", + Scopes: []string{"action-1", "action-2"}, + ProxyConfig: config_util.ProxyConfig{ + ProxyURL: config_util.URL{URL: urlMustParse(t, "http://my-proxy.proxy-namespace.svc.cluster.local.:1234")}, + }, + }, + ProxyConfig: config_util.ProxyConfig{ + ProxyURL: config_util.URL{URL: urlMustParse(t, "http://my-proxy.proxy-namespace.svc.cluster.local.:1234")}, + }, + }, + APIVersion: "v2", + Scheme: "https", + PathPrefix: "/alertmanager", + ServiceDiscoveryConfigs: discovery.Configs{ + dnsServiceDiscovery{ + Host: "_http._tcp.alertmanager-0.default.svc.cluster.local", + QType: dns.SRV, + }, + }, + }, + }, + }, + }, + }, { name: "with DNS service discovery and missing scheme", cfg: &Config{ From fb98133c7c6050bf9e43cf884d0895774cd4da0c Mon Sep 17 00:00:00 2001 From: Alex Weaver Date: Mon, 18 Nov 2024 16:19:16 -0600 Subject: [PATCH 05/13] Reject multiple auth schemes at the same time --- pkg/ruler/notifier.go | 9 ++++++++- pkg/ruler/notifier_test.go | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 41 insertions(+), 1 deletion(-) 
diff --git a/pkg/ruler/notifier.go b/pkg/ruler/notifier.go
index 9e892212c17..14b3df44fd9 100644
--- a/pkg/ruler/notifier.go
+++ b/pkg/ruler/notifier.go
@@ -28,7 +28,10 @@ import (
 "github.com/grafana/mimir/pkg/util"
 )

-var errRulerNotifierStopped = cancellation.NewErrorf("rulerNotifier stopped")
+var (
+ errRulerNotifierStopped = cancellation.NewErrorf("rulerNotifier stopped")
+ errRulerSimultaneousBasicAuthAndOAuth = errors.New("cannot use both Basic Auth and OAuth2 simultaneously")
+)

 type NotifierConfig struct {
 TLSEnabled bool `yaml:"tls_enabled" category:"advanced"`
@@ -213,6 +213,10 @@ func amConfigWithSD(rulerConfig *Config, url *url.URL, sdConfig discovery.Config

 // Whether to use OAuth2 or not.
 if rulerConfig.Notifier.OAuth2.IsEnabled() {
+ if amConfig.HTTPClientConfig.BasicAuth != nil {
+ return nil, errRulerSimultaneousBasicAuthAndOAuth
+ }
+
 amConfig.HTTPClientConfig.OAuth2 = &config_util.OAuth2{
 ClientID: rulerConfig.Notifier.OAuth2.ClientID,
 ClientSecret: config_util.Secret(rulerConfig.Notifier.OAuth2.ClientSecret.String()),
diff --git a/pkg/ruler/notifier_test.go b/pkg/ruler/notifier_test.go
index 9cc658fa937..84840d3e0b2 100644
--- a/pkg/ruler/notifier_test.go
+++ b/pkg/ruler/notifier_test.go
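Review bot: The new guard in the OAuth2 block reads `amConfig.HTTPClientConfig.BasicAuth`, which is filled in earlier in amConfigWithSD, outside this hunk, so the check silently depends on statement order. A comment such as `// BasicAuth is set above from the URL userinfo or the basic-auth flags; keep this check after that block.` would protect it from a later reordering that lets both schemes through. The sentinel's message could also name the settings involved, so an operator can tell whether to remove the credentials in the Alertmanager URL, the basic-auth flags or the `oauth` flags.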
@@ -450,6 +450,39 @@ func TestBuildNotifierConfig(t *testing.T) { }, err: errors.New("parse \"http://example.local\\x7f\": net/url: invalid control character in URL"), }, + { + name: "basic auth and oauth provided at the same time", + cfg: &Config{ + AlertmanagerURL: "http://alertmanager.default.svc.cluster.local/alertmanager", + Notifier: NotifierConfig{ + BasicAuth: util.BasicAuth{ + Username: "test-user", + }, + OAuth2: OAuth2Config{ + ClientID: "oauth2-client-id", + ClientSecret: flagext.SecretWithValue("test"), + TokenURL: "https://oauth2-token-endpoint.local/token", + Scopes: flagext.StringSlice([]string{"action-1", "action-2"}), + }, + }, + }, + err: errRulerSimultaneousBasicAuthAndOAuth, + }, + { + name: "basic auth via URL and oauth provided at the same time", + cfg: &Config{ + AlertmanagerURL: "http://marco:hunter2@alertmanager.default.svc.cluster.local/alertmanager", + Notifier: NotifierConfig{ + OAuth2: OAuth2Config{ + ClientID: "oauth2-client-id", + ClientSecret: flagext.SecretWithValue("test"), + TokenURL: "https://oauth2-token-endpoint.local/token", + Scopes: flagext.StringSlice([]string{"action-1", "action-2"}), + }, + }, + }, + err: errRulerSimultaneousBasicAuthAndOAuth, + }, } for _, tt := range tests { From d7d33195fbc4fa219be6614fe5f677f843a7ec10 Mon Sep 17 00:00:00 2001 From: Alex Weaver Date: Mon, 18 Nov 2024 16:38:01 -0600 Subject: [PATCH 06/13] Generate docs --- .../configuration-parameters/index.md | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/docs/sources/mimir/configure/configuration-parameters/index.md b/docs/sources/mimir/configure/configuration-parameters/index.md index 3be5fb721d6..26dd1ab20a0 100644 --- a/docs/sources/mimir/configure/configuration-parameters/index.md +++ b/docs/sources/mimir/configure/configuration-parameters/index.md 
@@ -1951,6 +1951,30 @@ alertmanager_client: # CLI flag: -ruler.alertmanager-client.basic-auth-password [basic_auth_password: | default = ""] + oauth2: + # OAuth2 client ID. Enables the use of OAuth2 for authenticating with + # Alertmanager. + # CLI flag: -ruler.alertmanager-client.oauth.client_id + [client_id: | default = ""] + + # OAuth2 client secret. + # CLI flag: -ruler.alertmanager-client.oauth.client_secret + [client_secret: | default = ""] + + # Endpoint used to fetch access token from. + # CLI flag: -ruler.alertmanager-client.oauth.token_url + [token_url: | default = ""] + + # Optional scopes to include with the token request. + # CLI flag: -ruler.alertmanager-client.oauth.scopes + [scopes: | default = []] + + # (advanced) Optional HTTP, HTTPS via CONNECT, or SOCKS5 proxy URL to route + # requests through. Applies to all requests, including infra like oauth token + # requests. + # CLI flag: -ruler.alertmanager-client.proxy-url + [proxy_url: | default = ""] + # (advanced) Max time to tolerate outage for restoring "for" state of alert. # CLI flag: -ruler.for-outage-tolerance [for_outage_tolerance: | default = 1h] From 77151cbb45c6637fec5a33ab3044a7f7c8ad5781 Mon Sep 17 00:00:00 2001 From: Alex Weaver Date: Mon, 18 Nov 2024 16:40:39 -0600 Subject: [PATCH 07/13] Make reference-help --- cmd/mimir/config-descriptor.json | 61 ++++++++++++++++++++++++++++++++ cmd/mimir/help-all.txt.tmpl | 10 ++++++ cmd/mimir/help.txt.tmpl | 8 +++++ 3 files changed, 79 insertions(+) diff --git a/cmd/mimir/config-descriptor.json b/cmd/mimir/config-descriptor.json index 4c19d3c988a..f60c8308c04 100644 --- a/cmd/mimir/config-descriptor.json +++ b/cmd/mimir/config-descriptor.json 
@@ -12347,6 +12347,67 @@ "fieldDefaultValue": "", "fieldFlag": "ruler.alertmanager-client.basic-auth-password", "fieldType": "string" + }, + { + "kind": "block", + "name": "oauth2", + "required": false, + "desc": "", + "blockEntries": [ + { + "kind": "field", + "name": "client_id", + "required": false, + "desc": "OAuth2 client ID. Enables the use of OAuth2 for authenticating with Alertmanager.", + "fieldValue": null, + "fieldDefaultValue": "", + "fieldFlag": "ruler.alertmanager-client.oauth.client_id", + "fieldType": "string" + }, + { + "kind": "field", + "name": "client_secret", + "required": false, + "desc": "OAuth2 client secret.", + "fieldValue": null, + "fieldDefaultValue": "", + "fieldFlag": "ruler.alertmanager-client.oauth.client_secret", + "fieldType": "string" + }, + { + "kind": "field", + "name": "token_url", + "required": false, + "desc": "Endpoint used to fetch access token from.", + "fieldValue": null, + "fieldDefaultValue": "", + "fieldFlag": "ruler.alertmanager-client.oauth.token_url", + "fieldType": "string" + }, + { + "kind": "field", + "name": "scopes", + "required": false, + "desc": "Optional scopes to include with the token request.", + "fieldValue": null, + "fieldDefaultValue": [], + "fieldFlag": "ruler.alertmanager-client.oauth.scopes", + "fieldType": "list of strings" + } + ], + "fieldValue": null, + "fieldDefaultValue": null + }, + { + "kind": "field", + "name": "proxy_url", + "required": false, + "desc": "Optional HTTP, HTTPS via CONNECT, or SOCKS5 proxy URL to route requests through. Applies to all requests, including infra like oauth token requests.", + "fieldValue": null, + "fieldDefaultValue": "", + "fieldFlag": "ruler.alertmanager-client.proxy-url", + "fieldType": "string", + "fieldCategory": "advanced" } ], "fieldValue": null, diff --git a/cmd/mimir/help-all.txt.tmpl b/cmd/mimir/help-all.txt.tmpl index 93c78c9ba5c..bb9f1d514a6 100644 --- a/cmd/mimir/help-all.txt.tmpl +++ b/cmd/mimir/help-all.txt.tmpl 
@@ -2821,6 +2821,16 @@ Usage of ./cmd/mimir/mimir: HTTP Basic authentication password. It overrides the password set in the URL (if any). -ruler.alertmanager-client.basic-auth-username string HTTP Basic authentication username. It overrides the username set in the URL (if any). + -ruler.alertmanager-client.oauth.client_id string + OAuth2 client ID. Enables the use of OAuth2 for authenticating with Alertmanager. + -ruler.alertmanager-client.oauth.client_secret string + OAuth2 client secret. + -ruler.alertmanager-client.oauth.scopes string + Optional scopes to include with the token request. + -ruler.alertmanager-client.oauth.token_url string + Endpoint used to fetch access token from. + -ruler.alertmanager-client.proxy-url string + Optional HTTP, HTTPS via CONNECT, or SOCKS5 proxy URL to route requests through. Applies to all requests, including infra like oauth token requests. -ruler.alertmanager-client.tls-ca-path string Path to the CA certificates to validate server certificate against. If not set, the host's root CA certificates are used. -ruler.alertmanager-client.tls-cert-path string diff --git a/cmd/mimir/help.txt.tmpl b/cmd/mimir/help.txt.tmpl index a127af96ede..fdc61aec4a3 100644 --- a/cmd/mimir/help.txt.tmpl +++ b/cmd/mimir/help.txt.tmpl 
@@ -711,6 +711,14 @@ Usage of ./cmd/mimir/mimir: HTTP Basic authentication password. It overrides the password set in the URL (if any). -ruler.alertmanager-client.basic-auth-username string HTTP Basic authentication username. It overrides the username set in the URL (if any). + -ruler.alertmanager-client.oauth.client_id string + OAuth2 client ID. Enables the use of OAuth2 for authenticating with Alertmanager. + -ruler.alertmanager-client.oauth.client_secret string + OAuth2 client secret. + -ruler.alertmanager-client.oauth.scopes string + Optional scopes to include with the token request. + -ruler.alertmanager-client.oauth.token_url string + Endpoint used to fetch access token from. -ruler.alertmanager-url string Comma-separated list of URL(s) of the Alertmanager(s) to send notifications to. Each URL is treated as a separate group. Multiple Alertmanagers in HA per group can be supported by using DNS service discovery format, comprehensive of the scheme. Basic auth is supported as part of the URL. -ruler.enable-api From e107e0b69db2a67266c251d533b96cc37f5eac64 Mon Sep 17 00:00:00 2001 From: Alex Weaver Date: Mon, 25 Nov 2024 11:29:55 -0600 Subject: [PATCH 08/13] Fix descriptions --- pkg/ruler/notifier.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/ruler/notifier.go b/pkg/ruler/notifier.go index 14b3df44fd9..dc9b725ae22 100644 --- a/pkg/ruler/notifier.go +++ b/pkg/ruler/notifier.go 
@@ -46,7 +46,7 @@ func (cfg *NotifierConfig) RegisterFlags(f *flag.FlagSet) {
 cfg.TLS.RegisterFlagsWithPrefix("ruler.alertmanager-client", f)
 cfg.BasicAuth.RegisterFlagsWithPrefix("ruler.alertmanager-client.", f)
 cfg.OAuth2.RegisterFlagsWithPrefix("ruler.alertmanager-client.oauth.", f)
- f.StringVar(&cfg.ProxyURL, "ruler.alertmanager-client.proxy-url", "", "Optional HTTP, HTTPS via CONNECT, or SOCKS5 proxy URL to route requests through. Applies to all requests, including infra like oauth token requests.")
+ f.StringVar(&cfg.ProxyURL, "ruler.alertmanager-client.proxy-url", "", "Optional HTTP, HTTPS via CONNECT, or SOCKS5 proxy URL to route requests through. Applies to all requests, including auxiliary traffic such as OAuth token requests.")
 }

 type OAuth2Config struct {
@@ -59,7 +59,7 @@ type OAuth2Config struct {
 func (cfg *OAuth2Config) RegisterFlagsWithPrefix(prefix string, f *flag.FlagSet) {
 f.StringVar(&cfg.ClientID, prefix+"client_id", "", "OAuth2 client ID. Enables the use of OAuth2 for authenticating with Alertmanager.")
 f.Var(&cfg.ClientSecret, prefix+"client_secret", "OAuth2 client secret.")
- f.StringVar(&cfg.TokenURL, prefix+"token_url", "", "Endpoint used to fetch access token from.")
+ f.StringVar(&cfg.TokenURL, prefix+"token_url", "", "Endpoint used to fetch access token.")
 f.Var(&cfg.Scopes, prefix+"scopes", "Optional scopes to include with the token request.")
 }


From c66d334b4940e920dea00ec394c7519ff71e60aa Mon Sep 17 00:00:00 2001
From: Alex Weaver
Date: Mon, 25 Nov 2024 11:32:17 -0600
Subject: [PATCH 09/13] Make reference-help

---
 cmd/mimir/config-descriptor.json | 4 ++--
 cmd/mimir/help-all.txt.tmpl | 4 ++--
 cmd/mimir/help.txt.tmpl | 2 +-
 .../mimir/configure/configuration-parameters/index.md | 6 +++---
 4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/cmd/mimir/config-descriptor.json b/cmd/mimir/config-descriptor.json
index f60c8308c04..d626353e02e 100644
--- a/cmd/mimir/config-descriptor.json
+++ b/cmd/mimir/config-descriptor.json
@@ -12378,7 +12378,7 @@ "kind": "field", "name": "token_url", "required": false, - "desc": "Endpoint used to fetch access token from.", + "desc": "Endpoint used to fetch access token.", "fieldValue": null, "fieldDefaultValue": "", "fieldFlag": "ruler.alertmanager-client.oauth.token_url", @@ -12402,7 +12402,7 @@ "kind": "field", "name": "proxy_url", "required": false, - "desc": "Optional HTTP, HTTPS via CONNECT, or SOCKS5 proxy URL to route requests through. Applies to all requests, including infra like oauth token requests.", + "desc": "Optional HTTP, HTTPS via CONNECT, or SOCKS5 proxy URL to route requests through. Applies to all requests, including auxiliary traffic such as OAuth token requests.", "fieldValue": null, "fieldDefaultValue": "", "fieldFlag": "ruler.alertmanager-client.proxy-url", diff --git a/cmd/mimir/help-all.txt.tmpl b/cmd/mimir/help-all.txt.tmpl index bb9f1d514a6..eb9625c20f2 100644 --- a/cmd/mimir/help-all.txt.tmpl +++ b/cmd/mimir/help-all.txt.tmpl @@ -2828,9 +2828,9 @@ Usage of ./cmd/mimir/mimir: -ruler.alertmanager-client.oauth.scopes string Optional scopes to include with the token request. -ruler.alertmanager-client.oauth.token_url string - Endpoint used to fetch access token from. + Endpoint used to fetch access token. -ruler.alertmanager-client.proxy-url string - Optional HTTP, HTTPS via CONNECT, or SOCKS5 proxy URL to route requests through. Applies to all requests, including infra like oauth token requests. + Optional HTTP, HTTPS via CONNECT, or SOCKS5 proxy URL to route requests through. Applies to all requests, including auxiliary traffic such as OAuth token requests. -ruler.alertmanager-client.tls-ca-path string Path to the CA certificates to validate server certificate against. If not set, the host's root CA certificates are used. -ruler.alertmanager-client.tls-cert-path string diff --git a/cmd/mimir/help.txt.tmpl b/cmd/mimir/help.txt.tmpl index fdc61aec4a3..53bdccca7ab 100644 --- a/cmd/mimir/help.txt.tmpl 
+++ b/cmd/mimir/help.txt.tmpl @@ -718,7 +718,7 @@ Usage of ./cmd/mimir/mimir: -ruler.alertmanager-client.oauth.scopes string Optional scopes to include with the token request. -ruler.alertmanager-client.oauth.token_url string - Endpoint used to fetch access token from. + Endpoint used to fetch access token. -ruler.alertmanager-url string Comma-separated list of URL(s) of the Alertmanager(s) to send notifications to. Each URL is treated as a separate group. Multiple Alertmanagers in HA per group can be supported by using DNS service discovery format, comprehensive of the scheme. Basic auth is supported as part of the URL. -ruler.enable-api diff --git a/docs/sources/mimir/configure/configuration-parameters/index.md b/docs/sources/mimir/configure/configuration-parameters/index.md index 26dd1ab20a0..e28b00da85f 100644 --- a/docs/sources/mimir/configure/configuration-parameters/index.md +++ b/docs/sources/mimir/configure/configuration-parameters/index.md @@ -1961,7 +1961,7 @@ alertmanager_client: # CLI flag: -ruler.alertmanager-client.oauth.client_secret [client_secret: | default = ""] - # Endpoint used to fetch access token from. + # Endpoint used to fetch access token. # CLI flag: -ruler.alertmanager-client.oauth.token_url [token_url: | default = ""] @@ -1970,8 +1970,8 @@ alertmanager_client: [scopes: | default = []] # (advanced) Optional HTTP, HTTPS via CONNECT, or SOCKS5 proxy URL to route - # requests through. Applies to all requests, including infra like oauth token - # requests. + # requests through. Applies to all requests, including auxiliary traffic such + # as OAuth token requests. # CLI flag: -ruler.alertmanager-client.proxy-url [proxy_url: | default = ""] From 1be45dbaa9c7ee88879d111da861c77ef51bc250 Mon Sep 17 00:00:00 2001 From: Alex Weaver Date: Mon, 25 Nov 2024 11:38:15 -0600 Subject: [PATCH 10/13] changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4b993c3e115..74beb64d336 100644 
--- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -69,6 +69,7 @@ * [ENHANCEMENT] Distributor: Initialize ha_tracker cache before ha_tracker and distributor reach running state and begin serving writes. #9826 #9976 * [ENHANCEMENT] Ingester: `-ingest-storage.kafka.max-buffered-bytes` to limit the memory for buffered records when using concurrent fetching. #9892 * [ENHANCEMENT] Querier: improve performance and memory consumption of queries that select many series. #9914 +* [ENHANCEMENT] Ruler: Support OAuth2 and proxies in Alertmanager client #9945 * [BUGFIX] Fix issue where functions such as `rate()` over native histograms could return incorrect values if a float stale marker was present in the selected range. #9508 * [BUGFIX] Fix issue where negation of native histograms (eg. `-some_native_histogram_series`) did nothing. #9508 * [BUGFIX] Fix issue where `metric might not be a counter, name does not end in _total/_sum/_count/_bucket` annotation would be emitted even if `rate` or `increase` did not have enough samples to compute a result. #9508 From e75facce8a9fd13b7b6155072307a869fa7528da Mon Sep 17 00:00:00 2001 From: Alex Weaver Date: Mon, 25 Nov 2024 11:44:42 -0600 Subject: [PATCH 11/13] Add comma and regenerate --- cmd/mimir/config-descriptor.json | 2 +- cmd/mimir/help-all.txt.tmpl | 2 +- docs/sources/mimir/configure/configuration-parameters/index.md | 2 +- pkg/ruler/notifier.go | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/cmd/mimir/config-descriptor.json b/cmd/mimir/config-descriptor.json index d626353e02e..4e92e28b6d1 100644 --- a/cmd/mimir/config-descriptor.json +++ b/cmd/mimir/config-descriptor.json 
@@ -12402,7 +12402,7 @@ "kind": "field", "name": "proxy_url", "required": false, - "desc": "Optional HTTP, HTTPS via CONNECT, or SOCKS5 proxy URL to route requests through. Applies to all requests, including auxiliary traffic such as OAuth token requests.", + "desc": "Optional HTTP, HTTPS via CONNECT, or SOCKS5 proxy URL to route requests through. Applies to all requests, including auxiliary traffic, such as OAuth token requests.", "fieldValue": null, "fieldDefaultValue": "", "fieldFlag": "ruler.alertmanager-client.proxy-url", diff --git a/cmd/mimir/help-all.txt.tmpl b/cmd/mimir/help-all.txt.tmpl index eb9625c20f2..017b8b407ce 100644 --- a/cmd/mimir/help-all.txt.tmpl +++ b/cmd/mimir/help-all.txt.tmpl @@ -2830,7 +2830,7 @@ Usage of ./cmd/mimir/mimir: -ruler.alertmanager-client.oauth.token_url string Endpoint used to fetch access token. -ruler.alertmanager-client.proxy-url string - Optional HTTP, HTTPS via CONNECT, or SOCKS5 proxy URL to route requests through. Applies to all requests, including auxiliary traffic such as OAuth token requests. + Optional HTTP, HTTPS via CONNECT, or SOCKS5 proxy URL to route requests through. Applies to all requests, including auxiliary traffic, such as OAuth token requests. -ruler.alertmanager-client.tls-ca-path string Path to the CA certificates to validate server certificate against. If not set, the host's root CA certificates are used. -ruler.alertmanager-client.tls-cert-path string diff --git a/docs/sources/mimir/configure/configuration-parameters/index.md b/docs/sources/mimir/configure/configuration-parameters/index.md index e28b00da85f..7aef639c867 100644 --- a/docs/sources/mimir/configure/configuration-parameters/index.md +++ b/docs/sources/mimir/configure/configuration-parameters/index.md 
@@ -1970,7 +1970,7 @@ alertmanager_client: [scopes: | default = []] # (advanced) Optional HTTP, HTTPS via CONNECT, or SOCKS5 proxy URL to route - # requests through. Applies to all requests, including auxiliary traffic such + # requests through. Applies to all requests, including auxiliary traffic, such # as OAuth token requests. # CLI flag: -ruler.alertmanager-client.proxy-url [proxy_url: | default = ""] diff --git a/pkg/ruler/notifier.go b/pkg/ruler/notifier.go index dc9b725ae22..4e918d4295f 100644 --- a/pkg/ruler/notifier.go +++ b/pkg/ruler/notifier.go @@ -46,7 +46,7 @@ func (cfg *NotifierConfig) RegisterFlags(f *flag.FlagSet) { cfg.TLS.RegisterFlagsWithPrefix("ruler.alertmanager-client", f) cfg.BasicAuth.RegisterFlagsWithPrefix("ruler.alertmanager-client.", f) cfg.OAuth2.RegisterFlagsWithPrefix("ruler.alertmanager-client.oauth.", f) - f.StringVar(&cfg.ProxyURL, "ruler.alertmanager-client.proxy-url", "", "Optional HTTP, HTTPS via CONNECT, or SOCKS5 proxy URL to route requests through. Applies to all requests, including auxiliary traffic such as OAuth token requests.") + f.StringVar(&cfg.ProxyURL, "ruler.alertmanager-client.proxy-url", "", "Optional HTTP, HTTPS via CONNECT, or SOCKS5 proxy URL to route requests through. Applies to all requests, including auxiliary traffic, such as OAuth token requests.") } type OAuth2Config struct { From 422f20c218df15740eee0802be3ebe9767bd43ba Mon Sep 17 00:00:00 2001 From: Alex Weaver Date: Mon, 25 Nov 2024 15:26:52 -0600 Subject: [PATCH 12/13] Migrate to StringSliceCSV as it seems to be the standard and StringSlice seems incomplete --- pkg/ruler/notifier.go | 8 ++++---- pkg/ruler/notifier_test.go | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/pkg/ruler/notifier.go b/pkg/ruler/notifier.go index 4e918d4295f..0fd0175b1cd 100644 --- a/pkg/ruler/notifier.go +++ b/pkg/ruler/notifier.go 
@@ -50,10 +50,10 @@ func (cfg *NotifierConfig) RegisterFlags(f *flag.FlagSet) { } type OAuth2Config struct { - ClientID string `yaml:"client_id"` - ClientSecret flagext.Secret `yaml:"client_secret"` - TokenURL string `yaml:"token_url"` - Scopes flagext.StringSlice `yaml:"scopes,omitempty"` + ClientID string `yaml:"client_id"` + ClientSecret flagext.Secret `yaml:"client_secret"` + TokenURL string `yaml:"token_url"` + Scopes flagext.StringSliceCSV `yaml:"scopes,omitempty"` } func (cfg *OAuth2Config) RegisterFlagsWithPrefix(prefix string, f *flag.FlagSet) { diff --git a/pkg/ruler/notifier_test.go b/pkg/ruler/notifier_test.go index 84840d3e0b2..54c56f46fee 100644 --- a/pkg/ruler/notifier_test.go +++ b/pkg/ruler/notifier_test.go @@ -343,7 +343,7 @@ func TestBuildNotifierConfig(t *testing.T) { ClientID: "oauth2-client-id", ClientSecret: flagext.SecretWithValue("test"), TokenURL: "https://oauth2-token-endpoint.local/token", - Scopes: flagext.StringSlice([]string{"action-1", "action-2"}), + Scopes: flagext.StringSliceCSV([]string{"action-1", "action-2"}), }, }, }, @@ -383,7 +383,7 @@ func TestBuildNotifierConfig(t *testing.T) { ClientID: "oauth2-client-id", ClientSecret: flagext.SecretWithValue("test"), TokenURL: "https://oauth2-token-endpoint.local/token", - Scopes: flagext.StringSlice([]string{"action-1", "action-2"}), + Scopes: flagext.StringSliceCSV([]string{"action-1", "action-2"}), }, }, }, @@ -462,7 +462,7 @@ func TestBuildNotifierConfig(t *testing.T) { ClientID: "oauth2-client-id", ClientSecret: flagext.SecretWithValue("test"), TokenURL: "https://oauth2-token-endpoint.local/token", - Scopes: flagext.StringSlice([]string{"action-1", "action-2"}), + Scopes: flagext.StringSliceCSV([]string{"action-1", "action-2"}), }, }, }, 
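Review bot: The `Scopes` field in `OAuth2Config` changes its configuration shape along with its type, and nothing on the struct says so: the regenerated reference in the next commit of this series lists `scopes` as a `string` with default `""` instead of a list of strings, so a YAML list under `oauth2.scopes` is presumably no longer accepted. I would document the format on the field, for example `// Scopes is one comma-separated string in both YAML and the CLI flag, e.g. "scope-a,scope-b".`, and give the exported `OAuth2Config` type a doc comment of its own. It is also worth confirming how `flagext.StringSliceCSV` treats whitespace around commas and empty items, because an entry such as `" scope-b"` would presumably be sent to the token endpoint as written, and the token request could then fail or be granted a different scope set than intended. The updated fixtures in `notifier_test.go` build the value directly with `flagext.StringSliceCSV([]string{...})`, so no visible test covers parsing from the flag or YAML string form; `RegisterFlagsWithPrefix` and `TestBuildNotifierConfig` both continue outside these hunks.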
@@ -477,7 +477,7 @@ func TestBuildNotifierConfig(t *testing.T) { ClientID: "oauth2-client-id", ClientSecret: flagext.SecretWithValue("test"), TokenURL: "https://oauth2-token-endpoint.local/token", - Scopes: flagext.StringSlice([]string{"action-1", "action-2"}), + Scopes: flagext.StringSliceCSV([]string{"action-1", "action-2"}), }, }, }, From 43dcb0bd653c9c4e34423c801564a88b3c01d8e7 Mon Sep 17 00:00:00 2001 From: Alex Weaver Date: Mon, 25 Nov 2024 16:16:01 -0600 Subject: [PATCH 13/13] Remake docs and reference help --- cmd/mimir/config-descriptor.json | 4 ++-- cmd/mimir/help-all.txt.tmpl | 2 +- cmd/mimir/help.txt.tmpl | 2 +- .../sources/mimir/configure/configuration-parameters/index.md | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/cmd/mimir/config-descriptor.json b/cmd/mimir/config-descriptor.json index 4e92e28b6d1..798dad46ed5 100644 --- a/cmd/mimir/config-descriptor.json +++ b/cmd/mimir/config-descriptor.json @@ -12390,9 +12390,9 @@ "required": false, "desc": "Optional scopes to include with the token request.", "fieldValue": null, - "fieldDefaultValue": [], + "fieldDefaultValue": "", "fieldFlag": "ruler.alertmanager-client.oauth.scopes", - "fieldType": "list of strings" + "fieldType": "string" } ], "fieldValue": null, diff --git a/cmd/mimir/help-all.txt.tmpl b/cmd/mimir/help-all.txt.tmpl index 017b8b407ce..cb7cc339794 100644 --- a/cmd/mimir/help-all.txt.tmpl +++ b/cmd/mimir/help-all.txt.tmpl @@ -2825,7 +2825,7 @@ Usage of ./cmd/mimir/mimir: OAuth2 client ID. Enables the use of OAuth2 for authenticating with Alertmanager. -ruler.alertmanager-client.oauth.client_secret string OAuth2 client secret. - -ruler.alertmanager-client.oauth.scopes string + -ruler.alertmanager-client.oauth.scopes comma-separated-list-of-strings Optional scopes to include with the token request. -ruler.alertmanager-client.oauth.token_url string Endpoint used to fetch access token. 
diff --git a/cmd/mimir/help.txt.tmpl b/cmd/mimir/help.txt.tmpl index 53bdccca7ab..f0f3b3eba43 100644 --- a/cmd/mimir/help.txt.tmpl +++ b/cmd/mimir/help.txt.tmpl @@ -715,7 +715,7 @@ Usage of ./cmd/mimir/mimir: OAuth2 client ID. Enables the use of OAuth2 for authenticating with Alertmanager. -ruler.alertmanager-client.oauth.client_secret string OAuth2 client secret. - -ruler.alertmanager-client.oauth.scopes string + -ruler.alertmanager-client.oauth.scopes comma-separated-list-of-strings Optional scopes to include with the token request. -ruler.alertmanager-client.oauth.token_url string Endpoint used to fetch access token. diff --git a/docs/sources/mimir/configure/configuration-parameters/index.md b/docs/sources/mimir/configure/configuration-parameters/index.md index 7aef639c867..8a06067d199 100644 --- a/docs/sources/mimir/configure/configuration-parameters/index.md +++ b/docs/sources/mimir/configure/configuration-parameters/index.md @@ -1967,7 +1967,7 @@ alertmanager_client: # Optional scopes to include with the token request. # CLI flag: -ruler.alertmanager-client.oauth.scopes - [scopes: | default = []] + [scopes: | default = ""] # (advanced) Optional HTTP, HTTPS via CONNECT, or SOCKS5 proxy URL to route # requests through. Applies to all requests, including auxiliary traffic, such