
Ability to set request headers of amtool

Open ryan-dyer-sp opened this issue 4 years ago • 8 comments

Proposal

For the amtool to support passing in HTTP request headers via parameters. We manage over a dozen AMs, each fronted with a Cloudflare reverse proxy. Currently we can't use the amtool to manage AM (create/delete silences) as we need to be able to pass in Cloudflare-specific headers for auth purposes. The scenario would occur for anyone with a reverse proxy with auth in front of their AM.

Being able to specify request headers via a simple --header key:value would allow most users to be able to access their AM ingresses and deal with auth.

I have investigated adding this functionality myself via PR, but want to make sure this is something that could potentially get approved.

Thanks.

ryan-dyer-sp avatar May 24 '21 17:05 ryan-dyer-sp

@roidelapluie I'd like to know your thoughts on this when you have time - I could use this functionality as well, although I know in the past that we have shied away from adding anything "business logic-y" to alertmanager

sinkingpoint avatar Nov 19 '21 01:11 sinkingpoint

At this point, do you think we could have an "http_client" config file? That would enable all the auth scenarios and avoid passwords in the command line.

roidelapluie avatar Nov 19 '21 14:11 roidelapluie

That would work for static auth tokens, but a lot of oauth proxies rotate their credentials fairly regularly so updating the file each time might be a pain. I agree that having passwords in plaintext in a bash history isn't ideal though.

Maybe we could compromise and support something like @file syntax (similar to curl etc)? e.g.

amtool -H '[email protected]' silence query ...

That would at least allow a simple get_auth_token > authtoken.secret && amtool ... rather than having to parse yaml (or whatever structure our config is in) in order to update things

sinkingpoint avatar Nov 21 '21 23:11 sinkingpoint

We could have https://github.com/prometheus/alertmanager/pull/2764 take bearer-token-file instead of bearer-token then? However, the OP does not specify which header they want to address, is it authorization?

roidelapluie avatar Nov 22 '21 07:11 roidelapluie

Considering the OP mentions Cloudflare I'd imagine they're referring to Cloudflare Access, which uses the Cf-Access-Token header (just to be difficult...)

sinkingpoint avatar Nov 22 '21 11:11 sinkingpoint

@sinkingpoint That's correct.

ryan-dyer-sp avatar Nov 22 '21 16:11 ryan-dyer-sp

I am against passing secrets in the command line, but I do not want to be "on the way", so I have reached out to the community for more data/ideas/opinions: https://groups.google.com/g/prometheus-developers/c/-lXLx2nYKlk

roidelapluie avatar Nov 23 '21 16:11 roidelapluie

Any movement on this?

ohaiwalt avatar Dec 08 '23 15:12 ohaiwalt