Allow to fetch Alertmanager configuration from a ConfigMap #5192

Closed
multani opened this issue Nov 28, 2022 · 2 comments
@multani

multani commented Nov 28, 2022

What is missing?

The Prometheus Operator always fetches the Alertmanager configuration from a Kubernetes Secret (configSecret key from the alertmanagerSpec).

I suppose the configuration was fetched from a Secret because traditionally, passwords, API keys and/or tokens, etc. were directly part of Alertmanager's configuration file.

For a few releases already, Alertmanager has supported reading secrets from external files, rendering the main configuration file secret-free for most of the secrets, see: prometheus/alertmanager#2498

It would be nice, instead of storing the whole Alertmanager configuration in a Secret, to be able to store it in a normal ConfigMap and reference external secrets through the new `_file` options.

Why do we need it?

This would cleanly separate the non-secret configuration part from the really secret configuration parts, and would make the main configuration file easier to manipulate through normal Kubernetes ConfigMap access, without leaking secrets.

Environment

  • Prometheus Operator version:
    prometheus-operator:v0.59.2
    kube-prometheus-stack-41.7.4
    

Anything else we need to know?:

@simonpasquier
Contributor

One pitfall if we were to implement this is that users may start putting sensitive data in the ConfigMap. At least the secret approach makes it obvious that it has security implications.
A better approach would be to promote the usage of the new `spec.alertmanagerConfiguration` field in the Alertmanager CRD as described here.

@multani
Author

multani commented Nov 30, 2022

@simonpasquier Ah yes, this is actually a nice alternative that I completely missed 👍

@multani multani closed this as completed Nov 30, 2022
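
The pitfall raised in this thread (sensitive values ending up in a ConfigMap once the configuration leaves a Secret) can be checked mechanically. The Python check below is an added example, not code from the Prometheus Operator or Alertmanager projects; the key-name pattern, the `find_inline_secrets` helper, the mount paths and both sample configurations are assumptions constructed for illustration.

```python
import re

# Assumption: key-name endings that usually carry credentials in an
# Alertmanager configuration. Extend the list for the receivers you use.
SECRET_KEY = re.compile(
    r"(password|secret|token|credentials|api_key|api_url|routing_key|service_key)$")
# A URL of the form scheme://user:pass@host also embeds a credential.
URL_WITH_CREDS = re.compile(r"https?://[^/\s:@]+:[^/\s@]+@")


def find_inline_secrets(node, path=""):
    """Walk a parsed config; return (path, reason) for values unsafe in a ConfigMap."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if isinstance(value, (dict, list)):
                findings += find_inline_secrets(value, here)
            elif key.endswith("_file"):
                continue  # a path to a mounted file, not the secret itself
            elif SECRET_KEY.search(key) and value not in (None, ""):
                findings.append((here, "inline secret value"))
            elif isinstance(value, str) and URL_WITH_CREDS.match(value):
                findings.append((here, "URL with embedded credentials"))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings += find_inline_secrets(item, f"{path}[{i}]")
    return findings


def webhook(auth):
    """Constructed receiver list with one webhook using the given basic_auth."""
    return [{"name": "team", "webhook_configs": [{
        "url": "https://alerts.example.internal/hook",
        "http_config": {"basic_auth": auth}}]}]


# Constructed sample: secrets inline, so it must stay in a Secret.
LEAKY = {
    "global": {"slack_api_url": "https://hooks.example.invalid/services/PLACEHOLDER"},
    "route": {"receiver": "team"},
    "receivers": webhook({"username": "am", "password": "example-password"}),
}
# Constructed sample: same settings through `_file` options (paths are assumed).
CLEAN = {
    "global": {"slack_api_url_file": "/etc/alertmanager/secrets/am/slack_url"},
    "route": {"receiver": "team"},
    "receivers": webhook({"username": "am",
                          "password_file": "/etc/alertmanager/secrets/am/webhook_pw"}),
}
```

An empty result from `find_inline_secrets` is the precondition for keeping a configuration outside a Secret; any finding means the value should move to a `_file` option where one exists or the configuration should remain in a Secret.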