Generally enable reading secrets from files

[beorn7]

This is the same as prometheus/prometheus#8551 , just for Alertmanager.

[roidelapluie]

Some fields we are missing:

smtp_auth_password_file
smtp_auth_secret_file
slack_api_url_file
victorops_api_key_file
opsgenie_api_key_file
wechat_api_secret_file

[gr8Adakron]

When can we expect to have configuration for victorops_api_key_file ??

[beorn7]

I guess the implementation for all the other fields will follow the same pattern as #2534. PRs welcome. 😃

[sinkingpoint]

Would anyone object to a general case of something like api_key: file:/tmp/foo to read the value for api_key from /tmp/foo? Seems like the most generic solution, if a bit "magic" but I'd be happy to PR it

[beorn7]

That would collide with any secret that happens to start with file: (unlikely, but who knows…).

I guess including a "schema" from the beginning would have been the best solution (file:/tmp/foo vs passwd:9euo9.y.3t3).

We could switch to such a generic solution with AM, in principle, because we are still pre 1.x, but on the other hand, keeping things consistent with Prometheus (where we cannot change easily) has its value, too.

Just my random thoughts…

[Duologic]

There are a few more not mentioned above:

• pagerduty.service_key_file
• pagerduty.routing_key_file
• pushover.user_key_file
• pushover.token_file

[roidelapluie]

I like to have multiple keys. Having file: would just lead to more yaml issues for new users.

[jkroepke]

I found a workaround for Opsgenie, Pagerduty and Pushover:

While coding #2728 I detect a hidden functionality inside Alertmanager.

I saw this functionally for pagerduty and pushover

• pagerduty.service_key_file
  

  alertmanager/notify/pagerduty/pagerduty.go

  Line 157 in 70abccc

  ServiceKey: tmpl(string(n.conf.ServiceKey)),

• pagerduty.routing_key_file
  

  alertmanager/notify/pagerduty/pagerduty.go

  Line 215 in 70abccc

  RoutingKey: tmpl(string(n.conf.RoutingKey)),

• pushover.user_key_file
• pushover.token_file
  

  alertmanager/notify/pushover/pushover.go

  Lines 78 to 79 in 70abccc

  	parameters.Add("token", tmpl(string(n.conf.Token)))
  	parameters.Add("user", tmpl(string(n.conf.UserKey)))

All properties are piped through Alertmanager template engine.

A possible workaround would be to define template (this can be a file on the filesystem, maybe mounted through an kubernetes secret) a like:

{{ define "pushover.default.user_key" }}API_KEY{{ end }}

And inside the configuration of Aertmanager, use this template inside the configuration:

receivers:
- name: 'team-X'
  pushover_configs:
  - user_key: '{{ template "pushover.default.user_key" . }}'

That could be a workaround some users. Except for VictorOps.

[parberge]

It would be nice to use the feature #2728. Any plans on doing a release soon?

[valvin1]

I found a workaround for Opsgenie, Pagerduty and Pushover:
...
A possible workaround would be to define template (this can be a file on the filesystem, maybe mounted through an kubernetes secret) a like:

{{ define "pushover.default.user_key" }}API_KEY{{ end }}

And inside the configuration of Aertmanager, use this template inside the configuration:

receivers:
- name: 'team-X'
  pushover_configs:
  - user_key: '{{ template "pushover.default.user_key" . }}'

I was so happy while reading this workaround unfortunately it doesn't work for smtp configuration.

https://github.com/prometheus/alertmanager/blob/main/notify/email/email.go#L103

really hope #3038 will be accepted and available.