Loki basic auth towards mimir/prometheus alertmanager

danieldagfinrud · May 16, 2023, 4:03pm

Context:
I’m running the latest available version of Loki in single binary mode using the helm chart here: loki/production/helm/loki at main · grafana/loki · GitHub and I am trying to send alerts to my Mimir Alertmanager (which is already in charge of my other prometheus alerts).

Question:
I have been looking through your documentation to see if I can find any way for loki to authenticate towards my Alertmanager with basic auth and I stumbled upon this:

github.com/grafana/loki

Alertmanager authentication configuration for ruler

opened 10:55AM - 20 Nov 20 UTC

closed 08:00AM - 17 May 22 UTC

pgassmann

help wanted keepalive

**Is your feature request related to a problem? Please describe.** There is c…urrently no option to configure authentication for the loki ruler to alertmanager connection. Currently `ruler_config` only has a simple string option for alertmanager_url: https://grafana.com/docs/loki/latest/configuration/#ruler_config ```yaml # Comma-separated list of Alertmanager URLs to send notifications to. # Each Alertmanager URL is treated as a separate group in the configuration. # Multiple Alertmanagers in HA per group can be supported by using DNS # resolution via -ruler.alertmanager-discovery. # CLI flag: -ruler.alertmanager-url [alertmanager_url: <string> | default = ""] ``` **Describe the solution you'd like** Options to configure authentication. like in promtail for connection to loki: https://grafana.com/docs/loki/latest/clients/promtail/configuration/#client_config Or prometheus configuration for alertmanager https://www.prometheus.io/docs/prometheus/latest/configuration/configuration/#alertmanager_config Extract from promtail configuration: ```yaml # If using basic auth, configures the username and password # sent. basic_auth: # The username to use for basic auth [username: <string>] # The password to use for basic auth [password: <string>] # The file containing the password for basic auth [password_file: <filename>] # Bearer token to send to the server. [bearer_token: <secret>] ``` **Describe alternatives you've considered** Currently the only option seems to connect without authentication over a secure internal network, or otherwise restrict access to alertmanager by ip whitelisting. or use a cryptic url.

From what I gathered from this particular thread, it seems like this is possible but poorly documented. I’ve come up with the following configuration in my Loki helm chart:

rulerConfig: 
    wal:
      dir: /loki/ruler-wal
    alertmanager_url: https://mimir-alertmanager/alertmanager/
    alertmanager_client:
      basic_auth_username: ${loki_alertmanager_username}
      basic_auth_password: ${loki_alertmanager_password}
    ring:
      kvstore:
        store: inmemory
    enable_api: true
    rule_path: /loki/rules/fake/
    storage:
      type: azure
      local:
        directory: /loki/rules

The basic auth variables are mounted as extraEnvFrom for the single binary pods.
When I trigger some test alerts - I am seeing the following in my loki pods:

level=error ts=2023-05-16T15:04:25.585026679Z caller=notifier.go:534 user=1 alertmanager=https://mimir-alertmanager/alertmanager/api/v1/alerts count=1 msg="Error sending alert" err="bad response status 401 Unauthorized"

Any pointers in the right direction would be very much appreciated. If this ends up working, and there actually is no documentation for it, I will gladly contribute and add this as well.
Thanks!