prometheus: Add ability to authenticate with bearer token from file

Documentation/api.md

@@ -66,6 +66,7 @@ AlertmanagerEndpoints defines a selection of a single Endpoints object containin
 | scheme | Scheme to use when firing alerts. | string | false |
 | pathPrefix | Prefix for the HTTP path alerts are pushed to. | string | false |
 | tlsConfig | TLS Config to use for alertmanager connection. | *[TLSConfig](#tlsconfig) | false |
+| bearerTokenFile | BearerTokenFile to read from filesystem to use when authenticating to Alertmanager. | string | false |
 
 [Back to TOC](#table-of-contents)
 

example/prometheus-operator-crd/prometheus.crd.yaml

@@ -544,6 +544,10 @@ spec:
                       Endpoints object containing alertmanager IPs to fire alerts
                       against.
                     properties:
+                      bearerTokenFile:
+                        description: BearerTokenFile to read from filesystem to use
+                          when authenticating to Alertmanager.
+                        type: string
                       name:
                         description: Name of Endpoints object in Namespace.
                         type: string

pkg/client/monitoring/v1/openapi_generated.go

@@ -134,6 +134,13 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA
 								Ref:         ref("github.com/coreos/prometheus-operator/pkg/client/monitoring/v1.TLSConfig"),
 							},
 						},
+						"bearerTokenFile": {
+							SchemaProps: spec.SchemaProps{
+								Description: "BearerTokenFile to read from filesystem to use when authenticating to Alertmanager.",
+								Type:        []string{"string"},
+								Format:      "",
+							},
+						},
 					},
 					Required: []string{"namespace", "name", "port"},
 				},

pkg/client/monitoring/v1/types.go

@@ -271,6 +271,9 @@ type AlertmanagerEndpoints struct {
 	PathPrefix string `json:"pathPrefix,omitempty"`
 	// TLS Config to use for alertmanager connection.
 	TLSConfig *TLSConfig `json:"tlsConfig,omitempty"`
+	// BearerTokenFile to read from filesystem to use when authenticating to
+	// Alertmanager.
+	BearerTokenFile string `json:"bearerTokenFile,omitempty"`
 }
 
 // ServiceMonitor defines monitoring for a set of services.

pkg/prometheus/promcfg.go

@@ -497,6 +497,10 @@ func generateAlertmanagerConfig(version semver.Version, am v1.AlertmanagerEndpoi
 		cfg = append(cfg, k8sSDWithNamespaces([]string{am.Namespace}))
 	}
 
+	if am.BearerTokenFile != "" {
+		cfg = append(cfg, yaml.MapItem{Key: "bearer_token_file", Value: am.BearerTokenFile})
+	}
+
 	var relabelings []yaml.MapSlice
 
 	relabelings = append(relabelings, yaml.MapSlice{

pkg/prometheus/promcfg_test.go

@@ -83,6 +83,70 @@ func TestNamespaceSetCorrectly(t *testing.T) {
 	}
 }
 
+func TestAlertmanagerBearerToken(t *testing.T) {
+	cfg, err := generateConfig(
+		&monitoringv1.Prometheus{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "test",
+				Namespace: "default",
+			},
+			Spec: monitoringv1.PrometheusSpec{
+				Alerting: &monitoringv1.AlertingSpec{
+					Alertmanagers: []monitoringv1.AlertmanagerEndpoints{
+						{
+							Name:            "alertmanager-main",
+							Namespace:       "default",
+							Port:            intstr.FromString("web"),
+							BearerTokenFile: "/some/file/on/disk",
+						},
+					},
+				},
+			},
+		},
+		nil,
+		0,
+		map[string]BasicAuthCredentials{},
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// If this becomes an endless sink of maintenance, then we should just
+	// change this to check that just the `bearer_token_file` is set with
+	// something like json-path.
+	expected := `global:
+  evaluation_interval: 30s
+  scrape_interval: 30s
+  external_labels: {}
+scrape_configs: []
+alerting:
+  alertmanagers:
+  - path_prefix: /
+    scheme: http
+    kubernetes_sd_configs:
+    - role: endpoints
+      namespaces:
+        names:
+        - default
+    bearer_token_file: /some/file/on/disk
+    relabel_configs:
+    - action: keep
+      source_labels:
+      - __meta_kubernetes_service_name
+      regex: alertmanager-main
+    - action: keep
+      source_labels:
+      - __meta_kubernetes_endpoint_port_name
+      regex: web
+`
+
+	result := string(cfg)
+
+	if expected != result {
+		t.Fatalf("Unexpected result.\n\nGot:\n\n%s\n\nExpected:\n\n%s\n\n", result, expected)
+	}
+}
+
 func generateTestConfig(version string) ([]byte, error) {
 	replicas := int32(1)
 	return generateConfig(