Updated to use non-pointer version

Signed-off-by: Anand Rajagopal <anrajag@amazon.com>

Author: rajagopalanand

cmd/alertmanager/main.go

@@ -17,8 +17,6 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"github.com/prometheus/alertmanager/secrets"
-	"github.com/prometheus/alertmanager/secrets/providers"
 	"log/slog"
 	"net"
 	"net/http"
@@ -32,6 +30,9 @@ import (
 	"syscall"
 	"time"
 
+	"github.com/prometheus/alertmanager/secrets"
+	"github.com/prometheus/alertmanager/secrets/providers"
+
 	"github.com/KimMachineGun/automemlimit/memlimit"
 	"github.com/alecthomas/kingpin/v2"
 	"github.com/prometheus/client_golang/prometheus"
@@ -160,10 +161,10 @@ func run() int {
 		httpTimeout    = kingpin.Flag("web.timeout", "Timeout for HTTP requests. If negative or zero, no timeout is set.").Default("0").Duration()
 
 		memlimitRatio = kingpin.Flag("auto-gomemlimit.ratio", "The ratio of reserved GOMEMLIMIT memory to the detected maximum container or system memory. The value must be greater than 0 and less than or equal to 1.").
-			Default("0.9").Float64()
+				Default("0.9").Float64()
 
 		clusterBindAddr = kingpin.Flag("cluster.listen-address", "Listen address for cluster. Set to empty string to disable HA mode.").
-			Default(defaultClusterAddr).String()
+				Default(defaultClusterAddr).String()
 		clusterAdvertiseAddr   = kingpin.Flag("cluster.advertise-address", "Explicit address to advertise in cluster.").String()
 		peers                  = kingpin.Flag("cluster.peer", "Initial peers (may be repeated).").Strings()
 		peerTimeout            = kingpin.Flag("cluster.peer-timeout", "Time to wait between peers to send notifications.").Default("15s").Duration()
@@ -435,8 +436,10 @@ func run() int {
 		})
 
 		spRegistry := secrets.NewSecretsProviderRegistry(logger, prometheus.NewRegistry())
-		// currently only one secrets providers is supported
-		spRegistry.Register(providers.AWSSecretsManagerSecretProviderDiscoveryConfig{})
+		// currently only one secrets provider is registered. Inline secrets provider is always available
+		if spRegistry.Register(providers.AWSSecretsManagerSecretProviderDiscoveryConfig{}) != nil {
+			configLogger.Error("failed to register secrets provider", "err", err)
+		}
 		spRegistry.Init()
 		// Build the map of receiver to integrations.
 		receivers := make(map[string][]notify.Integration, len(activeReceivers))

config/config_test.go

@@ -23,6 +23,8 @@ import (
 	"testing"
 	"time"
 
+	"github.com/prometheus/alertmanager/secrets"
+
 	commoncfg "github.com/prometheus/common/config"
 	"github.com/prometheus/common/model"
 	"github.com/prometheus/common/promslog"
@@ -528,6 +530,8 @@ func TestHideConfigSecrets(t *testing.T) {
 func TestShowMarshalSecretValues(t *testing.T) {
 	MarshalSecretValue = true
 	defer func() { MarshalSecretValue = false }()
+	secrets.MarshalSecretValue = true
+	defer func() { secrets.MarshalSecretValue = false }()
 
 	c, err := LoadFile("testdata/conf.good.yml")
 	if err != nil {

config/notifiers.go

@@ -16,13 +16,14 @@ package config
 import (
 	"errors"
 	"fmt"
-	"github.com/prometheus/alertmanager/secrets"
 	"net/textproto"
 	"regexp"
 	"strings"
 	"text/template"
 	"time"
 
+	"github.com/prometheus/alertmanager/secrets"
+
 	commoncfg "github.com/prometheus/common/config"
 	"github.com/prometheus/common/model"
 	"github.com/prometheus/sigv4"
@@ -329,22 +330,22 @@ type PagerdutyConfig struct {
 
 	HTTPConfig *commoncfg.HTTPClientConfig `yaml:"http_config,omitempty" json:"http_config,omitempty"`
 
-	ServiceKey     *secrets.GenericSecret `yaml:"service_key,omitempty" json:"service_key,omitempty"`
-	ServiceKeyFile string                 `yaml:"service_key_file,omitempty" json:"service_key_file,omitempty"`
-	RoutingKey     *secrets.GenericSecret `yaml:"routing_key,omitempty" json:"routing_key,omitempty"`
-	RoutingKeyFile string                 `yaml:"routing_key_file,omitempty" json:"routing_key_file,omitempty"`
-	URL            *URL                   `yaml:"url,omitempty" json:"url,omitempty"`
-	Client         string                 `yaml:"client,omitempty" json:"client,omitempty"`
-	ClientURL      string                 `yaml:"client_url,omitempty" json:"client_url,omitempty"`
-	Description    string                 `yaml:"description,omitempty" json:"description,omitempty"`
-	Details        map[string]string      `yaml:"details,omitempty" json:"details,omitempty"`
-	Images         []PagerdutyImage       `yaml:"images,omitempty" json:"images,omitempty"`
-	Links          []PagerdutyLink        `yaml:"links,omitempty" json:"links,omitempty"`
-	Source         string                 `yaml:"source,omitempty" json:"source,omitempty"`
-	Severity       string                 `yaml:"severity,omitempty" json:"severity,omitempty"`
-	Class          string                 `yaml:"class,omitempty" json:"class,omitempty"`
-	Component      string                 `yaml:"component,omitempty" json:"component,omitempty"`
-	Group          string                 `yaml:"group,omitempty" json:"group,omitempty"`
+	ServiceKey     secrets.GenericSecret `yaml:"service_key,omitempty" json:"service_key,omitempty"`
+	ServiceKeyFile string                `yaml:"service_key_file,omitempty" json:"service_key_file,omitempty"`
+	RoutingKey     secrets.GenericSecret `yaml:"routing_key,omitempty" json:"routing_key,omitempty"`
+	RoutingKeyFile string                `yaml:"routing_key_file,omitempty" json:"routing_key_file,omitempty"`
+	URL            *URL                  `yaml:"url,omitempty" json:"url,omitempty"`
+	Client         string                `yaml:"client,omitempty" json:"client,omitempty"`
+	ClientURL      string                `yaml:"client_url,omitempty" json:"client_url,omitempty"`
+	Description    string                `yaml:"description,omitempty" json:"description,omitempty"`
+	Details        map[string]string     `yaml:"details,omitempty" json:"details,omitempty"`
+	Images         []PagerdutyImage      `yaml:"images,omitempty" json:"images,omitempty"`
+	Links          []PagerdutyLink       `yaml:"links,omitempty" json:"links,omitempty"`
+	Source         string                `yaml:"source,omitempty" json:"source,omitempty"`
+	Severity       string                `yaml:"severity,omitempty" json:"severity,omitempty"`
+	Class          string                `yaml:"class,omitempty" json:"class,omitempty"`
+	Component      string                `yaml:"component,omitempty" json:"component,omitempty"`
+	Group          string                `yaml:"group,omitempty" json:"group,omitempty"`
 }
 
 // PagerdutyLink is a link.
@@ -360,20 +361,24 @@ type PagerdutyImage struct {
 	Href string `yaml:"href,omitempty" json:"href,omitempty"`
 }
 
+func (c *PagerdutyConfig) isKeyZero() bool {
+	return c.ServiceKey.IsZero() && c.RoutingKey.IsZero()
+}
+
 // UnmarshalYAML implements the yaml.Unmarshaler interface.
 func (c *PagerdutyConfig) UnmarshalYAML(unmarshal func(interface{}) error) error {
 	*c = DefaultPagerdutyConfig
 	type plain PagerdutyConfig
 	if err := unmarshal((*plain)(c)); err != nil {
 		return err
 	}
-	if c.RoutingKey == nil && c.ServiceKey == nil && c.RoutingKeyFile == "" && c.ServiceKeyFile == "" {
+	if c.isKeyZero() && c.RoutingKeyFile == "" && c.ServiceKeyFile == "" {
 		return errors.New("missing service or routing key in PagerDuty config")
 	}
-	if c.RoutingKey != nil && len(c.RoutingKeyFile) > 0 {
+	if !c.RoutingKey.IsZero() && len(c.RoutingKeyFile) > 0 {
 		return errors.New("at most one of routing_key & routing_key_file must be configured")
 	}
-	if c.ServiceKey != nil && len(c.ServiceKeyFile) > 0 {
+	if !c.ServiceKey.IsZero() && len(c.ServiceKeyFile) > 0 {
 		return errors.New("at most one of service_key & service_key_file must be configured")
 	}
 	if c.Details == nil {

config/notifiers_test.go

@@ -142,7 +142,7 @@ routing_key_file: 'xyz'
 func TestPagerdutyServiceKey(t *testing.T) {
 	t.Run("error if no service key or key file", func(t *testing.T) {
 		in := `
-service_key: ''
+service_key:
 `
 		var cfg PagerdutyConfig
 		err := yaml.UnmarshalStrict([]byte(in), &cfg)

config/receiver/receiver.go

@@ -14,9 +14,10 @@
 package receiver
 
 import (
-	"github.com/prometheus/alertmanager/secrets"
 	"log/slog"
 
+	"github.com/prometheus/alertmanager/secrets"
+
 	commoncfg "github.com/prometheus/common/config"
 	"github.com/prometheus/common/promslog"
 

config/receiver/receiver_test.go

@@ -16,6 +16,11 @@ package receiver
 import (
 	"testing"
 
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/prometheus/common/promslog"
+
+	"github.com/prometheus/alertmanager/secrets"
+
 	commoncfg "github.com/prometheus/common/config"
 	"github.com/stretchr/testify/require"
 
@@ -71,7 +76,8 @@ func TestBuildReceiverIntegrations(t *testing.T) {
 	} {
 		tc := tc
 		t.Run("", func(t *testing.T) {
-			integrations, err := BuildReceiverIntegrations(tc.receiver, nil, nil)
+			sp := secrets.NewSecretsProviderRegistry(promslog.NewNopLogger(), prometheus.DefaultRegisterer)
+			integrations, err := BuildReceiverIntegrations(tc.receiver, nil, nil, sp)
 			if tc.err {
 				require.Error(t, err)
 				return

notify/pagerduty/pagerduty.go

@@ -19,13 +19,14 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"github.com/prometheus/alertmanager/secrets"
 	"io"
 	"log/slog"
 	"net/http"
 	"os"
 	"strings"
 
+	"github.com/prometheus/alertmanager/secrets"
+
 	"github.com/alecthomas/units"
 	commoncfg "github.com/prometheus/common/config"
 	"github.com/prometheus/common/model"
@@ -62,14 +63,21 @@ func New(c *config.PagerdutyConfig, t *template.Template, l *slog.Logger, spRegi
 		return nil, err
 	}
 	n := &Notifier{conf: c, tmpl: t, logger: l, client: client}
-	if c.ServiceKey != nil || c.ServiceKeyFile != "" {
+
+	if !c.ServiceKey.IsZero() {
 		n.secretsFetcher, err = spRegistry.RegisterSecret(c.ServiceKey)
+	} else if !c.RoutingKey.IsZero() {
+		n.secretsFetcher, err = spRegistry.RegisterSecret(c.RoutingKey)
+	}
+	if err != nil {
+		l.Error("error registering secret", "err", err)
+	}
+	if !c.ServiceKey.IsZero() || c.ServiceKeyFile != "" {
 		n.apiV1 = "https://events.pagerduty.com/generic/2010-04-15/create_event.json"
 		// Retrying can solve the issue on 403 (rate limiting) and 5xx response codes.
 		// https://v2.developer.pagerduty.com/docs/trigger-events
 		n.retrier = &notify.Retrier{RetryCodes: []int{http.StatusForbidden}, CustomDetailsFunc: errDetails}
 	} else {
-		n.secretsFetcher, err = spRegistry.RegisterSecret(c.RoutingKey)
 		// Retrying can solve the issue on 429 (rate limiting) and 5xx response codes.
 		// https://v2.developer.pagerduty.com/docs/events-api-v2#api-response-codes--retry-logic
 		n.retrier = &notify.Retrier{RetryCodes: []int{http.StatusTooManyRequests}, CustomDetailsFunc: errDetails}
@@ -148,19 +156,22 @@ func (n *Notifier) encodeMessage(msg *pagerDutyMessage) (bytes.Buffer, error) {
 }
 
 func (n *Notifier) getSecret(ctx context.Context) string {
-	var secret *secrets.GenericSecret
-	if n.conf.ServiceKey != nil {
+	var secret secrets.GenericSecret
+	if !n.conf.ServiceKey.IsZero() {
 		secret = n.conf.ServiceKey
-	} else {
+	} else if !n.conf.RoutingKey.IsZero() {
 		secret = n.conf.RoutingKey
 	}
+	if secret.IsZero() || n.secretsFetcher == nil {
+		return ""
+	}
 
-	if sec, err := n.secretsFetcher.FetchSecret(ctx, secret); err != nil {
-		n.logger.Error("unable to fetch secret", err)
+	sec, err := n.secretsFetcher.FetchSecret(ctx, secret)
+	if err != nil {
+		n.logger.Error("unable to fetch secret", "error", err)
 		return ""
-	} else {
-		return sec
 	}
+	return sec
 }
 
 func (n *Notifier) notifyV1(
@@ -179,9 +190,8 @@ func (n *Notifier) notifyV1(
 		n.logger.Warn("Truncated description", "key", key, "max_runes", maxV1DescriptionLenRunes)
 	}
 
-	//serviceKey := string(n.conf.ServiceKey)
 	serviceKey := n.getSecret(ctx)
-	if serviceKey == "" {
+	if serviceKey == "" && n.conf.ServiceKeyFile != "" {
 		content, fileErr := os.ReadFile(n.conf.ServiceKeyFile)
 		if fileErr != nil {
 			return false, fmt.Errorf("failed to read service key from file: %w", fileErr)
@@ -220,6 +230,9 @@ func (n *Notifier) notifyV1(
 	if err != nil {
 		return true, fmt.Errorf("failed to post message to PagerDuty v1: %w", err)
 	}
+	if resp.StatusCode == 403 {
+		n.secretsFetcher.RefreshCredentialsAsync()
+	}
 	defer notify.Drain(resp)
 
 	return n.retrier.Check(resp.StatusCode, resp.Body)
@@ -245,9 +258,8 @@ func (n *Notifier) notifyV2(
 		n.logger.Warn("Truncated summary", "key", key, "max_runes", maxV2SummaryLenRunes)
 	}
 
-	//routingKey := string(n.conf.RoutingKey)
 	routingKey := n.getSecret(ctx)
-	if routingKey == "" {
+	if routingKey == "" && n.conf.RoutingKeyFile != "" {
 		content, fileErr := os.ReadFile(n.conf.RoutingKeyFile)
 		if fileErr != nil {
 			return false, fmt.Errorf("failed to read routing key from file: %w", fileErr)
@@ -317,6 +329,9 @@ func (n *Notifier) notifyV2(
 	}
 	defer notify.Drain(resp)
 
+	if resp.StatusCode == 403 {
+		n.secretsFetcher.RefreshCredentialsAsync()
+	}
 	retry, err := n.retrier.Check(resp.StatusCode, resp.Body)
 	if err != nil {
 		return retry, notify.NewErrorWithReason(notify.GetFailureReasonFromStatusCode(resp.StatusCode), err)