TLS config for connecting to Alertmanager

Dockerfile

@@ -13,6 +13,8 @@ RUN make all
 
 FROM debian:bookworm-slim
 
+RUN apt-get update && apt-get install -y curl ca-certificates && rm -rf /var/lib/apt/lists/*
+
 COPY --from=builder /build/alerts_exporter /usr/local/bin/alerts_exporter
 
 ENTRYPOINT [ "alerts_exporter" ]

go.mod

@@ -3,6 +3,7 @@ module github.com/appuio/alerts_exporter
 go 1.21.3
 
 require (
+	github.com/go-openapi/runtime v0.26.0
 	github.com/prometheus/alertmanager v0.26.0
 	github.com/prometheus/client_golang v1.17.0
 	golang.org/x/exp v0.0.0-20231006140011-7918f672742d
@@ -19,7 +20,6 @@ require (
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
 	github.com/go-openapi/jsonreference v0.20.0 // indirect
 	github.com/go-openapi/loads v0.21.2 // indirect
-	github.com/go-openapi/runtime v0.26.0 // indirect
 	github.com/go-openapi/spec v0.20.8 // indirect
 	github.com/go-openapi/strfmt v0.21.7 // indirect
 	github.com/go-openapi/swag v0.22.3 // indirect

main.go

@@ -7,7 +7,8 @@ import (
 	"net/http"
 
 	alertscollector "github.com/appuio/alerts_exporter/internal/alerts_collector"
-	"github.com/prometheus/alertmanager/api/v2/client"
+	openapiclient "github.com/go-openapi/runtime/client"
+	alertmanagerclient "github.com/prometheus/alertmanager/api/v2/client"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 )
@@ -16,9 +17,23 @@ var host string
 var withInhibited, withSilenced, withUnprocessed, withActive bool
 var filters stringSliceFlag
 
+var tlsCert, tlsCertKey, tlsCaCert, tlsServerName string
+var tlsInsecure bool
+var useTLS bool
+var bearerToken string
+
 func main() {
 	flag.StringVar(&host, "host", "localhost:9093", "The host of the Alertmanager")
 
+	flag.BoolVar(&useTLS, "tls", false, "Use TLS when connecting to Alertmanager")
+	flag.StringVar(&tlsCert, "tls-cert", "", "Path to client certificate for TLS authentication")
+	flag.StringVar(&tlsCertKey, "tls-cert-key", "", "Path to client certificate key for TLS authentication")
+	flag.StringVar(&tlsCaCert, "tls-ca-cert", "", "Path to CA certificate. System certificates are used if not provided.")
+	flag.StringVar(&tlsServerName, "tls-server-name", "", "Server name to verify the hostname on the returned certificates. It must be a substring of either the Common Name or a Subject Alternative Name in the certificate. If empty, the hostname given in the address parameter is used.")
+	flag.BoolVar(&tlsInsecure, "insecure", false, "Disable TLS host verification")
+
+	flag.StringVar(&bearerToken, "bearer-token", "", "Bearer token to use for authentication")
+
 	flag.BoolVar(&withActive, "with-active", true, "Query for active alerts")
 	flag.BoolVar(&withInhibited, "with-inhibited", true, "Query for inhibited alerts")
 	flag.BoolVar(&withSilenced, "with-silenced", true, "Query for silenced alerts")
@@ -27,7 +42,33 @@ func main() {
 
 	flag.Parse()
 
-	ac := client.NewHTTPClientWithConfig(nil, client.DefaultTransportConfig().WithHost(host))
+	opts := openapiclient.TLSClientOptions{
+		Certificate: tlsCert,
+		Key:         tlsCertKey,
+		CA:          tlsCaCert,
+		ServerName:  tlsServerName,
+	}
+	if tlsInsecure {
+		opts.InsecureSkipVerify = true
+		opts.ServerName = ""
+	}
+	var schemes []string
+	if useTLS {
+		schemes = []string{"https"}
+	}
+
+	hc, err := openapiclient.TLSClient(opts)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	rt := openapiclient.NewWithClient(host, alertmanagerclient.DefaultBasePath, schemes, hc)
+
+	if bearerToken != "" {
+		rt.DefaultAuthentication = openapiclient.BearerToken(bearerToken)
+	}
+
+	ac := alertmanagerclient.New(rt, nil)
 
 	reg := prometheus.NewRegistry()