diff --git a/pkg/alertmanager/api.go b/pkg/alertmanager/api.go index 907a7cc888..cefbbbc634 100644 --- a/pkg/alertmanager/api.go +++ b/pkg/alertmanager/api.go @@ -296,6 +296,9 @@ func validateReceiverHTTPConfig(cfg commoncfg.HTTPClientConfig) error { if cfg.BasicAuth != nil && cfg.BasicAuth.PasswordFile != "" { return errPasswordFileNotAllowed } + if cfg.Authorization != nil && cfg.Authorization.CredentialsFile != "" { + return errPasswordFileNotAllowed + } if cfg.BearerTokenFile != "" { return errPasswordFileNotAllowed } diff --git a/pkg/alertmanager/api_test.go b/pkg/alertmanager/api_test.go index 230f3877fa..86f10c688d 100644 --- a/pkg/alertmanager/api_test.go +++ b/pkg/alertmanager/api_test.go @@ -253,6 +253,22 @@ alertmanager_config: | http_config: bearer_token_file: /secrets + route: + receiver: 'default-receiver' + receivers: + - name: default-receiver +`, + err: errors.Wrap(errPasswordFileNotAllowed, "error validating Alertmanager config"), + }, + { + name: "Should return error if global HTTP credentials_file is set", + cfg: ` +alertmanager_config: | + global: + http_config: + authorization: + credentials_file: /secrets + route: receiver: 'default-receiver' receivers: @@ -288,6 +304,23 @@ alertmanager_config: | http_config: bearer_token_file: /secrets + route: + receiver: 'default-receiver' +`, + err: errors.Wrap(errPasswordFileNotAllowed, "error validating Alertmanager config"), + }, + { + name: "Should return error if receiver's HTTP credentials_file is set", + cfg: ` +alertmanager_config: | + receivers: + - name: default-receiver + webhook_configs: + - url: http://localhost + http_config: + authorization: + credentials_file: /secrets + route: receiver: 'default-receiver' `, @@ -480,7 +513,7 @@ func TestValidateAlertmanagerConfig(t *testing.T) { for testName, testData := range tests { t.Run(testName, func(t *testing.T) { err := validateAlertmanagerConfig(testData.input) - assert.True(t, errors.Is(err, testData.expected)) + assert.ErrorIs(t, err, testData.expected) }) } }