Disable authentication for Management API

[ogibily]

Proposal

Hi,

I setup basic auth (using --web.config.file), when I deploy my image of alertmanager on Kubernetes, probes (startup, readiness) are not able to check the Management API because they are not providing authentication header (HTTP 401).
As a consequence the pod is not healthy.

Could it be possible to disable authentication for Management API ?

From our in-house Kubernetes expert:
Probe definitions are part of the static Pod specification and are validated before the container starts. Vault secrets are injected only at runtime, which means probes cannot consume Vault secrets, environment variables, or templated values (Helm, ArgoCD, etc.) for authentication headers.
The recommended and Kubernetes-approved approach is to keep health endpoints unauthenticated. Health checks should be lightweight, fast, and dependency-free.

As an example, such feature is implemented in InfluxDb by specifying a startup parameter "--disable-authz health" which disabled in this example the "health" api.

Thanks.

[TheMeier]

Hm this is from github.com/prometheus/exporter-toolkit/web if I am not mistaken. So I guess it would be the same for prometheus.

[SoloJacobs]

From what I have investigated, it appears that TheMeier is correct: To implement this feature we cannot use the handler, which is constructed by calling web.ListenAndServe. We would have to fix this issue upstream:

https://github.com/prometheus/exporter-toolkit/blob/7f8f4610a9a73abe1c1dba83d7dca0539ef1a00d/web/handler.go#L90

It does not seem completely out of question to allow users of that library to bypass authentication with something like:

bypassAuth    func(*http.Request) bool

If such a PR is accepted, then I would consider this feature, but not otherwise. Here are the relevant issues:

prometheus/exporter-toolkit#151
prometheus/prometheus#9166