Chore: add WeChat global config secret validation in Alertmanager (#7977)

* add wechat global config validation * move to cb method * add missing import * trigger ci * move to amcfg file * trigger ci * validate: add wechat semantic validation to cover url validation case * validation: update wechat validation to prevent nil pointer exception
2026-02-05 06:45:27 +01:00 · 2026-01-07 21:30:05 +08:00
parent 37ac74f402
commit 4a393db953
2 changed files with 60 additions and 1 deletions
--- a/pkg/alertmanager/amcfg.go
+++ b/pkg/alertmanager/amcfg.go
@@ -282,7 +282,7 @@ func (cb *ConfigBuilder) initializeFromAlertmanagerConfig(ctx context.Context, g
 		return err
 	}

-	if err := validationv1.ValidateAlertmanagerGlobalConfig(globalConfig); err != nil {
+	if err := cb.checkAlertmanagerGlobalConfigResource(ctx, globalConfig, crKey.Namespace); err != nil {
 		return err
 	}

@@ -3122,3 +3122,45 @@ func checkIsV2Matcher(in ...[]monitoringv1alpha1.Matcher) bool {
 	}
 	return false
 }
+
+func (cb *ConfigBuilder) checkAlertmanagerGlobalConfigResource(
+	ctx context.Context,
+	gc *monitoringv1.AlertmanagerGlobalConfig,
+	namespace string,
+) error {
+	if gc == nil {
+		return nil
+	}
+
+	// Perform semantic validation irrespective of the Alertmanager version.
+	if err := validationv1.ValidateAlertmanagerGlobalConfig(gc); err != nil {
+		return err
+	}
+
+	// Perform more specific validations which depend on the Alertmanager
+	// version. It also retrieves data from referenced secrets and configmaps
+	// (and fails in case of missing/invalid references).
+	if err := cb.checkGlobalWeChatConfig(ctx, gc.WeChatConfig, namespace); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (cb *ConfigBuilder) checkGlobalWeChatConfig(
+	ctx context.Context,
+	wc *monitoringv1.GlobalWeChatConfig,
+	namespace string,
+) error {
+	if wc == nil {
+		return nil
+	}
+
+	if wc.APISecret != nil {
+		if _, err := cb.store.GetSecretKey(ctx, namespace, *wc.APISecret); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
--- a/pkg/alertmanager/validation/v1/validation.go
+++ b/pkg/alertmanager/validation/v1/validation.go
@@ -17,6 +17,7 @@ package v1
 import (
 	"fmt"

+	"github.com/prometheus-operator/prometheus-operator/pkg/alertmanager/validation"
 	monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
 )

@@ -29,5 +30,21 @@ func ValidateAlertmanagerGlobalConfig(gc *monitoringv1.AlertmanagerGlobalConfig)
 		return fmt.Errorf("httpConfig: %w", err)
 	}

+	if err := validateGlobalWeChatConfig(gc.WeChatConfig); err != nil {
+		return fmt.Errorf("wechatConfig: %w", err)
+	}
+
+	return nil
+}
+
+func validateGlobalWeChatConfig(wc *monitoringv1.GlobalWeChatConfig) error {
+	if wc == nil {
+		return nil
+	}
+
+	if err := validation.ValidateURLPtr((*string)(wc.APIURL)); err != nil {
+		return fmt.Errorf("invalid apiURL: %w", err)
+	}
+
 	return nil
 }