Add support for authenticating by bearer or JWT token to mimirtool

CHANGELOG.md

@@ -79,6 +79,7 @@
 
 ### Mimirtool
 
+* [FEATURE] Added bearer token support for when Mimir is behind a gateway authenticating by bearer token. #2146
 * [BUGFIX] mimirtool analyze: Fix dashboard JSON unmarshalling errors (#1840). #1973
 
 ### Mimir Continuous Test

operations/mimir-rules-action/README.md

@@ -11,6 +11,7 @@ This action is configured using environment variables defined in the workflow. T
 | `MIMIR_ADDRESS`              | URL address for the target Mimir cluster                                                                                                                                                                                                                                                           | `false`  | N/A     |
 | `MIMIR_TENANT_ID`            | ID for the desired tenant in the target Mimir cluster. Used as the username under HTTP Basic authentication.                                                                                                                                                                                       | `false`  | N/A     |
 | `MIMIR_API_KEY`              | Optional password that is required for password-protected Mimir clusters. An encrypted [github secret](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets) is recommended. Used as the password under HTTP Basic authentication. | `false`  | N/A     |
+| `MIMIR_AUTH_TOKEN`           | Optional bearer or JWT token that is required for Mimir clusters authenticating by bearer or JWT token. An encrypted [github secret](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets) is recommended.                         | `false`  | N/A     |
 | `ACTION`                     | Which action to take. One of `lint`, `prepare`, `check`, `diff` or `sync`                                                                                                                                                                                                                          | `true`   | N/A     |
 | `RULES_DIR`                  | Comma-separated list of directories to walk in order to source rules files                                                                                                                                                                                                                         | `false`  | `./`    |
 | `LABEL_EXCLUDED_RULE_GROUPS` | Comma separated list of rule group names to exclude when including the configured label to aggregations. This option is supported only by the `prepare` action.                                                                                                                                    | `false`  | N/A     |

pkg/mimirtool/client/client.go

@@ -38,17 +38,19 @@ type Config struct {
 	Address         string `yaml:"address"`
 	ID              string `yaml:"id"`
 	TLS             tls.ClientConfig
-	UseLegacyRoutes bool `yaml:"use_legacy_routes"`
+	UseLegacyRoutes bool   `yaml:"use_legacy_routes"`
+	AuthToken       string `yaml:"auth_token"`
 }
 
 // MimirClient is used to get and load rules into a Mimir ruler.
 type MimirClient struct {
-	user     string
-	key      string
-	id       string
-	endpoint *url.URL
-	Client   http.Client
-	apiPath  string
+	user      string
+	key       string
+	id        string
+	endpoint  *url.URL
+	Client    http.Client
+	apiPath   string
+	authToken string
 }
 
 // New returns a new MimirClient.
@@ -90,12 +92,13 @@ func New(cfg Config) (*MimirClient, error) {
 	}
 
 	return &MimirClient{
-		user:     cfg.User,
-		key:      cfg.Key,
-		id:       cfg.ID,
-		endpoint: endpoint,
-		Client:   client,
-		apiPath:  path,
+		user:      cfg.User,
+		key:       cfg.Key,
+		id:        cfg.ID,
+		endpoint:  endpoint,
+		Client:    client,
+		apiPath:   path,
+		authToken: cfg.AuthToken,
 	}, nil
 }
 
@@ -119,10 +122,24 @@ func (r *MimirClient) doRequest(path, method string, payload []byte) (*http.Resp
 		return nil, err
 	}
 
-	if r.user != "" {
+	switch {
+	case (r.user != "" || r.key != "") && r.authToken != "":
+		err := errors.New("at most one of basic auth or auth token should be configured")
+		log.WithFields(log.Fields{
+			"url":    req.URL.String(),
+			"method": req.Method,
+			"error":  err,
+		}).Errorln("error during setting up request to mimir api")
+		return nil, err
+
+	case r.user != "":
 		req.SetBasicAuth(r.user, r.key)
-	} else if r.key != "" {
+
+	case r.key != "":
 		req.SetBasicAuth(r.id, r.key)
+
+	case r.authToken != "":
+		req.Header.Add("Authorization", "Bearer "+r.authToken)
 	}
 
 	req.Header.Add("X-Scope-OrgID", r.id)

pkg/mimirtool/commands/alerts.go

@@ -72,7 +72,7 @@ func (a *AlertmanagerCommand) Register(app *kingpin.Application, envVars EnvVarN
 	alertCmd.Flag("tls-ca-path", "TLS CA certificate to verify Grafana Mimir API as part of mTLS; alternatively, set "+envVars.TLSCAPath+".").Default("").Envar(envVars.TLSCAPath).StringVar(&a.ClientConfig.TLS.CAPath)
 	alertCmd.Flag("tls-cert-path", "TLS client certificate to authenticate with the Grafana Mimir API as part of mTLS; alternatively, set "+envVars.TLSCertPath+".").Default("").Envar(envVars.TLSCertPath).StringVar(&a.ClientConfig.TLS.CertPath)
 	alertCmd.Flag("tls-key-path", "TLS client certificate private key to authenticate with the Grafana Mimir API as part of mTLS; alternatively, set "+envVars.TLSKeyPath+".").Default("").Envar(envVars.TLSKeyPath).StringVar(&a.ClientConfig.TLS.KeyPath)
-
+	alertCmd.Flag("auth-token", "Authentication token bearer authentication; alternatively, set "+envVars.AuthToken+".").Default("").Envar(envVars.AuthToken).StringVar(&a.ClientConfig.AuthToken)
 	// Get Alertmanager Configs Command
 	getAlertsCmd := alertCmd.Command("get", "Get the Alertmanager configuration that is currently in the Grafana Mimir Alertmanager.").Action(a.getConfig)
 	getAlertsCmd.Flag("disable-color", "disable colored output").BoolVar(&a.DisableColor)
@@ -147,6 +147,7 @@ func (a *AlertCommand) Register(app *kingpin.Application, envVars EnvVarNames) {
 	alertCmd.Flag("id", "Mimir tenant id, alternatively set "+envVars.TenantID+".").Envar(envVars.TenantID).Required().StringVar(&a.ClientConfig.ID)
 	alertCmd.Flag("user", fmt.Sprintf("API user to use when contacting Grafana Mimir, alternatively set %s. If empty, %s will be used instead.", envVars.APIUser, envVars.TenantID)).Default("").Envar(envVars.APIUser).StringVar(&a.ClientConfig.User)
 	alertCmd.Flag("key", "API key to use when contacting Grafana Mimir; alternatively, set "+envVars.APIKey+".").Default("").Envar(envVars.APIKey).StringVar(&a.ClientConfig.Key)
+	alertCmd.Flag("auth-token", "Authentication token for bearer token or JWT auth, alternatively set "+envVars.AuthToken+".").Default("").Envar(envVars.AuthToken).StringVar(&a.ClientConfig.AuthToken)
 
 	verifyAlertsCmd := alertCmd.Command("verify", "Verifies whether or not alerts in an Alertmanager cluster are deduplicated; useful for verifying correct configuration when transferring from Prometheus to Grafana Mimir alert evaluation.").Action(a.verifyConfig)
 	verifyAlertsCmd.Flag("ignore-alerts", "A comma separated list of Alert names to ignore in deduplication checks.").StringVar(&a.IgnoreString)

pkg/mimirtool/commands/env_var.go

@@ -11,6 +11,7 @@ type EnvVarNames struct {
 	TLSKeyPath      string
 	TenantID        string
 	UseLegacyRoutes string
+	AuthToken       string
 }
 
 func NewEnvVarsWithPrefix(prefix string) EnvVarNames {
@@ -23,6 +24,7 @@ func NewEnvVarsWithPrefix(prefix string) EnvVarNames {
 		tlsCertPath     = "TLS_CERT_PATH"
 		tlsKeyPath      = "TLS_KEY_PATH"
 		useLegacyRoutes = "USE_LEGACY_ROUTES"
+		authToken       = "AUTH_TOKEN"
 	)
 
 	if len(prefix) > 0 && prefix[len(prefix)-1] != '_' {
@@ -38,5 +40,6 @@ func NewEnvVarsWithPrefix(prefix string) EnvVarNames {
 		TLSKeyPath:      prefix + tlsKeyPath,
 		TenantID:        prefix + tenantID,
 		UseLegacyRoutes: prefix + useLegacyRoutes,
+		AuthToken:       prefix + authToken,
 	}
 }

pkg/mimirtool/commands/rules.go

@@ -97,6 +97,7 @@ func (r *RuleCommand) Register(app *kingpin.Application, envVars EnvVarNames) {
 	rulesCmd.Flag("user", fmt.Sprintf("API user to use when contacting Grafana Mimir; alternatively, set %s. If empty, %s is used instead.", envVars.APIUser, envVars.TenantID)).Default("").Envar(envVars.APIUser).StringVar(&r.ClientConfig.User)
 	rulesCmd.Flag("key", "API key to use when contacting Grafana Mimir; alternatively, set "+envVars.APIKey+".").Default("").Envar(envVars.APIKey).StringVar(&r.ClientConfig.Key)
 	rulesCmd.Flag("backend", "Backend type to interact with (deprecated)").Default(rules.MimirBackend).EnumVar(&r.Backend, backends...)
+	rulesCmd.Flag("auth-token", "Authentication token for bearer token or JWT auth, alternatively set "+envVars.AuthToken+".").Default("").Envar(envVars.AuthToken).StringVar(&r.ClientConfig.AuthToken)
 
 	// Register rule commands
 	listCmd := rulesCmd.