use AlertmanagerConfigAllowList for alertmanager secret informer

[william-tran]

Description

Describe the big picture of your changes here to communicate to the maintainers why we should accept this pull request.
If it fixes a bug or resolves a feature request, be sure to link to that issue.

I want to use the operator to handle PrometheusRule CRDs in many namespaces but only handle Prometheus CRDs in one namespace. I saw the default RBAC in the helm chart was far too broad and wrote my own, having secrets operations as Roles instead of ClusterRoles, attached only to the namespaces where I want to set up prometheus instances. I noticed after setting --namespaces and --prometheus-instance-selector to different values, that list/watch of secrets was being attempted in the namespaces under --namespaces, with access denied.

Fixes #3544 (and #3298 in the case --namespaces is unset, which results in attempting to watch all secrets)

Type of change

What type of changes does your code introduce to the Prometheus operator? Put an x in the box that apply.

• CHANGE (fix or feature that would cause existing functionality to not work as expected)
• FEATURE (non-breaking change which adds functionality)
• BUGFIX (non-breaking change which fixes an issue)
• ENHANCEMENT (non-breaking change which improves existing functionality)
• NONE (if none of the other choices apply. Example, tooling, build system, CI, docs, etc.)

Changelog entry

Please put a one-line changelog entry below. This will be copied to the changelog file during the release process.

Added `-alertmanager-config-namespaces` CLI flag to the operator. 

[simonpasquier]

This secrets informer exists for AlertmanagerConfig custom resources which themselves can reference secret keys (for defining receiver's credentials for instance). These resources live in the namespaces defined by --namespaces and not --alertmanager-instance-namespaces which is why the informer is set up this way.
Now the operator should probably have another secrets informer watching for alertmanager-instance-namespaces to reconcile changes to the base Alertmanager configuration's secret...
cc @philipgough

[william-tran]

These resources live in the namespaces defined by --namespaces

Ahh I see now with the Alertmanager CRD vs AlertmanagerConfig which can reference secrets e.g. https://prometheus-operator.dev/docs/operator/api/#slackconfig apiURL

To address tighter scoping of secrets permissions, we could add an option alertmanager-config-namespaces. This could cater to those who setup alertmanager config centrally versus having anyone provide that config.

[simonpasquier]

To address tighter scoping of secrets permissions, we could add an option alertmanager-config-namespaces

I wouldn't be opposed to this. To be consistent with the other flags, the logic should be:

• use --alertmanager-config-namespaces if not empty.
• otherwise use --namespaces (as before).

@fpetkovski @paulfantom thoughts?

[philipgough]

@simonpasquier Sounds reasonable to me. Will wait for others to chime in.

[fpetkovski]

This suggestion makes sense to me as well 👍

[paulfantom]

Simon's suggestion sounds good to me.

[william-tran]

Great, I'll get to work on this and will have something by end of week.

[simonpasquier]

lgtm

[william-tran]

@simonpasquier is there a release we can expect this in?

[fpetkovski]

@william-tran some CI jobs are failing, you should be able to fix them with make format generate.

[fpetkovski]

@simonpasquier okay with you to merge?

[william-tran]

The check docs error seems unrelated to this PR:

https://github.com/prometheus-operator/prometheus-operator/runs/5004881958?check_suite_focus=true#step:5:254

error: 		ADOPTERS.md:32: "https://www.clyso.com/en" not accessible even after retry; status code 0: Get "https://www.clyso.com/en": unexpected EOF

[philipgough]

@william-tran - if you rebase on top of main that check should resolve. It is not required however so we can merge as is.

[william-tran]

@philipgough done

[simonpasquier]

thanks!