FIX(alertmanager): alertmanager smtp auth by

- loading config from secret
- Add ExternalSecret to generate alertmanager.yml with SMTP password
  from Vault
- Disable helm chart config (ConfigMap) and use extraSecretMounts
  instead
- Fixes "535 5.7.8 Error: authentication failed" SMTP error

alertmanager/helm-values.yaml

@@ -20,56 +20,13 @@ serviceMonitor:
     release: prometheus
   namespace: prometheus
 
-# SMTP Secret 환경변수 주입
+# Disable default config - use secret instead
-extraEnv:
-  - name: SMTP_PASSWORD
-    valueFrom:
-      secretKeyRef:
-        name: alertmanager-smtp
-        key: smtp_auth_password
-
 config:
-  global:
+  enabled: false
-    resolve_timeout: 5m
+
-    smtp_smarthost: "smtp.mail.me.com:587"
+# Mount config from ExternalSecret
-    smtp_from: "bluemayne0213@icloud.com"
+extraSecretMounts:
-    smtp_auth_username: "bluemayne0213@icloud.com"
+  - name: alertmanager-config
-    smtp_auth_password: $(SMTP_PASSWORD)
+    mountPath: /etc/alertmanager
-    smtp_require_tls: true
+    secretName: alertmanager-config
-  route:
+    readOnly: true
-    group_by: ["alertname", "cluster", "service"]
-    group_wait: 30s
-    group_interval: 5m
-    repeat_interval: 4h
-    receiver: "email"
-    routes:
-    # Critical - 즉시 전송
-    - match:
-        severity: critical
-      receiver: "email"
-      group_wait: 10s
-      repeat_interval: 1h
-    # Warning
-    - match:
-        severity: warning
-      receiver: "email"
-      group_wait: 1m
-      repeat_interval: 4h
-    # Watchdog 제외 (항상 firing)
-    - match:
-        alertname: Watchdog
-      receiver: "null"
-  receivers:
-  - name: "email"
-    email_configs:
-    - to: "bluemayne0213@icloud.com"
-      send_resolved: true
-      headers:
-        subject: "[{{ .Status | toUpper }}] {{ .CommonLabels.alertname }}"
-  - name: "null"
-  inhibit_rules:
-  - source_match:
-      severity: "critical"
-    target_match:
-      severity: "warning"
-    equal: ["alertname", "cluster", "service"]

alertmanager/vault/alertmanager-secrets.yaml

@@ -16,3 +16,67 @@ spec:
       remoteRef:
         key: monitoring/alertmanager
         property: SMTP_PASSWORD
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: alertmanager-config
+  namespace: alertmanager
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault-backend
+  target:
+    name: alertmanager-config
+    creationPolicy: Owner
+    template:
+      engineVersion: v2
+      data:
+        alertmanager.yml: |
+          global:
+            resolve_timeout: 5m
+            smtp_smarthost: "smtp.mail.me.com:587"
+            smtp_from: "bluemayne0213@icloud.com"
+            smtp_auth_username: "bluemayne0213@icloud.com"
+            smtp_auth_password: "{{ .smtp_password }}"
+            smtp_require_tls: true
+          route:
+            group_by: ["alertname", "cluster", "service"]
+            group_wait: 30s
+            group_interval: 5m
+            repeat_interval: 4h
+            receiver: "email"
+            routes:
+            - match:
+                severity: critical
+              receiver: "email"
+              group_wait: 10s
+              repeat_interval: 1h
+            - match:
+                severity: warning
+              receiver: "email"
+              group_wait: 1m
+              repeat_interval: 4h
+            - match:
+                alertname: Watchdog
+              receiver: "null"
+          receivers:
+          - name: "email"
+            email_configs:
+            - to: "bluemayne0213@icloud.com"
+              send_resolved: true
+              headers:
+                subject: "[{{ "{{" }} .Status | toUpper {{ "}}" }}] {{ "{{" }} .CommonLabels.alertname {{ "}}" }}"
+          - name: "null"
+          inhibit_rules:
+          - source_match:
+              severity: "critical"
+            target_match:
+              severity: "warning"
+            equal: ["alertname", "cluster", "service"]
+  data:
+    - secretKey: smtp_password
+      remoteRef:
+        key: monitoring/alertmanager
+        property: SMTP_PASSWORD