Allow using service account token for Prometheus/Alertmanager auth (even not in openshift) (#1968)

arikalon1 · web-flow · commit f7a22f7b4c29 · 2025-12-03T20:02:52.000+02:00
diff --git a/docs/configuration/metric-providers-external.rst b/docs/configuration/metric-providers-external.rst
@@ -55,6 +55,17 @@ Authentication
         prometheus_auth: "Bearer YOUR_TOKEN_HERE"
         alertmanager_auth: "Bearer YOUR_TOKEN_HERE"
 
+On some clusters, the pod service account token is used for Prometheus/Alertmanager authentication.
+To use this token add the following env var to the ``runner``:
+
+.. code-block:: yaml
+
+    runner:
+      additional_env_vars:
+        - name: PROMETHEUS_CLUSTER_TOKEN_AUTH
+          value: "true"
+
+
 **Basic Authentication**:
 
 .. code-block:: yaml
diff --git a/docs/configuration/metric-providers-in-cluster.rst b/docs/configuration/metric-providers-in-cluster.rst
@@ -92,6 +92,16 @@ If Prometheus and/or AlertManager require authentication, add the following:
 
 These settings may be configured independently.
 
+On some clusters, the pod service account token is used for Prometheus/Alertmanager authentication.
+To use this token add the following env var to the ``runner``:
+
+.. code-block:: yaml
+
+    runner:
+      additional_env_vars:
+        - name: PROMETHEUS_CLUSTER_TOKEN_AUTH
+          value: "true"
+
 SSL Verification
 ^^^^^^^^^^^^^^^^
 
diff --git a/src/robusta/core/model/env_vars.py b/src/robusta/core/model/env_vars.py
@@ -114,6 +114,8 @@ def load_bool(env_var, default: bool):
 CLUSTER_DOMAIN = os.environ.get("CLUSTER_DOMAIN", "cluster.local")
 
 IS_OPENSHIFT = load_bool("IS_OPENSHIFT", False)
+PROMETHEUS_CLUSTER_TOKEN_AUTH = load_bool("PROMETHEUS_CLUSTER_TOKEN_AUTH", False)
+
 OPENSHIFT_GROUPS = load_bool("OPENSHIFT_GROUPS", False)
 
 ENABLE_GRAPH_BLOCK = load_bool("ENABLE_GRAPH_BLOCK", True)
diff --git a/src/robusta/integrations/openshift/token.py b/src/robusta/integrations/openshift/token.py
@@ -1,13 +1,13 @@
 from typing import Optional
 
-from robusta.core.model.env_vars import IS_OPENSHIFT
+from robusta.core.model.env_vars import IS_OPENSHIFT, PROMETHEUS_CLUSTER_TOKEN_AUTH
 
 # NOTE: This one will be mounted if openshift is enabled in values.yaml
 TOKEN_LOCATION = '/var/run/secrets/kubernetes.io/serviceaccount/token'
 
 
 def load_token() -> Optional[str]:
-    if not IS_OPENSHIFT:
+    if not (IS_OPENSHIFT or PROMETHEUS_CLUSTER_TOKEN_AUTH):
         return None
 
     try:
