fix(infra-monitoring): improve security of alertmanager-matrix bot

infra-monitoring/templates/alertmanager/alertmanager-config.yaml

@@ -26,8 +26,8 @@ spec:
     {{- end }}
     {{- with .Values.alertmanager.receiver.matrix }}
     {{- if .enabled }}
-     - name: "matrix-default"
+    - name: "matrix-default"
-       webhookConfigs:
+      webhookConfigs:
         - url: "http://alertmanager-matrix:4051/{{ .default }}"
           sendResolved: {{ .sendResolved }}
     {{- range $receiver, $conf := .rooms }}

infra-monitoring/templates/alertmanager/matrix/release.yaml

@@ -41,15 +41,67 @@ spec:
           {{- range $item := .rooms }}
           - {{ $item.room | quote }}
           {{- end }}
+      {{- if $.Values.alertmanager.ingress.enabled }}
       alertmanager: "https://{{ $.Values.alertmanager.ingress.host | default (printf "alertmanager.%s" $.Values.commons.ingress.domain) }}"
+      {{- else }}
+      alertmanager: "http://kube-prometheus-stack-alertmanager:9093"
+      {{- end }}
       showLabels: true
-
+      {{`
+      template:
+        html: >
+          {{ range .Alerts }}
+            <font color="{{.StatusString|color}}">
+              {{.StatusString|icon}}
+              <b>{{.StatusString|upper}}</b>
+            </font>
+            <b>{{.AlertName}}</b><br/>
+            {{if ne .Summary "" }}
+            Summary: {{.Summary}} 
+            {{end}}
+            {{if ne .Fingerprint ""}}
+              ({{.Fingerprint}})
+            {{end}}
+            {{if ne .GeneratorURL ""}}
+              <a href="{{.GeneratorURL}}">more</a>
+            {{end}}
+            {{- $labels := dict }}
+            {{- range $key, $value := .Alert.Labels }}
+            {{- $labels = set $labels $key $value }}
+            {{- end }}
+            <br/>
+            {{ coalesce $labels.exported_namespace $labels.namespace "unknown" }}
+            {{if $.ShowLabels}}
+              <br/>
+              <b>Labels:</b>
+              <table>
+              {{ range $key := omit $labels "alertname" "severity" "exported_namespace" "namespace" |
+                keys | sortAlpha }}
+                {{ $value := get $labels $key }}
+                <tr>
+                  <td>{{ $key }}</td>
+                  <td>{{ $value }}</td>
+                </tr>
+              {{ end }}
+              </table>
+             {{end}}
+             <br/>
+          {{- end -}}
+      `}}
     serviceAccount:
       create: false
 
+    podSecurityContext:
+      fsGroup: 1000
+
     securityContext:
-      runAsUser: 65534
+      allowPrivilegeEscalation: false
-      runAsGroup: 65534
+      capabilities:
+        drop:
+          - ALL
+      readOnlyRootFilesystem: true
+      runAsUser: 1000
+      runAsGroup: 1000
 
     resources:
       requests:
@@ -57,6 +109,7 @@ spec:
         cpu: "100m"
       limits:
         memory: "256Mi"
+        cpu: 4
 
     tolerations:
       {{- toYaml $.Values.commons.tolerations | nindent 6 }}

infra-monitoring/templates/kube-prometheus-stack/release.yaml

@@ -116,7 +116,7 @@ spec:
         {{- if .Values.alertmanager.ingress.enabled }}
         externalUrl: "https://{{ $hostAlertmanager }}"
         {{- end }}
-        replicas: 1
+        replicas: 2
         alertmanagerConfiguration:
           name: "global-alertmanager-conf"
         alertmanagerConfigSelector: