Feature request: Configurable HMAC request signing for outgoing webhooks #4248

@alexander-akhmetov

Description

Hi,

I'd like to propose adding HMAC SHA256 request signing to the Alertmanager HTTP client for outgoing webhooks. This would help ensure message authenticity.

Proposed Solution
It seems there is no standard for HMAC request signing and different services implement it in slightly different ways. Some sign only the request body, while others include headers, the request path, or query parameters.

I've looked into some of the existing implementations (Slack, Docusign, Azure) and followed an approach similar to Slack:

  • The signature is generated using only the request body.
  • A timestamp can be included to mitigate replay attacks, but it's optional.
  • Header names are configurable.

I've prepared a PR that adds this via an optional custom RoundTripper, so we can see what it would look like:

prometheus/common#758

What do you think?
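To make the proposal concrete, here is an added example of the scheme described above (body-only HMAC-SHA256, optional timestamp, configurable header names) as a Go `http.RoundTripper`, together with the receiver-side check that a webhook endpoint would run. This is illustrative code written for this page, not the code in prometheus/common#758 or anything shipped by Alertmanager; the `SigningConfig` type, the header names `X-Signature-256` / `X-Signature-Timestamp`, and the `"<timestamp>:<body>"` MAC input are assumptions chosen here, not the PR's wire format.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"io"
	"net/http"
	"net/http/httptest"
	"strconv"
	"time"
)

// SigningConfig mirrors the knobs the issue proposes: shared secret, configurable header names,
// and an optional timestamp (empty TimestampHeader disables it). Names are this example's, not the PR's.
type SigningConfig struct {
	Secret          []byte
	SignatureHeader string
	TimestampHeader string
	Now             func() time.Time
}

// ComputeSignature returns hex(HMAC-SHA256(secret, "<ts>:"+body)), or over the bare body when ts is
// empty. Binding the timestamp into the MAC is what lets the receiver reject re-dated replays.
func ComputeSignature(secret []byte, ts string, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	if ts != "" {
		mac.Write([]byte(ts + ":"))
	}
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}

// hmacRoundTripper signs the body of each outgoing request, then hands it to the next transport.
type hmacRoundTripper struct {
	cfg  SigningConfig
	next http.RoundTripper
}

func (t *hmacRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
	r := req.Clone(req.Context()) // RoundTrippers must not mutate the caller's request
	var body []byte
	if req.Body != nil && req.Body != http.NoBody {
		b, err := io.ReadAll(req.Body)
		if err != nil {
			return nil, err
		}
		req.Body.Close()
		body, r.Body = b, io.NopCloser(bytes.NewReader(b)) // replay the consumed body downstream
	}
	ts := ""
	if t.cfg.TimestampHeader != "" {
		ts = strconv.FormatInt(t.cfg.Now().Unix(), 10)
		r.Header.Set(t.cfg.TimestampHeader, ts)
	}
	r.Header.Set(t.cfg.SignatureHeader, ComputeSignature(t.cfg.Secret, ts, body))
	return t.next.RoundTrip(r)
}

// VerifyRaw is the receiver's check: timestamp inside the tolerance window (when timestamps are in
// use), then a constant-time comparison of the recomputed MAC against the presented one.
func VerifyRaw(cfg SigningConfig, sig, ts string, body []byte, tolerance time.Duration) error {
	if cfg.TimestampHeader != "" {
		sec, err := strconv.ParseInt(ts, 10, 64)
		if err != nil {
			return errors.New("missing or malformed timestamp")
		}
		if d := cfg.Now().Sub(time.Unix(sec, 0)); d > tolerance || d < -tolerance {
			return errors.New("timestamp outside tolerance window")
		}
	}
	want := ComputeSignature(cfg.Secret, ts, body)
	if !hmac.Equal([]byte(want), []byte(sig)) { // hmac.Equal, never ==, to avoid a timing side channel
		return errors.New("signature mismatch")
	}
	return nil
}

// WebhookServer stands in for the receiving service: 200 if the request verifies, 401 otherwise.
func WebhookServer(cfg SigningConfig, tolerance time.Duration) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		body, _ := io.ReadAll(req.Body)
		sig, ts := req.Header.Get(cfg.SignatureHeader), req.Header.Get(cfg.TimestampHeader)
		if err := VerifyRaw(cfg, sig, ts, body, tolerance); err != nil {
			http.Error(w, err.Error(), http.StatusUnauthorized)
			return
		}
		w.WriteHeader(http.StatusOK)
	}))
}

// Post sends payload through a client whose transport signs with cfg; returns the receiver's status.
func Post(url string, cfg SigningConfig, payload []byte) (int, error) {
	client := &http.Client{Transport: &hmacRoundTripper{cfg: cfg, next: http.DefaultTransport}}
	resp, err := client.Post(url, "application/json", bytes.NewReader(payload))
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}
```

Two practitioner caveats follow from the design the issue describes. Because only the body is signed, the method, path and query string are not authenticated, so a receiver must not let those carry anything security-relevant. And the optional timestamp only mitigates replay if the receiver actually enforces a tolerance window (as `VerifyRaw` does); a receiver that accepts any timestamp gains nothing from it, and one that wants full replay protection within the window still needs to remember recently seen signatures.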
