add sprig template functions

[TheMeier]

fixes #3726
fixes #3762
fixes #603

[TheMeier]

Looks like circleci has a problem :(

[TheMeier]

can I get a review @gotjosh

[TheMeier]

Also I noticed the code is actually prepared to allow for users to pass custom functions to the templating.
https://github.com/prometheus/alertmanager/blob/main/template/template.go#L68C23-L70
https://github.com/prometheus/alertmanager/blob/main/template/template_test.go#L406-L468

But that is not accessible from what I have seen in code and docs.
If it is accessible it is a bigger issue if you consider users might use an alertmanager provided by someone else, since the user could execute harmful code. So I wonder if option for template.New and template.FromGlobs should be removed.

[grobinson-grafana]

Also I noticed the code is actually prepared to allow for users to pass custom functions to the templating. https://github.com/prometheus/alertmanager/blob/main/template/template.go#L68C23-L70 https://github.com/prometheus/alertmanager/blob/main/template/template_test.go#L406-L468

But that is not accessible from what I have seen in code and docs. If it is accessible it is a bigger issue if you consider users might use an alertmanager provided by someone else, since the user could execute harmful code. So I wonder if option for template.New and template.FromGlobs should be removed.

This is all internal code. Users cannot add their own functions without changing and re-compiling the code.

[verdel]

@grobinson-grafana, @TheMeier, how can we speed up the review of this PR?

The functionality to be added, if this PR is accepted, will eliminate a large number of existing limitations. For example, time-related functions will allow for creating links to Grafana dashboards with a time range tied to the time the alert was triggered.

[TheMeier]

@grobinson-grafana, @TheMeier, how can we speed up the review of this PR?

The functionality to be added, if this PR is accepted, will eliminate a large number of existing limitations. For example, time-related functions will allow for creating links to Grafana dashboards with a time range tied to the time the alert was triggered.

The only ones who can help here are the maintainers. I guess they are busy with other stuff, so you just have to wait

[verdel]

The only ones who can help here are the maintainers. I guess they are busy with other stuff, so you just have to wait

Yep, I'll be hoping that they can find the time. This feature would indeed be very useful.

[grobinson-grafana]

While we figure out whether or not to accept sprig, I've opened a PR that adds much requested date and timezone functions here.

[grobinson-grafana]

I've spent some time thinking about this and my preference is that we don't add Sprig. Instead, we implement template functions as needed. We can also implement the most common functions in prometheus/common so they can be used in both Prometheus and Alertmanager.

The reasons I don't think we should add Sprig are the following:

1. We need to maintain an allow list of functions that we consider safe, and disable functions that do filesystem operations, network calls, etc.
2. Sprig adds 11 new dependencies to Alertmanager. I would like to reduce the number of dependencies we have over time, not increase them.
3. We need to track Sprig for updates and vet changes to existing functions.
4. If Sprig is ever deprecated or archived we need to implement every single function ourselves anyway, because users now depend on them.

[TheMeier]

@grobinson-grafana your points are all valid, but it is missing a bit of context IMHO:

• sprig releases 1-2 times per year (actually no release at all since November 2022)
• sprig is extremely conservative with any changes
• the logic about deprecation or archiving does apply to each and every dependency you will ever use. so by that logic, you never would use any prior art ;)

The 11 extra dependencies are a very good reason not to go this route though.
Given many, if not most, functions are trivial it should be not a lot of work.