From 6fb210ef9e88c7b461a68363ddf3d9829eab0e86 Mon Sep 17 00:00:00 2001
From: Paulin Todev <paulin.todev@gmail.com>
Date: Fri, 7 Nov 2025 17:22:27 +0000
Subject: [PATCH 1/8] Add a new mimir.alerts.kubernetes component

---
 .github/ISSUE_TEMPLATE/blank.yaml             |   1 +
 .github/ISSUE_TEMPLATE/bug_report.yaml        |   1 +
 .github/ISSUE_TEMPLATE/docs.yaml              |   1 +
 .github/ISSUE_TEMPLATE/feature_request.yaml   |   1 +
 .github/ISSUE_TEMPLATE/proposal.yaml          |   1 +
 .github/workflows/integration-tests-k8s.yml   |  23 +
 CHANGELOG.md                                  |   2 +
 Makefile                                      |   7 +-
 .../mimir/mimir.alerts.kubernetes.md          | 494 ++++++++++++++++++
 go.mod                                        |  37 +-
 go.sum                                        |  62 +--
 .../tests/mimir-alerts-kubernetes/k8s_test.go |  92 ++++
 .../mimir-alerts-kubernetes/kubernetes.yml    | 229 ++++++++
 .../tests/mimir-alerts-kubernetes/setup.sh    |  13 +
 .../cmd/integration-tests-k8s/util/util.go    | 105 ++++
 internal/component/all/all.go                 |   1 +
 .../mimir/alerts/kubernetes/alerts.go         | 349 +++++++++++++
 .../mimir/alerts/kubernetes/alerts_test.go    | 201 +++++++
 .../mimir/alerts/kubernetes/debug.go          |   6 +
 .../mimir/alerts/kubernetes/events.go         | 280 ++++++++++
 .../mimir/alerts/kubernetes/events_test.go    | 445 ++++++++++++++++
 .../mimir/alerts/kubernetes/health.go         |  32 ++
 .../mimir/alerts/kubernetes/types.go          |  35 ++
 .../mimir/rules/kubernetes/events.go          |   2 +-
 .../mimir/rules/kubernetes/events_test.go     |   2 +-
 .../component/mimir/rules/kubernetes/rules.go |   2 +-
 internal/component/mimir/util/util.go         |  36 ++
 .../configgen/config_gen_podmonitor.go        |   8 +-
 .../configgen/config_gen_podmonitor_test.go   |  18 +-
 .../operator/configgen/config_gen_probe.go    |   4 +-
 .../configgen/config_gen_probe_test.go        |  20 +-
 .../config_gen_servicemonitor_test.go         |   4 +-
 internal/mimir/client/alerts.go               |  45 ++
 internal/mimir/client/alerts_test.go          |  66 +++
 internal/mimir/client/client.go               |   7 +-
 .../testdata/alertmanager/conf.good.yml       | 117 +++++
 .../testdata/alertmanager/response.good.yml   | 249 +++++++++
 operations/helm/charts/alloy/CHANGELOG.md     |   4 +
 operations/helm/charts/alloy/README.md        |  11 +-
 operations/helm/charts/alloy/values.yaml      |   4 +
 .../alloy/templates/rbac.yaml                 |   8 +
 .../clustering/alloy/templates/rbac.yaml      |   8 +
 .../alloy/templates/rbac.yaml                 |   8 +
 .../alloy/templates/rbac.yaml                 |   8 +
 .../alloy/templates/rbac.yaml                 |   8 +
 .../alloy/templates/rbac.yaml                 |   8 +
 .../alloy/templates/rbac.yaml                 |   8 +
 .../alloy/templates/rbac.yaml                 |   8 +
 .../alloy/templates/rbac.yaml                 |   8 +
 .../alloy/templates/rbac.yaml                 |   8 +
 .../alloy/templates/rbac.yaml                 |   8 +
 .../alloy/templates/rbac.yaml                 |   8 +
 .../alloy/templates/rbac.yaml                 |   8 +
 .../alloy/templates/rbac.yaml                 |   8 +
 .../alloy/templates/rbac.yaml                 |   8 +
 .../alloy/templates/rbac.yaml                 |   8 +
 .../custom-config/alloy/templates/rbac.yaml   |   8 +
 .../default-values/alloy/templates/rbac.yaml  |   8 +
 .../alloy/templates/rbac.yaml                 |   8 +
 .../alloy/templates/rbac.yaml                 |   8 +
 .../alloy/templates/rbac.yaml                 |   8 +
 .../tests/envFrom/alloy/templates/rbac.yaml   |   8 +
 .../existing-config/alloy/templates/rbac.yaml |   8 +
 .../tests/extra-env/alloy/templates/rbac.yaml |   8 +
 .../extra-manifests/alloy/templates/rbac.yaml |   8 +
 .../extra-ports/alloy/templates/rbac.yaml     |   8 +
 .../faro-ingress/alloy/templates/rbac.yaml    |   8 +
 .../alloy/templates/rbac.yaml                 |   8 +
 .../alloy/templates/rbac.yaml                 |   8 +
 .../host-alias/alloy/templates/rbac.yaml      |   8 +
 .../initcontainers/alloy/templates/rbac.yaml  |   8 +
 .../lifecycle-hooks/alloy/templates/rbac.yaml |   8 +
 .../livinessprobe/alloy/templates/rbac.yaml   |   8 +
 .../alloy/templates/rbac.yaml                 |   8 +
 .../alloy/templates/rbac.yaml                 |   8 +
 .../alloy/templates/rbac.yaml                 |   8 +
 .../tests/nonroot/alloy/templates/rbac.yaml   |   8 +
 .../pod_annotations/alloy/templates/rbac.yaml |   8 +
 .../readinessprobe/alloy/templates/rbac.yaml  |   8 +
 .../alloy/templates/rbac.yaml                 |   8 +
 .../tests/sidecars/alloy/templates/rbac.yaml  |   8 +
 .../alloy/templates/rbac.yaml                 |   8 +
 .../alloy/templates/rbac.yaml                 |   8 +
 .../with-digests/alloy/templates/rbac.yaml    |   8 +
 84 files changed, 3289 insertions(+), 80 deletions(-)
 create mode 100644 .github/workflows/integration-tests-k8s.yml
 create mode 100644 docs/sources/reference/components/mimir/mimir.alerts.kubernetes.md
 create mode 100644 internal/cmd/integration-tests-k8s/tests/mimir-alerts-kubernetes/k8s_test.go
 create mode 100644 internal/cmd/integration-tests-k8s/tests/mimir-alerts-kubernetes/kubernetes.yml
 create mode 100755 internal/cmd/integration-tests-k8s/tests/mimir-alerts-kubernetes/setup.sh
 create mode 100644 internal/cmd/integration-tests-k8s/util/util.go
 create mode 100644 internal/component/mimir/alerts/kubernetes/alerts.go
 create mode 100644 internal/component/mimir/alerts/kubernetes/alerts_test.go
 create mode 100644 internal/component/mimir/alerts/kubernetes/debug.go
 create mode 100644 internal/component/mimir/alerts/kubernetes/events.go
 create mode 100644 internal/component/mimir/alerts/kubernetes/events_test.go
 create mode 100644 internal/component/mimir/alerts/kubernetes/health.go
 create mode 100644 internal/component/mimir/alerts/kubernetes/types.go
 create mode 100644 internal/component/mimir/util/util.go
 create mode 100644 internal/mimir/client/alerts.go
 create mode 100644 internal/mimir/client/alerts_test.go
 create mode 100644 internal/mimir/client/testdata/alertmanager/conf.good.yml
 create mode 100644 internal/mimir/client/testdata/alertmanager/response.good.yml

diff --git a/.github/ISSUE_TEMPLATE/blank.yaml b/.github/ISSUE_TEMPLATE/blank.yaml
index 9d6245a49e8..6a7a0d1a6b0 100644
--- a/.github/ISSUE_TEMPLATE/blank.yaml
+++ b/.github/ISSUE_TEMPLATE/blank.yaml
@@ -78,6 +78,7 @@ body:
       - loki.source.syslog
       - loki.source.windowsevent
       - loki.write
+      - mimir.alerts.kubernetes
       - mimir.rules.kubernetes
       - otelcol.auth.basic
       - otelcol.auth.bearer
diff --git a/.github/ISSUE_TEMPLATE/bug_report.yaml b/.github/ISSUE_TEMPLATE/bug_report.yaml
index 76be2e90ebc..7fc726d80fc 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.yaml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yaml
@@ -78,6 +78,7 @@ body:
       - loki.source.syslog
       - loki.source.windowsevent
       - loki.write
+      - mimir.alerts.kubernetes
       - mimir.rules.kubernetes
       - otelcol.auth.basic
       - otelcol.auth.bearer
diff --git a/.github/ISSUE_TEMPLATE/docs.yaml b/.github/ISSUE_TEMPLATE/docs.yaml
index 407b39a686d..e69a0a34300 100644
--- a/.github/ISSUE_TEMPLATE/docs.yaml
+++ b/.github/ISSUE_TEMPLATE/docs.yaml
@@ -81,6 +81,7 @@ body:
       - loki.source.syslog
       - loki.source.windowsevent
       - loki.write
+      - mimir.alerts.kubernetes
       - mimir.rules.kubernetes
       - otelcol.auth.basic
       - otelcol.auth.bearer
diff --git a/.github/ISSUE_TEMPLATE/feature_request.yaml b/.github/ISSUE_TEMPLATE/feature_request.yaml
index aff80db9c0b..1f0956bd518 100644
--- a/.github/ISSUE_TEMPLATE/feature_request.yaml
+++ b/.github/ISSUE_TEMPLATE/feature_request.yaml
@@ -78,6 +78,7 @@ body:
       - loki.source.syslog
       - loki.source.windowsevent
       - loki.write
+      - mimir.alerts.kubernetes
       - mimir.rules.kubernetes
       - otelcol.auth.basic
       - otelcol.auth.bearer
diff --git a/.github/ISSUE_TEMPLATE/proposal.yaml b/.github/ISSUE_TEMPLATE/proposal.yaml
index 77eafe2ec25..1adf8f6b83f 100644
--- a/.github/ISSUE_TEMPLATE/proposal.yaml
+++ b/.github/ISSUE_TEMPLATE/proposal.yaml
@@ -78,6 +78,7 @@ body:
       - loki.source.syslog
       - loki.source.windowsevent
       - loki.write
+      - mimir.alerts.kubernetes
       - mimir.rules.kubernetes
       - otelcol.auth.basic
       - otelcol.auth.bearer
diff --git a/.github/workflows/integration-tests-k8s.yml b/.github/workflows/integration-tests-k8s.yml
new file mode 100644
index 00000000000..77789c30fb7
--- /dev/null
+++ b/.github/workflows/integration-tests-k8s.yml
@@ -0,0 +1,23 @@
+name: Integration Tests on Kubernetes
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  run_tests:
+    runs-on:
+      labels: github-hosted-ubuntu-x64-large
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+    - name: Setup Go
+      uses: actions/setup-go@v5
+      with:
+        go-version-file: go.mod
+    - name: Run tests
+      run: make integration-test-k8s
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6f24a497b08..e65e0ae83cc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -85,6 +85,8 @@ v1.12.0-rc.0
   - The `otelcol.processor.servicegraph` component now supports defining the maximum number of buckets for generated exponential histograms.
   - See the upstream [core][https://github.com/open-telemetry/opentelemetry-collector/blob/v0.139.0/CHANGELOG.md] and [contrib][https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/v0.139.0/CHANGELOG.md] changelogs for more details.
 
+- A new `mimir.alerts.kubernetes` component which discovers `AlertmanagerConfig` Kubernetes resources and loads them into a Mimir instance. (@ptodev)
+
 ### Enhancements
 
 - Add per-application rate limiting with the `strategy` attribute in the `faro.receiver` component, to prevent one application from consuming the rate limit quota of others. (@hhertout)
diff --git a/Makefile b/Makefile
index 9ffaffaadb1..fdba97cf948 100644
--- a/Makefile
+++ b/Makefile
@@ -158,7 +158,7 @@ run-alloylint: alloylint
 # more for packages that exclude tests via //go:build !race due to known race detection issues. The
 # final command runs tests for syntax module.
 test:
-	$(GO_ENV) go test $(GO_FLAGS) -race $(shell go list ./... | grep -v /integration-tests/)
+	$(GO_ENV) go test $(GO_FLAGS) -race $(shell go list ./... | grep -v -E '/integration-tests/|/integration-tests-k8s/')
 	$(GO_ENV) go test $(GO_FLAGS) ./internal/static/integrations/node_exporter
 	$(GO_ENV) cd ./syntax && go test -race ./...
 
@@ -180,6 +180,11 @@ test-pyroscope:
 	cd ./internal/component/pyroscope/util/internal/cmd/playground/ && \
 		$(GO_ENV) go build .
 
+.PHONY: integration-test-k8s
+integration-test-k8s: alloy-image
+	cd ./internal/cmd/integration-tests-k8s/ && \
+		$(GO_ENV) go test -timeout 10m ./...
+
 #
 # Targets for building binaries
 #
diff --git a/docs/sources/reference/components/mimir/mimir.alerts.kubernetes.md b/docs/sources/reference/components/mimir/mimir.alerts.kubernetes.md
new file mode 100644
index 00000000000..73355dd544b
--- /dev/null
+++ b/docs/sources/reference/components/mimir/mimir.alerts.kubernetes.md
@@ -0,0 +1,494 @@
+---
+canonical: https://grafana.com/docs/alloy/latest/reference/components/mimir/mimir.alerts.kubernetes/
+aliases:
+  - ../mimir.alerts.kubernetes/ # /docs/alloy/latest/reference/components/mimir.alerts.kubernetes/
+description: Learn about mimir.alerts.kubernetes
+labels:
+  stage: experimental
+  products:
+    - oss
+title: mimir.alerts.kubernetes
+---
+
+# `mimir.alerts.kubernetes`
+
+{{< docs/shared lookup="stability/experimental.md" source="alloy" version="<ALLOY_VERSION>" >}}
+
+`mimir.alerts.kubernetes` discovers `AlertmanagerConfig` Kubernetes resources and loads them into a Mimir instance.
+
+* You can specify multiple `mimir.alerts.kubernetes` components by giving them different labels.
+* [Kubernetes label selectors][] can be used to limit the `Namespace` and `AlertmanagerConfig` resources considered during reconciliation.
+* Compatible with the Alertmanager APIs of Grafana Mimir, Grafana Cloud, and Grafana Enterprise Metrics.
+* Compatible with the `AlertmanagerConfig` CRD from the [`prometheus-operator`][prometheus-operator].
+* This component accesses the Kubernetes REST API from [within a Pod][].
+
+{{< admonition type="note" >}}
+This component requires [Role-based access control (RBAC)][] to be set up in Kubernetes in order for {{< param "PRODUCT_NAME" >}} to access it via the Kubernetes REST API.
+
+[Role-based access control (RBAC)]: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
+{{< /admonition >}}
+
+`mimir.alerts.kubernetes` does not support [clustering][clustered mode].
+[clustered mode]: ../../../../get-started/clustering/
+
+[Kubernetes label selectors]: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+[prometheus-operator]: https://prometheus-operator.dev/
+[within a Pod]: https://kubernetes.io/docs/tasks/run-application/access-api-from-pod/
+
+## Usage
+
+```alloy
+mimir.alerts.kubernetes "<LABEL>" {
+  address       = "<MIMIR_URL>"
+  global_config = "..."
+}
+```
+
+## Arguments
+
+You can use the following arguments with `mimir.alerts.kubernetes`:
+
+| Name                     | Type                | Description                                                                                      | Default       | Required |
+| ------------------------ | ------------------- | ------------------------------------------------------------------------------------------------ | ------------- | -------- |
+| `address`                | `string`            | URL of the Mimir Alertmanager.                                                                   |               | yes      |
+| `global_config`          | `secret`            | [Alertmanager configuration][global-cfg] to be merged with AlertmanagerConfig CRDs.              |               | yes      |
+| `bearer_token_file`      | `string`            | File containing a bearer token to authenticate with.                                             |               | no       |
+| `bearer_token`           | `secret`            | Bearer token to authenticate with.                                                               |               | no       |
+| `enable_http2`           | `bool`              | Whether HTTP2 is supported for requests.                                                         | `true`        | no       |
+| `follow_redirects`       | `bool`              | Whether redirects returned by the server should be followed.                                     | `true`        | no       |
+| `http_headers`           | `map(list(secret))` | Custom HTTP headers to be sent along with each request. The map key is the header name.          |               | no       |
+| `no_proxy`               | `string`            | Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying. |               | no       |
+| `proxy_connect_header`   | `map(list(secret))` | Specifies headers to send to proxies during CONNECT requests.                                    |               | no       |
+| `proxy_from_environment` | `bool`              | Use the proxy URL indicated by environment variables.                                            | `false`       | no       |
+| `proxy_url`              | `string`            | HTTP proxy to send requests through.                                                             |               | no       |
+| `template_files`         | `map(string)`       | A map of Alertmanager [template files][mimir-api-set-alertmgr-cfg].                              |  `{}`         | no       |
+
+At most, one of the following can be provided:
+
+* [`authorization`][authorization] block
+* [`basic_auth`][basic_auth] block
+* [`bearer_token_file`][arguments]argument
+* [`bearer_token`][arguments] argument
+* [`oauth2`][oauth2] block
+
+ [arguments]: #arguments
+
+{{< docs/shared lookup="reference/components/http-client-proxy-config-description.md" source="alloy" version="<ALLOY_VERSION>" >}}
+
+[global-cfg]: https://prometheus.io/docs/alerting/latest/configuration/
+[mimir-api-set-alertmgr-cfg]: https://grafana.com/docs/mimir/latest/references/http-api/#set-alertmanager-configuration
+
+## Blocks
+
+The following blocks are supported inside the definition of
+`mimir.alerts.kubernetes`:
+
+| Block                                                                            | Description                                                | Required |
+| -------------------------------------------------------------------------------- | ---------------------------------------------------------- | -------- |
+| [`authorization`][authorization]                                                 | Configure generic authorization to the endpoint.           | no       |
+| [`basic_auth`][basic_auth]                                                       | Configure `basic_auth` for authenticating to the endpoint. | no       |
+| [`oauth2`][oauth2]                                                               | Configure OAuth 2.0 for authenticating to the endpoint.    | no       |
+| `oauth2` > [`tls_config`][tls_config]                                            | Configure TLS settings for connecting to the endpoint.     | no       |
+| [`alertmanagerconfig_namespace_selector`][label_selector]                        | Label selector for `Namespace` resources.                  | no       |
+| `alertmanagerconfig_namespace_selector` > [`match_expression`][match_expression] | Label match expression for `Namespace` resources.          | no       |
+| [`alertmanagerconfig_selector`][label_selector]                                  | Label selector for `AlertmanagerConfig` resources.         | no       |
+| `alertmanagerconfig_selector` > [`match_expression`][match_expression]           | Label match expression for `AlertmanagerConfig` resources. | no       |
+| [`tls_config`][tls_config]                                                       | Configure TLS settings for connecting to the endpoint.     | no       |
+
+The > symbol indicates deeper levels of nesting.
+For example, `oauth2` > `tls_config` refers to a `tls_config` block defined inside an `oauth2` block.
+
+[authorization]: #authorization
+[basic_auth]: #basic_auth
+[label_selector]: #alertmanagerconfig_selector-and-alertmanagerconfig_namespace_selector
+[match_expression]: #match_expression
+[oauth2]: #oauth2
+[tls_config]: #tls_config
+
+### `authorization`
+
+{{< docs/shared lookup="reference/components/authorization-block.md" source="alloy" version="<ALLOY_VERSION>" >}}
+
+### `basic_auth`
+
+{{< docs/shared lookup="reference/components/basic-auth-block.md" source="alloy" version="<ALLOY_VERSION>" >}}
+
+### `alertmanagerconfig_selector` and `alertmanagerconfig_namespace_selector`
+
+The `alertmanagerconfig_selector` and `alertmanagerconfig_namespace_selector` blocks describe a Kubernetes label selector for AlertmanagerConfig CRDs or namespace discovery.
+
+The following arguments are supported:
+
+| Name           | Type          | Description                                       | Default | Required |
+| -------------- | ------------- | ------------------------------------------------- | ------- | -------- |
+| `match_labels` | `map(string)` | Label keys and values used to discover resources. | `{}`    | yes      |
+
+When the `match_labels` argument is empty, all resources are matched.
+
+### `match_expression`
+
+The `match_expression` block describes a Kubernetes label match expression for AlertmanagerConfig CRDs or namespace discovery.
+
+The following arguments are supported:
+
+| Name       | Type           | Description                        | Default | Required |
+| ---------- | -------------- | ---------------------------------- | ------- | -------- |
+| `key`      | `string`       | The label name to match against.   |         | yes      |
+| `operator` | `string`       | The operator to use when matching. |         | yes      |
+| `values`   | `list(string)` | The values used when matching.     |         | no       |
+
+The `operator` argument should be one of the following strings:
+
+* `"In"`
+* `"NotIn"`
+* `"Exists"`
+* `"DoesNotExist"`
+
+The `values` argument must not be provided when `operator` is set to `"Exists"` or `"DoesNotExist"`.
+
+### `oauth2`
+
+{{< docs/shared lookup="reference/components/oauth2-block.md" source="alloy" version="<ALLOY_VERSION>" >}}
+
+### `tls_config`
+
+{{< docs/shared lookup="reference/components/tls-config-block.md" source="alloy" version="<ALLOY_VERSION>" >}}
+
+## Exported fields
+
+`mimir.alerts.kubernetes` doesn't export any fields.
+
+## Component health
+
+`mimir.alerts.kubernetes` is reported as unhealthy if given an invalid configuration or an error occurs during reconciliation.
+
+## Debug information
+
+`mimir.alerts.kubernetes` does not expose debug information.
+
+## Debug metrics
+
+| Metric Name                                    | Type        | Description                                                              |
+| ---------------------------------------------- | ----------- | ------------------------------------------------------------------------ |
+| `mimir_alerts_client_request_duration_seconds` | `histogram` | Duration of requests to the Mimir API.                                   |
+| `mimir_alerts_config_updates_total`            | `counter`   | Number of times the configuration has been updated.                      |
+| `mimir_alerts_events_failed_total`             | `counter`   | Number of events that failed to be processed, partitioned by event type. |
+| `mimir_alerts_events_retried_total`            | `counter`   | Number of events that were retried, partitioned by event type.           |
+| `mimir_alerts_events_total`                    | `counter`   | Number of events processed, partitioned by event type.                   |
+
+## Example
+
+This example creates a `mimir.alerts.kubernetes` component which only loads namespace and `AlertmanagerConfig` resources if they contain an `alloy` label set to `yes`.
+
+```alloy
+remote.kubernetes.configmap "default" {
+  namespace = "default"
+  name      = "alertmgr-global"
+}
+
+mimir.alerts.kubernetes "default" {
+  address       = "http://mimir-nginx.mimir-test.svc:80"
+  global_config = remote.kubernetes.configmap.default.data["glbl"]
+
+  template_files = {
+    `default_template` = 
+`{{ define "__alertmanager" }}AlertManager{{ end }}
+{{ define "__alertmanagerURL" }}{{ .ExternalURL }}/#/alerts?receiver={{ .Receiver | urlquery }}{{ end }}`,
+  }
+
+  alertmanagerconfig_selector {
+      match_labels = {
+          alloy = "yes",
+      }
+  }
+
+  alertmanagerconfig_namespace_selector {
+      match_labels = {
+          alloy = "yes",
+      }
+  }
+}
+```
+
+The following example is an RBAC configuration for Kubernetes.
+It authorizes {{< param "PRODUCT_NAME" >}} to query the Kubernetes REST API:
+
+```yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: alloy
+  namespace: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: alloy
+rules:
+- apiGroups: [""]
+  resources: ["namespaces"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["monitoring.coreos.com"]
+  resources: ["alertmanagerconfigs"]
+  verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: alloy
+subjects:
+- kind: ServiceAccount
+  name: alloy
+  namespace: default
+roleRef:
+  kind: ClusterRole
+  name: alloy
+  apiGroup: rbac.authorization.k8s.io
+```
+
+The following is an example of a complete Kubernetes configuration:
+
+{{< collapse title="Example Kubernetes configuration." >}}
+
+```yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: testing
+  labels:
+    alloy: "yes"
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: grafana-alloy
+  namespace: testing
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: grafana-alloy
+rules:
+- apiGroups: [""]
+  resources: ["namespaces", "configmaps"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["monitoring.coreos.com"]
+  resources: ["alertmanagerconfigs"]
+  verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: grafana-alloy
+subjects:
+- kind: ServiceAccount
+  name: grafana-alloy
+  namespace: testing
+roleRef:
+  kind: ClusterRole
+  name: grafana-alloy
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: grafana-alloy
+spec:
+  type: NodePort
+  selector:
+    app: grafana-alloy
+  ports:
+      # By default and for convenience, the `targetPort` is set to the same value as the `port` field.
+    - port: 8080
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: testing
+  name: grafana-alloy
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: grafana-alloy
+  template:
+    metadata:
+      labels:
+        app: grafana-alloy
+    spec:
+      serviceAccount: grafana-alloy
+      containers:
+      - name: alloy
+        image: grafana/alloy:latest
+        imagePullPolicy: Never
+        args:
+        - run
+        - /etc/config/config.alloy
+        - --stability.level=experimental
+        ports:
+        - containerPort: 8080
+        volumeMounts:
+        - name: config-volume
+          mountPath: /etc/config
+      volumes:
+        - name: config-volume
+          configMap:
+            name: alloy-config
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: alloy-config
+  namespace: testing
+data:
+  config.alloy: |
+      remote.kubernetes.configmap "default" {
+        namespace = "testing"
+        name = "alertmgr-global"
+      }
+
+      mimir.alerts.kubernetes "default" {
+        address = "http://mimir-nginx.mimir-test.svc:80"
+        global_config = remote.kubernetes.configmap.default.data["glbl"]
+        template_files = {
+          `default_template` = 
+      `{{ define "__alertmanager" }}AlertManager{{ end }}
+      {{ define "__alertmanagerURL" }}{{ .ExternalURL }}/#/alerts?receiver={{ .Receiver | urlquery }}{{ end }}`,
+        }
+        alertmanagerconfig_namespace_selector {
+            match_labels = {
+                alloy = "yes",
+            }
+        }
+        alertmanagerconfig_selector {
+            match_labels = {
+                alloy = "yes",
+            }
+        }
+      }
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: alertmgr-global
+  namespace: testing
+data:
+  glbl: |
+    global:
+      resolve_timeout: 5m
+      http_config:
+        follow_redirects: true
+        enable_http2: true
+      smtp_hello: localhost
+      smtp_require_tls: true
+    route:
+      receiver: "null"
+    receivers:
+    - name: "null"
+    - name: "alloy-namespace/global-config/myreceiver"
+    templates:
+    - 'default_template'
+---
+apiVersion: monitoring.coreos.com/v1alpha1
+kind: AlertmanagerConfig
+metadata:
+  name: alertmgr-config1
+  namespace: testing
+  labels:
+    alloy: "yes"
+spec:
+  route:
+    receiver: "null"
+    routes:
+    - receiver: myamc
+      continue: true
+  receivers:
+  - name: "null"
+  - name: myamc
+    webhookConfigs:
+    - url: http://test.url
+      httpConfig:
+        followRedirects: true
+---
+apiVersion: monitoring.coreos.com/v1alpha1
+kind: AlertmanagerConfig
+metadata:
+  name: alertmgr-config2
+  namespace: testing
+  labels:
+    alloy: "yes"
+spec:
+  route:
+    receiver: "null"
+    routes:
+    - receiver: 'database-pager'
+      groupWait: 10s
+      matchers:
+      - name: service
+        value: webapp
+  receivers:
+  - name: "null"
+  - name: "database-pager"
+```
+
+{{< /collapse >}}
+
+The Kubernetes configuration above will create the Alertmanager configuration below and send it to Mimir:
+
+{{< collapse title="Example merged configuration sent to Mimir." >}}
+
+```yaml
+template_files:
+    default_template: |-
+        {{ define "__alertmanager" }}AlertManager{{ end }}
+        {{ define "__alertmanagerURL" }}{{ .ExternalURL }}/#/alerts?receiver={{ .Receiver | urlquery }}{{ end }}
+alertmanager_config: |
+    global:
+      resolve_timeout: 5m
+      http_config:
+        follow_redirects: true
+        enable_http2: true
+      smtp_hello: localhost
+      smtp_require_tls: true
+    route:
+      receiver: "null"
+      continue: false
+      routes:
+      - receiver: testing/alertmgr-config1/null
+        matchers:
+        - namespace="testing"
+        continue: true
+        routes:
+        - receiver: testing/alertmgr-config1/myamc
+          continue: true
+      - receiver: testing/alertmgr-config2/null
+        matchers:
+        - namespace="testing"
+        continue: true
+        routes:
+        - receiver: testing/alertmgr-config2/database-pager
+          matchers:
+          - service="webapp"
+          continue: false
+          group_wait: 10s
+    receivers:
+    - name: "null"
+    - name: alloy-namespace/global-config/myreceiver
+    - name: testing/alertmgr-config1/null
+    - name: testing/alertmgr-config1/myamc
+      webhook_configs:
+      - send_resolved: false
+        http_config:
+          follow_redirects: true
+          enable_http2: true
+        url: <secret>
+        url_file: ""
+        max_alerts: 0
+        timeout: 0s
+    - name: testing/alertmgr-config2/null
+    - name: testing/alertmgr-config2/database-pager
+    templates:
+    - default_template
+```
+
+{{< /collapse >}}
diff --git a/go.mod b/go.mod
index ae1fa070c32..0da1f43ede2 100644
--- a/go.mod
+++ b/go.mod
@@ -188,9 +188,10 @@ require (
 	github.com/prometheus-community/stackdriver_exporter v0.18.0
 	github.com/prometheus-community/windows_exporter v0.31.3 // if you update the windows_exporter version, make sure to update the PROM_WIN_EXP_VERSION in _index
 	github.com/prometheus-community/yet-another-cloudwatch-exporter v0.62.1
-	github.com/prometheus-operator/prometheus-operator v0.82.2
-	github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.82.2
-	github.com/prometheus-operator/prometheus-operator/pkg/client v0.82.2
+	github.com/prometheus-operator/prometheus-operator v0.86.1
+	github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.86.1
+	github.com/prometheus-operator/prometheus-operator/pkg/client v0.86.1
+	github.com/prometheus/alertmanager v0.28.1
 	github.com/prometheus/blackbox_exporter v0.24.1-0.20230623125439-bd22efa1c900
 	github.com/prometheus/client_golang v1.23.2
 	github.com/prometheus/client_model v0.6.2
@@ -200,7 +201,7 @@ require (
 	github.com/prometheus/mysqld_exporter v0.17.2
 	github.com/prometheus/node_exporter v1.9.1
 	github.com/prometheus/procfs v0.17.0
-	github.com/prometheus/prometheus v0.305.1-0.20250806170547-208187eaa19b // replaced by a fork of v3.7.1 further down this file
+	github.com/prometheus/prometheus v0.305.1-0.20250818080900-0a40df33fb4e // replaced by a fork of v3.7.1 further down this file
 	github.com/prometheus/sigv4 v0.2.1
 	github.com/prometheus/snmp_exporter v0.29.0 // if you update the snmp_exporter version, make sure to update the SNMP_VERSION in _index
 	github.com/prometheus/statsd_exporter v0.28.0
@@ -306,10 +307,10 @@ require (
 	k8s.io/api v0.34.1
 	k8s.io/apimachinery v0.34.1
 	k8s.io/client-go v0.34.1
-	k8s.io/component-base v0.33.0
+	k8s.io/component-base v0.34.1
 	k8s.io/klog/v2 v2.130.1
-	k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d
-	sigs.k8s.io/controller-runtime v0.21.0
+	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4
+	sigs.k8s.io/controller-runtime v0.22.2
 	sigs.k8s.io/yaml v1.6.0
 )
 
@@ -577,16 +578,16 @@ require (
 	github.com/go-jose/go-jose/v4 v4.1.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
-	github.com/go-openapi/analysis v0.23.0 // indirect
+	github.com/go-openapi/analysis v0.24.0 // indirect
 	github.com/go-openapi/errors v0.22.3 // indirect
 	github.com/go-openapi/jsonpointer v0.22.1 // indirect
 	github.com/go-openapi/jsonreference v0.21.2 // indirect
-	github.com/go-openapi/loads v0.22.0 // indirect
-	github.com/go-openapi/runtime v0.28.0 // indirect
-	github.com/go-openapi/spec v0.21.0 // indirect
+	github.com/go-openapi/loads v0.23.1 // indirect
+	github.com/go-openapi/runtime v0.29.0 // indirect
+	github.com/go-openapi/spec v0.22.0 // indirect
 	github.com/go-openapi/strfmt v0.24.0 // indirect
 	github.com/go-openapi/swag v0.25.1 // indirect
-	github.com/go-openapi/validate v0.24.0 // indirect
+	github.com/go-openapi/validate v0.25.0 // indirect
 	github.com/go-resty/resty/v2 v2.16.5 // indirect
 	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 	github.com/go-zookeeper/zk v1.0.4 // indirect
@@ -812,8 +813,7 @@ require (
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
 	github.com/prometheus-community/go-runit v0.1.0 // indirect
-	github.com/prometheus-community/prom-label-proxy v0.11.0 // indirect
-	github.com/prometheus/alertmanager v0.28.1 // indirect
+	github.com/prometheus-community/prom-label-proxy v0.12.1 // indirect
 	github.com/prometheus/exporter-toolkit v0.14.1 // indirect
 	github.com/prometheus/otlptranslator v1.0.0 // indirect
 	github.com/puzpuzpuz/xsync/v3 v3.5.1 // indirect
@@ -887,9 +887,9 @@ require (
 	github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	go.etcd.io/bbolt v1.4.3 // indirect
-	go.etcd.io/etcd/api/v3 v3.5.21 // indirect
-	go.etcd.io/etcd/client/pkg/v3 v3.5.21 // indirect
-	go.etcd.io/etcd/client/v3 v3.5.21 // indirect
+	go.etcd.io/etcd/api/v3 v3.6.4 // indirect
+	go.etcd.io/etcd/client/pkg/v3 v3.6.4 // indirect
+	go.etcd.io/etcd/client/v3 v3.6.4 // indirect
 	go.mongodb.org/mongo-driver v1.17.4 // indirect
 	go.mongodb.org/mongo-driver/v2 v2.3.0 // indirect
 	go.opencensus.io v0.24.0 // indirect
@@ -968,7 +968,7 @@ require (
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	howett.net/plist v1.0.0 // indirect
-	k8s.io/apiextensions-apiserver v0.33.0 // indirect
+	k8s.io/apiextensions-apiserver v0.34.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
@@ -1004,6 +1004,7 @@ require (
 	github.com/go-openapi/swag/typeutils v0.25.1 // indirect
 	github.com/go-openapi/swag/yamlutils v0.25.1 // indirect
 	github.com/linode/go-metadata v0.2.2 // indirect
+	github.com/mitchellh/hashstructure v1.1.0 // indirect
 	github.com/twmb/franz-go/pkg/kadm v1.17.1 // indirect
 	golang.org/x/telemetry v0.0.0-20251008203120-078029d740a8 // indirect
 )
diff --git a/go.sum b/go.sum
index 4c50bc62079..824fb67b9e2 100644
--- a/go.sum
+++ b/go.sum
@@ -898,20 +898,20 @@ github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR
 github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
 github.com/go-ole/go-ole v1.3.0 h1:Dt6ye7+vXGIKZ7Xtk4s6/xVdGDQynvom7xCFEdWr6uE=
 github.com/go-ole/go-ole v1.3.0/go.mod h1:5LS6F96DhAwUc7C+1HLexzMXY1xGRSryjyPPKW6zv78=
-github.com/go-openapi/analysis v0.23.0 h1:aGday7OWupfMs+LbmLZG4k0MYXIANxcuBTYUC03zFCU=
-github.com/go-openapi/analysis v0.23.0/go.mod h1:9mz9ZWaSlV8TvjQHLl2mUW2PbZtemkE8yA5v22ohupo=
+github.com/go-openapi/analysis v0.24.0 h1:vE/VFFkICKyYuTWYnplQ+aVr45vlG6NcZKC7BdIXhsA=
+github.com/go-openapi/analysis v0.24.0/go.mod h1:GLyoJA+bvmGGaHgpfeDh8ldpGo69fAJg7eeMDMRCIrw=
 github.com/go-openapi/errors v0.22.3 h1:k6Hxa5Jg1TUyZnOwV2Lh81j8ayNw5VVYLvKrp4zFKFs=
 github.com/go-openapi/errors v0.22.3/go.mod h1:+WvbaBBULWCOna//9B9TbLNGSFOfF8lY9dw4hGiEiKQ=
 github.com/go-openapi/jsonpointer v0.22.1 h1:sHYI1He3b9NqJ4wXLoJDKmUmHkWy/L7rtEo92JUxBNk=
 github.com/go-openapi/jsonpointer v0.22.1/go.mod h1:pQT9OsLkfz1yWoMgYFy4x3U5GY5nUlsOn1qSBH5MkCM=
 github.com/go-openapi/jsonreference v0.21.2 h1:Wxjda4M/BBQllegefXrY/9aq1fxBA8sI5M/lFU6tSWU=
 github.com/go-openapi/jsonreference v0.21.2/go.mod h1:pp3PEjIsJ9CZDGCNOyXIQxsNuroxm8FAJ/+quA0yKzQ=
-github.com/go-openapi/loads v0.22.0 h1:ECPGd4jX1U6NApCGG1We+uEozOAvXvJSF4nnwHZ8Aco=
-github.com/go-openapi/loads v0.22.0/go.mod h1:yLsaTCS92mnSAZX5WWoxszLj0u+Ojl+Zs5Stn1oF+rs=
-github.com/go-openapi/runtime v0.28.0 h1:gpPPmWSNGo214l6n8hzdXYhPuJcGtziTOgUpvsFWGIQ=
-github.com/go-openapi/runtime v0.28.0/go.mod h1:QN7OzcS+XuYmkQLw05akXk0jRH/eZ3kb18+1KwW9gyc=
-github.com/go-openapi/spec v0.21.0 h1:LTVzPc3p/RzRnkQqLRndbAzjY0d0BCL72A6j3CdL9ZY=
-github.com/go-openapi/spec v0.21.0/go.mod h1:78u6VdPw81XU44qEWGhtr982gJ5BWg2c0I5XwVMotYk=
+github.com/go-openapi/loads v0.23.1 h1:H8A0dX2KDHxDzc797h0+uiCZ5kwE2+VojaQVaTlXvS0=
+github.com/go-openapi/loads v0.23.1/go.mod h1:hZSXkyACCWzWPQqizAv/Ye0yhi2zzHwMmoXQ6YQml44=
+github.com/go-openapi/runtime v0.29.0 h1:Y7iDTFarS9XaFQ+fA+lBLngMwH6nYfqig1G+pHxMRO0=
+github.com/go-openapi/runtime v0.29.0/go.mod h1:52HOkEmLL/fE4Pg3Kf9nxc9fYQn0UsIWyGjGIJE9dkg=
+github.com/go-openapi/spec v0.22.0 h1:xT/EsX4frL3U09QviRIZXvkh80yibxQmtoEvyqug0Tw=
+github.com/go-openapi/spec v0.22.0/go.mod h1:K0FhKxkez8YNS94XzF8YKEMULbFrRw4m15i2YUht4L0=
 github.com/go-openapi/strfmt v0.24.0 h1:dDsopqbI3wrrlIzeXRbqMihRNnjzGC+ez4NQaAAJLuc=
 github.com/go-openapi/strfmt v0.24.0/go.mod h1:Lnn1Bk9rZjXxU9VMADbEEOo7D7CDyKGLsSKekhFr7s4=
 github.com/go-openapi/swag v0.25.1 h1:6uwVsx+/OuvFVPqfQmOOPsqTcm5/GkBhNwLqIR916n8=
@@ -940,8 +940,8 @@ github.com/go-openapi/swag/typeutils v0.25.1 h1:rD/9HsEQieewNt6/k+JBwkxuAHktFtH3
 github.com/go-openapi/swag/typeutils v0.25.1/go.mod h1:9McMC/oCdS4BKwk2shEB7x17P6HmMmA6dQRtAkSnNb8=
 github.com/go-openapi/swag/yamlutils v0.25.1 h1:mry5ez8joJwzvMbaTGLhw8pXUnhDK91oSJLDPF1bmGk=
 github.com/go-openapi/swag/yamlutils v0.25.1/go.mod h1:cm9ywbzncy3y6uPm/97ysW8+wZ09qsks+9RS8fLWKqg=
-github.com/go-openapi/validate v0.24.0 h1:LdfDKwNbpB6Vn40xhTdNZAnfLECL81w+VX3BumrGD58=
-github.com/go-openapi/validate v0.24.0/go.mod h1:iyeX1sEufmv3nPbBdX3ieNviWnOZaJ1+zquzJEf2BAQ=
+github.com/go-openapi/validate v0.25.0 h1:JD9eGX81hDTjoY3WOzh6WqxVBVl7xjsLnvDo1GL5WPU=
+github.com/go-openapi/validate v0.25.0/go.mod h1:SUY7vKrN5FiwK6LyvSwKjDfLNirSfWwHNgxd2l29Mmw=
 github.com/go-quicktest/qt v1.101.1-0.20240301121107-c6c8733fa1e6 h1:teYtXy9B7y5lHTp8V9KPxpYRAVA7dozigQcMiBust1s=
 github.com/go-quicktest/qt v1.101.1-0.20240301121107-c6c8733fa1e6/go.mod h1:p4lGIVX+8Wa6ZPNDvqcxq36XpUDLh42FLetFU7odllI=
 github.com/go-resty/resty/v2 v2.16.5 h1:hBKqmWrr7uRc3euHVqmh1HTHcKn99Smr7o5spptdhTM=
@@ -1663,6 +1663,8 @@ github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrk
 github.com/mitchellh/go-testing-interface v0.0.0-20171004221916-a61a99592b77/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI=
 github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI=
 github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo=
+github.com/mitchellh/hashstructure v1.1.0 h1:P6P1hdjqAAknpY/M1CGipelZgp+4y9ja9kmUZPXP+H0=
+github.com/mitchellh/hashstructure v1.1.0/go.mod h1:xUDAozZz0Wmdiufv0uyhnHkUTN6/6d8ulp4AwfLKrmA=
 github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
@@ -2030,20 +2032,20 @@ github.com/prometheus-community/elasticsearch_exporter v1.5.0 h1:1k8CK7aPMdmJ/Lc
 github.com/prometheus-community/elasticsearch_exporter v1.5.0/go.mod h1:ZITzMapK/TzzsaKOBlNCatKGcCfp/6xIQg2ucoLHA5c=
 github.com/prometheus-community/go-runit v0.1.0 h1:uTWEj/Fn2RoLdfg/etSqwzgYNOYPrARx1BHUN052tGA=
 github.com/prometheus-community/go-runit v0.1.0/go.mod h1:AvJ9Jo3gAFu2lbM4+qfjdpq30FfiLDJZKbQ015u08IQ=
-github.com/prometheus-community/prom-label-proxy v0.11.0 h1:IO02WiiFMfcIqvjhwMbCYnDJiTNcSHBrkCGRQ/7KDd0=
-github.com/prometheus-community/prom-label-proxy v0.11.0/go.mod h1:lfvrG70XqsxWDrSh1843QXBG0fSg8EbIXmAo8xGsvw8=
+github.com/prometheus-community/prom-label-proxy v0.12.1 h1:vJ6tGz4NMge140Ua3T/zh3HO0CA3bmnCsfkWK/cujG0=
+github.com/prometheus-community/prom-label-proxy v0.12.1/go.mod h1:/tZNtOMcbPbE1VFcY8b48mPqT1bb2jVpXx2WdjjM8TY=
 github.com/prometheus-community/stackdriver_exporter v0.18.0 h1:nB7JwloiBziunaujql5XEjB06WOo0ePgBTCJxFeaOhY=
 github.com/prometheus-community/stackdriver_exporter v0.18.0/go.mod h1:f7T7XXRVc390sVc7rk2yNflf+RkClE4mlfsaSsW2K5Q=
 github.com/prometheus-community/windows_exporter v0.31.3 h1:v5HRhiSL/AgFtp96GjUATrtRMedNhjaMHogJBecgFSE=
 github.com/prometheus-community/windows_exporter v0.31.3/go.mod h1:tlw5aYgPu1kFassCBSBwnDBFHUlwznekAVJ0xiDuIko=
 github.com/prometheus-community/yet-another-cloudwatch-exporter v0.62.1 h1:tPCmjxeBXKAw9lShPqomjo38urqGK8+vuuoc4ZDbAA8=
 github.com/prometheus-community/yet-another-cloudwatch-exporter v0.62.1/go.mod h1:fiLXxDhLUhecZIOLStoYBYObHdycsWhhTmjP+b8Hkh4=
-github.com/prometheus-operator/prometheus-operator v0.82.2 h1:qalPLM8wkvCtu9aHcoSKGDpCZR3aWRMKeHev5WomTBQ=
-github.com/prometheus-operator/prometheus-operator v0.82.2/go.mod h1:y3t/ppLWBbUYDB9SLuLb8ShcJjdzXSV6eEmnsG4kLbk=
-github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.82.2 h1:XXoaK87apyXqLm7xVEQ63pk8+GDupbVtHaBiW8IxPow=
-github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.82.2/go.mod h1:hY5yoQsoIalncoxYqXXCDL5y7f+GGYYlW9Bi2IdU5KY=
-github.com/prometheus-operator/prometheus-operator/pkg/client v0.82.2 h1:b1hxYDNCPjVtj7v2TfRxKSIJaX4pfV/Y3j5YF1VO4g4=
-github.com/prometheus-operator/prometheus-operator/pkg/client v0.82.2/go.mod h1:v0FyOD1KpmiRrecXU5X1OA0tGuAzFPzzIZ3GYLk3NXY=
+github.com/prometheus-operator/prometheus-operator v0.86.1 h1:pHUuiRErcFb3nFDox7RxoxpEN0FyT24GtYOkr2GBu04=
+github.com/prometheus-operator/prometheus-operator v0.86.1/go.mod h1:uNwW4SQz9lgeWV6CeERONLEsuN7Avd8vn19C8eHwiWg=
+github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.86.1 h1:j/GvU9UxlK5nuUKOWYOY0LRqcfHZl1ffTOa46+00Cys=
+github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.86.1/go.mod h1:nPk0OteXBkbT0CRCa2oZQL1jRLW6RJ2fuIijHypeJdk=
+github.com/prometheus-operator/prometheus-operator/pkg/client v0.86.1 h1:IqbpBVUahr2978vI6GkoCeaaugklgtq0M0FRJ5Ytdkk=
+github.com/prometheus-operator/prometheus-operator/pkg/client v0.86.1/go.mod h1:dquFiWkRGsMzjxckZAOFSsqqhUYQ9UZtwBeqaOsrWCk=
 github.com/prometheus/alertmanager v0.28.1 h1:BK5pCoAtaKg01BYRUJhEDV1tqJMEtYBGzPw8QdvnnvA=
 github.com/prometheus/alertmanager v0.28.1/go.mod h1:0StpPUDDHi1VXeM7p2yYfeZgLVi/PPlt39vo9LQUHxM=
 github.com/prometheus/blackbox_exporter v0.24.1-0.20230623125439-bd22efa1c900 h1:mb3ShwohzXGV4JUW0XlEGPElmCMTQzEaVnWUzuoGMak=
@@ -2425,14 +2427,14 @@ go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.etcd.io/bbolt v1.4.3 h1:dEadXpI6G79deX5prL3QRNP6JB8UxVkqo4UPnHaNXJo=
 go.etcd.io/bbolt v1.4.3/go.mod h1:tKQlpPaYCVFctUIgFKFnAlvbmB3tpy1vkTnDWohtc0E=
 go.etcd.io/etcd/api/v3 v3.5.4/go.mod h1:5GB2vv4A4AOn3yk7MftYGHkUfGtDHnEraIjym4dYz5A=
-go.etcd.io/etcd/api/v3 v3.5.21 h1:A6O2/JDb3tvHhiIz3xf9nJ7REHvtEFJJ3veW3FbCnS8=
-go.etcd.io/etcd/api/v3 v3.5.21/go.mod h1:c3aH5wcvXv/9dqIw2Y810LDXJfhSYdHQ0vxmP3CCHVY=
+go.etcd.io/etcd/api/v3 v3.6.4 h1:7F6N7toCKcV72QmoUKa23yYLiiljMrT4xCeBL9BmXdo=
+go.etcd.io/etcd/api/v3 v3.6.4/go.mod h1:eFhhvfR8Px1P6SEuLT600v+vrhdDTdcfMzmnxVXXSbk=
 go.etcd.io/etcd/client/pkg/v3 v3.5.4/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g=
-go.etcd.io/etcd/client/pkg/v3 v3.5.21 h1:lPBu71Y7osQmzlflM9OfeIV2JlmpBjqBNlLtcoBqUTc=
-go.etcd.io/etcd/client/pkg/v3 v3.5.21/go.mod h1:BgqT/IXPjK9NkeSDjbzwsHySX3yIle2+ndz28nVsjUs=
+go.etcd.io/etcd/client/pkg/v3 v3.6.4 h1:9HBYrjppeOfFjBjaMTRxT3R7xT0GLK8EJMVC4xg6ok0=
+go.etcd.io/etcd/client/pkg/v3 v3.6.4/go.mod h1:sbdzr2cl3HzVmxNw//PH7aLGVtY4QySjQFuaCgcRFAI=
 go.etcd.io/etcd/client/v3 v3.5.4/go.mod h1:ZaRkVgBZC+L+dLCjTcF1hRXpgZXQPOvnA/Ak/gq3kiY=
-go.etcd.io/etcd/client/v3 v3.5.21 h1:T6b1Ow6fNjOLOtM0xSoKNQt1ASPCLWrF9XMHcH9pEyY=
-go.etcd.io/etcd/client/v3 v3.5.21/go.mod h1:mFYy67IOqmbRf/kRUvsHixzo3iG+1OF2W2+jVIQRAnU=
+go.etcd.io/etcd/client/v3 v3.6.4 h1:YOMrCfMhRzY8NgtzUsHl8hC2EBSnuqbR3dh84Uryl7A=
+go.etcd.io/etcd/client/v3 v3.6.4/go.mod h1:jaNNHCyg2FdALyKWnd7hxZXZxZANb0+KGY+YQaEMISo=
 go.mongodb.org/mongo-driver v1.17.4 h1:jUorfmVzljjr0FLzYQsGP8cgN/qzzxlY9Vh0C9KFXVw=
 go.mongodb.org/mongo-driver v1.17.4/go.mod h1:Hy04i7O2kC4RS06ZrhPRqj/u4DTYkFDAAccj+rVKqgQ=
 go.mongodb.org/mongo-driver/v2 v2.3.0 h1:sh55yOXA2vUjW1QYw/2tRlHSQViwDyPnW61AwpZ4rtU=
@@ -3261,20 +3263,20 @@ howett.net/plist v1.0.0 h1:7CrbWYbPPO/PyNy38b2EB/+gYbjCe2DXBxgtOOZbSQM=
 howett.net/plist v1.0.0/go.mod h1:lqaXoTrLY4hg8tnEzNru53gicrbv7rrk+2xJA/7hw9g=
 k8s.io/api v0.34.1 h1:jC+153630BMdlFukegoEL8E/yT7aLyQkIVuwhmwDgJM=
 k8s.io/api v0.34.1/go.mod h1:SB80FxFtXn5/gwzCoN6QCtPD7Vbu5w2n1S0J5gFfTYk=
-k8s.io/apiextensions-apiserver v0.33.0 h1:d2qpYL7Mngbsc1taA4IjJPRJ9ilnsXIrndH+r9IimOs=
-k8s.io/apiextensions-apiserver v0.33.0/go.mod h1:VeJ8u9dEEN+tbETo+lFkwaaZPg6uFKLGj5vyNEwwSzc=
+k8s.io/apiextensions-apiserver v0.34.1 h1:NNPBva8FNAPt1iSVwIE0FsdrVriRXMsaWFMqJbII2CI=
+k8s.io/apiextensions-apiserver v0.34.1/go.mod h1:hP9Rld3zF5Ay2Of3BeEpLAToP+l4s5UlxiHfqRaRcMc=
 k8s.io/apimachinery v0.34.1 h1:dTlxFls/eikpJxmAC7MVE8oOeP1zryV7iRyIjB0gky4=
 k8s.io/apimachinery v0.34.1/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw=
 k8s.io/client-go v0.34.1 h1:ZUPJKgXsnKwVwmKKdPfw4tB58+7/Ik3CrjOEhsiZ7mY=
 k8s.io/client-go v0.34.1/go.mod h1:kA8v0FP+tk6sZA0yKLRG67LWjqufAoSHA2xVGKw9Of8=
-k8s.io/component-base v0.33.0 h1:Ot4PyJI+0JAD9covDhwLp9UNkUja209OzsJ4FzScBNk=
-k8s.io/component-base v0.33.0/go.mod h1:aXYZLbw3kihdkOPMDhWbjGCO6sg+luw554KP51t8qCU=
+k8s.io/component-base v0.34.1 h1:v7xFgG+ONhytZNFpIz5/kecwD+sUhVE6HU7qQUiRM4A=
+k8s.io/component-base v0.34.1/go.mod h1:mknCpLlTSKHzAQJJnnHVKqjxR7gBeHRv0rPXA7gdtQ0=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
 k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
-k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d h1:wAhiDyZ4Tdtt7e46e9M5ZSAJ/MnPGPs+Ki1gHw4w1R0=
-k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
diff --git a/internal/cmd/integration-tests-k8s/tests/mimir-alerts-kubernetes/k8s_test.go b/internal/cmd/integration-tests-k8s/tests/mimir-alerts-kubernetes/k8s_test.go
new file mode 100644
index 00000000000..6ec92fafceb
--- /dev/null
+++ b/internal/cmd/integration-tests-k8s/tests/mimir-alerts-kubernetes/k8s_test.go
@@ -0,0 +1,92 @@
+package main
+
+import (
+	"os"
+	"strconv"
+	"testing"
+	"time"
+
+	"github.com/grafana/alloy/internal/cmd/integration-tests-k8s/util"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// Running the test in a stateful way means that k8s resources won't be deleted at the end.
+// It's useful for debugging. You can run the test like this:
+// ALLOY_STATEFUL_K8S_TEST=true make integration-test-k8s
+func isStateful() bool {
+	stateful, _ := strconv.ParseBool(os.Getenv("ALLOY_STATEFUL_K8S_TEST"))
+	return stateful
+}
+
+func TestMimirAlerts(t *testing.T) {
+	testDir := "./"
+
+	cleanupFunc := util.BootstrapTest(testDir, "mimir-alerts-kubernetes", isStateful())
+	defer cleanupFunc()
+
+	terminatePortFwd := util.ExecuteBackgroundCommand(
+		"kubectl", []string{"port-forward", "service/mimir-nginx", "12346:80", "--namespace=mimir-test"},
+		"Port forward Mimir")
+	defer terminatePortFwd()
+
+	expectedMimirConfig := `template_files:
+    default_template: |-
+        {{ define "__alertmanager" }}AlertManager{{ end }}
+        {{ define "__alertmanagerURL" }}{{ .ExternalURL }}/#/alerts?receiver={{ .Receiver | urlquery }}{{ end }}
+alertmanager_config: |
+    global:
+      resolve_timeout: 5m
+      http_config:
+        follow_redirects: true
+        enable_http2: true
+      smtp_hello: localhost
+      smtp_require_tls: true
+    route:
+      receiver: "null"
+      continue: false
+      routes:
+      - receiver: testing/alertmgr-config1/null
+        matchers:
+        - namespace="testing"
+        continue: true
+        routes:
+        - receiver: testing/alertmgr-config1/myamc
+          continue: true
+      - receiver: testing/alertmgr-config2/null
+        matchers:
+        - namespace="testing"
+        continue: true
+        routes:
+        - receiver: testing/alertmgr-config2/database-pager
+          matchers:
+          - service="webapp"
+          continue: false
+          group_wait: 10s
+    receivers:
+    - name: "null"
+    - name: alloy-namespace/global-config/myreceiver
+    - name: testing/alertmgr-config1/null
+    - name: testing/alertmgr-config1/myamc
+      webhook_configs:
+      - send_resolved: false
+        http_config:
+          follow_redirects: true
+          enable_http2: true
+        url: http://test.url
+        url_file: ""
+        max_alerts: 0
+        timeout: 0s
+    - name: testing/alertmgr-config2/null
+    - name: testing/alertmgr-config2/database-pager
+    templates:
+    - default_template
+`
+
+	require.EventuallyWithT(t, func(c *assert.CollectT) {
+		actualMimirConfig := util.Curl(c, "http://localhost:12346/api/v1/alerts")
+		require.Equal(c, expectedMimirConfig, actualMimirConfig)
+	}, 15*time.Second, 100*time.Millisecond)
+	// TODO: Print Alloy's logs if the test fails.
+	// TODO: Try changing some k8s resources and check Mimir's config again.
+}
diff --git a/internal/cmd/integration-tests-k8s/tests/mimir-alerts-kubernetes/kubernetes.yml b/internal/cmd/integration-tests-k8s/tests/mimir-alerts-kubernetes/kubernetes.yml
new file mode 100644
index 00000000000..c9245f49a00
--- /dev/null
+++ b/internal/cmd/integration-tests-k8s/tests/mimir-alerts-kubernetes/kubernetes.yml
@@ -0,0 +1,229 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: testing
+  labels:
+    alloy: "yes"
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: grafana-alloy
+  namespace: testing
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: grafana-alloy
+rules:
+- apiGroups: [""]
+  resources: ["namespaces", "configmaps"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["monitoring.coreos.com"]
+  resources: ["alertmanagerconfigs"]
+  verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: grafana-alloy
+subjects:
+- kind: ServiceAccount
+  name: grafana-alloy
+  namespace: testing
+roleRef:
+  kind: ClusterRole
+  name: grafana-alloy
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: grafana-alloy
+spec:
+  type: NodePort
+  selector:
+    app: grafana-alloy
+  ports:
+      # By default and for convenience, the `targetPort` is set to the same value as the `port` field.
+    - port: 8080
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: testing
+  name: grafana-alloy
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: grafana-alloy
+  template:
+    metadata:
+      labels:
+        app: grafana-alloy
+    spec:
+      serviceAccount: grafana-alloy
+      containers:
+      - name: alloy
+        image: grafana/alloy:latest
+        imagePullPolicy: Never
+        args:
+        - run
+        - /etc/config/config.alloy
+        - --stability.level=experimental
+        ports:
+        - containerPort: 8080
+        volumeMounts:
+        - name: config-volume
+          mountPath: /etc/config
+      volumes:
+        - name: config-volume
+          configMap:
+            name: alloy-config
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: alloy-config
+  namespace: testing
+data:
+  config.alloy: |
+      remote.kubernetes.configmap "default" {
+        namespace = "testing"
+        name = "alertmgr-global"
+      }
+
+      mimir.alerts.kubernetes "default" {
+        address = "http://mimir-nginx.mimir-test.svc:80"
+        global_config = remote.kubernetes.configmap.default.data["glbl"]
+        template_files = {
+          `default_template` = 
+      `{{ define "__alertmanager" }}AlertManager{{ end }}
+      {{ define "__alertmanagerURL" }}{{ .ExternalURL }}/#/alerts?receiver={{ .Receiver | urlquery }}{{ end }}`,
+        }
+        alertmanagerconfig_namespace_selector {
+            match_labels = {
+                alloy = "yes",
+            }
+        }
+        alertmanagerconfig_selector {
+            match_labels = {
+                alloy = "yes",
+            }
+        }
+      }
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: alertmgr-global
+  namespace: testing
+data:
+  glbl: |
+    global:
+      resolve_timeout: 5m
+      http_config:
+        follow_redirects: true
+        enable_http2: true
+      smtp_hello: localhost
+      smtp_require_tls: true
+    route:
+      receiver: "null"
+    receivers:
+    - name: "null"
+    - name: "alloy-namespace/global-config/myreceiver"
+    templates:
+    - 'default_template'
+---
+apiVersion: monitoring.coreos.com/v1alpha1
+kind: AlertmanagerConfig
+metadata:
+  name: alertmgr-config1
+  namespace: testing
+  labels:
+    alloy: "yes"
+spec:
+  route:
+    receiver: "null"
+    routes:
+    - receiver: myamc
+      continue: true
+  receivers:
+  - name: "null"
+  - name: myamc
+    webhookConfigs:
+    - url: http://test.url
+      httpConfig:
+        followRedirects: true
+---
+apiVersion: monitoring.coreos.com/v1alpha1
+kind: AlertmanagerConfig
+metadata:
+  name: alertmgr-config2
+  namespace: testing
+  labels:
+    alloy: "yes"
+spec:
+  route:
+    receiver: "null"
+    routes:
+    - receiver: 'database-pager'
+      groupWait: 10s
+      matchers:
+      - name: service
+        value: webapp
+  receivers:
+  - name: "null"
+  - name: "database-pager"
+---
+apiVersion: monitoring.coreos.com/v1alpha1
+kind: AlertmanagerConfig
+metadata:
+  name: alertmgr-config3
+  namespace: testing
+  # This config should not have the label required for 
+  # mimir.alerts.kubernetes to pick up the CRD. 
+  # 
+  # labels:
+  #   alloy: "yes"
+spec:
+  route:
+    receiver: "null"
+    routes:
+    - receiver: 'database-pager'
+      group_wait: 10s
+      matchers:
+      - name: service
+        value: webapp
+  receivers:
+  - name: "null"
+  - name: "database-pager"
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: othernamespace
+---
+apiVersion: monitoring.coreos.com/v1alpha1
+kind: AlertmanagerConfig
+metadata:
+  name: alertmgr-config3
+  # This config should be in a namespace which
+  # mimir.alerts.kubernetes is not watching.
+  namespace: othernamespace
+  labels:
+    alloy: "yes"
+spec:
+  route:
+    receiver: "null"
+    routes:
+    - receiver: team-X-mails
+      matchers:
+      - service
+        foo1|foo2|baz"
+  receivers:
+  - name: "null"
+  - name: "team-X-mails"
+    emailConfigs:
+    - to: 'team-X+alerts@example.org'
diff --git a/internal/cmd/integration-tests-k8s/tests/mimir-alerts-kubernetes/setup.sh b/internal/cmd/integration-tests-k8s/tests/mimir-alerts-kubernetes/setup.sh
new file mode 100755
index 00000000000..0898f522583
--- /dev/null
+++ b/internal/cmd/integration-tests-k8s/tests/mimir-alerts-kubernetes/setup.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+set -x #echo on
+
+# Install the Prometheus Operator
+LATEST=$(curl -s https://api.github.com/repos/prometheus-operator/prometheus-operator/releases/latest | jq -cr .tag_name)
+curl -sL https://github.com/prometheus-operator/prometheus-operator/releases/download/${LATEST}/bundle.yaml | kubectl create -f -
+
+# Install Mimir
+kubectl create namespace mimir-test
+helm repo add grafana https://grafana.github.io/helm-charts
+helm repo update
+# TODO: Upgrade to version 6 of Mimir's Helm chart.
+helm -n mimir-test install mimir grafana/mimir-distributed --version 5.8.0
diff --git a/internal/cmd/integration-tests-k8s/util/util.go b/internal/cmd/integration-tests-k8s/util/util.go
new file mode 100644
index 00000000000..9b567209850
--- /dev/null
+++ b/internal/cmd/integration-tests-k8s/util/util.go
@@ -0,0 +1,105 @@
+package util
+
+import (
+	"fmt"
+	"io"
+	"log"
+	"net/http"
+	"os"
+	"os/exec"
+
+	"github.com/stretchr/testify/assert"
+)
+
+type CleanupFunc func()
+
+func BootstrapTest(testDir, clusterName string, stateful bool) CleanupFunc {
+	image := "grafana/alloy:latest"
+
+	// Create a new cluster
+	// Minikube will raise an error if the cluster already exists.
+	// We don't need to check it explicitly.
+	ExecuteCommand(
+		"minikube", []string{"start", "-p", clusterName},
+		fmt.Sprintf("Creating the `%s` cluster", clusterName))
+
+	var cleanupFunc CleanupFunc
+	if stateful {
+		// In stateful mode, don't delete the cluster to allow for fast iteration
+		cleanupFunc = func() {
+			fmt.Printf("Stateful mode enabled: Skipping cluster deletion for `%s`\n", clusterName)
+		}
+	} else {
+		cleanupFunc = func() {
+			ExecuteCommand(
+				"minikube", []string{"delete", "-p", clusterName},
+				fmt.Sprintf("Deleting the `%s` cluster", clusterName))
+		}
+	}
+
+	// Load the Alloy image
+	ExecuteCommand(
+		"minikube", []string{"image", "load", image, "-p", clusterName},
+		fmt.Sprintf("Loading the `%s` image in the `%s` cluster", image, clusterName))
+
+	// Run a setup script. Install the operator
+	setupScript := testDir + "setup.sh"
+	ExecuteCommand(
+		setupScript, []string{},
+		fmt.Sprintf("Running the `%s`", setupScript))
+
+	// Run the kuberenetes.yaml file from each folder in each cluster
+	ExecuteCommand(
+		"kubectl", []string{"apply", "-f", testDir + "kubernetes.yml"},
+		"Applying the yaml manifest")
+
+	return cleanupFunc
+}
+
+// TODO: Reuse the function from the other int tests
+func ExecuteCommand(command string, args []string, taskDescription string) {
+	fmt.Printf("----- %s...\n", taskDescription)
+	cmd := exec.Command(command, args...)
+	fmt.Printf("Executing: %s %v\n", command, args)
+
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+
+	if err := cmd.Run(); err != nil {
+		log.Printf("Command finished with error: %v", err)
+	}
+}
+
+func ExecuteBackgroundCommand(command string, args []string, taskDescription string) CleanupFunc {
+	fmt.Printf("----- %s...\n", taskDescription)
+	cmd := exec.Command(command, args...)
+	fmt.Printf("Executing: %s %v\n", command, args)
+
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+
+	if err := cmd.Start(); err != nil {
+		log.Fatalf("Error: %s\n", err)
+	}
+
+	return func() {
+		if err := cmd.Process.Kill(); err != nil {
+			log.Fatalf("Error: %s\n", err)
+		}
+	}
+}
+
+func Curl(c *assert.CollectT, url string) string {
+	resp, err := http.Get(url)
+	if err != nil {
+		c.Errorf("Failed to make HTTP request: %v", err)
+		c.FailNow()
+	}
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		log.Fatalf("Failed to read response body: %v", err)
+	}
+
+	return string(body)
+}
diff --git a/internal/component/all/all.go b/internal/component/all/all.go
index 201850ff906..adcb28db54f 100644
--- a/internal/component/all/all.go
+++ b/internal/component/all/all.go
@@ -61,6 +61,7 @@ import (
 	_ "github.com/grafana/alloy/internal/component/loki/source/syslog"                       // Import loki.source.syslog
 	_ "github.com/grafana/alloy/internal/component/loki/source/windowsevent"                 // Import loki.source.windowsevent
 	_ "github.com/grafana/alloy/internal/component/loki/write"                               // Import loki.write
+	_ "github.com/grafana/alloy/internal/component/mimir/alerts/kubernetes"                  // Import mimir.alerts.kubernetes
 	_ "github.com/grafana/alloy/internal/component/mimir/rules/kubernetes"                   // Import mimir.rules.kubernetes
 	_ "github.com/grafana/alloy/internal/component/otelcol/auth/basic"                       // Import otelcol.auth.basic
 	_ "github.com/grafana/alloy/internal/component/otelcol/auth/bearer"                      // Import otelcol.auth.bearer
diff --git a/internal/component/mimir/alerts/kubernetes/alerts.go b/internal/component/mimir/alerts/kubernetes/alerts.go
new file mode 100644
index 00000000000..dfacc284a50
--- /dev/null
+++ b/internal/component/mimir/alerts/kubernetes/alerts.go
@@ -0,0 +1,349 @@
+package alerts
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"maps"
+	"sync"
+	"time"
+
+	"github.com/go-kit/log"
+	"github.com/grafana/dskit/backoff"
+	alertmgr_cfg "github.com/prometheus/alertmanager/config"
+	coreListers "k8s.io/client-go/listers/core/v1"
+	"k8s.io/client-go/util/workqueue"
+	_ "k8s.io/component-base/metrics/prometheus/workqueue"
+	controller "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/yaml"
+
+	"github.com/grafana/alloy/internal/component"
+	"github.com/grafana/alloy/internal/component/mimir/util"
+	"github.com/grafana/alloy/internal/featuregate"
+	mimirClient "github.com/grafana/alloy/internal/mimir/client"
+	"github.com/grafana/alloy/internal/runtime/logging/level"
+
+	commonK8s "github.com/grafana/alloy/internal/component/common/kubernetes"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/informers"
+	"k8s.io/client-go/kubernetes"
+
+	promExternalVersions "github.com/prometheus-operator/prometheus-operator/pkg/client/informers/externalversions"
+	promListers_v1alpha1 "github.com/prometheus-operator/prometheus-operator/pkg/client/listers/monitoring/v1alpha1"
+	promVersioned "github.com/prometheus-operator/prometheus-operator/pkg/client/versioned"
+)
+
+const (
+	configurationUpdate = "configuration-update"
+)
+
+var (
+	errShutdown = errors.New("component is shutting down")
+)
+
+func init() {
+	component.Register(component.Registration{
+		Name:      "mimir.alerts.kubernetes",
+		Stability: featuregate.StabilityExperimental,
+		Args:      Arguments{},
+		Exports:   nil,
+		Build: func(o component.Options, c component.Arguments) (component.Component, error) {
+			return New(o, c.(Arguments))
+		},
+	})
+}
+
+type Component struct {
+	log  log.Logger
+	opts component.Options
+	args Arguments
+
+	mimirClient mimirClient.AlertmanagerInterface
+
+	configUpdates chan ConfigUpdate
+
+	healthMut sync.RWMutex
+	health    component.Health
+	metrics   *metrics
+
+	k8sClient         kubernetes.Interface
+	namespaceSelector labels.Selector
+	cfgSelector       labels.Selector
+	eventProcessor    *eventProcessor
+	promClient        promVersioned.Interface
+}
+
+type ConfigUpdate struct {
+	args Arguments
+}
+
+var _ component.Component = (*Component)(nil)
+var _ component.DebugComponent = (*Component)(nil)
+var _ component.HealthComponent = (*Component)(nil)
+
+// New creates a new Component and initializes required clients based on the provided configuration.
+// TODO: Add clustering support
+func New(o component.Options, args Arguments) (*Component, error) {
+	c, err := newNoInit(o, args)
+	if err != nil {
+		return nil, err
+	}
+
+	err = c.init()
+	if err != nil {
+		return nil, fmt.Errorf("initializing component failed: %w", err)
+	}
+
+	return c, nil
+}
+
+func newNoInit(o component.Options, args Arguments) (*Component, error) {
+	m := newMetrics()
+	if err := m.register(o.Registerer); err != nil {
+		return nil, fmt.Errorf("registering metrics failed: %w", err)
+	}
+
+	c := &Component{
+		log:           o.Logger,
+		opts:          o,
+		args:          args,
+		configUpdates: make(chan ConfigUpdate),
+		metrics:       m,
+	}
+
+	return c, nil
+}
+
+func (c *Component) Run(ctx context.Context) error {
+	c.startupWithRetries(ctx, c, c)
+
+	for {
+		// iteration only returns a sentinel error to indicate shutdown, otherwise it handles
+		// any errors encountered itself by logging and marking the component as unhealthy.
+		err := c.iteration(ctx, c, c)
+		if errors.Is(err, errShutdown) {
+			break
+		} else if err != nil {
+			level.Error(c.log).Log("msg", "unexpected error from iteration loop; this is a bug", "err", err)
+			c.ReportUnhealthy(err)
+		}
+	}
+	return nil
+}
+
+func (c *Component) Update(newConfig component.Arguments) error {
+	c.configUpdates <- ConfigUpdate{
+		args: newConfig.(Arguments),
+	}
+	return nil
+}
+
+func (c *Component) startupWithRetries(ctx context.Context, state util.Lifecycle[Arguments], health util.HealthReporter) {
+	startupBackoff := backoff.New(
+		ctx,
+		backoff.Config{
+			MinBackoff: 1 * time.Second,
+			MaxBackoff: 10 * time.Second,
+			MaxRetries: 0, // infinite retries
+		},
+	)
+	for {
+		if err := state.Startup(ctx); err != nil {
+			level.Error(c.log).Log("msg", "starting up component failed, will retry", "err", err)
+			health.ReportUnhealthy(err)
+		} else {
+			break
+		}
+		startupBackoff.Wait()
+	}
+}
+
+func (c *Component) iteration(ctx context.Context, state util.Lifecycle[Arguments], health util.HealthReporter) error {
+	select {
+	case update := <-c.configUpdates:
+		c.metrics.configUpdatesTotal.Inc()
+		state.LifecycleUpdate(update.args)
+
+		if err := state.Restart(ctx); err != nil {
+			level.Error(c.log).Log("msg", "restarting component failed", "trigger", configurationUpdate, "err", err)
+			health.ReportUnhealthy(err)
+		}
+	case <-ctx.Done():
+		state.Shutdown()
+		return errShutdown
+	}
+
+	return nil
+}
+
+// update updates the Arguments used to create new Kubernetes or Mimir clients
+// when restarting the component in response to configuration or cluster updates.
+func (c *Component) LifecycleUpdate(args Arguments) {
+	c.args = args
+}
+
+// restart stops any existing event processor and starts a new one. This method is
+// a shortcut for calling shutdown, init, and startup in sequence.
+func (c *Component) Restart(ctx context.Context) error {
+	c.Shutdown()
+	if err := c.init(); err != nil {
+		return err
+	}
+
+	return c.Startup(ctx)
+}
+
+// startup launches the informers and starts the event loop if this instance is
+// the leader. If it is not the leader, startup does nothing.
+func (c *Component) Startup(ctx context.Context) error {
+	cfg := workqueue.TypedRateLimitingQueueConfig[commonK8s.Event]{Name: "mimir.alerts.kubernetes"}
+	queue := workqueue.NewTypedRateLimitingQueueWithConfig(workqueue.DefaultTypedControllerRateLimiter[commonK8s.Event](), cfg)
+	informerStopChan := make(chan struct{})
+
+	namespaceLister, err := c.startNamespaceInformer(queue, informerStopChan)
+	if err != nil {
+		return err
+	}
+
+	cfgLister, err := c.startConfigInformer(queue, informerStopChan)
+	if err != nil {
+		return err
+	}
+
+	var baseCfg alertmgr_cfg.Config
+	err = yaml.Unmarshal([]byte(c.args.GlobalConfig), &baseCfg)
+	if err != nil {
+		return fmt.Errorf("failed to unmarshal global config: %w", err)
+	}
+
+	c.eventProcessor = c.newEventProcessor(queue, informerStopChan, namespaceLister, cfgLister, baseCfg)
+
+	go c.eventProcessor.run(ctx)
+	return nil
+}
+
+// shutdown stops processing new events and waits for currently queued ones to be
+// processed. After this method is called eventProcessor is unset and must be recreated.
+func (c *Component) Shutdown() {
+	if c.eventProcessor != nil {
+		c.eventProcessor.stop()
+		c.eventProcessor = nil
+	}
+}
+
+// syncState asks the eventProcessor to sync rule state from the Mimir Ruler. It does
+// not block waiting for state to be synced.
+func (c *Component) SyncState() {}
+
+func (c *Component) init() error {
+	level.Info(c.log).Log("msg", "initializing with configuration")
+
+	// TODO: allow overriding some stuff in RestConfig and k8s client options?
+	restConfig, err := controller.GetConfig()
+	if err != nil {
+		return fmt.Errorf("failed to get k8s config: %w", err)
+	}
+
+	c.k8sClient, err = kubernetes.NewForConfig(restConfig)
+	if err != nil {
+		return fmt.Errorf("failed to create k8s client: %w", err)
+	}
+
+	c.promClient, err = promVersioned.NewForConfig(restConfig)
+	if err != nil {
+		return fmt.Errorf("failed to create prometheus operator client: %w", err)
+	}
+
+	httpClient := c.args.HTTPClientConfig.Convert()
+
+	c.mimirClient, err = mimirClient.New(c.log, mimirClient.Config{
+		Address:          c.args.Address,
+		HTTPClientConfig: *httpClient,
+	}, c.metrics.mimirClientTiming)
+	if err != nil {
+		return err
+	}
+
+	c.namespaceSelector, err = commonK8s.ConvertSelectorToListOptions(c.args.AlertmanagerConfigNamespaceSelector)
+	if err != nil {
+		return err
+	}
+
+	c.cfgSelector, err = commonK8s.ConvertSelectorToListOptions(c.args.AlertmanagerConfigSelector)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (c *Component) startNamespaceInformer(queue workqueue.TypedRateLimitingInterface[commonK8s.Event], stopChan chan struct{}) (coreListers.NamespaceLister, error) {
+	factory := informers.NewSharedInformerFactoryWithOptions(
+		c.k8sClient,
+		24*time.Hour,
+		informers.WithTweakListOptions(func(lo *metav1.ListOptions) {
+			lo.LabelSelector = c.namespaceSelector.String()
+		}),
+	)
+
+	namespaces := factory.Core().V1().Namespaces()
+	namespaceLister := namespaces.Lister()
+	namespaceInformer := namespaces.Informer()
+	_, err := namespaceInformer.AddEventHandler(commonK8s.NewQueuedEventHandler(c.log, queue))
+	if err != nil {
+		return nil, err
+	}
+
+	factory.Start(stopChan)
+
+	factory.WaitForCacheSync(stopChan)
+	return namespaceLister, nil
+}
+
+func (c *Component) startConfigInformer(queue workqueue.TypedRateLimitingInterface[commonK8s.Event], stopChan chan struct{}) (promListers_v1alpha1.AlertmanagerConfigLister, error) {
+	factory := promExternalVersions.NewSharedInformerFactoryWithOptions(
+		c.promClient,
+		24*time.Hour,
+		promExternalVersions.WithTweakListOptions(func(lo *metav1.ListOptions) {
+			lo.LabelSelector = c.cfgSelector.String()
+		}),
+	)
+
+	amConfigs := factory.Monitoring().V1alpha1().AlertmanagerConfigs()
+	ruleLister := amConfigs.Lister()
+	ruleInformer := amConfigs.Informer()
+	_, err := ruleInformer.AddEventHandler(commonK8s.NewQueuedEventHandler(c.log, queue))
+	if err != nil {
+		return nil, err
+	}
+
+	factory.Start(stopChan)
+	factory.WaitForCacheSync(stopChan)
+	return ruleLister, nil
+}
+
+func (c *Component) newEventProcessor(queue workqueue.TypedRateLimitingInterface[commonK8s.Event], stopChan chan struct{},
+	namespaceLister coreListers.NamespaceLister, cfgLister promListers_v1alpha1.AlertmanagerConfigLister,
+	baseCfg alertmgr_cfg.Config) *eventProcessor {
+
+	// Deep copy to make sure that a change in arguments won't immediately propagate to the event processor.
+	templateFiles := make(map[string]string, len(c.args.TemplateFiles))
+	maps.Copy(templateFiles, c.args.TemplateFiles)
+
+	return &eventProcessor{
+		queue:             queue,
+		stopChan:          stopChan,
+		health:            c,
+		mimirClient:       c.mimirClient,
+		namespaceLister:   namespaceLister,
+		cfgLister:         cfgLister,
+		baseCfg:           baseCfg,
+		namespaceSelector: c.namespaceSelector,
+		cfgSelector:       c.cfgSelector,
+		metrics:           c.metrics,
+		logger:            c.log,
+		kclient:           c.k8sClient,
+		templateFiles:     templateFiles,
+	}
+}
diff --git a/internal/component/mimir/alerts/kubernetes/alerts_test.go b/internal/component/mimir/alerts/kubernetes/alerts_test.go
new file mode 100644
index 00000000000..826dde5e363
--- /dev/null
+++ b/internal/component/mimir/alerts/kubernetes/alerts_test.go
@@ -0,0 +1,201 @@
+package alerts
+
+import (
+	"context"
+	"errors"
+	"sync"
+	"testing"
+
+	"github.com/go-kit/log"
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/stretchr/testify/require"
+	"go.uber.org/atomic"
+
+	"github.com/grafana/alloy/internal/component"
+	"github.com/grafana/alloy/syntax"
+)
+
+func TestAlloyConfigs(t *testing.T) {
+	var testCases = []struct {
+		name                  string
+		config                string
+		expectedErrorContains string
+	}{
+		{
+			name: "basic working config",
+			config: `
+	address = "GRAFANA_CLOUD_METRICS_URL"
+	global_config = ""
+	basic_auth {
+		username = "GRAFANA_CLOUD_USER"
+		password = "GRAFANA_CLOUD_API_KEY"
+	}`,
+		},
+		{
+			name: "invalid http config",
+			config: `
+	address = "GRAFANA_CLOUD_METRICS_URL"
+	global_config = ""
+	bearer_token = "token"
+	bearer_token_file = "/path/to/file.token"`,
+			expectedErrorContains: `at most one of basic_auth, authorization, oauth2, bearer_token & bearer_token_file must be configured`,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			var args Arguments
+			err := syntax.Unmarshal([]byte(tc.config), &args)
+			if tc.expectedErrorContains == "" {
+				require.NoError(t, err)
+			} else {
+				require.ErrorContains(t, err, tc.expectedErrorContains)
+			}
+		})
+	}
+}
+
+type fakeLifecycle struct {
+	updateCalled    atomic.Bool
+	startupCalled   atomic.Bool
+	restartCalled   atomic.Bool
+	shutdownCalled  atomic.Bool
+	syncStateCalled atomic.Bool
+
+	startupErr error
+	restartErr error
+}
+
+func (f *fakeLifecycle) LifecycleUpdate(Arguments) {
+	f.updateCalled.Store(true)
+}
+
+func (f *fakeLifecycle) Startup(context.Context) error {
+	f.startupCalled.Store(true)
+	return f.startupErr
+}
+
+func (f *fakeLifecycle) Restart(context.Context) error {
+	f.restartCalled.Store(true)
+	return f.restartErr
+}
+
+func (f *fakeLifecycle) Shutdown() {
+	f.shutdownCalled.Store(true)
+}
+
+func (f *fakeLifecycle) SyncState() {
+	f.syncStateCalled.Store(true)
+}
+
+type fakeHealthReporter struct {
+	mtx sync.Mutex
+	err error
+}
+
+func (f *fakeHealthReporter) ReportUnhealthy(err error) {
+	f.mtx.Lock()
+	f.err = err
+	f.mtx.Unlock()
+}
+
+func (f *fakeHealthReporter) ReportHealthy() {
+	f.mtx.Lock()
+	f.err = nil
+	f.mtx.Unlock()
+}
+
+func (f *fakeHealthReporter) getErr() error {
+	f.mtx.Lock()
+	defer f.mtx.Unlock()
+	return f.err
+}
+
+func newComponentForTesting(t *testing.T, reg prometheus.Registerer, logger log.Logger) *Component {
+	opts := component.Options{
+		ID:         "mimir.alerts.kubernetes",
+		Logger:     logger,
+		Registerer: reg,
+	}
+
+	args := Arguments{Address: "http://localhost:8080/"}
+	args.SetToDefault()
+
+	c, err := newNoInit(opts, args)
+	require.NoError(t, err)
+	return c
+}
+
+func TestIterationHandlesUpdate(t *testing.T) {
+	t.Run("error during restart", func(t *testing.T) {
+		reg := prometheus.NewPedanticRegistry()
+		logger := log.NewNopLogger()
+
+		health := &fakeHealthReporter{}
+		state := &fakeLifecycle{}
+		state.restartErr = errors.New("expected test error")
+
+		newArgs := Arguments{}
+		newArgs.SetToDefault()
+		newArgs.Address = "http://localhost:8080/"
+
+		var wg sync.WaitGroup
+		wg.Add(1)
+
+		c := newComponentForTesting(t, reg, logger)
+		go func() {
+			defer wg.Done()
+			require.NoError(t, c.iteration(t.Context(), state, health))
+		}()
+
+		require.NoError(t, c.Update(newArgs))
+		wg.Wait()
+
+		require.Error(t, health.getErr())
+		require.True(t, state.restartCalled.Load())
+	})
+
+	t.Run("success", func(t *testing.T) {
+		reg := prometheus.NewPedanticRegistry()
+		logger := log.NewNopLogger()
+
+		health := &fakeHealthReporter{}
+		state := &fakeLifecycle{}
+
+		newArgs := Arguments{}
+		newArgs.SetToDefault()
+		newArgs.Address = "http://localhost:8080/"
+
+		var wg sync.WaitGroup
+		wg.Add(1)
+
+		c := newComponentForTesting(t, reg, logger)
+		go func() {
+			defer wg.Done()
+			require.NoError(t, c.iteration(t.Context(), state, health))
+		}()
+
+		require.NoError(t, c.Update(newArgs))
+		wg.Wait()
+
+		require.NoError(t, health.getErr())
+		require.True(t, state.restartCalled.Load())
+	})
+}
+
+func TestIterationHandlesContextCanceled(t *testing.T) {
+	ctx, cancel := context.WithCancel(t.Context())
+	reg := prometheus.NewPedanticRegistry()
+	logger := log.NewNopLogger()
+
+	health := &fakeHealthReporter{}
+	state := &fakeLifecycle{}
+
+	c := newComponentForTesting(t, reg, logger)
+	go func() {
+		require.ErrorIs(t, c.iteration(ctx, state, health), errShutdown)
+	}()
+
+	cancel()
+	require.NoError(t, health.getErr())
+}
diff --git a/internal/component/mimir/alerts/kubernetes/debug.go b/internal/component/mimir/alerts/kubernetes/debug.go
new file mode 100644
index 00000000000..d11eeff6cef
--- /dev/null
+++ b/internal/component/mimir/alerts/kubernetes/debug.go
@@ -0,0 +1,6 @@
+package alerts
+
+// TODO: Implement a useful DebugInfo
+func (c *Component) DebugInfo() interface{} {
+	return nil
+}
diff --git a/internal/component/mimir/alerts/kubernetes/events.go b/internal/component/mimir/alerts/kubernetes/events.go
new file mode 100644
index 00000000000..c4e2adffe06
--- /dev/null
+++ b/internal/component/mimir/alerts/kubernetes/events.go
@@ -0,0 +1,280 @@
+package alerts
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+	"time"
+
+	"github.com/blang/semver/v4"
+	"github.com/go-kit/log"
+	"github.com/grafana/dskit/instrument"
+	"github.com/prometheus-operator/prometheus-operator/pkg/alertmanager"
+	validation_v1alpha1 "github.com/prometheus-operator/prometheus-operator/pkg/alertmanager/validation/v1alpha1"
+	monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
+	promv1alpha1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1alpha1"
+	"github.com/prometheus-operator/prometheus-operator/pkg/assets"
+	promListers_v1alpha "github.com/prometheus-operator/prometheus-operator/pkg/client/listers/monitoring/v1alpha1"
+	alertmgr_cfg "github.com/prometheus/alertmanager/config"
+	"github.com/prometheus/client_golang/prometheus"
+	"k8s.io/apimachinery/pkg/labels"
+	go_k8s "k8s.io/client-go/kubernetes"
+	coreListers "k8s.io/client-go/listers/core/v1"
+	"k8s.io/client-go/util/workqueue"
+	"sigs.k8s.io/yaml" // Used for CRD compatibility instead of gopkg.in/yaml.v2
+
+	"github.com/grafana/alloy/internal/component/common/kubernetes"
+	"github.com/grafana/alloy/internal/component/mimir/util"
+	"github.com/grafana/alloy/internal/mimir/client"
+	"github.com/grafana/alloy/internal/runtime/logging"
+	"github.com/grafana/alloy/internal/runtime/logging/level"
+)
+
+type eventProcessor struct {
+	queue    workqueue.TypedRateLimitingInterface[kubernetes.Event]
+	stopChan chan struct{}
+	health   util.HealthReporter
+
+	mimirClient       client.AlertmanagerInterface
+	namespaceLister   coreListers.NamespaceLister
+	baseCfg           alertmgr_cfg.Config
+	cfgLister         promListers_v1alpha.AlertmanagerConfigLister
+	namespaceSelector labels.Selector
+	cfgSelector       labels.Selector
+	templateFiles     map[string]string
+
+	kclient go_k8s.Interface
+
+	metrics *metrics
+	logger  log.Logger
+}
+
+type metrics struct {
+	configUpdatesTotal prometheus.Counter
+
+	eventsTotal   *prometheus.CounterVec
+	eventsFailed  *prometheus.CounterVec
+	eventsRetried *prometheus.CounterVec
+
+	mimirClientTiming *prometheus.HistogramVec
+}
+
+// TODO: Write unit tests which check metrics
+func newMetrics() *metrics {
+	return &metrics{
+		configUpdatesTotal: prometheus.NewCounter(prometheus.CounterOpts{
+			Subsystem: "mimir_alerts",
+			Name:      "config_updates_total",
+			Help:      "Total number of times the configuration has been updated.",
+		}),
+		eventsTotal: prometheus.NewCounterVec(prometheus.CounterOpts{
+			Subsystem: "mimir_alerts",
+			Name:      "events_total",
+			Help:      "Total number of events processed, partitioned by event type.",
+		}, []string{"type"}),
+		eventsFailed: prometheus.NewCounterVec(prometheus.CounterOpts{
+			Subsystem: "mimir_alerts",
+			Name:      "events_failed_total",
+			Help:      "Total number of events that failed to be processed, even after retries, partitioned by event type.",
+		}, []string{"type"}),
+		eventsRetried: prometheus.NewCounterVec(prometheus.CounterOpts{
+			Subsystem: "mimir_alerts",
+			Name:      "events_retried_total",
+			Help:      "Total number of retries across all events, partitioned by event type.",
+		}, []string{"type"}),
+		mimirClientTiming: prometheus.NewHistogramVec(prometheus.HistogramOpts{
+			Subsystem: "mimir_alerts",
+			Name:      "mimir_client_request_duration_seconds",
+			Help:      "Duration of requests to the Mimir API.",
+			Buckets:   instrument.DefBuckets,
+		}, instrument.HistogramCollectorBuckets),
+	}
+}
+
+func (m *metrics) register(r prometheus.Registerer) error {
+	for _, c := range []prometheus.Collector{
+		m.configUpdatesTotal,
+		m.eventsTotal,
+		m.eventsFailed,
+		m.eventsRetried,
+		m.mimirClientTiming,
+	} {
+		if err := r.Register(c); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// run processes events added to the queue until the queue is shutdown.
+func (e *eventProcessor) run(ctx context.Context) {
+	// Do an initial reconciliation so that Mimir is updated if there are no AlertmanagerConfig CRDs.
+	err := e.reconcileState(ctx)
+	if err != nil {
+		level.Error(e.logger).Log(
+			"msg", "failed to do an initial configuration update",
+			"err", err,
+		)
+		e.health.ReportUnhealthy(err)
+	} else {
+		e.health.ReportHealthy()
+	}
+
+	for {
+		evt, shutdown := e.queue.Get()
+		if shutdown {
+			level.Info(e.logger).Log("msg", "shutting down event loop")
+			return
+		}
+
+		e.metrics.eventsTotal.WithLabelValues(string(evt.Typ)).Inc()
+		err := e.processEvent(ctx, evt)
+
+		if err != nil {
+			retries := e.queue.NumRequeues(evt)
+			if retries < 5 && client.IsRecoverable(err) {
+				e.metrics.eventsRetried.WithLabelValues(string(evt.Typ)).Inc()
+				e.queue.AddRateLimited(evt)
+				level.Error(e.logger).Log(
+					"msg", "failed to process event, will retry",
+					"retries", fmt.Sprintf("%d/5", retries),
+					"err", err,
+				)
+				continue
+			} else {
+				e.metrics.eventsFailed.WithLabelValues(string(evt.Typ)).Inc()
+				level.Error(e.logger).Log(
+					"msg", "failed to process event, unrecoverable error or max retries exceeded",
+					"retries", fmt.Sprintf("%d/5", retries),
+					"err", err,
+				)
+				e.health.ReportUnhealthy(err)
+			}
+		} else {
+			e.health.ReportHealthy()
+		}
+
+		e.queue.Forget(evt)
+	}
+}
+
+// stop stops adding new Kubernetes events to the queue and blocks until all existing
+// events have been processed by the run loop.
+func (e *eventProcessor) stop() {
+	close(e.stopChan)
+	// Because this method blocks until the queue is empty, it's important that we don't
+	// stop the run loop and let it continue to process existing items in the queue.
+	e.queue.ShutDownWithDrain()
+}
+
+func (e *eventProcessor) processEvent(ctx context.Context, event kubernetes.Event) error {
+	defer e.queue.Done(event)
+	return e.reconcileState(ctx)
+}
+
+func (c *eventProcessor) provisionAlertmanagerConfiguration(ctx context.Context,
+	amConfigs map[string]*promv1alpha1.AlertmanagerConfig, store *assets.StoreBuilder) (*alertmgr_cfg.Config, error) {
+
+	var (
+		// TODO: Make this configurable?
+		version, _ = semver.New("0.29.0")
+		// TODO: Add an option to get an Alertmanager CRD through k8s informers.
+		cfgBuilder = alertmanager.NewConfigBuilder(slog.New(logging.NewSlogGoKitHandler(c.logger)), *version, store, &monitoringv1.Alertmanager{})
+	)
+
+	convertedCfg := c.baseCfg.String()
+	err := cfgBuilder.InitializeFromRawConfiguration([]byte(convertedCfg))
+	if err != nil {
+		return nil, fmt.Errorf("failed to initialize from global AlertmangerConfig: %w", err)
+	}
+
+	if err := cfgBuilder.AddAlertmanagerConfigs(ctx, amConfigs); err != nil {
+		return nil, fmt.Errorf("failed to generate Alertmanager configuration: %w", err)
+	}
+
+	generatedConfig, err := cfgBuilder.MarshalJSON()
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal configuration: %w", err)
+	}
+
+	var res alertmgr_cfg.Config
+	err = yaml.Unmarshal(generatedConfig, &res)
+	if err != nil {
+		return nil, fmt.Errorf("failed to unmarshal generated final configuration: %w", err)
+	}
+
+	return &res, nil
+}
+
+func (e *eventProcessor) reconcileState(ctx context.Context) error {
+	ctx, cancel := context.WithTimeout(ctx, 5*time.Second)
+	defer cancel()
+
+	cfg, err := e.desiredStateFromKubernetes(ctx)
+	if err != nil {
+		return err
+	}
+
+	err = e.mimirClient.CreateAlertmanagerConfigs(ctx, cfg, e.templateFiles)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// Load AlertmanagerConfig resources from Kubernetes and
+// merge them into one together with the global Alertmanager configuration.
+func (e *eventProcessor) desiredStateFromKubernetes(ctx context.Context) (*alertmgr_cfg.Config, error) {
+	cfgs, err := e.getKubernetesState()
+	if err != nil {
+		return nil, err
+	}
+
+	amConfigs := make(map[string]*promv1alpha1.AlertmanagerConfig)
+	for namespace, configs := range cfgs {
+		for _, config := range configs {
+			// Validate the AlertmanagerConfig CRDs
+			err := validation_v1alpha1.ValidateAlertmanagerConfig(config)
+			if err != nil {
+				level.Error(e.logger).Log(
+					"msg", "got an invalid AlertmanagerConfig CRD from Kubernetes",
+					"namespace", namespace,
+					"name", config.Name,
+					"err", err,
+				)
+				continue
+			}
+
+			id := namespace + `/` + config.Name
+			amConfigs[id] = config
+		}
+	}
+
+	cfg, err := e.provisionAlertmanagerConfiguration(ctx, amConfigs, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to provision Alertmanager configuration: %w", err)
+	}
+
+	return cfg, nil
+}
+
+// Returns AlertmanagerConfig resources indexed by Kubernetes namespace.
+func (e *eventProcessor) getKubernetesState() (map[string][]*promv1alpha1.AlertmanagerConfig, error) {
+	namespaces, err := e.namespaceLister.List(e.namespaceSelector)
+	if err != nil {
+		return nil, fmt.Errorf("failed to list namespaces: %w", err)
+	}
+
+	out := make(map[string][]*promv1alpha1.AlertmanagerConfig)
+	for _, namespace := range namespaces {
+		alertmanagerConfigs, err := e.cfgLister.AlertmanagerConfigs(namespace.Name).List(e.cfgSelector)
+		if err != nil {
+			return nil, fmt.Errorf("failed to list AlertmanagerConfig CRDs: %w", err)
+		}
+		out[namespace.Name] = append(out[namespace.Name], alertmanagerConfigs...)
+	}
+
+	return out, nil
+}
diff --git a/internal/component/mimir/alerts/kubernetes/events_test.go b/internal/component/mimir/alerts/kubernetes/events_test.go
new file mode 100644
index 00000000000..5baa136a11f
--- /dev/null
+++ b/internal/component/mimir/alerts/kubernetes/events_test.go
@@ -0,0 +1,445 @@
+package alerts
+
+import (
+	"context"
+	"fmt"
+	"sync"
+	"testing"
+	"time"
+
+	"sigs.k8s.io/yaml"
+
+	"github.com/go-kit/log"
+	monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
+	monitoringv1alpha1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1alpha1"
+	promListers_v1alpha1 "github.com/prometheus-operator/prometheus-operator/pkg/client/listers/monitoring/v1alpha1"
+	"github.com/prometheus/alertmanager/config"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/types"
+	coreListers "k8s.io/client-go/listers/core/v1"
+	"k8s.io/client-go/tools/cache"
+	"k8s.io/client-go/util/workqueue"
+
+	"github.com/grafana/alloy/internal/component/common/kubernetes"
+	mimirClient "github.com/grafana/alloy/internal/mimir/client"
+	"github.com/grafana/alloy/internal/util"
+	"github.com/grafana/alloy/internal/util/syncbuffer"
+	"github.com/grafana/alloy/syntax"
+)
+
+type fakeMimirClient struct {
+	alertMgrConfigsMut sync.RWMutex
+	alertMgrConfig     config.Config
+	templateFiles      map[string]string
+}
+
+var _ mimirClient.AlertmanagerInterface = &fakeMimirClient{}
+
+func newFakeMimirClient() *fakeMimirClient {
+	return &fakeMimirClient{}
+}
+
+func (m *fakeMimirClient) CreateAlertmanagerConfigs(ctx context.Context, conf *config.Config, templateFiles map[string]string) error {
+	m.alertMgrConfigsMut.Lock()
+	defer m.alertMgrConfigsMut.Unlock()
+	// These are just shallow copies, but it should be sufficient.
+	m.alertMgrConfig = *conf
+	m.templateFiles = templateFiles
+	return nil
+}
+
+func (m *fakeMimirClient) getAlertmanagerConfig() config.Config {
+	m.alertMgrConfigsMut.RLock()
+	defer m.alertMgrConfigsMut.RUnlock()
+	return m.alertMgrConfig
+}
+
+func convertToAlertmanagerType(t *testing.T, alertmanagerConf string) config.Config {
+	config.MarshalSecretValue = true
+
+	var res config.Config
+	err := yaml.Unmarshal([]byte(alertmanagerConf), &res)
+	assert.NoError(t, err)
+	return res
+}
+
+// createTestLoggerWithBuffer creates a logger that writes to a thread-safe buffer for testing
+func createTestLoggerWithBuffer(t *testing.T) (log.Logger, *syncbuffer.Buffer) {
+	t.Helper()
+
+	logBuffer := &syncbuffer.Buffer{}
+	logger := log.NewLogfmtLogger(log.NewSyncWriter(logBuffer))
+	logger = log.WithPrefix(logger,
+		"test", t.Name(),
+		"ts", log.DefaultTimestampUTC,
+	)
+
+	return logger, logBuffer
+}
+
+func TestEventLoop(t *testing.T) {
+	emptyCfg := "templates: []\n"
+
+	baseCfg := `
+global:
+  resolve_timeout: 5m
+  http_config:
+    follow_redirects: true
+    enable_http2: true
+  smtp_hello: localhost
+  smtp_require_tls: true
+route:
+  receiver: "null"
+  continue: false
+receivers:
+- name: "null"
+templates: []`
+
+	amConfCrd1 := `apiVersion: monitoring.coreos.com/v1alpha1
+kind: AlertmanagerConfig
+metadata:
+  name: alertmgr-config1
+  namespace: %s
+  labels: %s
+spec:
+  route:
+    receiver: "null"
+    routes:
+    - receiver: myamc
+      continue: true
+  receivers:
+  - name: "null"
+  - name: myamc
+    webhookConfigs:
+    - url: http://test.url
+      httpConfig:
+        followRedirects: true`
+
+	amConfCrd1_mynamespace := fmt.Sprintf(amConfCrd1, "mynamespace", "")
+	amConfCrd1_mynamespace_alloyLabel := fmt.Sprintf(amConfCrd1, "mynamespace", `{alloy: "yes"}`)
+
+	amConfCrd2 := `apiVersion: monitoring.coreos.com/v1alpha1
+kind: AlertmanagerConfig
+metadata:
+  name: alertmgr-config2
+  namespace: %s
+spec:
+  route:
+    receiver: "null"
+    routes:
+    - receiver: 'database-pager'
+      groupWait: 10s
+      matchers:
+      - name: service
+        value: webapp
+  receivers:
+  - name: "null"
+  - name: "database-pager"`
+
+	amConfCrd2_mynamespace := fmt.Sprintf(amConfCrd2, "mynamespace")
+	amConfCrd2_myOtherNamespace := fmt.Sprintf(amConfCrd2, "myOtherNamespace")
+
+	final_amConf_1 := `global:
+  resolve_timeout: 5m
+  http_config:
+    follow_redirects: true
+    enable_http2: true
+  smtp_hello: localhost
+  smtp_require_tls: true
+route:
+  receiver: "null"
+  continue: false
+  routes:
+  - receiver: mynamespace/alertmgr-config1/null
+    matchers:
+    - namespace="mynamespace"
+    continue: true
+    routes:
+    - receiver: mynamespace/alertmgr-config1/myamc
+      continue: true
+receivers:
+- name: "null"
+- name: mynamespace/alertmgr-config1/null
+- name: mynamespace/alertmgr-config1/myamc
+  webhook_configs:
+  - send_resolved: false
+    http_config:
+      follow_redirects: true
+      enable_http2: true
+    url: http://test.url
+    url_file: ""
+    max_alerts: 0
+    timeout: 0s
+templates: []`
+
+	final_amConf_1_and_2 := `global:
+  resolve_timeout: 5m
+  http_config:
+    follow_redirects: true
+    enable_http2: true
+  smtp_hello: localhost
+  smtp_require_tls: true
+route:
+  receiver: "null"
+  continue: false
+  routes:
+  - receiver: mynamespace/alertmgr-config1/null
+    matchers:
+    - namespace="mynamespace"
+    continue: true
+    routes:
+    - receiver: mynamespace/alertmgr-config1/myamc
+      continue: true
+  - receiver: mynamespace/alertmgr-config2/null
+    matchers:
+    - namespace="mynamespace"
+    continue: true
+    routes:
+    - receiver: mynamespace/alertmgr-config2/database-pager
+      matchers:
+      - "service=\"webapp\""
+      continue: false
+      group_wait: 10s
+receivers:
+- name: "null"
+- name: mynamespace/alertmgr-config1/null
+- name: mynamespace/alertmgr-config1/myamc
+  webhook_configs:
+  - send_resolved: false
+    timeout: 0s
+    http_config:
+      follow_redirects: true
+      enable_http2: true
+    url: http://test.url
+    url_file: ""
+    max_alerts: 0
+- name: mynamespace/alertmgr-config2/null
+- name: mynamespace/alertmgr-config2/database-pager
+templates: []`
+
+	tests := []struct {
+		name              string
+		baseCfgStr        string
+		matcherStrategy   monitoringv1.AlertmanagerConfigMatcherStrategy
+		amConfig          []string
+		namespaceSelector string
+		cfgSelector       string
+		want              string
+		expectLogMessage  string // Expected error log message to check for
+	}{
+		{
+			name:       "No AlertmanagerConfig CRDs",
+			baseCfgStr: baseCfg,
+			amConfig:   []string{},
+			matcherStrategy: monitoringv1.AlertmanagerConfigMatcherStrategy{
+				Type: "OnNamespace",
+			},
+			want: baseCfg,
+		},
+		{
+			name:       "2 AlertmanagerConfig CRDs",
+			baseCfgStr: baseCfg,
+			amConfig: []string{
+				amConfCrd1_mynamespace,
+				amConfCrd2_mynamespace,
+			},
+			matcherStrategy: monitoringv1.AlertmanagerConfigMatcherStrategy{
+				Type: "OnNamespace",
+			},
+			want: final_amConf_1_and_2,
+		},
+		{
+			name:       "2 AlertmanagerConfig CRDs and no base config",
+			baseCfgStr: "",
+			amConfig: []string{
+				amConfCrd1_mynamespace,
+				amConfCrd2_mynamespace,
+			},
+			matcherStrategy: monitoringv1.AlertmanagerConfigMatcherStrategy{
+				Type: "OnNamespace",
+			},
+			want:             emptyCfg,
+			expectLogMessage: "failed to do an initial configuration update",
+		},
+		{
+			name:       "2 AlertmanagerConfig CRDs - 1 in another namespace",
+			baseCfgStr: baseCfg,
+			amConfig: []string{
+				amConfCrd1_mynamespace,
+				amConfCrd2_myOtherNamespace,
+			},
+			matcherStrategy: monitoringv1.AlertmanagerConfigMatcherStrategy{
+				Type: "OnNamespace",
+			},
+			want: final_amConf_1,
+		},
+		{
+			name:       "With selectors",
+			baseCfgStr: baseCfg,
+			amConfig: []string{
+				amConfCrd1_mynamespace_alloyLabel,
+				amConfCrd2_mynamespace,
+			},
+			namespaceSelector: `
+		match_labels = {
+			alloy = "yes",
+		}`,
+			cfgSelector: `
+		match_labels = {
+			alloy = "yes",
+		}`,
+			matcherStrategy: monitoringv1.AlertmanagerConfigMatcherStrategy{
+				Type: "OnNamespace",
+			},
+			want: final_amConf_1,
+		},
+		{
+			name:       "1 invalid AlertmanagerConfig CRD",
+			baseCfgStr: baseCfg,
+			amConfig: []string{
+				`apiVersion: monitoring.coreos.com/v1alpha1
+kind: AlertmanagerConfig
+metadata:
+  name: alertmgr-config3
+  # This config should be in a namespace which
+  # mimir.alerts.kubernetes is not watching.
+  namespace: mynamespace
+  labels:
+    alloy: "yes"
+spec:
+  route:
+    receiver: "null"
+    routes:
+    - receiver: team-X-mails
+      matchers:
+      - service=~"foo1|foo2|baz"
+  receivers:
+  - name: "null"
+  - name: "team-X-mails"
+    emailConfigs:
+    - to: 'team-X+alerts@example.org'`,
+			},
+			matcherStrategy: monitoringv1.AlertmanagerConfigMatcherStrategy{
+				Type: "OnNamespace",
+			},
+			want:             baseCfg,
+			expectLogMessage: "got an invalid AlertmanagerConfig CRD from Kubernetes",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			nsIndexer := testNamespaceIndexer()
+			ruleIndexer := testRuleIndexer()
+
+			mimirClient := newFakeMimirClient()
+
+			ns := &corev1.Namespace{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "mynamespace",
+					UID:  types.UID("33f8860c-bd06-4c0d-a0b1-a114d6b9937b"),
+					Labels: map[string]string{
+						"alloy": "yes",
+					},
+				},
+			}
+
+			namespaceSelector := labels.Everything()
+			if tt.namespaceSelector != "" {
+				namespaceSelector = convertStringToSelector(t, tt.namespaceSelector)
+			}
+
+			cfgSelector := labels.Everything()
+			if tt.cfgSelector != "" {
+				cfgSelector = convertStringToSelector(t, tt.cfgSelector)
+			}
+
+			// Create logger with buffer to capture log messages
+			var testLogger log.Logger
+			var logBuffer *syncbuffer.Buffer
+			if tt.expectLogMessage != "" {
+				testLogger, logBuffer = createTestLoggerWithBuffer(t)
+			} else {
+				testLogger = util.TestLogger(t)
+			}
+
+			processor := &eventProcessor{
+				queue:             workqueue.NewTypedRateLimitingQueue(workqueue.DefaultTypedControllerRateLimiter[kubernetes.Event]()),
+				stopChan:          make(chan struct{}),
+				health:            &fakeHealthReporter{},
+				mimirClient:       mimirClient,
+				baseCfg:           convertToAlertmanagerType(t, tt.baseCfgStr),
+				namespaceLister:   coreListers.NewNamespaceLister(nsIndexer),
+				cfgLister:         promListers_v1alpha1.NewAlertmanagerConfigLister(ruleIndexer),
+				namespaceSelector: namespaceSelector,
+				cfgSelector:       cfgSelector,
+				metrics:           newMetrics(),
+				logger:            testLogger,
+			}
+
+			go processor.run(t.Context())
+			defer processor.stop()
+
+			eventHandler := kubernetes.NewQueuedEventHandler(processor.logger, processor.queue)
+
+			// Add a namespace to kubernetes
+			require.NoError(t, nsIndexer.Add(ns))
+
+			// Add a AlertmanagerConfigs to kubernetes
+			for _, amConfigStr := range tt.amConfig {
+				var amConfig monitoringv1alpha1.AlertmanagerConfig
+				err := yaml.Unmarshal([]byte(amConfigStr), &amConfig)
+				assert.NoError(t, err)
+
+				require.NoError(t, ruleIndexer.Add(&amConfig))
+				eventHandler.OnAdd(&amConfig, false)
+			}
+
+			// Wait for the configs to be added to mimir
+			require.EventuallyWithT(t, func(c *assert.CollectT) {
+				actual := mimirClient.getAlertmanagerConfig().String()
+				require.YAMLEq(c, tt.want, actual, "want", tt.want, "actual", actual)
+			}, 10*time.Second, 100*time.Millisecond)
+
+			// Check for expected log messages if specified
+			if tt.expectLogMessage != "" && logBuffer != nil {
+				require.EventuallyWithT(t, func(c *assert.CollectT) {
+					logOutput := logBuffer.String()
+					require.Contains(c, logOutput, tt.expectLogMessage,
+						"Expected log message not found in output: %s", logOutput)
+				}, 5*time.Second, 100*time.Millisecond)
+			}
+
+			// TODO: Check the component health
+		})
+	}
+}
+
+func convertStringToSelector(t *testing.T, labelSelector string) labels.Selector {
+	var alloySelector kubernetes.LabelSelector
+	err := syntax.Unmarshal([]byte(labelSelector), &alloySelector)
+	assert.NoError(t, err)
+
+	selector, err := kubernetes.ConvertSelectorToListOptions(alloySelector)
+	assert.NoError(t, err)
+	return selector
+}
+
+func testRuleIndexer() cache.Indexer {
+	ruleIndexer := cache.NewIndexer(
+		cache.DeletionHandlingMetaNamespaceKeyFunc,
+		cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc},
+	)
+	return ruleIndexer
+}
+
+func testNamespaceIndexer() cache.Indexer {
+	nsIndexer := cache.NewIndexer(
+		cache.DeletionHandlingMetaNamespaceKeyFunc,
+		cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc},
+	)
+	return nsIndexer
+}
diff --git a/internal/component/mimir/alerts/kubernetes/health.go b/internal/component/mimir/alerts/kubernetes/health.go
new file mode 100644
index 00000000000..a119f6e3bf3
--- /dev/null
+++ b/internal/component/mimir/alerts/kubernetes/health.go
@@ -0,0 +1,32 @@
+package alerts
+
+import (
+	"time"
+
+	"github.com/grafana/alloy/internal/component"
+)
+
+func (c *Component) ReportUnhealthy(err error) {
+	c.healthMut.Lock()
+	defer c.healthMut.Unlock()
+	c.health = component.Health{
+		Health:     component.HealthTypeUnhealthy,
+		Message:    err.Error(),
+		UpdateTime: time.Now(),
+	}
+}
+
+func (c *Component) ReportHealthy() {
+	c.healthMut.Lock()
+	defer c.healthMut.Unlock()
+	c.health = component.Health{
+		Health:     component.HealthTypeHealthy,
+		UpdateTime: time.Now(),
+	}
+}
+
+func (c *Component) CurrentHealth() component.Health {
+	c.healthMut.RLock()
+	defer c.healthMut.RUnlock()
+	return c.health
+}
diff --git a/internal/component/mimir/alerts/kubernetes/types.go b/internal/component/mimir/alerts/kubernetes/types.go
new file mode 100644
index 00000000000..c1ffc6aeed8
--- /dev/null
+++ b/internal/component/mimir/alerts/kubernetes/types.go
@@ -0,0 +1,35 @@
+package alerts
+
+import (
+	"github.com/grafana/alloy/internal/component/common/config"
+	"github.com/grafana/alloy/internal/component/common/kubernetes"
+	"github.com/grafana/alloy/syntax/alloytypes"
+)
+
+type Arguments struct {
+	Address          string                  `alloy:"address,attr"`
+	HTTPClientConfig config.HTTPClientConfig `alloy:",squash"`
+
+	TemplateFiles map[string]string `alloy:"template_files,attr,optional"`
+	GlobalConfig  alloytypes.Secret `alloy:"global_config,attr"`
+
+	// TODO: Add an attr for the matcher strategy?
+
+	AlertmanagerConfigSelector          kubernetes.LabelSelector `alloy:"alertmanagerconfig_selector,block,optional"`
+	AlertmanagerConfigNamespaceSelector kubernetes.LabelSelector `alloy:"alertmanagerconfig_namespace_selector,block,optional"`
+}
+
+var DefaultArguments = Arguments{
+	HTTPClientConfig: config.DefaultHTTPClientConfig,
+}
+
+// SetToDefault implements syntax.Defaulter.
+func (args *Arguments) SetToDefault() {
+	*args = DefaultArguments
+}
+
+// Validate implements syntax.Validator.
+func (args *Arguments) Validate() error {
+	// We must explicitly Validate because HTTPClientConfig is squashed and it won't run otherwise
+	return args.HTTPClientConfig.Validate()
+}
diff --git a/internal/component/mimir/rules/kubernetes/events.go b/internal/component/mimir/rules/kubernetes/events.go
index 1e307661ec5..2397f018987 100644
--- a/internal/component/mimir/rules/kubernetes/events.go
+++ b/internal/component/mimir/rules/kubernetes/events.go
@@ -35,7 +35,7 @@ type eventProcessor struct {
 	stopChan chan struct{}
 	health   healthReporter
 
-	mimirClient        client.Interface
+	mimirClient        client.RulerInterface
 	namespaceLister    coreListers.NamespaceLister
 	ruleLister         promListers.PrometheusRuleLister
 	namespaceSelector  labels.Selector
diff --git a/internal/component/mimir/rules/kubernetes/events_test.go b/internal/component/mimir/rules/kubernetes/events_test.go
index f1969612b4a..04c8fadbe17 100644
--- a/internal/component/mimir/rules/kubernetes/events_test.go
+++ b/internal/component/mimir/rules/kubernetes/events_test.go
@@ -31,7 +31,7 @@ type fakeMimirClient struct {
 	rules    map[string][]client.MimirRuleGroup
 }
 
-var _ client.Interface = &fakeMimirClient{}
+var _ client.RulerInterface = &fakeMimirClient{}
 
 func newFakeMimirClient() *fakeMimirClient {
 	return &fakeMimirClient{
diff --git a/internal/component/mimir/rules/kubernetes/rules.go b/internal/component/mimir/rules/kubernetes/rules.go
index 162486152b2..223ef6687ad 100644
--- a/internal/component/mimir/rules/kubernetes/rules.go
+++ b/internal/component/mimir/rules/kubernetes/rules.go
@@ -60,7 +60,7 @@ type Component struct {
 	opts component.Options
 	args Arguments
 
-	mimirClient       mimirClient.Interface
+	mimirClient       mimirClient.RulerInterface
 	k8sClient         kubernetes.Interface
 	promClient        promVersioned.Interface
 	namespaceSelector labels.Selector
diff --git a/internal/component/mimir/util/util.go b/internal/component/mimir/util/util.go
new file mode 100644
index 00000000000..479f849f876
--- /dev/null
+++ b/internal/component/mimir/util/util.go
@@ -0,0 +1,36 @@
+package util
+
+import (
+	"context"
+)
+
+// TODO: Use the functions in this file in the mimir.rules.kubernetes component.
+
+// healthReporter encapsulates the logic for marking a component as healthy or
+// not healthy to make testing portions of the Component easier.
+type HealthReporter interface {
+	// reportUnhealthy marks the owning component as unhealthy
+	ReportUnhealthy(err error)
+	// reportHealthy marks the owning component as healthy
+	ReportHealthy()
+}
+
+// lifecycle encapsulates state transitions and mutable state to make testing
+// portions of the Component easier.
+type Lifecycle[T any] interface {
+	// update updates the Arguments used for configuring the Component.
+	LifecycleUpdate(args T)
+
+	// startup starts processing events from Kubernetes object changes.
+	Startup(ctx context.Context) error
+
+	// restart stops the component if running and then starts it again.
+	Restart(ctx context.Context) error
+
+	// shutdown stops the component, blocking until existing events are processed.
+	Shutdown()
+
+	// syncState requests that Mimir ruler state be synced independent of any
+	// changes made to Kubernetes objects.
+	SyncState()
+}
diff --git a/internal/component/prometheus/operator/configgen/config_gen_podmonitor.go b/internal/component/prometheus/operator/configgen/config_gen_podmonitor.go
index e7ea74e1583..9fb6ed393b9 100644
--- a/internal/component/prometheus/operator/configgen/config_gen_podmonitor.go
+++ b/internal/component/prometheus/operator/configgen/config_gen_podmonitor.go
@@ -73,16 +73,16 @@ func (cg *ConfigGenerator) GeneratePodMonitorConfig(m *promopv1.PodMonitor, ep p
 	if ep.FollowRedirects != nil {
 		cfg.HTTPClientConfig.FollowRedirects = *ep.FollowRedirects
 	}
-	if ep.EnableHttp2 != nil {
-		cfg.HTTPClientConfig.EnableHTTP2 = *ep.EnableHttp2
+	if ep.EnableHTTP2 != nil {
+		cfg.HTTPClientConfig.EnableHTTP2 = *ep.EnableHTTP2
 	}
 	if ep.TLSConfig != nil {
 		if cfg.HTTPClientConfig.TLSConfig, err = cg.generateSafeTLS(*ep.TLSConfig, m.Namespace); err != nil {
 			return nil, err
 		}
 	}
-	if ep.BearerTokenSecret.Name != "" { //nolint:staticcheck
-		val, err := cg.Secrets.GetSecretValue(m.Namespace, ep.BearerTokenSecret) //nolint:staticcheck
+	if ep.BearerTokenSecret != nil && ep.BearerTokenSecret.Name != "" { //nolint:staticcheck
+		val, err := cg.Secrets.GetSecretValue(m.Namespace, *ep.BearerTokenSecret) //nolint:staticcheck
 		if err != nil {
 			return nil, err
 		}
diff --git a/internal/component/prometheus/operator/configgen/config_gen_podmonitor_test.go b/internal/component/prometheus/operator/configgen/config_gen_podmonitor_test.go
index b96bc07febf..16634bdf167 100644
--- a/internal/component/prometheus/operator/configgen/config_gen_podmonitor_test.go
+++ b/internal/component/prometheus/operator/configgen/config_gen_podmonitor_test.go
@@ -392,27 +392,31 @@ func TestGeneratePodMonitorConfig(t *testing.T) {
 			},
 			ep: promopv1.PodMetricsEndpoint{
 				Port:            stringPtr("metrics"),
-				EnableHttp2:     falsePtr,
 				Path:            "/foo",
 				Params:          map[string][]string{"a": {"b"}},
-				FollowRedirects: falsePtr,
-				ProxyURL:        &proxyURL,
 				Scheme:          "https",
 				ScrapeTimeout:   "17s",
 				Interval:        "12m",
 				HonorLabels:     true,
 				HonorTimestamps: falsePtr,
 				FilterRunning:   falsePtr,
-				TLSConfig: &promopv1.SafeTLSConfig{
-					ServerName:         stringPtr("foo.com"),
-					InsecureSkipVerify: boolPtr(true),
-				},
 				RelabelConfigs: []promopv1.RelabelConfig{
 					{
 						SourceLabels: []promopv1.LabelName{"foo"},
 						TargetLabel:  "bar",
 					},
 				},
+				HTTPConfig: promopv1.HTTPConfig{
+					EnableHTTP2:     falsePtr,
+					FollowRedirects: falsePtr,
+					ProxyConfig: promopv1.ProxyConfig{
+						ProxyURL: &proxyURL,
+					},
+					TLSConfig: &promopv1.SafeTLSConfig{
+						ServerName:         stringPtr("foo.com"),
+						InsecureSkipVerify: boolPtr(true),
+					},
+				},
 			},
 			expectedRelabels: util.Untab(`
 				- target_label: __meta_foo
diff --git a/internal/component/prometheus/operator/configgen/config_gen_probe.go b/internal/component/prometheus/operator/configgen/config_gen_probe.go
index 19b12faa4ec..d13cb29b00e 100644
--- a/internal/component/prometheus/operator/configgen/config_gen_probe.go
+++ b/internal/component/prometheus/operator/configgen/config_gen_probe.go
@@ -42,8 +42,8 @@ func (cg *ConfigGenerator) GenerateProbeConfig(m *promopv1.Probe) (cfg *config.S
 	if m.Spec.ProberSpec.Scheme != "" {
 		cfg.Scheme = m.Spec.ProberSpec.Scheme
 	}
-	if m.Spec.ProberSpec.ProxyURL != "" {
-		if u, err := url.Parse(m.Spec.ProberSpec.ProxyURL); err != nil {
+	if m.Spec.ProberSpec.ProxyURL != nil && *m.Spec.ProberSpec.ProxyURL != "" {
+		if u, err := url.Parse(*m.Spec.ProberSpec.ProxyURL); err != nil {
 			return nil, fmt.Errorf("parsing ProxyURL from probe: %w", err)
 		} else {
 			cfg.HTTPClientConfig.ProxyURL = commonConfig.URL{URL: u}
diff --git a/internal/component/prometheus/operator/configgen/config_gen_probe_test.go b/internal/component/prometheus/operator/configgen/config_gen_probe_test.go
index 0dce3154f56..4f3a4a19715 100644
--- a/internal/component/prometheus/operator/configgen/config_gen_probe_test.go
+++ b/internal/component/prometheus/operator/configgen/config_gen_probe_test.go
@@ -121,10 +121,12 @@ func TestGenerateProbeConfig(t *testing.T) {
 				},
 				Spec: promopv1.ProbeSpec{
 					ProberSpec: promopv1.ProberSpec{
-						Scheme:   "http",
-						URL:      "blackbox.exporter.io",
-						Path:     "/probe",
-						ProxyURL: "socks://myproxy:9095",
+						Scheme: "http",
+						URL:    "blackbox.exporter.io",
+						Path:   "/probe",
+						ProxyConfig: promopv1.ProxyConfig{
+							ProxyURL: stringPtr("socks://myproxy:9095"),
+						},
 					},
 					Module: "http_2xx",
 					Targets: promopv1.ProbeTargets{
@@ -215,10 +217,12 @@ func TestGenerateProbeConfig(t *testing.T) {
 				},
 				Spec: promopv1.ProbeSpec{
 					ProberSpec: promopv1.ProberSpec{
-						Scheme:   "http",
-						URL:      "blackbox.exporter.io",
-						Path:     "/probe",
-						ProxyURL: "socks://myproxy:9095",
+						Scheme: "http",
+						URL:    "blackbox.exporter.io",
+						Path:   "/probe",
+						ProxyConfig: promopv1.ProxyConfig{
+							ProxyURL: stringPtr("socks://myproxy:9095"),
+						},
 					},
 					Interval:      promopv1.Duration("30s"),
 					ScrapeTimeout: promopv1.Duration("15s"),
diff --git a/internal/component/prometheus/operator/configgen/config_gen_servicemonitor_test.go b/internal/component/prometheus/operator/configgen/config_gen_servicemonitor_test.go
index c74c2036149..50a09ba70d2 100644
--- a/internal/component/prometheus/operator/configgen/config_gen_servicemonitor_test.go
+++ b/internal/component/prometheus/operator/configgen/config_gen_servicemonitor_test.go
@@ -389,7 +389,9 @@ func TestGenerateServiceMonitorConfig(t *testing.T) {
 				Path:            "/foo",
 				Params:          map[string][]string{"a": {"b"}},
 				FollowRedirects: falsePtr,
-				ProxyURL:        &proxyURL,
+				ProxyConfig: promopv1.ProxyConfig{
+					ProxyURL: &proxyURL,
+				},
 				Scheme:          "https",
 				ScrapeTimeout:   "17s",
 				Interval:        "12m",
diff --git a/internal/mimir/client/alerts.go b/internal/mimir/client/alerts.go
new file mode 100644
index 00000000000..d54b3802d39
--- /dev/null
+++ b/internal/mimir/client/alerts.go
@@ -0,0 +1,45 @@
+package client
+
+import (
+	"context"
+
+	"github.com/grafana/alloy/internal/runtime/logging/level"
+	alertmgr_cfg "github.com/prometheus/alertmanager/config"
+	"gopkg.in/yaml.v3"
+)
+
+// This struct is what Mimir expects to receive:
+// https://github.com/grafana/mimir/blob/8a08500af3c50763d21a78b2a08007a2abcb5af1/pkg/mimirtool/client/alerts.go#L20-L23
+// TODO: Export the struct in the Mimir repo, so that we can import it instead of copying it.
+type configCompat struct {
+	TemplateFiles      map[string]string `yaml:"template_files"`
+	AlertmanagerConfig string            `yaml:"alertmanager_config"`
+}
+
+func (r *MimirClient) CreateAlertmanagerConfigs(ctx context.Context, conf *alertmgr_cfg.Config, templateFiles map[string]string) error {
+	// If we don't set this, secrets will be obfuscated by being set to "<secret>".
+	alertmgr_cfg.MarshalSecretValue = true
+
+	payload := configCompat{
+		AlertmanagerConfig: conf.String(),
+		TemplateFiles:      templateFiles,
+	}
+	payloadStr, err := yaml.Marshal(&payload)
+	if err != nil {
+		return err
+	}
+
+	level.Debug(r.logger).Log("msg", "sending Alertmanager config to Mimir", "config", payloadStr)
+
+	op := "/api/v1/alerts"
+	path := "/api/v1/alerts"
+
+	res, err := r.doRequest(op, path, "POST", payloadStr)
+	if err != nil {
+		return err
+	}
+
+	res.Body.Close()
+
+	return nil
+}
diff --git a/internal/mimir/client/alerts_test.go b/internal/mimir/client/alerts_test.go
new file mode 100644
index 00000000000..d6dc3599acc
--- /dev/null
+++ b/internal/mimir/client/alerts_test.go
@@ -0,0 +1,66 @@
+package client
+
+import (
+	"fmt"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"testing"
+
+	"github.com/go-kit/log"
+	alertmgr_cfg "github.com/prometheus/alertmanager/config"
+	"github.com/stretchr/testify/require"
+)
+
+func TestMimirClient_CreateAlertmanagerConfigs(t *testing.T) {
+	requestCh := make(chan *http.Request, 1)
+	bodyCh := make(chan []byte, 1)
+
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		requestCh <- r
+		body, err := io.ReadAll(r.Body)
+		require.NoError(t, err)
+		bodyCh <- body
+		w.WriteHeader(http.StatusOK)
+		fmt.Fprintln(w, "success")
+	}))
+	defer ts.Close()
+
+	clientConfig := Config{
+		Address: ts.URL,
+	}
+
+	client, err := New(log.NewNopLogger(), clientConfig, nil)
+	require.NoError(t, err)
+
+	// This Alertmanager config was copied from:
+	// https://github.com/prometheus/alertmanager/blob/v0.28.1/config/testdata/conf.good.yml
+	config, err := alertmgr_cfg.LoadFile("testdata/alertmanager/conf.good.yml")
+	require.NoError(t, err)
+	require.NotNil(t, config)
+
+	templateFiles := map[string]string{
+		"template1.tmpl": "{{ range .Alerts }}Alert: {{ .Summary }}{{ end }}",
+		"template2.tmpl": "{{ .CommonLabels.alertname }}",
+	}
+
+	ctx := t.Context()
+	err = client.CreateAlertmanagerConfigs(ctx, config, templateFiles)
+	require.NoError(t, err)
+
+	// Verify the request
+	req := <-requestCh
+	require.Equal(t, "POST", req.Method)
+	require.Equal(t, "/api/v1/alerts", req.URL.Path)
+
+	// Verify the request body
+	body := <-bodyCh
+
+	// Load expected response from test data file
+	expectedResponseBytes, err := os.ReadFile("testdata/alertmanager/response.good.yml")
+	require.NoError(t, err)
+	expectedResponse := string(expectedResponseBytes)
+
+	require.Equal(t, expectedResponse, string(body))
+}
diff --git a/internal/mimir/client/client.go b/internal/mimir/client/client.go
index 76d4e9763e3..1d901153a2c 100644
--- a/internal/mimir/client/client.go
+++ b/internal/mimir/client/client.go
@@ -16,6 +16,7 @@ import (
 	"github.com/grafana/alloy/internal/useragent"
 	"github.com/grafana/dskit/instrument"
 	"github.com/grafana/dskit/user"
+	alertmgr_cfg "github.com/prometheus/alertmanager/config"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/common/config"
 )
@@ -38,12 +39,16 @@ type Config struct {
 	PrometheusHTTPPrefix string
 }
 
-type Interface interface {
+type RulerInterface interface {
 	CreateRuleGroup(ctx context.Context, namespace string, rg MimirRuleGroup) error
 	DeleteRuleGroup(ctx context.Context, namespace, groupName string) error
 	ListRules(ctx context.Context, namespace string) (map[string][]MimirRuleGroup, error)
 }
 
+type AlertmanagerInterface interface {
+	CreateAlertmanagerConfigs(ctx context.Context, conf *alertmgr_cfg.Config, templateFiles map[string]string) error
+}
+
 // MimirClient is a client to the Mimir API.
 type MimirClient struct {
 	id string
diff --git a/internal/mimir/client/testdata/alertmanager/conf.good.yml b/internal/mimir/client/testdata/alertmanager/conf.good.yml
new file mode 100644
index 00000000000..2429f7961cd
--- /dev/null
+++ b/internal/mimir/client/testdata/alertmanager/conf.good.yml
@@ -0,0 +1,117 @@
+global:
+  # The smarthost and SMTP sender used for mail notifications.
+  smtp_smarthost: 'localhost:25'
+  smtp_from: 'alertmanager@example.org'
+  smtp_auth_username: 'alertmanager'
+  smtp_auth_password: "multiline\nmysecret"
+  smtp_hello: "host.example.org"
+  slack_api_url: "http://mysecret.example.com/"
+  http_config:
+    proxy_url: 'http://127.0.0.1:1025'
+# The directory from which notification templates are read.
+templates:
+  - '/etc/alertmanager/template/*.tmpl'
+# The root route on which each incoming alert enters.
+route:
+  # The labels by which incoming alerts are grouped together. For example,
+  # multiple alerts coming in for cluster=A and alertname=LatencyHigh would
+  # be batched into a single group.
+  group_by: ['alertname', 'cluster', 'service']
+  # When a new group of alerts is created by an incoming alert, wait at
+  # least 'group_wait' to send the initial notification.
+  # This way ensures that you get multiple alerts for the same group that start
+  # firing shortly after another are batched together on the first
+  # notification.
+  group_wait: 30s
+  # When the first notification was sent, wait 'group_interval' to send a batch
+  # of new alerts that started firing for that group.
+  group_interval: 5m
+  # If an alert has successfully been sent, wait 'repeat_interval' to
+  # resend them.
+  repeat_interval: 3h
+  # A default receiver
+  receiver: team-X-mails
+  # All the above attributes are inherited by all child routes and can
+  # overwritten on each.
+
+  # The child route trees.
+  routes:
+    # This routes performs a regular expression match on alert labels to
+    # catch alerts that are related to a list of services.
+    - match_re:
+        service: ^(foo1|foo2|baz)$
+      receiver: team-X-mails
+      # The service has a sub-route for critical alerts, any alerts
+      # that do not match, i.e. severity != critical, fall-back to the
+      # parent node and are sent to 'team-X-mails'
+      routes:
+        - match:
+            severity: critical
+          receiver: team-X-pager
+    - match:
+        service: files
+      receiver: team-Y-mails
+      routes:
+        - match:
+            severity: critical
+          receiver: team-Y-pager
+    # This route handles all alerts coming from a database service. If there's
+    # no team to handle it, it defaults to the DB team.
+    - match:
+        service: database
+      receiver: team-DB-pager
+      # Also group alerts by affected database.
+      group_by: [alertname, cluster, database]
+      routes:
+        - match:
+            owner2: team-X
+          receiver: team-X-pager
+          continue: true
+        - match:
+            owner: team-Y
+          receiver: team-Y-pager
+          # continue: true
+# Inhibition rules allow to mute a set of alerts given that another alert is
+# firing.
+# We use this to mute any warning-level notifications if the same alert is
+# already critical.
+inhibit_rules:
+  - source_match:
+      severity: 'critical'
+    target_match:
+      severity: 'warning'
+    # Apply inhibition if the alertname is the same.
+    equal: ['alertname', 'cluster', 'service']
+receivers:
+  - name: 'team-X-mails'
+    email_configs:
+      - to: 'team-X+alerts@example.org'
+  - name: 'team-X-pager'
+    email_configs:
+      - to: 'team-X+alerts-critical@example.org'
+    pagerduty_configs:
+      - routing_key: "mysecret"
+  - name: 'team-Y-mails'
+    email_configs:
+      - to: 'team-Y+alerts@example.org'
+  - name: 'team-Y-pager'
+    pagerduty_configs:
+      - routing_key: "mysecret"
+  - name: 'team-DB-pager'
+    pagerduty_configs:
+      - routing_key: "mysecret"
+  - name: victorOps-receiver
+    victorops_configs:
+      - api_key: mysecret
+        routing_key: Sample_route
+  - name: opsGenie-receiver
+    opsgenie_configs:
+      - api_key: mysecret
+  - name: pushover-receiver
+    pushover_configs:
+      - token: mysecret
+        user_key: key
+  - name: slack-receiver
+    slack_configs:
+      - channel: '#my-channel'
+        image_url: 'http://some.img.com/img.png'
diff --git a/internal/mimir/client/testdata/alertmanager/response.good.yml b/internal/mimir/client/testdata/alertmanager/response.good.yml
new file mode 100644
index 00000000000..0c96af8d1f2
--- /dev/null
+++ b/internal/mimir/client/testdata/alertmanager/response.good.yml
@@ -0,0 +1,249 @@
+template_files:
+    template1.tmpl: '{{ range .Alerts }}Alert: {{ .Summary }}{{ end }}'
+    template2.tmpl: '{{ .CommonLabels.alertname }}'
+alertmanager_config: |
+    global:
+      resolve_timeout: 5m
+      http_config:
+        follow_redirects: true
+        enable_http2: true
+        proxy_url: http://127.0.0.1:1025
+      smtp_from: alertmanager@example.org
+      smtp_hello: host.example.org
+      smtp_smarthost: localhost:25
+      smtp_auth_username: alertmanager
+      smtp_auth_password: |-
+        multiline
+        mysecret
+      smtp_require_tls: true
+      smtp_tls_config:
+        insecure_skip_verify: false
+      slack_api_url: http://mysecret.example.com/
+      pagerduty_url: https://events.pagerduty.com/v2/enqueue
+      opsgenie_api_url: https://api.opsgenie.com/
+      wechat_api_url: https://qyapi.weixin.qq.com/cgi-bin/
+      victorops_api_url: https://alert.victorops.com/integrations/generic/20131114/alert/
+      telegram_api_url: https://api.telegram.org
+      webex_api_url: https://webexapis.com/v1/messages
+      rocketchat_api_url: https://open.rocket.chat/
+    route:
+      receiver: team-X-mails
+      group_by:
+      - alertname
+      - cluster
+      - service
+      continue: false
+      routes:
+      - receiver: team-X-mails
+        match_re:
+          service: ^(foo1|foo2|baz)$
+        continue: false
+        routes:
+        - receiver: team-X-pager
+          match:
+            severity: critical
+          continue: false
+      - receiver: team-Y-mails
+        match:
+          service: files
+        continue: false
+        routes:
+        - receiver: team-Y-pager
+          match:
+            severity: critical
+          continue: false
+      - receiver: team-DB-pager
+        group_by:
+        - alertname
+        - cluster
+        - database
+        match:
+          service: database
+        continue: false
+        routes:
+        - receiver: team-X-pager
+          match:
+            owner2: team-X
+          continue: true
+        - receiver: team-Y-pager
+          match:
+            owner: team-Y
+          continue: false
+      group_wait: 30s
+      group_interval: 5m
+      repeat_interval: 3h
+    inhibit_rules:
+    - source_match:
+        severity: critical
+      target_match:
+        severity: warning
+      equal:
+      - alertname
+      - cluster
+      - service
+    receivers:
+    - name: team-X-mails
+      email_configs:
+      - send_resolved: false
+        to: team-X+alerts@example.org
+        from: alertmanager@example.org
+        hello: host.example.org
+        smarthost: localhost:25
+        auth_username: alertmanager
+        auth_password: |-
+          multiline
+          mysecret
+        html: '{{ template "email.default.html" . }}'
+        require_tls: true
+        tls_config:
+          insecure_skip_verify: false
+    - name: team-X-pager
+      email_configs:
+      - send_resolved: false
+        to: team-X+alerts-critical@example.org
+        from: alertmanager@example.org
+        hello: host.example.org
+        smarthost: localhost:25
+        auth_username: alertmanager
+        auth_password: |-
+          multiline
+          mysecret
+        html: '{{ template "email.default.html" . }}'
+        require_tls: true
+        tls_config:
+          insecure_skip_verify: false
+      pagerduty_configs:
+      - send_resolved: true
+        http_config:
+          follow_redirects: true
+          enable_http2: true
+          proxy_url: http://127.0.0.1:1025
+        routing_key: mysecret
+        url: https://events.pagerduty.com/v2/enqueue
+        client: '{{ template "pagerduty.default.client" . }}'
+        client_url: '{{ template "pagerduty.default.clientURL" . }}'
+        description: '{{ template "pagerduty.default.description" .}}'
+        details:
+          firing: '{{ template "pagerduty.default.instances" .Alerts.Firing }}'
+          num_firing: '{{ .Alerts.Firing | len }}'
+          num_resolved: '{{ .Alerts.Resolved | len }}'
+          resolved: '{{ template "pagerduty.default.instances" .Alerts.Resolved }}'
+        source: '{{ template "pagerduty.default.client" . }}'
+    - name: team-Y-mails
+      email_configs:
+      - send_resolved: false
+        to: team-Y+alerts@example.org
+        from: alertmanager@example.org
+        hello: host.example.org
+        smarthost: localhost:25
+        auth_username: alertmanager
+        auth_password: |-
+          multiline
+          mysecret
+        html: '{{ template "email.default.html" . }}'
+        require_tls: true
+        tls_config:
+          insecure_skip_verify: false
+    - name: team-Y-pager
+      pagerduty_configs:
+      - send_resolved: true
+        http_config:
+          follow_redirects: true
+          enable_http2: true
+          proxy_url: http://127.0.0.1:1025
+        routing_key: mysecret
+        url: https://events.pagerduty.com/v2/enqueue
+        client: '{{ template "pagerduty.default.client" . }}'
+        client_url: '{{ template "pagerduty.default.clientURL" . }}'
+        description: '{{ template "pagerduty.default.description" .}}'
+        details:
+          firing: '{{ template "pagerduty.default.instances" .Alerts.Firing }}'
+          num_firing: '{{ .Alerts.Firing | len }}'
+          num_resolved: '{{ .Alerts.Resolved | len }}'
+          resolved: '{{ template "pagerduty.default.instances" .Alerts.Resolved }}'
+        source: '{{ template "pagerduty.default.client" . }}'
+    - name: team-DB-pager
+      pagerduty_configs:
+      - send_resolved: true
+        http_config:
+          follow_redirects: true
+          enable_http2: true
+          proxy_url: http://127.0.0.1:1025
+        routing_key: mysecret
+        url: https://events.pagerduty.com/v2/enqueue
+        client: '{{ template "pagerduty.default.client" . }}'
+        client_url: '{{ template "pagerduty.default.clientURL" . }}'
+        description: '{{ template "pagerduty.default.description" .}}'
+        details:
+          firing: '{{ template "pagerduty.default.instances" .Alerts.Firing }}'
+          num_firing: '{{ .Alerts.Firing | len }}'
+          num_resolved: '{{ .Alerts.Resolved | len }}'
+          resolved: '{{ template "pagerduty.default.instances" .Alerts.Resolved }}'
+        source: '{{ template "pagerduty.default.client" . }}'
+    - name: victorOps-receiver
+      victorops_configs:
+      - send_resolved: true
+        http_config:
+          follow_redirects: true
+          enable_http2: true
+          proxy_url: http://127.0.0.1:1025
+        api_key: mysecret
+        api_url: https://alert.victorops.com/integrations/generic/20131114/alert/
+        routing_key: Sample_route
+        message_type: CRITICAL
+        state_message: '{{ template "victorops.default.state_message" . }}'
+        entity_display_name: '{{ template "victorops.default.entity_display_name" . }}'
+        monitoring_tool: '{{ template "victorops.default.monitoring_tool" . }}'
+    - name: opsGenie-receiver
+      opsgenie_configs:
+      - send_resolved: true
+        http_config:
+          follow_redirects: true
+          enable_http2: true
+          proxy_url: http://127.0.0.1:1025
+        api_key: mysecret
+        api_url: https://api.opsgenie.com/
+        message: '{{ template "opsgenie.default.message" . }}'
+        description: '{{ template "opsgenie.default.description" . }}'
+        source: '{{ template "opsgenie.default.source" . }}'
+    - name: pushover-receiver
+      pushover_configs:
+      - send_resolved: true
+        http_config:
+          follow_redirects: true
+          enable_http2: true
+          proxy_url: http://127.0.0.1:1025
+        user_key: key
+        token: mysecret
+        title: '{{ template "pushover.default.title" . }}'
+        message: '{{ template "pushover.default.message" . }}'
+        url: '{{ template "pushover.default.url" . }}'
+        priority: '{{ if eq .Status "firing" }}2{{ else }}0{{ end }}'
+        retry: 1m0s
+        expire: 1h0m0s
+        html: false
+    - name: slack-receiver
+      slack_configs:
+      - send_resolved: false
+        http_config:
+          follow_redirects: true
+          enable_http2: true
+          proxy_url: http://127.0.0.1:1025
+        api_url: http://mysecret.example.com/
+        channel: '#my-channel'
+        username: '{{ template "slack.default.username" . }}'
+        color: '{{ if eq .Status "firing" }}danger{{ else }}good{{ end }}'
+        title: '{{ template "slack.default.title" . }}'
+        title_link: '{{ template "slack.default.titlelink" . }}'
+        pretext: '{{ template "slack.default.pretext" . }}'
+        text: '{{ template "slack.default.text" . }}'
+        short_fields: false
+        footer: '{{ template "slack.default.footer" . }}'
+        fallback: '{{ template "slack.default.fallback" . }}'
+        callback_id: '{{ template "slack.default.callbackid" . }}'
+        icon_emoji: '{{ template "slack.default.iconemoji" . }}'
+        icon_url: '{{ template "slack.default.iconurl" . }}'
+        image_url: http://some.img.com/img.png
+        link_names: false
+    templates:
+    - /etc/alertmanager/template/*.tmpl
diff --git a/operations/helm/charts/alloy/CHANGELOG.md b/operations/helm/charts/alloy/CHANGELOG.md
index 750fd6884f8..f6272ac159a 100644
--- a/operations/helm/charts/alloy/CHANGELOG.md
+++ b/operations/helm/charts/alloy/CHANGELOG.md
@@ -10,6 +10,10 @@ internal API changes are not present.
 Unreleased
 ----------
 
+### Enhancements
+
+- Update RBAC rules to permit `mimir.alerts.kubernetes` to work by default. (@ptodev)
+
 ### Bug fixes
 
 - Correct `extraEnv` indentation in container template (@orkhan-huseyn)
diff --git a/operations/helm/charts/alloy/README.md b/operations/helm/charts/alloy/README.md
index c0621a09d8c..884ba0c55fe 100644
--- a/operations/helm/charts/alloy/README.md
+++ b/operations/helm/charts/alloy/README.md
@@ -164,15 +164,16 @@ useful if just using the default DaemonSet isn't sufficient.
 | rbac.clusterRules[1] | object | `{"nonResourceURLs":["/metrics"],"verbs":["get"]}` | Rules required for accessing metrics endpoint. |
 | rbac.create | bool | `true` | Whether to create RBAC resources for Alloy. |
 | rbac.namespaces | list | `[]` | If set, only create Roles and RoleBindings in the given list of namespaces, rather than ClusterRoles and ClusterRoleBindings. If not using ClusterRoles, bear in mind that Alloy will not be able to discover cluster-scoped resources such as Nodes. |
-| rbac.rules | list | `[{"apiGroups":["","discovery.k8s.io","networking.k8s.io"],"resources":["endpoints","endpointslices","ingresses","pods","services"],"verbs":["get","list","watch"]},{"apiGroups":[""],"resources":["pods","pods/log","namespaces"],"verbs":["get","list","watch"]},{"apiGroups":["monitoring.grafana.com"],"resources":["podlogs"],"verbs":["get","list","watch"]},{"apiGroups":["monitoring.coreos.com"],"resources":["prometheusrules"],"verbs":["get","list","watch"]},{"apiGroups":["monitoring.coreos.com"],"resources":["podmonitors","servicemonitors","probes","scrapeconfigs"],"verbs":["get","list","watch"]},{"apiGroups":[""],"resources":["events"],"verbs":["get","list","watch"]},{"apiGroups":[""],"resources":["configmaps","secrets"],"verbs":["get","list","watch"]},{"apiGroups":["apps","extensions"],"resources":["replicasets"],"verbs":["get","list","watch"]}]` | The rules to create for the ClusterRole or Role objects. |
+| rbac.rules | list | `[{"apiGroups":["","discovery.k8s.io","networking.k8s.io"],"resources":["endpoints","endpointslices","ingresses","pods","services"],"verbs":["get","list","watch"]},{"apiGroups":[""],"resources":["pods","pods/log","namespaces"],"verbs":["get","list","watch"]},{"apiGroups":["monitoring.grafana.com"],"resources":["podlogs"],"verbs":["get","list","watch"]},{"apiGroups":["monitoring.coreos.com"],"resources":["prometheusrules"],"verbs":["get","list","watch"]},{"apiGroups":["monitoring.coreos.com"],"resources":["alertmanagerconfigs"],"verbs":["get","list","watch"]},{"apiGroups":["monitoring.coreos.com"],"resources":["podmonitors","servicemonitors","probes","scrapeconfigs"],"verbs":["get","list","watch"]},{"apiGroups":[""],"resources":["events"],"verbs":["get","list","watch"]},{"apiGroups":[""],"resources":["configmaps","secrets"],"verbs":["get","list","watch"]},{"apiGroups":["apps","extensions"],"resources":["replicasets"],"verbs":["get","list","watch"]}]` | The rules to create for the ClusterRole or Role objects. |
 | rbac.rules[0] | object | `{"apiGroups":["","discovery.k8s.io","networking.k8s.io"],"resources":["endpoints","endpointslices","ingresses","pods","services"],"verbs":["get","list","watch"]}` | Rules required for the `discovery.kubernetes` component. |
 | rbac.rules[1] | object | `{"apiGroups":[""],"resources":["pods","pods/log","namespaces"],"verbs":["get","list","watch"]}` | Rules required for the `loki.source.kubernetes` component. |
 | rbac.rules[2] | object | `{"apiGroups":["monitoring.grafana.com"],"resources":["podlogs"],"verbs":["get","list","watch"]}` | Rules required for the `loki.source.podlogs` component. |
 | rbac.rules[3] | object | `{"apiGroups":["monitoring.coreos.com"],"resources":["prometheusrules"],"verbs":["get","list","watch"]}` | Rules required for the `mimir.rules.kubernetes` component. |
-| rbac.rules[4] | object | `{"apiGroups":["monitoring.coreos.com"],"resources":["podmonitors","servicemonitors","probes","scrapeconfigs"],"verbs":["get","list","watch"]}` | Rules required for the `prometheus.operator.*` components. |
-| rbac.rules[5] | object | `{"apiGroups":[""],"resources":["events"],"verbs":["get","list","watch"]}` | Rules required for the `loki.source.kubernetes_events` component. |
-| rbac.rules[6] | object | `{"apiGroups":[""],"resources":["configmaps","secrets"],"verbs":["get","list","watch"]}` | Rules required for the `remote.kubernetes.*` components. |
-| rbac.rules[7] | object | `{"apiGroups":["apps","extensions"],"resources":["replicasets"],"verbs":["get","list","watch"]}` | Rules required for the `otelcol.processor.k8sattributes` component. |
+| rbac.rules[4] | object | `{"apiGroups":["monitoring.coreos.com"],"resources":["alertmanagerconfigs"],"verbs":["get","list","watch"]}` | Rules required for the `mimir.alerts.kubernetes` component. |
+| rbac.rules[5] | object | `{"apiGroups":["monitoring.coreos.com"],"resources":["podmonitors","servicemonitors","probes","scrapeconfigs"],"verbs":["get","list","watch"]}` | Rules required for the `prometheus.operator.*` components. |
+| rbac.rules[6] | object | `{"apiGroups":[""],"resources":["events"],"verbs":["get","list","watch"]}` | Rules required for the `loki.source.kubernetes_events` component. |
+| rbac.rules[7] | object | `{"apiGroups":[""],"resources":["configmaps","secrets"],"verbs":["get","list","watch"]}` | Rules required for the `remote.kubernetes.*` components. |
+| rbac.rules[8] | object | `{"apiGroups":["apps","extensions"],"resources":["replicasets"],"verbs":["get","list","watch"]}` | Rules required for the `otelcol.processor.k8sattributes` component. |
 | service.annotations | object | `{}` |  |
 | service.clusterIP | string | `""` | Cluster IP, can be set to None, empty "" or an IP address |
 | service.enabled | bool | `true` | Creates a Service for the controller's pods. |
diff --git a/operations/helm/charts/alloy/values.yaml b/operations/helm/charts/alloy/values.yaml
index 2e08eb7ee66..a656fd65137 100644
--- a/operations/helm/charts/alloy/values.yaml
+++ b/operations/helm/charts/alloy/values.yaml
@@ -177,6 +177,10 @@ rbac:
     - apiGroups: ["monitoring.coreos.com"]
       resources: ["prometheusrules"]
       verbs: ["get", "list", "watch"]
+    # -- Rules required for the `mimir.alerts.kubernetes` component.
+    - apiGroups: ["monitoring.coreos.com"]
+      resources: ["alertmanagerconfigs"]
+      verbs: ["get", "list", "watch"]
     # -- Rules required for the `prometheus.operator.*` components.
     - apiGroups: ["monitoring.coreos.com"]
       resources: ["podmonitors", "servicemonitors", "probes", "scrapeconfigs"]
diff --git a/operations/helm/tests/additional-serviceaccount-label/alloy/templates/rbac.yaml b/operations/helm/tests/additional-serviceaccount-label/alloy/templates/rbac.yaml
index d8b334d8175..86ad6f4d487 100644
--- a/operations/helm/tests/additional-serviceaccount-label/alloy/templates/rbac.yaml
+++ b/operations/helm/tests/additional-serviceaccount-label/alloy/templates/rbac.yaml
@@ -52,6 +52,14 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - alertmanagerconfigs
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - monitoring.coreos.com
     resources:
diff --git a/operations/helm/tests/clustering/alloy/templates/rbac.yaml b/operations/helm/tests/clustering/alloy/templates/rbac.yaml
index d8b334d8175..86ad6f4d487 100644
--- a/operations/helm/tests/clustering/alloy/templates/rbac.yaml
+++ b/operations/helm/tests/clustering/alloy/templates/rbac.yaml
@@ -52,6 +52,14 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - alertmanagerconfigs
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - monitoring.coreos.com
     resources:
diff --git a/operations/helm/tests/controller-deployment-pdb-max-unavailable/alloy/templates/rbac.yaml b/operations/helm/tests/controller-deployment-pdb-max-unavailable/alloy/templates/rbac.yaml
index d8b334d8175..86ad6f4d487 100644
--- a/operations/helm/tests/controller-deployment-pdb-max-unavailable/alloy/templates/rbac.yaml
+++ b/operations/helm/tests/controller-deployment-pdb-max-unavailable/alloy/templates/rbac.yaml
@@ -52,6 +52,14 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - alertmanagerconfigs
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - monitoring.coreos.com
     resources:
diff --git a/operations/helm/tests/controller-deployment-pdb-min-available/alloy/templates/rbac.yaml b/operations/helm/tests/controller-deployment-pdb-min-available/alloy/templates/rbac.yaml
index d8b334d8175..86ad6f4d487 100644
--- a/operations/helm/tests/controller-deployment-pdb-min-available/alloy/templates/rbac.yaml
+++ b/operations/helm/tests/controller-deployment-pdb-min-available/alloy/templates/rbac.yaml
@@ -52,6 +52,14 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - alertmanagerconfigs
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - monitoring.coreos.com
     resources:
diff --git a/operations/helm/tests/controller-extraLabels-label/alloy/templates/rbac.yaml b/operations/helm/tests/controller-extraLabels-label/alloy/templates/rbac.yaml
index d8b334d8175..86ad6f4d487 100644
--- a/operations/helm/tests/controller-extraLabels-label/alloy/templates/rbac.yaml
+++ b/operations/helm/tests/controller-extraLabels-label/alloy/templates/rbac.yaml
@@ -52,6 +52,14 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - alertmanagerconfigs
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - monitoring.coreos.com
     resources:
diff --git a/operations/helm/tests/controller-statefulset-pdb-max-unavailable/alloy/templates/rbac.yaml b/operations/helm/tests/controller-statefulset-pdb-max-unavailable/alloy/templates/rbac.yaml
index d8b334d8175..86ad6f4d487 100644
--- a/operations/helm/tests/controller-statefulset-pdb-max-unavailable/alloy/templates/rbac.yaml
+++ b/operations/helm/tests/controller-statefulset-pdb-max-unavailable/alloy/templates/rbac.yaml
@@ -52,6 +52,14 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - alertmanagerconfigs
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - monitoring.coreos.com
     resources:
diff --git a/operations/helm/tests/controller-statefulset-pdb-min-available/alloy/templates/rbac.yaml b/operations/helm/tests/controller-statefulset-pdb-min-available/alloy/templates/rbac.yaml
index d8b334d8175..86ad6f4d487 100644
--- a/operations/helm/tests/controller-statefulset-pdb-min-available/alloy/templates/rbac.yaml
+++ b/operations/helm/tests/controller-statefulset-pdb-min-available/alloy/templates/rbac.yaml
@@ -52,6 +52,14 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - alertmanagerconfigs
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - monitoring.coreos.com
     resources:
diff --git a/operations/helm/tests/controller-volumes-extra/alloy/templates/rbac.yaml b/operations/helm/tests/controller-volumes-extra/alloy/templates/rbac.yaml
index d8b334d8175..86ad6f4d487 100644
--- a/operations/helm/tests/controller-volumes-extra/alloy/templates/rbac.yaml
+++ b/operations/helm/tests/controller-volumes-extra/alloy/templates/rbac.yaml
@@ -52,6 +52,14 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - alertmanagerconfigs
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - monitoring.coreos.com
     resources:
diff --git a/operations/helm/tests/create-daemonset-hostnetwork/alloy/templates/rbac.yaml b/operations/helm/tests/create-daemonset-hostnetwork/alloy/templates/rbac.yaml
index d8b334d8175..86ad6f4d487 100644
--- a/operations/helm/tests/create-daemonset-hostnetwork/alloy/templates/rbac.yaml
+++ b/operations/helm/tests/create-daemonset-hostnetwork/alloy/templates/rbac.yaml
@@ -52,6 +52,14 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - alertmanagerconfigs
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - monitoring.coreos.com
     resources:
diff --git a/operations/helm/tests/create-daemonset/alloy/templates/rbac.yaml b/operations/helm/tests/create-daemonset/alloy/templates/rbac.yaml
index d8b334d8175..86ad6f4d487 100644
--- a/operations/helm/tests/create-daemonset/alloy/templates/rbac.yaml
+++ b/operations/helm/tests/create-daemonset/alloy/templates/rbac.yaml
@@ -52,6 +52,14 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - alertmanagerconfigs
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - monitoring.coreos.com
     resources:
diff --git a/operations/helm/tests/create-deployment-autoscaling/alloy/templates/rbac.yaml b/operations/helm/tests/create-deployment-autoscaling/alloy/templates/rbac.yaml
index d8b334d8175..86ad6f4d487 100644
--- a/operations/helm/tests/create-deployment-autoscaling/alloy/templates/rbac.yaml
+++ b/operations/helm/tests/create-deployment-autoscaling/alloy/templates/rbac.yaml
@@ -52,6 +52,14 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - alertmanagerconfigs
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - monitoring.coreos.com
     resources:
diff --git a/operations/helm/tests/create-deployment/alloy/templates/rbac.yaml b/operations/helm/tests/create-deployment/alloy/templates/rbac.yaml
index d8b334d8175..86ad6f4d487 100644
--- a/operations/helm/tests/create-deployment/alloy/templates/rbac.yaml
+++ b/operations/helm/tests/create-deployment/alloy/templates/rbac.yaml
@@ -52,6 +52,14 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - alertmanagerconfigs
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - monitoring.coreos.com
     resources:
diff --git a/operations/helm/tests/create-networkpolicy/alloy/templates/rbac.yaml b/operations/helm/tests/create-networkpolicy/alloy/templates/rbac.yaml
index d8b334d8175..86ad6f4d487 100644
--- a/operations/helm/tests/create-networkpolicy/alloy/templates/rbac.yaml
+++ b/operations/helm/tests/create-networkpolicy/alloy/templates/rbac.yaml
@@ -52,6 +52,14 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - alertmanagerconfigs
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - monitoring.coreos.com
     resources:
diff --git a/operations/helm/tests/create-statefulset-autoscaling/alloy/templates/rbac.yaml b/operations/helm/tests/create-statefulset-autoscaling/alloy/templates/rbac.yaml
index d8b334d8175..86ad6f4d487 100644
--- a/operations/helm/tests/create-statefulset-autoscaling/alloy/templates/rbac.yaml
+++ b/operations/helm/tests/create-statefulset-autoscaling/alloy/templates/rbac.yaml
@@ -52,6 +52,14 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - alertmanagerconfigs
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - monitoring.coreos.com
     resources:
diff --git a/operations/helm/tests/create-statefulset-vertical-autoscaling/alloy/templates/rbac.yaml b/operations/helm/tests/create-statefulset-vertical-autoscaling/alloy/templates/rbac.yaml
index d8b334d8175..86ad6f4d487 100644
--- a/operations/helm/tests/create-statefulset-vertical-autoscaling/alloy/templates/rbac.yaml
+++ b/operations/helm/tests/create-statefulset-vertical-autoscaling/alloy/templates/rbac.yaml
@@ -52,6 +52,14 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - alertmanagerconfigs
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - monitoring.coreos.com
     resources:
diff --git a/operations/helm/tests/create-statefulset/alloy/templates/rbac.yaml b/operations/helm/tests/create-statefulset/alloy/templates/rbac.yaml
index d8b334d8175..86ad6f4d487 100644
--- a/operations/helm/tests/create-statefulset/alloy/templates/rbac.yaml
+++ b/operations/helm/tests/create-statefulset/alloy/templates/rbac.yaml
@@ -52,6 +52,14 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - alertmanagerconfigs
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - monitoring.coreos.com
     resources:
diff --git a/operations/helm/tests/custom-config/alloy/templates/rbac.yaml b/operations/helm/tests/custom-config/alloy/templates/rbac.yaml
index d8b334d8175..86ad6f4d487 100644
--- a/operations/helm/tests/custom-config/alloy/templates/rbac.yaml
+++ b/operations/helm/tests/custom-config/alloy/templates/rbac.yaml
@@ -52,6 +52,14 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - alertmanagerconfigs
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - monitoring.coreos.com
     resources:
diff --git a/operations/helm/tests/default-values/alloy/templates/rbac.yaml b/operations/helm/tests/default-values/alloy/templates/rbac.yaml
index d8b334d8175..86ad6f4d487 100644
--- a/operations/helm/tests/default-values/alloy/templates/rbac.yaml
+++ b/operations/helm/tests/default-values/alloy/templates/rbac.yaml
@@ -52,6 +52,14 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - alertmanagerconfigs
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - monitoring.coreos.com
     resources:
diff --git a/operations/helm/tests/disable-http-server-port/alloy/templates/rbac.yaml b/operations/helm/tests/disable-http-server-port/alloy/templates/rbac.yaml
index d8b334d8175..86ad6f4d487 100644
--- a/operations/helm/tests/disable-http-server-port/alloy/templates/rbac.yaml
+++ b/operations/helm/tests/disable-http-server-port/alloy/templates/rbac.yaml
@@ -52,6 +52,14 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - alertmanagerconfigs
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - monitoring.coreos.com
     resources:
diff --git a/operations/helm/tests/enable-servicemonitor-tls/alloy/templates/rbac.yaml b/operations/helm/tests/enable-servicemonitor-tls/alloy/templates/rbac.yaml
index d8b334d8175..86ad6f4d487 100644
--- a/operations/helm/tests/enable-servicemonitor-tls/alloy/templates/rbac.yaml
+++ b/operations/helm/tests/enable-servicemonitor-tls/alloy/templates/rbac.yaml
@@ -52,6 +52,14 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - alertmanagerconfigs
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - monitoring.coreos.com
     resources:
diff --git a/operations/helm/tests/enable-servicemonitor/alloy/templates/rbac.yaml b/operations/helm/tests/enable-servicemonitor/alloy/templates/rbac.yaml
index d8b334d8175..86ad6f4d487 100644
--- a/operations/helm/tests/enable-servicemonitor/alloy/templates/rbac.yaml
+++ b/operations/helm/tests/enable-servicemonitor/alloy/templates/rbac.yaml
@@ -52,6 +52,14 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - alertmanagerconfigs
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - monitoring.coreos.com
     resources:
diff --git a/operations/helm/tests/envFrom/alloy/templates/rbac.yaml b/operations/helm/tests/envFrom/alloy/templates/rbac.yaml
index d8b334d8175..86ad6f4d487 100644
--- a/operations/helm/tests/envFrom/alloy/templates/rbac.yaml
+++ b/operations/helm/tests/envFrom/alloy/templates/rbac.yaml
@@ -52,6 +52,14 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - alertmanagerconfigs
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - monitoring.coreos.com
     resources:
diff --git a/operations/helm/tests/existing-config/alloy/templates/rbac.yaml b/operations/helm/tests/existing-config/alloy/templates/rbac.yaml
index d8b334d8175..86ad6f4d487 100644
--- a/operations/helm/tests/existing-config/alloy/templates/rbac.yaml
+++ b/operations/helm/tests/existing-config/alloy/templates/rbac.yaml
@@ -52,6 +52,14 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - alertmanagerconfigs
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - monitoring.coreos.com
     resources:
diff --git a/operations/helm/tests/extra-env/alloy/templates/rbac.yaml b/operations/helm/tests/extra-env/alloy/templates/rbac.yaml
index d8b334d8175..86ad6f4d487 100644
--- a/operations/helm/tests/extra-env/alloy/templates/rbac.yaml
+++ b/operations/helm/tests/extra-env/alloy/templates/rbac.yaml
@@ -52,6 +52,14 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - alertmanagerconfigs
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - monitoring.coreos.com
     resources:
diff --git a/operations/helm/tests/extra-manifests/alloy/templates/rbac.yaml b/operations/helm/tests/extra-manifests/alloy/templates/rbac.yaml
index d8b334d8175..86ad6f4d487 100644
--- a/operations/helm/tests/extra-manifests/alloy/templates/rbac.yaml
+++ b/operations/helm/tests/extra-manifests/alloy/templates/rbac.yaml
@@ -52,6 +52,14 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - alertmanagerconfigs
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - monitoring.coreos.com
     resources:
diff --git a/operations/helm/tests/extra-ports/alloy/templates/rbac.yaml b/operations/helm/tests/extra-ports/alloy/templates/rbac.yaml
index d8b334d8175..86ad6f4d487 100644
--- a/operations/helm/tests/extra-ports/alloy/templates/rbac.yaml
+++ b/operations/helm/tests/extra-ports/alloy/templates/rbac.yaml
@@ -52,6 +52,14 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - alertmanagerconfigs
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - monitoring.coreos.com
     resources:
diff --git a/operations/helm/tests/faro-ingress/alloy/templates/rbac.yaml b/operations/helm/tests/faro-ingress/alloy/templates/rbac.yaml
index d8b334d8175..86ad6f4d487 100644
--- a/operations/helm/tests/faro-ingress/alloy/templates/rbac.yaml
+++ b/operations/helm/tests/faro-ingress/alloy/templates/rbac.yaml
@@ -52,6 +52,14 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - alertmanagerconfigs
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - monitoring.coreos.com
     resources:
diff --git a/operations/helm/tests/global-image-pullsecrets/alloy/templates/rbac.yaml b/operations/helm/tests/global-image-pullsecrets/alloy/templates/rbac.yaml
index d8b334d8175..86ad6f4d487 100644
--- a/operations/helm/tests/global-image-pullsecrets/alloy/templates/rbac.yaml
+++ b/operations/helm/tests/global-image-pullsecrets/alloy/templates/rbac.yaml
@@ -52,6 +52,14 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - alertmanagerconfigs
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - monitoring.coreos.com
     resources:
diff --git a/operations/helm/tests/global-image-registry/alloy/templates/rbac.yaml b/operations/helm/tests/global-image-registry/alloy/templates/rbac.yaml
index d8b334d8175..86ad6f4d487 100644
--- a/operations/helm/tests/global-image-registry/alloy/templates/rbac.yaml
+++ b/operations/helm/tests/global-image-registry/alloy/templates/rbac.yaml
@@ -52,6 +52,14 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - alertmanagerconfigs
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - monitoring.coreos.com
     resources:
diff --git a/operations/helm/tests/host-alias/alloy/templates/rbac.yaml b/operations/helm/tests/host-alias/alloy/templates/rbac.yaml
index d8b334d8175..86ad6f4d487 100644
--- a/operations/helm/tests/host-alias/alloy/templates/rbac.yaml
+++ b/operations/helm/tests/host-alias/alloy/templates/rbac.yaml
@@ -52,6 +52,14 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - alertmanagerconfigs
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - monitoring.coreos.com
     resources:
diff --git a/operations/helm/tests/initcontainers/alloy/templates/rbac.yaml b/operations/helm/tests/initcontainers/alloy/templates/rbac.yaml
index d8b334d8175..86ad6f4d487 100644
--- a/operations/helm/tests/initcontainers/alloy/templates/rbac.yaml
+++ b/operations/helm/tests/initcontainers/alloy/templates/rbac.yaml
@@ -52,6 +52,14 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - alertmanagerconfigs
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - monitoring.coreos.com
     resources:
diff --git a/operations/helm/tests/lifecycle-hooks/alloy/templates/rbac.yaml b/operations/helm/tests/lifecycle-hooks/alloy/templates/rbac.yaml
index d8b334d8175..86ad6f4d487 100644
--- a/operations/helm/tests/lifecycle-hooks/alloy/templates/rbac.yaml
+++ b/operations/helm/tests/lifecycle-hooks/alloy/templates/rbac.yaml
@@ -52,6 +52,14 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - alertmanagerconfigs
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - monitoring.coreos.com
     resources:
diff --git a/operations/helm/tests/livinessprobe/alloy/templates/rbac.yaml b/operations/helm/tests/livinessprobe/alloy/templates/rbac.yaml
index d8b334d8175..86ad6f4d487 100644
--- a/operations/helm/tests/livinessprobe/alloy/templates/rbac.yaml
+++ b/operations/helm/tests/livinessprobe/alloy/templates/rbac.yaml
@@ -52,6 +52,14 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - alertmanagerconfigs
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - monitoring.coreos.com
     resources:
diff --git a/operations/helm/tests/local-image-pullsecrets/alloy/templates/rbac.yaml b/operations/helm/tests/local-image-pullsecrets/alloy/templates/rbac.yaml
index d8b334d8175..86ad6f4d487 100644
--- a/operations/helm/tests/local-image-pullsecrets/alloy/templates/rbac.yaml
+++ b/operations/helm/tests/local-image-pullsecrets/alloy/templates/rbac.yaml
@@ -52,6 +52,14 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - alertmanagerconfigs
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - monitoring.coreos.com
     resources:
diff --git a/operations/helm/tests/local-image-registry/alloy/templates/rbac.yaml b/operations/helm/tests/local-image-registry/alloy/templates/rbac.yaml
index d8b334d8175..86ad6f4d487 100644
--- a/operations/helm/tests/local-image-registry/alloy/templates/rbac.yaml
+++ b/operations/helm/tests/local-image-registry/alloy/templates/rbac.yaml
@@ -52,6 +52,14 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - alertmanagerconfigs
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - monitoring.coreos.com
     resources:
diff --git a/operations/helm/tests/nodeselectors-and-tolerations/alloy/templates/rbac.yaml b/operations/helm/tests/nodeselectors-and-tolerations/alloy/templates/rbac.yaml
index d8b334d8175..86ad6f4d487 100644
--- a/operations/helm/tests/nodeselectors-and-tolerations/alloy/templates/rbac.yaml
+++ b/operations/helm/tests/nodeselectors-and-tolerations/alloy/templates/rbac.yaml
@@ -52,6 +52,14 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - alertmanagerconfigs
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - monitoring.coreos.com
     resources:
diff --git a/operations/helm/tests/nonroot/alloy/templates/rbac.yaml b/operations/helm/tests/nonroot/alloy/templates/rbac.yaml
index d8b334d8175..86ad6f4d487 100644
--- a/operations/helm/tests/nonroot/alloy/templates/rbac.yaml
+++ b/operations/helm/tests/nonroot/alloy/templates/rbac.yaml
@@ -52,6 +52,14 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - alertmanagerconfigs
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - monitoring.coreos.com
     resources:
diff --git a/operations/helm/tests/pod_annotations/alloy/templates/rbac.yaml b/operations/helm/tests/pod_annotations/alloy/templates/rbac.yaml
index d8b334d8175..86ad6f4d487 100644
--- a/operations/helm/tests/pod_annotations/alloy/templates/rbac.yaml
+++ b/operations/helm/tests/pod_annotations/alloy/templates/rbac.yaml
@@ -52,6 +52,14 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - alertmanagerconfigs
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - monitoring.coreos.com
     resources:
diff --git a/operations/helm/tests/readinessprobe/alloy/templates/rbac.yaml b/operations/helm/tests/readinessprobe/alloy/templates/rbac.yaml
index d8b334d8175..86ad6f4d487 100644
--- a/operations/helm/tests/readinessprobe/alloy/templates/rbac.yaml
+++ b/operations/helm/tests/readinessprobe/alloy/templates/rbac.yaml
@@ -52,6 +52,14 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - alertmanagerconfigs
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - monitoring.coreos.com
     resources:
diff --git a/operations/helm/tests/roles-and-rolebindings/alloy/templates/rbac.yaml b/operations/helm/tests/roles-and-rolebindings/alloy/templates/rbac.yaml
index 03a48423aaf..8a7d0887981 100644
--- a/operations/helm/tests/roles-and-rolebindings/alloy/templates/rbac.yaml
+++ b/operations/helm/tests/roles-and-rolebindings/alloy/templates/rbac.yaml
@@ -53,6 +53,14 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - alertmanagerconfigs
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - monitoring.coreos.com
     resources:
diff --git a/operations/helm/tests/sidecars/alloy/templates/rbac.yaml b/operations/helm/tests/sidecars/alloy/templates/rbac.yaml
index d8b334d8175..86ad6f4d487 100644
--- a/operations/helm/tests/sidecars/alloy/templates/rbac.yaml
+++ b/operations/helm/tests/sidecars/alloy/templates/rbac.yaml
@@ -52,6 +52,14 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - alertmanagerconfigs
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - monitoring.coreos.com
     resources:
diff --git a/operations/helm/tests/termination-grace-period/alloy/templates/rbac.yaml b/operations/helm/tests/termination-grace-period/alloy/templates/rbac.yaml
index d8b334d8175..86ad6f4d487 100644
--- a/operations/helm/tests/termination-grace-period/alloy/templates/rbac.yaml
+++ b/operations/helm/tests/termination-grace-period/alloy/templates/rbac.yaml
@@ -52,6 +52,14 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - alertmanagerconfigs
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - monitoring.coreos.com
     resources:
diff --git a/operations/helm/tests/topologyspreadconstraints/alloy/templates/rbac.yaml b/operations/helm/tests/topologyspreadconstraints/alloy/templates/rbac.yaml
index d8b334d8175..86ad6f4d487 100644
--- a/operations/helm/tests/topologyspreadconstraints/alloy/templates/rbac.yaml
+++ b/operations/helm/tests/topologyspreadconstraints/alloy/templates/rbac.yaml
@@ -52,6 +52,14 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - alertmanagerconfigs
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - monitoring.coreos.com
     resources:
diff --git a/operations/helm/tests/with-digests/alloy/templates/rbac.yaml b/operations/helm/tests/with-digests/alloy/templates/rbac.yaml
index d8b334d8175..86ad6f4d487 100644
--- a/operations/helm/tests/with-digests/alloy/templates/rbac.yaml
+++ b/operations/helm/tests/with-digests/alloy/templates/rbac.yaml
@@ -52,6 +52,14 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - alertmanagerconfigs
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - monitoring.coreos.com
     resources:

From e4893e1d20bc97d9ddaac32c85c60c2a7c6c3076 Mon Sep 17 00:00:00 2001
From: Paulin Todev <paulin.todev@gmail.com>
Date: Thu, 13 Nov 2025 16:01:59 +0200
Subject: [PATCH 2/8] Sync Mimir periodically, test the case of a CRD deletion

---
 .../mimir/mimir.alerts.kubernetes.md          |  1 +
 .../tests/mimir-alerts-kubernetes/k8s_test.go | 77 +++++--------------
 .../testdata/expected_1.yml                   | 51 ++++++++++++
 .../testdata/expected_2.yml                   | 39 ++++++++++
 .../{ => testdata}/kubernetes.yml             |  3 +
 .../{ => testdata}/setup.sh                   |  0
 .../mimir/alerts/kubernetes/alerts.go         | 45 ++++++++---
 .../mimir/alerts/kubernetes/debug.go          |  6 --
 .../mimir/alerts/kubernetes/events.go         | 29 ++++---
 .../mimir/alerts/kubernetes/events_test.go    | 21 +++--
 .../mimir/alerts/kubernetes/types.go          |  4 +
 .../mimir/rules/kubernetes/events.go          |  9 +--
 internal/component/mimir/util/util.go         |  6 ++
 13 files changed, 186 insertions(+), 105 deletions(-)
 create mode 100644 internal/cmd/integration-tests-k8s/tests/mimir-alerts-kubernetes/testdata/expected_1.yml
 create mode 100644 internal/cmd/integration-tests-k8s/tests/mimir-alerts-kubernetes/testdata/expected_2.yml
 rename internal/cmd/integration-tests-k8s/tests/mimir-alerts-kubernetes/{ => testdata}/kubernetes.yml (95%)
 rename internal/cmd/integration-tests-k8s/tests/mimir-alerts-kubernetes/{ => testdata}/setup.sh (100%)
 delete mode 100644 internal/component/mimir/alerts/kubernetes/debug.go

diff --git a/docs/sources/reference/components/mimir/mimir.alerts.kubernetes.md b/docs/sources/reference/components/mimir/mimir.alerts.kubernetes.md
index 73355dd544b..93e107c0b8a 100644
--- a/docs/sources/reference/components/mimir/mimir.alerts.kubernetes.md
+++ b/docs/sources/reference/components/mimir/mimir.alerts.kubernetes.md
@@ -61,6 +61,7 @@ You can use the following arguments with `mimir.alerts.kubernetes`:
 | `proxy_connect_header`   | `map(list(secret))` | Specifies headers to send to proxies during CONNECT requests.                                    |               | no       |
 | `proxy_from_environment` | `bool`              | Use the proxy URL indicated by environment variables.                                            | `false`       | no       |
 | `proxy_url`              | `string`            | HTTP proxy to send requests through.                                                             |               | no       |
+| `sync_interval`          | `duration`          | Amount of time between reconciliations with Mimir.                                               | `"5m"`        | no       |
 | `template_files`         | `map(string)`       | A map of Alertmanager [template files][mimir-api-set-alertmgr-cfg].                              |  `{}`         | no       |
 
 At most, one of the following can be provided:
diff --git a/internal/cmd/integration-tests-k8s/tests/mimir-alerts-kubernetes/k8s_test.go b/internal/cmd/integration-tests-k8s/tests/mimir-alerts-kubernetes/k8s_test.go
index 6ec92fafceb..f0ac490a484 100644
--- a/internal/cmd/integration-tests-k8s/tests/mimir-alerts-kubernetes/k8s_test.go
+++ b/internal/cmd/integration-tests-k8s/tests/mimir-alerts-kubernetes/k8s_test.go
@@ -14,15 +14,18 @@ import (
 // Running the test in a stateful way means that k8s resources won't be deleted at the end.
 // It's useful for debugging. You can run the test like this:
 // ALLOY_STATEFUL_K8S_TEST=true make integration-test-k8s
+//
+// After you're done with the test, run a command like this to clean up:
+// minikube delete -p mimir-alerts-kubernetes
 func isStateful() bool {
 	stateful, _ := strconv.ParseBool(os.Getenv("ALLOY_STATEFUL_K8S_TEST"))
 	return stateful
 }
 
 func TestMimirAlerts(t *testing.T) {
-	testDir := "./"
+	testDataDir := "./testdata/"
 
-	cleanupFunc := util.BootstrapTest(testDir, "mimir-alerts-kubernetes", isStateful())
+	cleanupFunc := util.BootstrapTest(testDataDir, "mimir-alerts-kubernetes", isStateful())
 	defer cleanupFunc()
 
 	terminatePortFwd := util.ExecuteBackgroundCommand(
@@ -30,63 +33,23 @@ func TestMimirAlerts(t *testing.T) {
 		"Port forward Mimir")
 	defer terminatePortFwd()
 
-	expectedMimirConfig := `template_files:
-    default_template: |-
-        {{ define "__alertmanager" }}AlertManager{{ end }}
-        {{ define "__alertmanagerURL" }}{{ .ExternalURL }}/#/alerts?receiver={{ .Receiver | urlquery }}{{ end }}
-alertmanager_config: |
-    global:
-      resolve_timeout: 5m
-      http_config:
-        follow_redirects: true
-        enable_http2: true
-      smtp_hello: localhost
-      smtp_require_tls: true
-    route:
-      receiver: "null"
-      continue: false
-      routes:
-      - receiver: testing/alertmgr-config1/null
-        matchers:
-        - namespace="testing"
-        continue: true
-        routes:
-        - receiver: testing/alertmgr-config1/myamc
-          continue: true
-      - receiver: testing/alertmgr-config2/null
-        matchers:
-        - namespace="testing"
-        continue: true
-        routes:
-        - receiver: testing/alertmgr-config2/database-pager
-          matchers:
-          - service="webapp"
-          continue: false
-          group_wait: 10s
-    receivers:
-    - name: "null"
-    - name: alloy-namespace/global-config/myreceiver
-    - name: testing/alertmgr-config1/null
-    - name: testing/alertmgr-config1/myamc
-      webhook_configs:
-      - send_resolved: false
-        http_config:
-          follow_redirects: true
-          enable_http2: true
-        url: http://test.url
-        url_file: ""
-        max_alerts: 0
-        timeout: 0s
-    - name: testing/alertmgr-config2/null
-    - name: testing/alertmgr-config2/database-pager
-    templates:
-    - default_template
-`
+	checkMimirConfig(t, testDataDir, "expected_1.yml")
+
+	util.ExecuteCommand(
+		"kubectl", []string{"delete", "alertmanagerconfig", "alertmgr-config2", "-n", "testing"},
+		"Delete an Alertmanagerconfig CRD")
+
+	// Mimir's config should now omit the deleted Alertmanagerconfig CRD.
+	checkMimirConfig(t, testDataDir, "expected_2.yml")
+}
+
+func checkMimirConfig(t *testing.T, testDataDir, expectedFile string) {
+	expectedMimirConfigBytes, err := os.ReadFile(testDataDir + expectedFile)
+	require.NoError(t, err)
+	expectedMimirConfig := string(expectedMimirConfigBytes)
 
 	require.EventuallyWithT(t, func(c *assert.CollectT) {
 		actualMimirConfig := util.Curl(c, "http://localhost:12346/api/v1/alerts")
 		require.Equal(c, expectedMimirConfig, actualMimirConfig)
-	}, 15*time.Second, 100*time.Millisecond)
-	// TODO: Print Alloy's logs if the test fails.
-	// TODO: Try changing some k8s resources and check Mimir's config again.
+	}, 60*time.Second, 500*time.Millisecond)
 }
diff --git a/internal/cmd/integration-tests-k8s/tests/mimir-alerts-kubernetes/testdata/expected_1.yml b/internal/cmd/integration-tests-k8s/tests/mimir-alerts-kubernetes/testdata/expected_1.yml
new file mode 100644
index 00000000000..3250aad9f43
--- /dev/null
+++ b/internal/cmd/integration-tests-k8s/tests/mimir-alerts-kubernetes/testdata/expected_1.yml
@@ -0,0 +1,51 @@
+template_files:
+    default_template: |-
+        {{ define "__alertmanager" }}AlertManager{{ end }}
+        {{ define "__alertmanagerURL" }}{{ .ExternalURL }}/#/alerts?receiver={{ .Receiver | urlquery }}{{ end }}
+alertmanager_config: |
+    global:
+      resolve_timeout: 5m
+      http_config:
+        follow_redirects: true
+        enable_http2: true
+      smtp_hello: localhost
+      smtp_require_tls: true
+    route:
+      receiver: "null"
+      continue: false
+      routes:
+      - receiver: testing/alertmgr-config1/null
+        matchers:
+        - namespace="testing"
+        continue: true
+        routes:
+        - receiver: testing/alertmgr-config1/myamc
+          continue: true
+      - receiver: testing/alertmgr-config2/null
+        matchers:
+        - namespace="testing"
+        continue: true
+        routes:
+        - receiver: testing/alertmgr-config2/database-pager
+          matchers:
+          - service="webapp"
+          continue: false
+          group_wait: 10s
+    receivers:
+    - name: "null"
+    - name: alloy-namespace/global-config/myreceiver
+    - name: testing/alertmgr-config1/null
+    - name: testing/alertmgr-config1/myamc
+      webhook_configs:
+      - send_resolved: false
+        http_config:
+          follow_redirects: true
+          enable_http2: true
+        url: http://test.url
+        url_file: ""
+        max_alerts: 0
+        timeout: 0s
+    - name: testing/alertmgr-config2/null
+    - name: testing/alertmgr-config2/database-pager
+    templates:
+    - default_template
diff --git a/internal/cmd/integration-tests-k8s/tests/mimir-alerts-kubernetes/testdata/expected_2.yml b/internal/cmd/integration-tests-k8s/tests/mimir-alerts-kubernetes/testdata/expected_2.yml
new file mode 100644
index 00000000000..088f6537d43
--- /dev/null
+++ b/internal/cmd/integration-tests-k8s/tests/mimir-alerts-kubernetes/testdata/expected_2.yml
@@ -0,0 +1,39 @@
+template_files:
+    default_template: |-
+        {{ define "__alertmanager" }}AlertManager{{ end }}
+        {{ define "__alertmanagerURL" }}{{ .ExternalURL }}/#/alerts?receiver={{ .Receiver | urlquery }}{{ end }}
+alertmanager_config: |
+    global:
+      resolve_timeout: 5m
+      http_config:
+        follow_redirects: true
+        enable_http2: true
+      smtp_hello: localhost
+      smtp_require_tls: true
+    route:
+      receiver: "null"
+      continue: false
+      routes:
+      - receiver: testing/alertmgr-config1/null
+        matchers:
+        - namespace="testing"
+        continue: true
+        routes:
+        - receiver: testing/alertmgr-config1/myamc
+          continue: true
+    receivers:
+    - name: "null"
+    - name: alloy-namespace/global-config/myreceiver
+    - name: testing/alertmgr-config1/null
+    - name: testing/alertmgr-config1/myamc
+      webhook_configs:
+      - send_resolved: false
+        http_config:
+          follow_redirects: true
+          enable_http2: true
+        url: http://test.url
+        url_file: ""
+        max_alerts: 0
+        timeout: 0s
+    templates:
+    - default_template
diff --git a/internal/cmd/integration-tests-k8s/tests/mimir-alerts-kubernetes/kubernetes.yml b/internal/cmd/integration-tests-k8s/tests/mimir-alerts-kubernetes/testdata/kubernetes.yml
similarity index 95%
rename from internal/cmd/integration-tests-k8s/tests/mimir-alerts-kubernetes/kubernetes.yml
rename to internal/cmd/integration-tests-k8s/tests/mimir-alerts-kubernetes/testdata/kubernetes.yml
index c9245f49a00..d98fa150ab4 100644
--- a/internal/cmd/integration-tests-k8s/tests/mimir-alerts-kubernetes/kubernetes.yml
+++ b/internal/cmd/integration-tests-k8s/tests/mimir-alerts-kubernetes/testdata/kubernetes.yml
@@ -96,6 +96,9 @@ data:
 
       mimir.alerts.kubernetes "default" {
         address = "http://mimir-nginx.mimir-test.svc:80"
+        // Set a short sync interval so that Alloy retries soon after starting.
+        // There's a high chance that Mimir is not yet ready when Alloy starts sending requests to it.
+        sync_interval = "5s"
         global_config = remote.kubernetes.configmap.default.data["glbl"]
         template_files = {
           `default_template` = 
diff --git a/internal/cmd/integration-tests-k8s/tests/mimir-alerts-kubernetes/setup.sh b/internal/cmd/integration-tests-k8s/tests/mimir-alerts-kubernetes/testdata/setup.sh
similarity index 100%
rename from internal/cmd/integration-tests-k8s/tests/mimir-alerts-kubernetes/setup.sh
rename to internal/cmd/integration-tests-k8s/tests/mimir-alerts-kubernetes/testdata/setup.sh
diff --git a/internal/component/mimir/alerts/kubernetes/alerts.go b/internal/component/mimir/alerts/kubernetes/alerts.go
index dfacc284a50..480657f478a 100644
--- a/internal/component/mimir/alerts/kubernetes/alerts.go
+++ b/internal/component/mimir/alerts/kubernetes/alerts.go
@@ -59,19 +59,28 @@ type Component struct {
 	opts component.Options
 	args Arguments
 
+	// The client via which Alertmanager configs are sent to Mimir.
 	mimirClient mimirClient.AlertmanagerInterface
 
+	// Signal an update to the Arguments.
 	configUpdates chan ConfigUpdate
 
+	ticker *time.Ticker
+
 	healthMut sync.RWMutex
 	health    component.Health
 	metrics   *metrics
 
-	k8sClient         kubernetes.Interface
+	// Connection to the Kubernetes API.
+	k8sClient kubernetes.Interface
+	// Selector for "Namespace" k8s resources which to watch.
 	namespaceSelector labels.Selector
-	cfgSelector       labels.Selector
-	eventProcessor    *eventProcessor
-	promClient        promVersioned.Interface
+	// Selector for "AlertmanagerConfig" k8s resources which to watch.
+	cfgSelector labels.Selector
+	// A Prometheus Operator client via which "AlertmanagerConfigs" are retrieved from the Kubernetes API.
+	promClient promVersioned.Interface
+	// The event processor that watches for changes in the Kubernetes API and updates the Mimir Alertmanager configs.
+	eventProcessor *eventProcessor
 }
 
 type ConfigUpdate struct {
@@ -79,9 +88,11 @@ type ConfigUpdate struct {
 }
 
 var _ component.Component = (*Component)(nil)
-var _ component.DebugComponent = (*Component)(nil)
 var _ component.HealthComponent = (*Component)(nil)
 
+// TODO: Implement DebugInfo()
+// var _ component.DebugComponent = (*Component)(nil)
+
 // New creates a new Component and initializes required clients based on the provided configuration.
 // TODO: Add clustering support
 func New(o component.Options, args Arguments) (*Component, error) {
@@ -110,6 +121,7 @@ func newNoInit(o component.Options, args Arguments) (*Component, error) {
 		args:          args,
 		configUpdates: make(chan ConfigUpdate),
 		metrics:       m,
+		ticker:        time.NewTicker(args.SyncInterval),
 	}
 
 	return c, nil
@@ -172,6 +184,11 @@ func (c *Component) iteration(ctx context.Context, state util.Lifecycle[Argument
 	case <-ctx.Done():
 		state.Shutdown()
 		return errShutdown
+	case <-c.ticker.C:
+		// It's useful to sync periodically:
+		// * If an event was missed earlier, it can be synced now.
+		// * If the connection to Mimir or to the k8s API didn't work last time, it might work now.
+		state.SyncState()
 	}
 
 	return nil
@@ -232,9 +249,11 @@ func (c *Component) Shutdown() {
 	}
 }
 
-// syncState asks the eventProcessor to sync rule state from the Mimir Ruler. It does
-// not block waiting for state to be synced.
-func (c *Component) SyncState() {}
+func (c *Component) SyncState() {
+	if c.eventProcessor != nil {
+		c.eventProcessor.enqueueSyncMimir()
+	}
+}
 
 func (c *Component) init() error {
 	level.Info(c.log).Log("msg", "initializing with configuration")
@@ -257,6 +276,8 @@ func (c *Component) init() error {
 
 	httpClient := c.args.HTTPClientConfig.Convert()
 
+	c.ticker.Reset(c.args.SyncInterval)
+
 	c.mimirClient, err = mimirClient.New(c.log, mimirClient.Config{
 		Address:          c.args.Address,
 		HTTPClientConfig: *httpClient,
@@ -311,16 +332,16 @@ func (c *Component) startConfigInformer(queue workqueue.TypedRateLimitingInterfa
 	)
 
 	amConfigs := factory.Monitoring().V1alpha1().AlertmanagerConfigs()
-	ruleLister := amConfigs.Lister()
-	ruleInformer := amConfigs.Informer()
-	_, err := ruleInformer.AddEventHandler(commonK8s.NewQueuedEventHandler(c.log, queue))
+	amConfigsLister := amConfigs.Lister()
+	amConfigsInformer := amConfigs.Informer()
+	_, err := amConfigsInformer.AddEventHandler(commonK8s.NewQueuedEventHandler(c.log, queue))
 	if err != nil {
 		return nil, err
 	}
 
 	factory.Start(stopChan)
 	factory.WaitForCacheSync(stopChan)
-	return ruleLister, nil
+	return amConfigsLister, nil
 }
 
 func (c *Component) newEventProcessor(queue workqueue.TypedRateLimitingInterface[commonK8s.Event], stopChan chan struct{},
diff --git a/internal/component/mimir/alerts/kubernetes/debug.go b/internal/component/mimir/alerts/kubernetes/debug.go
deleted file mode 100644
index d11eeff6cef..00000000000
--- a/internal/component/mimir/alerts/kubernetes/debug.go
+++ /dev/null
@@ -1,6 +0,0 @@
-package alerts
-
-// TODO: Implement a useful DebugInfo
-func (c *Component) DebugInfo() interface{} {
-	return nil
-}
diff --git a/internal/component/mimir/alerts/kubernetes/events.go b/internal/component/mimir/alerts/kubernetes/events.go
index c4e2adffe06..f1cc5c449ed 100644
--- a/internal/component/mimir/alerts/kubernetes/events.go
+++ b/internal/component/mimir/alerts/kubernetes/events.go
@@ -35,15 +35,16 @@ type eventProcessor struct {
 	stopChan chan struct{}
 	health   util.HealthReporter
 
-	mimirClient       client.AlertmanagerInterface
+	mimirClient client.AlertmanagerInterface
+
 	namespaceLister   coreListers.NamespaceLister
-	baseCfg           alertmgr_cfg.Config
 	cfgLister         promListers_v1alpha.AlertmanagerConfigLister
 	namespaceSelector labels.Selector
 	cfgSelector       labels.Selector
-	templateFiles     map[string]string
+	kclient           go_k8s.Interface
 
-	kclient go_k8s.Interface
+	baseCfg       alertmgr_cfg.Config
+	templateFiles map[string]string
 
 	metrics *metrics
 	logger  log.Logger
@@ -109,18 +110,6 @@ func (m *metrics) register(r prometheus.Registerer) error {
 
 // run processes events added to the queue until the queue is shutdown.
 func (e *eventProcessor) run(ctx context.Context) {
-	// Do an initial reconciliation so that Mimir is updated if there are no AlertmanagerConfig CRDs.
-	err := e.reconcileState(ctx)
-	if err != nil {
-		level.Error(e.logger).Log(
-			"msg", "failed to do an initial configuration update",
-			"err", err,
-		)
-		e.health.ReportUnhealthy(err)
-	} else {
-		e.health.ReportHealthy()
-	}
-
 	for {
 		evt, shutdown := e.queue.Get()
 		if shutdown {
@@ -173,6 +162,12 @@ func (e *eventProcessor) processEvent(ctx context.Context, event kubernetes.Even
 	return e.reconcileState(ctx)
 }
 
+func (e *eventProcessor) enqueueSyncMimir() {
+	e.queue.Add(kubernetes.Event{
+		Typ: util.EventTypeSyncMimir,
+	})
+}
+
 func (c *eventProcessor) provisionAlertmanagerConfiguration(ctx context.Context,
 	amConfigs map[string]*promv1alpha1.AlertmanagerConfig, store *assets.StoreBuilder) (*alertmgr_cfg.Config, error) {
 
@@ -216,6 +211,8 @@ func (e *eventProcessor) reconcileState(ctx context.Context) error {
 		return err
 	}
 
+	// TODO: Get Mimir's current Alertmanager config and diff it with the one Alloy has.
+	//       If it's the same, do nothing. If it's different, update Mimir.
 	err = e.mimirClient.CreateAlertmanagerConfigs(ctx, cfg, e.templateFiles)
 	if err != nil {
 		return err
diff --git a/internal/component/mimir/alerts/kubernetes/events_test.go b/internal/component/mimir/alerts/kubernetes/events_test.go
index 5baa136a11f..c7b120f8ee0 100644
--- a/internal/component/mimir/alerts/kubernetes/events_test.go
+++ b/internal/component/mimir/alerts/kubernetes/events_test.go
@@ -263,7 +263,7 @@ templates: []`
 				Type: "OnNamespace",
 			},
 			want:             emptyCfg,
-			expectLogMessage: "failed to do an initial configuration update",
+			expectLogMessage: "failed to initialize from global AlertmangerConfig",
 		},
 		{
 			name:       "2 AlertmanagerConfig CRDs - 1 in another namespace",
@@ -333,7 +333,7 @@ spec:
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			nsIndexer := testNamespaceIndexer()
-			ruleIndexer := testRuleIndexer()
+			amConfigsIndexer := testAmConfigsIndexer()
 
 			mimirClient := newFakeMimirClient()
 
@@ -373,14 +373,19 @@ spec:
 				mimirClient:       mimirClient,
 				baseCfg:           convertToAlertmanagerType(t, tt.baseCfgStr),
 				namespaceLister:   coreListers.NewNamespaceLister(nsIndexer),
-				cfgLister:         promListers_v1alpha1.NewAlertmanagerConfigLister(ruleIndexer),
+				cfgLister:         promListers_v1alpha1.NewAlertmanagerConfigLister(amConfigsIndexer),
 				namespaceSelector: namespaceSelector,
 				cfgSelector:       cfgSelector,
 				metrics:           newMetrics(),
 				logger:            testLogger,
 			}
 
-			go processor.run(t.Context())
+			ctx := t.Context()
+
+			// Do an initial sync of the Mimir ruler state before starting the event processing loop.
+			processor.enqueueSyncMimir()
+
+			go processor.run(ctx)
 			defer processor.stop()
 
 			eventHandler := kubernetes.NewQueuedEventHandler(processor.logger, processor.queue)
@@ -394,7 +399,7 @@ spec:
 				err := yaml.Unmarshal([]byte(amConfigStr), &amConfig)
 				assert.NoError(t, err)
 
-				require.NoError(t, ruleIndexer.Add(&amConfig))
+				require.NoError(t, amConfigsIndexer.Add(&amConfig))
 				eventHandler.OnAdd(&amConfig, false)
 			}
 
@@ -428,12 +433,12 @@ func convertStringToSelector(t *testing.T, labelSelector string) labels.Selector
 	return selector
 }
 
-func testRuleIndexer() cache.Indexer {
-	ruleIndexer := cache.NewIndexer(
+func testAmConfigsIndexer() cache.Indexer {
+	amConfigsIndexer := cache.NewIndexer(
 		cache.DeletionHandlingMetaNamespaceKeyFunc,
 		cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc},
 	)
-	return ruleIndexer
+	return amConfigsIndexer
 }
 
 func testNamespaceIndexer() cache.Indexer {
diff --git a/internal/component/mimir/alerts/kubernetes/types.go b/internal/component/mimir/alerts/kubernetes/types.go
index c1ffc6aeed8..137298b3212 100644
--- a/internal/component/mimir/alerts/kubernetes/types.go
+++ b/internal/component/mimir/alerts/kubernetes/types.go
@@ -1,6 +1,8 @@
 package alerts
 
 import (
+	"time"
+
 	"github.com/grafana/alloy/internal/component/common/config"
 	"github.com/grafana/alloy/internal/component/common/kubernetes"
 	"github.com/grafana/alloy/syntax/alloytypes"
@@ -9,6 +11,7 @@ import (
 type Arguments struct {
 	Address          string                  `alloy:"address,attr"`
 	HTTPClientConfig config.HTTPClientConfig `alloy:",squash"`
+	SyncInterval     time.Duration           `alloy:"sync_interval,attr,optional"`
 
 	TemplateFiles map[string]string `alloy:"template_files,attr,optional"`
 	GlobalConfig  alloytypes.Secret `alloy:"global_config,attr"`
@@ -20,6 +23,7 @@ type Arguments struct {
 }
 
 var DefaultArguments = Arguments{
+	SyncInterval:     5 * time.Minute,
 	HTTPClientConfig: config.DefaultHTTPClientConfig,
 }
 
diff --git a/internal/component/mimir/rules/kubernetes/events.go b/internal/component/mimir/rules/kubernetes/events.go
index 2397f018987..2d0e2a244f0 100644
--- a/internal/component/mimir/rules/kubernetes/events.go
+++ b/internal/component/mimir/rules/kubernetes/events.go
@@ -20,14 +20,11 @@ import (
 	"sigs.k8s.io/yaml" // Used for CRD compatibility instead of gopkg.in/yaml.v2
 
 	"github.com/grafana/alloy/internal/component/common/kubernetes"
+	"github.com/grafana/alloy/internal/component/mimir/util"
 	"github.com/grafana/alloy/internal/mimir/client"
 	"github.com/grafana/alloy/internal/runtime/logging/level"
 )
 
-const (
-	eventTypeSyncMimir kubernetes.EventType = "sync-mimir"
-)
-
 var sourceTenantsRegex = regexp.MustCompile(`\s*,\s*`)
 
 type eventProcessor struct {
@@ -106,7 +103,7 @@ func (e *eventProcessor) processEvent(ctx context.Context, event kubernetes.Even
 	switch event.Typ {
 	case kubernetes.EventTypeResourceChanged:
 		level.Info(e.logger).Log("msg", "processing event", "type", event.Typ, "key", event.ObjectKey)
-	case eventTypeSyncMimir:
+	case util.EventTypeSyncMimir:
 		level.Debug(e.logger).Log("msg", "syncing current state from ruler")
 		err := e.syncMimir(ctx)
 		if err != nil {
@@ -121,7 +118,7 @@ func (e *eventProcessor) processEvent(ctx context.Context, event kubernetes.Even
 
 func (e *eventProcessor) enqueueSyncMimir() {
 	e.queue.Add(kubernetes.Event{
-		Typ: eventTypeSyncMimir,
+		Typ: util.EventTypeSyncMimir,
 	})
 }
 
diff --git a/internal/component/mimir/util/util.go b/internal/component/mimir/util/util.go
index 479f849f876..75db318d718 100644
--- a/internal/component/mimir/util/util.go
+++ b/internal/component/mimir/util/util.go
@@ -2,10 +2,16 @@ package util
 
 import (
 	"context"
+
+	"github.com/grafana/alloy/internal/component/common/kubernetes"
 )
 
 // TODO: Use the functions in this file in the mimir.rules.kubernetes component.
 
+const (
+	EventTypeSyncMimir kubernetes.EventType = "sync-mimir"
+)
+
 // healthReporter encapsulates the logic for marking a component as healthy or
 // not healthy to make testing portions of the Component easier.
 type HealthReporter interface {

From b22e017cac03cf16c0e82d25f1450ea2a747cebc Mon Sep 17 00:00:00 2001
From: Paulin Todev <paulin.todev@gmail.com>
Date: Mon, 17 Nov 2025 13:37:26 +0200
Subject: [PATCH 3/8] Add TODOs

---
 internal/component/mimir/alerts/kubernetes/alerts.go | 2 ++
 internal/component/mimir/alerts/kubernetes/events.go | 2 ++
 internal/component/mimir/rules/kubernetes/rules.go   | 2 ++
 3 files changed, 6 insertions(+)

diff --git a/internal/component/mimir/alerts/kubernetes/alerts.go b/internal/component/mimir/alerts/kubernetes/alerts.go
index 480657f478a..db028b9d43f 100644
--- a/internal/component/mimir/alerts/kubernetes/alerts.go
+++ b/internal/component/mimir/alerts/kubernetes/alerts.go
@@ -128,6 +128,8 @@ func newNoInit(o component.Options, args Arguments) (*Component, error) {
 }
 
 func (c *Component) Run(ctx context.Context) error {
+	//TODO: There's a chance that the startup function is stuck retrying forever.
+	// What's worse is that a config update wouldn't be able to fix it, since we haven't entered the config update loop yet.
 	c.startupWithRetries(ctx, c, c)
 
 	for {
diff --git a/internal/component/mimir/alerts/kubernetes/events.go b/internal/component/mimir/alerts/kubernetes/events.go
index f1cc5c449ed..1d4bcf4648a 100644
--- a/internal/component/mimir/alerts/kubernetes/events.go
+++ b/internal/component/mimir/alerts/kubernetes/events.go
@@ -151,6 +151,8 @@ func (e *eventProcessor) run(ctx context.Context) {
 // stop stops adding new Kubernetes events to the queue and blocks until all existing
 // events have been processed by the run loop.
 func (e *eventProcessor) stop() {
+	// TODO: This stops the informers, but the informers are not created by eventProcessor.
+	//       Create and stop the components in the same struct? To make it more clear what owns them.
 	close(e.stopChan)
 	// Because this method blocks until the queue is empty, it's important that we don't
 	// stop the run loop and let it continue to process existing items in the queue.
diff --git a/internal/component/mimir/rules/kubernetes/rules.go b/internal/component/mimir/rules/kubernetes/rules.go
index 223ef6687ad..83e4bdbd462 100644
--- a/internal/component/mimir/rules/kubernetes/rules.go
+++ b/internal/component/mimir/rules/kubernetes/rules.go
@@ -191,6 +191,8 @@ func newNoInit(o component.Options, args Arguments) (*Component, error) {
 }
 
 func (c *Component) Run(ctx context.Context) error {
+	//TODO: There's a chance that the startup function is stuck retrying forever.
+	//      What's worse is that a config update wouldn't be able to fix it, since we haven't entered the config update loop yet.
 	c.startupWithRetries(ctx, c.leader, c, c)
 
 	for {

From bdaf524dc3985a6e5c4884dc125b4ac9ff113d28 Mon Sep 17 00:00:00 2001
From: Paulin Todev <paulin.todev@gmail.com>
Date: Tue, 18 Nov 2025 01:12:28 +0200
Subject: [PATCH 4/8] Longer test timeout

---
 .../tests/mimir-alerts-kubernetes/k8s_test.go                   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/cmd/integration-tests-k8s/tests/mimir-alerts-kubernetes/k8s_test.go b/internal/cmd/integration-tests-k8s/tests/mimir-alerts-kubernetes/k8s_test.go
index f0ac490a484..a69a7c397f5 100644
--- a/internal/cmd/integration-tests-k8s/tests/mimir-alerts-kubernetes/k8s_test.go
+++ b/internal/cmd/integration-tests-k8s/tests/mimir-alerts-kubernetes/k8s_test.go
@@ -51,5 +51,5 @@ func checkMimirConfig(t *testing.T, testDataDir, expectedFile string) {
 	require.EventuallyWithT(t, func(c *assert.CollectT) {
 		actualMimirConfig := util.Curl(c, "http://localhost:12346/api/v1/alerts")
 		require.Equal(c, expectedMimirConfig, actualMimirConfig)
-	}, 60*time.Second, 500*time.Millisecond)
+	}, 5*time.Minute, 500*time.Millisecond)
 }

From 31ad71ca8bc5e9df3ca6d7db569e1439e40e59a6 Mon Sep 17 00:00:00 2001
From: Paulin Todev <paulin.todev@gmail.com>
Date: Tue, 18 Nov 2025 13:57:45 +0000
Subject: [PATCH 5/8] Check if pods are running

---
 .../tests/mimir-alerts-kubernetes/k8s_test.go |  4 ++
 .../cmd/integration-tests-k8s/util/k8s.go     | 51 +++++++++++++++++++
 .../cmd/integration-tests-k8s/util/util.go    | 10 ++--
 3 files changed, 58 insertions(+), 7 deletions(-)
 create mode 100644 internal/cmd/integration-tests-k8s/util/k8s.go

diff --git a/internal/cmd/integration-tests-k8s/tests/mimir-alerts-kubernetes/k8s_test.go b/internal/cmd/integration-tests-k8s/tests/mimir-alerts-kubernetes/k8s_test.go
index a69a7c397f5..f4201fcf195 100644
--- a/internal/cmd/integration-tests-k8s/tests/mimir-alerts-kubernetes/k8s_test.go
+++ b/internal/cmd/integration-tests-k8s/tests/mimir-alerts-kubernetes/k8s_test.go
@@ -33,6 +33,10 @@ func TestMimirAlerts(t *testing.T) {
 		"Port forward Mimir")
 	defer terminatePortFwd()
 
+	tester := util.NewKubernetesTester(t)
+	tester.WaitForPodRunning("testing", "app=grafana-alloy")
+	tester.WaitForPodRunning("mimir-test", "app.kubernetes.io/component=alertmanager")
+
 	checkMimirConfig(t, testDataDir, "expected_1.yml")
 
 	util.ExecuteCommand(
diff --git a/internal/cmd/integration-tests-k8s/util/k8s.go b/internal/cmd/integration-tests-k8s/util/k8s.go
new file mode 100644
index 00000000000..bf0bf1a0937
--- /dev/null
+++ b/internal/cmd/integration-tests-k8s/util/k8s.go
@@ -0,0 +1,51 @@
+package util
+
+import (
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/tools/clientcmd"
+)
+
+type KubernetesTester struct {
+	t      *testing.T
+	client *kubernetes.Clientset
+}
+
+func NewKubernetesTester(t *testing.T) *KubernetesTester {
+	config, err := clientcmd.BuildConfigFromFlags("", clientcmd.RecommendedHomeFile)
+	require.NoError(t, err)
+
+	clientset, err := kubernetes.NewForConfig(config)
+	require.NoError(t, err)
+
+	return &KubernetesTester{
+		t:      t,
+		client: clientset,
+	}
+}
+
+func (t *KubernetesTester) WaitForPodRunning(namespace, labelSelector string) {
+	require.EventuallyWithT(t.t, func(c *assert.CollectT) {
+		// Get Alloy pods in the testing namespace
+		pods, err := t.client.CoreV1().Pods(namespace).List(t.t.Context(), metav1.ListOptions{
+			LabelSelector: labelSelector,
+		})
+		require.NoError(c, err)
+		require.NotEmpty(c, pods.Items, fmt.Sprintf("No pods found for namespace %s and label selector %s", namespace, labelSelector))
+
+		// Check if all pods are running and ready
+		for _, pod := range pods.Items {
+			// Check if pod is being deleted
+			require.Nil(c, pod.DeletionTimestamp, fmt.Sprintf("Pod %s in namespace %s is being deleted", pod.Name, namespace))
+			// Check if pod is running
+			require.Equal(c, pod.Status.Phase, corev1.PodRunning, fmt.Sprintf("Pod %s in namespace %s is not running", pod.Name, namespace))
+		}
+	}, 5*time.Minute, 2*time.Second)
+}
diff --git a/internal/cmd/integration-tests-k8s/util/util.go b/internal/cmd/integration-tests-k8s/util/util.go
index 9b567209850..06c4cc92264 100644
--- a/internal/cmd/integration-tests-k8s/util/util.go
+++ b/internal/cmd/integration-tests-k8s/util/util.go
@@ -9,6 +9,7 @@ import (
 	"os/exec"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 type CleanupFunc func()
@@ -91,15 +92,10 @@ func ExecuteBackgroundCommand(command string, args []string, taskDescription str
 
 func Curl(c *assert.CollectT, url string) string {
 	resp, err := http.Get(url)
-	if err != nil {
-		c.Errorf("Failed to make HTTP request: %v", err)
-		c.FailNow()
-	}
+	require.NoError(c, err)
 
 	body, err := io.ReadAll(resp.Body)
-	if err != nil {
-		log.Fatalf("Failed to read response body: %v", err)
-	}
+	require.NoError(c, err)
 
 	return string(body)
 }

From c2bc96175cbabe095a51e93601aaafbd92100d89 Mon Sep 17 00:00:00 2001
From: Paulin Todev <paulin.todev@gmail.com>
Date: Tue, 18 Nov 2025 14:36:54 +0000
Subject: [PATCH 6/8] Apply suggestions from code review

Co-authored-by: Clayton Cornell <131809008+clayton-cornell@users.noreply.github.com>
---
 .../reference/components/mimir/mimir.alerts.kubernetes.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/docs/sources/reference/components/mimir/mimir.alerts.kubernetes.md b/docs/sources/reference/components/mimir/mimir.alerts.kubernetes.md
index 93e107c0b8a..5720f73e18b 100644
--- a/docs/sources/reference/components/mimir/mimir.alerts.kubernetes.md
+++ b/docs/sources/reference/components/mimir/mimir.alerts.kubernetes.md
@@ -17,7 +17,7 @@ title: mimir.alerts.kubernetes
 `mimir.alerts.kubernetes` discovers `AlertmanagerConfig` Kubernetes resources and loads them into a Mimir instance.
 
 * You can specify multiple `mimir.alerts.kubernetes` components by giving them different labels.
-* [Kubernetes label selectors][] can be used to limit the `Namespace` and `AlertmanagerConfig` resources considered during reconciliation.
+* You can use [Kubernetes label selectors][] to limit the `Namespace` and `AlertmanagerConfig` resources considered during reconciliation.
 * Compatible with the Alertmanager APIs of Grafana Mimir, Grafana Cloud, and Grafana Enterprise Metrics.
 * Compatible with the `AlertmanagerConfig` CRD from the [`prometheus-operator`][prometheus-operator].
 * This component accesses the Kubernetes REST API from [within a Pod][].
@@ -28,7 +28,7 @@ This component requires [Role-based access control (RBAC)][] to be set up in Kub
 [Role-based access control (RBAC)]: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
 {{< /admonition >}}
 
-`mimir.alerts.kubernetes` does not support [clustering][clustered mode].
+`mimir.alerts.kubernetes` doesn't support [clustering][clustered mode].
 [clustered mode]: ../../../../get-started/clustering/
 
 [Kubernetes label selectors]: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
@@ -165,7 +165,7 @@ The `values` argument must not be provided when `operator` is set to `"Exists"`
 
 ## Debug information
 
-`mimir.alerts.kubernetes` does not expose debug information.
+`mimir.alerts.kubernetes` doesn't expose debug information.
 
 ## Debug metrics
 
@@ -434,7 +434,7 @@ spec:
 
 {{< /collapse >}}
 
-The Kubernetes configuration above will create the Alertmanager configuration below and send it to Mimir:
+The Kubernetes configuration above creates the Alertmanager configuration below and sends it to Mimir:
 
 {{< collapse title="Example merged configuration sent to Mimir." >}}
 

From a39e8b84d34b5b7135d5dc1cbaf2df5b2bd5fbfa Mon Sep 17 00:00:00 2001
From: Paulin Todev <paulin.todev@gmail.com>
Date: Tue, 18 Nov 2025 15:37:51 +0000
Subject: [PATCH 7/8] Fix metric doc

---
 .../components/mimir/mimir.alerts.kubernetes.md    | 14 +++++++-------
 .../components/mimir/mimir.rules.kubernetes.md     | 14 +++++++-------
 2 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/docs/sources/reference/components/mimir/mimir.alerts.kubernetes.md b/docs/sources/reference/components/mimir/mimir.alerts.kubernetes.md
index 5720f73e18b..634e816d561 100644
--- a/docs/sources/reference/components/mimir/mimir.alerts.kubernetes.md
+++ b/docs/sources/reference/components/mimir/mimir.alerts.kubernetes.md
@@ -169,13 +169,13 @@ The `values` argument must not be provided when `operator` is set to `"Exists"`
 
 ## Debug metrics
 
-| Metric Name                                    | Type        | Description                                                              |
-| ---------------------------------------------- | ----------- | ------------------------------------------------------------------------ |
-| `mimir_alerts_client_request_duration_seconds` | `histogram` | Duration of requests to the Mimir API.                                   |
-| `mimir_alerts_config_updates_total`            | `counter`   | Number of times the configuration has been updated.                      |
-| `mimir_alerts_events_failed_total`             | `counter`   | Number of events that failed to be processed, partitioned by event type. |
-| `mimir_alerts_events_retried_total`            | `counter`   | Number of events that were retried, partitioned by event type.           |
-| `mimir_alerts_events_total`                    | `counter`   | Number of events processed, partitioned by event type.                   |
+| Metric Name                                          | Type        | Description                                                              |
+| ---------------------------------------------------- | ----------- | ------------------------------------------------------------------------ |
+| `mimir_alerts_mimir_client_request_duration_seconds` | `histogram` | Duration of requests to the Mimir API.                                   |
+| `mimir_alerts_config_updates_total`                  | `counter`   | Number of times the configuration has been updated.                      |
+| `mimir_alerts_events_failed_total`                   | `counter`   | Number of events that failed to be processed, partitioned by event type. |
+| `mimir_alerts_events_retried_total`                  | `counter`   | Number of events that were retried, partitioned by event type.           |
+| `mimir_alerts_events_total`                          | `counter`   | Number of events processed, partitioned by event type.                   |
 
 ## Example
 
diff --git a/docs/sources/reference/components/mimir/mimir.rules.kubernetes.md b/docs/sources/reference/components/mimir/mimir.rules.kubernetes.md
index b05ae0c7635..fe7e487c754 100644
--- a/docs/sources/reference/components/mimir/mimir.rules.kubernetes.md
+++ b/docs/sources/reference/components/mimir/mimir.rules.kubernetes.md
@@ -230,13 +230,13 @@ Only resources managed by the component are exposed, regardless of how many actu
 
 ## Debug metrics
 
-| Metric Name                                   | Type        | Description                                                              |
-| --------------------------------------------- | ----------- | ------------------------------------------------------------------------ |
-| `mimir_rules_client_request_duration_seconds` | `histogram` | Duration of requests to the Mimir API.                                   |
-| `mimir_rules_config_updates_total`            | `counter`   | Number of times the configuration has been updated.                      |
-| `mimir_rules_events_failed_total`             | `counter`   | Number of events that failed to be processed, partitioned by event type. |
-| `mimir_rules_events_retried_total`            | `counter`   | Number of events that were retried, partitioned by event type.           |
-| `mimir_rules_events_total`                    | `counter`   | Number of events processed, partitioned by event type.                   |
+| Metric Name                                         | Type        | Description                                                              |
+| --------------------------------------------------- | ----------- | ------------------------------------------------------------------------ |
+| `mimir_rules_mimir_client_request_duration_seconds` | `histogram` | Duration of requests to the Mimir API.                                   |
+| `mimir_rules_config_updates_total`                  | `counter`   | Number of times the configuration has been updated.                      |
+| `mimir_rules_events_failed_total`                   | `counter`   | Number of events that failed to be processed, partitioned by event type. |
+| `mimir_rules_events_retried_total`                  | `counter`   | Number of events that were retried, partitioned by event type.           |
+| `mimir_rules_events_total`                          | `counter`   | Number of events processed, partitioned by event type.                   |
 
 ## Examples
 

From f2853fbd9ad877e2fab52f49455201ec5ca5f035 Mon Sep 17 00:00:00 2001
From: Paulin Todev <paulin.todev@gmail.com>
Date: Wed, 19 Nov 2025 10:06:50 +0000
Subject: [PATCH 8/8] Fix changelog

---
 CHANGELOG.md | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e65e0ae83cc..13d877ccf04 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,10 @@ internal API changes are not present.
 Main (unreleased)
 -----------------
 
+### Features
+
+- A new `mimir.alerts.kubernetes` component which discovers `AlertmanagerConfig` Kubernetes resources and loads them into a Mimir instance. (@ptodev)
+
 ### Enhancements
 
 - update promtail converter to use `file_match` block for `loki.source.file` instead of going through `local.file_match`. (@kalleep)
@@ -85,8 +89,6 @@ v1.12.0-rc.0
   - The `otelcol.processor.servicegraph` component now supports defining the maximum number of buckets for generated exponential histograms.
   - See the upstream [core][https://github.com/open-telemetry/opentelemetry-collector/blob/v0.139.0/CHANGELOG.md] and [contrib][https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/v0.139.0/CHANGELOG.md] changelogs for more details.
 
-- A new `mimir.alerts.kubernetes` component which discovers `AlertmanagerConfig` Kubernetes resources and loads them into a Mimir instance. (@ptodev)
-
 ### Enhancements
 
 - Add per-application rate limiting with the `strategy` attribute in the `faro.receiver` component, to prevent one application from consuming the rate limit quota of others. (@hhertout)