Observability Challenges - Help needed

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    SonarQube Developer Edition: 8.2.0.32929
    Running on Kubernetes

  • what are you trying to achieve
    Monitor compute resources and their health.

  • what have you tried so far to achieve this
    Write a synthetic monitoring script to call the /api/system/health endpoint, though it requires a user/password. The [Security] problem is that such a user needs to have administrative rights and therefore becomes unnecessary exposure. Ideally, SonarQube should have a limited policy (that can be bound to user(s)) with a scope of metrics/health ONLY. This would mitigate this security risk.

My question is: does anyone know a way to call such an endpoint using a user with a very limited scope?

Last but not least, I have not found support for metrics via Prometheus. It looks like SonarQube does not support that? How can we monitor compute resource utilization and set alert rules then?

Thanks

Hi @peppe1977 ,

Welcome to the community :wave:

We do not officially support Kubernetes and therefore have no Prometheus endpoint yet, but we plan on doing so in the future ;D
In the meantime you can use a 3rd-party sidecar approach like this one, for example, or develop your own to get metrics into Prometheus.

As for the high permissions for the health endpoint, there is a property called sonar.web.systemPasscode which you can set. When this is set, you can use the header X-Sonar-Passcode to authenticate against this endpoint without exposing administrative permissions:

Example:

docker run --rm --name sonarqube-test -p 9000:9000 -e "SONAR_WEB_SYSTEMPASSCODE=Test" sonarqube:8-developer

curl -H "X-Sonar-Passcode: Test" localhost:9000/api/system/health

Hope this helps :slight_smile:

Hi Tobias

Thank you very much for the prompt answer as well as the welcome. Appreciated.
I thought you guys did not support custom-made plugins? I recall reading that somewhere. Please advise.
Nice that I can pass that property; it should address the security risk.

Thanks /Pedro

Hi @peppe1977 ,

Yeah, we do not officially support 3rd-party plugins in any form, because that would be waayyy too much :sweat_smile:
But this here is not a plugin but something that you can solve with the existing SonarQube API. We do not have a Prometheus endpoint as of now, but you can build your own using the metrics that we expose with the API, or you can hop on the work that someone else has already done. Take it not as a recommendation but more as a hint of how this problem can be solved within your environment :smile:
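The following is an added example, not code from the thread or from SonarSource, that ties together the two hints above: it calls /api/system/health with the X-Sonar-Passcode header instead of an admin login, and wraps the result in a tiny Prometheus exporter of the "build your own sidecar" kind. The JSON shape it parses ({"health": "GREEN", "causes": [...]}), the metric names sonarqube_health and sonarqube_health_causes, the numeric encoding of GREEN/YELLOW/RED, the listening port and the SONAR_URL / SONAR_PASSCODE environment variables are all this example's own assumptions. Anything that is not a clean, parseable answer (wrong passcode, endpoint unreachable, changed response format) is reported as UNKNOWN rather than as healthy, so an alert rule on sonarqube_health > 0 fails loud instead of silent.

```python
"""Sidecar-style health probe for SonarQube's /api/system/health.

Added example, not SonarQube's own code. Assumptions (not from the thread):
the endpoint answers with JSON like {"health": "GREEN", "causes": [...]},
and the metric names, port and environment variable names are our own.
"""
import json
import os
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Callable, List, Tuple

# Numeric encoding so Prometheus alert rules can compare it (our choice).
HEALTH_VALUES = {"GREEN": 0, "YELLOW": 1, "RED": 2}
UNKNOWN = 3  # unreachable, rejected passcode, or unparseable body

SONAR_URL = os.environ.get("SONAR_URL", "http://localhost:9000")
# Mount the passcode from a Secret; never bake it into the image.
PASSCODE = os.environ.get("SONAR_PASSCODE", "")


def parse_health(body: str) -> Tuple[int, List[str]]:
    """Map the JSON body of /api/system/health to (value, causes).

    A missing or unexpected 'health' string yields UNKNOWN, not GREEN, so a
    changed response format cannot masquerade as a healthy instance.
    """
    try:
        doc = json.loads(body)
    except ValueError:
        return UNKNOWN, ["unparseable response body"]
    if not isinstance(doc, dict):
        return UNKNOWN, ["unexpected response shape"]
    status = str(doc.get("health", "")).upper()
    causes = [str(c.get("message", c)) if isinstance(c, dict) else str(c)
              for c in doc.get("causes", [])]
    return HEALTH_VALUES.get(status, UNKNOWN), causes


def fetch_health(base_url: str, passcode: str,
                 opener: Callable = urllib.request.urlopen) -> Tuple[int, List[str]]:
    """Call the endpoint with X-Sonar-Passcode instead of an admin login.

    `opener` is injectable so the function can be exercised without a
    running SonarQube.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/system/health",
        headers={"X-Sonar-Passcode": passcode},
    )
    try:
        with opener(req, timeout=5) as resp:
            return parse_health(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as e:
        # 401/403 typically means a wrong passcode or an unset sonar.web.systemPasscode
        return UNKNOWN, [f"HTTP {e.code} from health endpoint"]
    except OSError as e:  # URLError is an OSError subclass; covers DNS/connect failures
        return UNKNOWN, [f"request failed: {e}"]


def render_metrics(value: int, causes: List[str]) -> str:
    """Prometheus text exposition format for the scraped state."""
    lines = [
        "# HELP sonarqube_health SonarQube health: 0=GREEN 1=YELLOW 2=RED 3=UNKNOWN",
        "# TYPE sonarqube_health gauge",
        f"sonarqube_health {value}",
        "# HELP sonarqube_health_causes Number of causes reported by /api/system/health",
        "# TYPE sonarqube_health_causes gauge",
        f"sonarqube_health_causes {len(causes)}",
    ]
    return "\n".join(lines) + "\n"


class _MetricsHandler(BaseHTTPRequestHandler):
    """Serves /metrics; each scrape triggers one call to SonarQube."""

    def do_GET(self):
        if self.path != "/metrics":
            self.send_error(404)
            return
        value, causes = fetch_health(SONAR_URL, PASSCODE)
        body = render_metrics(value, causes).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; version=0.0.4")
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    if not PASSCODE:
        raise SystemExit("SONAR_PASSCODE is not set; refusing to start")
    HTTPServer(("0.0.0.0", 9100), _MetricsHandler).serve_forever()
```

Run it next to the container from the earlier docker example with SONAR_PASSCODE=Test and scrape http://localhost:9100/metrics; the passcode is a shared secret that grants the health endpoint only, so keep it in a Kubernetes Secret and rotate it like any other credential.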