What Authorization Type Should I Use in scrape_config Files for Prometheus Monitoring?

I am currently using SonarQube Enterprise 9.4.

I am trying to set up a scrape_config job to have my Prometheus server monitor SonarQube. We’ve decided to go with using a system passcode for authenticating the API calls to the endpoint, /api/monitoring/metrics.

I’ve done some research on this and it seems that the config would possibly be something like this (note: provided two diff. options for the authorization section below):

scrape_configs:
  - job_name: 'sonarqube'
    metrics_path: '/api/monitoring/metrics'
    static_configs:
      - targets:
        - <ip>:<port>
    authorization:
      type: APIKEY OR X-Sonar-Passcode
      credentials: <systempasscode>
    OR
    authorization:
      credentials: <systempasscode>

From what I understand, Prometheus only provides the ability to use basic auth or bearer tokens for authentication. (Though it seems like there may be talk of providing the ability to pass in a custom API key in the future.)

However, when testing out this particular format using X-Sonar-Passcode as the authorization type for the authorization section in the scrape_config file, it returns a 403 error:

scrape_configs:
  - job_name: 'sonarqube'
    metrics_path: '/api/monitoring/metrics'
    static_configs:
      - targets:
        - <ip>:<port>
    authorization:
      type: X-Sonar-Passcode
      credentials: <systempasscode>

So my question is:
For authenticating calls to the /api/monitoring/metrics endpoint, is there a particular authorization type that needs to be used in Prometheus scrape_config files? (Or is there possibly a way to use the SonarQube system passcode with basic auth instead?)

Thanks!

Hi,

The docs should help.

Ann

Hi Ann,

Thanks for the quick reply! I did see that page, however it doesn’t seem to address how to use a SonarQube system passcode for authentication specifically, just tokens and basic auth.

There’re also these two sections covering Prometheus monitoring in the documentation:
https://docs.sonarqube.org/latest/setup/sonarqube-cluster-on-kubernetes/
https://docs.sonarqube.org/latest/instance-administration/monitoring/

It says you can access the endpoint in three ways, including using X-Sonar-Passcode:

  • X-Sonar-Passcode: xxxxx header: You can use X-Sonar-passcode during database upgrade and when SonarQube is fully operational. Define X-Sonar-passcode in the sonar.properties file using the sonar.web.systemPasscode property.

When I curl the SonarQube metrics endpoint using X-Sonar-Passcode as a header, it works.
However, when I include X-Sonar-Passcode as an Authorization Type in a Prometheus scrape configuration, it returns a 403 error.

I know that SonarQube provides the ability via its helm chart to have this scrape_config file autogenerated using a podmonitor; however, my company only uses manually added scrape config jobs for adding new services to be monitored by Prometheus.

So I guess I’m trying to figure out if SonarQube has a preference for the Authorization Type used in a Prometheus scrape_config file? (It seems that my including the wrong Authorization Type here would be the reason for the returned 403 error.)

Thanks again :slight_smile:

Hi @Alexandra ,

If I recall correctly, you can use the monitoring passcode as a bearer token for Prometheus as well to access the monitoring endpoint. If you want to use user credentials, bear in mind that SonarQube cannot access user credentials until it is fully loaded, meaning that there will not be any metrics until the pod is marked healthy. I would use the bearer token :wink:

EDIT: found the old ticket with more information and a confirmation about the bearer token: [SONAR-15688] - Jira

Hope that helps

3 Likes
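
The bearer-token approach suggested in the reply above, written out as a scrape job. This is an added example, not part of the original thread or of SonarQube's documentation; the `credentials_file` path is a hypothetical placeholder, and `<ip>:<port>` is the placeholder used in the question.

```yaml
scrape_configs:
  - job_name: 'sonarqube'
    metrics_path: '/api/monitoring/metrics'
    static_configs:
      - targets:
        - <ip>:<port>
    # Prometheus builds the request header as
    #   Authorization: <type> <credentials>
    # so "type: X-Sonar-Passcode" sends
    #   Authorization: X-Sonar-Passcode <passcode>
    # which is not the "X-Sonar-Passcode: <passcode>" header used with curl.
    authorization:
      # Bearer is also the default when "type" is omitted.
      type: Bearer
      # Read the system passcode (the sonar.web.systemPasscode value) from a
      # file rather than embedding it in the scrape config.
      # Hypothetical path; "credentials" and "credentials_file" are mutually
      # exclusive, so set only one of them.
      credentials_file: /etc/prometheus/secrets/sonarqube_passcode
```

Keeping the passcode in a separate file readable only by the Prometheus service account keeps it out of version-controlled configuration.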
