I am trying to set up a scrape_config job to have my Prometheus server monitor SonarQube. We’ve decided to go with using a system passcode for authenticating the API calls to the endpoint, /api/monitoring/metrics.
I’ve done some research on this and it seems that the config would possibly be something like this (note: provided two different options for the authorization section below):
From what I understand, Prometheus only provides the ability to use basic auth or bearer tokens for authentication. (Though it seems like there may be talk of providing the ability to pass in a custom API key in the future.)
However, when testing out this particular format using X-Sonar-Passcode as the authorization type for the authorization section in the scrape_config file, it returns a 403 error:
So my question is:
For authenticating calls to the /api/monitoring/metrics endpoint, is there a particular authorization type that needs to be used in Prometheus scrape_config files? (Or is there possibly a way to use the SonarQube system passcode with basic auth instead?)
Thanks for the quick reply! I did see that page, however it doesn’t seem to address how to use a SonarQube system passcode for authentication specifically, just tokens and basic auth.
There’re also these two sections covering Prometheus monitoring in the documentation:
It says you can access the endpoint in three ways, including using X-Sonar-Passcode:
X-Sonar-Passcode: xxxxx header: You can use X-Sonar-passcode during database upgrade and when SonarQube is fully operational. Define X-Sonar-passcode in the sonar.properties file using the sonar.web.systemPasscode property.
When I curl the SonarQube metrics endpoint using X-Sonar-Passcode as a header, it works.
However, when I include X-Sonar-Passcode as an Authorization Type in a Prometheus scrape configuration, it returns a 403 error.
I know that SonarQube provides the ability via its helm chart to have this scrape_config file autogenerated using a podmonitor; however, my company only uses manually added scrape config jobs for adding new services to be monitored by Prometheus.
So I guess I’m trying to figure out if SonarQube has a preference for the Authorization Type used in a Prometheus scrape_config file? (It seems that my including the wrong Authorization Type here would be the reason for the returned 403 error.)
If I recall correctly, you can use the monitoring passcode as a bearer token for Prometheus as well to access the monitoring endpoint. If you want to use user credentials, bear in mind that SonarQube cannot access user credentials until it is fully loaded, meaning that there will not be any metrics until the pod is marked healthy. I would use the bearer token.
EDIT: found the old ticket with more information and a confirmation about the bearer token: [SONAR-15688] - Jira
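
The bearer-token approach from the reply above, written out as a manually maintained scrape job. This is an added example, not a configuration posted by anyone in the thread; the job name, target host and secret file path are placeholders, and the commented-out "before" job is a constructed illustration of the failing setup described in the question.

```yaml
# Constructed example: job name, target and file path are placeholders.
scrape_configs:
  # Before (fails): Prometheus builds the request header as
  #   Authorization: <type> <credentials>
  # so this job sends "Authorization: X-Sonar-Passcode <passcode>".
  # That is not the same as a standalone "X-Sonar-Passcode: <passcode>"
  # header (which is what the working curl call sends), and the scrape
  # comes back 403.
  #
  # - job_name: sonarqube
  #   metrics_path: /api/monitoring/metrics
  #   authorization:
  #     type: X-Sonar-Passcode
  #     credentials: <system-passcode>
  #   static_configs:
  #     - targets: ["sonarqube.example.internal"]

  # After: send the value of sonar.web.systemPasscode as a bearer token.
  - job_name: sonarqube
    metrics_path: /api/monitoring/metrics
    # The passcode travels in every scrape request, so use TLS.
    scheme: https
    authorization:
      # "Bearer" is also the default when type is omitted.
      type: Bearer
      # Read the passcode from a file readable only by the Prometheus
      # user instead of storing it inline in prometheus.yml, where it
      # would end up in version control and config dumps.
      credentials_file: /etc/prometheus/secrets/sonarqube-passcode
    static_configs:
      - targets: ["sonarqube.example.internal"]
```

The file named in `credentials_file` holds only the passcode string, the same value set for `sonar.web.systemPasscode` in sonar.properties.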