feat: enable prometheus metrics for Made for UDS (#111)

## Description This enables prometheus metrics for SonarQube to make it "Made for UDS" ## Related Issue Fixes #99 ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [X] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [X] Test, docs, adr added or updated as needed - [X] [Contributor Guide Steps](https://github.com/defenseunicorns/uds-package-sonarqube/blob/main/CONTRIBUTING.md#developer-workflow) followed Release-As: v10.6.0-uds.1
defenseunicorns · Aug 6, 2024 · c1c569e · c1c569e
1 parent c298c80
commit c1c569e
Show file tree

Hide file tree

Showing 12 changed files with 107 additions and 12 deletions.
diff --git a/README.md b/README.md
@@ -1,5 +1,6 @@
-# 🏭 UDS SonarQube Zarf Package
+# 🏭 UDS SonarQube Package
 
+[<img alt="Made for UDS" src="https://raw.githubusercontent.com/defenseunicorns/uds-common/main/docs/made-for-uds.svg" height="20px"/>](https://github.com/defenseunicorns/uds-core)
 [![Latest Release](https://img.shields.io/github/v/release/defenseunicorns/uds-package-sonarqube)](https://github.com/defenseunicorns/uds-package-sonarqube/releases)
 [![Build Status](https://img.shields.io/github/actions/workflow/status/defenseunicorns/uds-package-sonarqube/tag-and-release.yaml)](https://github.com/defenseunicorns/uds-package-sonarqube/actions/workflows/tag-and-release.yaml)
 [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/defenseunicorns/uds-package-sonarqube/badge)](https://api.securityscorecards.dev/projects/github.com/defenseunicorns/uds-package-sonarqube)

diff --git a/chart/templates/sonarqube-monitoring-secret.yaml b/chart/templates/sonarqube-monitoring-secret.yaml
@@ -0,0 +1,16 @@
+{{- $namespace := .Release.Namespace }}
+{{- $existingSecret := lookup "v1" "Secret" $namespace "sonarqube-monitoring" }}
+{{- $password := (randAlphaNum 32) }}
+{{- if $existingSecret }}
+  {{- $decoded := index $existingSecret.data "passcode" | b64dec }}
+  {{- $password = $decoded }}
+{{- end }}
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: sonarqube-monitoring
+  namespace: {{ $namespace }}
+type: "Opaque"
+stringData:
+  passcode: {{ $password | quote }}
diff --git a/chart/templates/sonarqube-pod-monitor.yaml b/chart/templates/sonarqube-pod-monitor.yaml
@@ -0,0 +1,25 @@
+# This is required because of unconfigurable port names for the Web and CE bean monitoring endpoints
+{{- if .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" }}
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: sonarqube-bean-metrics
+  namespace: {{ .Release.Namespace }}
+spec:
+  scrapeClass: istio-certs
+  namespaceSelector:
+    matchNames:
+    - sonarqube
+  podMetricsEndpoints:
+  - path: /
+    port: monitoring-ce
+    scheme: https
+    enableHttp2: false
+  - path: /
+    port: monitoring-web
+    scheme: https
+    enableHttp2: false
+  selector:
+    matchLabels:
+      app: sonarqube
+{{- end }}
diff --git a/chart/templates/sonarqube-sso-secret.yaml b/chart/templates/sonarqube-sso-secret.yaml
@@ -7,7 +7,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: {{ .Values.sso.secretName }}
-  namespace:  {{ .Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
 type: "Opaque"
 stringData:
   secret.properties: |

diff --git a/chart/templates/uds-package.yaml b/chart/templates/uds-package.yaml
@@ -34,6 +34,19 @@ spec:
             sonar.auth.saml.user.email: email
             sonar.auth.saml.certificate.secured: clientField(samlIdpCertificate)
   {{- end }}
+  monitor:
+    - portName: http
+      targetPort: 9000
+      selector:
+        app: sonarqube
+      kind: PodMonitor
+      path: /api/monitoring/metrics
+      authorization:
+        credentials:
+          name: sonarqube-monitoring
+          key: passcode
+          optional: false
+        type: "Bearer"
   network:
     expose:
       - service: sonarqube-sonarqube
@@ -74,6 +87,24 @@ spec:
         {{- end }}
         description: "Sonarqube Postgres"
 
+      - direction: Ingress
+        remoteNamespace: monitoring
+        remoteSelector:
+          app: prometheus
+        selector:
+          app: sonarqube
+        port: 8000
+        description: "Web Bean Monitor"
+
+      - direction: Ingress
+        remoteNamespace: monitoring
+        remoteSelector:
+          app: prometheus
+        selector:
+          app: sonarqube
+        port: 8001
+        description: "CE Bean Monitor"
+
       # Custom rules for unanticipated scenarios
       {{- range .Values.custom }}
       - direction: {{ .direction }}

diff --git a/common/zarf.yaml b/common/zarf.yaml
@@ -18,7 +18,13 @@ components:
         version: 10.6.1
         valuesFiles:
           - ../values/common-values.yaml
+    images:
+      - uds-package-sonarqube/monitoring:latest
     actions:
+      onCreate:
+        before:
+          - cmd: |
+              docker buildx build --load ../src/monitoring-image -t uds-package-sonarqube/monitoring:latest --platform linux/###ZARF_PKG_ARCH###
       onDeploy:
         after:
           - description: Validate SonarQube Package

diff --git a/src/monitoring-image/Dockerfile b/src/monitoring-image/Dockerfile
@@ -0,0 +1,14 @@
+FROM cgr.dev/chainguard/busybox:latest
+
+# renovate: datasource=github-tags depName=prometheus/jmx_exporter versioning=semver
+ENV JMX_PROMETHEUS_PLUGIN_VERSION=0.17.2
+
+USER root
+
+ADD https://repo1.maven.org/maven2/io/prometheus/jmx/jmx_prometheus_javaagent/$JMX_PROMETHEUS_PLUGIN_VERSION/jmx_prometheus_javaagent-$JMX_PROMETHEUS_PLUGIN_VERSION.jar /
+
+COPY ./curl.sh /bin/curl
+
+RUN chmod -R 777 /*.jar
+
+ENTRYPOINT [ "/bin/curl" ]
diff --git a/src/monitoring-image/curl.sh b/src/monitoring-image/curl.sh
@@ -0,0 +1,7 @@
+#! /bin/sh
+
+set -e
+
+cp /jmx_prometheus_javaagent-$JMX_PROMETHEUS_PLUGIN_VERSION.jar /data/jmx_prometheus_javaagent.jar
+
+echo "finished loading jmx prometheus plugin"
diff --git a/values/common-values.yaml b/values/common-values.yaml
@@ -10,7 +10,11 @@ sonarProperties:
   sonar.updatecenter.activate: false
 
 prometheusExporter:
-  enabled: false
+  enabled: true
+  image: uds-package-sonarqube/monitoring:latest
+
+monitoringPasscodeSecretName: sonarqube-monitoring
+monitoringPasscodeSecretKey: passcode
 
 prometheusMonitoring:
   podMonitor:

diff --git a/values/registry1-values.yaml b/values/registry1-values.yaml
@@ -5,9 +5,6 @@ image:
 initContainers:
   image: registry1.dso.mil/ironbank/big-bang/base:2.1.0
 
-prometheusExporter:
-  image: registry1.dso.mil/ironbank/big-bang/base:2.1.0
-
 # wget used by default probes not available in registry1 images
 livenessProbe:
   exec: null

diff --git a/values/unicorn-values.yaml b/values/unicorn-values.yaml
@@ -4,6 +4,3 @@ image:
 
 initContainers:
   image: cgr.dev/du-uds-defenseunicorns/busybox-fips:1.36
-
-prometheusExporter:
-  image: cgr.dev/du-uds-defenseunicorns/curl-fips:8-dev
diff --git a/values/upstream-values.yaml b/values/upstream-values.yaml
@@ -4,6 +4,3 @@ image:
 
 initContainers:
   image: busybox:1.36
-
-prometheusExporter:
-  image: curlimages/curl:8.8.0