Skip to content
This repository was archived by the owner on Jul 1, 2026. It is now read-only.

Prometheus#12

Merged
sleepkqq merged 2 commits into
masterfrom
feature/prometheus
Dec 6, 2025
Merged

Prometheus#12
sleepkqq merged 2 commits into
masterfrom
feature/prometheus

Conversation

@sleepkqq

@sleepkqq sleepkqq commented Dec 6, 2025

Copy link
Copy Markdown
Member

PR Type

Enhancement


Description

  • Add Prometheus metrics scraping and exposure

  • Configure Spring Boot Actuator endpoints for metrics

  • Add micrometer-registry-prometheus dependency

  • Update Kubernetes deployment annotations for Prometheus discovery


Diagram Walkthrough

flowchart LR
  A["Application"] -- "exposes metrics" --> B["Actuator /prometheus"]
  B -- "scraped by" --> C["Prometheus"]
  D["K8s Annotations"] -- "enables discovery" --> C
  E["micrometer-registry-prometheus"] -- "provides" --> B
Loading

File Walkthrough

Relevant files
Dependencies
pom.xml
Add Prometheus metrics registry dependency                             

solo-leveling-notification-service/pom.xml

  • Add micrometer-registry-prometheus dependency for Prometheus metrics
    support
  • Dependency added under new metrics section comment
+6/-0     
Configuration changes
application.yml
Configure Spring Boot Actuator Prometheus endpoints           

solo-leveling-notification-service/src/main/resources/application.yml

  • Add management endpoints configuration to expose health, info,
    prometheus, and metrics
  • Reorganize configuration sections for better structure
  • Maintain existing server port 10004 and logging configurations
+8/-3     
deployment.yml
Add Prometheus discovery annotations to deployment             

k8s/deployment.yml

  • Add Prometheus scrape annotations to pod metadata
  • Configure scrape port as 8080 and metrics path as /actuator/prometheus
  • Enable automatic Prometheus discovery via Kubernetes annotations
+3/-0     

@qodo-code-review

qodo-code-review Bot commented Dec 6, 2025

Copy link
Copy Markdown

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
Metrics exposure

Description: Exposing 'prometheus' and 'metrics' Actuator endpoints over the web without confirming
network restrictions or authentication can leak sensitive application metrics (e.g., JVM,
HTTP paths), which can aid attackers in reconnaissance.
application.yml [20-24]

Referred Code
management:
  endpoints:
    web:
      exposure:
        include: health,info,prometheus,metrics
Unrestricted scrape endpoint

Description: Enabling Prometheus scraping on the pod at path '/actuator/prometheus' and port '8080' via
annotations may publicly expose metrics if the service is externally accessible or lacks
NetworkPolicy/Ingress restrictions.
deployment.yml [16-18]

Referred Code
prometheus.io/scrape: "true"
prometheus.io/port: "8080"
prometheus.io/path: "/actuator/prometheus"
Ticket Compliance
🎫 No ticket provided
  • Create ticket/issue
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
🟢
Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status:
Audit coverage unclear: The added configuration exposes Prometheus metrics but does not demonstrate logging of
critical actions with required context, which may be handled elsewhere.

Referred Code
management:
  endpoints:
    web:
      exposure:
        include: health,info,prometheus,metrics
server:
  port: 10004

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
Error handling not shown: The changes add dependencies and configuration only, with no new code paths to assess
error handling or edge case management.

Referred Code
<!-- metrics -->
<dependency>
  <groupId>io.micrometer</groupId>
  <artifactId>micrometer-registry-prometheus</artifactId>
</dependency>

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
Metrics exposure risk: Exposing '/actuator/prometheus' on port 8080 is added but there is no evidence
of network restrictions or authentication, which may be acceptable in-cluster yet requires
environment review.

Referred Code
prometheus.io/scrape: "true"
prometheus.io/port: "8080"
prometheus.io/path: "/actuator/prometheus"

Learn more about managing compliance generic rules or creating your own custom rules

  • Update
Compliance status legend 🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

@qodo-code-review

qodo-code-review Bot commented Dec 6, 2025

Copy link
Copy Markdown

PR Code Suggestions ✨

Explore these optional code suggestions:

CategorySuggestion                                                                                                                                    Impact
Possible issue
Fix Prometheus port mismatch

Update the prometheus.io/port annotation in k8s/deployment.yml from "8080" to
"10004" to match the application's configured server port.

k8s/deployment.yml [17]

-prometheus.io/port: "8080"
+prometheus.io/port: "10004"
  • Apply / Chat
Suggestion importance[1-10]: 9

__

Why: The suggestion correctly identifies a port mismatch between the Prometheus scrape configuration (8080) and the application's server port (10004), which is a functional bug that would prevent metrics collection.

High
Security
Remove redundant and insecure endpoint

In application.yml, remove the redundant metrics endpoint from the list of
exposed management endpoints to improve security.

solo-leveling-notification-service/src/main/resources/application.yml [24]

-include: health,info,prometheus,metrics
+include: health,info,prometheus
  • Apply / Chat
Suggestion importance[1-10]: 6

__

Why: The suggestion correctly points out that the metrics endpoint is redundant when the prometheus endpoint is used, and removing it is a good security practice to reduce the attack surface.

Low
  • Update

@sleepkqq
sleepkqq merged commit 4d388cd into master Dec 6, 2025
2 checks passed
@sleepkqq
sleepkqq deleted the feature/prometheus branch December 6, 2025 12:25
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant