From 5dd74df29339be91439e63181a8c56453649b77f Mon Sep 17 00:00:00 2001 From: Marcel Date: Sat, 16 May 2026 11:20:59 +0200 Subject: [PATCH] fix(obs): wire Prometheus metrics and Loki job label for Grafana dashboards MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Three root causes confirmed via live server investigation (issue #604): 1. ManagementWebSecurityAutoConfiguration applied HTTP Basic auth to the management port (8081), causing Prometheus to receive 401 HTML responses instead of metrics. Excluded the auto-config — the Docker network (archiv-net) provides the security boundary for this internal port. 2. promtail-config.yml had no `job` relabel rule. Grafana's Loki dashboards query {job="$app"} which matched nothing; logs were in Loki under compose_service but invisible to every dashboard panel. 3. prometheus.yml had a stale comment claiming the spring-boot target would be DOWN until micrometer-registry-prometheus was added — it has been present in pom.xml for some time. Co-Authored-By: Claude Sonnet 4.6 --- .../org/raddatz/familienarchiv/FamilienarchivApplication.java | 4 +++- infra/observability/prometheus/prometheus.yml | 2 -- infra/observability/promtail/promtail-config.yml | 2 ++ 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/backend/src/main/java/org/raddatz/familienarchiv/FamilienarchivApplication.java b/backend/src/main/java/org/raddatz/familienarchiv/FamilienarchivApplication.java index 4fef338f..09227d27 100644 --- a/backend/src/main/java/org/raddatz/familienarchiv/FamilienarchivApplication.java +++ b/backend/src/main/java/org/raddatz/familienarchiv/FamilienarchivApplication.java @@ -1,9 +1,11 @@ package org.raddatz.familienarchiv; import org.springframework.boot.SpringApplication; +import org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration; import org.springframework.boot.autoconfigure.SpringBootApplication; -@SpringBootApplication +// Excluded: management port (8081) is network-isolated inside archiv-net; no app-level auth needed. +@SpringBootApplication(exclude = {ManagementWebSecurityAutoConfiguration.class}) public class FamilienarchivApplication { public static void main(String[] args) { diff --git a/infra/observability/prometheus/prometheus.yml b/infra/observability/prometheus/prometheus.yml index 38a0f8d6..a29cc75b 100644 --- a/infra/observability/prometheus/prometheus.yml +++ b/infra/observability/prometheus/prometheus.yml @@ -15,8 +15,6 @@ scrape_configs: metrics_path: /actuator/prometheus static_configs: # Uses the Docker service name (not container_name) for reliable DNS resolution. - # Target will show as DOWN until backend instrumentation issue adds - # micrometer-registry-prometheus and exposes the endpoint — this is expected. - targets: ['backend:8081'] - job_name: ocr-service diff --git a/infra/observability/promtail/promtail-config.yml b/infra/observability/promtail/promtail-config.yml index b569c22f..b31781a4 100644 --- a/infra/observability/promtail/promtail-config.yml +++ b/infra/observability/promtail/promtail-config.yml @@ -28,3 +28,5 @@ scrape_configs: target_label: 'compose_project' - source_labels: ['__meta_docker_container_log_stream'] target_label: 'logstream' + - source_labels: ['__meta_docker_container_label_com_docker_compose_service'] + target_label: 'job'