COW-dev · wonjunYou · Sep 30, 2024 · Sep 30, 2024 · Sep 30, 2024 · Sep 30, 2024
@@ -3,7 +3,7 @@ name: prod-server-deployer
 on:
   push:
     branches:
-      - main
+      - chore/DEV-77
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -53,6 +53,7 @@ jobs:
           cp build/libs/*.jar deploy/application.jar
           cp Procfile deploy/Procfile
           cp -r promtail deploy/promtail
+          cp -r nodeexporter deploy/nodeexporter
           cp -r .ebextensions deploy/.ebextensions
           cp -r .platform deploy/.platform
           cd deploy && zip -r deploy.zip .
@@ -72,9 +73,3 @@ jobs:
 
       - name: Test with Gradle
         run: ./gradlew test --no-daemon
-
-      - name: Upload coverage reports to Codecov
-        uses: codecov/codecov-action@v3
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-          file: ./build/reports/jacoco/test/jacocoTestReport.xml
@@ -0,0 +1,13 @@
+version: '3.8'
+
+services:
+  node-exporter:
+    image: quay.io/prometheus/node-exporter:latest
+    container_name: node-exporter
+    restart: always
+    network_mode: "host"
+    pid: "host"
+    volumes:
+      - "/:/host:ro,rslave"
+    command:
+      - '--path.rootfs=/host'
@@ -1,7 +1,6 @@
 version: '3'
 
 services:
-
   promtail:
     image: grafana/promtail:2.9.1
     container_name: promtail

@@ -7,13 +7,19 @@
 import ddingdong.ddingdongBE.common.handler.CustomAccessDeniedHandler;
 import ddingdong.ddingdongBE.common.handler.RestAuthenticationEntryPoint;
 import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.core.annotation.Order;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.web.cors.CorsConfiguration;
@@ -22,63 +28,56 @@
 
 @Configuration
 @EnableWebSecurity
+@EnableConfigurationProperties
 public class SecurityConfig {
 
     private static final String API_PREFIX = "/server";
 
-    @Value("security.actuator.base-path")
+    @Value("management.endpoints.web.base-path")
     private String actuatorPath;
 
+    @Value("actuator")
+    private String userName;
+
+    @Value("actuator")
+    private String password;
+
+    @Value("actuator")
+    private String roleName;
+
     @Bean
+    @Order(0)
     public SecurityFilterChain filterChain(HttpSecurity http, JwtAuthService authService, JwtConfig config)
-            throws Exception {
+        throws Exception {
         http
             .authorizeHttpRequests(auth -> auth
-                .requestMatchers(API_PREFIX + "/auth/**",
-                    API_PREFIX + "/events/**")
-                .permitAll()
+                .requestMatchers(API_PREFIX + "/auth/**").permitAll()
                 .requestMatchers(API_PREFIX + "/admin/**").hasRole("ADMIN")
                 .requestMatchers(API_PREFIX + "/club/**").hasRole("CLUB")
-                .requestMatchers(actuatorPath).hasRole("ADMIN")
+                .requestMatchers(API_PREFIX + "/actuator/**").permitAll()
                 .requestMatchers(GET,
                     API_PREFIX + "/clubs/**",
                     API_PREFIX + "/notices/**",
                     API_PREFIX + "/banners/**",
                     API_PREFIX + "/documents/**",
                     API_PREFIX + "/questions/**",
-                    API_PREFIX + "/feeds/**")
-                .permitAll()
+                    API_PREFIX + "/feeds/**").permitAll()
                 .requestMatchers("/v3/api-docs/**", "/swagger-ui/**", "/swagger-resources/**")
                 .permitAll()
-                .anyRequest()
-                .authenticated()
-            )
-            .cors(cors -> cors
-                .configurationSource(corsConfigurationSource())
+                .anyRequest().authenticated()
             )
-            /*
-            csrf, headers, http-basic, rememberMe, formLogin 비활성화
-            */
+            .cors(cors -> cors.configurationSource(corsConfigurationSource()))
             .csrf(AbstractHttpConfigurer::disable)
             .headers(AbstractHttpConfigurer::disable)
             .httpBasic(AbstractHttpConfigurer::disable)
             .rememberMe(AbstractHttpConfigurer::disable)
             .formLogin(AbstractHttpConfigurer::disable)
             .logout(AbstractHttpConfigurer::disable)
-            /*
-            Session 설정
-             */
             .sessionManagement(session -> session
                 .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
             )
-            /*
-            Jwt 필터
-             */
             .addFilterBefore(authenticationFilter(authService, config),
                 UsernamePasswordAuthenticationFilter.class)
-            /*
-            exceptionHandling
-             */
             .exceptionHandling(exceptions -> exceptions
                 .authenticationEntryPoint(restAuthenticationEntryPoint())
                 .accessDeniedHandler(accessDeniedHandler())
@@ -87,17 +86,43 @@ public SecurityFilterChain filterChain(HttpSecurity http, JwtAuthService authSer
         return http.build();
     }
 
+    @Bean
+    @Order(1)
+    public SecurityFilterChain actuatorSecurity(HttpSecurity http, PasswordEncoder passwordEncoder)
+        throws Exception {
+        http
+            .authorizeHttpRequests(auth -> auth
+                .requestMatchers(actuatorPath + "/**").hasRole("ACTUATOR")
+                .anyRequest().denyAll()
+            )
+            .httpBasic(AbstractHttpConfigurer::disable)
+            .userDetailsService(userDetailsService(passwordEncoder))
+            .cors(cors -> cors.configurationSource(corsConfigurationSource()))
+            .csrf(AbstractHttpConfigurer::disable)
+            .sessionManagement(session -> session
+                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
+            );
+
+        return http.build();
+    }
+
+    public UserDetailsService userDetailsService(PasswordEncoder passwordEncoder) {
+        User user = (User) User.withUsername(userName)
+            .password(passwordEncoder.encode(password))
+            .roles(roleName)
+            .build();
+        return new InMemoryUserDetailsManager(user);
+    }
+
     public CorsConfigurationSource corsConfigurationSource() {
         CorsConfiguration configuration = new CorsConfiguration();
-
         configuration.addAllowedOriginPattern("*");
         configuration.addAllowedHeader("*");
         configuration.addAllowedMethod("*");
         configuration.setAllowCredentials(true);
 
         UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
         source.registerCorsConfiguration("/**", configuration);
-
         return source;
     }
 
@@ -120,5 +145,4 @@ public RestAuthenticationEntryPoint restAuthenticationEntryPoint() {
     public CustomAccessDeniedHandler accessDeniedHandler() {
         return new CustomAccessDeniedHandler();
     }
-
 }
@@ -1,25 +1,30 @@
 package ddingdong.ddingdongBE.common.runner;
 
+import java.io.BufferedReader;
+import java.io.InputStreamReader;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.boot.ApplicationArguments;
 import org.springframework.boot.ApplicationRunner;
 import org.springframework.context.annotation.Profile;
 import org.springframework.stereotype.Component;
 
-import java.io.BufferedReader;
-import java.io.InputStreamReader;
-
 @Component
 @Profile("prod")
 @Slf4j
-public class PromtailDockerComposeRunner implements ApplicationRunner {
+public class MonitoringApplicationRunner implements ApplicationRunner {
 
     @Override
     public void run(ApplicationArguments args) throws Exception {
-        log.info("Running PromtailDockerComposeRunner");
+        log.info("Running Promtail & Node Exporter");
 
         ProcessBuilder processBuilder = new ProcessBuilder();
-        processBuilder.command("docker-compose", "-f", "/var/app/current/promtail/promtail-docker-compose.yml", "up", "-d");
+        processBuilder.command(
+            "docker-compose",
+            "-f", "/var/app/current/promtail/promtail-docker-compose.yml",
+            "-f", "/var/app/current/nodeexporter/node-exporter-compose.yml",
+            "up",
+            "-d"
+        );
 
         Process process = processBuilder.start();
 
@@ -40,9 +45,9 @@ public void run(ApplicationArguments args) throws Exception {
         int exitCode = process.waitFor();
         if (exitCode == 0) {
             log.info("Promtail started successfully using Docker Compose.");
-            log.info("promtial is tracking info level log");
-            log.warn("promtial is tracking warn level log");
-            log.error("promtial is tracking error level log");
+            log.info("promtail is tracking info level log");
+            log.warn("promtail is tracking warn level log");
+            log.error("promtail is tracking error level log");
         } else {
             log.error("Failed to start Promtail. Exit code: {}", exitCode);
         }

@@ -21,11 +21,6 @@ spring:
     init:
       mode: never
 
-  security:
-    user:
-      name: ${MONITORING_USERNAME}
-      password: ${MONITORING_USER_PASSWORD}
-
 jwt:
   header: "Authorization"
   prefix: "Bearer"
@@ -49,7 +44,7 @@ management:
   endpoints:
     web:
       exposure:
-        include: info, health
+        include: info, health, prometheus
       base-path: ${ACTUATOR_BASE_PATH}
     jmx:
       exposure:
@@ -58,3 +53,8 @@ management:
       enabled: true
   server:
     port: 9090
+
+actuator:
+  user-name: ${MONITORING_USERNAME}
+  password: ${MONITORING_USER_PASSWORD}
+  role-name: ACTUATOR