FlowWeaver · can019 · Sep 19, 2025 · Sep 19, 2025
diff --git a/.github/workflows/deploy-java.yml b/.github/workflows/deploy-java.yml
@@ -31,6 +31,9 @@ jobs:
           echo "LOKI_PASSWORD=${{ secrets.LOKI_PASSWORD }}" >> .env.prod
           echo "ENV_NAME=${{ secrets.ENV_NAME }}" >> .env.prod
           echo "FASTAPI_SERVER_HOST=${{ secrets.FASTAPI_SERVER_HOST }}" >> .env.prod
+          echo "GRAFANA_CLOUD_PROMETHEUS_URL=${{ secrets.GRAFANA_CLOUD_PROMETHEUS_URL }}" >> .env.prod
+          echo "GRAFANA_CLOUD_PROMETHEUS_USER=${{ secrets.GRAFANA_CLOUD_PROMETHEUS_USER }}" >> .env.prod
+          echo "GRAFANA_CLOUD_API_KEY=${{ secrets.GRAFANA_CLOUD_API_KEY }}" >> .env.prod
 
       - name: Set repo lowercase
         run: echo "REPO_LC=${GITHUB_REPOSITORY,,}" >> $GITHUB_ENV
@@ -74,6 +77,16 @@ jobs:
           source: "docker/production/promtail-config.yml"
           target: "~/app"
 
+      - name: Copy promtail-config to EC2
+        uses: appleboy/scp-action@v0.1.7
+        with:
+          host: ${{ secrets.SERVER_HOST }}
+          username: ubuntu
+          key: ${{ secrets.SERVER_SSH_KEY }}
+          source: "docker/production/agent-config.yml"
+          target: "~/app"
+          overwrite: true
+
       - name: Deploy on EC2
         uses: appleboy/ssh-action@v1.0.3
         with:

diff --git a/apps/user-service/build.gradle b/apps/user-service/build.gradle
@@ -61,6 +61,7 @@ dependencies {
 
 	implementation "io.micrometer:micrometer-tracing-bridge-brave"
 	implementation "io.micrometer:micrometer-tracing"
+	implementation 'io.micrometer:micrometer-registry-prometheus'
 	implementation "org.springframework.boot:spring-boot-starter-actuator"
 
 	// Lombok

diff --git a/apps/user-service/src/main/java/site/icebang/global/config/security/SecurityConfig.java b/apps/user-service/src/main/java/site/icebang/global/config/security/SecurityConfig.java
@@ -4,6 +4,7 @@
 
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.core.annotation.Order;
 import org.springframework.core.env.Environment;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationProvider;
@@ -56,6 +57,17 @@ public SecureRandom secureRandom() {
     return new SecureRandom();
   }
 
+  @Bean
+  @Order(1) // 높은 우선순위로 설정
+  public SecurityFilterChain actuatorSecurityFilterChain(HttpSecurity http) throws Exception {
+    return http.securityMatcher("/actuator/**") // actuator 경로만 적용
+        .authorizeHttpRequests(
+            auth -> auth.anyRequest().permitAll() // 모든 actuator 요청 허용
+            )
+        .csrf(csrf -> csrf.disable())
+        .build();
+  }
+
   @Bean
   public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
     return http.authorizeHttpRequests(

diff --git a/apps/user-service/src/main/resources/application.yml b/apps/user-service/src/main/resources/application.yml
@@ -13,6 +13,24 @@ mybatis:
   mapper-locations: classpath:mapper/**/*.xml
   type-handlers-package: site.icebang.global.config.mybatis.typehandler
 
+management:
+  endpoints:
+    web:
+      exposure:
+        include: health,info,prometheus
+      base-path: /actuator
+  endpoint:
+    health:
+      show-details: always
+  prometheus:
+    metrics:
+      export:
+        enabled: true
+  server:
+    address: 127.0.0.1  # localhost에서만 접근
+    port: 8081
+  security:
+    enabled: false
 # 외부 API 연동을 위한 설정 섹션
 api:
   fastapi:

diff --git a/docker/production/agent-config.yml b/docker/production/agent-config.yml
@@ -0,0 +1,27 @@
+server:
+  log_level: info
+
+prometheus:
+  wal_directory: /tmp/grafana-agent-wal
+  global:
+    scrape_interval: 15s
+    external_labels:
+      cluster: production
+      service: user-service
+
+  configs:
+    - name: user-service-metrics
+      remote_write:
+        - url: ${GRAFANA_CLOUD_PROMETHEUS_URL}
+          basic_auth:
+            username: ${GRAFANA_CLOUD_PROMETHEUS_USER}
+            password: ${GRAFANA_CLOUD_API_KEY}
+
+      scrape_configs:
+        - job_name: 'user-service'
+          static_configs:
+            - targets: ['user-service:8081']  # 컨테이너 간 통신은 가능
+          metrics_path: '/actuator/prometheus'
+          scrape_interval: 15s
+          params:
+            format: ['prometheus']
diff --git a/docker/production/docker-compose.yml b/docker/production/docker-compose.yml
@@ -23,6 +23,7 @@ services:
       - promtail
     ports:
       - "8080:8080"
+      - "127.0.0.1:8081:8081"  # actuator만 localhost 접근
     networks:
       - app-network
     env_file:
@@ -32,13 +33,25 @@ services:
     volumes:
       - logs_volume:/logs
 
+  # Grafana Agent만으로 메트릭 수집 + 전송
+  grafana-agent:
+    image: grafana/agent:latest
+    container_name: grafana-agent
+    restart: unless-stopped
+    volumes:
+      - ./agent-config.yml:/etc/agent/agent.yml:ro
+    networks:
+      - app-network
+    env_file:
+      - .env.prod
+
   promtail:
     image: grafana/promtail:2.9.0
     container_name: promtail
     restart: unless-stopped
     volumes:
       - ./promtail-config.yml:/etc/promtail/config.yml:ro
-      - logs_volume:/logs      # Spring 로그 읽기
+      - logs_volume:/logs
     command:
       - -config.file=/etc/promtail/config.yml
       - -config.expand-env=true