Split metrics_cert in its own template

So it can be reused by other tasks
2024-03-25 12:06:02 +01:00 · 2024-03-25 12:06:02 +01:00 · 2efe9a12e8
parent 07b0aa8f2f
commit 2efe9a12e8
2 changed files with 19 additions and 15 deletions
--- a/templates/metrics_cert
+++ b/templates/metrics_cert
@ -0,0 +1,18 @@
+      # Get a certificate from vault to protect the metrics endpoint
+      template {
+        data        =<<_EOT
+{{- with pkiCert "[[ .prometheus.vault_pki ]]/issue/metrics" (printf "ip_sans=%s" (env "NOMAD_HOST_IP_metrics")) }}
+{{ .Cert }}
+{{ .Key }}
+{{- end }}
+_EOT
+        destination = "secrets/metrics.bundle.pem"
+      }
+
+      # Get the root CA
+      template {
+        data        =<<_EOT
+{{ with secret "[[ .prometheus.vault_pki ]]/cert/ca_chain" }}{{ .Data.ca_chain }}{{ end }}
+_EOT
+        destination = "local/monitoring.ca.pem"
+      }
--- a/templates/task.metrics_proxy
+++ b/templates/task.metrics_proxy
@ -25,21 +25,7 @@ vim: syntax=hcl
        policies = ["metrics[[ .consul.suffix ]]"]
      }

-      template {
-        data        =<<_EOT
-{{- with pkiCert "[[ .prometheus.vault_pki ]]/issue/metrics" (printf "ip_sans=%s" (env "NOMAD_HOST_IP_metrics")) }}
-{{ .Cert }}
-{{ .Key }}{{ end -}}
-_EOT
-        destination = "secrets/metrics.bundle.pem"
-      }
-
-      template {
-        data        =<<_EOT
-{{ with secret "[[ .vault.root ]]pki/monitoring/cert/ca_chain" }}{{ .Data.ca_chain }}{{ end }}
-_EOT
-        destination = "local/monitoring.ca.pem"
-      }
+[[ template "common/metrics_cert" . ]]

      template {
        data =<<_EOT