Pass full ctx to metrics_proxy

templates/task.metrics_proxy.tpl

@@ -7,6 +7,8 @@
         volumes = [
           "local/default.conf:/etc/nginx/conf.d/default.conf:ro"
         ]
+        pids_limit      = 100
+        readonly_rootfs = true
       }
 
       lifecycle {
@@ -15,12 +17,12 @@
       }
 
       vault {
-        policies = ["metrics[[ .env_suffix ]]"]
+        policies = ["metrics[[ .ctx.env.suffix ]]"]
       }
 
       template {
         data        =<<_EOT
-{{- with pkiCert "[[ .vault_prefix ]]pki/monitoring/issue/metrics" (printf "ip_sans=%s" (env "NOMAD_HOST_IP_metrics")) }}
+{{- with pkiCert "[[ .ctx.vault.prefix ]]pki/monitoring/issue/metrics" (printf "ip_sans=%s" (env "NOMAD_HOST_IP_metrics")) }}
 {{ .Cert }}
 {{ .Key }}{{ end -}}
 _EOT
@@ -29,7 +31,7 @@ _EOT
 
       template {
         data        =<<_EOT
-{{ with secret "[[ .vault_prefix ]]pki/monitoring/cert/ca_chain" }}{{ .Data.ca_chain }}{{ end }}
+{{ with secret "[[ .ctx.vault.prefix ]]pki/monitoring/cert/ca_chain" }}{{ .Data.ca_chain }}{{ end }}
 _EOT
         destination = "local/monitoring.ca.pem"
       }
@@ -44,7 +46,6 @@ server {
   ssl_certificate_key /secrets/metrics.bundle.pem;
   ssl_client_certificate /local/monitoring.ca.pem;
   ssl_verify_client on;
-  ssl_prefer_server_ciphers on;
   ssl_protocols TLSv1.2 TLSv1.3;
   ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
   ssl_session_cache shared:SSL:10m;
@@ -70,7 +71,8 @@ _EOT
 
       resources {
         cpu    = 10
-        memory = 12
+        memory = 10
+        memory_max = 20
       }
     }