Use exporter's TLS support and remove metrics_proxy

elasticsearch.nomad.hcl

@@ -177,8 +177,6 @@ _EOT
 [[- if conv.ToBool $c.prometheus.enabled ]]
   [[- $e := merge .elasticsearch.exporter .elasticsearch . ]]
 
-[[ template "common/task.metrics_proxy" $e ]]
-
     # Prometheus exporter
     task "exporter" {
       driver = "[[ $e.nomad.driver ]]"
@@ -193,12 +191,26 @@ _EOT
         pids_limit      = 100
         command         = "elasticsearch_exporter"
         args = [
-          "--web.listen-address=127.0.0.1:9114"
+          "--web.listen-address=0.0.0.0:${NOMAD_ALLOC_PORT_metrics}",
+          "--web.config.file=/local/web_tls.yml"
         ]
       }
 
 [[ template "common/vault.policies" $e ]]
 [[ template "common/file_env" $e ]]
+[[ template "common/metrics_cert" $c ]]
+
+      template {
+        data = <<_EOT
+tls_server_config:
+  cert_file: /secrets/metrics.bundle.pem
+  key_file: /secrets/metrics.bundle.pem
+  client_auth_type: RequireAndVerifyClientCert
+  client_ca_file: /local/monitoring.ca.pem
+_EOT
+        destination = "local/web_tls.yml"
+      }
+
 [[ template "common/resources" $e ]]
     }
 

variables.yml

@@ -111,6 +111,12 @@ elasticsearch:
       ES_USERNAME: exporter
       ES_PASSWORD: '{{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.exporter_pwd }}{{ end }}'
 
+    vault:
+      # Vault policies to attach to the task
+      policies:
+        - '[[ .instance ]][[ .consul.suffix ]]'
+        - metrics
+
     # Resource allocation
     resources:
       cpu: 50