Remove metrics_proxy as the exporter supports mTLS

2024-04-05 23:32:02 +02:00 · 2024-04-05 23:32:02 +02:00 · ab9572dd2f
parent 42c72e7de8
commit ab9572dd2f
4 changed files with 24 additions and 6 deletions
--- a/mongodb.nomad.hcl
+++ b/mongodb.nomad.hcl
@ -95,9 +95,8 @@ job "[[ .instance ]]" {
      }
    }

-[[ template "common/task.metrics_proxy" $c ]]
+[[- if conv.ToBool $c.prometheus.enabled ]]

-[[- if $c.prometheus.enabled ]]
    task "exporter" {

  [[- $e := merge $c.exporter $c ]]
@ -106,14 +105,14 @@ job "[[ .instance ]]" {
      user   = "9216"

      config {
-        image = "[[ $e.image ]]"
+  [[ template "common/image" $e ]]
        args  = [
          "--mongodb.uri=mongodb://127.0.0.1:${NOMAD_ALLOC_PORT_mongo}/%24external?replicaSet=[[ .mongo.replica_set ]]&authMechanism=MONGODB-X509&tls=true&tlsCertificateKeyFile=%2Fsecrets%2Fmongo.bundle.pem&tlsCAFile=%2Fsecrets%2Fmongo.ca.pem",
-          "--web.listen-address=127.0.0.1:9216",
+          "--web.listen-address=:${NOMAD_ALLOC_PORT_metrics}",
+          "--web.config=/local/web_tls.yml",
          "--collect-all"
        ]
        pids_limit      = 100
-        readonly_rootfs = true
      }

      lifecycle {
@ -122,6 +121,15 @@ job "[[ .instance ]]" {
      }

  [[ template "common/vault.policies" $e ]]
+  [[ template "common/metrics_cert" $e ]]
+
+      # TLS config for the exporter
+      template {
+        data = <<_EOT
+[[ template "mongodb/exporter_tls.yml" $e ]]
+_EOT
+        destination = "local/web_tls.yml"
+      }

      # Get a certificate with monitoring capabilities
      template {
--- a/templates/exporter_tls.yml
+++ b/templates/exporter_tls.yml
@ -0,0 +1,5 @@
+tls_server_config:
+  cert_file: /secrets/metrics.bundle.pem
+  key_file: /secrets/metrics.bundle.pem
+  client_auth_type: RequireAndVerifyClientCert
+  client_ca_file: /local/monitoring.ca.pem
--- a/variables.yml
+++ b/variables.yml
@ -66,10 +66,15 @@ mongo:
  exporter:
    version: 0.40.0
    image: percona/mongodb_exporter:[[ .mongo.exporter.version ]]
+    vault:
+      policies:
+        - '[[ .instance ]]-mongod[[ .consul.suffix ]]'
+        - metrics[[ .consul.suffix ]]
    resources:
      cpu: 10
      memory: 50

  prometheus:
+    enabled: '[[ .prometheus.available ]]'
    # URL where prometheus metrics are exposed (from inside the container PoV)
    metrics_url: http://127.0.0.1:9216/metrics
--- a/vault/policies/mongodb-mongod.hcl
+++ b/vault/policies/mongodb-mongod.hcl
@ -10,7 +10,7 @@ path "[[ $c.vault.pki.path ]]/issue/mongod" {
  capabilities = ["update"]
 }

-[[- if .prometheus.enabled ]]
+[[- if conv.ToBool $c.prometheus.enabled ]]
 # Issue client cert for the exporter
 path "[[ $c.vault.pki.path ]]/issue/mongo-monitor" {
  capabilities = ["update"]