From ab9572dd2f235e02f7b55a3654fe335750da2896 Mon Sep 17 00:00:00 2001 From: Daniel Berteaud Date: Fri, 5 Apr 2024 23:32:02 +0200 Subject: [PATCH] Remove metrics_proxy as the exporter supports mTLS --- mongodb.nomad.hcl | 18 +++++++++++++----- templates/exporter_tls.yml | 5 +++++ variables.yml | 5 +++++ vault/policies/mongodb-mongod.hcl | 2 +- 4 files changed, 24 insertions(+), 6 deletions(-) create mode 100644 templates/exporter_tls.yml diff --git a/mongodb.nomad.hcl b/mongodb.nomad.hcl index c176e19..63fa56c 100644 --- a/mongodb.nomad.hcl +++ b/mongodb.nomad.hcl @@ -95,9 +95,8 @@ job "[[ .instance ]]" { } } -[[ template "common/task.metrics_proxy" $c ]] +[[- if conv.ToBool $c.prometheus.enabled ]] -[[- if $c.prometheus.enabled ]] task "exporter" { [[- $e := merge $c.exporter $c ]] @@ -106,14 +105,14 @@ job "[[ .instance ]]" { user = "9216" config { - image = "[[ $e.image ]]" + [[ template "common/image" $e ]] args = [ "--mongodb.uri=mongodb://127.0.0.1:${NOMAD_ALLOC_PORT_mongo}/%24external?replicaSet=[[ .mongo.replica_set ]]&authMechanism=MONGODB-X509&tls=true&tlsCertificateKeyFile=%2Fsecrets%2Fmongo.bundle.pem&tlsCAFile=%2Fsecrets%2Fmongo.ca.pem", - "--web.listen-address=127.0.0.1:9216", + "--web.listen-address=:${NOMAD_ALLOC_PORT_metrics}", + "--web.config=/local/web_tls.yml", "--collect-all" ] pids_limit = 100 - readonly_rootfs = true } lifecycle { @@ -122,6 +121,15 @@ job "[[ .instance ]]" { } [[ template "common/vault.policies" $e ]] + [[ template "common/metrics_cert" $e ]] + + # TLS config for the exporter + template { + data = <<_EOT +[[ template "mongodb/exporter_tls.yml" $e ]] +_EOT + destination = "local/web_tls.yml" + } # Get a certificate with monitoring capabilities template { diff --git a/templates/exporter_tls.yml b/templates/exporter_tls.yml new file mode 100644 index 0000000..bd20145 --- /dev/null +++ b/templates/exporter_tls.yml 
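Review bot: `readonly_rootfs = true` is dropped from the exporter task's `config` in the second mongodb.nomad.hcl hunk, at the same time as the listener moves from `127.0.0.1:9216` to `:${NOMAD_ALLOC_PORT_metrics}`, and neither the hunk nor the commit message says why a read-only root filesystem is no longer wanted. The files this commit adds land under `/local` and `/secrets`, which appear to be task directories rather than the image rootfs, so the exporter should not need a writable rootfs for them; if it was removed because the exporter fails to start, name that failure, otherwise restore `readonly_rootfs = true`. With the bind no longer on loopback, the `--web.config=/local/web_tls.yml` line is the only thing keeping the port from answering unauthenticated clients, which deserves a comment on that line: `# listener is reachable beyond loopback: web_tls.yml must keep requiring a client cert`. The `task "exporter"` block starts and ends outside this hunk.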
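Review bot: The new template block's comment `# TLS config for the exporter` does not say that this file is what enforces the mTLS the commit title relies on; suggest `# mTLS listener config, consumed via --web.config; requires a client cert signed by the monitoring CA`. The cert bundle and client CA it references are presumably written by the `common/metrics_cert` template added just above — if so, say so in the comment, and confirm that a missing file there makes the exporter refuse to start rather than serve without TLS. The enclosing `task "exporter"` block continues outside this hunk.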
@@ -0,0 +1,5 @@ +tls_server_config: + cert_file: /secrets/metrics.bundle.pem + key_file: /secrets/metrics.bundle.pem + client_auth_type: RequireAndVerifyClientCert + client_ca_file: /local/monitoring.ca.pem diff --git a/variables.yml b/variables.yml index ed6374f..5445084 100644 --- a/variables.yml +++ b/variables.yml @@ -66,10 +66,15 @@ mongo: exporter: version: 0.40.0 image: percona/mongodb_exporter:[[ .mongo.exporter.version ]] + vault: + policies: + - '[[ .instance ]]-mongod[[ .consul.suffix ]]' + - metrics[[ .consul.suffix ]] resources: cpu: 10 memory: 50 prometheus: + enabled: '[[ .prometheus.available ]]' # URL where prometheus metrics are exposed (from inside the container PoV) metrics_url: http://127.0.0.1:9216/metrics diff --git a/vault/policies/mongodb-mongod.hcl b/vault/policies/mongodb-mongod.hcl index 16bf1fa..a88a2a6 100644 --- a/vault/policies/mongodb-mongod.hcl +++ b/vault/policies/mongodb-mongod.hcl @@ -10,7 +10,7 @@ path "[[ $c.vault.pki.path ]]/issue/mongod" { capabilities = ["update"] } -[[- if .prometheus.enabled ]] +[[- if conv.ToBool $c.prometheus.enabled ]] # Issue client cert for the exporter path "[[ $c.vault.pki.path ]]/issue/mongo-monitor" { capabilities = ["update"]
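Review bot: `client_ca_file: /local/monitoring.ca.pem` together with `client_auth_type: RequireAndVerifyClientCert` is the sole gate on the metrics port now that it is no longer loopback-only, yet the file carries no comment saying what writes the referenced files or that the client-auth setting must not be relaxed. Suggest a header comment: `# Rendered to /local/web_tls.yml for --web.config. cert/key and client CA are expected from the metrics_cert template; do not relax client_auth_type, the listener is not loopback-only.` The config also relies on the toolkit's default minimum TLS version; if the project pins protocol versions elsewhere, add `min_version: TLS12` here as well.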
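Review bot: `metrics_url: http://127.0.0.1:9216/metrics` survives this hunk as context while the exporter now listens on `:${NOMAD_ALLOC_PORT_metrics}` with TLS and client-certificate auth, so a plain-HTTP URL on port 9216 no longer describes the endpoint. If that key was only consumed by the removed metrics_proxy it is now dead config and should be deleted; if anything still scrapes it, it needs to become an https URL on the metrics port presented with a client certificate. Separately, `enabled: '[[ .prometheus.available ]]'` is quoted and therefore a string after templating, which is why the job file needs `conv.ToBool`; a comment `# string after templating: consumers must conv.ToBool it, never compare to true` would save the next reader from a silent always-true check.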
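Review bot: The exporter task is given the `[[ .instance ]]-mongod` policy (variables.yml hunk, `vault.policies`), and this file shows that the same policy grants `update` on `[[ $c.vault.pki.path ]]/issue/mongod`, i.e. the ability to mint mongod server certificates, while the exporter only needs `issue/mongo-monitor`. A dedicated exporter policy holding just the `issue/mongo-monitor` block (and referenced instead of the mongod policy in `variables.yml`) would keep a network-exposed process from holding server-cert issuance. This may predate the commit if the exporter already inherited the policy through `$c`, but this is the point where the grant becomes explicit. The `issue/mongo-monitor` path block's closing brace is outside this hunk.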