Remove metrics_proxy as the exporter supports mTLS
parent
42c72e7de8
commit
ab9572dd2f
|
@ -95,9 +95,8 @@ job "[[ .instance ]]" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
[[ template "common/task.metrics_proxy" $c ]]
|
[[- if conv.ToBool $c.prometheus.enabled ]]
|
||||||
|
|
||||||
[[- if $c.prometheus.enabled ]]
|
|
||||||
task "exporter" {
|
task "exporter" {
|
||||||
|
|
||||||
[[- $e := merge $c.exporter $c ]]
|
[[- $e := merge $c.exporter $c ]]
|
||||||
|
@ -106,14 +105,14 @@ job "[[ .instance ]]" {
|
||||||
user = "9216"
|
user = "9216"
|
||||||
|
|
||||||
config {
|
config {
|
||||||
image = "[[ $e.image ]]"
|
[[ template "common/image" $e ]]
|
||||||
args = [
|
args = [
|
||||||
"--mongodb.uri=mongodb://127.0.0.1:${NOMAD_ALLOC_PORT_mongo}/%24external?replicaSet=[[ .mongo.replica_set ]]&authMechanism=MONGODB-X509&tls=true&tlsCertificateKeyFile=%2Fsecrets%2Fmongo.bundle.pem&tlsCAFile=%2Fsecrets%2Fmongo.ca.pem",
|
"--mongodb.uri=mongodb://127.0.0.1:${NOMAD_ALLOC_PORT_mongo}/%24external?replicaSet=[[ .mongo.replica_set ]]&authMechanism=MONGODB-X509&tls=true&tlsCertificateKeyFile=%2Fsecrets%2Fmongo.bundle.pem&tlsCAFile=%2Fsecrets%2Fmongo.ca.pem",
|
||||||
"--web.listen-address=127.0.0.1:9216",
|
"--web.listen-address=:${NOMAD_ALLOC_PORT_metrics}",
|
||||||
|
"--web.config=/local/web_tls.yml",
|
||||||
"--collect-all"
|
"--collect-all"
|
||||||
]
|
]
|
||||||
pids_limit = 100
|
pids_limit = 100
|
||||||
readonly_rootfs = true
|
|
||||||
}
|
}
|
||||||
|
|
||||||
lifecycle {
|
lifecycle {
|
||||||
|
@ -122,6 +121,15 @@ job "[[ .instance ]]" {
|
||||||
}
|
}
|
||||||
|
|
||||||
[[ template "common/vault.policies" $e ]]
|
[[ template "common/vault.policies" $e ]]
|
||||||
|
[[ template "common/metrics_cert" $e ]]
|
||||||
|
|
||||||
|
# TLS config for the exporter
|
||||||
|
template {
|
||||||
|
data = <<_EOT
|
||||||
|
[[ template "mongodb/exporter_tls.yml" $e ]]
|
||||||
|
_EOT
|
||||||
|
destination = "local/web_tls.yml"
|
||||||
|
}
|
||||||
|
|
||||||
# Get a certificate with monitoring capabilities
|
# Get a certificate with monitoring capabilities
|
||||||
template {
|
template {
|
||||||
|
|
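Review bot: The second hunk drops `readonly_rootfs = true` from the exporter's `config` block while replacing the `image` line with `[[ template "common/image" $e ]]`. Unless that template emits the setting itself (it is not visible here), the container loses its read-only root filesystem, so I would keep `readonly_rootfs = true` next to `pids_limit = 100`. The same hunk moves the listener from `127.0.0.1:9216` to `:${NOMAD_ALLOC_PORT_metrics}`, which leaves `/local/web_tls.yml` as the only control in front of a `--collect-all` endpoint on every interface. A comment above the flag such as `# Listens on all interfaces: access is restricted only by mTLS in web_tls.yml` would make that dependency explicit.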
|
@ -0,0 +1,5 @@
|
||||||
|
tls_server_config:
|
||||||
|
cert_file: /secrets/metrics.bundle.pem
|
||||||
|
key_file: /secrets/metrics.bundle.pem
|
||||||
|
client_auth_type: RequireAndVerifyClientCert
|
||||||
|
client_ca_file: /local/monitoring.ca.pem
|
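Review bot: `client_auth_type: RequireAndVerifyClientCert` with `client_ca_file: /local/monitoring.ca.pem` accepts any certificate that chains to that CA, so the scrape endpoint is only as restricted as issuance under it. If that CA signs more than the Prometheus client certificate, consider pinning the expected client identity; newer exporter-toolkit web configs offer `client_allowed_sans`, though whether exporter 0.40.0 supports it needs checking. A header comment such as `# mTLS: only clients holding a cert from the monitoring CA may scrape` would also help, since nothing in this file shows where `/local/monitoring.ca.pem` is written (presumably by `common/metrics_cert`).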
|
@ -66,10 +66,15 @@ mongo:
|
||||||
exporter:
|
exporter:
|
||||||
version: 0.40.0
|
version: 0.40.0
|
||||||
image: percona/mongodb_exporter:[[ .mongo.exporter.version ]]
|
image: percona/mongodb_exporter:[[ .mongo.exporter.version ]]
|
||||||
|
vault:
|
||||||
|
policies:
|
||||||
|
- '[[ .instance ]]-mongod[[ .consul.suffix ]]'
|
||||||
|
- metrics[[ .consul.suffix ]]
|
||||||
resources:
|
resources:
|
||||||
cpu: 10
|
cpu: 10
|
||||||
memory: 50
|
memory: 50
|
||||||
|
|
||||||
prometheus:
|
prometheus:
|
||||||
|
enabled: '[[ .prometheus.available ]]'
|
||||||
# URL where prometheus metrics are exposed (from inside the container PoV)
|
# URL where prometheus metrics are exposed (from inside the container PoV)
|
||||||
metrics_url: http://127.0.0.1:9216/metrics
|
metrics_url: http://127.0.0.1:9216/metrics
|
||||||
|
|
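Review bot: The new `exporter.vault.policies` list gives the exporter task `[[ .instance ]]-mongod` as well as `metrics`. If that is the policy edited elsewhere in this commit, it also allows `issue/mongod`, which the exporter does not appear to need because it connects with a `mongo-monitor` client certificate. A dedicated exporter policy limited to `issue/mongo-monitor` would keep a compromised exporter from obtaining mongod certificates. Separately, `metrics_url` still reads `http://127.0.0.1:9216/metrics` although the exporter now listens on `${NOMAD_ALLOC_PORT_metrics}` with TLS, so the value and its comment look stale.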
|
@ -10,7 +10,7 @@ path "[[ $c.vault.pki.path ]]/issue/mongod" {
|
||||||
capabilities = ["update"]
|
capabilities = ["update"]
|
||||||
}
|
}
|
||||||
|
|
||||||
[[- if .prometheus.enabled ]]
|
[[- if conv.ToBool $c.prometheus.enabled ]]
|
||||||
# Issue client cert for the exporter
|
# Issue client cert for the exporter
|
||||||
path "[[ $c.vault.pki.path ]]/issue/mongo-monitor" {
|
path "[[ $c.vault.pki.path ]]/issue/mongo-monitor" {
|
||||||
capabilities = ["update"]
|
capabilities = ["update"]
|
||||||
|
|
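Review bot: The switch to `conv.ToBool $c.prometheus.enabled` deserves a comment. The variables file now sets `enabled` to a quoted template value, and a non-empty string such as `'false'` is truthy in a bare `if`, which would grant `issue/mongo-monitor` even with monitoring off. Something like `# enabled is rendered as a string, so it must go through conv.ToBool` above the condition would keep a later edit from reverting it. The `path` block and the closing `end` continue outside the hunk.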