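# Prometheus has switched to running with the 'nobody' user, which doesn't have
# access to the docker socket. This service runs a proxy that allows Prometheus
# to reach the docker socket over the network instead.
# Since it internally uses HAProxy, it can also restrict access to parts of the
# docker API: everything except the API sections enabled via the env vars below
# is denied by the proxy (the image is documented as denying POST by default, so
# what is exposed here should be read-only -- confirm against the README of the
# pinned image version when bumping it).
# Nice bonus: it also allows us to run Prometheus on a non-manager node.
#
# Security notes:
#  - The proxy container itself still holds the real socket, i.e. effectively
#    root-equivalent access to the host. Anything that can reach this service on
#    the docker_socket_proxy network gets unauthenticated access to the enabled
#    endpoints, so that network must be shared with Prometheus only. The network
#    is defined elsewhere; NOTE(review): keep it non-attachable and not reused
#    by other stacks -- confirm in its definition.
#  - SERVICES=1 / TASKS=1 return full service/task specs, which include the
#    environment variables configured on every service. Anything able to reach
#    this proxy can read them, so never put credentials in service env vars;
#    use docker secrets instead.

# Resolve the image to its digest at plan time so the service is pinned to an
# exact image rather than a mutable tag. The tag itself can still be re-pushed
# upstream between plans, so review the digest change in the plan output.
data "docker_registry_image" "docker_socket_proxy" {
  name = "ghcr.io/tecnativa/docker-socket-proxy:0.1"
}

resource "docker_service" "docker_socket_proxy" {
  name = "prometheus_docker_socket_proxy"

  # One instance on every node matching the placement constraint below.
  mode {
    global = true
  }

  task_spec {
    # Managers only: the swarm-level endpoints (nodes/services/tasks) are
    # served by manager daemons.
    placement {
      constraints = [
        "node.role==manager",
      ]
    }

    # Reachable from Prometheus under the alias "docker" on the dedicated
    # proxy network; nothing is published on a host port.
    networks_advanced {
      name = docker_network.docker_socket_proxy.id
      aliases = [
        "docker",
      ]
    }

    container_spec {
      # name@sha256:... -- pins the exact image resolved above.
      image = "${data.docker_registry_image.docker_socket_proxy.name}@${data.docker_registry_image.docker_socket_proxy.sha256_digest}"

      # Allow-list of API sections; every section not listed here stays denied.
      # These are the listing endpoints Prometheus needs for swarm service
      # discovery. Add new sections deliberately -- each one widens what any
      # client on the proxy network can read.
      env = {
        NODES    = "1"
        NETWORKS = "1"
        SERVICES = "1"
        TASKS    = "1"
      }

      # Bind-mount the socket read-only. Connecting to a unix socket is not
      # blocked by a read-only mount, so the proxy keeps working, but the
      # container can no longer replace or delete the socket file on the host.
      mounts {
        target    = "/var/run/docker.sock"
        source    = "/var/run/docker.sock"
        type      = "bind"
        read_only = true
      }
    }
  }
}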