# Prometheus has switched to running as the 'nobody' user, which doesn't have
# access to the docker socket. This service runs a proxy that allows prometheus
# to access the docker socket.
# Since it internally uses HAProxy, it can also restrict access to parts of the
# docker API. By default, everything but the parts allowed in the envs below
# is restricted.
# Nice bonus: it would also allow us to run prometheus on a non-manager node.
# Resolve the proxy image to its registry digest. The service below references
# this data source's sha256_digest, so the running image is pinned to exact
# content rather than to the mutable "0.1" tag.
data "docker_registry_image" "docker_socket_proxy" {
  name = "ghcr.io/tecnativa/docker-socket-proxy:0.1"
}
# Swarm service exposing a filtered view of the manager's docker socket on the
# docker_socket_proxy network under the alias "docker". Prometheus talks to the
# proxy instead of mounting the socket itself.
resource "docker_service" "docker_socket_proxy" {
  name = "prometheus_docker_socket_proxy"

  task_spec {
    container_spec {
      # tag@sha256 reference: a re-pushed "0.1" tag cannot silently change
      # what this service runs.
      image = format("%s@%s",
        data.docker_registry_image.docker_socket_proxy.name,
        data.docker_registry_image.docker_socket_proxy.sha256_digest)

      # Allowlist of docker API sections the proxy forwards; sections not
      # enabled here are denied. These four cover swarm service discovery.
      # NOTE(review): the proxy image also carries its own defaults (for
      # instance whether POST requests are forwarded) — confirm them against
      # the image documentation for the pinned tag.
      env = {
        SERVICES = "1"
        TASKS    = "1"
        NODES    = "1"
        NETWORKS = "1"
      }

      # The raw socket is bind-mounted only into this container, which makes
      # it the trust boundary between the docker API and every service that
      # is attached to the proxy network.
      mounts {
        type   = "bind"
        source = "/var/run/docker.sock"
        target = "/var/run/docker.sock"
      }
    }

    # Presumably required because the swarm-level endpoints enabled above are
    # served by a manager's socket; the file header notes that Prometheus
    # itself no longer has to be on a manager.
    placement {
      constraints = ["node.role==manager"]
    }

    # Clients on this network reach the proxy by the hostname "docker". Only
    # services that genuinely need docker API access should join the network.
    networks_advanced {
      name    = docker_network.docker_socket_proxy.id
      aliases = ["docker"]
    }
  }

  # Global mode: one task on each node that satisfies the placement
  # constraint, i.e. on every manager.
  mode {
    global = true
  }
}