Use mTLS for cc-worker metrics endpoint (#4214)

svkrieger · web-flow · commit 57ee2c320e95 · 2025-02-13T12:17:37.000+01:00
diff --git a/lib/delayed_job/delayed_worker.rb b/lib/delayed_job/delayed_worker.rb
@@ -130,7 +130,14 @@ def setup_webserver(config, prometheus_dir)
 
     Thread.new do
       server = Puma::Server.new(metrics_app)
-      server.add_tcp_listener '127.0.0.1', config.get(:prometheus_port) || 9394
+
+      context = Puma::MiniSSL::Context.new
+      context.cert        = '/var/vcap/jobs/cloud_controller_worker/config/certs/scrape.crt'
+      context.key         = '/var/vcap/jobs/cloud_controller_worker/config/certs/scrape.key'
+      context.ca          = '/var/vcap/jobs/cloud_controller_worker/config/certs/scrape_ca.crt'
+      context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT
+
+      server.add_ssl_listener('127.0.0.1', config.get(:prometheus_port) || 9394, context)
       server.run
     end
   end
