Description
Nomad mTLS configuration and maintenance is somewhat tricky, in particular monitoring agent certificate expiry so new ones can be generated. In the current codebase, an external tool is required to monitor an agent's TLS certificate expiry to allow for alerting and certificate rotation. Ideally a new set of agent metrics would be exposed which detail the TTL of an agent's TLS certificates, which could then be consumed by monitoring tools such as Prometheus.
For efficiency the metrics emitter should be instantiated each time the Nomad agent loads TLS certificates into memory. This allows us to read the expiry values once while handling certificate rotation via SIGHUP and restart. The labels should match the default agent labels which allow operators to uniquely identify the agent.
Consul doc ref: https://developer.hashicorp.com/consul/docs/monitor/telemetry/agent#certificate-authority-expiration
Consul PR ref: hashicorp/consul#10768
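The following is an added, self-contained Go example of the approach sketched in the issue; it is not Nomad's code and does not use Nomad's telemetry package. It parses the agent's certificate PEM once (the point at which the agent would load TLS material), records the seconds remaining until NotAfter as a gauge sample tagged with the agent's labels, and renders that sample in the Prometheus text exposition format. The metric name `nomad_agent_tls_cert_expiry_seconds`, the label keys `datacenter` and `node_name`, and the self-signed certificate built in `SelfSignedPEM` are all assumptions constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"sort"
	"strconv"
	"strings"
	"time"
)

// CertExpiryGauge is one sample of a hypothetical gauge reporting how many
// seconds remain before an agent TLS certificate's NotAfter. The metric name
// and label set are assumptions for this example, not Nomad's own telemetry.
type CertExpiryGauge struct {
	Name    string
	Labels  map[string]string
	Seconds float64 // negative once the certificate has expired
}

// NotAfterFromPEM returns the NotAfter of the first CERTIFICATE block in
// pemBytes. Other block types (e.g. a bundled private key) are skipped.
func NotAfterFromPEM(pemBytes []byte) (time.Time, error) {
	for len(pemBytes) > 0 {
		block, rest := pem.Decode(pemBytes)
		if block == nil {
			break
		}
		if block.Type == "CERTIFICATE" {
			cert, err := x509.ParseCertificate(block.Bytes)
			if err != nil {
				return time.Time{}, fmt.Errorf("parse certificate: %w", err)
			}
			return cert.NotAfter, nil
		}
		pemBytes = rest
	}
	return time.Time{}, errors.New("no CERTIFICATE block found in PEM input")
}

// NewExpiryGauge computes the sample at now. It is meant to be called once per
// certificate load (startup or SIGHUP reload), so the certificate is not
// re-parsed on every scrape.
func NewExpiryGauge(name string, notAfter, now time.Time, labels map[string]string) CertExpiryGauge {
	return CertExpiryGauge{Name: name, Labels: labels, Seconds: notAfter.Sub(now).Seconds()}
}

// Expired reports whether the sample was taken after NotAfter.
func (g CertExpiryGauge) Expired() bool { return g.Seconds < 0 }

// PrometheusLine renders the sample in the Prometheus text exposition format,
// with labels sorted so the output is stable across runs.
func (g CertExpiryGauge) PrometheusLine() string {
	keys := make([]string, 0, len(g.Labels))
	for k := range g.Labels {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	parts := make([]string, 0, len(keys))
	for _, k := range keys {
		parts = append(parts, fmt.Sprintf("%s=%q", k, g.Labels[k]))
	}
	return fmt.Sprintf("%s{%s} %s", g.Name, strings.Join(parts, ","),
		strconv.FormatFloat(g.Seconds, 'f', -1, 64))
}

// SelfSignedPEM builds a constructed self-signed certificate valid from now
// until now+ttl. It stands in for the agent's real certificate file; a real
// agent would read the file referenced by its TLS configuration instead.
func SelfSignedPEM(now time.Time, ttl time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "server.global.nomad"}, // assumed name
		NotBefore:    now,
		NotAfter:     now.Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	now := time.Now().UTC().Truncate(time.Second)
	pemBytes, err := SelfSignedPEM(now, 72*time.Hour)
	if err != nil {
		panic(err)
	}
	notAfter, err := NotAfterFromPEM(pemBytes)
	if err != nil {
		panic(err)
	}
	g := NewExpiryGauge("nomad_agent_tls_cert_expiry_seconds", notAfter, now,
		map[string]string{"datacenter": "dc1", "node_name": "nomad-1"}) // assumed labels
	fmt.Println(g.PrometheusLine())
}
```

Because the sample is taken at load time rather than at scrape time, an operator alerting on this gauge should compare it against the scrape timestamp (or alert on the absolute NotAfter instead) so a long-running agent does not appear to have a constant remaining TTL.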