TLS for nomad ui and nodes communication
- get cfssl
# cfssl toolkit on macOS via Homebrew; the steps below use both cfssl and cfssljson
brew install cfssl
- generate a local CA
# Create a self-signed CA. This writes nomad-ca.pem (certificate) and nomad-ca-key.pem
# (private key). `print-defaults csr` emits a placeholder CSR with example subject
# fields -- edit it for anything beyond a lab. Keep nomad-ca-key.pem off the Nomad
# hosts: only the CA *certificate* is needed there, the key is only used for signing.
cfssl print-defaults csr | cfssl gencert -initca - | cfssljson -bare nomad-ca
- create a `cfssl.json` signing config. Note that `expiry` of 87600h is ten years for every certificate issued below, and the single `default` profile grants both `server auth` and `client auth`, so every cert (server, client, cli) can authenticate as either role; if that matters for your deployment, add per-role profiles with narrower `usages`.
{
"signing": {
"default": {
"expiry": "87600h",
"usages": ["signing", "key encipherment", "server auth", "client auth"]
}
}
}
- issue server certificates
# Server certificate signed by the local CA. The SANs cover the Nomad server role name
# plus loopback for local access; an empty CSR ('{}') means no extra subject fields.
echo '{}' | cfssl gencert -ca=nomad-ca.pem -ca-key=nomad-ca-key.pem -config=cfssl.json \
-hostname="server.global.nomad,localhost,127.0.0.1" - | cfssljson -bare server
- issue client certificates
# Client-node certificate. With cfssl.json's single default profile this cert also
# carries "server auth", so it is only the SAN (client.global.nomad) that distinguishes
# it from a server cert -- which is why hostname verification matters in the tls stanza.
echo '{}' | cfssl gencert -ca=nomad-ca.pem -ca-key=nomad-ca-key.pem -config=cfssl.json \
-hostname="client.global.nomad,localhost,127.0.0.1" - | cfssljson -bare client
- issue cli certificate
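# CLI (operator) certificate. Pass the same -config as the other certs so expiry and
# usages are consistent instead of coming from cfssl's built-in defaults.
# NOTE(review): -profile=client only restricts anything if cfssl.json defines a "client"
# profile (e.g. usages limited to "client auth"); with no such profile cfssl appears to
# fall back to the default profile -- confirm with your cfssl version.
echo '{}' | cfssl gencert -ca=nomad-ca.pem -ca-key=nomad-ca-key.pem -config=cfssl.json -profile=client \
- | cfssljson -bare cli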
- copy the certificates to /etc/certs on the Nomad servers: nomad-ca.pem, server.pem and server-key.pem (client nodes get client.pem / client-key.pem instead). Do NOT copy nomad-ca-key.pem to any node — it is only needed to sign new certificates and should stay offline.
- change owner on /etc/certs
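$ sudo chown -R nomad:nomad /etc/certs
# Private keys must not be readable by other users on the host; the public
# certificates can stay world-readable. Order matters: *.pem also matches *-key.pem.
$ sudo chmod 644 /etc/certs/*.pem
$ sudo chmod 600 /etc/certs/*-key.pem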
- install the CA certificate (nomad-ca.pem only, never nomad-ca-key.pem) into each host's trusted CA store so local tools and browsers accept the Nomad endpoints
- update the Nomad server config with the following stanza
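# Require TLS
tls {
  http = true
  rpc  = true

  # Nomad's option names are ca_file / cert_file / key_file (underscored).
  # Use absolute paths: the files were copied to /etc/certs above, and a bare
  # "nomad-ca.pem" would be resolved against the daemon's working directory.
  ca_file   = "/etc/certs/nomad-ca.pem"
  cert_file = "/etc/certs/server.pem"
  key_file  = "/etc/certs/server-key.pem"

  # Require RPC peers to present a certificate whose SAN matches their role
  # (server.global.nomad / client.global.nomad, as issued above). With this off,
  # any certificate signed by the CA -- including a client node's -- can pose as
  # a server.
  verify_server_hostname = true

  # Client-certificate authentication on the HTTP API is left off so the UI can
  # be opened from a browser without a client certificate; the API is still
  # served over TLS. Turn this on if every HTTP caller (CLI, Traefik) presents a
  # certificate from this CA.
  verify_https_client = false
}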
- restart nomad service
# restart so the tls stanza takes effect (HTTP and RPC listeners switch to TLS)
$ sudo service nomad restart
- update the Traefik configuration: point the Nomad provider endpoint at the new https:// address
- configure Traefik's Nomad provider with the CA certificate (nomad-ca.pem) so it verifies the Nomad server certificate. Do not disable CA checking (e.g. an insecureSkipVerify-style option): that leaves the Traefik → Nomad connection open to a man-in-the-middle and defeats the TLS setup above.