Best way to provide users access to Nomad UI and API

Trojan295 · January 18, 2023, 9:08am

I’m trying to find out the best way to provide users access to the Nomad cluster to run and check jobs, tasks, view logs etc.

I have a configuration, which enabled mTLS between the nodes and verifies the clients using client certificates. So now I have to provide also users a client certificate for the users, so they can hit the UI or API. For now, I’m not using ACLs.

I find it a bit inconvenient to generate TLS certificates for every user (and manage the expiration of those). They also need to keep them and set every time the environment variables so the Nomad CLI works. This gets even more complicated, when there are multiple clusters.

I’m curious, if there are some scripts, tools or configuration, which allow making it easier. We have also Vault integrated with our IdP, so we could allow the users to generate TLS certificates for Nomad cluster with Vault, but this would require additional tooling or scripts.

I’m attaching the Nomad configuration:

datacenter = "dc1"

tls {
  http = true
  rpc  = true

  ca_file   = "/etc/nomad.d/certificates/tls/ca.pem"
  cert_file = "/etc/nomad.d/certificates/tls/cert.pem"
  key_file  = "/etc/nomad.d/certificates/tls/key.pem"

  verify_server_hostname = true
  verify_https_client    = true
}

acl {
  enabled = false
}

server {
  enabled          = true
  bootstrap_expect = 3
  encrypt = "<hidden>"
}

client {
  enabled       = true
}

consul {
  address = "127.0.0.1:8501"

  ssl = true
  verify_ssl = false
  ca_file   = "/etc/nomad.d/certificates/tls/ca.pem"
  cert_file = "/etc/nomad.d/certificates/tls/cert.pem"
  key_file  = "/etc/nomad.d/certificates/tls/key.pem"
}

vault {
  enabled = true
  address = "<hidden>"
  token = "<hidden>"
}

schlumpfit · January 23, 2023, 12:04pm

Hi @Trojan295,

you could use a proxy in front of nomad with the client TLS certificates.

In combination with vaults PKI engine and consul template you could make use of short lived TLS certificates that get automatically renewed.

To control access to the cluster itself you can use nomads ACL system directly, or couple it with vault again to use eg. and existing LDAP auth.

Trojan295 · January 25, 2023, 9:11am

Hey, thanks for the idea!

I like it much better as everything could be managed by Vault and the users can come from an IdP like Okta.

jrasell · January 25, 2023, 2:53pm

Hi @Trojan295 and @schlumpfit,

I just wanted to point out there is a tutorial available for running a UI reverse proxy which might be of interest and use here.

Thanks,
jrasell and the Nomad team

Trojan295 · January 25, 2023, 3:02pm

Thanks @jrasell! Didn’t know there was a tutorial on the Nomad website for it.

One thing I think could be improved by the Hashicorp guys is how to set up a production Nomad cluster.

I know there is Installing Nomad for Production | Nomad | HashiCorp Developer, but to be honest, after reading and actually setting up a cluster with Consul, Vault, mTLS and securing the stuff I don’t really get the simplicity argument for Nomad compared to e.g. Kubernetes.

Kubernetes had kubeadm, which simplifies creating a cluster a lot, while in Nomad I feel like in a DIY shop.

jrasell · January 27, 2023, 12:15pm

Hi @Trojan295,

Thanks for the feedback and this is something we are certainly currently aware of. I am not familiar with kubeadm, so will do some research in this area. Thanks again.

jrasell and the Nomad team