I’m trying to find out the best way to provide users access to the Nomad cluster to run and check jobs and tasks, view logs, etc.
I have a configuration which enables mTLS between the nodes and verifies the clients using client certificates. So now I also have to provide users with a client certificate, so they can hit the UI or API. For now, I’m not using ACLs.
I find it a bit inconvenient to generate TLS certificates for every user (and manage the expiration of those). They also need to keep them and set the environment variables every time so the Nomad CLI works. This gets even more complicated when there are multiple clusters.
I’m curious if there are some scripts, tools or configuration which make it easier. We also have Vault integrated with our IdP, so we could allow the users to generate TLS certificates for the Nomad cluster with Vault, but this would require additional tooling or scripts.
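The Vault-issued client certificate workflow sketched in the post above, as an added example that is not code from this thread, Nomad or Vault: it issues a short-lived cert from a hypothetical PKI mount `nomad-pki` with role `nomad-user` via the Vault CLI, caches it per cluster with tight file modes, re-issues only near expiry, and prints the `NOMAD_*` exports, so expiry tracking and env-var setup become one command. It assumes the `vault` binary is on PATH and already logged in (e.g. through the IdP-backed auth method).

```python
import json, os, shlex, subprocess, time
from pathlib import Path

# Hypothetical names: PKI engine mounted at "nomad-pki" with an issuing role "nomad-user".
PKI_MOUNT, PKI_ROLE = "nomad-pki", "nomad-user"
LAYOUT = {  # NOMAD_* variable -> (file name, field of Vault's pki/issue response, file mode)
    "NOMAD_CACERT": ("ca.pem", "issuing_ca", 0o644),
    "NOMAD_CLIENT_CERT": ("client.pem", "certificate", 0o644),
    "NOMAD_CLIENT_KEY": ("client-key.pem", "private_key", 0o600),
}

def fetch_issue_json(common_name: str, ttl: str = "8h") -> dict:
    """Issue a short-lived cert via the Vault CLI (user already logged in, e.g. via OIDC)."""
    cmd = ["vault", "write", "-format=json", f"{PKI_MOUNT}/issue/{PKI_ROLE}",
           f"common_name={common_name}", f"ttl={ttl}"]
    return json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)

def cert_env(cert_dir: Path) -> dict:
    return {var: str(cert_dir / name) for var, (name, _, _) in LAYOUT.items()}

def write_cert_files(issue_json: dict, cert_dir: Path) -> dict:
    """Write CA, cert and key (key 0600, dir 0700) plus the expiry timestamp Vault returned."""
    data = issue_json["data"]
    cert_dir.mkdir(parents=True, exist_ok=True)
    cert_dir.chmod(0o700)
    for name, field, mode in LAYOUT.values():
        path = cert_dir / name
        with open(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode), "w") as f:
            f.write(data[field].rstrip("\n") + "\n")
        path.chmod(mode)  # the mode above only applies when the file is newly created
    (cert_dir / "expiration").write_text(str(data["expiration"]))
    return cert_env(cert_dir)

def needs_renewal(cert_dir: Path, now: float, margin_s: int = 1800) -> bool:
    """True when nothing is cached yet or the cert expires within margin_s seconds of now."""
    exp_file = cert_dir / "expiration"
    return not exp_file.exists() or int(exp_file.read_text()) - now < margin_s

def shell_exports(cert_dir: Path, nomad_addr: str) -> str:
    """Render export lines; eval "$(...)" in the shell points the Nomad CLI at this cluster."""
    lines = [f"export NOMAD_ADDR={shlex.quote(nomad_addr)}"]
    lines += [f"export {k}={shlex.quote(v)}" for k, v in sorted(cert_env(cert_dir).items())]
    return "\n".join(lines)

def nomad_login(cluster: str, nomad_addr: str, common_name: str) -> str:
    """One directory per cluster; reissue only when the cached cert is near expiry."""
    cert_dir = Path.home() / ".nomad" / "certs" / cluster
    if needs_renewal(cert_dir, time.time()):
        write_cert_files(fetch_issue_json(common_name), cert_dir)
    return shell_exports(cert_dir, nomad_addr)
```

Wrapping the last function as `eval "$(python3 nomad_login.py prod https://nomad.example.com:4646 alice)"` (addresses constructed) gives one command per cluster; the PKI role's max TTL bounds how long a leaked key stays usable.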
Thanks @jrasell! Didn’t know there was a tutorial on the Nomad website for it.
One thing I think could be improved by the HashiCorp guys is how to set up a production Nomad cluster.
I know there is Installing Nomad for Production | Nomad | HashiCorp Developer, but to be honest, after reading it and actually setting up a cluster with Consul, Vault, mTLS and securing the stuff, I don’t really get the simplicity argument for Nomad compared to e.g. Kubernetes.
Kubernetes has kubeadm, which simplifies creating a cluster a lot, while in Nomad I feel like I’m in a DIY shop.
Thanks for the feedback and this is something we are certainly currently aware of. I am not familiar with kubeadm, so will do some research in this area. Thanks again.
Is there anything on the roadmap about how this could be simplified?
I think an ideal scenario would be some one-liner to get something like
vault-cluster with PKI, app-role, token-auth, acl-enabled
consul-cluster using vault pki with service mesh enabled
nomad-cluster using vault and consul, docker driver ready, and a reverse-proxy added to the service mesh exposing all 3 APIs, dynamically configured via consul.
I think just adding more and more features to Nomad itself is not the right way for production setups. I understand that it helps for evaluation, but I think that it would be great to have some best-practices setup. While flexibility is great to have, it can make your life pretty hard in the real world.