I’m trying to find out the best way to give users access to the Nomad cluster to run and check jobs and tasks, view logs, etc.
I have a configuration which enables mTLS between the nodes and verifies the clients using client certificates. So now I also have to provide users with a client certificate, so they can hit the UI or API. For now, I’m not using ACLs.
I find it a bit inconvenient to generate TLS certificates for every user (and manage the expiration of those). They also need to keep them and set the environment variables every time so the Nomad CLI works. This gets even more complicated when there are multiple clusters.
I’m curious whether there are any scripts, tools or configuration which make this easier. We also have Vault integrated with our IdP, so we could allow the users to generate TLS certificates for the Nomad cluster with Vault, but this would require additional tooling or scripts.
I’m attaching the Nomad configuration:
datacenter = "dc1"

tls {
  http = true
  rpc  = true

  ca_file   = "/etc/nomad.d/certificates/tls/ca.pem"
  cert_file = "/etc/nomad.d/certificates/tls/cert.pem"
  key_file  = "/etc/nomad.d/certificates/tls/key.pem"

  # Clients must verify the server's hostname (server.<region>.nomad) against the cert.
  verify_server_hostname = true
  # HTTP API/UI callers must present a client certificate signed by ca_file.
  verify_https_client = true
}

acl {
  enabled = false
}

server {
  enabled          = true
  bootstrap_expect = 3
  # Gossip encryption key.
  encrypt = "<hidden>"
}

client {
  enabled = true
}

consul {
  address = "127.0.0.1:8501"
  ssl     = true
  # Nomad does not verify Consul's TLS certificate with this setting.
  verify_ssl = false

  ca_file   = "/etc/nomad.d/certificates/tls/ca.pem"
  cert_file = "/etc/nomad.d/certificates/tls/cert.pem"
  key_file  = "/etc/nomad.d/certificates/tls/key.pem"
}

vault {
  enabled = true
  address = "<hidden>"
  # Static Vault token used by the Nomad servers.
  token = "<hidden>"
}
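One way to do the "Vault issues the user cert" part from the post, as an added example that is not part of the original post or of Nomad/Vault themselves. It assumes (hypothetically) a Vault PKI mount named `pki_nomad` whose CA is the same `ca.pem` the servers verify clients against, a role `nomad-user` that allows short TTLs, and that the user has already logged in (for example `vault login -method=oidc`, via the IdP integration mentioned above). It writes one directory and one env file per cluster under `~/.nomad/`, so switching clusters is `. ~/.nomad/<cluster>.env` instead of re-typing variables:

```shell
#!/usr/bin/env sh
# Added example (not from the original post). Issues a short-lived Nomad client
# certificate from Vault PKI and writes a per-cluster env file for the Nomad CLI.
# Assumed (hypothetical) names: PKI mount "pki_nomad", role "nomad-user".
set -eu
umask 077

PKI_MOUNT="${PKI_MOUNT:-pki_nomad}"
PKI_ROLE="${PKI_ROLE:-nomad-user}"
CERT_TTL="${CERT_TTL:-8h}"            # short TTL instead of long-lived per-user certs
NOMAD_DIR="${NOMAD_DIR:-${HOME:-/tmp}/.nomad}"

# render_env CLUSTER ADDR REGION DIR
# Prints the variables the Nomad CLI reads for one cluster. The server name must
# match the cert the servers present (server.<region>.nomad) because the posted
# config sets verify_server_hostname = true.
render_env() {
  cluster="$1"; addr="$2"; region="$3"; dir="$4"
  printf 'export NOMAD_ADDR=%s\n' "$addr"
  printf 'export NOMAD_CACERT=%s/%s/ca.pem\n' "$dir" "$cluster"
  printf 'export NOMAD_CLIENT_CERT=%s/%s/cert.pem\n' "$dir" "$cluster"
  printf 'export NOMAD_CLIENT_KEY=%s/%s/key.pem\n' "$dir" "$cluster"
  printf 'export NOMAD_TLS_SERVER_NAME=server.%s.nomad\n' "$region"
}

# cert_needs_renewal CERT_FILE
# Returns 0 (true) when the cert is missing or expires within the next hour,
# so a shell profile can call issue_cert only when needed.
cert_needs_renewal() {
  cert="$1"
  [ -f "$cert" ] || return 0
  # -checkend exits 0 when the cert is still valid for the given seconds.
  if openssl x509 -in "$cert" -noout -checkend 3600 >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# issue_cert CLUSTER ADDR [REGION]
# One Vault call returns cert, key and issuing CA as JSON; the private key is
# only ever written to key.pem (mode 0600 via umask), never to an intermediate file.
issue_cert() {
  cluster="$1"; addr="$2"; region="${3:-global}"
  out="$NOMAD_DIR/$cluster"
  mkdir -p "$out"

  # The CN is a label for audit only: with acl { enabled = false } any cert
  # signed by the cluster CA gets full access, so TTL is the main control here.
  resp=$(vault write -format=json "$PKI_MOUNT/issue/$PKI_ROLE" \
           common_name="$(id -un)" ttl="$CERT_TTL")

  printf '%s\n' "$resp" | jq -r .data.certificate > "$out/cert.pem"
  printf '%s\n' "$resp" | jq -r .data.private_key > "$out/key.pem"
  printf '%s\n' "$resp" | jq -r .data.issuing_ca  > "$out/ca.pem"
  unset resp

  render_env "$cluster" "$addr" "$region" "$NOMAD_DIR" > "$NOMAD_DIR/$cluster.env"
  echo "wrote $NOMAD_DIR/$cluster.env (cert valid for $CERT_TTL)"
}

# Usage: nomad-cert.sh issue <cluster> <https-addr> [region]
#   e.g. nomad-cert.sh issue prod https://nomad.prod.example.com:4646 global
if [ "${1:-}" = "issue" ]; then
  issue_cert "$2" "$3" "${4:-global}"
fi
```

Two caveats worth keeping in mind with this approach: the Vault-issued certs must chain to the CA in the servers' `ca_file`, or `verify_https_client` will reject them; and because ACLs are disabled in the posted config, every cert the PKI role can issue is effectively an admin credential, which is why the example keeps the TTL to hours rather than months.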