Best way to trust self signed CA for all nomad jobs

We have a cluster running Consul, Vault and Nomad, all of which are TLS enabled. Some of the Nomad jobs make curl calls to Consul/Vault endpoints. Since the CA used for TLS is self-signed, it needs to be trusted for all API calls.

Currently we are mounting the CA in the Nomad job and setting the SSL_CERT_FILE env variable for each container. This now has to be done for every job that makes API calls. Is there a better way to do this at the Nomad level centrally so that all the jobs running trust the CA?

Hi @gulavanir, Nomad doesn’t know much about the workloads it runs, other than what gets configured in the task driver configuration. It does not do anything to manage the trusted certificate store in your task, largely because that is totally specific to your task and opaque to Nomad.

What Nomad does provide is native integrations with Consul and Vault, exposed through the use of a template block for rendering KV, and the service block for managing service registrations.

I’d be interested to hear more about your use case, if you find you still need to make direct API calls to Consul or Vault.
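For reference, this is an added example job spec, not from the thread, the asker, or the Nomad project, showing the pattern the question describes (CA delivered into the task directory and SSL_CERT_FILE pointed at it) combined with the template block integration mentioned in the answer. It assumes the CA certificate has been published to the Consul KV key `tls/ca.pem`, that a Vault KV v2 secret `secret/consul` holds a Consul ACL token under the field `token`, that the Consul HTTPS API is reachable at `https://consul.service.consul:8501`, and that the `curlimages/curl` image is available; all of those names are placeholders chosen for the example.

```hcl
job "api-caller" {
  datacenters = ["dc1"]
  type        = "service"

  group "app" {
    # Prestart task: runs to completion before "main" starts and performs a
    # session-guarded Consul KV write, using the same CA trust as "main".
    task "kv-init" {
      driver = "docker"

      lifecycle {
        hook    = "prestart"
        sidecar = false
      }

      # Token needed to call Vault for the Consul ACL token (assumed policy name).
      vault {
        policies = ["consul-token-reader"]
      }

      config {
        image   = "curlimages/curl:latest"
        command = "/bin/sh"
        args    = ["${NOMAD_TASK_DIR}/init.sh"]
      }

      # 1) CA certificate rendered from Consul KV (assumed key) via Nomad's own,
      #    already trusted Consul connection, so the task never has to bootstrap trust.
      template {
        data        = "{{ key \"tls/ca.pem\" }}"
        destination = "local/ca.pem"
        change_mode = "restart"
      }

      # 2) Consul ACL token rendered from Vault (assumed path) as an env var.
      template {
        data        = "CONSUL_HTTP_TOKEN={{ with secret \"secret/data/consul\" }}{{ .Data.data.token }}{{ end }}"
        destination = "secrets/consul.env"
        env         = true
      }

      # 3) The init script itself. curl honours SSL_CERT_FILE on OpenSSL-based
      #    builds, so no --cacert flag is needed on each call.
      template {
        destination = "local/init.sh"
        perms       = "755"
        data        = <<-EOT
          #!/bin/sh
          set -eu
          # Create a short-lived session and extract its ID (minimal JSON scraping
          # to keep the image dependency-free; use jq if the image has it).
          SESSION=$(curl -sS -X PUT "$CONSUL_HTTP_ADDR/v1/session/create" \
            -H "X-Consul-Token: $CONSUL_HTTP_TOKEN" \
            -d '{"Name":"kv-init","TTL":"60s"}' \
            | sed 's/.*"ID":"\([^"]*\)".*/\1/')
          # Acquire the key under that session; a "false" body means another holder owns it.
          curl -sS -X PUT "$CONSUL_HTTP_ADDR/v1/kv/app/config?acquire=$SESSION" \
            -H "X-Consul-Token: $CONSUL_HTTP_TOKEN" \
            -d 'initialised=true'
          # Release the session so the lock does not linger until the TTL expires.
          curl -sS -X PUT "$CONSUL_HTTP_ADDR/v1/session/destroy/$SESSION" \
            -H "X-Consul-Token: $CONSUL_HTTP_TOKEN"
        EOT
      }

      env {
        CONSUL_HTTP_ADDR = "https://consul.service.consul:8501"   # assumed address
        SSL_CERT_FILE    = "${NOMAD_TASK_DIR}/ca.pem"              # rendered by template 1)
      }
    }

    # Main workload: same CA delivery, so any curl inside it trusts the cluster CA.
    task "main" {
      driver = "docker"

      config {
        image = "curlimages/curl:latest"
        args  = ["-sS", "https://consul.service.consul:8501/v1/status/leader"]
      }

      template {
        data        = "{{ key \"tls/ca.pem\" }}"
        destination = "local/ca.pem"
        change_mode = "restart"
      }

      env {
        SSL_CERT_FILE = "${NOMAD_TASK_DIR}/ca.pem"
      }
    }
  }
}
```

The example still repeats the CA template per task, which is the duplication the question is about; what it buys is that the CA content is fetched once, centrally, through Nomad's trusted Consul connection rather than baked into every image or mounted from each host. `change_mode = "restart"` means a CA rotation in KV restarts the task so the new bundle is picked up, which is the behaviour a defender usually wants when trust anchors change.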

Thanks for a quick response @shoenig. We do use the template block at multiple places in our jobs. One of the use cases we have here is to create/update Consul KV using Consul sessions in a Nomad pre-task.