Different datacenters, with own Consul | Vault Cluster but manage them with single "servers"


We have two datacenters and every datacenter has three networks. Every network has its own Consul and Vault cluster. If I deployed Nomad the normal way, I would have to create six nodes per network: 3 clients, 3 servers.
My idea now was whether it is possible to install just 3 or 5 servers to manage all clients in every DC and network, but configure them to use the dedicated Consul / Vault cluster inside the networks.

DC1 → LAN → Consul / Vault
DC1 → DMZ → Consul / Vault
DC1 → EXT → Consul / Vault

Or is that not possible, and I need to create Nomad clusters (3 servers, 3 clients) per network and configure them to use the Consul and Vault which we have per network?

I’ve found a related ticket: "[question] Configure unique Vault cluster per DC" (Issue #3913, hashicorp/nomad on GitHub), which is the same as what we need (for PCI-DSS).

cu denny


I think Vault may work, as I can change the Vault address per client config (not sure about the Vault config on the server side), but Consul …? How can I tell Nomad to register a service in the right DC and correct network if the Nomad servers run, for example, on the DMZ network and I deploy a job to the LAN network in DC1 …

Hi there,

I’m wondering if you got this working with a different vault cluster per Nomad DC? Our setup is the same as yours, but right now we’re only running Nomad and Consul. We’re looking to add Vault. I haven’t found any documentation that indicates you can use a different Vault cluster per Nomad DC. I know you can specify a different Vault address on the Nomad client config, but the Vault Token can only be set in the Nomad Server vault stanza, indicating that the Client can’t use a different token (and therefore different cluster).

Were you able to get this set up working?


Nope. I gave up because nobody replied. So I installed the full setup, but only in our internal LAN, as I dropped the Nomad idea in the DMZ zone. Most services require a full VM … and it was not worth creating something.