Vault Nomad Secret Backend - TLS from Vault PKI

Hi, are the ca_cert, client_cert, and client_key automatically configured when we use Vault PKI as Nomad cluster TLS?

I implemented the Nomad cluster to use the Vault PKI secrets engine, and want to use the Nomad secret backend too, but looking at Nomad Secret Backend - HTTP API | Vault by HashiCorp, it needs ca_cert, client_cert, and client_key that basically come from Vault PKI itself.

How can I seamlessly integrate this without a circular dependency?

I am facing a similar issue to this. My approach so far, although not implemented yet, is to use Vault Agent to provide the Nomad client with its set of PKI credentials, which can then be used to request secrets from jobs.

The Vault agent would provision a file with the vault stanza in the Nomad configuration.

Would this approach solve things for you?
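An added example of the Vault Agent approach described above (not configuration posted by either participant). It assumes an intermediate PKI mount named `pki_int` with a role `nomad-cluster`, an AppRole on the Nomad node, and a Vault address of `vault.example.internal`; all of those names are placeholders. The agent renders the issued certificate, key and CA chain to files and then writes the Nomad `tls` stanza (cluster TLS) and `vault` stanza that reference them.

```hcl
# Vault Agent configuration on a Nomad client node (added example, placeholder names).
vault {
  address = "https://vault.example.internal:8200"
}

auto_auth {
  # AppRole credentials are delivered out of band; the agent only needs them once.
  method "approle" {
    mount_path = "auth/approle"
    config = {
      role_id_file_path   = "/etc/vault-agent/role_id"
      secret_id_file_path = "/etc/vault-agent/secret_id"
    }
  }
  sink "file" {
    config = { path = "/run/vault-agent/token" }
  }
}

# One issue call per run; the three templates below use identical arguments so the
# agent's template runner can share a single issued certificate between them
# (assumption to verify for your version: identical secret dependencies are fetched once per run).
template {
  destination = "/etc/nomad.d/tls/client.pem"
  perms       = "0644"
  contents    = <<EOT
{{ with secret "pki_int/issue/nomad-cluster" "common_name=client.global.nomad" "ttl=24h" }}{{ .Data.certificate }}{{ end }}
EOT
}

template {
  destination = "/etc/nomad.d/tls/client-key.pem"
  perms       = "0600"
  contents    = <<EOT
{{ with secret "pki_int/issue/nomad-cluster" "common_name=client.global.nomad" "ttl=24h" }}{{ .Data.private_key }}{{ end }}
EOT
}

template {
  destination = "/etc/nomad.d/tls/ca.pem"
  perms       = "0644"
  contents    = <<EOT
{{ with secret "pki_int/issue/nomad-cluster" "common_name=client.global.nomad" "ttl=24h" }}{{ .Data.issuing_ca }}{{ end }}
EOT
}

# Nomad configuration fragment rendered by the agent; Nomad is reloaded when it changes.
template {
  destination = "/etc/nomad.d/tls.hcl"
  perms       = "0600"
  contents    = <<EOT
tls {
  http = true
  rpc  = true
  ca_file   = "/etc/nomad.d/tls/ca.pem"
  cert_file = "/etc/nomad.d/tls/client.pem"
  key_file  = "/etc/nomad.d/tls/client-key.pem"
  verify_server_hostname = true
}

vault {
  enabled = true
  address = "https://vault.example.internal:8200"
  # Assumes the Vault listener certificate chains to the same intermediate CA.
  ca_file = "/etc/nomad.d/tls/ca.pem"
}
EOT
  command = "systemctl reload nomad"
}
```

The loop is broken because the PKI secrets engine does not depend on the Nomad secrets engine: the certificate that Vault itself presents to Nomad's HTTPS API (the `ca_cert`, `client_cert` and `client_key` parameters of `nomad/config/access`) can be issued from the same `pki_int/issue/nomad-cluster` role by an operator before the Nomad backend is configured, and the Nomad cluster's own TLS comes from the agent-rendered files above. Keep the issued leaf TTL short and let the agent re-render; the `tls` stanza is reloadable, so a `reload` rather than a restart picks up the rotated material.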

If my understanding is correct (CMIIW), we need to configure the Nomad secret backend in Vault to add the Nomad address and the TLS things like above, so Vault can generate Nomad tokens. But the Nomad TLS things are generated by Vault, and this produces a circular dependency. If we don't specify the TLS things, the Nomad token generator will not work.