2016-11-01 22:50:12 +00:00
|
|
|
---
|
|
|
|
layout: "docs"
|
2016-11-02 00:40:42 +00:00
|
|
|
page_title: "Gossip and RPC Encryption"
|
2016-11-01 22:50:12 +00:00
|
|
|
sidebar_current: "docs-agent-encryption"
|
|
|
|
description: |-
|
2016-11-16 22:49:29 +00:00
|
|
|
Learn how to configure Nomad to encrypt HTTP, RPC, and Serf traffic.
|
2016-11-01 22:50:12 +00:00
|
|
|
---
|
|
|
|
|
2016-11-02 00:40:42 +00:00
|
|
|
# Encryption
|
|
|
|
|
2016-11-01 22:50:12 +00:00
|
|
|
The Nomad agent supports encrypting all of its network traffic. There are
|
2016-11-11 00:58:53 +00:00
|
|
|
two separate encryption systems, one for gossip traffic, and one for HTTP and
|
|
|
|
RPC.
|
2016-11-01 22:50:12 +00:00
|
|
|
|
2016-11-02 00:40:42 +00:00
|
|
|
## Gossip
|
2016-11-01 22:50:12 +00:00
|
|
|
|
|
|
|
Enabling gossip encryption only requires that you set an encryption key when
|
2016-11-02 00:40:42 +00:00
|
|
|
starting the Nomad server. The key can be set via the
|
2016-11-01 12:53:13 +00:00
|
|
|
[`encrypt`](/docs/agent/configuration/server.html#encrypt) parameter: the value
|
|
|
|
of this setting is a server configuration file containing the encryption key.
|
2016-11-01 22:50:12 +00:00
|
|
|
|
2016-11-02 00:40:42 +00:00
|
|
|
The key must be 16-bytes, base64 encoded. As a convenience, Nomad provides the
|
2016-11-01 22:50:12 +00:00
|
|
|
[`nomad keygen`](/docs/commands/keygen.html) command to generate a cryptographically suitable key:
|
|
|
|
|
2016-11-02 00:40:42 +00:00
|
|
|
```shell
|
2016-11-01 22:50:12 +00:00
|
|
|
$ nomad keygen
|
|
|
|
cg8StVXbQJ0gPvMd9o7yrg==
|
|
|
|
```
|
|
|
|
|
|
|
|
With that key, you can enable gossip encryption on the agent.
|
|
|
|
|
|
|
|
|
2016-11-11 00:58:53 +00:00
|
|
|
## HTTP, RPC, and Raft Encryption with TLS
|
2016-11-01 22:50:12 +00:00
|
|
|
|
|
|
|
Nomad supports using TLS to verify the authenticity of servers and clients. To
|
|
|
|
enable this, Nomad requires that all clients and servers have key pairs that are
|
2016-11-02 00:40:42 +00:00
|
|
|
generated and signed by a Certificate Authority. This can be a private CA.
|
2016-11-01 22:50:12 +00:00
|
|
|
|
2016-11-02 00:40:42 +00:00
|
|
|
TLS can be used to verify the authenticity of the servers and clients. The
|
|
|
|
configuration option [`verify_server_hostname`][tls] causes Nomad to verify that
|
|
|
|
a certificate is provided that is signed by the Certificate Authority from the
|
|
|
|
[`ca_file`][tls] for TLS connections.
|
2016-11-01 22:50:12 +00:00
|
|
|
|
2016-11-02 00:40:42 +00:00
|
|
|
If `verify_server_hostname` is set, then outgoing connections perform
|
2016-11-11 00:58:53 +00:00
|
|
|
hostname verification. Unlike traditional HTTPS browser validation, all servers
|
|
|
|
must have a certificate valid for `server.<region>.nomad` or the client will
|
|
|
|
reject the handshake. It is also recommended for the certificate to sign
|
|
|
|
`localhost` such that the CLI can validate the server name.
|
2016-11-01 22:50:12 +00:00
|
|
|
|
|
|
|
TLS is used to secure the RPC calls between agents, but gossip between nodes is
|
|
|
|
done over UDP and is secured using a symmetric key. See above for enabling
|
|
|
|
gossip encryption.
|
2016-11-02 00:40:42 +00:00
|
|
|
|
2016-11-11 00:58:53 +00:00
|
|
|
|
|
|
|
### Example TLS Configuration using cfssl
|
|
|
|
|
|
|
|
While [Vault's PKI backend][vault] is an ideal solution for managing
|
|
|
|
certificates and other secrets in a production environment, it's useful to use
|
|
|
|
simpler command line tools when learning how to configure TLS and your [PKI].
|
|
|
|
|
|
|
|
[`cfssl`][cfssl] is a tool for working with TLS certificates and certificate
|
|
|
|
authorities similar to [OpenSSL's][openssl] `x509` command line tool.
|
|
|
|
|
2016-11-16 22:49:29 +00:00
|
|
|
Once you have the `cfssl` command line tool installed, the first step to
|
2016-11-11 00:58:53 +00:00
|
|
|
setting up TLS is to create a Certificate Authority (CA) certificate. The
|
|
|
|
following command will generate a suitable example CA CSR, certificate, and
|
|
|
|
key:
|
|
|
|
|
|
|
|
```sh
|
|
|
|
# Run in the directory where you want to store certificates
|
|
|
|
cfssl print-defaults csr | cfssl gencert -initca - | cfssljson -bare ca
|
|
|
|
```
|
|
|
|
|
|
|
|
Next create a `nomad-csr.json` which contains the configuration for the actual
|
|
|
|
certificate you'll be using in Nomad:
|
|
|
|
|
|
|
|
```json
|
|
|
|
{
|
2016-11-16 22:49:29 +00:00
|
|
|
"CN": "global.nomad",
|
2016-11-11 00:58:53 +00:00
|
|
|
"hosts": [
|
2016-11-16 22:49:29 +00:00
|
|
|
"server.global.nomad",
|
|
|
|
"client.global.nomad",
|
2016-11-16 01:21:15 +00:00
|
|
|
"localhost"
|
2016-11-11 00:58:53 +00:00
|
|
|
]
|
|
|
|
}
|
|
|
|
```
|
|
|
|
|
|
|
|
This will create a certificate suitable for both clients and servers in the
|
|
|
|
`global` (default) region.
|
|
|
|
|
|
|
|
In production Nomad agents should have a certificate valid for the name
|
2016-11-16 22:49:29 +00:00
|
|
|
`${ROLE}.${REGION}.nomad` where role is either `client` or `server` depending
|
|
|
|
on the node's role.
|
2016-11-11 00:58:53 +00:00
|
|
|
|
|
|
|
Create a certificate signed by your CA:
|
|
|
|
|
|
|
|
```sh
|
|
|
|
cfssl gencert -ca ca.pem -ca-key ca-key.pem nomad-csr.json | cfssljson -bare nomad
|
|
|
|
```
|
|
|
|
|
|
|
|
You've now successfully generated self-signed certificates! You should see the
|
|
|
|
following files:
|
|
|
|
|
|
|
|
| File | Description | Usage |
|
|
|
|
|-----------------|------------------------------|---------------------------|
|
|
|
|
| `ca.pem` | CA certificate | `ca_file` setting |
|
|
|
|
| `ca-key.pem` | CA private key | Signing CSRs |
|
|
|
|
| `nomad.pem` | Nomad cert for global region | `cert_file` setting |
|
|
|
|
| `nomad-key.pem` | Nomad key for foo region | `key_file` setting |
|
|
|
|
| `*.csr` | Certificate Signing Requests | Generating certs (temporary) |
|
|
|
|
|
|
|
|
In your Nomad configuration add the `tls` stanza:
|
|
|
|
|
|
|
|
```hcl
|
|
|
|
tls {
|
|
|
|
http = true
|
|
|
|
rpc = true
|
|
|
|
verify_server_hostname = true
|
|
|
|
ca_file = "ca.pem"
|
|
|
|
cert_file = "nomad.pem"
|
|
|
|
key_file = "nomad-key.pem"
|
|
|
|
}
|
|
|
|
```
|
|
|
|
|
|
|
|
[vault]: https://www.vaultproject.io/docs/secrets/pki/
|
|
|
|
[PKI]: https://en.wikipedia.org/wiki/Public_key_infrastructure
|
|
|
|
[cfssl]: https://cfssl.org/
|
|
|
|
[openssl]: https://www.openssl.org/
|
2016-11-17 18:04:24 +00:00
|
|
|
[tls]: /docs/agent/configuration/tls.html "Nomad TLS Configuration"
|