open-nomad/demo/tls/README.md


Demo TLS Configuration
======================
**Do _NOT_ use in production. For testing purposes only.**

See [Securing Nomad](https://www.nomadproject.io/guides/securing-nomad.html)
for a full guide.

This directory contains sample TLS certificates and configuration to ease
testing of TLS-related features. There is a makefile to generate certificates,
and pre-generated certificates are available for use.
## Files
| Generated? | File | Description |
| - | ------------- | ---|
| ◻️ | `GNUmakefile` | Makefile to generate certificates |
| ◻️ | `tls-*.hcl` | Nomad TLS configurations |
| ◻️ | `cfssl*.json` | cfssl configuration files |
| ◻️ | `csr*.json` | cfssl certificate generation configurations |
| ☑️ | `ca*.pem` | Certificate Authority certificate and key |
| ☑️ | `client*.pem` | Nomad client node certificate and key |
| ☑️ | `dev*.pem` | Nomad certificate and key for dev agents |
| ☑️ | `server*.pem` | Nomad server certificate and key |
| ☑️ | `user*.pem` | Nomad user (CLI) certificate and key |
| ☑️ | `user.pfx` | Nomad browser PKCS #12 certificate and key *(blank password)* |
## Usage
### Agent
To run a TLS-enabled Nomad agent, include the matching `tls-*.hcl`
configuration file (`tls-dev.hcl`, `tls-server.hcl` or `tls-client.hcl`)
together with either the `-dev` flag or your own configuration file. If you're
not running the `nomad agent` command from *this* directory you will have to
edit the certificate paths in the `tls-*.hcl` files.
```sh
# Run the dev agent with TLS enabled
nomad agent -dev -config=tls-dev.hcl
# Run a *server* agent with your configuration and TLS enabled
nomad agent -config=path/to/custom.hcl -config=tls-server.hcl
# Run a *client* agent with your configuration and TLS enabled
nomad agent -config=path/to/custom.hcl -config=tls-client.hcl
```
### Browser
To access the Nomad Web UI when TLS is enabled you will need to import two
certificate files into your browser:
- `ca.pem` must be imported as a Certificate Authority
- `user.pfx` must be imported as a Client certificate. The password is blank.

When you access the UI via https://localhost:4646/ you will be prompted to
select the user certificate you imported.
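The trust setup the Agent and Browser sections rely on (a server certificate and a user certificate both issued by the demo CA, with the agent accepting only clients that present a certificate it trusts), as an added Go example; this is not code from this directory or from Nomad. It builds a throwaway CA, server and user certificate in memory instead of reading the pre-generated `*.pem` files, and the names `newCert` and `MutualTLSCheck` are the example's own.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// newCert mints an in-memory Ed25519 certificate: a self-signed CA when ca is nil, otherwise a leaf signed by ca.
func newCert(cn string, ca *x509.Certificate, caKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), DNSNames: []string{"localhost"},
		IsCA: ca == nil, BasicConstraintsValid: true, // KeyUsage left zero, so no KU extension is emitted (unrestricted)
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	if ca == nil { // self-signed root: it is its own issuer and signs with its own key
		ca, caKey = tmpl, priv
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// MutualTLSCheck runs an HTTPS server that trusts only the constructed CA and requires a client certificate, then reports whether a request succeeds with the user certificate and without one.
func MutualTLSCheck() (withUserCert, withoutCert bool) {
	ca, caKey := newCert("demo-ca", nil, nil)
	server, serverKey := newCert("server", ca, caKey)
	user, userKey := newCert("user", ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca) // the same trust the browser gains when ca.pem is imported as a Certificate Authority
	ts := httptest.NewUnstartedServer(http.NotFoundHandler())
	ts.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool,
		Certificates: []tls.Certificate{{Certificate: [][]byte{server.Raw}, PrivateKey: serverKey}}}
	ts.StartTLS()
	defer ts.Close()
	get := func(certs ...tls.Certificate) bool { // one request, optionally presenting a client certificate
		tc := &tls.Config{RootCAs: pool, ServerName: "localhost", Certificates: certs}
		resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: tc}}).Get(ts.URL)
		return err == nil && resp.Body.Close() == nil // err means the server refused the handshake
	}
	return get(tls.Certificate{Certificate: [][]byte{user.Raw}, PrivateKey: userKey}), get()
}

func main() { fmt.Println(MutualTLSCheck()) } // prints: true false
```

The second result is the failure mode a browser hits when `ca.pem` is trusted but `user.pfx` was never imported: the server ends the handshake rather than serving the UI.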