open-nomad/e2e/terraform/tls_ca.tf
Mahmood Ali fec0adbb0e
Support mTLS clusters for e2e testing (#11092)
This allows us to spin up e2e clusters with mTLS configured for all HashiCorp services, i.e. Nomad, Consul, and Vault. Used it for testing #11089 .

mTLS is disabled by default. I have not updated Windows provisioning scripts yet - Windows also lacks ACL support from before. I intend to follow up for them in another round.
2021-08-30 10:18:16 -04:00

71 lines
1.7 KiB
HCL

resource "tls_private_key" "ca" {
algorithm = "ECDSA"
ecdsa_curve = "P384"
}
resource "tls_self_signed_cert" "ca" {
key_algorithm = "ECDSA"
private_key_pem = tls_private_key.ca.private_key_pem
subject {
common_name = "${local.random_name} Nomad E2E Cluster"
organization = local.random_name
}
validity_period_hours = 720
is_ca_certificate = true
allowed_uses = ["cert_signing"]
}
resource "local_file" "ca_key" {
filename = "keys/tls_ca.key"
content = tls_private_key.ca.private_key_pem
}
resource "local_file" "ca_cert" {
filename = "keys/tls_ca.crt"
content = tls_self_signed_cert.ca.cert_pem
}
resource "tls_private_key" "api_client" {
algorithm = "ECDSA"
ecdsa_curve = "P384"
}
resource "tls_cert_request" "api_client" {
key_algorithm = "ECDSA"
private_key_pem = tls_private_key.api_client.private_key_pem
subject {
common_name = "${local.random_name} api client"
}
}
resource "tls_locally_signed_cert" "api_client" {
cert_request_pem = tls_cert_request.api_client.cert_request_pem
ca_key_algorithm = tls_private_key.ca.algorithm
ca_private_key_pem = tls_private_key.ca.private_key_pem
ca_cert_pem = tls_self_signed_cert.ca.cert_pem
validity_period_hours = 720
# Reasonable set of uses for a server SSL certificate.
allowed_uses = [
"key_encipherment",
"digital_signature",
"client_auth",
]
}
resource "local_file" "api_client_key" {
filename = "keys/tls_api_client.key"
content = tls_private_key.api_client.private_key_pem
}
resource "local_file" "api_client_cert" {
filename = "keys/tls_api_client.crt"
content = tls_locally_signed_cert.api_client.cert_pem
}