open-nomad/demo/tls
Michael Schurter 1cc4759025 Add demo TLS certificates and configs
As well as a brief readme and makefile for generating the certificates.
2018-01-09 10:14:42 -08:00
ca-csr.json
ca-key.pem
ca.csr
ca.pem
cfssl-user.json
cfssl.json
client-key.pem
client.csr
client.pem
csr.json
dev-key.pem
dev.csr
dev.pem
GNUmakefile
README.md
server-key.pem
server.csr
server.pem
tls-client.hcl
tls-dev.hcl
tls-server.hcl
user-key.pem
user.csr
user.pem
user.pfx

Demo TLS Configuration

Do NOT use in production. For testing purposes only.

See Securing Nomad for a full guide.

This directory contains sample TLS certificates and configuration to ease testing of TLS-related features. There is a makefile to generate certificates, and pre-generated certificates are available for use.

Files

| Generated? | File | Description |
|---|---|---|
| ◻️ | GNUmakefile | Makefile to generate certificates |
| ◻️ | tls-*.hcl | Nomad TLS configurations |
| ◻️ | cfssl*.json | cfssl configuration files |
| ◻️ | csr*.json | cfssl certificate generation configurations |
| ☑️ | ca*.pem | Certificate Authority certificate and key |
| ☑️ | client*.pem | Nomad client node certificate and key |
| ☑️ | dev*.pem | Nomad certificate and key for dev agents |
| ☑️ | server*.pem | Nomad server certificate and key |
| ☑️ | user*.pem | Nomad user (CLI) certificate and key |
| ☑️ | user.pfx | Nomad browser PKCS #12 certificate and key (blank password) |
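
The pre-generated pairs above have a fixed lifetime and were issued by the demo CA, so before pointing an agent at them it is worth confirming they still fit together. The following POSIX shell script is an added check, not part of the demo directory: `check_cert_pair` verifies that a certificate chains to `ca.pem`, that its private key matches, and that it has not expired. It assumes `openssl` is on PATH; `make_demo_pki` builds a constructed throwaway CA and server pair so the check can be exercised without the cfssl-generated demo files.

```shell
#!/bin/sh
# Sanity-check one demo certificate pair, e.g.: check_cert_pair ca.pem server.pem server-key.pem
#   1. the certificate chains to the CA certificate,
#   2. the private key really belongs to the certificate,
#   3. the certificate has not expired (the demo files have a fixed lifetime).
# Prints a reason and returns 1 on the first failed check, 0 when all pass.
check_cert_pair() {
  ca=$1 cert=$2 key=$3
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "$cert: does not chain to $ca"; return 1; }
  # Compare the public key embedded in the certificate with the one derived from the key file.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
    || { echo "$cert: public key does not match $key"; return 1; }
  # -checkend 0 succeeds only while the certificate is still within its validity period.
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
    || { echo "$cert: expired"; return 1; }
  return 0
}

# Constructed stand-in for the demo directory (NOT the cfssl-generated demo files):
# a throwaway self-signed CA and a server pair issued by it, written into $1.
make_demo_pki() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=demo-ca" -days 1 \
    -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=server.global.nomad" \
    -keyout "$dir/server-key.pem" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" \
    -CAcreateserial -days 1 -out "$dir/server.pem" 2>/dev/null
}

# Against the real demo files, run from this directory:
#   check_cert_pair ca.pem server.pem server-key.pem && echo "server pair OK"
```

The same call works for the client, dev and user pairs by substituting the file names from the table.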

Usage

Agent

To run a TLS-enabled Nomad agent, include one of the tls-*.hcl configuration files alongside either the -dev flag or your own configuration file. If you're not running the nomad agent command from this directory, you will have to edit the certificate paths in the tls-*.hcl file you use.

# Run the dev agent with TLS enabled
nomad agent -dev -config=tls-dev.hcl

# Run a *server* agent with your configuration and TLS enabled
nomad agent -config=path/to/custom.hcl -config=tls-server.hcl

# Run a *client* agent with your configuration and TLS enabled
nomad agent -config=path/to/custom.hcl -config=tls-client.hcl

Browser

To access the Nomad Web UI when TLS is enabled you will need to import two certificate files into your browser:

  • ca.pem must be imported as a Certificate Authority
  • user.pfx must be imported as a Client certificate. The password is blank.

When you access the UI via https://localhost:4646/ you will be prompted to select the user certificate you imported.