github.com/obeyler/nomad@v0.11.8/demo/tls/README.md

Demo TLS Configuration
======================

**Do _NOT_ use in production. For testing purposes only.**

See [Securing Nomad](https://www.nomadproject.io/guides/securing-nomad.html)
for a full guide.

This directory contains sample TLS certificates and configuration to ease
testing of TLS-related features. There is a makefile to generate certificates,
and pre-generated certificates are available for use.

## Files

| Generated? | File | Description |
| - | ------------- | ---|
| ◻️ | `GNUmakefile` | Makefile to generate certificates |
| ◻️ | `tls-*.hcl`   | Nomad TLS configurations |
| ◻️ | `cfssl*.json` | cfssl configuration files |
| ◻️ | `csr*.json`   | cfssl certificate generation configurations |
| ☑️ | `ca*.pem`     | Certificate Authority certificate and key |
| ☑️ | `client*.pem` | Nomad client node certificate and key |
| ☑️ | `dev*.pem`    | Nomad certificate and key for dev agents |
| ☑️ | `server*.pem` | Nomad server certificate and key |
| ☑️ | `user*.pem`   | Nomad user (CLI) certificate and key |
| ☑️ | `user.pfx`    | Nomad browser PKCS #12 certificate and key *(blank password)* |

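The pre-generated `*.pem` files listed above, keys included, ship with the repository, so a useful check before going live is that none of them ended up in a real deployment. The script below is an added example, not part of the Nomad repository: it fingerprints every PEM block in this directory and reports any file under a deployment directory that contains the same block, even if renamed, re-wrapped or bundled. The function names and the script name are assumptions, and `user.pfx` (PKCS #12, not PEM) is not covered.

```python
# Added example; function names and the script name are assumptions.
import base64
import hashlib
import re
import sys
from pathlib import Path

# One match per PEM block (certificate or private key), label captured first.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def pem_digests(text):
    """Map sha256(decoded body) -> PEM label for every block in text."""
    digests = {}
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            continue  # damaged or header-carrying block: nothing reliable to hash
        digests[hashlib.sha256(der).hexdigest()] = label
    return digests


def load_denylist(demo_dir):
    """Fingerprint every *.pem in the demo directory (known-public material)."""
    deny = {}
    for path in sorted(Path(demo_dir).glob("*.pem")):
        for digest, label in pem_digests(path.read_text(errors="replace")).items():
            deny[digest] = f"{path.name} ({label})"
    return deny


def find_demo_material(deploy_dir, denylist):
    """Return (deployed file, demo file it matches) pairs found under deploy_dir."""
    hits = []
    for path in sorted(Path(deploy_dir).rglob("*")):
        if not path.is_file() or path.stat().st_size > 1_000_000:
            continue  # skip directories and anything too large to be a PEM bundle
        for digest in pem_digests(path.read_text(errors="replace")):
            if digest in denylist:
                hits.append((path.relative_to(deploy_dir).as_posix(), denylist[digest]))
    return hits


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_demo_certs.py DEMO_TLS_DIR DEPLOY_DIR")
    found = find_demo_material(sys.argv[2], load_denylist(sys.argv[1]))
    for deployed, source in found:
        print(f"DEMO MATERIAL: {deployed} matches {source}")
    sys.exit(1 if found else 0)
```

The script exits non-zero when a match is found, so it can gate a deployment pipeline or run as a periodic host check.
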
## Usage

### Agent

To run a TLS-enabled Nomad agent, include the appropriate `tls-*.hcl`
configuration file with either the `-dev` flag or your own configuration file.
If you're not running the `nomad agent` command from *this* directory, you will
have to edit the paths in that file.

```sh
# Run the dev agent with TLS enabled
nomad agent -dev -config=tls-dev.hcl

# Run a *server* agent with your configuration and TLS enabled
nomad agent -config=path/to/custom.hcl -config=tls-server.hcl

# Run a *client* agent with your configuration and TLS enabled
nomad agent -config=path/to/custom.hcl -config=tls-client.hcl
```

### Browser

To access the Nomad Web UI when TLS is enabled you will need to import two
certificate files into your browser:

- `ca.pem` must be imported as a Certificate Authority
- `user.pfx` must be imported as a Client certificate. The password is blank.

When you access the UI via https://localhost:4646/ you will be prompted to
select the user certificate you imported.