github.com/smintz/nomad@v0.8.3/website/source/docs/agent/configuration/tls.html.md

---
layout: "docs"
page_title: "tls Stanza - Agent Configuration"
sidebar_current: "docs-agent-configuration-tls"
description: |-
  The "tls" stanza configures Nomad's TLS communication via HTTP and RPC to
  enforce secure cluster communication between servers and clients.
---

# `tls` Stanza

<table class="table table-bordered table-striped">
  <tr>
    <th width="120">Placement</th>
    <td>
      <code>**tls**</code>
    </td>
  </tr>
</table>

The `tls` stanza configures Nomad's TLS communication via HTTP and RPC to
enforce secure cluster communication between servers and clients.

```hcl
tls {
  http = true
  rpc  = true
}
```

~> Incorrect TLS configuration can prevent the Nomad agent from starting.

This section of the documentation only covers the configuration options for the
`tls` stanza. To understand how to set up the certificates themselves, please see
[Agent's Gossip and RPC Encryption](/docs/agent/encryption.html).

## `tls` Parameters

- `ca_file` `(string: "")` - Specifies the path to the CA certificate to use for
  Nomad's TLS communication.

- `cert_file` `(string: "")` - Specifies the path to the certificate file used
  for Nomad's TLS communication.

- `key_file` `(string: "")` - Specifies the path to the key file to use for
  Nomad's TLS communication.

- `http` `(bool: false)` - Specifies whether TLS should be enabled on the HTTP
  endpoints of the Nomad agent, including the API.

- `rpc` `(bool: false)` - Specifies whether TLS should be enabled on the RPC
  endpoints and [Raft][raft] traffic between the Nomad servers. Enabling this on
  a Nomad client makes the client use TLS for its RPC requests to the Nomad
  servers.

- `rpc_upgrade_mode` `(bool: false)` - This option should be used only while the
  cluster is being upgraded to TLS, and removed once the migration is
  complete. It allows the agent to accept both TLS and plaintext RPC traffic.

- `verify_https_client` `(bool: false)` - Specifies whether agents should require
  client certificates for all incoming HTTPS requests. The client certificates
  must be signed by the same CA used by Nomad.

- `verify_server_hostname` `(bool: false)` - Specifies whether outgoing TLS
  connections should verify the server's hostname.

## `tls` Examples

The following examples show only the `tls` stanza. Remember that the
`tls` stanza is only valid in the placements listed above.

### Enabling TLS

This example enables TLS for both HTTP and RPC traffic between all servers and
clients, using the CA certificate, agent certificate, and private key at the
paths given.

```hcl
tls {
  http = true
  rpc  = true

  ca_file   = "/etc/certs/ca.crt"
  cert_file = "/etc/certs/nomad.crt"
  key_file  = "/etc/certs/nomad.key"
}
```
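As an added pre-flight check (not part of the Nomad docs or the Nomad code base), the following Python lint parses the flat `tls` stanza shown above and reports the settings the parameter list describes as weakening or breaking the agent's TLS setup: empty certificate paths while TLS is on, `rpc_upgrade_mode` left enabled, and the two `verify_*` switches left at their `false` default. `parse_tls_stanza` and `lint_tls` are hypothetical helper names, the sample stanzas are constructed from the example on this page, and the parser handles only this flat block, not general HCL.

```python
import re

# Parameter names documented in the `tls` stanza above.
TLS_KEYS = {"ca_file", "cert_file", "key_file", "http", "rpc",
            "rpc_upgrade_mode", "verify_https_client", "verify_server_hostname"}

# Constructed samples: the page's "Enabling TLS" stanza, and the same stanza with
# both verification switches turned on.
PAGE_EXAMPLE = '''tls {
  http = true
  rpc  = true
  ca_file   = "/etc/certs/ca.crt"
  cert_file = "/etc/certs/nomad.crt"
  key_file  = "/etc/certs/nomad.key"
}'''
HARDENED = PAGE_EXAMPLE.replace("}", "  verify_server_hostname = true\n  verify_https_client = true\n}")

def parse_tls_stanza(hcl: str) -> dict:
    """Parse the flat `tls { key = value }` block (no nested blocks; not a full HCL parser)."""
    m = re.search(r"tls\s*\{(.*?)\}", hcl, re.S)
    if not m:
        raise ValueError("no tls stanza found")
    conf = {}
    for line in m.group(1).splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, raw = line.partition("=")
        key, raw = key.strip(), raw.strip()
        if key not in TLS_KEYS:
            raise ValueError(f"unknown tls parameter: {key}")
        conf[key] = raw == "true" if raw in ("true", "false") else raw.strip('"')
    return conf

def lint_tls(conf: dict) -> list:
    """Return one finding per setting that leaves agent traffic weaker than intended."""
    findings = []
    if not (conf.get("http") or conf.get("rpc")):
        return ["http and rpc are both false: all agent traffic is plaintext"]
    for k in ("ca_file", "cert_file", "key_file"):
        if not conf.get(k):
            findings.append(f"{k} is unset while TLS is enabled")
    if conf.get("rpc") and not conf.get("verify_server_hostname"):
        findings.append("rpc = true without verify_server_hostname: any CA-signed cert is accepted as a server")
    if conf.get("http") and not conf.get("verify_https_client"):
        findings.append("http = true without verify_https_client: HTTPS API accepts clients without a certificate")
    if conf.get("rpc_upgrade_mode"):
        findings.append("rpc_upgrade_mode = true: plaintext RPC still accepted; remove after the migration")
    return findings
```

Run `lint_tls(parse_tls_stanza(open("agent.hcl").read()))` against an agent config before restarting the agent; an empty list means none of the documented weak settings are present.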

[raft]: https://github.com/hashicorp/serf "Serf by HashiCorp"