Merge pull request #3127 from hashicorp/b-tls-api

Fix TLSServerName for Node API Client

api/api.go

@@ -94,9 +94,8 @@ type Config struct {
 	// Region to use. If not provided, the default agent region is used.
 	Region string
 
-	// HttpClient is the client to use. Default will be
-	// used if not provided.
-	HttpClient *http.Client
+	// httpClient is the client to use. Default will be used if not provided.
+	httpClient *http.Client
 
 	// HttpAuth is the auth info to use for http access.
 	HttpAuth *HttpBasicAuth
@@ -117,15 +116,18 @@ func (c *Config) ClientConfig(region, address string, tlsEnabled bool) *Config {
 	if tlsEnabled {
 		scheme = "https"
 	}
+	defaultConfig := DefaultConfig()
 	config := &Config{
 		Address:    fmt.Sprintf("%s://%s", scheme, address),
 		Region:     region,
-		HttpClient: c.HttpClient,
+		httpClient: defaultConfig.httpClient,
 		HttpAuth:   c.HttpAuth,
 		WaitTime:   c.WaitTime,
 		TLSConfig:  c.TLSConfig.Copy(),
 	}
-	config.TLSConfig.TLSServerName = fmt.Sprintf("client.%s.nomad", c.Region)
+	if tlsEnabled && config.TLSConfig != nil {
+		config.TLSConfig.TLSServerName = fmt.Sprintf("client.%s.nomad", region)
+	}
 
 	return config
 }
@@ -169,10 +171,10 @@ func (t *TLSConfig) Copy() *TLSConfig {
 func DefaultConfig() *Config {
 	config := &Config{
 		Address:    "http://127.0.0.1:4646",
-		HttpClient: cleanhttp.DefaultClient(),
+		httpClient: cleanhttp.DefaultClient(),
 		TLSConfig:  &TLSConfig{},
 	}
-	transport := config.HttpClient.Transport.(*http.Transport)
+	transport := config.httpClient.Transport.(*http.Transport)
 	transport.TLSHandshakeTimeout = 10 * time.Second
 	transport.TLSClientConfig = &tls.Config{
 		MinVersion: tls.VersionTLS12,
@@ -221,7 +223,10 @@ func DefaultConfig() *Config {
 
 // ConfigureTLS applies a set of TLS configurations to the the HTTP client.
 func (c *Config) ConfigureTLS() error {
-	if c.HttpClient == nil {
+	if c.TLSConfig == nil {
+		return nil
+	}
+	if c.httpClient == nil {
 		return fmt.Errorf("config HTTP Client must be set")
 	}
 
@@ -240,7 +245,7 @@ func (c *Config) ConfigureTLS() error {
 		}
 	}
 
-	clientTLSConfig := c.HttpClient.Transport.(*http.Transport).TLSClientConfig
+	clientTLSConfig := c.httpClient.Transport.(*http.Transport).TLSClientConfig
 	rootConfig := &rootcerts.Config{
 		CAFile: c.TLSConfig.CACert,
 		CAPath: c.TLSConfig.CAPath,
@@ -277,8 +282,8 @@ func NewClient(config *Config) (*Client, error) {
 		return nil, fmt.Errorf("invalid address '%s': %v", config.Address, err)
 	}
 
-	if config.HttpClient == nil {
-		config.HttpClient = defConfig.HttpClient
+	if config.httpClient == nil {
+		config.httpClient = defConfig.httpClient
 	}
 
 	// Configure the TLS cofigurations
@@ -300,7 +305,18 @@ func (c *Client) SetRegion(region string) {
 // GetNodeClient returns a new Client that will dial the specified node. If the
 // QueryOptions is set, its region will be used.
 func (c *Client) GetNodeClient(nodeID string, q *QueryOptions) (*Client, error) {
-	node, _, err := c.Nodes().Info(nodeID, q)
+	return c.getNodeClientImpl(nodeID, q, c.Nodes().Info)
+}
+
+// nodeLookup is the definition of a function used to lookup a node. This is
+// largely used to mock the lookup in tests.
+type nodeLookup func(nodeID string, q *QueryOptions) (*Node, *QueryMeta, error)
+
+// getNodeClientImpl is the implementation of creating a API client for
+// contacting a node. It takes a function to lookup the node such that it can be
+// mocked during tests.
+func (c *Client) getNodeClientImpl(nodeID string, q *QueryOptions, lookup nodeLookup) (*Client, error) {
+	node, _, err := lookup(nodeID, q)
 	if err != nil {
 		return nil, err
 	}
@@ -311,9 +327,17 @@ func (c *Client) GetNodeClient(nodeID string, q *QueryOptions) (*Client, error)
 		return nil, fmt.Errorf("http addr of node %q (%s) is not advertised", node.Name, nodeID)
 	}
 
-	region := c.config.Region
-	if q != nil && q.Region != "" {
+	var region string
+	switch {
+	case q != nil && q.Region != "":
+		// Prefer the region set in the query parameter
 		region = q.Region
+	case c.config.Region != "":
+		// If the client is configured for a particular region use that
+		region = c.config.Region
+	default:
+		// No region information is given so use the default.
+		region = "global"
 	}
 
 	// Get an API client for the node
@@ -471,7 +495,7 @@ func (c *Client) doRequest(r *request) (time.Duration, *http.Response, error) {
 		return 0, nil, err
 	}
 	start := time.Now()
-	resp, err := c.config.HttpClient.Do(req)
+	resp, err := c.config.httpClient.Do(req)
 	diff := time.Now().Sub(start)
 
 	// If the response is compressed, we swap the body's reader.

api/api_test.go

@@ -2,6 +2,7 @@ package api
 
 import (
 	"encoding/json"
+	"fmt"
 	"net/http"
 	"net/http/httptest"
 	"os"
@@ -9,7 +10,9 @@ import (
 	"testing"
 	"time"
 
+	"github.com/hashicorp/nomad/nomad/structs"
 	"github.com/hashicorp/nomad/testutil"
+	"github.com/stretchr/testify/assert"
 )
 
 type configCallback func(c *Config)
@@ -243,3 +246,126 @@ func TestQueryString(t *testing.T) {
 		t.Fatalf("bad uri: %q", uri)
 	}
 }
+
+func TestClient_NodeClient(t *testing.T) {
+	http := "testdomain:4646"
+	tlsNode := func(string, *QueryOptions) (*Node, *QueryMeta, error) {
+		return &Node{
+			ID:         structs.GenerateUUID(),
+			Status:     "ready",
+			HTTPAddr:   http,
+			TLSEnabled: true,
+		}, nil, nil
+	}
+	noTlsNode := func(string, *QueryOptions) (*Node, *QueryMeta, error) {
+		return &Node{
+			ID:         structs.GenerateUUID(),
+			Status:     "ready",
+			HTTPAddr:   http,
+			TLSEnabled: false,
+		}, nil, nil
+	}
+
+	optionNoRegion := &QueryOptions{}
+	optionRegion := &QueryOptions{
+		Region: "foo",
+	}
+
+	clientNoRegion, err := NewClient(DefaultConfig())
+	assert.Nil(t, err)
+
+	regionConfig := DefaultConfig()
+	regionConfig.Region = "bar"
+	clientRegion, err := NewClient(regionConfig)
+	assert.Nil(t, err)
+
+	expectedTLSAddr := fmt.Sprintf("https://%s", http)
+	expectedNoTLSAddr := fmt.Sprintf("http://%s", http)
+
+	cases := []struct {
+		Node                  nodeLookup
+		QueryOptions          *QueryOptions
+		Client                *Client
+		ExpectedAddr          string
+		ExpectedRegion        string
+		ExpectedTLSServerName string
+	}{
+		{
+			Node:                  tlsNode,
+			QueryOptions:          optionNoRegion,
+			Client:                clientNoRegion,
+			ExpectedAddr:          expectedTLSAddr,
+			ExpectedRegion:        "global",
+			ExpectedTLSServerName: "client.global.nomad",
+		},
+		{
+			Node:                  tlsNode,
+			QueryOptions:          optionRegion,
+			Client:                clientNoRegion,
+			ExpectedAddr:          expectedTLSAddr,
+			ExpectedRegion:        "foo",
+			ExpectedTLSServerName: "client.foo.nomad",
+		},
+		{
+			Node:                  tlsNode,
+			QueryOptions:          optionRegion,
+			Client:                clientRegion,
+			ExpectedAddr:          expectedTLSAddr,
+			ExpectedRegion:        "foo",
+			ExpectedTLSServerName: "client.foo.nomad",
+		},
+		{
+			Node:                  tlsNode,
+			QueryOptions:          optionNoRegion,
+			Client:                clientRegion,
+			ExpectedAddr:          expectedTLSAddr,
+			ExpectedRegion:        "bar",
+			ExpectedTLSServerName: "client.bar.nomad",
+		},
+		{
+			Node:                  noTlsNode,
+			QueryOptions:          optionNoRegion,
+			Client:                clientNoRegion,
+			ExpectedAddr:          expectedNoTLSAddr,
+			ExpectedRegion:        "global",
+			ExpectedTLSServerName: "",
+		},
+		{
+			Node:                  noTlsNode,
+			QueryOptions:          optionRegion,
+			Client:                clientNoRegion,
+			ExpectedAddr:          expectedNoTLSAddr,
+			ExpectedRegion:        "foo",
+			ExpectedTLSServerName: "",
+		},
+		{
+			Node:                  noTlsNode,
+			QueryOptions:          optionRegion,
+			Client:                clientRegion,
+			ExpectedAddr:          expectedNoTLSAddr,
+			ExpectedRegion:        "foo",
+			ExpectedTLSServerName: "",
+		},
+		{
+			Node:                  noTlsNode,
+			QueryOptions:          optionNoRegion,
+			Client:                clientRegion,
+			ExpectedAddr:          expectedNoTLSAddr,
+			ExpectedRegion:        "bar",
+			ExpectedTLSServerName: "",
+		},
+	}
+
+	for _, c := range cases {
+		name := fmt.Sprintf("%s__%s__%s", c.ExpectedAddr, c.ExpectedRegion, c.ExpectedTLSServerName)
+		t.Run(name, func(t *testing.T) {
+			assert := assert.New(t)
+			nodeClient, err := c.Client.getNodeClientImpl("testID", c.QueryOptions, c.Node)
+			assert.Nil(err)
+			assert.Equal(c.ExpectedRegion, nodeClient.config.Region)
+			assert.Equal(c.ExpectedAddr, nodeClient.config.Address)
+			assert.NotNil(nodeClient.config.TLSConfig)
+			assert.Equal(c.ExpectedTLSServerName, nodeClient.config.TLSConfig.TLSServerName)
+		})
+	}
+}

command/alloc_status.go

@@ -72,7 +72,11 @@ func (c *AllocStatusCommand) AutocompleteFlags() complete.Flags {
 
 func (c *AllocStatusCommand) AutocompleteArgs() complete.Predictor {
 	return complete.PredictFunc(func(a complete.Args) []string {
-		client, _ := c.Meta.Client()
+		client, err := c.Meta.Client()
+		if err != nil {
+			return nil
+		}
+
 		resp, _, err := client.Search().PrefixSearch(a.Last, contexts.Allocs, nil)
 		if err != nil {
 			return []string{}

command/deployment_fail.go

@@ -52,7 +52,11 @@ func (c *DeploymentFailCommand) AutocompleteFlags() complete.Flags {
 
 func (c *DeploymentFailCommand) AutocompleteArgs() complete.Predictor {
 	return complete.PredictFunc(func(a complete.Args) []string {
-		client, _ := c.Meta.Client()
+		client, err := c.Meta.Client()
+		if err != nil {
+			return nil
+		}
+
 		resp, _, err := client.Search().PrefixSearch(a.Last, contexts.Deployments, nil)
 		if err != nil {
 			return []string{}

command/deployment_pause.go

@@ -44,7 +44,11 @@ func (c *DeploymentPauseCommand) AutocompleteFlags() complete.Flags {
 
 func (c *DeploymentPauseCommand) AutocompleteArgs() complete.Predictor {
 	return complete.PredictFunc(func(a complete.Args) []string {
-		client, _ := c.Meta.Client()
+		client, err := c.Meta.Client()
+		if err != nil {
+			return nil
+		}
+
 		resp, _, err := client.Search().PrefixSearch(a.Last, contexts.Deployments, nil)
 		if err != nil {
 			return []string{}

command/deployment_promote.go

@@ -62,7 +62,11 @@ func (c *DeploymentPromoteCommand) AutocompleteFlags() complete.Flags {
 
 func (c *DeploymentPromoteCommand) AutocompleteArgs() complete.Predictor {
 	return complete.PredictFunc(func(a complete.Args) []string {
-		client, _ := c.Meta.Client()
+		client, err := c.Meta.Client()
+		if err != nil {
+			return nil
+		}
+
 		resp, _, err := client.Search().PrefixSearch(a.Last, contexts.Deployments, nil)
 		if err != nil {
 			return []string{}

command/deployment_resume.go

@@ -50,7 +50,11 @@ func (c *DeploymentResumeCommand) AutocompleteFlags() complete.Flags {
 
 func (c *DeploymentResumeCommand) AutocompleteArgs() complete.Predictor {
 	return complete.PredictFunc(func(a complete.Args) []string {
-		client, _ := c.Meta.Client()
+		client, err := c.Meta.Client()
+		if err != nil {
+			return nil
+		}
+
 		resp, _, err := client.Search().PrefixSearch(a.Last, contexts.Deployments, nil)
 		if err != nil {
 			return []string{}

command/deployment_status.go

@@ -53,7 +53,11 @@ func (c *DeploymentStatusCommand) AutocompleteFlags() complete.Flags {
 
 func (c *DeploymentStatusCommand) AutocompleteArgs() complete.Predictor {
 	return complete.PredictFunc(func(a complete.Args) []string {
-		client, _ := c.Meta.Client()
+		client, err := c.Meta.Client()
+		if err != nil {
+			return nil
+		}
+
 		resp, _, err := client.Search().PrefixSearch(a.Last, contexts.Deployments, nil)
 		if err != nil {
 			return []string{}

command/eval_status.go

@@ -60,7 +60,15 @@ func (c *EvalStatusCommand) AutocompleteFlags() complete.Flags {
 
 func (c *EvalStatusCommand) AutocompleteArgs() complete.Predictor {
 	return complete.PredictFunc(func(a complete.Args) []string {
-		client, _ := c.Meta.Client()
+		client, err := c.Meta.Client()
+		if err != nil {
+			return nil
+		}
+
+		if err != nil {
+			return nil
+		}
+
 		resp, _, err := client.Search().PrefixSearch(a.Last, contexts.Evals, nil)
 		if err != nil {
 			return []string{}

command/fs.go

@@ -95,7 +95,11 @@ func (c *FSCommand) AutocompleteFlags() complete.Flags {
 
 func (f *FSCommand) AutocompleteArgs() complete.Predictor {
 	return complete.PredictFunc(func(a complete.Args) []string {
-		client, _ := f.Meta.Client()
+		client, err := f.Meta.Client()
+		if err != nil {
+			return nil
+		}
+
 		resp, _, err := client.Search().PrefixSearch(a.Last, contexts.Allocs, nil)
 		if err != nil {
 			return []string{}

command/inspect.go

@@ -52,7 +52,11 @@ func (c *InspectCommand) AutocompleteFlags() complete.Flags {
 
 func (c *InspectCommand) AutocompleteArgs() complete.Predictor {
 	return complete.PredictFunc(func(a complete.Args) []string {
-		client, _ := c.Meta.Client()
+		client, err := c.Meta.Client()
+		if err != nil {
+			return nil
+		}
+
 		resp, _, err := client.Search().PrefixSearch(a.Last, contexts.Jobs, nil)
 		if err != nil {
 			return []string{}

command/job_deployments.go

@@ -55,7 +55,11 @@ func (c *JobDeploymentsCommand) AutocompleteFlags() complete.Flags {
 
 func (c *JobDeploymentsCommand) AutocompleteArgs() complete.Predictor {
 	return complete.PredictFunc(func(a complete.Args) []string {
-		client, _ := c.Meta.Client()
+		client, err := c.Meta.Client()
+		if err != nil {
+			return nil
+		}
+
 		resp, _, err := client.Search().PrefixSearch(a.Last, contexts.Jobs, nil)
 		if err != nil {
 			return []string{}

command/job_dispatch.go

@@ -67,7 +67,11 @@ func (c *JobDispatchCommand) AutocompleteFlags() complete.Flags {
 
 func (c *JobDispatchCommand) AutocompleteArgs() complete.Predictor {
 	return complete.PredictFunc(func(a complete.Args) []string {
-		client, _ := c.Meta.Client()
+		client, err := c.Meta.Client()
+		if err != nil {
+			return nil
+		}
+
 		resp, _, err := client.Search().PrefixSearch(a.Last, contexts.Jobs, nil)
 		if err != nil {
 			return []string{}

command/job_history.go

@@ -67,7 +67,11 @@ func (c *JobHistoryCommand) Autocompleteflags() complete.Flags {
 
 func (c *JobHistoryCommand) AutocompleteArgs() complete.Predictor {
 	return complete.PredictFunc(func(a complete.Args) []string {
-		client, _ := c.Meta.Client()
+		client, err := c.Meta.Client()
+		if err != nil {
+			return nil
+		}
+
 		resp, _, err := client.Search().PrefixSearch(a.Last, contexts.Jobs, nil)
 		if err != nil {
 			return []string{}

command/job_promote.go

@@ -63,7 +63,11 @@ func (c *JobPromoteCommand) AutocompleteFlags() complete.Flags {
 
 func (c *JobPromoteCommand) AutocompleteArgs() complete.Predictor {
 	return complete.PredictFunc(func(a complete.Args) []string {
-		client, _ := c.Meta.Client()
+		client, err := c.Meta.Client()
+		if err != nil {
+			return nil
+		}
+
 		resp, _, err := client.Search().PrefixSearch(a.Last, contexts.Jobs, nil)
 		if err != nil {
 			return []string{}

command/job_revert.go

@@ -50,7 +50,11 @@ func (c *JobRevertCommand) AutocompleteFlags() complete.Flags {
 
 func (c *JobRevertCommand) AutocompleteArgs() complete.Predictor {
 	return complete.PredictFunc(func(a complete.Args) []string {
-		client, _ := c.Meta.Client()
+		client, err := c.Meta.Client()
+		if err != nil {
+			return nil
+		}
+
 		resp, _, err := client.Search().PrefixSearch(a.Last, contexts.Jobs, nil)
 		if err != nil {
 			return []string{}

command/job_status.go

@@ -72,7 +72,11 @@ func (c *JobStatusCommand) AutocompleteFlags() complete.Flags {
 
 func (c *JobStatusCommand) AutocompleteArgs() complete.Predictor {
 	return complete.PredictFunc(func(a complete.Args) []string {
-		client, _ := c.Meta.Client()
+		client, err := c.Meta.Client()
+		if err != nil {
+			return nil
+		}
+
 		resp, _, err := client.Search().PrefixSearch(a.Last, contexts.Jobs, nil)
 		if err != nil {
 			return []string{}

command/logs.go

@@ -76,7 +76,11 @@ func (c *LogsCommand) AutocompleteFlags() complete.Flags {
 
 func (l *LogsCommand) AutocompleteArgs() complete.Predictor {
 	return complete.PredictFunc(func(a complete.Args) []string {
-		client, _ := l.Meta.Client()
+		client, err := l.Meta.Client()
+		if err != nil {
+			return nil
+		}
+
 		resp, _, err := client.Search().PrefixSearch(a.Last, contexts.Allocs, nil)
 		if err != nil {
 			return []string{}

command/node_drain.go

@@ -57,7 +57,11 @@ func (c *NodeDrainCommand) AutocompleteFlags() complete.Flags {
 
 func (c *NodeDrainCommand) AutocompleteArgs() complete.Predictor {
 	return complete.PredictFunc(func(a complete.Args) []string {
-		client, _ := c.Meta.Client()
+		client, err := c.Meta.Client()
+		if err != nil {
+			return nil
+		}
+
 		resp, _, err := client.Search().PrefixSearch(a.Last, contexts.Nodes, nil)
 		if err != nil {
 			return []string{}

command/node_status.go

@@ -100,7 +100,11 @@ func (c *NodeStatusCommand) AutocompleteFlags() complete.Flags {
 
 func (c *NodeStatusCommand) AutocompleteArgs() complete.Predictor {
 	return complete.PredictFunc(func(a complete.Args) []string {
-		client, _ := c.Meta.Client()
+		client, err := c.Meta.Client()
+		if err != nil {
+			return nil
+		}
+
 		resp, _, err := client.Search().PrefixSearch(a.Last, contexts.Nodes, nil)
 		if err != nil {
 			return []string{}

command/status.go

@@ -38,7 +38,11 @@ func (c *StatusCommand) AutocompleteFlags() complete.Flags {
 
 func (c *StatusCommand) AutocompleteArgs() complete.Predictor {
 	return complete.PredictFunc(func(a complete.Args) []string {
-		client, _ := c.Meta.Client()
+		client, err := c.Meta.Client()
+		if err != nil {
+			return nil
+		}
+
 		resp, _, err := client.Search().PrefixSearch(a.Last, contexts.All, nil)
 		if err != nil {
 			return []string{}

command/stop.go

@@ -63,7 +63,11 @@ func (c *StopCommand) AutocompleteFlags() complete.Flags {
 
 func (c *StopCommand) AutocompleteArgs() complete.Predictor {
 	return complete.PredictFunc(func(a complete.Args) []string {
-		client, _ := c.Meta.Client()
+		client, err := c.Meta.Client()
+		if err != nil {
+			return nil
+		}
+
 		resp, _, err := client.Search().PrefixSearch(a.Last, contexts.Jobs, nil)
 		if err != nil {
 			return []string{}

dev/README.md

@@ -10,5 +10,8 @@ files. At a high-level the use case for each package is as follows:
   spin up Nomad clients in Docker containers. This provides a simple mechanism
   to create a Nomad cluster locally.
 
+* `tls_cluster`: This package provides Nomad client configs and certificates to
+  run a TLS enabled cluster.
+
 * `vault`: This package provides basic Vault configuration files for use in
   configuring a Vault server when testing Nomad and Vault integrations.

dev/tls_cluster/README.md

@@ -0,0 +1 @@
+Simply run the Nomad Server and Clients from this directory and the created cluster will be using TLS.

dev/tls_cluster/certs/cfssl.json

@@ -0,0 +1,13 @@
+{
+    "signing": {
+        "default": {
+            "expiry": "87600h",
+            "usages": [
+                "signing",
+                "key encipherment",
+                "server auth",
+                "client auth"
+            ]
+        }
+    }
+}

dev/tls_cluster/certs/cli-key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEILf7p/j1fRxbYKNMic2SDg8gtxKshjT9n53v79RL6YswoAoGCCqGSM49
+AwEHoUQDQgAEk5UATh31iXNMatpNooVoBqNJI7skvN7iXqhBP9v6ysACnhAbLphi
+PaZja5dqVIGpdX48B/lqvdz7bcgEHD3BTw==
+-----END EC PRIVATE KEY-----

dev/tls_cluster/certs/cli.csr

@@ -0,0 +1,6 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIG7MGICAQAwADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJOVAE4d9YlzTGra
+TaKFaAajSSO7JLze4l6oQT/b+srAAp4QGy6YYj2mY2uXalSBqXV+PAf5ar3c+23I
+BBw9wU+gADAKBggqhkjOPQQDAgNJADBGAiEAjxZKImvamyiwlM71T5afwYrkXSKm
+Qgu2mOBVBMmLG1gCIQD74Uu+PlDuRFA+WLiRgpy/3WJWd6C2KAqTs7PLGx4cGw==
+-----END CERTIFICATE REQUEST-----

dev/tls_cluster/certs/cli.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIByDCCAW+gAwIBAgIUHLtX9ysumbw3LCkxkKEzEH219p4wCgYIKoZIzj0EAwIw
+SDELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lzY28xCzAJBgNVBAcT
+AkNBMRQwEgYDVQQDEwtleGFtcGxlLm5ldDAeFw0xNzA4MjkxODU1MDBaFw0xODA4
+MjkxODU1MDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASTlQBOHfWJc0xq
+2k2ihWgGo0kjuyS83uJeqEE/2/rKwAKeEBsumGI9pmNrl2pUgal1fjwH+Wq93Ptt
+yAQcPcFPo38wfTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
+CCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFJK+IEBba+s+v3rV/bFn
+tZsnvduWMB8GA1UdIwQYMBaAFH66XbZ49lhFbnq7yQMJQgj5HAq3MAoGCCqGSM49
+BAMCA0cAMEQCIDe1yWG5ulggBbp0Qu+oZqARua9fK6lvcY8Ke0In7BcsAiB6QKi7
+ScbOUk5rusXY3PlFBu8IKm6b/cA/sftohFewLA==
+-----END CERTIFICATE-----

dev/tls_cluster/certs/client-key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEILtFfW7tRp9eDQvQbZV9k8PwHyOh7RnnsKGuZs32VVNhoAoGCCqGSM49
+AwEHoUQDQgAEj/NNTMe1CfzurUFgnc1tNLUvfzcRJy4bE827jLbvct3DIXtYOv8S
+HOG+qdFhOyK1yqzb6Jv67jQ0nia5C6J3pQ==
+-----END EC PRIVATE KEY-----

dev/tls_cluster/certs/client.csr

@@ -0,0 +1,6 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIG6MGICAQAwADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABI/zTUzHtQn87q1B
+YJ3NbTS1L383EScuGxPNu4y273LdwyF7WDr/EhzhvqnRYTsitcqs2+ib+u40NJ4m
+uQuid6WgADAKBggqhkjOPQQDAgNIADBFAiEA7G6tB30lrg46m+xOx/3CWahUmzKg
+tY0L8HH4I+URPvkCIHUHwmuQZAhkXyzSpUdaHBi/45c4MsUzt38JE1864Y1D
+-----END CERTIFICATE REQUEST-----

dev/tls_cluster/certs/client.pem

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB+TCCAZ+gAwIBAgIUGKlylRp2EYUnnMoRzkDLE8e/y4cwCgYIKoZIzj0EAwIw
+SDELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lzY28xCzAJBgNVBAcT
+AkNBMRQwEgYDVQQDEwtleGFtcGxlLm5ldDAeFw0xNzA4MjkxODU1MDBaFw0yNzA4
+MjcxODU1MDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASP801Mx7UJ/O6t
+QWCdzW00tS9/NxEnLhsTzbuMtu9y3cMhe1g6/xIc4b6p0WE7IrXKrNvom/ruNDSe
+JrkLonelo4GuMIGrMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUKwkGHIIODtdTmpOL
+EKwqBao7jq8wHwYDVR0jBBgwFoAUfrpdtnj2WEVuervJAwlCCPkcCrcwLAYDVR0R
+BCUwI4IQY2xpZW50LmZvby5ub21hZIIJbG9jYWxob3N0hwR/AAABMAoGCCqGSM49
+BAMCA0gAMEUCIQCCHEeAyi6CCeK2eDMo40wgSUwz7tVjaSmZ/jj/lq2FwwIgeNK3
+d9b/cOpGCX1vVyRD9qkIO6eM228YGBqwUQLlQoY=
+-----END CERTIFICATE-----

dev/tls_cluster/certs/nomad-ca-key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIL0op5QMrXeB876AhIx/djGCNWMNpTCea1IMW3qVrADioAoGCCqGSM49
+AwEHoUQDQgAEPTNOV30bIUeCR4xvPn2duP4nz8RZg5SSfBqJ788Zo2jWwgUJ6unh
+KSeEsQaiVMIL8PcPn2OATMgTllqVSm7ALg==
+-----END EC PRIVATE KEY-----

dev/tls_cluster/certs/nomad-ca.csr

@@ -0,0 +1,9 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBPDCB5AIBADBIMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNU2FuIEZyYW5jaXNj
+bzELMAkGA1UEBxMCQ0ExFDASBgNVBAMTC2V4YW1wbGUubmV0MFkwEwYHKoZIzj0C
+AQYIKoZIzj0DAQcDQgAEPTNOV30bIUeCR4xvPn2duP4nz8RZg5SSfBqJ788Zo2jW
+wgUJ6unhKSeEsQaiVMIL8PcPn2OATMgTllqVSm7ALqA6MDgGCSqGSIb3DQEJDjEr
+MCkwJwYDVR0RBCAwHoILZXhhbXBsZS5uZXSCD3d3dy5leGFtcGxlLm5ldDAKBggq
+hkjOPQQDAgNHADBEAiAqo8um1UGdK2JIM2ZY5LUEvFfULqEP+IANGaBPR36rVwIg
+fi6F99QQBNwk0vmFhOEP1T01vajoM+Uwx6EhjyXBS7A=
+-----END CERTIFICATE REQUEST-----

dev/tls_cluster/certs/nomad-ca.pem

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB+DCCAZ6gAwIBAgIUbGbARr8sjISnz/MjmGEX/0VQWZswCgYIKoZIzj0EAwIw
+SDELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lzY28xCzAJBgNVBAcT
+AkNBMRQwEgYDVQQDEwtleGFtcGxlLm5ldDAeFw0xNzA4MjkxODUzMDBaFw0yMjA4
+MjgxODUzMDBaMEgxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1TYW4gRnJhbmNpc2Nv
+MQswCQYDVQQHEwJDQTEUMBIGA1UEAxMLZXhhbXBsZS5uZXQwWTATBgcqhkjOPQIB
+BggqhkjOPQMBBwNCAAQ9M05XfRshR4JHjG8+fZ24/ifPxFmDlJJ8GonvzxmjaNbC
+BQnq6eEpJ4SxBqJUwgvw9w+fY4BMyBOWWpVKbsAuo2YwZDAOBgNVHQ8BAf8EBAMC
+AQYwEgYDVR0TAQH/BAgwBgEB/wIBAjAdBgNVHQ4EFgQUfrpdtnj2WEVuervJAwlC
+CPkcCrcwHwYDVR0jBBgwFoAUfrpdtnj2WEVuervJAwlCCPkcCrcwCgYIKoZIzj0E
+AwIDSAAwRQIhAKRui2n4gf/f2ooffiKkyJ2EmMJtD2zfusZPL84Vf59PAiAJtTNv
+3hEDL/ov9L0n0YfmmprA6ef8qqcet3TqidYVLA==
+-----END CERTIFICATE-----

dev/tls_cluster/certs/server-key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEINOEjpNrhLHbQRMavODvn0nDMxVihn4QfLKlPApUbkUeoAoGCCqGSM49
+AwEHoUQDQgAEkIyNAlIpNvgNCtbSk5OIkbr+mF+RrNAFlzUKAEyxfht2nq5ea+Nj
+yP0wXQ5IWP+tHjiiQToBezSBJnlLxTzA1w==
+-----END EC PRIVATE KEY-----

dev/tls_cluster/certs/server.csr

@@ -0,0 +1,6 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIG7MGICAQAwADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJCMjQJSKTb4DQrW
+0pOTiJG6/phfkazQBZc1CgBMsX4bdp6uXmvjY8j9MF0OSFj/rR44okE6AXs0gSZ5
+S8U8wNegADAKBggqhkjOPQQDAgNJADBGAiEA3HRmZwW//PUp2wor97hIa5cAb0Yq
+EBFyqiUm9LdFzCsCIQCj5t+f+thVEvO5fQGILXBqq969KTefk9dVVQbLrcgxog==
+-----END CERTIFICATE REQUEST-----

dev/tls_cluster/certs/server.pem

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB+jCCAZ+gAwIBAgIUBvib9g3e/m/c7mZjiBE59CJJo6swCgYIKoZIzj0EAwIw
+SDELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lzY28xCzAJBgNVBAcT
+AkNBMRQwEgYDVQQDEwtleGFtcGxlLm5ldDAeFw0xNzA4MjkxODU0MDBaFw0yNzA4
+MjcxODU0MDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASQjI0CUik2+A0K
+1tKTk4iRuv6YX5Gs0AWXNQoATLF+G3aerl5r42PI/TBdDkhY/60eOKJBOgF7NIEm
+eUvFPMDXo4GuMIGrMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUeoR3h6dgHF6LaHQ+
+xjO85N8fZ28wHwYDVR0jBBgwFoAUfrpdtnj2WEVuervJAwlCCPkcCrcwLAYDVR0R
+BCUwI4IQc2VydmVyLmZvby5ub21hZIIJbG9jYWxob3N0hwR/AAABMAoGCCqGSM49
+BAMCA0kAMEYCIQCa/ljHAZh0RpV8aPu/GkJOJge8Jij5MsWRDYYIVoeN0QIhANHL
+uibsL7bNniqtD+2pccgxyPIjvrz18NOC/31KJy8d
+-----END CERTIFICATE-----

dev/tls_cluster/client1.hcl

@@ -0,0 +1,34 @@
+# Increase log verbosity
+log_level = "DEBUG"
+
+region = "foo"
+
+# Setup data dir
+data_dir = "/tmp/client1"
+
+# Enable the client
+client {
+  enabled = true
+
+  # For demo assume we are talking to server1. For production,
+  # this should be like "nomad.service.consul:4647" and a system
+  # like Consul used for service discovery.
+  servers = ["127.0.0.1:4647"]
+}
+
+# Modify our port to avoid a collision with server1
+ports {
+  http = 5656
+}
+
+tls {
+  http = true
+  rpc  = true
+
+  ca_file   = "certs/nomad-ca.pem"
+  cert_file = "certs/client.pem"
+  key_file  = "certs/client-key.pem"
+
+  verify_server_hostname = true
+  verify_https_client    = true
+}

dev/tls_cluster/client2.hcl

@@ -0,0 +1,34 @@
+# Increase log verbosity
+log_level = "DEBUG"
+
+region = "foo"
+
+# Setup data dir
+data_dir = "/tmp/client2"
+
+# Enable the client
+client {
+  enabled = true
+
+  # For demo assume we are talking to server1. For production,
+  # this should be like "nomad.service.consul:4647" and a system
+  # like Consul used for service discovery.
+  servers = ["127.0.0.1:4647"]
+}
+
+# Modify our port to avoid a collision with server1 and client1
+ports {
+  http = 5657
+}
+
+tls {
+  http = true
+  rpc  = true
+
+  ca_file   = "certs/nomad-ca.pem"
+  cert_file = "certs/client.pem"
+  key_file  = "certs/client-key.pem"
+
+  verify_server_hostname = true
+  verify_https_client    = true
+}

dev/tls_cluster/server.hcl

@@ -0,0 +1,27 @@
+# Increase log verbosity
+log_level = "DEBUG"
+
+region = "foo"
+
+# Setup data dir
+data_dir = "/tmp/server1"
+
+# Enable the server
+server {
+  enabled = true
+
+  # Self-elect, should be 3 or 5 for production
+  bootstrap_expect = 1
+}
+
+tls {
+  http = true
+  rpc  = true
+
+  ca_file   = "certs/nomad-ca.pem"
+  cert_file = "certs/server.pem"
+  key_file  = "certs/server-key.pem"
+
+  verify_server_hostname = true
+  verify_https_client    = true
+}