kemko/nomad
1
0
Fork 0
mirror of https://github.com/kemko/nomad.git synced 2026-01-04 17:35:43 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
65c7f34f2d4c92ffbb51646aacc264f8db33cc06
nomad/website/content/docs/configuration/tls.mdx
Aimee Ukasick 53b083b8c5 Docs: Nomad IA (#26063) 
* Move commands from docs to its own root-level directory

* temporarily use modified dev-portal branch with nomad ia changes

* explicitly clone nomad ia exp branch

* retrigger build, fixed dev-portal broken build

* architecture, concepts and get started individual pages

* fix get started section destinations

* reference section

* update repo comment in website-build.sh to show branch

* docs nav file update capitalization

* update capitalization to force deploy

* remove nomad-vs-kubernetes dir; move content to what is nomad pg

* job section

* Nomad operations category, deploy section

* operations category, govern section

* operations - manage

* operations/scale; concepts scheduling fix

* networking

* monitor

* secure section

* remote auth-methods folder and move up pages to sso; linkcheck

* Fix install2deploy redirects

* fix architecture redirects

* Job section: Add missing section index pages

* Add section index pages so breadcrumbs build correctly

* concepts/index fix front matter indentation

* move task driver plugin config to new deploy section

* Finish adding full URL to tutorials links in nav

* change SSO to Authentication in nav and file system

* Docs NomadIA: Move tutorials into NomadIA branch (#26132)

* Move governance and policy from tutorials to docs

* Move tutorials content to job-declare section

* run jobs section

* stateful workloads

* advanced job scheduling

* deploy section

* manage section

* monitor section

* secure/acl and secure/authorization

* fix example that contains an unseal key in real format

* remove images from sso-vault

* secure/traffic

* secure/workload-identities

* vault-acl change unseal key and root token in command output sample

* remove lines from sample output

* fix front matter

* move nomad pack tutorials to tools

* search/replace /nomad/tutorials links

* update acl overview with content from deleted architecture/acl

* fix spelling mistake

* linkcheck - fix broken links

* fix link to Nomad variables tutorial

* fix link to Prometheus tutorial

* move who uses Nomad to use cases page; move spec/config shortcuts

add dividers

* Move Consul out of Integrations; move namespaces to govern

* move integrations/vault to secure/vault; delete integrations

* move ref arch to docs; rename Deploy Nomad back to Install Nomad

* address feedback

* linkcheck fixes

* Fixed raw_exec redirect

* add info from /nomad/tutorials/manage-jobs/jobs

* update page content with newer tutorial

* link updates for architecture sub-folders

* Add redirects for removed section index pages. Fix links.

* fix broken links from linkcheck

* Revert to use dev-portal main branch instead of nomadIA branch

* build workaround: add intro-nav-data.json with single entry

* fix content-check error

* add intro directory to get around Vercel build error

* workound for emtpry directory

* remove mdx from /intro/ to fix content-check and git snafu

* Add intro index.mdx so Vercel build should work

---------

Co-authored-by: Tu Nguyen <im2nguyen@gmail.com>
2025-07-08 19:24:52 -05:00

135 lines
5.8 KiB
Plaintext
Raw Blame History

---
layout: docs
page_title: tls Block in Agent Configuration
description: |-
Configure secure communication in the `tls` block of a Nomad agent configuration. Enable TLS on Raft traffic and RFC and HTTP endpoints. Add TLS cipher suites and paths to certificates and key files. Specify the TLS version. Require client certificates for all incoming HTTPS requests and the server name on all outgoing TLS connections.
---
# `tls` Block in Agent Configuration
<Placement groups={['tls']} />
This page provides reference information for configuring secure communication in
the `tls` block of a Nomad agent configuration. Enable TLS on Raft traffic and
RFC and HTTP endpoints. Add TLS cipher suites and paths to certificates and key
files. Specify the TLS version. Require client certificates for all incoming
HTTPS requests and verifying the server name on all outgoing TLS connections.
Note that he Nomad documentation uses "TLS" to refer to this communication
except when it is potentially ambiguous between TLS and mTLS.
```hcl
tls {
http = true
rpc = true
}
```
~> Incorrect configuration of the TLS configuration can result in failure to
start the Nomad agent.
This section of the documentation only covers the configuration options for the `tls` block. To understand how to setup the certificates themselves, refer to
the [Enable TLS Encryption for Nomad Tutorial](/nomad/docs/secure/traffic/tls).
## `tls` Parameters
- `ca_file` `(string: "")` - Specifies the path to the CA certificate to use for
Nomad's TLS communication.
- `cert_file` `(string: "")` - Specifies the path to the certificate file used
for Nomad's TLS communication.
- `key_file` `(string: "")` - Specifies the path to the key file to use for
Nomad's TLS communication.
- `http` `(bool: false)` - Specifies if TLS should be enabled on the HTTP
endpoints on the Nomad agent, including the API. By default this is non-mutual
TLS. You can upgrade this to mTLS by setting
[`verify_https_client=true`](#verify_https_client), but this can complicate
using the Nomad UI by requiring mTLS in your browser or running a proxy in
front of the Nomad UI.
- `rpc` `(bool: false)` - Toggle the option to enable mTLS on the RPC endpoints
and [Raft][raft] traffic. When this setting is activated, it establishes
protection both between Nomad servers and from the clients back to the
servers, ensuring mutual authentication. Setting `rpc=true` is required for
secure operation of Nomad.
- `rpc_upgrade_mode` `(bool: false)` - This option should be used only when the
cluster is being upgraded to TLS, and removed after the migration is
complete. This allows the agent to accept both TLS and plaintext traffic.
- `tls_cipher_suites` `(string: "")` - Specifies the TLS cipher suites that will
be used by the agent as a comma-separated string. Known insecure ciphers are
disabled (3DES and RC4). By default, an agent is configured to use
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 and
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
Nomad does not accept explicit ciphersuite configuration when for TLS 1.3
because the Go team has already designated a select set of ciphers that align
with the broadly-accepted Mozilla Security/Server Side TLS guidance for
[modern TLS configuration][modern-tls].
~> **Warning:** the use of insecure cipher suites such as TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, and TLS_RSA_WITH_AES_128_CBC_SHA256 is now unsupported.
- `tls_min_version` `(string: "tls12")`- Specifies the minimum supported version
of TLS. Accepted values are "tls10", "tls11", "tls12", "tls13".
- `verify_https_client` `(bool: false)` - Specifies agents should require client
certificates for all incoming HTTPS requests, effectively upgrading
[`tls.http=true`](#http) to mTLS. The client certificates must be signed by
the same CA as Nomad. By default, `verify_https_client` is set to `false`,
which is safe so long as ACLs are enabled. This is recommended if you are
using the Nomad web UI to avoid the difficulty of distributing client certs to
browsers.
- `verify_server_hostname` `(bool: false)` - Specifies if outgoing TLS
connections should verify the server's hostname.
## `tls` Examples
The following examples only show the `tls` blocks. Remember that the
`tls` block is only valid in the placements listed above.
### Enabling TLS
This example shows enabling TLS configuration. This enables mTLS communication
between all servers and clients using the default system CA bundle and
certificates.
```hcl
tls {
http = true
rpc = true
ca_file = "/etc/certs/ca.crt"
cert_file = "/etc/certs/nomad.crt"
key_file = "/etc/certs/nomad.key"
}
```
### `tls` Configuration Reloads
Nomad supports dynamically reloading both client and server TLS
configuration. To reload an agent's TLS configuration, first update the TLS
block in the agent's configuration file and then send the Nomad agent a `SIGHUP`
signal. Note that this will only reload a subset of the configuration file,
including the TLS configuration.
The agent reloads all its network connections when there are changes to its
TLS configuration during a config reload via `SIGHUP`. Any new connections
established will use the updated configuration, and any outstanding old
connections will be closed. This process works when upgrading to TLS,
downgrading from it, as well as rolling certificates.
[raft]: https://github.com/hashicorp/serf 'Serf by HashiCorp'
[modern-tls]: https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
Reference in New Issue View Git Blame Copy Permalink