Update to 2022-09-04 00:00

roles/nomad/templates/agent.crt.tpl.j2

@@ -1,3 +0,0 @@
-{{ with secret "[[ nomad_vault.pki.path ]]/issue/[[ nomad_vault.pki.role ]]" "common_name=[[ (nomad_conf.server.enabled) | ternary('server', 'client') ]].[[ nomad_conf.region | default('global') ]].nomad" "ttl=[[ nomad_vault.pki.ttl ]]" "alt_names=localhost,[[ inventory_hostname ]],{% if nomad_conf.server.enabled and nomad_conf.client.enabled %}client.[[ nomad_conf.region | default('global') ]].nomad{% endif %}" "ip_sans=127.0.0.1,[[ ansible_default_ipv4.address ]]"}}
-{{ .Data.certificate }}
-{{ end }}

roles/nomad/templates/agent_cert.tpl.j2

@@ -1,3 +1,3 @@
-[[ with secret "{{ nomad_vault.pki.path }}/issue/{{ nomad_vault.pki.role }}" "common_name={{ (nomad_conf.server.enabled) | ternary('server', 'client') }}.{{ nomad_conf.region | default('global') }}.nomad" "ttl={{ nomad_vault.pki.ttl }}" "alt_names=localhost,{{ inventory_hostname }},{% if nomad_conf.server.enabled and nomad_conf.client.enabled %}client.{{ nomad_conf.region | default('global') }}.nomad{% endif %}" "ip_sans=127.0.0.1,{{ ansible_default_ipv4.address }}" ]]
+[[ with secret "{{ nomad_vault_tls.pki.path }}/issue/{{ nomad_vault_tls.pki.role }}" "common_name={{ (nomad_conf.server.enabled) | ternary('server', 'client') }}-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ nomad_conf.region | default('global') }}.nomad" "ttl={{ nomad_vault_tls.pki.ttl }}" "alt_names=localhost,{{ (nomad_conf.server.enabled) | ternary('server', 'client') }}.{{ nomad_conf.region | default('global') }}.nomad{% if nomad_conf.server.enabled and nomad_conf.client.enabled %},client.{{ nomad_conf.region | default('global') }}.nomad{% endif %}" ]]
 [[ .Data.{{ item.what }} ]]
 [[ end ]]

roles/nomad/templates/cli_cert.tpl.j2

@@ -1,3 +1,3 @@
-[[ with secret "{{ nomad_vault.pki.path }}/issue/{{ nomad_vault.pki.role }}" "ttl={{ nomad_vault.pki.ttl }}" ]]
+[[ with secret "{{ nomad_vault_tls.pki.path }}/issue/{{ nomad_vault_tls.pki.role }}" "ttl={{ nomad_vault_tls.pki.ttl }}" "common_name=cli-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ nomad_conf.region | default('global') }}.nomad" ]]
 [[ .Data.{{ item.what }} ]]
 [[ end ]]

roles/nomad/templates/consul-template.hcl.j2

@@ -1,6 +1,6 @@
 vault {
-  address      = "{{ nomad_vault.address }}"
-  token        = "{{ nomad_vault.token }}"
+  address      = "{{ nomad_vault_tls.address }}"
+  token        = "{{ nomad_vault_tls.token }}"
   unwrap_token = false
 }
 

roles/nomad/templates/pre-backup.j2

@@ -6,7 +6,7 @@ set -eo pipefail
 NOMAD_ADDR=https://localhost:{{ nomad_services.http.port }} \
 NOMAD_CACERT={{ nomad_conf.tls.ca_file }} \
 {% endif %}
-{% if nomad_vault.enabled %}
+{% if nomad_vault_tls.enabled %}
 NOMAD_CLIENT_CERT={{ nomad_root_dir }}/tls/cli.crt \
 NOMAD_CLIENT_KEY={{ nomad_root_dir }}/tls/cli.key \
 {% endif %}

roles/nomad/templates/profile.sh.j2

@@ -1,8 +1,9 @@
 {% if nomad_conf.tls.http %}
 export NOMAD_ADDR=https://localhost:{{ nomad_services.http.port }}
 export NOMAD_CACERT={{ nomad_conf.tls.ca_file }}
-{% if nomad_vault.enabled %}
+{% if nomad_vault_tls.enabled %}
 export NOMAD_CLIENT_CERT={{ nomad_root_dir }}/tls/cli.crt
 export NOMAD_CLIENT_KEY={{ nomad_root_dir }}/tls/cli.key
+export NOMAD_TLS_SERVER_NAME={{ nomad_conf.server.enabled | ternary('server', 'client') }}.global.nomad
 {% endif %}
 {% endif %}