Update to 2022-09-04 00:00

roles/nomad/defaults/main.yml

@@ -56,7 +56,7 @@ nomad_base_conf:
 
 
   # TLS Settings
-  # See the nomad_vault configuration if you want to integrate with vault to obtain and renew the certificates
+  # See the nomad_vault_tls configuration if you want to integrate with vault to obtain and renew the certificates
   tls:
     http: False
     rpc: False
@@ -223,7 +223,7 @@ nomad_host_services: {}
 nomad_services: "{{ nomad_base_services | combine(nomad_extra_services, recursive=True) | combine(nomad_host_services, recursive=True) }}"
 
 # When using vault to setup TLS for Nomad
-nomad_base_vault:
+nomad_base_vault_tls:
   enabled: False
   address: "{{ nomad_conf.vault.address | default(omit) }}"
   # Token to use to issue certificates
@@ -231,9 +231,9 @@ nomad_base_vault:
   pki:
     # The path of the PKI secret where cert will be issued
     path: /pki/nomad
-    role: nomad-cluster
+    role: nomad-{{ nomad_conf.server.enabled | ternary('server', 'client') }}
     ttl: 24h
 
-nomad_extra_vault: {}
-nomad_host_vault: {}
-nomad_vault: "{{ nomad_base_vault | combine(nomad_extra_vault, recursive=True) | combine(nomad_host_vault, recursive=True) }}"
+nomad_extra_vault_tls: {}
+nomad_host_vault_tls: {}
+nomad_vault_tls: "{{ nomad_base_vault_tls | combine(nomad_extra_vault_tls, recursive=True) | combine(nomad_host_vault_tls, recursive=True) }}"

roles/nomad/tasks/conf.yml

@@ -92,7 +92,7 @@
   loop: "{{ nomad_backup_configs.stdout_lines }}"
   tags: nomad
 
-- when: nomad_vault.enabled
+- when: nomad_vault_tls.enabled
   block:
 
     - name: Deploy consul-template config

roles/nomad/tasks/services.yml

@@ -6,5 +6,5 @@
   tags: nomad
 
 - name: Handle consul-template-nomad service
-  service: name=consul-template-nomad state={{ nomad_vault.enabled | ternary('started', 'stopped') }} enabled={{ nomad_vault.enabled | ternary(True, False) }}
+  service: name=consul-template-nomad state={{ nomad_vault_tls.enabled | ternary('started', 'stopped') }} enabled={{ nomad_vault_tls.enabled | ternary(True, False) }}
   tags: nomad

roles/nomad/templates/agent.crt.tpl.j2

@@ -1,3 +0,0 @@
-{{ with secret "[[ nomad_vault.pki.path ]]/issue/[[ nomad_vault.pki.role ]]" "common_name=[[ (nomad_conf.server.enabled) | ternary('server', 'client') ]].[[ nomad_conf.region | default('global') ]].nomad" "ttl=[[ nomad_vault.pki.ttl ]]" "alt_names=localhost,[[ inventory_hostname ]],{% if nomad_conf.server.enabled and nomad_conf.client.enabled %}client.[[ nomad_conf.region | default('global') ]].nomad{% endif %}" "ip_sans=127.0.0.1,[[ ansible_default_ipv4.address ]]"}}
-{{ .Data.certificate }}
-{{ end }}

roles/nomad/templates/agent_cert.tpl.j2

@@ -1,3 +1,3 @@
-[[ with secret "{{ nomad_vault.pki.path }}/issue/{{ nomad_vault.pki.role }}" "common_name={{ (nomad_conf.server.enabled) | ternary('server', 'client') }}.{{ nomad_conf.region | default('global') }}.nomad" "ttl={{ nomad_vault.pki.ttl }}" "alt_names=localhost,{{ inventory_hostname }},{% if nomad_conf.server.enabled and nomad_conf.client.enabled %}client.{{ nomad_conf.region | default('global') }}.nomad{% endif %}" "ip_sans=127.0.0.1,{{ ansible_default_ipv4.address }}" ]]
+[[ with secret "{{ nomad_vault_tls.pki.path }}/issue/{{ nomad_vault_tls.pki.role }}" "common_name={{ (nomad_conf.server.enabled) | ternary('server', 'client') }}-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ nomad_conf.region | default('global') }}.nomad" "ttl={{ nomad_vault_tls.pki.ttl }}" "alt_names=localhost,{{ (nomad_conf.server.enabled) | ternary('server', 'client') }}.{{ nomad_conf.region | default('global') }}.nomad{% if nomad_conf.server.enabled and nomad_conf.client.enabled %},client.{{ nomad_conf.region | default('global') }}.nomad{% endif %}" ]]
 [[ .Data.{{ item.what }} ]]
 [[ end ]]

roles/nomad/templates/cli_cert.tpl.j2

@@ -1,3 +1,3 @@
-[[ with secret "{{ nomad_vault.pki.path }}/issue/{{ nomad_vault.pki.role }}" "ttl={{ nomad_vault.pki.ttl }}" ]]
+[[ with secret "{{ nomad_vault_tls.pki.path }}/issue/{{ nomad_vault_tls.pki.role }}" "ttl={{ nomad_vault_tls.pki.ttl }}" "common_name=cli-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ nomad_conf.region | default('global') }}.nomad" ]]
 [[ .Data.{{ item.what }} ]]
 [[ end ]]

roles/nomad/templates/consul-template.hcl.j2

@@ -1,6 +1,6 @@
 vault {
-  address      = "{{ nomad_vault.address }}"
-  token        = "{{ nomad_vault.token }}"
+  address      = "{{ nomad_vault_tls.address }}"
+  token        = "{{ nomad_vault_tls.token }}"
   unwrap_token = false
 }
 

roles/nomad/templates/pre-backup.j2

@@ -6,7 +6,7 @@ set -eo pipefail
 NOMAD_ADDR=https://localhost:{{ nomad_services.http.port }} \
 NOMAD_CACERT={{ nomad_conf.tls.ca_file }} \
 {% endif %}
-{% if nomad_vault.enabled %}
+{% if nomad_vault_tls.enabled %}
 NOMAD_CLIENT_CERT={{ nomad_root_dir }}/tls/cli.crt \
 NOMAD_CLIENT_KEY={{ nomad_root_dir }}/tls/cli.key \
 {% endif %}

roles/nomad/templates/profile.sh.j2

@@ -1,8 +1,9 @@
 {% if nomad_conf.tls.http %}
 export NOMAD_ADDR=https://localhost:{{ nomad_services.http.port }}
 export NOMAD_CACERT={{ nomad_conf.tls.ca_file }}
-{% if nomad_vault.enabled %}
+{% if nomad_vault_tls.enabled %}
 export NOMAD_CLIENT_CERT={{ nomad_root_dir }}/tls/cli.crt
 export NOMAD_CLIENT_KEY={{ nomad_root_dir }}/tls/cli.key
+export NOMAD_TLS_SERVER_NAME={{ nomad_conf.server.enabled | ternary('server', 'client') }}.global.nomad
 {% endif %}
 {% endif %}