Update to 2022-09-04 18:00

roles/nomad/defaults/main.yml

@@ -24,6 +24,7 @@ nomad_root_dir: /opt/nomad
 nomad_user: "{{ nomad_conf.client.enabled | ternary('root', 'nomad') }}"
 
 # List of Unix group which will be nomad admins
+# Used for example to grant access to cli cert with ACL
 nomad_admin_groups: "{{ system_admin_groups | default([]) }}"
 
 # If ACL are enabled, you need to set a management token for ansible
@@ -179,6 +180,10 @@ nomad_base_conf:
     # address: http://localhost:8500
     # allow_unauthenticated: True
     # tags: []
+    ssl: "{{ (consul_conf is defined and consul_conf.tls is defined and consul_conf.tls.enabled is defined and consul_conf.tls.enabled) | ternary(True, False) }}"
+    ca_file: "{{ nomad_root_dir }}/tls/consul_ca.crt"
+    cert_file: "{{ nomad_root_dir }}/tls/consul.crt"
+    key_file: "{{ nomad_root_dir }}/tls/consul.key"
 
   # Vault integration
   vault:
@@ -233,6 +238,12 @@ nomad_base_vault_tls:
     path: /pki/nomad
     role: nomad-{{ nomad_conf.server.enabled | ternary('server', 'client') }}
     ttl: 24h
+  consul_pki:
+    path: /pki/consul
+    role: nomad-client # Only nomad clients will use the gRPC endpoint and requires a client cert for consul
+    ttl: 24h
+  root_pki:
+    path: /pki/root # This is used to fetch the top level root CA, as envoy can't validate the chain unless it has it complete up to the auto-signed root
 
 nomad_extra_vault_tls: {}
 nomad_host_vault_tls: {}