tls cluster

hashicorp · dadgar · Aug 29, 2017 · Aug 29, 2017 · Aug 29, 2017 · Aug 29, 2017
commit 734a73ee4ed3dcc96e7f23c5289a59b976574d90
diff --git a/dev/tls_cluster/certs/cfssl.json b/dev/tls_cluster/certs/cfssl.json
@@ -0,0 +1,13 @@
+{
+    "signing": {
+        "default": {
+            "expiry": "87600h",
+            "usages": [
+                "signing",
+                "key encipherment",
+                "server auth",
+                "client auth"
+            ]
+        }
+    }
+}
diff --git a/dev/tls_cluster/certs/cli-key.pem b/dev/tls_cluster/certs/cli-key.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEILf7p/j1fRxbYKNMic2SDg8gtxKshjT9n53v79RL6YswoAoGCCqGSM49
+AwEHoUQDQgAEk5UATh31iXNMatpNooVoBqNJI7skvN7iXqhBP9v6ysACnhAbLphi
+PaZja5dqVIGpdX48B/lqvdz7bcgEHD3BTw==
+-----END EC PRIVATE KEY-----
diff --git a/dev/tls_cluster/certs/cli.csr b/dev/tls_cluster/certs/cli.csr
@@ -0,0 +1,6 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIG7MGICAQAwADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJOVAE4d9YlzTGra
+TaKFaAajSSO7JLze4l6oQT/b+srAAp4QGy6YYj2mY2uXalSBqXV+PAf5ar3c+23I
+BBw9wU+gADAKBggqhkjOPQQDAgNJADBGAiEAjxZKImvamyiwlM71T5afwYrkXSKm
+Qgu2mOBVBMmLG1gCIQD74Uu+PlDuRFA+WLiRgpy/3WJWd6C2KAqTs7PLGx4cGw==
+-----END CERTIFICATE REQUEST-----
diff --git a/dev/tls_cluster/certs/cli.pem b/dev/tls_cluster/certs/cli.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIByDCCAW+gAwIBAgIUHLtX9ysumbw3LCkxkKEzEH219p4wCgYIKoZIzj0EAwIw
+SDELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lzY28xCzAJBgNVBAcT
+AkNBMRQwEgYDVQQDEwtleGFtcGxlLm5ldDAeFw0xNzA4MjkxODU1MDBaFw0xODA4
+MjkxODU1MDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASTlQBOHfWJc0xq
+2k2ihWgGo0kjuyS83uJeqEE/2/rKwAKeEBsumGI9pmNrl2pUgal1fjwH+Wq93Ptt
+yAQcPcFPo38wfTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
+CCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFJK+IEBba+s+v3rV/bFn
+tZsnvduWMB8GA1UdIwQYMBaAFH66XbZ49lhFbnq7yQMJQgj5HAq3MAoGCCqGSM49
+BAMCA0cAMEQCIDe1yWG5ulggBbp0Qu+oZqARua9fK6lvcY8Ke0In7BcsAiB6QKi7
+ScbOUk5rusXY3PlFBu8IKm6b/cA/sftohFewLA==
+-----END CERTIFICATE-----
diff --git a/dev/tls_cluster/certs/client-key.pem b/dev/tls_cluster/certs/client-key.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEILtFfW7tRp9eDQvQbZV9k8PwHyOh7RnnsKGuZs32VVNhoAoGCCqGSM49
+AwEHoUQDQgAEj/NNTMe1CfzurUFgnc1tNLUvfzcRJy4bE827jLbvct3DIXtYOv8S
+HOG+qdFhOyK1yqzb6Jv67jQ0nia5C6J3pQ==
+-----END EC PRIVATE KEY-----
diff --git a/dev/tls_cluster/certs/client.csr b/dev/tls_cluster/certs/client.csr
@@ -0,0 +1,6 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIG6MGICAQAwADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABI/zTUzHtQn87q1B
+YJ3NbTS1L383EScuGxPNu4y273LdwyF7WDr/EhzhvqnRYTsitcqs2+ib+u40NJ4m
+uQuid6WgADAKBggqhkjOPQQDAgNIADBFAiEA7G6tB30lrg46m+xOx/3CWahUmzKg
+tY0L8HH4I+URPvkCIHUHwmuQZAhkXyzSpUdaHBi/45c4MsUzt38JE1864Y1D
+-----END CERTIFICATE REQUEST-----
diff --git a/dev/tls_cluster/certs/client.pem b/dev/tls_cluster/certs/client.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB+TCCAZ+gAwIBAgIUGKlylRp2EYUnnMoRzkDLE8e/y4cwCgYIKoZIzj0EAwIw
+SDELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lzY28xCzAJBgNVBAcT
+AkNBMRQwEgYDVQQDEwtleGFtcGxlLm5ldDAeFw0xNzA4MjkxODU1MDBaFw0yNzA4
+MjcxODU1MDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASP801Mx7UJ/O6t
+QWCdzW00tS9/NxEnLhsTzbuMtu9y3cMhe1g6/xIc4b6p0WE7IrXKrNvom/ruNDSe
+JrkLonelo4GuMIGrMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUKwkGHIIODtdTmpOL
+EKwqBao7jq8wHwYDVR0jBBgwFoAUfrpdtnj2WEVuervJAwlCCPkcCrcwLAYDVR0R
+BCUwI4IQY2xpZW50LmZvby5ub21hZIIJbG9jYWxob3N0hwR/AAABMAoGCCqGSM49
+BAMCA0gAMEUCIQCCHEeAyi6CCeK2eDMo40wgSUwz7tVjaSmZ/jj/lq2FwwIgeNK3
+d9b/cOpGCX1vVyRD9qkIO6eM228YGBqwUQLlQoY=
+-----END CERTIFICATE-----
diff --git a/dev/tls_cluster/certs/nomad-ca-key.pem b/dev/tls_cluster/certs/nomad-ca-key.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIL0op5QMrXeB876AhIx/djGCNWMNpTCea1IMW3qVrADioAoGCCqGSM49
+AwEHoUQDQgAEPTNOV30bIUeCR4xvPn2duP4nz8RZg5SSfBqJ788Zo2jWwgUJ6unh
+KSeEsQaiVMIL8PcPn2OATMgTllqVSm7ALg==
+-----END EC PRIVATE KEY-----
diff --git a/dev/tls_cluster/certs/nomad-ca.csr b/dev/tls_cluster/certs/nomad-ca.csr
@@ -0,0 +1,9 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBPDCB5AIBADBIMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNU2FuIEZyYW5jaXNj
+bzELMAkGA1UEBxMCQ0ExFDASBgNVBAMTC2V4YW1wbGUubmV0MFkwEwYHKoZIzj0C
+AQYIKoZIzj0DAQcDQgAEPTNOV30bIUeCR4xvPn2duP4nz8RZg5SSfBqJ788Zo2jW
+wgUJ6unhKSeEsQaiVMIL8PcPn2OATMgTllqVSm7ALqA6MDgGCSqGSIb3DQEJDjEr
+MCkwJwYDVR0RBCAwHoILZXhhbXBsZS5uZXSCD3d3dy5leGFtcGxlLm5ldDAKBggq
+hkjOPQQDAgNHADBEAiAqo8um1UGdK2JIM2ZY5LUEvFfULqEP+IANGaBPR36rVwIg
+fi6F99QQBNwk0vmFhOEP1T01vajoM+Uwx6EhjyXBS7A=
+-----END CERTIFICATE REQUEST-----
diff --git a/dev/tls_cluster/certs/nomad-ca.pem b/dev/tls_cluster/certs/nomad-ca.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB+DCCAZ6gAwIBAgIUbGbARr8sjISnz/MjmGEX/0VQWZswCgYIKoZIzj0EAwIw
+SDELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lzY28xCzAJBgNVBAcT
+AkNBMRQwEgYDVQQDEwtleGFtcGxlLm5ldDAeFw0xNzA4MjkxODUzMDBaFw0yMjA4
+MjgxODUzMDBaMEgxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1TYW4gRnJhbmNpc2Nv
+MQswCQYDVQQHEwJDQTEUMBIGA1UEAxMLZXhhbXBsZS5uZXQwWTATBgcqhkjOPQIB
+BggqhkjOPQMBBwNCAAQ9M05XfRshR4JHjG8+fZ24/ifPxFmDlJJ8GonvzxmjaNbC
+BQnq6eEpJ4SxBqJUwgvw9w+fY4BMyBOWWpVKbsAuo2YwZDAOBgNVHQ8BAf8EBAMC
+AQYwEgYDVR0TAQH/BAgwBgEB/wIBAjAdBgNVHQ4EFgQUfrpdtnj2WEVuervJAwlC
+CPkcCrcwHwYDVR0jBBgwFoAUfrpdtnj2WEVuervJAwlCCPkcCrcwCgYIKoZIzj0E
+AwIDSAAwRQIhAKRui2n4gf/f2ooffiKkyJ2EmMJtD2zfusZPL84Vf59PAiAJtTNv
+3hEDL/ov9L0n0YfmmprA6ef8qqcet3TqidYVLA==
+-----END CERTIFICATE-----
diff --git a/dev/tls_cluster/certs/server-key.pem b/dev/tls_cluster/certs/server-key.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEINOEjpNrhLHbQRMavODvn0nDMxVihn4QfLKlPApUbkUeoAoGCCqGSM49
+AwEHoUQDQgAEkIyNAlIpNvgNCtbSk5OIkbr+mF+RrNAFlzUKAEyxfht2nq5ea+Nj
+yP0wXQ5IWP+tHjiiQToBezSBJnlLxTzA1w==
+-----END EC PRIVATE KEY-----
diff --git a/dev/tls_cluster/certs/server.csr b/dev/tls_cluster/certs/server.csr
@@ -0,0 +1,6 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIG7MGICAQAwADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJCMjQJSKTb4DQrW
+0pOTiJG6/phfkazQBZc1CgBMsX4bdp6uXmvjY8j9MF0OSFj/rR44okE6AXs0gSZ5
+S8U8wNegADAKBggqhkjOPQQDAgNJADBGAiEA3HRmZwW//PUp2wor97hIa5cAb0Yq
+EBFyqiUm9LdFzCsCIQCj5t+f+thVEvO5fQGILXBqq969KTefk9dVVQbLrcgxog==
+-----END CERTIFICATE REQUEST-----
diff --git a/dev/tls_cluster/certs/server.pem b/dev/tls_cluster/certs/server.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB+jCCAZ+gAwIBAgIUBvib9g3e/m/c7mZjiBE59CJJo6swCgYIKoZIzj0EAwIw
+SDELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lzY28xCzAJBgNVBAcT
+AkNBMRQwEgYDVQQDEwtleGFtcGxlLm5ldDAeFw0xNzA4MjkxODU0MDBaFw0yNzA4
+MjcxODU0MDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASQjI0CUik2+A0K
+1tKTk4iRuv6YX5Gs0AWXNQoATLF+G3aerl5r42PI/TBdDkhY/60eOKJBOgF7NIEm
+eUvFPMDXo4GuMIGrMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUeoR3h6dgHF6LaHQ+
+xjO85N8fZ28wHwYDVR0jBBgwFoAUfrpdtnj2WEVuervJAwlCCPkcCrcwLAYDVR0R
+BCUwI4IQc2VydmVyLmZvby5ub21hZIIJbG9jYWxob3N0hwR/AAABMAoGCCqGSM49
+BAMCA0kAMEYCIQCa/ljHAZh0RpV8aPu/GkJOJge8Jij5MsWRDYYIVoeN0QIhANHL
+uibsL7bNniqtD+2pccgxyPIjvrz18NOC/31KJy8d
+-----END CERTIFICATE-----
diff --git a/dev/tls_cluster/client1.hcl b/dev/tls_cluster/client1.hcl
@@ -0,0 +1,34 @@
+# Increase log verbosity
+log_level = "DEBUG"
+
+region = "foo"
+
+# Setup data dir
+data_dir = "/tmp/client1"
+
+# Enable the client
+client {
+  enabled = true
+
+  # For demo assume we are talking to server1. For production,
+  # this should be like "nomad.service.consul:4647" and a system
+  # like Consul used for service discovery.
+  servers = ["127.0.0.1:4647"]
+}
+
+# Modify our port to avoid a collision with server1
+ports {
+  http = 5656
+}
+
+tls {
+  http = true
+  rpc  = true
+
+  ca_file   = "certs/nomad-ca.pem"
+  cert_file = "certs/client.pem"
+  key_file  = "certs/client-key.pem"
+
+  verify_server_hostname = true
+  verify_https_client    = true
+}
diff --git a/dev/tls_cluster/client2.hcl b/dev/tls_cluster/client2.hcl
@@ -0,0 +1,34 @@
+# Increase log verbosity
+log_level = "DEBUG"
+
+region = "foo"
+
+# Setup data dir
+data_dir = "/tmp/client2"
+
+# Enable the client
+client {
+  enabled = true
+
+  # For demo assume we are talking to server1. For production,
+  # this should be like "nomad.service.consul:4647" and a system
+  # like Consul used for service discovery.
+  servers = ["127.0.0.1:4647"]
+}
+
+# Modify our port to avoid a collision with server1 and client1
+ports {
+  http = 5657
+}
+
+tls {
+  http = true
+  rpc  = true
+
+  ca_file   = "certs/nomad-ca.pem"
+  cert_file = "certs/client.pem"
+  key_file  = "certs/client-key.pem"
+
+  verify_server_hostname = true
+  verify_https_client    = true
+}
diff --git a/dev/tls_cluster/server.hcl b/dev/tls_cluster/server.hcl
@@ -0,0 +1,27 @@
+# Increase log verbosity
+log_level = "DEBUG"
+
+region = "foo"
+
+# Setup data dir
+data_dir = "/tmp/server1"
+
+# Enable the server
+server {
+  enabled = true
+
+  # Self-elect, should be 3 or 5 for production
+  bootstrap_expect = 1
+}
+
+tls {
+  http = true
+  rpc  = true
+
+  ca_file   = "certs/nomad-ca.pem"
+  cert_file = "certs/server.pem"
+  key_file  = "certs/server-key.pem"
+
+  verify_server_hostname = true
+  verify_https_client    = true
+}