
Separate Nomad UI vs node-to-node comms TLS configuration

Open bengaywins opened this issue 2 years ago • 6 comments

Proposal

Nomad's HTTP endpoint TLS configuration has a separate set of TLS certs/keys from the raft/gossip/rpc/etc node-to-node comms.

Use-cases

Staged roll out to an existing cluster of each of the different areas of use. This would enable having an HTTPS endpoint that no longer requires the entire TLS chain, keys, etc for just HTTP API comms while also allowing publicly trusted certs for the UI.

Attempted Solutions

None.

bengaywins avatar Dec 17 '22 00:12 bengaywins

Hi @bengaywins! This is something that's supported for some of the other HashiCorp products like Vault, so it seems like the right thing to do. I'll mark this for further discussion and roadmapping.

But for the UI case specifically, the Task API that's new in Nomad 1.5.0-beta will let you put together a UI proxy that runs on the cluster and uses separate certs (including those from something like Let's Encrypt). We'll likely have a Tutorial on how to do this kind of thing sometime before or around the time we go GA for Nomad 1.5.0.

tgross avatar Feb 15 '23 19:02 tgross

LOVE this! The UI is really my biggest use case. Same with the API endpoint too, but the UI is my biggest area of issue here. Our devs need to use the UI and requiring them to have the chain+keys, to view the UI, is not realistic. And weakens security imo too.

Is there really any difference between the HTTP endpoints vs the UI?

bengaywins avatar Feb 15 '23 19:02 bengaywins

> Is there really any difference between the HTTP endpoints vs the UI?

The HTTP endpoints are the exact same HTTP API the UI uses. The web UI intentionally doesn't have any special "privileged" access. The Nomad agent serves a rich single-page app bundle (built with EmberJS) from a minimal web page found at /ui and that EmberJS application talks to the HTTP API.

Just FYI, it's probably a little hard to find but there's an existing Tutorial on running a reverse proxy in front of the web UI that describes a setup that sounds like it might help you out. That hasn't been updated for the new Task API but it will probably get the job done for your team today even without the Task API.

tgross avatar Feb 15 '23 19:02 tgross
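The reverse-proxy setup discussed above, sketched as an added example (this is not the HashiCorp tutorial's config nor part of the Nomad project): nginx terminates a publicly trusted certificate for browsers and presents the cluster's mTLS client certificate upstream, so developers viewing /ui never need the chain and keys. The host name, the Let's Encrypt and Nomad certificate paths, the agent address 127.0.0.1:4646 and the SAN server.global.nomad are assumptions.

```nginx
# Added example, not the tutorial's own config. Assumes a Nomad agent on
# 127.0.0.1:4646 with verify_https_client = true; all paths are placeholders.
server {
    listen 443 ssl;
    server_name nomad.example.com;

    # Publicly trusted certificate shown to browsers (e.g. Let's Encrypt).
    ssl_certificate     /etc/letsencrypt/live/nomad.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nomad.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # The web UI is just the HTTP API: one location covers /ui and /v1.
    location / {
        proxy_pass https://127.0.0.1:4646;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Cluster mTLS client certificate, held only on the proxy host.
        # It only lets traffic reach the agent; Nomad ACL tokens sent by the
        # UI still decide what each user may do.
        proxy_ssl_certificate         /etc/nomad.d/tls/cli.pem;
        proxy_ssl_certificate_key     /etc/nomad.d/tls/cli-key.pem;

        # Verify the agent's certificate against the cluster CA, checking the
        # name the agent cert was issued for (assumed: server.global.nomad).
        proxy_ssl_trusted_certificate /etc/nomad.d/tls/nomad-ca.pem;
        proxy_ssl_verify              on;
        proxy_ssl_server_name         on;
        proxy_ssl_name                server.global.nomad;
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;

        # Blocking queries and log/exec streams are long-lived websockets.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 310s;
        proxy_buffering off;
    }
}
```

Check it with `nginx -t` before reloading; a failed `proxy_ssl_verify` shows up as a 502 from nginx and a certificate error in the agent's log, which is the signal to compare `proxy_ssl_name` with the SANs on the agent's HTTP certificate.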

Thanks for confirming about the API vs UI!

I have seen this, and in the past I ran something like it because I've been on Nomad off and on since before there was even an official UI. We're just trying to avoid the complexity if we can for the time being.

bengaywins avatar Feb 15 '23 20:02 bengaywins

I did some experimenting with using the Task API for running a UI proxy and sadly even in Nomad 1.5-beta1 there are some rough edges: https://github.com/schmichael/nomad-nginx-ui

It does work though, and I think the approach of serving /ui/ with the proxy's workload identity is a good one.

Multiple identities would be useful to make it a smoother experience, so I wrote up an issue here: https://github.com/hashicorp/nomad/issues/16194

schmichael avatar Feb 16 '23 00:02 schmichael

Is there a chance that the tutorial can be updated for the new task api?

josegonzalez avatar Aug 13 '24 08:08 josegonzalez