Fix Vault E2E TLS config (#11483)

* Update e2e/terraform configuration for Vault and default to mtls=true
hashicorp · Dec 2, 2021 · bfac8d8 · bfac8d8
1 parent 189806f
commit bfac8d8
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 5 deletions.
diff --git a/e2e/terraform/config/dev-cluster/nomad/client-linux/client.hcl b/e2e/terraform/config/dev-cluster/nomad/client-linux/client.hcl
@@ -36,6 +36,6 @@ plugin "nomad-driver-ecs" {
 }
 
 vault {
-  enabled = true
-  address = "http://active.vault.service.consul:8200"
+  enabled   = true
+  address   = "http://active.vault.service.consul:8200"
 }
diff --git a/e2e/terraform/config/shared/nomad-tls.hcl b/e2e/terraform/config/shared/nomad-tls.hcl
@@ -18,3 +18,12 @@ consul {
   cert_file = "/etc/nomad.d/tls/agent.crt"
   key_file  = "/etc/nomad.d/tls/agent.key"
 }
+
+vault {
+  enabled   = true
+  address   = "https://active.vault.service.consul:8200"
+
+  ca_file   = "/etc/nomad.d/tls/ca.crt"
+  cert_file = "/etc/nomad.d/tls/agent.crt"
+  key_file  = "/etc/nomad.d/tls/agent.key"
+}
diff --git a/e2e/terraform/provision-nomad/main.tf b/e2e/terraform/provision-nomad/main.tf
@@ -148,6 +148,10 @@ resource "null_resource" "upload_configs" {
 
 }
 
+// TODO: Create separate certs.
+// This creates one set of certs to manage Nomad, Consul, and Vault and therefore
+// puts all the required SAN entries to enable sharing certs. This is an anti-pattern
+// that we should clean up.
 resource "null_resource" "generate_instance_tls_certs" {
   count      = var.tls ? 1 : 0
   depends_on = [null_resource.upload_configs]
@@ -180,7 +184,7 @@ openssl req -newkey rsa:2048 -nodes \
 
 cat <<'NEOY' > keys/agent-${var.instance.public_ip}.conf
 
-subjectAltName=DNS:${local.tls_role}.global.nomad,DNS:${local.tls_role}.dc1.consul,DNS:localhost,DNS:${var.instance.public_dns},IP:127.0.0.1,IP:${var.instance.private_ip},IP:${var.instance.public_ip}
+subjectAltName=DNS:${local.tls_role}.global.nomad,DNS:${local.tls_role}.dc1.consul,DNS:localhost,DNS:${var.instance.public_dns},DNS:vault.service.consul,DNS:active.vault.service.consul,IP:127.0.0.1,IP:${var.instance.private_ip},IP:${var.instance.public_ip}
 extendedKeyUsage = serverAuth, clientAuth
 basicConstraints = CA:FALSE
 keyUsage = digitalSignature, keyEncipherment

diff --git a/e2e/terraform/scripts/bootstrap-vault.sh b/e2e/terraform/scripts/bootstrap-vault.sh
@@ -28,10 +28,13 @@ NOMAD_VAULT_TOKEN=$(vault token create -policy nomad-server -period 72h -orphan
 cat <<EOF > "${DIR}/../keys/nomad_vault.hcl"
 vault {
   enabled          = true
-  address          = "http://active.vault.service.consul:8200"
+  address          = "https://active.vault.service.consul:8200"
   task_token_ttl   = "1h"
   create_from_role = "nomad-cluster"
   token            = "$NOMAD_VAULT_TOKEN"
+  ca_file   = "/etc/vault.d/tls/ca.crt"
+  cert_file = "/etc/vault.d/tls/agent.crt"
+  key_file  = "/etc/vault.d/tls/agent.key"
 }
 
 EOF
diff --git a/e2e/terraform/terraform.full.tfvars b/e2e/terraform/terraform.full.tfvars
@@ -8,7 +8,7 @@ nomad_enterprise                 = true
 nomad_acls                       = true
 vault                            = true
 volumes                          = true
-tls                              = false
+tls                              = true
 
 # required to avoid picking up defaults from terraform.tfvars file
 nomad_version      = "" # default version for deployment