
[feature] support CRL (certificate revocation list) files #4900

Open
shvar opened this issue Nov 17, 2018 · 4 comments

Comments


shvar commented Nov 17, 2018

Preface

Nomad is currently using two systems for securing its protocols.

  • ACL (which has a token revocation mechanism) controls access to data and APIs
  • mTLS that could work in an untrusted environment and even prevent other services from masquerading as Nomad agents.

Use case

We have to use Nomad agents over the internet and would like to protect our communication channels. So, mTLS sounds like a very natural choice. However, some of the agents could be compromised and we would like to be able to revoke their certificates.
Supporting a revocation list could help to avoid building a system for rotating low-TTL certs.

What do you think?

P. S. And Vault already has CRL support.


shvar commented Nov 17, 2018

This is actually a reformulated and reopened #2996.
I believe that, since the release of ACL policies, it's now clear that the use cases for ACL and mTLS are different. So it's worth talking about this feature again.

@preetapan

@shvar Nomad supports live reloading TLS configuration (and it terminates existing connections). When a cert is compromised, you could issue a new one. The workflow would look something like the following:

  • Create new CA
  • Create new certificates for clients and servers
  • Reload all clients and servers with both CAs as valid (to prevent clients from being temporarily unable to connect to a quorum of Nomad servers)
  • Reload all clients and servers with only the new CA

This is more complex than having Nomad support a CRL, but I wanted to mention this workaround to you as something you can do right now.

We'll consider adding this feature in a future release. We also want to build support for better Vault integration so that Nomad clients/servers can use Vault as the secret engine to generate certs.


amfern commented Dec 5, 2018

#4901 addresses this issue using ACL


SoMuchToGrok commented Feb 14, 2019

Is that true @preetapan? In my experience, Nomad cannot live reload a CA change specifically because it doesn't update its trust anchors. Last tested on 0.8.4.

#3746
