Encrypt Status Communication Messages in Consul and Nomad

  • INFSEC01: Secure Consul internal communication
  • INFSEC02: Secure Nomad internal communication

Consul: Encrypt the Gossip Protocol

  1. On any node in your cluster, run the command consul keygen and note down the generated key
  2. On all nodes, add the following configuration options (with the key as the value of encrypt), then restart consul
{
encrypt = "SECRET"
encrypt_verify_incoming = false
encrypt_verify_outgoing = false
}
  3. On all nodes, set encrypt_verify_outgoing = true, then restart consul
{
encrypt = "SECRET"
encrypt_verify_incoming = false
encrypt_verify_outgoing = true
}
  4. On all nodes, set encrypt_verify_incoming = true, then restart consul
{
encrypt = "SECRET"
encrypt_verify_incoming = true
encrypt_verify_outgoing = true
}
The staged order matters: outgoing verification is enabled first so that every node sends encrypted gossip before any node starts rejecting unencrypted gossip. A node that enforces encrypt_verify_incoming drops plaintext gossip from peers that have not been restarted yet.

Consul: TLS Encryption

  1. Generate root certificate
  2. Generate server and client certificates
  3. Enable TLS encryption on the servers
  4. Enable TLS encryption on the clients

Generate Certificates

>> consul tls ca create
==> Saved consul-agent-ca.pem
==> Saved consul-agent-ca-key.pem
>> consul tls cert create -server -dc=infra
==> Using consul-agent-ca.pem and consul-agent-ca-key.pem
==> Saved infra-server-consul-0.pem
==> Saved infra-server-consul-0-key.pem

Enable TLS Encryption

  1. Server: Copy the certificates and add the following configuration options. The cert_file and key_file values must match the file names that consul tls cert create produced (they are prefixed with the datacenter name).
{
"verify_incoming": false,
"verify_outgoing": false,
"verify_server_hostname": false,
"ca_file": "consul-agent-ca.pem",
"cert_file": "dc1-server-consul-0.pem",
"key_file": "dc1-server-consul-0-key.pem"
}
  2. Restart the server nodes — be sure that they are running before continuing.
  3. Clients: Copy the certificates, then add the following configuration options.
{
"verify_incoming": true,
"verify_outgoing": true,
"verify_server_hostname": true,
"ca_file": "consul-agent-ca.pem",
"cert_file": "dc1-server-consul-0.pem",
"key_file": "dc1-server-consul-0-key.pem"
}
  4. Restart the client nodes
  5. Server: set the following configuration options
{
"verify_incoming": true,
"verify_outgoing": true,
"verify_server_hostname": true
}
  6. Restart the server nodes
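A small audit helper for the two Consul sections above (gossip encryption and TLS), written as an added example for this post rather than code from the post or from HashiCorp. It checks a Consul agent JSON configuration for the end state the procedure aims at: a valid gossip key, both encrypt_verify_* options enforced, all three TLS verify_* options true, and a certificate whose file name was generated for the agent's datacenter. The sample configurations, the placeholder key and the datacenter check are constructed assumptions; the option names are Consul's.

```python
import base64
import json
import os

# Consul agent configuration keys checked below (real Consul options);
# the sample configurations further down are constructed for this example.
GOSSIP_VERIFY_KEYS = ("encrypt_verify_incoming", "encrypt_verify_outgoing")
TLS_VERIFY_KEYS = ("verify_incoming", "verify_outgoing", "verify_server_hostname")
TLS_FILE_KEYS = ("ca_file", "cert_file", "key_file")
VALID_KEY_LENGTHS = (16, 24, 32)  # byte lengths Consul accepts for the gossip key

# Placeholder gossip key (32 zero bytes, base64): stands in for the output of
# `consul keygen` and must never be used on a real cluster.
PLACEHOLDER_KEY = "A" * 43 + "="


def generate_gossip_key() -> str:
    """Produce a 32-byte random key in the same base64 form as `consul keygen`."""
    return base64.b64encode(os.urandom(32)).decode("ascii")


def validate_gossip_key(key: str) -> bool:
    """True if `key` is base64 and decodes to 16, 24 or 32 bytes."""
    try:
        raw = base64.b64decode(key, validate=True)
    except (ValueError, TypeError):
        return False
    return len(raw) in VALID_KEY_LENGTHS


def audit_consul_config(config_json: str) -> list:
    """Return findings for a Consul agent JSON config; an empty list means the
    gossip and TLS settings match the final step of the procedure."""
    cfg = json.loads(config_json)
    findings = []

    key = cfg.get("encrypt")
    if key is None:
        findings.append("gossip: 'encrypt' not set, gossip traffic is plaintext")
    elif not validate_gossip_key(key):
        findings.append("gossip: 'encrypt' is not a base64 key of 16/24/32 bytes")
    # Consul defaults both encrypt_verify_* options to true, so only an explicit
    # false (the intermediate rollout stages) is a finding.
    for k in GOSSIP_VERIFY_KEYS:
        if cfg.get(k, True) is not True:
            findings.append(f"gossip: {k} is false, unencrypted gossip is still accepted")

    for k in TLS_FILE_KEYS:
        if not cfg.get(k):
            findings.append(f"tls: {k} is not set")
    # The verify_* options default to false, so a missing key is a finding too.
    for k in TLS_VERIFY_KEYS:
        if cfg.get(k, False) is not True:
            findings.append(f"tls: {k} is not true")

    # `consul tls cert create -dc=<dc>` names certificates <dc>-server-consul-N.pem;
    # if the config states its datacenter, the certificate should have been issued for it.
    dc, cert = cfg.get("datacenter"), cfg.get("cert_file", "")
    if dc and cert and not os.path.basename(cert).startswith(f"{dc}-"):
        findings.append(f"tls: cert_file '{cert}' was not generated for datacenter '{dc}'")
    return findings


# Constructed samples: the first intermediate stage of the rollout, and the final state.
STAGE1_CONFIG = json.dumps({
    "datacenter": "infra",
    "encrypt": PLACEHOLDER_KEY,
    "encrypt_verify_incoming": False,
    "encrypt_verify_outgoing": False,
    "verify_incoming": False,
    "verify_outgoing": False,
    "verify_server_hostname": False,
    "ca_file": "consul-agent-ca.pem",
    "cert_file": "dc1-server-consul-0.pem",
    "key_file": "dc1-server-consul-0-key.pem",
})
FINAL_CONFIG = json.dumps({
    "datacenter": "infra",
    "encrypt": PLACEHOLDER_KEY,
    "encrypt_verify_incoming": True,
    "encrypt_verify_outgoing": True,
    "verify_incoming": True,
    "verify_outgoing": True,
    "verify_server_hostname": True,
    "ca_file": "consul-agent-ca.pem",
    "cert_file": "infra-server-consul-0.pem",
    "key_file": "infra-server-consul-0-key.pem",
})

if __name__ == "__main__":
    for name, cfg in (("stage 1", STAGE1_CONFIG), ("final", FINAL_CONFIG)):
        print(name, audit_consul_config(cfg) or "OK")
```

Run it against each node's agent configuration after the last restart; any finding means that node still accepts or sends something in plaintext, or is loading a certificate issued for a different datacenter.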

Nomad: Encrypt the Gossip Protocol

  1. Create a secret with nomad operator keygen and note down the generated key
  2. Add this secret to the server’s configuration files as a quoted string, and restart all servers
server {
encrypt = "SECRET"
}

Nomad: TLS Encryption

Generate Certificates

>> consul tls ca create -domain=nomad -name-constraint
==> Saved nomad-agent-ca.pem
==> Saved nomad-agent-ca-key.pem
>> consul tls cert create -server -domain nomad -dc=global
==> Saved global-server-nomad-1.pem
==> Saved global-server-nomad-1-key.pem
>> consul tls cert create -client -domain nomad -dc=global
==> Using nomad-agent-ca.pem and nomad-agent-ca-key.pem
==> Saved global-client-nomad-1.pem
==> Saved global-client-nomad-1-key.pem

Enable TLS Encryption

  1. Server: Copy the certificates, then add the following configuration options:
tls {
http = true
rpc = true
ca_file = "certs/nomad-agent-ca.pem"
cert_file = "certs/global-server-nomad-0.pem"
key_file = "certs/global-server-nomad-0-key.pem"
verify_server_hostname = true
verify_https_client = false
}
  2. Restart the server
  3. Clients: Copy the certificates, then add the following configuration options:
tls {
http = true
rpc = true
ca_file = "certs/nomad-agent-ca.pem"
cert_file = "certs/global-client-nomad-0.pem"
key_file = "certs/global-client-nomad-0-key.pem"
verify_server_hostname = true
verify_https_client = true
}
  4. Restart all clients
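The same kind of check for the two Nomad sections (gossip key and tls stanza), again an added example and not code from the post or from HashiCorp. Nomad configuration is HCL, so the example carries a deliberately tiny parser for the flat `name { key = value }` blocks shown above; it rejects an unquoted value such as `encrypt = SECRET` instead of misreading it. The sample configurations and the placeholder key are constructed, and the rule that a certificate name must contain `-server-nomad-` or `-client-nomad-` to match the agent's role is an assumption based on the file names `consul tls cert create` produced above.

```python
import base64
import re

# Placeholder for the output of `nomad operator keygen` (32 zero bytes, base64);
# never use it on a real cluster.
PLACEHOLDER_KEY = "A" * 43 + "="

# Constructed sample configurations in the flat HCL form used by Nomad agents.
SERVER_CONFIG = f'''
server {{
  encrypt = "{PLACEHOLDER_KEY}"
}}
tls {{
  http = true
  rpc = true
  ca_file = "certs/nomad-agent-ca.pem"
  cert_file = "certs/global-server-nomad-0.pem"
  key_file = "certs/global-server-nomad-0-key.pem"
  verify_server_hostname = true
  verify_https_client = false
}}
'''

CLIENT_CONFIG = '''
tls {
  http = true
  rpc = true
  ca_file = "certs/nomad-agent-ca.pem"
  cert_file = "certs/global-client-nomad-0.pem"
  key_file = "certs/global-client-nomad-0-key.pem"
  verify_server_hostname = true
  verify_https_client = true
}
'''

BLOCK_OPEN = re.compile(r"(\w+)\s*\{")
ASSIGN = re.compile(r"(\w+)\s*=\s*(.+)")


def _parse_value(raw: str):
    """Accept quoted strings, booleans and integers; reject anything else so an
    unquoted secret is reported instead of being silently misread."""
    v = raw.strip()
    if len(v) >= 2 and v[0] == '"' and v[-1] == '"':
        return v[1:-1]
    if v in ("true", "false"):
        return v == "true"
    if re.fullmatch(r"-?\d+", v):
        return int(v)
    raise ValueError(f"unsupported or unquoted value: {v!r}")


def parse_flat_hcl(text: str) -> dict:
    """Parse one level of `name { key = value }` blocks (no nesting, no lists);
    enough for the server and tls stanzas shown above."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments; no value here contains '#'
        if not line:
            continue
        m = BLOCK_OPEN.fullmatch(line)
        if m:
            current = blocks.setdefault(m.group(1), {})
            continue
        if line == "}":
            current = None
            continue
        m = ASSIGN.fullmatch(line)
        if m and current is not None:
            current[m.group(1)] = _parse_value(m.group(2))
            continue
        raise ValueError(f"unparseable line: {raw!r}")
    return blocks


def audit_nomad_config(text: str, role: str) -> list:
    """Findings for a Nomad agent config; `role` is "server" or "client"."""
    cfg = parse_flat_hcl(text)
    findings = []

    if role == "server":
        key = cfg.get("server", {}).get("encrypt")
        try:
            ok = key is not None and len(base64.b64decode(key, validate=True)) in (16, 24, 32)
        except ValueError:
            ok = False
        if not ok:
            findings.append("gossip: server.encrypt missing or not a 16/24/32-byte base64 key")

    tls = cfg.get("tls")
    if tls is None:
        findings.append("tls: no tls block, HTTP API and RPC are plaintext")
        return findings
    for k in ("http", "rpc", "verify_server_hostname", "verify_https_client"):
        if tls.get(k) is not True:
            findings.append(f"tls: {k} is not true")
    for k in ("ca_file", "cert_file", "key_file"):
        if not tls.get(k):
            findings.append(f"tls: {k} is not set")
    # Certificates generated above are named global-<role>-nomad-N.pem, so a client
    # loading a server certificate (or vice versa) stands out.
    cert = tls.get("cert_file", "")
    if cert and f"-{role}-nomad-" not in cert:
        findings.append(f"tls: cert_file '{cert}' was not issued for a {role} agent")
    return findings
```

With the server stanza above the only finding is verify_https_client = false, which means the server's HTTPS API does not require a client certificate; whether that is acceptable depends on what else guards the API, so the check reports it rather than hiding it.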

Conclusion

Once all steps are applied, the startup banner of a Consul agent confirms that gossip and TLS encryption are active. Note that in this banner the HTTP API is still served on port 8500 while HTTPS is -1 (disabled), so API traffic on that port is not covered by the TLS settings above.

/usr/local/bin/consul agent -config-dir=/etc/consul/ -bind=192.168.2.201 -client=192.168.2.201
==> Starting Consul agent...
Version: 'v1.7.1'
Node ID: '6f859439-c48f-f3af-5282-26b9f9dccad2'
Node name: 'raspi-3-1'
Datacenter: 'infra' (Segment: '')
Server: false (Bootstrap: false)
Client Addr: [192.168.2.201] (HTTP: 8500, HTTPS: -1, gRPC: -1, DNS: 8600)
Cluster Addr: 192.168.2.201 (LAN: 8301, WAN: 8302)
Encrypt: Gossip: true, TLS-Outgoing: true, TLS-Incoming: true, Auto-Encrypt-TLS: true
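The banner is a convenient place to verify the result on every node, so here is an added example (not part of the original post, and not Consul's own tooling) that parses the Encrypt line and the Client Addr line of such a banner and reports what is still unencrypted. The sample banner is constructed to mirror the one above with a placeholder node name; the interpretation of -1 as a disabled listener and the choice to require only Gossip, TLS-Outgoing and TLS-Incoming (Auto-Encrypt-TLS applies to clients only) are the example's own assumptions.

```python
import re

# Constructed sample shaped like the `consul agent` startup banner above;
# the node name is a placeholder, addresses and ports mirror the banner.
SAMPLE_BANNER = """\
==> Starting Consul agent...
Version: 'v1.7.1'
Node name: 'node-placeholder'
Datacenter: 'infra' (Segment: '')
Server: false (Bootstrap: false)
Client Addr: [192.168.2.201] (HTTP: 8500, HTTPS: -1, gRPC: -1, DNS: 8600)
Cluster Addr: 192.168.2.201 (LAN: 8301, WAN: 8302)
Encrypt: Gossip: true, TLS-Outgoing: true, TLS-Incoming: true, Auto-Encrypt-TLS: true
"""

# Every agent should report these three as true once the procedure is complete;
# Auto-Encrypt-TLS is only expected on clients, so it is not required here.
REQUIRED_ENCRYPT = ("Gossip", "TLS-Outgoing", "TLS-Incoming")
ENCRYPT_RE = re.compile(r"^\s*Encrypt:\s*(.*)$")
CLIENT_ADDR_RE = re.compile(r"Client Addr:\s*\[([^\]]*)\]\s*\((.*)\)")


def _kv_pairs(text: str) -> dict:
    """Split 'A: x, B: y' into {'A': 'x', 'B': 'y'}."""
    pairs = {}
    for part in text.split(","):
        name, sep, value = part.partition(":")
        if sep:
            pairs[name.strip()] = value.strip()
    return pairs


def parse_banner(banner: str) -> dict:
    """Extract the encryption flags and the client listener ports from a banner."""
    info = {"encrypt": {}, "client_addr": [], "ports": {}}
    for line in banner.splitlines():
        m = ENCRYPT_RE.match(line)
        if m:
            info["encrypt"] = {k: v == "true" for k, v in _kv_pairs(m.group(1)).items()}
            continue
        m = CLIENT_ADDR_RE.search(line)
        if m:
            info["client_addr"] = m.group(1).split()
            info["ports"] = {k: int(v) for k, v in _kv_pairs(m.group(2)).items()}
    return info


def banner_findings(banner: str) -> list:
    """Return what is still unencrypted according to the banner (empty = all good)."""
    info = parse_banner(banner)
    if not info["encrypt"]:
        raise ValueError("no 'Encrypt:' line in banner")
    findings = [f"{name} encryption is not enabled"
                for name in REQUIRED_ENCRYPT if not info["encrypt"].get(name, False)]
    # A port of -1 means the listener is disabled. HTTP enabled with HTTPS disabled
    # on a non-loopback client address means the HTTP API itself is plaintext.
    ports = info["ports"]
    remote = [a for a in info["client_addr"] if not (a.startswith("127.") or a == "::1")]
    if remote and ports.get("HTTP", -1) != -1 and ports.get("HTTPS", -1) == -1:
        findings.append(f"HTTP API is plaintext on {', '.join(remote)} port {ports['HTTP']} (HTTPS disabled)")
    return findings


if __name__ == "__main__":
    for finding in banner_findings(SAMPLE_BANNER) or ["all required paths encrypted"]:
        print(finding)
```

Fed the banner above, the only finding is the plaintext HTTP API on 192.168.2.201:8500; the three gossip and TLS flags pass.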
