diff --git a/setup-cluster.yml b/setup-cluster.yml
index eee555d..4b9a6b4 100644
--- a/setup-cluster.yml
+++ b/setup-cluster.yml
@@ -354,9 +354,6 @@
 # Create networks for binding task ports
 nomad_host_networks:
- # - name: public
- # interface: eth0
- # reserved_ports: "22"
 - name: nomad-bridge
 interface: nomad
 reserved_ports: "22"
@@ -368,13 +365,17 @@
 nomad_acl_enabled: true
 # Enable vault integration
+ # HACK: Only talk to local Vault for now because it doesn't have HTTPS
+ # TODO: Would be really great to hvae this over https and point to vault.consul.service
+ # nomad_vault_address: "https://vault.service.consul:8200"
+ # Right now, each node only talks to it's local Vault, so if that node is rebooted and
+ # that vault is sealed, it will not have access to vault. This is a problem if a node
+ # must reboot.
+ nomad_vault_address: "http://127.0.0.1:8200"
 # TODO: This fails on first run because the Nomad-Vault integration can't be set up
 # until Nomad has started. Could maybe figure out if ACLs have been set up and leave
 # these out until the later play, maybe just bootstrap the nomad-cluster role in Vault
 # befor Nomad is set up
- # nomad_vault_address: "http://vault.service.consul:8200"
- # Only talk to local Vault for now because it doesn't have HTTPS
- nomad_vault_address: "http://127.0.0.1:8200"
 nomad_vault_create_from_role: "nomad-cluster"
 # TODO: (security) Probably want to restict this to a narrower scoped token
 nomad_vault_enabled: "{{ root_token is defined }}"
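Review bot: The new TODO points at `vault.consul.service`, while the commented-out URL directly beneath it (and the line removed further down in the same hunk) use `vault.service.consul:8200`; the TODO should name the same host, e.g. `# TODO: Would be really great to have this over https and point to vault.service.consul`, and it also carries `hvae` and `it's` (for `its`). The HACK comment would be more useful if it stated what unblocks the switch, presumably TLS on the Vault listener, so the loopback-only plaintext address is not read as a permanent choice, and the sealed-after-reboot failure mode stays tied to that TODO rather than being lost when the `https` line is eventually uncommented. The `nomad_vault_address` value itself is unchanged by this hunk, and the surrounding vars mapping starts and ends outside it.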