- Add lock/unlock methods that use Nomad Variables
- Clean up (i.e. rename the "loggy" method)
- Later: change auth to use Workload Identity tokens and the Task API instead of a manually passed-in token + URL
- External: Push change to official Caddy plugins list
- External: Build and push official docker image
- External: Add a Nomad Pack (ideally official)
Nomad Variable Storage for Caddy TLS data.
This cluster plugin enables Caddy 2 to store TLS data such as keys and certificates as Nomad Variables, so you don't have to rely on a shared filesystem. This lets you run Caddy 2 in a distributed environment with a centralized store for auto-generated certificates that is shared between all Caddy instances.
The version of this plugin in the master branch supports Caddy 2.0.0+ using CertMagic's Storage interface.
This will only work with Caddy 2.
You need to specify nomad as the storage module in Caddy's configuration. This can be done in the config file or via the admin API.
JSON (reference)
{
    "admin": {
        "listen": "0.0.0.0:2019"
    },
    "storage": {
        "module": "nomad",
        "address": "localhost:4646",
        "prefix": "caddytls",
        "token": "nomad-access-token"
    }
}
Caddyfile (reference)
{
    storage nomad {
        address "127.0.0.1:4646"
        token "nomad-access-token"
        timeout 10
        prefix "caddytls"
        value_prefix "myprefix"
        aes_key "nomadtls-12345678901-caddytls-32"
        tls_enabled "false"
        tls_insecure "true"
    }
}
Two caveats for anything beyond local testing: aes_key is used as the AES key for the stored values, so it must have a valid AES key length (16, 24 or 32 bytes; the example above is 32 bytes), and tls_insecure "true" skips verification of the Nomad API server's certificate. Talk to Nomad over TLS (tls_enabled "true" and tls_insecure "false") whenever the API is not on the loopback interface, because the token and the private keys travel over that connection.
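To make the prefix, value_prefix and aes_key options concrete, here is an added Go example. It is not the plugin's own code: the Storage struct, its method names and the idea of prepending value_prefix to the plaintext as a marker that is verified after decryption are this example's assumptions about how those options could be applied. It maps a CertMagic storage key onto a Nomad Variable path under the configured prefix, encrypts a value with AES-GCM under aes_key, and shows that Go's AES cipher rejects a key that is not 16, 24 or 32 bytes long.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"path"
	"strings"
)

// Storage holds the subset of the Caddyfile options this example needs.
// The struct and its behaviour are assumptions for illustration, not the
// plugin's implementation.
type Storage struct {
	Prefix      string // Nomad Variable path prefix ("prefix" in the Caddyfile)
	ValuePrefix string // marker prepended to every plaintext ("value_prefix"), assumption
	AESKey      []byte // raw AES key ("aes_key"); must be 16, 24 or 32 bytes
}

// VariablePath maps a CertMagic storage key, e.g.
// "certificates/<ca>/<host>/<host>.crt", onto the Nomad Variable path that
// the token's ACL policy ("<prefix>/*") has to cover.
func (s Storage) VariablePath(storageKey string) string {
	return path.Join(s.Prefix, strings.TrimPrefix(storageKey, "/"))
}

// aead builds an AES-GCM AEAD from the configured key. aes.NewCipher rejects
// any key that is not 16, 24 or 32 bytes, so a 31-byte aes_key fails here
// before anything is written to Nomad.
func (s Storage) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(s.AESKey)
	if err != nil {
		return nil, fmt.Errorf("aes_key: %w", err)
	}
	return cipher.NewGCM(block)
}

// Encrypt prepends the value_prefix marker, seals the result with a fresh
// random nonce and returns nonce||ciphertext for storage as the Variable's value.
func (s Storage) Encrypt(plaintext []byte) ([]byte, error) {
	aead, err := s.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	marked := append([]byte(s.ValuePrefix), plaintext...)
	return aead.Seal(nonce, nonce, marked, nil), nil
}

// Decrypt reverses Encrypt. GCM already fails on a wrong key or any tampering;
// the marker check additionally catches a value written with another value_prefix.
func (s Storage) Decrypt(blob []byte) ([]byte, error) {
	aead, err := s.aead()
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	marked, err := aead.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt: %w", err)
	}
	if !bytes.HasPrefix(marked, []byte(s.ValuePrefix)) {
		return nil, errors.New("decrypted value does not carry the expected value_prefix")
	}
	return marked[len(s.ValuePrefix):], nil
}

func main() {
	s := Storage{Prefix: "caddytls", ValuePrefix: "myprefix",
		AESKey: []byte("nomadtls-12345678901-caddytls-32")} // 32 bytes, as in the Caddyfile
	key := "certificates/acme-v02.api.letsencrypt.org-directory/example.com/example.com.key"
	fmt.Println("variable path:", s.VariablePath(key))

	// Constructed sample value; in practice this is the PEM-encoded private key.
	blob, err := s.Encrypt([]byte("-----BEGIN EC PRIVATE KEY-----\n...\n"))
	if err != nil {
		panic(err)
	}
	pt, err := s.Decrypt(blob)
	fmt.Printf("roundtrip ok: %v (%d bytes stored)\n", err == nil && len(pt) > 0, len(blob))

	// A 31-byte key is rejected by aes.NewCipher.
	_, err = Storage{AESKey: []byte("nomadtls-1234567890-caddytls-32")}.Encrypt(pt)
	fmt.Println("31-byte key:", err)
}
```

Run it with `go run .`; the last line prints the key-size error, which is the failure you would see at startup if aes_key were mis-sized.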
Because this plugin uses the official Nomad API client, you can use all of that client's environment variables, such as NOMAD_ADDR or NOMAD_TOKEN, to define your Nomad address and token. For more information see https://github.com/hashicorp/nomad/blob/master/api/api.go
Without any further configuration a running Nomad on 127.0.0.1:4646 is assumed.
There are additional ENV variables for this plugin:
CADDY_CLUSTERING_nomad_PREFIX defines the prefix for the Variable paths. Default is caddytls
To access Nomad you need a token with a valid ACL policy. Assuming you configured caddytls as your Variable path prefix, the following policy grants the plugin exactly the capabilities it needs on that path and nothing else (adjust the namespace if your Variables live elsewhere):
namespace "default" {
    variables {
        path "caddytls/*" {
            capabilities = ["write", "read", "destroy"]
        }
    }
}
This plugin's code is based on pteich/caddy-tlsconsul; big thanks to pteich for that.