Nomad Code Snippets
To fulfill desired security properties, Nomad certificates can be signed with their region and role in their certificate Common Name, such as:
client.global.nomad for a client node in the global region
server.us-west.nomad for a server node in the us-west region
Let's take a look at how these certificates are validated in the code.
Standard TLS
In the Golang standard tls package, in common.go L511-L522, there's the ability to supply a function which does additional verification of a peer certificate: the VerifyPeerCertificate field of tls.Config. It is called after the standard chain verification with the raw certificates the peer sent and the verified chains that were built from them, and returning a non-nil error aborts the handshake. Note that when InsecureSkipVerify is set the callback still runs, but verifiedChains is nil, so a validator that only looks at the verified chain has nothing to check.
Nomad Server
Nomad wires this up in its TLS config in server.go L451-L447, specifically inside the if tlsConf.VerifyServerHostname {} block, where it sets the function to rpcNameAndRegionValidator(region).
This method is defined later on in server.go L479-L497, and validateRPCRegionPeer is right below it, in server.go L499-L515.
The interesting part happens when the Common Name is split on dots and we check whether the first part is client or server, and whether the region part matches the region this server is configured for; a peer certificate from the CA whose name does not fit that scheme is rejected even though its chain verified.
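To make the mechanism from the two sections above concrete, here is an added example, written for this page and not Nomad's own code, that implements a VerifyPeerCertificate callback enforcing the role.region.nomad naming scheme. The function names validatePeerName, newPeerNameValidator and selfSignedCert are hypothetical, and the throwaway certificates it builds are constructed test data; a real deployment would rely on the chain verification that runs before this callback, not on self-signed certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// validatePeerName checks a peer Common Name against the <role>.<region>.nomad
// scheme. The role must be "client" or "server" and the region must equal the
// region this server serves. (Hypothetical helper, not Nomad's implementation.)
func validatePeerName(cn, region string) error {
	parts := strings.Split(cn, ".")
	if len(parts) != 3 || parts[2] != "nomad" {
		return fmt.Errorf("peer CN %q does not match <role>.<region>.nomad", cn)
	}
	role, peerRegion := parts[0], parts[1]
	if role != "client" && role != "server" {
		return fmt.Errorf("peer CN %q has unknown role %q", cn, role)
	}
	if peerRegion != region {
		return fmt.Errorf("peer CN %q is for region %q, expected %q", cn, peerRegion, region)
	}
	return nil
}

// newPeerNameValidator returns a function with the tls.Config.VerifyPeerCertificate
// signature. It runs after the standard chain verification; the leaf of the first
// verified chain is the peer certificate that verification accepted. With
// InsecureSkipVerify set, verifiedChains is nil, which this callback treats as a failure.
func newPeerNameValidator(region string) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
		if len(verifiedChains) == 0 || len(verifiedChains[0]) == 0 {
			return errors.New("no verified certificate chain to check")
		}
		return validatePeerName(verifiedChains[0][0].Subject.CommonName, region)
	}
}

// selfSignedCert builds a throwaway certificate with the given CN so the callback
// can be exercised offline without a CA (constructed test data only).
func selfSignedCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Wire the validator into a tls.Config the way a server serving "global" would.
	cfg := &tls.Config{
		ClientAuth:            tls.RequireAndVerifyClientCert,
		VerifyPeerCertificate: newPeerNameValidator("global"),
	}
	for _, cn := range []string{"client.global.nomad", "server.global.nomad", "server.us-west.nomad", "admin.global.nomad"} {
		cert, err := selfSignedCert(cn)
		if err != nil {
			panic(err)
		}
		// Hand the callback the chain that chain verification would have produced.
		err = cfg.VerifyPeerCertificate(nil, [][]*x509.Certificate{{cert}})
		fmt.Printf("%-22s -> %v\n", cn, err)
	}
}
```

Running it shows the two global certificates accepted and the us-west and admin ones rejected. The check only narrows which holders of a valid certificate from the trusted CA may talk to this region; it does nothing against a certificate that did not chain to that CA, which is why the callback must stay behind the standard verification rather than replace it.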