commit 9cf0b86f4c18d7f4a7df0ba482153e6fc76c4f11 parent 63b12beb033a1c1b53e959558589f30ad1d3faa3 Author: Andreas Gruhler <andreas.gruhler@adfinis.com> Date: Thu, 20 Jul 2023 18:04:13 +0200 fix(vault): disable service reg. on excl. servers Diffstat:
M | vault.sh | | | 6 | ++++++ |
1 file changed, 6 insertions(+), 0 deletions(-)
diff --git a/vault.sh b/vault.sh
@@ -83,6 +83,12 @@ storage "consul" {
 tls_ca_file = "/opt/consul/tls/consul-agent-ca.pem"
 tls_cert_file = "/opt/consul/tls/dc1-client-consul.pem"
 tls_key_file = "/opt/consul/tls/dc1-client-consul-key.pem"
+$(if [[ "$NOMAD_CLIENT" = false ]]; then
+ # This nodes TLS certificate cannot be updated by Nomad jobs,
+ # because it serves as Nomad server exclusively. Don't expose
+ # it to the load balancer by disabling Consul service discovery.
+ echo " disable_registration = true"
+fi)
 }
 seal "transit" {
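Review bot: The guard on the added `$(if [[ "$NOMAD_CLIENT" = false ]]; then` line fails open, because only the exact string `false` disables registration. An unset, empty or differently spelled value (`False`, `0`) leaves a server-only node registered in Consul, which is the exposure to the load balancer that the comment says must not happen. If the rest of vault.sh does not already normalise the variable (not visible in this hunk), inverting the test makes the safe case the default: `$(if [[ "${NOMAD_CLIENT:-false}" != true ]]; then`. The comment could also state the consequence directly, for example `# This node's TLS certificate is not renewed by Nomad jobs, so keep it out of Consul service discovery.` The enclosing `storage "consul"` block and the surrounding here-document start outside the hunk.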