by jordanbeiber 1957 days ago
It’s much easier with nomad as you are not forced into a “black box” with networking layers and surrounding requirements.

Bare metal nomad - use with consul and hook up traefik with consul backend. This would be the simplest, most “zero conf”, way to go.

I’ve used this setup for a few years of heavy production use (e-commerce & 50 devs).

As consul presents SRV records you can hook up a LB using those, or use nomad/consul templating to configure one.

Service mesh with mTLS is actually rather approachable and we’ve deployed it on selected services where we need to track access and have stricter security. (This however had us move off traefik and into nginx + openresty.)

Now if you want secrets management on steroids you’ll want vault. It’s really in many ways at the heart of things. It raises complexity, but the things that you can do with the nomad/consul/vault stack are fantastic.

Currently we use vault for ssl pki, secrets management for services & ci/cd, and ssh cert pki.

These things really form a coherent whole and each component is useful on its own.

Compared to k8s it’s a much more versatile stack although not as much of a “framework” and more like individual “libs”.

I always come back to the description: “more in line with the unix philosophy”.

In a mixed environment where you have some legacy and/or servers to manage I think using the hashicorp stack is a no-brainer - consul and vault are tools I wouldn’t want to be without.