CircleCI-Public · denislemire · Jan 31, 2026
@@ -54,6 +54,9 @@ module "nomad" {
   basename = "<< name prefix for nomad clients >>"
 
   enable_imdsv2 = "<< optional/required >>"
+
+  # Optional: Custom CA certificate for Docker to trust (e.g., for corporate proxies or private registries)
+  # custom_ca_cert = file("path/to/your/ca-cert.pem")
 }
 
 output "nomad" {

@@ -60,6 +60,7 @@ data "cloudinit_config" "nomad_user_data" {
         server_retry_join     = var.deploy_nomad_server_instances ? local.server_retry_join : var.nomad_server_hostname
         log_level             = var.log_level
         external_nomad_server = var.deploy_nomad_server_instances
+        custom_ca_cert        = var.custom_ca_cert
       }
     )
   }

@@ -101,6 +101,18 @@ cat <<EOT > /etc/docker/daemon.json
 EOT
 
 echo 'export no_proxy="true"' >> /etc/default/docker
+
+%{ if custom_ca_cert != "" ~}
+echo "--------------------------------------"
+echo "   Installing Custom CA Certificate"
+echo "--------------------------------------"
+cat <<EOT > /usr/local/share/ca-certificates/circleci-custom-ca.crt
+${custom_ca_cert}
+EOT
+update-ca-certificates
+echo "Custom CA certificate installed successfully"
+%{ endif ~}
+
 service docker restart
 sleep 5
 

@@ -266,3 +266,15 @@ variable "log_level" {
     error_message = "The value for log_level must be 'INFO', 'DEBUG', 'WARN', or 'TRACE'."
   }
 }
+
+variable "custom_ca_cert" {
+  type        = string
+  default     = ""
+  description = <<-EOF
+    Custom CA certificate (PEM format) to install on Nomad client hosts.
+    This CA will be added to the system trust store, allowing Docker to pull
+    images from registries that use certificates signed by this CA.
+    This is useful for environments with corporate proxies or private registries
+    that use custom/self-signed certificates.
+    EOF
+}
@@ -110,6 +110,7 @@ resource "google_compute_instance_template" "nomad" {
       server_retry_join     = var.deploy_nomad_server_instances ? local.server_retry_join : local.nomad_server_hostname_and_port
       log_level             = var.log_level
       external_nomad_server = var.deploy_nomad_server_instances
+      custom_ca_cert        = var.custom_ca_cert
     }
   )
 

@@ -326,6 +326,19 @@ apt-get install -y docker-ce=5:28.5.2-1~ubuntu.22.04~jammy docker-ce-cli=5:28.5.
 install jq
 
 enabled_docker_userns
+
+%{ if custom_ca_cert != "" ~}
+echo "--------------------------------------"
+echo "   Installing Custom CA Certificate"
+echo "--------------------------------------"
+cat <<EOT > /usr/local/share/ca-certificates/circleci-custom-ca.crt
+${custom_ca_cert}
+EOT
+update-ca-certificates
+echo "Custom CA certificate installed successfully"
+systemctl restart docker
+%{ endif ~}
+
 configure_circleci
 install_nomad || (echo "=================\nFailed to install nomad\n==================\n" && exit 1)
 configure_nomad

@@ -342,4 +342,16 @@ variable "k8s_cluster_location" {
     condition     = !var.deploy_nomad_server_instances || length(var.k8s_cluster_location) > 0
     error_message = "Kubernetes Cluster Location is required when deploying nomad server instances"
   }
+}
+
+variable "custom_ca_cert" {
+  type        = string
+  default     = ""
+  description = <<-EOF
+    Custom CA certificate (PEM format) to install on Nomad client hosts.
+    This CA will be added to the system trust store, allowing Docker to pull
+    images from registries that use certificates signed by this CA.
+    This is useful for environments with corporate proxies or private registries
+    that use custom/self-signed certificates.
+    EOF
 }