I'm currently working towards securing my entire infrastructure with end-to-end TLS. I use Vault's PKI backend to generate an x509 server certificate for Fabio itself.
The server certificate is used for:
Fabio routing to itself (UI)
Consul health checks against Fabio
This certificate has a short TTL of 30 days, so it gets rotated at the mid-way point (15 days) by consul-template. When this certificate does rotate, we need Fabio to start using it. The typical pattern here would be to send a SIGHUP (Vault itself follows this pattern). Currently, we're sending a full restart to Fabio on a rotation (and doing this restart in a highly-available manner introduces additional complexities).
How involved would it be to make this logic more flexible?
Example fabio config
Line 1 is a wildcard cert, stored in Vault's generic secret backend.
Line 2 is the server cert for fabio.
Additionally, it would be ideal for Fabio to re-read the system CA file as well (for root CA rotations). This is technically a different issue, so let me know if I should open up something separate for that.
For additional context, here is the PR where this functionality was added to Vault.
I've just merged #315 which adds support for Vault as a native PKI store for fabio. Can you have a look whether we can make this more flexible for your needs?
From what I can tell, these are the only "blockers" preventing me from switching to this new config :)
Is anything currently handling the refresh of the clientca? From what I can see, nothing in the code is explicitly doing so. However, it may be inadvertently happening when the server cert refreshes (i.e. the entire TLS config gets refreshed)?
Just a general thought + improvement: I think it makes more sense for the refresh logic to take a fraction of a lifetime of a cert (i.e. 50%). Transitioning to a PKI-backed infrastructure takes some time, and I think many people will be running various TTLs in different environments. Additionally, this logic is closer to the default behavior of most of the hashicorp tooling around renewals. Ultimately, this becomes one less thing to keep track of. This is definitely something I can help implement if desired.
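An added example, not Fabio's code and not part of #315, of the reload pattern asked for in the original post and of the two follow-up points (whether the clientca is refreshed together with the server cert, and renewing at a fraction of the certificate lifetime). It is written against Go's crypto/tls: the whole tls.Config, client CA pool included, is fetched per handshake through GetConfigForClient, so a reload swaps both at once, and SIGHUP re-reads the files the way Vault reloads. The names tlsStore, Reload, Current, RefreshAt, Watch and selfSignedPEM, the three-file layout (server cert, key and client CA bundle rendered by consul-template) and the VerifyClientCertIfGiven client-auth mode are this example's own assumptions; selfSignedPEM only stands in for Vault PKI output so the code can be tried without a Vault server.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"log"
	"math/big"
	"os"
	"os/signal"
	"sync"
	"syscall"
	"time"
)

// tlsStore holds the live server cert and client CA pool. Every handshake fetches
// the whole tls.Config via GetConfigForClient, so a swap (CAs included) applies
// to the next connection with no listener restart.
type tlsStore struct {
	mu   sync.RWMutex
	conf *tls.Config
}

// Reload parses a new cert/key and client CA bundle and swaps them in; on any
// parse error the previous config keeps serving.
func (s *tlsStore) Reload(certPEM, keyPEM, caPEM []byte) error {
	cert, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return err
	}
	if cert.Leaf, err = x509.ParseCertificate(cert.Certificate[0]); err != nil {
		return err
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return errors.New("client CA bundle contains no certificates")
	}
	s.mu.Lock()
	s.conf = &tls.Config{Certificates: []tls.Certificate{cert}, ClientCAs: pool, ClientAuth: tls.VerifyClientCertIfGiven}
	s.mu.Unlock()
	return nil
}

// Current is the GetConfigForClient callback: hand the listener &tls.Config{GetConfigForClient: store.Current}.
func (s *tlsStore) Current(*tls.ClientHelloInfo) (*tls.Config, error) {
	s.mu.RLock()
	defer s.mu.RUnlock()
	return s.conf, nil
}

// RefreshAt is when to re-issue: NotBefore plus a fraction of the lifetime.
// 0.5 on a 30-day cert gives day 15, the consul-template cadence in the thread.
func RefreshAt(leaf *x509.Certificate, fraction float64) time.Time {
	return leaf.NotBefore.Add(time.Duration(float64(leaf.NotAfter.Sub(leaf.NotBefore)) * fraction))
}

// Watch loads the three files consul-template renders, then re-reads them on every
// SIGHUP (the signal Vault reloads on), so consul-template's `command` can be a kill -HUP.
func Watch(s *tlsStore, certPath, keyPath, caPath string) error {
	load := func() error {
		certPEM, e1 := os.ReadFile(certPath)
		keyPEM, e2 := os.ReadFile(keyPath)
		caPEM, e3 := os.ReadFile(caPath)
		if err := errors.Join(e1, e2, e3); err != nil {
			return err
		}
		return s.Reload(certPEM, keyPEM, caPEM)
	}
	if err := load(); err != nil {
		return err
	}
	hup := make(chan os.Signal, 1)
	signal.Notify(hup, syscall.SIGHUP)
	go func() {
		for range hup {
			if err := load(); err != nil {
				log.Printf("reload failed, old cert stays live: %v", err)
			}
		}
	}()
	return nil
}

// selfSignedPEM mints a throwaway cert (constructed stand-in for Vault PKI output; demo helper, panics on error).
func selfSignedPEM(name string, ttl time.Duration) (certPEM, keyPEM []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now().Truncate(time.Second)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name}, NotBefore: now, NotAfter: now.Add(ttl)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	keyDER, _ := x509.MarshalECPrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
}
```

Call Watch once at startup and give the listener a tls.Config whose only field is GetConfigForClient pointing at Current; consul-template's per-template command then only has to send SIGHUP to the process. Two properties matter operationally: a rotation that produces an unparseable file leaves the previous certificate and CA pool serving instead of taking the listener down (a full restart cannot offer that), and because the CA pool lives in the same swapped config, the clientca question in the follow-up is answered explicitly rather than by accident. Re-reading the system root CA file for outbound connections is a separate concern and is not covered here.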