[feature] Support graceful reloads of file certificate stores #355

Open
SoMuchToGrok opened this issue Sep 19, 2017 · 3 comments


SoMuchToGrok commented Sep 19, 2017

I'm currently working towards securing my entire infrastructure with end-to-end TLS. I use Vault's PKI backend to generate an x509 server certificate for Fabio itself.

The server certificate is used for:

  • Fabio routing to itself (UI)
  • Consul health checks against Fabio

This certificate has a short TTL of 30 days, so it gets rotated at the mid-way point (15 days) by consul-template. When this certificate does rotate, we need Fabio to start using it. The typical pattern here would be to send a SIGHUP (Vault itself follows this pattern). Currently, we're sending a full restart to Fabio on a rotation (and doing this restart in a highly-available manner introduces additional complexities).

How involved would it be to make this logic more flexible?

Example fabio config:

proxy.cs = cs=company;type=vault;cert=secret/fabio/certs;refresh=30s,\
           cs=ui;type=file;cert=/secrets/fabio/server.crt;key=/secrets/fabio/server.key
proxy.addr = :80,:443;cs=company

Line 1 is a wildcard cert, stored in Vault's generic secret backend.
Line 2 is the server cert for fabio.

Additionally, it would be ideal for Fabio to re-read the system CA file as well (for root CA rotations). This is technically a different issue, so let me know if I should open up something separate for that.

For additional context, here is the PR where this functionality was added to Vault.

@magiconair (Contributor)

I've just merged #315 which adds support for Vault as a native PKI store for fabio. Can you have a look whether we can make this more flexible for your needs?

@magiconair magiconair added this to the Unplanned milestone Oct 10, 2017
@SoMuchToGrok (Author)

Sorry for the late response - been very busy and distracted lately. I'll take a look within the next day and get back to you. Thanks!


SoMuchToGrok commented Oct 30, 2017

Alright, it's been a very busy couple of weeks - thanks for pinging me on this @magiconair!

This is awesome - so happy to see this kind of integration. Just a few thoughts from my perspective:

  • It would be ideal to enable passing more options to Vault's PKI backend, such as:
  • Is anything currently handling the refresh of the clientca? From what I can see, nothing in the code is explicitly doing so. However, it may be inadvertently happening when the server cert refreshes (i.e. the entire TLS config gets refreshed)?
  • Just a general thought + improvement: I think it makes more sense for the refresh logic to take a fraction of the lifetime of a cert (i.e. 50%). Transitioning to a PKI-backed infrastructure takes some time, and I think many people will be running various TTLs in different environments. Additionally, this logic is closer to the default behavior of most of the HashiCorp tooling around renewals. Ultimately, this becomes one less thing to keep track of. This is definitely something I can help implement if desired.

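An added example, not Fabio's own code and not written by anyone in this thread, of what the requested behaviour looks like for a `type=file` store: it covers the SIGHUP-driven reload asked for in the opening post and the refresh-at-50%-of-lifetime rule suggested in the last comment. The names `FileCertStore`, `NextRefresh`, `Serve` and `WritePair` are hypothetical, and the self-signed pair that `WritePair` produces is constructed sample data standing in for the Vault-issued `server.crt`/`server.key`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"log"
	"math/big"
	"os"
	"os/signal"
	"sync/atomic"
	"syscall"
	"time"
)

// FileCertStore hands the current pair to tls.Config.GetCertificate, so a rotated
// file is served at the next handshake without restarting the listener.
type FileCertStore struct {
	certPath, keyPath string
	current           atomic.Pointer[tls.Certificate]
}

func NewFileCertStore(certPath, keyPath string) (*FileCertStore, error) {
	s := &FileCertStore{certPath: certPath, keyPath: keyPath}
	return s, s.Reload()
}

// Reload re-reads both PEM files and parses the leaf (older Go releases leave it nil).
// On any error the previous pair stays in service, so a half-written file mid-rotation
// never takes the proxy offline.
func (s *FileCertStore) Reload() error {
	cert, err := tls.LoadX509KeyPair(s.certPath, s.keyPath)
	if err != nil {
		return err
	}
	if cert.Leaf, err = x509.ParseCertificate(cert.Certificate[0]); err != nil {
		return err
	}
	s.current.Store(&cert)
	return nil
}

// GetCertificate is the tls.Config callback: whatever pair is current at handshake time.
func (s *FileCertStore) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	return s.current.Load(), nil
}

// NextRefresh implements the half-life rule: re-read at `fraction` of the certificate's
// lifetime (0.5 = midway), or immediately if that point is already behind `now`.
func NextRefresh(leaf *x509.Certificate, fraction float64, now time.Time) time.Time {
	lifetime := leaf.NotAfter.Sub(leaf.NotBefore)
	if at := leaf.NotBefore.Add(time.Duration(float64(lifetime) * fraction)); at.After(now) {
		return at
	}
	return now
}

// Serve blocks, reloading on SIGHUP (the pattern Vault follows) and at the half-life of
// the loaded certificate. A one-minute floor keeps a stale file from being re-read in a loop.
func (s *FileCertStore) Serve(fraction float64) {
	hup := make(chan os.Signal, 1)
	signal.Notify(hup, syscall.SIGHUP)
	for {
		wait := time.Until(NextRefresh(s.current.Load().Leaf, fraction, time.Now()))
		if wait < time.Minute {
			wait = time.Minute
		}
		select {
		case <-hup:
		case <-time.After(wait):
		}
		if err := s.Reload(); err != nil {
			log.Printf("reload failed, keeping previous certificate: %v", err)
		}
	}
}

// WritePair writes a constructed self-signed pair (sample data, not a real issuer) to
// dir/server.crt and dir/server.key, standing in for consul-template dropping a renewal.
func WritePair(dir string, notBefore, notAfter time.Time) (certPath, keyPath string, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", "", err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", "", err
	}
	keyDER, _ := x509.MarshalECPrivateKey(key)
	certPath, keyPath = dir+"/server.crt", dir+"/server.key"
	if err = os.WriteFile(certPath, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600); err != nil {
		return "", "", err
	}
	return certPath, keyPath, os.WriteFile(keyPath, pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), 0o600)
}

func main() {
	dir, _ := os.MkdirTemp("", "fabio-cs")
	cp, kp, _ := WritePair(dir, time.Now(), time.Now().Add(30*24*time.Hour)) // 30-day TTL as in the issue
	store, err := NewFileCertStore(cp, kp)
	if err != nil {
		log.Fatal(err)
	}
	_ = &tls.Config{GetCertificate: store.GetCertificate} // what the HTTPS listener would use
	store.Serve(0.5)                                      // blocks; SIGHUP or the 15-day half-life triggers Reload
}
```

The two design points worth noting: `GetCertificate` is consulted per handshake, so swapping the pointer is enough and no listener needs to be re-bound; and `Reload` refusing to replace a working pair on error matters because the cert and key are two separate files, so a reload that lands between the two writes would otherwise serve a mismatched pair.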
2 participants