immutability-io / consul-terraform


Configure Fabio to use vault as a certificate store #15

Open cypherhat opened 8 years ago

cypherhat commented 8 years ago

See https://github.com/eBay/fabio/wiki/Certificate-Stores#vault

zambien commented 8 years ago

Starting on this.

cypherhat commented 8 years ago

See this:

https://gitter.im/eBay/fabio/archives/2016/09/08

You would need to add a manual override route as:

route add vault my.vaultdomain.org/ http://vault.default.svc.cluster.local:8200/

However, since the Vault API should be accessed via TLS and fabio does not support upstream TLS servers, the SNI-aware TCP proxy from eBay/fabio#1 should solve this issue.

zambien commented 8 years ago

I was able to get fabio to come up and connect to vault, but there are some issues to work out:

  1. Getting fabio to automatically have auth to vault
  2. tcp/sni as mentioned
  3. Getting the certs into vault and made available

Unsealing, setting vault tokens, etc. manually is something we'll have to work around. My initial thought is that we need a long-lived vault available to work with. Maybe the VPN back to a longer-lived vault on a local laptop can be a stepping stone. Does that make sense?