Demo application with TLS using `fabio`

[kerscher]

Provide an environment with a demo HTTPS application behind fabio. Fabio will terminate TLS. Changes expected:

• NGINX job hosting certificates, not exposed outside₁
  • Generated by operator locally for this demo
  • Fabio uses http target
• NGINX job (separate) hosting demo content, exposed through HTTPS
  • Service tags to register on Consul for fabio configuration
  • Nothing fancy, static content

₁ Switched to vault once available, but better than file since it demands no manual change on server and can be run reproducibly from Terraform

[kerscher]

It might be a good idea to have a {fabio + private nginx} module that has this ready for use in environments where vault or other alternatives are not available.

[ketzacoatl]

Much of my comment here is a replay of what Yghor and I discussed yesterday in chat (to clarify the details together). The first nginx instance noted above is for fabio and TLS (to serve certs to fabio). The goal right now is to keep our interaction with TLS as minimal as possible while we map out and understand what fabio and the backend services need to make this work. Yghor is giving the http backend a shot, but it's for simplicity. A directory of TLS certs (path backend) might be easier. We will want to use vault in the long-run, and we should aim for that above all the others, however Vault is getting updates in the stack, and vault adds complication (ACLs/config/etc) to the initial setup, so this demo is skipping that to focus on what fabio needs and how it works with TLS certs for multiple backends it is routing for.