Support loading and runtime update of X509 certificate chains for TLS

[simonmittag]

Jabba needs to support loading and runtime update of X509 certificate chains, containing SSL cert, intermediate certs and certificate authority details. It would be good to support at least one way to update these without having to restart the server i.e. by pushing a config update.

How should we support loading of TLS certs?

Embed cert inside yml config

Allow the user to paste the certificate directly into the json/yml config to be loaded during bootstrap. Config is currently loaded from disk but may also be applied via configuration endpoint at runtime.

Pros

• It's easy to build
• You don't have to specify any external paths

  Cons

• Not docker friendly
• Mixing cert. with other config options.
• Security only as good as config file permissions

Load separately from disk

This is what Nginx does.

Pros

• It's easy to build
• You can specify the path in the config file.

  Cons

• Not docker friendly
• Security only as good as file permissions

Integrate with Hashicorp Vault

Access the certificate from a local or remote Hashicorp vault instance. https://www.vaultproject.io/

Pros

• Secured by Vault's encryption

  Cons

• bundles Jabba with Vault

ACME client(RFC8555) i.e. letsencrypt

Access and renew the certificate from an ACME compatible provider such as letsencrypt.

Pros

• ACME supports auto-renewal
• Docker friendly

  Cons

• relies on multi-step process, may require admin UI.

Tasks

• [x] TLS as an alternate mode to HTTP? Server runs either/or.
• [x] Test on MacOS, CentOS, Ubuntu, Alpine to validate multiple cacert signatures.
• [x] How are TLS cipher suites controlled? config examples with TLS config: https://github.com/denji/golang-tls#start-of-content. A+ cipher suites with major browser support 08/2020: https://www.ssllabs.com/ssltest/analyze.html?d=j8a.io
• [x] Test with Komodo cert chain and without private CA
• [x] performance test via circleCI.
• [x] retest suite of downstream timeouts against TLS endpoint to make sure they regress well.

[simonmittag]

we'll start implementing this with a simple embed cert, key in configuration file implementation