
Add Azure KeyVault integration

Open jjcollinge opened this issue 6 years ago • 7 comments

  • Add support for KeyVault provider configuration
  • Fetch certificate from KeyVault
  • Provide certificate to provider for client authentication

@askw @flmader

jjcollinge avatar Dec 18 '17 12:12 jjcollinge

How to get started with this, if I wanted to help? I have no Go experience, so I would prefer some guidance as to where to start and how you see a design for this?

clausndk avatar Feb 28 '18 10:02 clausndk

Hey @clausndk - things have changed a little since I first proposed this issue. As the TLS config is pulled straight from the traefik.toml configuration file - it probably makes sense to handle the Key Vault piece outside of Traefik.

[serviceFabric.tls]
   cert = "certs/servicefabric.crt"
   key = "certs/servicefabric.key"
   insecureskipverify = true

You could use a SetupEntryPoint script that pulls the Azure credentials it needs to talk to Key Vault from environment variables and then grabs the certificates stored as base64-encoded Key Vault secrets, decodes them and then injects them into the traefik.toml before the Traefik process is started. According to the Traefik TLS config code // CA, Cert and Key can be either path or file contents - so you could inject it directly into the traefik.toml as a string or write them to files and inject the file paths. The SetupEntryPoint script can be written as a batch file that kicks off a PowerShell script so you won't have to deal with Go :) this pattern is shown here.

Hope that makes sense - I'll have a think if there's a better option. @lawrencegripper thoughts?

jjcollinge avatar Feb 28 '18 12:02 jjcollinge
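The SetupEntryPoint pattern described in the comment above, written out as an added example for the Linux side (which the thread notes was never covered); this is not the project's code nor the code from the linked PR. It assumes the Azure CLI is installed and already authenticated (via `az login`, a managed identity or a service principal), that the two PEM blobs are stored as base64-encoded Key Vault secrets, and that the vault and secret names arrive in the environment variables KEYVAULT_NAME, CERT_SECRET_NAME and KEY_SECRET_NAME (all of these names are assumptions, not something the page specifies).

```shell
#!/bin/sh
# Added example of a Linux SetupEntryPoint for Traefik on Service Fabric.
# Assumptions (not from the page): secrets are read with the Azure CLI and
# the environment variables KEYVAULT_NAME, CERT_SECRET_NAME, KEY_SECRET_NAME,
# TRAEFIK_TOML and CERT_DIR select the vault, secrets, config file and output dir.

# Read one secret's value from Key Vault. Needs prior Azure CLI authentication.
fetch_secret() {
    az keyvault secret show --vault-name "$1" --name "$2" --query value -o tsv
}

# Decode a base64-encoded PEM secret into an owner-only file. Refuse anything
# that is not valid base64 or does not contain a PEM header, so a wrong secret
# name or an un-encoded value fails here rather than at Traefik start-up.
write_pem() {
    b64="$1"; out="$2"
    ( umask 077; printf '%s' "$b64" | base64 -d > "$out" 2>/dev/null ) \
        || { echo "base64 decode failed for $out" >&2; rm -f "$out"; return 1; }
    grep -q -- '-----BEGIN ' "$out" \
        || { echo "$out does not contain a PEM block" >&2; rm -f "$out"; return 1; }
}

# Point the cert/key values of [serviceFabric.tls] in traefik.toml at the
# decoded files. Only the two path lines are rewritten; everything else
# (including insecureskipverify) is left exactly as the operator wrote it.
# Paths must not contain '|' because it is used as the sed delimiter.
inject_tls_paths() {
    toml="$1"; cert_path="$2"; key_path="$3"
    sed -i \
        -e "s|^\([[:space:]]*cert[[:space:]]*=[[:space:]]*\).*|\1\"$cert_path\"|" \
        -e "s|^\([[:space:]]*key[[:space:]]*=[[:space:]]*\).*|\1\"$key_path\"|" \
        "$toml"
}

# Whole procedure: fetch both secrets, write them to disk, patch the config.
run_setup_entrypoint() {
    vault="${KEYVAULT_NAME:?KEYVAULT_NAME is required}"
    cert_secret="${CERT_SECRET_NAME:?CERT_SECRET_NAME is required}"
    key_secret="${KEY_SECRET_NAME:?KEY_SECRET_NAME is required}"
    toml="${TRAEFIK_TOML:-traefik.toml}"
    cert_dir="${CERT_DIR:-certs}"
    mkdir -p "$cert_dir"
    write_pem "$(fetch_secret "$vault" "$cert_secret")" "$cert_dir/servicefabric.crt" || return 1
    write_pem "$(fetch_secret "$vault" "$key_secret")" "$cert_dir/servicefabric.key" || return 1
    inject_tls_paths "$toml" "$cert_dir/servicefabric.crt" "$cert_dir/servicefabric.key"
}

# Run the procedure only when invoked as `setup.sh run`, so the functions can
# also be sourced and exercised individually.
if [ "${1:-}" = "run" ]; then
    run_setup_entrypoint
fi
```

Invoke it as the service's SetupEntryPoint with `run` as the argument, before the entry point that starts Traefik. Because the decoded files are created with mode 0600 and the script fails closed on anything that is not PEM, a misconfigured secret name stops the deployment instead of producing a Traefik instance with an empty or garbage client certificate.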

Yeah this makes sense for me, unless we can find a way to roll this up into traefik but I'd expect the scope of the changes to be too large

lawrencegripper avatar Mar 01 '18 12:03 lawrencegripper

I have opened a PR which solves this (for Windows only as I don't have a Linux environment right now)

https://github.com/jjcollinge/traefik-on-service-fabric/pull/65

RamjotSingh avatar May 17 '18 01:05 RamjotSingh

Has there been progress made on this feature, or is it still up for grabs?

paul-mcgrath avatar Oct 12 '18 09:10 paul-mcgrath

Hi @paul-mcgrath, we now link on the main README to @RamjotSingh's work available at the following repo: https://github.com/jjcollinge/traefik-on-service-fabric#multi-environment-support-and-automated-management-of-certificates. This works for Windows only; we haven't added anything additional on the Linux side.

jjcollinge avatar Oct 16 '18 14:10 jjcollinge

Hey that's fantastic, thank you! This is exactly what we were looking to solve right now. Very much appreciated 👍

paul-mcgrath avatar Oct 16 '18 14:10 paul-mcgrath