Vault PKI Integration

[Caiyeon]

It would be nice if Goldfish could integrate with Vault's PKI backend. Given a PKI role name, Goldfish should be able to request vault to issue a certificate, and load it into memory in order to serve HTTPS requests. This would require Goldfish to be able to hot-reload its certificate, since it is very possible for vault certificates to be short-lived. Downtime should be ideally zero.

[sirlatrom]

You can see a simple way to choose server certificate per request here: https://github.com/sirlatrom/tls-sidecar-playground/blob/c669423246c12e1666ac2a5341307df85f1a3e9f/dumbserver/main.go#L84

Please copy in the tlsrotater file instead of depending on my version, as it's certainly not guaranteed to stay the same over time.

[sirlatrom]

PS: I see that with echo, you would have to use the StartServer function and provide the http.TLSConfig on the server instance like I've done in my simple example.

[Caiyeon]

There's also a chicken and egg problem. Goldfish allows for bootstrapping after launch, but launching requires the certificate. I suppose goldfish can refuse to launch on PKI without a token.

[Caiyeon]

Feature has been implemented and tested