jupyterhub / traefik-proxy

JupyterHub proxy implementation with traefik
https://jupyterhub-traefik-proxy.readthedocs.io
BSD 3-Clause "New" or "Revised" License
54 stars 30 forks source link

Support automatic Let's Encrypt certificate aquisition #105

Open yuvipanda opened 4 years ago

yuvipanda commented 4 years ago

Proposed change

Add an option to automatically get let's encrypt certificates for a given set of domains. Traefik already supports this, and we should expose this easily.

Alternative options

Alternatives are:

  1. We add extra traefik config to get our TLS certs (we do this in TLJH)
  2. Add an additional proxy in front for TLS termination (we do this in z2jh, although not with traefik proxy)

It would be nice to not have to do either of these things!

Who would use this feature?

Everyone, since everyone wantsn HTTPS!

(Optional): Suggest a solution

Upstream the automatic HTTPS code from TLJH to traefik-proxy

GeorgianaElena commented 4 years ago

This is a great idea @yuvipanda.

Right now, configuring https (manually or through let's encrypt) is possible when the proxy is externally managed. This PR however https://github.com/jupyterhub/traefik-proxy/pull/84 made ssl encryption available also for the case when the proxy is managed by the Hub (but by configuring JH and not the proxy directly).

Regarding TraefikProxy supporting Let's Encrypt:

consideRatio commented 4 years ago

I've struggled a lot with Pebble and DNS matters, and still am @GeorgianaElena!

A lot of my struggles relates to: a) The Kubernetes environment b) The Pebble Challenge Test Server limited functionality, which only return preconfigured responses. c) Pebble's -dnsserver flag, which makes Pebble use a specific DNS server, but in a different manner it otherwise would, which made it ignore CNAME entries.

At this point, I'm starting to get the pieces to fall in place, but this has been a big hurdle for me.

I think it is very viable to setup local and CI tests for traefik-proxy with Pebble, and I figure it can make it easier to develop the desired functionality. I think it is best to only use Pebble itself, and avoid introducing Pebble Challenge Test Server. It's main purpose is facilitate testing of ACME clients, while we mostly wants to test our setup of an ACME client. Pebble is what is the actual ACME server we need to test our setup against.

consideRatio commented 4 years ago

Regarding what challenges to support. I leaning towards not making trouble to support anything but the HTTP-01 challenge for now, and considering additional challenges only at a later point if ever.