Support automatic Let's Encrypt certificate aquisition

[yuvipanda]

Proposed change

Add an option to automatically get let's encrypt certificates for a given set of domains. Traefik already supports this, and we should expose this easily.

Alternative options

Alternatives are:

1. We add extra traefik config to get our TLS certs (we do this in TLJH)
2. Add an additional proxy in front for TLS termination (we do this in z2jh, although not with traefik proxy)

It would be nice to not have to do either of these things!

Who would use this feature?

Everyone, since everyone wantsn HTTPS!

(Optional): Suggest a solution

Upstream the automatic HTTPS code from TLJH to traefik-proxy

[GeorgianaElena]

This is a great idea @yuvipanda.

Right now, configuring https (manually or through let's encrypt) is possible when the proxy is externally managed. This PR however https://github.com/jupyterhub/traefik-proxy/pull/84 made ssl encryption available also for the case when the proxy is managed by the Hub (but by configuring JH and not the proxy directly).

Regarding TraefikProxy supporting Let's Encrypt:

• Should we support every option traefik supports (every type of acme challenge and their configuration)? There are a few, however: https://docs.traefik.io/v1.7/configuration/acme/
• How should we test this? I noticed that @consideRatio explores testing let's encrypt in z2jh with pebble. I tried doing the same thing here, using the Pebble Challenge Test Server, but unfortunately with not luck so far :confused:.

[consideRatio]

I've struggled a lot with Pebble and DNS matters, and still am @GeorgianaElena!

A lot of my struggles relates to: a) The Kubernetes environment b) The Pebble Challenge Test Server limited functionality, which only return preconfigured responses. c) Pebble's -dnsserver flag, which makes Pebble use a specific DNS server, but in a different manner it otherwise would, which made it ignore CNAME entries.

At this point, I'm starting to get the pieces to fall in place, but this has been a big hurdle for me.

I think it is very viable to setup local and CI tests for traefik-proxy with Pebble, and I figure it can make it easier to develop the desired functionality. I think it is best to only use Pebble itself, and avoid introducing Pebble Challenge Test Server. It's main purpose is facilitate testing of ACME clients, while we mostly wants to test our setup of an ACME client. Pebble is what is the actual ACME server we need to test our setup against.

[consideRatio]

Regarding what challenges to support. I leaning towards not making trouble to support anything but the HTTP-01 challenge for now, and considering additional challenges only at a later point if ever.