Rewrite to use traefik instead of nginx
nginx proved more complicated than hoped for, primarily due to lack of hot reloading. The two blockers were: 1. nginx won't start without SSL certs existing, but we won't get them until after nginx starts to use the webroot challenge! 2. When certificates get renewed, nginx needs a reload. We could have fixed these, but I realized the reason we were not using traefik for this was that it needs persistent disk to put its let's encrypt config in. Since that is no longer a problem due to the secret sync, I switched us over to traefik instead. *Much* cleaner, simpler and straightforward!!!
Showing
5 changed files
with
122 additions
and
118 deletions.
@@ -1,5 +1,5 @@ | ||
FROM python:3.7-buster | ||
FROM python:3.7-alpine | ||
|
||
RUN pip install --no-cache certbot kubernetes | ||
RUN pip install --no-cache kubernetes | ||
|
||
COPY autocert.py /usr/local/bin/autocert.py |
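Review bot: The `kubernetes` package on the new `RUN pip install` line is unpinned, so every rebuild of this image pulls whatever client release is current and can change autocert.py's behaviour with no change in this repository; pin it, e.g. `RUN pip install --no-cache-dir kubernetes==<pinned-version>`. The `--no-cache` spelling appears to work only because pip accepts it as an abbreviation of `--no-cache-dir`; the full flag is unambiguous and is what hadolint DL3042 checks for. The file also has no `USER` directive, so the secret-sync process runs as root inside the container unless the pod's securityContext overrides it; autocert.py only needs to read and write one Secret and one file under /etc/acme, so an unprivileged user would fit, though the `chmod 0755 /etc/acme` init container in this commit's deployment template suggests the volume permissions would need adjusting alongside.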
@@ -4,47 +4,66 @@ | |
kind: ConfigMap | ||
apiVersion: v1 | ||
metadata: | ||
name: nginx-proxy-config | ||
name: traefik-proxy-config | ||
labels: | ||
{{- include "jupyterhub.labels" . | nindent 4 }} | ||
data: | ||
proxy.conf: | | ||
map $http_upgrade $connection_upgrade { | ||
default upgrade; | ||
'' close; | ||
} | ||
server { | ||
listen 80; | ||
# Serve let's encrypt challenges from the disk shared with autocertbot | ||
location /.well-known/acme-challenge { | ||
root /usr/share/nginx/html/; | ||
} | ||
location / { | ||
# Redirect everything to HTTPS | ||
return 301 https://$host$request_uri; | ||
} | ||
} | ||
{{- range $host := .Values.proxy.https.hosts }} | ||
server { | ||
listen 443 ssl; | ||
server_name {{ $host }}; | ||
ssl_certificate /etc/letsencrypt/live/{{ $host }}/fullchain.pem; | ||
ssl_certificate_key /etc/letsencrypt/live/{{ $host }}/privkey.pem; | ||
location / { | ||
proxy_pass http://proxy-http:8000/; | ||
proxy_set_header Host $host; | ||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
# websocket headers | ||
proxy_set_header Upgrade $http_upgrade; | ||
proxy_set_header Connection $connection_upgrade; | ||
} | ||
} | ||
{{- end }} | ||
traefik.toml: | | ||
# traefik.toml file template | ||
defaultEntryPoints = ["http", "https"] | ||
logLevel = "INFO" | ||
# log errors, which could be proxy errors | ||
[accessLog] | ||
format = "json" | ||
[accessLog.filters] | ||
statusCodes = ["500-999"] | ||
[accessLog.fields.headers] | ||
[accessLog.fields.headers.names] | ||
Authorization = "redact" | ||
Cookie = "redact" | ||
Set-Cookie = "redact" | ||
X-Xsrftoken = "redact" | ||
[respondingTimeouts] | ||
idleTimeout = "10m0s" | ||
[entryPoints] | ||
[entryPoints.http] | ||
address = ":80" | ||
[entryPoints.https] | ||
address = ":443" | ||
[wss] | ||
protocol = "http" | ||
[certificatesResolvers.le.acme] | ||
email = "[email protected]" | ||
storage = "/etc/acme/acme.json" | ||
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory" | ||
[certificatesResolvers.le.acme.httpChallenge] | ||
# used during the challenge | ||
entryPoint = "http" | ||
[providers] | ||
[providers.file] | ||
filename = '/etc/traefik/dynamic.toml' | ||
dynamic.toml: | | ||
[http.routers] | ||
[http.routers.chp] | ||
rule = "PathPrefix(`/`)" | ||
service = "chp" | ||
[http.routers.chp.tls] | ||
certResolver = "le" | ||
{{- range $host := .Values.proxy.https.hosts }} | ||
[[http.routers.chp.tls.domains]] | ||
main = "{{ $host }}" | ||
{{- end}} | ||
[http.services] | ||
[http.services.chp.loadBalancer] | ||
[[http.services.chp.loadBalancer.servers]] | ||
url = "http://proxy-http:8000/" | ||
{{- end }} |
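Review bot: The new dynamic.toml defines only the TLS router `chp`, so plain-HTTP requests arriving on the `http` entrypoint are no longer redirected to HTTPS the way the removed nginx `return 301 https://$host$request_uri;` block did; unless a redirect is configured somewhere not in this commit, a user who types the bare hostname gets an error response instead of the secure site. A second router bound to the `http` entrypoint with a `redirectScheme` middleware restores that behaviour (see below); if the Traefik version in use supports entrypoint-level redirections, that achieves the same in fewer lines. Separately, `caServer` points at the Let's Encrypt staging directory and the contact `email` is hard-coded, so the issued certificates are not browser-trusted and the address cannot be set per deployment; both read better as chart values, with a comment explaining why staging is the default, mirroring the removed `--test-cert` flag this replaces.
```yaml
  dynamic.toml: |
    [http.routers]
      # Plain-HTTP router: send everything on :80 to HTTPS. The ACME
      # http challenge should be answered by traefik before routers apply.
      [http.routers.chp-http]
        rule = "PathPrefix(`/`)"
        entryPoints = ["http"]
        service = "chp"
        middlewares = ["redirect-https"]
      [http.routers.chp]
        entryPoints = ["https"]
        # … unchanged: rule, service, tls.certResolver, tls.domains range …
    [http.middlewares]
      [http.middlewares.redirect-https.redirectScheme]
        scheme = "https"
        permanent = true
    # … unchanged: http.services.chp loadBalancer …
```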
@@ -18,7 +18,7 @@ spec: | |
{{- include "jupyterhub.matchLabels" . | nindent 8 }} | ||
hub.jupyter.org/network-access-proxy-http: "true" | ||
annotations: | ||
checksum/config-map: {{ include (print .Template.BasePath "/proxy/autohttps/configmap-nginx.yaml") . | sha256sum }} | ||
checksum/config-map: {{ include (print .Template.BasePath "/proxy/autohttps/configmap.yaml") . | sha256sum }} | ||
spec: | ||
{{- if .Values.rbac.enabled }} | ||
serviceAccountName: autohttps | ||
|
@@ -30,33 +30,42 @@ spec: | |
nodeSelector: {{ toJson .Values.proxy.nodeSelector }} | ||
{{- include "jupyterhub.coreAffinity" . | nindent 6 }} | ||
volumes: | ||
- name: webroot | ||
emptyDir: {} | ||
- name: certificates | ||
emptyDir: {} | ||
- name: nginx-config | ||
- name: traefik-config | ||
configMap: | ||
name: nginx-proxy-config | ||
name: traefik-proxy-config | ||
initContainers: | ||
- name: volume-mount-hack-why-god-still | ||
image: busybox | ||
command: | ||
- /bin/sh | ||
- -c | ||
- chmod 0755 /usr/share/nginx/html /etc/letsencrypt | ||
- chmod 0755 /etc/acme | ||
volumeMounts: | ||
- name: certificates | ||
mountPath: /etc/acme | ||
- name: load-acme | ||
image: "{{ .Values.proxy.autocertbot.image.name }}:{{ .Values.proxy.autocertbot.image.tag }}" | ||
{{- with .Values.proxy.autocertbot.image.pullPolicy }} | ||
imagePullPolicy: {{ . }} | ||
{{- end }} | ||
command: ["/usr/local/bin/autocert.py", "load", "proxy-public-tls-acme", "acme.json", "/etc/acme/acme.json"] | ||
env: | ||
# We need this to get logs immediately | ||
- name: PYTHONUNBUFFERED | ||
value: "True" | ||
volumeMounts: | ||
- name: webroot | ||
mountPath: /usr/share/nginx/html | ||
- name: certificates | ||
mountPath: /etc/letsencrypt | ||
mountPath: /etc/acme | ||
containers: | ||
- name: nginx | ||
image: "{{ .Values.proxy.nginx.image.name }}:{{ .Values.proxy.nginx.image.tag }}" | ||
{{- with .Values.proxy.nginx.image.pullPolicy }} | ||
- name: traefik | ||
image: "{{ .Values.proxy.traefik.image.name }}:{{ .Values.proxy.traefik.image.tag }}" | ||
{{- with .Values.proxy.traefik.image.pullPolicy }} | ||
imagePullPolicy: {{ . }} | ||
{{- end }} | ||
resources: | ||
{{- .Values.proxy.nginx.resources | toYaml | trimSuffix "\n" | nindent 12 }} | ||
{{- .Values.proxy.traefik.resources | toYaml | trimSuffix "\n" | nindent 12 }} | ||
ports: | ||
- name: http | ||
containerPort: 80 | ||
|
@@ -65,32 +74,21 @@ spec: | |
containerPort: 443 | ||
protocol: TCP | ||
volumeMounts: | ||
- name: webroot | ||
mountPath: /usr/share/nginx/html | ||
- name: traefik-config | ||
mountPath: /etc/traefik | ||
- name: certificates | ||
mountPath: /etc/letsencrypt | ||
- name: nginx-config | ||
mountPath: /etc/nginx/conf.d/ | ||
mountPath: /etc/acme | ||
- name: certbot | ||
image: "{{ .Values.proxy.autocertbot.image.name }}:{{ .Values.proxy.autocertbot.image.tag }}" | ||
{{- with .Values.proxy.autocertbot.image.pullPolicy }} | ||
imagePullPolicy: {{ . }} | ||
{{- end }} | ||
command: ["/usr/local/bin/autocert.py"] | ||
command: ["/usr/local/bin/autocert.py", "watch-save", "proxy-public-tls-acme", "acme.json", "/etc/acme/acme.json"] | ||
env: | ||
# We need this to get logs immediately | ||
- name: PYTHONUNBUFFERED | ||
value: "True" | ||
args: | ||
- --test-cert | ||
- {{ .Release.Name }}-https-certbot-dir | ||
- [email protected] | ||
{{- range $host := .Values.proxy.https.hosts }} | ||
- {{ $host }} | ||
{{- end }} | ||
volumeMounts: | ||
- name: webroot | ||
mountPath: /usr/share/nginx/html | ||
- name: certificates | ||
mountPath: /etc/letsencrypt | ||
mountPath: /etc/acme | ||
{{- end }} |
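Review bot: In the `initContainers` hunk the new `volume-mount-hack-why-god-still` container uses the untagged `image: busybox`, which resolves to a floating `latest` and is re-pulled on any node that does not already have it; since it runs as root with a shell over the volume that will hold the ACME account key and certificate private keys, it should be pinned to a tag or digest (`image: busybox:<pinned-tag>`) like the other images in this template, which come from chart values. The `chmod 0755 /etc/acme` only fixes the directory; the acme.json that the `load-acme` init container writes there contains private keys, and traefik checks the mode of its ACME storage file and, as far as I recall, rejects one more permissive than 0600, so it is worth confirming what mode autocert.py writes and setting it explicitly if needed rather than relying on the init container. A one-line comment above the init container stating the actual problem it works around (presumably emptyDir ownership or mode) would help the next reader more than its name does.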