-
Notifications
You must be signed in to change notification settings - Fork 792
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #1636 from consideRatio/5-autohttps-cm-to-yaml
autohttps: traefik's config now configurable and in YAML
- Loading branch information
Showing
5 changed files
with
204 additions
and
125 deletions.
There are no files selected for viewing
109 changes: 109 additions & 0 deletions
109
jupyterhub/templates/proxy/autohttps/_configmap-dynamic.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,109 @@ | ||
{{- define "jupyterhub.dynamic.yaml" -}} | ||
# Content of dynamic.yaml to be merged merged with | ||
# proxy.traefik.extraDynamicConfig. | ||
# ---------------------------------------------------------------------------- | ||
http: | ||
# Middlewares tweaks requests. We define them here and reference them in | ||
# our routers. We use them to redirect http traffic and headers to proxied | ||
# web requests. | ||
# | ||
# ref: https://docs.traefik.io/middlewares/overview/ | ||
middlewares: | ||
hsts: | ||
# A middleware to add a HTTP Strict-Transport-Security (HSTS) response | ||
# header, they function as a request for browsers to enforce HTTPS on | ||
# their end in for a given time into the future, and optionally | ||
# subdomains for requests to subdomains as well. | ||
# | ||
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security | ||
headers: | ||
stsIncludeSubdomains: {{ .Values.proxy.traefik.hsts.includeSubdomains }} | ||
stsPreload: {{ .Values.proxy.traefik.hsts.preload }} | ||
stsSeconds: {{ .Values.proxy.traefik.hsts.maxAge | int64 }} | ||
# A middleware to redirect to https | ||
redirect: | ||
redirectScheme: | ||
permanent: true | ||
scheme: https | ||
# A middleware to add a X-Scheme (X-Forwarded-Proto) header that | ||
# JupyterHub's Tornado web-server needs if expecting to serve https | ||
# traffic. Without it we would run into issues like: | ||
# https://github.com/jupyterhub/jupyterhub/issues/2284 | ||
scheme: | ||
headers: | ||
customRequestHeaders: | ||
# DISCUSS ME: Can we use the X-Forwarded-Proto header instead? It | ||
# seems more recognized. Mozilla calls it the de-facto standard | ||
# header for this purpose, and Tornado recognizes both. | ||
# | ||
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto | ||
# ref: https://www.tornadoweb.org/en/stable/httpserver.html#http-server | ||
X-Scheme: https | ||
|
||
# Routers routes web requests to a service and optionally tweaks them with | ||
# middleware. | ||
# | ||
# ref: https://docs.traefik.io/routing/routers/ | ||
routers: | ||
# Route secure https traffic to the configurable-http-proxy managed by | ||
# JupyterHub. | ||
default: | ||
entrypoints: | ||
- "https" | ||
middlewares: | ||
- "hsts" | ||
- "scheme" | ||
rule: PathPrefix(`/`) | ||
service: default | ||
# Use our predefined TLS options and certificate resolver, enabling | ||
# this route to act as a TLS termination proxy with high security | ||
# standards. | ||
tls: | ||
certResolver: default | ||
domains: | ||
{{- range $host := .Values.proxy.https.hosts }} | ||
- main: {{ $host }} | ||
{{- end }} | ||
options: default | ||
|
||
# Route insecure http traffic to https | ||
insecure: | ||
entrypoints: | ||
- "http" | ||
middlewares: | ||
- "redirect" | ||
rule: PathPrefix(`/`) | ||
service: default | ||
|
||
# Services represents the destinations we route traffic to. | ||
# | ||
# ref: https://docs.traefik.io/routing/services/ | ||
services: | ||
# Represents the configurable-http-proxy (chp) server that is managed by | ||
# JupyterHub to route traffic both to itself and to user pods. | ||
default: | ||
loadBalancer: | ||
servers: | ||
- url: 'http://proxy-http:8000/' | ||
|
||
# Configure TLS to give us an A+ in the ssllabs.com test | ||
# | ||
# ref: https://www.ssllabs.com/ssltest/ | ||
tls: | ||
options: | ||
default: | ||
# Allowed ciphers adapted from Mozillas SSL Configuration Generator | ||
# configured for Intermediate support which doesn't support very old | ||
# systems but doesn't require very modern either. | ||
# | ||
# ref: https://ssl-config.mozilla.org/#server=traefik&version=2.1.2&config=intermediate&guideline=5.4 | ||
cipherSuites: | ||
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ||
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ||
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ||
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ||
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 | ||
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 | ||
minVersion: VersionTLS12 | ||
sniStrict: true | ||
{{- end }} |
68 changes: 68 additions & 0 deletions
68
jupyterhub/templates/proxy/autohttps/_configmap-traefik.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,68 @@ | ||
{{- define "jupyterhub.traefik.yaml" -}} | ||
# Content of traefik.yaml to be merged merged with | ||
# proxy.traefik.extraStaticConfig. | ||
# ---------------------------------------------------------------------------- | ||
|
||
# Config of logs about web requests | ||
# | ||
# ref: https://docs.traefik.io/observability/access-logs/ | ||
accessLog: | ||
# Redact commonly sensitive headers | ||
fields: | ||
headers: | ||
names: | ||
Authorization: redacted | ||
Cookie: redacted | ||
Set-Cookie: redacted | ||
X-Xsrftoken: redacted | ||
# Only log errors | ||
filters: | ||
statusCodes: | ||
- 500-599 | ||
|
||
# Automatically acquire certificates certificates form a Certificate | ||
# Authority (CA) like Let's Encrypt using the ACME protocol's HTTP-01 | ||
# challenge. | ||
# | ||
# ref: https://docs.traefik.io/https/acme/#certificate-resolvers | ||
certificatesResolvers: | ||
default: | ||
acme: | ||
caServer: {{ .Values.proxy.https.letsencrypt.acmeServer }} | ||
email: {{ .Values.proxy.https.letsencrypt.contactEmail }} | ||
httpChallenge: | ||
entryPoint: http | ||
storage: /etc/acme/acme.json | ||
|
||
# Let Traefik listen to port 80 and port 443 | ||
# | ||
# ref: https://docs.traefik.io/routing/entrypoints/ | ||
entryPoints: | ||
# Port 80, used for: | ||
# - ACME HTTP-01 challenges | ||
# - Redirects to HTTPS | ||
http: | ||
address: ':80' | ||
# Port 443, used for: | ||
# - TLS Termination Proxy, where HTTPS transitions to HTTP. | ||
https: | ||
address: ':443' | ||
# Configure a high idle timeout for our websockets connections | ||
transport: | ||
respondingTimeouts: | ||
idleTimeout: 10m0s | ||
|
||
# Config of logs about what happens to Traefik itself (startup, | ||
# configuration, events, shutdown, and so on). | ||
# | ||
# ref: https://docs.traefik.io/observability/logs | ||
log: | ||
level: {{ if .Values.debug.enabled -}} DEBUG {{- else -}} INFO {{- end }} | ||
|
||
# Let Traefik monitor another file we mount for dynamic configuration. As we | ||
# mount this file through this configmap, we can make a `kubectl edit` on the | ||
# configmap and have Traefik update on changes to dynamic.yaml. | ||
providers: | ||
file: | ||
filename: /etc/traefik/dynamic.yaml | ||
{{- end }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,134 +1,28 @@ | ||
{{- $HTTPS := (and .Values.proxy.https.hosts .Values.proxy.https.enabled) }} | ||
{{- $autoHTTPS := (and $HTTPS (eq .Values.proxy.https.type "letsencrypt")) }} | ||
{{- if $autoHTTPS -}} | ||
{{- $_ := required .Values.proxy.https.letsencrypt.contactEmail "proxy.https.letsencrypt.contactEmail is a required field" -}} | ||
|
||
# This configmap contains Traefik configuration files to be mounted. | ||
# - traefik.yaml will only be read during startup (static configuration) | ||
# - dynamic.yaml will be read on change (dynamic configuration) | ||
# | ||
# ref: https://docs.traefik.io/getting-started/configuration-overview/ | ||
# | ||
# The configuration files are first rendered with Helm templating to large YAML | ||
# strings. Then we use the fromYAML function on these strings to get an object, | ||
# that we in turn merge with user provided extra configuration. | ||
# | ||
kind: ConfigMap | ||
apiVersion: v1 | ||
metadata: | ||
name: traefik-proxy-config | ||
labels: | ||
{{- include "jupyterhub.labels" . | nindent 4 }} | ||
data: | ||
# This configmap provides the complete configuration for our traefik proxy. | ||
# traefik has 'static' config and 'dynamic' config (https://docs.traefik.io/getting-started/configuration-overview/) | ||
# traefik.toml contains the static config, while dynamic.toml has the dynamic config. | ||
traefik.toml: | | ||
traefik.yaml: | | ||
{{- include "jupyterhub.traefik.yaml" . | fromYaml | merge .Values.proxy.traefik.extraStaticConfig | toYaml | nindent 4 }} | ||
dynamic.yaml: | | ||
{{- include "jupyterhub.dynamic.yaml" . | fromYaml | merge .Values.proxy.traefik.extraDynamicConfig | toYaml | nindent 4 }} | ||
# We wanna listen on both port 80 & 443 | ||
[entryPoints] | ||
[entryPoints.http] | ||
# traefik is used only for TLS termination, so port 80 is just for redirects | ||
# No configuration for timeouts, etc needed | ||
address = ":80" | ||
[entryPoints.https] | ||
address = ":443" | ||
[entryPoints.https.transport.respondingTimeouts] | ||
# High idle timeout, because we have websockets | ||
idleTimeout = "10m0s" | ||
[log] | ||
level = "INFO" | ||
[accessLog] | ||
[accessLog.filters] | ||
# Only error codes | ||
statusCodes = ["500-599"] | ||
# Redact possible sensitive headers from log | ||
[accessLog.fields.headers] | ||
[accessLog.fields.headers.names] | ||
Authorization = "redact" | ||
Cookie = "redact" | ||
Set-Cookie = "redact" | ||
X-Xsrftoken = "redact" | ||
# We want certificates to come from Let's Encrypt, with the HTTP-01 challenge | ||
[certificatesResolvers.le.acme] | ||
email = {{ required "proxy.https.letsencrypt.contactEmail is a required field" .Values.proxy.https.letsencrypt.contactEmail | quote }} | ||
storage = "/etc/acme/acme.json" | ||
{{- if .Values.proxy.https.letsencrypt.acmeServer }} | ||
caServer = {{ .Values.proxy.https.letsencrypt.acmeServer | quote }} | ||
{{- end}} | ||
[certificatesResolvers.le.acme.httpChallenge] | ||
# Use our port 80 http endpoint for the HTTP-01 challenge | ||
entryPoint = "http" | ||
[providers] | ||
[providers.file] | ||
# Configuration for routers & other dynamic items come from this file | ||
# This file is also provided by this configmap | ||
filename = '/etc/traefik/dynamic.toml' | ||
dynamic.toml: | | ||
# Configure TLS to give us an A+ in the ssllabs test | ||
[tls] | ||
[tls.options] | ||
[tls.options.default] | ||
sniStrict = true | ||
# Do not support insecureTLS 1.0 or 1.1 | ||
minVersion = "VersionTLS12" | ||
# Ciphers to support, adapted from https://ssl-config.mozilla.org/#server=traefik&server-version=1.7.12&config=intermediate | ||
# This supports a reasonable number of browsers. | ||
cipherSuites = [ | ||
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", | ||
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", | ||
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", | ||
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", | ||
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", | ||
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305" | ||
] | ||
# traefik uses middlewares to set options in specific routes | ||
# These set up the middleware options, which are then referred to by the routes | ||
[http.middlewares] | ||
# Used to do http -> https redirects | ||
[http.middlewares.redirect.redirectScheme] | ||
scheme = "https" | ||
# Used to set appropriate headers in requests sent to CHP | ||
[http.middlewares.https.headers] | ||
[http.middlewares.https.headers.customRequestHeaders] | ||
# Tornado needs this for referrer checks | ||
# You run into stuff like https://github.com/jupyterhub/jupyterhub/issues/2284 otherwise | ||
X-Scheme = "https" | ||
# Used to set HSTS headers based on user provided options | ||
[http.middlewares.hsts.headers] | ||
stsSeconds = {{ int64 .Values.proxy.traefik.hsts.maxAge }} | ||
{{ if .Values.proxy.traefik.hsts.includeSubdomains }} | ||
stsIncludeSubdomains = true | ||
{{- end }} | ||
# Routers match conditions (rule) to options (middlewares) and a backend (service) | ||
[http.routers] | ||
# Listen on the http endpoint (port 80), redirect everything to https | ||
[http.routers.httpredirect] | ||
rule = "PathPrefix(`/`)" | ||
service = "chp" | ||
entrypoints = ["http"] | ||
middlewares = ["redirect"] | ||
# Listen on https endpoint (port 443), proxy everything to chp | ||
[http.routers.chp] | ||
rule = "PathPrefix(`/`)" | ||
entrypoints = ["https"] | ||
middlewares = ["hsts", "https"] | ||
service = "chp" | ||
[http.routers.chp.tls] | ||
# use our nice TLS defaults, and get HTTPS from Let's Encrypt | ||
options = "default" | ||
certResolver = "le" | ||
{{- range $host := .Values.proxy.https.hosts }} | ||
[[http.routers.chp.tls.domains]] | ||
main = "{{ $host }}" | ||
{{- end}} | ||
# Set CHP to be our only backend where traffic is routed to | ||
[http.services] | ||
[http.services.chp.loadBalancer] | ||
[[http.services.chp.loadBalancer.servers]] | ||
url = "http://proxy-http:8000/" | ||
{{- end }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters