Separate automatic HTTPS to its own deployment

jupyterhub/templates/proxy/autohttps/_README.md

@@ -0,0 +1,9 @@
+# Automatic HTTPS Terminator
+
+This directory has Kubernetes objects for automatic Let's Encrypt Support.
+When enabled, we create a new deployment object that has an nginx-ingress
+and kube-lego container in it. This is responsible for requesting,
+storing and renewing certificates as needed from Let's Encrypt.
+
+The only change required outside of this directory is in the `proxy-public`
+service, which targets different hubs based on automatic HTTPS status.

jupyterhub/templates/proxy/autohttps/deployment.yaml

@@ -0,0 +1,125 @@
+{{ $HTTPS := (and .Values.proxy.https.hosts .Values.proxy.https.enabled ) }}
+{{ $autoHTTPS := (and $HTTPS (eq .Values.proxy.https.type "letsencrypt" ) ) }}
+{{ if $autoHTTPS }}
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  labels:
+    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    component: autohttps
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+  name: autohttps
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        component: autohttps
+        release: {{ .Release.Name }}
+        heritage: {{ .Release.Service }}
+        app: kube-lego
+        hub.jupyter.org/network-access-proxy-http: "true"
+    spec:
+      {{- if .Values.rbac.enabled }}
+      serviceAccountName: autohttps
+      {{- end }}
+      nodeSelector: {{ toJson .Values.proxy.nodeSelector }}
+      affinity:
+        podAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 1
+              podAffinityTerm:
+                topologyKey: kubernetes.io/hostname
+                labelSelector:
+                  matchExpressions:
+                    - key: component
+                      operator: In
+                      values: ['hub']
+                    - key: release
+                      operator: In
+                      values: [ {{ .Release.Name | quote }} ]
+      containers:
+        - name: nginx
+          image: "{{ .Values.proxy.nginx.image.name }}:{{ .Values.proxy.nginx.image.tag }}"
+          imagePullPolicy: {{ .Values.proxy.nginx.image.pullPolicy }}
+          resources:
+{{ toYaml .Values.proxy.nginx.resources | indent 12 }}
+          args:
+            - /nginx-ingress-controller
+            - --default-backend-service={{ .Release.Namespace }}/proxy-http
+            - --configmap={{ .Release.Namespace }}/nginx-proxy-config
+            - --ingress-class=jupyterhub-proxy-tls
+            - --watch-namespace={{ .Release.Namespace }}
+            {{ if .Values.debug.enabled }}
+            - --v=3
+            {{ end }}
+          env:
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 10254
+              scheme: HTTP
+            initialDelaySeconds: 10
+            timeoutSeconds: 1
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: 10254
+              scheme: HTTP
+          ports:
+            - name: http
+              containerPort: 80
+              protocol: TCP
+            - name: https
+              containerPort: 443
+              protocol: TCP
+        - name: kube-lego
+          image: "{{ .Values.proxy.lego.image.name }}:{{ .Values.proxy.lego.image.tag }}"
+          imagePullPolicy: {{ .Values.proxy.lego.image.pullPolicy }}
+          resources:
+{{ toYaml .Values.proxy.lego.resources | indent 12 }}
+          env:
+            - name: LEGO_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: LEGO_WATCH_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: LEGO_POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
+            - name: LEGO_EMAIL
+              # {{ required "proxy.https.letsencrypt.contactEmail is a required field" .Values.proxy.https.letsencrypt.contactEmail }}
+              value: {{ .Values.proxy.https.letsencrypt.contactEmail | quote }}
+            - name: LEGO_SUPPORTED_INGRESS_PROVIDER
+              value: "nginx"
+            - name: LEGO_SUPPORTED_INGRESS_CLASS
+              value: "jupyterhub-proxy-tls,dummy"
+            - name: LEGO_DEFAULT_INGRESS_CLASS
+              value: "jupyterhub-proxy-tls"
+            - name: LEGO_KUBE_ANNOTATION
+              value: "hub.jupyter.org/tls-terminator"
+            - name: LEGO_URL
+              value: "https://acme-v01.api.letsencrypt.org/directory"
+          ports:
+            - containerPort: 8080
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: 8080
+            initialDelaySeconds: 5
+            timeoutSeconds: 1
+      terminationGracePeriodSeconds: 60
+{{ end }}

jupyterhub/templates/proxy/ingress-internal.yaml → jupyterhub/templates/proxy/autohttps/ingress-internal.yaml

@@ -1,4 +1,6 @@
-{{- if and .Values.proxy.https.enabled .Values.proxy.https.hosts }}
+{{ $HTTPS := (and .Values.proxy.https.hosts .Values.proxy.https.enabled ) }}
+{{ $autoHTTPS := (and $HTTPS (eq .Values.proxy.https.type "letsencrypt" ) ) }}
+{{ if $autoHTTPS }}
 # This is solely used to provide auto HTTPS with our bundled kube-lego
 apiVersion: extensions/v1beta1
 kind: Ingress
@@ -20,15 +22,7 @@ spec:
       host: {{ $host }}
     {{- end }}
   tls:
-    {{- if eq .Values.proxy.https.type "letsencrypt" }}
     - secretName: kubelego-tls-proxy-{{ .Release.Name }}
-    {{- else if eq .Values.proxy.https.type "manual" }}
-    - secretName: manual-tls-proxy-{{ .Release.Name }}
-    {{- else }}
-    # unhandled type
-    # it would be nice if helm had an `error` function
-    {{ required (printf "https.type must be 'manual' or 'letsencrypt', not '%s'" .Values.proxy.https.type)  ._undefined }}
-    {{- end }}
       hosts:
 {{ toYaml .Values.proxy.https.hosts | indent 8 }}
 {{- end }}

jupyterhub/templates/proxy/autohttps/nginx-configmap.yaml

@@ -0,0 +1,10 @@
+{{ $HTTPS := (and .Values.proxy.https.hosts .Values.proxy.https.enabled ) }}
+{{ $autoHTTPS := (and $HTTPS (eq .Values.proxy.https.type "letsencrypt" ) ) }}
+{{ if $autoHTTPS }}
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: nginx-proxy-config
+data:
+  proxy-body-size: "{{ .Values.proxy.nginx.proxyBodySize }}"
+{{ end }}

jupyterhub/templates/proxy/rbac.yaml → jupyterhub/templates/proxy/autohttps/rbac.yaml

@@ -1,3 +1,6 @@
+{{ $HTTPS := (and .Values.proxy.https.hosts .Values.proxy.https.enabled ) }}
+{{ $autoHTTPS := (and $HTTPS (eq .Values.proxy.https.type "letsencrypt" ) ) }}
+{{ if $autoHTTPS }}
 {{ if .Values.rbac.enabled -}}
 # This is way too many permissions, but apparently the nginx-controller
 # is written to sortof assume it is clusterwide ingress provider.
@@ -81,7 +84,7 @@ roleRef:
   name: nginx-{{ .Release.Name }}
 subjects:
   - kind: ServiceAccount
-    name: proxy
+    name: autohttps
     namespace: {{ .Release.Namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
@@ -179,7 +182,7 @@ roleRef:
   name: nginx
 subjects:
   - kind: ServiceAccount
-    name: proxy
+    name: autohttps
     namespace: {{ .Release.Namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
@@ -196,7 +199,7 @@ roleRef:
   name: kube-lego
 subjects:
   - kind: ServiceAccount
-    name: proxy
+    name: autohttps
     namespace: {{ .Release.Namespace }}
 ---
 apiVersion: v1
@@ -207,5 +210,6 @@ metadata:
     chart: {{ .Chart.Name }}-{{ .Chart.Version }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
-  name: proxy
+  name: autohttps
 {{- end }}
+{{ end }}

jupyterhub/templates/proxy/autohttps/service.yaml

@@ -0,0 +1,21 @@
+{{ $HTTPS := (and .Values.proxy.https.hosts .Values.proxy.https.enabled ) }}
+{{ $autoHTTPS := (and $HTTPS (eq .Values.proxy.https.type "letsencrypt" ) ) }}
+{{ if $autoHTTPS }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: proxy-http
+  # toYaml + indent seem a lot more unstable & error prone
+  annotations: {{ toJson .Values.proxy.service.annotations }}
+  labels: {{ toJson .Values.proxy.service.labels }}
+spec:
+  type: ClusterIP
+  selector:
+    name: proxy
+    component: proxy
+    release: {{ .Release.Name }}
+  ports:
+    - protocol: TCP
+      port: 8000
+      targetPort: 8000
+{{ end }}