Extending guide with DNS and letsencrypt #15
Comments
Thanks for filing the issue! I agree letsencrypt integration is the right thing to do. |
We should definitely add letsencrypt to the walkthrough! Letsencrypt works right now, we just need to add it to the docs. FWIW, I believe this is the config necessary for letsencrypt to work in the helm chart as it is now:

```yaml
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
  host: your-public-host.biz
  https:
    enabled: true
    type: "kube-lego"
proxy:
  service:
    type: ClusterIP
```

@yuvipanda is any of that superfluous? Could we reduce the necessary config to something more like:

```yaml
letsencrypt:
  domain: yourdomain.horse
  email: you@yourdomain.horse
```

which would trigger the ingress, ClusterIP, etc. config? |
https://hackmd.io/CYNgjKDsIEwLQGMCmBWALHNsVwIYlwwGYw0ZRdIAjXADhSA= might be more up to date? |
OK. Putting this here to document, @yuvipanda would love some help before JupyterCon next week. I'm currently running into this, I believe. The proxy service returns a 302 by default, so I think this breaks google cloud's health checking: You can go to https://train.thedataincubator.co/ and see that https has worked (I had to set the lego backend to be "gce", not "nginx"). However, the routing to the
Long story short: I think that either |
@cmoscardi just curious, when you ran
did the name of the kube-lego ingress first appear as kube-lego-nginx (as it does in my case)? Did you manually change it later to kube-lego-gce? |
hey, sorry for the delay @Winterflower - so, I'll be back with more shortly. But yes, I explicitly changed the service to Right, so with nginx, I don't see any sort of nginx backend actually turn on that would be able to serve the validation string for Let's Encrypt. In particular, I see this:
So now I have to figure out setting GCE in the Well, I went down another track and discovered that I had not done a This led me to notice the following in the list of services... The thing to note is that there are two kube-lego-nginx things running. So this is a mystery to me. |
hihi @cmoscardi ! Edit: I am currently hit by this issue for kube-lego jetstack/kube-lego#256 The health checks are a second issue (like you say in your original post). Good news is that you can redirect them to another URL such as /healthz from the Compute Engine Health Checks screen. I think @tothandras is working on something for configurable-http-proxy. jupyterhub/configurable-http-proxy#124 |
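The health-check failure discussed in the comments above, as an added example that is not part of the thread or the project's code: a strict HTTP health check that does not follow redirects and accepts only a 200 marks a backend answering `/` with a 302 as unhealthy, while a dedicated path such as `/healthz` passes. `ProxyStub`, `probe`, `run_demo` and the redirect target are constructed for illustration, and the strict 200-only behaviour is the stated assumption about the checker.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class ProxyStub(BaseHTTPRequestHandler):
    """Constructed stand-in for the proxy: 200 on /healthz, 302 elsewhere."""

    def do_GET(self):
        healthy = self.path == "/healthz"
        self.send_response(200 if healthy else 302)
        if not healthy:
            # Constructed redirect target; the real one is not given in the thread.
            self.send_header("Location", "/constructed-target")
        body = b"ok" if healthy else b""
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def probe(host, port, path, timeout=2.0):
    """Return (healthy, status): no redirect following, only 200 is healthy."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        status = conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return False, None  # unreachable backends are unhealthy too
    finally:
        conn.close()
    return status == 200, status


def run_demo():
    """Probe '/' and '/healthz' on a local stub bound to an ephemeral port."""
    server = HTTPServer(("127.0.0.1", 0), ProxyStub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        return {p: probe("127.0.0.1", port, p) for p in ("/", "/healthz")}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, (healthy, status) in run_demo().items():
        print(f"{path:10} status={status} healthy={healthy}")
```

Running `probe` against a real ingress backend before enabling HTTPS shows whether the load balancer will ever mark it healthy on the configured path.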
Upgrade pip because upgrade pip.
So, after enough fiddling with it, I did get it to work! In particular, I deleted the "default https check" under the health checks page and things started working. Notably that health check is claiming not to be used by anything? (vs. the others which say they're in use by things like How does this work? We just don't know. But I now might be able to fashion a PR out of this (for GKE people, at least). UPDATE: I think it might have actually been two things. Sorry I'm just flying so blind here.
|
Right. Now, on the latest master, I'm encountering a new thing. From chrome:
This is with the "gce" ingress above, health check set appropriately (and apparently everything is healthy). Let's encrypt has successfully run (according to the logs). There's probably some firewall rule I need to set? Or, an extra firewall rule being created that I needed to delete.... So that's issue #1, it seems. Now, the next thing to happen is that upon going to https://t5.thedataincubator.co, I get redirected to
And there's nothing in the hub logs about requests inbound from the proxy. However, the standard open http:// proxy-public link works. |
As a point of good practice, I'll remark that I did get GCE ingress + https with let's encrypt working. If you're reading this and want to also make it work, feel free to reply here and I'll get back to you ASAP with my instructions. It's a rather intricate set of steps. It doesn't seem to be of general interest, though (there's a motion to get nginx working) |
#229 adds support for SSL with letsencrypt with:

```yaml
proxy:
  hosts:
    - <your-host>
  letsencrypt:
    contactEmail: <your-email>
```
|
I think a guide for extending this zero to Jhub guide with a DNS server and letsencrypt would be essential.
If the DNS + letsencrypt set-up is made, it makes much more sense to detail different authenticators, since we really want SSL encryption before working with passwords etc.
Maybe include this in the default set-up, since the default currently uses no SSL, which is not recommended.