autohttps: traefik's config now configurable and in YAML #1636
Conversation
consideRatio
changed the title
|
(removed to avoid clutter) |
Traefik can be configured with both YAML and TOML, this transitioned the current TOML configuration to a YAML configuration. - I added some comments while learning about the configuration as well. - I made the log level become DEBUG if debug.enabled was configured - We now explicitly set the ACME server to use and avoids using Traefik's default value.
consideRatio
force-pushed
the
5-autohttps-cm-to-yaml
branch
from
3b35082
to
441b098
Compare
consideRatio
changed the title
|
@yuvipanda and @GeorgianaElena, I make a trick I do in this PR to configure Traefik in a way that hopefully avoids a very common problem for Helm charts - that we end up adding more and more and more templating in order to allow the user to configure more and more. The trick allow us to take a rendered Helm template and let the user merge any additional configuration into it!
By this approach, I hope we can avoid a common Helm chart problem described in this video. What do you think? |
There was a problem hiding this comment.
Great work @consideRatio ❤️
I love the idea of letting users add their own custom config and that the static and dynamic config are separated into their own files. This seems less scary than having one big file and it's very nice that you don't need to restart whenever you modify dynamic config pieces.
LGTM 🎉
From the [RFC documentation](https://tools.ietf.org/html/rfc6797#section-7.2) it seems like we "SHOULD" make the http->https redirect permanent (301) instead of a temporary redirect (302), and that we "MUST NOT" include an STS header in our redirect response over HTTP which is insecure.
A preload value in the STS header indicates that the webserver wants the browser to add this website to a list which should be considered to be HTTPS only that can influence other browsers that haven't even visisted this webserver before. One can also manually add oneself to such list from https://hstspreload.org/ if one complies with their requirements, of which one is that a preload value in the STS header is specified.
consideRatio
force-pushed
the
5-autohttps-cm-to-yaml
branch
from
032daba
to
eb13535
Compare
|
After having read more about HSTS, I also added the option to specify the preload directive of the STS header. For more info, read at https://hstspreload.org/. I followed the RFC specification and didn't enable this by default according to their recommendation. |
|
I think this is ready for merge now! @jcrist as a developer of the dask-gateway helm chart, I want to suggest usage of this pattern to configure your executables. Helm has an issue, and this pattern avoids it to a large degree. |
PR summary
YAML instead of TOML
The autohttps deployment run Traefik, and we are in this PR switching from configuring it with YAML instead of TOML, for two reasons.
fromYamlexists, but notfromToml), and I want to use this.Extensible configuration in a sustainable way
The configuration options
proxy.traefik.extraStaticConfigand.extraDynamicConfigare added to allow a chart user to add generic configuration into Traefik's config. By doing so, we setup for a more sustainable experience that doesn't require the Chart maintainers to add more and more templating options, while also allowing the chart user to configure whatever is of relevance.The end goal of this work is to help for example BinderHub hook into our automatic HTTPS setup by adding endpoints that traefik can route to to get HTTPS through Z2JH's setup.
Implementation tricks explained
I've opted to create defined templates, one to render each Traefik configuration file. This allow me to take it and pass the rendered templates to
fromYamlthat transforms it back to an object as compared to big string of YAML. Following that, we can merge this object with.extra<Static|Dynamic>Config.By doing this, we get to inject content from for example
proxy.https.hostsinto the configuration, and also allow the chart user to then do any change it likes.