wip: simplify ssl configuration

- move SSL configuration to entrypoint instead of on every router
- add passthrough extra_static_config and extra_dynamic_config options for traefik
- remove several individual config keys for providers in favor of generalized passthrough `etcd_client_kwargs` and `consul_client_kwargs`

Author: minrk

dev-requirements.txt

@@ -1,4 +1,5 @@
 black
+certipy
 codecov
 # etcd3 & python-consul2 are now soft dependencies
 # Adding them here prevents CI from failing

jupyterhub_traefik_proxy/consul.py

@@ -22,9 +22,10 @@
 import string
 from urllib.parse import urlparse
 
-from traitlets import Any, Unicode, default
+from traitlets import Any, Dict, Unicode, default
 
 from .kv_proxy import TKvProxy
+from .traefik_utils import deep_merge
 
 
 class TraefikConsulProxy(TKvProxy):
@@ -35,11 +36,9 @@ class TraefikConsulProxy(TKvProxy):
     # Consul doesn't accept keys containing // or starting with / so we have to escape them
     key_safe_chars = string.ascii_letters + string.digits + "!@#$%^&*();<>-.+?:"
 
-    consul_client_ca_cert = Unicode(
+    consul_client_kwargs = Dict(
         config=True,
-        allow_none=True,
-        default_value=None,
-        help="""Consul client root certificates""",
+        help="Extra consul client constructor arguments",
     )
 
     consul_url = Unicode(
@@ -85,10 +84,11 @@ def _default_client(self):
         kwargs = {
             "host": consul_service.hostname,
             "port": consul_service.port,
-            "cert": self.consul_client_ca_cert,
         }
         if self.consul_password:
             kwargs.update({"token": self.consul_password})
+        if self.consul_client_kwargs:
+            kwargs.update(self.consul_client_kwargs)
         return consul.aio.Consul(**kwargs)
 
     def __init__(self, **kwargs):
@@ -105,11 +105,9 @@ def _setup_traefik_static_config(self):
             }
         }
 
-        # FIXME: Same with the tls info
-        if self.consul_client_ca_cert:
-            provider_config["consul"]["tls"] = {"ca": self.consul_client_ca_cert}
-
-        self.static_config.update({"providers": provider_config})
+        self.static_config = deep_merge(
+            self.static_config, {"providers": provider_config}
+        )
         return super()._setup_traefik_static_config()
 
     def _start_traefik(self):

jupyterhub_traefik_proxy/etcd.py

@@ -22,9 +22,10 @@
 from urllib.parse import urlparse
 
 from tornado.concurrent import run_on_executor
-from traitlets import Any, Bool, List, Unicode, default
+from traitlets import Any, Dict, Unicode, default
 
 from .kv_proxy import TKvProxy
+from .traefik_utils import deep_merge
 
 
 class TraefikEtcdProxy(TKvProxy):
@@ -34,42 +35,9 @@ class TraefikEtcdProxy(TKvProxy):
 
     provider_name = "etcd"
 
-    etcd_client_ca_cert = Unicode(
+    etcd_client_kwargs = Dict(
         config=True,
-        allow_none=True,
-        default_value=None,
-        help="""Etcd client root certificates""",
-    )
-
-    etcd_client_cert_crt = Unicode(
-        config=True,
-        allow_none=True,
-        default_value=None,
-        help="""Etcd client certificate chain
-            (etcd_client_cert_key must also be specified)""",
-    )
-
-    etcd_client_cert_key = Unicode(
-        config=True,
-        allow_none=True,
-        default_value=None,
-        help="""Etcd client private key
-            (etcd_client_cert_crt must also be specified)""",
-    )
-
-    # The grpc client (used by the Python etcd library) doesn't allow untrusted
-    # etcd certificates, although traefik does allow them.
-    etcd_insecure_skip_verify = Bool(
-        False,
-        config=True,
-        help="""Traefik will by default validate SSL certificate of etcd backend""",
-    )
-
-    grpc_options = List(
-        config=True,
-        allow_none=True,
-        default_value=None,
-        help="""Any grpc options that need to be passed to the etcd client""",
+        help="""Extra keyword arguments to pass to the etcd Python client constructor""",
     )
 
     @default("executor")
@@ -120,10 +88,6 @@ def _default_client(self):
         kwargs = {
             'host': etcd_service.hostname,
             'port': etcd_service.port,
-            'ca_cert': self.etcd_client_ca_cert,
-            'cert_cert': self.etcd_client_cert_crt,
-            'cert_key': self.etcd_client_cert_key,
-            'grpc_options': self.grpc_options,
         }
         if self.etcd_password:
             kwargs.update(
@@ -132,6 +96,9 @@ def _default_client(self):
                     "password": self.etcd_password,
                 }
             )
+        if self.etcd_client_kwargs:
+            kwargs.update(self.etcd_client_kwargs)
+        print(f"Creating etcd with {kwargs=}")
         return etcd3.client(**kwargs)
 
     def _cleanup(self):
@@ -194,29 +161,27 @@ async def _kv_atomic_delete(self, *keys):
     def _setup_traefik_static_config(self):
         self.log.debug("Setting up the etcd provider in the static config")
         url = urlparse(self.etcd_url)
-        self.static_config.update(
-            {
-                "providers": {
-                    "etcd": {
-                        "endpoints": [url.netloc],
-                        "rootKey": self.kv_traefik_prefix,
-                    }
-                }
-            }
-        )
+        etcd_config = {
+            "endpoints": [url.netloc],
+            "rootKey": self.kv_traefik_prefix,
+        }
         if url.scheme == "https":
             # If etcd is running over TLS, then traefik needs to know
-            tls_conf = {}
-            if self.etcd_client_ca_cert is not None:
-                tls_conf["ca"] = self.etcd_client_ca_cert
-            tls_conf["insecureSkipVerify"] = self.etcd_insecure_skip_verify
-            self.static_config["providers"]["etcd"]["tls"] = tls_conf
+            etcd_config["tls"] = {}
+            # tls_conf = {}
+            # if self.etcd_client_ca_cert is not None:
+            #     tls_conf["ca"] = self.etcd_client_ca_cert
+            # tls_conf["insecureSkipVerify"] = self.etcd_insecure_skip_verify
+            # self.static_config["providers"]["etcd"]["tls"] = tls_conf
 
         if self.etcd_username and self.etcd_password:
-            self.static_config["providers"]["etcd"].update(
+            etcd_config.update(
                 {
                     "username": self.etcd_username,
                     "password": self.etcd_password,
                 }
             )
+        self.static_config = deep_merge(
+            self.static_config, {"providers": {"etcd": etcd_config}}
+        )
         return super()._setup_traefik_static_config()

jupyterhub_traefik_proxy/proxy.py

@@ -32,6 +32,7 @@
 from traitlets import Any, Bool, Dict, Integer, Unicode, default, observe, validate
 
 from . import traefik_utils
+from .traefik_utils import deep_merge
 
 
 class TraefikProxy(Proxy):
@@ -65,6 +66,25 @@ def _concurrency_changed(self, change):
         "traefik.toml", config=True, help="""traefik's static configuration file"""
     )
 
+    extra_static_config = Dict(
+        config=True,
+        help="""Extra static configuration for treafik.
+
+        Merged with the default static config before writing to `.static_config_file`.
+
+        Has no effect if `Proxy.should_start` is False.
+        """,
+    )
+    extra_dynamic_config = Dict(
+        config=True,
+        help="""Extra dynamic configuration for treafik.
+
+        Merged with the default dynamic config during startup.
+
+        Always takes effect.
+        """,
+    )
+
     toml_static_config_file = Unicode(
         config=True,
         help="Deprecated. Use static_config_file",
@@ -188,13 +208,6 @@ def _add_port(self, proposal):
             url = urlunparse(parsed)
         return url
 
-    traefik_cert_resolver = Unicode(
-        config=True,
-        help="""The traefik certificate Resolver to use for requesting certificates""",
-    )
-
-    # FIXME: How best to enable TLS on routers assigned to only select
-    # entrypoints defined here?
     traefik_entrypoint = Unicode(
         help="""The traefik entrypoint name to use.
 
@@ -414,14 +427,16 @@ async def _setup_traefik_static_config(self):
         Subclasses should specify any traefik providers themselves, in
         :attrib:`self.static_config["providers"]`
         """
-        self.static_config["providers"][
-            "providersThrottleDuration"
-        ] = self.traefik_providers_throttle_duration
-
+        static_config = {
+            "api": {},
+            "providers": {
+                "providersThrottleDuration": self.traefik_providers_throttle_duration,
+            },
+        }
         if self.traefik_log_level:
-            self.static_config["log"] = {"level": self.traefik_log_level}
+            static_config["log"] = {"level": self.traefik_log_level}
 
-        entrypoints = {
+        entrypoints = static_config["entryPoints"] = {
             self.traefik_entrypoint: {
                 "address": urlparse(self.public_url).netloc,
             },
@@ -430,8 +445,20 @@ async def _setup_traefik_static_config(self):
             },
         }
 
-        self.static_config["entryPoints"] = entrypoints
-        self.static_config["api"] = {}
+        if self.is_https:
+            entrypoints[self.traefik_entrypoint]["http"] = {
+                "tls": {
+                    "options": "default",
+                }
+            }
+
+        # load what we just defined at _lower_ priority
+        # than anything added to self.static_config in a subclass before this
+        self.static_config = deep_merge(static_config, self.static_config)
+        if self.extra_static_config:
+            self.static_config = deep_merge(
+                self.static_config, self.extra_static_config
+            )
 
         self.log.info(f"Writing traefik static config: {self.static_config}")
 
@@ -446,29 +473,46 @@ async def _setup_traefik_dynamic_config(self):
         self.log.debug("Setting up traefik's dynamic config...")
         self._generate_htpassword()
         api_url = urlparse(self.traefik_api_url)
-        api_path = api_url.path if api_url.path else '/api'
+        api_path = api_url.path if api_url.path.strip("/") else '/api'
         api_credentials = (
             f"{self.traefik_api_username}:{self.traefik_api_hashed_password}"
         )
-        http = self.dynamic_config.setdefault("http", {})
-        routers = http.setdefault("routers", {})
+        dynamic_config = {
+            "http": {
+                "routers": {},
+                "middlewares": {},
+            }
+        }
+        dynamic_config["http"]
+        routers = dynamic_config["http"]["routers"]
+        middlewares = dynamic_config["http"]["middlewares"]
         routers["route_api"] = {
             "rule": f"Host(`{api_url.hostname}`) && PathPrefix(`{api_path}`)",
             "entryPoints": [self.traefik_api_entrypoint],
             "service": "api@internal",
             "middlewares": ["auth_api"],
         }
-        middlewares = http.setdefault("middlewares", {})
         middlewares["auth_api"] = {"basicAuth": {"users": [api_credentials]}}
+
+        # add default ssl cert/keys
         if self.ssl_cert and self.ssl_key:
-            tls = self.dynamic_config.setdefault("tls", {})
-            stores = tls.setdefault("stores", {})
-            stores["default"] = {
-                "defaultCertificate": {
-                    "certFile": self.ssl_cert,
-                    "keyFile": self.ssl_key,
+            dynamic_config["tls"] = {
+                "stores": {
+                    "default": {
+                        "defaultCertificate": {
+                            "certFile": self.ssl_cert,
+                            "keyFile": self.ssl_key,
+                        }
+                    }
                 }
             }
+
+        self.dynamic_config = deep_merge(dynamic_config, self.dynamic_config)
+        if self.extra_dynamic_config:
+            self.dynamic_config = deep_merge(
+                self.dynamic_config, self.extra_dynamic_config
+            )
+
         await self._apply_dynamic_config(self.dynamic_config, None)
 
     def validate_routespec(self, routespec):
@@ -556,19 +600,6 @@ def _dynamic_config_for_route(self, routespec, target, data):
             "loadBalancer": {"servers": [{"url": target}], "passHostHeader": True}
         }
 
-        # Enable TLS on this router if globally enabled
-        if self.is_https:
-            tls_config = {}
-            if self.traefik_cert_resolver:
-                tls_config["certResolver"] = self.traefik_cert_resolver
-            else:
-                # we need _some_ key to be set
-                # because key-value stores can't store empty dicts.
-                # put a default value here
-                tls_config["options"] = "default"
-
-            router["tls"] = tls_config
-
         # Add the data node to a separate top-level node, so traefik doesn't see it.
         # key needs to be key-value safe (no '/')
         # store original routespec, router, service aliases for easy lookup

tests/config_files/fake-ca-cert.crt renamed to tests/config_files/etcd/ca.crt

@@ -13,5 +13,8 @@ watch = true
 [entryPoints.https]
 address = "127.0.0.1:8000"
 
+[entryPoints.https.http.tls]
+options = "default"
+
 [entryPoints.auth_api]
 address = "127.0.0.1:8099"