Merge pull request #199 from minrk/simplify-tls

simplify ssl, passthrough configuration

Author: GeorgianaElena

dev-requirements.txt

@@ -1,4 +1,5 @@
 black
+certipy
 codecov
 # etcd3 & python-consul2 are now soft dependencies
 # Adding them here prevents CI from failing

jupyterhub_traefik_proxy/consul.py

@@ -22,9 +22,10 @@
 import string
 from urllib.parse import urlparse
 
-from traitlets import Any, Unicode, default
+from traitlets import Any, Dict, Unicode, default
 
 from .kv_proxy import TKvProxy
+from .traefik_utils import deep_merge
 
 
 class TraefikConsulProxy(TKvProxy):
@@ -35,11 +36,9 @@ class TraefikConsulProxy(TKvProxy):
     # Consul doesn't accept keys containing // or starting with / so we have to escape them
     key_safe_chars = string.ascii_letters + string.digits + "!@#$%^&*();<>-.+?:"
 
-    consul_client_ca_cert = Unicode(
+    consul_client_kwargs = Dict(
         config=True,
-        allow_none=True,
-        default_value=None,
-        help="""Consul client root certificates""",
+        help="Extra consul client constructor arguments",
     )
 
     consul_url = Unicode(
@@ -85,10 +84,11 @@ def _default_client(self):
         kwargs = {
             "host": consul_service.hostname,
             "port": consul_service.port,
-            "cert": self.consul_client_ca_cert,
         }
         if self.consul_password:
             kwargs.update({"token": self.consul_password})
+        if self.consul_client_kwargs:
+            kwargs.update(self.consul_client_kwargs)
         return consul.aio.Consul(**kwargs)
 
     def __init__(self, **kwargs):
@@ -105,11 +105,9 @@ def _setup_traefik_static_config(self):
             }
         }
 
-        # FIXME: Same with the tls info
-        if self.consul_client_ca_cert:
-            provider_config["consul"]["tls"] = {"ca": self.consul_client_ca_cert}
-
-        self.static_config.update({"providers": provider_config})
+        self.static_config = deep_merge(
+            self.static_config, {"providers": provider_config}
+        )
         return super()._setup_traefik_static_config()
 
     def _start_traefik(self):

jupyterhub_traefik_proxy/etcd.py

@@ -22,9 +22,10 @@
 from urllib.parse import urlparse
 
 from tornado.concurrent import run_on_executor
-from traitlets import Any, Bool, List, Unicode, default
+from traitlets import Any, Dict, Unicode, default
 
 from .kv_proxy import TKvProxy
+from .traefik_utils import deep_merge
 
 
 class TraefikEtcdProxy(TKvProxy):
@@ -34,42 +35,9 @@ class TraefikEtcdProxy(TKvProxy):
 
     provider_name = "etcd"
 
-    etcd_client_ca_cert = Unicode(
+    etcd_client_kwargs = Dict(
         config=True,
-        allow_none=True,
-        default_value=None,
-        help="""Etcd client root certificates""",
-    )
-
-    etcd_client_cert_crt = Unicode(
-        config=True,
-        allow_none=True,
-        default_value=None,
-        help="""Etcd client certificate chain
-            (etcd_client_cert_key must also be specified)""",
-    )
-
-    etcd_client_cert_key = Unicode(
-        config=True,
-        allow_none=True,
-        default_value=None,
-        help="""Etcd client private key
-            (etcd_client_cert_crt must also be specified)""",
-    )
-
-    # The grpc client (used by the Python etcd library) doesn't allow untrusted
-    # etcd certificates, although traefik does allow them.
-    etcd_insecure_skip_verify = Bool(
-        False,
-        config=True,
-        help="""Traefik will by default validate SSL certificate of etcd backend""",
-    )
-
-    grpc_options = List(
-        config=True,
-        allow_none=True,
-        default_value=None,
-        help="""Any grpc options that need to be passed to the etcd client""",
+        help="""Extra keyword arguments to pass to the etcd Python client constructor""",
     )
 
     @default("executor")
@@ -120,10 +88,6 @@ def _default_client(self):
         kwargs = {
             'host': etcd_service.hostname,
             'port': etcd_service.port,
-            'ca_cert': self.etcd_client_ca_cert,
-            'cert_cert': self.etcd_client_cert_crt,
-            'cert_key': self.etcd_client_cert_key,
-            'grpc_options': self.grpc_options,
         }
         if self.etcd_password:
             kwargs.update(
@@ -132,6 +96,8 @@ def _default_client(self):
                     "password": self.etcd_password,
                 }
             )
+        if self.etcd_client_kwargs:
+            kwargs.update(self.etcd_client_kwargs)
         return etcd3.client(**kwargs)
 
     def _cleanup(self):
@@ -194,29 +160,22 @@ async def _kv_atomic_delete(self, *keys):
     def _setup_traefik_static_config(self):
         self.log.debug("Setting up the etcd provider in the static config")
         url = urlparse(self.etcd_url)
-        self.static_config.update(
-            {
-                "providers": {
-                    "etcd": {
-                        "endpoints": [url.netloc],
-                        "rootKey": self.kv_traefik_prefix,
-                    }
-                }
-            }
-        )
+        etcd_config = {
+            "endpoints": [url.netloc],
+            "rootKey": self.kv_traefik_prefix,
+        }
         if url.scheme == "https":
             # If etcd is running over TLS, then traefik needs to know
-            tls_conf = {}
-            if self.etcd_client_ca_cert is not None:
-                tls_conf["ca"] = self.etcd_client_ca_cert
-            tls_conf["insecureSkipVerify"] = self.etcd_insecure_skip_verify
-            self.static_config["providers"]["etcd"]["tls"] = tls_conf
+            etcd_config["tls"] = {}
 
         if self.etcd_username and self.etcd_password:
-            self.static_config["providers"]["etcd"].update(
+            etcd_config.update(
                 {
                     "username": self.etcd_username,
                     "password": self.etcd_password,
                 }
             )
+        self.static_config = deep_merge(
+            self.static_config, {"providers": {"etcd": etcd_config}}
+        )
         return super()._setup_traefik_static_config()

jupyterhub_traefik_proxy/fileprovider.py

@@ -92,6 +92,7 @@ def _persist_dynamic_config(self):
                     http.pop(key)
             if not http:
                 dynamic_config.pop("http")
+        self.log.debug("Writing dynamic config %s", dynamic_config)
         self.dynamic_config_handler.atomic_dump(dynamic_config)
 
     async def _setup_traefik_dynamic_config(self):

jupyterhub_traefik_proxy/kv_proxy.py

@@ -319,13 +319,22 @@ def by_depth(item):
             key_path = key.split(sep)
             d = tree
             for parent_key, key in zip(key_path[:-1], key_path[1:]):
-                if parent_key not in d:
+                if parent_key.isdigit():
+                    parent_key = int(parent_key)
+                if isinstance(d, dict) and parent_key not in d:
                     # create container
                     if key.isdigit():
                         # integer keys mean it's a list
                         d[parent_key] = []
                     else:
                         d[parent_key] = {}
+                elif isinstance(d, list):
+                    if key.isdigit():
+                        # integer keys mean it's a list
+                        next_d = []
+                    else:
+                        next_d = {}
+                    d.append(next_d)
                 # walk down to the next level
                 d = d[parent_key]
             if isinstance(d, list):