Merge pull request #1758 from yuvipanda/no-ssl

https: Only expose port 443 if we really have HTTPS on
jupyterhub · Sep 8, 2020 · cd1eff7 · cd1eff7
2 parents 96a23f9 + eef09dd
commit cd1eff7
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 8 deletions.
diff --git a/doc/source/administrator/security.md b/doc/source/administrator/security.md
@@ -41,6 +41,7 @@ changes to your `config.yaml` file:
    ```yaml
    proxy:
      https:
+       enabled: true
        hosts:
          - <your-domain-name>
        letsencrypt:
@@ -80,8 +81,7 @@ There are two ways to specify your manual certificate, directly in the config.ya
     ```yaml
     proxy:
       https:
-        hosts:
-          - <your-domain-name>
+        enabled: true
         type: manual
         manual:
           key: |
@@ -109,6 +109,7 @@ There are two ways to specify your manual certificate, directly in the config.ya
     ```yaml
     proxy:
       https:
+        enabled: true
         hosts:
           - <your-domain-name>
         type: secret

diff --git a/jupyterhub/templates/proxy/service.yaml b/jupyterhub/templates/proxy/service.yaml
@@ -1,8 +1,10 @@
-{{- $HTTPS := .Values.proxy.https.enabled -}}
-{{- $autoHTTPS := and $HTTPS (and (eq .Values.proxy.https.type "letsencrypt") .Values.proxy.https.hosts) -}}
-{{- $offloadHTTPS := and $HTTPS (eq .Values.proxy.https.type "offload") -}}
-{{- $manualHTTPS := and $HTTPS (eq .Values.proxy.https.type "manual") -}}
-{{- $manualHTTPSwithsecret := and $HTTPS (eq .Values.proxy.https.type "secret") -}}
+{{- $enabled := .Values.proxy.https.enabled -}}
+{{- $autoHTTPS := and $enabled (and (eq .Values.proxy.https.type "letsencrypt") .Values.proxy.https.hosts) -}}
+{{- $manualHTTPS := and $enabled (eq .Values.proxy.https.type "manual") -}}
+{{- $manualHTTPSwithsecret := and $enabled (eq .Values.proxy.https.type "secret") -}}
+{{- $offloadHTTPS := and $enabled (eq .Values.proxy.https.type "offload") -}}
+{{- $valid := or $autoHTTPS (or $manualHTTPS (or $manualHTTPSwithsecret $offloadHTTPS)) -}}
+{{- $HTTPS := and $enabled $valid  -}}
 apiVersion: v1
 kind: Service
 metadata:
@@ -43,6 +45,9 @@ spec:
     {{- if $HTTPS }}
     - name: https
       port: 443
+      # When HTTPS termination is handled outside our helm chart, pass traffic
+      # coming in via this Service's port 443 to targeted pod's port meant for
+      # HTTP traffic.
       {{- if $offloadHTTPS }}
       targetPort: http
       {{- else }}

diff --git a/jupyterhub/values.yaml b/jupyterhub/values.yaml
@@ -186,7 +186,7 @@ proxy:
     enabled: true
     minAvailable: 1
   https:
-    enabled: true
+    enabled: false
     type: letsencrypt
     #type: letsencrypt, manual, offload, secret
     letsencrypt: