
Determine TLS termination
Open, High, Public

Description

Dropping the Horizon web proxies and going for @GTirloni's proposed nginx balancing means PAWS has to handle its own TLS termination and certificate handling.

There are a couple of choices; this task is to figure out how to configure them and determine if we will keep the PAWS (zero-to-jupyterhub-k8s 0.8.0) choices or deviate from them.

At the very least we will need TLS termination up to the proxy pod and to the deploy-hook pod.

Event Timeline

Restricted Application added a subscriber: Aklapper. · Mar 12 2019, 9:01 PM
Chicocvenancio triaged this task as High priority. · Mar 13 2019, 7:53 PM
bd808 added a comment. · Mar 14 2019, 5:49 AM

One short-term option could be to continue to use the shared Cloud VPS proxy for TLS termination. We can add a custom vhost in the existing nginx config, or we can double proxy by putting the needed nginx config on another VM and pointing the standard proxy at that instance.

Longer term, we will need to figure out a similar set of questions for the Toolforge cluster, which I think should allow us to find a shared solution, at least as far as TLS termination goes.

GTirloni removed a subscriber: GTirloni. · Mar 21 2019, 9:06 PM