Commit c483539

committed
tmp
1 parent a594a53 commit c483539

5 files changed

+195
-1
lines changed

proxy-example/dc

Lines changed: 2 additions & 0 deletions
@@ -0,0 +1,2 @@
1+
#!/usr/bin/env bash
2+
exec docker compose -f letsencrypt/docker-compose.yml "$@"
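Review bot: the `-f letsencrypt/docker-compose.yml` path on line 2 is relative to the caller's working directory, so the wrapper only works when it is invoked from inside `proxy-example/`. Resolve the path against the script's own location, for example with `cd "$(dirname "$0")"` before the `exec`, and add a one-line comment saying what `dc` is for.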

proxy-example/docker-compose.yml

Lines changed: 1 addition & 1 deletion
@@ -17,7 +17,7 @@ services:
1717
- "./jupyterhub_config.py:/srv/jupyterhub/jupyterhub_config.py:ro"
1818
# Bind Docker socket on the host so we can connect to the daemon from
1919
# within the container
20-
- "/var/run/docker.sock:/var/run/docker.sock:rw"
20+
# "/var/run/docker.sock:/var/run/docker.sock:rw"
2121
# Bind Docker volume on host for JupyterHub database and cookie secrets
2222
- "jupyterhub-data:/data"
2323
ports:
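Review bot: line 20 comments out the Docker socket mount but leaves the two comment lines above it describing a bind that no longer happens, and the commit message (`tmp`) gives no reason. If the hub no longer needs the daemon, delete lines 18-20 together. If it does, the hub can no longer reach the daemon after this change, and because a read-write bind of `/var/run/docker.sock` hands the container control of the host's Docker daemon, restoring it should come with a comment explaining why that access is required.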

proxy-example/letsencrypt/README.md

Lines changed: 70 additions & 0 deletions
@@ -0,0 +1,70 @@
1+
# Let's Encrypt
2+
3+
copied from: https://github.com/mtnygard/jupyterhub-deploy-docker/blob/master/Dockerfile.jupyterhub
4+
5+
This example includes a Docker Compose configuration file that you can
6+
use to deploy [JupyterHub](https://github.com/jupyter/jupyterhub) with
7+
TLS certificate and key files generated by [Let's Encrypt](https://letsencrypt.org).
8+
9+
The `docker-compose.yml` configuration file in this example extends the
10+
JupyterHub service defined in the `docker-compose.yml` file in the root
11+
directory of this repository.
12+
13+
When you run the JupyterHub Docker container using the configuration
14+
file in this directory, Docker mounts an additional volume containing
15+
the Let's Encrypt TLS certificate and key files, and overrides the
16+
`SSL_CERT` and `SSL_KEY` environment variables to point to these files.
17+
18+
## Create a secrets volume
19+
20+
This example stores the Let's Encrypt TLS certificate and key files in
21+
a Docker volume, and mounts the volume to the JupyterHub container at
22+
runtime.
23+
24+
Create a volume to store the certificate and key files.
25+
26+
```
27+
# Activate Docker machine where JupyterHub will run
28+
eval "$(docker-machine env jupyterhub)"
29+
30+
docker volume create --name jupyterhub-secrets
31+
```
32+
33+
## Generate Let's Encrypt certificate and key
34+
35+
Run the `letsencrypt.sh` script to create a TLS full-chain certificate
36+
and key.
37+
38+
The script downloads and runs the `letsencrypt` Docker image to create a
39+
full-chain certificate and private key, and stores the files in a Docker
40+
volume. You must provide a valid, routable, fully-qualified domain name (you
41+
must own it), and you must activate the Docker machine host that the domain
42+
points to before you run this script. You must also provide a valid email
43+
address and the name of the volume you created above.
44+
45+
_Notes:_ The script hard codes several `letsencrypt` options, one of which
46+
automatically agrees to the Let's Encrypt Terms of Service.
47+
48+
```
49+
# Activate Docker machine where JupyterHub will run
50+
eval "$(docker-machine env jupyterhub)"
51+
52+
./letsencrypt.sh \
53+
--domain myhost.mydomain \
54+
--email me@mydomain \
55+
--volume jupyterhub-secrets
56+
```
57+
58+
## Run JupyterHub container
59+
60+
To run the JupyterHub container using the Let's Encrypt certificate and key,
61+
set the `SECRETS_VOLUME` environment variable to the name of the Docker volume
62+
containing the certificate and key files, and run `docker-compose` **from the
63+
root directory** of this repository while specifying the `docker-compose.yml`
64+
configuration in this directory:
65+
66+
```
67+
export SECRETS_VOLUME=jupyterhub-secrets
68+
69+
docker-compose -f examples/letsencrypt/docker-compose.yml up -d
70+
```
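Review bot: the run instructions on lines 60-69 tell the reader to work from the repository root with `-f examples/letsencrypt/docker-compose.yml`, but this README is added under `proxy-example/letsencrypt/` and the `dc` wrapper in the same commit uses `letsencrypt/docker-compose.yml`, so the documented command does not match the tree. Update the path and working directory, mention that the compose file also expects `DATA_VOLUME_HOST` to be set, and check the `copied from:` link on line 3, which points at `Dockerfile.jupyterhub` rather than at a README.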
Lines changed: 38 additions & 0 deletions
@@ -0,0 +1,38 @@
1+
# Copyright (c) Jupyter Development Team.
2+
# Distributed under the terms of the Modified BSD License.
3+
4+
# JupyterHub docker-compose configuration that uses Let's Encrypt TLS
5+
# certificate and key.
6+
7+
# Extends the JupyterHub configuration in the root directory of this repository.
8+
# Mounts an additional secrets volume that stores the Let's Encrypt TLS
9+
# certificate and key files, and overrides the `SSL_CERT` and `SSL_KEY`
10+
# environment variables to point to these files.
11+
12+
version: "2"
13+
14+
services:
15+
hub:
16+
extends: # hub service in repository root directory
17+
file: ../docker-compose.yml
18+
service: hub
19+
volumes:
20+
- "secrets:/etc/letsencrypt"
21+
environment:
22+
SSL_KEY: "/etc/letsencrypt/privkey.pem"
23+
SSL_CERT: "/etc/letsencrypt/cert.pem"
24+
25+
# Explicitly declare volume and network dependencies
26+
# (they cannot be extended)
27+
volumes:
28+
data:
29+
external:
30+
name: ${DATA_VOLUME_HOST}
31+
secrets:
32+
external:
33+
name: ${SECRETS_VOLUME}
34+
35+
networks:
36+
default:
37+
external:
38+
name: jupyterhub-network
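Review bot: `SSL_CERT` on line 23 points at `cert.pem`, while the README added in this commit says the script produces a full-chain certificate. `cert.pem` holds only the leaf certificate, so clients that do not already have the intermediate will fail chain validation. Point it at `/etc/letsencrypt/fullchain.pem`, and mount the volume read-only on line 20 (`"secrets:/etc/letsencrypt:ro"`), since the hub only needs to read the key and certificate.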
Lines changed: 84 additions & 0 deletions
@@ -0,0 +1,84 @@
1+
#!/bin/bash
2+
# Copyright (c) Jupyter Development Team.
3+
# Distributed under the terms of the Modified BSD License.
4+
5+
# Wrapper script that runs https://letsencrypt.org Docker container to generate
6+
# a certificate for a single domain and store it in a Docker volume.
7+
8+
set -e
9+
10+
USAGE="
11+
Usage: `basename $0` --domain FQDN --email EMAIL --volume SECRETS_VOLUME
12+
[--staging]
13+
"
14+
15+
while [[ $# > 0 ]]
16+
do
17+
key="$1"
18+
case $key in
19+
--domain)
20+
FQDN="$2"
21+
shift # past argument
22+
;;
23+
--email)
24+
EMAIL="$2"
25+
shift # past argument
26+
;;
27+
--volume)
28+
SECRETS_VOLUME="$2"
29+
shift # past argument
30+
;;
31+
--staging)
32+
CERT_SERVER=--staging
33+
;;
34+
*) # unknown option
35+
;;
36+
esac
37+
shift # past argument or value
38+
done
39+
40+
if [ -z "${FQDN:+x}" ]; then
41+
echo "ERROR: Must provide --domain option or set FQDN environment varable"
42+
echo "$USAGE" && exit 1
43+
fi
44+
45+
if [ -z "${EMAIL:+x}" ]; then
46+
echo "ERROR: Must provide --email option set EMAIL environment varable"
47+
echo "$USAGE" && exit 1
48+
fi
49+
50+
if [ -z "${SECRETS_VOLUME:+x}" ]; then
51+
echo "ERROR: Must provide --volume option or set SECRETS_VOLUME environment varable"
52+
echo "$USAGE" && exit 1
53+
fi
54+
55+
# letsencrypt certificate server type (default is production).
56+
# Set `CERT_SERVER=--staging` for staging.
57+
: ${CERT_SERVER=''}
58+
59+
# Generate the cert and save it to the Docker volume
60+
docker run --rm -it \
61+
-p 80:80 \
62+
-v $SECRETS_VOLUME:/etc/letsencrypt \
63+
quay.io/letsencrypt/letsencrypt:latest \
64+
certonly \
65+
--non-interactive \
66+
--keep-until-expiring \
67+
--standalone \
68+
--standalone-supported-challenges http-01 \
69+
--agree-tos \
70+
--force-renewal \
71+
--domain "$FQDN" \
72+
--email "$EMAIL" \
73+
$CERT_SERVER
74+
75+
# Set permissions so nobody can read the cert and key.
76+
# Also symlink the certs into the root of the /etc/letsencrypt
77+
# directory so that the FQDN doesn't have to be known later.
78+
docker run --rm -it \
79+
-v $SECRETS_VOLUME:/etc/letsencrypt \
80+
--entrypoint=/bin/bash \
81+
quay.io/letsencrypt/letsencrypt:latest \
82+
-c "find /etc/letsencrypt/* -maxdepth 1 -type l -delete && \
83+
ln -s /etc/letsencrypt/live/$FQDN/* /etc/letsencrypt/ && \
84+
find /etc/letsencrypt -type d -exec chmod 755 {} +"
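Review bot: the comment on line 75 says permissions are set so nobody can read the cert and key, but line 84 runs `chmod 755` on every directory in the volume, which makes them traversable by every user in any container that mounts it. Use a restrictive mode such as `700` (with ownership matching the hub's user) or correct the comment to say what is intended. In the same block, `$FQDN` is expanded into the `bash -c` string on line 83 and `$SECRETS_VOLUME` is unquoted on lines 62 and 79, so a value containing spaces or shell metacharacters changes the command that runs: quote both and validate the domain before use. Smaller points: `--keep-until-expiring` (line 66) and `--force-renewal` (line 70) contradict each other, unknown options are silently dropped at line 34, `[[ $# > 0 ]]` on line 15 is a string comparison where `-gt` is meant, and the `:latest` image tag on lines 63 and 81 is unpinned.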
