How to set up SSL with a binderhub?

SSL for binderhub

1. Install cert-manager using steps in https://docs.cert-manager.io/en/latest/getting-started/install/kubernetes.html#steps

# Install the CustomResourceDefinition resources separately
kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.8/deploy/manifests/00-crds.yaml

# Create the namespace for cert-manager
kubectl create namespace cert-manager

# Label the cert-manager namespace to disable resource validation
kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true

# Add the Jetstack Helm repository
helm repo add jetstack https://charts.jetstack.io

# Update your local Helm chart repository cache
helm repo update

# Install the cert-manager Helm chart
helm install \
  --name cert-manager \
  --namespace cert-manager \
  --version v0.8.1 \
  jetstack/cert-manager

1. Create binderhub-issuer.yaml

apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: letsencrypt-production
  namespace: <binderhub-namespace>
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: <email-address>
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource used to store the account's private key.
      name: letsencrypt-production
    http01: {}

1. Apply issuer with kubectl

kubectl apply -f binderhub-issuer.yaml

1. Install nginx-ingress controller

helm install stable/nginx-ingress --name quickstart

1. Point your domain to the loadbalancer IP of the nginx-ingress controller

# This shows you the external IP to point to
kubectl get service quickstart

1. Append ingress object on top level indentation in your config.yaml

config:
  BinderHub:
    use_registry: true
    image_prefix: <dockerhub prefix>
    hub_url: <jupyterhub-url>
    
ingress:
  enabled: true
  hosts:
    - <domain-name>
  annotations: 
    ingress.kubernetes.io/ssl-redirect: "true"
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
    certmanager.k8s.io/issuer: letsencrypt-production
  https:
    enabled: true
    type: nginx
  tls:
    - secretName: <domain-name>-tls
      hosts: 
        - <domain-name>

1. Perform helm upgrade to enable ingress:

helm upgrade binderhub jupyterhub/binderhub --version=0.2.0-3b53fce  -f secret.yaml -f config.yaml

1. Have a cup of coffee and try accessing your binderhub domain via https in about 10 minutes (SSL won’t work right away).

Tested with AWS EKS and DigitalOcean

Hey @amn41 and @betatim I managed to make my SSL configuration work. I think our approaches are similar. What I did was use ingress-nginx as the ingress controller then I used cert-manager as the SSL cert generator. I also pointed my domain to the load balancer that ingress-nginx deploys after the helm install so that it’ll route appropriately to the ingress. Just need to replicate and check it one more time before I share the solution here and maybe in the forum 😃