batchspawner.SlurmSpawner + internal SSL

Hi all,
I am looking to add a JupyterHub frontend to our HPC cluster running Slurm. I got a test hub set up and working fine. I would very much like to set up SSL for the connection between the JupyterHub proxy and the Jupyter notebooks, since the notebooks are running on multi-user compute nodes. Reading through the PRs, it looks like running a self-signed CA using the internal SSL flag is not (yet?) supported by the SlurmSpawner. Is there a best practice document for using a JupyterHub frontend to an HPC cluster? Anything else that can be done to secure the connection between the hub and the notebooks?

Hey there,

Of course you can configure internal TLS for SlurmSpawner as well. The only thing is that you will have to create a certificate that is valid for all login/compute nodes of your SLURM cluster where single user servers will run. Basically you have to add hostnames to c.JupyterHub.trusted_alt_names config.

For instance, if all your compute nodes have an internal domain, say cluster.internal, i.e., if your compute nodes can be resolved using compute-0.cluster.internal, compute-1.cluster.internal, etc., you can simply add a wildcard Subject Alternative Name (SAN) in the certificate. In that case your config will be c.JupyterHub.trusted_alt_names = ["*.cluster.internal"]. If that is not the case, you will need to add names of all compute nodes explicitly.

Check the Ansible playbook that does this config.
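
A way to check the wildcard approach described in the reply above before issuing certificates, as an added example that is not part of the original posts or of JupyterHub/batchspawner. It assumes the usual TLS hostname-matching rule (a `*` stands for exactly one leftmost DNS label); the node names, other than the two from the reply, and the function names are constructed for illustration.

```python
"""Find compute nodes that a wildcard SAN pattern would NOT cover."""


def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if `hostname` is covered by the SAN `pattern`.

    Only a '*' that is the entire leftmost label is treated as a wildcard,
    and it matches exactly one label (it never spans a dot).
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # different label count: a wildcard cannot bridge it
    if p[0] == "*":
        return len(p) > 1 and h[0] != "" and p[1:] == h[1:]
    return p == h


def uncovered(hostnames, patterns):
    """Hostnames that no pattern covers, in input order."""
    return [h for h in hostnames if not any(san_matches(p, h) for p in patterns)]


def alt_names_for(hostnames, patterns):
    """The patterns plus an explicit entry for every node they miss."""
    return list(patterns) + uncovered(hostnames, patterns)


# Constructed sample node list; on a real cluster this could be the output
# of `sinfo -N -h -o "%N"`, using the names the hub actually connects to.
NODES = [
    "compute-0.cluster.internal",
    "compute-1.cluster.internal",
    "gpu-0.rack2.cluster.internal",  # extra label: '*' does not span it
    "login-0",                       # short name without the domain
]
PATTERNS = ["*.cluster.internal"]

if __name__ == "__main__":
    for name in uncovered(NODES, PATTERNS):
        print(f"not covered by {PATTERNS}: {name}")
    print("names to list:", alt_names_for(NODES, PATTERNS))
```

Any node reported as not covered falls into the "add names of all compute nodes explicitly" case from the reply.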