use a proxy instead of ssh to reach user notebooks

Currently we have to create a ssh-tunnel to reach the remote user notebook.

We should add a feature, to make the user notebooks reachable from the outside world (or at least the source ip of JupyterHub).

Challenges:

• user notebooks are running with their own internal certificate.
• JupyterHub uses a client certificate to connect to it. Thus a https proxy (like ingress nginx) in front of the user-notebook will most-likely not work.

Current working theory:

• Maybe it will work if we create an ingress resource for the user notebook, using the internal certificate as tls source Challenges:
  • the DNS name of the user-notebook must be part of c.JupyterHub.ssl_alt_names(?) during start of central JupyterHub
  • Can we simply create a tls secret, usable by ingress, from the given certificate?
  • How do we handle user notebooks without internal ssl? Option to use lets encrypt certificate instead?
  • Does ingress-nginx support https backend out of the box?