Exposing Dask Gateway, Scheduler and TLS Termination on AWS

Hello all,

I’ve successfully deployed dask-gateway in an EKS cluster with no public IP. I would like to make the schedulers available to a cluster of JupyterLabs running outside the EKS cluster (not JupyterHub). I can connect to the services / clusters / etc. using kubectl.

Even though I’m in private subnets, I would still like to encrypt the traffic.

AFAIK, without TLS, when distributed.Client connects to a scheduler instantiated by dask-gateway, it does so by creating an SSL socket with the tls_cert and tls_key to the same load balancer in front of the service (is this right?), where the key and cert are provided by the ClusterReport object when the gateway connects. I understand this is “mTLS”, right?

If I put in a TLS-terminating load balancer, will the connection between Client and Scheduler still work? Do I have to take anything else into consideration? Should I expose any other port? Has anyone exposed the scheduler over TLS without problems? How?



                                       ┌────────────────┐
                                       │EKS             │
                                       │  ┌──────────┐  │
                                       │  │scheduler │  │
                                       │  └──────────┘  │
                                       │      ▲ 8786    │
                                       │      │         │
                                       │      │         │
                      ┌─────────┐      │      │         │
   ┌─────────┐        │         │      │      │         │
   │         │        │         │      │      │         │
   │ Client  ├───────►│ Load    │      │    ┌─┴─────┐   │
   │         │    443?│ Balancer├──────┼───►│traefik│   │
   └─────────┘        │         │      │    └───────┘   │
                      └─────────┘      │                │
                                       └────────────────┘

Hope my question makes sense.