Dask: How to Add Security (TLS/SSL) to Dask Cluster?
I resolved the issue. Both the Dask workers and the scheduler need to have the certificate files in the config. Additionally, we need to bake the certificates into the Dockerfile as well. See the full config below:
Dockerfile

FROM daskdev/dask
RUN conda install --yes \
    -c conda-forge \
    python==3.7
ADD certs /certs/
ENTRYPOINT ["tini", "-g", "--", "/usr/bin/prepare.sh"]

Helm Config

worker:
  name: worker
  image:
    repository: "gcr.io/PROJECT_ID/mydask"
    tag: "latest"
  env:
    - name: DASK_DISTRIBUTED__COMM__DEFAULT_SCHEME
      value: "tls"
    - name: DASK_DISTRIBUTED__COMM__REQUIRE_ENCRYPTION
      value: "true"
    - name: DASK_DISTRIBUTED__COMM__TLS__CA_FILE
      value: "certs/myca.pem"
    - name: DASK_DISTRIBUTED__COMM__TLS__SCHEDULER__KEY
      value: "certs/mykey.pem"
    - name: DASK_DISTRIBUTED__COMM__TLS__SCHEDULER__CERT
      value: "certs/myca.pem"
    - name: DASK_DISTRIBUTED__COMM__TLS__WORKER__KEY
      value: "certs/mykey.pem"
    - name: DASK_DISTRIBUTED__COMM__TLS__WORKER__CERT
      value: "certs/myca.pem"
    - name: DASK_DISTRIBUTED__COMM__TLS__CLIENT__KEY
      value: "certs/mykey.pem"
    - name: DASK_DISTRIBUTED__COMM__TLS__CLIENT__CERT
      value: "certs/myca.pem"
scheduler:
  name: scheduler
  image:
    repository: "gcr.io/PROJECT_ID/mydask"
    tag: "latest"
  env:
    - name: DASK_DISTRIBUTED__COMM__DEFAULT_SCHEME
      value: "tls"
    - name: DASK_DISTRIBUTED__COMM__REQUIRE_ENCRYPTION
      value: "true"
    - name: DASK_DISTRIBUTED__COMM__TLS__CA_FILE
      value: "certs/myca.pem"
    - name: DASK_DISTRIBUTED__COMM__TLS__SCHEDULER__KEY
      value: "certs/mykey.pem"
    - name: DASK_DISTRIBUTED__COMM__TLS__SCHEDULER__CERT
      value: "certs/myca.pem"
    - name: DASK_DISTRIBUTED__COMM__TLS__WORKER__KEY
      value: "certs/mykey.pem"
    - name: DASK_DISTRIBUTED__COMM__TLS__WORKER__CERT
      value: "certs/myca.pem"
    - name: DASK_DISTRIBUTED__COMM__TLS__CLIENT__KEY
      value: "certs/mykey.pem"
    - name: DASK_DISTRIBUTED__COMM__TLS__CLIENT__CERT
      value: "certs/myca.pem"
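
A preflight check for the environment variables used in the config above, added here as an example and not part of the original answer or of Dask itself. It can be run inside the worker or scheduler container before the cluster starts; the function name `check_dask_tls_env` is hypothetical, and it assumes relative values such as `certs/myca.pem` are opened relative to the process working directory.

```python
import os
import ssl
import stat

PREFIX = "DASK_DISTRIBUTED__COMM__"
ROLES = ("SCHEDULER", "WORKER", "CLIENT")


def check_dask_tls_env(env=None, cwd=None):
    """Return a list of problems in the Dask TLS environment settings."""
    env = os.environ if env is None else env
    cwd = os.getcwd() if cwd is None else cwd
    problems = []

    if env.get(PREFIX + "DEFAULT_SCHEME") != "tls":
        problems.append("DEFAULT_SCHEME is not 'tls'")
    if env.get(PREFIX + "REQUIRE_ENCRYPTION", "").lower() != "true":
        problems.append("REQUIRE_ENCRYPTION is not 'true'")

    def resolve(name):
        value = env.get(PREFIX + "TLS__" + name)
        if not value:
            problems.append(f"TLS__{name} is not set")
            return None
        # Assumption: a relative value such as "certs/myca.pem" is opened
        # relative to the process working directory.
        path = os.path.join(cwd, value)
        if not os.path.isfile(path):
            problems.append(f"TLS__{name}: {path} does not exist")
            return None
        return path

    resolve("CA_FILE")
    for role in ROLES:
        cert, key = resolve(role + "__CERT"), resolve(role + "__KEY")
        if not (cert and key):
            continue
        if stat.S_IMODE(os.stat(key).st_mode) & 0o077:
            problems.append(f"{role} key {key} is accessible by group/other")
        try:
            # Fails if a file is not valid PEM or the key does not match the cert.
            ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).load_cert_chain(cert, key)
        except (ssl.SSLError, OSError) as exc:
            problems.append(f"{role} cert/key pair unusable: {exc}")
    return problems


if __name__ == "__main__":
    for problem in check_dask_tls_env():
        print("PROBLEM:", problem)
```

An empty result means the scheme and encryption flags are set, every referenced file exists, private keys are not accessible to other users, and each certificate loads together with its key.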