Pachyderm Docs: Setup Ingress with Traefik

Before completing the following steps, read the Infrastructure Recommendation page.

⚠️

We are now shipping Pachyderm with an embedded proxy allowing your cluster to expose one single port externally. This deployment setup is optional.

If you choose to deploy Pachyderm with a Proxy, our new recommended architecture and deployment instructions overwrite the following instructions.

This section provides an example of how to route cluster-external HTTP/HTTPS requests to cluster-internal services (here Pachyderm UI console service and authentication services using the ingress controller Traefik.

Traefik ingress controller on Pachyderm UI’s cluster in one diagram #

Here is a quick high-level view of the various components at play.

pach-ui-ingress

⚠️

The following installation steps are for Informational Purposes ONLY. Please refer to your full Traefik documentation for further installation details and any troubleshooting advice.

Traefik installation and Ingress resource Definition #

Helm install Traefik:
- Get Repo Info
```
helm repo add traefik https://helm.traefik.io/traefik
```
```
helm repo update
```
- Install the Traefik helm chart (helm v3)
```
helm install traefik traefik/traefik
```
- Run a quick check:
```
kubectl get all 
```
You should see your Traefik pod, service, deployments.apps, and replicaset.app.
You can now access your Traefik Dashboard at http://127.0.0.1:9000/dashboard/ following the port-forward instructions (You can choose to apply your own Ingress resource instead.):
```
kubectl port-forward $(kubectl get pods --selector "app.kubernetes.io/name=traefik" --output=name) 9000:9000
```
Configure the Ingress in the helm chart. You will need to configure any specific annotations your ingress controller requires.
- my_pachyderm_values.yaml
```
ingress:
  enabled: false
  annotations:
     kubernetes.io/ingress.class: "traefik"
     traefik.ingress.kubernetes.io/router.tls: "true"
  host: "<your_domain_name>"
```
  For a list of all available annotations, read the Traefik & Kubernetes documentation.
  At a minimum, you will need to specify the host field: match the hostname header of the http request (domain).
  Check the list of all available helm values at your disposal in our reference documentation.

Install Pachyderm and Console using the Helm Chart

Once you have your networking infrastructure set up, apply a helm values file such as the one specified in the example file below to wire up routing through an Ingress, and set up TLS.

ingress:
   enabled: true
   host: <DNS-ENTRY-A>
   annotations:
      ## annotations specific to integrate with your ingress-controller
      traefik.ingress.kubernetes.io/router.tls: "true"
      kubernetes.io/ingress.class: "traefik"
   tls:
      enabled: true
      secretName: "pach-tls"
pachd:
   tls:
      enabled: true
      secretName: "pach-tls"
   externalService:
      enabled: true
      loadBalancerIP: <DNS-ENTRY-B>
console:
   enabled: true

helm install pachyderm -f my_pachyderm_values.yaml pach/pachyderm

The deployment of Pachyderm automatically creates the required set of rules.

Check your new rules by running kubectl describe ingress console: s kubectl describe ingress console Name: console Namespace: default Address: Default backend: default-http-backend:80 Rules: Host Path Backends console.localhost / console:console-http (10.1.0.7:4000) Annotations: kubernetes.io/ingress.class: traefik /dex pachd:identity-port (10.1.0.8:1658) Annotations: kubernetes.io/ingress.class: traefik / pachd:oidc-port (10.1.0.8:1657) Annotations: kubernetes.io/ingress.class: traefik Events: <none>
Check the Traefik Dashboard again (http://127.0.0.1:9000/dashboard/), your new set of rules should now be visible.

Browse #

Connect to your Console (Pachyderm UI): https://<external-IP-address-or-domain-name>:443/ (if TLS is enabled) or http://<external-IP-address-or-domain-name>:80/. You are all set!

References #

Traefik documentation.