
Deploy Pachyderm with TLS (SSL, HTTPS)

Obtain A Certificate And Enable TLS

You can deploy your Pachyderm cluster with Transport Layer Security (TLS) enabled to secure internet browser connections and transactions through data encryption by means of a trusted certificate and a private key.

Before you can enable TLS:

  • Obtain a certificate from a trusted Certificate Authority such as Let's Encrypt, HashiCorp Vault, Venafi...
  • Create a tls secret (kubectl create secret tls <name> --key=tls.key --cert=tls.cert) with the "tls.key" and "tls.crt" keys containing the PEM-encoded private key and certificate material.

Optionally, you can install cert-manager on your cluster to simplify the process of obtaining (no Certificate Signing Requests needed), renewing, and using certificates. In particular, you can use cert-manager to:

  • Talk to a certificate issuer: cert-manager comes with a number of built-in certificate issuers. You can also install external issuers in addition to the built-in types.

  • Obtain your certificate:

    You can verify that the certificate is issued correctly by running the following command:

    kubectl get certificate

    You should see the certificate with a status of Ready in the output.

  • Create the backing tls secret holding your Certificate and private key automatically.

Once your tls secret is created:

  • Enable tls in your helm values.
  • Reference this certificate object in your helm chart by setting your tls secret name in the proper tls section. (For cert-manager users, the secret name should match the name set in your certificate resource.)


In this example, you terminate tls at the cluster level by enabling tls directly on pachd:

    pachd:
      tls:
        enabled: true
        secretName: "<the-secret-name-in-your-certificate-resource>"

Et voila!


When using self-signed certificates or a custom certificate authority, you will need to set global.customCaCerts to true to add Pachyderm's certificate and CA to the list of trusted authorities for console and enterprise, allowing Pachyderm components (pachd, Console, Enterprise Server) to communicate over SSL.

If you are using a custom CA-signed certificate, you must include the full certificate chain in the root.crt file.
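The cert-manager path described above, shown end to end as an added example (it is not taken from the Pachyderm documentation or chart): a Certificate resource and the Helm values that reference the secret it creates. The names pachd-tls and my-issuer, the namespace, the DNS name and the IP address are constructed placeholders, and an Issuer is assumed to exist already.

```yaml
# certificate.yaml: cert-manager Certificate (all names are placeholders)
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: pachd-tls
  namespace: pachyderm          # assumed: the namespace of your Pachyderm release
spec:
  secretName: pachd-tls         # cert-manager writes tls.crt and tls.key into this secret
  dnsNames:
    - pachd.example.com         # the host name clients will put in pachd_address
  ipAddresses:
    - 203.0.113.10              # needed only if clients connect by IP (grpcs://<cluster-ip>:30650)
  issuerRef:
    name: my-issuer             # assumed: an Issuer you have already configured
    kind: Issuer
---
# values.yaml: Helm values for the Pachyderm chart
pachd:
  tls:
    enabled: true
    secretName: pachd-tls       # must equal spec.secretName of the Certificate above
global:
  customCaCerts: true           # set only for self-signed or custom-CA certificates
```

Clients verify the certificate against the host or IP they dial, so the address used in pachd_address has to appear in dnsNames or ipAddresses.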

Connect to Pachyderm via Proxy Server

If you use Kubernetes cluster-wide proxies to control outbound access, use the following attributes to propagate your required settings:

  • global.proxy: Sets the HTTP/S proxy server address for Console, PachD, and Enterprise Server.
  • global.noProxy: Defines a comma-separated list of destinations that bypass the proxy if global.proxy is being used.

Connect to Pachyderm Via SSL

After you deploy Pachyderm, to connect through pachctl by using a trusted certificate, you will need to set the pachd_address in the Pachyderm context with the cluster IP address that starts with grpcs://. You can do so by running the following command:


echo '{"pachd_address": "grpcs://<cluster-ip>:30650"}' | pachctl config set context "grpcs-context" --overwrite && pachctl config set active-context "grpcs-context"

Last update: August 3, 2022