Deploy Pachyderm with TLS¶
You can deploy your Pachyderm cluster with Transport Layer Security (TLS) enabled to ensure your cluster communications are protected from external attackers, and all the communication parties are verified by means of a trusted certificate and a private key. For many organizations, TLS is a security requirement that ensures integrity of their data. Before you can enable TLS, you need to obtain a certificate from a trusted CA, such as Let's Encrypt, Cloudflare, or other. You can enable TLS during the deployment of your Pachyderm cluster by configuring it in your helm values. You can either provide an existing secret with your certificate, or supply your certificate and key and helm will create the secret for you.
pachd:
tls:
enabled: true
secretName: ""
newSecret:
create: false
crt: ""
key: ""
Note
When using self signed certificates or custom certificate authority, you will need to set global.customCaCerts
to true to add Pachyderm's certificate and CA to the list of trusted authorities for console and enterprise, allowing Pachyderm components (pachd, Console, enterprise server) to communicate over SSL.
If you are using a custom ca-signed cert, you must include the full certificate chain in the root.crt file.
After you deploy Pachyderm, to connect through pachctl
by using a trusted certificate, you need to configure the pachd_address
in the Pachyderm context with the cluster IP address that starts with grpcs://
. You can do so by running the following command:
Example
echo '{"pachd_address": "grpcs://<cluster-ip:30650"}' | pachctl config set context "local-grpcs" --overwrite && pachctl config set active-context "local-grpcs"
See Also: