Deploy Pachyderm with TLS
You can deploy your Pachyderm cluster with Transport Layer Security (TLS) enabled so that cluster communications are protected from external attackers and all communicating parties are verified by means of a trusted certificate and a private key. For many organizations, TLS is a security requirement that ensures the integrity of their data.
Before you can enable TLS, you need to obtain a certificate from a trusted CA, such as Let's Encrypt, Cloudflare, or another provider. You can enable TLS during the deployment of your Pachyderm cluster by providing the paths to your CA-issued certificate and your private key with the --tls flag of the pachctl deploy command.
pachctl deploy <platform> --tls "<path/to/cert>,<path/to/key>"
Note
The paths to the certificate and to the key must be specified exactly as shown in the example above — in double quotes, separated by a comma, and without a space.
After you deploy Pachyderm, to connect through pachctl by using a trusted certificate, you need to configure the pachd_address in the Pachyderm context with the cluster IP address that starts with grpcs://. You can do so by running the following command:
Example
echo '{"pachd_address": "grpcs://<cluster-ip>:30650"}' | pachctl config set context "local-grpcs" --overwrite && pachctl config set active-context "local-grpcs"
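A pre-flight check for the steps above, as an added example that is not part of the Pachyderm documentation: it confirms that the certificate and key belong together, that the certificate is not about to expire, and that the paths fit the comma-separated --tls format before anything is deployed. The function names and the 30-day validity threshold are assumptions, and openssl must be installed.

```shell
#!/usr/bin/env bash
# Pre-flight checks before: pachctl deploy <platform> --tls "<cert>,<key>"
# Function names are hypothetical (added example); requires openssl.

# Build the --tls value: two readable paths joined by one comma, no spaces.
tls_flag_value() {
  for p in "$1" "$2"; do
    case $p in
      *,*|*" "*) echo "path breaks the cert,key format: $p" >&2; return 2 ;;
    esac
    [ -r "$p" ] || { echo "not readable: $p" >&2; return 3; }
  done
  printf '%s,%s' "$1" "$2"
}

# Succeed only if the certificate and the private key share a public key.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Run all checks; print the --tls value only if every check passes.
# $3 = minimum remaining validity in days (assumed default: 30).
tls_preflight() {
  value=$(tls_flag_value "$1" "$2") || return $?
  cert_matches_key "$1" "$2" ||
    { echo "certificate and key do not match" >&2; return 4; }
  openssl x509 -in "$1" -noout -checkend $(( ${3:-30} * 86400 )) >/dev/null ||
    { echo "certificate expires within ${3:-30} days" >&2; return 5; }
  printf '%s\n' "$value"
}

# Context JSON for pachctl; the grpcs:// prefix and port 30650 follow the page.
pachd_context_json() {
  printf '{"pachd_address": "grpcs://%s:%s"}' "$1" "${2:-30650}"
}

# Usage: ./tls_preflight.sh cert.pem key.pem [min_days]
if [ "$#" -ge 2 ]; then tls_preflight "$@"; fi
```

The printed value can be passed straight to the flag, for example pachctl deploy <platform> --tls "$(tls_preflight cert.pem key.pem)", and the output of pachd_context_json can be piped into pachctl config set context in place of the hand-written JSON.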