TLS (SSL, HTTPS)
Secure internet browser connections and transactions via data encryption by deploying Pachyderm with Transport Layer Security (TLS). Once set up, users can access Pachyderm through a secure HTTPS connection (e.g., https://console.yourdomain.com
)
Before You Start #
- You must have admin control over the domain you wish to use
- You must have already set up a subdomain for your Pachyderm cluster (e.g.,
console.yourdomain.com
) - You must have added the subdomain to the
proxy.host
value in your Helmvalues.yaml
file
About DNS Records #
You will need to access your domain’s DNS records to complete the setup. For example, if you are deploying Pachyderm in GCP, you will need to navigate to the Networking section of your GCP project. If your domain is registered with a third-party provider (e.g., Cloudflare), you will also need to log in to your account with that provider as well to register the subdomain with an NS
record that matches the values of your subdomain’s NS
record in GCP.
The following guide assumes that you already have the following DNS records set up for your subdomain:
Record Type | Example DNS Name | Value |
---|---|---|
A |
console.yourdomain.com. |
<pachyderm.proxy.external.ip> |
NS |
console.yourdomain.com. |
auto generated; do not edit |
SOA |
console.yourdomain.com. |
auto generated; do not edit |
How to Deploy with TLS Enabled #
At a high level, you need to do all of the following to enable TLS:
- Create a signed certificate (obtainable from any CA, such as Let’s Encrypt, HashiCorp Vault, or Venafi).
- Create a Kubernetes secret with the certificate.
- Configure the TLS section of your Helm
values.yaml
file by enabling TLS and specifying the secret name. - Upgrade your Cluster.
- Connect using
pachctl connect grpcs://<your.proxy.host.value>:443
.
.crt
must include the full certificate chain (root, intermediates, and leaf). You must also set global.customCaCerts
to true
in the Helm values.yaml
file.Via certbot (Let’s Encrypt) #
The following steps are just one example of how to obtain a signed certificate from Let’s Encrypt.
-
Install certbot.
-
Run the following command (replace
<your@email.address>
and<your.proxy.host.value>
):certbot certonly --manual -v \ --preferred-challenges=dns \ --email <your@email.address> \ --server https://acme-v02.api.letsencrypt.org/directory \ --agree-tos \ --manual-public-ip-logging-ok \ -d <your.proxy.host.value>
You will be asked to fill out some identifying information. When prompted, create a TXT record with your DNS provider. The TXT record will look something like this:
_acme-challenge.<your.proxy.host.value>. IN TXT "<random-string>"
Once you have created the TXT record, press
Enter
to continue in the terminal. If the TXT record is not created and accessible, the command will fail. -
Create a secret (replace
<your.proxy.host.value>
):kubectl create secret tls pachyderm-tls-secret-001 \ --cert /etc/letsencrypt/live/<your.proxy.host.value>/fullchain.pem \ --key /etc/letsencrypt/live/<your.proxy.host.value>/privkey.pem \ --dry-run=client \ --output=yaml > pachyderm-tls-secret-001.yaml
-
Apply the secret:
kubectl apply -f pachyderm-tls-secret-001.yaml
-
Configure the TLS section of your Helm values.yaml file by enabling TLS and specifying the secret name:
tls: enabled: true secretName: pachyderm-tls-secret-001
-
Upgrade your Helm chart:
helm upgrade pachyderm pachyderm/pachyderm -f values.yaml
-
Connect to Pachyderm via SSL:
pachctl connect grpcs://<your.proxy.host.value>:443
That’s it! You can now consider setting up Authentication to take advantage of our Authorization (RBAC) system.
Troubleshooting #
Can’t Connect to Console Through Subdomain #
It’s possible that the external IP address of your cluster has changed during a Helm upgrade. To check, run the following command:
kubectl get service pachyderm-proxy -o wide | grep pachyderm-proxy | awk '{print $4}'
If that IP address does not match the IP address found in your A
DNS record, you will need to update your DNS records to point to the new IP address.