Run Commands


Learn how to deploy a cluster with Transport Layer Security (TLS).

Secure internet browser connections and transactions via data encryption by deploying Pachyderm with Transport Layer Security (TLS).

Before You Start #


You can simplify this process by using a tool like Cert-Manager, which is a certificate controller for Kubernetes that obtains certificates from Issuers, ensures the certificates are valid, and attempts to renew certificates at a configured time before expiry.

You can install Cert-Manager using the following command:

kubectl apply -f

How to Deploy With TLS #

1. Create a TLS Secret #

  1. Open a terminal and navigate to the location of your generated .key and .crt files.
  2. Run the following command:
kubectl create secret tls <name> --key=tls.key --cert=tls.crt
  1. Verify your certificate:
kubectl get certificate

2. Enable TLS in Your Helm Chart Values. #

Reference the certificate object in your helm chart by setting your TLS secret name in the proper TLS section.

Setup Type:

For the Cert Manager users, the secret name should match the name set in your certificate resource.

Self-Signed & Custom Certificates #

When using self signed certificates or custom certificate authority (instead of Lets Encrypt, HashiCorp Vault, or Venafi), you must set global.customCaCerts to true to add Pachyderm’s certificate and CA to the list of trusted authorities for console and enterprise.

If you are using a custom ca-signed cert, you must include the full certificate chain in the root.crt file.

3. Connect to Pachyderm via SSL #

After you deploy Pachyderm, to connect through pachctl by using a trusted certificate, you will need to set the pachd_address in the Pachyderm context with the cluster IP address that starts with grpcs://. You can do so by running the following command:

Setup Type: