Deploy Pachyderm with TLS (SSL, HTTPS)

Learn how to deploy a Pachyderm cluster with Transport Layer Security (TLS).

March 22, 2023

Obtain A Certificate And Enable TLS

You can deploy your Pachyderm cluster with Transport Layer Security (TLS) enabled to encrypt browser connections and transactions, using a trusted certificate and a private key.

Before you can enable TLS:

Optionally, you can install cert-manager on your cluster to simplify obtaining (no Certificate Signing Requests needed), renewing, and using certificates. In particular, you can use cert-manager to:

Once your TLS secret is created:

Example

In this example, you terminate TLS at the cluster level by enabling TLS directly on pachd:

    pachd:
      tls:
        enabled: true
        secretName: "<the-secret-name-in-your-certificate-resource>"

Et voila!


When using self-signed certificates or a custom certificate authority, you will need to set global.customCaCerts to true to add Pachyderm’s certificate and CA to the list of trusted authorities for Console and Enterprise Server, allowing Pachyderm components (pachd, Console, Enterprise Server) to communicate over SSL.

If you are using a custom CA-signed certificate, you must include the full certificate chain in the root.crt file.
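A pre-flight check for the two requirements above, as an added example that is not part of the Pachyderm documentation: it confirms that a root.crt bundle carries the full chain for the server certificate and that the private key belongs to that certificate. It requires the openssl CLI; the function names, the tls.crt/tls.key file names and the CN values are assumptions, and the certificates are constructed on the fly.

```shell
#!/bin/sh
# Added example: function names, tls.crt/tls.key file names and all CN values
# are assumptions for illustration; the certificates are constructed test data.

# Exit 0 only if LEAF chains to a self-signed root using the certificates in
# BUNDLE (the default system CA directory is excluded with -no-CApath).
chain_is_complete() {  # usage: chain_is_complete BUNDLE LEAF
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Exit 0 only if the private key and the certificate hold the same public key.
key_matches_cert() {  # usage: key_matches_cert KEY CERT
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Build a constructed root -> intermediate -> leaf chain in directory $1.
make_constructed_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -days 1 -out "$d/int.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=pachd.example.test" \
        -keyout "$d/tls.key" -out "$d/tls.csr" 2>/dev/null
    openssl x509 -req -in "$d/tls.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 1 -out "$d/tls.crt" 2>/dev/null
}

# Demo on the constructed chain.
tmp=$(mktemp -d)
make_constructed_chain "$tmp"
cat "$tmp/int.pem" "$tmp/root.pem" > "$tmp/root.crt"   # intermediate + root
chain_is_complete "$tmp/root.crt" "$tmp/tls.crt" && echo "root.crt: full chain"
chain_is_complete "$tmp/root.pem" "$tmp/tls.crt" || echo "root only: incomplete"
key_matches_cert "$tmp/tls.key" "$tmp/tls.crt" && echo "key matches certificate"
```

A bundle that omits the intermediate fails the check even though the root is present, which is the failure the full-chain requirement guards against.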


We are now shipping Pachyderm with an embedded proxy allowing your cluster to expose one single port externally. This deployment setup is optional.

If you choose to deploy Pachyderm with a proxy (see the deployment instructions and new recommended architecture), TLS is configured in the proxy section of your values.yaml only (i.e., TLS terminates inside the proxy).

The setup of TLS at the proxy level is intended for the case where the proxy is exposed directly to the Internet.

    proxy:
      tls:
        enabled: true
        secretName: "<the-secret-name-in-your-certificate-resource>"

Connect to Pachyderm Via SSL

After you deploy Pachyderm, to connect through pachctl by using a trusted certificate, you will need to set the pachd_address in the Pachyderm context with the cluster IP address that starts with grpcs://. You can do so by running the following command:

Example

echo '{"pachd_address": "grpcs://<cluster-ip>:30650"}' | pachctl config set context "grpcs-context" --overwrite && pachctl config set active-context "grpcs-context"

Attention proxy users, your port number is now 443.

echo '{"pachd_address": "grpcs://<external-IP-address-or-domain-name>:443"}' | pachctl config set context "grpcs-context" --overwrite
pachctl config set active-context "grpcs-context"