Upgrade to Embedded Proxy

Learn how to upgrade your pachd clusters and Enterprise Server to use the embedded proxy, exposing only one external port.

March 24, 2023

Pachyderm ships with an embedded proxy that exposes one external TCP port (:80, or :443 if TLS is enabled) for all access, including gRPC, HTTP/S, the s3 Gateway, OIDC, and Dex. Switching to the embedded proxy improves your deployment’s security posture because the proxy is hardened against malicious traffic and writes extensive audit logs for all requests to Pachyderm.

Before You Start

This guide assumes that:

How to Upgrade to Embedded Proxy

  1. Update your helm values.yaml file to include the following proxy settings:
      proxy:
        enabled: true
        # host can be "http://<Enterprise-server-external-IP-or-DNS>" or the value of proxy.service.type.loadBalancerIP
        host: "http://<Enterprise-server-external-IP-or-DNS>"
        service:
          # type can also be NodePort
          type: LoadBalancer
          # loadBalancerIP can be left blank if you don't know the provisioned IP.
          loadBalancerIP: ""
          # legacyPorts are only needed for compatibility with your existing configuration. This is not needed for a fresh install where proxy is enabled.
          legacyPorts:
            grpc: 30650
            s3gateway: 30650
            oidcPort: 0
            identityPort: 0
  2. Remove the pachd.externalService section.
  3. Upgrade your cluster:
      helm repo update
      helm upgrade pachyderm pachyderm/pachyderm -f values.yaml
  4. Connect to your cluster:
      pachctl connect grpc://localhost:80
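
After the upgrade, it is worth confirming that the proxy is the only Service reachable from outside the cluster and that no legacy ports remain exposed longer than needed. The Python check below is an added example, not part of the Pachyderm documentation; it parses `kubectl get svc -o json` output, and the service names (`pachyderm-proxy`, `pachd-lb`) and the embedded sample data are assumptions constructed for illustration.

```python
import json

# Constructed sample of `kubectl get svc -o json` output after the upgrade.
# Service names and ports are illustrative assumptions, not from a real cluster.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "pachyderm-proxy"},
     "spec": {"type": "LoadBalancer",
              "ports": [{"name": "http", "port": 80},
                        {"name": "legacy-grpc", "port": 30650}]}},
    {"metadata": {"name": "pachd"},
     "spec": {"type": "ClusterIP",
              "ports": [{"name": "api-grpc-port", "port": 30650}]}},
    {"metadata": {"name": "pachd-lb"},  # leftover pachd.externalService
     "spec": {"type": "LoadBalancer",
              "ports": [{"name": "api-grpc-port", "port": 30650}]}},
]})

EXTERNAL_TYPES = {"LoadBalancer", "NodePort"}  # Service types reachable from outside
PROXY_PORTS = {80, 443}                        # the single port the proxy should expose


def audit_exposure(svc_json, proxy_name="pachyderm-proxy"):
    """Return findings for anything exposed beyond the proxy's single port."""
    findings = []
    proxy_seen = False
    for svc in json.loads(svc_json).get("items", []):
        name = svc["metadata"]["name"]
        spec = svc.get("spec", {})
        if spec.get("type") not in EXTERNAL_TYPES:
            continue  # ClusterIP services are internal only
        ports = sorted(p["port"] for p in spec.get("ports", []))
        if name != proxy_name:
            findings.append(f"{name}: external {spec['type']} service besides the proxy, ports {ports}")
            continue
        proxy_seen = True
        extra = [p for p in ports if p not in PROXY_PORTS]
        if extra:
            findings.append(f"{name}: legacy ports still exposed {extra}")
    if not proxy_seen:
        findings.append(f"{proxy_name}: no external proxy service found")
    return findings


if __name__ == "__main__":
    for line in audit_exposure(SAMPLE):
        print(line)
```

Against a live cluster, pass the output of `kubectl get svc -n <namespace> -o json` to `audit_exposure`; an empty list means only the proxy port is exposed through Service objects.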