Upgrade to Embedded Proxy
Learn how to upgrade your pachd clusters and Enterprise Server to use the embedded proxy, exposing only one external port.
March 24, 2023
Pachyderm ships with an embedded proxy that exposes one external TCP port (:443 if TLS is enabled) for all access, including gRPC, HTTP/S, the S3 gateway, OIDC, and Dex. Switching to the embedded proxy improves your deployment's security posture because the proxy is hardened against malicious traffic and writes extensive audit logs for all requests to Pachyderm.
Before You Start
This guide assumes that:
- You have Pachyderm already set up with Enterprise Server, Authentication and an IdP Connector.
- You are upgrading from a version earlier than 2.5.0 to 2.5.0 or newer.
- You are currently using
- You have a DNS set up or Load Balance IP Address for the
How to Upgrade to Embedded Proxy
- Update your Helm values.yaml file to include the following proxy settings:

    proxy:
      enabled: true
      # host can be "http://<Enterprise-server-external-IP-or-DNS>" or the value of proxy.service.type.loadBalancerIP
      host: 192.168.1.70
      service:
        # type can also be NodePort
        type: LoadBalancer
        # loadBalancerIP can be left blank if you don't know the provisioned IP.
        loadBalancerIP:
        # legacyPorts are only needed for compatibility with your existing configuration. This is not needed for a fresh install where proxy is enabled.
        legacyPorts:
          grpc: 30650
          s3gateway: 30650
          oidcPort: 0
          identityPort: 0
- Remove the
- Upgrade your cluster:
    helm repo update
    helm upgrade pachyderm pachyderm/pachyderm -f values.yml
- Connect to your cluster:
    pachctl connect grpc://localhost:80
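
The goal of the upgrade is a single external port, but every non-zero entry under legacyPorts keeps another one open. The following is an added example, not Pachyderm code, that lists those entries from a values file so they can be tracked and retired once clients use the proxy port. It assumes that a legacyPorts value of 0 means the port is not exposed; the function names are hypothetical and the parser handles only nested key/value mappings, not full YAML.

```python
# Added example: report the legacy ports a values file keeps open in
# addition to the proxy's single external port.
# Assumption: a legacyPorts value of 0 means that port is not exposed.

SAMPLE_VALUES = """\
proxy:
  enabled: true
  # constructed sample, same values as the guide above
  host: 192.168.1.70
  service:
    type: LoadBalancer
    loadBalancerIP:
    legacyPorts:
      grpc: 30650
      s3gateway: 30650
      oidcPort: 0
      identityPort: 0
"""


def parse_nested_mapping(text):
    """Parse nested 'key: value' mappings only (not a full YAML parser)."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for each open nesting level
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()  # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack[-1][0] >= indent:
            stack.pop()  # close levels this line is not nested under
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()
        else:
            parent[key] = {}  # empty value: child mapping or unset key
            stack.append((indent, parent[key]))
    return root


def extra_exposed_ports(values):
    """Return {port: [legacy service names]} for every non-zero legacy port."""
    proxy = values.get("proxy") or {}
    if str(proxy.get("enabled")).lower() != "true":
        raise ValueError("proxy.enabled is not true; the embedded proxy is off")
    legacy = (proxy.get("service") or {}).get("legacyPorts") or {}
    exposed = {}
    for name, port in legacy.items():
        if str(port).isdigit() and int(port) != 0:
            exposed.setdefault(int(port), []).append(name)
    return exposed
```

Run against the sample, `extra_exposed_ports(parse_nested_mapping(SAMPLE_VALUES))` reports port 30650 for both grpc and s3gateway; an empty result means only the proxy port remains.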