Kubernetes with Helm
Deploy ZenML Pro workspaces on Kubernetes with Helm and enroll them in the ZenML Pro control plane
This guide provides step-by-step instructions for deploying ZenML Pro workspaces on Kubernetes using Helm and enrolling them in the ZenML Pro control plane.
Prerequisites
Before starting, make sure you go through the general prerequisites for hybrid deployments and have collected the necessary artifacts and information. Particular requirements for Kubernetes with Helm deployments are listed below.
Infrastructure:
Kubernetes cluster (1.24+)
Network:
Load balancer, network gateway or Ingress controllers etc.
Internal DNS resolution
TLS certificates signed by your internal CA (or self-signed)
Network connectivity between cluster components
Tools (on a machine with internet access for initial setup):
Helm (3.0+)
Install the ZenML Pro Workspace Server
Step 1: Enroll the Workspace in the ZenML Pro Control Plane
Make sure to enroll the workspace in the ZenML Pro control plane by following the Enroll a Workspace in the ZenML Pro Control Plane guide and collect the necessary enrollment credentials.
Step 2: Create Kubernetes Secrets
If you are using an internal container registry, you may need to create a secret to allow the ZenML Pro workspace servers to pull the images. The following is an example of how to do this:
You'll use this secret in the next step when configuring the Helm values for the ZenML Pro workspace server.
Step 3: Configure Helm Values for Workspace Server
The ZenML Pro workspace server is developed on top of the open-source ZenML server and inherits all its features and deployment options. This deployment also uses the open-source ZenML Helm chart, with the only notable differences being that the ZenML Pro workspace server is configured to connect to the ZenML Pro control plane and uses a different container image that is released separately from the open-source ZenML server.
The example below is a basic configuration for the ZenML Pro control plane Helm chart. For a full list of configurable values and documentation, also see the OSS ZenML Helm chart on ArtifactHub.
For advanced deployment configurations, you can also consult the Deploy with Helm documentation, which covers topics such as:
database configuration options
external secrets store backends (AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, HashiCorp Vault)
database backup strategies
Minimum required settings:
the database credentials (
zenml.database.url)the URL (
zenml.serverURL) and Ingress hostname (zenml.ingress.host) where the ZenML Pro workspace server will be reachablethe Pro configuration (
zenml.pro.*) with your organization and workspace details
Additional relevant settings:
configure container registry credentials (
imagePullSecrets) if your cluster needs to authenticate to the container registryinjecting custom CA certificates (
zenml.certificates), especially important if the TLS certificates used by the ZenML Pro services are signed by a custom Certificate Authorityconfigure HTTP proxy settings (
zenml.proxy)custom container image repository location (
zenml.image.repository)additional Ingress settings (
zenml.ingress)Kubernetes resources allocated to the pods (
resources)
Step 4: Deploy the ZenML Pro Workspace Server with Helm
Using the remote Helm chart, if you have access to the internet:
Using the local Helm chart, if you have downloaded the chart previously:
Verify deployment:
Step 5: Install Internal CA Certificates
If the TLS certificates used by the ZenML Pro workspace server are signed by a custom Certificate Authority, you need to install the CA certificates on every machine that needs to access the ZenML workspace server.
System-wide Installation
On all client machines that will access the ZenML workspace server:
Obtain your internal CA certificate
Install it in the system certificate store:
Linux: Copy to
/usr/local/share/ca-certificates/and runupdate-ca-certificatesmacOS: Use
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <cert.pem>Windows: Use
certutil -addstore "Root" cert.pem
For some browsers (e.g., Chrome), updating the system's CA certificates is not enough. You will also need to import the CA certificates into the browser.
For Python/ZenML client:
For Containerized Pipelines
When running containerized pipelines with ZenML, you'll need to install the CA certificates into the container images built by ZenML. Customize the build process via DockerSettings:
Create a custom Dockerfile:
Build and push the image to your internal registry:
Update your ZenML pipeline code to use the custom image:
Access the Workspace UI
Open the ZenML Pro control plane UI in your browser
Sign in with your organization credentials
You should see your workspace running and ready to use in the organization it was enrolled in
Access the Workspaces from ZenML CLI
To login to a workspace with the ZenML CLI:
(Optional) Enable Snapshot Support / Workload Manager
The Workspace Server includes a workload manager feature that enables running pipelines directly from the ZenML Pro UI. This requires the workspace server to have access to a Kubernetes cluster where ad-hoc runner pods can be created.
The workload manager feature and snapshots are only available from ZenML workspace server version 0.90.0 onwards.
If you want to enable snapshot support for the ZenML Pro workspace server, you need to follow the instructions in the Enable Snapshot Support guide.
Day 2 Operations
For information on upgrading ZenML Pro components, see the Upgrades & Updates guide.
Related Resources
Support
For self-hosted and hybrid SaaS/self-hosted deployments, contact ZenML Support:
Email: [email protected]
Provide: Deployment status, configuration details and any error logs
Request from ZenML Support:
Pre-deployment architecture consultation
Offline support packages
Update bundles and release notes
Security documentation (SBOM, vulnerability reports)
Last updated
Was this helpful?