SSL/TLS Certificates in Chroma

Chroma uses uvicorn as an ASGI server, which can be configured to use SSL/TLS certificates.

CLI not supported

Using certificates with the Chroma CLI is not yet supported.

Performance Impact

Using certificates within Chroma will have a performance impact, as uvicorn will need to handle the encryption and decryption of the data. If performance is a concern, consider using a reverse proxy like nginx or envoy to handle the SSL/TLS termination.

Self-Signed Certificates

Creating a self-signed certificate

You will need to create an openssl.cnf file in the same directory with the following content:

```ini
[req]
distinguished_name = req_distinguished_name
x509_extensions = usr_cert
[req_distinguished_name]
CN = $ENV::CHROMA_DOMAIN
[usr_cert]
subjectAltName = DNS:$ENV::CHROMA_DOMAIN
```

Certificate Domain - CHROMA_DOMAIN

You can set the CHROMA_DOMAIN environment variable to the domain you want to use for the certificate. It must be the hostname clients will connect with, because it ends up in the certificate's subjectAltName and is what clients verify against.


To run the following you will need to have openssl installed on your system.

```bash
export CHROMA_DOMAIN=${CHROMA_DOMAIN:-"localhost"}
mkdir -p certs   # openssl does not create the output directory
openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
  -keyout certs/serverkey.pem \
  -subj '/O=Chroma/C=US' \
  -out certs/servercert.pem \
  -config openssl.cnf
```

This will create a self-signed certificate and key in the certs directory. The subject is fixed by -subj; the domain goes into the subjectAltName extension, which is what clients check when they verify the hostname.

If you are using Docker, you can use the following command to generate the certificates:

```bash
mkdir -p certs   # create it first, or Docker creates it owned by root
docker run --rm -v $(pwd)/certs:/certs \
  -v $(pwd)/openssl.cnf:/etc/ssl/openssl.cnf \
  -e CHROMA_DOMAIN=localhost \
  openquantumsafe/openssl3 \
  openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
  -keyout /certs/serverkey.pem \
  -subj '/O=Chroma/C=US' \
  -out /certs/servercert.pem \
  -config /etc/ssl/openssl.cnf
```

Security Warning

Self-signed certificates are not recommended for production use. They are only suitable for testing and development purposes. Additionally, in the above example the key file is not password protected, which is also not recommended for production use (uvicorn can load an encrypted key with --ssl-keyfile-password). At a minimum, restrict the permissions on serverkey.pem so that only the user running Chroma can read it.

Configuring and running Chroma

You can run Chroma with the SSL/TLS certificate generated above or any other certificate you have.


To run Chroma with the self-signed certificate, you can use the following command:

```bash
docker run --rm -it -p 8000:8000 \
  -v $(pwd)/certs:/chroma/certs \
  chromadb/chroma:0.5.0 \
  --workers 1 \
  --host 0.0.0.0 \
  --port 8000 \
  --proxy-headers \
  --log-config chromadb/log_config.yml \
  --timeout-keep-alive 30 \
  --ssl-keyfile /chroma/certs/serverkey.pem \
  --ssl-certfile /chroma/certs/servercert.pem
```

To run Chroma with the self-signed certificate using Docker Compose, you can use the following docker-compose.yml file:

```yaml
version: '3.9'
networks:
  net:
    driver: bridge
services:
  server:
    image: chromadb/chroma:0.5.0
    volumes:
      # Be aware that indexed data are located in "/chroma/chroma/"
      # Default configuration for persist_directory in chromadb/config.py
      # Read more about deployments: https://docs.trychroma.com/deployment
      - chroma-data:/chroma/chroma
      # The certificate and key referenced by --ssl-keyfile/--ssl-certfile below
      - ./certs:/chroma/certs
    command: "--workers 1 --host 0.0.0.0 --port 8000 --proxy-headers --log-config chromadb/log_config.yml --timeout-keep-alive 30 --ssl-keyfile /chroma/certs/serverkey.pem --ssl-certfile /chroma/certs/servercert.pem"
    environment:
      - IS_PERSISTENT=TRUE
      - CHROMA_SERVER_AUTHN_PROVIDER=${CHROMA_SERVER_AUTHN_PROVIDER}
      - CHROMA_SERVER_AUTHN_CREDENTIALS_FILE=${CHROMA_SERVER_AUTHN_CREDENTIALS_FILE}
      - CHROMA_SERVER_AUTHN_CREDENTIALS=${CHROMA_SERVER_AUTHN_CREDENTIALS}
      - CHROMA_AUTH_TOKEN_TRANSPORT_HEADER=${CHROMA_AUTH_TOKEN_TRANSPORT_HEADER}
      - PERSIST_DIRECTORY=${PERSIST_DIRECTORY:-/chroma/chroma}
      - CHROMA_OTEL_EXPORTER_ENDPOINT=${CHROMA_OTEL_EXPORTER_ENDPOINT}
      - CHROMA_OTEL_EXPORTER_HEADERS=${CHROMA_OTEL_EXPORTER_HEADERS}
      - CHROMA_OTEL_SERVICE_NAME=${CHROMA_OTEL_SERVICE_NAME}
      - CHROMA_OTEL_GRANULARITY=${CHROMA_OTEL_GRANULARITY}
      - CHROMA_SERVER_NOFILE=${CHROMA_SERVER_NOFILE}
    restart: unless-stopped
    ports:
      - "8000:8000"
    healthcheck:
      # Adjust below to match your container port. The server now speaks HTTPS,
      # and -k is needed because the self-signed certificate is not in the
      # container's trust store.
      test: [ "CMD", "curl", "-f", "-k", "https://localhost:8000/api/v1/heartbeat" ]
      interval: 30s
      timeout: 10s
      retries: 3
    networks:
      - net
volumes:
  chroma-data:
    driver: local
```
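The client side of the setup above, as an added example that is not part of Chroma or of the original page: the correct way to talk to a server that presents the self-signed certificate is to trust that exact PEM file, not to disable verification, and to connect using the hostname that was put into the subjectAltName (CHROMA_DOMAIN). The environment variable names CHROMA_PORT and CHROMA_SERVER_CERT used in the `__main__` block are assumptions made for this example; only CHROMA_DOMAIN comes from the page.

```python
"""Talk to a TLS-enabled Chroma server while still verifying its certificate.

Added example, not Chroma's own code. A self-signed server certificate is
handled by trusting that specific certificate on the client, never by
turning verification off. The host the client connects to must match the
DNS name in the certificate's subjectAltName (CHROMA_DOMAIN at issue time).
"""
import http.client
import json
import os
import ssl


def build_client_context(cafile=None):
    """Return a strict SSLContext for a Chroma client.

    cafile: PEM file to trust, e.g. "certs/servercert.pem" for the
    self-signed certificate generated above. None means the system trust
    store, which is the right choice once a CA-issued certificate is used.
    A missing cafile raises OSError instead of silently falling back.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    # Refuse legacy protocol versions; TLS 1.2 is the floor.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # create_default_context already sets these; restate them so a later
    # edit cannot weaken the client without it being visible here.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def heartbeat(host, port, ctx, timeout=5.0):
    """GET /api/v1/heartbeat over HTTPS and return the decoded JSON body.

    Raises ssl.SSLCertVerificationError for an untrusted certificate or a
    hostname mismatch, and RuntimeError for a non-200 response.
    """
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
    try:
        conn.request("GET", "/api/v1/heartbeat")
        resp = conn.getresponse()
        body = resp.read()
        if resp.status != 200:
            raise RuntimeError(f"heartbeat returned HTTP {resp.status}: {body[:200]!r}")
        return json.loads(body)
    finally:
        conn.close()


def explain_tls_error(exc):
    """Map the two usual handshake failures to the fix a practitioner needs."""
    msg = str(exc)
    if "Hostname mismatch" in msg:
        return ("host does not match the certificate's subjectAltName; connect "
                "using the CHROMA_DOMAIN the certificate was issued for")
    if ("self-signed certificate" in msg or "self signed certificate" in msg
            or "unable to get local issuer certificate" in msg):
        return ("certificate is not trusted; pass the server's PEM file as "
                "cafile instead of disabling verification")
    return msg


if __name__ == "__main__":
    # Defaults match the docker-compose example above. CHROMA_PORT and
    # CHROMA_SERVER_CERT are names chosen for this example, not Chroma settings.
    host = os.environ.get("CHROMA_DOMAIN", "localhost")
    port = int(os.environ.get("CHROMA_PORT", "8000"))
    cafile = os.environ.get("CHROMA_SERVER_CERT", "certs/servercert.pem")
    try:
        print(heartbeat(host, port, build_client_context(cafile)))
    except ssl.SSLCertVerificationError as exc:
        raise SystemExit(f"TLS verification failed: {explain_tls_error(exc)}")
```

The same idea applies to the chromadb client library: point its TLS verification at the server's PEM file (chromadb's Settings carries a chroma_server_ssl_verify field for this in the releases I have used; confirm it against the version you run) rather than setting verification to False. Once a CA-issued certificate replaces the self-signed one, drop the cafile argument and let the system trust store do the work.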

Using a Certificate Authority

The examples below will demonstrate how to use certbot to obtain a certificate from a given certificate authority.

Let’s Encrypt

Coming soon!

AWS Certificate Manager

Coming soon!

June 26, 2024