Deploy BDT in Kubernetes Environment (without Helm Chart)
This section describes steps to deploy BDT in a Kubernetes pod without using a Helm Chart.
Tip
You can use any orchestration tool for deployment.
Prerequisites
Kubernetes environment is up and running and kubectl is installed.
CipherTrust Manager 2.19 or higher is up and running. Refer to CipherTrust Manager Deployment for details.
BDT image repository, thalesciphertrust/ciphertrust-batch-data-transformation, is accessible. This repository contains images for BDT. The image path with the latest tag always points to the latest release.
Note
The user is responsible for maintaining the security of their production environment.
Steps to Deploy BDT within your Kubernetes Pod
Create an BDT application on CipherTrust Manager. Click the desired tab to view the instructions.
To create an application from CipherTrust Manager's UI, follow this link.
The application is created on the CipherTrust Manager and a registration token is returned in response. This token is passed in the deployment scripts to register BDT client on the CipherTrust Manager as shown in the below steps.
API:
/v1/data-protection/client-profilesRequest
{ "name": "client_profile_bdt", "app_connector_type": "BDT", "heartbeat_threshold": 5, "configurations": { "log_level": "INFO", "heartbeat_interval": 30, "heartbeat_timeout_count":3, "thread_count": 2, "batch_size": 10 } }Response
{ "id": "9f3edcb1-38e8-4bc7-8c41-99e897560328", "uri": "kylo:kylo:adp-management:client-profiles:client-profile-bdt-9f3edcb1-38e8-4bc7-8c41-99e897560328", "account": "kylo:kylo:admin:accounts:kylo", "createdAt": "2025-03-24T03:26:15.949341161Z", "updatedAt": "2025-03-24T03:26:15.949341161Z", "name": "client_profile_bdt", "app_connector_type": "BDT", "configurations": { "thread_count": 2, "batch_size": 10, "enable_performance_metrics": true, "tls_to_appserver": { "tls_skip_verify": true, "tls_enabled": false }, "auth_method_used": { "scheme_name": "Basic" }, "symmetric_key_cache_enabled": true, "symmetric_key_cache_expiry": 43200, "size_of_connection_pool": 300, "load_balancing_algorithm": "round-robin", "connection_timeout": 30000, "connection_read_timeout": 7000, "connection_idle_timeout": 600000, "connection_retry_interval": 600000, "maximum_idle_connection": 10000, "maximum_idle_connection_per_host": 10000, "dial_timeout": 10, "dial_keep_alive": 60, "log_level": "INFO", "log_rotation": "Daily", "log_size_limit": "100K", "log_max_backup_index": -1, "log_type": "Console", "log_gmt": false, "heartbeat_interval": 30, "heartbeat_timeout_count": 3 }, "csr_parameters": { "csr_cn": "Application Data Protection" }, "ca_id": "04d7f146-684b-47a2-a2c2-e8690be50e18", "enable_client_autorenewal": false, "client_management_profile_id": "0a3b495c-26c2-4a1a-a722-f46bec47e689", "registration_token_id": "0850f54a-dc42-4f3e-a2d3-0b49e19c5ece", "meta": { "has_active_clients": false, "status": "Healthy" } }In response, a registration token is returned. The registration token is passed in the deployment script to register BDT client on the CipherTrust Manager as shown in the below steps.
Create the secret using the following command.
kubectl create secret generic <bdt secret name> --from-literal=regtoken=<registration token>Create a deployment file, for example,
<bdt-deployment.yaml>with the following content.apiVersion: apps/v1 kind: Deployment metadata: name: bdt-deployment labels: app: bdt spec: replicas: 1 selector: matchLabels: app: bdt template: metadata: labels: app: bdt spec: containers: - name: bdt-container image: <bdt-image-name> imagePullPolicy: IfNotPresent env: - name: KMS_HOST value: "<key manager ip>" - name: REG_TOKEN valueFrom: secretKeyRef: name: <bdt secret name> key: regtoken volumeMounts: - mountPath: <container mount path> name: bdt-volume volumes: - name: bdt-volume hostPath: path: <host path to mount> type: DirectoryNote
The
<container mount path>should exist inside the container's home directory (/opt/app/tmp/). For example,<container mount path>can be/opt/app/tmp/input/for input files. Similarly, volumes for output and unprocessed record files can also be mapped.To run database-related transformations, you might need to configure more environment variables, click here for details.
Caution
Volume mounting is mandatory in the following cases during deployment to allow BDT to read or create a file.
When using file as source/destination
When configuring unprocessed record file path
When loading the JDBC driver from the host machine
Use
/opt/app/tmp/to map the external volume with container. Ensure the BDT container has permission to read, write, and execute on the mounted volume else, the deployment will fail.Apply the deployment configuration.
kubectl apply -f <bdt-deployment.yaml>Create a service to expose the BDT pod, for example,
<bdt-service.yaml>with the following content.apiVersion: v1 kind: Service metadata: name: bdt-service labels: app: bdt spec: selector: app: bdt type: NodePort ports: - port: 8080 nodePort: 32085Apply the service configuration.
kubectl apply -f <bdt-service.yaml>Check whether your deployment is ready.
kubectl get deploymentsVerify the deployment.
curl -X GET http://<node ip>:32085/livenessThe following response indicates a successful deployment.
{ "status": "OK" }
BDT is now deployed successfully and is ready to protect, reveal, and reprotect data. Refer to Tasks for details.
