Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Alternative Deployment Methods

Deploy CRDP in Kubernetes Environment (without Helm Chart)

search

Please Note:

printsuggest an edit

Deploy CRDP in Kubernetes Environment (without Helm Chart)

This section describes steps to deploy CRDP in a Kubernetes pod without using a Helm Chart.

copy link to clipboardPrerequisites

This deployment scenario assumes that:

  • Kubernetes environment is up and running and kubectl is installed.

  • CipherTrust Manager 2.14 or higher is up and running. Refer to CipherTrust Manager Deployment for details.

    • On the CipherTrust Manager, a CRDP application is defined.

    • A registration token is generated. This registration token will be used to register the CRDP clients with CipherTrust Manager.

    Refer to Defining applications in the Application Data Protection Administration document for details.

  • CRDP image repository, thalesciphertrust/ciphertrust-restful-data-protection, is accessible. This repository contains images for CRDP.

    The path for CRDP 1.0.0 is thalesciphertrust/ciphertrust-restful-data-protection:1.0.0.

    Note

    The image path with the latest tag (thalesciphertrust/ciphertrust-restful-data-protection:latest) always points to the latest release.

copy link to clipboardSteps to Deploy CRDP within your Kubernetes Pod

  1. Create the secret using the following command.

    kubectl create secret generic <crdp secret name> --from-literal=regtoken=<registration token>

  2. Create a deployment file, for example, <crdp-deployment.yaml> with the following content.

    apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    run: crdp
  name: crdp-deployment
spec:
  template:
     metadata:
        name: crdp
        labels:
          run: crdp
     spec:
      containers:
        - image: thalesciphertrust/ciphertrust-restful-data-protection:latest
          imagePullPolicy: IfNotPresent
          name: crdp-image

          env:
            - name: KEY_MANAGER_HOST
              value: "<key manager ip>"
            - name: SERVER_MODE
              value: "no-tls"
            - name: REGISTRATION_TOKEN
              valueFrom:
                secretKeyRef:
                  name: <crdp secret name>
                  key: regtoken

  replicas: 1
  selector:
      matchLabels:
        run: crdp

  3. Apply the deployment configuration.

    kubectl apply -f <crdp-deployment.yaml>

  4. Create a service to expose the CRDP pod, for example, <crdp-service.yaml> with the following content.

    apiVersion: v1
kind: Service
metadata:
  labels:
    run: crdp
  name: <crdp-service-name>
spec:
  selector:
    run: crdp
  type: NodePort
  ports:
    - port: 8090
      nodePort: 32085

  5. Apply the service configuration.

    kubectl apply -f <crdp-service.yaml>

  6. Check whether your deployment is ready.

    kubectl get deployments

  7. Verify the deployment.

    curl http://<node ip>:32085/liveness -H 'Content-Type: application/json' -X GET

  1. Create the secret using the following command.

    kubectl create secret generic <crdp secret name> --from-file=cert=<certificate file path> --from-file=key=<key file path> --from-literal=regtoken=<registration token>

  2. Create a deployment file, for example, <crdp-deployment.yaml> with the following content.

    apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    run: crdp
  name: crdp-deployment
spec:
  template:
     metadata:
        name: crdp
        labels:
          run: crdp
     spec:
      containers:
        - image: thalesciphertrust/ciphertrust-restful-data-protection:latest
          imagePullPolicy: IfNotPresent
          name: crdp-image

          env:
            - name: KEY_MANAGER_HOST
              value: "<key manager ip>"
            - name: SERVER_MODE
              value: "tls-cert-opt"
            - name: REGISTRATION_TOKEN
              valueFrom:
                secretKeyRef:
                  name: <crdp secret name>
                  key: regtoken
            - name: CERT_VALUE
              valueFrom:
                secretKeyRef:
                  name: crdp-secret
                  key: cert
            - name: KEY_VALUE
              valueFrom:
                secretKeyRef:
                  name: crdp-secret
                  key: key

  replicas: 1
  selector:
      matchLabels:
        run: crdp

  3. Apply the deployment configuration.

    kubectl apply -f <crdp-deployment.yaml>

  4. Create a service to expose the CRDP pod, for example, <crdp-service.yaml> with the following content.

    apiVersion: v1
kind: Service
metadata:
  labels:
    run: crdp
  name: <crdp-service-name>
spec:
  selector:
    run: crdp
  type: NodePort
  ports:
    - port: 8090
      nodePort: 32085

  5. Apply the service configuration.

    kubectl apply -f <crdp-service.yaml>

  6. Check whether your deployment is ready.

    kubectl get deployments

  7. Verify the deployment.

    curl -k https://<node ip>:32085/liveness -H 'Content-Type: application/json' -X GET

  1. Create the secret.

    kubectl create secret generic <crdp secret name> --from-file=cert=<certificate file path> --from-file=key=<key file path> --from-file=ca=<ca certificate path> --from-literal=regtoken=<registration token>

  2. Create a deployment file, for example, <crdp-deployment.yaml> with the following content.

    apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    run: crdp
  name: crdp-deployment
spec:
  template:
     metadata:
        name: crdp
        labels:
          run: crdp
     spec:
      containers:
        - image: thalesciphertrust/ciphertrust-restful-data-protection:latest
          imagePullPolicy: IfNotPresent
          name: crdp-image

          env:
            - name: KEY_MANAGER_HOST
              value: "<key manager ip>"
            - name: SERVER_MODE
              value: "tls-cert"
            - name: REGISTRATION_TOKEN
              valueFrom:
                secretKeyRef:
                  name: <crdp secret name>
                  key: regtoken
            - name: CERT_VALUE
              valueFrom:
                secretKeyRef:
                  name: crdp-secret
                  key: cert
            - name: KEY_VALUE
              valueFrom:
                secretKeyRef:
                  name: crdp-secret
                  key: key
            - name: TRUSTED_CA
              valueFrom:
                secretKeyRef:
                  name: crdp-secret
                  key: ca

  replicas: 1
  selector:
      matchLabels:
        run: crdp

  3. Apply the deployment configuration.

    kubectl apply -f <crdp-deployment.yaml>

  4. Create a service to expose the CRDP pod, for example, <crdp-service.yaml> with the following content.

    apiVersion: v1
kind: Service
metadata:
  labels:
    run: crdp
  name: <crdp-service-name>
spec:
  selector:
    run: crdp
  type: NodePort
  ports:
    - port: 8090
      nodePort: 32085

  5. Apply the service configuration.

    kubectl apply -f <crdp-service.yaml>

  6. Check whether your deployment is ready.

    kubectl get deployments

  7. Verify the deployment.

    curl -k --key <client key file path> --cert <client certificate file path> https://<node ip>:32085/liveness -H 'Content-Type: application/json' -X GET

This step will update your existing deployment and the CRDP container will come up. CRDP will get keys and configurations from the CipherTrust Manager. If there is any change in the policies and configuration, CRDP uses the heartbeat mechanism to get updates from the CipherTrust Manager.

copy link to clipboardNext steps

After the CRDP container is up and running, you can explore any of the following topics:

On this page