Deploy CRDP in Kubernetes Environment (without Helm Chart)
This section describes the steps to deploy CRDP in a Kubernetes pod without using a Helm Chart.
Prerequisites
This deployment scenario assumes that:
A Kubernetes environment is deployed and working.
Docker version 24.0.1 or higher is installed.
CipherTrust Manager 2.14 or higher is up and running. Refer to CipherTrust Manager Deployment for details.
CRDP image repository
The thalesciphertrust/ciphertrust-restful-data-protection repository contains the following images for CRDP:
CRDP (with 1.0.0 tag): thalesciphertrust/ciphertrust-restful-data-protection:1.0.0
CRDP (with latest tag): thalesciphertrust/ciphertrust-restful-data-protection:latest
The image path with the latest tag always points to the latest release.
Steps to Deploy CRDP within your K8s Pod
On CipherTrust Manager, define an Application and generate a registration token. Keep this registration token for a future step. Refer to Defining applications in the Application Data Protection Administration Guide for details.
Add the CRDP container to your Kubernetes pod.
Add the following `containers` entry to your deployment file (for example, `deployment.yaml` in this document):

```yaml
spec:
  containers:
    - image: thalesciphertrust/ciphertrust-restful-data-protection:latest
      imagePullPolicy: IfNotPresent
      name: crdp-container
      readinessProbe:
        httpGet:
          path: /healthz
          port: 8990
          scheme: HTTP
        initialDelaySeconds: 10
        periodSeconds: 5
      livenessProbe:
        httpGet:
          path: /liveness
          port: 8990
          scheme: HTTP
        initialDelaySeconds: 10
        periodSeconds: 10
```
Update the deployment with the lines below under `env` in the `deployment.yaml`:

```yaml
env:
  - name: KEY_MANAGER_HOST
    valueFrom:
      configMapKeyRef:
        name: <configmap-name>
        key: KEY_MANAGER_HOST
  - name: SERVER_MODE
    valueFrom:
      configMapKeyRef:
        name: <configmap-name>
        key: SERVER_MODE
  - name: REGISTRATION_TOKEN
    valueFrom:
      configMapKeyRef:
        name: <configmap-name>
        key: REGISTRATION_TOKEN
  - name: CERT_VALUE
    valueFrom:
      secretKeyRef:
        name: <secret-name>
        key: server.crt
  - name: KEY_VALUE
    valueFrom:
      secretKeyRef:
        name: <secret-name>
        key: server.key
  - name: TRUSTED_CA
    valueFrom:
      secretKeyRef:
        name: <secret-name>
        key: trustedca
```

Refer to the environment variables reference to know more about these variables.
Add the lines below to the `data` section of `kind: ConfigMap` in the `deployment.yaml` file:

```yaml
data:
  SERVER_MODE: no-tls
  KEY_MANAGER_HOST: <ip of kms>
  REGISTRATION_TOKEN: <reg_token>
```
Add the lines below to the `data` section of `kind: Secret` in the `deployment.yaml` file. This step is only needed when `SERVER_MODE` is `tls-cert-opt`.

```yaml
data:
  server.crt: <tls-certificate>
  server.key: <tls-key>
```
Add the lines below to the `data` section of `kind: Secret` in the `deployment.yaml` file. This step is only needed when `SERVER_MODE` is `tls-cert`.

```yaml
data:
  server.crt: <tls-certificate>
  server.key: <tls-key>
  trustedca: <trusted CA>
```
Start the Kubernetes deployment as shown below:

```
kubectl apply -f <filename> -n <namespace>
```

This step updates your existing deployment and brings CRDP up. CRDP gets its keys and configuration from the CipherTrust Manager. If any policy or configuration changes, CRDP picks up the updates from the CipherTrust Manager through its heartbeat mechanism.
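The steps above are spread over several fragments of `deployment.yaml`. The script below is an added example, not part of the CRDP documentation or the CRDP project, that renders one complete manifest (ConfigMap, Secret and Deployment) for the `tls-cert` server mode, since that mode exercises all three Secret keys, and then applies it and waits for the rollout. It assumes the resource names `crdp-config`, `crdp-tls` and `crdp`, the `app: crdp` label, and the `NAMESPACE` variable; it pins the `1.0.0` image tag instead of `latest`. Note that values in a Secret's `data` section must be base64-encoded, so the script encodes the certificate, key and trusted-CA files for you rather than pasting them in raw.

```shell
#!/bin/sh
# Added example, not part of the CRDP documentation: render the complete
# deployment.yaml (ConfigMap + Secret + Deployment) for SERVER_MODE=tls-cert
# and optionally apply it. The resource names below are assumptions.
set -eu

NAMESPACE="${NAMESPACE:-default}"   # assumed namespace
CONFIGMAP_NAME="crdp-config"        # assumed <configmap-name>
SECRET_NAME="crdp-tls"              # assumed <secret-name>

# Secret 'data' values must be base64 on a single line; 'tr' strips the
# line wrapping that some base64 implementations add.
b64_file() { base64 < "$1" | tr -d '\n'; }

# render_manifest <kms-host> <registration-token> <server.crt> <server.key> <trusted-ca>
render_manifest() {
  kms_host=$1 reg_token=$2 crt=$3 key=$4 ca=$5
  cat <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: ${CONFIGMAP_NAME}
data:
  SERVER_MODE: tls-cert
  KEY_MANAGER_HOST: ${kms_host}
  REGISTRATION_TOKEN: ${reg_token}
---
apiVersion: v1
kind: Secret
metadata:
  name: ${SECRET_NAME}
type: Opaque
data:
  server.crt: $(b64_file "$crt")
  server.key: $(b64_file "$key")
  trustedca: $(b64_file "$ca")
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: crdp
spec:
  replicas: 1
  selector:
    matchLabels:
      app: crdp
  template:
    metadata:
      labels:
        app: crdp
    spec:
      containers:
        - image: thalesciphertrust/ciphertrust-restful-data-protection:1.0.0
          imagePullPolicy: IfNotPresent
          name: crdp-container
          readinessProbe:
            httpGet: {path: /healthz, port: 8990, scheme: HTTP}
            initialDelaySeconds: 10
            periodSeconds: 5
          livenessProbe:
            httpGet: {path: /liveness, port: 8990, scheme: HTTP}
            initialDelaySeconds: 10
            periodSeconds: 10
          env:
            - name: KEY_MANAGER_HOST
              valueFrom: {configMapKeyRef: {name: ${CONFIGMAP_NAME}, key: KEY_MANAGER_HOST}}
            - name: SERVER_MODE
              valueFrom: {configMapKeyRef: {name: ${CONFIGMAP_NAME}, key: SERVER_MODE}}
            - name: REGISTRATION_TOKEN
              valueFrom: {configMapKeyRef: {name: ${CONFIGMAP_NAME}, key: REGISTRATION_TOKEN}}
            - name: CERT_VALUE
              valueFrom: {secretKeyRef: {name: ${SECRET_NAME}, key: server.crt}}
            - name: KEY_VALUE
              valueFrom: {secretKeyRef: {name: ${SECRET_NAME}, key: server.key}}
            - name: TRUSTED_CA
              valueFrom: {secretKeyRef: {name: ${SECRET_NAME}, key: trustedca}}
EOF
}

# Usage:
#   sh deploy-crdp.sh render <kms-host> <token> server.crt server.key ca.crt > deployment.yaml
#   sh deploy-crdp.sh apply  <kms-host> <token> server.crt server.key ca.crt
case "${1:-}" in
  render) shift; render_manifest "$@" ;;
  apply)  shift; render_manifest "$@" | kubectl apply -n "$NAMESPACE" -f -
          kubectl rollout status -n "$NAMESPACE" deployment/crdp ;;
esac
```

Use `render` first and review the generated file before `apply`; `kubectl rollout status` returns only once the readiness probe on `/healthz` has passed, so a failing registration (wrong `KEY_MANAGER_HOST` or an expired token) shows up as a rollout that never completes rather than as a silently unhealthy pod.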
Next steps
After the CRDP container is up and running, you can explore any of the following topics: