Deploy CRDP in Kubernetes Environment (without Helm Chart)
This section describes steps to deploy CRDP in a Kubernetes pod without using a Helm Chart.
Prerequisites
This deployment scenario assumes that:
A Kubernetes environment is up and running and kubectl is installed.
CipherTrust Manager 2.14 or higher is up and running. Refer to CipherTrust Manager Deployment for details.
On the CipherTrust Manager, a CRDP application is defined.
A registration token is generated. This registration token will be used to register the CRDP clients with CipherTrust Manager.
Refer to Defining applications in the Application Data Protection Administration document for details.
CRDP image repository, thalesciphertrust/ciphertrust-restful-data-protection, is accessible. This repository contains images for CRDP.
The path for CRDP 1.1.0 is thalesciphertrust/ciphertrust-restful-data-protection:1.1.0.
Note
The image path with the latest tag (thalesciphertrust/ciphertrust-restful-data-protection:latest) always points to the latest release.
Steps to Deploy CRDP within your Kubernetes Pod
To deploy CRDP with SERVER_MODE set to no-tls, create the secret using the following command.
kubectl create secret generic <crdp secret name> --from-literal=regtoken=<registration token>
Create a deployment file, for example, <crdp-deployment.yaml>, with the following content.

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    run: crdp
  name: crdp-deployment
spec:
  template:
    metadata:
      name: crdp
      labels:
        run: crdp
    spec:
      containers:
      - image: thalesciphertrust/ciphertrust-restful-data-protection:latest
        imagePullPolicy: IfNotPresent
        name: crdp-image
        env:
        - name: KEY_MANAGER_HOST
          value: "<key manager ip>"
        - name: SERVER_MODE
          value: "no-tls"
        - name: REGISTRATION_TOKEN
          valueFrom:
            secretKeyRef:
              name: <crdp secret name>
              key: regtoken
  replicas: 1
  selector:
    matchLabels:
      run: crdp
Apply the deployment configuration.
kubectl apply -f <crdp-deployment.yaml>
Create a service to expose the CRDP pod, for example, <crdp-service.yaml>, with the following content.

apiVersion: v1
kind: Service
metadata:
  labels:
    run: crdp
  name: <crdp-service-name>
spec:
  selector:
    run: crdp
  type: NodePort
  ports:
  - port: 8090
    nodePort: 32085
Apply the service configuration.
kubectl apply -f <crdp-service.yaml>
Check whether your deployment is ready.
kubectl get deployments
Verify the deployment.
curl http://<node ip>:32085/liveness -H 'Content-Type: application/json' -X GET
To deploy CRDP with SERVER_MODE set to tls-cert-opt, create the secret, which also holds the server certificate and key, using the following command.
kubectl create secret generic <crdp secret name> --from-file=cert=<certificate file path> --from-file=key=<key file path> --from-literal=regtoken=<registration token>
Create a deployment file, for example, <crdp-deployment.yaml>, with the following content. All secretKeyRef entries point at the secret created in the previous step.

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    run: crdp
  name: crdp-deployment
spec:
  template:
    metadata:
      name: crdp
      labels:
        run: crdp
    spec:
      containers:
      - image: thalesciphertrust/ciphertrust-restful-data-protection:latest
        imagePullPolicy: IfNotPresent
        name: crdp-image
        env:
        - name: KEY_MANAGER_HOST
          value: "<key manager ip>"
        - name: SERVER_MODE
          value: "tls-cert-opt"
        - name: REGISTRATION_TOKEN
          valueFrom:
            secretKeyRef:
              name: <crdp secret name>
              key: regtoken
        - name: CERT_VALUE
          valueFrom:
            secretKeyRef:
              name: <crdp secret name>
              key: cert
        - name: KEY_VALUE
          valueFrom:
            secretKeyRef:
              name: <crdp secret name>
              key: key
  replicas: 1
  selector:
    matchLabels:
      run: crdp
Apply the deployment configuration.
kubectl apply -f <crdp-deployment.yaml>
Create a service to expose the CRDP pod, for example, <crdp-service.yaml>, with the following content.

apiVersion: v1
kind: Service
metadata:
  labels:
    run: crdp
  name: <crdp-service-name>
spec:
  selector:
    run: crdp
  type: NodePort
  ports:
  - port: 8090
    nodePort: 32085
Apply the service configuration.
kubectl apply -f <crdp-service.yaml>
Check whether your deployment is ready.
kubectl get deployments
Verify the deployment.
curl -k https://<node ip>:32085/liveness -H 'Content-Type: application/json' -X GET
To deploy CRDP with SERVER_MODE set to tls-cert, create the secret, which also holds the server certificate, key and CA certificate, using the following command.
kubectl create secret generic <crdp secret name> --from-file=cert=<certificate file path> --from-file=key=<key file path> --from-file=ca=<ca certificate path> --from-literal=regtoken=<registration token>
Create a deployment file, for example, <crdp-deployment.yaml>, with the following content. All secretKeyRef entries point at the secret created in the previous step.

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    run: crdp
  name: crdp-deployment
spec:
  template:
    metadata:
      name: crdp
      labels:
        run: crdp
    spec:
      containers:
      - image: thalesciphertrust/ciphertrust-restful-data-protection:latest
        imagePullPolicy: IfNotPresent
        name: crdp-image
        env:
        - name: KEY_MANAGER_HOST
          value: "<key manager ip>"
        - name: SERVER_MODE
          value: "tls-cert"
        - name: REGISTRATION_TOKEN
          valueFrom:
            secretKeyRef:
              name: <crdp secret name>
              key: regtoken
        - name: CERT_VALUE
          valueFrom:
            secretKeyRef:
              name: <crdp secret name>
              key: cert
        - name: KEY_VALUE
          valueFrom:
            secretKeyRef:
              name: <crdp secret name>
              key: key
        - name: TRUSTED_CA
          valueFrom:
            secretKeyRef:
              name: <crdp secret name>
              key: ca
  replicas: 1
  selector:
    matchLabels:
      run: crdp
Apply the deployment configuration.
kubectl apply -f <crdp-deployment.yaml>
Create a service to expose the CRDP pod, for example, <crdp-service.yaml>, with the following content.

apiVersion: v1
kind: Service
metadata:
  labels:
    run: crdp
  name: <crdp-service-name>
spec:
  selector:
    run: crdp
  type: NodePort
  ports:
  - port: 8090
    nodePort: 32085
Apply the service configuration.
kubectl apply -f <crdp-service.yaml>
Check whether your deployment is ready.
kubectl get deployments
Verify the deployment.
curl -k --key <client key file path> --cert <client certificate file path> https://<node ip>:32085/liveness -H 'Content-Type: application/json' -X GET
Applying the deployment updates your existing deployment, and the CRDP container comes up. CRDP obtains its keys and configuration from the CipherTrust Manager. If the policies or configuration change, CRDP uses the heartbeat mechanism to pull the updates from the CipherTrust Manager.
Note
It is not recommended to run the CRDP container in privileged mode.
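As an added example, not part of this documentation or of the CRDP project, the following Python script performs static checks on a CRDP Deployment manifest before it is applied. It covers all three SERVER_MODE values shown above (no-tls, tls-cert-opt and tls-cert) and verifies that each mode's required environment variables are present, that the registration token and TLS material are wired in through secretKeyRef rather than inline values, that every secretKeyRef points at the same secret, and that the container does not run privileged, as the Note recommends. The build_manifest helper and the KEY_MANAGER_HOST address in it are constructed sample data that mirror the manifests on this page; in practice you would load your own manifest with a YAML library and pass the resulting dictionary to check_crdp_deployment.

```python
# Added example (not Thales documentation or CRDP project code): static checks
# on a CRDP Deployment manifest before `kubectl apply`.
import json

# Environment variables every mode needs, plus the extra ones each TLS mode
# needs, as used by the three manifests on this page.
ALWAYS_REQUIRED = {"KEY_MANAGER_HOST", "SERVER_MODE", "REGISTRATION_TOKEN"}
REQUIRED_BY_MODE = {
    "no-tls": set(),
    "tls-cert-opt": {"CERT_VALUE", "KEY_VALUE"},
    "tls-cert": {"CERT_VALUE", "KEY_VALUE", "TRUSTED_CA"},
}
# Sensitive values that must come from a Secret, never as an inline value.
MUST_COME_FROM_SECRET = {"REGISTRATION_TOKEN", "CERT_VALUE", "KEY_VALUE", "TRUSTED_CA"}
# Secret key behind each sensitive variable, matching the kubectl create secret commands.
SECRET_KEY_FOR = {"REGISTRATION_TOKEN": "regtoken", "CERT_VALUE": "cert",
                  "KEY_VALUE": "key", "TRUSTED_CA": "ca"}


def check_crdp_deployment(manifest):
    """Return a list of findings; an empty list means the manifest passed every check."""
    findings = []
    pod_spec = manifest["spec"]["template"]["spec"]
    for c in pod_spec.get("containers", []):
        cname = c.get("name", "<unnamed>")
        env = {e["name"]: e for e in c.get("env", [])}
        mode = env.get("SERVER_MODE", {}).get("value")
        if mode not in REQUIRED_BY_MODE:
            findings.append(f"{cname}: SERVER_MODE is {mode!r}; expected one of {sorted(REQUIRED_BY_MODE)}")
            continue
        # Every variable the chosen mode needs must be present.
        for name in sorted((ALWAYS_REQUIRED | REQUIRED_BY_MODE[mode]) - env.keys()):
            findings.append(f"{cname}: SERVER_MODE {mode} requires env {name}")
        # Sensitive material must be referenced from a Secret, and from one Secret only.
        secrets_used = set()
        for name in sorted(MUST_COME_FROM_SECRET & env.keys()):
            ref = env[name].get("valueFrom", {}).get("secretKeyRef")
            if ref is None:
                findings.append(f"{cname}: {name} is set inline; reference it from a Secret instead")
            else:
                secrets_used.add(ref.get("name", ""))
        if len(secrets_used) > 1:
            findings.append(f"{cname}: env references several Secrets {sorted(secrets_used)}; expected one")
        # The documentation recommends against privileged mode.
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"{cname}: container is privileged")
    return findings


def build_manifest(mode, token_secret="crdp-secret", tls_secret="crdp-secret", privileged=False):
    """Construct a Deployment shaped like the ones on this page (sample data, not a live cluster)."""
    env = [
        {"name": "KEY_MANAGER_HOST", "value": "192.0.2.10"},  # constructed placeholder address
        {"name": "SERVER_MODE", "value": mode},
    ]
    for var in ["REGISTRATION_TOKEN", *sorted(REQUIRED_BY_MODE.get(mode, set()))]:
        secret = token_secret if var == "REGISTRATION_TOKEN" else tls_secret
        env.append({"name": var, "valueFrom": {"secretKeyRef": {"name": secret, "key": SECRET_KEY_FOR[var]}}})
    container = {
        "image": "thalesciphertrust/ciphertrust-restful-data-protection:latest",
        "imagePullPolicy": "IfNotPresent",
        "name": "crdp-image",
        "env": env,
    }
    if privileged:
        container["securityContext"] = {"privileged": True}
    return {
        "apiVersion": "apps/v1",
        "kind": "Deployment",
        "metadata": {"labels": {"run": "crdp"}, "name": "crdp-deployment"},
        "spec": {
            "replicas": 1,
            "selector": {"matchLabels": {"run": "crdp"}},
            "template": {
                "metadata": {"name": "crdp", "labels": {"run": "crdp"}},
                "spec": {"containers": [container]},
            },
        },
    }


if __name__ == "__main__":
    for mode in REQUIRED_BY_MODE:
        print(mode, check_crdp_deployment(build_manifest(mode)))
    # A manifest that splits its secretKeyRef entries over two Secrets and runs privileged.
    bad = build_manifest("tls-cert", token_secret="crdp-reg", privileged=True)
    print(json.dumps(check_crdp_deployment(bad), indent=2))
```

The "several Secrets" check catches the kind of mismatch that is easy to introduce when the registration token and the TLS material are referenced under different names: the pod would then fail to start for whichever Secret does not exist, and the error surfaces only at scheduling time rather than at review time.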
Next steps
After the CRDP container is up and running, you can explore any of the following topics: