Deploy DPG in Kubernetes Environment (without Helm Chart)
This section describes the steps involved in deploying DPG as a sidecar inline with your application container in a Kubernetes pod.
Prerequisites
This deployment scenario assumes that:
A Kubernetes environment is deployed and working.
The application to be protected is currently deployed on one or more Kubernetes pods. If you are using Helm Charts to deploy, refer to Quick Start.
Your Kubernetes environment and orchestrator have access to the ciphertrust-data-protection-gateway repository. For any repository-related issue, contact dpg.admin@thalesgroup.com.
This repository contains the following images:
DPG (with latest tag): thalesgroup/ciphertrust-data-protection-gateway:latest
Sample Application Server (with appserver tag): thalesgroup/ciphertrust-data-protection-gateway:appserver
CipherTrust Manager is up and running. Refer to CipherTrust Manager Deployment for details.
Steps to Deploy DPG as Sidecar
In CipherTrust Manager, define an Application and generate a registration token. Keep this registration token for a future step. Refer to Application Protection Administrator Guide for details.
Add the DPG container to your Kubernetes pod.
Add the following containers entry to your deployment file (for example, deployment.yaml in this document):
spec:
  containers:
  - image: thalesgroup/ciphertrust-data-protection-gateway:latest
    imagePullPolicy: IfNotPresent
    name: dpg-container
    readinessProbe:
      httpGet:
        path: /healthz
        port: 8990
        scheme: HTTP
      initialDelaySeconds: 10
      periodSeconds: 5
    livenessProbe:
      httpGet:
        path: /liveness
        port: 8990
        scheme: HTTP
      initialDelaySeconds: 10
      periodSeconds: 10
Update the deployment with the lines below under env in deployment.yaml:
env:
- name: KMS
  valueFrom:
    configMapKeyRef:
      name: <configmap-name>
      key: KMS
- name: CERT_PATH
  valueFrom:
    secretKeyRef:
      name: <secret-name>
      key: server.crt
- name: KEY_PATH
  valueFrom:
    secretKeyRef:
      name: <secret-name>
      key: server.key
- name: TLS_ENABLED
  valueFrom:
    configMapKeyRef:
      name: <configmap-name>
      key: TLS_ENABLED
- name: REG_TOKEN
  valueFrom:
    configMapKeyRef:
      name: <configmap-name>
      key: REG_TOKEN
- name: DESTINATION_URL
  valueFrom:
    configMapKeyRef:
      name: <configmap-name>
      key: DESTINATION_URL
Add the lines below to the data section of the kind: ConfigMap resource in the deployment.yaml file. ConfigMap values must be strings, so TLS_ENABLED is quoted:
apiVersion: v1
kind: ConfigMap
data:
  TLS_ENABLED: "false"
  KMS: <ip of kms>
  REG_TOKEN: <reg_token>
  DESTINATION_URL: http://localhost:8081
Add the lines below to the data section of the kind: Secret resource in the deployment.yaml file. This step is only needed when TLS_ENABLED is set to true. Values under data must be base64-encoded; to supply the PEM text as-is, place the same keys under stringData instead.
data:
  server.crt: <tls-certificate>
  server.key: <tls-key>
Launch the Kubernetes deployment as shown below:
kubectl apply -f `<filename>` -n `<namespace>`
This step updates your existing deployment, and DPG comes up as a sidecar alongside your application. DPG pulls all associated policies and configuration from the CipherTrust Manager.
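The fragments in the steps above assembled into one complete deployment.yaml, as an added example that is not part of the original page or of the DPG project. The namespace (dpg-demo), the ConfigMap and Secret names (dpg-config, dpg-tls), the Deployment name and labels, and the assumption that the sample appserver image listens on port 8081 (matching DESTINATION_URL) are all choices made for this example; the KMS address and registration token are placeholders to be replaced with your own values.

```yaml
# Added example: a full manifest built from the page's fragments.
# Names, labels and the namespace below are assumptions for this example.
apiVersion: v1
kind: ConfigMap
metadata:
  name: dpg-config            # stands in for <configmap-name>
  namespace: dpg-demo         # assumed namespace
data:
  TLS_ENABLED: "false"        # ConfigMap values must be strings
  KMS: "REPLACE_WITH_KMS_IP"  # placeholder for <ip of kms>
  REG_TOKEN: "REPLACE_WITH_REGISTRATION_TOKEN"  # placeholder for <reg_token>
  DESTINATION_URL: "http://localhost:8081"      # app container in the same pod
---
apiVersion: v1
kind: Secret
metadata:
  name: dpg-tls               # stands in for <secret-name>
  namespace: dpg-demo
type: Opaque
# Only used when TLS_ENABLED is "true". stringData accepts the PEM text as-is;
# the data field would require base64-encoded values instead.
stringData:
  server.crt: "REPLACE_WITH_PEM_CERTIFICATE"   # placeholder for <tls-certificate>
  server.key: "REPLACE_WITH_PEM_PRIVATE_KEY"   # placeholder for <tls-key>
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: protected-app
  namespace: dpg-demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: protected-app
  template:
    metadata:
      labels:
        app: protected-app
    spec:
      containers:
      # The application being protected. The page's sample appserver image is
      # used here and is assumed to listen on 8081.
      - name: app-container
        image: thalesgroup/ciphertrust-data-protection-gateway:appserver
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 8081
      # DPG sidecar: container, env and probes exactly as in the steps above.
      - name: dpg-container
        image: thalesgroup/ciphertrust-data-protection-gateway:latest
        imagePullPolicy: IfNotPresent
        env:
        - name: KMS
          valueFrom:
            configMapKeyRef: {name: dpg-config, key: KMS}
        - name: CERT_PATH
          valueFrom:
            secretKeyRef: {name: dpg-tls, key: server.crt}
        - name: KEY_PATH
          valueFrom:
            secretKeyRef: {name: dpg-tls, key: server.key}
        - name: TLS_ENABLED
          valueFrom:
            configMapKeyRef: {name: dpg-config, key: TLS_ENABLED}
        - name: REG_TOKEN
          valueFrom:
            configMapKeyRef: {name: dpg-config, key: REG_TOKEN}
        - name: DESTINATION_URL
          valueFrom:
            configMapKeyRef: {name: dpg-config, key: DESTINATION_URL}
        readinessProbe:
          httpGet:
            path: /healthz
            port: 8990
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 5
        livenessProbe:
          httpGet:
            path: /liveness
            port: 8990
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
```

Apply it with kubectl apply -f deployment.yaml -n dpg-demo (after creating the namespace), then confirm with kubectl get pods -n dpg-demo that the pod reports 2/2 containers ready; the DPG container only becomes ready once its /healthz probe on port 8990 succeeds, which in turn depends on reaching the CipherTrust Manager at the KMS address and registering with a valid token. The registration token is a credential: the page keeps it in the ConfigMap for simplicity, but in production it belongs in the Secret, referenced through secretKeyRef like the TLS material, so it is not exposed to anyone who can read ConfigMaps in the namespace.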