Deploy DPG in Kubernetes Environment (without Helm Chart)

This section describes the steps involved in deploying DPG as a sidecar inline with your application container in a Kubernetes pod.

Prerequisites

This deployment scenario assumes that:

• A Kubernetes environment is deployed and working.

• The application to be protected is currently deployed on one or more Kubernetes pods. If you are using Helm Charts to deploy, refer to Quick Start.

• Your Kubernetes environment and orchestrator have access to the ciphertrust-data-protection-gateway repository. For any repositories related issue, contact dpg.admin@thalesgroup.com.

  This repository contains the following images:

  • DPG (with latest tag): thalesgroup/ciphertrust-data-protection-gateway:latest

  • Sample Application Server (with appserver tag): thalesgroup/ciphertrust-data-protection-gateway:appserver

• CipherTrust Manager is up and running. Refer to CipherTrust Manager Deployment for details.

Steps to Deploy DPG as Sidecar

1. In CipherTrust Manager, define an Application and generate a registration token. Keep this registration token for a future step. Refer to Application Protection Administrator Guide for details.

2. Add the DPG container to your Kubernetes pod.

   • Add the following containers to your deployment file (for example, deployment.yaml in this document):

     spec:              
        containers:              
         - image: thalesgroup/ciphertrust-data-protection-gateway:latest
           imagePullPolicy: IfNotPresent
           name: dpg-container
           readinessProbe:
             httpGet:
                path: /healthz
                port: 8990
                scheme: HTTP
             initialDelaySeconds: 10
             periodSeconds: 5
           livenessProbe:
             httpGet:
                 path: /liveness
                 port: 8990
                 scheme: HTTP
             initialDelaySeconds: 10
             periodSeconds: 10
     

   • Update deployment with below lines under env in the deployment.yaml:

         env:
     
             - name: KMS
               valueFrom:
                 configMapKeyRef:
                   name: <configmap-name>
                   key: KMS
              - name: CERT_PATH
                valueFrom:
                   secretKeyRef:
                     name: <secret-name> 
                     key: server.crt
              - name: KEY_PATH
                valueFrom:
                   secretKeyRef:
                     name: <secret-name>
                     key: server.key
              - name: TLS_ENABLED
                valueFrom:
                   configMapKeyRef:
                     name: <configmap-name>
                     key: TLS_ENABLED
              - name: REG_TOKEN
                valueFrom:
                   configMapKeyRef:
                     name: <configmap-name>
                     key: REG_TOKEN
              - name: DESTINATION_URL
                valueFrom:
                   configMapKeyRef:
                     name: <configmap-name>
                     key: DESTINATION_URL
     

   • Add the below lines to the data section of kind: ConfigMap of the deployment.yaml file:

     data:               
         apiVersion: v1
         data:
             TLS_ENABLED: false
             KMS: <ip of kms>
             REG_TOKEN:  <reg_token>
             DESTINATION_URL: http://localhost:8081
     

   • Add the below lines to the data section of kind:Secret in the deployment.yaml file. This step is only needed when tls_enabled is set to true.

     data:
       server.crt: <tls-certificate>
       server.key: <tls-key>
     

3. Launch the Kubernetes deployment as shown below:

   kubectl apply -f `<filename>` -n `<namespace>`
   

   This step will update your existing deployment and DPG will come up as a sidecar along with your application. DPG will get all associated policies and configurations from the CipherTrust Manager.