Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Administration

Quick Start

search

Please Note:

print

Quick Start

This article covers the steps involved in deploying DPG as a sidecar with your application that is deployed to a Kubernetes pod using a Helm Chart. Refer to Alternative Deployment Methods for other methods of deploying DPG.

copy link to clipboardPrerequisites

This Quick Start deployment scenario assumes that:

  • A Kubernetes environment is deployed and working.

  • The Application to be protected is currently deployed using a Helm Chart on one or many Kubernetes pods.

  • Your Kubernetes environment and orchestrator have access to the ciphertrust-data-protection-gateway repository. For any repositories related issue, contact dpg.admin@thalesgroup.com.

    This repository contains the following images:

    • DPG (with latest tag): thalesgroup/ciphertrust-data-protection-gateway:latest

    • Sample Application Server (with appserver tag): thalesgroup/ciphertrust-data-protection-gateway:appserver

  • CipherTrust Manager v2.7 or higher is up and running. Refer to CipherTrust Manager Deployment for details.

copy link to clipboardSteps to Deploy DPG within your K8s Pod

  1. From CipherTrust Manager, create an Application and generate a registration token. You can keep the configuration simple and you do not have to define an endpoint at this time. Keep this registration token for a future step. Refer to Application Protection Administrator Guide of the CipherTrust Manager for details.

  2. Add the DPG container to your Helm Chart.

    • Add the following containers to your deployment file (for example, deployment.yaml in this document) in the template folder of the Helm package configuration:

      spec:
   containers:
     - image: {{.Values.deployment.dpgimage}}
       name: {{.Values.deployment.dpgimagename}}
       readinessProbe:
         httpGet:
            path: /healthz
            port: 8990
            scheme: HTTP
         initialDelaySeconds: 10
         periodSeconds: 5
       livenessProbe:
         httpGet:
            path: /liveness
            port: 8990
            scheme: HTTP
         initialDelaySeconds: 10
         periodSeconds: 10

    • Update deployment with below lines under env in the deployment.yaml file:

      env:

  - name: KMS
    valueFrom:
     configMapKeyRef:
       name: {{.Values.configuration.configmapname}}
       key: KMS
 - name: CERT_PATH
   valueFrom:
      secretKeyRef:
        name: dpg-secret
        key: server.crt
 - name: KEY_PATH
   valueFrom:
      secretKeyRef:
        name: dpg-secret
        key: server.key
 - name: TLS_ENABLED
   valueFrom:
      configMapKeyRef:
        name: {{.Values.configuration.configmapname}}
        key: TLS_ENABLED
 - name: REG_TOKEN
   valueFrom:
      configMapKeyRef:
        name: {{.Values.configuration.configmapname}}
        key: REG_TOKEN
 - name: DESTINATION_URL
   valueFrom:
      configMapKeyRef:
        name: {{.Values.configuration.configmapname}}
        key: DESTINATION_URL

      Note

      The KEY_PATH and CERT_PATH variables are required only if TLS_ENABLED is true.

    • Add the below lines to the data section of kind: ConfigMap in the deployment.yaml file:

      data:
    TLS_ENABLED: {{.Values.configuration.tlsenabled | quote}}}
    KMS: {{.Values.configuration.kms}}
    REG_TOKEN: {{.Values.configuration.reg_token}}
    DESTINATION_URL: {{.Values.configuration.appurl}}

    • Add the below lines to the data section of kind:Secret in the deployment.yaml file. This step is only needed when tls_enabled is set to true.

      data:
      server.crt: {{.Values.configuration.servercrt}}
      server.key: {{.Values.configuration.serverkey}}

  3. Modify the values.yaml file.

    • Add below lines to the configuration section of the values.yaml file:

      configuration:
#used in deployment file and configuration file
secretname: <value of secretname>
configmapname: <value of configmapname>
tlsenabled: false
kms: <kms>
appurl: http(s)://localhost:<applicationserverPort>
reg_token: <value of reg_token>
servercrt: <certificate for TLS communication>
serverkey: <key for TLS communication>

      Here,

      • kms: IP address/Hostname of the CipherTrust Manager.

      • appurl: URL of the Application Server.

      • applicationserverPort: Port on which the Application Server is up and running.

      • secretname: Name of the secret used in your deployment.

      • configmapname: Name of the configmap used in your deployment.

      • tlsenabled: Flag to enable DPG to listen over TLS. For more details, refer to Enable TLS between Client and DPG.

      • reg_token: Registration token used to register a DPG client on the CipherTrust Manager.

    • Add below lines to the deployment section of the values.yaml file.

      dpgimagename: <dpg-container>
dpgimage: thalesgroup/ciphertrust-data-protection-gateway:latest

Here, dpgimagename is a unique identifier for DPG container in pod.

    • Change the values of application ports in values.yaml to the port of the DPG application, as shown below.

      service:
    port: 8990

      By default, DPG comes up on 8990. However, you can change the deafault port using the environment variable DPG_PORT.

  4. Deploy the new version of the Helm Chart as shown below:

    helm upgrade <helm-chart-name> <path-of-helm-chart> -n <namespace>

    This step will upgrade your existing deployment.

As soon as the DPG container comes up, it will attempt to get all associated policies and configurations from the CipherTrust Manager. If you have not created any, DPG will pass requests and responses to the application without processing them. Refer to Application Protection Administrator Guide of the CipherTrust Manager for details on how to create appropriate policies and configuration to start protecting data.

Once your Protection Policies are created, DPG will retrieve any changes available and start processing data.

On this page