Quick Start
This article covers the steps involved in deploying DPG as a sidecar with your application that is deployed to a Kubernetes pod using a Helm Chart. Refer to Alternative Deployment Methods for other methods of deploying DPG.
Prerequisites
This Quick Start deployment scenario assumes that:
A Kubernetes environment is deployed and working.
The Application to be protected is currently deployed using a Helm Chart on one or many Kubernetes pods.
Your Kubernetes environment and orchestrator have access to the ciphertrust-data-protection-gateway repository. For any repository-related issue, contact dpg.admin@thalesgroup.com.
This repository contains the following images:
DPG (with latest tag): thalesgroup/ciphertrust-data-protection-gateway:latest
Sample Application Server (with appserver tag): thalesgroup/ciphertrust-data-protection-gateway:appserver
CipherTrust Manager v2.7 or higher is up and running. Refer to CipherTrust Manager Deployment for details.
Steps to Deploy DPG within your K8s Pod
From CipherTrust Manager, create an Application and generate a registration token. You can keep the configuration simple and you do not have to define an endpoint at this time. Keep this registration token for a future step. Refer to Application Protection Administrator Guide of the CipherTrust Manager for details.
Add the DPG container to your Helm Chart.
Add the following containers entry to your deployment file (for example, deployment.yaml in this document) in the template folder of the Helm package configuration:

spec:
  containers:
    - image: {{.Values.deployment.dpgimage}}
      name: {{.Values.deployment.dpgimagename}}
      readinessProbe:
        httpGet:
          path: /healthz
          port: 8990
          scheme: HTTP
        initialDelaySeconds: 10
        periodSeconds: 5
      livenessProbe:
        httpGet:
          path: /liveness
          port: 8990
          scheme: HTTP
        initialDelaySeconds: 10
        periodSeconds: 10

Update the deployment with the lines below under env in the deployment.yaml file:

env:
  - name: KMS
    valueFrom:
      configMapKeyRef:
        name: {{.Values.configuration.configmapname}}
        key: KMS
  - name: CERT_PATH
    valueFrom:
      secretKeyRef:
        name: dpg-secret
        key: server.crt
  - name: KEY_PATH
    valueFrom:
      secretKeyRef:
        name: dpg-secret
        key: server.key
  - name: TLS_ENABLED
    valueFrom:
      configMapKeyRef:
        name: {{.Values.configuration.configmapname}}
        key: TLS_ENABLED
  - name: REG_TOKEN
    valueFrom:
      configMapKeyRef:
        name: {{.Values.configuration.configmapname}}
        key: REG_TOKEN
  - name: DESTINATION_URL
    valueFrom:
      configMapKeyRef:
        name: {{.Values.configuration.configmapname}}
        key: DESTINATION_URL

Note: The KEY_PATH and CERT_PATH variables are required only if TLS_ENABLED is true.

Add the lines below to the data section of kind: ConfigMap in the deployment.yaml file:

data:
  TLS_ENABLED: {{.Values.configuration.tlsenabled | quote}}
  KMS: {{.Values.configuration.kms}}
  REG_TOKEN: {{.Values.configuration.reg_token}}
  DESTINATION_URL: {{.Values.configuration.appurl}}

Add the lines below to the data section of kind: Secret in the deployment.yaml file. This step is only needed when tlsenabled is set to true.

data:
  server.crt: {{.Values.configuration.servercrt}}
  server.key: {{.Values.configuration.serverkey}}
Modify the values.yaml file.

Add the lines below to the configuration section of the values.yaml file:

configuration:
  # used in the deployment file and the configuration file
  secretname: <value of secretname>
  configmapname: <value of configmapname>
  tlsenabled: false
  kms: <kms>
  appurl: http(s)://localhost:<applicationserverPort>
  reg_token: <value of reg_token>
  servercrt: <certificate for TLS communication>
  serverkey: <key for TLS communication>

Here:
kms: IP address/hostname of the CipherTrust Manager.
appurl: URL of the Application Server.
applicationserverPort: Port on which the Application Server is up and running.
secretname: Name of the Secret used in your deployment. The secretKeyRef entries in deployment.yaml above reference this Secret by the literal name dpg-secret, so the two must agree.
configmapname: Name of the ConfigMap used in your deployment.
tlsenabled: Flag to enable DPG to listen over TLS. For more details, refer to Enable TLS between Client and DPG.
reg_token: Registration token used to register a DPG client on the CipherTrust Manager.
Add the lines below to the deployment section of the values.yaml file:

deployment:
  dpgimagename: <dpg-container>
  dpgimage: thalesgroup/ciphertrust-data-protection-gateway:latest

Here, dpgimagename is a unique identifier for the DPG container in the pod.

Change the value of the application port in values.yaml to the port of the DPG application, as shown below:

service:
  port: 8990

By default, DPG comes up on port 8990. However, you can change the default port using the environment variable DPG_PORT.
Deploy the new version of the Helm Chart as shown below:

helm upgrade <helm-chart-name> <path-of-helm-chart> -n <namespace>

This step will upgrade your existing deployment.
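As an added example (not part of the Thales documentation or chart), the following Python check runs over the rendered manifests before helm upgrade and flags the inconsistencies the steps above make easy to introduce: CERT_PATH/KEY_PATH missing while TLS_ENABLED is true, a configMapKeyRef or secretKeyRef pointing at a key that does not exist, and a Service or readiness probe port that no longer matches the DPG listener (DPG_PORT, default 8990). The manifests are constructed dicts in the shape of the steps above; the object names dpg-config and dpg-secret and the application port 8080 are assumptions.

```python
DPG_IMAGE = "thalesgroup/ciphertrust-data-protection-gateway"
def env_refs(container):
    """Map env name -> (kind, objectName, key) for configMapKeyRef/secretKeyRef entries."""
    refs = {}
    for e in container.get("env", []):
        src = e.get("valueFrom", {})
        for kind, field in (("ConfigMap", "configMapKeyRef"), ("Secret", "secretKeyRef")):
            if field in src:
                refs[e["name"]] = (kind, src[field]["name"], src[field]["key"])
    return refs
def check_dpg_sidecar(deployment, configmap, secret, service):
    """Return a list of problem strings; an empty list means the manifest is consistent."""
    problems = []
    containers = deployment["spec"]["template"]["spec"]["containers"]
    dpg = next(c for c in containers  # the sample app server shares this repo under the :appserver tag
               if c["image"].startswith(DPG_IMAGE) and not c["image"].endswith(":appserver"))
    refs = env_refs(dpg)
    missing = {"KMS", "REG_TOKEN", "DESTINATION_URL", "TLS_ENABLED"} - set(refs)
    if missing:
        problems.append(f"required env not set: {sorted(missing)}")
    for name, (kind, obj, key) in refs.items():  # every reference must resolve to an existing key
        store = configmap if kind == "ConfigMap" else secret
        if store["metadata"]["name"] != obj or key not in store.get("data", {}):
            problems.append(f"env {name}: {kind}/{obj} has no key {key!r}")
    if str(configmap["data"].get("TLS_ENABLED", "false")).lower() == "true":  # cert/key only for TLS
        missing = sorted({"CERT_PATH", "KEY_PATH"} - set(refs))
        if missing:
            problems.append(f"TLS_ENABLED is true but {missing} are not set")
    # The Service and the readiness probe must target the DPG listener (DPG_PORT, default 8990).
    listen = int(next((e["value"] for e in dpg["env"] if e["name"] == "DPG_PORT"), 8990))
    for what, port in (("service", service["spec"]["ports"][0]["port"]),
                       ("readinessProbe", dpg["readinessProbe"]["httpGet"]["port"])):
        if int(port) != listen:
            problems.append(f"{what} port {port} does not match DPG listen port {listen}")
    return problems
def sample_manifests(tls_enabled, add_tls_env):
    """Constructed manifests in the Quick Start's shape (not the output of a real chart)."""
    def cm(k): return {"name": k, "valueFrom": {"configMapKeyRef": {"name": "dpg-config", "key": k}}}
    def sec(n, k): return {"name": n, "valueFrom": {"secretKeyRef": {"name": "dpg-secret", "key": k}}}
    env = [cm(k) for k in ("KMS", "TLS_ENABLED", "REG_TOKEN", "DESTINATION_URL")]
    if add_tls_env:
        env += [sec("CERT_PATH", "server.crt"), sec("KEY_PATH", "server.key")]
    dpg = {"image": DPG_IMAGE + ":latest", "name": "dpg-container", "env": env,
           "readinessProbe": {"httpGet": {"path": "/healthz", "port": 8990}}}
    configmap = {"metadata": {"name": "dpg-config"}, "data": {"TLS_ENABLED": str(tls_enabled).lower(),
                 "KMS": "cm.example.internal", "REG_TOKEN": "<placeholder>", "DESTINATION_URL": "http://localhost:8080"}}
    secret = {"metadata": {"name": "dpg-secret"}, "data": {"server.crt": "<crt>", "server.key": "<key>"}}
    app = {"image": DPG_IMAGE + ":appserver", "name": "appserver"}  # sample application server (assumed)
    return ({"spec": {"template": {"spec": {"containers": [app, dpg]}}}}, configmap, secret,
            {"spec": {"ports": [{"port": 8990}]}})
```

On a real chart, load the output of helm template with a YAML parser and pass the Deployment, ConfigMap, Secret and Service objects to check_dpg_sidecar.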
As soon as the DPG container comes up, it will attempt to get all associated policies and configurations from the CipherTrust Manager. If you have not created any, DPG will pass requests and responses to the application without processing them. Refer to Application Protection Administrator Guide of the CipherTrust Manager for details on how to create appropriate policies and configuration to start protecting data.
Once your Protection Policies are created, DPG will retrieve any changes available and start processing data.