Deploy DPG in Kubernetes Environment (without Helm Chart)
This section describes the steps involved in deploying DPG as a sidecar inline with your application container in a Kubernetes pod.
Prerequisites
This deployment scenario assumes that:
A Kubernetes environment is deployed and working.
A minimum supported Docker version is installed. For DPG, the minimum supported version is 20.10.0.
The application to be protected is currently deployed on one or more Kubernetes pods. If you are using Helm Charts to deploy, refer to Quick Start.
CipherTrust Manager is up and running. Refer to CipherTrust Manager Deployment for details.
DPG Image Repository
The ciphertrust-data-protection-gateway repository contains the following images for DPG 1.3.0:
DPG (with 1.3.0 tag): thalesciphertrust/ciphertrust-data-protection-gateway:1.3.0
DPG (with latest tag): thalesciphertrust/ciphertrust-data-protection-gateway:latest
The image path with the latest tag always points to the latest release.
Sample Application Server (with appserver tag): thalesciphertrust/ciphertrust-data-protection-gateway:appserver
Steps to Deploy DPG as Sidecar
Note
It is not recommended to run the DPG container in privileged mode.
On CipherTrust Manager, define an Application and generate a registration token. Keep this registration token for a future step. Refer to Application Protection Administrator Guide for details.
Add the DPG container to your Kubernetes pod.
Add the following containers entry to your deployment file (for example, deployment.yaml in this document):

```yaml
spec:
  containers:
  - image: thalesciphertrust/ciphertrust-data-protection-gateway:latest
    imagePullPolicy: IfNotPresent
    name: dpg-container
    readinessProbe:
      httpGet:
        path: /healthz
        port: 8990
        scheme: HTTP
      initialDelaySeconds: 10
      periodSeconds: 5
    livenessProbe:
      httpGet:
        path: /liveness
        port: 8990
        scheme: HTTP
      initialDelaySeconds: 10
      periodSeconds: 10
```
Update the deployment with the following lines under env in the deployment.yaml:

```yaml
env:
- name: KMS
  valueFrom:
    configMapKeyRef:
      name: <configmap-name>
      key: KMS
- name: CERT_VALUE
  valueFrom:
    secretKeyRef:
      name: <secret-name>
      key: server.crt
- name: KEY_PATH
  valueFrom:
    secretKeyRef:
      name: <secret-name>
      key: server.key
- name: TLS_ENABLED
  valueFrom:
    configMapKeyRef:
      name: <configmap-name>
      key: TLS_ENABLED
- name: REG_TOKEN
  valueFrom:
    configMapKeyRef:
      name: <configmap-name>
      key: REG_TOKEN
- name: DESTINATION_URL
  valueFrom:
    configMapKeyRef:
      name: <configmap-name>
      key: DESTINATION_URL
```
Refer to the DPG environment variables documentation for a description of each variable.
Add the following lines to the data section of the kind: ConfigMap object in the deployment.yaml file. ConfigMap values must be strings, so TLS_ENABLED is quoted:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: <configmap-name>
data:
  TLS_ENABLED: "false"
  KMS: <ip of kms>
  REG_TOKEN: <reg_token>
  DESTINATION_URL: http://localhost:8081
```
Add the following lines to the data section of the kind: Secret object in the deployment.yaml file. This step is only needed when TLS_ENABLED is set to true. Kubernetes expects values under data to be base64-encoded:

```yaml
data:
  server.crt: <tls-certificate>
  server.key: <tls-key>
```
Start the Kubernetes deployment as shown below:

```shell
kubectl apply -f <filename> -n <namespace>
```
This step updates your existing deployment, and DPG comes up as a sidecar alongside your application. DPG fetches all associated policies and configurations from the CipherTrust Manager. If a policy or configuration changes, DPG picks up the update from the CipherTrust Manager through its heartbeat mechanism. When revealing data, DPG reads the access policy and returns the output in the reveal format set in that policy.
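As an added example (not part of the Thales documentation or the DPG product), the following Python lint applies this page's own requirements to the pieces assembled in the steps above: the sidecar is not privileged, ConfigMap values are strings, Secret values are base64-encoded, and every configMapKeyRef/secretKeyRef resolves. The manifests are constructed sample dicts in which assumed names such as dpg-config and dpg-tls stand in for the page's placeholders, with deliberate defects so the checks have something to find.

```python
import base64
import binascii

# Constructed sample objects mirroring the steps above (not a Thales manifest);
# placeholders are filled with sample values so the checks run offline.
CONFIGMAP = {"kind": "ConfigMap", "metadata": {"name": "dpg-config"},
             "data": {"TLS_ENABLED": False,  # defect: YAML bool, not a string
                      "KMS": "10.0.0.5", "REG_TOKEN": "sample-token",
                      "DESTINATION_URL": "http://localhost:8081"}}
SECRET = {"kind": "Secret", "metadata": {"name": "dpg-tls"},
          "data": {"server.crt": base64.b64encode(b"sample-cert-pem").decode(),
                   "server.key": "raw pem text"}}  # defect: not base64-encoded
DPG_CONTAINER = {
    "name": "dpg-container",
    "image": "thalesciphertrust/ciphertrust-data-protection-gateway:latest",
    "securityContext": {"privileged": True},  # defect: the Note above advises against this
    "env": [
        {"name": "KMS", "valueFrom": {"configMapKeyRef": {"name": "dpg-config", "key": "KMS"}}},
        {"name": "CERT_VALUE", "valueFrom": {"secretKeyRef": {"name": "dpg-tls", "key": "server.crt"}}},
        {"name": "KEY_PATH", "valueFrom": {"secretKeyRef": {"name": "dpg-tls-old", "key": "server.key"}}},  # defect: dangling ref
    ]}

def is_base64(value):
    """Strict base64 check, as Kubernetes requires for values under a Secret's 'data'."""
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError, TypeError):
        return False

def lint_dpg_sidecar(container, configmaps, secrets):
    """Return findings that would make the DPG sidecar deployment fail or weaken it."""
    findings = []
    if container.get("securityContext", {}).get("privileged"):
        findings.append(f"{container['name']}: runs privileged")
    for cm in configmaps:  # ConfigMap data values must be strings
        for k, v in cm["data"].items():
            if not isinstance(v, str):
                findings.append(f"ConfigMap {cm['metadata']['name']}/{k}: quote the value")
    for sec in secrets:  # Secret data values must be base64
        for k, v in sec["data"].items():
            if not isinstance(v, str) or not is_base64(v):
                findings.append(f"Secret {sec['metadata']['name']}/{k}: not base64")
    refs = {"configMapKeyRef": {c["metadata"]["name"]: c["data"] for c in configmaps},
            "secretKeyRef": {s["metadata"]["name"]: s["data"] for s in secrets}}
    for env in container.get("env", []):  # every valueFrom must resolve
        for kind, ref in env.get("valueFrom", {}).items():
            if ref["key"] not in refs.get(kind, {}).get(ref["name"], {}):
                findings.append(f"env {env['name']}: unresolved {kind} {ref['name']}/{ref['key']}")
    return findings
```

Run the lint against the real deployment.yaml (after loading it into dicts) before kubectl apply; an empty result means the objects reference each other consistently and the sidecar meets the constraints stated on this page.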