Quick Start
This article covers the steps involved in deploying DPG as a sidecar with your application that is deployed to a Kubernetes pod using a Helm Chart. Refer to Alternative Deployment Methods for other methods of deploying DPG.
Prerequisites
This Quick Start deployment scenario assumes that:
A Kubernetes environment is deployed and working.
A supported Docker version is installed. For DPG, the minimum supported version is 20.10.0.
The Application to be protected is currently deployed using a Helm Chart on one or many Kubernetes pods.
CipherTrust Manager is up and running. Refer to CipherTrust Manager Deployment for details.
DPG Image Repository
The ciphertrust-data-protection-gateway repository contains the following images for DPG 1.3.0:
DPG (with 1.3.0 tag): thalesciphertrust/ciphertrust-data-protection-gateway:1.3.0
DPG (with latest tag): thalesciphertrust/ciphertrust-data-protection-gateway:latest
The image path with the latest tag always points to the latest release.
Sample Application Server (with appserver tag): thalesciphertrust/ciphertrust-data-protection-gateway:appserver
Steps to Deploy DPG within your K8s Pod
From CipherTrust Manager, create an Application and generate a registration token. You can keep the configuration simple and you do not have to define an endpoint at this time. Keep this registration token for a future step. Refer to Application Protection Administrator Guide of the CipherTrust Manager for details.
Add the DPG container to your Helm Chart.
Add the following containers entry to your deployment file (for example, deployment.yaml in this document) in the template folder of the Helm package configuration. The entry sits alongside your existing application container in the same pod:

```yaml
spec:
  containers:
    - image: {{.Values.deployment.dpgimage}}
      name: {{.Values.deployment.dpgimagename}}
      readinessProbe:
        httpGet:
          path: /healthz
          port: 8990
          scheme: HTTP
        initialDelaySeconds: 10
        periodSeconds: 5
      livenessProbe:
        httpGet:
          path: /liveness
          port: 8990
          scheme: HTTP
        initialDelaySeconds: 10
        periodSeconds: 10
```
Update the deployment with the lines below under env in the deployment.yaml file:

```yaml
env:
  - name: KMS
    valueFrom:
      configMapKeyRef:
        name: {{.Values.configuration.configmapname}}
        key: KMS
  - name: CERT_VALUE
    valueFrom:
      secretKeyRef:
        name: {{.Values.configuration.secretname}}
        key: server.crt
  - name: KEY_VALUE
    valueFrom:
      secretKeyRef:
        name: {{.Values.configuration.secretname}}
        key: server.key
  - name: TLS_ENABLED
    valueFrom:
      configMapKeyRef:
        name: {{.Values.configuration.configmapname}}
        key: TLS_ENABLED
  - name: REG_TOKEN
    valueFrom:
      configMapKeyRef:
        name: {{.Values.configuration.configmapname}}
        key: REG_TOKEN
  - name: DESTINATION_URL
    valueFrom:
      configMapKeyRef:
        name: {{.Values.configuration.configmapname}}
        key: DESTINATION_URL
```

Refer to the DPG environment variables reference for details on each variable.
Add the lines below to the data section of kind: ConfigMap in the deployment.yaml file:

```yaml
data:
  TLS_ENABLED: {{.Values.configuration.tlsenabled | quote}}
  KMS: {{.Values.configuration.kms}}
  REG_TOKEN: {{.Values.configuration.reg_token}}
  DESTINATION_URL: {{.Values.configuration.appurl}}
```

The quote function is applied to tlsenabled because ConfigMap values must be strings; a bare true or false would be rejected by the API server.
Add the lines below to the data section of kind: Secret in the deployment.yaml file. This step is only needed when tlsenabled is set to true.

```yaml
data:
  server.crt: {{.Values.configuration.servercrt}}
  server.key: {{.Values.configuration.serverkey}}
```

Values under data in a Secret must be base64-encoded, so supply the PEM certificate and key in that form (or use stringData instead of data if you want to supply them as plain text).
Modify the values.yaml file in your Helm Chart.
Add the lines below to the configuration section of the values.yaml file:

```yaml
configuration:
  # used in deployment file and configuration file
  secretname: <value of secretname>
  configmapname: <value of configmapname>
  tlsenabled: false
  kms: <kms>
  appurl: http(s)://localhost:<applicationserverPort>
  reg_token: <value of reg_token>
  servercrt: <certificate for TLS communication>
  serverkey: <key for TLS communication>
```
Here,
- secretname: Name of the secret used in your deployment.
- configmapname: Name of the configmap used in your deployment.
- tlsenabled: Flag to configure DPG as a TLS Terminator (to listen over TLS). For more details, refer to Enable TLS between Client and DPG.
- kms: IP address/Hostname of the CipherTrust Manager.
- appurl: URL of the Application Server.
- applicationserverPort: Port on which the Application Server is up and running.
- reg_token: Registration token used to register a DPG client on the CipherTrust Manager.
Add the lines below to the deployment section of the values.yaml file:

```yaml
dpgimagename: <dpg-container>
dpgimage: thalesciphertrust/ciphertrust-data-protection-gateway:latest
```
Here, dpgimagename is a unique identifier for the DPG container in a pod.
Change the values of application ports in values.yaml to the port of the DPG application, as shown below, so that traffic reaching the Service is handled by DPG before it is forwarded to the application:

```yaml
service:
  port: 8990
```
By default, DPG comes up on port 8990. However, you can change the default port using the DPG_PORT environment variable; if you do, update the probe ports and the service port to match.
Deploy the new version of the Helm Chart as shown below:

```shell
helm upgrade <helm-chart-name> <path-of-helm-chart> -n <namespace>
```

This step upgrades your existing deployment in place.
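As an added check that is not part of the Thales guide, the Python below takes a Deployment in the JSON shape that kubectl get deployment <name> -o json returns and reports where the DPG sidecar deviates from the wiring above: probe paths and port (honouring a literal DPG_PORT), the required environment variables, Secret-sourced TLS material, and a Service port that matches DPG. The embedded sample manifest, the ConfigMap/Secret names dpg-config and dpg-secret, and the application image are constructed assumptions.

```python
import json

DPG_IMAGE = "thalesciphertrust/ciphertrust-data-protection-gateway"
DEFAULT_PORT = 8990  # DPG listens here unless DPG_PORT overrides it
REQUIRED_ENV = ("KMS", "REG_TOKEN", "DESTINATION_URL", "TLS_ENABLED")

def env_source(entry):
    # How an env entry is populated: 'value', 'configMapKeyRef', 'secretKeyRef' or 'unknown'
    if "value" in entry:
        return "value"
    return next(iter(entry.get("valueFrom", {})), "unknown")

def check_dpg_sidecar(deployment, service_port):
    """Compare a Deployment dict (shape of 'kubectl get deploy -o json') with the Quick Start
    wiring. Returns a list of findings; an empty list means the sidecar matches the guide."""
    containers = deployment["spec"]["template"]["spec"]["containers"]
    dpg = [c for c in containers if c.get("image", "").rsplit(":", 1)[0] == DPG_IMAGE]
    if not dpg:
        return ["no DPG container in the pod template"]
    findings = []
    env = {e["name"]: e for e in dpg[0].get("env", [])}
    port = int(env["DPG_PORT"]["value"]) if "value" in env.get("DPG_PORT", {}) else DEFAULT_PORT
    # Both probes must hit DPG's own endpoints on the port it actually listens on
    for probe, path in (("readinessProbe", "/healthz"), ("livenessProbe", "/liveness")):
        http = dpg[0].get(probe, {}).get("httpGet", {})
        if http.get("path") != path or http.get("port") != port:
            findings.append(f"{probe} must GET {path} on port {port}")
    findings += [f"missing env {n}" for n in REQUIRED_ENV if n not in env]
    # Key material for TLS termination belongs in a Secret, never in a ConfigMap or a literal
    for name in ("CERT_VALUE", "KEY_VALUE"):
        if name in env and env_source(env[name]) != "secretKeyRef":
            findings.append(f"{name} comes from {env_source(env[name])}; use a secretKeyRef")
    if "REG_TOKEN" in env and env_source(env["REG_TOKEN"]) != "secretKeyRef":
        findings.append(f"hardening: REG_TOKEN is a credential; it comes from {env_source(env['REG_TOKEN'])}, prefer a secretKeyRef")
    if service_port != port:
        findings.append(f"Service port {service_port} does not match the DPG port {port}")
    return findings

# Constructed sample of a rendered Deployment that follows the Quick Start (not a real cluster dump)
SAMPLE = json.loads("""{"spec": {"template": {"spec": {"containers": [
 {"name": "app", "image": "example/app:1.0"},
 {"name": "dpg-container", "image": "thalesciphertrust/ciphertrust-data-protection-gateway:1.3.0",
  "readinessProbe": {"httpGet": {"path": "/healthz", "port": 8990}}, "livenessProbe": {"httpGet": {"path": "/liveness", "port": 8990}},
  "env": [
   {"name": "KMS", "valueFrom": {"configMapKeyRef": {"name": "dpg-config", "key": "KMS"}}},
   {"name": "TLS_ENABLED", "valueFrom": {"configMapKeyRef": {"name": "dpg-config", "key": "TLS_ENABLED"}}},
   {"name": "REG_TOKEN", "valueFrom": {"configMapKeyRef": {"name": "dpg-config", "key": "REG_TOKEN"}}},
   {"name": "DESTINATION_URL", "valueFrom": {"configMapKeyRef": {"name": "dpg-config", "key": "DESTINATION_URL"}}},
   {"name": "CERT_VALUE", "valueFrom": {"secretKeyRef": {"name": "dpg-secret", "key": "server.crt"}}},
   {"name": "KEY_VALUE", "valueFrom": {"secretKeyRef": {"name": "dpg-secret", "key": "server.key"}}}]}]}}}}""")
```

Run it against the live object with `check_dpg_sidecar(json.load(open("deploy.json")), 8990)` after `kubectl get deployment <name> -n <namespace> -o json > deploy.json`; the sample above yields only the REG_TOKEN hardening note.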
As soon as the DPG container comes up, it will attempt to get all associated policies and configurations from the CipherTrust Manager. If you have not created any, DPG will pass requests and responses to the application without processing them. Refer to Application Protection Administrator Guide of the CipherTrust Manager for details on how to create appropriate policies and configuration to start protecting data.
After you have configured Protection and Access Policies, DPG retrieves any changes available and starts processing data. DPG uses a heartbeat - a lightweight mechanism to poll the CipherTrust Manager for the changes. When revealing the data, DPG uses the Access Policy and displays the output based on the reveal format set in the policy.