Quick Start

This article covers deploying DPG as a sidecar container alongside an application that is already deployed to a Kubernetes pod with a Helm Chart. Refer to Alternative Deployment Methods for other ways of deploying DPG.

Prerequisites

This Quick Start deployment scenario assumes that:

  • A Kubernetes environment is deployed and working.

  • Docker 20.10.0 or later is installed (20.10.0 is the minimum version supported by DPG).

  • The Application to be protected is currently deployed using a Helm Chart on one or many Kubernetes pods.

  • CipherTrust Manager is up and running. Refer to CipherTrust Manager Deployment for details.

DPG Image Repository

The ciphertrust-data-protection-gateway repository contains the following images for DPG 1.1.0:

  • DPG (with 1.1.0 tag): thalesciphertrust/ciphertrust-data-protection-gateway:1.1.0

  • DPG (with latest tag): thalesciphertrust/ciphertrust-data-protection-gateway:latest

    The image path with the latest tag always points to the latest release. For production rollouts, pin a specific version tag (or the image digest) in values.yaml rather than latest, so that a later helm upgrade never silently pulls a different DPG build than the one you tested.

  • Sample Application Server (with appserver tag): thalesciphertrust/ciphertrust-data-protection-gateway:appserver

Steps to Deploy DPG within your K8s Pod

  1. From CipherTrust Manager, create an Application and generate a registration token. You can keep the configuration simple and you do not have to define an endpoint at this time. Keep this registration token for a future step. Refer to Application Protection Administrator Guide of the CipherTrust Manager for details.

  2. Add the DPG container to your Helm Chart.

    • Add the DPG container to the containers list of your deployment template (for example, deployment.yaml in the templates folder of the Helm chart). The readiness and liveness probes use the health endpoints DPG exposes on its listening port:

      spec:
        containers:
          - image: {{.Values.deployment.dpgimage}}
            name: {{.Values.deployment.dpgimagename}}
            readinessProbe:
              httpGet:
                path: /healthz
                port: 8990
                scheme: HTTP
              initialDelaySeconds: 10
              periodSeconds: 5
            livenessProbe:
              httpGet:
                path: /liveness
                port: 8990
                scheme: HTTP
              initialDelaySeconds: 10
              periodSeconds: 10

    • Update the deployment with the lines below under env for the DPG container in the deployment.yaml file:

      env:
        - name: KMS
          valueFrom:
            configMapKeyRef:
              name: {{.Values.configuration.configmapname}}
              key: KMS
        - name: CERT_PATH
          valueFrom:
            secretKeyRef:
              name: {{.Values.configuration.secretname}}
              key: server.crt
        - name: KEY_PATH
          valueFrom:
            secretKeyRef:
              name: {{.Values.configuration.secretname}}
              key: server.key
        - name: TLS_ENABLED
          valueFrom:
            configMapKeyRef:
              name: {{.Values.configuration.configmapname}}
              key: TLS_ENABLED
        - name: REG_TOKEN
          valueFrom:
            configMapKeyRef:
              name: {{.Values.configuration.configmapname}}
              key: REG_TOKEN
        - name: DESTINATION_URL
          valueFrom:
            configMapKeyRef:
              name: {{.Values.configuration.configmapname}}
              key: DESTINATION_URL

      The KEY_PATH and CERT_PATH variables are required only if TLS_ENABLED is true. Note that the registration token is a credential: this layout reads REG_TOKEN from the ConfigMap, which is ordinary plain-text configuration, so if you want the token to fall under the tighter RBAC and at-rest handling your cluster applies to Secrets, store it in the Secret instead and read it with a secretKeyRef, exactly as server.crt and server.key are read above.

    • Add the below lines to the data section of kind: ConfigMap in the deployment.yaml file. The quote function is needed on TLS_ENABLED because ConfigMap values must be strings, while tlsenabled is a YAML boolean in values.yaml:

      data:
        TLS_ENABLED: {{.Values.configuration.tlsenabled | quote}}
        KMS: {{.Values.configuration.kms}}
        REG_TOKEN: {{.Values.configuration.reg_token}}
        DESTINATION_URL: {{.Values.configuration.appurl}}

    • Add the below lines to the data section of kind: Secret in the deployment.yaml file. This step is only needed when tlsenabled is set to true. Kubernetes requires values under data to be base64-encoded, so either supply the certificate and key as base64 strings in values.yaml or render them through Helm's b64enc template function (alternatively, use stringData, which accepts the PEM text as-is):

      data:
        server.crt: {{.Values.configuration.servercrt}}
        server.key: {{.Values.configuration.serverkey}}

  3. Modify the values.yaml file in your Helm Chart.

    • Add below lines to the configuration section of the values.yaml file (the keys are nested under configuration, which is how the templates above reference them):

      configuration:
        # used in deployment file and configuration file
        secretname: <value of secretname>
        configmapname: <value of configmapname>
        tlsenabled: false
        kms: <kms>
        appurl: http(s)://localhost:<applicationserverPort>
        reg_token: <value of reg_token>
        servercrt: <certificate for TLS communication>
        serverkey: <key for TLS communication>


      Here,

      • secretname: Name of the secret used in your deployment.

      • configmapname: Name of the configmap used in your deployment.

      • tlsenabled: Flag to configure DPG as a TLS Terminator (to listen over TLS). For more details, refer to Enable TLS between Client and DPG.

      • kms: IP address/Hostname of the CipherTrust Manager.

      • appurl: URL of the Application Server. Because the sidecar shares the pod's network namespace with the application container, localhost here resolves to the application inside the same pod, and DPG-to-application traffic never leaves the pod.

      • applicationserverPort: Port on which the Application Server is up and running.

      • reg_token: Registration token used to register a DPG client on the CipherTrust Manager.

    • Add below lines to the deployment section of the values.yaml file:

      deployment:
        dpgimagename: <dpg-container>
        dpgimage: thalesciphertrust/ciphertrust-data-protection-gateway:latest

      Here, dpgimagename is a unique identifier for the DPG container in a pod.

    • Change the values of application ports in values.yaml to the port of the DPG application, as shown below, so that the Service sends traffic to DPG, which then forwards it to the application:

      service:
        port: 8990

      By default, DPG listens on 8990. You can change the port with the environment variable DPG_PORT; if you do, update the readiness and liveness probe ports and the Service port to match.

  4. Deploy the new version of the Helm Chart as shown below:

    helm upgrade <helm-chart-name> <path-of-helm-chart> -n <namespace>


    This step will upgrade your existing deployment.
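The following script ties steps 2 to 4 together. It is an added example, not code from the Thales page or from the DPG product: it writes a values overlay containing the DPG settings the chart fragments above consume, base64-encodes the TLS material because Secret data values must be base64, runs a few pre-flight checks (registration token present, TLS values present and decodable when tlsenabled is true), wraps the helm upgrade, and probes the /healthz and /liveness endpoints afterwards. The names dpg-tls, dpg-config, dpg-container, the overlay path, the assumption that the Deployment carries the release name, and the port-forward check are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the Thales DPG page): build a values overlay for
# the DPG sidecar, check it, and drive `helm upgrade`. Names and paths below
# are assumptions, not values the page prescribes.
set -eu

# Base64-encode a PEM file as a single line, the form a Secret `data` value requires.
b64_file() {
  base64 < "$1" | tr -d '\n'
}

# Write a values overlay for the DPG sidecar (pass it to helm with -f).
#   $1 output path        $2 CipherTrust Manager host/IP   $3 registration token
#   $4 application URL    $5 tlsenabled (true|false)
#   $6 server cert PEM, $7 server key PEM (only read when $5 is true)
write_dpg_values() {
  out=$1 kms=$2 token=$3 appurl=$4 tls=$5 crt_b64="" key_b64=""
  if [ "$tls" = "true" ]; then
    crt_b64=$(b64_file "$6")
    key_b64=$(b64_file "$7")
  fi
  cat > "$out" <<EOF
configuration:
  # used in deployment file and configuration file
  secretname: dpg-tls
  configmapname: dpg-config
  tlsenabled: $tls
  kms: $kms
  appurl: $appurl
  reg_token: $token
  servercrt: $crt_b64
  serverkey: $key_b64
deployment:
  dpgimagename: dpg-container
  # pinned tag rather than :latest so that a rollout is reproducible
  dpgimage: thalesciphertrust/ciphertrust-data-protection-gateway:1.1.0
service:
  port: 8990
EOF
}

# Read one scalar under `configuration:` (two-space indent) from a values file.
values_get() {
  sed -n "s/^  $2:[ ]*//p" "$1"
}

# Pre-flight checks before `helm upgrade`: reg_token must be present, and when
# tlsenabled is true both TLS values must be present and valid base64.
# Returns 1 with a message on stderr at the first failure.
check_dpg_values() {
  f=$1
  [ -n "$(values_get "$f" reg_token)" ] || { echo "reg_token is empty" >&2; return 1; }
  if [ "$(values_get "$f" tlsenabled)" = "true" ]; then
    for k in servercrt serverkey; do
      v=$(values_get "$f" "$k")
      [ -n "$v" ] || { echo "$k is required when tlsenabled is true" >&2; return 1; }
      printf '%s' "$v" | base64 -d > /dev/null 2>&1 || { echo "$k is not valid base64" >&2; return 1; }
    done
  fi
}

# Step 4 of the page with the overlay applied via -f, then wait for the rollout.
# Assumes the Deployment object carries the release name.
deploy_dpg() {
  release=$1 chart=$2 ns=$3 values=$4
  check_dpg_values "$values"
  helm upgrade "$release" "$chart" -n "$ns" -f "$values"
  kubectl -n "$ns" rollout status "deployment/$release"
}

# Post-deploy check against the probe endpoints used in the deployment template:
# port-forward to the pod and request /healthz and /liveness on 8990.
check_dpg_health() {
  ns=$1 pod=$2
  kubectl -n "$ns" port-forward "pod/$pod" 8990:8990 > /dev/null 2>&1 &
  pf=$!
  sleep 2
  if curl -fsS http://127.0.0.1:8990/healthz > /dev/null && curl -fsS http://127.0.0.1:8990/liveness > /dev/null; then
    rc=0
  else
    rc=1
  fi
  kill "$pf"
  return $rc
}

# Usage (not executed here; requires a cluster, helm, kubectl and curl):
#   write_dpg_values dpg-values.yaml cm.example.internal "$REG_TOKEN" http://localhost:8080 true server.crt server.key
#   deploy_dpg my-release ./mychart my-namespace dpg-values.yaml
#   check_dpg_health my-namespace "$(kubectl -n my-namespace get pod -l app=my-app -o name | head -n1 | cut -d/ -f2)"
```

The overlay keeps the DPG-specific values in one file that can be reviewed separately from the rest of the chart; with tlsenabled false the cert and key entries are written empty, which the page's Secret template tolerates because that Secret is only needed when TLS is on.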

As soon as the DPG container comes up, it will attempt to get all associated policies and configurations from the CipherTrust Manager. If you have not created any, DPG will pass requests and responses to the application without processing them. Refer to Application Protection Administrator Guide of the CipherTrust Manager for details on how to create appropriate policies and configuration to start protecting data.

After you have configured Protection and Access Policies, DPG retrieves any changes available and starts processing data. DPG uses a heartbeat - a lightweight mechanism to poll the CipherTrust Manager for the changes. When revealing the data, DPG uses the Access Policy and displays the output based on the reveal format set in the policy.