Deployment
Deploying CipherStash Proxy as a Sidecar to Google Cloud Run
Deploying CipherStash Proxy as a sidecar in Google Cloud Run involves integrating it with another container in the same service. This setup allows both the application and the proxy to share the same network space, simplifying secure communication between them.
Prerequisites
- Google Cloud Account: Ensure you have a Google Cloud account with billing enabled.
- Google Cloud SDK: Install and configure the Google Cloud SDK (
gcloud
). - Docker: If you're customizing images or working locally before pushing to Google Container Registry (GCR), ensure Docker is installed.
- CipherStash Proxy Configuration: Review and prepare the necessary configurations for CipherStash Proxy.
Step-by-Step Guide
1. Create or Update a Cloud Run Service
To deploy your application with the CipherStash Proxy as a sidecar, define a service in Cloud Run by creating a YAML file (cloudrun-service.yaml
) similar to the following:
1apiVersion: serving.knative.dev/v1
2kind: Service
3metadata:
4 name: your-service-name
5spec:
6 template:
7 spec:
8 containers:
9 - name: main-app
10 image: gcr.io/your-project-id/your-app-image:tag
11 ports:
12 - name: http1
13 containerPort: 8080
14 env:
15 - name: APP_CONFIG
16 value: 'example-config'
17 resources:
18 limits:
19 cpu: 1000m
20 memory: 512Mi
21
22 - name: cipherstash-proxy
23 image: gcr.io/your-project-id/cipherstash-proxy:latest
24 env:
25 - name: CS_DATABASE__NAME
26 value: 'your-database-name'
27 - name: CS_DATABASE__USERNAME
28 value: 'database-user'
29 - name: CS_DATABASE__PORT
30 value: '5432' # Adjust the port as needed
31 - name: CS_DATABASE__HOST
32 value: '127.0.0.1'
33 - name: CS_DATABASE__PASSWORD
34 value: 'your-password'
35 resources:
36 limits:
37 cpu: 1000m
38 memory: 512Mi
39
40 traffic:
41 - percent: 100
42 latestRevision: true
GCP Managed Databases
If you're using a managed database service like Cloud SQL, GCP provides another sidecar container that provides a secure connection to the database. You will want to use this sidecar container as the upstream database for the CipherStash Proxy.
2. Deploy the Service to Cloud Run
Deploy your service to Cloud Run using the following command or the Google Cloud Console:
1gcloud run services replace cloudrun-service.yaml
This command will update or create a new service based on the YAML configuration.
3. Update the Application Configuration
Update your application configuration to use the CipherStash Proxy as the database connection. The application should connect to the proxy on the port specified in the configuration, the default being 6432
.
Redeploy the application with the updated configuration to ensure it connects to the proxy.
4. Verify Deployment
After deployment, verify that the service is running correctly:
1gcloud run services describe your-service-name
This command provides details about the service, including the URL, status, and traffic distribution.
Cloud SQL
If you're using Cloud SQL as your PostgreSQL database, you will need to enable a Private IP connection to the database, as CipherStash Proxy currently does not support Unix socket connections which is the default behavior for Cloud Run services to connect to Cloud SQL.
To enable a Private IP connection, follow these steps:
Cloud SQL Configuration
- Create a Cloud SQL Instance: Create a new Cloud SQL instance or use an existing one.
- Enable Private IP: Under Connections, Networking, and Private IP, enable the Private IP connection. You may need to create a new VPC network or use an existing one.
- Copy the Private IP Address: Copy the Private IP address of the Cloud SQL instance, under Connections, Summary. This will be labeled as the "Internal IP address".
Cloud Run Configuration
- Create or edit Cloud Run Service: Create a new Cloud Run service or use an existing one.
- Enable VPC for outbound traffic: Under the Networking tab, select "Connect to a VPC for outbound traffic " and choose the VPC network where the Cloud SQL instance is located. Ensure you also select "Route only requests to private IPs to the VPC" which will route only traffic to the Cloud SQL instance through the VPC.
- Update the Proxy Configuration: Update the
CS_DATABASE__HOST
environment variable in the proxy configuration to use the Private IP address of the Cloud SQL instance (this will be an internal IP address, e.g.10.x.x.x
). - Deploy the Service: Deploy the service to Cloud Run.
Notes and Considerations
- Security: Manage sensitive configuration values (like database passwords) securely using Google Cloud Secret Manager and reference them in your environment variables.
- Networking: Configure VPC connections if your application needs to access other Google Cloud resources within a private network.
- Monitoring: Utilize Google Cloud's operations suite to monitor and manage the health and performance of your application and the CipherStash Proxy.
This guide provides a framework for deploying a multi-container setup in Google Cloud Run, leveraging the scalability and management features of the platform while ensuring that the CipherStash Proxy runs seamlessly as a sidecar to your main application.