Deploying CipherStash Proxy as a Sidecar to Google Cloud Run

Deploying CipherStash Proxy as a sidecar in Google Cloud Run involves integrating it with another container in the same service. This setup allows both the application and the proxy to share the same network space, simplifying secure communication between them.


  • Google Cloud Account: Ensure you have a Google Cloud account with billing enabled.
  • Google Cloud SDK: Install and configure the Google Cloud SDK (gcloud).
  • Docker: If you're customizing images or working locally before pushing to Google Container Registry (GCR), ensure Docker is installed.
  • CipherStash Proxy Configuration: Review and prepare the necessary configurations for CipherStash Proxy.

Step-by-Step Guide

1. Create or Update a Cloud Run Service

To deploy your application with the CipherStash Proxy as a sidecar, define a service in Cloud Run by creating a YAML file (cloudrun-service.yaml) similar to the following:

2kind: Service
4  name: your-service-name
6  template:
7    spec:
8      containers:
9        - name: main-app
10          image:
11          ports:
12            - name: http1
13              containerPort: 8080
14          env:
15            - name: APP_CONFIG
16              value: "example-config"
17          resources:
18            limits:
19              cpu: 1000m
20              memory: 512Mi
22        - name: cipherstash-proxy
23          image:
24          env:
25            - name: CS_DATABASE__NAME
26              value: "your-database-name"
27            - name: CS_DATABASE__USERNAME
28              value: "database-user"
29            - name: CS_DATABASE__PORT
30              value: "5432" # Adjust the port as needed
31            - name: CS_DATABASE__HOST
32              value: ""
33            - name: CS_DATABASE__PASSWORD
34              value: "your-password"
35          resources:
36            limits:
37              cpu: 1000m
38              memory: 512Mi
40  traffic:
41    - percent: 100
42      latestRevision: true

GCP Managed Databases

If you're using a managed database service like Cloud SQL, GCP provides another sidecar container that provides a secure connection to the database. You will want to use this sidecar container as the upstream database for the CipherStash Proxy.

2. Deploy the Service to Cloud Run

Deploy your service to Cloud Run using the following command or the Google Cloud Console:

1gcloud run services replace cloudrun-service.yaml

This command will update or create a new service based on the YAML configuration.

3. Update the Application Configuration

Update your application configuration to use the CipherStash Proxy as the database connection. The application should connect to the proxy on the port specified in the configuration, the default being 6432.

Redeploy the application with the updated configuration to ensure it connects to the proxy.

4. Verify Deployment

After deployment, verify that the service is running correctly:

1gcloud run services describe your-service-name

This command provides details about the service, including the URL, status, and traffic distribution.

Cloud SQL

If you're using Cloud SQL as your PostgreSQL database, you will need to enable a Private IP connection to the database, as CipherStash Proxy currently does not support Unix socket connections which is the default behavior for Cloud Run services to connect to Cloud SQL.

To enable a Private IP connection, follow these steps:

Cloud SQL Configuration

  1. Create a Cloud SQL Instance: Create a new Cloud SQL instance or use an existing one.
  2. Enable Private IP: Under Connections, Networking, and Private IP, enable the Private IP connection. You may need to create a new VPC network or use an existing one.
  3. Copy the Private IP Address: Copy the Private IP address of the Cloud SQL instance, under Connections, Summary. This will be labeled as the "Internal IP address".

Cloud Run Configuration

  1. Create or edit Cloud Run Service: Create a new Cloud Run service or use an existing one.
  2. Enable VPC for outbound traffic: Under the Networking tab, select "Connect to a VPC for outbound traffic " and choose the VPC network where the Cloud SQL instance is located. Ensure you also select "Route only requests to private IPs to the VPC" which will route only traffic to the Cloud SQL instance through the VPC.
  3. Update the Proxy Configuration: Update the CS_DATABASE__HOST environment variable in the proxy configuration to use the Private IP address of the Cloud SQL instance (this will be an internal IP address, e.g. 10.x.x.x).
  4. Deploy the Service: Deploy the service to Cloud Run.

Notes and Considerations

  • Security: Manage sensitive configuration values (like database passwords) securely using Google Cloud Secret Manager and reference them in your environment variables.
  • Networking: Configure VPC connections if your application needs to access other Google Cloud resources within a private network.
  • Monitoring: Utilize Google Cloud's operations suite to monitor and manage the health and performance of your application and the CipherStash Proxy.

This guide provides a framework for deploying a multi-container setup in Google Cloud Run, leveraging the scalability and management features of the platform while ensuring that the CipherStash Proxy runs seamlessly as a sidecar to your main application.