Deployment

Deploying CipherStash Proxy to Kubernetes

To deploy CipherStash Proxy to a Kubernetes (K8s) cluster, you can either create a separate Kubernetes Deployment or add CipherStash Proxy as a sidecar to your application's Deployment.

Deploying as a Kubernetes Deployment

To deploy CipherStash Proxy as a separate Kubernetes Deployment, you'll need to create a Deployment and a ConfigMap. Here's a step-by-step guide to get you started:

Deployment prerequisites

  • Kubernetes cluster: Make sure you have access to a Kubernetes cluster. If you don't have one, you can set one up using Minikube or a cloud provider like AWS, GCP, or Azure.
  • Kubectl: Install and configure kubectl, the command-line tool for Kubernetes, to interact with your cluster.
  • CipherStash Proxy configuration: Refer to Proxy configuration for details on how to configure CipherStash Proxy.

Deployment step-by-step guide

1. Deployment: Prepare the configuration file

2. Deployment: create a ConfigMap

  • Store your cipherstash-proxy.toml in a Kubernetes ConfigMap. Save the following in a file named cipherstash-proxy.yaml:

    1apiVersion: v1
    2kind: ConfigMap
    3metadata:
    4  name: cipherstash-proxy-config
    5data:
    6  cipherstash-proxy.toml: |
    7    username = "postgres"
    8    password = "password"
    9
    10    workspace_id = "12345678-1234-1234-1234-123456789012"
    11    client_access_key = "12345678-1234-1234-1234-123456789012"
    12
    13    [database]
    14    name = "stash"

    Note

    Use environment variables for sensitive information like access keys, client keys, and database credentials. The example above is for demonstration purposes only.

  • Apply the ConfigMap to your cluster:

    1kubectl apply -f cipherstash-proxy.yaml

3. Deployment: Create a Kubernetes Deployment

  • Create a Deployment file cipherstash-proxy-deployment.yaml with the necessary settings:

    1apiVersion: apps/v1
    2kind: Deployment
    3metadata:
    4  name: cipherstash-proxy-deployment
    5spec:
    6  replicas: 1
    7  selector:
    8    matchLabels:
    9      app: cipherstash-proxy
    10  template:
    11    metadata:
    12      labels:
    13        app: cipherstash-proxy
    14    spec:
    15      containers:
    16        - name: cipherstash-proxy
    17          image: cipherstash/cipherstash-proxy:latest
    18          ports:
    19            - containerPort: 6432
    20          volumeMounts:
    21            - name: config-volume
    22              mountPath: /etc/cipherstash-proxy
    23      volumes:
    24        - name: config-volume
    25          configMap:
    26            name: cipherstash-proxy-config
  • Apply the deployment:

    1kubectl apply -f cipherstash-proxy-deployment.yaml

4. Deployment: Expose the service (optional)

  • If you need to expose the CipherStash Proxy service outside your Kubernetes cluster, you can create a Service of type LoadBalancer or NodePort. Here's an example Service definition:

    1apiVersion: v1
    2kind: Service
    3metadata:
    4  name: cipherstash-proxy-service
    5spec:
    6  type: LoadBalancer
    7  ports:
    8    - port: 6432
    9      targetPort: 6432
    10  selector:
    11    app: cipherstash-proxy

5. Deployment: Deploy and verify

  • Deploy the service (if needed) and verify that your deployment is running:

    1kubectl get pods
    2kubectl get services
  • Ensure that the cipherstash-proxy-service is correctly exposed and accessible.

Deploying as a Kubernetes sidecar

To deploy CipherStash Proxy as a sidecar in Kubernetes, run it alongside your main application container within the same pod. This allows both containers to share network space and other resources.

Sidecar prerequisites

  • Kubernetes cluster: Make sure you have access to a Kubernetes cluster.
  • Kubectl: Install and configure kubectl.
  • Main application: You should have a primary application that requires the cipherstash/cipherstash-proxy service.
  • Cipherstash Proxy configuration: Refer to Cipherstash Proxy configuration for details on how to configure the Proxy.

Sidecar step-by-step guide

1. Sidecar: Prepare the configuration file

2. Sidecar: Create a ConfigMap

  • Store your cipherstash-proxy.toml in a Kubernetes ConfigMap. Save the following in a file named cipherstash-proxy.yaml:

    1apiVersion: v1
    2kind: ConfigMap
    3metadata:
    4  name: cipherstash-proxy-config
    5data:
    6  cipherstash-proxy.toml: |
    7    username = "postgres"
    8    password = "password"
    9
    10    workspace_id = "12345678-1234-1234-1234-123456789012"
    11    client_access_key = "12345678-1234-1234-1234-123456789012"
    12
    13    [database]
    14    name = "stash"

    Note

    Use environment variables for sensitive information like access keys, client keys, and database credentials. The example above is for demonstration purposes only.

  • Apply the ConfigMap to your cluster:

    1kubectl apply -f cipherstash-proxy.yaml

3. Sidecar: Create a Kubernetes Deployment with sidecar

  • Modify your application's Deployment manifest to include the cipherstash/cipherstash-proxy container as a sidecar. Here’s an example deployment.yaml:

    1apiVersion: apps/v1
    2kind: Deployment
    3metadata:
    4  name: myapp-deployment
    5spec:
    6  replicas: 1
    7  selector:
    8    matchLabels:
    9      app: myapp
    10  template:
    11    metadata:
    12      labels:
    13        app: myapp
    14    spec:
    15      containers:
    16        - name: myapp
    17          image: myapp-image
    18          ports:
    19            - containerPort: <app-port>
    20          # Additional configurations for your main application
    21
    22        - name: cipherstash-proxy
    23          image: cipherstash/cipherstash-proxy:latest
    24          ports:
    25            - containerPort: 6432
    26          volumeMounts:
    27            - name: config-volume
    28              mountPath: /etc/cipherstash-proxy
    29      volumes:
    30        - name: config-volume
    31          configMap:
    32            name: cipherstash-proxy-config
  • Replace myapp-image and <app-port> with your application's image and port.

4. Sidecar: Apply the deployment

  • Apply the deployment to your Kubernetes cluster:

    1kubectl apply -f deployment.yaml

5. Sidecar: Verify the deployment

  • Verify that both the main application and the cipherstash/cipherstash-proxy sidecar are running:

    1kubectl get pods
  • Check the logs to ensure that both containers are functioning correctly:

    1kubectl logs <pod-name> -c myapp
    2kubectl logs <pod-name> -c cipherstash-proxy

Notes

  • Security: Be cautious with how you handle secrets and sensitive information in Kubernetes.
  • Networking: Make sure that your Kubernetes pods can access the necessary resources, such as your PostgreSQL database.
  • Resource Allocation: Make sure that the pod has enough resources allocated for both the main application and the sidecar container.

This guide provides a basic deployment strategy for the cipherstash/cipherstash-proxy container in a Kubernetes environment. Depending on your specific requirements and cluster configuration, you might need to adjust the deployment settings.

With the CipherStash Proxy in place, you can now use the entire CipherStash product suite to secure your data:

  • CipherStash Audit: Audit your database queries and data access logs
  • CipherStash Encrypt: Encrypt your data at rest and in transit
  • CipherStash Identify: Identify and mask sensitive data in your database (coming soon!)
Previous
Docker