Proxy deployment
Deploying CipherStash Proxy to Kubernetes
To deploy CipherStash Proxy to a Kubernetes (K8s) cluster, you can either create a separate Kubernetes Deployment or add CipherStash Proxy as a sidecar to your application's Deployment.
Deploying as a Kubernetes Deployment
To deploy CipherStash Proxy as a separate Kubernetes Deployment, you'll need to create a Deployment and a ConfigMap. Here's a step-by-step guide to get you started:
Deployment prerequisites
- Kubernetes cluster: Make sure you have access to a Kubernetes cluster. If you don't have one, you can set one up using Minikube or a cloud provider like AWS, GCP, or Azure.
- Kubectl: Install and configure
kubectl
, the command-line tool for Kubernetes, to interact with your cluster. - CipherStash Proxy configuration: Refer to Proxy configuration for details on how to configure CipherStash Proxy.
Deployment step-by-step guide
1. Deployment: Prepare the configuration file
- Refer to Proxy configuration for details on how to configure CipherStash Proxy.
2. Deployment: create a ConfigMap
Store your
cipherstash-proxy.toml
in a Kubernetes ConfigMap. Save the following in a file namedcipherstash-proxy.yaml
:1apiVersion: v1 2kind: ConfigMap 3metadata: 4 name: cipherstash-proxy-config 5data: 6 cipherstash-proxy.toml: | 7 username = "postgres" 8 password = "password" 9 10 workspace_id = "12345678-1234-1234-1234-123456789012" 11 client_access_key = "12345678-1234-1234-1234-123456789012" 12 13 [database] 14 name = "stash"
Note
Use environment variables for sensitive information like access keys, client keys, and database credentials. The example above is for demonstration purposes only.
Apply the ConfigMap to your cluster:
1kubectl apply -f cipherstash-proxy.yaml
3. Deployment: Create a Kubernetes Deployment
Create a Deployment file
cipherstash-proxy-deployment.yaml
with the necessary settings:1apiVersion: apps/v1 2kind: Deployment 3metadata: 4 name: cipherstash-proxy-deployment 5spec: 6 replicas: 1 7 selector: 8 matchLabels: 9 app: cipherstash-proxy 10 template: 11 metadata: 12 labels: 13 app: cipherstash-proxy 14 spec: 15 containers: 16 - name: cipherstash-proxy 17 image: cipherstash/cipherstash-proxy:latest 18 ports: 19 - containerPort: 6432 20 volumeMounts: 21 - name: config-volume 22 mountPath: /etc/cipherstash-proxy 23 volumes: 24 - name: config-volume 25 configMap: 26 name: cipherstash-proxy-config
Apply the deployment:
1kubectl apply -f cipherstash-proxy-deployment.yaml
4. Deployment: Expose the service (optional)
If you need to expose the CipherStash Proxy service outside your Kubernetes cluster, you can create a Service of type LoadBalancer or NodePort. Here's an example Service definition:
1apiVersion: v1 2kind: Service 3metadata: 4 name: cipherstash-proxy-service 5spec: 6 type: LoadBalancer 7 ports: 8 - port: 6432 9 targetPort: 6432 10 selector: 11 app: cipherstash-proxy
5. Deployment: Deploy and verify
Deploy the service (if needed) and verify that your deployment is running:
1kubectl get pods 2kubectl get services
Ensure that the
cipherstash-proxy-service
is correctly exposed and accessible.
Deploying as a Kubernetes sidecar
To deploy CipherStash Proxy as a sidecar in Kubernetes, run it alongside your main application container within the same pod. This allows both containers to share network space and other resources.
Sidecar prerequisites
- Kubernetes cluster: Make sure you have access to a Kubernetes cluster.
- Kubectl: Install and configure
kubectl
. - Main application: You should have a primary application that requires the
cipherstash/cipherstash-proxy
service. - Cipherstash Proxy configuration: Refer to Cipherstash Proxy configuration for details on how to configure the Proxy.
Sidecar step-by-step guide
1. Sidecar: Prepare the configuration file
- Refer to CipherStash Proxy configuration for details on how to configure the Proxy.
2. Sidecar: Create a ConfigMap
Store your
cipherstash-proxy.toml
in a Kubernetes ConfigMap. Save the following in a file namedcipherstash-proxy.yaml
:1apiVersion: v1 2kind: ConfigMap 3metadata: 4 name: cipherstash-proxy-config 5data: 6 cipherstash-proxy.toml: | 7 username = "postgres" 8 password = "password" 9 10 workspace_id = "12345678-1234-1234-1234-123456789012" 11 client_access_key = "12345678-1234-1234-1234-123456789012" 12 13 [database] 14 name = "stash"
Note
Use environment variables for sensitive information like access keys, client keys, and database credentials. The example above is for demonstration purposes only.
Apply the ConfigMap to your cluster:
1kubectl apply -f cipherstash-proxy.yaml
3. Sidecar: Create a Kubernetes Deployment with sidecar
Modify your application's Deployment manifest to include the
cipherstash/cipherstash-proxy
container as a sidecar. Here’s an exampledeployment.yaml
:1apiVersion: apps/v1 2kind: Deployment 3metadata: 4 name: myapp-deployment 5spec: 6 replicas: 1 7 selector: 8 matchLabels: 9 app: myapp 10 template: 11 metadata: 12 labels: 13 app: myapp 14 spec: 15 containers: 16 - name: myapp 17 image: myapp-image 18 ports: 19 - containerPort: <app-port> 20 # Additional configurations for your main application 21 22 - name: cipherstash-proxy 23 image: cipherstash/cipherstash-proxy:latest 24 ports: 25 - containerPort: 6432 26 volumeMounts: 27 - name: config-volume 28 mountPath: /etc/cipherstash-proxy 29 volumes: 30 - name: config-volume 31 configMap: 32 name: cipherstash-proxy-config
Replace
myapp-image
and<app-port>
with your application's image and port.
4. Sidecar: Apply the deployment
Apply the deployment to your Kubernetes cluster:
1kubectl apply -f deployment.yaml
5. Sidecar: Verify the deployment
Verify that both the main application and the
cipherstash/cipherstash-proxy
sidecar are running:1kubectl get pods
Check the logs to ensure that both containers are functioning correctly:
1kubectl logs <pod-name> -c myapp 2kubectl logs <pod-name> -c cipherstash-proxy
Notes
- Security: Be cautious with how you handle secrets and sensitive information in Kubernetes.
- Networking: Make sure that your Kubernetes pods can access the necessary resources, such as your PostgreSQL database.
- Resource Allocation: Make sure that the pod has enough resources allocated for both the main application and the sidecar container.
This guide provides a basic deployment strategy for the cipherstash/cipherstash-proxy
container in a Kubernetes environment. Depending on your specific requirements and cluster configuration, you might need to adjust the deployment settings.
With the CipherStash Proxy in place, you can now use the entire CipherStash product suite to secure your data:
- CipherStash Audit: Audit your database queries and data access logs
- CipherStash Encrypt: Encrypt your data at rest and in transit
- CipherStash Identify: Identify and mask sensitive data in your database (coming soon!)