How-to guides

Deploying Tandem to Kubernetes

To deploy Tandem to a Kubernetes (K8s) cluster, you can either create a separate Kubernetes Deployment or add Tandem as a sidecar to your application's Deployment.

Kubernetes Deployment

To deploy Tandem as a separate Kubernetes Deployment, you'll need to create a Kubernetes Deployment and a ConfigMap. Here's a step-by-step guide to get you started:

Deployment Prerequisites

  • Kubernetes Cluster: Ensure you have access to a Kubernetes cluster. If you don't have one, you can set one up using Minikube or a cloud provider like AWS, GCP, or Azure.
  • Kubectl: Install and configure kubectl, the command-line tool for Kubernetes, to interact with your cluster.
  • Tandem configuration: Please refer to the Tandem configuration reference for details on how to configure Tandem.

Step-by-Step Guide

1. Deployment: Prepare the Configuration File

2. Deployment: Create a ConfigMap

  • Store your tandem.json in a Kubernetes ConfigMap. Save the following in a file named tandem-configmap.yaml:

    1apiVersion: v1
    2kind: ConfigMap
    3metadata:
    4  name: tandem-config
    5data:
    6  tandem.json: |
    7    {
    8      "port": 5442,
    9      "passthrough": true,
    10      "database_url": "postgres://postgres:password@postgres:5432/stash",
    11      "db_pool_size": 1,
    12      "log_level": "info"
    13    }
    14
  • Apply the ConfigMap to your cluster:

    1kubectl apply -f tandem-configmap.yaml
    2

3. Deployment: Set Up Environment Variables

  • You'll need to set the environment variables (CS_CLIENT_KEY, CS_CLIENT_ID, etc.) as secrets in Kubernetes.

4. Deployment: Create a Kubernetes Deployment

  • Create a Deployment file tandem-deployment.yaml with the necessary settings:

    1apiVersion: apps/v1
    2kind: Deployment
    3metadata:
    4  name: tandem-deployment
    5spec:
    6  replicas: 1
    7  selector:
    8    matchLabels:
    9      app: tandem
    10  template:
    11    metadata:
    12      labels:
    13        app: tandem
    14    spec:
    15      containers:
    16        - name: tandem
    17          image: cipherstash/tandem
    18          ports:
    19            - containerPort: 5442
    20          envFrom:
    21            - secretRef:
    22                name: tandem-secret
    23          volumeMounts:
    24            - name: config-volume
    25              mountPath: /etc/tandem
    26      volumes:
    27        - name: config-volume
    28          configMap:
    29            name: tandem-config
    30
  • In this deployment file, make sure to replace tandem-secret with the name of your secret containing the environment variables.

  • Apply the deployment:

    1kubectl apply -f tandem-deployment.yaml
    2

5. Deployment: Expose the Service (Optional)

  • If you need to expose the Tandem service outside your Kubernetes cluster, you can create a Service of type LoadBalancer or NodePort. Here's an example Service definition:

    1apiVersion: v1
    2kind: Service
    3metadata:
    4  name: tandem-service
    5spec:
    6  type: LoadBalancer
    7  ports:
    8    - port: 5442
    9      targetPort: 5442
    10  selector:
    11    app: tandem
    12

6. Deployment: Deploy and Verify

  • Deploy the service (if needed) and verify that your deployment is running:

    1kubectl get pods
    2kubectl get services
    3
  • Ensure that the Tandem service is correctly exposed and accessible.

Kubernetes Sidecar

To deploy Tandem as a sidecar in Kubernetes involves running it alongside your main application container within the same pod. This allows both containers to share network space and other resources. Below is a step-by-step guide to set this up:

Sidecar Prerequisites

  • Kubernetes Cluster: Ensure you have access to a Kubernetes cluster.
  • Kubectl: Install and configure kubectl.
  • Main Application: You should have a primary application that requires the cipherstash/tandem service.
  • Tandem configuration: Please refer to the Tandem configuration reference for details on how to configure Tandem.

Sidecar Step-by-Step Guide

1. Sidecar: Prepare the Configuration File

2. Sidecar: Create a ConfigMap

  • Store your tandem.json in a Kubernetes ConfigMap. Save the following in a file named tandem-configmap.yaml:

    1apiVersion: v1
    2kind: ConfigMap
    3metadata:
    4  name: tandem-config
    5data:
    6  tandem.json: |
    7    {
    8      "port": 5442,
    9      "passthrough": true,
    10      "database_url": "postgres://postgres:password@postgres:5432/stash",
    11      "db_pool_size": 1,
    12      "log_level": "info"
    13    }
    14
  • Apply the ConfigMap to your cluster:

    1kubectl apply -f tandem-configmap.yaml
    2

3. Sidecar: Set Up Environment Variables as Kubernetes Secrets

  • Store the environment variables (CS_CLIENT_KEY, CS_CLIENT_ID, etc.) as Kubernetes secrets.

4. Sidecar: Create a Kubernetes Deployment with Sidecar

  • Modify your application's Deployment manifest to include the cipherstash/tandem container as a sidecar. Here’s an example deployment.yaml:

    1apiVersion: apps/v1
    2kind: Deployment
    3metadata:
    4  name: myapp-deployment
    5spec:
    6  replicas: 1
    7  selector:
    8    matchLabels:
    9      app: myapp
    10  template:
    11    metadata:
    12      labels:
    13        app: myapp
    14    spec:
    15      containers:
    16        - name: myapp
    17          image: myapp-image
    18          ports:
    19            - containerPort: <app-port>
    20          # Additional configurations for your main application
    21
    22        - name: tandem
    23          image: cipherstash/tandem
    24          ports:
    25            - containerPort: 5442
    26          envFrom:
    27            - secretRef:
    28                name: tandem-secret
    29          volumeMounts:
    30            - name: config-volume
    31              mountPath: /etc/tandem
    32      volumes:
    33        - name: config-volume
    34          configMap:
    35            name: tandem-config
    36
  • Replace myapp-image and <app-port> with your application's image and port.

  • Ensure tandem-secret is the name of your secret containing the environment variables.

5. Sidecar: Apply the Deployment

  • Apply the deployment to your Kubernetes cluster:

    1kubectl apply -f deployment.yaml
    2

6. Sidecar: Verify the Deployment

  • Verify that both the main application and the cipherstash/tandem sidecar are running:

    1kubectl get pods
    2
  • Check the logs to ensure that both containers are functioning correctly:

    1kubectl logs <pod-name> -c myapp
    2kubectl logs <pod-name> -c tandem
    3

Notes and Considerations

  • Security: Be cautious with how you handle secrets and sensitive information in Kubernetes.
  • Networking: Ensure that your Kubernetes pods can access the necessary resources, such as your PostgreSQL database.
  • Resource Allocation: Ensure that the pod has enough resources allocated for both the main application and the sidecar container.

This guide provides a basic deployment strategy for the cipherstash/tandem container in a Kubernetes environment. Depending on your specific requirements and cluster configuration, you might need to adjust the deployment settings.

Previous
Encryption migrations