Deploying CipherStash Proxy to Kubernetes
To deploy CipherStash Proxy to a Kubernetes (K8s) cluster, you can either create a separate Kubernetes Deployment or add CipherStash Proxy as a sidecar to your application's Deployment.
Deploying as a Kubernetes Deployment
To deploy CipherStash Proxy as a separate Kubernetes Deployment, you'll need to create a Deployment and a ConfigMap. Here's a step-by-step guide to get you started:
Deployment prerequisites
- Kubernetes cluster: Make sure you have access to a Kubernetes cluster. If you don't have one, you can set one up using Minikube or a cloud provider like AWS, GCP, or Azure.
- Kubectl: Install and configure kubectl, the command-line tool for Kubernetes, to interact with your cluster.
- CipherStash Proxy configuration: Refer to CipherStash Proxy config for details on how to configure CipherStash Proxy.
Deployment step-by-step guide
1. Deployment: Prepare the configuration file
- Refer to CipherStash Proxy config for details on how to configure CipherStash Proxy.
2. Deployment: create a ConfigMap
Store your cipherstash-proxy.toml in a Kubernetes ConfigMap. Save the following in a file named cipherstash-proxy.yaml:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: cipherstash-proxy-config
data:
  cipherstash-proxy.toml: |
    username = "postgres"
    password = "password"

    workspace_id = "12345678-1234-1234-1234-123456789012"
    client_access_key = "12345678-1234-1234-1234-123456789012"

    [database]
    name = "stash"
```
Note
Use environment variables for sensitive information like access keys, client keys, and database credentials. The example above is for demonstration purposes only.
Apply the ConfigMap to your cluster:
```bash
kubectl apply -f cipherstash-proxy.yaml
```
3. Deployment: Create a Kubernetes Deployment
Create a Deployment file cipherstash-proxy-deployment.yaml with the necessary settings:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cipherstash-proxy-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cipherstash-proxy
  template:
    metadata:
      labels:
        app: cipherstash-proxy
    spec:
      containers:
        - name: cipherstash-proxy
          image: cipherstash/cipherstash-proxy:latest
          ports:
            - containerPort: 6432
          volumeMounts:
            - name: config-volume
              mountPath: /etc/cipherstash-proxy
      volumes:
        - name: config-volume
          configMap:
            name: cipherstash-proxy-config
```
Apply the deployment:
```bash
kubectl apply -f cipherstash-proxy-deployment.yaml
```
4. Deployment: Expose the service (optional)
If you need to expose the CipherStash Proxy service outside your Kubernetes cluster, you can create a Service of type LoadBalancer or NodePort. Here's an example Service definition:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: cipherstash-proxy-service
spec:
  type: LoadBalancer
  ports:
    - port: 6432
      targetPort: 6432
  selector:
    app: cipherstash-proxy
```
5. Deployment: Deploy and verify
Deploy the service (if needed) and verify that your deployment is running:
```bash
kubectl get pods
kubectl get services
```
Ensure that the cipherstash-proxy-service is correctly exposed and accessible.
Deploying as a Kubernetes sidecar
To deploy CipherStash Proxy as a sidecar in Kubernetes, run it alongside your main application container within the same pod. This allows both containers to share network space and other resources.
Sidecar prerequisites
- Kubernetes cluster: Make sure you have access to a Kubernetes cluster.
- Kubectl: Install and configure kubectl.
- Main application: You should have a primary application that requires the cipherstash/cipherstash-proxy service.
- CipherStash Proxy configuration: Refer to CipherStash Proxy config for details on how to configure the Proxy.
Sidecar step-by-step guide
1. Sidecar: Prepare the configuration file
- Refer to CipherStash Proxy config for details on how to configure the Proxy.
2. Sidecar: Create a ConfigMap
Store your cipherstash-proxy.toml in a Kubernetes ConfigMap. Save the following in a file named cipherstash-proxy.yaml:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: cipherstash-proxy-config
data:
  cipherstash-proxy.toml: |
    username = "postgres"
    password = "password"

    workspace_id = "12345678-1234-1234-1234-123456789012"
    client_access_key = "12345678-1234-1234-1234-123456789012"

    [database]
    name = "stash"
```
Note
Use environment variables for sensitive information like access keys, client keys, and database credentials. The example above is for demonstration purposes only.
Apply the ConfigMap to your cluster:
```bash
kubectl apply -f cipherstash-proxy.yaml
```
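A pre-apply check for the ConfigMap used in step 2 of both the Deployment and sidecar guides, as an added example (not CipherStash code): it flags credential-like keys inside any ConfigMap document and shows that the same file passes once it is held in a Kubernetes Secret. The function name, the key patterns and the temporary paths are assumptions made for this example.

```bash
# Added example: flag credential-like keys embedded in a ConfigMap manifest.
# The key patterns are assumptions based on the note's "access keys, client keys,
# and database credentials"; extend them to match your own configuration.
scan_configmap_credentials() {
  awk '
    BEGIN { found = 0 }
    /^---[ \t]*$/ { kind = "" }          # next YAML document in the same file
    /^kind:/      { kind = $2 }
    kind == "ConfigMap" &&
    tolower($0) ~ /^[ \t]*(password|client_access_key|client_key|access_key)[ \t]*[=:]/ {
      sub(/^[ \t]+/, ""); sub(/[ \t]*[=:].*/, "")
      printf "line %d: credential key \"%s\" in ConfigMap\n", NR, $0
      found = 1
    }
    END { exit found }                   # status 1 when anything was flagged
  ' "$1"
}

# Sample input: the demonstration ConfigMap from this guide, written to a temp dir.
demo_dir=$(mktemp -d)
cat > "$demo_dir/configmap.yaml" <<'EOF'
apiVersion: v1
kind: ConfigMap
metadata:
  name: cipherstash-proxy-config
data:
  cipherstash-proxy.toml: |
    username = "postgres"
    password = "password"

    workspace_id = "12345678-1234-1234-1234-123456789012"
    client_access_key = "12345678-1234-1234-1234-123456789012"

    [database]
    name = "stash"
EOF

# The same file as a Secret: only "kind" and the data field name change.
sed -e 's/^kind: ConfigMap$/kind: Secret/' -e 's/^data:$/stringData:/' \
  "$demo_dir/configmap.yaml" > "$demo_dir/secret.yaml"

scan_configmap_credentials "$demo_dir/configmap.yaml" || echo "configmap.yaml: move this file into a Secret"
scan_configmap_credentials "$demo_dir/secret.yaml" && echo "secret.yaml: no credentials in a ConfigMap"
```

When the file is stored as a Secret, the Deployment's config-volume references it with `secret:` and `secretName: cipherstash-proxy-config` in place of `configMap:` and `name:`; the mount path stays the same.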
3. Sidecar: Create a Kubernetes Deployment with sidecar
Modify your application's Deployment manifest to include the cipherstash/cipherstash-proxy container as a sidecar. Here's an example deployment.yaml:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
        - name: myapp
          image: myapp-image
          ports:
            - containerPort: <app-port>
          # Additional configurations for your main application

        - name: cipherstash-proxy
          image: cipherstash/cipherstash-proxy:latest
          ports:
            - containerPort: 6432
          volumeMounts:
            - name: config-volume
              mountPath: /etc/cipherstash-proxy
      volumes:
        - name: config-volume
          configMap:
            name: cipherstash-proxy-config
```
Replace myapp-image and <app-port> with your application's image and port.
4. Sidecar: Apply the deployment
Apply the deployment to your Kubernetes cluster:
```bash
kubectl apply -f deployment.yaml
```
5. Sidecar: Verify the deployment
Verify that both the main application and the cipherstash/cipherstash-proxy sidecar are running:
```bash
kubectl get pods
```
Check the logs to ensure that both containers are functioning correctly:
```bash
kubectl logs <pod-name> -c myapp
kubectl logs <pod-name> -c cipherstash-proxy
```
Notes
- Security: Be cautious with how you handle secrets and sensitive information in Kubernetes.
- Networking: Make sure that your Kubernetes pods can access the necessary resources, such as your PostgreSQL database.
- Resource Allocation: Make sure that the pod has enough resources allocated for both the main application and the sidecar container.
This guide provides a basic deployment strategy for the cipherstash/cipherstash-proxy container in a Kubernetes environment. Depending on your specific requirements and cluster configuration, you might need to adjust the deployment settings.
With CipherStash Proxy in place, you can now encrypt your data.