Deploying CipherStash Proxy to Kubernetes

To deploy CipherStash Proxy to a Kubernetes (K8s) cluster, you can either create a separate Kubernetes Deployment or add CipherStash Proxy as a sidecar to your application's Deployment.

Deploying as a Kubernetes Deployment

To deploy CipherStash Proxy as a separate Kubernetes Deployment, you'll need to create a Deployment and a ConfigMap. Here's a step-by-step guide to get you started:

Deployment prerequisites

• Kubernetes cluster: Make sure you have access to a Kubernetes cluster. If you don't have one, you can set one up using Minikube or a cloud provider like AWS, GCP, or Azure.
• Kubectl: Install and configure kubectl, the command-line tool for Kubernetes, to interact with your cluster.
• CipherStash Proxy configuration: Refer to Proxy configuration for details on how to configure CipherStash Proxy.

Deployment step-by-step guide

1. Deployment: Prepare the configuration file

• Refer to Proxy configuration for details on how to configure CipherStash Proxy.

2. Deployment: create a ConfigMap

• Store your cipherstash-proxy.toml in a Kubernetes ConfigMap. Save the following in a file named cipherstash-proxy.yaml:

  1apiVersion: v1
  2kind: ConfigMap
  3metadata:
  4  name: cipherstash-proxy-config
  5data:
  6  cipherstash-proxy.toml: |
  7    username = "postgres"
  8    password = "password"
  9
  10    workspace_id = "12345678-1234-1234-1234-123456789012"
  11    client_access_key = "12345678-1234-1234-1234-123456789012"
  12
  13    [database]
  14    name = "stash"

  Note

  Use environment variables for sensitive information like access keys, client keys, and database credentials. The example above is for demonstration purposes only.

• Apply the ConfigMap to your cluster:

  1kubectl apply -f cipherstash-proxy.yaml

3. Deployment: Create a Kubernetes Deployment

• Create a Deployment file cipherstash-proxy-deployment.yaml with the necessary settings:

  1apiVersion: apps/v1
  2kind: Deployment
  3metadata:
  4  name: cipherstash-proxy-deployment
  5spec:
  6  replicas: 1
  7  selector:
  8    matchLabels:
  9      app: cipherstash-proxy
  10  template:
  11    metadata:
  12      labels:
  13        app: cipherstash-proxy
  14    spec:
  15      containers:
  16        - name: cipherstash-proxy
  17          image: cipherstash/cipherstash-proxy:latest
  18          ports:
  19            - containerPort: 6432
  20          volumeMounts:
  21            - name: config-volume
  22              mountPath: /etc/cipherstash-proxy
  23      volumes:
  24        - name: config-volume
  25          configMap:
  26            name: cipherstash-proxy-config

• Apply the deployment:

  1kubectl apply -f cipherstash-proxy-deployment.yaml

4. Deployment: Expose the service (optional)

• If you need to expose the CipherStash Proxy service outside your Kubernetes cluster, you can create a Service of type LoadBalancer or NodePort. Here's an example Service definition:

  1apiVersion: v1
  2kind: Service
  3metadata:
  4  name: cipherstash-proxy-service
  5spec:
  6  type: LoadBalancer
  7  ports:
  8    - port: 6432
  9      targetPort: 6432
  10  selector:
  11    app: cipherstash-proxy

5. Deployment: Deploy and verify

• Deploy the service (if needed) and verify that your deployment is running:

  1kubectl get pods
  2kubectl get services

• Ensure that the cipherstash-proxy-service is correctly exposed and accessible.

Deploying as a Kubernetes sidecar

To deploy CipherStash Proxy as a sidecar in Kubernetes, run it alongside your main application container within the same pod. This allows both containers to share network space and other resources.

Sidecar prerequisites

• Kubernetes cluster: Make sure you have access to a Kubernetes cluster.
• Kubectl: Install and configure kubectl.
• Main application: You should have a primary application that requires the cipherstash/cipherstash-proxy service.
• Cipherstash Proxy configuration: Refer to Cipherstash Proxy configuration for details on how to configure the Proxy.

Sidecar step-by-step guide

1. Sidecar: Prepare the configuration file

• Refer to CipherStash Proxy configuration for details on how to configure the Proxy.

2. Sidecar: Create a ConfigMap

• Store your cipherstash-proxy.toml in a Kubernetes ConfigMap. Save the following in a file named cipherstash-proxy.yaml:

  1apiVersion: v1
  2kind: ConfigMap
  3metadata:
  4  name: cipherstash-proxy-config
  5data:
  6  cipherstash-proxy.toml: |
  7    username = "postgres"
  8    password = "password"
  9
  10    workspace_id = "12345678-1234-1234-1234-123456789012"
  11    client_access_key = "12345678-1234-1234-1234-123456789012"
  12
  13    [database]
  14    name = "stash"

  Note

  Use environment variables for sensitive information like access keys, client keys, and database credentials. The example above is for demonstration purposes only.

• Apply the ConfigMap to your cluster:

  1kubectl apply -f cipherstash-proxy.yaml

3. Sidecar: Create a Kubernetes Deployment with sidecar

• Modify your application's Deployment manifest to include the cipherstash/cipherstash-proxy container as a sidecar. Here’s an example deployment.yaml:

  1apiVersion: apps/v1
  2kind: Deployment
  3metadata:
  4  name: myapp-deployment
  5spec:
  6  replicas: 1
  7  selector:
  8    matchLabels:
  9      app: myapp
  10  template:
  11    metadata:
  12      labels:
  13        app: myapp
  14    spec:
  15      containers:
  16        - name: myapp
  17          image: myapp-image
  18          ports:
  19            - containerPort: <app-port>
  20          # Additional configurations for your main application
  21
  22        - name: cipherstash-proxy
  23          image: cipherstash/cipherstash-proxy:latest
  24          ports:
  25            - containerPort: 6432
  26          volumeMounts:
  27            - name: config-volume
  28              mountPath: /etc/cipherstash-proxy
  29      volumes:
  30        - name: config-volume
  31          configMap:
  32            name: cipherstash-proxy-config

• Replace myapp-image and <app-port> with your application's image and port.

4. Sidecar: Apply the deployment

• Apply the deployment to your Kubernetes cluster:

  1kubectl apply -f deployment.yaml

5. Sidecar: Verify the deployment

• Verify that both the main application and the cipherstash/cipherstash-proxy sidecar are running:

  1kubectl get pods

• Check the logs to ensure that both containers are functioning correctly:

  1kubectl logs <pod-name> -c myapp
  2kubectl logs <pod-name> -c cipherstash-proxy

Notes

• Security: Be cautious with how you handle secrets and sensitive information in Kubernetes.
• Networking: Make sure that your Kubernetes pods can access the necessary resources, such as your PostgreSQL database.
• Resource Allocation: Make sure that the pod has enough resources allocated for both the main application and the sidecar container.

This guide provides a basic deployment strategy for the cipherstash/cipherstash-proxy container in a Kubernetes environment. Depending on your specific requirements and cluster configuration, you might need to adjust the deployment settings.

With the CipherStash Proxy in place, you can now use the entire CipherStash product suite to secure your data:

• CipherStash Audit: Audit your database queries and data access logs
• CipherStash Encrypt: Encrypt your data at rest and in transit
• CipherStash Identify: Identify and mask sensitive data in your database (coming soon!)