Google Cloud Platform
This guide will walk you through deploying D1 Storage or D1 Generic, using K1 for key management, to Google Kubernetes Engine with Google Cloud Storage, Google Cloud Key Management, and Google Identity.
To follow this guide, you will need to create a project in Google Cloud Platform as well as set up the gcloud CLI tool.
Google Cloud Storage
In order to provision a basic storage bucket, follow this guide or run the following gcloud command:
gcloud alpha storage buckets create gs://d1-bucket/ -b -l <location>
Create an HMAC key for the bucket as described here. The key will function as the S3 credentials for the bucket.
Google KMS
You will need to provision a Key Ring as well as an encryption Key. The process is described here. Alternatively, you can perform the following steps. To provision the Key Ring, run the following gcloud command:
gcloud kms keyrings create d1-keyring --location <location>
Then create an encryption Key:
gcloud kms keys create d1-key --keyring d1-keyring --location <location> --purpose "encryption"
Next, create a service account and give it permission to access the KMS:
gcloud iam service-accounts create d1-kms-sa
gcloud projects add-iam-policy-binding <project> --member="serviceAccount:d1-kms-sa@<project>.iam.gserviceaccount.com" --role="roles/cloudkms.cryptoOperator"
Finally, create a file with credentials for the service account:
gcloud iam service-accounts keys create service-account.json --iam-account=d1-kms-sa@<project>.iam.gserviceaccount.com
Google Identity
Set up an OIDC client as described here. You will obtain a client ID and a client secret, which you will need during deployment.
Google Kubernetes Engine
Provision a GKE cluster as described here or by using the following gcloud command:
gcloud container clusters create d1-cluster --machine-type e2-standard-2 --num-nodes 2 --zone <zone>
Deployment
You first need to deploy K1 using our Helm chart. You will need to configure the Helm chart as shown below with the information obtained in the previous steps:
# File: values.yaml
k1:
  endpoint: k1.default.svc.cluster.local
  keyprovider:
    provider: gcloudKMS
    gcloudKMS:
      location: "projects/<project>/locations/<location>"
      keyname: "projects/<project>/locations/<location>/keyRings/d1-keyring/cryptoKeys/d1-key"
      credentialsJson: ""
postgresql:
  auth:
    database: "k1"
    username: "k1"
    password: <fill in a secure password>
You can then deploy K1:
helm install k1 oci://ghcr.io/cybercryptio/helm-charts/k1 --version 0.2.0 --values values.yaml --set-file k1.keyprovider.gcloudKMS.credentialsJson=./service-account.json
Once the deployment is successful, create a new Key Set and get the Key Initialization Key:
export KS_ID=$(kubectl exec -it deployments/k1 -- /k1 newKeySet 2> /dev/null | tail -n 3 | jq -r ".KsID")
kubectl exec -it deployments/k1 -- /k1 newKik --ksid=$KS_ID
You are now ready to deploy D1 Storage or D1 Generic using our Helm charts. You will need to configure the Helm chart as shown below with the information obtained in the previous steps:
config:
  keys:
    provider: "k1"
    k1:
      endpoint: "k1.default.svc.cluster.local:50051"
      kik: <Key Initialization Key>
      kikId: <Key Initialization Key ID>
  io:
    provider: "s3"
    s3:
      address: "https://storage.googleapis.com"
      id: <HMAC Key ID>
      key: <HMAC Key>
      bucket: "d1-bucket"
  id:
    provider: "oidc"
    oidc:
      issuer: "https://accounts.google.com"
      clientid: <OIDC client ID>
      signingalg: "RS256"
      claimtranslation: <your desired claim translation>
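A values file that still carries an angle-bracket placeholder such as <HMAC Key>, or that lacks one of the keys above, will either fail the Helm install or, worse, deploy a service whose key or identity configuration is wrong. The following pre-flight check is an added example, not part of the D1 or K1 documentation or Helm charts; the function names and the two sample values files it writes (one still templated, one filled with constructed dummy values) are assumptions made for illustration.

```shell
#!/bin/sh
# Pre-flight check for a D1 values file before `helm install`.
# Added example, not part of the D1/K1 documentation or tooling.
# Succeeds only when no <...> placeholder remains and every
# required key is present.

# check_placeholders FILE: print every non-comment line that still
# carries a template placeholder of the form <...>; fail if any remain.
check_placeholders() {
    file="$1"
    leftovers=$(grep -n '<[^>]*>' "$file" | grep -v '^[0-9]*:[[:space:]]*#' || true)
    if [ -n "$leftovers" ]; then
        printf 'unfilled placeholders in %s:\n%s\n' "$file" "$leftovers" >&2
        return 1
    fi
    return 0
}

# check_required FILE KEY...: fail unless each KEY appears as a YAML key
# (leading indentation, key name, colon) somewhere in FILE.
check_required() {
    file="$1"; shift
    missing=0
    for key in "$@"; do
        if ! grep -q "^[[:space:]]*$key:" "$file"; then
            printf 'missing required key in %s: %s\n' "$file" "$key" >&2
            missing=1
        fi
    done
    return $missing
}

# check_values_file FILE: run both checks; the key list mirrors the
# secrets and identifiers the D1 values file above must carry.
check_values_file() {
    rc=0
    check_placeholders "$1" || rc=1
    check_required "$1" kik kikId bucket clientid || rc=1
    return $rc
}

# Constructed sample inputs (hypothetical paths and dummy values).
SAMPLE_DIR=$(mktemp -d)
SAMPLE_TEMPLATE="$SAMPLE_DIR/values-template.yaml"
SAMPLE_READY="$SAMPLE_DIR/values-ready.yaml"

cat > "$SAMPLE_TEMPLATE" <<'EOF'
config:
  keys:
    provider: "k1"
    k1:
      endpoint: "k1.default.svc.cluster.local:50051"
      kik: <Key Initialization Key>
      kikId: <Key Initialization Key ID>
  io:
    provider: "s3"
    s3:
      id: <HMAC Key ID>
      key: <HMAC Key>
      bucket: "d1-bucket"
  id:
    oidc:
      clientid: <OIDC client ID>
EOF

cat > "$SAMPLE_READY" <<'EOF'
config:
  keys:
    provider: "k1"
    k1:
      endpoint: "k1.default.svc.cluster.local:50051"
      kik: "constructed-sample-kik"
      kikId: "constructed-sample-kik-id"
  io:
    provider: "s3"
    s3:
      id: "constructed-sample-hmac-id"
      key: "constructed-sample-hmac-secret"
      bucket: "d1-bucket"
  id:
    oidc:
      clientid: "constructed-sample-client-id"
EOF

for f in "$SAMPLE_TEMPLATE" "$SAMPLE_READY"; do
    if check_values_file "$f"; then
        echo "$f: ready for helm install"
    else
        echo "$f: fix the issues above before running helm install"
    fi
done
```

Run it against your real values.yaml by calling check_values_file on its path; the template file above is expected to fail on every placeholder line, and the filled file to pass. Note that this only catches unfilled placeholders and missing keys, not wrong values: a kik that belongs to a different Key Set, or an HMAC key for another bucket, will still pass this check and must be verified against the output of the earlier steps.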
You can then deploy D1 Storage or D1 Generic:
helm install d1 oci://ghcr.io/cybercryptio/helm-charts/d1-service-storage --version 0.3.10 --values values.yaml
# OR
helm install d1 oci://ghcr.io/cybercryptio/helm-charts/d1-service-generic --version 0.3.10 --values values.yaml