
Google Cloud Platform

This guide will walk you through deploying D1 Storage or D1 Generic, using K1 for key management, to Google Kubernetes Engine with Google Cloud Storage, Google Cloud Key Management, and Google Identity.

To follow this guide, you will need to create a project in Google Cloud Platform as well as set up the gcloud CLI tool.

Google Cloud Storage

To provision a basic storage bucket, follow this guide or run the following gcloud command:

gcloud alpha storage buckets create gs://d1-bucket/ -b -l <location>

Create an HMAC key for the bucket as described here. The key will function as the S3 credentials for the bucket.

Google KMS

You will need to provision a Key Ring as well as an encryption Key. The process is described here. Alternatively, you can perform the following steps. To provision the Key Ring, run the following gcloud command:

gcloud kms keyrings create d1-keyring --location <location>

Then create an encryption Key:

gcloud kms keys create d1-key --keyring d1-keyring --location <location> --purpose "encryption"

Next, create a service account and give it permission to access the KMS:

gcloud iam service-accounts create d1-kms-sa
gcloud projects add-iam-policy-binding <project> --member="serviceAccount:d1-kms-sa@<project>.iam.gserviceaccount.com" --role="roles/cloudkms.cryptoOperator"

Finally, create a file with credentials for the service account:

gcloud iam service-accounts keys create service-account.json --iam-account=d1-kms-sa@<project>.iam.gserviceaccount.com

Google Identity

Set up an OIDC client as described here. You will obtain a client ID and a client secret, which you will need during deployment.

Google Kubernetes Engine

Provision a GKE cluster as described here or by using the following gcloud command:

gcloud container clusters create d1-cluster --machine-type e2-standard-2 --num-nodes 2 --zone <zone>

Deployment

You first need to deploy K1 using our Helm chart. You will need to configure the Helm chart as shown below with the information obtained in the previous steps:

# File: values.yaml
k1:
  endpoint: k1.default.svc.cluster.local

  keyprovider:
    provider: gcloudKMS

    gcloudKMS:
      location: "projects/<project>/locations/<location>"
      keyname: "projects/<project>/locations/<location>/keyRings/d1-keyring/cryptoKeys/d1-key"
      credentialsJson: ""

postgresql:
  auth:
    database: "k1"
    username: "k1"
    password: <fill in a secure password>

You can then deploy K1:

helm install k1 oci://ghcr.io/cybercryptio/helm-charts/k1 --version 0.2.0 --values values.yaml --set-file k1.keyprovider.gcloudKMS.credentialsJson=./service-account.json

Once the deployment is successful, create a new Key Set and get the Key Initialization Key:

export KS_ID=$(kubectl exec -it deployments/k1 -- /k1 newKeySet 2> /dev/null | tail -n 3 | jq -r ".KsID")
kubectl exec -it deployments/k1 -- /k1 newKik --ksid=$KS_ID

You are now ready to deploy D1 Storage or D1 Generic using our Helm charts. You will need to configure the Helm chart as shown below with the information obtained in the previous steps:

config:
  keys:
    provider: "k1"

    k1:
      endpoint: "k1.default.svc.cluster.local:50051"
      kik: <Key Initialization Key>
      kikId: <Key Initialization Key ID>

  io:
    provider: "s3"

    s3:
      address: "https://storage.googleapis.com"
      id: <HMAC Key ID>
      key: <HMAC Key>
      bucket: "d1-bucket"

  id:
    provider: "oidc"

    oidc:
      issuer: "https://accounts.google.com"
      clientid: <OIDC client ID>
      signingalg: "RS256"
      claimtranslation: <Your desired claim translation>
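Both values files above are easy to get subtly wrong when copied from the templates: a <placeholder> left in place, a KMS key name that is not the full Cloud KMS resource path (K1 cannot address the key then), or an endpoint that carries HMAC credentials or ID tokens over plain http. The following POSIX shell script is an added example, not part of the D1 or K1 charts or CLI; it assumes the flat key: value layout shown on this page and runs against constructed sample files whose credential values are made up.

```shell
#!/bin/sh
# Pre-deployment check for the values.yaml files above. Added example, not part of
# the D1/K1 charts. Catches three mistakes that otherwise surface only at
# `helm install` or later:
#   1. a <placeholder> from the template that was never filled in,
#   2. a gcloudKMS keyname that is not a full Cloud KMS resource name, or that
#      does not live under the configured location,
#   3. an S3 address or OIDC issuer that is not served over https.
# Assumes the flat "key: value" layout shown on this page (no YAML parser needed).

# yaml_value KEY FILE -> value of the first "KEY:" line, surrounding quotes stripped.
yaml_value() {
    awk -v k="$1:" '$1 == k { v = $2; gsub(/"/, "", v); print v; exit }' "$2"
}

# check_values_file FILE -> status 0 if ready to deploy, 1 otherwise (reasons on stderr).
check_values_file() {
    file="$1"
    rc=0

    # 1. Unfilled template placeholders.
    if grep -nE '<[^>]+>' "$file" >&2; then
        echo "$file: the placeholders above are still unfilled" >&2
        rc=1
    fi

    # 2. KMS key name format and location consistency.
    keyname=$(yaml_value keyname "$file")
    location=$(yaml_value location "$file")
    if [ -n "$keyname" ]; then
        if ! printf '%s\n' "$keyname" |
            grep -qE '^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$'; then
            echo "$file: keyname is not a full Cloud KMS resource name: $keyname" >&2
            rc=1
        elif [ -n "$location" ] && [ "${keyname#"$location"/keyRings/}" = "$keyname" ]; then
            echo "$file: keyname is not under location $location" >&2
            rc=1
        fi
    fi

    # 3. Endpoints that carry HMAC credentials or ID tokens must use TLS.
    for key in address issuer; do
        url=$(yaml_value "$key" "$file")
        case "$url" in
            "" | https://*) ;;
            *) echo "$file: $key must be an https URL, got: $url" >&2; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample inputs (all credential values are made up):
# the D1 template as copied from this page, a filled-in copy, and a filled-in
# copy with a plain-http bucket endpoint and a bare key name.
SAMPLE_DIR=$(mktemp -d)
TEMPLATE_VALUES="$SAMPLE_DIR/template.yaml"
FILLED_VALUES="$SAMPLE_DIR/filled.yaml"
WEAK_VALUES="$SAMPLE_DIR/weak.yaml"

cat > "$TEMPLATE_VALUES" <<'EOF'
k1:
  endpoint: "k1.default.svc.cluster.local:50051"
  kik: <Key Initialization Key>
  kikId: <Key Initialization Key ID>
s3:
  address: "https://storage.googleapis.com"
  id: <HMAC Key ID>
  key: <HMAC Key>
EOF

cat > "$FILLED_VALUES" <<'EOF'
gcloudKMS:
  location: "projects/example-project/locations/europe-west1"
  keyname: "projects/example-project/locations/europe-west1/keyRings/d1-keyring/cryptoKeys/d1-key"
s3:
  address: "https://storage.googleapis.com"
  id: "GOOG1CONSTRUCTEDEXAMPLEID"
  key: "constructed-example-secret"
  bucket: "d1-bucket"
oidc:
  issuer: "https://accounts.google.com"
  clientid: "constructed-client-id.apps.googleusercontent.com"
EOF

cat > "$WEAK_VALUES" <<'EOF'
gcloudKMS:
  location: "projects/example-project/locations/europe-west1"
  keyname: "d1-key"
s3:
  address: "http://storage.googleapis.com"
EOF

for f in "$TEMPLATE_VALUES" "$FILLED_VALUES" "$WEAK_VALUES"; do
    if check_values_file "$f"; then echo "$f: ready to deploy"; else echo "$f: NOT ready"; fi
done
```

Run it against your real values.yaml with `check_values_file ./values.yaml` before each `helm install`; it exits non-zero and names the offending line, so it also fits as a step in a deployment pipeline. The `location`/`keyname` consistency check uses only the resource-name structure visible in the templates above (`projects/<project>/locations/<location>/keyRings/.../cryptoKeys/...`), so it does not need gcloud access.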

You can then deploy D1 Storage or D1 Generic:

helm install d1 oci://ghcr.io/cybercryptio/helm-charts/d1-service-storage --version 0.3.10 --values values.yaml
# OR
helm install d1 oci://ghcr.io/cybercryptio/helm-charts/d1-service-generic --version 0.3.10 --values values.yaml