virtru-charts

CSE Deployment via Helm

Overview

This Helm chart deploys Virtru’s key management server (the KACLS) for Google Workspace Client-side Encryption. You can read this documentation on Virtru’s support site here:

v1.1.0 Upgrade Notes

Relevant to users leveraging .Values.externalAppSecrets

Upgrading from a chart version earlier than v1.1.0 to v1.1.0 or later while using .Values.externalAppSecrets requires the in-cluster external-secrets operator to be v0.16.0 or newer. As of chart v1.1.0 the ExternalSecret object is created with apiVersion external-secrets.io/v1; earlier chart versions used external-secrets.io/v1beta1. Confirm the operator serves the v1 API before upgrading, otherwise the upgraded ExternalSecret will be rejected and the application Secret will not be populated.

This change is in line with the external-secrets operator no longer serving the v1beta1 API in v0.17.0+. The v1 API was promoted in v0.16.0 and is the default in Virtru-provided charts going forward.

Assumptions

Prerequisites

These are the requirements before getting started with this chart:

Installation Steps

Configure IDP

To use Google’s CSE service you must have a third-party identity provider configured to authenticate users to the CSE service; the KACLS validates the JWTs that IdP issues against the issuers configured in appConfig.jwksAuthnIssuers. Documentation on Google’s requirements can be found here.

Provision SSL Certificate

Google connects to Virtru’s KMS for Google CSE over TLS, and the server certificate and private key are mounted into the running container. Google validates this certificate, so it must chain to a publicly trusted CA and its name must match the KACLS FQDN you set in appConfig.jwtKaclsUrl. When filling out values.yaml in the section below you will need the private key and the full certificate chain at hand.

Updating values.yaml file

This section will detail potential changes that you will need to make to your values.yaml file.

appConfig

appSecrets

In the appSecrets section, give hmac, secretKey and cksHmac (only when using CKS) as their literal values; do not base64-encode them yourself. The ssl entries are the exception: privateKey and certificate must be the base64 encoding of the PEM files. Everything under appSecrets ends up in a Kubernetes Secret, so keep a values.yaml that contains these values out of version control, or use .Values.externalAppSecrets to source them from an external secret store instead.

volumes

Uncomment the default values that are prepopulated if utilizing the Drive Labels integration (See https://support.virtru.com/hc/en-us/articles/20411711509527-Reference-Virtru-Private-Keystore-for-Google-Workspace-CSE-Configuring-Drive-Labels-with-CSE)

Installing the CSE

Use a standard helm install command to deploy your CSE. An example command is listed below:

helm install -n virtru -f ./values.yaml cse ./ --create-namespace

Additional Config to go live

Refer to Google’s standard CSE documentation to register the KACLS endpoint in Google Admin. You can get the address for your DNS record by running the following command:

kubectl -n virtru get services

The cse Service is of type LoadBalancer by default, so its EXTERNAL-IP column is the public address to point your FQDN (the hostname in appConfig.jwtKaclsUrl) at so that Google can reach the new CSE.
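The two hands-on steps above, base64-encoding the TLS material for appSecrets.ssl and confirming the exposed endpoint after installation, as an added shell helper. This is example code written for this page, not part of the virtru-charts repository. It assumes the release is named cse in namespace virtru as in the install command, that the PEM paths you pass in exist, and that base64, kubectl and openssl are on PATH; fqdn.yourdomain.com stands in for your real KACLS FQDN.

```shell
#!/bin/sh
# Added example for this page, not part of virtru-charts.
# Pre-flight: turn PEM files into the base64 one-liners appSecrets.ssl expects,
# refusing anything that is not PEM. Post-install: find the LoadBalancer address
# and confirm the served certificate names the KACLS FQDN Google will validate.
set -eu

# pem_check FILE TYPE: succeed only if FILE carries "-----BEGIN ...TYPE-----"
# and the matching END line. TYPE "PRIVATE KEY" accepts both PKCS#1
# ("RSA PRIVATE KEY") and PKCS#8 ("PRIVATE KEY") armor.
pem_check() {
    grep -q -- "-----BEGIN .*$2-----" "$1" && grep -q -- "-----END .*$2-----" "$1"
}

# b64_oneline FILE: base64 with the line wrapping removed, so the value fits
# in a single quoted YAML scalar.
b64_oneline() {
    base64 "$1" | tr -d '\n'
}

# roundtrip_ok B64 TYPE: decode again and check the PEM armor survived, which
# catches a value that was pasted already-encoded or truncated.
roundtrip_ok() {
    printf '%s' "$1" | base64 -d 2>/dev/null | grep -q -- "-----BEGIN .*$2-----"
}

# render_ssl_values CERT_PEM KEY_PEM: print the appSecrets.ssl fragment to
# merge into values.yaml. The certificate file should be the full chain.
render_ssl_values() {
    cert_file=$1
    key_file=$2
    pem_check "$cert_file" "CERTIFICATE" || { echo "not a PEM certificate: $cert_file" >&2; return 1; }
    pem_check "$key_file" "PRIVATE KEY" || { echo "not a PEM private key: $key_file" >&2; return 1; }
    cert_b64=$(b64_oneline "$cert_file")
    key_b64=$(b64_oneline "$key_file")
    roundtrip_ok "$cert_b64" "CERTIFICATE" || return 1
    roundtrip_ok "$key_b64" "PRIVATE KEY" || return 1
    cat <<EOF
appSecrets:
  ssl:
    certificate: "$cert_b64"
    privateKey: "$key_b64"
EOF
}

# kacls_address NAMESPACE SERVICE: the LoadBalancer endpoint (IP or hostname,
# whichever the cloud provider populates) to put in DNS for the KACLS FQDN.
kacls_address() {
    kubectl -n "$1" get service "$2" \
        -o jsonpath='{.status.loadBalancer.ingress[0].ip}{.status.loadBalancer.ingress[0].hostname}'
}

# tls_matches_fqdn FQDN ADDRESS: open a TLS session to ADDRESS with SNI set to
# FQDN and check that the served leaf certificate actually names FQDN (the host
# in appConfig.jwtKaclsUrl). Chain trust is a separate check; Google requires a
# publicly trusted chain.
tls_matches_fqdn() {
    printf '' | openssl s_client -connect "$2:443" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -checkhost "$1" 2>/dev/null \
        | grep -q 'does match'
}

# Usage, run by hand around the helm install from the page:
#   render_ssl_values ./fullchain.pem ./privkey.pem > ssl-values.yaml
#   helm install -n virtru -f ./values.yaml -f ./ssl-values.yaml cse ./ --create-namespace
#   addr=$(kacls_address virtru cse) && tls_matches_fqdn fqdn.yourdomain.com "$addr"
```

Keeping the rendered ssl-values.yaml as a second -f file, rather than pasting the blobs into the main values.yaml, makes it easy to leave the secret-bearing file out of version control while the rest of the configuration stays reviewable.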

Values

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| affinity | object | `{}` | Node affinity rules for pod scheduling. |
| appConfig | object | `{"accountsUrl":"https://api.virtru.com/accounts/api","acmUrl":"https://api.virtru.com/acm/api","cksUrl":"https://cks.yourdomain.com","driveLabels":{"adminTime":"15","driveLabelsTime":"15","driveTime":"15","enabled":"false","serviceAccountEmail":"<your-drive-admin-email-address>"},"jwksAuthnIssuers":"base64 encoded authn issuers object","jwksAuthzIssuers":"…","jwtAud":"base64 encoded jwt audience object","jwtKaclsUrl":"https://fqdn.yourdomain.com","processNumberOverride":"5","useCks":"false","useSsl":"true"}` | Application configuration. |
| appConfig.cksUrl | string | `"https://cks.yourdomain.com"` | Optional: URL of the CKS if integrating with the Virtru CKS. |
| appConfig.driveLabels.enabled | string | `"false"` | Enable or disable the Drive Labels integration. Defaults to false. See https://support.virtru.com/hc/en-us/articles/27150297991319-Reference-Drive-Label-Variables for more info. |
| appConfig.jwksAuthnIssuers | string | `"base64 encoded authn issuers object"` | Refer to https://support.virtru.com/hc/en-us/articles/4409220098199-Reference-Virtru-Private-Keystore-for-Google-Workspace-CSE-ENV-Variables for more information. |
| appConfig.jwksAuthzIssuers | string | `"…"` | The default Google JWKS AUTHZ variables are provided in the chart’s values.yaml. |
| appConfig.jwtKaclsUrl | string | `"https://fqdn.yourdomain.com"` | The URL used for KACLS JWT validation; must be the FQDN of your CSE service. |
| appConfig.useCks | string | `"false"` | Enable or disable the connection to the Virtru CKS. Defaults to false. |
| appSecrets | object | `{"cksHmac":{"tokenId":"from-your-cks","tokenSecret":"from-your-cks"},"googleApplicationCredentials":"/app/cse/credentials.json","hmac":{"tokenId":"provided-by-virtru","tokenSecret":"provided-by-virtru"},"secretKey":"secretkey:<base64-encoded-secret-key>","ssl":{"certificate":"<base64 private ssl cert>","privateKey":"<base64 private rsa key>"}}` | Application secrets configuration. |
| appSecrets.cksHmac | object | `{"tokenId":"from-your-cks","tokenSecret":"from-your-cks"}` | Optional: provide the CKS tokenId and tokenSecret if integrating with the CKS. |
| appSecrets.googleApplicationCredentials | string | `"/app/cse/credentials.json"` | Optional: for the Google Drive Labels integration. Leave as-is if not using the Drive Labels feature. |
| appSecrets.hmac | object | `{"tokenId":"provided-by-virtru","tokenSecret":"provided-by-virtru"}` | HMAC token for authentication; provided to you by Virtru. |
| appSecrets.secretKey | string | `"secretkey:<base64-encoded-secret-key>"` | Required only if NOT using the Virtru CKS. The key after the `secretkey:` prefix must be base64. Comment this out if using CKS. |
| appSecrets.ssl | object | `{"certificate":"<base64 private ssl cert>","privateKey":"<base64 private rsa key>"}` | TLS private key and certificate, each as the base64 encoding of the PEM file. |
| autoscaling | object | `{"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPUUtilizationPercentage":80}` | Horizontal pod autoscaling. Disabled by default. We recommend the customer adheres to their organization’s policies for autoscaling. |
| autoscaling.maxReplicas | int | `100` | Maximum number of pod replicas. |
| autoscaling.minReplicas | int | `1` | Minimum number of pod replicas. |
| autoscaling.targetCPUUtilizationPercentage | int | `80` | CPU utilization threshold for scaling. |
| deployment | object | `{"port":9000}` | Port exposed by the deployment. Defaults to 9000. |
| fullnameOverride | string | `""` | Optional override for the full resource name. |
| image | object | `{"pullPolicy":"IfNotPresent","repository":"containers.virtru.com/cse","tag":""}` | Container image settings. An empty tag defaults to the Chart.yaml appVersion. |
| ingress | object | `{"annotations":{},"enabled":false,"hosts":[{"host":"fqdn.yourdomain.com","paths":[{"backend":{"serviceName":"cse","servicePort":9000},"path":"/*","pathType":"ImplementationSpecific"}]}],"tls":[]}` | Ingress is disabled by default; a LoadBalancer service is created in its place. |
| ingress.annotations | object | `{}` | Custom annotations for the ingress resource. |
| ingress.hosts[0] | object | `{"host":"fqdn.yourdomain.com","paths":[{"backend":{"serviceName":"cse","servicePort":9000},"path":"/*","pathType":"ImplementationSpecific"}]}` | fqdn.yourdomain.com must match the FQDN of your CSE service. |
| ingress.tls | list | `[]` | Alternatively, appSecrets.ssl.privateKey and appSecrets.ssl.certificate can be used for TLS certificate configuration. |
| nameOverride | string | `""` | Optional name override for resources. |
| nodeSelector | object | `{}` | Node labels for pod scheduling. |
| podAnnotations | object | `{}` | Custom annotations for pods. Defaults to empty. |
| podSecurityContext | object | `{}` | Security settings for the entire pod. |
| probes | object | `{"liveness":{"failureThreshold":2,"initialDelaySeconds":40,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"readiness":{"failureThreshold":2,"initialDelaySeconds":30,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10}}` | Liveness and readiness probe settings; readiness gates whether the pod receives traffic. |
| probes.liveness | object | `{"failureThreshold":2,"initialDelaySeconds":40,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10}` | Liveness probe settings; the pod is restarted if it becomes unresponsive. |
| replicaCount | int | `1` | Number of pod replicas to deploy. Default is 1. |
| resources | object | `{}` | CPU and memory requests and limits for the pod. Defaults to empty for flexibility. |
| securityContext | object | `{}` | Security settings for containers. We encourage you to follow your organization’s security policies for compliance and security. |
| service | object | `{"annotations":{},"port":443,"protocol":"TCP","type":"LoadBalancer"}` | Kubernetes Service in front of the CSE pods. A LoadBalancer on port 443 is created by default. |
| service.type | string | `"LoadBalancer"` | Type of the Kubernetes Service. Defaults to LoadBalancer. |
| serviceAccount | object | `{"annotations":{},"create":true,"name":""}` | A Kubernetes service account is created by default. A name is auto-generated if left blank. |
| serviceAccount.annotations | object | `{}` | Annotations to add to the service account. Defaults to empty. |
| testerPod | object | `{"annotations":{"helm.sh/hook":"test"},"enabled":false}` | Optional: specifies whether a test pod should be deployed. Defaults to false. |
| testerPod.annotations."helm.sh/hook" | string | `"test"` | Marks this pod as a Helm test hook. |
| tolerations | list | `[]` | List of tolerations to allow scheduling on tainted nodes. |
| volumes | list | `[]` | Uncomment the prepopulated entries under volumes (and remove the empty brackets) when using the Drive Labels integration. |