Contents x
Deploy Server into Google Cloud Platform using Kubernetes
  • 18 Oct 2020
  • 2 Minutes to read
  • Print
  • Dark
    Light
  • PDF
Contents

Deploy Server into Google Cloud Platform using Kubernetes

  • Updated on 18 Oct 2020
  • 2 Minutes to read
  • Print
  • Dark
    Light
  • PDF

This article describes the steps needed to deploy the SecureCircle Server into Google Cloud Platform (GCP) using Kubernetes.

Step 1 - Create site-specific config and static data

  1. Change working directory to the volumeimage directory (your volumeimage will be supplied to you via the SecureCircle Support Portal).
  2. Complete the prerequsites in for pushing images to the GCP Docker registry: https://cloud.google.com/container-registry/docs/pushing-and-pulling
  3. Execute the following, where #projectname# is the name of the GCP project:
docker build -t us.gcr.io/#projectname#/securecircleconfigdata:1 .
docker push us.gcr.io/#projectname#/securecircleconfigdata:1

Step 2 - Push SecureCircle Server images to GCP Repo

  • Download the Docker image archives for the latest version of SecureCircle from the Server Downloads page.
  • Push each image to the GCP repo.
docker load --input securecircle-#service#:#version#.tar.gz
docker tag securecircle-#service#:#version# us.gcr.io/#projectname#/securecircle-#service#:#version#
docker push us.gcr.io/#projectname#/securecircle-#service#:#version#

Step 3 - Customize the Kubernetes configuration files

  1. Execute the following command, which replaces the string !REPOBASE! with your repo's base in the file securecircle-deployment.yaml (Kubernetes configuration files will be supplied to you via the SecureCircle Support Portal). For example, for a project name of securecircle-k8s, and the repo base of us.gcr.io/securecircle-k8s, the command would be: sed -i 's@!REPOBASE!@us.gcr.io/securecircle-k8s@g' securecircle-deployment.yaml
sed -i 's@!REPOBASE!@us.gcr.io/#projectname#@g' securecircle-deployment.yaml
  1. Edit securecircle-configmap.yaml and populate CONFIGDATA_IMAGE with "us.gcr.io/#projectname#/securecircleconfigdata:1", replacing #projectname# with the name of the GCP project.

Step 4 - Deploy a MySQL-based CloudSQL instance (>=5.6)

Allow CloudSQL Proxy access to SQL database.

  1. Create an IAM service account with Cloud SQL Client and Cloud SQL Viewer role access to the SQL instance. Create a key for the account and download (json file).
  2. Ensure the Cloud SQL Admin API is enabled for this project (see https://console.developers.google.com/apis/api/sqladmin.googleapis.com/overview)
  3. Execute the following to store the downloaded IAM service role json credentials file as a secret, replacing #path_to_iam_service_role_credentials_json# with the path to the file on your local machine:
kubectl create secret generic securecircle-cloudsql-instance-credentials --from-file=credentials.json=#path_to_iam_service_role_credentials_json#

Configure MySQL Users and Databases

  1. Use the SQL->->Users dialog in GCP Web UI to create a user. Allow any host (%)
  2. Use the SQL->->Databases dialog in GCP Web UI to create six databases named as follows: Tracker, Spare, Runtime, System, Share, Logging.
  3. Use the SQL->->->Add Database Flags dialog in GCP Web UI to set sql_mode with the following values: ONLY_FULL_GROUP_BY, STRICT_TRANS_TABLES, NO_ZERO_IN_DATE, NO_ZERO_DATE, ERROR_FOR_DIVISION_BY_ZERO, NO_ENGINE_SUBSTITUTION, ANSI_QUOTES.
  4. Execute the following to store the MySQL username and password as a secret, replacing #MySQLUsername# and #MySQLPassword# with the username and password previously created:
kubectl create secret generic securecircle-mysql-cred --from-literal=SQL_PASSWORD=#MySQLPassword# --from-literal=SQL_USERNAME=#MySQLUsername#

Step 5 - Edit securecircle-configmap.yaml with appropriate environment settings.

  1. Edit securecircle-configmap.yaml, setting CLOUDSQL_INSTANCE to CloudSQL Instance Connection Name (e.g., securecircle-k8s:us-west2:securecircle-k8s-sql-1) the and SERVER_FQDN to the DNS name (FQDN) which clients will use to access the SecureCircle Server.

Step 6 - Create TLS Secret for Load Balancer

  1. Run the following command, setting the appropriate paths to certificate chain and key files.
kubectl create secret tls securecircle-tls-secret --cert=#path_to_chain_file --key=#path_to_key_file

Step 7 - Apply the Kubernetes config in the base directory.

  1. Run the kubectl apply command in the base directory.
kubectl apply -f .
Was this article helpful?
What's Next
SecureCircle delivers a SaaS-based cybersecurity service that extends Zero Trust security to data on the endpoint. At SecureCircle, we believe frictionless data security drives business value for our customers. Instead of relying on complex reactive measures, we simply secure data persistently in transit, at rest, and even in use. End users operate without obstacles, while data is continuously secured against breaches and insider threats.
Company
Collateral
Resources
Support
Connect With Us
Sales
Copyright © 2021 SecureCircle LLC. All Rights Reserved