Overview
This document provides step-by-step instructions for configuring and deploying the Virtru Customer Key Server (CKS) using Helm in a Kubernetes environment.
The primary focus is on properly editing the values.yaml file, including:
- Authentication tokens (authTokenJson)
- RSA key configuration
- Ingress and TLS settings
1. Pull the Helm Chart
(Optional) Install nginx for load balancing
Create a working directory and add the Virtru Helm repository:
helm repo add virtru-charts https://virtru-corp.github.io/virtru-charts/
helm repo update
Verify:
helm repo list
Download the CKS chart locally:
helm pull virtru-charts/cks --untar
cd cks
1.1 Generate the Chart Details
Generating the chart details directly on the Kubernetes cluster can reduce operational overhead by eliminating the need to provision a separate Linux server and manually transfer values into a Helm chart.
- Follow these steps to install the uuidgen utility
- Navigate to the cks directory:
  cd cks
- Run the ./generate-helm-details.sh script to generate the required chart details.
- Navigate to the /cks/cks-setup-helm-details/ directory and copy the chart details
- Replace the self-signed certificate with a valid CA-signed TLS certificate
- Email send_to_virtru.tar.gz to Virtru
- Please click here for detailed steps on downloading the send_to_virtru.tar.gz file.
Once the script has completed successfully, a file, send_to_virtru.tar.gz, will be in your /cks/cks-setup-helm-details/ directory. This file contains the information Virtru needs to communicate with your CKS appliance. Send the file to the deployment team via Secure Share.
2. Updating values.yaml
2.1 Ingress Configuration
Update your FQDN:
ingress:
  enabled: true
  annotations:
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  hosts:
    - host: cks.yourdomain.com  # replace this with your CKS URL
      paths:
        - path: /*
          pathType: ImplementationSpecific
          backend:
            serviceName: cks
            servicePort: 443
2.2 TLS Secret Configuration
⚠️ Do NOT paste certificate contents into values.yaml
There are two approaches:
Option 1 (Default – Quick Start)
- Instead, reference a Kubernetes TLS secret:
  tls:
    - secretName: cks-tls-secret
      hosts:
        - cks.yourdomain.com
Option 2 (Recommended – Production)
- Use an external secrets manager (e.g., External Secrets Operator)
- Enable externalAppSecrets
- Ensure External Secrets Operator ≥ v0.16.0
- Uses external-secrets.io/v1
Use of an external secrets manager falls outside the scope of Virtru-managed deployment support. While we can provide general guidance, configuration and setup must be handled within your organization. We are unable to assist with the setup or troubleshooting of these systems.
2.3 Virtru Organization ID
appConfig:
  virtruOrgId: "YOUR_ORG_ID"
- (Provided by your Virtru Deployment Engineer)
2.4 Authentication Token Configuration
From your Linux server:
/var/virtru/cks/env/cks.env
OR
/var/virtru/cks/token-store/tokens.json
- Update the helm chart appSecrets with the copied tokens.json value
appSecrets:
  virtruAuth:
    data:
      authTokenJson: |
        BASE64_ENCODED_VALUE
- Must be base64 encoded
- Example command to base64 encode (token.json):
printf '[{"displayName":"Token For the Virtru ACM to access this CKS","tokenId":"virtru-2026-09-28@token.virtru.com","lastModified":"2026-01-01T20:40:18.004Z","created":"2026-00-00T23:08:08.004Z","state":"active","version":"1.9.0","attributes":[{"value":"value","key":"virtru:data:creator"},{"value":"user@virtru.com","key":"virtru:data:owner"},{"value":"service","key":"virtru:service:type"}],"encryptedToken":{"secret":"Mvalue"}}]' \
  | base64 | tr -d '\n' | tee authTokenJson.b64
- Example command to base64 decode (token.json) and check the value:
base64 --decode authTokenJson.b64
2.5 RSA Key Configuration
From the Linux server:
/var/virtru/cks/keys/rsa001.pub
/var/virtru/cks/keys/rsa001.pem
- Update the helm chart appSecrets with the copied key values
appSecrets:
  virtruKeys:
    data:
      rsa001.pub: |
        -----BEGIN PUBLIC KEY-----
        <public key>
        -----END PUBLIC KEY-----
      rsa001.pem: |
        -----BEGIN RSA PRIVATE KEY-----
        <private key>
        -----END RSA PRIVATE KEY-----
⚠️ Critical Notes:
- Maintain exact formatting
- Do not modify key structure
- Indentation must be correct - use nano through the terminal for accurate indentation
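The authentication token and RSA key sections above both hinge on getting the value encoding and the YAML indentation exactly right. The following Python helper is an added example, not part of this guide or the Virtru chart: it validates tokens.json, base64-encodes it on a single line, checks that each PEM block carries the expected BEGIN/END lines, and renders the appSecrets block with the indentation the chart expects. The sample token and key bodies are constructed placeholders; in a real deployment read the inputs from the paths named above.

```python
import base64
import json

# Constructed sample inputs (not real Virtru data). In a real deployment read these
# from /var/virtru/cks/token-store/tokens.json and /var/virtru/cks/keys/rsa001.{pub,pem}.
SAMPLE_TOKENS = json.dumps([{"displayName": "Token For the Virtru ACM to access this CKS",
                             "tokenId": "virtru-2026-09-28@token.virtru.com", "state": "active",
                             "encryptedToken": {"secret": "PLACEHOLDER"}}])
SAMPLE_PUB = "-----BEGIN PUBLIC KEY-----\nPLACEHOLDER_PUBLIC_KEY\n-----END PUBLIC KEY-----\n"
SAMPLE_PEM = "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER_PRIVATE_KEY\n-----END RSA PRIVATE KEY-----\n"

def encode_tokens(tokens_json: str) -> str:
    """Validate tokens.json and return the single-line base64 value for authTokenJson."""
    tokens = json.loads(tokens_json)  # reject malformed JSON before it reaches the chart
    if not isinstance(tokens, list) or not all(
        isinstance(t, dict) and {"tokenId", "encryptedToken"}.issubset(t) for t in tokens
    ):
        raise ValueError("tokens.json must be a list of tokens with tokenId and encryptedToken")
    return base64.b64encode(tokens_json.encode("utf-8")).decode("ascii")

def decode_tokens(token_b64: str) -> str:
    """Reverse of encode_tokens: the same check as `base64 --decode authTokenJson.b64`."""
    return base64.b64decode(token_b64, validate=True).decode("utf-8")

def check_pem(pem: str, label: str) -> str:
    """Keep exactly the BEGIN/END lines the chart expects and strip stray whitespace."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if len(lines) < 3 or lines[0] != f"-----BEGIN {label}-----" or lines[-1] != f"-----END {label}-----":
        raise ValueError(f"expected a {label} PEM block")
    return "\n".join(lines)

def block_scalar(text: str, indent: int) -> str:
    """Render text as a YAML literal block (|) with every line indented by `indent` spaces."""
    pad = " " * indent
    return "|\n" + "\n".join(pad + line for line in text.splitlines())

def render_app_secrets(tokens_json: str, pub: str, pem: str) -> str:
    """Build the appSecrets section of values.yaml with the indentation the chart expects."""
    return "\n".join([
        "appSecrets:",
        "  virtruAuth:",
        "    data:",
        "      authTokenJson: " + block_scalar(encode_tokens(tokens_json), 8),
        "  virtruKeys:",
        "    data:",
        "      rsa001.pub: " + block_scalar(check_pem(pub, "PUBLIC KEY"), 8),
        "      rsa001.pem: " + block_scalar(check_pem(pem, "RSA PRIVATE KEY"), 8),
    ]) + "\n"
```

Paste the rendered block into values.yaml as-is; because the private key ends up in the chart values, prefer the external secrets approach from Option 2 for production.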
5. Deploy the Helm Chart
helm upgrade --install cks . \
  -n virtru \
  -f values.yaml \
  --create-namespace
6. Post-Deployment Validation
Check Pods
kubectl get pods -n virtru
Check Helm Release
helm list -n virtru
Check Services
kubectl get svc -n virtru
Check Logs
kubectl logs <pod-name> -f -n virtru
7. Retrieve CKS Endpoint
kubectl describe ingress -n virtru
Use the load balancer endpoint for:
- Adding the external endpoint as an A record to your DNS records
8. Go-Live Preparation
- Send send_to_virtru.tar.gz to Virtru
- Coordinate go-live with the Deployment Team
- Test the key wrap procedure