Overview
After deploying Virtru Client-Side Encryption (CSE), you may need to:
- view pod status
- stream logs
- troubleshoot unhealthy pods
- upgrade to a newer chart version
- roll back a failed release
This guide covers the most common post-installation operations for managing your CSE deployment.
Verify Deployment
Check that all pods are running:
kubectl -n virtru get pods
Verify the pods are healthy and ready:
kubectl -n virtru describe deployment cse
Check logs for any errors:
kubectl -n virtru logs -l name=cse --tail=100
kubectl -n virtru logs -l app.kubernetes.io/name=cse --tail=100
Retrieve Service Endpoint
Retrieve the public endpoint for your DNS record:
kubectl -n virtru get services
Alternatively, get the ingress IP. This IP address will be used as an A record in your DNS entries:
kubectl -n virtru get ingress
Use the public endpoint when relaying traffic from Google to your new CSE.
Uninstall the Helm Release
This removes:
- Deployments
- Pods
- Services
- Ingress resources
helm uninstall cse -n virtru
Verify:
helm list -n virtru
Upgrading the CSE Deployment
Ensure your local Helm repository is up to date:
helm repo update
Best Practice
Always pin to a specific chart version in production environments to ensure reproducible deployments.
helm pull virtru-charts/cse --version 1.1.0 --untar
Review Changes (Optional)
Before upgrading, you can review differences between the current deployment and the new chart version:
helm diff upgrade -n virtru -f ./values.yaml cse virtru-charts/cse
Note
The helm diff plugin must be installed separately:
helm plugin install https://github.com/databus23/helm-diff
Perform the Upgrade
Upgrade your existing CSE deployment:
helm upgrade -n virtru -f ./values.yaml cse virtru-charts/cse --atomic --timeout 5m
Best Practice
For production environments, pin to a specific chart version to ensure consistent and predictable upgrades:
helm upgrade -n virtru -f ./values.yaml cse virtru-charts/cse --version 1.2.0 --atomic --timeout 5m
Troubleshooting
8.1 Rolling Back a Failed Deployment
View the Helm release history:
helm -n virtru history cse
Roll back to a previous revision:
helm -n virtru rollback cse <revision-number>
Viewing Logs
Check that all pods are running:
kubectl -n virtru get pods
View logs for all CSE pods:
kubectl -n virtru logs -l app.kubernetes.io/name=cse --tail=100
Describe the pod that is restarting:
kubectl -n virtru describe pod <pod-name>
View logs for a specific pod:
kubectl -n virtru logs <pod-name>
Delete an unhealthy pod:
kubectl -n virtru delete pod <pod-name>
Show the actual labels on the pods:
kubectl -n virtru get pods --show-labels
View logs using the label selector that matches those labels:
kubectl -n virtru logs -l app.kubernetes.io/name=cse
For live streaming logs in real time:
kubectl -n virtru logs -f -l app.kubernetes.io/name=cse
8.3 Common Issues
| Symptom | Possible Cause | Solution |
|---|---|---|
| Pods stuck in Pending | Insufficient cluster resources | Check node capacity with kubectl describe nodes |
| Pods in CrashLoopBackOff | Configuration or secrets issue | Review logs and verify values.yaml configuration |
| Pods in ImagePullBackOff | Unable to pull container image | Verify image registry access and pull secrets |
| SSL/TLS errors | Certificate mismatch or encoding issue | Ensure certificate matches jwtKaclsUrl and is correctly formatted |
| External secrets not syncing | Operator version mismatch | Ensure External Secrets Operator is version 0.16.0 or higher |
| Service has no external IP | Load balancer not provisioned | Verify cloud provider configuration and quotas |
| Authentication failures from Google | Incorrect JWT configuration | Validate jwtAud, jwksAuthnIssuers, and jwksAuthzIssuers |
| Readiness/Liveness probe failures | Application startup delay or health issue | Check logs and consider adjusting probe initialDelaySeconds in Helm Chart Configuration Reference |
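The pod-status rows of the table above can be checked mechanically. The following is an added example, not part of Virtru's chart or documentation: a shell function that reads kubectl get pods output and prints the matching hint from the table for each unhealthy pod. The function names and the sample pod names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Virtru's code): triage pod status using the Common Issues table.
# Live use: kubectl -n virtru get pods --no-headers | triage_pods

# Constructed sample of `kubectl -n virtru get pods` output; pod names are made up.
sample_pods() {
    cat <<'EOF'
NAME                  READY   STATUS             RESTARTS      AGE
cse-7d9c6b5f4-abcde   1/1     Running            0             3d
cse-7d9c6b5f4-fghij   0/1     CrashLoopBackOff   5 (30s ago)   10m
cse-7d9c6b5f4-klmno   0/1     Pending            0             2m
cse-7d9c6b5f4-pqrst   0/1     Running            0             1m
EOF
}

# Reads pod rows on stdin, prints "name<TAB>status<TAB>hint" for each unhealthy pod.
# Returns 1 if any pod needs attention, 0 otherwise, so it can gate a deploy script.
triage_pods() {
    awk '
    $1 == "NAME" || NF < 3 { next }        # skip the header and malformed rows
    {
        split($2, ready, "/")              # READY column is "ready/total"
        if ($3 == "Pending")
            hint = "insufficient cluster resources: kubectl describe nodes"
        else if ($3 == "CrashLoopBackOff")
            hint = "configuration or secrets issue: review logs and values.yaml"
        else if ($3 == "ImagePullBackOff")
            hint = "image pull failed: verify registry access and pull secrets"
        else if ($3 == "Running" && ready[1] != ready[2])
            hint = "probe failing: check logs and probe initialDelaySeconds"
        else
            next                           # healthy or a status the table does not cover
        printf "%s\t%s\t%s\n", $1, $3, hint
        bad++
    }
    END { exit (bad > 0 ? 1 : 0) }
    '
}
```

Run sample_pods | triage_pods to see the output on the constructed sample; the STATUS value is always read from the third column, so the extra words in a RESTARTS value such as "5 (30s ago)" do not shift it.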
Google Workspace Integration
Once your CSE service is deployed and reachable:
- Configure Google Workspace to connect to your CSE service
- Use the Google IdP fallback option or your configured IdP
- Follow Google’s official documentation for completing the integration
Additional Resources
| Resource | Description |
|---|---|
| Helm Chart Configuration Reference | Complete list of all configurable Helm values |
| Reference: ENV Variables | Environment variable reference for Virtru services |
| Kubernetes: Google CSE Labels Integration | Guide for enabling Drive Labels integration |
| Reference: Drive Label Variables | Detailed configuration options for Drive Labels |
| Reference: How Google CSE Labels Work | Overview of Drive Labels functionality |