Summary
This guide walks you through deploying Virtru Private Keystore for Google Workspace Client-Side Encryption (CSE) using Helm. The deployment enables secure key management for Google Workspace CSE integration.
Note
This document assumes you have completed the Google Admin/Console Changes.
Prerequisites
Before proceeding, ensure you have:
- Completed the Google Admin/Console Changes
- Helm installed and configured on your local machine
- Access to a Kubernetes cluster with
kubectlconfigured - SSL certificate and private key for your CSE service
- HMAC credentials provided by Virtru (tokenId and tokenSecret)
- A 3rd party Identity Provider (IDP) configured for Google CSE
1. Pulling the Helm Chart
- (Optional) Install nginx for load balancing
Create a local directory to store your chart, then add Virtru's Helm charts to your local Helm repo:
helm repo add virtru-charts https://virtru-corp.github.io/virtru-charts/ helm repo update
To view your Helm repos, run:
helm repo list
You should see virtru-charts added from the URL https://virtru-corp.github.io/virtru-charts/.
1.2 Download the Chart
To download the chart for editing:
helm pull virtru-charts/cse --untar cd cse
Navigate into the cse directory and edit the values.yaml file.
2. Updating values.yaml
For a complete list of all available configuration options, see the Helm Chart Configuration Reference.
2.1 Service Configuration
By default, a LoadBalancer service is created on port 443. You can customize the service type and use a static IP address:
service:
type: LoadBalancer
port: 443
protocol: TCP
annotations: {}
# loadBalancerIP: <your-static-ip-address>Recommended: If you prefer to use an Ingress controller, disable the LoadBalancer and enable Ingress:
service:
annotations: {}
# -- Annotations for the Kubernetes service.
#type: LoadBalancer
#loadBalancerIP: <your-static-ip-address>
type: ClusterIP
portName: virtru-https
port: 443
protocol: TCP
ingress:
enabled: true
annotations:
kubernetes.io/ingress.class: "gce"
kubernetes.io/ingress.global-static-ip-name: csesrv-ip
hosts:
- host: csesrv.yourdomain.com
paths:
- path: /*
pathType: ImplementationSpecific
backend:
serviceName: cse
servicePort: 9000Note
- The
hostvalue must match the FQDN of your CSE service and your SSL certificate. - We are also using Google's ingress standard, please follow your organization or cloud provider standard
2.2 appConfig
Here are the variables you will edit in the values.yaml appConfig section.
| Chart Variable | Description | Example/Command |
|---|---|---|
jwksAuthnIssuers |
A base64-encoded map of accepted Authentication issuer IDs (from the authentication JWT) to the URL where the issuer publishes its JSON Web Keyset. This is dictated by your IDP. | echo '{ "https://accounts.google.com": "https://www.googleapis.com/oauth2/v3/certs" }' | base64 | tee jwksAuthnIssuers_base64.txt |
jwksAuthzIssuers |
A base64-encoded map of accepted Authorization issuer IDs (from the authorization JWT) to the URL where the issuer publishes its JSON Web Keyset. This is dictated by Google and is filled out by default. | Default chart value |
jwtAud |
A base64-encoded JSON map of JWT audiences for authorization and authentication.
|
echo '{ "authn": "00000000000000000.apps.googleusercontent.com", "authz":"cse-authorization" }' | base64 | tee jwtaud_base64.txt |
jwtKaclsUrl |
Public URL for your CSE service. Must match your TLS certificate. | "https://csesrv.yourdomain.com" |
useSsl |
Controls whether the application serves SSL directly. For Kubernetes deployments, this is commonly set to false and TLS is handled with a secret or ingress. |
Default chart value "false"
|
useCks |
Enables integration with a Virtru CKS deployment. | Default chart value "false"
|
cksUrl |
FQDN of your Virtru CKS service. Only needed when useCks is enabled. |
"https://cks.example.com" |
driveLabels |
Enables Google Drive Labels integration for classifying encrypted content. | See example below |
driveLabels: enabled: "false" # serviceAccountEmail: "<your-drive-admin-email-address>" # driveTime: "15" # driveLabelsTime: "15" # adminTime: "15"
Disable drive labels by default by setting the value to false comment the other variable.
2.3 appSecrets
Important
In the appSecrets section, the hmac, secretKey, and cksHmac (if using CKS) values must be plaintext, while ssl values must be base64-encoded.
| Chart Variable | Description | Example/Command |
|---|---|---|
hmac |
Authorize your Google Workspace users to the Virtru org. |
tokenId: "provided-by-virtru" tokenSecret: "provided-by-virtru" |
secretKey |
A named, base64-encoded key for CSE encryption. | echo "secretkey:$(openssl rand 32 | base64)" 2>&1 | tee secretkey.txt |
ssl |
Virtru's VPK for Google CSE runs on a secure connection from Google to the service. The certificates will be mounted into the running container. | see configuration below |
Note
If your organization is using CKS, you may comment out the secretKey variable as it will not be needed.
Important
When filling out the values.yaml file, you will need the private key and certificate chain available. Ensure the certificate matches the URL you configure for jwtKaclsUrl.
There are several approaches:
Option 1 (Default – Quick Start)
- set
useSsl: "false - comment the chart’s
sslsetting:
ssl: {}
# privateKey: <base64-encoded RSA private key>
# certificate: <base64-encoded TLS certificate>
- Instead, create a Kubernetes TLS secret:
tls:
- secretName: cse-tls-secret
hosts:
- csesrv.yourdomain.com
Option 2 (Recommended – Production)
- Use an external secrets manager (e.g., External Secrets Operator)
- Enable
externalAppSecrets - Ensure External Secrets Operator ≥ v0.16.0
- Uses
external-secrets.io/v1
Use of an external secrets manager falls outside the scope of Virtru-managed deployment support. While we can provide general guidance, configuration and setup must be handled within your organization. We are unable to assist with the setup or troubleshooting of these systems.
Option 3 (Not Recommended)
- Alternatively, you can paste the SSL directly
- Base64 encode the private key + certificate and paste them in the into the chart
values.yaml
ssl: privateKey: <base64-encoded RSA private key> certificate: <base64-encoded TLS certificate>
| Chart Variable | Description | Example/Command |
|---|---|---|
ssl.privateKey |
Your certificate's private key must be base64-encoded. | base64 csesrv.customer.com.key | tr -d '\n' | tee csesrv.customer.com.key.b64 |
ssl.certificate |
Your certificate's certificate chain must be base64-encoded. | base64 csesrv.customer.com.crt | tr -d '\n' | tee csesrv.customer.com.crt.b64 |
cksHmac |
tokenId and tokenSecret are provided by the Virtru CKS server. This is an alternative key configuration that allows you manage your virtru encryption keys for all things Virtru. Only used if you have a working Virtru Private Keystore for Virtru solutions. The |
see configuration below |
3. Installing the CSE
3.1 Verify Configuration
Before installing, run a dry-run to validate your configuration:
helm install -n virtru -f ./values.yaml cse ./ --dry-run --debug
Note
The --dry-run flag simulates the installation without making any changes. The --debug flag provides verbose output to help identify configuration issues.
3.2 Install the Chart
Use a standard Helm install command to deploy your CSE:
helm upgrade --install cse . \ -n virtru \ -f values.yaml \ --create-namespace
4. Post-Installation
- For reference on viewing the pods, logs, retrieving the service endpoint, see CSE Helm Post-Installation & Operations
- For complete setup instructions, see Kubernetes: Google CSE Labels Integration.
- For a reference of all Drive Label variables, see Reference: Drive Label Variables.
- Refer to the standard Google Admin documentation for CSE configuration in Google Admin.
Next Steps Proceed to: Create the TLS Secret and Configure Google Workspace IdP fallback option
- Please refer to Google's official documentation when configuring your application.
- Using a third party IDP