On-Premise Deployment

DeepIntShield Enterprise supports on-premise deployments for environments that cannot use cloud-native identity federation. Images are pulled from GCP Artifact Registry using username/password authentication.

Architecture

flowchart LR
    subgraph OnPrem[On-Premise Environment]
        subgraph K8s[Kubernetes Cluster]
            Pod[DeepIntShield Pod]
            Secret[imagePullSecret]
        end
        Docker[Docker Daemon]
    end

    subgraph GCP[GCP]
        AR[Artifact Registry<br/>DeepIntShield Images]
    end

    Secret -->|Credentials| Pod
    Pod -->|Pull| AR
    Docker -->|Pull| AR
    AR -->|Image| Pod
    AR -->|Image| Docker

Prerequisites

• Kubernetes cluster (v1.23+) or Docker runtime
• Network access to us-central1-docker.pkg.dev (or your designated region)
• Docker credentials provided by DeepIntShield team

Note

Contact the DeepIntShield team to receive your Docker username and password credentials.

Credentials

The DeepIntShield team will provide you with:

Credential	Description
Username	_json_key (fixed value for GCP Artifact Registry)
Password	Service account JSON key (base64 encoded or raw JSON)
Registry	REGION-docker.pkg.dev (e.g., us-central1-docker.pkg.dev)
Repository	REGION-docker.pkg.dev/DEEPINTSHIELD_PROJECT/YOUR_HUB_SLUG

Caution

Store credentials securely. Never commit them to version control or expose them in logs.

Docker Deployment

Step 1: Login to Registry

# Using the JSON key file
cat deepintshield-credentials.json | docker login -u _json_key --password-stdin https://REGION-docker.pkg.dev

# Or using the password directly
docker login -u _json_key -p "$(cat deepintshield-credentials.json)" https://REGION-docker.pkg.dev

Step 2: Pull the Image

docker pull REGION-docker.pkg.dev/DEEPINTSHIELD_PROJECT/YOUR_HUB_SLUG/deepintshield:latest

Step 3: Run DeepIntShield

docker run -d \
  --name deepintshield \
  -p 8080:8080 \
  -v /path/to/config.json:/app/data/config.json:ro \
  -v /path/to/data:/app/data \
  REGION-docker.pkg.dev/DEEPINTSHIELD_PROJECT/YOUR_HUB_SLUG/deepintshield:latest

Kubernetes Deployment

Step 1: Create Namespace

kubectl create namespace deepintshield

Step 2: Create imagePullSecret

From JSON Key File

kubectl create secret docker-registry deepintshield-pull-secret \
  --docker-server=REGION-docker.pkg.dev \
  --docker-username=_json_key \
  --docker-password="$(cat deepintshield-credentials.json)" \
  --namespace=deepintshield

From Base64 Key

# If you received a base64-encoded key
kubectl create secret docker-registry deepintshield-pull-secret \
  --docker-server=REGION-docker.pkg.dev \
  --docker-username=_json_key \
  --docker-password="$(echo 'BASE64_ENCODED_KEY' | base64 -d)" \
  --namespace=deepintshield

Using YAML

apiVersion: v1
kind: Secret
metadata:
  name: deepintshield-pull-secret
  namespace: deepintshield
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: <BASE64_ENCODED_DOCKER_CONFIG>

Generate the base64-encoded config:

# Create docker config
cat <<EOF > docker-config.json
{
  "auths": {
    "REGION-docker.pkg.dev": {
      "username": "_json_key",
      "password": "$(cat deepintshield-credentials.json | tr -d '\n')",
      "auth": "$(echo -n '_json_key:'$(cat deepintshield-credentials.json | tr -d '\n') | base64 -w 0)"
    }
  }
}
EOF

# Base64 encode for secret
cat docker-config.json | base64 -w 0

Step 3: Create DeepIntShield Configuration

Note

If you use PostgreSQL for config_store or logs_store, ensure the target database is UTF8 encoded. See PostgreSQL UTF8 Requirement.

apiVersion: v1
kind: Secret
metadata:
  name: deepintshield-config
  namespace: deepintshield
type: Opaque
stringData:
  config.json: |
    {
      "config_store": {
        "enabled": true,
        "type": "postgres",
        "config": {
          "host": "postgres.deepintshield.svc.cluster.local",
          "port": "5432",
          "user": "deepintshield",
          "password": "YOUR_PASSWORD",
          "db_name": "deepintshield",
          "ssl_mode": "disable"
        }
      },
      "logs_store": {
        "enabled": true,
        "type": "postgres",
        "config": {
          "host": "postgres.deepintshield.svc.cluster.local",
          "port": "5432",
          "user": "deepintshield",
          "password": "YOUR_PASSWORD",
          "db_name": "deepintshield",
          "ssl_mode": "disable"
        }
      }
    }

Step 4: Deploy DeepIntShield

apiVersion: apps/v1
kind: Deployment
metadata:
  name: deepintshield
  namespace: deepintshield
spec:
  replicas: 2
  selector:
    matchLabels:
      app: deepintshield
  template:
    metadata:
      labels:
        app: deepintshield
    spec:
      imagePullSecrets:
      - name: deepintshield-pull-secret
      containers:
      - name: deepintshield
        image: REGION-docker.pkg.dev/DEEPINTSHIELD_PROJECT/YOUR_HUB_SLUG/deepintshield:latest
        ports:
        - containerPort: 8080
          name: http
        resources:
          requests:
            cpu: "250m"
            memory: "512Mi"
          limits:
            cpu: "1000m"
            memory: "2Gi"
        livenessProbe:
          httpGet:
            path: /health
            port: 8080
          initialDelaySeconds: 30
          periodSeconds: 10
        readinessProbe:
          httpGet:
            path: /health
            port: 8080
          initialDelaySeconds: 10
          periodSeconds: 5
        volumeMounts:
        - name: config
          mountPath: /app/data/config.json
          subPath: config.json
        - name: data
          mountPath: /app/data
      volumes:
      - name: config
        secret:
          secretName: deepintshield-config
      - name: data
        persistentVolumeClaim:
          claimName: deepintshield-data
---
apiVersion: v1
kind: Service
metadata:
  name: deepintshield
  namespace: deepintshield
spec:
  selector:
    app: deepintshield
  ports:
  - port: 80
    targetPort: 8080
    protocol: TCP
  type: ClusterIP
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: deepintshield-data
  namespace: deepintshield
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi

Step 5: Expose DeepIntShield (Optional)

Ingress

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: deepintshield
  namespace: deepintshield
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: "50m"
spec:
  ingressClassName: nginx
  rules:
  - host: deepintshield.your-domain.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: deepintshield
            port:
              number: 80
  tls:
  - hosts:
    - deepintshield.your-domain.com
    secretName: deepintshield-tls

LoadBalancer

apiVersion: v1
kind: Service
metadata:
  name: deepintshield-lb
  namespace: deepintshield
spec:
  selector:
    app: deepintshield
  ports:
  - port: 80
    targetPort: 8080
    protocol: TCP
  type: LoadBalancer

NodePort

apiVersion: v1
kind: Service
metadata:
  name: deepintshield-nodeport
  namespace: deepintshield
spec:
  selector:
    app: deepintshield
  ports:
  - port: 80
    targetPort: 8080
    nodePort: 30080
    protocol: TCP
  type: NodePort

Docker Compose Deployment

For simpler deployments without Kubernetes:

version: '3.8'

services:
  deepintshield:
    image: REGION-docker.pkg.dev/DEEPINTSHIELD_PROJECT/YOUR_HUB_SLUG/deepintshield:latest
    container_name: deepintshield
    ports:
      - "8080:8080"
    volumes:
      - ./config.json:/app/data/config.json:ro
      - deepintshield-data:/app/data
    environment:
      - DEEPINTSHIELD_LOG_LEVEL=info
    healthcheck:
      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8080/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 40s
    restart: unless-stopped

  postgres:
    image: postgres:15-alpine
    container_name: deepintshield-postgres
    environment:
      - POSTGRES_USER=deepintshield
      - POSTGRES_PASSWORD=YOUR_PASSWORD
      - POSTGRES_DB=deepintshield
    volumes:
      - postgres-data:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U deepintshield"]
      interval: 10s
      timeout: 5s
      retries: 5
    restart: unless-stopped

volumes:
  deepintshield-data:
  postgres-data:

Login to registry before running:

cat deepintshield-credentials.json | docker login -u _json_key --password-stdin https://REGION-docker.pkg.dev
docker compose up -d

Air-Gapped Environments

For environments without internet access, you can mirror the image to your internal registry.

Step 1: Pull Image (Internet-Connected Machine)

# Login and pull
cat deepintshield-credentials.json | docker login -u _json_key --password-stdin https://REGION-docker.pkg.dev
docker pull REGION-docker.pkg.dev/DEEPINTSHIELD_PROJECT/YOUR_HUB_SLUG/deepintshield:latest

# Save to tar file
docker save REGION-docker.pkg.dev/DEEPINTSHIELD_PROJECT/YOUR_HUB_SLUG/deepintshield:latest > deepintshield-image.tar

Step 2: Transfer and Load (Air-Gapped Machine)

# Load image
docker load < deepintshield-image.tar

# Tag for internal registry
docker tag REGION-docker.pkg.dev/DEEPINTSHIELD_PROJECT/YOUR_HUB_SLUG/deepintshield:latest \
  internal-registry.company.com/deepintshield:latest

# Push to internal registry
docker push internal-registry.company.com/deepintshield:latest

Step 3: Update Kubernetes Manifests

Update the image reference in your deployment:

containers:
- name: deepintshield
  image: internal-registry.company.com/deepintshield:latest

Credential Rotation

When the DeepIntShield team rotates your credentials:

Update Docker Login

cat new-credentials.json | docker login -u _json_key --password-stdin https://REGION-docker.pkg.dev

Update Kubernetes Secret

# Delete old secret
kubectl delete secret deepintshield-pull-secret -n deepintshield

# Create new secret
kubectl create secret docker-registry deepintshield-pull-secret \
  --docker-server=REGION-docker.pkg.dev \
  --docker-username=_json_key \
  --docker-password="$(cat new-credentials.json)" \
  --namespace=deepintshield

# Restart deployment to pick up new secret
kubectl rollout restart deployment/deepintshield -n deepintshield

Verifying Access

Test Docker Authentication

# Verify login
docker login -u _json_key -p "$(cat deepintshield-credentials.json)" https://REGION-docker.pkg.dev

# Test pull
docker pull REGION-docker.pkg.dev/DEEPINTSHIELD_PROJECT/YOUR_HUB_SLUG/deepintshield:latest

Verify Kubernetes Secret

# Check secret exists
kubectl get secret deepintshield-pull-secret -n deepintshield

# Verify secret content (base64 encoded)
kubectl get secret deepintshield-pull-secret -n deepintshield -o jsonpath='{.data.\.dockerconfigjson}' | base64 -d

Troubleshooting

ImagePullBackOff Errors

# Check pod events
kubectl describe pod -l app=deepintshield -n deepintshield

# Common issues:
# - "unauthorized": Invalid credentials - check username/password
# - "not found": Wrong repository path - verify with DeepIntShield team
# - "connection refused": Network issue - check firewall rules

Network Connectivity

# Test DNS resolution
nslookup REGION-docker.pkg.dev

# Test HTTPS connectivity
curl -v https://REGION-docker.pkg.dev/v2/

# Required outbound access:
# - REGION-docker.pkg.dev:443
# - oauth2.googleapis.com:443 (for token refresh)

Credential Issues

# Verify JSON key format
cat deepintshield-credentials.json | jq .

# Check key hasn't expired
cat deepintshield-credentials.json | jq '.private_key_id'

# Contact DeepIntShield team if credentials are invalid

Security Best Practices

1. Store credentials securely: Use a secrets manager (Vault, AWS Secrets Manager) for credential storage
2. Limit access: Only grant imagePullSecret access to required namespaces
3. Rotate regularly: Request credential rotation from DeepIntShield team periodically
4. Audit access: Monitor image pull logs for unauthorized access attempts
5. Network isolation: Restrict outbound access to only required registry endpoints

Next Steps

• Configure DeepIntShield settings for your use case
• Set up observability for monitoring
• Enable clustering for high availability