Deployment
To get started with the Antimatter database proxy, you will need the following:
- A valid Antimatter domain and API key.
- A write-context (e.g., default).
- A read-context (e.g., default).
- Connection details for the database you wish to use with the Antimatter encryption proxy.*
We also recommend creating a subordinate peer domain using the peer-domain API endpoint at this stage. This will be useful for later cryptographic operations.
* Alternatively, if you're working in a development environment, we offer a Docker container here, which includes an example dataset for you to experiment with.
Configuration File
To simplify configuration across various deployment platforms, the Antimatter database proxy supports setup via a configuration file. Before deploying the proxy, you'll need to generate this file with your specific configuration details.
mkdir -p /tmp/antimatter   # directory that the deployments below mount into the container
cat > /tmp/antimatter/intercept.yaml <<'EOF'   # quoted delimiter: no shell expansion inside secrets
encryption-parameters:
  domain-id: <Antimatter domain ID>
  api-key: <Antimatter domain ID's API key>
  write-context: <valid write-context name>
  read-context: <valid read-context name>
  api-url: "https://api.antimatter.io"
proxy:
  credentials:
    address: "proxy"
    port: "5432"
    username: "root"
    password: "password"
upstream:
  credentials:
    address: <upstream database's address>
    port: <upstream database's port>
    username: <upstream database's username>
    password: <upstream database's password>
  databases:
    - <database to proxy name 1>
    - <database to proxy name 2>
    - <database to proxy name 3>
    - ...
EOF
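A pre-deployment check for the file generated above, added here as an example and not part of Antimatter's tooling: it flags template placeholders left in place, the sample proxy password, a non-HTTPS api-url, and group/other permission bits on a file that holds an API key and two passwords. The function name, the finding labels, and the expectation that the container can read an owner-only file are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Antimatter code): lint intercept.yaml before deploying.
# Prints one finding per line; returns 0 when clean, 1 when anything is flagged.
check_intercept_config() (
    f=$1
    findings=0
    report() { printf '%s\n' "$1"; findings=$((findings + 1)); }

    [ -r "$f" ] || { echo "unreadable: $f"; exit 2; }

    # 1. Template placeholders such as <upstream database's password> left in.
    n=$(grep -cE '(:|-)[[:space:]]*<[^>]+>[[:space:]]*$' "$f" || true)
    [ "$n" -eq 0 ] || report "placeholder: $n value(s) still hold <...> template text"

    # 2. The sample proxy password shown in the documentation.
    if grep -qE '^[[:space:]]*password:[[:space:]]*"?password"?[[:space:]]*$' "$f"; then
        report "default-credential: password is the documented sample value"
    fi

    # 3. The Antimatter API endpoint should be reached over HTTPS.
    url=$(sed -nE 's/^[[:space:]]*api-url:[[:space:]]*"?([^"[:space:]]+)"?.*$/\1/p' "$f")
    case $url in
        https://*) ;;
        '') report "api-url: missing" ;;
        *)  report "api-url: not HTTPS ($url)" ;;
    esac

    # 4. The file holds an API key and passwords: flag group/other mode bits.
    #    Assumption: the container can still read an owner-only file.
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] || report "permissions: group/other bits set ($perms)"

    [ "$findings" -eq 0 ]
)

# Usage: sh check_intercept.sh /tmp/antimatter/intercept.yaml
[ "$#" -eq 0 ] || check_intercept_config "$1"
```

The checks match on lines rather than on YAML structure, so they behave the same however the file is indented.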
Kubernetes manifest
Kubernetes is a platform for automating the deployment, scaling, and management of containerized applications. Below is a basic Kubernetes manifest for deploying a pod that runs the Antimatter database proxy intercept and engine. This manifest uses the default path values outlined in the Configuration File section above and can be applied directly to your cluster.
Please note that images maintained by Antimatter are subject to update.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: db-proxy-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: db-proxy-app
  template:
    metadata:
      labels:
        app: db-proxy-app
    spec:
      containers:
        - name: db-proxy-intercept
          image: antimatterio/db-proxy-intercept:latest
          env:
            - name: ANTIMATTER_INTERCEPT_CONFIG
              value: "/tmp/antimatter/intercept.yaml"
            - name: PRODUCTION_MODE
              value: "true"
          ports:
            - containerPort: 54322
          volumeMounts:
            - name: antimatter-config
              mountPath: /tmp/antimatter
        - name: db-proxy-engine
          image: antimatterio/db-proxy-engine:latest
          env:
            - name: POSTGRES_USER
              value: root
            - name: POSTGRES_PASSWORD
              value: password
            - name: POSTGRES_DB
              value: postgres
          ports:
            - containerPort: 5432
          volumeMounts:
            - name: db-proxy-engine-data
              mountPath: /var/lib/postgresql/data
      volumes:
        - name: antimatter-config
          hostPath:
            path: /tmp/antimatter
        - name: db-proxy-engine-data
          persistentVolumeClaim:
            claimName: db-proxy-engine-data-pvc
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: db-proxy-engine-data-pvc
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 3Gi
---
apiVersion: v1
kind: Service
metadata:
  name: db-proxy-service
spec:
  type: NodePort
  ports:
    - name: db-proxy-intercept-port
      port: 5432
      targetPort: 54322
      nodePort: 32432
    - name: db-proxy-engine-port
      port: 54322
      targetPort: 5432
      nodePort: 30433
  selector:
    app: db-proxy-app
Docker compose
Below is a minimal Docker Compose file to start the Antimatter database proxy using Docker containers. It utilizes the default path values specified in the Configuration File section above and can be applied directly.
Please note that images maintained by Antimatter are subject to update.
version: '3.8'
services:
  intercept:
    image: antimatterio/db-proxy-intercept:latest
    container_name: db-proxy-intercept
    profiles: ["full", "no-infra"]   # started only when a profile is selected, e.g. docker compose --profile full up
    environment:
      ANTIMATTER_INTERCEPT_CONFIG: "/tmp/antimatter/intercept.yaml"
      PRODUCTION_MODE: "true"   # quoted: Compose expects boolean-like values as strings
    depends_on:
      engine:   # must name the service that defines the healthcheck below
        condition: service_healthy
    ports:
      - "5432:54322"
    volumes:
      - /tmp/antimatter:/tmp/antimatter
    extra_hosts:
      - "host.docker.internal:host-gateway"
  engine:
    image: antimatterio/db-proxy-engine:latest
    container_name: db-proxy-engine
    profiles: ["full", "no-infra"]
    ports:
      - "8433:5432"
    environment:
      POSTGRES_USER: root
      POSTGRES_PASSWORD: password
      POSTGRES_DB: postgres
    volumes:
      - proxy_data:/var/lib/postgresql/data
    healthcheck:
      test: [ "CMD-SHELL", "pg_isready -U root -h 127.0.0.1 -p 5432" ]
      interval: 3s
      timeout: 1s
      retries: 10
volumes:
  proxy_data: