This page documents AlloyDB Omni version 18.1.0 using the Kubernetes deployment option. Choose a different deployment option .

Create a TDE-enabled cluster

Select a documentation version:

The AlloyDB Omni Kubernetes operator automates the lifecycle of Transparent Data Encryption (TDE) clusters using the TdeConfig custom resource. This resource stores Key Management Service (KMS) connection details, enabling the operator to securely inject required credentials into database pods.

Before you begin

Configure HashiCorp Vault's KV-V2 secrets engine to ensure that the Key Encryption Key (KEK) path and JSON Web Token (JWT) is available.
Ensure that AlloyDB Omni has permission to read the JWT token file.
Optional: To deploy a TDE-enabled cluster on OpenShift, grant the hostmount-anyuid Security Context Constraint (SCC) to the DBCluster service account running the database cluster.
```
oc adm policy add-scc-to-user hostmount-anyuid -z DBCLUSTER_NAME 
-sa -n DBCLUSTER_NAMESPACE 
```
Replace DBCLUSTER_NAME with the name of the DBCluster and DBCLUSTER_NAMESPACE with the namespace where you want to create the DBCluster resource.

Configure vault access

Create a secret resource that contains your KEK path and authentication credentials.

  apiVersion 
 : 
  
 v1 
 kind 
 : 
  
 ConfigMap 
 metadata 
 : 
  
 name 
 : 
  
  CONFIG_MAP_NAME 
 
 data 
 : 
  
 kek_url 
 : 
  
 " KEK_URL 
" 
  
 token_path 
 : 
  
 " JWT_TOKEN_PATH 
"

Replace the following:

CONFIG_MAP_NAME : name of the config map. The values defined in kek_url and token_path are used in the TdeConfig resource definition.
KEK_URL : The fully qualified URL to the KEK in HashiCorp Vault. Use vault as the protocol to specify HashiCorp Vault as the KMS provider—for example, vault://vault.default.svc:8200/v1/secrets/data/alloydb_kek .
JWT_TOKEN_PATH : path to the JWT token on the node. For example, /tmp/token . The JWT token access path must be consistent across all nodes in the cluster.

Create a TLS secret

To create a TLS secret to store your certificates, run the following commands:

 kubectl  
create  
secret  
tls  
 VAULT_SECRET_NAME 
  
 \ 
  
--cert = 
vault.crt  
 \ 
  
--key = 
vault.key

kubectl  
patch  
secret  
 VAULT_SECRET_NAME 
  
 \ 
  
-p  
 '{"data":{"ca.crt":"' 
 $( 
base64  
-w  
 0 
  
vault.crt ) 
 '"}}' 
  
 \ 
  
--type = 
merge

Replace VAULT_SECRET_NAME with a name for the TLS secret. You use this secret name when you create the TdeConfig custom resource.

Create the TdeConfig CRD

Create a TdeConfig resource that defines how AlloyDB Omni communicates with the vault to retrieve the KEK. The only supported authentication type is jwt . Make sure that you create the TdeConfig resource in the same namespace as the DbCluster resource.

Ensure that the path to your JWT token is accessible to the postgres user and that your vault instance is reachable over the network.

To create the TdeConfig resource, follow these steps:

Create and apply a manifest for TdeConfig resource.

   
 apiVersion 
 : 
  
 alloydbomni.dbadmin.goog/v1 
  
 kind 
 : 
  
 TdeConfig 
  
 metadata 
 : 
  
 name 
 : 
  
  TDE_CONFIG_NAME 
 
  
 spec 
 : 
  
 kekUrlRef 
 : 
  
 name 
 : 
  
  CONFIG_MAP_NAME 
 
  
 key 
 : 
  
 kek_url 
  
 kmsProvider 
 : 
  
 vault 
 : 
  
 authType 
 : 
  
 "jwt" 
  
 authMount 
 : 
  
 " JWT_AUTH_MOUNT_PATH 
" 
  
 jwt 
 : 
  
 pathRef 
 : 
  
 name 
 : 
  
 " CONFIG_MAP_NAME 
" 
  
 key 
 : 
  
 "token_path" 
  
 role 
 : 
  
 " VAULT_ROLE 
" 
  
 tls 
 : 
  
 certSecret 
 : 
  
 name 
 : 
  
 " VAULT_SECRET_NAME 
"

Replace the following:

TDE_CONFIG_NAME : name of the TdeConfig resource.
JWT_AUTH_MOUNT_PATH : path where the authentication engine is mounted within HashiCorp Vault, as defined by your configuration. For example, auth/kms .
(Optional) VAULT_ROLE : the client role defined in your vault setup. The client role validates the JWT and reflects the specific access rights and identity the role is granted within HashiCorp Vault.
VAULT_SECRET_NAME : name of the secret that contains the certificates for the vault connection. For example, vault-secret .

Deploy the DBCluster

Create and apply a manifest to create a DBCluster resource that references your TdeConfig resource. For more information about creating a database cluster, see Create a database cluster .

  apiVersion 
 : 
  
 alloydbomni.dbadmin.goog/v1 
 kind 
 : 
  
 DBCluster 
 metadata 
 : 
  
 name 
 : 
  
 " DBCLUSTER_NAME 
" 
 spec 
 : 
  
 databaseVersion 
 : 
  
 "18.1.0" 
  
 features 
 : 
  
 transparentDataEncryption 
 : 
  
 tdeConfigRef 
 : 
  
 name 
 : 
  
 " TDE_CONFIG_NAME 
" 
 [ 
 ... 
 ]

Replace TDE_CONFIG_NAME with the name of your TdeConfig resource and DBCLUSTER_NAME with the name of the DBCluster you want to create.

Optional: If you're deploying DBCluster in an Openshift environment, you need to annotate the DBCluster resource with the hostmount-anyuid annotation.
```
 kubectl  
annotate  
dbclusters.alloydbomni.dbadmin.goog  
 ` 
 DBCLUSTER_NAME 
 ` 
  
-n  
 ` 
 DBCLUSTER_NAMESPACE 
 ` 
  
openshift.io/scc = 
anyuid 
```
Replace DBCLUSTER_NAME with the name of your DBCluster resource and DBCLUSTER_NAMESPACE with the namespace where you want to create the DBCluster resource.

View TDE metrics

After the cluster is initialized, complete the following steps to verify that TDE is enabled and view related TDE metrics.

Connect to your database using psql or your preferred client. For detailed instructions on connecting to your instances, see Run and connect to AlloyDB Omni .
Run the following command:
```
  select 
  
 * 
  
 FROM 
  
 pgsnap 
 . 
 g 
 $ 
 tde_stats 
 ; 
 
```
The output shows TDE metrics such as whether TDE is enabled, the KEK URL, KEK version, and KEK creation timestamp.

The following table explains what each metric means.
Name

Description

Label

Unit

Type
alloydb_omni_database_tde_data_blocks_decrypted_count_total

Number of data blocks decrypted.

Not applicable

counter

alloydb_omni_database_tde_data_blocks_encrypted_count_total

Number of data blocks encrypted.

Not applicable

counter

alloydb_omni_database_tde_data_decryption_time_us_total

Total time spent in data block decryption.

Not applicable

microseconds

counter

alloydb_omni_database_tde_data_encryption_time_us_total

Total time spent in data block encryption.

Not applicable

microseconds

counter

alloydb_omni_database_tde_enabled

TDE enabled status.

Not applicable

gauge
alloydb_omni_database_tde_kek_info

TDE KEK information.
kek_version : Version of the KEK
in use for key wrapping.

kek_url : Fully qualified path
to KEK in KMS

kek_creation_timestamp :
Creation time of the KEK version in use.
gauge
alloydb_omni_database_tde_temp_blocks_decrypted_count_total

Number of temporary blocks decrypted.

Not applicable

counter

alloydb_omni_database_tde_temp_blocks_encrypted_count_total

Number of temporary blocks encrypted.

Not applicable

counter

alloydb_omni_database_tde_temp_decryption_time_us_total

Total time spent in temporary block decryption.

Not applicable

microseconds

counter

alloydb_omni_database_tde_temp_encryption_time_us_total

Total time spent in temporary block encryption.

Not applicable

microseconds

counter

alloydb_omni_database_tde_wal_blocks_decrypted_count_total

Number of WAL blocks decrypted.

Not applicable

counter

alloydb_omni_database_tde_wal_blocks_encrypted_count_total

Number of WAL blocks encrypted.

Not applicable

counter

alloydb_omni_database_tde_wal_decryption_time_us_total

Total time spent in WAL block decryption.

Not applicable

microseconds

counter

alloydb_omni_database_tde_wal_encryption_time_us_total

Total time spent in WAL block encryption.

Not applicable

microseconds

counter