Google Cloud Storage Connector — Helm Deployment🔗
The Google Cloud Storage connector monitors a GCS bucket and sends objects to DSX for scanning.
It supports:
- Full scans of an entire bucket or prefix
- Continuous monitoring of new objects
- Remediation actions such as delete, move, or tag after malicious verdicts
Monitoring can be triggered using:
- Google Cloud Pub/Sub notifications (recommended)
- Webhook events from Cloud Run, Cloud Functions, or other middleware
Prerequisites🔗
Before deploying the connector you must create a Google Cloud service account with access to the target bucket.
Required:
- A service account JSON credential
- Permission to list and read objects
Optional (for remediation actions):
- Permission to move, delete, or tag objects, scoped to the target bucket only
See:
Minimal Deployment🔗
The following steps will install the connector with minimal configuration changes, supporting full-scan only.
Create the GCP service-account Secret:🔗
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: gcp-sa
type: Opaque
stringData:
  service-account.json: |
    { ...your JSON key... }
```
```shell
kubectl apply -f connectors/google_cloud_storage/deploy/helm/examples/gcp-sa-secret.yaml
```
The populated manifest holds the private key in clear text (a Secret only base64-encodes `stringData`; it does not encrypt it), so keep it out of version control and hand the chart only the Secret name via `gcp.credentialsSecretName`.
Deploy🔗
Minimal install using Helm CLI overrides:
```shell
helm install gcs-dev oci://registry-1.docker.io/dsxconnect/google-cloud-storage-connector-chart \
  --version <chart-version> \
  --set env.DSXCONNECTOR_ASSET=my-bucket/prefix \
  --set-string env.DSXCONNECTOR_FILTER=""
```
`--version` is the chart version; omit it to install the latest chart version.
Use a values file when deploying in production or GitOps workflows.
First, pull the chart:
```shell
helm pull oci://registry-1.docker.io/dsxconnect/google-cloud-storage-connector-chart --version <chart-version> --untar
```
`--version` is the chart version; omit it to pull the latest chart version.
Edit the `values.yaml` in the untarred chart directory. Start by setting the storage and path alignment (excerpt of the relevant `env` settings):
```yaml
env:
  DSXCONNECTOR_ASSET: my-bucket/prefix
  DSXCONNECTOR_FILTER: ""            # no filter set
  DSXCONNECTOR_ITEM_ACTION: nothing
```
Full example (`env` section):
```yaml
env:
  LOG_LEVEL: "debug"
  # Connector environment mode: dev | stg | prod
  DSXCONNECTOR_APP_ENV: "dev"
  # Optional friendly display name shown in the dsx-connect UI card
  # DSXCONNECTOR_DISPLAY_NAME: "Google Cloud Storage Connector"
  DSXCONNECTOR_TLS_CERTFILE: "/app/certs/tls.crt"
  DSXCONNECTOR_TLS_KEYFILE: "/app/certs/tls.key"
  # DSXCONNECTOR_VERIFY_TLS: "true"
  # DSXCONNECTOR_CA_BUNDLE: "/app/certs/ca.pem"
  # DSXCONNECTOR_DSX_CONNECT_URL: "https://my-dsx-connect.example.com"
  DSXCONNECTOR_ITEM_ACTION: "nothing"
  DSXCONNECTOR_ITEM_ACTION_MOVE_METAINFO: "dsxconnect-quarantine"
  DSXCONNECTOR_ASSET: ""             # bucket name
  DSXCONNECTOR_FILTER: ""
  DSXCONNECTOR_DATA_DIR: "/app/data"
  GCS_PUBSUB_PROJECT_ID: ""
  GCS_PUBSUB_SUBSCRIPTION: ""
```
If you use `DSXCONNECTOR_ITEM_ACTION=move`, also configure where the files should be moved to (excerpt of the item action `env` settings, matching the full example above):
```yaml
env:
  DSXCONNECTOR_ITEM_ACTION: move
  DSXCONNECTOR_ITEM_ACTION_MOVE_METAINFO: dsxconnect-quarantine
```
Then install with your values file (from the chart directory):
```shell
helm install gcs . -f values.yaml
```
Required Settings🔗
| Key | Description |
|---|---|
| `env.DSXCONNECTOR_ASSET` | Bucket or bucket/prefix root to scan. |
| `env.DSXCONNECTOR_FILTER` | Optional rsync-style include/exclude list relative to the asset root (see Filter reference). |
| `env.DSXCONNECTOR_ITEM_ACTION` / `env.DSXCONNECTOR_ITEM_ACTION_MOVE_METAINFO` | Remediation rules (`nothing`, `delete`, `move`, `move_tag`, `tag`). |
| `workers`, `replicaCount` | Concurrency and HA knobs. |
Connector-specific🔗
| Key | Description |
|---|---|
| `gcp.credentialsSecretName` | Secret name containing `service-account.json` (default `gcp-sa`). |
| `env.DSXCONNECTOR_DSX_CONNECT_URL` | Override the dsx-connect endpoint when not using the in-cluster default (`http://dsx-connect-api`). |
Advanced Settings🔗
Auth🔗
See Using DSX-Connect Authentication.
TLS🔗
Monitoring Settings🔗
Monitoring is typically Pub/Sub-based.
Enable monitoring:
| Key | Description |
|---|---|
| `env.DSXCONNECTOR_MONITOR` | `"true"` to enable on-access scanning via Pub/Sub. |
| `env.GCS_PUBSUB_PROJECT_ID` | Project that owns the subscription. |
| `env.GCS_PUBSUB_SUBSCRIPTION` | Subscription name or full path (`projects/<proj>/subscriptions/<sub>`). |
| `env.GCS_PUBSUB_ENDPOINT` | Optional endpoint override (for local emulators). |
Notes:
- Pub/Sub is the recommended trigger path.
- A webhook alternative is supported via `/webhook/event` if you route events from Cloud Run/Functions or middleware.
- For webhook mode, keep `env.DSXCONNECTOR_MONITOR=false` and expose `ingressWebhook`.
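As an added example (not part of the chart or the connector), the preflight below takes the `env` section of a values file as a dict and flags settings that contradict the notes in this section before `helm install` runs. The variable names are the documented ones; the cross-checks themselves (a move action needs `DSXCONNECTOR_ITEM_ACTION_MOVE_METAINFO`, Pub/Sub and webhook triggers are mutually exclusive, a full subscription path must name the same project as `GCS_PUBSUB_PROJECT_ID`, and the dsx-connect URL should not be plaintext once it leaves the in-cluster default) and the `ingressWebhook.enabled` key are assumptions made here.

```python
"""Preflight check of connector env settings before `helm install`.

Added example, not chart or connector code. Load values.yaml with
yaml.safe_load (PyYAML) and pass the resulting dict to check_values().
"""
import re

VALID_ACTIONS = {"nothing", "delete", "move", "move_tag", "tag"}
# Full subscription path form documented for GCS_PUBSUB_SUBSCRIPTION.
SUB_PATH = re.compile(r"^projects/(?P<proj>[^/]+)/subscriptions/(?P<sub>[^/]+)$")


def parse_asset(asset):
    """Split 'bucket' or 'bucket/prefix' into (bucket, prefix)."""
    bucket, _, prefix = asset.strip().strip("/").partition("/")
    return bucket, prefix


def check_values(values):
    """Return human-readable problems; an empty list means the settings are consistent."""
    env = {k: str(v).strip() for k, v in (values.get("env") or {}).items()}
    problems = []

    bucket, _ = parse_asset(env.get("DSXCONNECTOR_ASSET", ""))
    if not bucket:
        problems.append("DSXCONNECTOR_ASSET is empty; set a bucket or bucket/prefix")

    action = env.get("DSXCONNECTOR_ITEM_ACTION", "nothing").lower()
    if action not in VALID_ACTIONS:
        problems.append(f"DSXCONNECTOR_ITEM_ACTION={action!r} is not one of {sorted(VALID_ACTIONS)}")
    # Assumption: every action that relocates objects needs a destination.
    if action in ("move", "move_tag") and not env.get("DSXCONNECTOR_ITEM_ACTION_MOVE_METAINFO"):
        problems.append(f"DSXCONNECTOR_ITEM_ACTION={action} but DSXCONNECTOR_ITEM_ACTION_MOVE_METAINFO is unset")

    monitor = env.get("DSXCONNECTOR_MONITOR", "false").lower() == "true"
    project = env.get("GCS_PUBSUB_PROJECT_ID", "")
    sub = env.get("GCS_PUBSUB_SUBSCRIPTION", "")
    if monitor:
        if not project:
            problems.append("DSXCONNECTOR_MONITOR=true requires GCS_PUBSUB_PROJECT_ID")
        if not sub:
            problems.append("DSXCONNECTOR_MONITOR=true requires GCS_PUBSUB_SUBSCRIPTION")
        match = SUB_PATH.match(sub)
        if "/" in sub and not match:
            problems.append(f"GCS_PUBSUB_SUBSCRIPTION {sub!r} is neither a bare name nor projects/<proj>/subscriptions/<sub>")
        if match and project and match.group("proj") != project:
            problems.append(f"GCS_PUBSUB_SUBSCRIPTION names project {match.group('proj')!r} "
                            f"but GCS_PUBSUB_PROJECT_ID is {project!r}")

    # Assumption: webhook mode is switched on by the values key ingressWebhook.enabled.
    webhook = bool((values.get("ingressWebhook") or {}).get("enabled", False))
    if webhook and monitor:
        problems.append("ingressWebhook.enabled with DSXCONNECTOR_MONITOR=true: use Pub/Sub or the webhook, not both")

    # Scanned file content travels over this link; plaintext is only reasonable inside the cluster.
    url = env.get("DSXCONNECTOR_DSX_CONNECT_URL", "")
    if url.startswith("http://") and url != "http://dsx-connect-api":
        problems.append("DSXCONNECTOR_DSX_CONNECT_URL is plaintext http:// off the in-cluster default; "
                        "use https:// and set DSXCONNECTOR_CA_BUNDLE")
    return problems


# Constructed sample values: one consistent set and one with several contradictions.
GOOD_VALUES = {
    "env": {
        "DSXCONNECTOR_ASSET": "my-bucket/prefix",
        "DSXCONNECTOR_ITEM_ACTION": "move",
        "DSXCONNECTOR_ITEM_ACTION_MOVE_METAINFO": "dsxconnect-quarantine",
        "DSXCONNECTOR_MONITOR": "true",
        "GCS_PUBSUB_PROJECT_ID": "proj-a",
        "GCS_PUBSUB_SUBSCRIPTION": "dsx-scan",
    }
}
BAD_VALUES = {
    "env": {
        "DSXCONNECTOR_ASSET": "",
        "DSXCONNECTOR_ITEM_ACTION": "move",
        "DSXCONNECTOR_MONITOR": "true",
        "GCS_PUBSUB_PROJECT_ID": "proj-a",
        "GCS_PUBSUB_SUBSCRIPTION": "projects/proj-b/subscriptions/dsx-scan",
        "DSXCONNECTOR_DSX_CONNECT_URL": "http://dsx.example.com",
    },
    "ingressWebhook": {"enabled": True},
}

if __name__ == "__main__":
    for name, values in (("good", GOOD_VALUES), ("bad", BAD_VALUES)):
        print(name, check_values(values) or "OK")
```

Run it against the dict you get from loading your edited `values.yaml`; a non-empty list is a reason to fix the file before installing, not a chart error message.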
Asset vs Filter🔗
- Asset defines the coarse scan boundary (e.g. bucket, path, container, mailbox).
- Filters apply include/exclude rules under that boundary.
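To make the boundary concrete, here is an added example (not the connector's own code) that models the asset as the coarse boundary and applies an rsync-style include/exclude list to the object keys inside it. The rule semantics follow rsync conventions (first matching rule wins, a leading `/` anchors to the asset root, `*` stays within one path segment while `**` crosses segments, a trailing `/` covers everything under that path, and unmatched keys are included); whether the connector's Filter reference matches these exactly is an assumption, so use this to reason about what a filter would select, not as the connector's parser.

```python
"""Which keys under DSXCONNECTOR_ASSET does DSXCONNECTOR_FILTER let through?

Added example, not connector code. Rule semantics are rsync-style and are an
assumption about the connector's Filter reference.
"""
import re


def parse_asset(asset):
    """Split 'bucket' or 'bucket/prefix' into (bucket, prefix)."""
    bucket, _, prefix = asset.strip().strip("/").partition("/")
    return bucket, prefix


def _glob_to_regex(glob):
    """Translate a glob: '*' stays within one path segment, '**' crosses '/'."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        elif glob[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return "".join(out)


def compile_rule(line):
    """Parse '+ pattern' / '- pattern'; return (include?, regex), or None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    sign, _, pattern = line.partition(" ")
    pattern = pattern.strip()
    if sign not in ("+", "-") or not pattern:
        raise ValueError(f"bad filter rule: {line!r}")
    dir_only = pattern.endswith("/")        # 'tmp/' means everything under tmp
    pattern = pattern.rstrip("/")
    anchored = pattern.startswith("/")      # '/x' is relative to the asset root
    body = _glob_to_regex(pattern.lstrip("/"))
    if dir_only:
        body += "/.*"
    head = "^" if anchored else "(^|/)"     # unanchored rules match at any depth
    return sign == "+", re.compile(head + body + "$")


def select_objects(asset, filter_text, object_keys):
    """Return the keys that would be scanned: inside the asset root and not excluded."""
    _bucket, prefix = parse_asset(asset)
    root = prefix + "/" if prefix else ""
    rules = [r for r in map(compile_rule, filter_text.splitlines()) if r]
    selected = []
    for key in object_keys:
        if not key.startswith(root) or key == root:
            continue                        # outside the asset boundary: never considered
        rel = key[len(root):]               # filter patterns are relative to the asset root
        include = True                      # unmatched keys are included
        for is_include, rx in rules:
            if rx.search(rel):
                include = is_include        # first matching rule wins
                break
        if include:
            selected.append(key)
    return selected


# Constructed sample: asset and filter as they would sit in values.yaml env,
# object keys as a bucket listing would return them.
ASSET = "my-bucket/prefix"
FILTER = """
# first match wins; anything unmatched is scanned
- tmp/
- *.tmp
+ /logs/app.gz
- /logs/
"""
OBJECT_KEYS = [
    "prefix/report.pdf",      # no rule matches: scanned
    "prefix/tmp/cache.bin",   # under tmp/: excluded
    "prefix/sub/report.tmp",  # *.tmp matches the basename at any depth: excluded
    "prefix/logs/app.gz",     # explicit include precedes the logs/ exclude: scanned
    "prefix/logs/old.gz",     # caught by '- /logs/': excluded
    "other/secret.txt",       # outside the asset root: never considered
]

if __name__ == "__main__":
    for key in select_objects(ASSET, FILTER, OBJECT_KEYS):
        print("scan:", key)
```

Note the order dependence: swapping the last two rules would drop `logs/app.gz` too, which is why the include for a specific file must come before the broad exclude of its directory.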