Installing on a Kubernetes cluster

You can install the IBM® Security Guardium® Key Lifecycle Manager container on a Kubernetes cluster. You can use the provided Helm charts for the installation.

Before you begin

Prepare the Kubernetes cluster
Set up a Kubernetes cluster. You can use Version 1.17 or later. For more information, see https://kubernetes.io/docs/setup/.
Review the minimum system requirements. For more information, see the Support matrix.
(Optional) If you plan to implement horizontal scaling, configure a load balancer to distribute the incoming traffic to the IBM Security Guardium Key Lifecycle Manager containers. For more information, see Create an external load balancer.
Obtain the Helm charts
  1. Install Helm on the system from which you will access the Kubernetes cluster. For more information, see https://helm.sh/docs/intro/install/.

    For information about the supported Helm version, see Support matrix.

  2. From the IBM Security Guardium Key Lifecycle Manager utilities page, download the file (k8s-helm.zip) that contains the sample Helm charts for installing IBM Security Guardium Key Lifecycle Manager container.
The sample Helm charts include Helm charts for the database, PostgreSQL, as well.
Note: Only PostgreSQL database is supported with IBM Security Guardium Key Lifecycle Manager container on Kubernetes.
Create a storage class for persistent storage
You can use an existing storage class or create a new storage class for persistent storage of the database and the IBM Security Guardium Key Lifecycle Manager application data.

For more information, see https://kubernetes.io/docs/concepts/storage/storage-classes/.

Obtain the container installation files (eImages) and license activation file
Obtain the container installation files (eImages) for IBM Security Guardium Key Lifecycle Manager from IBM Passport Advantage. For more information, see Installation images for containerized platforms.
Extract the container installation files to a local repository directory. You need to provide the location of this directory in the values.yaml file in the chart.

You can avoid downloading the container installation files if you plan to pull the container image directly from the Docker Hub repository.

Install IBM License Service
  1. Install the IBM License Service. For instructions, see the relevant section in License Service for stand-alone products.
  2. Verify the installation by running the following commands:
    # kubectl get pods --namespace ibm-common-services
# kubectl get service --namespace ibm-common-services
# kubectl get secret ibm-licensing-token -o jsonpath={.data.token} -n ibm-common-services | base64 -d

    Note down the host, port, and service token values from the command output to be updated in the Helm charts file.

  3. Update the following parameters in the sample Helm charts (k8s-helm.zip):
    config:
sklmapp_license: 
license_service_host
license_service_port
secret:
license_service_token

Procedure

Complete the following steps on the system on which you installed Helm:

  1. Extract the k8s-helm.zip file.
  2. In the directory where you extracted the files, navigate to k8s-helm > sklm directory.
    If you plan to install the PostgreSQL database separately, delete the database directory.
  3. Open the values.yaml file and modify the parameter values in the file as per your requirement.
    You must update the following parameters:
    postgressqldb_password
license_service_host
license_service_port
sklmadmin_password
sklmdb_password
liberty_keystore_password
license_service_token
sklmapp_seed

    The values.yaml file contains help description about the parameters. For more information about the parameters, see Parameters to install the IBM Security Guardium Key Lifecycle Manager container.

  4. Optional: Provide the number of IBM Security Guardium Key Lifecycle Manager containers that you want in your deployment by specifying the value for the replicas parameter.
    For example: 
    replicas: 3
    Note: The maximum IBM Security Guardium Key Lifecycle Manager containers that you can scale to is 5. The recommended number of IBM Security Guardium Key Lifecycle Manager containers is 3.
  5. Navigate to k8s-helm directory and run the following command: 
    helm install name sklm

    Where, name is the release name, which you can use in the helm delete command. For example, sklm.

  6. Verify the installation by running the following commands: 
    helm list
kubectl get pods
kubectl get pv
kubectl get pvc
    Sample response:
    helm list
NAME            NAMESPACE       REVISION        UPDATED                                 STATUS          CHART                           APP VERSION
sklm            default         3               2020-11-07 21:32:32.063018197 -0800 PST deployed        sklm-0.1.0                      4.1

kubectl get pods
NAME                                                     READY   STATUS    RESTARTS   AGE
postgressqldb-7fd84488fc-abcdc                           1/1     Running   0          2d18h
sklmapp-56768dddc5-al5a2                                 1/1     Running   0          2d1h

kubectl get pv
NAME                                       CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS   CLAIM                       STORAGECLASS   REASON   AGE
pvc-8c45fb02-0f13-4aab-830f-4e82fe1bfba0   25Gi       RWX            Delete           Bound    default/postgressqldb-pvc   nfs-client              2d18h
pvc-c2b9fa6b-dc6e-43f9-9489-939d64a22aa3   15Gi       RWX            Delete           Bound    default/sklmapp-pvc         nfs-client              2d18h
12:53
NAME                STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
postgressqldb-pvc   Bound    pvc-8c45fb02-0f13-4aab-830f-4e82fe1bfba0   25Gi       RWX            nfs-client     2d18h
sklmapp-pvc         Bound    pvc-c2b9fa6b-dc6e-43f9-9489-939d64a22aa3   15Gi       RWX            nfs-client     2d18h
  7. Launch the IBM Security Guardium Key Lifecycle Manager graphical user interface. 
    https://master_server_IP_address:port/ibm/SKLM/login.jsp

    Where, master_server_IP_address is the IP address of the master server on the Kubernetes cluster, and port is the port number that IBM Security Guardium Key Lifecycle Manager server listens on for requests.

  8. Log in to the IBM Security Guardium Key Lifecycle Manager graphical user interface with the Administrator user credentials (For example, sklmadmin).
  9. Activate IBM Security Guardium Key Lifecycle Manager license. For instructions, see Trying IBM Security Guardium Key Lifecycle Manager trial version and activating a purchased license.
  10. Optional: Configure Kubernetes to call the Health Status REST Service.
    Health checks are a simple way to determine whether a server-side application is working properly. Kubernetes requires two types of health checks: readiness probe and liveness probe. These probes are implemented by performing an HTTPS invocation by using the REST interface.

    For more information about configuring liveness and readiness probes, see the Kubernetes documentation.

What to do next

  • From the Welcome page, configure the drive types, keys, and certificates that your organization requires, or get started with using the product. See Administering.
  • (Optional) Enhance secure communication between the client and the IBM Security Guardium Key Lifecycle Manager server by using a CA-signed certificate. See Importing a server certificate.