Installing on a Kubernetes cluster

You can install the IBM® Security Guardium® Key Lifecycle Manager container on a Kubernetes cluster. You can use the provided Helm charts for the installation.

Before you begin

Prepare the Kubernetes cluster

Set up a Kubernetes cluster. You can use Version 1.17 or later. For more information, see https://kubernetes.io/docs/setup/.

Review the minimum system requirements. For more information, see the Support matrix.

Obtain the Helm charts

Install Helm Version 3.4.0 on the system from which you will access the Kubernetes cluster. For more information, see https://helm.sh/docs/intro/install/.
From the IBM Security Guardium Key Lifecycle Manager utilities page, download the file (k8s-helm.zip) that contains the sample Helm charts for installing IBM Security Guardium Key Lifecycle Manager container.

The sample helm charts include helm charts for the database, PostgreSQL, as well.

Note: Only PostgreSQL database is supported with IBM Security Guardium Key Lifecycle Manager container on Kubernetes.

Create storage class for persistent storage

Create storage class for persistent storage of database and the IBM Security Guardium Key Lifecycle Manager application data. For more information, see https://kubernetes.io/docs/concepts/storage/storage-classes/.

Obtain the container installation files (eImages) and license activation file

Obtain the container installation files (eImages) and license activation file for IBM Security Guardium Key Lifecycle Manager container from IBM Passport Advantage. For more information, see Installation images for containerized platforms.

Extract the container installation files to a local repository directory. You need to provide the location of this directory in the values.yaml file in the chart.

You can avoid downloading the container installation files if you plan to pull the container image directly from the Docker Hub repository.

Install IBM License Service

Install the IBM License Service. For instructions, see the relevant section in License Service for stand-alone products.

Verify the installation by running the following commands:

# kubectl get pods --namespace ibm-common-services
# kubectl get service --namespace ibm-common-services
# kubectl get secret ibm-licensing-token -o jsonpath={.data.token} -n ibm-common-services | base64 -d

Note down the host, port, and service token values from the command output to be updated in the Helm charts file.

Update the following parameters in the sample Helm charts (k8s-helm.zip):

config:
sklmapp_license: 
license_service_host
license_service_port
secret:
license_service_token

Procedure

Complete the following steps on the system on which you installed Helm:

Extract the k8s-helm.zip file.
In the directory where you extracted the files, navigate to k8s-helm > sklm directory.
If you plan to install the PostgreSQL database separately, delete the database directory.
Open the values.yaml file and modify the parameter values in the file as per your requirement.
The file has information about the mandatory parameters to be updated and description of all the parameters.
Navigate to k8s-helm directory and run the following command:
```
helm install name sklm
```
where, name is the release name, which you can use in the helm delete command. For example, sklm.

Verify the installation by running the following commands:

helm list
kubectl get pods
kubectl get pv
kubectl get pvc

Sample response:

helm list
NAME            NAMESPACE       REVISION        UPDATED                                 STATUS          CHART                           APP VERSION
sklm            default         3               2020-11-07 21:32:32.063018197 -0800 PST deployed        sklm-0.1.0                      4.1

kubectl get pods
NAME                                                     READY   STATUS    RESTARTS   AGE
postgressqldb-7fd84488fc-abcdc                           1/1     Running   0          2d18h
sklmapp-56768dddc5-al5a2                                 1/1     Running   0          2d1h

kubectl get pv
NAME                                       CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS   CLAIM                       STORAGECLASS   REASON   AGE
pvc-8c45fb02-0f13-4aab-830f-4e82fe1bfba0   25Gi       RWX            Delete           Bound    default/postgressqldb-pvc   nfs-client              2d18h
pvc-c2b9fa6b-dc6e-43f9-9489-939d64a22aa3   15Gi       RWX            Delete           Bound    default/sklmapp-pvc         nfs-client              2d18h
12:53
NAME                STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
postgressqldb-pvc   Bound    pvc-8c45fb02-0f13-4aab-830f-4e82fe1bfba0   25Gi       RWX            nfs-client     2d18h
sklmapp-pvc         Bound    pvc-c2b9fa6b-dc6e-43f9-9489-939d64a22aa3   15Gi       RWX            nfs-client     2d18h

Launch the IBM Security Guardium Key Lifecycle Manager graphical user interface.
```
https://master_server_IP_address:port/ibm/SKLM/login.jsp
```
Where, master_server_IP_address is the IP address of the master server on the Kubernetes cluster, and port is the port number that IBM Security Guardium Key Lifecycle Manager server listens on for requests.
On the Configuration page that appears, click the License Agreements link to review the license terms, and then select the I accept the terms in the License Agreements check box.
Click Activate License.
Upload the IBM Security Guardium Key Lifecycle Manager license activation file and activate the license.
Click Login.
Log in to the IBM Security Guardium Key Lifecycle Manager graphical user interface with the Administrator user credentials (sklmadmin).
Optional: Configure Kubernetes to call the Health Status REST Service.
Health checks are a simple way to determine whether a server-side application is working properly. Kubernetes requires two types of health checks: readiness probe and liveness probe. These probes are implemented by performing an HTTPS invocation by using the REST interface.
For more information about configuring liveness and readiness probes, see the Kubernetes documentation.

What to do next

From the Welcome page, configure the drive types, keys, and certificates that your organization requires, or get started with using the product. See Administering.
Optional: Enhance secure communication between the client and the IBM Security Guardium Key Lifecycle Manager server by using a CA-signed certificate. See Securing communication with IBM Security Guardium Key Lifecycle Manager container using a CA-signed certificate.

Table 1. Topic revision history
Revision date	Change description
29 Apr 2021	Updated the Before you begin section. Refreshed only the English language content.
27 Mar 2021	Updated the section about obtaining installation and license activation files. Refreshed only the English language content.
08 Dec 2020	Initial version.