You can install the IBM® Security Guardium® Key Lifecycle Manager
container on a Kubernetes cluster. You can use the provided Helm charts for the installation.
Before you begin
- Prepare the Kubernetes cluster
  - Set up a Kubernetes cluster. You can use Version 1.17 or later. For more information, see https://kubernetes.io/docs/setup/.
  - Review the minimum system requirements. For more information, see the Support matrix.
- Obtain the Helm charts
  - Install Helm Version 3.4.0 on the system from which you will access the Kubernetes cluster. For more information, see https://helm.sh/docs/intro/install/.
  - From the IBM Security Guardium Key Lifecycle Manager utilities page, download the file (k8s-helm.zip) that contains the sample Helm charts for installing the IBM Security Guardium Key Lifecycle Manager container. The sample Helm charts also include Helm charts for the PostgreSQL database.

    Note: Only the PostgreSQL database is supported with the IBM Security Guardium Key Lifecycle Manager container on Kubernetes.
- Create storage class for persistent storage
  - Create a storage class for persistent storage of the database and the IBM Security Guardium Key Lifecycle Manager application data. For more information, see https://kubernetes.io/docs/concepts/storage/storage-classes/.
- Obtain the container installation files (eImages) and license activation file
  - Obtain the container installation files (eImages) and license activation file for the IBM Security Guardium Key Lifecycle Manager container from IBM Passport Advantage. For more information, see Installation images for containerized platforms.
  - Extract the container installation files to a local repository directory. You need to provide the location of this directory in the values.yaml file in the chart.

    You can avoid downloading the container installation files if you plan to pull the container image directly from the Docker Hub repository.
- Install IBM License Service
  - Install the IBM License Service. For instructions, see the relevant section in License Service for stand-alone products.
  - Verify the installation by running the following commands:

        kubectl get pods --namespace ibm-common-services
        kubectl get service --namespace ibm-common-services
        kubectl get secret ibm-licensing-token -o jsonpath='{.data.token}' -n ibm-common-services | base64 -d

    Note down the host, port, and service token values from the command output to be updated in the Helm charts file.
  - Update the following parameters in the sample Helm charts (k8s-helm.zip):

        config:
        sklmapp_license:
        license_service_host
        license_service_port
        secret:
        license_service_token
Procedure
Complete the following steps on the system on which you installed Helm:
- Extract the k8s-helm.zip file.
- In the directory where you extracted the files, navigate to directory.
  If you plan to install the PostgreSQL database separately, delete the database directory.
- Open the values.yaml file and modify the parameter values in the file as per your requirements.
  The file has information about the mandatory parameters to be updated and a description of all the parameters.
- Navigate to the k8s-helm directory and run the following command:

      helm install name sklm

  where name is the release name, which you can use in the helm delete command. For example, sklm.
- Verify the installation by running the following commands:

      helm list
      kubectl get pods
      kubectl get pv
      kubectl get pvc

  Sample response:

      helm list
      NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
      sklm default 3 2020-11-07 21:32:32.063018197 -0800 PST deployed sklm-0.1.0 4.1
      kubectl get pods
      NAME READY STATUS RESTARTS AGE
      postgressqldb-7fd84488fc-abcdc 1/1 Running 0 2d18h
      sklmapp-56768dddc5-al5a2 1/1 Running 0 2d1h
      kubectl get pv
      NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS REASON AGE
      pvc-8c45fb02-0f13-4aab-830f-4e82fe1bfba0 25Gi RWX Delete Bound default/postgressqldb-pvc nfs-client 2d18h
      pvc-c2b9fa6b-dc6e-43f9-9489-939d64a22aa3 15Gi RWX Delete Bound default/sklmapp-pvc nfs-client 2d18h
      kubectl get pvc
      NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE
      postgressqldb-pvc Bound pvc-8c45fb02-0f13-4aab-830f-4e82fe1bfba0 25Gi RWX nfs-client 2d18h
      sklmapp-pvc Bound pvc-c2b9fa6b-dc6e-43f9-9489-939d64a22aa3 15Gi RWX nfs-client 2d18h
- Launch the IBM Security Guardium Key Lifecycle Manager graphical user interface.

      https://master_server_IP_address:port/ibm/SKLM/login.jsp

  where master_server_IP_address is the IP address of the master server on the Kubernetes cluster, and port is the port number that the IBM Security Guardium Key Lifecycle Manager server listens on for requests.
- On the Configuration page that appears, click the License
Agreements link to review the license terms, and then select the I accept the
terms in the License Agreements check box.
- Click Activate License.
- Upload the IBM Security Guardium Key Lifecycle Manager
license activation file and activate the license.
- Click Login.
- Log in to the IBM Security Guardium Key Lifecycle Manager
graphical user interface with the Administrator user credentials
(sklmadmin).
- Optional: Configure Kubernetes to call the Health Status REST Service.
  Health checks are a simple way to determine whether a server-side application is working properly. Kubernetes requires two types of health checks: readiness probe and liveness probe. These probes are implemented by performing an HTTPS invocation by using the REST interface.
  For more information about configuring liveness and readiness probes, see the Kubernetes documentation.
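
The installation verification step in the procedure above can be scripted. The following is an added example, not part of IBM's documentation or Helm charts: shell functions that read the default table output of the kubectl commands from that step and list pods that are not ready, claims that are not Bound, and claims whose volume has reclaim policy Delete (as both volumes in the sample response do). The sample input is constructed from the sample response, with one pod and one claim changed to a failing state.

```sh
#!/bin/sh
# Added example, not IBM code. Each function reads the default table
# output of the matching kubectl command from stdin.

# Pods that are not Running with every container ready (READY n/n).
unready_pods() {
  awk 'NR > 1 { split($2, r, "/")
                if ($3 != "Running" || r[1] != r[2]) print $1 }'
}

# Claims that are not Bound.
unbound_pvcs() {
  awk 'NR > 1 && $2 != "Bound" { print $1 }'
}

# Claims whose volume has reclaim policy Delete: the volume is removed
# when its claim is deleted. Assumes the REASON column is empty.
delete_policy_claims() {
  awk 'NR > 1 && $4 == "Delete" { print $6 }'
}

# Constructed samples, adapted from the sample response on this page
# (one pod and one claim changed to a failing state).
sample_pods() { cat <<'EOF'
NAME READY STATUS RESTARTS AGE
postgressqldb-7fd84488fc-abcdc 1/1 Running 0 2d18h
sklmapp-56768dddc5-al5a2 0/1 CrashLoopBackOff 4 2d1h
EOF
}
sample_pvcs() { cat <<'EOF'
NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE
postgressqldb-pvc Bound pvc-8c45fb02-0f13-4aab-830f-4e82fe1bfba0 25Gi RWX nfs-client 2d18h
sklmapp-pvc Pending nfs-client 5m
EOF
}
sample_pvs() { cat <<'EOF'
NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS REASON AGE
pvc-8c45fb02-0f13-4aab-830f-4e82fe1bfba0 25Gi RWX Delete Bound default/postgressqldb-pvc nfs-client 2d18h
pvc-c2b9fa6b-dc6e-43f9-9489-939d64a22aa3 15Gi RWX Delete Bound default/sklmapp-pvc nfs-client 2d18h
EOF
}

echo "Pods not ready:        $(sample_pods | unready_pods)"
echo "Claims not bound:      $(sample_pvcs | unbound_pvcs)"
echo "Reclaim policy Delete: $(sample_pvs | delete_policy_claims | tr '\n' ' ')"
# Against a live cluster: kubectl get pods | unready_pods
```

Because the two volumes hold the database and the application data, a reclaim policy of Delete is worth reviewing before any claim is removed.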
What to do next
- From the Welcome page, configure the drive types, keys, and certificates that your organization
requires, or get started with using the product. See Administering.
- Optional: Enhance secure communication between the client and the IBM Security Guardium Key Lifecycle Manager server by using a CA-signed certificate. See Securing communication with IBM Security Guardium Key Lifecycle Manager container using a CA-signed certificate.
Table 1. Topic revision history

Revision date | Change description
29 Apr 2021 | Updated the Before you begin section. Refreshed only the English language content.
27 Mar 2021 | Updated the section about obtaining installation and license activation files. Refreshed only the English language content.
08 Dec 2020 | Initial version.