Install an operator-managed Event Gateway instance
Steps to install an operator-managed Event Gateway instance in your container environment.
Before you begin
Complete the following steps:
- Review the requirements for your environment: Planning your Event Gateway deployment.
- Review the additional requirements for operator-managed gateways: Requirements for an operator-managed Event Gateway.
- Prepare your environment according to your container platform:
- Plan your TLS certificate configuration: Configuring TLS certificates for your Event Gateway.
Procedure
- In the navigation pane, click Administration > Event Gateways.
- Click Add gateway.
- Select the Operator-managed deployment tile, then click Next.
- Provide the configuration details for your gateway, then click Next.
- Gateway group: Create or specify an existing gateway group for your new gateway.
- Gateway ID: Provide an ID for your new gateway that is unique within the gateway group.
- Replicas: The number of Kubernetes replicas of the gateway pod to create.
- Copy the generated custom resource YAML to two separate files: gateway_cr_original.yaml and gateway_cr.yaml
  Important: Keep gateway_cr_original.yaml in a safe location and do not edit it. To remove write permissions to avoid accidental updates to this file, you can run: chmod a-w gateway_cr_original.yaml
- Update the gateway_cr.yaml file and set spec.license.accept to true.
- Optional: To create a gateway that uses wildcard routes, update <gateway name>-gateway_cr.yaml as follows.
  spec:
    listeners:
      - groups:
          - endpoint:
              host: wildcard.<group-name>.<listener-name>-<instance-name>-<namespace>.<cluster-domain>
            name: <group-name>
            type: WILDCARD
        name: <listener-name>
        port: <port>
        tls:
          certificateType: WILDCARD
  Note: Wildcard routes are not enabled by default in Red Hat OpenShift. See wildcard policy to enable wildcard routes in your ingress controller.
  Wildcard hostnames on operator-managed gateways are supported only in Red Hat OpenShift.
- Configure TLS certificates. The following TLS configuration options are available:
- Use the default self-signed issuer and certificate that the Event Endpoint Management operator generates. In this case, no action is required. Continue to step 9.
- If you want Event Endpoint Management to generate leaf certificates from your own CA certificate, then update <gateway name>-gateway_cr.yaml as follows. In the custom resource section, define the tls property in spec.listeners[listener] to refer to a Kubernetes secret that contains your CA certificate:
  spec:
    listeners:
      - name: listener
        tls:
          caSecret:
            secretName: "<Kubernetes secret that contains your root CA certificate and key pair>"
- If you have a certificate and issuer that you want to use (because you created a Kubernetes secret from your own CA and server certificate, or you have an existing Event Gateway instance and you want to use the same certificate and issuer), then update <gateway name>-gateway_cr.yaml as follows. In the CR section, configure spec.listeners[listener].tls to refer to the existing gateway certificate:
  spec:
    listeners:
      - name: listener
        tls:
          secretName: "<Kubernetes secret that contains your CA and server certificates and key>"
          key: tls.key
          serverCertificate: tls.crt
          caCertificate: ca.crt
  Important: If you do not supply a CA certificate in the secret that you specify in spec.listeners[listener].tls.secretName, and do not specify the CA certificate's key name in spec.listeners[listener].tls.caCertificate, then users cannot download the gateway CA certificate from the Event Endpoint Management UI catalog page.
- Other Kubernetes platforms: If you are not installing on Red Hat OpenShift, then you must add the spec.listeners[].groups[].endpoints section to your <gateway name>-gateway_cr.yaml file.
  spec:
    listeners:
      - name: <listener-name>
        groups:
          - name: <group-name>
            endpoint:
              host: my-gateway.example.com
  For more information about the endpoints property, see Event Gateway network configuration.
- Replace any other placeholder variables in the YAML.
- Create a backup of the updated gateway_cr.yaml file, in addition to the gateway_cr_original.yaml file.
- Red Hat OpenShift: To install the Event Gateway through the OpenShift Container Platform web console, complete the following steps:
- Log in to the Red Hat OpenShift Container Platform web console.
- Click the + (Quick create) icon in the upper-right.
- Select Import YAML.
- Set Project to the namespace where you want to install the Event Gateway.
- Paste in the contents of your updated gateway_cr.yaml file.
- Click Create to start the Event Gateway installation process.
  To install the Event Gateway with the CLI, apply the gateway_cr.yaml file: oc -n <gateway namespace> apply -f gateway_cr.yaml
- Other Kubernetes platforms: To install the Event Gateway by using the CLI, run the following commands:
- Apply the gateway_cr.yaml file in your Kubernetes environment by using the kubectl command. For example: kubectl -n <gateway namespace> apply -f gateway_cr.yaml
- Return to the Event Gateways page to monitor the status of the new Event Gateway. When the gateway is registered, the status reports Running.
- Verify that your Event Gateway endpoint is accessible to your Kafka clients and is secured with the TLS certificate that you expect.
- In a web browser, navigate to your Event Gateway endpoint.
The browser responds with a security warning, and an option to view the endpoint’s TLS certificate.
- View the certificate, and confirm that it matches the certificate that you configured for your Event Gateway endpoint. The gateway endpoint does not host any HTTP service, so no HTTP response is returned to the browser. This test is to check only that a client can make a TCP connection with your gateway endpoint.
Tip: Instead of a browser, you can use command-line tools such as OpenSSL to view the certificate, for example: openssl s_client -connect <gateway endpoint>:443 -servername <gateway endpoint> -showcerts
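Before the edited CR is applied in the steps above, the settings this page warns about (license acceptance, a missing caCertificate key in the existing-secret TLS option, wildcard groups outside OpenShift, a missing endpoint host on other Kubernetes platforms, and leftover placeholders) can be checked mechanically. The following Python script is an added example, not part of the IBM documentation or the product; it assumes the CR structure shown on this page and inspects only those fields, and the openshift flag, the sample CRs and the validate_cr_file helper are the example's own.

```python
# Added example, not IBM's code: offline sanity checks on gateway_cr.yaml before
# it is applied, covering the pitfalls this page calls out. Only fields the page
# shows (spec.license.accept, listeners[].tls, groups[].endpoint) are inspected.

def validate_gateway_cr(cr, openshift=True):
    """Return a list of findings; an empty list means no problems were found."""
    findings = []
    spec = cr.get("spec") or {}
    if (spec.get("license") or {}).get("accept") is not True:
        findings.append("spec.license.accept must be set to true")
    for i, listener in enumerate(spec.get("listeners") or []):
        lpath = f"spec.listeners[{i}]"
        tls = listener.get("tls") or {}
        # Existing-secret option: without caCertificate, users cannot download
        # the gateway CA certificate from the EEM catalog page.
        if "secretName" in tls and not tls.get("caCertificate"):
            findings.append(f"{lpath}.tls.caCertificate missing; CA not downloadable from catalog")
        for j, group in enumerate(listener.get("groups") or []):
            gpath = f"{lpath}.groups[{j}]"
            host = (group.get("endpoint") or {}).get("host") or ""
            if group.get("type") == "WILDCARD":
                if not openshift:
                    findings.append(f"{gpath}: WILDCARD hostnames are supported only on OpenShift")
                if tls.get("certificateType") != "WILDCARD":
                    findings.append(f"{lpath}.tls.certificateType must be WILDCARD for group {j}")
            # Off OpenShift an endpoint host is mandatory; leftover <placeholders> mean unfinished edits.
            if not openshift and not host:
                findings.append(f"{gpath}.endpoint.host is required on other Kubernetes platforms")
            if "<" in host or ">" in host:
                findings.append(f"{gpath}.endpoint.host still contains a placeholder: {host}")
    return findings

def validate_cr_file(path, openshift=True):
    """Load gateway_cr.yaml (PyYAML assumed to be installed) and validate it."""
    import yaml
    with open(path) as fh:
        return validate_gateway_cr(yaml.safe_load(fh), openshift)

# Constructed sample CRs (illustrative, not generated by the EEM UI).
GOOD_CR = {"spec": {"license": {"accept": True}, "listeners": [{
    "name": "listener", "port": 443,
    "tls": {"secretName": "gw-tls", "key": "tls.key",
            "serverCertificate": "tls.crt", "caCertificate": "ca.crt"},
    "groups": [{"name": "group1", "endpoint": {"host": "my-gateway.example.com"}}]}]}}
BAD_CR = {"spec": {"license": {"accept": False}, "listeners": [{
    "name": "listener",
    "tls": {"secretName": "gw-tls", "key": "tls.key", "serverCertificate": "tls.crt"},
    "groups": [{"name": "<group-name>", "type": "WILDCARD",
                "endpoint": {"host": "wildcard.<group-name>.example.com"}}]}]}}
```

Run validate_cr_file("gateway_cr.yaml", openshift=False) on a non-OpenShift cluster and fix every finding before the kubectl apply step; an empty list is the expected result.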