Install an operator-managed Event Gateway instance

Steps to install an operator-managed Event Gateway instance in your container environment.

Before you begin

Complete the following steps:

  1. Review the requirements for your environment: Planning your Event Gateway deployment.
  2. Review the additional requirements for operator-managed gateways: Requirements for an operator-managed Event Gateway.
  3. Prepare your environment according to your container platform:
  4. Plan your TLS certificate configuration: Configuring TLS certificates for your Event Gateway.

Procedure

  1. In the navigation pane, click Administration > Event Gateways.
  2. Click Add gateway.
  3. Select the Operator-managed deployment tile, then click Next.
  4. Provide the configuration details for your gateway, then click Next.
    • Gateway group: Create or specify an existing gateway group for your new gateway.
    • Gateway ID: Provide an ID for your new gateway that is unique within the gateway group.
    • Replicas: The number of Kubernetes replicas of the gateway pod to create.
  5. Copy the generated custom resource YAML to two separate files:
    • gateway_cr_original.yaml
    • gateway_cr.yaml
    Important: Keep gateway_cr_original.yaml in a safe location and do not edit it. To remove write permissions and avoid accidental updates to this file, you can run:
    chmod a-w gateway_cr_original.yaml
  6. Update the gateway_cr.yaml file and set spec.license.accept to true.
  7. Optional: To create a gateway that uses wildcard routes, update <gateway name>-gateway_cr.yaml as follows.
       spec:
         listeners:
           - groups:
               - endpoint:
                   host: wildcard.<group-name>.<listener-name>-<instance-name>-<namespace>.<cluster-domain>
                 name: <group-name>
                 type: WILDCARD
             name: <listener-name>
             port: <port>
             tls:
               certificateType: WILDCARD
    
    Note:

    Wildcard routes are not enabled by default in Red Hat OpenShift. See wildcard policy to enable wildcard routes in your ingress controller.

    Wildcard hostnames on operator-managed gateways are supported only in Red Hat OpenShift.

  8. Configure TLS certificates. The following TLS configuration options are available:
    • Use the default self-signed issuer and certificate that the Event Endpoint Management operator generates. In this case, no action is required. Continue to step 9.

    • If you want Event Endpoint Management to generate leaf certificates from your own CA certificate, then update <gateway name>-gateway_cr.yaml as follows:
      In the custom resource section, define the tls property in spec.listeners[listener] to refer to a Kubernetes secret that contains your CA certificate:
        spec:
          listeners:
          - name: listener
            tls:
              caSecret:
                secretName: "<Kubernetes secret that contains your root CA certificate and key pair>" 
      
    • If you have a certificate and issuer that you want to use (because you created a Kubernetes secret from your own CA and server certificate, or you have an existing Event Gateway instance and you want to use the same certificate and issuer), then update <gateway name>-gateway_cr.yaml as follows:

      In the CR section, configure spec.listeners[listener].tls to refer to the existing gateway certificate:
        spec:
          listeners:
          - name: listener
            tls:
              secretName: "<Kubernetes secret that contains your CA and server certificates and key>"
              key: tls.key
              serverCertificate: tls.crt
              caCertificate: ca.crt
      Important: If the secret that you specify in spec.listeners[listener].tls.secretName does not contain a CA certificate, or spec.listeners[listener].tls.caCertificate is not set to the key name of that CA certificate, then users cannot download the gateway CA certificate from the Event Endpoint Management UI catalog page.
  9. Other Kubernetes platforms: If you are not installing on Red Hat OpenShift, then you must add the spec.listeners[].groups[].endpoints section to your <gateway name>-gateway_cr.yaml file.
       spec:
         listeners:
           - name: <listener-name>
             groups:
             - name: <group-name>
               endpoint:
                 host: my-gateway.example.com
    

    For more information about the endpoints property, see Event Gateway network configuration.

  10. Replace any other placeholder variables in the YAML.
  11. Create a backup of the updated gateway_cr.yaml file, in addition to the gateway_cr_original.yaml file.
  12. Red Hat OpenShift: To install the Event Gateway through the OpenShift Container Platform web console, complete the following steps:
    1. Log in to the Red Hat OpenShift Container Platform web console.
    2. Click the + (Quick create) icon in the upper-right.
    3. Select Import YAML.
    4. Set Project to the namespace where you want to install the Event Gateway.
    5. Paste in the contents of your updated gateway_cr.yaml file.
    6. Click Create to start the Event Gateway installation process.
    To install the Event Gateway with the CLI, apply the gateway_cr.yaml file:
    oc -n <gateway namespace> apply -f gateway_cr.yaml
  13. Other Kubernetes platforms: To install the Event Gateway by using the CLI, run the following commands:
    1. Apply the gateway_cr.yaml file in your Kubernetes environment by using the kubectl command. For example:
      kubectl -n <gateway namespace> apply -f gateway_cr.yaml
  14. Return to the Event Gateways page to monitor the status of the new Event Gateway. When the gateway is registered, the status reports Running.
  15. Verify that your Event Gateway endpoint is accessible to your Kafka clients and is secured with the TLS certificate that you expect.
    1. In a web browser, navigate to your Event Gateway endpoint.

      The browser responds with a security warning, and an option to view the endpoint’s TLS certificate.

    2. View the certificate, and confirm that it matches the certificate that you configured for your Event Gateway endpoint. The gateway endpoint does not host any HTTP service, so no HTTP response is returned to the browser. This test checks only that a client can make a TCP connection to your gateway endpoint.
    Tip: Instead of a browser, you can use command-line tools such as OpenSSL to view the certificate, for example:
    openssl s_client -connect <gateway endpoint>:443 -servername <gateway endpoint> -showcerts
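The edits in steps 6 to 11 are easy to get wrong before the file is applied. The following pre-flight linter, added here as an example and not part of the product or its documentation, checks a loaded gateway_cr.yaml for the conditions the steps above describe: spec.license.accept is the boolean true, no <placeholder> values remain, a secretName without caCertificate, WILDCARD certificates off OpenShift, and missing endpoint hosts on other Kubernetes platforms. It assumes PyYAML is installed when a file path is given; the sample CR and the --openshift flag are constructed for the example.

```python
import re
import sys

# Matches values such as "<gateway namespace>" that were never replaced (step 10).
PLACEHOLDER = re.compile(r"<[^<>]+>")

def find_placeholders(node, path="spec"):
    """Recursively return the YAML paths of string values that still hold a <placeholder>."""
    if isinstance(node, dict):
        return [p for k, v in node.items() for p in find_placeholders(v, f"{path}.{k}")]
    if isinstance(node, list):
        return [p for i, v in enumerate(node) for p in find_placeholders(v, f"{path}[{i}]")]
    return [path] if isinstance(node, str) and PLACEHOLDER.search(node) else []

def lint_gateway_cr(cr, openshift=True):
    """Return the problems to fix before the CR is applied (an empty list means clean)."""
    problems = []
    spec = cr.get("spec") or {}
    if (spec.get("license") or {}).get("accept") is not True:  # step 6: boolean true, not "true"
        problems.append("spec.license.accept must be true")
    problems += [f"{p} still contains a <placeholder>" for p in find_placeholders(spec)]
    for i, listener in enumerate(spec.get("listeners") or []):
        lp, tls = f"spec.listeners[{i}]", listener.get("tls") or {}
        if tls.get("secretName") and not tls.get("caCertificate"):  # step 8 "Important" note
            problems.append(f"{lp}.tls.caCertificate is unset: users cannot download the gateway CA")
        if tls.get("certificateType") == "WILDCARD" and not openshift:  # step 7 note
            problems.append(f"{lp}.tls.certificateType WILDCARD is supported only on OpenShift")
        for j, group in enumerate(listener.get("groups") or []):
            if not openshift and not (group.get("endpoint") or {}).get("host"):  # step 9
                problems.append(f"{lp}.groups[{j}].endpoint.host is required off OpenShift")
    return problems

def load_cr(path):
    # PyYAML is imported lazily so the lint functions themselves have no third-party dependency.
    import yaml
    with open(path) as f:
        return yaml.safe_load(f)

# Constructed sample CR with two deliberate mistakes (quoted "true", leftover placeholder).
SAMPLE_CR = {"spec": {"license": {"accept": "true"}, "listeners": [{"name": "listener",
    "tls": {"secretName": "<Kubernetes secret>", "key": "tls.key", "serverCertificate": "tls.crt",
            "caCertificate": "ca.crt"},
    "groups": [{"name": "group", "endpoint": {"host": "my-gateway.example.com"}}]}]}}

if __name__ == "__main__":
    # usage: python lint_gateway_cr.py [gateway_cr.yaml] [--openshift]
    paths = [a for a in sys.argv[1:] if a != "--openshift"]
    cr = load_cr(paths[0]) if paths else SAMPLE_CR
    for problem in lint_gateway_cr(cr, openshift="--openshift" in sys.argv):
        print("FIX:", problem)
```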

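Step 15 can be automated instead of eyeballing the certificate in a browser. The following script, added here as an example and not part of the product or its documentation, connects to the gateway endpoint with SNI set (the equivalent of -servername), captures the leaf certificate it presents and compares its SHA-256 fingerprint with the tls.crt you placed in the Kubernetes secret; when the secret's ca.crt is also supplied, the handshake is verified against that CA and the host name is checked, so a gateway serving an unexpected certificate fails the check. The script name and argument order are assumptions for this example.

```python
import hashlib
import socket
import ssl

def cert_fingerprint(pem):
    """SHA-256 fingerprint (hex) of a PEM certificate, as 'openssl x509 -fingerprint -sha256' shows it."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

def fetch_gateway_cert(host, port=443, ca_file=None):
    """Open a TLS connection with SNI set to host and return the PEM leaf certificate presented.

    With ca_file, the chain is verified against that CA and the host name is checked, so a
    certificate not issued by the expected CA raises ssl.SSLCertVerificationError. Without
    it, verification is disabled and the certificate is only captured for fingerprinting."""
    if ca_file:
        ctx = ssl.create_default_context(cafile=ca_file)  # trusts only the CA from the secret
    else:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))

def gateway_cert_matches(host, expected_pem, port=443, ca_file=None):
    """True when the certificate the gateway presents is byte-for-byte the expected one."""
    presented = fetch_gateway_cert(host, port, ca_file)
    return cert_fingerprint(presented) == cert_fingerprint(expected_pem)

if __name__ == "__main__":
    import sys
    # usage: python check_gateway_tls.py <gateway endpoint> tls.crt [ca.crt]
    host, expected = sys.argv[1], open(sys.argv[2]).read()
    ca = sys.argv[3] if len(sys.argv) > 3 else None
    print("match" if gateway_cert_matches(host, expected, ca_file=ca) else "MISMATCH")
```

The expected files can be extracted from the secret with kubectl, for example `kubectl -n <gateway namespace> get secret <secret name> -o jsonpath='{.data.tls\.crt}' | base64 -d > tls.crt` (and likewise for ca.crt).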
What to do next

Verify your Event Endpoint Management installation: Verifying your Event Gateway installation.