Installing the Event Gateway as a Kubernetes Deployment
Install an Event Gateway as a Kubernetes Deployment.
Before you begin
Review the planning topic, which covers host system and network requirements for a Kubernetes Deployment.
Creating TLS certificates for the Event Gateway
-
Create a
ClusterIssuerobject. AClusterIssuerobject can issue certificates in all namespaces. If you want to confine the issuer to a single namespace, then create anIssuerobject instead.a. Create a YAML file called
ClusterIssuer.yamland paste in the following contents:apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: name: selfsigned-issuer spec: selfSigned: {} --- apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: eem-selfsigned-ca namespace: cert-manager spec: isCA: true commonName: eem-selfsigned-ca secretName: root-secret privateKey: algorithm: RSA issuerRef: name: selfsigned-issuer kind: ClusterIssuer group: cert-manager.io --- apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: name: eem-ca-issuer spec: ca: secretName: root-secretb. Apply the YAML file in your Kubernetes environment:
kubectl -n cert-manager apply -f ClusterIssuer.yaml -
Use the
ClusterIssuerto create your gateway certificate.- Create a file called
GatewayCertificate.yamland paste in the following contents:apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: eem-gateway-cert-request spec: secretName: <gateway group>-<gateway ID>-certs privateKey: algorithm: RSA duration: 2160h # 90d renewBefore: 360h # 15d isCA: false usages: - server auth subject: organizations: - cert-manager commonName: <common name> dnsNames: - <hostname1.ingressdomain> - <hostname2.ingressdomain> - <hostname3.ingressdomain> issuerRef: name: eem-ca-issuer kind: ClusterIssuerSet the following properties:-
spec.secretName: Replace<gateway group>and<gateway ID>with the names that you intend to use for your gateway group and gateway ID. -
spec.commonName: Set a human-readable name for your certificate. -
spec.dnsNames: Set to a list of the FQDNs for your Event Gateway.If you are using a wildcard in your gateway hostnames, then set this to match the value you have assigned to
kafka.listener.{0}.group.{1}.addressesin the ConfigMap. For example:*.example.com:8080.
-
-
Apply the YAML file in your Kubernetes environment:
kubectl -n <gateway namespace> apply -f GatewayCertificate.yaml - Verify that your gateway secret is
created:
kubectl -n <gateway namespace> get secretsThe secret contains the gateway certificate and key in the properties
spec.tls.crtandspec.tls.key.
- Create a file called
Generating your Kubernetes Deployment YAML
-
In the Event Endpoint Management UI navigation pane, click Administration > Event Gateways.
-
Click Add gateway.
-
Select the Kubernetes Deployment tile, then click Next.
-
Provide the configuration properties for your gateway.
- Gateway group: Create or specify an existing gateway group for your new gateway.
- Gateway ID: Provide an ID for your new gateway that is unique within the gateway group.
- Replicas: The number of Kubernetes replicas of the gateway pod to create.
The remaining properties are set later in Configuring your Event Gateway Kubernetes Deployment YAML:
- Server URL is a comma-separated list of the FQDNs and ports of the Event Gateway. See Configuring your Event Gateway Kubernetes Deployment YAML.
- Gateway private key, Gateway certificate, CA certificate are the TLS certificates that are used to secure your Event Gateway endpoint. It is recommended to not upload certificates here, and to use cert-manager to create and manage your certificates, but if you do not want to use cert-manager, then you can upload the certificate PEM files here.
-
Copy the generated YAML to two separate files:
-
gateway_k8s_original.yaml -
gateway_k8s.yaml
Important: Keepgateway_k8s_original.yamlin a safe location and do not edit it. To remove write permissions to avoid accidental updates to this file, you can runchmod a-w gateway_k8s_original.yaml. -
Configuring your Kubernetes Deployment YAML
gateway_k8s.yaml file that you generated and replace all
<placeholder> properties:-
In the Deployment section, set
spec.containers.env.ACCEPT_LICENSEto"true". -
In the ConfigMap section,set
kafka.listener.listener.group.group.addressesto the FQDNs and ports of your gateway. For example:kafka.listener.listener.group.group.addresses=grp1-gwy1-1.ingress.domain:443,grp1-gwy1-2.ingress.domain:443,grp1-gwy1-3.ingress.domain:443 - Delete the
<group name>-<gateway ID>-certssecret from the YAML file and verify that the name of the secret you created matches the value inspec.template.spec.containers[egw].volumes[certs].secret.secretName. - The generated YAML includes a Kubernetes service definition for your gateway. A Kubernetes service is required for client access to your gateway. If the generated service configuration does not suit your requirements then you can either update it in the generated YAML, or delete the definition from the YAML and create the Kubernetes service later.
Install your Kubernetes Deployment
-
Apply the
gateway_k8s.yamlfile in your Kubernetes environment by using thekubectlcommand. For example:kubectl -n <gateway namespace> apply -f gateway_k8s.yaml -
To monitor the deployment of the Event Gateway, in the Event Endpoint Management UI navigation pane, click Administration > Event Gateways. When the gateway is registered, the status reports
Running. -
If you need to customize the gateway for your environment or enable extra gateway features, see advanced gateway configuration.
-
Enable client network access to your gateway.
Enabling client network access
A Kubernetes service must be created on all types of Kubernetes cluster, including Red Hat OpenShift. The service must allow access to the gateway for all types of traffic.
If the Event Gateway is to be exposed outside the host cluster, then you must also create the appropriate ingresses or Red Hat OpenShift route.
Ensure that TLS passthrough is enabled in all network infrastructure and software that processes communication between your Kafka client and your Event Gateway (such as load balancers).
Creating the Kubernetes Service
The Kubernetes service must map the internal ports that you defined in your gateway endpoint. The service can be created only after the Event Gateway Kubernetes Deployment is created.
kubectl expose deployment/<gateway deployment name> --target-port=<port number> --port=<port number> -o yaml --dry-run=client
# generated with oc expose deployment/grp1-gwy1 --target-port=8443 --port=8443 -o yaml --dry-run=client
apiVersion: v1
kind: Service
metadata:
creationTimestamp: null
labels:
app: grp1-gwy1
gatewayGroup: grp1
gatewayId: gw1
name: grp1-gwy1
spec:
ports:
# should match what was configured on the gateway in EEM Manager
- port: 8443
protocol: TCP
targetPort: 8443
selector:
app: grp1-gwy1
gatewayGroup: grp1
gatewayId: gw1
For more information about creating Kubernetes services, see How to expose a TCP application with a Kubernetes Service.
Creating a Red Hat OpenShift Route
On Red Hat OpenShift, create the same number of routes as the number of Kafka brokers in the Kafka cluster with the most brokers that your Event Gateway manages traffic for. If you use a wildcard in your gateway hostnames, then refer to the Red Hat OpenShift documentation to create wildcard routes.
Set spec.to.name to the Kubernetes Service that you created in Creating the Kubernetes Service, and set
spec.tls.termination to passthrough.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
name: gw1-route1
spec:
# host must match the dnsNames entry in the gateway certificate
host: grp1-gwy1-1.example.com
port:
targetPort: 8443
tls:
insecureEdgeTerminationPolicy: None
termination: passthrough
to:
kind: Service
name: grp1-gw1
weight: 100
wildcardPolicy: None
---
apiVersion: route.openshift.io/v1
kind: Route
metadata:
name: gw1-route2
spec:
# host must match the dnsNames entry in the gateway certificate
host: grp1-gwy1-2.example.com
port:
targetPort: 8443
tls:
insecureEdgeTerminationPolicy: None
termination: passthrough
to:
kind: Service
name: grp1-gw1
weight: 100
wildcardPolicy: None
---
apiVersion: route.openshift.io/v1
kind: Route
metadata:
name: gw1-route3
spec:
# host must match the dnsNames entry in the gateway certificate
host: grp1-gwy1-3.example.com
port:
targetPort: 8443
tls:
insecureEdgeTerminationPolicy: None
termination: passthrough
to:
kind: Service
name: grp1-gw1
weight: 100
wildcardPolicy: None
Creating a Kubernetes Ingress
Follow the Kubernetes documentation on creating ingresses.
Postinstallation steps
Verify that your Event Gateway is configured correctly by accessing a topic with a test application. See Verifying your Event Endpoint Management deployment.