Install operators for API Connect, DataPower, and IBM Cloud Pak foundational services so that you can
deploy API Connect subsystems across multiple namespaces on Red Hat OpenShift. If you deploy API Connect subsystems
in different environments, then the corresponding operator must be installed in each environment;
for example, install the DataPower operator in your Gateway environment, and the API Connect operator in your Portal environment.
Before you begin
The API Connect operator
and operand must be at compatible release and fix pack levels. Table 1 lists the current version of
the operator and operand for API Connect.
Table 1. API Connect
operator and operand versions
API Connect
(operand) |
Operator channel version |
Highest operator version |
10.0.8.1 |
v5.3-sc2 |
5.3.0 |
If you want to run API Connect operator and subsystems at different versions, the following table
shows the supported combinations:
Table 2. API Connect versions
supported by the API Connect
operators.
API Connect Operator version |
API Connect version |
5.3.0 |
|
5.2.0 |
|
Note: There can be only one instance of the API Connect operator in your
OpenShift environment. You cannot have multiple namespaces each with their own API Connect operator.The
API Connect operator pods in
your operator namespace must have network access to the namespace where your API Connect subsystems are
installed. Do not configure OpenShift network policies that block communication between any of these
namespaces:
- API Connect operator
- API Connect subsystems
(operands)
- cert-manager
- openshift-operator-lifecycle-manager
- ibm-common-services
Procedure
- Download the IBM Catalog Management Plug-in for IBM Cloud Paks version
1.1.0 or later from GitHub.
The ibm-pak
plug-in enables you to access hosted product images, and to run
oc ibm-pak
commands against the cluster. To confirm that ibm-pak
is installed, run the following command and verify that the response lists the command usage:
oc ibm-pak --help
- Obtain an entitlement key for the Entitled Registry:
- Log in to the IBM Container Library.
- In the Container software library, select Get
entitlement key.
- After the Access your container software heading, click
Copy key.
- Copy the key to a safe location.
-
Create a pull secret in the namespaces where you want to install API Connect.
- Open the Red Hat OpenShift web console, click .
- Ensure that the Project is set to the namespace where you
intend to install API Connect.
- Click Create and select Image pull
secret.
- Set the following parameters for the secret:
- Set Secret name to
ibm-entitlement-key
.
- Set Authentication type to
Image registry
credentials
.
- Set Registry server address to
cp.icr.io
.
- Set Username to
cp
.
- Set Password to the entitlement key generated in Step 2.
- Click Create to create the secret.
Note: If your
Red Hat OpenShift platform is
Red Hat
OpenShift on IBM Cloud (ROKS), you might need to reload your worker nodes after the image pull
secret is created. You can reload the worker nodes either from the
Red Hat
OpenShift web console or from the command line with:
ibmcloud oc worker
reload
. For information on using the
reload
command, see the
Red Hat OpenShift on IBM Cloud documentation.
- Add the API Connect catalog sources to your
cluster.
Air-gapped: If you are in an air-gapped
environment, then skip this step as it is covered in
Air-gapped installation.
Adding catalog sources to your Red Hat OpenShift cluster adds the IBM operators to the list of operators you can install. For most connected and
air-gapped clusters, applying individual catalog sources is the most effective way to fully control
software versioning on the cluster.
- Generate the catalog source files:
- Log into your cluster using the
oc login
command and your user
credentials:oc login <openshift_url> -u <username> -p <password> -n <APIC-namespace>
- Export the variables for the command line to use:
export CASE_NAME=ibm-apiconnect
export CASE_VERSION=5.3.0
export ARCH=amd64
For information on API Connect
CASE versions and their corresponding operators and operands, see Operator, CASE, and platform requirements.
- Download the files for the operators required by API
Connect:
oc ibm-pak get ${CASE_NAME} --version ${CASE_VERSION}
- Generate the catalog sources for API
Connect:
oc ibm-pak generate mirror-manifests ${CASE_NAME} icr.io --version ${CASE_VERSION}
- Optionally get the catalog sources and save them in another directory in case you need to
replicate this installation in the future:
Get the catalog
sources:
cat ~/.ibm-pak/data/mirror/${CASE_NAME}/${CASE_VERSION}/catalog-sources.yaml
- Apply the catalog sources:
- Apply the catalog
sources:
oc apply -f ~/.ibm-pak/data/mirror/${CASE_NAME}/${CASE_VERSION}/catalog-sources.yaml
- Confirm that the catalog sources have been created in the
openshift-marketplace
namespace:oc get catalogsource -n openshift-marketplace
- Add the IBM Cloud Pak foundational services
(common services) catalog sources to your cluster.
Air-gapped: If you are in an air-gapped
environment, then skip this step as it is covered in
Air-gapped installation.
- Generate the catalog source files:
- Log into your cluster using the
oc login
command and your user
credentials:oc login <openshift_url> -u <username> -p <password> -n <APIC-namespace>
- Export the variables for the command line to use; substituting the appropriate CASE
version:
export CASE_NAME=ibm-cp-common-services
export CASE_VERSION=<case version>
export ARCH=amd64
Set <case version> to the value specified for
Foundational services CASE version in Operator, CASE, and platform requirements, for your deployment type.
- Download the files for the operators required by IBM Cloud Pak foundational
services (common
services):
oc ibm-pak get ${CASE_NAME} --version ${CASE_VERSION}
- Generate the catalog
sources:
oc ibm-pak generate mirror-manifests ${CASE_NAME} icr.io --version ${CASE_VERSION}
- Optionally get the catalog sources and save them in another directory in case you need to
replicate this installation in the future:
Get the catalog
sources:
cat ~/.ibm-pak/data/mirror/${CASE_NAME}/${CASE_VERSION}/catalog-sources.yaml
This
command might not return anything if there are no architecture-specific catalog sources.
- Apply the catalog sources:
- Apply the catalog
sources:
oc apply -f ~/.ibm-pak/data/mirror/${CASE_NAME}/${CASE_VERSION}/catalog-sources.yaml
- Confirm that the catalog sources have been created in the
openshift-marketplace
namespace:oc get catalogsource -n openshift-marketplace
- Create the
apiconnect
subscription.
- Create the
apiconnect
subscription with the appropriate channel by
creating a file called apic-sub.yaml
and pasting in the following contents:
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: ibm-apiconnect
namespace: openshift-operators
spec:
channel: v5.3-sc2
name: ibm-apiconnect
source: ibm-apiconnect-catalog
sourceNamespace: openshift-marketplace
- Apply the subscription with the following command:
oc apply -f apic-sub.yaml
- Select , and ensure that Project: All Projects
is selected.
If any operators such as ibm-apiconnect
or IBM DataPower
Gateway
show the status of "Upgrade available", approve the upgrade by completing the
following steps:
- Click Upgrade available.
- Click Preview InstallPlan.
- Click Approve.
- Wait for the
IBM API Connect
and IBM DataPower Gateway
operators to install.
The IBM DataPower Gateway
operator is a prerequisite to API
Connect and must not be removed.
- Install cert manager by completing the following steps:
- Log in to the OpenShift Container Platform web console.
- Navigate to
.
- In the filter box, type:
cert-manager Operator for Red Hat
OpenShift
.
- Select cert-manager Operator for Red Hat OpenShift and click
Install.
- On the Install Operator page, complete the following steps:
- Update the Update channel if needed. The channel defaults to
stable-v1
, which installs the latest stable release of the cert-manager Operator
for Red Hat OpenShift.
- Select the Installed Namespace for the operator.
The default operator
namespace is cert-manager-operator
; if that namespace doesn't exist, it is created
for you.
- Select an Update approval strategy:
- Automatic: allow Operator Lifecycle Manager (OLM) to automatically update
the operator when a new version is available.
- Manual: require a user with the appropriate credentials to approve all
operator updates.
- Click Install.
- Verify the cert-manager installation by completing the following steps:
- Click to .
- Verify that
cert-manager Operator for Red Hat OpenShift
is listed with a Status
of Succeeded
in the cert-manager-operator
namespace.
- Verify that cert-manager pods are up and running by running the following
command:
oc get pods -n cert-manager
For a successful installation, the
response looks like the following
example:
NAME READY STATUS RESTARTS AGE
cert-manager-bd7fbb9fc-wvbbt 1/1 Running 0 3m39s
cert-manager-cainjector-56cc5f9868-7g9z7 1/1 Running 0 4m5s
cert-manager-webhook-d4f79d7f7-9dg9w 1/1 Running 0 4m9s
- Create the
ibm-common-services-operator
subscription, if it does not already exist.
- Create a file called common-services-sub.yaml and paste in the
following contents:
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: ibm-common-service-operator
namespace: openshift-operators
spec:
channel: v4.6
name: ibm-common-service-operator
source: opencloud-operators
sourceNamespace: openshift-marketplace
- Apply the subscription with the following command:
oc apply -f common-services-sub.yaml
- Select , and ensure that Project: All Projects
is selected.
If any operators such as ibm-apiconnect
, IBM Cloud Pak foundational
services
, or Operand Deployment Lifecycle Manager
show the status of
"Upgrade available", approve the upgrade by completing the following steps:
- Click Upgrade available.
- Click Preview InstallPlan.
- Click Approve.
- Check the
ibm-common-services
namespace and ensure that all operators with a
status of "Upgrade available" are approved.
- Wait for the
IBM Cloud Pak foundational services
and Operand Deployment
Lifecycle Manager
operators to install.
- Create the namespaces for your API Connect subsystems either by selecting
in
the UI, or with the command:
oc create ns <APIC-namespace>
Note: Red Hat OpenShift restricts the use of default namespaces for
installing non-cluster services. The following namespaces cannot be used to install
API Connect:
default
kube-system
kube-public
openshift-node
openshift-infra
openshift
What to do next
Proceed to install the API Connect subsystems as explained in: Installing the management subsystem