Install the analytics subsystem by creating and applying the
ingress-ca, common-issuer, and analytics_cr
yaml files.
Before you begin
Important: When you install the analytics subsystem, you must
configure the analytics subsystem so that communication from the management subsystem is secured
with either mTLS or JWT. For more information on inter-subsystem communication, see
Network requirements for inter-subsystem communication.
When installing subsystems in different namespaces you must first create the
cert-manager issuers and certificates required by that subsystem in the same namespace.
- Using the file obtained from Extracting the management ingress-ca certificates, run:
oc apply -f ingress-ca.yaml -n <analytics namespace>
- Create a file called
common-issuer.yaml
and paste in these contents:
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: selfsigning-issuer
labels:
app.kubernetes.io/instance: management
app.kubernetes.io/managed-by: ibm-apiconnect
app.kubernetes.io/name: selfsigning-issuer
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: ingress-issuer
labels:
app.kubernetes.io/instance: management
app.kubernetes.io/managed-by: ibm-apiconnect
app.kubernetes.io/name: ingress-issuer
spec:
ca:
secretName: ingress-ca
- Apply the above yaml file with:
oc apply -f common-issuer.yaml -n <analytics
namespace>
- Confirm that the issuers were created and are in ready state:
oc get issuers -n
<analytics namespace>
oc get issuers -n <analytics namespace>
NAME READY
ingress-issuer True
selfsigning-issuer True
About this task
Use the OpenShift CLI to edit the custom resource template for the analytics subsystem, apply the
resource, verify that the pods are up and running.
Procedure
- Create a file that is called
analytics_cr.yaml
and paste in these
contents:
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
apiVersion: analytics.apiconnect.ibm.com/v1beta1
kind: AnalyticsCluster
metadata:
name: analytics
labels:
app.kubernetes.io/instance: analytics
app.kubernetes.io/managed-by: ibm-apiconnect
app.kubernetes.io/name: analytics
annotations:
apiconnect-operator/cp4i: "false"
spec:
version: $APP_PRODUCT_VERSION
license:
accept: $LICENSE_ACCEPTANCE
use: $LICENSE_USE
license: '$LICENSE_ID'
profile: $PROFILE
microServiceSecurity: certManager
certManagerIssuer:
name: selfsigning-issuer
kind: Issuer
ingestion:
endpoint:
annotations:
cert-manager.io/issuer: ingress-issuer
hosts:
- name: ai.$STACK_HOST
secretName: analytics-ai-endpoint
clientSubjectDN: CN=analytics-ingestion-client,O=cert-manager
storage:
type: $STORAGE_TYPE
shared:
volumeClaimTemplate:
storageClassName: $STORAGE_CLASS
volumeSize: $DATA_VOLUME_SIZE
#master: # uncomment this section if you set storage.type = dedicated.
# volumeClaimTemplate:
# storageClassName: $STORAGE_CLASS
- Edit the YAML file and set the variables:
$APP_PRODUCT_VERSION
- API Connect application version for the subsystems.
version: <version_number>
Example version number: 10.0.8.1
$PROFILE
-
Specify your analytics subsystem profile, where
n
indicates number of replicas,
c
number of cores, and
m
is the minimum memory allocation in GB.
For more information on profiles, see
Deployment and component profiles.
Note: The
profile that you select influences your storage type options. If you select an
n1
profile then you must select the
shared
storage type. For more information about
storage types, see
storage types.
$STACK_HOST
- The desired ingress subdomain for the API Connect stack. Used when
specifying endpoints. Domain names that are used for endpoints cannot contain the underscore "_"
character. You can customize the subdomain or the complete hostname:
- Subdomain customization only
Accept the prefixes predefined for the ingress hostnames to use
and replace all instances of $STACK_HOST
with the desired ingress subdomain for the
API Connect stack. For
example, if your host is myhost.subnet.example.com
:
ingestion:
endpoint:
< ... >
hosts:
- name: ai.myhost.subnet.example.com
secret: analytics-ai-endpoint
< .... >
- Complete hostname customization
Change both the predefined prefixes and the
$STACK_HOST
subdomain to match your desired hostnames.
For example, you can
replace $STACK_HOST
with
my.analytics.ingestion.myhost.subnet.example.com
, where
my.analytics.ingestion
replaces ai
, and
myhost.subnet.example.com
replaces STACK_HOST
.
ingestion:
endpoint:
< ... >
hosts:
- name: my.analytics.ingestion.myhost.subnet.example.com
secret: analytics-ai-endpoint
< ... >
$STORAGE_TYPE
- If you set
$PROFILE
to an n1
(one replica) profile, then set this
to shared
. If you set $PROFILE
to an n3
(three replica) profile then set this to
dedicated
and uncomment the storage.master
section, for
example: storage:
type: dedicated
shared:
volumeClaimTemplate:
storageClassName: $STORAGE_CLASS
volumeSize: $DATA_VOLUME_SIZE
master:
volumeClaimTemplate:
storageClassName: $STORAGE_CLASS
For more information
about storage types, see dedicated or shared storage.
$STORAGE_CLASS
- The Kubernetes storage class to be used for persistent volume claims. For more information, see
Analytics preinstallation planning. Find the available storage
classes in the target cluster by running the following command:
oc get sc
.
Example:storage:
type: shared
shared:
volumeClaimTemplate:
storageClassName: ceph-block
- $DATA_VOLUME_SIZE
-
Size of storage allocated for data. To estimate the storage space you require, see Estimating storage requirements. If you are unable to estimate your storage requirement then
set it to 500Gi.
storage:
type: shared
shared:
volumeClaimTemplate:
storageClassName: ceph-block
volumeSize: 500Gi
$LICENSE_ACCEPTANCE
- Set
accept
to true
. You must accept the license to
successfully deploy API Connect.
$LICENSE_USE
- Set
use
to either production
or nonproduction
to match the license that you purchased.
- $LICENSE_ID
- Set
license:
to the license ID for the version of API Connect that you
purchased. See API Connect licenses.
- Optional: If Cloud Pak for Integration is installed, and you want your
API Connect installation
to be integrated with it, then set
metadata.annotations.apiconnect-operator/cp4i
to
true
.
This annotation enables integration with Cloud Pak for Integration.
- Optional: If you want to disable mTLS for
communications between the
management and analytics subsystem, and between the gateway and analytics subsystem, and enable
JWT instead, then add and set the properties
mtlsValidateClient
and
jwksUrl
. spec:
...
mtlsValidateClient: false
jwksUrl: <JWKS URL>
where
<JWKS URL> is the URL of the JWKS endpoint that is hosted on the management
subsystems. To find out the jwksUrl
, describe the management CR and check the
status:
section:kubectl describe mgmt -n <namespace>
...
status:
- name: jwksUrl
secretName: api-endpoint
type: API
uri: https://api.apic.acme.com/api/cloud/oauth2/certs
For more information about JWT security, see Enable JWT security instead of mTLS.Note: It is not possible to use JWT on the V5 compatible gateway to analytics message
flow.
- Optional: If you plan to configure analytics database backups, then define the storage that is required
for backups:
Define your backup PVC by adding the
backup.volumeClaimTemplate
property in
spec.storage
. For example:
spec:
storage:
backup:
volumeClaimTemplate:
storageClassName: <storage class>
volumeSize: <size>
If you are not sure of the volume
size that you need, then you can configure the backup.volumeClaimTemplate
after
installation.
-
Install the analytics subsystem by applying the modified CR with the following command:
oc apply -f analytics_cr.yaml -n <namespace>
- Verify that the analytics subsystem is fully installed:
oc get AnalyticsCluster -n <namespace>
The installation is complete when READY
shows all pods running
(n/n
), and the STATUS
reports Running
.
Example:
NAME READY STATUS VERSION RECONCILED VERSION AGE
analytics n/n Running 10.0.8.0 10.0.8.0-1281 86m
It is not necessary to wait for analytics installation to complete before you move on to the next
subsystem installation.
- Backup your analytics subsystem and configure scheduled analytics database backups: Backing up and restoring the analytics subsystem.
What to do next
If you are creating a new deployment of API Connect, install other
subsystems as needed.
When you have completed the installation of all required API Connect subsystems, you
can proceed to defining your API Connect configuration by
using the API Connect
Cloud Manager; refer to the Cloud Manager
configuration checklist.