Installing API Connect

Use the top-level APIConnectCluster CR to install all the API Connect subsystems into a shared namespace on OpenShift while connected to the internet.

Before you begin

Review installation considerations and complete and prerequisite tasks as explained in:
  1. Preparing for installation
  2. Installing operators

About this task

Important: When you install API Connect, you must configure secure communication between subsystems. Use mTLS or JWT for management to portal and analytics subsystems. Use JWT for management to gateway communication. For more information on inter-subsystem communication, see Network requirements for inter-subsystem communication.

Procedure

  1. Install the subsystems using the OpenShift web console.

    API Connect uses a single top-level APIConnectCluster CR to quickly deploy all of the subsystems. With the APIConnectCluster CR, you provide values for a few properties, and then the installation logic chooses sensible defaults for the other properties during subsystem deployment.

    1. Click Operators->Installed Operators.
    2. Select the IBM API Connect operator.
    3. Click Create Instance on the API Connect cluster tile to install the top-level Custom Resource.

      Selecting API Connect cluster installs all the API Connect subsystems with the default configuration. The API Connect subsystems are Management, Developer Portal, Gateway, and Analytics.

    4. Provide values for the fields shown in Table 1.
      Table 1. Properties for the API Connect top-level CR
      Input Value
      Name The name to be used when deploying the APIConnectCluster CR.
      License acceptance Required. Click to accept the license. You must accept the license to install API Connect.
      License use Required. Select production or nonproduction to match the type of license that you purchased.
      License metric Optional. Enter the unit of measurement that is used for your program license:
      • PROCESSOR_VALUE_UNIT - Default value. If you leave the field blank, this value is used.
      • MONTHLY_API_CALL - Applies only to the IBM API Connect Hybrid Entitlement program.
      License ID Required. Select the license ID for the API Connect program that you purchased. To view all license IDs, see API Connect licenses.
      Deployment profile The deployment profile defines the number of worker nodes, CPU, and memory that is available for API Connect. The available profiles are listed in API Connect deployment profiles for OpenShift and Cloud Pak for Integration.
      Product version Optional. The API Connect application version. Defaults to the latest version available.
      Default storage class name The name of the Storage class to be used.
      You can set a default to appear here with the command:
      oc patch storageclass <storage class name> -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
      Database Backup settings
      Backup Certs The name of the Kubernetes secret containing your S3 access key and secret or your or SFTP username and password or SSH key.

      Default: (Generated Value)

      See Configuring management database backups.

      Backup S3 URI style Indicates whether URIs to your S3 backup specify a host or a path value. Set to either host or path.
      Credentials The name of the Kubernetes secret containing your S3 access key and secret or your or SFTP username and password or SSH key.

      Default: (Generated Value)

      See Configuring management database backups.

      Server hostname Hostname of your remote SFTP backup server or object-store endpoint.
      If specifying an S3 object-store, use the format <S3endpoint>/<S3region>. For example:
      s3.eu-gb.cloud-object-storage.appdomain.cloud/eu-standard

      Default: none

      See Configuring management database backups.

      Path The path to the location of for your backups on your remote server.

      If you are using a remote SFTP server, then this is a directory path.

      If you are using an object-store, then this is the name of your S3 bucket. For example, bucket-name/folder. The use of subdirectories in the bucket name is not supported. Ensure that bucket-name/folder is empty.

      Default: none

      See Configuring management database backups.

      Server port Not used for S3 object-store backups.
      RepoRetentionFull The number of days to retain backups for.

      For example, if RepoRetentionFull is set to 30, then any backups older than 30 days are deleted.

      Schedule Cron like schedule for performing automatic backups. The format for the schedule is:
      • * * * * * *
      • - - - - - -
      • | | | | | |
      • | | | | | +----- day of week (0 - 6) (Sunday=0)
      • | | | | +------- month (1 - 12)
      • | | | +--------- day of month (1 - 31)
      • | | +----------- hour (0 - 23)
      • | +------------- min (0 - 59)
      • +--------------- sec (0 - 59)

      The backup schedule defaults to 0 0 * * * *. This means a backup is run every day at midnight and minute zero UTC.

      When you configure a host, if you do not specify a value for schedule, the default backup schedule is automatically set. Note that the default backup schedule is not set, and scheduled backups not enabled, until host configuration is completed.

      See Configuring management database backups.

    5. If you want to configure additional settings, click Advanced and see API Connect configuration settings for information on the advanced settings.
    6. Optional: If Cloud Pak for Integration is installed, and you want your API Connect installation to be integrated with it, then click the YAML tab and set metadata.annotations.apiconnect-operator/cp4i to true.

      This annotation enables integration with Cloud Pak for Integration.

  2. Optional: If you are installing API Connect as a Cloud Pak for Integration component and you want to deploy with Cloud Pak endpoints, complete the following steps. This step is not applicable if you already disabled API Connect integration with Cloud Pak for Integration by setting metadata.annotations.apiconnect-operator/cp4i to false.

    Beginning with version 10.0.7.0, API Connect no longer uses the Cloud Pak cpd routes for endpoints when deployed as a component of Cloud Pak for Integration. Instead, the API Management component uses the typical default API Connect routes (or the custom endpoints configured in the CR).

    1. Click the YAML tab to manually edit the CR.
    2. Insert the deprecatedCloudPakRoute object into the spec.management section as shown in the following example:
      apiVersion: apiconnect.ibm.com/v1beta1
      kind: APIConnectCluster
      metadata:
        labels:
          app.kubernetes.io/instance: apiconnect
          app.kubernetes.io/managed-by: ibm-apiconnect
          app.kubernetes.io/name: apiconnect-minimum
        name: <name_of_your_instance> 
        namespace: <APIC-namespace> 
      spec:
        license:
          accept: true
          license: L-MMBZ-295QZQ
          metric: PROCESSOR_VALUE_UNIT
          use: nonproduction
        profile: n1xc17.m48
        version: 10.0.8.0
        storageClassName: <default-storage-class>
        management:
          deprecatedCloudPakRoute:
            enabled: true
            cloudPakEndpoint:
              hosts:
              - name: cpd-apic.apps.admin-<domain>.com
    3. Optional: If you want to add a custom certificate for the Cloud Pak route, complete the following steps:
      1. Create a Cloud Pak certificate that was signed by a Cloud Pak CA as in the following example:
        ---
        apiVersion: cert-manager.io/v1
        kind: Issuer
        metadata:
         name: custom-cpd-ca
         namespace: apic
        spec:
         selfSigned: {}
        ---
        apiVersion: cert-manager.io/v1
        kind: Certificate
        metadata:
          name: custom-cpd
          namespace: apic
        spec:
          commonName: small-mgmt-cpd
          dnsNames:
          - cpd-apic.apps.admin-apickeycloak.cp.fyre.ibm.com
          duration: 17520h0m0s
          issuerRef:
            kind: Issuer
            name: custom-cpd-ca
          privateKey:
            algorithm: RSA
            rotationPolicy: Always
            size: 2048
          renewBefore: 720h0m0s
          secretName: custom-cpd
          usages:
          - key encipherment
          - digital signature
          - server auth
      2. In the CR, provide the secret name within the cloudPakEndpoint property of the new deprecatedCloudPakRoute object; for example:
        
        spec:
          deprecatedCloudPakRoute:
            enabled: true
            cloudPakEndpoint:
              hosts:
              - name: cpd-apic.apps.admin-<domain>.com
                secretName: custom-cpd
  3. Click Create to install API Connect.
  4. To verify that your API Connect cluster is successfully installed, run oc get apic -n <APIC-namespace>.
  5. Verify that you can log in to the API Connect Cloud Manager UI:
    1. To determine the location for logging in, view all the endpoints:
      oc get routes -n <APIC-namespace>
    2. Locate the mgmt-admin-apic endpoint, and access the Cloud Manager UI.
    3. Login as admin.

      When you install with the top-level CR, the password is auto-generated. To get the password, run the following commands:

      oc get secret -n <APIC-namespace> | grep mgmt-admin-pass
      
      oc get secret -n <APIC-namespace> <secret_name_from_previous command> -o jsonpath="{.data.password}" | base64 -d && echo ""
  6. Optional: Complete the following tasks:
    Note: You can also install the Toolkit and Local Test Environment from IBM Fix Central. For a link to the latest files on Fix Central, see What's new in the latest release.

What to do next

Configure backups for all your API Connect subsystems: Backing up, restoring, and disaster recovery.