Installing the gateway subsystem in a shared namespace

Install the gateway subsystem by creating and applying the apigateway_cr.yaml file.

Before you begin

Complete the following tasks to prepare for deploying API Connect:

  1. Preparing for installation
  2. Installing operators
  3. Setting up a certificate issuer

About this task

Important: When you install the gateway subsystem, you must configure the gateway subsystem so that communication from the management subsystem is secured with either mTLS or JWT. For more information on inter-subsystem communication, see Network requirements for inter-subsystem communication.

Use the OpenShift CLI to edit the custom resource template for the gateway, apply the resource, verify that the pods are up and running.

Procedure

  1. Create the gateway admin secret with: oc -n <gateway namespace> create secret generic admin-secret --from-literal=password=admin
  2. If you are installing the API Gateway (v6), create a yaml file that is called apigateway_cr.yaml and paste in these contents:
    #
    # Licensed under the Apache License, Version 2.0 (the "License");
    # you may not use this file except in compliance with the License.
    # You may obtain a copy of the License at
    # 
    #     http://www.apache.org/licenses/LICENSE-2.0
    # 
    # Unless required by applicable law or agreed to in writing, software
    # distributed under the License is distributed on an "AS IS" BASIS,
    # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    # See the License for the specific language governing permissions and
    # limitations under the License.
    #
    
    
    apiVersion: gateway.apiconnect.ibm.com/v1beta1
    kind: GatewayCluster
    metadata:
      name: gwv6
      labels:
        app.kubernetes.io/instance: gateway
        app.kubernetes.io/managed-by: ibm-apiconnect
        app.kubernetes.io/name: gwv6
      annotations:
        apiconnect-operator/cp4i: "false"
    spec:
      version: $APP_PRODUCT_VERSION
      profile: $PROFILE
      apicGatewayServiceV5CompatibilityMode: false
      mgmtPlatformEndpointCASecret:
        secretName: ingress-ca
      mgmtPlatformEndpointSvcCASecret:
        secretName: management-ca
      gatewayEndpoint:
        annotations:
          cert-manager.io/issuer: ingress-issuer
        hosts:
        - name: rgw.$STACK_HOST
          secretName: gwv6-endpoint
      gatewayManagerEndpoint:
        annotations:
          cert-manager.io/issuer: ingress-issuer
        hosts:
        - name: rgwd.$STACK_HOST
          secretName: gwv6-manager-endpoint
      apicGatewayServiceTLS:
        secretName: gateway-service
      apicGatewayPeeringTLS:
        secretName: gateway-peering
      datapowerLogLevel: 3
      license:
        accept: $LICENSE_ACCEPTANCE
        use: $LICENSE_USE
        license: '$LICENSE_ID'
      tokenManagementService:
        enabled: true
        storage:
          storageClassName: $STORAGE_CLASS
          volumeSize: 30Gi
      adminUser:
        secretName: admin-secret
      mtlsValidateClient: true
      # syslogConfig:
      #   enabled: false # if true, provide below details
      #   remoteHost: $DATAPOWER_SYSLOG_TCP_REMOTE_HOST # must be a string
      #   remotePort: $DATAPOWER_SYSLOG_TCP_REMOTE_PORT # must be an int
      #   secretName: $DATAPOWER_SYSLOG_TCP_TLS_SECRET # must be a string
    
    If you are installing the v5 gateway, create a yaml file that is called v5gateway_cr.yaml and paste in these contents:
    #
    # Licensed under the Apache License, Version 2.0 (the "License");
    # you may not use this file except in compliance with the License.
    # You may obtain a copy of the License at
    # 
    #     http://www.apache.org/licenses/LICENSE-2.0
    # 
    # Unless required by applicable law or agreed to in writing, software
    # distributed under the License is distributed on an "AS IS" BASIS,
    # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    # See the License for the specific language governing permissions and
    # limitations under the License.
    #
    
    
    apiVersion: gateway.apiconnect.ibm.com/v1beta1
    kind: GatewayCluster
    metadata:
      name: gwv5
      labels:
        app.kubernetes.io/instance: gateway
        app.kubernetes.io/managed-by: ibm-apiconnect
        app.kubernetes.io/name: gwv5
    spec:
      version: $APP_PRODUCT_VERSION
      profile: $PROFILE
      apicGatewayServiceV5CompatibilityMode: true
      gatewayEndpoint:
        annotations:
          cert-manager.io/issuer: ingress-issuer
        hosts:
        - name: gw.$STACK_HOST
          secretName: gwv5-endpoint
      gatewayManagerEndpoint:
        annotations:
          cert-manager.io/issuer: ingress-issuer
        hosts:
        - name: gwd.$STACK_HOST
          secretName: gwv5-manager-endpoint
      apicGatewayServiceTLS:
        secretName: gateway-service
      apicGatewayPeeringTLS:
        secretName: gateway-peering
      datapowerLogLevel: 3
      license:
        accept: $LICENSE_ACCEPTANCE
        use: $LICENSE_USE
        license: '$LICENSE_ID'
      adminUser:
        secretName: admin-secret
      mtlsValidateClient: true
      # syslogConfig:
      #   enabled: false # if true, provide below details
      #   remoteHost: $DATAPOWER_SYSLOG_TCP_REMOTE_HOST # must be a string
      #   remotePort: $DATAPOWER_SYSLOG_TCP_REMOTE_PORT # must be an int
      #   secretName: $DATAPOWER_SYSLOG_TCP_TLS_SECRET # must be a string
    
  3. Edit the YAML file and set the variables:
    $APP_PRODUCT_VERSION
    API Connect application version for the subsystems.
    version: <version_number>

    Example version number: 10.0.8.1

    $PROFILE

    Specify your gateway subsystem profile, where n indicates number of replicas, c number of cores, and m is the minimum memory allocation in GB. For more information on profiles, see Deployment and component profiles.

    $STACK_HOST
    The desired ingress subdomain for the API Connect stack. Used when specifying endpoints. Domain names that are used for endpoints cannot contain the underscore "_" character. You can do one of the following:
    • Subdomain customization only

      Accept the prefixes predefined for the ingress hostnames to use and replace all instances of STACK_HOST to be the desired ingress subdomain for the API Connect stack. For example, if your host is myhost.subnet.example.com:

      gatewayEndpoint:
            < ... >
          hosts: 
          - name: rgw.myhost.subnet.example.com
            secret: gwv6-endpoint
        
        gatewayManagerEndpoint:
             < ... >
          hosts: 
          - name: rgwd.myhost.subnet.example.com
            secret: gwv6-manager-endpoint
        
    • Complete hostname customization

      Change both the predefined prefixes and the STACK_HOST subdomain to match your desired hostnames.

      For example, for gatewayEndpoint, you can replace rgw.$STACK_HOST with my.gateway.endpoint.myhost.subnet.example.com, where my.gateway.endpoint replaces rgw, and myhost.subnet.example.com replaces $STACK_HOST:

      gatewayEndpoint:
             < ... >
          hosts: 
          - name: my.gateway.endpoint.myhost.subnet.example.com
            secret: gwv6-endpoint

      You can do this for some or all of the hostnames, depending on your customization requirements.

    $STORAGE_CLASS
    The OCP storage class to be used for Persistent Volume Claims. Find the available storage classes in the target cluster by running the following command: oc get sc.
    storageClassName: local-storage
    $LICENSE_ACCEPTANCE
    Set accept to true. You must accept the license to successfully deploy API Connect.
    $LICENSE_USE
    Set use to either production or nonproduction to match the license that you purchased.
    $LICENSE_ID
    Set license: to the license ID for the version of API Connect that you purchased. See API Connect licenses.
    syslogConfig
    To enable this feature uncomment this section, set enabled: true, and set the properties:
    $DATAPOWER_SYSLOG_TCP_REMOTE_HOST
    remoteHost: <remote.host>

    String. The hostname of the server for syslogConfig.

    $DATAPOWER_SYSLOG_TCP_REMOTE_PORT
    remotePort: <remote_port_number>

    Integer. The port number of the server for syslogConfig.

    $DATAPOWER_SYSLOG_TCP_TLS_SECRET
    secretName: <secret>

    String. The TLS secret name of the server for syslogConfig.

  4. Optional: If Cloud Pak for Integration is installed, and you want your API Connect installation to be integrated with it, then set metadata.annotations.apiconnect-operator/cp4i to true.

    This annotation enables integration with Cloud Pak for Integration.

  5. Optional: If applicable to your deployment, update the gateway CR file to configure DataPowerService APIs to customize your DataPower deployment. See Customizing a DataPower deployment.
  6. Optional: If you want to enable JWT security for communications between the management and gateway, add and set the property jwksUrl, and set spec.mtlsValidateClient to false.
    spec:
      ...
      jwksUrl: <JWKS URL>
      mtlsValidateClient: false
    where <JWKS URL> is the URL of the JWKS endpoint that is hosted on the management subsystems. To find out the jwksUrl, describe the management CR and check the status: section:
    kubectl describe mgmt -n <namespace>
    ...
    status:
      - name: jwksUrl
        secretName: api-endpoint
        type: API
        uri: https://api.apic.acme.com/api/cloud/oauth2/certs
    For more information about JWT security, see Enable JWT security instead of mTLS.
  7. Optional: Update the gateway CR file to enable autoscaling of gateway pods to ensure high availability of DataPower pods. See Enabling autoscaling of gateway pods.
  8. Install the gateway Custom Resource by applying the yaml file:
    For a DataPower® API Gateway, run the following command:
    oc apply -f apigateway_cr.yaml -n <namespace>
    For a DataPower Gateway (v5 compatible), run the following command:
    oc apply -f v5cgateway_cr.yaml -n <namespace>
  9. To verify that the gateway subsystem is fully installed, run the following command:
    oc get GatewayCluster -n <namespace>

    The installation is complete when the READY status is True, and the SUMMARY reports that all services are online ( 2/2) for all the gateway subsystems that were installed. Example:

    NAME   READY   SUMMARY   VERSION    RECONCILED VERSION   AGE
    gwv6   True    2/2       <version>  <version-build>      7m32s
    There is no need to wait for the READY status to be True before moving on to next Subsystem installation.
  10. Verify that the gateway is ready to be registered with the Management subsystem by calling the health api on the gatewayManagerEndpoint.hosts.name defined in your yaml file: https://gwd.$STACK_HOST/health.
    curl -k https://gwd.example.com/health
    {"status":"ok"}

What to do next

If you are creating a new deployment of API Connect, install other subsystems as needed.

When you have completed the installation of all required API Connect subsystems, you can proceed to defining your API Connect configuration by using the API Connect Cloud Manager; refer to the Cloud Manager configuration checklist.