Enabling governance on VMware

You can optionally configure governance in IBM® API Connect on VMware by enabling the governance service.

About this task

The governance service is an optional add-on to API Connect that can be used to validate and enforce organizational governance policies and best practices to your API development process.

Note:
  • These instructions apply only to VMware installations. For Kubernetes, OpenShift, and IBM Cloud Pak for Integration installations, see Enabling governance on Kubernetes.
  • Governance rulesets cannot be added to your deployment until the governance service is enabled.
  • All of the commands must be run in the apicup management project directory.
  • If you're using a two data center disaster recovery (2DCDR) deployment, the governance service must be enabled on both the active and warm-standby centers. Enable the service on the warm-standby data center first, and then the active center.
To enable or disable the governance service, see the following instructions:

After the governance service is enabled, governance resources can be created. For more information, see Configuring governance in the Cloud Manager, and Configuring governance in the API Manager.

Procedure

  • Enabling the governance service
    1. Open your API Connect installation project directory.
    2. Run the following apicup command to enable the governance service:
      apicup subsys set <mgmt_subsystem_name> governance-enabled=true

      Where <mgmt_subsystem_name> is the name of the management subsystem that you are configuring.

    3. Install the new setting for the governance service by running the following command:
      apicup subsys install <mgmt_subsystem_name> --debug

      Including the --debug option enables the debug output for the command.

    4. Monitor the health-check output until the management subsystem is healthy by running the following command:
      apicup subsys health-check <mgmt_subsystem_name>
      If one or more of the health criteria are not met, the command stops processing and displays a message with the failure, and exits with a status of 1. The following output is an example of unhealthy output while the install is running:
      Error: Cluster not in good health:
       ManagementCluster (current ha mode: active) is not ready | State: 15/17 Phase: Pending
       ManagementCluster (current ha mode: active) is not ready | State: 15/17 Phase: Pending
      When all of the health criteria are successfully met, the command displays no output, and exits with a status of 0.
  • Disabling the governance service
    1. Open your API Connect installation project directory.
    2. Run the following apicup command to disable the governance service:
      apicup subsys set <mgmt_subsystem_name> governance-enabled=false

      Where <mgmt_subsystem_name> is the name of the management subsystem that you are configuring.

    3. Install the new setting for the governance service by running the following command:
      apicup subsys install <mgmt_subsystem_name> --debug

      Including the --debug option enables the debug output for the command.

Results

Note that when the governance service is enabled, there are a number of new deployments, jobs, and pods in the ManagementCluster namespace. These Kubernetes governance resources have names containing either compliance-service or compliance-ui. For example:
kubectl get pods -n apic | grep compliance
management-compliance-service-f6cdf95fc-t4qkx                     1/1     Running     0          127m
management-compliance-ui-59897fcc4-zm25v                          1/1     Running     0          126m
management-up-compliance-service-data-populate-0-to-1-t2f4d       0/1     Completed   1          132m
management-up-compliance-service-schema-0-to-1-2lkqq              0/1     Completed   0