Deploying operators in a single-namespace API Connect cluster
Deploy the Kubernetes operator files in a single namespace cluster.
Before you begin
- Ensure you completed the prerequisite tasks for installing operators. See Deploying operators and cert-manager.
- Be sure to review your strategy for using certificates with API Connect. See Deployment requirements.
Procedure
- Ensure
KUBECONFIG
is set for the target cluster:export KUBECONFIG=<path_to_cluster_config_YAML_file>
An example path is
/Users/user/.kube/clusters/<cluster_name>/kube-config-<cluster_name>.yaml
- Decide on a namespace to be used for
installation.
If not using the default namespace, create the namespace in the Kubernetes cluster where the API Connect deployment will take place. Use the following command, replacing
<namespace>
with the namespace for the deployment:kubectl create ns <namespace>
Note: The following namespaces are reserved and must not be used for your installation:default
openshift-*
kube-*
- Install a cert-manager.
Cert-manager adds convenience to the generation and management of API Connect certificates. For more information about cert-manager, see Key Concepts: Cert-manager, Issuers, and Secrets.
Note: If you are deploying a two data center disaster recovery deployment on Kubernetes, then do not do this step, follow the steps in Installing cert-manager and certificates in a two data center deployment, then return here.- Obtain the certificate manager.
API Connect uses cert-manager v1.12.13 of cert-manager, which is a native Kubernetes certificate management controller.
You can obtain cert-manager v1.12.13 from the API Connect v10 distribution
helper_files.zip
archive, or download it from https://github.com/cert-manager/cert-manager/releases/tag/v1.12.13 - Apply the CR:
kubectl apply -f cert-manager-1.12.13.yaml
Do not specify a custom namespace.
See https://cert-manager.io/docs/release-notes/release-notes-1.12/.
- Wait for
cert-manager
pods to enterRunning 1/1
status before proceeding. To check the status:
There are 3kubectl get po -n cert-manager
cert-manager
pods in total.
- Obtain the certificate manager.
- Create a registry secret with credentials to be used to pull down product images.
Use the following command, replacing
<namespace>
with the namespace for your deployment, and replacing<registry_server>
with the location of the Docker Registry where the installation product images were pushed:kubectl create secret docker-registry apic-registry-secret --docker-server=<registry_server> --docker-username=<username@example.com> --docker-password=<password> --docker-email=<username@example.com> -n <namespace>
- Create a registry secret for the DataPower registry with the credentials to be used to
pull down product images.
Use the following command, replacing
<namespace>
with the desired namespace for the deployment:kubectl create secret docker-registry datapower-docker-local-cred --docker-server=<docker_server> --docker-username=<username@example.com> --docker-password=<password> --docker-email=<username@example.com> -n <namespace>
- Create a DataPower admin secret.
Use the following command, replacing
<namespace>
with the desired namespace for the deployment:kubectl create secret generic datapower-admin-credentials --from-literal=password=admin -n <namespace>
The admin secret will be used for
$ADMIN_USER_SECRET
when deploying the gateway CR. - If you are using a namespace other than
default
, openibm-apiconnect.yaml
in a text editor. Replace each occurrence ofdefault
with the namespace for your deployment. - Open
ibm-apiconnect.yaml
in a text editor. Replace the value of eachimage:
key with the location of the API Connect operator images (from theibm-apiconnect
container and theibm-apiconnect-init
container), either uploaded to your own registry or pulled from a public registry.serviceAccountName: ibm-apiconnect imagePullSecrets: - name: apic-registry-secret initContainers: - name: ibm-apiconnect-init image: <My_registry_or_public_registry>/ibm-apiconnect-operator-init@sha256:0d3bbac7c67372ad013407a8049c69dbd08b1559b59a7606fcd87eb0f4519ce1 ... containers: - name: ibm-apiconnect image: <My_registry_or_public registry>/ibm-apiconnect-operator@sha256:a7473ee26c252fca4931b682cd95d73b4149e4b5b773834408f9f22d0246a76c
- If DataPower Gateway is desired in this installation, and if you are using a namespace
other than
default
, openibm-datapower.yaml
in a text editor. Replace each occurrence ofdefault
with the namespace for your deployment. -
Open
ibm-datapower.yaml
in a text editor.- Locate the
image:
key in the containers section of the deployment yaml immediately afterimagePullSecrets:
. Replace the value of theimage:
key with the location of thedatapower
operator image, either uploaded to your own registry or pulled from a public registry. - Update the
IBM_DOCKER_HUB
andIBM_ENTITLED_REGISTRY
value in theenv
section with the registry address where the images were uploaded with the image-tool in Obtaining product files.For example, the default entries are:
- name: IBM_ENTITLED_REGISTRY value: "cp.icr.io/cp/datapower" - name: IBM_DOCKER_HUB value: "cp.icr.io/cp/datapower"
- Locate the
- Install the ibm-apiconnect CRDs.
kubectl apply --server-side --force-conflicts -f ibm-apiconnect-crds.yaml
- Install the ibm-apiconnect Kubernetes deployment.
kubectl apply -f ibm-apiconnect.yaml
- If DataPower Gateway is desired in this installation, install the ibm-datapower
Kubernetes deployment for DataPower Gateway, with the following command, replacing
<namespace>
with the desired namespace for the deployment (-n <namespace>
may be omitted if default namespace is being used for installation):kubectl apply -f ibm-datapower.yaml -n <namespace>
Troubleshooting: If your DataPower operator pod fails to start, see Troubleshooting install.
- Install the
ingress-ca
Issuer to be used bycert-manager
.Note:If you are installing a two data center disaster recovery deployment, skip this step, and follow the steps in: Installing cert-manager and certificates in a two data center deployment.
- Use the following command, replacing
<namespace>
with the desired namespace for the deployment:kubectl apply -f ingress-issuer-v1.yaml -n <namespace>
The file
ingress-issuer-v1.yaml
is included in the release files contained inhelper_files.zip
- Validate that the command
succeeded:
kubectl get certificates -n <namespace>
Example output indicating success:
NAME READY SECRET AGE analytics-ingestion-client True analytics-ingestion-client 70s gateway-peering True gateway-peering 69s gateway-service True gateway-service 69s ingress-ca True ingress-ca 71s portal-admin-client True portal-admin-client 71s portal-tunnel-client True portal-tunnel-client 70s
The list of certificates might vary based on your deployment.
- Use the following command, replacing
- Continue with Installing the API Connect subsystems.