Running Config Sync as a cronjob on OpenShift

Running the apic-configsync utility as a cronjob on Red Hat OpenShift or IBM Cloud Pak for Integration enables the utility to be run on a timed basis, such as every 10 minutes.

Before you begin

Ensure that the following prerequisites are satisfied before attempting to configure the cronjob:

  • Ensure that you have a tool available for copying the image into your image registry.

    The examples in this topic use skopeo to copy the image to the target registry, but you could use equivalent docker or podman commands instead.

  • Expose the OpenShift registry with defaultRoute by running the following command:
    oc patch configs.imageregistry.operator.openshift.io/cluster --patch '{"spec":{"defaultRoute":true}}' --type=merge
    For more information, see Exposing the registry in the OpenShift documentation. It is not necessary to perform step 5 (the "podman login" step) in the instructions.
  • Set the REGISTRY_HOST environment variable to the OpenShift registry by running the following command:
    REGISTRY_HOST=$(oc get route default-route -n openshift-image-registry --template='{{ .spec.host }}')
  • Set the APIC_PROJECT environment variable to the namespace (project) where you intend to run the cronjob. For optimal performance, the cronjob should run within the same OpenShift environment as the target API Connect cluster.

About this task

You can configure the apic-configsync utility to run as a cronjob in an API Connect deployment running on OpenShift or Cloud Pak for Integration. The apic-configsync utility should run as close to the target cluster as possible, so the cronjob should be configured to run within the same OpenShift environment as the target API Connect cluster.

Procedure

  1. Download and extract the API Connect Config Sync package.
  2. Extract the Config Sync image from the extracted API Connect Config Sync package by running the following command:
    tar xf ibm-apic-configsync-image.tar.gz
  3. Copy the extracted Config Sync image to the target registry.

    For example, if you use skopeo, run the following command:

    skopeo copy --dest-tls-verify=false --dest-registry-token=$(oc whoami -t) dir:./ibm-apic-configsync/ibm-apic-configsync-<version>/<tag> docker://$REGISTRY_HOST/$APIC_PROJECT/ibm-apic-configsync-<version>:<tag>

    Replace <version> and <tag> with their actual values. To ensure that you use the most recent values, copy them from the README file located in the root of the extracted API Connect Config Sync package.

  4. Define the environment variables for the source and target catalogs.
  5. Create secrets to host configuration details for the source cluster and the target cluster.
    1. Create a secret to host the configuration details for the source cluster in the namespace where you intend to run the cronjob:
      oc create secret --namespace $APIC_PROJECT generic source-catalog-details \
          --from-literal=SOURCE_MGMT_SERVER=$SOURCE_MGMT_SERVER \
          --from-literal=SOURCE_ORG=$SOURCE_ORG \
          --from-literal=SOURCE_REALM=$SOURCE_REALM \
          --from-literal=SOURCE_ADMIN_USER=$SOURCE_ADMIN_USER \
          --from-literal=SOURCE_ADMIN_PASSWORD=$SOURCE_ADMIN_PASSWORD \
          --from-literal=SOURCE_CATALOG=$SOURCE_CATALOG \
          --from-literal=SOURCE_TOOLKIT_CREDENTIALS_CLIENTID=$SOURCE_TOOLKIT_CREDENTIALS_CLIENTID \
          --from-literal=SOURCE_TOOLKIT_CREDENTIALS_CLIENTSECRET=$SOURCE_TOOLKIT_CREDENTIALS_CLIENTSECRET
    2. Create a secret to host the configuration details for the target cluster in the namespace where you intend to run the cronjob:
      oc create secret --namespace $APIC_PROJECT generic target-catalog-details \
          --from-literal=TARGET_MGMT_SERVER=$TARGET_MGMT_SERVER \
          --from-literal=TARGET_ORG=$TARGET_ORG \
          --from-literal=TARGET_REALM=$TARGET_REALM \
          --from-literal=TARGET_ADMIN_USER=$TARGET_ADMIN_USER \
          --from-literal=TARGET_ADMIN_PASSWORD=$TARGET_ADMIN_PASSWORD \
          --from-literal=TARGET_CATALOG=$TARGET_CATALOG \
          --from-literal=TARGET_TOOLKIT_CREDENTIALS_CLIENTID=$TARGET_TOOLKIT_CREDENTIALS_CLIENTID \
          --from-literal=TARGET_TOOLKIT_CREDENTIALS_CLIENTSECRET=$TARGET_TOOLKIT_CREDENTIALS_CLIENTSECRET
  6. Create the cronjob:
    1. Open the helper_files/configsync-cronjob-ocp.yaml file located in the extracted API Connect Config Sync package.
    2. Modify the schedule property to specify how frequently the job will run.

      The minimum recommended schedule period is 1 minute; however, a deployment with a large number of objects might require more time for the job to complete. Because concurrent jobs are not allowed, the total time between the start of two consecutive jobs might be longer.

    3. Set the concurrencyPolicy to Forbid.

      Config Sync operates on a single source-target catalog pair at a time. If you want to sync multiple different source-target catalog pairs, create a separate cronjob for each pair.

    4. In the image property, replace the <APIC_PROJECT> variable with the namespace (project) where you will run the cronjob.
    5. Create the cronjob resource in the cluster by running the following command:
      oc --namespace $APIC_PROJECT apply -f helper_files/configsync-cronjob-ocp.yaml