Deploying the API Portal subsystem by using the CLI

Install the cert-manager Operator for Red Hat OpenShift. Follow the steps for Installing the cert-manager Operator for Red Hat OpenShift using the web console in the Red Hat OpenShift documentation.

Change to the namespace where you want to install the subsystem:

oc project <namespace>

If you have installed the API Manager subsystem in another namespace, extract the API Manager ingress-ca certificates.

oc -n <api manager namespace> get secret ingress-ca -o yaml > ingress-ca.yaml

Edit the ingress-ca.yaml file and remove the following properties:

• metadata.creationTimestamp

• metadata.namespace

• metadata.resourceVersion

• metadata.uid

• metadata.selfLink Keep this file. You will need to apply it in the namespaces of your other subsystems so that they can communicate with the API Manager subsystem.

Apply the file to the API Portal namespace:

oc apply -f ingress-ca.yaml

Create a file that is called api-portal-certs.yaml and paste in the following contents:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigning-issuer
  labels: {
    app.kubernetes.io/instance: "api-manager",
    app.kubernetes.io/managed-by: "ibm-apiconnect",
    app.kubernetes.io/name: "selfsigning-issuer"
  }
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: ingress-issuer
  labels: {
    app.kubernetes.io/instance: "api-manager",
    app.kubernetes.io/managed-by: "ibm-apiconnect",
    app.kubernetes.io/name: "ingress-issuer"
  }
spec:
  ca:
    secretName: ingress-ca

Apply the file to your namespace:

oc apply -f api-portal-certs.yaml

Verify that the command installation succeeded:

oc get issuers

All issuers created successfully:

NAME                 READY
ingress-issuer       True
selfsigning-issuer   True

Create a PortalCluster YAML file. For example, you can create a file that is called api-portal.yaml with the following example configuration. All fields in the example are required. Update the values as applicable for your configuration:

apiVersion: portal.apiconnect.ibm.com/v1beta1
kind: PortalCluster
metadata:
  name: api-portal
  annotations:
    apiconnect-operator/cp4i: "false"
spec:
  version: 10.0.8.8
  profile: n1xc2.m8
  mgmtPlatformEndpointCASecret:
    secretName: ingress-ca
  mgmtConsumerEndpointCASecret:
    secretName: ingress-ca
  mgmtPlatformEndpointSvcCASecret:
    secretName: api-manager-ca
  mgmtConsumerEndpointSvcCASecret:
    secretName: api-manager-ca
  portalAdminEndpoint:
    annotations:
      cert-manager.io/issuer: ingress-issuer
    hosts:
    - name: api.portal.$STACK_HOST
      secretName: portal-admin
  portalUIEndpoint:
    annotations:
      cert-manager.io/issuer: ingress-issuer
    hosts:
    - name: portal.$STACK_HOST
      secretName: portal-web
  databaseVolumeClaimTemplate:
    storageClassName: <storage-class>
    volumeSize: 15Gi
  databaseLogsVolumeClaimTemplate:
    storageClassName: <storage-class>
    volumeSize: 6Gi
  webVolumeClaimTemplate:
    storageClassName: <storage-class>
    volumeSize: 8Gi
  backupVolumeClaimTemplate:
    storageClassName: <storage-class>
    volumeSize: 15Gi
  adminVolumeClaimTemplate:
    storageClassName: <storage-class>
    volumeSize: 6Gi
  certVolumeClaimTemplate:
    storageClassName: <storage-class>
    volumeSize: 4Gi
  adminClientSubjectDN: CN=portal-admin-client,O=cert-manager
  microServiceSecurity: certManager
  certManagerIssuer:
    name: selfsigning-issuer
    kind: Issuer
  license:
    accept: false
    use: production
    license: L-HTFS-UAXYM3

• Change the value of spec.license.accept to true if you accept the license agreement. For more information, see Licensing.

• In metadata.annotations, do not remove apiconnect-operator/cp4i: "false". This annotation guarantees that API Gateway does not attempt to integrate with Cloud Pak for Integration identity and access management. It does not prevent you from managing the instance in the Platform UI.

• For spec.license.use enter production or nonproduction to match the type of license that you purchased.

• For spec.license.license enter the license ID for the API Connect program that you purchased. To get the available license IDs, see API Connect licenses in the API Connect documentation.

• For spec.profile enter the type of installation profile that you want. For more information, see Portal component deployment profile limits.

• For spec.version enter the API Connect product version or channel to be installed.

• For <storage-class>, specify the RWO block storage class to use for persistence storage. For more information about selecting storage classes for Cloud Pak for Integration, see Storage considerations. To review API Connect storage support, see the "Supported storage types" section in Deployment requirements, in the API Connect documentation.

• Replace $STACK_HOST with the desired ingress subdomain for the API Connect stack. This variable is used when specifying endpoints. Domain names that are used for endpoints cannot contain the underscore "_" character. The host on OpenShift is typically prefixed by apps. Such as apps.subnet.example.com.

Apply the YAML file to the cluster:

oc apply -f api-portal.yaml

Check the status of API Portal by running the following command in the project (namespace) where it was deployed:

oc get PortalCluster

The installation is complete when the READY status changes to True, and the SUMMARY reports that all services are online:

NAME         READY   SUMMARY   VERSION    RECONCILED VERSION       AGE
api-portal   True    3/3       <version>   <version-build>         7m17s