Deploying the API Manager subsystem by using the CLI
Deploy the individual API Manager subsystem. This procedure uses the CLI.
API Connect subsystems can be installed by creating individual subsystem Kubernetes resources (CRs), instead of using an API Connect cluster.
There are four subsystems that can be installed:
API Manager: Discussed in this procedure
API Analytics: For more information, see Deploying the API Analytics subsystem by using the CLI
API Portal: For more information, see Deploying the API Portal subsystem by using the CLI
API Gateway: For more information, see Deploying the API Gateway subsystem by using the CLI
Deploying the API Manager subsystem involves three main tasks:
Installing a certificate manager
Install the cert-manager Operator for Red Hat OpenShift. Follow the steps for Installing the cert-manager Operator for Red Hat OpenShift using the web console in the Red Hat OpenShift documentation.
Setting up the certificates
Change to the namespace where you want to install the subsystem:
oc project <namespace>Create a file that is called
api-manager-certs.yamland paste in the following contents:apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: selfsigning-issuer labels: { app.kubernetes.io/instance: "api-manager", app.kubernetes.io/managed-by: "ibm-apiconnect", app.kubernetes.io/name: "selfsigning-issuer" } spec: selfSigned: {} --- apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: ingress-issuer labels: { app.kubernetes.io/instance: "api-manager", app.kubernetes.io/managed-by: "ibm-apiconnect", app.kubernetes.io/name: "ingress-issuer" } spec: ca: secretName: ingress-ca --- apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: ingress-ca labels: { app.kubernetes.io/instance: "api-manager", app.kubernetes.io/managed-by: "ibm-apiconnect", app.kubernetes.io/name: "ingress-ca" } spec: duration: 87600h # 10 years renewBefore: 720h # 30 days secretName: ingress-ca commonName: "ingress-ca" usages: - digital signature - key encipherment - cert sign isCA: true issuerRef: name: selfsigning-issuer kind: Issuer secretTemplate: labels: app.kubernetes.io/instance: "api-manager" app.kubernetes.io/managed-by: "ibm-apiconnect" app.kubernetes.io/name: "ingress-ca" --- apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: portal-admin-client labels: { app.kubernetes.io/instance: "api-manager", app.kubernetes.io/managed-by: "ibm-apiconnect", app.kubernetes.io/name: "portal-admin-client" } spec: subject: organizations: - cert-manager commonName: portal-admin-client secretName: portal-admin-client issuerRef: name: ingress-issuer usages: - "client auth" - "signing" - "key encipherment" duration: 17520h # 2 years renewBefore: 720h # 30 days secretTemplate: labels: app.kubernetes.io/instance: "api-manager" app.kubernetes.io/managed-by: "ibm-apiconnect" app.kubernetes.io/name: "portal-admin-client" --- apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: gateway-client-client labels: { app.kubernetes.io/instance: "api-manager", app.kubernetes.io/managed-by: "ibm-apiconnect", app.kubernetes.io/name: "gateway-client-client" } spec: subject: organizations: - cert-manager commonName: gateway-client-client secretName: gateway-client-client issuerRef: name: ingress-issuer usages: - "client auth" - "signing" - "key encipherment" duration: 17520h # 2 years renewBefore: 720h # 30 days secretTemplate: labels: app.kubernetes.io/instance: "api-manager" app.kubernetes.io/managed-by: "ibm-apiconnect" app.kubernetes.io/name: "gateway-client-client" --- apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: analytics-ingestion-client labels: { app.kubernetes.io/instance: "api-manager", app.kubernetes.io/managed-by: "ibm-apiconnect", app.kubernetes.io/name: "analytics-ingestion-client" } spec: subject: organizations: - cert-manager commonName: analytics-ingestion-client secretName: analytics-ingestion-client issuerRef: name: ingress-issuer usages: - "client auth" - "signing" - "key encipherment" duration: 17520h # 2 years renewBefore: 720h # 30 days secretTemplate: labels: app.kubernetes.io/instance: "api-manager" app.kubernetes.io/managed-by: "ibm-apiconnect" app.kubernetes.io/name: "analytics-ingestion-client"Apply the file to your namespace:
oc apply -f api-manager-certs.yamlVerify that the command installation succeeded:
oc get certificatesAll certificates created successfully:
NAME READY SECRET AGE analytics-ingestion-client True analytics-ingestion-client 70s gateway-client-client True gateway-client-client 70s ingress-ca True ingress-ca 71s portal-admin-client True portal-admin-client 71s
Deploying API Manager
Create a
ManagementClusterYAML file. For example, you can create a file that is calledapi-manager.yamlwith the following example configuration. All fields in the example are required. Update the values as applicable for your configuration:apiVersion: management.apiconnect.ibm.com/v1beta1 kind: ManagementCluster metadata: name: api-manager annotations: apiconnect-operator/cp4i: "false" spec: version: 10.0.11.0 profile: n1xc2.m16 portal: admin: secretName: portal-admin-client analytics: ingestion: secretName: analytics-ingestion-client gateway: client: secretName: gateway-client-client cloudManagerEndpoint: annotations: cert-manager.io/issuer: ingress-issuer hosts: - name: admin.$STACK_HOST secretName: cm-endpoint apiManagerEndpoint: annotations: cert-manager.io/issuer: ingress-issuer hosts: - name: manager.$STACK_HOST secretName: apim-endpoint platformAPIEndpoint: annotations: cert-manager.io/issuer: ingress-issuer hosts: - name: api.$STACK_HOST secretName: api-endpoint consumerAPIEndpoint: annotations: cert-manager.io/issuer: ingress-issuer hosts: - name: consumer.$STACK_HOST secretName: consumer-endpoint databaseVolumeClaimTemplate: storageClassName: <storage-class> microServiceSecurity: certManager certManagerIssuer: name: selfsigning-issuer kind: Issuer license: accept: false use: production license: L-KYAL-S3RCBMChange the value of
spec.license.accepttotrueif you accept the license agreement. For more information, see Licensing.In
metadata.annotations, do not removeapiconnect-operator/cp4i: "false". This annotation guarantees that API Gateway does not attempt to integrate with Cloud Pak for Integration identity and access management. It does not prevent you from managing the instance in the Platform UI.For
spec.license.useenterproductionornonproductionto match the type of license that you purchased.For
spec.license.licenseenter the license ID for the API Connect program that you purchased. To get the available license IDs, see API Connect licenses in the API Connect documentation.For
spec.profileenter the type of installation profile that you want, based on your environment. See Management subsystem deployment profile limits in the API Connect documentation.For
spec.versionenter the API Connect product version or channel to be installed.For
spec.databaseVolumeClaimTemplate.storageClassName, specify the RWO block storage class to use for persistence storage. For more information about selecting storage classes for Cloud Pak for Integration, see Storage considerations. To review API Connect storage support, see the "Supported storage types" section in Deployment requirements, in the API Connect documentation.Replace
$STACK_HOSTwith the desired ingress subdomain for the API Connect stack. This variable is used when specifying endpoints. Domain names that are used for endpoints cannot contain the underscore "_" character. The host on OpenShift is typically prefixed byapps. Such asapps.subnet.example.com. Do one of the following:For subdomain customization only: For the ingress hostnames (
hosts.name), retain the prefixes that are predefined for the ingress hostnames and replace all instances of STACK_HOST with the desired ingress subdomain for the API Connect stack. For example, if your host isapps.subnet.example.com:cloudManagerEndpoint: < ... > hosts: - name: admin.apps.subnet.example.com secret: cm-endpoint apiManagerEndpoint: < ... > hosts: - name: manager.apps.subnet.example.com platformAPIEndpoint: < ... > hosts: - name: api.apps.subnet.example.com secret: api-endpoint consumerAPIEndpoint: < ... > hosts: - name: consumer.apps.subnet.example.com secret: consumer-endpointFor complete hostname customization: Change both the predefined prefixes and the
STACK_HOSTsubdomain to match your desired hostnames.For example, for
cloudManagerEndpoint, you can replaceadmin.$STACK_HOSTwithmy.cloudmgr.myhost.subnet.example.com, wheremy.cloudmgrreplacesadmin, andapps.subnet.example.comreplacesSTACK_HOST:cloudManagerEndpoint: < ... > hosts: - name: my.cloudmgr.apps.subnet.example.com secret: cm-endpointYou can do this for some or all of the hostnames, depending on your customization requirements.
Configure database backups for the API Manager. To successfully restore API Connect in the event of a disaster, where you need to redeploy a new cluster, you must configure the database backup settings before the initial installation of the Management subsystem. For more information on configuring backup settings, see Configuring management database backups.
Apply the YAML file to the cluster:
oc apply -f api-manager.yamlCheck the status of the API manager by running the following command in the project (namespace) where it was deployed:
oc get ManagementClusterThe installation is complete when the READY status changes to
True, and the SUMMARY reports that all services are online:NAME READY SUMMARY VERSION RECONCILED VERSION AGE api-manager True 17/17 <version> <version-build> 7m17sVerify that you can log in to the Cloud Manager UI.
Run the following command to get the API Connect endpoints, so you can determine the URL for the Cloud Manager UI:
oc get routesLocate the
management-adminendpoint, and note it down.Get the Cloud Manager
adminuser password:oc get secret api-manager-admin-secret -o jsonpath="{.data.password}" | base64 -d && echo ""Open a browser and go to the
api-manager-adminendpoint.Log in to the Cloud Manager as an administrator by using the administrator password.
What's next?
Install other subsystems as needed.