Deploying the Gateway subsystem on Linux x86_64

Deploy the API Connect Gateway subsystem on the Linux x86_64 cluster.

Before you begin

Verify that you copied the ingress issuers to the Linux x86_64 cluster.

Restriction: This task applies only to deployments where the Management and Portal subsystems were installed on Linux for IBM Z.

If you are deploying all subsystems to Linux x86_64, follow the instructions in Deploying all API management subsystems on Linux x86_64 (Platform UI) to install all subsystems at the same time with a top-level CR.

Procedure

  1. Create a file called gateway-certs.yaml with the following contents:

    Replace <apiconnectCluster_name> with the name of the API Connect cluster.

    #
    # Licensed under the Apache License, Version 2.0 (the "License");
    # you may not use this file except in compliance with the License.
    # You may obtain a copy of the License at
    # 
    #     http://www.apache.org/licenses/LICENSE-2.0
    # 
    # Unless required by applicable law or agreed to in writing, software
    # distributed under the License is distributed on an "AS IS" BASIS,
    # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    # See the License for the specific language governing permissions and
    # limitations under the License.
    #
    
    ---
    
    ---
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: gateway-service
      labels: {
        app.kubernetes.io/instance: "gatewaycluster",
        app.kubernetes.io/managed-by: "ibm-apiconnect",
        app.kubernetes.io/name: "gateway-service"
      }
    spec:
      commonName: gateway-service
      secretName: gateway-service
      issuerRef:
        name: <apiconnectCluster_name>-ingress-issuer
      usages:
      - "client auth"
      - "signing"
      - "key encipherment"
      duration: 17520h # 2 years
      renewBefore: 48h
    ---
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: gateway-peering
      labels: {
        app.kubernetes.io/instance: "gatewaycluster",
        app.kubernetes.io/managed-by: "ibm-apiconnect",
        app.kubernetes.io/name: "gateway-peering"
      }
    spec:
      commonName: gateway-peering
      secretName: gateway-peering
      issuerRef:
        name: <apiconnectCluster_name>-ingress-issuer
      usages:
      - "server auth"
      - "client auth"
      - "signing"
      - "key encipherment"
      duration: 17520h # 2 years
      renewBefore: 48h
  2. Run the following command to apply the gateway-certs.yaml file to the target namespace of the Linux x86_64 :
    oc apply -f gateway-certs.yaml -n <namespace>
  3. Run the following command to create the secret for the admin user of the Gateway:
    oc create secret generic admin-secret --from-literal=password=admin -n <namespace>
  4. Create a file called gateway_cr.yaml containing the desired Gateway CR configuration; for example:

    Replace <apiconnectCluster_name> with the name of the API Connect cluster, and supply appropriate values for <license_ID> and <block_storage>.

    apiVersion: gateway.apiconnect.ibm.com/v1beta1
    kind: GatewayCluster
    metadata:
      name: apic-prod-gw
      labels:
        app.kubernetes.io/instance: gateway
        app.kubernetes.io/managed-by: ibm-apiconnect
        app.kubernetes.io/name: gateway
    spec:
      license:
        accept: true
        license: <license_ID>
        use: nonproduction
      apicGatewayServiceTLS:
        secretName: gateway-service
      profile: n3xc4.m8
      apicGatewayPeeringTLS:
        secretName: gateway-peering
      version: 10.0.5.0
      tokenManagementService:
        enabled: true
        storage:
          storageClassName: <block_storage>
          volumeSize: 30Gi
      gatewayEndpoint:
        annotations:
          cert-manager.io/issuer: <apiconnectCluster_name>-ingress-issuer
      apicGatewayServiceV5CompatibilityMode: false
      adminUser:
        secretName: admin-secret
      datapowerLogLevel: 5
      gatewayManagerEndpoint:
        annotations:
          cert-manager.io/issuer: <apiconnectCluster_name>-ingress-issuer
  5. Run the following command to apply the gateway CR:
    oc apply -f gateway_cr.yaml -n <namespace>
  6. Run the following command to verify that the gateway cluster reports all services as READY:
    oc get gatewaycluster -n <namespace>