Installing operators

Install the operators that are required to deploy and manage DataPower Interact Gateway.

Before you begin

About this task

DataPower Interact Gateway depends on multiple operators that must be installed in the following order.

  1. API Connect operator
  2. NanoGateway operator
  3. Valkey operator and Valkey instance (optional)
  4. IDIG NanoGateway operator
  5. IDIG operator

After all required operators are installed and available, you can deploy the IDIG cluster.

Note: The sed commands used in this section use GNU sed syntax for Linux systems. If you are using macOS or Windows, adjust the commands as needed:
  • On macOS, use sed -i '' instead of sed -i because macOS uses BSD sed.
  • On Windows, use a Linux-compatible environment such as Windows Subsystem for Linux (WSL) or Git Bash to run the commands as documented.

Procedure

  1. Install the API Connect (APIC) operator.
    1. Install the API Connect platform components CRDs.

      Before deploying the APIC operator, you must install APIC platform components CRDs. The APIC operator requires these CRDs to function properly.

      kubectl apply --server-side --force-conflicts -f dependencies/ibm-apiconnect-crds.yaml -n ${KUBE_NAMESPACE}

      where dependencies/ibm-apiconnect-crds.yaml is the path to the ibm-apiconnect-crds.yaml file,

      The --server-side --force-conflicts options are required to avoid metadata.annotations: Too long errors that can occur when Kubernetes applies API Connect operator.

    2. Open dependencies/ibm-apiconnect.yaml in a text editor and replace the following placeholder values.
      • Replace the placeholder REPLACE-NAMESPACE with name of the namespace you created for your DataPower Interact Gateway deployment.
      • Replace the placeholder REPLACE-DOCKER-REGISTRY with the location of the target registry in which you uploaded the container images. For details, see Obtaining product files.
      • Replace the placeholder DEFAULT_IMAGE_PULL_SECRET with the registry secret name that you created while Preparing the deployment environment.
      Alternatively, if you want to replace all placeholders at once, run the following commands.
      1. Replace all placeholders at once.
        
        sed -i "s|REPLACE-DOCKER-REGISTRY|${APIC_DOCKER_REGISTRY}|g" dependencies/ibm-apiconnect.yaml
        sed -i "s|REPLACE-NAMESPACE|${KUBE_NAMESPACE}|g" dependencies/ibm-apiconnect.yaml
        sed -i "s|DEFAULT_IMAGE_PULL_SECRET|apic-registry-secret|g" dependencies/ibm-apiconnect.yaml dependencies/ibm-apiconnect.yaml
      2. Verify that all placeholder values are replaced successfully.
        
        echo "Checking replacements..."
        echo "Namespace (${KUBE_NAMESPACE}): $(grep -c "${KUBE_NAMESPACE}" dependencies/ibm-apiconnect.yaml) out of 55 occurrences replaced"
        echo "Registry (${APIC_DOCKER_REGISTRY}): $(grep -c "${APIC_DOCKER_REGISTRY}" dependencies/ibm-apiconnect.yaml) out of 4 occurrences replaced"
        echo "Image pull secret: $(grep -c "apic-registry-secret" dependencies/ibm-apiconnect.yaml) out of 1 occurrence replaced"
        echo "Remaining placeholders: $(grep -c "REPLACE-DOCKER-REGISTRY\|REPLACE-NAMESPACE\|DEFAULT_IMAGE_PULL_SECRET" dependencies/ibm-apiconnect.yaml || echo "0")"
        Confirm that the output shows the expected values and reports 0 remaining placeholders.
    3. Deploy the APIC operator.
      kubectl apply -f dependencies/ibm-apiconnect.yaml -n ${KUBE_NAMESPACE}
    4. Wait for the APIC operator to be ready.
      kubectl -n ${KUBE_NAMESPACE} wait --for=condition=Available deployment/ibm-apiconnect --timeout=300s
  2. Deploy the NanoGateway operator.
    1. Install the NanoGateway CRDs.
      kubectl apply -f dependencies/ibm-nanogw-crds.yaml
    2. Open dependencies/ibm-nanogw.yaml in a text editor and replace the following placeholder values.
      • Replace the placeholder REPLACE-NAMESPACE with name of the namespace you created for your DataPower Interact Gateway deployment.
      • Replace the placeholder REPLACE-DOCKER-REGISTRY with the location of the target registry in which you uploaded the container images. For details, see Obtaining product files.
      • Replace the placeholder DEFAULT_IMAGE_PULL_SECRET with the IBM entitlement key secret name that you created while Preparing the deployment environment.
      Alternatively, if you want to replace all placeholders at once, run the following commands.
      1. Replace all placeholders at once.
        
        sed -i "s|REPLACE-NAMESPACE|${KUBE_NAMESPACE}|g" dependencies/ibm-nanogw.yaml
        sed -i "s|DEFAULT_IMAGE_PULL_SECRET|ibm-entitlement-key|g" dependencies/ibm-nanogw.yaml
        sed -i "s|REPLACE-DOCKER-REGISTRY|${APIC_DOCKER_REGISTRY}|g" dependencies/ibm-nanogw.yaml
      2. Verify that all placeholder values are replaced successfully.
        
        echo "Checking replacements..."
        echo "Namespace (${KUBE_NAMESPACE}): $(grep -c "${KUBE_NAMESPACE}" dependencies/ibm-nanogw.yaml) out of 3 occurrences replaced"
        echo "Registry (${APIC_DOCKER_REGISTRY}): $(grep -c "${APIC_DOCKER_REGISTRY}" dependencies/ibm-nanogw.yaml) out of 1 occurrences replaced"
        echo "Image pull secret: $(grep -c "ibm-entitlement-key" dependencies/ibm-nanogw.yaml) out of 1 occurrences replaced"
        echo "Remaining placeholders: $(grep -c "REPLACE-DOCKER-REGISTRY\|REPLACE-NAMESPACE\|DEFAULT_IMAGE_PULL_SECRET" dependencies/ibm-nanogw.yaml || echo "0")"
        Confirm that the output shows the expected values and reports 0 remaining placeholders.
    3. Deploy the NanoGateway operator.
      kubectl apply -f dependencies/ibm-nanogw.yaml -n ${KUBE_NAMESPACE}
  3. Deploy the Valkey operator.

    Deploy a Valkey operator and operand to install Valkey instance as a Redis-compatible database using the release files.

    1. Create certificates for Valkey TLS communication.
      
      # Create directory for certificates
      mkdir -p certs
      cd certs
      
      # Generate CA key and certificate
      openssl genrsa -out ca.key 2048
      openssl req -x509 -new -nodes -key ca.key -sha256 -days 365 -out ca.crt -subj "/CN=ValkeyCA"
      
      # Generate server key
      openssl genrsa -out tls.key 2048
      
      # Generate certificate signing request
      openssl req -new -key tls.key -out tls.csr -subj "/CN=valkey.${KUBE_NAMESPACE}.svc.cluster.local"
      
      # Create config file for SAN
      cat > san.cnf <<EOF
      [req]
      req_extensions = v3_req
      distinguished_name = req_distinguished_name
      
      [req_distinguished_name]
      
      [v3_req]
      basicConstraints = CA:FALSE
      keyUsage = nonRepudiation, digitalSignature, keyEncipherment
      subjectAltName = @alt_names
      
      [alt_names]
      DNS.1 = valkey.${KUBE_NAMESPACE}.svc.cluster.local
      DNS.2 = valkey.${KUBE_NAMESPACE}.svc
      EOF
      
      # Generate the certificate with SAN
      openssl x509 -req -in tls.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -out tls.crt -days 365 -sha256 -extfile san.cnf -extensions v3_req
      
      cd ..
    2. Create Valkey secrets.
      
      # Create TLS secret
      kubectl create secret generic valkey-tls \
        --from-file=ca.crt=certs/ca.crt \
        --from-file=tls.crt=certs/tls.crt \
        --from-file=tls.key=certs/tls.key \
        -n ${KUBE_NAMESPACE}
      
      # Create Valkey credentials secret
      kubectl create secret generic valkey-secret \
        --from-literal=username=default \
        --from-literal=password=admin \
        -n ${KUBE_NAMESPACE}
    3. Apply the Valkey CRDs.
      kubectl apply --server-side --force-conflicts -f dependencies/valkey-crds.yaml
    4. Update the Valkey operator deployment file.

      Open dependencies/valkey-operator.yaml in a text editor and replace the following placeholder values:

      • Replace the placeholder REPLACE-NAMESPACE with name of the namespace you created for your DataPower Interact Gateway deployment.
      • Replace the placeholder REPLACE-DOCKER-REGISTRY with the location of the target registry in which you uploaded the container images. For details, see Obtaining product files.
      • Replace the placeholder DEFAULT_IMAGE_PULL_SECRET with the registry secret name that you created while Preparing the deployment environment.
      Alternatively, if you want to replace all placeholders at once, run the following commands:
      1. Replace all placeholders at once.
        
        sed -i "s|REPLACE-NAMESPACE|${KUBE_NAMESPACE}|g" dependencies/valkey-operator.yaml
        sed -i "s|DEFAULT_IMAGE_PULL_SECRET|apic-registry-secret|g" dependencies/valkey-operator.yaml
        sed -i "s|REPLACE-DOCKER-REGISTRY|${APIC_DOCKER_REGISTRY}|g" dependencies/valkey-operator.yaml
      2. Verify that all placeholder values are replaced successfully.
        
        echo "Checking replacements..."
        echo "Namespace (${KUBE_NAMESPACE}): $(grep -c "${KUBE_NAMESPACE}" dependencies/valkey-operator.yaml) out of 3 occurrences replaced"
        echo "Registry (${APIC_DOCKER_REGISTRY}): $(grep -c "${APIC_DOCKER_REGISTRY}" dependencies/valkey-operator.yaml) out of 2 occurrences replaced"
        echo "Image pull secret: $(grep -c "apic-registry-secret" dependencies/valkey-operator.yaml) out of 1 occurrence replaced"
        echo "Remaining placeholders: $(grep -c "REPLACE-DOCKER-REGISTRY\|REPLACE-NAMESPACE\|DEFAULT_IMAGE_PULL_SECRET" dependencies/valkey-operator.yaml || echo "0")"
        Confirm that the output shows the expected values and reports 0 remaining placeholders.
    5. Deploy the Valkey operator.
      kubectl apply --server-side --force-conflicts -f dependencies/valkey-operator.yaml -n ${KUBE_NAMESPACE}
    6. Deploy the Valkey instance.

      Edit dependencies/valkey_standalone_cr.yaml to replace the following placeholders:

      • Replace the placeholder REPLACE-NAMESPACE with name of the namespace you created for your DataPower Interact Gateway deployment.
      • Replace the placeholder REPLACE-DOCKER-REGISTRY with the location of the target registry in which you uploaded the container images. For details, see Obtaining product files.
      • Replace the placeholder DEFAULT_IMAGE_PULL_SECRET with the registry secret name that you created while Preparing the deployment environment.
      Alternatively, if you want to replace all placeholders at once, run the following commands:
      1. Replace all placeholders at once.
        
        sed -i "s|REPLACE-NAMESPACE|${KUBE_NAMESPACE}|g" dependencies/valkey_standalone_cr.yaml
        sed -i "s|DEFAULT_IMAGE_PULL_SECRET|apic-registry-secret|g" dependencies/valkey_standalone_cr.yaml
        sed -i "s|REPLACE-DOCKER-REGISTRY|${APIC_DOCKER_REGISTRY}|g" dependencies/valkey_standalone_cr.yaml
      2. Verify that all placeholder values are replaced successfully.
        
        echo "Checking replacements..."
        echo "Namespace (${KUBE_NAMESPACE}): $(grep -c "${KUBE_NAMESPACE}" dependencies/valkey_standalone_cr.yaml) out of 1 occurrences replaced"
        echo "Registry (${APIC_DOCKER_REGISTRY}): $(grep -c "${APIC_DOCKER_REGISTRY}" dependencies/valkey_standalone_cr.yaml) out of 1 occurrences replaced"
        echo "Image pull secret: $(grep -c "apic-registry-secret" dependencies/valkey_standalone_cr.yaml) out of 1 occurrences replaced"
        echo "Remaining placeholders: $(grep -c "REPLACE-DOCKER-REGISTRY\|REPLACE-NAMESPACE\|DEFAULT_IMAGE_PULL_SECRET" dependencies/valkey_standalone_cr.yaml || echo "0")"
        Confirm that the output shows the expected values and reports 0 remaining placeholders.
    7. Deploy Valkey instance.
      kubectl apply -f dependencies/valkey_standalone_cr.yaml -n ${KUBE_NAMESPACE}
    8. Wait for the Valkey CR to be ready.
      
      # Wait 30 seconds for operator to create pods
      sleep 30
      # Wait for pods to be ready
      kubectl -n ${KUBE_NAMESPACE} wait --for=condition=ready pod \
        -l app.kubernetes.io/name=valkey --timeout=300s
    9. Verify that Valkey is deployed.
      kubectl get pods -n ${KUBE_NAMESPACE} -l app.kubernetes.io/name=valkey
  4. Deploy the IDIG NanoGateway operator.
    1. Open ibm-idig-nanogw.yaml in a text editor and replace the following placeholder values:
      • Replace the placeholder REPLACE-NAMESPACE with name of the namespace you created for your DataPower Interact Gateway deployment.
      • Replace the placeholder REPLACE-DOCKER-REGISTRY with the location of the target registry in which you uploaded the container images. For details, see Obtaining product files.
      • Replace the placeholder DEFAULT_IMAGE_PULL_SECRET with the registry secret name that you created while Preparing the deployment environment.
      Alternatively, if you want to replace all placeholders at once, run the following commands:
      1. Replace all placeholders at once.
        
        sed -i "s|REPLACE-NAMESPACE|${KUBE_NAMESPACE}|g" ibm-idig-nanogw.yaml
        sed -i "s|DEFAULT_IMAGE_PULL_SECRET|apic-registry-secret|g" ibm-idig-nanogw.yaml
        sed -i "s|REPLACE-DOCKER-REGISTRY|${APIC_DOCKER_REGISTRY}|g" ibm-idig-nanogw.yaml
      2. Verify that all placeholder values are replaced successfully.
        
        echo "Checking replacements..."
        echo "Namespace (${KUBE_NAMESPACE}): $(grep -c "${KUBE_NAMESPACE}" ibm-idig-nanogw.yaml) out of 1 occurrence replaced"
        echo "Registry (${APIC_DOCKER_REGISTRY}): $(grep -c "${APIC_DOCKER_REGISTRY}" ibm-idig-nanogw.yaml) out of 1 occurrence replaced"
        echo "Image pull secret: $(grep -c "apic-registry-secret" ibm-idig-nanogw.yaml) out of 1 occurrence replaced"
        echo "Remaining placeholders: $(grep -c "REPLACE-DOCKER-REGISTRY\|REPLACE-NAMESPACE\|DEFAULT_IMAGE_PULL_SECRET" ibm-idig-nanogw.yaml || echo "0")"
        Confirm that the output shows the expected values and reports 0 remaining placeholders.
    2. Deploy the IDIG NanoGateway operator.
      kubectl apply -f ibm-idig-nanogw.yaml -n ${KUBE_NAMESPACE}
    3. Wait for the IDIG NanoGateway operator to become available.
      
      kubectl -n ${KUBE_NAMESPACE} wait --for=condition=Available \
        deployment/idig-gw-operator --timeout=120s
  5. Deploy the IDIG operator.
    1. Open ibm-idig-operator.yaml in a text editor and replace the following placeholder values:
      • Replace the placeholder REPLACE-NAMESPACE with name of the namespace you created for your DataPower Interact Gateway deployment.
      • Replace the placeholder REPLACE-DOCKER-REGISTRY with the location of the target registry in which you uploaded the container images. For details, see Obtaining product files.
      • Replace the placeholder DEFAULT_IMAGE_PULL_SECRET with the registry secret name that you created while Preparing the deployment environment.
      Alternatively, if you want to replace all placeholders at once, run the following commands:
      1. Replace all placeholders at once.
        
        sed -i "s|REPLACE-NAMESPACE|${KUBE_NAMESPACE}|g" ibm-idig-operator.yaml
        sed -i "s|REPLACE-DOCKER-REGISTRY|${APIC_DOCKER_REGISTRY}|g" ibm-idig-operator.yaml
        sed -i "s|DEFAULT_IMAGE_PULL_SECRET|apic-registry-secret|g" ibm-idig-operator.yaml
      2. Verify that all placeholder values are replaced successfully.
        
        echo "Checking replacements..."
        echo "Namespace (${KUBE_NAMESPACE}): $(grep -c "${KUBE_NAMESPACE}" ibm-idig-operator.yaml) out of 7 occurrences replaced"
        echo "Registry (${APIC_DOCKER_REGISTRY}): $(grep -c "${APIC_DOCKER_REGISTRY}" ibm-idig-operator.yaml) out of 1 occurrence replaced"
        echo "Image pull secret: $(grep -c "apic-registry-secret" ibm-idig-operator.yaml) out of 1 occurrence replaced"
        echo "Remaining placeholders: $(grep -c "REPLACE-DOCKER-REGISTRY\|REPLACE-NAMESPACE\|DEFAULT_IMAGE_PULL_SECRET" ibm-idig-operator.yaml || echo "0")"
        Confirm that the output shows the expected values and reports 0 remaining placeholders.
    2. Deploy the IDIG operator.
      kubectl apply -f ibm-idig-operator.yaml -n ${KUBE_NAMESPACE}
    3. Wait for the IDIG operator to become available.
      
      kubectl -n ${KUBE_NAMESPACE} wait --for=condition=Available \
        deployment/idig-operator --timeout=120s
    4. Continue to install IDIG cluster.
    If you encounter any problem while installing operators, see Troubleshooting installation on Kubernetes section.