Installing operators
Install the operators that are required to deploy and manage DataPower Interact Gateway.
Before you begin
About this task
DataPower Interact Gateway depends on multiple operators that must be installed in the following order.
- API Connect operator
- NanoGateway operator
- Valkey operator and Valkey instance (optional)
- IDIG NanoGateway operator
- IDIG operator
After all required operators are installed and available, you can deploy the IDIG cluster.
sed commands used in this section use GNU sed syntax for
Linux systems. If you are using macOS or Windows, adjust the commands as needed:- On macOS, use
sed -i ''instead ofsed -ibecause macOS uses BSDsed. - On Windows, use a Linux-compatible environment such as Windows Subsystem for Linux (WSL) or Git Bash to run the commands as documented.
Procedure
- Install the API Connect (APIC) operator.
-
Install the API Connect platform components CRDs.
Before deploying the APIC operator, you must install APIC platform components CRDs. The APIC operator requires these CRDs to function properly.
kubectl apply --server-side --force-conflicts -f dependencies/ibm-apiconnect-crds.yaml -n ${KUBE_NAMESPACE}where dependencies/ibm-apiconnect-crds.yaml is the path to the ibm-apiconnect-crds.yaml file,
The
--server-side --force-conflictsoptions are required to avoid metadata.annotations: Too long errors that can occur when Kubernetes applies API Connect operator. -
Open dependencies/ibm-apiconnect.yaml in a text editor and replace the
following placeholder values.
- Replace the placeholder REPLACE-NAMESPACE with name of the namespace you created for your DataPower Interact Gateway deployment.
- Replace the placeholder REPLACE-DOCKER-REGISTRY with the location of the target registry in which you uploaded the container images. For details, see Obtaining product files.
- Replace the placeholder DEFAULT_IMAGE_PULL_SECRET with the registry secret name that you created while Preparing the deployment environment.
Alternatively, if you want to replace all placeholders at once, run the following commands.- Replace all placeholders at once.
sed -i "s|REPLACE-DOCKER-REGISTRY|${APIC_DOCKER_REGISTRY}|g" dependencies/ibm-apiconnect.yaml sed -i "s|REPLACE-NAMESPACE|${KUBE_NAMESPACE}|g" dependencies/ibm-apiconnect.yaml sed -i "s|DEFAULT_IMAGE_PULL_SECRET|apic-registry-secret|g" dependencies/ibm-apiconnect.yaml dependencies/ibm-apiconnect.yaml - Verify that all placeholder values are replaced
successfully.
Confirm that the output shows the expected values and reports 0 remaining placeholders.echo "Checking replacements..." echo "Namespace (${KUBE_NAMESPACE}): $(grep -c "${KUBE_NAMESPACE}" dependencies/ibm-apiconnect.yaml) out of 55 occurrences replaced" echo "Registry (${APIC_DOCKER_REGISTRY}): $(grep -c "${APIC_DOCKER_REGISTRY}" dependencies/ibm-apiconnect.yaml) out of 4 occurrences replaced" echo "Image pull secret: $(grep -c "apic-registry-secret" dependencies/ibm-apiconnect.yaml) out of 1 occurrence replaced" echo "Remaining placeholders: $(grep -c "REPLACE-DOCKER-REGISTRY\|REPLACE-NAMESPACE\|DEFAULT_IMAGE_PULL_SECRET" dependencies/ibm-apiconnect.yaml || echo "0")"
-
Deploy the APIC operator.
kubectl apply -f dependencies/ibm-apiconnect.yaml -n ${KUBE_NAMESPACE} -
Wait for the APIC operator to be ready.
kubectl -n ${KUBE_NAMESPACE} wait --for=condition=Available deployment/ibm-apiconnect --timeout=300s
-
Install the API Connect platform components CRDs.
-
Deploy the NanoGateway operator.
-
Install the NanoGateway CRDs.
kubectl apply -f dependencies/ibm-nanogw-crds.yaml -
Open dependencies/ibm-nanogw.yaml in a text editor and replace the
following placeholder values.
- Replace the placeholder REPLACE-NAMESPACE with name of the namespace you created for your DataPower Interact Gateway deployment.
- Replace the placeholder REPLACE-DOCKER-REGISTRY with the location of the target registry in which you uploaded the container images. For details, see Obtaining product files.
- Replace the placeholder DEFAULT_IMAGE_PULL_SECRET with the IBM entitlement key secret name that you created while Preparing the deployment environment.
Alternatively, if you want to replace all placeholders at once, run the following commands.- Replace all placeholders at once.
sed -i "s|REPLACE-NAMESPACE|${KUBE_NAMESPACE}|g" dependencies/ibm-nanogw.yaml sed -i "s|DEFAULT_IMAGE_PULL_SECRET|ibm-entitlement-key|g" dependencies/ibm-nanogw.yaml sed -i "s|REPLACE-DOCKER-REGISTRY|${APIC_DOCKER_REGISTRY}|g" dependencies/ibm-nanogw.yaml - Verify that all placeholder values are replaced
successfully.
Confirm that the output shows the expected values and reports 0 remaining placeholders.echo "Checking replacements..." echo "Namespace (${KUBE_NAMESPACE}): $(grep -c "${KUBE_NAMESPACE}" dependencies/ibm-nanogw.yaml) out of 3 occurrences replaced" echo "Registry (${APIC_DOCKER_REGISTRY}): $(grep -c "${APIC_DOCKER_REGISTRY}" dependencies/ibm-nanogw.yaml) out of 1 occurrences replaced" echo "Image pull secret: $(grep -c "ibm-entitlement-key" dependencies/ibm-nanogw.yaml) out of 1 occurrences replaced" echo "Remaining placeholders: $(grep -c "REPLACE-DOCKER-REGISTRY\|REPLACE-NAMESPACE\|DEFAULT_IMAGE_PULL_SECRET" dependencies/ibm-nanogw.yaml || echo "0")"
- Deploy the NanoGateway operator.
kubectl apply -f dependencies/ibm-nanogw.yaml -n ${KUBE_NAMESPACE}
-
Install the NanoGateway CRDs.
-
Deploy the Valkey operator.
Deploy a Valkey operator and operand to install Valkey instance as a Redis-compatible database using the release files.
-
Create certificates for Valkey TLS communication.
# Create directory for certificates mkdir -p certs cd certs # Generate CA key and certificate openssl genrsa -out ca.key 2048 openssl req -x509 -new -nodes -key ca.key -sha256 -days 365 -out ca.crt -subj "/CN=ValkeyCA" # Generate server key openssl genrsa -out tls.key 2048 # Generate certificate signing request openssl req -new -key tls.key -out tls.csr -subj "/CN=valkey.${KUBE_NAMESPACE}.svc.cluster.local" # Create config file for SAN cat > san.cnf <<EOF [req] req_extensions = v3_req distinguished_name = req_distinguished_name [req_distinguished_name] [v3_req] basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectAltName = @alt_names [alt_names] DNS.1 = valkey.${KUBE_NAMESPACE}.svc.cluster.local DNS.2 = valkey.${KUBE_NAMESPACE}.svc EOF # Generate the certificate with SAN openssl x509 -req -in tls.csr -CA ca.crt -CAkey ca.key -CAcreateserial \ -out tls.crt -days 365 -sha256 -extfile san.cnf -extensions v3_req cd .. -
Create Valkey secrets.
# Create TLS secret kubectl create secret generic valkey-tls \ --from-file=ca.crt=certs/ca.crt \ --from-file=tls.crt=certs/tls.crt \ --from-file=tls.key=certs/tls.key \ -n ${KUBE_NAMESPACE} # Create Valkey credentials secret kubectl create secret generic valkey-secret \ --from-literal=username=default \ --from-literal=password=admin \ -n ${KUBE_NAMESPACE} -
Apply the Valkey CRDs.
kubectl apply --server-side --force-conflicts -f dependencies/valkey-crds.yaml -
Update the Valkey operator deployment file.
Open dependencies/valkey-operator.yaml in a text editor and replace the following placeholder values:
- Replace the placeholder REPLACE-NAMESPACE with name of the namespace you created for your DataPower Interact Gateway deployment.
- Replace the placeholder REPLACE-DOCKER-REGISTRY with the location of the target registry in which you uploaded the container images. For details, see Obtaining product files.
- Replace the placeholder DEFAULT_IMAGE_PULL_SECRET with the registry secret name that you created while Preparing the deployment environment.
Alternatively, if you want to replace all placeholders at once, run the following commands:- Replace all placeholders at once.
sed -i "s|REPLACE-NAMESPACE|${KUBE_NAMESPACE}|g" dependencies/valkey-operator.yaml sed -i "s|DEFAULT_IMAGE_PULL_SECRET|apic-registry-secret|g" dependencies/valkey-operator.yaml sed -i "s|REPLACE-DOCKER-REGISTRY|${APIC_DOCKER_REGISTRY}|g" dependencies/valkey-operator.yaml - Verify that all placeholder values are replaced
successfully.
Confirm that the output shows the expected values and reports 0 remaining placeholders.echo "Checking replacements..." echo "Namespace (${KUBE_NAMESPACE}): $(grep -c "${KUBE_NAMESPACE}" dependencies/valkey-operator.yaml) out of 3 occurrences replaced" echo "Registry (${APIC_DOCKER_REGISTRY}): $(grep -c "${APIC_DOCKER_REGISTRY}" dependencies/valkey-operator.yaml) out of 2 occurrences replaced" echo "Image pull secret: $(grep -c "apic-registry-secret" dependencies/valkey-operator.yaml) out of 1 occurrence replaced" echo "Remaining placeholders: $(grep -c "REPLACE-DOCKER-REGISTRY\|REPLACE-NAMESPACE\|DEFAULT_IMAGE_PULL_SECRET" dependencies/valkey-operator.yaml || echo "0")"
-
Deploy the Valkey operator.
kubectl apply --server-side --force-conflicts -f dependencies/valkey-operator.yaml -n ${KUBE_NAMESPACE} -
Deploy the Valkey instance.
Edit dependencies/valkey_standalone_cr.yaml to replace the following placeholders:
- Replace the placeholder REPLACE-NAMESPACE with name of the namespace you created for your DataPower Interact Gateway deployment.
- Replace the placeholder REPLACE-DOCKER-REGISTRY with the location of the target registry in which you uploaded the container images. For details, see Obtaining product files.
- Replace the placeholder DEFAULT_IMAGE_PULL_SECRET with the registry secret name that you created while Preparing the deployment environment.
Alternatively, if you want to replace all placeholders at once, run the following commands:- Replace all placeholders at once.
sed -i "s|REPLACE-NAMESPACE|${KUBE_NAMESPACE}|g" dependencies/valkey_standalone_cr.yaml sed -i "s|DEFAULT_IMAGE_PULL_SECRET|apic-registry-secret|g" dependencies/valkey_standalone_cr.yaml sed -i "s|REPLACE-DOCKER-REGISTRY|${APIC_DOCKER_REGISTRY}|g" dependencies/valkey_standalone_cr.yaml - Verify that all placeholder values are replaced
successfully.
Confirm that the output shows the expected values and reports 0 remaining placeholders.echo "Checking replacements..." echo "Namespace (${KUBE_NAMESPACE}): $(grep -c "${KUBE_NAMESPACE}" dependencies/valkey_standalone_cr.yaml) out of 1 occurrences replaced" echo "Registry (${APIC_DOCKER_REGISTRY}): $(grep -c "${APIC_DOCKER_REGISTRY}" dependencies/valkey_standalone_cr.yaml) out of 1 occurrences replaced" echo "Image pull secret: $(grep -c "apic-registry-secret" dependencies/valkey_standalone_cr.yaml) out of 1 occurrences replaced" echo "Remaining placeholders: $(grep -c "REPLACE-DOCKER-REGISTRY\|REPLACE-NAMESPACE\|DEFAULT_IMAGE_PULL_SECRET" dependencies/valkey_standalone_cr.yaml || echo "0")"
-
Deploy Valkey instance.
kubectl apply -f dependencies/valkey_standalone_cr.yaml -n ${KUBE_NAMESPACE} -
Wait for the Valkey CR to be ready.
# Wait 30 seconds for operator to create pods sleep 30 # Wait for pods to be ready kubectl -n ${KUBE_NAMESPACE} wait --for=condition=ready pod \ -l app.kubernetes.io/name=valkey --timeout=300s -
Verify that Valkey is deployed.
kubectl get pods -n ${KUBE_NAMESPACE} -l app.kubernetes.io/name=valkey
-
Create certificates for Valkey TLS communication.
-
Deploy the IDIG NanoGateway operator.
-
Open ibm-idig-nanogw.yaml in a text editor and replace the following
placeholder values:
- Replace the placeholder REPLACE-NAMESPACE with name of the namespace you created for your DataPower Interact Gateway deployment.
- Replace the placeholder REPLACE-DOCKER-REGISTRY with the location of the target registry in which you uploaded the container images. For details, see Obtaining product files.
- Replace the placeholder DEFAULT_IMAGE_PULL_SECRET with the registry secret name that you created while Preparing the deployment environment.
Alternatively, if you want to replace all placeholders at once, run the following commands:- Replace all placeholders at once.
sed -i "s|REPLACE-NAMESPACE|${KUBE_NAMESPACE}|g" ibm-idig-nanogw.yaml sed -i "s|DEFAULT_IMAGE_PULL_SECRET|apic-registry-secret|g" ibm-idig-nanogw.yaml sed -i "s|REPLACE-DOCKER-REGISTRY|${APIC_DOCKER_REGISTRY}|g" ibm-idig-nanogw.yaml - Verify that all placeholder values are replaced successfully.
Confirm that the output shows the expected values and reports 0 remaining placeholders.echo "Checking replacements..." echo "Namespace (${KUBE_NAMESPACE}): $(grep -c "${KUBE_NAMESPACE}" ibm-idig-nanogw.yaml) out of 1 occurrence replaced" echo "Registry (${APIC_DOCKER_REGISTRY}): $(grep -c "${APIC_DOCKER_REGISTRY}" ibm-idig-nanogw.yaml) out of 1 occurrence replaced" echo "Image pull secret: $(grep -c "apic-registry-secret" ibm-idig-nanogw.yaml) out of 1 occurrence replaced" echo "Remaining placeholders: $(grep -c "REPLACE-DOCKER-REGISTRY\|REPLACE-NAMESPACE\|DEFAULT_IMAGE_PULL_SECRET" ibm-idig-nanogw.yaml || echo "0")"
-
Deploy the IDIG NanoGateway operator.
kubectl apply -f ibm-idig-nanogw.yaml -n ${KUBE_NAMESPACE} -
Wait for the IDIG NanoGateway operator to become available.
kubectl -n ${KUBE_NAMESPACE} wait --for=condition=Available \ deployment/idig-gw-operator --timeout=120s
-
Open ibm-idig-nanogw.yaml in a text editor and replace the following
placeholder values:
-
Deploy the IDIG operator.
-
Open ibm-idig-operator.yaml in a text editor and replace the following
placeholder values:
- Replace the placeholder REPLACE-NAMESPACE with name of the namespace you created for your DataPower Interact Gateway deployment.
- Replace the placeholder REPLACE-DOCKER-REGISTRY with the location of the target registry in which you uploaded the container images. For details, see Obtaining product files.
- Replace the placeholder DEFAULT_IMAGE_PULL_SECRET with the registry secret name that you created while Preparing the deployment environment.
Alternatively, if you want to replace all placeholders at once, run the following commands:- Replace all placeholders at once.
sed -i "s|REPLACE-NAMESPACE|${KUBE_NAMESPACE}|g" ibm-idig-operator.yaml sed -i "s|REPLACE-DOCKER-REGISTRY|${APIC_DOCKER_REGISTRY}|g" ibm-idig-operator.yaml sed -i "s|DEFAULT_IMAGE_PULL_SECRET|apic-registry-secret|g" ibm-idig-operator.yaml - Verify that all placeholder values are replaced successfully.
Confirm that the output shows the expected values and reports 0 remaining placeholders.echo "Checking replacements..." echo "Namespace (${KUBE_NAMESPACE}): $(grep -c "${KUBE_NAMESPACE}" ibm-idig-operator.yaml) out of 7 occurrences replaced" echo "Registry (${APIC_DOCKER_REGISTRY}): $(grep -c "${APIC_DOCKER_REGISTRY}" ibm-idig-operator.yaml) out of 1 occurrence replaced" echo "Image pull secret: $(grep -c "apic-registry-secret" ibm-idig-operator.yaml) out of 1 occurrence replaced" echo "Remaining placeholders: $(grep -c "REPLACE-DOCKER-REGISTRY\|REPLACE-NAMESPACE\|DEFAULT_IMAGE_PULL_SECRET" ibm-idig-operator.yaml || echo "0")"
-
Deploy the IDIG operator.
kubectl apply -f ibm-idig-operator.yaml -n ${KUBE_NAMESPACE} -
Wait for the IDIG operator to become available.
kubectl -n ${KUBE_NAMESPACE} wait --for=condition=Available \ deployment/idig-operator --timeout=120s - Continue to install IDIG cluster.
If you encounter any problem while installing operators, see Troubleshooting installation on Kubernetes section. -
Open ibm-idig-operator.yaml in a text editor and replace the following
placeholder values: