Installing prerequisite components

Install the third-party prerequisite components that are required before you deploy DataPower Interact Gateway on Kubernetes.

Before you begin

Make sure that the following requirements are met:

  • You obtained the product release files. For details, see Obtaining product files.
  • You installed the latest Docker version.
  • Your Kubernetes cluster is running version 1.28 or later.
  • kubectl is configured to access your Kubernetes cluster.
  • You have Kubernetes cluster administrator permissions to create custom resource definitions (CRDs) and other cluster-scoped resources.
  • You have credentials to access the target container registry to which you want to upload the container images.

About this task

In this task, you use the manifests in the helper_files directory of the DataPower Interact Gateway product release files to install and configure the third-party components that provide certificate management and network routing services for the IDIG platform. You will perform the following tasks.
  1. Create a namespace for the DataPower Interact Gateway deployment.
  2. Install cert-manager.
  3. Install and configure the ingress issuer.
  4. Install the Kubernetes Gateway API custom resource definitions (CRDs).
  5. Install and configure Envoy Gateway.
  6. Create the GatewayClass that is required by DataPower Interact Gateway.
  7. Obtain Watsonx credentials to enable GenAI service.

Procedure

  1. Set your KUBECONFIG to point to your target cluster.
    export KUBECONFIG=path_to_cluster_kubeconfig_YAML_file

    An example path is /Users/user/.kube/clusters/cluster_name/kube-config-cluster_name.yaml.

  2. Create a new namespace in the Kubernetes cluster for your DataPower Interact Gateway deployment.
    
    # Set the KUBE_NAMESPACE environment variable
    export KUBE_NAMESPACE="idig-system"
    # Create a Kubernetes namespace using the value stored in the KUBE_NAMESPACE environment variable.
    kubectl create namespace ${KUBE_NAMESPACE}

    In the example, idig-system is the IDIG namespace name and export KUBE_NAMESPACE="idig-system" sets the KUBE_NAMESPACE environment variable in the current shell session allowing subsequent commands to reference the namespace without hardcoding its value. You can provide any name to the IDIG namespace.

  3. Install cert-manager.

    Cert-manager adds convenience to the generation and management of DataPower Interact Gateway certificates.

    1. Obtain the certificate manager.

      DataPower Interact Gateway uses cert-manager v1.20.2, which is a native Kubernetes certificate management controller.

      You can obtain the cert-manager-1.20.2.yaml file from the helper_files directory in the DataPower Interact Gateway v12.1 product files, or download it from https://github.com/cert-manager/cert-manager/releases/tag/v1.20.2.

    2. Apply the Custom Resource (CR).
      kubectl apply -f helper_files/cert-manager-1.20.2.yaml

      where helper_files/cert-manager-1.20.2.yaml is the path to the cert-manager-1.20.2.yaml file.

    3. Verify that all three cert-manager pods are running.
      
      kubectl get pods -n cert-manager
      # Wait until all three cert-manager pods in the cert-manager namespace reach the Ready state.
      kubectl wait --for=condition=ready pod -l app.kubernetes.io/instance=cert-manager -n cert-manager --timeout=180s
      
  4. Install the ingress-ca issuer that cert-manager uses to issue certificates and configure the root self-signed Certificate Authority (CA) for DataPower Interact Gateway platform components.
    1. Apply the ingress-issuer-v1.yaml file to the IDIG namespace.
      kubectl apply -f helper_files/ingress-issuer-v1.yaml -n ${KUBE_NAMESPACE}

      where helper_files/ingress-issuer-v1.yaml is the path to the ingress-issuer-v1.yaml file.

    2. Verify that the ingress-ca issuer is created.
      
      kubectl get issuers -n ${KUBE_NAMESPACE}
      #Wait for the issuer to become ready.
      kubectl wait --for=condition=ready issuer ingress-issuer -n ${KUBE_NAMESPACE} --timeout=60s

      Sample output:

      
      NAME             READY   AGE
      ingress-issuer   True    1m
  5. Install Kubernetes Gateway API custom resource definitions (CRDs).

    Gateway API provides advanced traffic-routing capabilities for Kubernetes. DataPower Interact Gateway requires Gateway API v1.4.1 experimental CRDs and Envoy Gateway.

    1. Install the Gateway API v1.4.1 experimental CRD from the helper_files directory in the DataPower Interact Gateway v12.1 product files.
      kubectl apply --server-side --force-conflicts -f helper_files/gateway-api-experimental-install-v1.4.1.yaml

      where: helper_files/gateway-api-experimental-install-v1.4.1.yaml is the path to the gateway-api-experimental-install-v1.4.1.yaml file,

      The --server-side --force-conflicts options are required to avoid metadata.annotations: Too long errors that can occur when Kubernetes applies Gateway API CRDs.

    2. Install Envoy Gateway v1.7.0 using the official installation manifest.
      
      # Install Envoy Gateway with server-side apply to handle CRD conflicts
      kubectl apply --force-conflicts --server-side \
        -f https://github.com/envoyproxy/gateway/releases/download/v1.7.0/install.yaml
      
      # Wait for Envoy Gateway to be ready (this may take 1-2 minutes)
      kubectl wait --timeout=300s \
        --for=condition=available deployment/envoy-gateway \
        -n envoy-gateway-system
      
      # Verify installation
      kubectl get pods -n envoy-gateway-system

      For alternative installation methods, see the Envoy Gateway Installation Guide.

    3. Configure Envoy Proxy with Gateway Merging enabled.
      Create an Envoy Proxy resource with mergeGateways: true enabled. This setting is required for DataPower Interact Gateway to function correctly, as it allows multiple Gateway resources to share the same Envoy proxy infrastructure.
      
      kubectl apply -f - <<EOF
      apiVersion: gateway.envoyproxy.io/v1alpha1
      kind: EnvoyProxy
      metadata:
        name: custom-proxy-config
        namespace: envoy-gateway-system
      spec:
        # Required: Enable gateway merging for API Connect
        mergeGateways: true
        provider:
          type: Kubernetes
          kubernetes:
            envoyDeployment:
              pod:
                # Optional: Customize pod configuration as needed
                # Remove or modify nodeSelector based on your cluster topology
                nodeSelector:
                  node-role.kubernetes.io/control-plane: ""
      EOF
      
      # Verify EnvoyProxy resource creation
      kubectl get envoyproxy -n envoy-gateway-system
    4. Create the Gateway Class that references the custom EnvoyProxy configuration.
      
      kubectl apply -f - <<EOF
      apiVersion: gateway.networking.k8s.io/v1
      kind: GatewayClass
      metadata:
        name: envoy
      spec:
        controllerName: gateway.envoyproxy.io/gatewayclass-controller
        parametersRef:
          group: gateway.envoyproxy.io
          kind: EnvoyProxy
          name: custom-proxy-config
          namespace: envoy-gateway-system
      EOF
      
      # Verify GatewayClass is accepted
      kubectl get gatewayclass envoy

      The output should show ACCEPTED: True in the status.

    5. Verify the installation.
      
      # Check all Envoy Gateway components
      kubectl get all -n envoy-gateway-system
      
      # Verify GatewayClass status
      kubectl describe gatewayclass envoy
      
      # Check EnvoyProxy configuration
      kubectl describe envoyproxy custom-proxy-config -n envoy-gateway-system
    6. Verify that the Gateway API v1.4.1 CRDs are installed.
      
      kubectl get crd gatewayclasses.gateway.networking.k8s.io
      kubectl get crd httproutes.gateway.networking.k8s.io
    7. Configure Envoy Gateway to support TLS 1.3 for backend connections and to enable Backend custom resources (CRs).

      Backend custom resources are required by DataPower Interact Gateway for backend TLS communication and to set up gateway merging for advanced routing capabilities.

      1. Configure TLS 1.3 support.
        1. Edit the EnvoyProxy resource and enable TLS 1.3 for backend connections.
          kubectl edit envoyproxy custom-proxy-config -n envoy-gateway-system
        2. Add the following backendTLS configuration under the spec section and save the changes.
          
          spec:
            backendTLS:
              minVersion: "1.3"
              maxVersion: "1.3"
          # ... rest of existing configuration
           
        3. Verify that the TLS configuration is applied.
          kubectl get envoyproxy custom-proxy-config -n envoy-gateway-system
          kubectl get envoyproxy custom-proxy-config -n envoy-gateway-system -o jsonpath='{.spec.backendTLS}'
          Sample output:
          {"maxVersion":"1.3","minVersion":"1.3"}
      2. Enable backend CR support.
        1. Edit the envoy-gateway-config ConfigMap to enable backend custom resources.
          kubectl edit configmap envoy-gateway-config -n envoy-gateway-system
        2. Add the extensionApis section with enableBackend: true to the envoy-gateway.yaml data field.
          
          data:
            envoy-gateway.yaml: |
              apiVersion: gateway.envoyproxy.io/v1alpha1
              kind: EnvoyGateway
              extensionApis:
                enableBackend: true
              gateway:
                controllerName: gateway.envoyproxy.io/gatewayclass-controller
              # ... rest of existing configuration
        3. Verify that the backend support is enabled.
          kubectl get configmap envoy-gateway-config -n envoy-gateway-system -o jsonpath='{.data.envoy-gateway\.yaml}' | grep -A 1 "extensionApis:"
          Sample output:
          extensionApis:
            enableBackend: true
    8. Restart the envoy-gateway deployment to apply the updated ConfigMap configuration.
      
      kubectl rollout restart deployment envoy-gateway -n envoy-gateway-system
      kubectl rollout status deployment envoy-gateway -n envoy-gateway-system --timeout=120s
      Important: DataPower Interact Gateway requires these configurations to properly manage backend TLS connections and advanced routing through Backend CRs.
  6. Optional: If you want to enable the GenAI service and use the MCP server enhancer feature to improve tool descriptions when converting APIs to MCP tools, obtain the following Watsonx credentials:
    • Watsonx API key
    • Watsonx Project ID
    Note: If you do not provide Watsonx credentials, the GenAI service is not deployed. All other DataPower Interact Gateway platform components are installed and continue to function normally.
  7. Configure registry credentials, image pull secrets, and optional Watsonx credentials that are required to deploy DataPower Interact Gateway. For details, see Preparing the deployment environment.