Install the third-party prerequisite components that are required before you deploy
DataPower Interact
Gateway
on Kubernetes.
Before you begin
Make sure that the following requirements are met:
- You obtained the product release files. For details, see Obtaining product files.
- You installed the latest Docker version.
- Your Kubernetes cluster is running version 1.28 or
later.
kubectl is configured to access your Kubernetes cluster.
- You have Kubernetes cluster administrator permissions to create custom resource definitions
(CRDs) and other cluster-scoped resources.
- You have credentials to access the target container registry to which you want
to upload the container images.
About this task
In this task, you use the manifests in the
helper_files directory of
the
DataPower Interact
Gateway product release files to install and configure the third-party components that provide
certificate management and network routing services for the IDIG platform. You will perform the
following tasks.
- Create a namespace for the DataPower Interact
Gateway
deployment.
- Install cert-manager.
- Install and configure the ingress issuer.
- Install the Kubernetes Gateway API custom resource definitions (CRDs).
- Install and configure Envoy Gateway.
- Create the GatewayClass that is required by DataPower Interact
Gateway.
- Obtain Watsonx credentials to enable GenAI service.
Procedure
-
Set your KUBECONFIG to point to your target cluster.
export KUBECONFIG=path_to_cluster_kubeconfig_YAML_file
An example path is /Users/user/.kube/clusters/cluster_name/kube-config-cluster_name.yaml.
-
Create a new namespace in the Kubernetes cluster for your DataPower Interact
Gateway
deployment.
# Set the KUBE_NAMESPACE environment variable
export KUBE_NAMESPACE="idig-system"
# Create a Kubernetes namespace using the value stored in the KUBE_NAMESPACE environment variable.
kubectl create namespace ${KUBE_NAMESPACE}
In the example, idig-system is the IDIG namespace name and export
KUBE_NAMESPACE="idig-system" sets the KUBE_NAMESPACE environment variable in the current
shell session allowing subsequent commands to reference the namespace without hardcoding its value.
You can provide any name to the IDIG namespace.
-
Install cert-manager.
Cert-manager adds convenience to the generation and management of DataPower Interact
Gateway
certificates.
-
Obtain the certificate manager.
-
Apply the Custom Resource (CR).
kubectl apply -f helper_files/cert-manager-1.20.2.yaml
where helper_files/cert-manager-1.20.2.yaml is the path to the
cert-manager-1.20.2.yaml file.
-
Verify that all three cert-manager pods are running.
kubectl get pods -n cert-manager
# Wait until all three cert-manager pods in the cert-manager namespace reach the Ready state.
kubectl wait --for=condition=ready pod -l app.kubernetes.io/instance=cert-manager -n cert-manager --timeout=180s
-
Install the ingress-ca issuer that cert-manager uses to issue certificates and configure the
root self-signed Certificate Authority (CA) for DataPower Interact
Gateway
platform components.
-
Apply the ingress-issuer-v1.yaml file to the IDIG namespace.
kubectl apply -f helper_files/ingress-issuer-v1.yaml -n ${KUBE_NAMESPACE}
where helper_files/ingress-issuer-v1.yaml is the path to the
ingress-issuer-v1.yaml file.
-
Verify that the ingress-ca issuer is created.
kubectl get issuers -n ${KUBE_NAMESPACE}
#Wait for the issuer to become ready.
kubectl wait --for=condition=ready issuer ingress-issuer -n ${KUBE_NAMESPACE} --timeout=60s
Sample output:
NAME READY AGE
ingress-issuer True 1m
-
Install Kubernetes Gateway API custom resource definitions (CRDs).
Gateway API provides advanced traffic-routing capabilities for Kubernetes. DataPower Interact
Gateway
requires Gateway API v1.4.1 experimental CRDs and Envoy Gateway.
-
Install the Gateway API v1.4.1 experimental CRD from the helper_files
directory in the DataPower Interact
Gateway v12.1
product files.
kubectl apply --server-side --force-conflicts -f helper_files/gateway-api-experimental-install-v1.4.1.yaml
where: helper_files/gateway-api-experimental-install-v1.4.1.yaml is the path
to the gateway-api-experimental-install-v1.4.1.yaml file,
The --server-side --force-conflicts options are required to avoid
metadata.annotations: Too long errors that can occur when Kubernetes
applies Gateway API CRDs.
-
Install Envoy Gateway v1.7.0 using the official installation manifest.
# Install Envoy Gateway with server-side apply to handle CRD conflicts
kubectl apply --force-conflicts --server-side \
-f https://github.com/envoyproxy/gateway/releases/download/v1.7.0/install.yaml
# Wait for Envoy Gateway to be ready (this may take 1-2 minutes)
kubectl wait --timeout=300s \
--for=condition=available deployment/envoy-gateway \
-n envoy-gateway-system
# Verify installation
kubectl get pods -n envoy-gateway-system
For alternative installation methods, see the Envoy Gateway
Installation Guide.
- Configure
Envoy Proxy with Gateway Merging enabled. Create
an
Envoy Proxy resource with
mergeGateways: true enabled. This
setting is required for
DataPower Interact
Gateway to
function correctly, as it allows multiple Gateway resources to share the same Envoy proxy
infrastructure.
kubectl apply -f - <<EOF
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
name: custom-proxy-config
namespace: envoy-gateway-system
spec:
# Required: Enable gateway merging for API Connect
mergeGateways: true
provider:
type: Kubernetes
kubernetes:
envoyDeployment:
pod:
# Optional: Customize pod configuration as needed
# Remove or modify nodeSelector based on your cluster topology
nodeSelector:
node-role.kubernetes.io/control-plane: ""
EOF
# Verify EnvoyProxy resource creation
kubectl get envoyproxy -n envoy-gateway-system
-
Create the Gateway Class that references the custom
EnvoyProxy
configuration.
kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
name: envoy
spec:
controllerName: gateway.envoyproxy.io/gatewayclass-controller
parametersRef:
group: gateway.envoyproxy.io
kind: EnvoyProxy
name: custom-proxy-config
namespace: envoy-gateway-system
EOF
# Verify GatewayClass is accepted
kubectl get gatewayclass envoy
The output should show ACCEPTED: True in the status.
- Verify the installation.
# Check all Envoy Gateway components
kubectl get all -n envoy-gateway-system
# Verify GatewayClass status
kubectl describe gatewayclass envoy
# Check EnvoyProxy configuration
kubectl describe envoyproxy custom-proxy-config -n envoy-gateway-system
-
Verify that the Gateway API v1.4.1 CRDs are installed.
kubectl get crd gatewayclasses.gateway.networking.k8s.io
kubectl get crd httproutes.gateway.networking.k8s.io
-
Configure Envoy Gateway to support TLS 1.3 for backend connections and to enable Backend custom
resources (CRs).
Backend custom resources are required by DataPower Interact
Gateway for
backend TLS communication and to set up gateway merging for advanced routing capabilities.
- Configure TLS 1.3 support.
- Edit the EnvoyProxy resource and enable TLS 1.3 for backend
connections.
kubectl edit envoyproxy custom-proxy-config -n envoy-gateway-system
- Add the following
backendTLS configuration under the spec
section and save the changes.
spec:
backendTLS:
minVersion: "1.3"
maxVersion: "1.3"
# ... rest of existing configuration
- Verify that the TLS configuration is
applied.
kubectl get envoyproxy custom-proxy-config -n envoy-gateway-system
kubectl get envoyproxy custom-proxy-config -n envoy-gateway-system -o jsonpath='{.spec.backendTLS}'
Sample output:
{"maxVersion":"1.3","minVersion":"1.3"}
- Enable backend CR support.
- Edit the
envoy-gateway-config ConfigMap to enable backend custom
resources.kubectl edit configmap envoy-gateway-config -n envoy-gateway-system
- Add the
extensionApis section with enableBackend: true to the
envoy-gateway.yaml data field.
data:
envoy-gateway.yaml: |
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyGateway
extensionApis:
enableBackend: true
gateway:
controllerName: gateway.envoyproxy.io/gatewayclass-controller
# ... rest of existing configuration
- Verify that the backend support is
enabled.
kubectl get configmap envoy-gateway-config -n envoy-gateway-system -o jsonpath='{.data.envoy-gateway\.yaml}' | grep -A 1 "extensionApis:"
Sample
output:extensionApis:
enableBackend: true
-
Restart the envoy-gateway deployment to apply the updated ConfigMap configuration.
kubectl rollout restart deployment envoy-gateway -n envoy-gateway-system
kubectl rollout status deployment envoy-gateway -n envoy-gateway-system --timeout=120s
Important: DataPower Interact
Gateway
requires these configurations to properly manage backend TLS connections and advanced routing
through Backend CRs.
- Optional:
If you want to enable the GenAI service and use the MCP server enhancer feature to improve tool
descriptions when converting APIs to MCP tools, obtain the following Watsonx credentials:
- Watsonx API key
- Watsonx Project ID
Note: If you do not provide Watsonx credentials, the GenAI service is not deployed. All other DataPower Interact
Gateway
platform components are installed and continue to function normally.
- Configure registry credentials, image pull secrets, and optional Watsonx credentials that
are required to deploy DataPower Interact
Gateway. For
details, see Preparing the deployment environment.