API Connect installation with 2nd Gateway Cluster

Kok Sing Khong
3 min read · May 4, 2023

This write-up describes how to install API Connect with a secondary GatewayCluster. When you install API Connect using the top-level custom resource (CR) called APIConnectCluster, all the subsystems are installed: the Management cluster, Analytics cluster, Portal cluster and Gateway cluster.

In many cases, you will need a second Gateway cluster for external APIs. You can deploy one using the custom resource (CR) called GatewayCluster.

This guide assumes that the following components are already installed:

  1. Red Hat OpenShift Container Platform v4.12
  2. Cloud Pak for Integration (common services) v2022.4.1
  3. API Connect Operator 3.3

Steps

1. Create a project/namespace.

% oc new-project apic

2. Create an IBM entitlement key.

% oc create secret docker-registry ibm-entitlement-key \
    --docker-username=cp \
    --docker-password=[REPLACE_ME] \
    --docker-server=cp.icr.io \
    --namespace=apic

3. Create APIConnectCluster by applying the following YAML file.

% oc apply -f apiconnectcluster.yaml -n apic

## apiconnectcluster.yaml
apiVersion: apiconnect.ibm.com/v1beta1
kind: APIConnectCluster
metadata:
  name: myapic
  labels:
    app.kubernetes.io/instance: apiconnect
    app.kubernetes.io/managed-by: ibm-apiconnect
    app.kubernetes.io/name: myapic
  namespace: apic
spec:
  license:
    accept: true
    license: L-VQYA-YNM22H
    metric: VIRTUAL_PROCESSOR_CORE
    use: nonproduction
  gateway:
    datapowerLogLevel: 3
    replicaCount: 1
    webGUIManagementEnabled: true
    webGUIManagementPort: 9090
  analytics:
    storage:
      enabled: true
      type: shared
    mtlsValidateClient: true
  portal:
    mtlsValidateClient: true
  profile: n1xc7.m48
  version: 10.0.5.3

4. Create certificates for the external gateway.

% oc apply -f ext-gw-certificate.yaml -n apic

## ext-gw-certificate.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: myapic-ext-gw-svc
  labels: {
    app.kubernetes.io/instance: "myapic",
    app.kubernetes.io/managed-by: "ibm-apiconnect",
    app.kubernetes.io/name: "myapic-ext-gw-svc"
  }
spec:
  commonName: myapic-ext-gw-svc
  secretName: myapic-ext-gw-svc
  issuerRef:
    name: myapic-ingress-issuer
  usages:
  - "client auth"
  - "signing"
  - "key encipherment"
  duration: 17520h # 2 years
  renewBefore: 48h
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: myapic-ext-gw-peer
  labels: {
    app.kubernetes.io/instance: "myapic",
    app.kubernetes.io/managed-by: "ibm-apiconnect",
    app.kubernetes.io/name: "myapic-ext-gw-peer"
  }
spec:
  commonName: myapic-ext-gw-peer
  secretName: myapic-ext-gw-peer
  issuerRef:
    name: myapic-ingress-issuer
  usages:
  - "server auth"
  - "client auth"
  - "signing"
  - "key encipherment"
  duration: 17520h # 2 years
  renewBefore: 48h

5. Create admin secret for external gateway.

% oc create secret generic myapic-ext-gw-admin --from-literal=password=[REPLACE_ME]

6. Create GatewayCluster by applying the following YAML file.

% oc apply -f ext-gatewaycluster.yaml -n apic

## ext-gatewaycluster.yaml
apiVersion: gateway.apiconnect.ibm.com/v1beta1
kind: GatewayCluster
metadata:
  name: myapic-ext-gw
  labels:
    app.kubernetes.io/part-of: myapic
spec:
  version: 10.0.5.3
  profile: n1xc4.m8
  apicGatewayServiceV5CompatibilityMode: false
  gatewayEndpoint:
    annotations:
      cert-manager.io/issuer: myapic-ingress-issuer
    hosts:
    - name: [NAME]-gateway-[NAMESPACE].[DOMAIN_NAME]
      secretName: myapic-ext-gw
  gatewayManagerEndpoint:
    annotations:
      cert-manager.io/issuer: myapic-ingress-issuer
    hosts:
    - name: [NAME]-gateway-manager-[NAMESPACE].[DOMAIN_NAME]
      secretName: [NAME]-gateway-manager
  apicGatewayServiceTLS:
    secretName: myapic-ext-gw-svc
  apicGatewayPeeringTLS:
    secretName: myapic-ext-gw-peer
  certManagerIssuer:
    kind: Issuer
    name: myapic-self-signed
  datapowerLogLevel: 3
  defaultLogFormat: text
  replicaCount: 1
  webGUIManagementEnabled: true
  webGUIManagementPort: 9090
  configSequenceInterval: 3000
  mtlsValidateClient: false
  apiDebugProbeMaxRecords: 1000
  apiDebugProbe: true
  apiDebugProbeExpirationMinutes: 60
  license:
    accept: true
    use: nonproduction
    license: L-VQYA-YNM22H
    metric: VIRTUAL_PROCESSOR_CORE
  adminUser:
    secretName: myapic-ext-gw-admin

7. Check the status of the APIConnectCluster deployment.

% oc get apiconnectcluster -n apic
NAME     READY   STATUS   VERSION    RECONCILED VERSION   MESSAGE                        AGE
myapic   7/7     Ready    10.0.5.3   10.0.5.3-4934        API Connect cluster is ready   2d12h

8. Check the status of the GatewayCluster deployment.

NAME            READY   STATUS    VERSION    RECONCILED VERSION   AGE
myapic-ext-gw   2/2     Running   10.0.5.3   10.0.5.3-4934        2d12h
myapic-gw       2/2     Running   10.0.5.3   10.0.5.3-4934        2d12h

9. After the installation is complete, you will need to register the gateway.
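
Before applying the external gateway manifest from step 6, it helps to see which of its settings will reach a gateway that serves external APIs. The shell function below is an added example, not part of the original article or of IBM's tooling. The list of settings it flags and the names `review_gateway_manifest` and `sample_manifest` are this example's assumptions, and the sample manifest is a constructed, abridged copy of the one in step 6.

```shell
#!/usr/bin/env bash
# Added example: review an external GatewayCluster manifest before `oc apply`.
# Usage: ./review.sh ext-gatewaycluster.yaml (exit status 1 means findings).

# review_gateway_manifest FILE
# Prints one line per finding; returns 1 if anything was flagged, else 0.
review_gateway_manifest() {
  local file="$1" flagged=0 key value hit
  # Review list (an assumption of this example): key/value pairs the article's
  # nonproduction manifest sets and that deserve a second look before exposure.
  while read -r key value; do
    hit=$(grep -nE "^[[:space:]]*${key}:[[:space:]]*${value}[[:space:]]*$" "$file" | head -n1)
    if [ -n "$hit" ]; then
      echo "REVIEW ${key}=${value} (line ${hit%%:*})"
      flagged=1
    fi
  done <<'EOF'
mtlsValidateClient false
webGUIManagementEnabled true
apiDebugProbe true
use nonproduction
EOF
  # Template placeholders such as [NAME] or [REPLACE_ME] that were never filled in.
  hit=$(grep -nE '\[[A-Z_]+\]' "$file" | sed 's/^/PLACEHOLDER line /')
  if [ -n "$hit" ]; then
    echo "$hit"
    flagged=1
  fi
  return "$flagged"
}

# Constructed sample: abridged from the article's ext-gatewaycluster.yaml.
sample_manifest() {
  cat <<'EOF'
apiVersion: gateway.apiconnect.ibm.com/v1beta1
kind: GatewayCluster
metadata:
  name: myapic-ext-gw
spec:
  gatewayEndpoint:
    hosts:
    - name: [NAME]-gateway-[NAMESPACE].[DOMAIN_NAME]
  webGUIManagementEnabled: true
  mtlsValidateClient: false
  apiDebugProbe: true
  license:
    use: nonproduction
EOF
}

[ $# -eq 0 ] || review_gateway_manifest "$1"
```

The check matches literal `key: value` lines only, so it complements rather than replaces `oc apply --dry-run=server`.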
