Want to create your own certs and secrets for API Connect?
Feel free to use this..... I do :)
This is a TEST tool, provided to help you quickly and easily generate all the certs that are required for API Connect.
There are a number of scenarios where customers might want to generate their own certificates and use them in a deployment of API Connect. Before doing this, you will want to test the scenario. This blog provides a tool that generates the certificates, builds the .yaml files and deploys the secrets to your environment. It also creates a custom resource for each subsystem type within API Connect.
A couple of notes:
- This is not an officially supported tool, I think I mentioned it is a test tool ;-)
- This will generate all certs, including external endpoints as well as internal APIC communications. Find more information here: [Certificate reference](https://www.ibm.com/support/knowledgecenter/SSMNED_2018/com.ibm.apic.install.doc/rapic_apicup_certs_reference.html)
- This is meant to be used for development and test purposes
- Verify the secrets that are applied are accurate to your yaml files
- Code is free to use and can be altered as you need
- For more information on governance and other great material on APIC, check out Chris Phillips' blog.
- Also special thanks to Chris Phillips, Jeff Imholz and Barry Mosakowski for pulling all this together.
Instructions to run:
This will also apply the secrets to the project space you are currently logged into.
To use this,
- Copy and paste the code below into a file on your local machine. I called the script APIC_Crypto_all.sh.
- Run the following command to make the script executable:
chmod +x APIC_Crypto_all.sh
- Log in to your OCP cluster via the command line. To do this:
- Go to your OpenShift Console.
- In the upper right hand corner click "IAM XXXX".
- Then click "Copy Login Command".
- This will bring up a new tab in your browser with "Display Token". Click this.
- Copy the oc login command shown under "Log in with this token".
- Then paste that into your CLI.
- Switch to the project space you wish to install into, or create a new one such as APIC. Any or all of the subsystems go into this one project.
- This script and the custom resources it defines assume the default APIC subsystem names (management, gateway, portal, analytics).
- Edit the script for your SITENAME as well. In this scenario it is dev.
- Edit the script for your defined block storage class. In this scenario it is ibmc-block-gold.
- Run
./APIC_Crypto_all.sh
After completion you will have all the secrets applied in the project space needed. This includes the certs and secrets applied on your OCP cluster to run APIC subsystems. Make sure you run the apply at the very bottom.
The Script
#!/bin/bash
# Project (namespace) currently selected with "oc project"
NS=$(oc project -q)
# Cluster apps domain: take the 3rd line of "oc get routes -A", its HOST/PORT
# column, and drop the first DNS label (the route's own host name)
HOST=$(oc get routes -A | sed -n '3p' | awk '{print $3}' | cut -d. -f2-)
# Subsystem URLs
NAMESPACE=$NS
MGMT=${NAMESPACE}-admin.$HOST
MGMT2=${NAMESPACE}-manager.$HOST
MGMT3=${NAMESPACE}-api.$HOST
MGMT4=${NAMESPACE}-consumer.$HOST
ANALYTICSCLIENT=${NAMESPACE}-ac.$HOST
ANALYTICSINGESTION=${NAMESPACE}-ai.$HOST
PORTAL_ADMIN=${NAMESPACE}-api.portal.$HOST
PORTALURL=${NAMESPACE}-portal.$HOST
GW=${NAMESPACE}-gateway.$HOST
GWMGR=${NAMESPACE}-gateway-manager.$HOST
GW5=${NAMESPACE}-v5gateway.$HOST
GWMGR5=${NAMESPACE}-v5gateway-manager.$HOST
SITENAME=dev
oc project "$NAMESPACE"
# Subject prefix for every leaf cert; the CN is appended per entry below
SUBJ="/O=cert-manager/CN="
CA_SUBJ="/C=US/ST=US/L=US/O=APIC/OU=TechSales/CN=apic-ca"
# Root key
openssl genrsa -out ca.key 4096
# Root CA (self-signed); everything below is issued by it
openssl req -x509 -new -nodes -key ca.key -sha256 -days 1024 -out ca.crt -subj "$CA_SUBJ"
# The CA goes in as the ingress-ca secret (tls.crt and ca.crt are both the CA cert)
cat >ingress.yaml <<EOF
apiVersion: v1
data:
  ca.crt: $(base64 ca.crt | tr -d '\n' )
  tls.crt: $(base64 ca.crt | tr -d '\n' )
  tls.key: $(base64 ca.key | tr -d '\n' )
kind: Secret
metadata:
  name: ingress-ca
type: kubernetes.io/tls
EOF
oc apply -f ingress.yaml
# Variables for external certificates used by all APIC subsystems.
# VAR_KEY is both the file name and the secret name; VAR_EXT is the openssl
# extension section (SAN and key usage) applied when the CSR is signed.
VAR_SUBJ[1]=$SUBJ
VAR_KEY[1]=api-endpoint
VAR_EXT[1]="\n[SAN]\nsubjectAltName=DNS:$MGMT3,DNS:$MGMT3\nextendedKeyUsage=serverAuth"
VAR_SUBJ[2]=$SUBJ
VAR_KEY[2]=consumer-endpoint
VAR_EXT[2]="\n[SAN]\nsubjectAltName=DNS:$MGMT4,DNS:$MGMT4\nextendedKeyUsage=serverAuth"
VAR_SUBJ[3]=$SUBJ
VAR_KEY[3]=apim-endpoint
VAR_EXT[3]="\n[SAN]\nsubjectAltName=DNS:$MGMT2,DNS:$MGMT2\nextendedKeyUsage=serverAuth"
VAR_SUBJ[4]=$SUBJ
VAR_KEY[4]=cm-endpoint
VAR_EXT[4]="\n[SAN]\nsubjectAltName=DNS:$MGMT,DNS:$MGMT\nextendedKeyUsage=serverAuth"
VAR_SUBJ[5]=$SUBJ
VAR_KEY[5]=portal-admin
VAR_EXT[5]="\n[SAN]\nsubjectAltName=DNS:$PORTAL_ADMIN,DNS:$PORTAL_ADMIN\nextendedKeyUsage=serverAuth"
VAR_SUBJ[6]=$SUBJ
VAR_KEY[6]=portal-web
VAR_EXT[6]="\n[SAN]\nsubjectAltName=DNS:$PORTALURL,DNS:$PORTALURL\nextendedKeyUsage=serverAuth"
VAR_SUBJ[7]=$SUBJ
VAR_KEY[7]=analytics-ac-endpoint
VAR_EXT[7]="\n[SAN]\nsubjectAltName=DNS:$ANALYTICSCLIENT,DNS:$ANALYTICSCLIENT\nextendedKeyUsage=serverAuth"
VAR_SUBJ[8]=$SUBJ
VAR_KEY[8]=analytics-ai-endpoint
VAR_EXT[8]="\n[SAN]\nsubjectAltName=DNS:$ANALYTICSINGESTION,DNS:$ANALYTICSINGESTION\nextendedKeyUsage=serverAuth"
# Client certificates (clientAuth only, no SAN): the CR's clientSubjectDN must match their subject
VAR_SUBJ[9]=$SUBJ
VAR_KEY[9]=portal-admin-client
VAR_EXT[9]="\n[SAN]\nkeyUsage=critical, digitalSignature, keyEncipherment\nextendedKeyUsage = clientAuth\nbasicConstraints=critical, CA:FALSE\nsubjectKeyIdentifier=hash\n"
VAR_SUBJ[10]=$SUBJ
VAR_KEY[10]=analytics-ingestion-client
VAR_EXT[10]="\n[SAN]\nkeyUsage=critical, digitalSignature, keyEncipherment\nextendedKeyUsage = clientAuth\nbasicConstraints=critical, CA:FALSE\nsubjectKeyIdentifier=hash\n"
VAR_SUBJ[11]=$SUBJ
VAR_KEY[11]=analytics-client-client
VAR_EXT[11]="\n[SAN]\nkeyUsage=critical, digitalSignature, keyEncipherment\nextendedKeyUsage = clientAuth\nbasicConstraints=critical, CA:FALSE\nsubjectKeyIdentifier=hash\n"
VAR_SUBJ[12]=$SUBJ
VAR_KEY[12]=gateway-client-client
VAR_EXT[12]="\n[SAN]\nkeyUsage=critical, digitalSignature, keyEncipherment\nextendedKeyUsage = clientAuth\nbasicConstraints=critical, CA:FALSE\nsubjectKeyIdentifier=hash\n"
VAR_SUBJ[13]=$SUBJ
VAR_KEY[13]=gwv6-endpoint
VAR_EXT[13]="\n[SAN]\nsubjectAltName=DNS:$GW,DNS:$GW\nextendedKeyUsage=serverAuth"
VAR_SUBJ[14]=$SUBJ
VAR_KEY[14]=gwv6-manager-endpoint
VAR_EXT[14]="\n[SAN]\nsubjectAltName=DNS:$GWMGR,DNS:$GWMGR\nextendedKeyUsage=serverAuth"
VAR_SUBJ[15]=$SUBJ
VAR_KEY[15]=gwv5-endpoint
VAR_EXT[15]="\n[SAN]\nsubjectAltName=DNS:$GW5,DNS:$GW5\nextendedKeyUsage=serverAuth"
VAR_SUBJ[16]=$SUBJ
VAR_KEY[16]=gwv5-manager-endpoint
VAR_EXT[16]="\n[SAN]\nsubjectAltName=DNS:$GWMGR5,DNS:$GWMGR5\nextendedKeyUsage=serverAuth"
# Variables for internal certificates for all subsystems (in-cluster service names as SANs)
VAR_SUBJ[17]=$SUBJ
VAR_KEY[17]=management-client
VAR_EXT[17]="\n[SAN]\nbasicConstraints=critical, CA:FALSE\nsubjectAltName=DNS:*.$NAMESPACE, DNS:*.$NAMESPACE.svc, DNS:*.management-client.$NAMESPACE.svc,DNS:management-client\nextendedKeyUsage=clientAuth"
VAR_SUBJ[18]=$SUBJ
VAR_KEY[18]=portal-client
VAR_EXT[18]="\n[SAN]\nbasicConstraints=critical, CA:FALSE\nsubjectAltName=DNS:*.$NAMESPACE, DNS:*.$NAMESPACE.svc, DNS:*.portal-client.$NAMESPACE.svc,DNS:portal-client\nextendedKeyUsage=clientAuth"
VAR_SUBJ[19]=$SUBJ
VAR_KEY[19]=analytics-client
VAR_EXT[19]="\n[SAN]\nbasicConstraints=critical, CA:FALSE\nsubjectAltName=DNS:*.$NAMESPACE, DNS:*.$NAMESPACE.svc, DNS:*.analytics-client.$NAMESPACE.svc,DNS:analytics-client\nextendedKeyUsage=clientAuth"
VAR_SUBJ[20]=$SUBJ
VAR_KEY[20]=management-server
VAR_EXT[20]="\n[SAN]\nbasicConstraints=critical, CA:FALSE\nsubjectAltName=DNS:*.$NAMESPACE, DNS:*.$NAMESPACE.svc, DNS:*.management-server.$NAMESPACE.svc,DNS:management-server\nextendedKeyUsage=serverAuth"
VAR_SUBJ[21]=$SUBJ
VAR_KEY[21]=portal-server
VAR_EXT[21]="\n[SAN]\nbasicConstraints=critical, CA:FALSE\nsubjectAltName=DNS:*.$NAMESPACE, DNS:*.$NAMESPACE.svc, DNS:*.portal-server.$NAMESPACE.svc,DNS:portal-server\nextendedKeyUsage=serverAuth"
VAR_SUBJ[22]=$SUBJ
VAR_KEY[22]=analytics-server
VAR_EXT[22]="\n[SAN]\nbasicConstraints=critical, CA:FALSE\nsubjectAltName=DNS:*.$NAMESPACE, DNS:*.$NAMESPACE.svc, DNS:*.analytics-server.$NAMESPACE.svc,DNS:analytics-server\nextendedKeyUsage=serverAuth"
VAR_SUBJ[23]=$SUBJ
VAR_KEY[23]=gateway-peering
VAR_EXT[23]="\n[SAN]\nkeyUsage=critical, digitalSignature, keyEncipherment\nextendedKeyUsage = clientAuth\nbasicConstraints=critical, CA:FALSE\nsubjectKeyIdentifier=hash\n"
VAR_SUBJ[24]=$SUBJ
VAR_KEY[24]=gateway-service
VAR_EXT[24]="\n[SAN]\nkeyUsage=critical, digitalSignature, keyEncipherment\nextendedKeyUsage = clientAuth\nbasicConstraints=critical, CA:FALSE\nsubjectKeyIdentifier=hash\n"
# Entries 25-32 carry a full subject in VAR_SUBJ and a separate secret name in VAR_NAME
VAR_SUBJ[25]=${SUBJ}management-${SITENAME}-postgres
VAR_KEY[25]=dbServerCertificate
VAR_NAME[25]=db-server-certificate
VAR_EXT[25]="\n[SAN]\nkeyUsage=critical,digitalSignature, keyEncipherment\nbasicConstraints=critical, CA:FALSE\nsubjectAltName=DNS:*.$NAMESPACE, DNS:*.$NAMESPACE.svc, DNS:*.management-$SITENAME-postgres.$NAMESPACE.svc,DNS:management-$SITENAME-postgres\nextendedKeyUsage=serverAuth"
VAR_SUBJ[26]=${SUBJ}postgres-pgbouncer
VAR_KEY[26]=pgBouncerServerCertificate
VAR_NAME[26]=pg-bouncer-server-certificate
VAR_EXT[26]="\n[SAN]\nkeyUsage=critical,digitalSignature, keyEncipherment\nbasicConstraints=critical, CA:FALSE\nsubjectAltName=DNS:*.$NAMESPACE, DNS:*.$NAMESPACE.svc, DNS:*.postgres-pgbouncer.$NAMESPACE.svc,DNS:management-$SITENAME-postgres-pgbouncer, DNS:postgres-pgbouncer\nextendedKeyUsage=serverAuth"
VAR_SUBJ[27]=${SUBJ}pgo.tls
VAR_KEY[27]=PGOTLSCertificate
VAR_NAME[27]=pgo.tls
VAR_EXT[27]="\n[SAN]\nbasicConstraints=critical, CA:FALSE\nkeyUsage=critical,digitalSignature, keyEncipherment\nsubjectAltName=DNS:*.$NAMESPACE, DNS:*.$NAMESPACE.svc, DNS:*.postgres-operator.$NAMESPACE.svc,DNS:postgres-operator\nextendedKeyUsage=serverAuth"
VAR_SUBJ[28]=${SUBJ}management-natscluster-mgmt
VAR_KEY[28]=NATSTLSCertificate
VAR_NAME[28]=management-natscluster-mgmt
# NATS needs both usages in one extendedKeyUsage line; a repeated key in an openssl
# config section is overwritten by the later value, so two lines would leave only clientAuth
VAR_EXT[28]="\n[SAN]\nbasicConstraints=critical, CA:FALSE\nkeyUsage=critical,digitalSignature, keyEncipherment\nsubjectAltName=DNS:*.$NAMESPACE, DNS:*.$NAMESPACE.svc, DNS:*.management-natscluster-mgmt.$NAMESPACE.svc,DNS:management-natscluster-mgmt\nextendedKeyUsage=serverAuth,clientAuth"
VAR_SUBJ[29]=${SUBJ}postgres
VAR_KEY[29]=dbClientPostgres
VAR_NAME[29]=db-client-postgres
VAR_EXT[29]="\n[SAN]\nbasicConstraints=critical, CA:FALSE\nkeyUsage=critical,digitalSignature, keyEncipherment\nsubjectAltName=DNS:*.$NAMESPACE, DNS:*.$NAMESPACE.svc, DNS:postgres.$NAMESPACE.svc,DNS:postgres\nextendedKeyUsage=clientAuth"
VAR_SUBJ[30]=${SUBJ}pgbouncer
VAR_KEY[30]=dbClientPgbouncer
VAR_NAME[30]=db-client-pgbouncer
VAR_EXT[30]="\n[SAN]\nbasicConstraints=critical, CA:FALSE\nkeyUsage=critical,digitalSignature, keyEncipherment\nsubjectAltName=DNS:*.$NAMESPACE, DNS:*.$NAMESPACE.svc, DNS:*.pgbouncer.$NAMESPACE.svc,DNS:pgbouncer\nextendedKeyUsage=clientAuth"
VAR_SUBJ[31]=${SUBJ}replicator
VAR_KEY[31]=dbClientReplicator
VAR_NAME[31]=db-client-replicator
VAR_EXT[31]="\n[SAN]\nbasicConstraints=critical, CA:FALSE\nkeyUsage=critical,digitalSignature, keyEncipherment\nsubjectAltName=DNS:*.$NAMESPACE, DNS:*.$NAMESPACE.svc, DNS:replicator.$NAMESPACE.svc,DNS:replicator\nextendedKeyUsage=clientAuth"
VAR_SUBJ[32]=${SUBJ}apicuser
VAR_KEY[32]=dbClientApicuser
VAR_NAME[32]=db-client-apicuser
VAR_EXT[32]="\n[SAN]\nbasicConstraints=critical, CA:FALSE\nkeyUsage=critical,digitalSignature, keyEncipherment\nsubjectAltName=DNS:*.$NAMESPACE, DNS:*.$NAMESPACE.svc, DNS:apicuser.$NAMESPACE.svc,DNS:apicuser\nextendedKeyUsage=clientAuth"
# main: entries 1-24. For each one: key, CSR, CA-signed cert with the SAN section
# from VAR_EXT appended to the system openssl.cnf, then a kubernetes.io/tls secret
# (ca.crt, tls.crt, tls.key) named after VAR_KEY
i=1
while [[ $i -le 24 ]]; do
  echo "-- ${VAR_SUBJ[$i]} --"
  echo "-- ${VAR_KEY[$i]} --"
  echo "-- ${VAR_EXT[$i]} --"
  openssl genrsa -out ${VAR_KEY[$i]}.key 2048 || exit 1
  openssl req -new -sha256 -key ${VAR_KEY[$i]}.key -subj "${VAR_SUBJ[$i]}${VAR_KEY[$i]}" -out ${VAR_KEY[$i]}.csr || exit 1
  openssl x509 -req -in ${VAR_KEY[$i]}.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out ${VAR_KEY[$i]}.crt -days 500 -sha256 -extfile <(cat /etc/ssl/openssl.cnf <(printf "${VAR_EXT[$i]}")) -extensions SAN || exit 1
  cat >ksec.yaml <<EOF
apiVersion: v1
data:
  ca.crt: $(base64 ca.crt | tr -d '\n' )
  tls.crt: $(base64 ${VAR_KEY[$i]}.crt | tr -d '\n' )
  tls.key: $(base64 ${VAR_KEY[$i]}.key | tr -d '\n' )
kind: Secret
metadata:
  name: ${VAR_KEY[$i]}
type: kubernetes.io/tls
EOF
  oc apply -f ksec.yaml || exit 1
  let i+=1
done
# entries 25-32: same flow, but the subject is VAR_SUBJ as-is and the secret is named after VAR_NAME
i=25
while [[ $i -le 32 ]]; do
  echo "-- ${VAR_SUBJ[$i]} --"
  echo "-- ${VAR_KEY[$i]} --"
  echo "-- ${VAR_NAME[$i]} --"
  echo "-- ${VAR_EXT[$i]} --"
  openssl genrsa -out ${VAR_KEY[$i]}.key 2048 || exit 1
  openssl req -new -sha256 -key ${VAR_KEY[$i]}.key -subj "${VAR_SUBJ[$i]}" -out ${VAR_KEY[$i]}.csr || exit 1
  openssl x509 -req -in ${VAR_KEY[$i]}.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out ${VAR_KEY[$i]}.crt -days 500 -sha256 -extfile <(cat /etc/ssl/openssl.cnf <(printf "${VAR_EXT[$i]}")) -extensions SAN || exit 1
  cat >ksec1.yaml <<EOF
apiVersion: v1
data:
  ca.crt: $(base64 ca.crt | tr -d '\n' )
  tls.crt: $(base64 ${VAR_KEY[$i]}.crt | tr -d '\n' )
  tls.key: $(base64 ${VAR_KEY[$i]}.key | tr -d '\n' )
kind: Secret
metadata:
  name: ${VAR_NAME[$i]}
type: kubernetes.io/tls
EOF
  oc apply -f ksec1.yaml || exit 1
  let i+=1
done
# Install a secret for the gateway admin user.
# The value below was produced with echo, so the decoded password carries a trailing newline;
# use printf '%s' when you replace it with your own.
cat >admin.yaml <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: admin-secret
data:
  password: YWRtaW4yMDIwCg==
type: Opaque
EOF
oc apply -f admin.yaml
# Build the subsystem custom resources (applied separately, see below)
cat >mgmt.yaml <<EOF
apiVersion: management.apiconnect.ibm.com/v1beta1
kind: ManagementCluster
metadata:
  name: management
  labels:
    app.kubernetes.io/instance: management
    app.kubernetes.io/managed-by: ibm-apiconnect
    app.kubernetes.io/name: management
  namespace: $NAMESPACE
spec:
  license:
    accept: true
    use: nonproduction
  databaseVolumeClaimTemplate:
    storageClassName: ibmc-block-gold
  gateway:
    client:
      secretName: gateway-client-client
  analytics:
    client:
      secretName: analytics-client-client
    ingestion:
      secretName: analytics-ingestion-client
  apiManagerEndpoint:
    hosts:
    - name: $MGMT2
      secretName: apim-endpoint
  profile: n1xc4.m16
  portal:
    admin:
      secretName: portal-admin-client
  cloudManagerEndpoint:
    hosts:
    - name: $MGMT
      secretName: cm-endpoint
  microServiceSecurity: custom
  customCertificates:
  - name: caCertificate
    secretName: ingress-ca
  - name: clientCertificate
    secretName: management-client
  - name: serverCertificate
    secretName: management-server
  - name: dbServerCertificate
    secretName: db-server-certificate
  - name: pgBouncerServerCertificate
    secretName: pg-bouncer-server-certificate
  - name: PGOTLSCertificate
    secretName: pgo.tls
  - name: NATSTLSCertificate
    secretName: management-natscluster-mgmt
  - name: dbClientPostgres
    secretName: db-client-postgres
  - name: dbClientReplicator
    secretName: db-client-replicator
  - name: dbClientPgbouncer
    secretName: db-client-pgbouncer
  - name: dbClientApicuser
    secretName: db-client-apicuser
  version: 10.0.1.1-eus
  siteName: $SITENAME
  consumerAPIEndpoint:
    hosts:
    - name: $MGMT4
      secretName: consumer-endpoint
  platformAPIEndpoint:
    hosts:
    - name: $MGMT3
      secretName: api-endpoint
  billing:
    enabled: true
EOF
cat >analytics.yaml <<EOF
apiVersion: analytics.apiconnect.ibm.com/v1beta1
kind: AnalyticsCluster
metadata:
  name: analytics
  labels:
    app.kubernetes.io/instance: analytics
    app.kubernetes.io/managed-by: ibm-apiconnect
    app.kubernetes.io/name: analytics
  namespace: $NAMESPACE
spec:
  license:
    accept: true
    use: nonproduction
  ingestion:
    clientSubjectDN: 'CN=analytics-ingestion-client,O=cert-manager'
    endpoint:
      hosts:
      - name: $ANALYTICSINGESTION
        secretName: analytics-ai-endpoint
  profile: n1xc2.m16
  client:
    clientSubjectDN: 'CN=analytics-client-client,O=cert-manager'
    endpoint:
      hosts:
      - name: $ANALYTICSCLIENT
        secretName: analytics-ac-endpoint
  microServiceSecurity: custom
  customCertificates:
  - name: caCertificate
    secretName: ingress-ca
  - name: clientCertificate
    secretName: analytics-client
  - name: serverCertificate
    secretName: analytics-server
  version: 10.0.1.1-eus
  storage:
    data:
      volumeClaimTemplate:
        storageClassName: ibmc-block-gold
        volumeSize: 200Gi
    master:
      volumeClaimTemplate:
        storageClassName: ibmc-block-gold
        volumeSize: 10Gi
EOF
cat >gw.yaml <<EOF
apiVersion: gateway.apiconnect.ibm.com/v1beta1
kind: GatewayCluster
metadata:
  name: gateway
  labels:
    app.kubernetes.io/instance: gateway
    app.kubernetes.io/managed-by: ibm-apiconnect
    app.kubernetes.io/name: gateway
  namespace: $NAMESPACE
spec:
  license:
    accept: true
    use: nonproduction
  apicGatewayServiceTLS:
    secretName: gateway-service
  profile: n1xc4.m8
  apicGatewayPeeringTLS:
    secretName: gateway-peering
  version: 10.0.1.1-eus
  openTracing:
    enabled: false
    imageAgent: >-
      cp.icr.io/cp/icp4i/od/icp4i-od-agent@sha256:18bf9e7ab3c6818865488c919d9d26de74186223db0318c8e118184a08ef9956
    imageCollector: >-
      cp.icr.io/cp/icp4i/od/icp4i-od-collector@sha256:1eceef4bbd0f963b04ff57fbf8b24f497217ae8579ad3b58f833dce3c72eaab2
    odTracingDataHostname: od-store-od.tracing.svc
    odTracingRegistrationHostname: icp4i-od.tracing.svc
  syslogConfig:
    enabled: false
    remoteHost: gateway.example.com
    remotePort: 200
    secretName: mySecretName
  tokenManagementService:
    enabled: true
    storage:
      storageClassName: ibmc-block-gold
      volumeSize: 30Gi
  gatewayEndpoint:
    hosts:
    - name: $GW
      secretName: gwv6-endpoint
  apicGatewayServiceV5CompatibilityMode: false
  adminUser:
    secretName: admin-secret
  datapowerLogLevel: 4
  gatewayManagerEndpoint:
    hosts:
    - name: $GWMGR
      secretName: gwv6-manager-endpoint
EOF
cat >portal.yaml <<EOF
apiVersion: portal.apiconnect.ibm.com/v1beta1
kind: PortalCluster
metadata:
  name: portal
  labels:
    app.kubernetes.io/instance: portal
    app.kubernetes.io/managed-by: ibm-apiconnect
    app.kubernetes.io/name: portal
  namespace: $NAMESPACE
spec:
  license:
    accept: true
    use: nonproduction
  databaseVolumeClaimTemplate:
    storageClassName: ibmc-block-gold
    volumeSize: 300Gi
  webVolumeClaimTemplate:
    storageClassName: ibmc-block-gold
    volumeSize: 200Gi
  profile: n1xc2.m8
  adminVolumeClaimTemplate:
    storageClassName: ibmc-block-gold
    volumeSize: 20Gi
  microServiceSecurity: custom
  customCertificates:
  - name: caCertificate
    secretName: ingress-ca
  - name: clientCertificate
    secretName: portal-client
  - name: serverCertificate
    secretName: portal-server
  databaseLogsVolumeClaimTemplate:
    storageClassName: ibmc-block-gold
    volumeSize: 12Gi
  portalUIEndpoint:
    hosts:
    - name: $PORTALURL
      secretName: portal-web
  version: 10.0.1.1-eus
  portalAdminEndpoint:
    hosts:
    - name: $PORTAL_ADMIN
      secretName: portal-admin
  backupVolumeClaimTemplate:
    storageClassName: ibmc-block-gold
    volumeSize: 300Gi
  adminClientSubjectDN: 'CN=portal-admin-client,O=cert-manager'
EOF
Install subsystems
Before installing the subsystems, please make sure you have an entitlement key to pull the images in your project, as well as the APIC and DataPower operator deployed.
Now that you have created the certificates and secrets and generated the yaml for the subsystems, you can apply them to your cluster to get APIC up and running. Issue the following command once per subsystem file (mgmt.yaml, gw.yaml, portal.yaml, analytics.yaml); they are in the same directory you ran the script in.
oc apply -f mgmt.yaml
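One way to do the "verify the secrets" step from the notes above, as an added check that is not part of the original script: verify_tls_secret pulls a kubernetes.io/tls secret back out of the current project and confirms that its tls.crt chains to its ca.crt, is unexpired, carries the CR's hostname as a DNS SAN and shows the expected extended key usage. The throwaway CA and leaf from make_sample_material are constructed for the offline demo (hostname dev-api.example.test is made up); openssl, and for the live check oc, are assumed to be on PATH.

```shell
#!/bin/bash
# Added example, not part of the original script: sanity-check the
# kubernetes.io/tls secrets the script applied. Assumes openssl (and oc) on PATH.

# Pass only if leaf $2 chains to CA $1, is unexpired, lists $3 as a DNS SAN
# and (when $4 is given) shows that extended key usage in its text dump.
verify_tls_material() {
  ca=$1; crt=$2; host=$3; eku=${4:-}
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "chain: FAIL ($crt does not chain to $ca)"; return 1; }
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null \
    || { echo "expiry: FAIL ($crt is expired)"; return 1; }
  text=$(openssl x509 -in "$crt" -noout -text)
  # SAN entries print as "DNS:a, DNS:b"; add a trailing comma so that
  # "DNS:a," cannot match a longer name such as DNS:a.b
  printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | sed 's/$/,/' \
    | grep -qF "DNS:$host," || { echo "san: FAIL ($host not in SAN)"; return 1; }
  if [ -n "$eku" ]; then
    printf '%s\n' "$text" | grep -A1 'Extended Key Usage' | grep -qF "$eku" \
      || { echo "eku: FAIL (expected $eku)"; return 1; }
  fi
  echo "ok: $crt covers $host"
}

# Live check: decode ca.crt and tls.crt out of secret $1 in the current oc
# project and test them against host $2, e.g. after running the script:
#   verify_tls_secret api-endpoint "$MGMT3" "TLS Web Server Authentication"
verify_tls_secret() {
  name=$1; host=$2; eku=${3:-}
  dir=$(mktemp -d)
  oc get secret "$name" -o jsonpath='{.data.ca\.crt}'  | base64 -d > "$dir/ca.crt"
  oc get secret "$name" -o jsonpath='{.data.tls\.crt}' | base64 -d > "$dir/tls.crt"
  verify_tls_material "$dir/ca.crt" "$dir/tls.crt" "$host" "$eku" && rc=0 || rc=$?
  rm -rf "$dir"
  return $rc
}

# Constructed sample for an offline run: a throwaway CA plus a leaf issued
# the same way the script does it (SAN section supplied through -extfile).
make_sample_material() {
  dir=$1
  openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 2 -keyout "$dir/ca.key" \
    -out "$dir/ca.crt" -subj "/O=APIC/CN=sample-ca" 2>/dev/null
  openssl genrsa -out "$dir/leaf.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$dir/leaf.key" -subj "/O=cert-manager/CN=api-endpoint" \
    -out "$dir/leaf.csr" 2>/dev/null
  printf '[SAN]\nsubjectAltName=DNS:dev-api.example.test\nextendedKeyUsage=serverAuth\n' \
    > "$dir/ext.cnf"
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$dir/ext.cnf" -extensions SAN \
    -out "$dir/leaf.crt" 2>/dev/null
}

# Offline demo: "ok" for the covered host, then a SAN failure for one the leaf does not cover
sample=$(mktemp -d)
make_sample_material "$sample"
verify_tls_material "$sample/ca.crt" "$sample/leaf.crt" dev-api.example.test "TLS Web Server Authentication"
verify_tls_material "$sample/ca.crt" "$sample/leaf.crt" dev-portal.example.test
rm -rf "$sample"
```

The same SAN check catches the mismatch that the stock gateway CR would have produced had the endpoint host variable not matched the one used when the gwv6-endpoint certificate was issued.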