API Connect

Create APIConnect internal and external certs - TOOLING

By Mark Parzygnat posted Wed February 24, 2021 09:54 AM

  

Want to create your own certs and secrets for API Connect?

Feel free to use this..... I do :)

This is a TEST tool, provided to help you quickly and easily generate all the certs that are required for API Connect. 

There are a number of scenarios where customers might want to generate their own certificates and use that in a deployment of API Connect. Before doing this, you will want to test the scenario. This blog will provide you a tool that will generate the certificates, build .yaml files and deploy  the secrets to your environment. It will also create a set of custom resources for each subsystem type within API Connect.

A couple of notes:

  • This is not an officially supported tool, I think I mentioned it is a test tool ;-)
  • This will generate all certs, including external endpoints as well as internal APIC communications. Find more information here: [Certificate reference](https://www.ibm.com/support/knowledgecenter/SSMNED_2018/com.ibm.apic.install.doc/rapic_apicup_certs_reference.html)
  • This is meant to be used for development and test purposes
  • Verify the secrets that are applied are accurate to your yaml files
  • Code is free to use and can be altered as you need
  • For more information on Governance and other great material on APIC check out Chris Phillips blog information here.
  • Also special thanks to Chris Phillips, Jeff Imholz and Barry Mosakowski on pulling all this together. 

Instructions to run:

This will also apply the secrets to the project space you are currently logged into.

To use this,

  • Copy and paste the code below in a file. I called the script APIC_Crypto_all.sh to your local machine.
  • Run the following command to add "executable" to the script
chmod +x APIC_Crypto_all.sh

  • Login to your OCP cluster via the command line. To do this :
    • Go to your Openshift Console.
    • In the upper right hand corner click "IAM XXXX".
    • Then click copy login command.
    • This will bring up a new tab on your browser with "display token" Click this
    • Now copy the ocp command under Log in with this token. 
    • Then paste that into your CLI.
  • Switch to the project space you wish to install, or create a new space such as APIC (any or all of the subsystems)
    • To create a new project space named APIC run
      oc new-project APIC​
    • To switch project spaces you run
      oc project <whatever_project>
      ​

  • This script and the custom resources it defines assumes the default for the APIC subsystem names. (management, gateway, portal, analytics)
  • Edit the script for your SITENAME as well. In this scenario it is dev.
  • Edit the script for your defined block storage. In this scenario, it is ibmc_block_gold.
  • Run
./APIC_Crypto_all.sh

After completion you will have all the secrets applied in the project space needed. This includes the certs and secrets applied on your OCP cluster to run APIC subsystems. Make sure you run the apply at the very bottom.


The Script

#!/bin/bash
#parse project

oc project > one.txt

while read -ra line;
do
    for word in "${line[2]}";
    do
         echo "${word:1:${#word}-2}" > two.txt
    done;
done < one.txt

NS=`cat two.txt`
rm one.txt two.txt

#parse host

oc get routes -A > one.txt
sed '3q;d' one.txt > two.txt
while read -ra line;
do
    for word in "${line[2]}";
    do
         echo "${word#*.}" > three.txt
    done;
done < two.txt

HOST=`cat three.txt`
rm one.txt two.txt three.txt

#Subsystem urls
NAMESPACE=$NS
MGMT=${NAMESPACE}-admin.$HOST
MGMT2=${NAMESPACE}-manager.$HOST
MGMT3=${NAMESPACE}-api.$HOST
MGMT4=${NAMESPACE}-consumer.$HOST
ANALYTICSCLIENT=${NAMESPACE}-ac.$HOST
ANALYTICSINGESTION=${NAMESPACE}-ai.$HOST
PORTAL_ADMIN=${NAMESPACE}-api.portal.$HOST
PORTALURL=${NAMESPACE}-portal.$HOST
GW=${NAMESPACE}-gateway.$HOST
GWMGR=${NAMESPACE}-gateway-manager.$HOST
GW5=${NAMESPACE}-v5gateway.$HOST
GWMGR5=${NAMESPACE}-v5gateway-manager.$HOST
SITENAME=dev

oc project $NAMESPACE
SUBJ="/O=cert-manager/CN="
CA_SUBJ="/C=US/ST=US/L=US/O=APIC/OU=TechSales/CN=apic-ca
"
# Root Key

openssl genrsa -out ca.key 4096

# Root CA
openssl req -x509 -new -nodes -key ca.key -sha256 -days 1024 -out ca.crt -subj $CA_SUBJ

cat >ingress.yaml <<EOF
apiVersion: v1
data:
  ca.crt: $(base64   ca.crt | tr -d '\n' )
  tls.crt: $(base64  ca.crt | tr -d '\n' )
  tls.key: $(base64   ca.key | tr -d '\n' )
kind: Secret
metadata:
  name: ingress-ca
type: kubernetes.io/tls
EOF

oc apply -f ingress.yaml

# variables for external certificates by all apic subsystems
VAR_SUBJ[1]=$SUBJ
VAR_KEY[1]=api-endpoint
VAR_EXT[1]="\n[SAN]\nsubjectAltName=DNS:$MGMT3,DNS:$MGMT3\nextendedKeyUsage=serverAuth"
VAR_SUBJ[2]=$SUBJ
VAR_KEY[2]=consumer-endpoint
VAR_EXT[2]="\n[SAN]\nsubjectAltName=DNS:$MGMT4,DNS:$MGMT4\nextendedKeyUsage=serverAuth"
VAR_SUBJ[3]=$SUBJ
VAR_KEY[3]=apim-endpoint
VAR_EXT[3]="\n[SAN]\nsubjectAltName=DNS:$MGMT2,DNS:$MGMT2\nextendedKeyUsage=serverAuth"
VAR_SUBJ[4]=$SUBJ
VAR_KEY[4]=cm-endpoint
VAR_EXT[4]="\n[SAN]\nsubjectAltName=DNS:$MGMT,DNS:$MGMT\nextendedKeyUsage=serverAuth"
VAR_SUBJ[5]=$SUBJ
VAR_KEY[5]=portal-admin
VAR_EXT[5]="\n[SAN]\nsubjectAltName=DNS:$PORTAL_ADMIN,DNS:$PORTAL_ADMIN\nextendedKeyUsage=serverAuth"
VAR_SUBJ[6]=$SUBJ
VAR_KEY[6]=portal-web
VAR_EXT[6]="\n[SAN]\nsubjectAltName=DNS:$PORTALURL,DNS:$PORTALURL\nextendedKeyUsage=serverAuth"
VAR_SUBJ[7]=$SUBJ
VAR_KEY[7]=analytics-ac-endpoint
VAR_EXT[7]="\n[SAN]\nsubjectAltName=DNS:$ANALYTICSCLIENT,DNS:$ANALYTICSCLIENT\nextendedKeyUsage=serverAuth"
VAR_SUBJ[8]=$SUBJ
VAR_KEY[8]=analytics-ai-endpoint
VAR_EXT[8]="\n[SAN]\nsubjectAltName=DNS:$ANALYTICSINGESTION,DNS:$ANALYTICSINGESTION\nextendedKeyUsage=serverAuth"
VAR_SUBJ[9]=$SUBJ
VAR_KEY[9]=portal-admin-client
VAR_EXT[9]="\n[SAN]\nkeyUsage=critical, digitalSignature, keyEncipherment\nextendedKeyUsage = clientAuth\nbasicConstraints=critical, CA:FALSE\nsubjectKeyIdentifier=hash\n"
VAR_SUBJ[10]=$SUBJ
VAR_KEY[10]=analytics-ingestion-client
VAR_EXT[10]="\n[SAN]\nkeyUsage=critical, digitalSignature, keyEncipherment\nextendedKeyUsage = clientAuth\nbasicConstraints=critical, CA:FALSE\nsubjectKeyIdentifier=hash\n"
VAR_SUBJ[11]=$SUBJ
VAR_KEY[11]=analytics-client-client
VAR_EXT[11]="\n[SAN]\nkeyUsage=critical, digitalSignature, keyEncipherment\nextendedKeyUsage = clientAuth\nbasicConstraints=critical, CA:FALSE\nsubjectKeyIdentifier=hash\n"
VAR_SUBJ[12]=$SUBJ
VAR_KEY[12]=gateway-client-client
VAR_EXT[12]="\n[SAN]\nkeyUsage=critical, digitalSignature, keyEncipherment\nextendedKeyUsage = clientAuth\nbasicConstraints=critical, CA:FALSE\nsubjectKeyIdentifier=hash\n"
VAR_SUBJ[13]=$SUBJ
VAR_KEY[13]=gwv6-endpoint
VAR_EXT[13]="\n[SAN]\nsubjectAltName=DNS:$GW,DNS:$GW\nextendedKeyUsage=serverAuth"
VAR_SUBJ[14]=$SUBJ
VAR_KEY[14]=gwv6-manager-endpoint
VAR_EXT[14]="\n[SAN]\nsubjectAltName=DNS:$GWMGR,DNS:$GWMGR\nextendedKeyUsage=serverAuth"
VAR_SUBJ[15]=$SUBJ
VAR_KEY[15]=gwv5-endpoint
VAR_EXT[15]="\n[SAN]\nsubjectAltName=DNS:$GW5,DNS:$GW5\nextendedKeyUsage=serverAuth"
VAR_SUBJ[16]=$SUBJ
VAR_KEY[16]=gwv5-manager-endpoint
VAR_EXT[16]="\n[SAN]\nsubjectAltName=DNS:$GWMGR5,DNS:$GWMGR5\nextendedKeyUsage=serverAuth"

# variables for Internal certificates for all subsystems

VAR_SUBJ[17]=$SUBJ
VAR_KEY[17]=management-client
VAR_EXT[17]="\n[SAN]\nbasicConstraints=critical, CA:FALSE\nsubjectAltName=DNS:*.$NAMESPACE, DNS:*.$NAMESPACE.svc, DNS:*.management-client.$NAMESPACE.svc,DNS:management-client\nextendedKeyUsage=clientAuth"
VAR_SUBJ[18]=$SUBJ
VAR_KEY[18]=portal-client
VAR_EXT[18]="\n[SAN]\nbasicConstraints=critical, CA:FALSE\nsubjectAltName=DNS:*.$NAMESPACE, DNS:*.$NAMESPACE.svc, DNS:*.portal-client.$NAMESPACE.svc,DNS:portal-client\nextendedKeyUsage=clientAuth"
VAR_SUBJ[19]=$SUBJ
VAR_KEY[19]=analytics-client
VAR_EXT[19]="\n[SAN]\nbasicConstraints=critical, CA:FALSE\nsubjectAltName=DNS:*.$NAMESPACE, DNS:*.$NAMESPACE.svc, DNS:*.analytics-client.$NAMESPACE.svc,DNS:analytics-client\nextendedKeyUsage=clientAuth"
VAR_SUBJ[20]=$SUBJ
VAR_KEY[20]=management-server
VAR_EXT[20]="\n[SAN]\nbasicConstraints=critical, CA:FALSE\nsubjectAltName=DNS:*.$NAMESPACE, DNS:*.$NAMESPACE.svc, DNS:*.management-server.$NAMESPACE.svc,DNS:management-server\nextendedKeyUsage=serverAuth"
VAR_SUBJ[21]=$SUBJ
VAR_KEY[21]=portal-server
VAR_EXT[21]="\n[SAN]\nbasicConstraints=critical, CA:FALSE\nsubjectAltName=DNS:*.$NAMESPACE, DNS:*.$NAMESPACE.svc, DNS:*.portal-server.$NAMESPACE.svc,DNS:portal-server\nextendedKeyUsage=serverAuth"
VAR_SUBJ[22]=$SUBJ
VAR_KEY[22]=analytics-server
VAR_EXT[22]="\n[SAN]\nbasicConstraints=critical, CA:FALSE\nsubjectAltName=DNS:*.$NAMESPACE, DNS:*.$NAMESPACE.svc, DNS:*.analytics-server.$NAMESPACE.svc,DNS:analytics-server\nextendedKeyUsage=serverAuth"
VAR_SUBJ[23]=$SUBJ
VAR_KEY[23]=gateway-peering
VAR_EXT[23]="\n[SAN]\nkeyUsage=critical, digitalSignature, keyEncipherment\nextendedKeyUsage = clientAuth\nbasicConstraints=critical, CA:FALSE\nsubjectKeyIdentifier=hash\n"
VAR_SUBJ[24]=$SUBJ
VAR_KEY[24]=gateway-service
VAR_EXT[24]="\n[SAN]\nkeyUsage=critical, digitalSignature, keyEncipherment\nextendedKeyUsage = clientAuth\nbasicConstraints=critical, CA:FALSE\nsubjectKeyIdentifier=hash\n"
VAR_SUBJ[25]=${SUBJ}management-${SITENAME}-postgres
VAR_KEY[25]=dbServerCertificate
VAR_NAME[25]=db-server-certificate
VAR_EXT[25]="\n[SAN]\nkeyUsage=critical,digitalSignature, keyEncipherment\nbasicConstraints=critical, CA:FALSE\nsubjectAltName=DNS:*.$NAMESPACE, DNS:*.$NAMESPACE.svc, DNS:*.management-$SITENAME-postgres.$NAMESPACE.svc,DNS:management-$SITENAME-postgres\nextendedKeyUsage=serverAuth"
VAR_SUBJ[26]=${SUBJ}postgres-pgbouncer
VAR_KEY[26]=pgBouncerServerCertificate
VAR_NAME[26]=pg-bouncer-server-certificate
VAR_EXT[26]="\n[SAN]\nkeyUsage=critical,digitalSignature, keyEncipherment\nbasicConstraints=critical, CA:FALSE\nsubjectAltName=DNS:*.$NAMESPACE, DNS:*.$NAMESPACE.svc, DNS:*.postgres-pgbouncer.$NAMESPACE.svc,DNS:management-$SITENAME-postgres-pgbouncer, DNS:postgres-pgbouncer\nextendedKeyUsage=serverAuth"
VAR_SUBJ[27]=${SUBJ}pgo.tls
VAR_KEY[27]=PGOTLSCertificate
VAR_NAME[27]=pgo.tls
VAR_EXT[27]="\n[SAN]\nbasicConstraints=critical, CA:FALSE\nkeyUsage=critical,digitalSignature, keyEncipherment\nsubjectAltName=DNS:*.$NAMESPACE, DNS:*.$NAMESPACE.svc, DNS:*.postgres-operator.$NAMESPACE.svc,DNS:postgres-operator\nextendedKeyUsage=serverAuth"
VAR_SUBJ[28]=${SUBJ}management-natscluster-mgmt
VAR_KEY[28]=NATSTLSCertificate
VAR_NAME[28]=management-natscluster-mgmt
VAR_EXT[28]="\n[SAN]\nbasicConstraints=critical, CA:FALSE\nkeyUsage=critical,digitalSignature, keyEncipherment\nsubjectAltName=DNS:*.$NAMESPACE, DNS:*.$NAMESPACE.svc, DNS:*.management-natscluster-mgmt.$NAMESPACE.svc,DNS:management-natscluster-mgmt\nextendedKeyUsage=serverAuth\nextendedKeyUsage=clientAuth"
VAR_SUBJ[29]=${SUBJ}postgres
VAR_KEY[29]=dbClientPostgres
VAR_NAME[29]=db-client-postgres
VAR_EXT[29]="\n[SAN]\nbasicConstraints=critical, CA:FALSE\nkeyUsage=critical,digitalSignature, keyEncipherment\nsubjectAltName=DNS:*.$NAMESPACE, DNS:*.$NAMESPACE.svc, DNS:postgres.$NAMESPACE.svc,DNS:postgres\nextendedKeyUsage=clientAuth"
VAR_SUBJ[30]=${SUBJ}pgbouncer
VAR_KEY[30]=dbClientPgbouncer
VAR_NAME[30]=db-client-pgbouncer
VAR_EXT[30]="\n[SAN]\nbasicConstraints=critical, CA:FALSE\nkeyUsage=critical,digitalSignature, keyEncipherment\nsubjectAltName=DNS:*.$NAMESPACE, DNS:*.$NAMESPACE.svc, DNS:*.pgbouncer.$NAMESPACE.svc,DNS:pgbouncer\nextendedKeyUsage=clientAuth"
VAR_SUBJ[31]=${SUBJ}replicator
VAR_KEY[31]=dbClientReplicator
VAR_NAME[31]=db-client-replicator
VAR_EXT[31]="\n[SAN]\nbasicConstraints=critical, CA:FALSE\nkeyUsage=critical,digitalSignature, keyEncipherment\nsubjectAltName=DNS:*.$NAMESPACE, DNS:*.$NAMESPACE.svc, DNS:replicator.$NAMESPACE.svc,DNS:replicator\nextendedKeyUsage=clientAuth"
VAR_SUBJ[32]=${SUBJ}apicuser
VAR_KEY[32]=dbClientApicuser
VAR_NAME[32]=db-client-apicuser
VAR_EXT[32]="\n[SAN]\nbasicConstraints=critical, CA:FALSE\nkeyUsage=critical,digitalSignature, keyEncipherment\nsubjectAltName=DNS:*.$NAMESPACE, DNS:*.$NAMESPACE.svc, DNS:apicuser.$NAMESPACE.svc,DNS:apicuser\nextendedKeyUsage=clientAuth"

# main
i=1
while [[ $i -le 24 ]]; do
  echo --  ${VAR_SUBJ[$i]} --
  echo --  ${VAR_KEY[$i]} --
  echo --  ${VAR_EXT[$i]} --
  openssl genrsa -out ${VAR_KEY[$i]}.key 2048
  if [ $? != 0 ] ; then exit 1 ; fi
  openssl req -new -sha256 -key ${VAR_KEY[$i]}.key -subj "${VAR_SUBJ[$i]}${VAR_KEY[$i]}" -out ${VAR_KEY[$i]}.csr
  cat /etc/ssl/openssl.cnf > tmp.cnf
  echo ${VAR_EXT[$i]} >> tmp.cnf
  echo ${VAR_EXT[$i]} > tmp2.cnf
  if [ $? != 0 ] ; then exit 1 ; fi
  openssl x509 -req -in ${VAR_KEY[$i]}.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out ${VAR_KEY[$i]}.crt -days 500 -sha256 -extfile <(cat /etc/ssl/openssl.cnf <(printf "${VAR_EXT[$i]}")) -extensions SAN

cat >ksec.yaml <<EOF
apiVersion: v1
data:
  ca.crt: $(base64   ca.crt | tr -d '\n' )
  tls.crt: $(base64  ${VAR_KEY[$i]}.crt | tr -d '\n' )
  tls.key: $(base64   ${VAR_KEY[$i]}.key | tr -d '\n' )
kind: Secret
metadata:
  name:  ${VAR_KEY[$i]}
type: kubernetes.io/tls
EOF
  if [ $? != 0 ] ; then exit 1 ; fi
  oc apply -f ksec.yaml
  if [ $? != 0 ] ; then exit 1 ; fi
  let i+=1
done


i=25

while [[ $i -le 32 ]]; do
  echo --  ${VAR_SUBJ[$i]} --
  echo --  ${VAR_KEY[$i]} --
  echo --  ${VAR_NAME[$i]} --
  echo --  ${VAR_EXT[$i]} --
  openssl genrsa -out ${VAR_KEY[$i]}.key 2048
  if [ $? != 0 ] ; then exit 1 ; fi
  openssl req -new -sha256 -key ${VAR_KEY[$i]}.key -subj "${VAR_SUBJ[$i]}" -out ${VAR_KEY[$i]}.csr
  cat /etc/ssl/openssl.cnf > tmp.cnf
  echo ${VAR_EXT[$i]} >> tmp.cnf
  echo ${VAR_EXT[$i]} > tmp2.cnf
  if [ $? != 0 ] ; then exit 1 ; fi
  openssl x509 -req -in ${VAR_KEY[$i]}.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out ${VAR_KEY[$i]}.crt -days 500 -sha256 -extfile <(cat /etc/ssl/openssl.cnf <(printf "${VAR_EXT[$i]}")) -extensions SAN
cat >ksec1.yaml <<EOF
apiVersion: v1
data:
  ca.crt: $(base64   ca.crt | tr -d '\n' )
  tls.crt: $(base64  ${VAR_KEY[$i]}.crt | tr -d '\n' )
  tls.key: $(base64   ${VAR_KEY[$i]}.key | tr -d '\n' )
kind: Secret
metadata:
  name:  ${VAR_NAME[$i]}
type: kubernetes.io/tls
EOF
  if [ $? != 0 ] ; then exit 1 ; fi
  oc apply -f ksec1.yaml
  if [ $? != 0 ] ; then exit 1 ; fi
  let i+=1
done
rm *.cnf


# Install a secret for gateway admin
cat >admin.yaml <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: admin-secret
data:
  password: YWRtaW4yMDIwCg==
type: Opaque
EOF
oc apply -f admin.yaml


# Install the subsystems


cat >mgmt.yaml <<EOF
apiVersion: management.apiconnect.ibm.com/v1beta1
kind: ManagementCluster
metadata:
  name: management
  labels:
    app.kubernetes.io/instance: management
    app.kubernetes.io/managed-by: ibm-apiconnect
    app.kubernetes.io/name: management
  namespace: $NAMESPACE
spec:
  license:
    accept: true
    use: nonproduction
  databaseVolumeClaimTemplate:
    storageClassName: ibmc-block-gold
  gateway:
    client:
      secretName: gateway-client-client
  analytics:
    client:
      secretName: analytics-client-client
    ingestion:
      secretName: analytics-ingestion-client
  apiManagerEndpoint:
    hosts:
      - name: $MGMT2
        secretName: apim-endpoint
  profile: n1xc4.m16
  portal:
    admin:
      secretName: portal-admin-client
  cloudManagerEndpoint:
    hosts:
      - name: $MGMT
        secretName: cm-endpoint
  microServiceSecurity: custom
  customCertificates:
   - name: caCertificate
     secretName: ingress-ca
   - name: clientCertificate
     secretName: management-client
   - name: serverCertificate
     secretName: management-server
   - name: dbServerCertificate
     secretName: db-server-certificate
   - name: pgBouncerServerCertificate
     secretName: pg-bouncer-server-certificate
   - name: PGOTLSCertificate
     secretName: pgo.tls
   - name: NATSTLSCertificate
     secretName: management-natscluster-mgmt
   - name: dbClientPostgres
     secretName: db-client-postgres
   - name: dbClientReplicator
     secretName: db-client-replicator
   - name: dbClientPgbouncer
     secretName: db-client-pgbouncer
   - name: dbClientApicuser
     secretName: db-client-apicuser
  version: 10.0.1.1-eus
  siteName: $SITENAME
  consumerAPIEndpoint:
    hosts:
      - name: $MGMT4
        secretName: consumer-endpoint
  platformAPIEndpoint:
    hosts:
      - name: $MGMT3
        secretName: api-endpoint
  billing:
    enabled: true
EOF

cat >analytics.yaml <<EOF
apiVersion: analytics.apiconnect.ibm.com/v1beta1
kind: AnalyticsCluster
metadata:
  name: analytics
  labels:
    app.kubernetes.io/instance: analytics
    app.kubernetes.io/managed-by: ibm-apiconnect
    app.kubernetes.io/name: analytics
  namespace: $NAMESPACE
spec:
  license:
    accept: true
    use: nonproduction
  ingestion:
    clientSubjectDN: 'CN=analytics-ingestion-client,O=cert-manager'
    endpoint:
      hosts:
        - name: $ANALYTICSINGESTION
          secretName: analytics-ai-endpoint
  profile: n1xc2.m16
  client:
    clientSubjectDN: 'CN=analytics-client-client,O=cert-manager'
    endpoint:
      hosts:
        - name: $ANALYTICSCLIENT
          secretName: analytics-ac-endpoint
  microServiceSecurity: custom
  customCertificates:
   - name: caCertificate
     secretName: ingress-ca
   - name: clientCertificate
     secretName: analytics-client
   - name: serverCertificate
     secretName: analytics-server
  version: 10.0.1.1-eus
  storage:
    data:
      volumeClaimTemplate:
        storageClassName: ibmc-block-gold
        volumeSize: 200Gi
    master:
      volumeClaimTemplate:
        storageClassName: ibmc-block-gold
        volumeSize: 10Gi
EOF

cat >gw.yaml <<EOF
apiVersion: gateway.apiconnect.ibm.com/v1beta1
kind: GatewayCluster
metadata:
  name: gateway
  labels:
    app.kubernetes.io/instance: gateway
    app.kubernetes.io/managed-by: ibm-apiconnect
    app.kubernetes.io/name: gateway
  namespace: $NAMESPACE
spec:
  license:
    accept: true
    use: nonproduction
  apicGatewayServiceTLS:
    secretName: gateway-service
  profile: n1xc4.m8
  apicGatewayPeeringTLS:
    secretName: gateway-peering
  version: 10.0.1.1-eus
  openTracing:
    enabled: false
    imageAgent: >-
      cp.icr.io/cp/icp4i/od/icp4i-od-agent@sha256:18bf9e7ab3c6818865488c919d9d26de74186223db0318c8e118184a08ef9956
    imageCollector: >-
      cp.icr.io/cp/icp4i/od/icp4i-od-collector@sha256:1eceef4bbd0f963b04ff57fbf8b24f497217ae8579ad3b58f833dce3c72eaab2
    odTracingDataHostname: od-store-od.tracing.svc
    odTracingRegistrationHostname: icp4i-od.tracing.svc
  syslogConfig:
    enabled: false
    remoteHost: gateway.example.com
    remotePort: 200
    secretName: mySecretName
  tokenManagementService:
    enabled: true
    storage:
      storageClassName: ibmc-block-gold
      volumeSize: 30Gi
  gatewayEndpoint:
    hosts:
      - name: $GATEWAY
        secretName: gwv6-endpoint
  apicGatewayServiceV5CompatibilityMode: false
  adminUser:
    secretName: admin-secret
  datapowerLogLevel: 4
  gatewayManagerEndpoint:
    hosts:
      - name: $GWMGR
        secretName: gwv6-manager-endpoint
EOF

cat >portal.yaml <<EOF
apiVersion: portal.apiconnect.ibm.com/v1beta1
kind: PortalCluster
metadata:
  name: portal
  labels:
    app.kubernetes.io/instance: portal
    app.kubernetes.io/managed-by: ibm-apiconnect
    app.kubernetes.io/name: portal
  namespace: $NAMESPACE
spec:
  license:
    accept: true
    use: nonproduction
  databaseVolumeClaimTemplate:
    storageClassName: ibmc-block-gold
    volumeSize: 300Gi
  webVolumeClaimTemplate:
    storageClassName: ibmc-block-gold
    volumeSize: 200Gi
  profile: n1xc2.m8
  adminVolumeClaimTemplate:
    storageClassName: ibmc-block-gold
    volumeSize: 20Gi
  microServiceSecurity: custom
  customCertificates:
   - name: caCertificate
     secretName: ingress-ca
   - name: clientCertificate
     secretName: portal-client
   - name: serverCertificate
     secretName: portal-server
  databaseLogsVolumeClaimTemplate:
    storageClassName: ibmc-block-gold
    volumeSize: 12Gi
  portalUIEndpoint:
    hosts:
      - name: $PORTALURL
        secretName: portal-web
  version: 10.0.1.1-eus
  portalAdminEndpoint:
    hosts:
      - name: $PORTAL_ADMIN
        secretName: portal-admin
  backupVolumeClaimTemplate:
    storageClassName: ibmc-block-gold
    volumeSize: 300Gi
  adminClientSubjectDN: 'CN=portal-admin-client,O=cert-manager'
EOF

Install subsystems

Before installing the subsystems, please make sure you have an entitlement key to pull the images in your project, as well as the APIC and DataPower operator deployed.

Now that you have created the certificates, secrets, and generated yaml for the subsystems, you can apply them to your cluster to get APIC up and running. Issue the following commands by subsystem name. They should be in the same directly you ran the above script in. (mgmt.yaml, gw.yaml, portal.yaml, analytics.yaml)

oc apply -f mgmt.yaml


#MarkBarry

#Bringup
#Bringup

#APIConnect​​​​​
0 comments
24 views

Permalink