This post should guide you through the steps on how to deploy a datapower gateway to use as a remote gateway with API Connect Reserved instance, optionally configuring the inbound management traffic through IBM Cloud Satellite Connector.

Installing the Operators

To install the operators in your cluster, the steps are as described in the documentation on how to install the operators

Set up certificates

Again follow the steps for creating certificates in the documentation.

Deploy the Gateway Cluster

Deploying the gateway cluster into Openshift is just a case of creating the GatewayCluster CR - you can start from this template.

• Create a pull-secret with access to download the datapower images and reference it under imagePullSecrets. You can download the image to mirror to your registry from the 'Download Gateway' button in the reserved instance Config Manager.

• Create a secret containing the password for the datapower admin user and ensure it is referenced under adminUser - you can use the following command to create this:

  oc create secret generic admin-secret --from-literal=password={SET-PASSWORD-HERE!}

• Update imageRegistry to point to your image registry.

• Update the jwksUrl for your reserved instance, this needs to be the platform api endpoint for the reserved instance followed by /api/cloud/oauth2/certs - you can find the platform api endpoint url from the 'Download Clients' link in the API Manager interface.

• Select and configure the appropriate profile for your cluster.

• Create a secret with the CA the reserved instance endpoints are signed by - Let's Encrypt X2 Root CA (Download from the Let's Encrypt site) and ensure the secretName for mgmtPlatformEndpointCASecret points to this.

  curl https://letsencrypt.org/certs/isrg-root-x2.pem -o isrg-root-x2.pem oc create secret generic isrg-root-x2 --from-file=ca.crt=isrg-root-x2.pem

• [Optional] If you are routing the inbound traffic through IBM Cloud Satellite Connector, you will need to configure the hostname for the gatewayManagerEndpoint to match the private cloud endpoint hostname for your connector - typically c-01.private.{region}.link.satellite.cloud.ibm.com.

• Apply the gateway cluster yaml

• You can check the status of the cluster using oc get gatewaycluster. If you see any issues you can use oc describe gatewaycluster for more details.

Set up Satellite Connector [optional]

Optionally, deploy a satellite connector agent on the same cluster as the remote gateway

• Create a Satellite Connector
• Deploy the agent
• Create a Connector Endpoint for the gateway management interface docs. For the Gateway management endpoint you will need the following details:
  • Destination FQDN: {gateway-cluster-name}-datapower.{namespace}.svc e.g. api-gateway-datapower.apicri-gateway.svc
  • Destination Port: 3000
  • TCP

Register gateway with Reserved Instance

Create TLS Client Profile so that the manager can trust the CA that signs the certificate for the gateway management endpoint. This can be done through the RI Config manager under TLS.

• Create a Trust Store containing the CA Certificate which can be obtained by copying out the ca.crt from the gateway-manager-endpoint-secret and putting it in a file named ca.pem (API Connect needs the .pem extension for the upload to be accepted.)
• Create TLS Client Profile referencing the Trust store created

Create TLS Server profiles to present to clients invoking the APIs:

• Create TLS Key Store containing the certificate and private key to present - typically these would be obtained through an external Certificate Authority.
• Create a Server profile referencing the key store created.

To register the gateway on the 'Gateways' tab you will need the following details:

• URL of management endpoint: If using Satellite, this is the link endpoint URL including the port number. If not, this will be the hostname from the gatewayManagerEndpoint in the gateway cluster CR.
• TLS Client Profile: profile created above
• Base URL of API Invocation endpoint: The host from the gatewayEndpoint in the CR that inbound clients will use
  • TLS Server Profile: profile created above

France 2024

• 13 Aug - Utah Beach, Journey to Fondettes
• 14 Aug - La Membrolle sur Choisille
• 15 Aug - Château de Chenonceau
• 16 Aug - Château d'Ussé - Château de L'Islette
• 17 Aug - Tours
• 18 Aug - Candes-Saint-Martin
• 19 Aug - Le Baud'Rillé
• 20 Aug - Villandry
• 21 Aug - Cherbourg

To finish off the holiday we spent a night in Cherbourg so that we didn't have such an early start for the ferry the next day. We spent a lovely evening exploring along the waters edge and had dinner in the hotel restaurant.

Candes-Saint-Martin is close to the confluence of the Loire and the Vienne rivers. We went on a lovely circular walk from the town up through the nearby vineyards to the view point.

First we headed up from the river through the town.

Where we reached the vineyards and sunflower fields.

After heading across the fields above the town where we saw many fields of produce we reached the viewpoint overlooking the confluence of the rivers.

We then headed down and walked back along the edge of the town nearest the Loire - it was amazing to see the markers showing just how high the water had risen in the past.

After the walk we stopped at a picnic spot along the way back just up from the river.

The Château de Chenonceau is built spanning the river Cher and is one of the best-known châteaux of the Loire Valley.