Sample OpenShift Deployment Files
This topic provides Openshift deployment sample files that can be used for internal testing. CA Technologies highly recommends that you build your own configuration files and use these files as a starting point only.
When you copy and paste from the sample file code block, beware of possible reformatting that may result in differences between the pasted content and the content from the sample file. Make sure you validate the content in your file before deploying (for example, using a validation site such as yamllint.com).
IMPORTANT:
See Container Gateway Platform Support v9.3 for the supported environment for deploying the Container Gateway in a production environment. The MySQL configuration in the sample deployment files is only suitable for testing: it is an ephemeral, single-instance database with a hard-coded password. In production deployments, use a highly available and performant MySQL cluster instead. For more information on how to use a MySQL cluster, see Amazon's documentation on RDS or MySQL's documentation for InnoDB Clusters.
The configuration templates below are just an example. Items in the special << >> brackets are default configuration values that you are highly recommended to replace:

<<this is a sample value>>

To replace properly, remove the special brackets as well as the sample value. For example:

Before replace:
echo "LICENSE=\"$(gzip -c <<~/workspace/gateway/LICENSE.xml>> | base64 --wrap=0)\"" > LICENSE.gz.base64

After replace:
echo "LICENSE=\"$(gzip -c /home/userB/openshift/gateway/LICENSE_ABC.xml | base64 --wrap=0)\"" > LICENSE.gz.base64
Contents:
deploy.sh
#!/bin/bash

fail () {
  echo "$1"
  exit 1
}

# Variables for internal testing when you need to re-deploy several times
UNIQUE_PROJECT_NAME="<<project-uniquename>>"
DISPLAY_NAME="<<Unique display name>>"
ROUTE_IDENTIFIER="<<unique.prefix>>"

oc whoami || fail "need to be logged into an OpenShift server"

echo "--Creating the project"
oc new-project "$UNIQUE_PROJECT_NAME" --display-name "$DISPLAY_NAME" || fail "couldn't create project"

echo "--Creating the MySQL database"
# Test-only database credentials: they must match ssg.dbuser / ssg.dbpass in container-gateway-secrets.yml
oc process openshift//mysql-ephemeral \
  --param MYSQL_VERSION=5.7 \
  --param MYSQL_USER=ssgdbuser \
  --param MYSQL_PASSWORD=dbpassword \
  --param MYSQL_DATABASE=ssg \
  --param DATABASE_SERVICE_NAME=mysql-server \
  --labels db=container_gateway_db | oc create -f -

echo "--Waiting for the database to be ready"
while ( ! oc get pods | grep '^mysql-' | grep -v deploy | grep Running | awk '{ print $2 }' | grep -F '1/1' &> /dev/null ); do
  echo "waiting for database to be ready..."
  sleep 10
done

echo "--Setting the license and SSL key"
# The strings for LICENSE and SSLKEY must not contain any new lines: on Windows/Linux use 'base64 --wrap=0' instead of 'base64'
echo "LICENSE=\"$(gzip -c <<~/workspace/gateway/LICENSE.xml>> | base64 --wrap=0)\"" > LICENSE.gz.base64
echo "SSLKEY=\"$(cat <<~/workspace/gateway/SSLKEY.p12>> | base64 --wrap=0)\"" > SSLKEY.base64

echo "--Creating the secrets"
oc process -f container-gateway-secrets.yml --param-file=LICENSE.gz.base64 --param-file=SSLKEY.base64 | oc create -f -

# secret for the docker registry
oc secrets new-dockercfg <<my_docker_registry_resource_name>> \
  --docker-server=<<my_docker_registry_hostname.com>> \
  --docker-username=<<myusername>> \
  --docker-password=<<mypassword>> \
  --docker-email=<<nobody@ca.com>>
# link the secret to the service account so it can pull the image
oc secrets link serviceaccount/default secret/<<my_docker_registry_resource_name>> --for=pull

echo "--Creating the deployment"
oc process -f container-gateway.yml --param-file=container-gateway.env \
  --param=CONTAINER_GATEWAY_PUBLIC_HOST=$ROUTE_IDENTIFIER.<<openshift.generic.com>> | oc create -f -
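The placeholder convention above and the license/SSL key step in deploy.sh both fail quietly when done wrong: a leftover << >> value is handed to oc as-is, and a base64 value that still contains line breaks is not a valid single-line KEY="value" entry for --param-file. The pre-flight script below is an added example and is not part of CA's sample files; its function names, and the constructed LICENSE.xml and SSLKEY.p12 stand-ins used to exercise it, are this example's own. It assumes GNU-style base64 -w0 (the short form of the sample's --wrap=0).

```shell
#!/bin/sh
# Added example: pre-flight checks for the sample deploy.sh procedure.
# Function names are this example's own; file names follow the sample.

# 1. Fail if any <<placeholder>> from the samples is still present in the given files.
#    Prints the offending lines on stderr. (A bash heredoc '<<EOF' does not match
#    because it is not followed by '>>'.)
check_placeholders() {
    rc=0
    for f in "$@"; do
        if grep -nE '<<[^<>]*>>' "$f" >&2; then
            echo "$f: unreplaced placeholders listed above" >&2
            rc=1
        fi
    done
    return $rc
}

# 2. Write a single-line NAME="base64" param file the way deploy.sh does.
#    GZ=1 gzips first (the license); GZ=0 encodes the bytes as-is (the PKCS#12 key).
#    -w0 is GNU base64's short form of --wrap=0: without it base64 inserts a
#    newline every 76 characters and the param file is no longer one KEY=VALUE line.
encode_param() {
    name=$1; src=$2; gz=$3; out=$4
    if [ "$gz" = 1 ]; then
        value=$(gzip -c "$src" | base64 -w0)
    else
        value=$(base64 -w0 < "$src")
    fi
    printf '%s="%s"\n' "$name" "$value" > "$out"
}

# 3. A param file is acceptable only if it is exactly one NAME="<base64>" line.
check_param_file() {
    [ "$(wc -l < "$1")" -eq 1 ] && grep -qE '^[A-Z_]+="[A-Za-z0-9+/=]*"$' "$1"
}

# 4. Decode LICENSE.gz.base64 and confirm it reproduces the original license byte for byte.
verify_license_roundtrip() {
    src=$1; paramfile=$2
    sed -e 's/^[A-Z_]*="//' -e 's/"$//' "$paramfile" | base64 -d | gzip -dc | cmp -s - "$src"
}

# Usage against the sample files (the paths are the sample's placeholders, replaced):
#   check_placeholders deploy.sh container-gateway.env container-gateway-secrets.yml
#   encode_param LICENSE ~/workspace/gateway/LICENSE.xml 1 LICENSE.gz.base64
#   encode_param SSLKEY  ~/workspace/gateway/SSLKEY.p12  0 SSLKEY.base64
#   check_param_file LICENSE.gz.base64 && check_param_file SSLKEY.base64
#   verify_license_roundtrip ~/workspace/gateway/LICENSE.xml LICENSE.gz.base64
```

Run the placeholder check over every file you edited, not only deploy.sh: container-gateway.env and container-gateway-secrets.yml carry placeholders too, and a leftover <<somepassword>> in the Secret would be deployed literally.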
container-gateway.env
DOCKER_REGISTRY=<<my.docker.registry.com>>
DOCKER_IMAGE_NAME=<<images/gateway-image>>
DOCKER_IMAGE_TAG=<<latest>>
DOCKER_REGISTRY_INSECURE=false
ACCEPT_LICENSE=<<false>>
SSG_JVM_HEAP=4096m
SSG_DATABASE_JDBC_URL=jdbc:mysql://mysql-server:3306/ssg
SSG_CLUSTER_HOST=<<host.sample.com>>
EXTRA_JAVA_ARGS="-XX:ParallelGCThreads=4 -Dcom.l7tech.bootstrap.env.license.enable=true"
By setting the ACCEPT_LICENSE environment variable to "true", you are expressing that you have a valid and existing commercial license for CA API Gateway and that you have reviewed and accepted the terms of the CA End User License Agreement (EULA), which shall govern your use of the CA API Gateway.

container-gateway-secrets.yml
# Create the secrets resource in OpenShift, edit the values to suit your needs, then run something like:
#echo "LICENSE=\"$(gzip -c ~/workspace/gateway/LICENSE.xml | base64 --wrap=0)\"" > LICENSE.gz.base64
#echo "SSLKEY=\"$(cat ~/workspace/gateway/SSLKEY.p12 | base64 --wrap=0)\"" > SSLKEY.base64
#oc process -f container-gateway-secrets.yml --param-file=LICENSE.gz.base64 --param-file=SSLKEY.base64 | oc create -f -
apiVersion: v1
kind: Template
metadata:
  name: container-gateway-secrets
  labels:
    name: container-gateway-secrets
  annotations:
    description: Template for Secrets for the Container Gateway
objects:
- apiVersion: v1
  kind: Secret
  metadata:
    name: containergateway
  stringData:
    ssg.adminusername: <<adminUser>>
    ssg.adminpassword: <<somepassword>>
    ssg.dbuser: ssgdbuser
    ssg.dbpass: dbpassword
    ssg.clusterhostpass: <<clusterpassword>>
    ssg.sslkey: ${SSLKEY}
    ssg.sslkeypass: <<keypassword>>
    ssg.license: ${LICENSE}
parameters:
- name: SSLKEY
  required: false
- name: LICENSE
  required: false
container-gateway.yml
# this file can be processed by running something like:
# oc process -f openshift/container-gateway.yml --param-file=openshift/container-gateway.env | oc create -f -
apiVersion: v1
kind: Template
metadata:
  name: container-gateway-template
  labels:
    name: containergateway
  annotations:
    description: Template for the Container Gateway
objects:
- apiVersion: v1
  kind: ImageStream
  metadata:
    annotations:
      description: Container Gateway image stream
      openshift.io/image.insecureRepository: "${DOCKER_REGISTRY_INSECURE}"
    labels:
      name: containergateway
    name: container-gateway-is
  spec:
    tags:
    - annotations:
      from:
        kind: DockerImage
        name: "${DOCKER_REGISTRY}/${DOCKER_IMAGE_NAME}:${DOCKER_IMAGE_TAG}"
      name: "${DOCKER_IMAGE_TAG}"
      importPolicy:
        scheduled: true
        insecure: ${{DOCKER_REGISTRY_INSECURE}}
- apiVersion: v1
  kind: Service
  metadata:
    labels:
      name: containergateway
      service: container-gateway-svc
    name: container-gateway-svc
    annotations:
      description: "The Container Gateway service"
  spec:
    ports:
    - port: 8080
      targetPort: 8080
      protocol: TCP
      name: container-gateway-http-port
    - port: 8443
      targetPort: 8443
      protocol: TCP
      name: container-gateway-https-port
    - port: 9443
      targetPort: 9443
      protocol: TCP
      name: container-gateway-pm-port
    selector:
      name: containergateway
    type: ClusterIP
- apiVersion: v1
  kind: Route
  metadata:
    labels:
      name: containergateway
      router: default
    name: container-gateway-pm-route
    annotations:
      description: "The route to expose the Container Gateway's Policy Manager port"
  spec:
    host: pm.${CONTAINER_GATEWAY_PUBLIC_HOST}
    to:
      kind: Service
      name: container-gateway-svc
    port:
      targetPort: container-gateway-pm-port
    tls:
      termination: passthrough
- apiVersion: v1
  kind: Route
  metadata:
    labels:
      name: containergateway
      router: default
    name: container-gateway-http-route
    annotations:
      description: "The route to expose the Container Gateway's HTTP port"
  spec:
    host: http.${CONTAINER_GATEWAY_PUBLIC_HOST}
    to:
      kind: Service
      name: container-gateway-svc
    port:
      targetPort: container-gateway-http-port
- apiVersion: v1
  kind: Route
  metadata:
    labels:
      name: containergateway
      router: default
    name: container-gateway-https-route
    annotations:
      description: "The route to expose the Container Gateway's HTTPS port"
  spec:
    host: https.${CONTAINER_GATEWAY_PUBLIC_HOST}
    to:
      kind: Service
      name: container-gateway-svc
    port:
      targetPort: container-gateway-https-port
    tls:
      termination: passthrough
- apiVersion: autoscaling/v1
  kind: HorizontalPodAutoscaler
  metadata:
    name: container-gateway-hpa
    labels:
      name: containergateway
  spec:
    scaleTargetRef:
      kind: DeploymentConfig
      name: container-gateway-dc
      apiVersion: extensions/v1beta1
    minReplicas: 1
    maxReplicas: 10
    targetCPUUtilizationPercentage: 75
- apiVersion: v1
  kind: DeploymentConfig
  metadata:
    name: container-gateway-dc
    labels:
      name: containergateway
    annotations:
      description: "The Container Gateway deployment configuration"
  spec:
    strategy:
      type: Rolling
      rollingParams:
        timeoutSeconds: 1200
    triggers:
    - type: ConfigChange
    - type: ImageChange
      imageChangeParams:
        automatic: true
        containerNames:
        - gateway-container
        from:
          kind: ImageStreamTag
          name: "container-gateway-is:${DOCKER_IMAGE_TAG}"
    replicas: 1
    selector:
      name: containergateway
      deploymentconfig: container-gateway-dc
    template:
      metadata:
        labels:
          name: containergateway
          deploymentconfig: container-gateway-dc
      spec:
        containers:
        - name: gateway-container
          image: "${DOCKER_IMAGE_NAME}:${DOCKER_IMAGE_TAG}"
          imagePullPolicy: Always
          resources:
            requests:
              cpu: 4000m
              memory: 6Gi
            limits:
              cpu: 4000m
              memory: 6Gi
          terminationMessagePath: /dev/termination-log
          ports:
          - containerPort: 8080
          - containerPort: 8443
          - containerPort: 9443
          env:
          - name: ACCEPT_LICENSE
            value: ${ACCEPT_LICENSE}
          - name: SSG_JVM_HEAP
            value: ${SSG_JVM_HEAP}
          - name: SSG_ADMIN_USERNAME
            valueFrom:
              secretKeyRef:
                name: containergateway
                key: ssg.adminusername
          - name: SSG_ADMIN_PASSWORD
            valueFrom:
              secretKeyRef:
                name: containergateway
                key: ssg.adminpassword
          - name: SSG_LICENSE
            valueFrom:
              secretKeyRef:
                name: containergateway
                key: ssg.license
          - name: SSG_SSL_KEY
            valueFrom:
              secretKeyRef:
                name: containergateway
                key: ssg.sslkey
          - name: SSG_SSL_KEY_PASS
            valueFrom:
              secretKeyRef:
                name: containergateway
                key: ssg.sslkeypass
          - name: SSG_DATABASE_JDBC_URL
            value: ${SSG_DATABASE_JDBC_URL}
          - name: SSG_DATABASE_USER
            valueFrom:
              secretKeyRef:
                name: containergateway
                key: ssg.dbuser
          - name: SSG_DATABASE_PASSWORD
            valueFrom:
              secretKeyRef:
                name: containergateway
                key: ssg.dbpass
          - name: SSG_CLUSTER_HOST
            value: ${SSG_CLUSTER_HOST}
          - name: SSG_CLUSTER_PASSWORD
            valueFrom:
              secretKeyRef:
                name: containergateway
                key: ssg.clusterhostpass
          - name: EXTRA_JAVA_ARGS
            value: ${EXTRA_JAVA_ARGS}
          readinessProbe:
            exec:
              command: [sh, /opt/docker/rc.d/diagnostic/health_check.sh]
            initialDelaySeconds: 120
            timeoutSeconds: 5
            periodSeconds: 5
            successThreshold: 1
          livenessProbe:
            exec:
              command: [sh, /opt/docker/rc.d/diagnostic/health_check.sh]
            initialDelaySeconds: 120
            timeoutSeconds: 5
            periodSeconds: 5
            successThreshold: 1
        dnsPolicy: ClusterFirst
        restartPolicy: Always
        securityContext: {}
        terminationGracePeriodSeconds: 60
    test: false
  status: {}
parameters:
- name: CONTAINER_GATEWAY_PUBLIC_HOST
  description: Openshift public hostname
  required: true
- name: DOCKER_REGISTRY
  description: The FQDN of the Docker registry to pull the Docker image from
  required: true
- name: DOCKER_REGISTRY_INSECURE
  description: Whether the Docker Registry we're pulling from uses self signed certs
  required: true
- name: DOCKER_IMAGE_NAME
  description: The name of the Docker image to pull (i.e. the part between the registry and the tag when running docker pull)
  required: true
- name: DOCKER_IMAGE_TAG
  description: The tag of the Docker image to deploy
  required: true
- name: ACCEPT_LICENSE
  description: Accept License
  required: true
- name: SSG_LICENSE
  description: Gateway license ( cat license.xml | gzip | base64 )
  required: false
- name: SSG_JVM_HEAP
  description: The argument to use for the -Xms and -Xmx JVM heap size options
  required: false
- name: SSG_ADMIN_USERNAME
  description: The admin username
  required: false
- name: SSG_ADMIN_PASSWORD
  description: The admin password
  required: false
- name: SSG_DATABASE_JDBC_URL
  description: The external database JDBC url
  required: false
- name: SSG_DATABASE_USER
  description: User to connect to the external db.
  required: false
- name: SSG_DATABASE_PASSWORD
  description: Password to connect to the external db
  required: false
- name: SSG_CLUSTER_HOST
  description: The cluster hostname
  required: false
- name: SSG_CLUSTER_PASSWORD
  description: The cluster password
  required: false
- name: EXTRA_JAVA_ARGS
  description: Extra system properties or other arguments to add to the JVM command line
  required: false
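The template above declares more parameters than it references (SSG_LICENSE, SSG_ADMIN_USERNAME and the other secret-backed values reach the pod through the containergateway Secret, not through ${...} substitution), and deploy.sh supplies CONTAINER_GATEWAY_PUBLIC_HOST on the command line rather than in the env file. The script below is an added example, not part of CA's sample files, that cross-checks a template against its --param-file before oc process runs: it lists every ${NAME} and ${{NAME}} reference, every name declared under parameters:, and every key the env file supplies, and it takes command-line parameters as extra arguments. Its function names, and the small template and env file constructed in the test, are this example's own; it assumes the template keeps parameters: at the top level, as the sample does.

```shell
#!/bin/sh
# Added example: cross-check an OpenShift template against its --param-file
# before 'oc process'. Function names are this example's own.
LC_ALL=C; export LC_ALL   # stable sort order for comm(1)

# Every ${NAME} or ${{NAME}} reference in the template, one per line, unique.
template_refs() {
    grep -oE '\$\{\{?[A-Z_]+\}?\}' "$1" | tr -d '${}' | sort -u
}

# Parameter names declared under the template's top-level 'parameters:' key.
declared_params() {
    sed -n '/^parameters:/,$p' "$1" | sed -n 's/^ *- name: \([A-Z_]*\).*/\1/p' | sort -u
}

# Declared parameters marked 'required: true'.
required_params() {
    sed -n '/^parameters:/,$p' "$1" \
        | awk '/^ *- name:/ {n=$3} /required: true/ {print n}' | sort -u
}

# Keys that a KEY=VALUE env file supplies (comments and blank lines ignored).
env_keys() {
    grep -oE '^[A-Z_]+=' "$1" | tr -d '=' | sort -u
}

# check_template TEMPLATE ENVFILE [NAME ...]
#   NAME... are parameters supplied another way (e.g. --param= on the oc command line).
#   Prints findings on stderr. Returns 1 if a reference is undeclared or a required
#   parameter has no value; declared-but-unreferenced names are informational only.
check_template() {
    tpl=$1; envf=$2; shift 2
    t=$(mktemp -d); rc=0
    template_refs "$tpl"   > "$t/refs"
    declared_params "$tpl" > "$t/decl"
    required_params "$tpl" > "$t/req"
    { env_keys "$envf"; for n in "$@"; do echo "$n"; done; } | sort -u > "$t/env"
    undeclared=$(comm -23 "$t/refs" "$t/decl")   # referenced, never declared
    unvalued=$(comm -23 "$t/req" "$t/env")       # required, no value anywhere
    unused=$(comm -13 "$t/refs" "$t/decl")       # declared, never referenced
    if [ -n "$undeclared" ]; then echo "referenced but not declared: $undeclared" >&2; rc=1; fi
    if [ -n "$unvalued" ]; then echo "required but no value supplied: $unvalued" >&2; rc=1; fi
    if [ -n "$unused" ]; then echo "declared but never referenced (info): $unused" >&2; fi
    rm -rf "$t"
    return $rc
}

# Usage with the sample files, mirroring the oc process call in deploy.sh:
#   check_template container-gateway.yml container-gateway.env CONTAINER_GATEWAY_PUBLIC_HOST
```

The required-but-unvalued check is the one that matters when you follow the hub.docker.com tip below: removing DOCKER_REGISTRY from container-gateway.env without also changing its declaration to required: false is reported before oc process refuses the template.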
Tips
In the container-gateway.yml configuration file, if you are pulling the Gateway image directly from hub.docker.com, without going through another docker registry, you need to make the following modifications to the files.

container-gateway.yml file:
  spec:
    tags:
    - annotations:
      from:
        kind: DockerImage
        #name: "${DOCKER_REGISTRY}/${DOCKER_IMAGE_NAME}:${DOCKER_IMAGE_TAG}"   <== original
        name: "${DOCKER_IMAGE_NAME}:${DOCKER_IMAGE_TAG}"                       <== removed "${DOCKER_REGISTRY}/"
      name: "${DOCKER_IMAGE_TAG}"
      importPolicy:
        scheduled: true
        insecure: ${{DOCKER_REGISTRY_INSECURE}}

and

- name: DOCKER_REGISTRY
  description: The FQDN of the Docker registry to pull the Docker image from
  #required: true   <== original
  required: false   <== changed to

and container-gateway.env file:
DOCKER_REGISTRY=''   <== can either be left empty or removed from the file completely
If your Policy Manager connection keeps getting disconnected, you can modify the load balance algorithm of the Policy Manager route in the container-gateway.yml file. The route is TLS passthrough, so the router never sees an HTTP cookie it could use for session affinity; hashing on the client source address is the way to keep each Policy Manager session on the same pod.

container-gateway.yml file:
- apiVersion: v1
  kind: Route
  metadata:
    labels:
      name: containergateway
      router: default
    name: container-gateway-pm-route
    annotations:
      description: "The route to expose the Container Gateway's Policy Manager port"
      haproxy.router.openshift.io/balance: source   <== added

Reference: https://docs.openshift.com/container-platform/3.4/architecture/core_concepts/routes.html#route-specific-annotations