This article describes how to install IBM API Connect v10 on a one-node Kubernetes cluster for personal/demo/PoC/MVP usage.

This article does not cover provisioning a VM, installing Docker, Kubernetes, the nginx ingress and a registry, or configuring dynamic provisioning. Those topics are described in the Installing IBM API Connect 2018 article, and the same steps can be used for this installation.

One important comment: please check supported versions of Kubernetes on IBM's site: https://www.ibm.com/software/reports/compatibility/clarity/softwareReqsForProduct.html
Currently only 1.16 and 1.17 are supported. You MUST use a supported version; otherwise the results are unpredictable.
You can use this command to list available Kubernetes packages:
yum list kubeadm --showduplicates | sort -r
In order to install 1.17 version use:
yum install -y kubelet-1.17.7 kubectl-1.17.7 kubeadm-1.17.7
Don't forget to set a particular version of Kubernetes control plane during "kubeadm init". Otherwise it will install the latest version which could be incompatible with your kubectl client version. For example:
kubeadm init --apiserver-advertise-address=YOUR_APISERVER_IP --pod-network-cidr=10.1.0.0/16 --kubernetes-version=v1.17.7

The article includes steps to:
1. Obtain and upload files to the Registry
2. Install Kubernetes operators
3. Install cert-manager and certificates
4. Install Management subsystem
5. Install Developer Portal subsystem
6. Install Gateway subsystem
7. Install Analytics subsystem
8. First login and Topology configuration

1. Obtain and upload files to the Registry

Download the distribution packages from IBM:

  • IBM API Connect Operator Install Files 10.0.0 long-term support for Containers
  • IBM API Connect 10.0.0 long-term support for Containers English
  • IBM API Connect Toolkit 10.0.0 long-term support for Linux, OSX, Windows
IBM API Connect v10 distributives

Unzip all downloaded archives.

unzip IBM_API_CONNECT_OPERATOR_INSTALL_.zip
unzip release_files.zip
unzip IBM_API_CONNECT_TOOLKIT_10.0.0_LO.zip
tar -xzvf toolkit-loopback-linux.tgz
unzip IBM_API_CONNECT_MANAGEMENT_10.0.0.zip
rm -f release_files.*
rm -f toolkit-loopback-m* toolkit-loopback-w* toolkit-loopback-linux.tgz.*
rm -f toolkit-loopback-linux.tgz
rm -f apiconnect-image-tool-10.0.0.0.tar.gz.asc IBM_API_CONNECT_*

The apiconnect-image-tool-10.0.0.0.tar.gz archive contains images for all API Connect subsystems.
Load the image-tool from the archive.
docker load < apiconnect-image-tool-10.0.0.0.tar.gz

Load IBM API Connect v10 images from tar archive

'docker images' will show loaded image:

Loaded IBM API Connect v10 images

You can use this command to list images inside IBM API Connect v10 image tool.
docker run --rm apiconnect-image-tool-10.0.0.0 version --images

Upload images to the registry.
docker run --rm apiconnect-image-tool-10.0.0.0 upload YOUR_HOSTNAME:5443 --tls-verify=false

2. Install Kubernetes operators

Configure environment variables and create a namespace.

export NAMESPACE=apiconnect
echo "export NAMESPACE=apiconnect" >> /root/.bashrc
kubectl create namespace $NAMESPACE
export KUBECONFIG=$HOME/.kube/config
alias k="kubectl -n apiconnect"
echo "export KUBECONFIG=$HOME/.kube/config" >> /root/.bashrc
echo 'alias k="kubectl -n apiconnect"' >> /root/.bashrc

2.1 Create secrets

Create a registry secret with credentials to be used to pull down product images.
kubectl create secret docker-registry apic-registry-secret --docker-server=YOUR_HOSTNAME:5443 --docker-username=any --docker-password=any --docker-email=dmitrii@marukhno.com -n apiconnect

Create a registry secret for the DataPower registry with the credentials to be used to pull down product images.
kubectl create secret docker-registry datapower-docker-local-cred --docker-server=YOUR_HOSTNAME:5443 --docker-username=any --docker-password=any --docker-email=dmitrii@marukhno.com -n apiconnect

Create a DataPower admin secret. The admin secret will be used for $ADMIN_USER_SECRET (a variable in Gateway CR) when deploying the gateway CR.
kubectl create secret generic datapower-admin-credentials --from-literal=password=admin -n apiconnect
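
A hardened variant of the DataPower admin secret step, as an added example that is not part of the original article: it generates the password instead of using the literal admin, and passes it to kubectl with --from-file so the value does not appear on the command line. The script name, the file path and the hex password format are assumptions.

```shell
#!/bin/sh
# Added example, not from the article: generate the DataPower admin password
# instead of using a fixed literal, and hand it to kubectl through a file.

# new_password_file PATH [BYTES]  writes 2*BYTES hex characters, file mode 0600.
new_password_file() {
    path=$1
    bytes=${2:-16}
    (
        umask 077   # create the file readable and writable by the owner only
        set -C      # noclobber: fail instead of overwriting an existing file
        od -An -N"$bytes" -tx1 /dev/urandom | tr -d ' \n' > "$path"
    )
}

# create_dp_admin_secret PATH  uses the secret name, key and namespace from the
# article; --from-file keeps the value off the command line and out of history.
create_dp_admin_secret() {
    kubectl create secret generic datapower-admin-credentials \
        --from-file=password="$1" -n apiconnect
}

# Usage: sh dp-admin-secret.sh /root/dp-admin.pw   (name and path are placeholders)
if [ -n "${1:-}" ]; then
    new_password_file "$1" && create_dp_admin_secret "$1"
fi
```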

2.2 Configure ibm-apiconnect.yaml

Open ibm-apiconnect.yaml in a text editor. Replace each occurrence of default with the namespace for your deployment.
We are going to replace "namespace: default" with "namespace: apiconnect" in ibm-apiconnect.yaml for this installation.

Open ibm-apiconnect.yaml in a text editor. Locate the image: key in the containers section of the deployment YAML, right below imagePullSecrets:. Replace the value of the image: key with the location of the apiconnect operator image. To get the image tag, use the Registry API:
curl -XGET https://YOUR_HOSTNAME:5443/v2/ibm-apiconnect-operator/tags/list | jq

Get ibm-apiconnect-operator tag

Then, in ibm-apiconnect.yaml find "image:" and replace it with your value:

Set correct image for ibm-apiconnect-operator in ibm-apiconnect.yaml

2.3 Configure ibm-datapower.yaml

Open ibm-datapower.yaml in a text editor. Replace each occurrence of default with the namespace for your deployment. We are going to replace "namespace: default" with "namespace: apiconnect" in ibm-datapower.yaml for this installation.

Open ibm-datapower.yaml in a text editor. Locate the image: key in the containers section of the deployment YAML, right below imagePullSecrets:. Replace the value of the image: key with the location of the datapower operator image. To get the image tag, use the Registry API:
curl -XGET https://YOUR_HOSTNAME:5443/v2/datapower-operator/tags/list | jq

Get datapower-operator tag

Then, in ibm-datapower.yaml find "image:" and replace it with your value:

Set correct image for datapower-operator in ibm-datapower.yaml

2.4 Install CRDs

Install the ibm-apiconnect CRDs.
kubectl apply -f ibm-apiconnect-crds.yaml

Install the ibm-apiconnect Kubernetes deployment.
kubectl apply -f ibm-apiconnect.yaml

Install the ibm-datapower Kubernetes deployment for DataPower Gateway
kubectl apply -f ibm-datapower.yaml -n apiconnect

3. Install cert-manager and certificates

API Connect v10 uses v0.10.1 of cert-manager, which is a native Kubernetes certificate management controller.
You can obtain cert-manager v0.10.1 from the API Connect v10 distribution helper_files.zip archive, or from https://github.com/jetstack/cert-manager.

Apply the CR. Do not specify a custom namespace.
kubectl apply -f cert-manager-0.10.1.yaml --validate=false

Wait for cert-manager pods to enter Running 1/1 status before proceeding. To check the status:
kubectl get po -n cert-manager

cert-manager pods are up and running

Install the ingress-ca Issuer to be used by cert-manager.
kubectl apply -f ingress-issuer-v1-alpha1.yaml -n apiconnect

Validate that the command succeeded:
kubectl get certificates -n apiconnect

4. Install Management subsystem

Edit management_cr.yaml, which is in helper_files.zip.

You will have to replace the following variables:
$APP_PRODUCT_VERSION = 10.0.0.0
$SECRET_NAME = apic-registry-secret
$PROFILE = n1xc4.m16
(this is for development profile which deploys a subsystem with the scale of one with 4 cores, and 16 GB memory)
$DOCKER_REGISTRY = YOUR_HOSTNAME:5443
$STACK_HOST =
admin.YOUR_HOSTNAME
manager.YOUR_HOSTNAME
api.YOUR_HOSTNAME
consumer.YOUR_HOSTNAME

$STORAGE_CLASS = myblock

Verify and accept the license setting.
license:
  accept: true
  use: nonproduction

My management_cr.yaml as an example is below.

apiVersion: management.apiconnect.ibm.com/v1beta1
kind: ManagementCluster
metadata:
  name: management
spec:
  appVersion: 10.0.0.0
  imagePullSecrets:
  - apic-registry-secret
  imageRegistry: YOUR_HOSTNAME:5443
  profile: n1xc4.m16
  portal:
    admin:
      secretName: portal-admin-client
  analytics:
    client:
      secretName: analytics-client-client
    ingestion:
      secretName: analytics-ingestion-client
  cloudManagerEndpoint:
    annotations:
      certmanager.k8s.io/issuer: ingress-issuer
    hosts:
    - name: admin.YOUR_HOSTNAME
      secretName: cm-endpoint
  apiManagerEndpoint:
    annotations:
      certmanager.k8s.io/issuer: ingress-issuer
    hosts:
    - name: manager.YOUR_HOSTNAME
      secretName: apim-endpoint
  platformAPIEndpoint:
    annotations:
      certmanager.k8s.io/issuer: ingress-issuer
    hosts:
    - name: api.YOUR_HOSTNAME
      secretName: api-endpoint
  consumerAPIEndpoint:
    annotations:
      certmanager.k8s.io/issuer: ingress-issuer
    hosts:
    - name: consumer.YOUR_HOSTNAME
      secretName: consumer-endpoint
  databaseVolumeClaimTemplate:
    storageClassName: myblock
    volumeSize: 20Gi
  microServiceSecurity: certManager
  certManagerIssuer:
    name: selfsigning-issuer
    kind: Issuer
  license:
    accept: true
    use: nonproduction

Install the management Custom Resource to the target installation namespace in the Kubernetes cluster.
kubectl apply -f management_cr.yaml -n apiconnect

Verify that the Management subsystem is fully installed:
kubectl get ManagementCluster -n apiconnect

The installation has completed when the READY status is True, and the SUMMARY reports that all services are online (e.g. 14/14).
There is no need to wait for the READY status to be True before moving on to the next Subsystem installation.

IBM API Connect v10: Management subsystem

Check your connection to the Cloud Manager user interface on the Management subsystem on your Cloud Manager endpoint.
https://admin.YOUR_HOSTNAME/admin

5. Install Developer Portal subsystem

Edit the portal_cr.yaml template, which is in helper_files.zip.

You will have to replace the following variables:
$APP_PRODUCT_VERSION = 10.0.0.0
$PROFILE = n1xc2.m8
Describes a hardware profile of 1 node, 4 cores, and 8 GB memory. Deploys a subsystem with the scale of one; a single node, non-HA subsystem. Recommended use of this profile is for development and testing.
$SECRET_NAME = apic-registry-secret
$DOCKER_REGISTRY = YOUR_HOSTNAME:5443
$STACK_HOST =
api.portal.YOUR_HOSTNAME
portal.YOUR_HOSTNAME

$STORAGE_CLASS = myblock

Verify and accept the license setting.
license:
  accept: true
  use: nonproduction

My portal_cr.yaml as an example is below.

apiVersion: portal.apiconnect.ibm.com/v1beta1
kind: PortalCluster
metadata:
  name: portal
spec:
  appVersion: 10.0.0.0
  profile: n1xc2.m8
  imagePullSecrets:
    - apic-registry-secret
  imageRegistry: YOUR_HOSTNAME:5443
  portalAdminEndpoint:
    annotations:
      certmanager.k8s.io/issuer: ingress-issuer
    hosts:
    - name: api.portal.YOUR_HOSTNAME
      secretName: portal-admin
  portalUIEndpoint:
    annotations:
      certmanager.k8s.io/issuer: ingress-issuer
    hosts:
    - name: portal.YOUR_HOSTNAME
      secretName: portal-web
  databaseVolumeClaimTemplate:
    storageClassName: myblock
  databaseLogsVolumeClaimTemplate:
    storageClassName: myblock
  webVolumeClaimTemplate:
    storageClassName: myblock
  backupVolumeClaimTemplate:
    storageClassName: myblock
  adminVolumeClaimTemplate:
    storageClassName: myblock
  adminClientSubjectDN: CN=portal-admin-client,O=cert-manager
  microServiceSecurity: certManager
  certManagerIssuer:
    name: selfsigning-issuer
    kind: Issuer
  license:
    accept: true
    use: nonproduction

Install the Portal Custom Resource
kubectl apply -f portal_cr.yaml -n apiconnect

Verify that the Portal subsystem is fully installed
kubectl get PortalCluster -n apiconnect

IBM API Connect v10: Portal subsystem

6. Install Gateway subsystem

Edit the apigateway_cr.yaml template, which is in helper_files.zip.

You will have to replace the following variables:
$APP_PRODUCT_VERSION = 10.0.0.0
$PROFILE = n1xc4.m8
Describes a hardware profile of 1 node, 4 cores, and 8 GB memory. Deploys a subsystem with the scale of one; a single node, non-HA subsystem. Recommended use of this profile is for development and testing.
$SECRET_NAME = apic-registry-secret
$DOCKER_REGISTRY = YOUR_HOSTNAME:5443
$STACK_HOST =
rgw.YOUR_HOSTNAME
rgwd.YOUR_HOSTNAME

$STORAGE_CLASS = myblock
$ADMIN_USER_SECRET = datapower-admin-credentials

Verify and accept the license setting.
license:
  accept: true
  use: nonproduction

My apigateway_cr.yaml as an example is below.

apiVersion: gateway.apiconnect.ibm.com/v1beta1
kind: GatewayCluster
metadata:
  name: gwv6
spec:
  appVersion: 10.0.0.0
  profile: n1xc4.m8
  imagePullSecrets:
  - apic-registry-secret
  imageRegistry: YOUR_HOSTNAME:5443
  apicGatewayServiceV5CompatibilityMode: false
  gatewayEndpoint:
    annotations:
      certmanager.k8s.io/issuer: ingress-issuer
    hosts:
    - name: rgw.YOUR_HOSTNAME
      secretName: gwv6-endpoint
  gatewayManagerEndpoint:
    annotations:
      certmanager.k8s.io/issuer: ingress-issuer
    hosts:
    - name: rgwd.YOUR_HOSTNAME
      secretName: gwv6-manager-endpoint
  apicGatewayServiceTLS:
    secretName: gateway-service
  apicGatewayPeeringTLS:
    secretName: gateway-peering
  datapowerLogLevel: 3
  license:
    accept: true
    use: nonproduction
  tokenManagementService:
    enabled: true
    storage:
      storageClassName: myblock
      volumeSize: 30Gi
  adminUser:
    secretName: datapower-admin-credentials
  openTracing:
    enabled: false
    odTracingRegistrationHostname: $OD_TRACING_REGISTRATION_HOSTNAME
    odTracingDataHostname: $OD_TRACING_HOSTNAME
    imageAgent: $AGENT_IMAGE
    imageCollector: $COLLECTOR_IMAGE
  syslogConfig:
    enabled: false 

Install the Gateway Custom Resource by applying the Gateway template file
kubectl apply -f apigateway_cr.yaml -n apiconnect

To verify that the Gateway subsystem(s) are fully installed
kubectl get GatewayCluster -n apiconnect

IBM API Connect v10: Gateway subsystem

7. Install Analytics subsystem

Edit the analytics_cr.yaml template, which is in helper_files.zip.

You will have to replace the following variables:
$APP_PRODUCT_VERSION = 10.0.0.0
$PROFILE = n1xc2.m16
For development use
$SECRET_NAME = apic-registry-secret
$DOCKER_REGISTRY = YOUR_HOSTNAME:5443
$STACK_HOST =
ac.YOUR_HOSTNAME
ai.YOUR_HOSTNAME
$STORAGE_CLASS = myblock

Verify and accept the license setting.
license:
  accept: true
  use: nonproduction

My analytics_cr.yaml as an example is below.

apiVersion: analytics.apiconnect.ibm.com/v1beta1
kind: AnalyticsCluster
metadata:
  name: analytics
spec:
  appVersion: 10.0.0.0
  license:
    accept: true
    use: nonproduction
  profile: n1xc2.m16
  imagePullSecrets:
  - apic-registry-secret
  imageRegistry: YOUR_HOSTNAME:5443
  microServiceSecurity: certManager
  certManagerIssuer:
    name: selfsigning-issuer
    kind: Issuer
  client:
    endpoint:
      annotations:
        certmanager.k8s.io/issuer: ingress-issuer
      hosts:
      - name: ac.YOUR_HOSTNAME
        secretName: analytics-ac-endpoint
    clientSubjectDN: CN=analytics-client-client,O=cert-manager
  ingestion:
    endpoint:
      annotations:
        certmanager.k8s.io/issuer: ingress-issuer
      hosts:
      - name: ai.YOUR_HOSTNAME
        secretName: analytics-ai-endpoint
    clientSubjectDN: CN=analytics-ingestion-client,O=cert-manager
  storage:
    data:
      volumeClaimTemplate:
        storageClassName: myblock
    master:
      volumeClaimTemplate:
        storageClassName: myblock

Run the following command to apply the analytics_cr.yaml:
kubectl apply -f analytics_cr.yaml -n apiconnect

Verify that the analytics subsystem is fully installed by running the following command:
kubectl get AnalyticsCluster -n apiconnect

IBM API Connect v10: Analytics subsystem
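
The variable replacement done by hand in sections 4 to 7, as an added example that is not part of the original article or of IBM's helper files: a shell function that fills the $PLACEHOLDER variables in a CR template and returns a non-zero status while any remain, such as the $OD_TRACING_REGISTRATION_HOSTNAME and $AGENT_IMAGE entries still present in the gateway CR above. The template fragment is constructed for the example, and treating $STACK_HOST as a hostname suffix is an assumption.

```shell
#!/bin/sh
# Added example, not from the article: render a CR template and flag leftovers.
# render_cr TEMPLATE KEY=VALUE...  prints rendered YAML; status 1 on leftovers.
render_cr() {
    tmpl=$1; shift
    printf '%s\n' "$@" | awk '
        NR == FNR {                      # first input (stdin): KEY=VALUE pairs
            i = index($0, "=")
            if (i > 1) map[substr($0, 1, i - 1)] = substr($0, i + 1)
            next
        }
        {                                # second input: template, token by token
            out = ""; rest = $0
            while (match(rest, /\$[A-Z_][A-Z0-9_]*/)) {
                name = substr(rest, RSTART + 1, RLENGTH - 1)
                out = out substr(rest, 1, RSTART - 1)
                if (name in map) out = out map[name]
                else { out = out "$" name; missing[name] = 1 }
                rest = substr(rest, RSTART + RLENGTH)
            }
            print out rest
        }
        END {
            for (n in missing) { print "unresolved: $" n > "/dev/stderr"; bad = 1 }
            exit bad
        }' - "$tmpl"
}

# Constructed template fragment (assumption); real templates are in helper_files.zip.
demo_template() {
    cat <<'EOF'
spec:
  appVersion: $APP_PRODUCT_VERSION
  profile: $PROFILE
  imageRegistry: $DOCKER_REGISTRY
  cloudManagerEndpoint:
    hosts:
    - name: admin.$STACK_HOST
  databaseVolumeClaimTemplate:
    storageClassName: $STORAGE_CLASS
EOF
}

tmp=$(mktemp) && demo_template > "$tmp"
# STORAGE_CLASS is omitted on purpose, so this run reports it and returns 1.
render_cr "$tmp" APP_PRODUCT_VERSION=10.0.0.0 PROFILE=n1xc4.m16 \
    DOCKER_REGISTRY=YOUR_HOSTNAME:5443 STACK_HOST=YOUR_HOSTNAME \
    || echo "do not apply this file yet" >&2
rm -f "$tmp"
```

Because whole placeholder names are matched, a value given for STACK_HOST never rewrites part of a longer name, and the rendered file should only be passed to kubectl apply when the function returns 0.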

8. First login and Topology configuration

Open Cloud Manager endpoint: https://admin.YOUR_HOSTNAME/admin
For the first login, use admin/7iron-hide. You will be prompted to change the password.
After logging in, you will need to configure an SMTP server and the Topology in order to use IBM API Connect. Those steps are the same in IBM API Connect v10 as they were in IBM API Connect v2018, so please follow the 'Configure an SMTP server' and 'Configure IBM API Connect topology' sections of my v2018-based guide: https://marukhno.com/ibm-api-connect-2018-installation

Enjoy!

IBM API Connect v10: Cloud Manager