Openshift & API gateway for Centos7

Document ID : KB000123478
Last Modified Date : 21/12/2018
Introduction:
We have been following the steps at the link below to set up a test Gateway container in our OpenShift environment: https://docops.ca.com/ca-api-gateway/9-3/en/other-gateway-form-factors/using-the-container-gateway/getting-started-with-the-container-gateway/run-the-container-gateway-on-openshift
We have been successful in deploying the pods. They seem to be healthy and logging. But we are not able to hit the endpoints via the routes. We are also not able to start the Policy Manager following the steps as described in the above documentation script.

Looking for how to deploy and access Gateway resources in an OpenShift environment.
Background:
OpenShift is a family of containerization software developed by Red Hat. Its flagship product is the OpenShift Container Platform—an on-premises platform as a service built around Docker containers orchestrated and managed by Kubernetes on a foundation of Red Hat Enterprise Linux

The Broadcom sample creates two pods, MySQL and Gateway. The access issue through OpenShift arises because the Gateway listens on multiple ports for one hostname. This is based on the sample from the documentation:

https://docops.ca.com/ca-api-gateway/9-4/en/other-gateway-form-factors/using-the-container-gateway/getting-started-with-the-container-gateway/run-the-container-gateway-on-openshift/sample-openshift-deployment-files

 
Environment:
Gateway 9.4
OpenShift Master:v3.11.0+8de5c34-71
Kubernetes Master:v1.11.0+d4cacc0
OpenShift Web Console:V3.11.0+ea422
Instructions:
Steps based on YouTube video: https://www.youtube.com/watch?v=aqXSbDZggK4
  1. Set up a CentOS 7 image with your preferred virtualization tool:
  • VMware
  • Oracle VM VirtualBox
  • vSphere
  2. This test setup used Oracle VM VirtualBox with CentOS-7-x86_64-Minimal-1810.iso.
Operating system configuration:
  • 4 CPU
  • 16 GB memory
  • Hard disk: fixed size, 120 GB
  • Network: Bridge
  • Enable Network
  • Root password (7layer)
  • New user with admin privilege (Example: mcqst02:7layer)
  3. Access the system as root and retrieve the IP address for SSH access:
#ip addr
  4. Over SSH, perform the following steps to prepare and set up OpenShift.
Set the hostname, update the OS, then reboot:
#hostnamectl set-hostname mcqst02-centos7-6.ca.com
#yum update
#shutdown -r now
  5. Install CentOS packages:
#yum install git docker net-tools mlocate
  6. Clone the repository from GitHub (shared OpenShift environment, good for testing):
#git clone https://github.com/gshipley/installcentos.git
#export DOMAIN=support.local
#export USERNAME=mcqst02
#export PASSWORD=7layer
  7. Run the OpenShift install script:
#cd installcentos
#./install-openshift.sh
NOTE: This could take over 30 minutes to complete.
Expected output:
******
* Your console is https://console.support.local:8443
* Your username is mcqst02
* Your password is 7layer
*
* Login using:
*
$ oc login -u mcqst02 -p 7layer https://console.support.local:8443/
OpenShift should now be up and running
Validate on the Openshift server:
#oc login -u mcqst02 -p 7layer https://console.support.local:8443/
To validate using a browser, first update your local hosts file, for example:
138.42.59.223 console.support.local hawkular-metrics.apps.support.local

In the browser, enter: https://console.support.local:8443/
Enter the credentials defined during setup (mcqst02:7layer).
15 projects should be displayed.
https://console.ssosites.com:8443/console/about
Version
OpenShift Master:v3.11.0+8de5c34-71
Kubernetes Master:v1.11.0+d4cacc0
OpenShift Web Console:V3.11.0+ea422

Next step: deploy the Gateway containers to OpenShift
  1. Sample deployment files (assuming all files will be deployed/unzipped to /root/gateway): https://docops.ca.com/ca-api-gateway/9-4/en/other-gateway-form-factors/using-the-container-gateway/getting-started-with-the-container-gateway/run-the-container-gateway-on-openshift/sample-openshift-deployment-files
  2. Modify container-gateway.env (ssg94-6.support.local for this setup):
# DOCKER_REGISTRY=my.docker.registry.com #(comment out using default)
DOCKER_IMAGE_NAME=caapim/gateway
DOCKER_IMAGE_TAG=latest
DOCKER_REGISTRY_INSECURE=false

ACCEPT_LICENSE=false
SSG_JVM_HEAP=4096m

SSG_DATABASE_JDBC_URL=jdbc:mysql://mysql-server:3306/ssg
SSG_CLUSTER_HOST=ssg94-6.support.local
EXTRA_JAVA_ARGS="-XX:ParallelGCThreads=4 -Dcom.l7tech.bootstrap.env.license.enable=true"
  3. Modify deploy.sh:
UNIQUE_PROJECT_NAME="ssg"
DISPLAY_NAME="SSG Container"
ROUTE_IDENTIFIER="unique.prefix"
On the last line, modify the OpenShift hostname:
oc process -f container-gateway.yml --param-file=container-gateway.env --param=CONTAINER_GATEWAY_PUBLIC_HOST=ssg94-6.support.local | oc create -f -
  4. License files MUST be copied to the same location, /root/gateway (the gateway directory under root's home). This is how they are called from deploy.sh:
echo "LICENSE=\"$(gzip -c ~/gateway/LICENSE.xml | base64 --wrap=0)\"" > LICENSE.gz.base64
echo "SSLKEY=\"$(cat ~/gateway/SSLKEY.p12 | base64 --wrap=0)\"" > SSLKEY.base64
  5. For Oracle VM VirtualBox I needed to modify the CPU settings in container-gateway.yml (the container was not starting, with the error Insufficient CPU).
        Commented out the two cpu lines in container-gateway.yml:
               requests:
                 # cpu: 4000m
                 memory: 2Gi
               limits:
                 # cpu: 4000m
  6. The container-gateway-secrets.yml file contains user info for Policy Manager and the ssg database.
  7. Run deploy.sh:
[root@mcqst02-centos7-6 gateway]# ./deploy.sh
mcqst02
--Creating the project
Already on project "ssg" on server "https://console.support.local:8443".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app centos/ruby-25-centos7~https://github.com/sclorg/ruby-ex.git

to build a new example application in Ruby.
--Creating the MySQL database
secret/mysql-server created
service/mysql-server created
deploymentconfig.apps.openshift.io/mysql-server created
--Waiting for the database to be ready
waiting for database to be ready...
waiting for database to be ready...
waiting for database to be ready...
--Setting the license and SSL key
--Creating the secrets
secret/containergateway created
Command "new-dockercfg" is deprecated, use oc create secret
secret/hub.docker.com created
--Creating the deployment
imagestream.image.openshift.io/container-gateway-is created
service/container-gateway-svc created
route.route.openshift.io/container-gateway-pm-route created
route.route.openshift.io/container-gateway-http-route created
route.route.openshift.io/container-gateway-https-route created
horizontalpodautoscaler.autoscaling/container-gateway-hpa created
deploymentconfig.apps.openshift.io/container-gateway-dc created

 
Openshift commands to verify:
Projects:
[root@mcqst02-centos7-6 gateway]# oc get projects
NAME                                DISPLAY NAME    STATUS
default                                             Active
kube-public                                         Active
kube-service-catalog                                Active
kube-system                                         Active
management-infra                                    Active
openshift                                           Active
openshift-console                                   Active
openshift-infra                                     Active
openshift-logging                                   Active
openshift-metrics-server                            Active
openshift-monitoring                                Active
openshift-node                                      Active
openshift-sdn                                       Active
openshift-template-service-broker                   Active
openshift-web-console                               Active
ssg                                 SSG Container   Active
Pods: (one or more containers based on YML file)
[root@mcqst02-centos7-6 gateway]# oc get pods
NAME                           READY     STATUS    RESTARTS   AGE
container-gateway-dc-1-bvzr6   1/1       Running   0          4m
mysql-server-1-snk4v           1/1       Running   0          5m
Issues: An OpenShift host is NOT able to map the same hostname to different ports, for example SSL and non-SSL with the same hostname. The OpenShift console reports an error for ports 8080 and 8443.
Resolution: Use a different hostname for each port (YML file); this includes Policy Manager access, as shown in the example:
CONTAINER_GATEWAY_PUBLIC_HOST=ssg94-6.support.local
pm.${CONTAINER_GATEWAY_PUBLIC_HOST}
https.${CONTAINER_GATEWAY_PUBLIC_HOST}
http.${CONTAINER_GATEWAY_PUBLIC_HOST}
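
The resolution above written out as OpenShift Route objects, as an added example that is not the Broadcom sample file: by default the router listens only on ports 80 and 443 and selects a backend by hostname, so each Gateway port needs its own host. Route names here are hypothetical and passthrough TLS termination is an assumption; the service name, host prefixes and target ports are the ones shown on this page.

```yaml
# Added example, not the Broadcom container-gateway.yml.
# Route names are hypothetical; passthrough termination is an assumption.
apiVersion: template.openshift.io/v1
kind: Template
metadata:
  name: gateway-routes-example
parameters:
  - name: CONTAINER_GATEWAY_PUBLIC_HOST
    required: true
objects:
  # Plain HTTP: router port 80 -> Gateway port 8080
  - apiVersion: route.openshift.io/v1
    kind: Route
    metadata:
      name: example-gateway-http
    spec:
      host: http.${CONTAINER_GATEWAY_PUBLIC_HOST}
      to:
        kind: Service
        name: container-gateway-svc
      port:
        targetPort: 8080
  # HTTPS traffic: router port 443 -> Gateway port 8443
  - apiVersion: route.openshift.io/v1
    kind: Route
    metadata:
      name: example-gateway-https
    spec:
      host: https.${CONTAINER_GATEWAY_PUBLIC_HOST}
      to:
        kind: Service
        name: container-gateway-svc
      port:
        targetPort: 8443
      tls:
        termination: passthrough   # Gateway presents its own certificate
  # Policy Manager: router port 443 -> Gateway port 9443
  - apiVersion: route.openshift.io/v1
    kind: Route
    metadata:
      name: example-gateway-pm
    spec:
      host: pm.${CONTAINER_GATEWAY_PUBLIC_HOST}
      to:
        kind: Service
        name: container-gateway-svc
      port:
        targetPort: 9443
      tls:
        termination: passthrough
```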

 
Local host file to access each endpoint
138.42.59.223        console.support.local hawkular-metrics.apps.support.local
138.42.59.223        pm.ssg94-6.support.local 
138.42.59.223        http.ssg94-6.support.local
138.42.59.223        https.ssg94-6.support.local

 
[Screenshot: OpenShift console with the Gateway container configured and operating]
 
Openshift routes:
External access: http://http.ssg94-6.support.local
Route container-gateway-https-route, target port 8080
External access: https://pm.ssg94-6.support.local
Route container-gateway-pm-route, target port 9443 (Policy Admin)
External access: https://https.ssg94-6.support.local
Route container-gateway-http-route, target port 8443
Policy Manager Access:
The OpenShift route provides access to Policy Manager.
The Gateway needs to include a host that routes to port 9443 on the Gateway through port 443 of OpenShift.
From the YML file: https://pm.ssg94-6.support.local

You are presented with a certificate message; click OKAY.
Configure & Test Endpoint: an endpoint for /basic1 was created in Policy Manager.
Non-SSL access URL: http://http.ssg94-6.support.local/basic1
Routes to gateway Port 8080 

SSL access URL:  https://https.ssg94-6.support.local/basic1
Routes to gateway Port 8443

Review the logs for the Gateway pod; first get the pod name:
[root@mcqst02-centos7-6 gateway]# oc get pods
NAME                           READY     STATUS    RESTARTS   AGE
container-gateway-dc-1-bvzr6   1/1       Running   0          14m
mysql-server-1-snk4v           1/1       Running   0          15m

[root@mcqst02-centos7-6 gateway]# oc logs container-gateway-dc-1-bvzr6

Using MySQL database
SSG_DATABASE_WAIT_TIMEOUT set to 300 seconds.
SSG_JVM_HEAP will be 2048m
SSG_CLUSTER_HOST will be ssg94-6.support.local
Waiting for one of the databases to come up...
Liquibase 'status' Successful
Liquibase Update Successful
Starting gateway in foreground
2018-12-20T17:31:19.978+0000 CONFIG  1      com.l7tech.logging: Logging initialized from '/opt/SecureSpan/Gateway/node/default/etc/conf/ssglog.properties', with defaults from 'jar:file:/opt/SecureSpan/Gateway/runtime/Gateway.jar!/com/l7tech/server/resources/logging.properties'
2018-12-20T17:31:20.492+0000 INFO    1      com.l7tech.server.boot.GatewayBoot: Starting CA API Gateway 9.4.00 build 8872, built 20181012143850 by teamcity at apim-teamcityagent19
2018-12-20T17:31:20.528+0000 INFO    1      com.l7tech.server.boot.GatewayBoot: Database type: mysql
2018-12-20T17:31:20.531+0000 INFO    1      com.l7tech.server.boot.GatewayBoot: Starting gateway in TRADITIONAL mode
.
.
.