Deploy API Connectivity Manager on Kubernetes

The guide provides step-by-step instructions to deploy NGINX API Connectivity Manager on Kubernetes using a Helm chart.

Requirements

Review the following requirements for API Connectivity Manager before continuing.

Install Instance Manager

Important:
To install API Connectivity Manager, you must first install Instance Manager. This is because API Connectivity Manager relies on features that are included with Instance Manager.

Dependencies with Instance Manager

Refer to the following table to see the module compatibility for each NGINX Management Suite chart.

NGINX Management Suite chart Instance Manager API Connectivity Manager
1.13.0 2.16.0 1.9.2
1.12.1 2.15.1 1.9.2
1.12.1 2.15.1 1.9.1
1.12.0 2.15.0 1.9.1
1.11.0 2.14.0 1.9.0
1.10.1 2.13.1 1.9.0
1.10.0 2.13.1 1.8.0
1.9.0 2.13.0 1.8.0
1.8.2 2.12.0 1.8.0
1.8.1 2.12.0 1.8.0
1.8.0 2.12.0 1.7.0
1.7.2 2.11.0 1.7.0
1.7.1 2.11.0 1.7.0
1.7.0 2.11.0 1.6.0
1.6.0 2.10.1 1.6.0
1.5.2 2.10.0 1.6.0
1.5.1 2.10.0 1.6.0
1.5.0 2.10.0 1.5.0
1.4.0 2.9.1 1.5.0
1.3.1 2.9.0 1.5.0
1.3.0 2.9.0 1.4.1
1.2.1 2.8.0 1.4.1
1.2.0 2.8.0 1.4.0
1.1.2 2.7.0 1.4.1
1.1.1 2.7.0 1.4.0
1.1.0 2.7.0 1.3.1
1.0.0 2.6.0 1.3.1

Download Docker Image

Follow these steps to download the Docker image for API Connectivity Manager:

  1. Go to the MyF5 website, then select Resources > Downloads.

  2. In the Select Product Family list, select NGINX.

  3. In the Product Line list, select NGINX API Connectivity Manager.

  4. Select the following download options:

    • Product version – Select the version of API Connectivity Manager you want to install. Make sure this version is compatible with the version of Instance Manager you installed as a prerequisite. Refer to the Dependencies with Instance Manager section above.
    • Linux distribution – Select the Linux distribution you’re deploying to. For example, ubuntu.
    • Distribution Version – Select the Linux distribution’s version. For example, 20.04.
    • Architecture – Select the architecture. For example, amd64.

  5. In the Download Files section, download the nms-acm-<version>-img.tar.gz file.

Load Docker Image

Note:
To complete the commands in this section, you need to have Docker 20.10 or later installed.

  1. Change to the directory where you downloaded the Docker image:

    cd <directory name>

  2. Load the Docker image from the nms-acm-<version>-img.tar.gz archive:

    docker load -i nms-acm-<version>-img.tar.gz

    The output looks similar to the following:

    $ docker load -i nms-acm-<version>-img.tar.gz
1b5933fe4b5: Loading layer [==================================================>]  5.796MB/5.796MB
fbe0fc9bcf95: Loading layer [==================================================>]  17.86MB/17.86MB
...
112ae1f604e0: Loading layer [==================================================>]   67.8MB/67.8MB
4b6a693b90f4: Loading layer [==================================================>]  3.072kB/3.072kB
Loaded image: nms-acm:1.5.0
    Important:

    Take note of the loaded image’s name and tag. You’ll need to reference this information in the next section when pushing the image to your private registry.

    In the example output above, nms-acm is the image name and 1.5.0 is the tag. The image name or tag could be different depending on the product version you downloaded from MyF5.

Push Image to Private Registry

Note:
To complete the steps in this section, you need an externally-accessible private Docker registry to push the container images to.

To push the Docker images to your private registry, take the following steps:

  • Replace <my-docker-registry:port> with your private Docker registry and port (if needed).

  • Replace <version> with the tag you noted when loading the Docker image above.

  1. Log in to your private registry:

    docker login <my-docker-registry:port>

  2. Tag the image with the image name and version you noted when loading the Docker image.

    docker tag nms-acm:<version> <my-docker-registry:port>/nms-acm:<version>

    For example:

    docker tag nms-acm:1.5 myregistryhost:5000/nms-acm:1.5

  3. Push the image to your private registry:

    docker push <my-docker-registry:port>/nms-acm:<version>

    For example:

    docker push nms-acm:1.5 myregistryhost:5000/nms-acm:1.5

Enable API Connectivity Manager

To enable the API Connectivity Manager Module, take the following steps:

  1. Open the values.yaml file for editing.

  2. Add the following snippet to the values.yaml file:

    • Replace <my-docker-registry:port> with your private Docker registry and port (if needed).
    • Replace <version> with the tag you noted when loading the Docker image above.
    • In the imagePullSecrets section, add the credentials for your private Docker registry.
    # values.yaml
global:
    nmsModules:
        nms-acm:
            enabled: true
nms-acm:
    imagePullSecrets:
    - name: regcred
    acm:
        image:
            repository: <my-docker-registry:port>/nms-acm
            tag: <version>

  3. Close and save the values.yaml file.

Upgrade NGINX Management Suite Deployment

Note:
To complete the steps in this section, you need to have OpenSSL 1.1.1 or later installed.

Run the following command to upgrade the NGINX Management Suite deployment:

  • Replace <path-to-your-values.yaml> with the path to the values.yaml file you created.

  • Replace YourPassword123# with a secure password that contains a combination of uppercase and lowercase letters, numbers, and special characters.

    Important:
    Make sure to copy and save the password for future reference. Only the encrypted password is stored in Kubernetes. There’s no way to recover or reset a lost password.

  • (Optional) Replace <nms-chart-version> with the desired version; see the table below for the available versions. Alternatively, you can omit this flag to install the latest version.

helm upgrade -n nms --set nms-hybrid.adminPasswordHash=$(openssl passwd -6 'YourPassword123#') nms nginx-stable/nms -f <path-to-your-values.yaml> [--version <nms-chart-version>] --wait

This command upgrades an existing Helm chart deployment named nms with a new version of the chart located in the nginx-stable/nms repository. It also sets the value of the nms-hybrid.adminPasswordHash to the hashed version of the provided password and uses a values.yaml file located at the provided path.

Upgrade Existing API Connectivity Manager Deployment

If you’ve already deployed API Connectivity Manager and would like to upgrade to a newer version, take the following steps:

  1. Repeat the steps above to:

  2. Run the helm upgrade command above to upgrade the NGINX Management Suite deployment.

Access Web Interface

You can access the NGINX Management Suite web interface using the external IP address for the API Gateway.

  1. To look up the external IP address for the API Gateway, run the following command:

    kubectl -n nms get svc apigw

    This kubectl command retrieves the service named apigw from the namespace nms. It outputs the details of the service, such as its type, port, cluster and external IP addresses.

    The default service type is ClusterIP and the output looks similar to the following example:

    NAME    TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
apigw   ClusterIP   10.108.57.167   <none>        443/TCP   32s

    Using the CLUSTER-IP value, go to https://<CLUSTER-IP>:443/ui.

    For example, https://10.108.57.167/ui.

    This IP address might not be reachable, depending on how the Kubernetes cluster networking was configured. If so, the apigw service type can be changed to a more suitable option, such as LoadBalancer, by changing the Configurable Helm Setting value for nms-hybrid.apigw.service.type .

Add License

A valid license is required to make full use of all the features in API Connectivity Manager.

Refer to the Add a License topic for instructions on how to download and apply a trial license, subscription license, or Flexible Consumption Program license.

Configurable Helm Settings

The following table lists the configurable parameters and default values used by the API Connectivity Manager chart when installing from a Helm chart.

To modify a configuration for an existing release, run the helm upgrade command and use -f <my-values-file>, where my-values-file is a path to a values file with your desired configuration.

Parameter Description Default
nms-acm.acm.logLevel Set the log level for the backend API service. The log level can be fatal, error, warning, info, or debug info
nms-acm.acm.image.repository Repository name and path for the acm image. acm
nms-acm.acm.image.tag Tag used for pulling images from registry. latest
nms-acm.acm.image.pullPolicy Image pull policy. IfNotPresent
nms-acm.acm.container.port.http TCP port for the pod to listen on. 8037
nms-acm.acm.container.port.db Port to use for Dqlite. 9300
nms-acm.acm.metrics.enabled Enable metrics. false
nms-acm.acm.service.httpPort TCP port for the service to listen on. 8037
nms-acm.acm.resources.requests.cpu CPU resource limits to allow for the acm pods. 500m
nms-acm.acm.resources.requests.memory Memory resource limits to allow for the api pods. 512Mi
nms-acm.acm.persistence.enabled Optionally disable persistent storage, used for database data. true
nms-acm.acm.persistence.claims An array of persistent volume claims, can be modified to use an existing PVC. See the Dqlite configuration section below.
nms-acm.acm.devportal.credentials.enabled Enables the Create Credentials Endpoint on the Developer Portal false
nms-acm.acm.devportal.credentials.ssl This should be set to true if mTLS has been configured between API Connectivity Manager and the Developer Portal, for more information see Create Credentials Endpoint on the Developer Portal false
nms-acm.acm.devportal.client.caSecret.name This should be set if an unknown Certificate Authority is needed for communication with the Developer Portal in order to provide a CA certificate. This should be set to the name of the secret in the release namespace that contains the CA certificate. Blank
nms-acm.acm.devportal.client.caSecret.key This should be set if an unknown Certificate Authority is needed for communication with the Developer Portal in order to provide a CA certificate. This should be set to the key of the secret in the release namespace that contains the CA certificate. Blank
API Connectivity Manager Dqlite Storage Configuration 
  - name: dqlite
    existingClaim:
    size: 500Mi
    accessMode: ReadWriteOnce

Troubleshooting

For help with common issues and suggested solutions and workarounds, refer to the NGINX Management Suite Troubleshooting Guide.

For guidance on how to create a support package containing system and service details to share with NGINX Customer Support, refer to the guide Create a Support Package from a Helm Installation.