/
Cloud Agent Prerequisites

IBM DataPower Operations Dashboard v1.0.21.x

A newer version of this product documentation is available.

You are viewing an older version. View latest at IBM DPOD Documentation.

Cloud Agent Prerequisites

Owned by Shachar Greenberg
Last updated: Jul 14, 2024
5 min read

Make sure your environment meets the following requirements prior to installing the DataPower Operations Dashboard Cloud Agent Operator and deploying the Custom Resources.

In this page:

Software Requirements

  • Kubernetes 1.25,1.27 / OpenShift Container Platform (OCP) 4.12, 4.14.

  • Operator Lifecycle Manager (OLM) installed.

  • IBM DataPower Gateway operator v1.8.x-v1.11.x.

  • The DPOD instance and the DPOD Cloud Agent operand must have the same version modification level (e.g.: 1.0.21.x).
    For example, it is possible to connect a DPOD Cloud Agent operand of version 1.0.21.2 with a DPOD instance of version 1.0.21.1.
    However, it is highly recommended that both components have exactly the same version (e.g.: 1.0.21.2).

Resource Requirements

Component

CPU

Memory

Component

CPU

Memory

Operator

500m (limit: 2)

512Mi (limit: 2Gi)

Cloud Agent Messaging - messaging-broker container

500m (limit: 2)

4Gi

Cloud Agent Manager - manager container

500m

1526Mi

Cloud Agent Manager - api-proxy container

200m

512Mi

Cloud Agent Syslog Ingester - syslog-ingester container

500m (limit: 2)

2Gi

Cloud Agent HTTP Ingester - http-ingester container

500m (limit: 2)

2Gi

Total

2.7 (limit: 8.7)

10.5Gi (limit: 12Gi)

Storage Requirements

A block storage class that provides ReadWriteOnce (RWO) access mode and 10 IOPS (Input-Output Operations per second) that is at least 50 GB, for storing the collected data in the DPOD Cloud Agent Messaging.

Network Requirements

The Cloud Agent communicates with the DataPower Operations Dashboard instance which is installed outside the Kubernetes cluster. Therefore, proper inbound (ingress) communication must be configured for the different services of the Cloud Agent.

The firewall requirements for the Cloud Agent, based on the DPOD deployment type, are detailed at Firewall Requirements.

Cloud Agent Manager

The manager exposes APIs to interact with the Cloud Agent and the DataPower Gateways.

Network topology:

  • The manager is using the HTTPS protocol.

  • The manager may have a single pod or several pods/replicas.

  • The replicas are identical, and incoming traffic may arrive to any of them, using any algorithm, such as Round Robin.

The following properties (in the Cloud Agent CR) control the way DPOD communicates with the manager pods:

  • externalHost - The external host for accessing the manager pods from outside the cluster.
    It is the user’s responsibility to configure this host as a DNS entry that is available to DPOD.
    You can inspect the generated host in .status.endpoints of the Cloud Agent CR (see also Endpoints).

  • externalPort - The external port for accessing the manager pods from outside the cluster (default for OpenShift is 443, otherwise 30120).

  • incomingTrafficMethod - The method of exposing the manager pods to incoming traffic from outside the cluster. Available options are:

    • Route (default for OpenShift) - the operator will create a Service and a Route resources.

    • NodePort (default for Kubernetes) - the operator will create a NodePort Service resource.

    • Custom - see “Custom Network Configuration” below.

  • incomingTrafficPort - The port for exposing the manager pods to incoming traffic from outside the cluster (when incomingTrafficMethod is NodePort, default is the value of externalPort).

For more information, see Manager API documentation.

Cloud Agent Messaging

The messaging serves the collected transactional data.

Network topology:

  • The messaging is using the Kafka protocol.

  • The messaging may have a single pod or several pods/replicas. The replicas count must be an odd number, since Kafka must create a quorum.

  • Each messaging pod manages its own storage, so incoming traffic must be able to directly connect to each of the messaging pods independently.

  • Initial connection/discovery utilizes a bootstrap endpoint that may redirect incoming traffic to any of the messaging pods.

The following properties (in the Cloud Agent CR) control the way DPOD communicates with the messaging pods:

  • externalHost - The external host for accessing the messaging pods from outside the cluster. This value will be published by the messaging brokers (Kafka).
    The bootstrap endpoint will use this host, and each messaging broker will use a consecutive host name with its number at the end of the first part of the FQDN.
    For example, if the externalHost is set to dpod-cloud-agent-messaging.mycluster.com, then the bootstrap endpoint will use the host dpod-cloud-agent-messaging.mycluster.com, the first messaging broker will use the host dpod-cloud-agent-messaging-0.mycluster.com, the second messaging broker will use the host dpod-cloud-agent-messaging-1.mycluster.com, and so on.
    It is the user’s responsibility to configure these hosts as DNS entries that are available to DPOD.
    You can inspect the list of the generated hosts in .status.endpionts of the Cloud Agent CR (see also Endpoints).

  • externalPortStart - The starting external port for accessing the messaging pods from outside the cluster.
    The bootstrap endpoint will use this port, and each messaging broker will use a consecutive port (default is 30100).
    For example, if the externalPortStart is set to 30100, then the bootstrap endpoint will use port 30100, the first messaging broker will use port 30101, the second messaging broker will use port 30102, and so on.

  • incomingTrafficMethod - The method of exposing the messaging pods to incoming traffic from outside the cluster. Available options are:

    • NodePort (default) - the operator will create NodePort Service resources (one for the bootstrap named <CR name>-msg-bse-svc and one for each messaging broker named <CR name>-msg-dir-svc-<broker number>).

    • Custom - see “Custom Network Configuration” below.

  • incomingTrafficPortStart - The starting port for exposing the messaging to incoming traffic from outside the cluster (when incomingTrafficMethod is NodePort). The bootstrap endpoint will use this port, and each messaging broker will use a consecutive port (default is the value of externalPortStart).

For more information, see Messaging API documentation.

Custom Network Configuration

The Cloud Agent operator includes several standard types of network configuration, such as NodePort and Route (for OpenShift).

However, it is also possible to use a custom network configuration. If you choose to use a custom network configuration, the Cloud Agent operator will not create any resources for exposing the services externally to the cluster, and it is the user’s responsibility to create, update and delete these resources (e.g.: Ingress controller, LoadBalancer services, etc.).

Cluster-scope Permissions

The DataPower Operations Dashboard Cloud Agent Operator requires the following cluster-scope permissions. These are brought in by ClusterRoles and bound to the operator's and the manager’s ServiceAccounts via ClusterRoleBindings.

API Groups

Resources

Verbs

Description

API Groups

Resources

Verbs

Description

console.openshift.io

consoleyamlsamples

create, get, update, delete

Permissions needed to customize OCP web console YAML samples

storage.k8s.io

storageclasses

get, list

Permissions needed to list storage

apiextensions.k8s.io

customresourcedefinitions

get, list

Permissions needed to list CustomResourceDefinitions

integration.ibm.com

dpodcloudagents, dpodcloudagents/status

create, delete, get, list, patch, update, watch

Permissions needed for management of owned CustomResourceDefinitions

rbac.authorization.k8s.io

clusterroles, roles, rolebindings

create, delete, get, list, patch, update, watch

Permissions needed for management of roles

'' (none)

pods, services

get, list, watch

Permissions needed to list pods and services

datapower.ibm.com

datapowerservices, datapowerservicebindings

get, list, watch

Permissions needed to list DataPower service

'' (none)

namespaces

get, list, watch

Permissions needed to list namespaces

'' (none)

pods, services, persistentvolumeclaims, configmaps, secrets, serviceaccounts

create, delete, get, list, patch, update, watch

Permissions needed for management of cloud agent components

apps

deployments, statefulsets

create, delete, get, list, patch, update, watch

Permissions needed for management of cloud agent workloads

route.openshift.io

routes, routes/custom-host

create, delete, get, list, patch, update, watch

Permissions needed for management of routes

events.k8s.io

events

create

Permissions needed for creating of events

coordination.k8s.io

leases

create, delete, get, list, patch, update, watch

Permissions needed for management of leases

'' (none)

services, pods

get, list, watch

Permissions needed to list services and pods

Copyright © 2015 MonTier Software (2015) Ltd.