CAAPIM / apim-charts

Helm Charts for Layer7 API Management components.
MIT License

Error to Deploy Gateway on GCP #83

Closed ThiBorges closed 3 years ago

ThiBorges commented 3 years ago

Hello!

I'm receiving the error below when I try to deploy the Gateway Chart

logs apim-gateway-796f98fbd-q4x2r -f
Using MySQL database
SSG_DATABASE_WAIT_TIMEOUT set to 300 seconds.
SSG_JVM_HEAP will be 2g
SSG_CLUSTER_HOST will be my.localdomain
SSG_GC_ARGS will be -XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=10 -XX:GCLogFileSize=20M -Xloggc:/opt/SecureSpan/Gateway/node/default/var/logs/ssg_gc.log -XX:+PrintTenuringDistribution
Waiting for one of the databases to come up...
Liquibase 'status' Successful
Unexpected error running Liquibase: Error executing SQL CREATE TABLE ssg.resource_entry (goid BINARY(16) NOT NULL, version INT(10) NOT NULL, description VARCHAR(2048) NULL, uri VARCHAR(4096) NOT NULL, uri_hash VARCHAR(128) NOT NULL, type VARCHAR(32) NOT NULL, content_type VARCHAR(1024) NOT NULL, content MEDIUMTEXT NOT NULL, resource_key1 VARCHAR(4096) NULL, resource_key2 VARCHAR(4096) NULL, resource_key3 VARCHAR(4096) NULL, security_zone_goid BINARY(16) NULL): Row size too large. The maximum row size for the used table type, not counting BLOBs, is 65535. This includes storage overhead, check the manual. You have to change some columns to TEXT or BLOBs

ERROR - Failed to create or update the Gateway's database

I have MySQL 8 on GCP with the flags below

image

It is a blank DB

Regards

amoghsa commented 3 years ago

Can you please share your values.yaml file for the chart?

amoghsa commented 3 years ago

Also, are you bringing up a container for MySQL 8 or using a database instance from GCP?

ThiBorges commented 3 years ago

@amoghsa,

I'm using a database instance from GCP

Here is my values.yaml content

nameOverride: "" fullnameOverride: ""

Use set file to place a Gateway license here

license: value: accept: false

image: registry: docker.io repository: caapim/gateway tag: 10.0.00 pullPolicy: Always

Will create a Registry secret and apply it to the Gateway

secretName: credentials: username: password: email:

Number of Edge Gateways to deploy

replicas: 1

Update strategy

updateStrategy: type: RollingUpdate rollingUpdate: maxSurge: 1 maxUnavailable: 0

Cluster Hostname

clusterHostname: my.localdomain

Cluster Password

clusterPassword: 7layer

This enables/disables Policy Manager Access and sets the SSG_ADMIN username and password

Credentials will be moved to a secret object in the next push..

management: enabled: true

Enable Restman, if DBbacked this setting will persist until manually deleted via Policy Manager.

restman: enabled: false username: admin password: 7layer

Database configuration

database:

DB Backed or ephemeral

enabled: true

A MySQL Database is configured with this Chart, set to false and set jdbcURL to use your own DB server

create: false jdbcURL: jdbc:mysql://x.x.x.x:3306/ssg?allowPublicKeyRetrieval=true

Configurable, update the mysql. if you change this

username: gateway password: 7layer name: des-ssg-pix

Beta - enable/disable the background metrics processing task

Enabling this creates a policy on the Gateway and routes service metrics to influxDbUrl

Disabling on upgrade will have no effect on the deployed policy

To be replaced with a user defined bundle relevant to the endpoint they wish to relay service metrics to.

InfluxDbUrl and tags are Cluster-Wide-Properties.

serviceMetrics: enabled: false

By default influxdb is not deployed with this Chart.

Set influxdb.enabled in the subchart section to true to deploy it.

external: false influxDbUrl: http://influxdb:8086 influxDbDatabase: serviceMetricsDb tags: env=dev

config: heapSize: "2g" javaArgs:

tls: customKey: enabled: false

when enabled, the pass cannot be empty. key value needs to be base64 encoded .p12

This key will become the default ssl key. Can only have one.

ex. DEMO_KEY=cat demo-key.p12 | base64 --wrap=0

use with helm command: --set "tls.customDefaultSslKey.key=$DEMO_KEY"

customDefaultSslKey: enabled: false key: pass:

Install Gateway solution kit(s) using restman.

Prerequisites:

1) restman is enabled

2) .sskar file(s) exist on Gateway container image under /tmp (e.g. /tmp/OAuthSolutionKit-4.4.1-4425.sskar)

Description of solution kit(s):

1) OAuth Solution Kit: https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-4/installation-workflow/install-the-oauth-solution-kit.html

installSolutionKits: enabled: false restmanPort: 8443 restmanReadyWait: 150s solutionKits:

Additional Environment variables to be added to the Gateway Configmap

additionalEnv: key1: value

key1: value

key2: value

Additional Secret variables to be added to the Gateway Secret

additionalSecret: key1: value

key1: value

key2: value

This mounts a bundle folder to the Gateway.

bundle: enabled: false path: "bundles/*.bundle"

service:

Service Type, ClusterIP, NodePort, LoadBalancer

type: ClusterIP

Load Balancer sources

https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service

loadBalancerSourceRanges:

- 10.10.10.0/24

Set the ExternalIPs

externalIPs:

Set the LoadBalancerIP

loadBalancerIP:

Update this port list if additional ports need to be exposed

ports:

This project does not currently support Google's GCE controller.

The default way to expose the Gateway is via L4 Load Balancer because it goes far beyond the HTTP(S) limitation ingress currently imposes

Certificates are not created here, please specify an existing cert secret to use if enabling TLS

ingress:

Set to true to create ingress object

enabled: false class: nginx

Ingress annotations

annotations:

Ingress class

nginx.ingress.kubernetes.io/ssl-passthrough: "true"

When the ingress is enabled, a host pointing to this will be created

By default clusterHostname is used, only set this if you want to use a different host

hostname:

The port that you want to route to via ingress. This needs to be available via service.ports.

port: https

Define additional hostnames and ports as key-value pairs.

additionalHostnamesAndPorts:

managementhost.domain: management

Enable TLS configuration for the hostname defined at ingress.hostname/clusterHostname parameter

tls: false secretName:

livenessProbe: enabled: true type: command command: /opt/docker/rc.d/diagnostic/health_check.sh

type: httpGet

path: /ssg/ping

port: 8443

scheme: HTTPS

initialDelaySeconds: 40 timeoutSeconds: 1 periodSeconds: 15 successThreshold: 1 failureThreshold: 15

readinessProbe: enabled: true type: command command: /opt/docker/rc.d/diagnostic/health_check.sh

type: httpGet

path: /ssg/ping

port: 8443

scheme: HTTPS

initialDelaySeconds: 40 timeoutSeconds: 1 periodSeconds: 15 successThreshold: 1 failureThreshold: 15

resources:

There are no resource limits set by default, this is a conscious choice for the user and

increases the chance of these running on environments with fewer resources available

Remove the curly braces and uncomment cpu/memory to set.

limits: {}

cpu: 1000m

memory: 2Gi

requests: {}

cpu: 1000m

memory: 2Gi

serviceAccount:

name:

create: true

Subchart Configuration

MySQL stable chart - this is not scalable nor will be in this format.

mysql: imageTag: "8" mysqlUser: gateway mysqlPassword: mypassword mysqlDatabase: ssg

mysqlRootPassword: mypassword

persistence: enabled: true size: 8Gi

storageClass:

configurationFiles: my.cnf: |- [mysqld] character-set-server = utf8 innodb_log_buffer_size = 32M innodb_log_file_size = 80M max_allowed_packet = 8M default-authentication-plugin=mysql_native_password log-bin-trust-function-creators=1

Settings for Hazelcast - https://github.com/hazelcast/charts/blob/master/stable/hazelcast/values.yaml

The Gateway currently supports Hazelcast 3.x servers

hazelcast:

If you wish to connect to an existing Hazelcast instance set enabled to false

external to true, and uncomment and set url.

enabled: false external: false

url: hazelcast.example.com:5701

image: tag: "3.12.8" cluster: memberCount: 2 mancenter: enabled: false hazelcast: yaml: hazelcast: network: join: multicast: enabled: false kubernetes: enabled: true service-name: ${serviceName} namespace: ${namespace} resolve-not-ready-addresses: true

Settings for InfluxDB - https://github.com/influxdata/helm-charts/tree/master/charts/influxdb

This is not a production implementation!

influxdb: enabled: false service: port: 8086 persistence: enabled: true

storageClass:

size: 8Gi

env:

Settings for Grafana - https://github.com/bitnami/charts/tree/master/bitnami/grafana

grafana: enabled: false

Change this to update the UI Password

admin: user: admin password: password dashboardsProvider: enabled: true customDashboard: value: dashboardsConfigMaps:

amoghsa commented 3 years ago

@ThiBorges - You are not accepting the license agreement, which is causing the failure. You need to change accept to true in the license section as shown below:

license:
  value:
  accept: true

amoghsa commented 3 years ago

Or you can run this command:

helm install my-ssg --set-file "license.value=path/to/license.xml" --set "license.accept=true" layer7/gateway

ThiBorges commented 3 years ago

I used the command accepting the license as shown in the documentation

helm upgrade --install -f values.yaml apim -n des-apim-pix --set-file "license.value=license.xml" --set "license.accept=true" layer7/gateway

I think it is something else related to GCP MySQL causing this error


amoghsa commented 3 years ago

@ThiBorges - Can you please create a rally ticket for this one? It would be safer to share details there, and someone from support can assist you. Please include steps and details for reproducing this issue, with any logs and screenshots that are available.

ThiBorges commented 3 years ago

@amoghsa I already have a case - 32786881

I've provided all details to support but I need some help to move a little bit faster

Thanks for the reply :-)

Regards

Gazza7205 commented 3 years ago

@ThiBorges - I was able to recreate the issue by creating the ssg database with a utf8mb4 Character Set.

Could you confirm that the ssg database has the following configuration?

Screenshot 2021-07-23 at 00 28 36
ThiBorges commented 3 years ago

@Gazza7205,

Yes, my DB has this configuration

image

Gazza7205 commented 3 years ago

Thanks @ThiBorges - I've just taken a closer look at your values.yaml.

database:
  enabled: true
  create: false
  jdbcURL: jdbc:mysql://x.x.x.x:3306/ssg?allowPublicKeyRetrieval=true
  username: gateway
  password: 7layer
  name: des-ssg-pix

The database in database.jdbcURL should match database.name and what you have on Cloud SQL.

database:
  enabled: true
  create: false
  jdbcURL: jdbc:mysql://x.x.x.x:3306/des_ssg_pix?allowPublicKeyRetrieval=true
  username: gateway
  password: 7layer
  name: des_ssg_pix

ThiBorges commented 3 years ago

@Gazza7205 you are right

My fault

After changing the link, my deployment works like a charm

Thanks a lot for the help and sorry for my mistake

I will send this information to the case I opened and ask to close it


Regards
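
The mismatch resolved in this thread, written as a check that can run before `helm upgrade` (an added example, not part of the chart or of any comment above). The function names and the set of existing schemas are assumptions for illustration; the two `database` blocks are the ones quoted in the thread, and the check also accepts multi-host JDBC URLs.

```python
from urllib.parse import urlsplit


def jdbc_database(jdbc_url):
    """Return the schema a jdbc:mysql URL points at (the URL path)."""
    if not jdbc_url.startswith("jdbc:mysql://"):
        raise ValueError("not a jdbc:mysql URL: " + jdbc_url)
    # Dropping the "jdbc:" prefix leaves an ordinary URL; a multi-host
    # netloc such as "db1:3306,db2:3306" does not affect the path.
    return urlsplit(jdbc_url[len("jdbc:"):]).path.lstrip("/")


def check_database_values(database, existing_schemas):
    """Return findings for the `database:` block of values.yaml."""
    findings = []
    if not database.get("enabled") or database.get("create"):
        return findings  # ephemeral Gateway, or the chart deploys its own MySQL
    url_db = jdbc_database(database["jdbcURL"])
    name = database["name"]
    if url_db != name:
        findings.append(
            "jdbcURL points at %r but database.name is %r" % (url_db, name))
    for label, schema in (("jdbcURL", url_db), ("database.name", name)):
        if schema not in existing_schemas:
            findings.append("%s schema %r does not exist" % (label, schema))
    return findings


# Values quoted in the thread: before and after the fix.
BEFORE = {"enabled": True, "create": False, "name": "des-ssg-pix",
          "jdbcURL": "jdbc:mysql://x.x.x.x:3306/ssg?allowPublicKeyRetrieval=true"}
AFTER = {"enabled": True, "create": False, "name": "des_ssg_pix",
         "jdbcURL": "jdbc:mysql://x.x.x.x:3306/des_ssg_pix?allowPublicKeyRetrieval=true"}
# Constructed for this example: schemas assumed to exist on the server.
SCHEMAS = {"ssg", "des_ssg_pix"}

if __name__ == "__main__":
    for label, block in (("before", BEFORE), ("after", AFTER)):
        print(label, check_database_values(block, SCHEMAS) or "ok")
```
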