This guide walks you through deploying the Integration Control Plane (ICP) on a fresh Kubernetes cluster.
- Kubernetes cluster (1.25+)
- kubectl configured to access your cluster
- Docker image wso2icp:2.0.0 available in your cluster
cert-manager is required for automatic TLS certificate management.
# Install cert-manager
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.0/cert-manager.yaml
# Wait for cert-manager to be ready
kubectl wait --for=condition=available --timeout=300s deployment/cert-manager -n cert-manager
kubectl wait --for=condition=available --timeout=300s deployment/cert-manager-webhook -n cert-manager
kubectl wait --for=condition=available --timeout=300s deployment/cert-manager-cainjector -n cert-manager
NGINX Gateway Fabric provides the Gateway API implementation.
# Install Gateway API CRDs
kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/standard-install.yaml
# Install NGINX Gateway Fabric
kubectl apply -f https://raw.githubusercontent.com/nginxinc/nginx-gateway-fabric/v2.3.0/deploy/crds.yaml
kubectl apply -f https://raw.githubusercontent.com/nginxinc/nginx-gateway-fabric/v2.3.0/deploy/default/deploy.yaml
# Wait for NGINX Gateway to be ready
kubectl wait --for=condition=available --timeout=300s deployment/nginx-gateway -n nginx-gateway
kubectl apply -f deployment.yaml
kubectl apply -f service.yaml
kubectl wait --for=condition=ready --timeout=300s pod -l app=icp
kubectl apply -f issuer.yaml
kubectl apply -f cert.yaml
kubectl wait --for=condition=ready --timeout=60s certificate/icp-cert
The backend uses self-signed certificates, so we need to extract and trust them.
# Extract the backend certificate
kubectl exec deployment/icp-deployment -- sh -c 'echo | openssl s_client -connect localhost:9446 2>/dev/null | openssl x509 -outform PEM' > /tmp/icp-backend-cert.pem
# Create ConfigMap with the backend CA certificate
kubectl create configmap icp-backend-ca --from-file=ca.crt=/tmp/icp-backend-cert.pem
# Clean up temporary file (optional)
rm /tmp/icp-backend-cert.pem
kubectl apply -f gateway.yaml
kubectl apply -f route.yaml
kubectl apply -f backend-tls-policy.yaml
Add icp.local to your /etc/hosts file, pointing to the Gateway's external IP, or to localhost if using port-forwarding.
# Get the Gateway external IP
GATEWAY_IP=$(kubectl get gateway icp-gateway -o jsonpath='{.status.addresses[0].value}')
echo "$GATEWAY_IP icp.local" | sudo tee -a /etc/hosts
# Port forward the nginx-gateway service
kubectl port-forward -n nginx-gateway service/nginx-gateway 443:443 &
# Add localhost mapping
echo "127.0.0.1 icp.local" | sudo tee -a /etc/hosts
# Check pods
kubectl get pods -l app=icp
# Check service
kubectl get svc icp-service
# Check gateway
kubectl get gateway icp-gateway
# Check HTTPRoute
kubectl get httproute icp-route
# Check BackendTLSPolicy
kubectl get backendtlspolicy icp-backend-tls
# Check certificate
kubectl get certificate icp-cert
# Test the web interface
curl -k https://icp.local
# You should see HTML content from the ICP web application
# Test with verbose output
curl -k -v https://icp.local 2>&1 | head -30
Open your browser and navigate to:
https://icp.local
Note: You may need to accept the self-signed certificate warning in your browser.
kubectl logs -l app=icp --tail=100
kubectl describe gateway icp-gateway
kubectl describe httproute icp-route
kubectl describe backendtlspolicy icp-backend-tls
kubectl logs -n nginx-gateway deployment/nginx-gateway --tail=100
# Test inside the pod
kubectl exec deployment/icp-deployment -- curl -k https://localhost:9446
502 Bad Gateway: This usually means the Gateway cannot connect to the backend. Ensure:
- The BackendTLSPolicy is properly configured
- The backend CA certificate ConfigMap exists
- The Service has appProtocol: https set
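A ConfigMap that exists can still be empty or stale, because the extraction pipeline writes an empty file when openssl s_client cannot connect, and the backend certificate may have changed since it was captured. The following is an added example, not part of the original guide or the ICP project; the helper names (cert_fingerprint, check_backend_cert, same_cert) and the /tmp file paths are assumptions.

```shell
#!/bin/sh
# Added example: helper names and /tmp paths below are assumptions.

# Print the SHA-256 fingerprint of the first certificate in a PEM file
# (prints nothing if the file cannot be parsed).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Return 0 only if the file holds a parseable, unexpired certificate.
check_backend_cert() {
    pem="$1"
    # An empty file is what the extraction pipeline leaves behind when
    # openssl s_client cannot connect; a ConfigMap can still be created from it.
    if [ ! -s "$pem" ]; then
        echo "FAIL: $pem is missing or empty" >&2
        return 1
    fi
    if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
        echo "FAIL: $pem is not a PEM certificate" >&2
        return 1
    fi
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: certificate in $pem has expired" >&2
        return 1
    fi
    openssl x509 -in "$pem" -noout -subject -enddate
    echo "sha256 fingerprint: $(cert_fingerprint "$pem")"
}

# Return 0 if both PEM files carry the same certificate.
same_cert() {
    a=$(cert_fingerprint "$1")
    b=$(cert_fingerprint "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage against the cluster (not run here):
#   kubectl get configmap icp-backend-ca -o jsonpath='{.data.ca\.crt}' > /tmp/icp-trusted.pem
#   kubectl exec deployment/icp-deployment -- sh -c 'echo | openssl s_client -connect localhost:9446 2>/dev/null | openssl x509 -outform PEM' > /tmp/icp-live.pem
#   check_backend_cert /tmp/icp-trusted.pem
#   same_cert /tmp/icp-trusted.pem /tmp/icp-live.pem || echo "ConfigMap is stale; recreate it"
```

Running check_backend_cert on /tmp/icp-backend-cert.pem before the kubectl create configmap step catches a failed extraction before it is trusted.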
Connection refused: Ensure:
- The pod is running: kubectl get pods -l app=icp
- The service endpoints exist: kubectl get endpoints icp-service
Certificate issues: Verify cert-manager is working:
kubectl get certificate -A
kubectl describe certificate icp-cert
To remove all resources:
# Delete application resources
kubectl delete -f backend-tls-policy.yaml
kubectl delete -f route.yaml
kubectl delete -f gateway.yaml
kubectl delete -f cert.yaml
kubectl delete -f issuer.yaml
kubectl delete -f service.yaml
kubectl delete -f deployment.yaml
# Delete ConfigMap
kubectl delete configmap icp-backend-ca
# Optionally remove NGINX Gateway Fabric
kubectl delete -f https://raw.githubusercontent.com/nginxinc/nginx-gateway-fabric/v2.3.0/deploy/default/deploy.yaml
kubectl delete -f https://raw.githubusercontent.com/nginxinc/nginx-gateway-fabric/v2.3.0/deploy/crds.yaml
# Optionally remove cert-manager
kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.0/cert-manager.yaml
Client (Browser)
|
| HTTPS (TLS Terminated)
v
Gateway (icp-gateway)
|
| HTTPS (Re-encrypted with BackendTLSPolicy)
v
Service (icp-service:9446)
|
v
Pod (icp-deployment)
- Port 9446: Web Console (HTTPS)
- Port 9446: GraphQL API (HTTPS)
- Port 9446: Observability API (HTTPS)
- deployment.yaml - ICP application deployment
- service.yaml - Service with appProtocol: https
- issuer.yaml - Self-signed certificate issuer
- cert.yaml - TLS certificate for client-facing Gateway
- gateway.yaml - Gateway API gateway with TLS termination
- route.yaml - HTTPRoute for path-based routing
- backend-tls-policy.yaml - Policy for backend HTTPS communication