API Management with 3Scale — Baby steps
In this blog post, I’ll share the experience and outcome of recent work to add support for API Management and API Gateway deployments and integration.
The document walks through the implementation of 3Scale 2.8 API Management (API M) and APICast Gateway v3.8 using OpenShift Templates.
Architecture & Components
The Red Hat 3Scale API Management solution is a single pane of glass to manage and sustain APIs. It is mainly composed of two logical planes: the management plane, “3Scale API-Management”, and the data plane, which can be a set of APICast Gateways deployed on-premises or running on any cloud platform or region.
3Scale API-M involves different components such as PostgreSQL/MySQL, Redis, Zync and others, deployed through a single OpenShift template. Redis and PostgreSQL/MySQL can also run externally as a managed service offering.
API-M natively provides access to three portals.
- Master Portal: For Multi tenancy administration,
- Admin Portal: For API products/services administration,
- Developer Portal: For API Developers consuming the APIs.
Out of the box, 3Scale comes with two embedded APICast gateways, deployed within the same namespace where API Management is deployed. After the installation, additional gateways can be added, if required.
Adding new API Casts is not covered in this article.
For persistence, 3Scale relies on a backend storage and several databases, detailed below.
Database — Which database shall we choose?
3Scale supports MySQL, PostgreSQL, Redis and the legacy Oracle DB.
I advise attaching 3Scale to an external database to achieve high availability. I suggest cloud-hosted databases such as Azure Cache for Redis or Azure Database for PostgreSQL to minimize day-2 operations.
Storage
3Scale APIM already offers storage backend support on AWS S3, Azure Files, Azure Disks and many more, for both RWO and RWX access modes.
The following will be used as persistent volumes:
- 1 ReadWriteMany (RWX) persistent volume for CMS and System-App assets,
- 3 ReadWriteOnce (RWO) PVs for Redis and MySQL persistence. (This is required for Pod-based database deployments.)
NB. I do not recommend in any way the usage of the legacy NFS, for performance and security reasons.
AuthN/AuthZ
One of the great things about 3Scale is that it entirely separates Authentication (AuthN) and Authorization (AuthZ). 3Scale API Manager can be integrated with Red Hat Single Sign-On 7.x or connected with OpenShift OAuth for user authentication.
No RBAC policies are supported yet. However, 3Scale APIM offers two authorization levels:
- Admin for full control,
- Member for limited access.
Newly created users are assigned the default “Member” access. Adjust their authorization level to your needs once they log in.
Deployment
Different implementation methods exist:
- Template-based deployment,
- Operator based deployment, compatible only with OpenShift 4 or Kubernetes 1.17.
Within this article we are covering template based deployments. The Operator based one is still not widely supported by Red Hat.
Download 3Scale templates
3Scale API Manager and API Cast are created from official OpenShift templates provided and supported by Red Hat.
This implementation is based on 3Scale 2.8, which explains the branch selected in the following command.
git clone --branch 2.8.0.GA https://github.com/3scale/3scale-amp-openshift-templates.git
Once the Git Repository is cloned locally, different folders are created:
- The “amp-*” folders host the templates for the 3Scale API Manager,
- The “apicast-gateway” folder holds the template to create API Cast gateways separately.
Obtaining the Template does not require any licences, but the container base images do. This is because the container base images are provided and maintained by Red Hat. (OpenSource alternatives can be used in certain cases).
Login to OpenShift
oc login -u system:admin
Create a new Project
Start by creating a new project. This project will host both the ImageStreams and the API Management solution.
oc new-project 3scale-apim --display-name "3Scale API Management"
Storage Backend
Before proceeding with the next steps, please ensure a storage class with ReadWriteMany (RWX) is created and ready to be used by 3scale. Make note of the name as this will be provided later on as a parameter to the Template.
From the CLI you can check the existing storage classes:
oc get storageclass
#or
oc get sc
Create Secret for the Red Hat Registry
Before utilising the 3Scale Templates to create APIM or APICast, an image stream has to be imported from the Red Hat registry “registry.redhat.io”.
Access to the Red Hat registry requires credentials, which are provided to OpenShift as a Secret so that it can authenticate and pull the 3scale container images from “registry.redhat.io”.
The registry credentials have to be created and picked up from the Red Hat portal, following this link.
NB. A Red Hat account is required for this step.
Make a note of the UserID and Token generated during this process; they are supplied as the Docker registry username and password respectively.
Create a secret using the command below:
oc create secret docker-registry threescale-registry-auth \
--docker-server=registry.redhat.io \
--docker-username="registry-service-account-username" \
--docker-password="registry-service-account-password"
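A variant of the step above that keeps the registry token out of shell history and the process list, as an added example that is not part of the original post. The token is read from a file and handed to `oc` as a `.dockerconfigjson` payload; the function names `build_dockerconfig` and `create_registry_secret` and the token file path are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post).
# Functions use a subshell body "( ... )" so their variables stay local.

# build_dockerconfig REGISTRY USERNAME TOKEN_FILE
# Prints a .dockerconfigjson document. The token is read from TOKEN_FILE,
# so it never appears in argv or in the shell history.
build_dockerconfig() (
  registry="$1"; username="$2"; token_file="$3"
  # "user:token" is split on the first ':' by consumers, so reject ':' in the user.
  case "$username" in
    *:*) echo "username must not contain ':'" >&2; exit 1 ;;
  esac
  token="$(tr -d '\r\n' < "$token_file")" || exit 1
  [ -n "$token" ] || { echo "token file is empty: $token_file" >&2; exit 1; }
  # base64 may wrap long output; strip the line breaks it inserts.
  auth="$(printf '%s:%s' "$username" "$token" | base64 | tr -d '\n')"
  printf '{"auths":{"%s":{"auth":"%s"}}}\n' "$registry" "$auth"
)

# create_registry_secret SECRET_NAME REGISTRY USERNAME TOKEN_FILE
# Writes the payload to a private temp file, creates the secret from it,
# and removes the file when the subshell exits (success or failure).
create_registry_secret() (
  umask 077
  tmp="$(mktemp)" || exit 1
  trap 'rm -f "$tmp"' EXIT
  build_dockerconfig "$2" "$3" "$4" > "$tmp" || exit 1
  oc create secret docker-registry "$1" --from-file=.dockerconfigjson="$tmp"
)

# Usage (token file path is an assumption; keep it mode 0600):
#   create_registry_secret threescale-registry-auth registry.redhat.io \
#     "registry-service-account-username" "$HOME/.rh-registry-token"
```
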
Once the secret is created, you can proceed with the import of the Image Streams.
oc create -f 3scale-image-streams.yml
Check whether the ImageStream is successfully imported before moving forward:
oc describe is <ImageStreamName>
Deploy 3Scale
Now you are ready to deploy 3Scale. From the folder cloned previously, run the command:
oc new-app --file /opt/amp/templates/amp.yml \
--param RWX_STORAGE_CLASS=azure-file \
--param WILDCARD_DOMAIN="apps.<CLUSTER_ID>.westeurope.azmosa.io"
Record the template execution output and store it securely, as it holds the admin and master credentials used to access the 3Scale Admin portal and Master portal.
Login to 3Scale
When you deploy 3scale using the template, a default tenant is created with a fixed URL: “3scale-admin.${WildcardDomain}”. To access the default 3Scale tenant, use the URL structure below and log in with the credentials shown in the template execution output.
https://3scale-admin.${WildcardDomain}
To create additional 3Scale tenants, log in to the Master console through its default URL: “master.${WildcardDomain}”.
What’s Next?
Observing the full platform, including 3Scale API Management and the API Gateways, is essential. Since Red Hat 3Scale 2.3, Prometheus metrics are natively provided by the APICast pods and can easily be integrated with dashboards such as Grafana and others.
Please, let me have your comments.