Chapter 8. Using the 3scale operator to configure and provision 3scale


As a 3scale administrator, you can use the 3scale operator to configure 3scale services and provision 3scale resources. You use the operator in the OpenShift Container Platform (OCP) user interface. Using the operator is an alternative to configuring and provisioning 3scale in the Admin Portal or by using the 3scale internal API.

When you use the 3scale operator to configure a service or provision a resource the only way to update that service or resource is to update its custom resource (CR). While new services and resources appear in the Admin Portal, you cannot update the service or resource in the Admin Portal or by using the internal 3scale API. If you try to, the operator reverts updates and the CR remains as it was.

Important

3scale operator for capabilities is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

This chapter includes details about how operator application capabilities work and how to use the operator to deploy custom resources:

Additionally, there is information about the limitations of capabilities when using the 3scale operator.

8.1. General prerequisites

To configure and provision 3scale by using the 3scale operator, these are the required elements:

8.2. Application capabilities via the 3scale operator

The 3scale operator contains these featured capabilities:

  • Allows interaction with the underlying Red Hat 3scale API Management solution.
  • Manages the 3scale application declaratively using custom resources from OpenShift.

The diagram below shows 3scale entities and relations that are eligible for management using OpenShift custom resources in a declarative way. Products contain one or more backends. At the product level, you can configure applications, application plans, as well as mapping rules. At the backend level, you can set up metrics, methods and mapping rules for each backend.

3scale entities and relations eligible for management using OpenShift custom resources.

The 3scale operator provides custom resource definitions and their relations, which are visible in the following diagram.

3scale entities and relations eligible for management using OpenShift custom resources.

8.3. Deploying your first 3scale product and backend

Using Openshift Container Platform in your newly created tenant, you will deploy your first 3scale product and backend with the minimum required configuration.

Prerequisites

The same installation requirements as listed in General prerequisites, with these considerations:

  • The 3scale account can be local in the working OpenShift namespace or a remote installation.
  • The required parameters from this account are the 3scale Admin URL address and the access token.

Procedure

  1. Create a secret for the 3scale provider account using the credentials from the 3scale Admin Portal. For example: adminURL=https://3scale-admin.example.com and token=123456.

    oc create secret generic threescale-provider-account --from-literal=adminURL=https://3scale-admin.example.com --from-literal=token=123456
  2. Configure the 3scale backend with the upstream API URL:

    1. Create a YAML file with the following content:

      apiVersion: capabilities.3scale.net/v1beta1
      kind: Backend
      metadata:
        name: backend1
      spec:
        name: "Operated Backend 1"
        systemName: "backend1"
        privateBaseURL: "https://api.example.com"
      • Once you create the file, the operator will confirm if the step was successful.
      • For more details about the fields of Backend custom resource and possible values, see the Backend CRD Reference.
    2. Create a custom resource:

      oc create -f backend1.yaml
  3. Configure the 3scale product:

    1. Create a product with all the default settings applied to the previously created backend:

      apiVersion: capabilities.3scale.net/v1beta1
      kind: Product
      metadata:
        name: product1
      spec:
        name: "OperatedProduct 1"
        systemName: "operatedproduct1"
        backendUsages:
          backend1:
            path: /
      • Once you create the file, the operator will confirm if the step was successful.
      • For more details about the fields of the Product custom resource and possible values, see the Product CRD Reference.
    2. Create a custom resource:

      oc create -f product1.yaml
  4. Created custom resources will take a few seconds to populate your 3scale instance. To confirm when resources are synchronized, you can choose one of these alternatives:

    • Verify the status field of the object.
    • Use the oc wait commands:

      oc wait --for=condition=Synced --timeout=-1s backend/backend1
      oc wait --for=condition=Synced --timeout=-1s product/product1

8.4. Promoting a product’s APIcast configuration

Using the 3scale operator, you can promote the product’s APIcast configuration to staging or production. The ProxyConfigPromote custom resource (CR) promotes the latest APIcast configuration to the staging environment. Optionally, you can configure the ProxyConfigPromote CR to promote to the production environment as well.

Note

ProxyConfigPromote objects only take effect when created. After creation, any updates on them are not reconciled.

Prerequisites

The same installation requirements as listed in General prerequisites, including:

Procedure

  1. Create and save a YAML file with the following content:

    apiVersion: capabilities.3scale.net/v1beta1
    kind: ProxyConfigPromote
    metadata:
      name: proxyconfigpromote-sample
    spec:
      productCRName: product1-sample

    To promote the APIcast configuration to the production environment, set the optional field spec.production to true:

    apiVersion: capabilities.3scale.net/v1beta1
    kind: ProxyConfigPromote
    metadata:
      name: proxyconfigpromote-sample
    spec:
      productCRName: product1-sample
      production: true

    To delete the ProxyConfigPromote object after a successful promotion, set the optional field spec.deleteCR to true:

    apiVersion: capabilities.3scale.net/v1beta1
    kind: ProxyConfigPromote
    metadata:
      name: proxyconfigpromote-sample
    spec:
      productCRName: product1-sample
      deleteCR: true
  2. To check the status condition of the file, type the following command:

    oc get proxyconfigpromote proxyconfigpromote-sample -o yaml
    1. The output should show the satus is Ready:

      apiVersion: capabilities.3scale.net/v1beta1
      kind: ProxyConfigPromote
      metadata:
        name: proxyconfigpromote-sample
      spec:
        productCRName: product1-sample
      status:
        conditions:
        - lastTransitionTime: "2022-10-28T11:35:19Z"
          status: "True"
          type: Ready
  3. Create the custom resource:

    oc create -f proxyconfigpromote-sample.yaml
    • For the given example, the output would be:

      proxyconfigpromote.capabilities.3scale.net/proxyconfigpromote-sample created

Additional resources

8.6. Deploying 3scale OpenAPI custom resources

An OpenAPI custom resource (CR) is one way to import an OpenAPI Specification (OAS) document that you can use for ActiveDocs in the Developer Portal. The OAS is a standard that does not tie you to using one particular programming language for your APIs. Humans and computers can more easily understand the capabilities of the API product without source code access, documentation, or network traffic inspection.

Prerequisites

  • A user account with administrator privileges for a 3scale 2.13 On-Premises instance.
  • An OAS document that defines your API.
  • An understanding of how an OpenAPI CR links to a tenant.

8.6.1. Deploying a 3scale OpenAPI custom resource that imports an OAS document from a secret

Deploy an OpenAPI custom resource (CR) so that you can create 3scale backends and products.

Note

The operator reads only the content in the secret. The operator does not read the field name in the secret.

Procedure

  1. Define a secret that contains an OAS document. For example, you might create the myoasdoc1.yaml with this content:

    openapi: "3.0.2"
    info:
      title: "some title"
      description: "some description"
      version: "1.0.0"
    paths:
      /pet:
        get:
          operationId: "getPet"
          responses:
            405:
              description: "invalid input"
  2. Create the secret. For example:

    $ oc create secret generic myoasdoc1 --from-file myoasdoc1.yaml
    
    secret/myoasdoc1 created
  3. Define your OpenAPI CR. Be sure to specify a reference to the secret that contains your OAS document. For example, you might create the myopenapicr1.yaml file:

    apiVersion: capabilities.3scale.net/v1beta1
    kind: OpenAPI
    metadata:
      name: myopenapicr1
    spec:
      openapiRef:
        secretRef:
          name: myoasdoc1
  4. Create the resource you just defined. For example:

    $ oc create -f myopenapicr1.yaml

    For the given example, the output would be:

    openapi.capabilities.3scale.net/myopenapicr1 created

8.6.2. Features of 3scale OpenAPI custom resource definitions

Knowledge of the OpenAPI custom resource definition (CRD) deployment features will help you with configuration of the 3scale product, backend, and the subsequent creation of ActiveDocs for the Developer Portal.

  • The OAS document can be read from the following:

    • The Kubernetes secret
    • The URL in both http and https formats
  • In an OAS document, the info.title setting must not exceed 215 characters. The operator uses this setting to create OpenShift object names, which have length limitations.
  • Only the first servers[0].url element in a server list is parsed as a private URL. The OpenAPI Specification (OAS) uses its basePath component of servers[0].url element.
  • The OpenAPI CRD supports a single top level security requirement, however it does not support operational level security.
  • The OpenAPI CRD supports the apiKey security scheme.

8.6.3. Import rules when defining OpenAPI custom resources

The import rules specify how the OpenAPI Specification (OAS) works with 3scale when you are setting up an OpenAPI document for your 3scale deployment.

Product name

The default product system name is taken from the info.title field in the OpenAPI document. To override the product name in an OpenAPI document, specify the spec.productSystemName field in an OpenAPI custom resource (CR).

Private base URL

The private base URL is read from the OpenAPI CR servers[0].url field. You can override this by using the spec.privateBaseURL field in your OpenAPI CR.

3scale methods

Each operation that is defined in the imported OpenAPI document translates to one 3scale method at the product level. The method name is read from the operationId field of the operation object.

3scale mapping rules

Each operation that is defined in the imported OpenAPI document translates to one 3scale mapping rule at the product level. Previously existing mapping rules are replaced by those imported with the OpenAPI CR.

In an OpenAPI document, the paths object provides mapping rules for verb and pattern properties. 3scale methods are associated accordingly to the operationId.

The delta value is hard-coded to 1.

By default, Strict matching policy is configured. Matching policy can be switched to Prefix matching using the spec.PrefixMatching field of the OpenAPI CRD.

Authentication

Just one top level security requirement is supported. Operation level security requirements are not supported.

The supported security scheme is apiKey.

The apiKey security scheme type:

  • credentials location will be read from the OpenAPI document in field of the security scheme object.
  • Auth user key will be read from the OpenAPI document name field of the security scheme object.

The following is a partial example of OAS 3.0.2 with apiKey security requirement:

openapi: "3.0.2"
security:
  - petstore_api_key: []
components:
  securitySchemes:
    petstore_api_key:
      type: apiKey
      name: api_key
      in: header

When the OpenAPI document does not specify any security requirements, the following applies:

  • The product authentication will be configured for apiKey.
  • credentials location will default to 3scale value As query parameters (GET) or body parameters (POST/PUT/DELETE).
  • The Auth user key defaults to 3scale value user_key.

3scale Authentication Security can be set using the spec.privateAPIHostHeader and the spec.privateAPISecretToken fields of the OpenAPI CRD.

ActiveDocs

No 3scale ActiveDoc is created.

3scale product policy chain

The 3scale policy chain is the default one 3scale creates.

3scale deployment mode

By default, the configured 3scale deployment mode will be APIcast 3scale managed. However, when the spec.productionPublicBaseURL or the spec.stagingPublicBaseURL, or both fields are present in an OpenAPI CR, the product’s deployment mode is APIcast self-managed.

Example of a OpenAPI CR with custom public base URL:

apiVersion: capabilities.3scale.net/v1beta1
kind: OpenAPI
metadata:
  name: openapi1
spec:
  openapiRef:
    url: "https://raw.githubusercontent.com/OAI/OpenAPI-Specification/master/examples/v3.0/petstore.yaml"
  productionPublicBaseURL: "https://production.my-gateway.example.com"
  stagingPublicBaseURL: "https://staging.my-gateway.example.com"

8.6.4. Deploying a 3scale OpenAPI custom resource that imports an OAS document from a URL

You can deploy an OpenAPI custom resource that imports an OAS document from a URL that you specify. You can then use this OAS document as the foundation for ActiveDocs for your API in the Developer Portal.

Prerequisites

  • If you are creating an OpenAPI custom resource that does not link to the default tenant in the 3scale instance that is in the same namespace then the namespace that will contain the OpenAPI CR contains a secret that identifies the tenant that the OpenAPI CR links to. The name of the secret is one of the following:

    • threescale-provider-account
    • User defined

    This secret contains the URL for a 3scale instance and a token that contains credentials for access to one tenant in that 3scale instance.

Procedure

  1. In your OpenShift account, navigate to Operators > Installed operators.
  2. Click the 3scale operator.
  3. Choose the YAML tab.
  4. Create an OpenAPI custom resource. For example:

    apiVersion: capabilities.3scale.net/v1beta1
    kind: OpenAPI
    metadata:
      name: openapi1
    spec:
      openapiRef:
        url: "https://raw.githubusercontent.com/OAI/OpenAPI-Specification/master/examples/v3.0/petstore.yaml"
      providerAccountRef:
        name: mytenant
  5. Click Save. It takes a few seconds for the 3scale operator to create the OpenAPI CR.

Verification

  1. In OpenShift, in the 3scale Product Overview page, confirm that the Synced condition is marked as True.
  2. Go to your 3scale account.
  3. Confirm that the OAS document is present. For the example above, you would see a new OAS document named openapi1.

8.6.5. Additional resources

8.7. Deploying 3scale ActiveDoc custom resources

Red Hat 3scale API Management ActiveDocs are based on API definition documents that define RESTful web services that conform to the OpenAPI Specification. An ActiveDoc custom resource (CR) is one way to import an OpenAPI Specification (OAS) document that you can use for ActiveDocs in the Developer Portal. The OAS is a standard that does not tie you to using one particular programming language for your APIs. Humans and computers can more easily understand the capabilities of the API product without source code access, documentation, or network traffic inspection.

Prerequisites

  • A user account with administrator privileges for a 3scale 2.13 On-Premises instance.
  • An OAS document that defines your API.
  • An understanding of how an ActiveDoc CR links to a tenant.

8.7.1. Deploying a 3scale ActiveDoc custom resource that imports an OAS document from a secret

Deploy an ActiveDoc custom resource (CR) so that you can create 3scale backends and products.

Note

The operator reads only the content in the secret. The operator does not read the field name in the secret. For example, data is structured in key: value pairs where value represents the content of a file and key is the file name. The file name is ignored by the operator in this context of ActiveDoc CRD. The operator reads only the content of the file.

Prerequisites

  • You understand How the 3scale operator identifies the tenant that a custom resource links to.
  • Define a secret that contains an OAS (OpenAPI Specification) document. For example, you might create the myoasdoc1.yaml with this content:

    openapi: "3.0.2"
    info:
      title: "some title"
      description: "some description"
      version: "1.0.0"
    paths:
      /pet:
        get:
          operationId: "getPet"
          responses:
            405:
              description: "invalid input"

Procedure

  1. Create the secret. For example:

    $ oc create secret generic myoasdoc1 --from-file myoasdoc1.yaml
    
    secret/myoasdoc1 created
  2. Define your ActiveDoc CR. Be sure to specify a reference to the secret that contains your OAS document. For example, you might create the myactivedoccr1.yaml file:

    apiVersion: capabilities.3scale.net/v1beta1
    kind: ActiveDoc
    metadata:
      name: myactivedoccr1
    spec:
      name: "Operated ActiveDoc From secret"
      activeDocOpenAPIRef:
        secretRef:
          name: myoasdoc1
  3. Create the resource you just defined. For example:

    $ oc create -f myactivedoccr1.yaml

    For the given example, the output would be:

    activedoc.capabilities.3scale.net/myactivedoccr1 created

Verification

  1. Log in to your Red Hat OpenShift Container Platform (OCP) administrator account.
  2. Navigate to Operators > Installed Operators.
  3. Click Red Hat Integration - 3scale.
  4. Click the Active Doc tab.
  5. Confirm that the OAS document is present. For the example above, you would see a new OAS document named myactivedoccr1.

8.7.2. Features of 3scale ActiveDoc custom resource definitions

The ActiveDoc custom resource definition (CRD) concerns product documentation in the OpenAPI document format for developers. Knowledge of the ActiveDoc CRD deployment features help you with the creation of ActiveDocs for the Developer Portal.

  • An ActiveDoc CR, can read and OpenAPI document from either of the following:

    • Secret
    • A URL in either http or https format
  • Optionally, you can link the ActiveDoc CR with a 3scale product using the productSystemName field. The value must be the system_name of the 3scale product’s CR.
  • You can publish or hide the ActiveDoc document in 3scale using the published field. By default, this is set to be hidden.
  • You can skip OpenAPI 3.0 validation using the skipSwaggerValidations field. By default, the ActiveDoc CR is validated.

8.7.3. Deploying a 3scale ActiveDoc custom resource that imports an OAS document from a URL

You can deploy an ActiveDoc custom resource (CR) that imports an OAS (OpenAPI Specification) document from a URL that you specify. You can then use this OAS document as the foundation for ActiveDocs for your API in the Developer Portal.

Procedure

  1. In your OpenShift account, navigate to Operators > Installed operators.
  2. Click the 3scale operator.
  3. Click the Active Doc tab.
  4. Create an ActiveDoc CR. For example:

    apiVersion: capabilities.3scale.net/v1beta1
    kind: ActiveDoc
    metadata:
      name: myactivedoccr1
    spec:
      openapiRef:
        url: "https://raw.githubusercontent.com/OAI/OpenAPI-Specification/master/examples/v3.0/petstore.yaml"
      providerAccountRef:
        name: mytenant
  5. Optional. For self-managed APIcast, in the ActiveDoc CR, set the productionPublicBaseURL and stagingPublicBaseURL fields to the URLs for your deployment. For example:

    apiVersion: capabilities.3scale.net/v1beta1
    kind: ActiveDoc
    metadata:
      name: myactivedoccr1
    spec:
      openapiRef:
        url: "https://raw.githubusercontent.com/OAI/OpenAPI-Specification/master/examples/v3.0/petstore.yaml"
      productionPublicBaseURL: "https://production.my-gateway.example.com"
      stagingPublicBaseURL: "https://staging.my-gateway.example.com"
  6. Click Save. It takes a few seconds for the 3scale operator to create the ActiveDoc CR.

Verification

  1. Log in to your Red Hat OpenShift Container Platform (OCP) administrator account.
  2. Navigate to Operators > Installed Operators.
  3. Click Red Hat Integration 3scale.
  4. Click the Active Doc tab.
  5. Confirm that the OAS document is present. For the example above, you would see a new OAS document named myactivedoccr1.

8.7.4. Additional resources

8.10. Deploying 3scale CustomPolicyDefinition custom resources

You can use a CustomPolicyDefinition CRD to configure your custom policy in a 3scale product from the Admin Portal.

When the 3scale operator finds a new CustomPolicyDefinition CR, the operator identifies the tenant that owns the CR as described in How the 3scale operator identifies the tenant that a custom resource links to.

Prerequisites

Procedure

  1. Define a CustomPolicyDefinition custom resource and save it in, for example, the my-apicast-custom-policy-definition.yaml file:

    apiVersion: capabilities.3scale.net/v1beta1
    kind: CustomPolicyDefinition
    metadata:
      name: custompolicydefinition-sample
    spec:
      version: "0.1"
      name: "APIcast Example Policy"
      schema:
        name: "APIcast Example Policy"
        version: "0.1"
        $schema: "http://apicast.io/policy-v1/schema#manifest#"
        summary: "This is just an example."
        configuration:
          type: object
          properties: {}
  2. Deploy the CustomPolicyDefinition CR:

    oc create -f my-apicast-custom-policy-definition.yaml

8.11. Deploying a tenant custom resource

A Tenant custom resource is also known as the Provider Account.

When you deploy an APIManager custom resource (CR) you are using the 3scale operator to deploy 3scale. A default 3scale installation includes a default tenant ready to be used. Optionally, you can create other tenants by deploying Tenant custom resources.

Prerequisites

Procedure

  1. Navigate to the OpenShift project in which 3scale is installed. For example, if the name of the project is my-3scale-project, run the following command:

    oc project my-3scale-project
  2. Create a secret that contains the password for the 3scale admin account for the new tenant. In the definition of the Tenant CR, set the passwordCredentialsRef attribute to the name of this secret. In the example of a Tenant CR definition in step 4, ADMIN_SECRET is the placeholder for this secret. The following command provides an example of creating the secret:

    oc create secret generic ecorp-admin-secret --from-literal=admin_password=<admin password value>
  3. Obtain the 3scale master account hostname. When you deploy 3scale by using the operator, the master account has a fixed URL with this pattern: master.${wildcardDomain}

    If you have access to the namespace where 3scale is installed, you can obtain the master account hostname with this command:

    oc get routes --field-selector=spec.to.name==system-master -o jsonpath="{.items[].spec.host}"

    In the example of a Tenant CR definition in step 4, MASTER_HOSTNAME is the placeholder for this name.

  4. Create a file that defines the new Tenant custom resource.

    In the definition of the Tenant CR, set the masterCredentialsRef.name attribute to system-seed. You can perform tenant management tasks only by using the 3scale master account credentials, preferably an access token. During deployment of an APIManager CR, the operator creates the secret that contains master account credentials. The name of the secret is system-seed.

    If 3scale is installed in cluster wide mode, you can deploy the new tenant in a namespace that is different from the namespace that contains 3scale. To do this, set masterCredentialsRef.namespace to the namespace that contains the 3scale installation.

    The following example assumes that 3scale is installed in cluster wide mode.

    apiVersion: capabilities.3scale.net/v1alpha1
    kind: Tenant
    metadata:
      name: ecorp-tenant
      namespace: <namespace-in-which-to-create-Tenant-CR>
    spec:
      username: admin
      systemMasterUrl: https://<MASTER_HOSTNAME>
      email: admin@ecorp.com
      organizationName: ECorp
      masterCredentialsRef:
        name: system-seed
        namespace: <namespace-where-3scale-is-deployed>
      passwordCredentialsRef:
        name: <ADMIN_SECRET>
      tenantSecretRef:
        name: tenant-secret
  5. Create the Tenant custom resource. For example, if you saved the previous example CR in the mytenant.yaml file, you would run:

    oc create -f mytenant.yaml

    As a result of this command:

    • The operator deploys a tenant in the 3scale installation pointed to by the setting of the spec.systemMasterUrl attribute.
    • The 3scale operator creates a secret that contains credentials for the new tenant. The name of the secret is the value you specified for the tenantSecretRef.name attribute. This secret contains the new tenant`s admin URL and access token.

      As a reference, this is an example of the secret that the operator creates:

      apiVersion: v1
      kind: Secret
      metadata:
        name: tenant-secret
      type: Opaque
      stringData:
        adminURL: https://my3scale-admin.example.com:443
        token: "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
    • You can now deploy Product, Backend, OpenAPI, DeveloperAccount, and DeveloperUser CRs that link to your new tenant.

Deleting a Tenant custom resource

To delete a deployed Tenant custom resource, you can specify the name of the file that contains the resource definition, for example:

oc delete -f mytenant.yaml

Alternatively, you can run the oc delete command, specify the name in the Tenant CR and also specify the tenant’s namespace. For example:

oc delete tenant.capabilities.3scale.net mytenant -n mynamespace

When you delete a tenant, the 3scale operator does the following:

  • Hides the tenant from the 3scale installation.
  • Deletes the deployed custom resources that the tenant owns.
  • Marks the tenant to be deleted after 15 days.

After you delete a tenant, you cannot recover it. You have 15 days to back up any resources that the tenant owned and you can do this only in the Admin Portal. After 15 days, 3scale deletes the tenant. To comply with data protection laws, some data is kept for future reference.

Important

Do not delete a tenant in the Admin Portal if you deployed that tenant with a Tenant CR. If you do, the operator creates another tenant by using the CR for the tenant that you tried to delete.

Additional resources

8.12. Managing 3scale developers by deploying custom resources

As a 3scale administrator, you can use custom resources (CRs) to deploy developer accounts that group together individual developer users. These accounts let you organize and manage developer access to 3scale-managed APIs in the Developer Portal.

A tenant can contain any number of developer accounts and each developer account links to exactly one tenant. A developer account can contain any number of developer users and each developer user links to exactly one developer account. The tenant plan determines any limits on how many developer accounts you can create and how many developer users can be grouped in each developer account.

To use developer custom resources, 3scale must have been installed by the 3scale operator. You can deploy developer custom resources in only the namespace that contains the 3scale operator. Deployment of developer custom resources is an alternative to managing developers by using the 3scale Admin Portal or the 3scale internal API.

Important

When you create developer accounts or developer users by deploying custom resources you cannot use the Admin Portal or the internal 3scale API to update those developer accounts or developer users. It is important to be aware of this because after you deploy a developer CR, the Admin Portal displays the new developer account or new developer user in its Accounts page. If you try to use the Admin Portal or API to update a developer account or developer user that was deployed with a CR, the 3scale operator reverts the changes to reflect the deployed CR. This is a limitation that is expected to be removed in a future release. You can, however, use the Admin Portal or API to delete a developer account or developer user that you created by deploying a CR.

8.12.1. Prerequisites

  • 3scale was installed by the 3scale operator.
  • Access token with read and write permissions in the Account Management API scope, which provides administrator privileges for 3scale.

8.12.2. Managing 3scale developer accounts by deploying DeveloperAccount custom resources

When you use the 3scale operator to install 3scale you can deploy DeveloperAccount and DeveloperUser custom resources (CRs). These CRs let you create and update accounts for developer access to 3scale-managed APIs in the Developer Portal.

To deploy a new DeveloperAccount CR, you must also deploy a DeveloperUser CR for a user who has the admin role. The procedure provided here is for deploying a new DeveloperAccount CR. After you deploy a DeveloperAccount CR, the procedure for updating or deleting it is the same as for any other CR.

You can deploy CRs only in the namespace that contains the 3scale operator.

Prerequisites

  • An understanding of how the 3scale operator identifies the tenant that a custom resource links to.
  • If you are creating a DeveloperAccount custom resource that does not link to the default tenant in the 3scale instance that is in the same namespace then the namespace that will contain the DeveloperAccount CR contains a secret that identifies the tenant that the DeveloperAccount CR links to. The name of the secret is one of the following:

    • threescale-provider-account
    • User defined

    This secret contains the URL for a 3scale instance and a token that contains credentials for access to one tenant in that 3scale instance.

  • You have the user name, password, and email address for at least one developer user who will have the admin role in the new DeveloperAccount CR.

Procedure

  1. In the namespace that contains the 3scale operator, create and save a resource file that defines a secret that contains the user name and password for a developer user who will have the admin role in the new developer account resource. For example, the myusername01.yaml file might contain:

    apiVersion: v1
    kind: Secret
    metadata:
      name: myusername01
    stringData:
      password: "123456"
  2. Create the secret. For example:

    oc create -f myusername01.yaml

    For the given example, the output would be:

    secret/myusername01 created
  3. Create and save a .yaml file that defines a DeveloperUser CR for a developer who has the admin role. This DeveloperUser CR is required for the 3scale operator to deploy a new DeveloperAccount CR. For example, the developeruser01.yaml file might contain:

    apiVersion: capabilities.3scale.net/v1beta1
    kind: DeveloperUser
    metadata:
      name: developeruser01
    spec:
      username: myusername01
      email: myusername01@example.com
      passwordCredentialsRef:
        name: myusername01
      role: admin
      developerAccountRef:
        name: developeraccount1
      providerAccountRef:
        name: mytenant

    In a DeveloperUser CR:

    • The developer user account name, user name, and email must be unique in the tenant that the containing DeveloperAccount links to.
    • The developer account name that you specify here must match the name of the DeveloperAccount CR that you are deploying in this procedure. It does not matter whether you create the DeveloperAccount CR before or after you create this DeveloperUser CR.
    • The tenant that a DeveloperUser CR links to must be the same tenant that the specified DeveloperAccount CR links to.
  4. Create the resource you just defined. For example:

    oc create -f developeruser01.yaml

    For the given example, the output would be:

    developeruser.capabilities.3scale.net/developeruser01 created
  5. Create and save a .yaml file that defines a DeveloperAccount CR. In this .yaml file, the spec.OrgName field must specify an organization name. For example, the developeraccount01.yaml file might contain:

    apiVersion: capabilities.3scale.net/v1beta1
    kind: DeveloperAccount
    metadata:
      name: developeraccount01
    spec:
      orgName: Ecorp
      providerAccountRef:
        name: mytenant
  6. Create the resource you just defined. For example:

    oc create -f developeraccount01.yaml

    For the given example, the output would be:

    developeraccount.capabilities.3scale.net/developeraccount01 created

Next steps

It takes a few seconds for the 3scale operator to update the 3scale configuration to reflect new or updated custom resources. To check whether the operator is propagating custom resource information successfully, check the DeveloperAccount custom resource status field or run the oc wait command, for example:

oc wait --for=condition=Ready --timeout=30s developeraccount/developeraccount1

In case of failure, the custom resource’s status field indicates if the error is transient or permanent, and provides an error message that helps fix the problem.

Notify any new developer users that they can log in to the Developer Portal. You might also need to communicate their log-in credentials.

You can update a deployed DeveloperAccount custom resource in the same way that you update any other custom resource. For example, in the OpenShift project that contains the tenant that owns the DeveloperAccount CR that you want to update, you would run the following command to update the devaccount1 CR:

oc edit developeraccount devaccount1

8.12.3. Managing 3scale developer users by deploying DeveloperUser custom resources

When you use the 3scale operator to install 3scale you can deploy DeveloperUser custom resources (CRs) for managing developer access to 3scale-managed APIs in the Developer Portal. The procedure provided here is for deploying a new DeveloperUser CR. After you deploy a DeveloperUser CR, the procedure for updating or deleting it is the same as for any other CR.

You can deploy CRs only in the namespace that contains the 3scale operator.

Prerequisites

  • An understanding of how the 3scale operator identifies the tenant that a custom resource links to.
  • There is at least one deployed DeveloperAccount custom resource that contains at least one deployed DeveloperUser CR for a user who has the admin role. If you are creating a DeveloperUser custom resource that does not link to the default tenant in the 3scale instance that is in the same namespace then the namespace that will contain the DeveloperUser CR contains a secret that identifies the tenant that the DeveloperUser CR links to. The name of the secret is one of the following:

    • threescale-provider-account
    • User defined

    This secret contains the URL for a 3scale instance and a token that contains credentials for access to one tenant in that 3scale instance.

  • For a new DeveloperUser custom resource, you have that developer’s user name, password, and email address.

Procedure

  1. In the namespace that contains the 3scale operator, create and save a resource file that defines a secret that contains the user name and password for a developer user. For example, the myusername02.yaml file might contain:

    apiVersion: v1
    kind: Secret
    metadata:
      name: myusername02
    stringData:
      password: "987654321"
  2. Create the secret. For example:

    oc create -f myusername02.yaml

    For the given example, the output would be:

    secret/myusername02 created
  3. Create and save a .yaml file that defines a DeveloperUser CR. In the spec.role field, specify admin or member. For example, the developeruser02.yaml file might contain:

    apiVersion: capabilities.3scale.net/v1beta1
    kind: DeveloperUser
    metadata:
      name: developeruser02
    spec:
      username: myusername02
      email: myusername02@example.com
      passwordCredentialsRef:
        name: myusername02
      role: member
      developerAccountRef:
        name: developeraccount1
      providerAccountRef:
        name: mytenant

    In a DeveloperUser CR:

    • The developer user name (specified in the metadata.name field), the user name, and email must be unique in the tenant that the containing DeveloperAccount links to.
    • The developerAccountRef field must specify the name of a deployed DeveloperAccount CR.
    • The tenant that a DeveloperUser CR links to must be the same tenant that the specified DeveloperAccount CR links to.
  4. Create the resource you just defined. For example:

    oc create -f developefuser02.yaml

    For the given example, the output would be:

    developeruser.capabilities.3scale.net/developeruser02 created

Next steps

It takes a few seconds for the 3scale operator to update the 3scale configuration to reflect new or updated custom resources. To check whether the operator is propagating custom resource information successfully, check the DeveloperUser custom resource status field or run the oc wait command, for example:

oc wait --for=condition=Ready --timeout=30s developeruser/developeruser02

In case of failure, the custom resource’s status field indicates if the error is transient or permanent, and provides an error message that helps fix the problem.

Notify any new developer users that they can log in to the Developer Portal. You might also need to communicate their log-in credentials.

You can update a deployed DeveloperUser custom resource in the same way that you update any other custom resource.

8.12.4. Deleting DeveloperAccount or DeveloperUser custom resources

You can delete a 3scale developer entity by deleting the custom resource that manages it. When you delete a DeveloperAccount custom resource the 3scale operator also deletes any DeveloperUser CRs that link to the deleted DeveloperAccount CR.

Important

The only way to delete a developer account or developer user defined by a custom resource is to follow the procedure described here. Do not use the Admin Portal nor the 3scale API to delete a developer entity that was deployed as a custom resource.

Prerequisites

  • 3scale administrator permissions or an OpenShift role that has delete permissions in the namespace that contains the custom resource you want to delete. To confirm that you can delete a particular custom resource, run the oc auth can-i delete command. For example, if the name in the DeveloperAccount CR is devaccount1, run this command:

    oc auth can-i delete developeraccount.capabilities.3scale.net/devaccount1 -n my-namespace
  • The DeveloperAccount or DeveloperUser CR to be deleted links to a valid tenant.

Procedure

  • In the OpenShift project that contains the tenant that the CR links to, run the oc delete command to delete a DeveloperAccount or DeveloperUser custom resource. For example, if you deployed a DeveloperAccount CR that was defined in the devaccount1.yaml file, you would run the following command:

    oc delete -f devaccount1.yaml

    Alternatively, you can run the oc delete command and specify the name of the CR as specified in its definition. For example:

    oc delete developeraccount.capabilities.3scale.net/devaccount1

8.13. Limitations of 3scale operator capabilities

In Red Hat 3scale API Management 2.13, 3scale operator contains these limitations with capabilities:

  • Deletion of a backend custom resource definition (CRD) is not reconciled: existing backends in 3scale will not be deleted.
  • Deletion of a product CRD is not reconciled: existing products in 3scale will not be deleted.
  • Deletion of DeveloperAccount or DeveloperUser custom resources is not reconciled. While the operator receives the deletion event, the operator does not act on the event. The developer account or developer user remains. If you try to create a new developer account or developer user with the same account name, username or email address as a custom resource that you deleted, you receive an error that the account already exists. You must specify different parameters to create the account.
  • Single Sign-On (SSO) authentication for the Admin Portal.
  • SSO authentication for the Developer Portal.
  • ActiveDocs CRD not currently available.
  • Gateway Policy CRD not currently available.
  • Product CRD Gateway does not support response custom code and errors
  • 3scale operator CRD holding OAS3 does not reference as source of truth for 3scale product configuration.

8.14. Additional resources

For more information, check the following guides:

Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.