Chapter 10. Configuring service discovery
This guide helps you to configure Service Discovery with the following alternatives:
Additionally, you can find instructions to make an API discoverable.
10.1. Prerequisites Copy linkLink copied to clipboard!
- You must deploy 3scale 2.5 on an OpenShift cluster, version 3.10 or later.
- You must use 3scale-amp-openshift-templates to deploy 3scale on OpenShift.
10.2. Configuring with RH SSO Copy linkLink copied to clipboard!
When configuring with Red Hat Single Sign On (RH SSO), consider the following:
- Users will be redirected to the OAuth Server.
- If users are not logged into the OAuth Server, they will see a request to enter the credentials to log in.
- If it is the first time they use 3scale Service Discovery feature with SSO, the OAuth server will request them to authorize 3scale to perform the relevant actions.
- They will be redirected back to 3scale.
To configure Service Discovery feature with RH SSO, you have the following options:
10.2.1. Using OpenShift OAuth server Copy linkLink copied to clipboard!
As a system administrator, you want users to individually authenticate and authorize 3scale to discover APIs on their behalf using OpenShift builtin OAuth server. This means that 3scale tenant admin users who are willing to use Service Discovery are required to be also OpenShift users, possibly with different access levels over the cluster among them.
Create an OpenShift OAuth client for 3scale. For more details about OpenShift authentication, see OAuth Clients.
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Edit 3scale Service Discovery settings.
oc project <3scale-project>
$ oc project <3scale-project> $ oc edit configmap system
Copy to Clipboard Copied! Toggle word wrap Toggle overflow You need to configure the following settings:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow - Ensure users have proper permissions to view cluster projects containing discoverable services.
Additional notes:
-
After modifying
configmap
, you need to redeploy thesystem-app
andsystem-sidekiq
pods to apply the changes. - Token lifespan: By default, OpenShift OAuth session tokens expire after 24 hours, as indicated in OpenShift Token Options.
10.2.2. Using RH SSO server (Keycloak) Copy linkLink copied to clipboard!
As a system administrator, you can allow users to individually authenticate and authorize 3scale to discover services using Red Hat SSO for OpenShift.
Create an OAuth client for 3scale in Red Hat OAuth server (Keycloak).
IMPORTANT: In the client configuration, make sure that the user's username maps to `preferred_username`, so OpenShift can link accounts.
IMPORTANT: In the client configuration, make sure that the user's username maps to `preferred_username`, so OpenShift can link accounts.
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Edit 3scale Service Discovery settings.
oc project <3scale-project>
$ oc project <3scale-project> $ oc edit configmap system
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Make sure these settings are configured.
Copy to Clipboard Copied! Toggle word wrap Toggle overflow - Make sure users have proper permissions to view cluster projects containing discoverable services
Additional notes:
-
After modifying
configmap
, you need to redeploy thesystem-app
andsystem-sidekiq
pods to apply the changes. - Token lifespan: By default, session tokens expire after 1 minute, as indicated in Keycloak - Session and Token Timeouts. However, it is a good recommendation to set the timeout to an acceptable value of 1 day.
10.3. Configuring without RH SSO Copy linkLink copied to clipboard!
To configure Service Discovery feature without SSO, you can use 3scale Single Service Account to authenticate to OpenShift API service. In this case, there is a seamless authentication to the cluster for the service discovery feature without an authorization layer at the user level, meaning all 3scale tenant administration users will have the same access level to the cluster while discovering API services through 3scale.
Procedure
Edit 3scale Service Discovery settings.
oc project <3scale-project>
$ oc project <3scale-project> $ oc edit configmap system
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Make sure these settings are configured.
service_discovery.yml: production: enabled: <%= cluster_token_file_exists = File.exists?(cluster_token_file_path = '/var/run/secrets/kubernetes.io/serviceaccount/token') %> bearer_token: "<%= File.read(cluster_token_file_path) if cluster_token_file_exists %>" authentication_method: service_account
service_discovery.yml: production: enabled: <%= cluster_token_file_exists = File.exists?(cluster_token_file_path = '/var/run/secrets/kubernetes.io/serviceaccount/token') %> bearer_token: "<%= File.read(cluster_token_file_path) if cluster_token_file_exists %>" authentication_method: service_account
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Provide 3scale deployment
amp
service account with the relevant permissions to view projects containing discoverable services, by following one of these options:Grant 3scale deployment
amp
service account withview
cluster level permission.-------------------------------- oc adm policy add-cluster-role-to-user view system:serviceaccount:<3scale-project>:amp -------------------------------
-------------------------------- oc adm policy add-cluster-role-to-user view system:serviceaccount:<3scale-project>:amp -------------------------------
Copy to Clipboard Copied! Toggle word wrap Toggle overflow - Apply a more restrictive policy. For more information, see OpenShift - Service Accounts.
10.4. Making a service discoverable Copy linkLink copied to clipboard!
An API service, deployed or to be deployed to the OpenShift cluster, can be discoverable by 3scale. To achieve this, configure the OpenShift Service Object YAML definition to include the following metadata:
From the described metadata, port
and scheme
are mandatory annotations.
Additionally, Service Discovery will only import the specification if the Content-Type
header is one of the following values:
-
application/swagger+json
-
application/vnd.oai.openapi+json
-
application/json
Make sure the user or service account (depending on the configured authentication mode) has the right privileges to view the namespace and service.