Chapter 2. Configuration requirements


Your OpenShift Container Platform (OCP) on premise administrator must deploy Fuse Online and 3scale API Management on the same cluster.

In addition, the following configurations are required:

  • For Fuse Online, the default behavior is that APIs are not exposed for automatic discovery in 3scale. The OpenShift administrator must configure Fuse Online to enable 3scale discovery of APIs.

    Note

    When Fuse Online is configured to enable 3scale discovery, it does not provide URLs for testing APIs that you publish. You might want the administrator to configure this setting after you have tested your APIs in Fuse Online.

  • The 3scale API Management administrator must configure 3scale for service discovery. For example, the administrator must ensure that users have proper permissions to view cluster projects that contain discoverable services.

If you create an API provider integration, you might want to enable discovery of the API for that integration in 3scale. For Fuse Online environments that are installed on OCP, a user with cluster administration permissions can enable 3scale discovery of APIs by setting a Fuse Online server configuration environment variable.

The default behavior is that APIs are not exposed for automatic discovery in 3scale. Turning on 3scale service discovery applies to all API provider integrations in your Fuse Online environment. You cannot choose which APIs are discoverable.

When 3scale service discovery is turned on:

  • Fuse Online does not provide an external URL for an API provider integration that is running.
  • The API is accessible only through 3scale. Configuration in 3scale is required to expose the endpoint. For details, see Red Hat 3scale API Management, Service Discovery.

Prerequisites

  • Fuse Online is installed on OCP on premise.
  • You have cluster administration permissions.

Procedure

Edit the syndesis-server DeploymentConfig object to set the CONTROLLERS_EXPOSE_VIA3SCALE environment variable to true. To do this, enter the following command on one line:

$ oc patch dc syndesis-server -p '{"spec":{"template":{"spec":{"containers":[{"name":"syndesis-server","env":[{"name":"CONTROLLERS_EXPOSE_VIA3SCALE","value":"true"}]}]}}}}'

Note

After the administrator enables 3scale discovery for Fuse Online, you must republish any running APIs before they can be discoverable by 3scale.

2.2. Configuring Service Discovery

As a 3scale administrator, you can configure Service Discovery with or without Red Hat Single Sign-On (RH SSO).

Prerequisites

  • You must deploy 3scale 2.6 to an OpenShift cluster (version 3.11 or later).
  • To deploy 3scale to OpenShift, you need to use 3scale-amp-openshift-templates.
  • 3scale users who want to use Service Discovery must have access to the OpenShift cluster.

2.2.1. Configuring with RH SSO

After you configure 3scale Service Discovery with Red Hat Single Sign-On (RH SSO), when a 3scale user signs in to 3scale:

  • The user is redirected to the OAuth Server.
  • If the user is not already logged in to the OAuth Server, the user is prompted to log in.
  • If it is the first time that the user implements 3scale Service Discovery with SSO, the OAuth server prompts for authorization to perform the relevant actions.
  • The user is redirected back to 3scale.

To configure Service Discovery with RH SSO, you have the following options:

2.2.1.1. Using OpenShift OAuth server

As a 3scale system administrator, you can allow users to individually authenticate and authorize 3scale to discover APIs by using the OpenShift built-in OAuth server.

  1. Create an OpenShift OAuth client for 3scale. For more details about OpenShift authentication, see OAuth Clients.

        $ oc project default
        $ cat <<-EOF | oc create -f -
        kind: OAuthClient
        apiVersion: v1
        metadata:
         name: 3scale
        secret: "<choose-a-client-secret>"
        redirectURIs:
         - "<3scale-master-domain-route>"
        grantMethod: prompt
        EOF
  2. Open the 3scale Service Discovery settings file:

        $ oc project <3scale-project>
        $ oc edit configmap system
  3. Configure the following settings:

        service_discovery.yml:
          production:
            enabled: true
            authentication_method: oauth
            oauth_server_type: builtin
            client_id: '3scale'
            client_secret: '<choose-a-client-secret>'
  4. Ensure that users have proper permissions to view cluster projects containing discoverable services.

    For example, to give <user> view permission for the <namespace> project, use this command:

        $ oc adm policy add-role-to-user view <user> -n <namespace>
  5. After modifying the configmap, redeploy the system-app and system-sidekiq pods to apply the changes.

        $ oc rollout latest dc/system-app
        $ oc rollout latest dc/system-sidekiq

Additional note

By default, OpenShift OAuth session tokens expire after 24 hours, as indicated in OpenShift Token Options.

2.2.1.2. Using RH SSO server (Keycloak)

As a system administrator, you can allow users to individually authenticate and authorize 3scale to discover services using Red Hat SSO for OpenShift.

  1. Create an OAuth client for 3scale in Red Hat OAuth server (Keycloak).

    IMPORTANT: In the client configuration, verify that the user's username maps to `preferred_username`, so that OpenShift can link accounts.
  2. Edit 3scale Service Discovery settings.

        $ oc project <3scale-project>
        $ oc edit configmap system
  3. Verify that these settings are configured.

        service_discovery.yml:
          production:
            enabled: true
            authentication_method: oauth
            oauth_server_type: rh_sso
            client_id: '3scale'
            client_secret: '<choose-a-client-secret>'
  4. Make sure users have proper permissions to view cluster projects containing discoverable services.

    For example, to give <user> view permission for the <namespace> project, use this command:

        $ oc adm policy add-role-to-user view <user> -n <namespace>
  5. After modifying the configmap, redeploy the system-app and system-sidekiq pods to apply the changes.

Additional note:

  • Token lifespan: By default, session tokens expire after one minute, as indicated in Keycloak - Session and Token Timeouts. However, it is recommended to set the timeout to an acceptable value of one day.

2.2.2. Configuring without RH SSO

To configure 3scale Service Discovery without SSO, you can use the 3scale Single Service Account to authenticate to the OpenShift API service. The Single Service Account authenticates Service Discovery to the cluster without an authorization layer at the user level: all 3scale tenant administration users have the same access level to the cluster while discovering API services through 3scale.

Procedure

  1. Verify that the 3scale project is the current project.

       $ oc project <3scale-project>
  2. Open the 3scale Service Discovery settings in an editor.

       $ oc edit configmap system
  3. Verify that the following settings are configured.

    service_discovery.yml:
       production:
          enabled: <%= cluster_token_file_exists = File.exists?(cluster_token_file_path = '/var/run/secrets/kubernetes.io/serviceaccount/token') %>
          bearer_token: "<%= File.read(cluster_token_file_path) if cluster_token_file_exists %>"
          authentication_method: service_account
  4. Provide the 3scale deployment amp service account with the relevant permissions to view projects containing discoverable services by following one of these options:

    • Grant the 3scale deployment amp service account the view permission at cluster level.

          $ oc adm policy add-cluster-role-to-user view system:serviceaccount:<3scale-project>:amp
    • Apply a more restrictive policy as described in OpenShift - Service Accounts.
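
Because every 3scale tenant administrator shares the amp service account's access, the second option above limits what they can all see. The following is an added example, not part of the Red Hat documentation: it binds the view role per namespace instead of cluster-wide and then checks the result by impersonating the service account. The function names and the sample project and namespace names are assumptions, and the caller needs permission to impersonate.

```shell
#!/bin/sh
# Added example (not from the product documentation): namespace-scoped grants
# for the amp service account instead of the cluster-wide view role.
# Project and namespace names passed in are placeholders chosen by the caller.

# Fully qualified name of the amp service account in the given 3scale project.
amp_subject() {
  printf 'system:serviceaccount:%s:amp' "$1"
}

# grant_view_scoped <3scale-project> <namespace>...
# Binds the view role to the amp service account in each listed namespace only.
grant_view_scoped() {
  project=$1; shift
  for ns in "$@"; do
    oc adm policy add-role-to-user view "$(amp_subject "$project")" -n "$ns" || return 1
  done
}

# audit_view_scope <3scale-project> <namespace>...
# Impersonates the service account and reports, per namespace, whether it can
# list services. Listing "services" as the probe is an assumption about what
# discovery needs; run it against namespaces that should be denied as well.
audit_view_scope() {
  project=$1; shift
  for ns in "$@"; do
    if oc auth can-i list services -n "$ns" \
         --as="$(amp_subject "$project")" >/dev/null 2>&1; then
      echo "$ns allowed"
    else
      echo "$ns denied"
    fi
  done
}

# Typical use (constructed names):
#   grant_view_scoped 3scale-project team-a team-b
#   audit_view_scope  3scale-project team-a team-b kube-system
```

A namespace reported as "allowed" that was never passed to grant_view_scoped indicates a broader binding, such as the cluster-level grant, is still in place.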