Chapter 2. Configuring Red Hat Integration products for API development and deployment


Your OpenShift Container Platform (OCP) on premise administrator must deploy Fuse Online and 3scale API Management on the same cluster.

In addition, the following configurations are required:

  • For Fuse Online, the default behavior is that APIs are not exposed for automatic discovery in 3scale. You must enable discovery for the OpenShift project in which you install Fuse Online.
  • A 3scale API Management administrator must configure 3scale for service discovery. For example, the administrator must ensure that users have proper permissions to view cluster projects that contain discoverable services.

2.1. Configuring Fuse Online to enable 3scale discovery of APIs

If you create an API provider integration, you might want to enable discovery of the API for that integration in Red Hat 3scale. The default behavior is that APIs are not exposed for automatic discovery in 3scale.

For Fuse Online environments that are installed on OCP, you can enable 3scale discovery of APIs by updating the Fuse Online syndesis custom resource. Your update must provide a URL for a 3scale user interface, which turns on 3scale service discovery. When you enable discovery, it applies to only the OpenShift project that you are connected to when you update the resource.

Turning on 3scale service discovery means that:

  • The default behavior is that 3scale publishes API provider integrations. When 3scale publishes an API provider integration:

    • Fuse Online does not provide an external URL for an API provider integration that is running.
    • The API is accessible only through 3scale. Configuration in 3scale is required to expose the endpoint. For details, see Red Hat 3scale API Management, Service Discovery.
  • The creator of an API provider integration can disable 3scale discovery for that integration. In other words, each API provider integration creator can choose whether that integration’s API is discoverable.

Prerequisites

  • Fuse Online is installed on OCP on-site.
  • The oc client tool is installed and it is connected to the OCP cluster in which Fuse Online is installed.
  • You have permission to install Fuse Online in the project for which you want to enable discovery of APIs.

Procedure

  1. Log in to OpenShift with an account that has permission to install Fuse Online. For example:

    $ oc login -u developer -p developer
  2. Switch to an OpenShift project in which Fuse Online is running. You are enabling discovery for only this project. For example:

    $ oc project my-fuse-online-project
  3. Invoke the oc patch command on the syndesis custom resource and provide the URL for the 3scale user interface. In the following sample command, replace 3scale-url-here with the actual URL for your 3scale user interface:

    oc patch syndesis app --type='merge' -p '{"spec":{"components":{"server":{"features":{"managementUrlFor3scale":"3scale-url-here"}}}}}'

Results

The oc patch command updates the syndesis custom resource. The update sets the OPENSHIFT_MANAGEMENT_URL_FOR3SCALE environment variable to the specified URL for the 3scale user interface. This change to the syndesis custom resource triggers the syndesis-operator, which is responsible for installing Fuse Online, to redeploy syndesis-server. In the OpenShift project that you switched to, the new default behavior is that APIs are exposed for discovery in 3scale.

Do not edit the syndesis-server DeploymentConfig object to set the OPENSHIFT_MANAGEMENT_URL_FOR3SCALE environment variable. This does not work because the syndesis-operator reverts your change. The syndesis-operator ensures that Fuse Online is deployed only and always according to the syndesis custom resource.
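
The following check is an added example, not part of the Red Hat procedure: it compares the URL stored in the syndesis custom resource with the environment variable carried by syndesis-server, so you can tell whether the operator has finished the redeployment and whether the sample placeholder was applied by mistake. The function names are hypothetical; the resource and variable names are the ones used above.

```shell
#!/bin/sh
# Added example: confirm that the syndesis custom resource and the
# redeployed syndesis-server agree on the 3scale URL.

# URL stored in the custom resource (what the syndesis-operator enforces).
cr_3scale_url() {
    oc get syndesis app \
        -o jsonpath='{.spec.components.server.features.managementUrlFor3scale}'
}

# URL that the syndesis-server DeploymentConfig currently carries.
dc_3scale_url() {
    oc set env dc/syndesis-server --list |
        sed -n 's/^OPENSHIFT_MANAGEMENT_URL_FOR3SCALE=//p'
}

# Prints one verdict line; returns 0 only when discovery is consistently on.
check_3scale_discovery() {
    cr=$(cr_3scale_url) || { echo "ERROR: cannot read syndesis/app"; return 2; }
    dc=$(dc_3scale_url)
    if [ -z "$cr" ]; then
        echo "OFF: managementUrlFor3scale is not set in the custom resource"
        return 1
    fi
    if [ "$cr" = "3scale-url-here" ]; then
        echo "FAIL: the sample placeholder was applied instead of a real URL"
        return 1
    fi
    if [ "$cr" != "$dc" ]; then
        echo "PENDING: syndesis-server has '$dc', custom resource has '$cr'"
        return 1
    fi
    echo "OK: discovery enabled for $cr"
}

# Run it in the project you patched:  check_3scale_discovery
```

A PENDING result that persists after the rollout finishes means the two objects disagree; fix the custom resource, not the DeploymentConfig.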

2.2. Configuring Service Discovery

As a 3scale administrator, you can configure Service Discovery with or without Red Hat Single Sign-On (RH SSO).

Prerequisites

  • You must deploy 3scale 1.0 to an OpenShift cluster (version 3.11 or later).
  • To deploy 3scale to OpenShift, you need to use 3scale-amp-openshift-templates.
  • 3scale users that want to use Service Discovery in 3scale must have access to the OpenShift cluster.

2.2.1. Configuring with RH SSO

Configuration of 3scale Service Discovery with Red Hat Single Sign-On (RH SSO) causes the following behavior when a 3scale user signs in to 3scale:

  • The user is redirected to the OAuth Server.
  • If the user is not already logged in to the OAuth Server, the user is prompted to log in.
  • If it is the first time that the user implements 3scale Service Discovery with SSO, the OAuth server prompts for authorization to perform the relevant actions.
  • The user is redirected back to 3scale.

To configure Service Discovery with RH SSO, you have the following options:

2.2.1.1. Using OpenShift OAuth server

As a 3scale system administrator, you can allow users to individually authenticate and authorize 3scale to discover APIs by using the OpenShift built-in OAuth server.

  1. Create an OpenShift OAuth client for 3scale. For more details about OpenShift authentication, see OAuth Clients.

        $ oc project default
        $ cat <<-EOF | oc create -f -
        kind: OAuthClient
        apiVersion: v1
        metadata:
         name: 3scale
        secret: "<choose-a-client-secret>"
        redirectURIs:
         - "<3scale-master-domain-route>"
        grantMethod: prompt
        EOF
  2. Open the 3scale Service Discovery settings file:

        $ oc project <3scale-project>
        $ oc edit configmap system
  3. Configure the following settings:

        service_discovery.yml:
          production:
            enabled: true
            authentication_method: oauth
            oauth_server_type: builtin
            client_id: '3scale'
            client_secret: '<choose-a-client-secret>'
  4. Ensure that users have proper permissions to view cluster projects containing discoverable services.

    For example, to give <user> view permission for the <namespace> project, use this command:

    oc adm policy add-role-to-user view <user> -n <namespace>
  5. After modifying the configmap, you need to redeploy the system-app and system-sidekiq pods to apply the changes.

    oc rollout latest dc/system-app
    oc rollout latest dc/system-sidekiq

Additional note

By default, OpenShift OAuth session tokens expire after 24 hours, as indicated in OpenShift Token Options.

2.2.1.2. Using RH SSO server (Keycloak)

As a system administrator, you can allow users to individually authenticate and authorize 3scale to discover services using Red Hat SSO for OpenShift.

  1. Create an OAuth client for 3scale in Red Hat OAuth server (Keycloak).

    IMPORTANT: In the client configuration, verify that the user's username maps to `preferred_username`, so that OpenShift can link accounts.
  2. Edit 3scale Service Discovery settings.

        $ oc project <3scale-project>
        $ oc edit configmap system
  3. Verify that these settings are configured.

        service_discovery.yml:
          production:
            enabled: true
            authentication_method: oauth
            oauth_server_type: rh_sso
            client_id: '3scale'
            client_secret: '<choose-a-client-secret>'
  4. Make sure users have proper permissions to view cluster projects containing discoverable services.

    For example, to give <user> view permission for the <namespace> project, use this command:

    oc adm policy add-role-to-user view <user> -n <namespace>
  5. After modifying the configmap, you need to redeploy the system-app and system-sidekiq pods to apply the changes.

Additional note:

  • Token lifespan: By default, session tokens expire after one minute, as indicated in Keycloak - Session and Token Timeouts. However, it is recommended to set the timeout to an acceptable value of one day.

2.2.2. Configuring without RH SSO

To configure 3scale Service Discovery without SSO, you can use the 3scale Single Service Account to authenticate to the OpenShift API service. The 3scale Single Service Account provides seamless authentication to the cluster for Service Discovery, without an authorization layer at the user level. All 3scale tenant administration users have the same access level to the cluster while discovering API services through 3scale.

  1. Verify that the 3scale project is the current project.

       $ oc project <3scale-project>
  2. Open the 3scale Service Discovery settings in an editor.

       $ oc edit configmap system
  3. Verify that the following settings are configured.

    service_discovery.yml:
       production:
          enabled: <%= cluster_token_file_exists = File.exists?(cluster_token_file_path = '/var/run/secrets/kubernetes.io/serviceaccount/token') %>
          bearer_token: "<%= File.read(cluster_token_file_path) if cluster_token_file_exists %>"
          authentication_method: service_account
  4. Provide the 3scale deployment amp service account with the relevant permissions to view projects containing discoverable services by following one of these options:

    • Grant the 3scale deployment amp service account the view permission at cluster level.

      oc adm policy add-cluster-role-to-user view system:serviceaccount:<3scale-project>:amp
    • Apply a more restrictive policy as described in OpenShift - Service Accounts.
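
One possible form of the more restrictive policy, as an added example that is not part of the Red Hat documentation: grant the amp service account the view role only in the namespaces that hold discoverable services, mirroring the per-namespace grant used for users in the OAuth sections. The function names and the sample project and namespace names are hypothetical; the script only prints the commands so that they can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example: emit namespace-scoped view grants for the 3scale amp
# service account instead of one cluster-wide grant.

# A namespace must look like a DNS-1123 label; reject anything else so a
# typo or a wildcard never reaches oc.
valid_namespace() {
    case "$1" in
        ""|-*|*-|*[!a-z0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 63 ]
}

# Usage: discovery_grants <3scale-project> <namespace>...
# Prints, per namespace, the grant and a probe that should answer "yes",
# then a cluster-wide probe that should answer "no".
discovery_grants() {
    project=$1
    shift
    valid_namespace "$project" || { echo "invalid project: $project" >&2; return 1; }
    sa="system:serviceaccount:${project}:amp"
    # Validate everything first so a bad name produces no partial output.
    for ns in "$@"; do
        valid_namespace "$ns" || { echo "invalid namespace: $ns" >&2; return 1; }
    done
    for ns in "$@"; do
        echo "oc adm policy add-role-to-user view $sa -n $ns"
        echo "oc auth can-i list services --as=$sa -n $ns"
    done
    echo "oc auth can-i list services --as=$sa --all-namespaces"
}

# Example with constructed names:
#   discovery_grants my-3scale-project orders billing
```

If the final probe answers "yes", a cluster-wide binding for the service account is still in place.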