Red Hat OpenShift API Management Service Definition
Table of Contents
- Advanced API Management Service Configurations
- Customer OpenShift Dedicated IDP
- Tenancy Model
- Path-Based Routing
- Staging and Production Managed APIcast
- Self-Managed APIcast & Custom Policies
- Billing Support
- Invite Feature
- Deployment Models
- Environment Isolation for Development, Testing/Staging, and Production
- Security and Compliance
Application programming interfaces (APIs) are key to agile integration and delivering business value in a digital world. APIs support innovation, enable cross-enterprise agility, and simplify the creation of new products and revenue streams.
The Red Hat OpenShift API Management service makes it easy to manage your APIs. Share, secure, distribute, and control your APIs on an infrastructure platform built for performance, customer control, and future growth.
It is available as an add-on to the following OpenShift-managed services:
- Red Hat OpenShift Dedicated - a platform for developing and running containerized applications
- Red Hat OpenShift Service on AWS - a fully-managed OpenShift service, jointly managed and supported by both Red Hat and Amazon Web Services (AWS)
The Red Hat OpenShift API Management Service is a fully Red Hat-managed API traffic control and API program management solution that includes analytics, access control, developer workflows, and more. It is based on the Red Hat 3scale API Management platform.
The API management service also includes an implementation of the Red Hat Single Sign-on to secure and protect your APIs. This service is intended solely for use within API Management (e.g., restricting access to your APIs and the 3scale Developer Portal) and not as a company-wide SSO solution.
Advanced API Management Service Configurations
Customer OpenShift Dedicated IDP
Because many of the development and notification procedures of the API management service are based on email correspondence, it is important that your identity provider (IDP) contains a valid email address for each enabled developer.
Tenancy Model
With your subscription, in addition to the primary tenant that is preconfigured, you can request up to 20 additional tenants. To request these tenants, please file a ticket with Red Hat Support.
More information about multi-tenancy can be found in the 3scale on-premise documentation: Multi-tenancy in Red Hat 3scale API Management.
NOTE: The configuration of multiple tenants does not affect the total number of messages available through your subscription.
Path-Based Routing
This feature has been supplanted by the products and backends feature in 3scale. More information on this feature can be found in the Getting Started: Product and Backends documentation.
Staging and Production Managed APIcast
Included in the OpenShift API Management service and managed by Red Hat are two managed APIcast instances: Staging and Production. These are preconfigured by Red Hat and are ready for consumption right away. Both of these are installed in a single cluster and are intended for code promotion in 3scale.
Self-Managed APIcast & Custom Policies
In the event you need to manage your custom APIs (e.g., in a different region or data center from your Red Hat OpenShift API Management service deployment), your subscription includes the ability to install and self-manage localized APIcast instances.
NOTE: In order to use custom policies, you must install the policies in self-managed APIcast instances.
Commercially reasonable support is included with your subscription and can be accessed by filing a ticket with Red Hat Support. It is the customer's responsibility to monitor and maintain any deployed self-managed APIcast instances.
More information can be found in the APIcast self-managed Red Hat 3scale API Management documentation.
Billing Support
Red Hat OpenShift API Management has achieved Payment Card Industry Data Security Standard (PCI DSS) Compliance Certification and now supports API Management Billing features.
Currently, Braintree global payments are not supported on Red Hat OpenShift API Management.
For more information on the support provided, please refer to the Billing Settings documentation.
Invite Feature
All users can access the 3scale API Management Admin Portal through the Red Hat OpenShift API Management service. To add users to the 3scale API Management Admin Portal, you must configure the identity provider for your cluster. For more information, see Configuring identity providers. Although the 3scale Admin Portal appears to have the capability to invite new users to access the Admin Portal, this feature is not currently supported in OpenShift API Management.
Deployment Models
Red Hat OpenShift API Management Service is available only on the AWS versions of OpenShift Dedicated, including the Red Hat OpenShift Service on AWS. For more details about the AWS version offerings for OpenShift, please refer to the following documentation:
OpenShift Dedicated and the Red Hat OpenShift Service on AWS 4 can be configured to be private, public, or public/private. Red Hat OpenShift API Management is available in all of those configurations; however, the visibility of the clusters determines which APIs can be managed. It is critical to test your configuration before releasing it to production, to validate that the routes are available and working as expected.
Environment Isolation for Development, Testing/Staging, and Production
Red Hat recommends separating different environments into distinct clusters, with automated build and deployment pipelines that are used to migrate development or testing clusters to staging and production clusters.
This separation ensures that software in development does not impact your production workloads. In addition, you will have the ability to test newer versions of both OpenShift and the API Management service on pre-production clusters.
Security and Compliance
As a Red Hat-managed service, the included components and services are installed in protected namespaces (redhat-rhoam prefix). These namespaces are monitored and managed by our certified Red Hat SRE teams. Default customer access to these namespaces is restricted; users of the dedicated-admins group are given read access for monitoring. Note that if the customer has requested the OpenShift Dedicated cluster-admin access, the customer does have the ability to modify settings in these namespaces. If that happens, then there is no longer a guarantee of service availability until the namespaces have been restored to the base Red Hat configuration.
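One way to notice customer-side changes to the protected namespaces described above is to scan Kubernetes API server audit events for write requests whose target namespace carries the redhat-rhoam prefix. The following is an added example, not Red Hat's code; the function names, the choice to skip service accounts, and every sample event are assumptions constructed for illustration.

```python
import json

MANAGED_PREFIX = "redhat-rhoam"  # namespace prefix named on this page
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}

def managed_namespace_writes(audit_lines, trusted_prefixes=("system:serviceaccount:",)):
    """Return write attempts on managed namespaces by users outside trusted_prefixes.
    Skipping service accounts as platform automation is an assumption of this example."""
    findings = []
    for line in audit_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank, truncated or non-JSON line
        if not isinstance(ev, dict) or ev.get("stage") != "ResponseComplete":
            continue  # one record per request: the completed stage
        ref = ev.get("objectRef") or {}
        # Namespaced objects carry objectRef.namespace; a Namespace object is matched by name.
        ns = ref.get("namespace") or (ref.get("name") if ref.get("resource") == "namespaces" else "") or ""
        user = (ev.get("user") or {}).get("username", "")
        if (ev.get("verb") not in WRITE_VERBS or not ns.startswith(MANAGED_PREFIX)
                or user.startswith(tuple(trusted_prefixes))):
            continue
        code = (ev.get("responseStatus") or {}).get("code", 0)
        findings.append({"time": ev.get("requestReceivedTimestamp"), "user": user, "verb": ev["verb"],
                         "target": f"{ns}/{ref.get('resource')}/{ref.get('name')}",
                         "outcome": "applied" if 200 <= code < 300 else "rejected"})
    return findings

def sample_event(user, verb, namespace, resource, name, code):
    """Build one constructed audit.k8s.io/v1 event line (not real log data)."""
    return json.dumps({"apiVersion": "audit.k8s.io/v1", "kind": "Event",
                       "stage": "ResponseComplete", "verb": verb,
                       "requestReceivedTimestamp": "2024-01-01T00:00:00.000000Z",
                       "user": {"username": user}, "responseStatus": {"code": code},
                       "objectRef": {"resource": resource, "namespace": namespace, "name": name}})

# Constructed events; every user and object name here is made up.
SAMPLE = [
    sample_event("alice", "get", "redhat-rhoam-example", "pods", "p1", 200),
    sample_event("bob", "patch", "redhat-rhoam-example", "deployments", "d1", 200),
    sample_event("carol", "delete", "redhat-rhoam-example", "secrets", "s1", 403),
    sample_event("system:serviceaccount:redhat-rhoam-example:op", "update",
                 "redhat-rhoam-example", "configmaps", "c1", 200),
    sample_event("bob", "update", "customer-app", "configmaps", "c2", 200),
]

if __name__ == "__main__":
    for finding in managed_namespace_writes(SAMPLE):
        print(finding)
```

An "applied" finding marks a change that may need to be reverted to the base configuration; a "rejected" finding shows an attempt that the default access restriction blocked.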
The Red Hat managed services inherit the security and compliance protocols from the OpenShift Dedicated environment. As such, ISO 27001 and PCI certifications are in process, with future work planned for FedRAMP.
Platform Logging & API Metrics
If you enable the optional OpenShift Dedicated logging stack, the Red Hat OpenShift API Management service logs will be available in the cluster logging stack. Retention and visibility are maintained in the OpenShift Dedicated logging stack. For more information, please refer to the OpenShift Dedicated Service Definition.
Red Hat OpenShift API Management-specific metrics are retained for a maximum of 45 days or up to 50GiB of storage - whichever is reached first. Currently, there is no way to extend this time period or storage limit.
User Workload Monitoring
If the User Workload Monitoring feature of managed OpenShift is enabled and Red Hat OpenShift API Management is installed, users will receive false alerts.
Scalability and Service Levels
There are a number of subscriptions with associated message quotas available to meet your needs. At this time, you can deploy a single Red Hat OpenShift API Management service on each cluster and must choose a single subscription accordingly. You cannot add multiple subscriptions to increase the quota on an individual cluster.
While the subscription levels are purchased based on a daily total request rate, each subscription is monitored, and the quota is based on the number of calls per minute. Please refer to the following table (Table 1) for the breakdown:
Table 1: Subscription levels and associated quotas
|Subscription level||Maximum throughput|
|100 Thousand API calls per day||69.4 API calls per minute|
|1 Million API calls per day||695 API calls per minute|
|5 Million API calls per day||3473 API calls per minute|
|10 Million API calls per day||6945 API calls per minute|
|20 Million API calls per day||13889 API calls per minute|
|50 Million API calls per day||34723 API calls per minute|
|100 Million API calls per day||69444 API calls per minute|
Red Hat has specified the compute resources based on an average payload size of 1MB. Your APIs can have different payload sizes which will impact your overall performance and throughput. You are encouraged to run performance tests to validate actual throughput based on your specific APIs and custom API payloads.
You will be notified via email as you approach the maximum throughput for your subscription, as defined in Table 1: Subscription levels and associated quotas.
It is important to note that API calls routed through self-managed APIcast instances also count toward the total quota.
The benchmark is based on the following:
- Lightweight customer-like application (no heavy computation)
- 10% of requests are for authentication
- 45% of requests are GETs against 3scale APIcast
- 45% of requests are POSTs against 3scale APIcast
- POST requests payload up to 1MB
- Use of production APIcast server
NOTE: Red Hat does not support an equivalent load on the staging APIcast. Performance testing should use the production APIcast.
When you install and configure the Red Hat OpenShift API Management service it is automatically distributed to your OpenShift Dedicated compute nodes. Currently, it is not possible to manage the distribution of the Red Hat OpenShift API Management service to specific nodes.
If you have purchased a Multi-AZ OpenShift Dedicated cluster instance, the managed service will automatically be spread across multiple availability zones to minimize service disruptions. For more information on Multi-AZ please refer to the Availability section.
The following tables detail the resource requirements for each of the Red Hat OpenShift API Management supported SKUs.
Table 2: Approximate AWS resource requirements for Single-AZ
|100 Thousand API Calls||11 Reserved||24 GiB Reserved||50GiB Reserved|
|1 Million API Calls||11 Reserved||24 GiB Reserved||50GiB Reserved|
|5 Million API Calls||12 Reserved||25 GiB Reserved||50GiB Reserved|
|10 Million API Calls||13 Reserved||25 GiB Reserved||50GiB Reserved|
|20 Million API Calls||14 Reserved||27 GiB Reserved||50GiB Reserved|
|50 Million API Calls||19 Reserved||28 GiB Reserved||50GiB Reserved|
|100 Million API Calls||25 Reserved||32 GiB Reserved||50GiB Reserved|
Table 3: Approximate AWS resource requirements for Multi-AZ (presumes 3 zones) - Total vCPU
|1 Million API Calls||11 Reserved||24 GiB Reserved, 36 GiB Recommended*||(50GiB Reserved per AZ)|
|5 Million API Calls||12 Reserved||25 GiB Reserved, 38 GiB Recommended*||(50GiB Reserved per AZ)|
|10 Million API Calls||13 Reserved||25 GiB Reserved, 38 GiB Recommended*||(50GiB Reserved per AZ)|
|20 Million API Calls||14 Reserved||27 GiB Reserved, 41 GiB Recommended*||(50GiB Reserved per AZ)|
|50 Million API Calls||19 Reserved||28 GiB Reserved, 41 GiB Recommended*||(50GiB Reserved per AZ)|
|100 Million API Calls||25 Reserved||32 GiB Reserved, 48 GiB Recommended*||(50GiB Reserved per AZ)|
* The additional vCPU and memory for 3 availability zones are to ensure total throughput in the event of a zone loss. The remaining two zones need enough resources to fulfill the demand for the API service.
NOTE: If you install the API Management service on a cluster, it is configured to take resource priority over other customer workloads. Specifically, other pods will be a lower priority and can be stopped to free space for the API Management service according to the table above. To avoid this, please ensure that you have allocated enough compute resources to your OpenShift Dedicated cluster.
If you are a Customer Cloud Subscription (CCS) user, it is important to note that Red Hat leverages AWS Multi-AZ services for Redis and Postgres, including the associated backups. These are required and consume resources from your AWS account as follows:
- Red Hat creates a new VPC and peers it to the cluster default VPC. This VPC contains Red Hat's AWS service instances. The CIDR range for this VPC can be specified at installation.
- 3 cache.t3.micro instances (2 AZs Enabled)
- 3 db.t3.small instances for Postgres (2 AZs Enabled)
- 20GiB of AWS Storage by default auto-scaling to 100 GiB (3 RDS 20GiB each across 2 AZ = 120GiB)
- S3 buckets for metrics/backups - Size dependent on consumption
Encryption is enabled by default for data at rest for Redis, Postgres and their backups.
NOTE: The CIDR prefix length range must be between /26. Only CIDR values within this range are permitted. You can use 10.1.0.0/26 as the default CIDR range. The CIDR range must not overlap with any network you would like to peer with in the OpenShift cluster VPC. After submitting the initial configuration, you cannot modify the CIDR range. If you want to change the CIDR range, you must delete and reinstall Red Hat OpenShift API Management.
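Because the CIDR range cannot be changed after installation, it is worth checking a candidate value before submitting it. The following is an added example, not Red Hat's code. It reads /26 as the longest permitted prefix, which is an assumption; the function name, the optional `shortest_prefix` parameter (the other end of the range, which this page does not state) and the sample networks are constructed.

```python
import ipaddress

LONGEST_PREFIX = 26  # "/26" is the bound stated on this page

def check_rhoam_vpc_cidr(candidate, networks_to_avoid, shortest_prefix=None):
    """Return a list of problems with `candidate`; an empty list means it passed.

    shortest_prefix is the other end of the permitted range. It is only
    checked when the caller supplies it (assumption of this example).
    """
    try:
        # strict=True rejects host bits: 10.1.0.5/26 is not a network address
        net = ipaddress.ip_network(candidate, strict=True)
    except ValueError as exc:
        return [f"{candidate}: not a valid network ({exc})"]
    problems = []
    if net.prefixlen > LONGEST_PREFIX:
        problems.append(f"{net}: prefix /{net.prefixlen} is longer than /{LONGEST_PREFIX}")
    if shortest_prefix is not None and net.prefixlen < shortest_prefix:
        problems.append(f"{net}: prefix /{net.prefixlen} is shorter than /{shortest_prefix}")
    for other in networks_to_avoid:
        other_net = ipaddress.ip_network(other, strict=False)
        # overlaps() is true when either network contains part of the other
        if net.overlaps(other_net):
            problems.append(f"{net}: overlaps {other_net}")
    return problems

# Constructed sample: networks the cluster VPC already uses or peers with.
CLUSTER_NETWORKS = ["10.0.0.0/16", "10.128.0.0/14", "172.30.0.0/16"]

if __name__ == "__main__":
    for cidr in ("10.1.0.0/26", "10.0.3.0/26", "10.1.0.0/28", "10.1.0.5/26"):
        print(cidr, check_rhoam_vpc_cidr(cidr, CLUSTER_NETWORKS) or "ok")
```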
NOTE: Red Hat OpenShift API Management supports bring-your-own VPC (BYOVPC) configurations. Single-AZ, Multi-AZ, and PrivateLink Multi-AZ installations are supported.
NOTE: For CCS consumers, Red Hat reserves the right to increase the resources required to meet the SLAs of our service. It is expected that the customer will be notified of the increase. To modify your subscription level, please contact your account representative directly or visit www.redhat.com/en/contact to submit a request.
NOTE: Changes to the subscription level or quota updates may affect the Redis cache and result in a minor disruption to your Red Hat OpenShift API Management service.
Ensure that the minimum resource requirements for the Red Hat OpenShift API Management service are met at all times on clusters that have autoscaling features enabled. To achieve this, configure the autoscaler so that the cluster has enough resources to satisfy Red Hat OpenShift API Management minimum requirements when the cluster is scaled to the maximum allowable number of nodes.
Updates and Upgrades
Upgrades of the Managed API product will be scheduled with the customer and rolled out by our SRE team.
Non-customer-impacting upgrades and critical CVEs to our management platform will be automatically rolled out to clusters by our SRE team.
OpenShift Version Support
Red Hat OpenShift API Management is validated against the current version and the version immediately preceding the current version, of the managed OpenShift service only. In the event an issue arises relating to OpenShift API Management where an older version of the OpenShift service is in use, customers are advised to upgrade to a supported version.
Red Hat maintains a 99.95% availability for its managed services, including the underlying OpenShift Dedicated managed environment. For more information, refer to Appendix 4 (Online Subscription Services) of the Red Hat Enterprise Agreements.
Multi-AZ High Availability (HA) deployments are supported if the underlying cluster is configured to be Multi-AZ. In order to support a Multi-AZ HA deployment, the Red Hat OpenShift API Management service is deployed with multiple replicas of the pods that make up the service. These pods are given a set of pod anti-affinity rules that influence the Kubernetes scheduler and should avoid scheduling them on nodes within the same AZ. Additionally, Red Hat has raised the priority of these pods using pod priority, to ensure the Kubernetes scheduler takes the managed service scheduling needs into consideration ahead of other non-infrastructure pods on the cluster.
Backups and Disaster Recovery
In addition to the daily backups that occur in the OpenShift Dedicated environment, additional snapshots are taken of the managed API service, including its data and configurations. In the event of a catastrophic failure, Red Hat SREs will use a commercially reasonable approach to first recover your OpenShift Dedicated environment, and then your Managed API service.
Managed Service Removal
The Red Hat OpenShift API Management Service may be removed by the customer from their cluster via the standard add-on deletion flows. Note that once this operation is invoked, it cannot be undone. Deletion includes the automatic removal of all Red Hat OpenShift API Management add-on data and backups.
As a premium offering by Red Hat, you have full access to the Red Hat Customer Portal with 24x7 production and developer-level support. To achieve the best resolutions, file a ticket whenever you have a question or issue. When opening a support case for the Red Hat OpenShift API Management Service, select the product named “Red Hat OpenShift API Management Service”.
Refer to the Support Matrix for more information.
The "Configuring IDP" link is broken: https://access.redhat.com/documentation/en-us/openshift_dedicated/4/html-single/authentication/index#configuring-identity-providers