Chapter 7. Installing the 3scale Operator on OpenShift


3scale supports the last two general availability (GA) releases of OpenShift Container Platform (OCP). For more information, see the Red Hat 3scale API Management Supported Configurations page.

This documentation shows you how to:

  • Create a new project.
  • Deploy a Red Hat 3scale API Management instance.
  • Create the threescale-registry-auth secret in the project.
  • Install the 3scale operator through Operator Lifecycle Manager (OLM).
  • Deploy the custom resources once the operator has been deployed.



Deploy the 3scale operator and custom resource definitions (CRDs) in a separate newly created, empty project. If you deploy them in an existing project containing infrastructure, it could alter or delete existing elements.

To install the 3scale operator on OpenShift, perform the steps outlined in the following sections:

7.1. Creating a new OpenShift project

This procedure explains how to create a new OpenShift project named 3scale-project. Replace this project name with your own.


To create a new OpenShift project:

  • Indicate a valid name using alphanumeric characters and dashes. As an example, run the command below to create 3scale-project:

    oc new-project 3scale-project

This creates the new OpenShift project where the operator, the APIManager custom resource (CR), and the Capabilities custom resources will be installed. The operator manages the custom resources through OLM in that project.

7.2. Installing and configuring the 3scale operator using the OLM

Use Operator Lifecycle Manager (OLM) to install the 3scale operator on an OpenShift Container Platform (OCP) 4.3 cluster through the OperatorHub in the OCP console.




  1. In the OpenShift Container Platform console, log in using an account with administrator privileges.
  2. The menu structure depends on the version of OpenShift you are using:

    • Click Operators > OperatorHub
  3. In the Filter by keyword box, type 3scale operator to find the 3scale operator.
  4. Click the 3scale operator. Information about the Operator is displayed.
  5. Read the information about the operator and click Install. The Create Operator Subscription page opens.
  6. On the Create Operator Subscription page, accept all of the default selections and click Subscribe.


    The operator will only be available in the specific single namespace on the cluster that you have selected.

    The 3scale-operator details page is displayed, where you can see the Subscription Overview.

  7. Confirm that the subscription upgrade status is shown as Up to date.
  8. Verify that the 3scale operator ClusterServiceVersion (CSV) is displayed, and the Status of the operator ultimately resolves to InstallSucceeded in the project you defined in Creating a new OpenShift project:

    • Click Operators > Installed Operators. In this case, successful installation will register the APIManager CRD, and the CRDs related to the Capabilities functionality of the operator in the OpenShift API server.
  9. After successful installation, query the resource types defined by the CRDs via oc get.

    1. For example, to verify that the APIManager CRD has been correctly registered, execute the following command:

      oc get apimanagers
  10. You should see the following output:

    No resources found.

7.2.1. Allowing domains on restricted networks


When configuring the 3scale operator on restricted networks, database images are missing and will not be automatically mirrored. They must be mirrored manually. Refer to the OCP documentation guide on Using Operator Lifecycle Manager on restricted networks.

To manually mirror database images, do the following:

  • Find the images you need to mirror.
  • Use the oc image mirror command to mirror the images to the bastion registry.
  • Create an imageContentSourcePolicy object in OCP to make the mirrored images recognized.


  1. Create a file with the following contents and name it databases_images.txt:<BASTION_REGISTRY>/threescale-db/redis-32-rhel7<BASTION_REGISTRY>/threescale-db/postgresql-10-rhel7<BASTION_REGISTRY>/threescale-db/mysql-57-rhel7

    The BASTION_REGISTRY is the address of your bastion registry concrete digest (sha256:), which may differ.

  2. Get your bastion registry concrete digest by invoking bastion registry in the OCP project where you already deployed the 3scale operator using OLM:

    oc get csv 3scale-operator.v0.6.0 -o yaml | grep 'redis-32-rhel7\|postgresql-10-rhel7\|mysql-57-rhel7'
  3. Run the command below. In this case, REG_CREDS_FILE is the file containing Docker-like formatted registry credentials for and their bastion registry.

    oc image mirror -f databases_images.txt -a <REG_CREDS_FILE>
  4. Create the following file additional-dbs-icspolicy.yml:

    kind: ImageContentSourcePolicy
      name: additional-threescale-dbs
      - mirrors:
        - <bastion registry>/threescale-db/redis-32-rhel7
      - mirrors:
        - <bastion registry>/threescale-db/postgresql-10-rhel7
      - mirrors:
        - <bastion registry>/threescale-db/mysql-57-rhel7
  5. Run the following command:

    oc create -f additional-dbs-icspolicy.yml

    This command will restart all OCP cluster nodes one after another. Wait for all nodes to restart.

  6. Run the following command to see the status of each node. Every node must be in ready state.

    oc get nodes

When you are creating the threescale-registry-auth secret for the apimanager object, include the secret credentials for your bastion registry so that the 3scale operator pulls the mirrored images.

Continue with creating the apimanager object according to the Installing and configuring the 3scale operator using the OLM documentation.

Additionally, while using OCP on restricted networks, you will need to create a list of the allowed domains you intend to use in the 3scale Developer Portal. Consider the following examples:

  • Any link you intend to add to the Developer Portal.
  • SSO integrations through third party SSO providers such as GitHub.
  • Billing.
  • Webhooks that trigger an external URL.

7.2.2. Restrictions in disconnected environments

The following list outlines current restrictions in a disconnected environment for 3scale 2.9:

  • The GitHub login to the Developer Portal is not available.
  • Support links are not operational.
  • Links to external documentation are not operational.
  • The validator for the OpenAPI Specification (OAS) in the Developer Portal is not operational, affecting links to external services.
  • In the product Overview page in ActiveDocs, links to OAS are not operational.

    • It is also necessary check the option Skip swagger validations when you create a new ActiveDocs specification.

Additional resources