Chapter 7. Installing the 3scale Operator on OpenShift

Note

3scale supports the last two general availability (GA) releases of OpenShift Container Platform (OCP). For more information, see the Red Hat 3scale API Management Supported Configurations page.

This documentation shows you how to:

  • Create a new project.
  • Deploy a Red Hat 3scale API Management instance.
  • Create the threescale-registry-auth secret in the project.
  • Install the 3scale operator through Operator Lifecycle Manager (OLM).
  • Deploy the custom resources once the operator has been deployed.

Prerequisites

Warning

Deploy the 3scale operator and custom resource definitions (CRDs) in a separate newly created, empty project. If you deploy them in an existing project containing infrastructure, it could alter or delete existing elements.

To install the 3scale operator on OpenShift, perform the steps outlined in the following sections:

7.1. Creating a new OpenShift project

This procedure explains how to create a new OpenShift project named 3scale-project. Replace this project name with your own.

Procedure

To create a new OpenShift project:

  • Indicate a valid name using alphanumeric characters and dashes. As an example, run the command below to create 3scale-project:

    oc new-project 3scale-project

This creates the new OpenShift project where the operator, the APIManager custom resource (CR), and the Capabilities custom resources will be installed. The operator manages the custom resources through OLM in that project.

7.2. Installing and configuring the 3scale operator using the OLM

Use Operator Lifecycle Manager (OLM) to install the 3scale operator on an OpenShift Container Platform (OCP) 4.3 cluster through the OperatorHub in the OCP console.

Note

Prerequisites

Procedure

  1. In the OpenShift Container Platform console, log in using an account with administrator privileges.
  2. The menu structure depends on the version of OpenShift you are using:

    • Click Operators > OperatorHub
  3. In the Filter by keyword box, type 3scale operator to find the 3scale operator.
  4. Click the 3scale operator. Information about the Operator is displayed.
  5. Read the information about the operator and click Install. The Create Operator Subscription page opens.
  6. On the Create Operator Subscription page, accept all of the default selections and click Subscribe.

    Note

    The operator will only be available in the specific single namespace on the cluster that you have selected.

    The 3scale-operator details page is displayed, where you can see the Subscription Overview.

  7. Confirm that the subscription upgrade status is shown as Up to date.
  8. Verify that the 3scale operator ClusterServiceVersion (CSV) is displayed, and the Status of the operator ultimately resolves to InstallSucceeded in the project you defined in Creating a new OpenShift project:

    • Click Operators > Installed Operators. In this case, successful installation will register the APIManager CRD, and the CRDs related to the Capabilities functionality of the operator in the OpenShift API server.
  9. After successful installation, query the resource types defined by the CRDs via oc get.

    1. For example, to verify that the APIManager CRD has been correctly registered, execute the following command:

      oc get apimanagers
  10. You should see the following output:

    No resources found.

7.2.1. Allowing domains on restricted networks

Important

When configuring the 3scale operator on restricted networks, database images are missing and will not be automatically mirrored. They must be mirrored manually. Refer to the OCP documentation guide on Using Operator Lifecycle Manager on restricted networks.

To manually mirror database images, do the following:

  • Find the images you need to mirror.
  • Use the oc image mirror command to mirror the images to the bastion registry.
  • Create an imageContentSourcePolicy object in OCP to make the mirrored images recognized.

Procedure

  1. Create a file with the following contents and name it databases_images.txt:

    registry.redhat.io/rhscl/redis-32-rhel7@sha256:a9bdf52384a222635efc0284db47d12fbde8c3d0fcb66517ba8eefad1d4e9dc9=<BASTION_REGISTRY>/threescale-db/redis-32-rhel7
    
    registry.redhat.io/rhscl/postgresql-10-rhel7@sha256:de3ab628b403dc5eed986a7f392c34687bddafee7bdfccfd65cecf137ade3dfd=<BASTION_REGISTRY>/threescale-db/postgresql-10-rhel7
    
    registry.redhat.io/rhscl/mysql-57-rhel7@sha256:9a781abe7581cc141e14a7e404ec34125b3e89c008b14f4e7b41e094fd3049fe=<BASTION_REGISTRY>/threescale-db/mysql-57-rhel7

    The BASTION_REGISTRY is the address of your bastion registry concrete digest (sha256:), which may differ.

  2. Get your bastion registry concrete digest by invoking bastion registry in the OCP project where you already deployed the 3scale operator using OLM:

    oc get csv 3scale-operator.v0.6.0 -o yaml | grep 'redis-32-rhel7\|postgresql-10-rhel7\|mysql-57-rhel7'
  3. Run the command below. In this case, REG_CREDS_FILE is the file containing Docker-like formatted registry credentials for registry.redhat.io and their bastion registry.

    oc image mirror -f databases_images.txt -a <REG_CREDS_FILE>
  4. Create the following file additional-dbs-icspolicy.yml:

    apiVersion: operator.openshift.io/v1alpha1
    kind: ImageContentSourcePolicy
    metadata:
      name: additional-threescale-dbs
    spec:
      repositoryDigestMirrors:
      - mirrors:
        - <bastion registry>/threescale-db/redis-32-rhel7
        source: registry.redhat.io/rhscl/redis-32-rhel7
      - mirrors:
        - <bastion registry>/threescale-db/postgresql-10-rhel7
        source: registry.redhat.io/rhscl/postgresql-10-rhel7
      - mirrors:
        - <bastion registry>/threescale-db/mysql-57-rhel7
        source: registry.redhat.io/rhscl/mysql-57-rhel7
  5. Run the following command:

    oc create -f additional-dbs-icspolicy.yml

    This command will restart all OCP cluster nodes one after another. Wait for all nodes to restart.

  6. Run the following command to see the status of each node. Every node must be in ready state.

    oc get nodes

When you are creating the threescale-registry-auth secret for the apimanager object, include the secret credentials for your bastion registry so that the 3scale operator pulls the mirrored images.

Continue with creating the apimanager object according to the Installing and configuring the 3scale operator using the OLM documentation.

Additionally, while using OCP on restricted networks, you will need to create a list of the allowed domains you intend to use in the 3scale Developer Portal. Consider the following examples:

  • Any link you intend to add to the Developer Portal.
  • SSO integrations through third party SSO providers such as GitHub.
  • Billing.
  • Webhooks that trigger an external URL.

Additional resources