Chapter 2. Managing Fuse Online on OCP

After you install Fuse Online on OpenShift Container Platform (OCP) on-site, you can configure it to:

  • Bypass OpenShift access authorization
  • Make APIs for API provider integrations discoverable in Red Hat 3scale

As needed, you can upgrade Fuse Online, uninstall Fuse Online, or delete an OCP project that contains Fuse Online.

See the following topics for details:

2.1. Bypassing the OpenShift access authorization page

By default, when users access Fuse Online, they need to log in to OpenShift and then authorize access from Fuse Online to their OpenShift account. If you want to, you can configure OpenShift so that users bypass the page that prompts for access authorization.

To do this, a cluster administrator creates an OAuthClient resource. Then the administrator, or any user with permission to modify objects in the namespace in which Fuse Online is installed, updates the syndesis-oauthproxy DeploymentConfig resource. The update changes the container arguments to refer to the OAuth client ID and secret in the OAuthClient resource.

Prerequisites

  • Fuse Online is installed on OCP on-site.
  • A user with an OpenShift account that has the privileges that are associated with members of the system:cluster-admins group must create an OAuthClient resource. To obtain a list of the accounts that have this ability, run:

    oc policy who-can create OAuthClient

Procedure

  1. Create an OAuthClient resource with the following content and format:

    apiVersion: oauth.openshift.io/v1
    kind: OAuthClient
    grantMethod: auto
    metadata:
      name: ${CLIENT_ID}
    redirectURIs:
    - https://${ROUTE_HOSTNAME}/oauth/callback
    secret: ${SECRET}

  2. In the OAuthClient resource:

    1. Replace ${CLIENT_ID} with a unique string that distinguishes a particular Fuse Online installation. For example, you might prefix the OpenShift namespace in which Fuse Online is installed: fuse-online-proj123456.

      Or, you might specify something like fuse-online-1. Typically, a name that indicates where the resource is used is most helpful. Then when an administrator lists OAuth clients, the purpose of each client is clear.

    2. Replace ${ROUTE_HOSTNAME} with the fully qualified hostname that is configured for the Fuse Online route. For example, fuse-online.mycorp.com.
    3. Replace ${SECRET} with a sequence of random alphanumeric characters that will be used to authenticate Fuse Online requests to OpenShift.

      For example:

    apiVersion: oauth.openshift.io/v1
    kind: OAuthClient
    grantMethod: auto
    metadata:
      name: fuse-online-1
    redirectURIs:
    - https://fuse-online.mycorp.com/oauth/callback
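    secret: lFCbZTwrTOdZi1h86azxoixXkN7wnsUf3gjoSKbb

  3. Run the following command to update the syndesis-oauthproxy DeploymentConfig resource. In the command, $CLIENT_ID and $CLIENT_SECRET are shell variables; before you run it, set them to the name and the secret that you specified in the OAuthClient resource: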

    oc patch dc syndesis-oauthproxy --type json --patch "[{\"op\": \"replace\", \"path\": \"/spec/template/spec/containers/0/args/1\", \"value\": \"--client-id=$CLIENT_ID\"}, {\"op\": \"replace\", \"path\": \"/spec/template/spec/containers/0/args/2\", \"value\": \"--client-secret=$CLIENT_SECRET\"}]"

    When you installed Fuse Online, the installation script created the syndesis-oauthproxy DeploymentConfig resource. This oc patch command updates the resource so that its container arguments refer to the OAuth client ID and the OAuth secret defined in the new OAuthClient resource. For example, the updated resource looks like this:

    apiVersion: apps.openshift.io/v1
    kind: DeploymentConfig
    metadata:
      name: syndesis-oauthproxy
    spec:
      template:
        spec:
          containers:
          - args:
            - --client-id=fuse-online-1
            - --client-secret=lFCbZTwrTOdZi1h86azxoixXkN7wnsUf3gjoSKbb

Result

When users try to display the Fuse Online console, they log in to OpenShift and the Fuse Online console displays in the browser. The user does not have to authorize access from Fuse Online to OpenShift.
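
Steps 1 through 3 as a script, added here as an example (it is not part of the Fuse Online documentation or install scripts): it draws the secret from /dev/urandom, renders the manifest, and checks that args/1 still holds --client-id before the positional patch replaces it. The function names and the use of oc create -f - to create the resource are assumptions; the client name and hostname are the page's example values.

```shell
#!/usr/bin/env bash
# Added example: helpers for section 2.1 (hypothetical function names).

# 40 random alphanumeric characters drawn from /dev/urandom.
gen_secret() {
  local s
  s=$(head -c 2048 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c1-40)
  [ "${#s}" -eq 40 ] || return 1
  printf '%s' "$s"
}

# Render the OAuthClient manifest. With grantMethod: auto there is no consent
# page, so the redirect URI must name exactly the Fuse Online route host.
render_oauthclient() {  # args: client_id route_hostname secret
  case "$2" in
    ''|*[!A-Za-z0-9.-]*) echo "invalid route hostname: $2" >&2; return 1 ;;
  esac
  cat <<EOF
apiVersion: oauth.openshift.io/v1
kind: OAuthClient
grantMethod: auto
metadata:
  name: $1
redirectURIs:
- https://$2/oauth/callback
secret: $3
EOF
}

# The patch replaces args by position, so confirm what the slot holds first.
slot_holds() {  # args: current_value flag_name
  case "$1" in "$2"=*) return 0 ;; *) return 1 ;; esac
}

# Same JSON patch as the oc patch command in step 3 (values need no escaping
# because the client ID and secret contain only letters, digits and hyphens).
build_patch() {  # args: client_id secret
  local base=/spec/template/spec/containers/0/args
  printf '[{"op":"replace","path":"%s/1","value":"--client-id=%s"},' "$base" "$1"
  printf '{"op":"replace","path":"%s/2","value":"--client-secret=%s"}]' "$base" "$2"
}

# Usage against a cluster, from the project where Fuse Online is installed:
#   CLIENT_ID=fuse-online-1; CLIENT_SECRET=$(gen_secret)
#   render_oauthclient "$CLIENT_ID" fuse-online.mycorp.com "$CLIENT_SECRET" | oc create -f -
#   cur=$(oc get dc syndesis-oauthproxy -o jsonpath='{.spec.template.spec.containers[0].args[1]}')
#   slot_holds "$cur" --client-id && oc patch dc syndesis-oauthproxy --type json \
#     --patch "$(build_patch "$CLIENT_ID" "$CLIENT_SECRET")"
```

The secret ends up in the container arguments of the DeploymentConfig, so anyone who can read that object in the project can read the secret.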

2.2. Configuring Fuse Online to enable 3scale discovery of APIs

If you create an API provider integration, you might want to enable discovery of the API for that integration in 3scale. For Fuse Online environments that are installed on OCP, a user with cluster administration permissions can enable 3scale discovery of APIs by setting a Fuse Online server configuration environment variable.

The default behavior is that APIs are not exposed for automatic discovery in 3scale. Turning on 3scale service discovery applies to all API provider integrations in your Fuse Online environment. You cannot choose which APIs are discoverable.

When 3scale service discovery is turned on:

  • Fuse Online does not provide an external URL for an API provider integration that is running.
  • The API is accessible only through 3scale. Configuration in 3scale is required to expose the endpoint. For details, see Red Hat 3scale API Management, Service Discovery.

Prerequisites

  • Fuse Online is installed on OCP on-site.
  • You have cluster administration permissions.

Procedure

Edit the syndesis-server DeploymentConfig object to set the CONTROLLERS_EXPOSE_VIA3SCALE environment variable to true. To do this, enter the following command on one line:

$ oc patch dc syndesis-server -p '{"spec":{"template":{"spec":{"containers":[{"name":"syndesis-server","env":[{"name":"CONTROLLERS_EXPOSE_VIA3SCALE","value":"true"}]}]}}}}'

2.3. Upgrading Fuse Online on OCP

To upgrade Fuse Online on OCP on-site, download the latest Fuse Online release and run the update script.

From time to time, fresh application images, which incorporate patches and security fixes, are released for Fuse Online. You are notified of these updates through Red Hat’s errata update channel. You can then upgrade your Fuse Online images.

The upgrade procedure for the following upgrades is the same:

  • From Fuse Online 7.3 to Fuse Online 7.4
  • From a Fuse Online 7.4 version to a newer Fuse Online 7.4 version

Prerequisites

  • You installed and are running version 7.3 of Fuse Online on OCP on-site. Or, you installed and are running a 7.4 version of Fuse Online on OCP on-site and you want to upgrade to fresh application images.

    If you are running version 7.2 of Fuse Online on OCP, then you must upgrade to 7.3 and then you can upgrade to 7.4.

    If you are running version 7.1 of Fuse Online on OCP, then you must upgrade to 7.2 and then 7.3, and then you can upgrade to 7.4.

  • You installed the oc client tool and it is connected to the OCP cluster in which Fuse Online is installed.
  • A user with cluster administration permissions gave you permission to install or upgrade Fuse Online in any project that you have permission to access in the cluster.
  • If you are upgrading from 7.3 to 7.4, you have a Red Hat developer account for which you know your user name and password. The upgrade script prompts you for these credentials so it can authenticate you against https://developers.redhat.com. For details about creating an account, see Accessing and Configuring the Red Hat Registry.

Procedure

  1. Download the package containing the Fuse Online installation scripts from the following location:

    https://github.com/syndesisio/fuse-online-install/releases/tag/1.7

    Unpack the downloaded archive at a convenient location on your file system. The fuse-online-install-1.7 directory contains the scripts and supporting files for upgrading Fuse Online.

  2. Change to the directory that contains the extracted archive. For example:

    $ cd fuse-online-install-1.7

  3. Log in to OpenShift with an account that has permission to upgrade Fuse Online. For example:

    $ oc login -u developer

  4. Invoke the following command, which returns the name of the current project, to ensure that the current project is the project where Fuse Online is installed:

    $ oc project

    If you need to switch to the project where Fuse Online is installed, invoke the following command with the name of the OpenShift project that contains Fuse Online:

    $ oc project project-name

  5. To check which version you are about to upgrade to, run the update script with the --version option, as follows:

    $ bash update_ocp.sh --version

  6. Invoke the update script as follows:

    $ bash update_ocp.sh

    To learn more about the script, invoke it with the --help option: bash update_ocp.sh --help

    During and after an infrastructure upgrade, existing integrations continue to run with the older versions of Fuse Online libraries and dependencies.

  7. Upgrade Fuse Online integrations that are running as follows:

    1. In Fuse Online, select the integration that you want to upgrade.
    2. Select Edit.
    3. Select Publish to republish the integration.

    Republishing the integration forces a rebuild that uses the latest Fuse Online dependencies.

2.4. Uninstalling Fuse Online from an OCP project

You can uninstall Fuse Online from an OCP project without deleting the project or anything else in that project. After uninstalling Fuse Online, integrations that are running continue to run, but you can no longer edit or republish them.

Prerequisites

  • You have an OCP project in which Fuse Online is installed.
  • You exported any integrations that you might want to use in some other OpenShift project in which Fuse Online is installed. If necessary, see Export integrations.

Procedure

Invoke the following command:

$ oc delete syndesis app

This command deletes the Fuse Online infrastructure.

2.5. Deleting an OCP project that contains Fuse Online

Deleting an OpenShift project in which Fuse Online is installed deletes everything in the project. This includes all integrations that have been defined as well as all integrations that are running.

Prerequisites

  • You have an OCP project in which Fuse Online is installed.
  • You exported any integrations that you might want to use in some other OpenShift project in which Fuse Online is installed. If necessary, see Exporting integrations.

Procedure

Invoke the oc delete project command. For example, to delete an OpenShift project whose name is fuseonline, enter the following command:

$ oc delete project fuseonline