Getting started with Red Hat OpenShift API Management

Guide
  • Red Hat OpenShift API Management 1
  • Updated 01 December 2020
  • Published 12 February 2021

  • Updated 12 February 2021
  • Published 08 December 2020

Red Hat OpenShift API Management is a managed API traffic control and program management service that is based on the Red Hat 3scale API Management platform and includes an implementation of Red Hat Single Sign-On. You can add OpenShift API Management to an existing OpenShift Dedicated cluster in the OpenShift Cluster Manager.

Introduction to Red Hat OpenShift API Management

Application Programming Interface (API) management refers to the processes of distributing, controlling, and analyzing the APIs that connect applications and data across cloud environments. You can streamline API management in a unified service by using Red Hat OpenShift API Management. OpenShift API Management is a managed service that is based on the Red Hat 3scale API Management platform and is available as an add-on in Red Hat OpenShift Dedicated. With OpenShift API Management you can secure, manage, and monitor APIs at every stage of the development lifecycle. Use OpenShift API Management to manage users, oversee the API gateway, and configure APIs for increased accessibility.

You can deploy Red Hat OpenShift API Management on AWS versions of OpenShift Dedicated. Red Hat OpenShift API Management includes capabilities of the following Red Hat products:

  • Red Hat Single Sign-On provides single sign-on (SSO) authentication to secure web applications.

  • Red Hat 3scale API Management is a management platform that allows users to share, secure, distribute, control, and monetize APIs. After setting up authentication and user accounts, OpenShift API Management developers (also referred to as API providers) can configure and publish 3scale API products.

The following actions are important to understand before you use Red Hat OpenShift API Management:

  • Configuring your identity provider to provision OpenShift Dedicated and secure APIs.

    The email address and the User Principal Name (UPN) must be paired for Red Hat Single Sign-On configured with OpenID to work between OpenShift and Red Hat 3scale API Management. The UPN and email must match, or the OpenID UPN and email fields must map to the username field and email field of the customer in the OpenShift IDP configuration.

  • Accessing the Red Hat OpenShift API Management service definition, to understand the features, considerations, limits, and alerts of OpenShift API Management.

  • Understanding the roles in Red Hat OpenShift API Management to recognize user permissions.

  • Accessing the workflows for Red Hat OpenShift API Management to understand how to create, secure, and publish APIs.

  • Setting the Classless Inter-Domain Routing (CIDR) block to ensure there is no overlap with any network that the Red Hat OpenShift API Management customer would like to peer with in the OpenShift cluster virtual private cloud (VPC). You can click the link in the OpenShift Cluster Manager to apply the default CIDR block, or you can provide a custom CIDR block. After submitting the initial configuration, you cannot modify the CIDR block. If you want to change the CIDR block, you must delete and reinstall Red Hat OpenShift API Management.

  • Optional: Creating a service control policy for Customer Cloud Subscription (CCS) users who must create an AWS OpenShift Dedicated cluster.

Adding OpenShift API Management to your cluster

You can add OpenShift API Management to an existing OpenShift Dedicated cluster in the OpenShift Cluster Manager to make the service available for use by API providers.

Prerequisites
  • You have provisioned an OpenShift Dedicated cluster that meets the product requirements for adding the OpenShift API Management service, as outlined in the Red Hat OpenShift API Management service definition.

  • You have configured your identity provider (IDP).

    Email addresses must match for Red Hat Single Sign-On configured with OpenID to work between OpenShift and Red Hat 3scale API Management. The User Principal Name (UPN) and email must match, or the OpenID UPN and email fields must map to the username field and email field of the customer in the OpenShift IDP configuration.

Procedure
  1. Enter the following URL in a browser:

    https://cloud.redhat.com

  2. Log in to your Red Hat account.

  3. Click Open on the Red Hat OpenShift Cluster Manager option. The OpenShift Cluster Manager console is displayed.

  4. In OpenShift Cluster Manager, click Clusters in the menu. A list of clusters in the console is displayed.

  5. Select a cluster from the list of clusters.

  6. Click the Add-ons tab.

  7. Click Install on the Red Hat OpenShift API Management option.

  8. Enter the CIDR block in the CIDR Range field.

    The CIDR block must not overlap with any network you would like to peer with in the OpenShift cluster VPC. If you do not specify a CIDR block, you can click the link in the OpenShift Cluster Manager to apply the default CIDR block. After submitting the initial configuration, you cannot modify the CIDR block. If you want to change the CIDR block, you must delete and reinstall Red Hat OpenShift API Management.

  9. In the Notification Email field, enter the email address you would like to receive OpenShift API Management service notifications.

  10. Click Install.
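
Because the CIDR block cannot be changed after installation, a candidate range can be checked against the networks you plan to peer with before it is entered in step 8. The following is an added example, not part of the Red Hat guide; the function name `check_cidr` and the peer network labels and ranges are constructed for illustration.

```python
import ipaddress

# Constructed sample data: networks you intend to peer with the cluster VPC.
PEER_NETWORKS = {
    "corp-vpc": "10.0.0.0/16",
    "data-vpc": "172.16.0.0/20",
    "on-prem": "192.168.0.0/16",
}

def check_cidr(candidate, peer_networks):
    """Return (ok, problems) for a candidate CIDR block.

    CIDR blocks never partially intersect: two blocks overlap only when they
    are equal or one contains the other, so each finding names which it is.
    """
    try:
        # strict=True rejects input with host bits set, e.g. 10.1.0.5/26.
        cand = ipaddress.ip_network(candidate.strip(), strict=True)
    except ValueError as exc:
        return False, [f"candidate {candidate!r} is not a valid CIDR block: {exc}"]

    problems = []
    for label, cidr in sorted(peer_networks.items()):
        try:
            peer = ipaddress.ip_network(cidr.strip(), strict=True)
        except ValueError as exc:
            problems.append(f"{label}: cannot parse {cidr!r}: {exc}")
            continue
        if peer.version != cand.version:
            continue  # IPv4 and IPv6 ranges cannot overlap
        if cand == peer:
            problems.append(f"{label}: {cand} is identical to the peer network")
        elif cand.subnet_of(peer):
            problems.append(f"{label}: {cand} lies inside {peer}")
        elif cand.supernet_of(peer):
            problems.append(f"{label}: {cand} contains {peer}")
    return (not problems), problems

if __name__ == "__main__":
    for block in ("10.1.0.0/26", "10.0.128.0/26", "172.16.0.0/12", "10.1.0.5/26"):
        ok, problems = check_cidr(block, PEER_NETWORKS)
        print(block, "OK" if ok else "REJECT")
        for p in problems:
            print("   ", p)
```
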

Verification
  1. Ensure Installed and a check mark are displayed on the Red Hat OpenShift API Management option.

    The Installed status is displayed before Red Hat OpenShift API Management is completely installed. To verify installation is complete, check the operator status in the console.

  2. Click View console to see the Red Hat OpenShift API Management operator details.

Accessing OpenShift API Management in your cluster

In OpenShift API Management you can create, secure, and publish APIs. You can access OpenShift API Management from the OpenShift application launcher in the OpenShift Dedicated web console.

Prerequisites
  • Red Hat OpenShift API Management was added to your OpenShift Dedicated cluster.

Procedure
  1. Enter the following URL in a browser:

    https://cloud.redhat.com

  2. Log in to your Red Hat account.

  3. Click Open on the Red Hat OpenShift Cluster Manager option. The OpenShift Cluster Manager console opens.

  4. In the OpenShift Cluster Manager, click Clusters in the menu.

  5. Select the cluster with OpenShift API Management installed from the list of clusters.

  6. Click the Add-ons tab.

  7. On the Red Hat OpenShift API Management option, click View in console. The Red Hat OpenShift Dedicated console opens.

  8. Click the application launcher in the OpenShift Dedicated console.

  9. Select OpenShift API Management from the OpenShift Managed Services drop-down menu. A new browser tab opens.

  10. Use Red Hat Single Sign-On to authenticate your login.

Roles in OpenShift API Management

OpenShift API Management includes administrator and developer roles. These roles determine the actions a user can perform.

All OpenShift API Management users belong to the rhoam-developers group. Additionally, administrators are members of the dedicated-admins group and are granted the dedicated-admin role in OpenShift Dedicated. Administrators are managed using the dedicated-admins group in the OpenShift Dedicated cluster and have elevated privileges in OpenShift API Management.
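
Since membership of dedicated-admins carries elevated privileges, it is worth reviewing that group against an approved list. The following is an added example, not part of the Red Hat guide: it assumes group data in the shape returned by `oc get groups -o json`, and the sample users, the approved list and the function names are constructed for illustration.

```python
import json

ADMIN_GROUP = "dedicated-admins"   # group name from the text above
DEV_GROUP = "rhoam-developers"     # group name from the text above

# Constructed sample in the shape of `oc get groups -o json` output.
SAMPLE_GROUPS_JSON = """
{"kind": "List", "items": [
  {"kind": "Group", "metadata": {"name": "dedicated-admins"},
   "users": ["alice@example.com", "carol@example.com"]},
  {"kind": "Group", "metadata": {"name": "rhoam-developers"},
   "users": ["alice@example.com", "bob@example.com"]},
  {"kind": "Group", "metadata": {"name": "empty-group"}, "users": null}
]}
"""

def group_members(groups_doc):
    """Map group name -> set of user names; a null `users` field means empty."""
    return {
        item["metadata"]["name"]: set(item.get("users") or [])
        for item in groups_doc.get("items", [])
    }

def audit_admins(groups_doc, approved_admins):
    """Compare dedicated-admins membership with an approved list (an assumption
    of this example) and with rhoam-developers, which all users should be in."""
    members = group_members(groups_doc)
    approved = set(approved_admins)
    admins = members.get(ADMIN_GROUP, set())
    devs = members.get(DEV_GROUP, set())
    return {
        "groups_missing": sorted({ADMIN_GROUP, DEV_GROUP} - set(members)),
        "unapproved_admins": sorted(admins - approved),
        "approved_but_absent": sorted(approved - admins),
        "admins_outside_dev_group": sorted(admins - devs),
    }

if __name__ == "__main__":
    report = audit_admins(json.loads(SAMPLE_GROUPS_JSON), ["alice@example.com"])
    for finding, names in report.items():
        print(f"{finding}: {names or 'none'}")
```
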

Administrator role

An administrator has rights to view and modify resources in OpenShift API Management and can assign cluster roles to control who has various access levels and permissions in OpenShift API Management, 3scale, and Red Hat Single Sign-On. Administrators in OpenShift API Management manage users and the API gateway, APIcast, which is the interface that handles calls to an API. The onboarding process creates an administrator with the highest level of access in OpenShift API Management and with admin privileges in 3scale.

As an administrator, you can perform the following tasks:

  • Red Hat Single Sign-On

    • Manage users and permissions in the master realm.

    • Create realms.

    • Administer user-created realms.

  • Red Hat 3scale API Management

    • Elevate permissions of developers to an administrator level.

    • Edit routes.

    • View pod logs in the 3scale namespace.

    • Create a product in the 3scale console.

Developer role

Developers have access to the services in OpenShift API Management. With the developer role, you can use the Single Sign-On instance to secure your applications and you have basic member access in 3scale. Developers, which are referred to as API providers in 3scale, make APIs accessible by adding them to OpenShift API Management, configuring their use, and publishing them.

As a developer, you can perform the following tasks:

An OpenShift API Management administrator can grant 3scale admin privileges to developers.

Granting 3scale administrator privileges to developers

As an administrator in OpenShift API Management, you also have admin privileges in 3scale. However, a user that is a developer in OpenShift API Management only has member privileges in 3scale and limited access to 3scale features.

An administrator must explicitly grant 3scale admin permissions to OpenShift API Management developers.

Prerequisites
  • You are an administrator in OpenShift API Management.

  • You have a developer you want to grant admin privileges to in 3scale.

Procedure
  1. Log in to the Red Hat 3scale API Management console Admin Portal.

  2. Click Dashboard.

  3. In the Dashboard drop-down menu, click Accounts Settings.

  4. In the menu, click Users > Listing. The Users page is displayed.

  5. Choose a user.

  6. Click Edit for the user whose permission you would like to modify. The Edit User page opens.

  7. In the ADMINISTRATIVE section of the Edit User page, choose Admin (full access) to grant admin privileges to the selected user.

  8. Click Update User.

Verification
  1. To validate, navigate to the Users page.

    1. In the menu, click Users > Listing.

  2. On the Users page, find the user whose permissions you modified.

  3. In the Role column, ensure admin is displayed in the row of the chosen user.

Additional resources