Adding and accessing Red Hat OpenShift API Management

Guide
  • Red Hat OpenShift API Management 1
  • Updated 26 December 2023
  • Published 08 December 2020

Red Hat OpenShift API Management is a managed API traffic control and program management service based on the Red Hat 3scale API Management platform. It includes an implementation of Red Hat Single Sign-On. You can add OpenShift API Management to an existing OpenShift Dedicated or ROSA cluster in the OpenShift Cluster Manager.

Introduction to Red Hat OpenShift API Management

Application Programming Interface (API) management refers to the processes of distributing, controlling, and analyzing the APIs that connect applications and data across cloud environments. You can streamline API management in a unified service by using Red Hat OpenShift API Management.

Red Hat OpenShift API Management is a managed service that is based on the Red Hat 3scale API Management platform and is available as an add-on in Red Hat OpenShift Dedicated. With OpenShift API Management you can secure, manage, and monitor APIs at every stage of the development lifecycle. Use OpenShift API Management to manage users, oversee the API gateway, and configure APIs for increased accessibility.

You can deploy Red Hat OpenShift API Management on Amazon Web Services (AWS) versions of OpenShift Dedicated and the Red Hat OpenShift Service on AWS. OpenShift API Management includes capabilities of the following Red Hat products:

  • Red Hat Single Sign-On provides single sign-on (SSO) authentication to secure web applications.

  • Red Hat 3scale API Management is a management platform that allows users to share, secure, distribute, control, and monetize APIs. After setting up authentication and user accounts, OpenShift API Management developers, also referred to as API providers, can configure and publish 3scale API products.

The following actions are important to understand before you use Red Hat OpenShift API Management:

  • Configuring your identity provider to provision OpenShift Dedicated and secure APIs.

    The email address and the User Principal Name (UPN) must be paired for Red Hat Single Sign-On configured with OpenID to work between OpenShift and Red Hat 3scale API Management. The UPN and email must match or the OpenID UPN and email fields must map to the username field and email field of the customer in the OpenShift IDP configuration.
  • Accessing the Red Hat OpenShift API Management service definition, to understand the features, considerations, limits, and alerts of OpenShift API Management.

  • Understanding the roles in Red Hat OpenShift API Management to recognize user permissions.

  • Accessing the workflows for Red Hat OpenShift API Management to understand how to create, secure, and publish APIs.

  • Setting the Classless Inter-Domain Routing (CIDR) block to ensure there is no overlap with any network that the Red Hat OpenShift API Management customer would like to peer with in the OpenShift cluster virtual private cloud (VPC). You can click the link in the OpenShift Cluster Manager to apply the default CIDR block, or you can provide a custom CIDR block. After submitting the initial configuration, you cannot modify the CIDR block. If you want to change the CIDR block, you must delete and reinstall Red Hat OpenShift API Management.

  • Optional: Creating a service control policy for Customer Cloud Subscription (CCS) users who must create an AWS OpenShift Dedicated cluster.

Adding OpenShift API Management to your cluster

Red Hat OpenShift API Management can be added to a Red Hat OpenShift Dedicated cluster or a Red Hat OpenShift Service on AWS cluster. You can use the OpenShift Cluster Manager to add OpenShift API Management to an existing Red Hat OpenShift Dedicated cluster, to make the service available for use by API providers.

Prerequisites
  • You have provisioned an OpenShift Dedicated cluster or an ROSA cluster that meets the product requirements for adding the OpenShift API Management service, as outlined in the Red Hat OpenShift API Management service definition.

    You cannot use the Red Hat OpenShift Cluster Manager to add the Red Hat OpenShift API Management to a Red Hat OpenShift Service on AWS cluster. You must use the CLI to add Red Hat OpenShift API Management to a Red Hat OpenShift Service on AWS cluster.
  • You have configured your identity provider (IDP).

    Email addresses must match for Red Hat Single Sign-On configured with OpenID to work between OpenShift and Red Hat 3scale API Management. The User Principal Name (UPN) and email must match or the OpenID UPN and email fields must map to the username field and email field of the customer in the OpenShift IDP configuration.
Procedure
  1. Enter the following URL in a browser:

    https://console.redhat.com
  2. Log in to your Red Hat account.

  3. Click All apps and services and then click API Management from the drop-down menu. The OpenShift Cluster Manager console is displayed.

  4. In OpenShift Cluster Manager, click Clusters in the menu. A list of clusters in the console is displayed.

  5. Select a cluster from the list of clusters.

  6. Click the Add-ons tab.

  7. Select the Red Hat OpenShift API Management option.

  8. Click Install on the Red Hat OpenShift API Management option.

  9. Enter the CIDR value in the CIDR Range field.

    The CIDR prefix length range must be between /16 and /26. Only CIDR values within this range are permitted. You can use 10.1.0.0/26 as the default CIDR range.
    The CIDR range must not overlap with any network you would like to peer within the OpenShift cluster VPC. If you do not specify a CIDR value, you can click the link in the OpenShift Cluster Manager to apply the default CIDR range. After submitting the initial configuration, you cannot modify the CIDR range. If you want to change the CIDR range, you must delete and reinstall Red Hat OpenShift API Management.
  10. In the Notification Email field, enter the email address you would like to receive OpenShift API Management service notifications.

  11. In the Quota field, select a Daily Rate Limit Quota from the drop-down menu.

    You cannot select a daily rate limit quota that exceeds the SKU specified and assigned during the purchase of the Red Hat OpenShift API Management service. For example, if you purchased a 10 Million SKU, you cannot successfully apply a daily rate limit quota greater than 10 Million.
    The Evaluation option has a daily rate limit of 100,000 API calls and does not include production-level support. You can select the Evaluation option from the Quota drop-down menu. For more information on accessing all features of OpenShift API Management, refer to the Red Hat OpenShift API Management service definition.
  12. Optional: In the 3scale custom wildcard domain name field, enter the designated domain name.

    Adding the custom wildcard domain name is optional, but if you want to add it to your add-on service, you must configure the custom wildcard domain before installing Red Hat OpenShift API Management to the cluster using the OpenShift Cluster Manager. You cannot add or modify the domain name after installing the add-on service using the OpenShift Cluster Manager. The 3scale routes can only be modified in the 3scale Admin Portal after the initial configuration and installation.
    Red Hat OpenShift API Management will fail to install if the domain name is not the same as the name of the custom domain operator. You cannot use a self-signed wildcard certificate.
  13. Optional: Enter values for an SMTP configuration. Red Hat OpenShift API Management provides a default SMTP server and applies default values if you do not specify an SMTP configuration. You can enter values for the following fields:

    • Custom SMTP Mail Server Address - The remote mail server as a relay

    • Custom SMTP From Address - Email address of the outgoing mail

    • Custom SMTP Username - The mail server username

    • Custom SMTP Password - The mail server password

    • Custom SMTP Port - The port on which the mail server is listening for new connections

      To successfully apply an SMTP configuration, you must enter values for all related fields. If you specify a value for any of the Custom SMTP fields, values for all of them are required.
      Entering an SMTP configuration is optional. Red Hat OpenShift API Management default values are applied if you leave the SMTP configuration fields blank.
      You can edit the SMTP configuration after installing the OpenShift API Management add-on.
  14. Click Install.

Verification
  1. Ensure Installed and a check mark are displayed on the Red Hat OpenShift API Management option.

    The Installed status is displayed before Red Hat OpenShift API Management is completely installed. To verify installation is complete, check the operator status in the console.
  2. Click Open in Console to see the Red Hat OpenShift API Management operator details.

Adding OpenShift API Management to your Red Hat OpenShift Service on AWS cluster

Red Hat OpenShift Service on AWS (ROSA) allows Red Hat to deploy OpenShift clusters into an existing Amazon Web Service (AWS) account.

You can add OpenShift API Management to your ROSA cluster to make the service available for use by API providers.

You can install the OpenShift API Management add-on to an ROSA cluster using the rosa CLI.

Prerequisites
Procedure
  1. Enter the following command in the rosa CLI to add the Red Hat OpenShift API Management to the Red Hat OpenShift Service on AWS cluster:

    rosa install addon --cluster=<cluster_name> managed-api-service
    • Replace <cluster_name> with the name of your cluster in ROSA.

    Interactive mode opens. In interactive mode you are prompted to enter a CIDR range and the email addresses that should receive Red Hat OpenShift API Management service notifications.

  2. Enter the CIDR range.

    The CIDR prefix length range must be between /16 and /26. Only CIDR values within this range are permitted. You can use 10.1.0.0/26 as the default CIDR range.
    The CIDR range must not overlap with any network you would like to peer with in the OpenShift cluster VPC. After submitting the initial configuration, you cannot modify the CIDR range. If you want to change the CIDR range, you must delete and reinstall Red Hat OpenShift API Management.
  3. Enter the email address you would like to receive OpenShift API Management service notifications.

    You can enter multiple email addresses to receive service notifications. Use a comma to separate multiple email addresses.
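
The CIDR rules stated in the Cluster Manager and rosa CLI procedures above (prefix length from /16 to /26, no overlap with networks you intend to peer) can be checked before you submit a value that cannot be changed later. This is an added example, not Red Hat code; the function name, the IPv4-only check and the peer network inventory are assumptions made for illustration.

```python
import ipaddress

# Prefix-length limits stated in the procedures above.
MIN_PREFIX, MAX_PREFIX = 16, 26


def check_rhoam_cidr(candidate, peer_networks):
    """Return a list of problems; an empty list means the value passes."""
    try:
        # strict=True rejects values with host bits set (e.g. 10.1.0.5/26);
        # treating that as an error is this example's choice.
        net = ipaddress.ip_network(candidate, strict=True)
    except ValueError as exc:
        return [f"{candidate}: not a valid network ({exc})"]
    if net.version != 4:
        # Assumption: IPv4 only, as in the documented default 10.1.0.0/26.
        return [f"{candidate}: expected an IPv4 CIDR"]

    problems = []
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        problems.append(
            f"{net}: prefix /{net.prefixlen} is outside /{MIN_PREFIX}-/{MAX_PREFIX}")
    for name, cidr in peer_networks.items():
        # Peer entries are often written as host addresses, so be lenient here.
        peer = ipaddress.ip_network(cidr, strict=False)
        if peer.version == net.version and net.overlaps(peer):
            problems.append(f"{net}: overlaps {name} ({peer})")
    return problems


# Constructed inventory of networks that might be peered with the cluster VPC.
PEERS = {
    "cluster-vpc": "10.0.0.0/16",
    "shared-services": "10.1.0.0/24",
    "on-prem": "192.168.0.0/16",
}

if __name__ == "__main__":
    for value in ("10.1.0.0/26", "10.2.0.0/26", "10.3.0.0/28", "172.16.0.0/12"):
        result = check_rhoam_cidr(value, PEERS)
        print(value, "OK" if not result else result)
```

In this constructed inventory the documented default 10.1.0.0/26 is rejected because it falls inside the shared-services range, which is why the default still needs to be compared against your own networks.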

Adding OpenShift API Management to your STS enabled Red Hat OpenShift Service on AWS cluster

Red Hat OpenShift Service on AWS (ROSA) allows Red Hat to deploy OpenShift clusters into an existing Amazon Web Service (AWS) account. Red Hat OpenShift Service on AWS supports AWS Security Token Service (STS) for authentication with AWS APIs.

AWS STS is a global web service that provides short-term credentials for IAM or federated users. Red Hat OpenShift Service on AWS with STS is the recommended credential mode for ROSA clusters. You can use AWS STS with ROSA to allocate temporary, limited-privilege credentials for component-specific IAM roles. The service enables cluster components to make AWS API calls using secure cloud resource management practices.

You can add OpenShift API Management to your ROSA cluster to make the service available to API providers that use AWS STS for authentication. Create an AWS IAM role and policies that are required for installing OpenShift API Management onto a cluster that uses AWS STS.

Prerequisites
Procedure
  1. In the AWS CLI, create a policy for SRE Support. Enter the following:

    cat <<EOM >"rhoam-sre-support-policy.json"
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "rds:DescribeDBInstances",
                    "rds:DescribeDBClusters",
                    "rds:DescribeGlobalClusters",
                    "rds:ModifyDBInstance",
                    "rds:DeleteDBInstance",
                    "rds:DescribeDBSnapshots",
                    "rds:RestoreDBInstanceFromDBSnapshot",
                    "elasticache:DescribeReplicationGroups",
                    "elasticache:ModifyReplicationGroup",
                    "elasticache:DescribeSnapshots",
                    "elasticache:CreateReplicationGroup",
                    "elasticache:DescribeCacheClusters",
                    "elasticache:DeleteReplicationGroup",
                    "sts:GetCallerIdentity",
                    "tag:TagResources"
                ],
                "Resource": "*"
            }
        ]
    }
    EOM
  2. In the AWS CLI, enter the following command to attach the Red Hat OpenShift API Management SRE policy to the OpenShift Support Role:

    aws iam put-role-policy --role-name ManagedOpenShift-Support-Role --policy-name rhoam-sre-support-policy --policy-document "file://rhoam-sre-support-policy.json"
  3. In the rosa CLI, enter the following command to add the Red Hat OpenShift API Management to the Red Hat OpenShift Service on AWS cluster:

    rosa install addon --cluster <cluster-name> managed-api-service -y --addon-resource-required true --rosa-cli-required true --billing-model standard
    • Replace <cluster-name> with the name of your cluster in ROSA.
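
Before attaching the policy to the support role, you can confirm that the file on disk still matches the documented action set and see which of its actions change or delete resources under "Resource": "*". This is an added example, not Red Hat code; the function names and the read-only prefix heuristic are assumptions, and the sample inputs are constructed.

```python
import json

# Actions in the SRE support policy from step 1 above, grouped by service.
DOCUMENTED = {
    "rds": ["DescribeDBInstances", "DescribeDBClusters", "DescribeGlobalClusters",
            "ModifyDBInstance", "DeleteDBInstance", "DescribeDBSnapshots",
            "RestoreDBInstanceFromDBSnapshot"],
    "elasticache": ["DescribeReplicationGroups", "ModifyReplicationGroup",
                    "DescribeSnapshots", "CreateReplicationGroup",
                    "DescribeCacheClusters", "DeleteReplicationGroup"],
    "sts": ["GetCallerIdentity"],
    "tag": ["TagResources"],
}
DOCUMENTED_ACTIONS = {f"{s}:{v}" for s, verbs in DOCUMENTED.items() for v in verbs}
# Heuristic (an assumption of this example): these verb prefixes are read-only.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def as_list(value):
    """IAM allows a single string or object where a list is expected."""
    return [value] if isinstance(value, (str, dict)) else list(value)


def review_policy(policy_text):
    """Compare a policy document with the documented action set."""
    allowed, wildcard = set(), False
    for stmt in as_list(json.loads(policy_text).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        allowed.update(as_list(stmt.get("Action", [])))
        wildcard = wildcard or "*" in as_list(stmt.get("Resource", []))
    return {
        "unexpected": sorted(allowed - DOCUMENTED_ACTIONS),
        "missing": sorted(DOCUMENTED_ACTIONS - allowed),
        "mutating": sorted(a for a in allowed
                           if not a.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES)),
        "wildcard_resource": wildcard,
    }


def build_policy(actions):
    """Constructed sample input in the same shape as the documented file."""
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": sorted(actions), "Resource": "*"}]})


if __name__ == "__main__":
    drifted = (DOCUMENTED_ACTIONS - {"tag:TagResources"}) | {"rds:CreateDBInstance"}
    for label, acts in (("documented", DOCUMENTED_ACTIONS), ("drifted", drifted)):
        print(label, json.dumps(review_policy(build_policy(acts)), indent=2))
```

To review the real file, pass its contents: review_policy(open("rhoam-sre-support-policy.json").read()).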

Additional

Accessing OpenShift API Management in your cluster

In OpenShift API Management you can create, secure, and publish APIs. You can access OpenShift API Management from the OpenShift application launcher in the OpenShift Cluster Manager.

Prerequisites
  • Red Hat OpenShift API Management was added to your OpenShift Dedicated or ROSA cluster.

Procedure
  1. Enter the following URL in a browser:

    https://console.redhat.com
  2. Log in to your Red Hat account.

  3. Click All apps and services and then click API Management from the drop-down menu. The OpenShift Cluster Manager console is displayed.

  4. In the OpenShift Cluster Manager, click Clusters in the menu.

  5. Select the cluster with OpenShift API Management installed, from the list of clusters.

  6. Click the Add-ons tab.

  7. Select the Red Hat OpenShift API Management option.

  8. On the Red Hat OpenShift API Management option, click View in console. The Red Hat OpenShift Dedicated console opens.

  9. Click the application launcher in the OpenShift Dedicated console.

  10. Select OpenShift API Management from the OpenShift Managed Services drop-down menu. A new browser tab opens.

  11. Use Red Hat Single Sign-On to authenticate your login.

Supported bring-your-own VPC architectures

Red Hat OpenShift API Management supports the use of a bring-your-own virtual private cloud (BYOVPC) configuration. The following Availability Zone (AZ) scenarios represent the tested configurations. Configurations that differ from the following may not work as expected and are not supported.

  • Single-AZ installation: The tested architecture includes a VPC with an internet gateway, an availability zone containing a public subnet, and a private subnet.

  • Multi-AZ installation: The tested architecture includes a VPC with an internet gateway, up to three availability zones (with each containing one public subnet), and a private subnet.

  • PrivateLink Multi-AZ installation: The tested architecture includes connections to clusters using AWS PrivateLink endpoints instead of public endpoints for Red Hat OpenShift Service on AWS (ROSA) or OpenShift Dedicated (OSD).

    • Outbound firewall rules are required for Red Hat OpenShift API Management installations on clusters that have PrivateLink enabled.

    • The following domains are required and must be allowed through the firewall in order to successfully configure the Red Hat OpenShift API Management with PrivateLink:

      • echo-api.3scale.net

      • gcr.io

      • grafana.com

      • stats.grafana.org

      • .sendgrid.net

      • raw.githubusercontent.com

      • objects.githubusercontent.com

    • The following domains should not be blocked by the firewall:

      • cloud.redhat.com

      • aws.amazon.com

      • www.redhat.com

      • www.okd.io

      • access.redhat.com

      • observatorium.api.openshift.com

Deleting OpenShift API Management from your cluster

When you delete Red Hat OpenShift API Management from your cluster, backups of the databases are automatically created in your Amazon Web Services (AWS) account:

  • RDS for PostgreSQL: Backups are under 'Snapshots'.

  • ElastiCache for Redis: Backups are under 'Backups'.

Backups persist after Red Hat OpenShift API Management deletion and require manual removal. To change this default behavior, add the annotation skip_final_db_snapshots: 'true' to the Red Hat Managed Integration (RHMI) custom resource (CR) before deletion:

$ oc patch rhmi rhoam -n redhat-rhoam-operator --type=merge --patch '{"metadata":{"annotations": {"skip_final_db_snapshots": "true"}}}'

Failure to delete backups may result in continued storage costs.

You can delete the Red Hat OpenShift API Management add-on service from your OpenShift Dedicated cluster through the OpenShift Cluster Manager (OCM) or the OCM CLI.

To delete the add-on service using the OpenShift Cluster Manager CLI, enter the following command:

ocm delete api/clusters_mgmt/v1/clusters/<cluster_id>/addons/<addon_id>
  • Replace the <cluster_id> with the identification tag for your OpenShift Dedicated cluster.

  • Replace the <addon_id> with the identification tag for the Red Hat OpenShift API Management add-on service.

The following procedure describes how to delete a Red Hat OpenShift API Management add-on service through OCM.
Prerequisites
  • Red Hat OpenShift API Management was added to your OpenShift Dedicated cluster.

Procedure
  1. Navigate to the Clusters page in the OpenShift Cluster Manager.

  2. Select the cluster with the installed instance of Red Hat OpenShift API Management you want to delete.

  3. Click the Add-ons tab.

  4. Locate the installed OpenShift API Management service you want to delete.

  5. From the installed Red Hat OpenShift API Management option, click the main menu.

  6. Click Uninstall add-on from the drop-down menu.

  7. Enter the Red Hat OpenShift API Management name in the confirmation message that is displayed.

  8. Click Uninstall. You return to the Add-ons tab and an uninstalling state icon is displayed on the Red Hat OpenShift API Management service option you deleted.

Additional resources