Administering OpenShift API Management

Guide
  • Red Hat OpenShift API Management 1
  • Updated 28 March 2022
  • Published 08 December 2020

Topics included in this guide

Administering OpenShift API Management

Guide
Red Hat OpenShift API Management 1
  • Updated 28 March 2022
  • Published 08 December 2020

You can perform configuration and monitoring tasks for managed services. With OpenShift API Management you can manage network configurations, define policies, monitor API usage, and update notification settings.

Overview of rate limiting, alerting, and monitoring in OpenShift API Management

Red Hat OpenShift API Management provides a limited number of API calls. The API request hard limits are set as part of your Red Hat OpenShift API Management purchase.

You are alerted to ensure you do not exceed the set API usage hard limit. OpenShift API Management uses a tiered approach for alerting customers when the API usage is close to the hard limit, to ensure request calls are not rejected and service is not interrupted.

An email notification is sent to the email address provided during the OpenShift API Management installation. The email notification includes a link to the Grafana dashboard, which provides a visualization of your API usage.

You can also access the Grafana dashboard through the OpenShift Dedicated console. To access the dashboard, click the application launcher in OpenShift Dedicated and then click API Managed Dashboards in the OpenShift Managed Services drop-down menu.

A notification is sent in the following instances:

  • If API usage is between 80% and 90% for a period of 4 hours, a notificication is sent every 4 hours.

  • If API usage is between 90% and 95% for a period of 2 hours, a notification is sent every 2 hours.

  • If API usage is over 95% for a period of 30 minutes, a notification is sent every 30 minutes.

OpenShift API Management offers you the flexibility to share rate limiting quotas across multiple environments. You can divide a purchased OpenShift API Management subscription level across multiple OpenShift Dedicated environments. For example, if a 10 Million API calls per day subscription level is selected, you can allocate 5 Million API calls per day to both a stage environment and a production environment. For more information on increasing your Red Hat OpenShift API Management subscription level, see the service definition.

Monitoring service capacity with Grafana

You can can monitor the service capacity and API usage of OpenShift API Management with Grafana. Access the Grafana dashboard from the OpenShift Dedicated console, to monitor the OpenShift API Management API rate limits for the following durations:

  • last minute

  • last 24 hours

In the dashboard, you can view, share, and inspect the data for the OpenShift API Management API requests.

Prerequisites

  • Red Hat OpenShift API Management was added to your OpenShift Dedicated cluster.

Procedure

  1. Click the application launcher in OpenShift Dedicated.

  2. Click API Managed Dashboards in the OpenShift Managed Services drop-down menu.

  3. You are prompted to log in. Click Log in with OpenShift.

  4. Enter the login credentials.

  5. Click Allow selected permissions to authorize monitoring access.

  6. In the Grafana console, click the Dashboards dropdown menu from the main menu to access the available dashboards and folders.

  7. Click Manage.

  8. Click redhat-rhoam-customer-monitoring-operator to open the folder.

  9. Click Rate Limiting to access the monitoring data.

    Alternatively, click Home to search for a dashboard by name.

Modifying the daily rate limit quota after installing the Red Hat OpenShift API Management add-on

When you exceed your daily rate limit, your Red Hat OpenShift API Management services are interrupted and API request calls are rejected. To ensure API usage does not exceed its daily limit, you can modify your daily rate limit quota.

You can change the active daily rate limit quota, previously selected during the installation of the Red Hat OpenShift API Management add-on, in the OpenShift Cluster Manager to optimize resource consumption. You must have the resources required for the modified daily rate limit, as outlined in the Red Hat OpenShift API Management service definition, to successfully update the quota.

Depending on the SKU specified during the purchase of the Red Hat OpenShift API Management service, you can choose from the following daily rate limit quotas:

  • 100 Thousand Requests (Evaluation option in OpenShift Dedicated trial clusters)

  • 1 Million Requests

  • 5 Million Requests

  • 10 Million Requests

  • 20 Million Requests

  • 50 Million Requests

You can not select a daily rate limit quota that exceeds the SKU specified and assigned during the purchase of the Red Hat OpenShift API Management service. For example, if you purchased a 10 Million SKU, you can not successfully apply a daily rate limit quota greater than 10 Million.
The Evaluation option, available in OpenShift Dedicated trial clusters, has a daily rate limit of 100,000 API calls and does not include production-level support. You can select the Evaluation option from the Quota drop-down menu. For more information on accessing all features of OpenShift API Management, refer to the Red Hat OpenShift API Management service definition.
Prerequisites

  • Red Hat OpenShift API Management was added to your OpenShift Dedicated or OpenShift Service on AWS cluster.

Procedure

  1. Enter the following URL in a browser:

    https://cloud.redhat.com

  2. Log in to your Red Hat account.

  3. Click OpenShift in the main menu. The OpenShift Cluster Manager console opens.

  4. In the OpenShift Cluster Manager, click Clusters in the menu. A list of clusters in the console is displayed.

  5. Select the cluster that you want to modify from the list of clusters.

  6. In the selected cluster, click the Add-ons tab.

  7. In the Red Hat OpenShift API Management add-on option, click the three dots in the top corner of the option.

  8. Click Configure in the drop-down menu. The Configure API Management service dialog box is displayed.

  9. In the Quota field, select a daily rate limit quota from the drop-down menu.

  10. Click Update.

Verification

  1. Click the application launcher in the OpenShift Dedicated console.

  2. Click API Managed Dashboards in the OpenShift Managed Services drop-down menu.

  3. You are prompted to log in. Click Log in with OpenShift.

  4. Enter the login credentials.

  5. Click Allow selected permissions to authorize monitoring access.

  6. In the Grafana console, click Home to access the available dashboards and folders.

  7. Click redhat-rhoam-customer-monitoring-operator to open the folder.

  8. Click Rate Limiting to access the monitoring data. Your active daily rate limit quota is displayed below the usage graph.

Deploying a self-managed APIcast API gateway

APIcast is an NGINX based API gateway used to integrate your internal and external API services with the 3scale platform.

APIcast has two deployment modes:

  • Built-in

  • Self-managed

By default, OpenShift API Management includes a built-in APIcast. The built-in APIcast is pre-configured and ready to use out-of-the-box.

If you want to modify the APIcast configuration, you can deploy a self-managed APIcast.

The Public Base URL is the URL, you can use to make requests to an API protected by 3scale. It is the URL of the the specificed APIcast instance.

With the self-managed deployment options, you can choose your own Public Base URL on the domain name you are managing. This URL should be different from the URL of your API backend. APIcast only accepts calls to the hostname specified in the Public Base URL.

Prerequisites

  • You are a member in the dedicated-admins group.

  • You have installed the OpenShift command-line Interface (CLI), commonly known as oc.

Procedure

  1. Create a new APIcast instance:

    1. Log in to OpenShift using the oc login command from the OpenShift client tools.

      oc login https://<OPENSHIFT-SERVER-IP>

      You should see Login successful. in the output.

    2. Create a new namespace for the self-managed APIcast.

      oc new-project selfmanaged-apicast

  2. Import the image.

    oc import-image 3scale-amp2/apicast-gateway-rhel8:<tag> --from=registry.redhat.io/3scale-amp2/apicast-gateway-rhel8:<tag> --confirm

    1. Navigate to the catalog.

    2. Find the image and view the available tags.

      An example <tag> name is 3scale<version>. Use the <tag> name that corresponds with the 3scale version installed on the cluster.

    3. (Optional) If you receive an error message after attempting to import the image, troubleshoot with the following steps:

      1. Create a secret with credentials to registry.redhat.io. Use the following command to create a new secret to reference your project:

        oc create secret docker-registry redhatio --docker-server=registry.redhat.io --docker-username=<username> --docker-password=<password>  --docker-email=<email>

        • Replace <username> with your Docker username.

        • Replace <password> with your Docker password.

        • Replace <email> with the email associated with your Docker account.

      2. Use the following command to list active secrets and credentials:

        oc get secrets

      3. Use the following command to configure the pull secret:

        oc secrets link default redhatio --for=pull

  3. In the terminal, clone the Example custom policy from the GitHub repository and navigate to the directory.

    git clone git@github.com:3scale/apicast-example-policy.git
cd apicast-example-policy

  4. Configure the openshift.yaml file

    apiVersion: v1
kind: Template
metadata:
  name: "apicast-example-policy"
message: "APIcast Example Policy"
objects:

- apiVersion: v1
  kind: ImageStream
  metadata:
    annotations:
    labels:
      app: apicast
    name: apicast-policy

- apiVersion: v1
  kind: BuildConfig
  metadata:
    annotations:
    labels:
      app: apicast
    name: apicast-example-policy
  spec:
    output:
      to:
        kind: ImageStreamTag
        name: apicast-policy:example
    source:
      git:
        uri: https://github.com/3scale/apicast-example-policy.git
        ref: 'master'
      type: Git
    strategy:
      type: Source
      sourceStrategy:
        from:
          kind: ImageStreamTag
          namespace: selfmanaged-apicast
          name: apicast-gateway-rhel8:<tag>

- apiVersion: v1
  kind: BuildConfig
  metadata:
    annotations:
    labels:
      app: apicast
    name: apicast-custom-policies
  spec:
    nodeSelector: null
    output:
      to:
        kind: ImageStreamTag
        namespace: selfmanaged-apicast
        name: apicast-gateway-rhel8:<tag>
    postCommit:
      args:
        - '--test'
        - '--lazy'
      command:
        - bin/apicast
    resources: {}
    runPolicy: Serial
    source:
      images:
        - from:
            kind: ImageStreamTag
            name: 'apicast-policy:example'
          paths:
            # copy policy source code into the new image
            - destinationDir: policies
              sourcePath: /opt/app-root/policies/example
            # copy also installed dependencies to the policy folder, so they are vendored
            # - destinationDir: policies/example/0.1/resty/
            #   sourcePath: /opt/app-root/src/lua_modules/share/lua/5.1/resty/iputils.lua
      type: Dockerfile
      dockerfile: |
        FROM scratch
        COPY . src
        USER root
    strategy:
      dockerStrategy:
        from:
          kind: ImageStreamTag
          namespace: selfmanaged-apicast
          name: apicast-gateway-rhel8:<tag>
      type: Docker
    triggers:
      - type: ConfigChange
      - type: ImageChange

parameters:
- name: AMP_RELEASE
  required: false
  description: AMP Version (eg. 2.2.0-GA)

  5. Create a new application for your APIcast gateway and start the deployment:

    oc new-app -f openshift.yml --param AMP_RELEASE=2.8

    You should see the following message in the output:

    --> Deploying template "sm-apicast/apicast-example-policy" for "openshift.yml" to project sm-apicast

     apicast-example-policy
     ---------
     APIcast Example Policy

     * With parameters:
        * AMP_RELEASE=

--> Creating resources ...
    imagestream.image.openshift.io "apicast-policy" created
    buildconfig.build.openshift.io "apicast-example-policy" created
    buildconfig.build.openshift.io "apicast-custom-policies" created
--> Success
    Use 'oc start-build apicast-example-policy' to start a build.
    Build scheduled, use 'oc logs -f bc/apicast-custom-policies' to track its progress.
    Run 'oc status' to view your app.

  6. Execute the custom policy builds.

    oc start-build apicast-example-policy

  7. Navigate to the OpenShift Dedicated console.

  8. Use Operator Hub to install the Red Hat Integration - 3scale APIcast gateway operator for the namespace.

    Do not use the community version.

  9. Generate the 3scale Admin Portal token.

    1. Log in to the Red Hat 3scale API Management console.

    2. Click Personal in 3scale console menu.

    3. Click Tokens in the menu.

    4. Click Add Access Token.

    5. On the New Access Token page, enter the required information in the fields.

    6. Click Create Access token.

  10. Create an adminportal-credentials secret.

    oc create secret generic adminportal-credentials --from-literal=AdminPortalURL=https://<access-token>@<url-to-3scale-admin-portal>

  11. Configure the service to use the self-managed APIcast instead of the built-in APIcast for API.

    1. Navigate to the Products section of the 3scale Admin Portal. You can use the following command to navigate to Admin Portal route:

      oc get routes --namespace redhat-rhoam-3scale | grep admin

    2. In the Products section, click APIIntegrationSettingsAPIcast Self Managed.

    3. Change the Staging Public Base URL. Replace api-3scale-apicast- with selfmanaged-.

    4. Click Update Product.

    5. Click APIConfigurationPromote to Staging and to Production.

  12. Create a self-managed APIcast.

    1. Navigate to the self-managed APIcast operator page.

    2. Click Create an APIcast.

    3. Use Edit Form to configure the APIcast.

    4. Change Admin Portal Credentials Ref secret name to adminportal-credentials.

    5. Set Configuration Load Mode to boot.

    6. Set Image to image-registry.openshift-image-registry.svc:5000/selfmanaged-apicast/apicast-policy:example

      The image registry URL depends on the namespace.

    7. Click Create.

  13. Create a new route to use with the application you plan to create.

    1. Navigate to the namespace of the self-managed APIcast in the OpenShift Dedicated web console.

    2. Click NetworkingRoutesCreate Route.

    3. Enter the requested information in the text fields:

      1. The Hostname must match the Staging Public Base URL (without protocol, without port).

      2. For Service, select the service of your APIcast.

      3. The target port is 8080 → 8080.

      4. Select the secure route, TLS termination: Edge.

      5. Click Create.

  14. Navigate to the apicast-example-policy GitHub repository to make custom-policy available in the 3scale Admin Portal.

  15. Execute the following command:

    cat policies/example/0.1/apicast-policy.json

  16. Navigate to the 3scale console.

  17. Click IntegrationConfiguration to promote the APIcast.

    1. Click ? to access the help feature.

    2. Click 3scale API docsAPIcast Policy Registry Create

  18. Enter the required information:

    1. Enter the access token.

    2. Use the name from the apicast-policy.json.

    3. Use the version from the apicast-policy.json.

    4. In the schema field, enter the apicast-policy.json content.

  19. Click Send Request.

  20. Navigate to the 3scale Admin Portal.

  21. In the console menu, click APIIntegrationPoliciesAdd Policy. The APIcast Example Policy is listed.

Verification

  1. Navigate to 3scale Admin Portal.

  2. Click APIConfiguration.

  3. Execute the command for the Staging Public Base URL with the user key.

    1. You can access the command for the Staging Public Base URL with the user key in the 3scale Admin Portal:

      1. In the console menu, click Integration.

      2. Click Configuration.

      3. Use the command in the Example curl for testing in the Staging APIcast section.

  4. The Example curl for testing output should include the following, if the APIcast proxy set up is successful:

    "HTTP HOST": https://echo-api.3scale.net
Additional resources
Legal Notices for Trademarks