IMPORTANT NOTE: This site is not official Red Hat documentation and is provided for informational purposes only. These guides may be experimental, proof of concept, or early adoption. Officially supported documentation is available at docs.openshift.com and access.redhat.com.
Deploying 3scale API Management to ROSA and OSD
Michael McNeill
26 January 2022
This document will take you through deploying 3scale in any OSD or ROSA cluster. Review the official documentation here for more information or how to further customize or use 3scale.
Prerequisites
- An existing ROSA or OSD cluster
- Access to an AWS account with permissions to create S3 buckets, IAM users, and IAM policies
- A subscription for 3scale API Management
- A wildcard domain configured with a CNAME to your cluster’s ingress controller
Prepare AWS Account
-
Set environment variables (ensuring you update the variables appropriately!)
export S3_BUCKET=<your-bucket-name-here> export REGION=us-east-1 export S3_IAM_USER_NAME=<your-s3-user-name-here> export S3_IAM_POLICY_NAME=<your-s3-policy-name-here> export AWS_PAGER="" export PROJECT_NAME=<your-project-name-here> export WILDCARD_DOMAIN=<your-wildcard-domain-here>
For my example, I’ll be using the following variables:
export S3_BUCKET=mobb-3scale-bucket export REGION=us-east-1 export S3_IAM_USER_NAME=mobb-3scale-user export S3_IAM_POLICY_NAME=3scale-s3-access export AWS_PAGER="" export PROJECT_NAME=3scale-example export WILDCARD_DOMAIN=3scale.example.com
-
Create an S3 bucket
aws s3 mb s3://$S3_BUCKET
-
Apply the proper S3 bucket CORS configuration
aws s3api put-bucket-cors --bucket $S3_BUCKET --cors-configuration \ '{ "CORSRules": [{ "AllowedMethods": [ "GET" ], "AllowedOrigins": [ "https://*" ] }] }'
-
Create an IAM policy for access to the S3 bucket
POLICY_ARN=$(aws iam create-policy --policy-name "$S3_IAM_POLICY_NAME" \ --output text --query "Policy.Arn" \ --policy-document \ '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws:s3:::*" }, { "Effect": "Allow", "Action": "s3:*", "Resource": [ "arn:aws:s3:::'$S3_BUCKET'", "arn:aws:s3:::'$S3_BUCKET'/*" ] } ] }')
-
Create an IAM user to access the S3 bucket
aws iam create-user --user-name $S3_IAM_USER_NAME
-
Generate an access key for the newly created S3 user
ACCESS_CREDS=$(aws iam create-access-key --user-name $S3_IAM_USER_NAME \ --output text --query "AccessKey.[AccessKeyId, SecretAccessKey]")
-
Apply the IAM policy to the newly created S3 user
aws iam attach-user-policy --user-name $S3_IAM_USER_NAME \ --policy-arn $POLICY_ARN
Install the 3Scale API Management Operator
-
Create a new project to install 3Scale API Management into.
oc new-project $PROJECT_NAME
-
Inside of the OpenShift Web Console, navigate to Operators -> OperatorHub.
-
Search for “3scale” and select the “Red Hat Integration - 3scale” Operator.
-
Click “Install” and select the project you wish to install the operator into.
For this example, I’m deploying into the “3scale-example” project that I have just created.
-
Once the 3Scale operator successfully installs, return to your terminal.
Deploy 3Scale API Management
-
Create a secret that contains the Amazon S3 configuration.
echo << EOF | oc apply -f - apiVersion: v1 kind: Secret metadata: creationTimestamp: null name: aws-auth stringData: AWS_ACCESS_KEY_ID: "$(echo $ACCESS_CREDS | cut -f 1)" AWS_SECRET_ACCESS_KEY: "$(echo $ACCESS_CREDS | cut -f 2)" AWS_BUCKET: "$S3_BUCKET" AWS_REGION: "$REGION" type: Opaque EOF
-
Create an APIManager custom resource
cat << EOF | oc apply -f - echo 'apiVersion: apps.3scale.net/v1alpha1 kind: APIManager metadata: name: example-apimanager spec: wildcardDomain: '$WILDCARD_DOMAIN' system: fileStorage: simpleStorageService: configurationSecretRef: name: aws-auth EOF
-
Once the APIManager instance becomes available, you can login to the 3Scale Admin (located at https://3scale-admin.$WILDCARD_DOMAIN) using the credentials from the below commands:
oc get secret system-seed -o jsonpath={.data.ADMIN_USER} | base64 -d oc get secret system-seed -o jsonpath={.data.ADMIN_PASSWORD} | base64 -d
-
Congratulations! You’ve successfully deployed 3Scale API Management to ROSA/OSD.