Cloud-native API Administration with Red Hat 3scale API Management
Abstract
| Goal | Configure and customize the API gateway using standard policies. |
| Objectives |
|
| Sections |
|
After completing this section, you should be able to allow external access to your API by configuring APIcast gateways.
APIcast is an NGINX-based gateway in Red Hat 3scale API Management that is responsible for receiving and managing the incoming traffic from your APIs. The APIManager component contains information about mapping policies and rate limits and APIcast routes the traffic based on those rules.
3scale API Management provides two environments: staging and production.
By default, 3scale API Management provides an APIcast gateway for each of these environments.
Promoting the configuration of a product means propagating the changes to the specific APIcast gateway.
 |
To have full control over the APIcast gateway, you can avoid using the default gateways. You might choose to deploy a self-managed gateway if you want to manage the full lifecycle of the application.
You can replace any of the default gateways (staging and production) with your self-managed gateway.
For example, consider that you have a 3scale API Management installation, with two default gateways. Consider also that you want to deploy a self-managed gateway for the production environment in a separate network. The self-managed gateway receives the incoming requests for the production environment and must fetch the information, such as the routing policies and rate limits, from the APIManager. The following diagram illustrates this behavior.
 |
You can deploy an APIcast gateway by using a template or the official RHOCP operator. In this course, only the operator deployment is used.
The APIcast gateway Operator makes it easier to deploy and manage a self-managed APIcast gateway. The operator includes an RHOCP custom resource definition (CRD), which you can use to set several configuration parameters of the gateway.
You can install the operator by using the RHOCP OperatorHub catalog.
 |
The APIcast gateway operator includes the APICast custom resource, which you can use to deploy a new gateway.
A sample APIcast manifest displays as follows:
apiVersion: apps.3scale.net/v1alpha1 kind: APIcast metadata: name: custom-apicastspec: adminPortalCredentialsRef: name: apicast-secret
deploymentEnvironment: production
exposedHost: host: custom-apicast.apps.ocp4.example.com
tls: - {}
| Name of the gateway. |
| Name of the RHOCP secret that contains the authentication against the APIManager. This authentication is covered in detail later in this lecture. |
| Environment that the gateway replaces ( |
| RHOCP route where the gateway is accessible externally. |
The APIcast operator creates an RHOCP route with the host provided in the manifest, so that your gateway is accessible externally.
The self-managed gateway must get routing information from the APIManager. Consequently, you must authenticate the gateway by using an RHOCP secret. Because you authenticate the gateway against a specific tenant, you must include an access token and the tenant's Admin Portal URL in the RHOCP secret.
[user@host]$ oc create secret genericSECRET_NAME\ --from-literal=AdminPortalURL=https://ACCESS_TOKEN@TENANT_ADMIN_PORTAL
To create a new access token, navigate to the Account Settings page of your tenant's Admin Portal, and click → .
Then, click .
The token must include the Account Management API scope.
For example, if you want to authenticate the gateway against the default tenant, 3scale, and you have an access token 1234, then the secret displays as follows:
[user@host]$ oc create secret generic apicast-secret \ --from-literal=AdminPortalURL=https://1234@3scale-admin.apps.ocp4.example.com
Then, you authenticate your gateway by setting the spec.adminPortalCredentialsRef.name parameter in the APIcast manifest.
When you create a 3scale API Management product, the default gateways are used. If you want to use your self-managed gateway, then you must change the settings of the product.
To change the settings of a product, click → in the product's page left pane.
In the DEPLOYMENT section, select APIcast self-managed to enable a self-managed gateway for the product.
Then, you use the Staging Public Base URL and Production Public Base URL fields to provide the external URL of your gateway for the staging and production environments (respectively).
For example, if you provide the custom-apicast.apps.ocp4.example.com host in the APIcast manifest, then you use the https://custom-apicast.apps.ocp4.example.com:443 URL.
Although the main focus of this course is on deploying your self-managed gateway in RHOCP, you can use other platforms depending on your needs.
To deploy APIcast Gateway in your own server, you must install OpenResty and other dependencies. You can find a detailed installation guide in this link.
To deploy APIcast Gateway in a Docker containerized environment, you must download a ready to use container image. This image contains all the dependencies needed to run APIcast. You can find a detailed installation guide in this link.
