gpe_mw_ansible.3scale_multitenant
3scale Multitenant
Overview
This setup enables one centralized 3scale API Manager within a single OpenShift Container Platform (OCP) namespace. You only need to run this setup once for each OCP cluster. It also lets you manage (create/delete) a set number of API tenants in the 3scale API Manager.
This setup is useful in situations like:
- Instructor-Led Training, Hackathons, and Workshops: For a group of students needing access to 3scale, you can set up a single centralized 3scale API Manager, assigning each student their own tenant. Each student gets admin access to their tenant, which is often easier than having each student set up their own instance.
- Red Hat 3scale Enablement: Key goals might include demonstrating how to set up 3scale on OCP, integrating email services for user self-registration, and using the 3scale REST Admin API with OAuth2 tokens.
Prerequisites
- Use 3scale version 2.4 on OpenShift 4.8, which should be pre-installed.
- Ensure the command-line tool (oc) is authenticated as the cluster-admin for your OCP cluster.
- Install required Python modules on the host running this setup:
dnf install python3-lxml
dnf install python3-openshift
API Manager
This part of the setup uses Ansible to create a 3scale API Manager through OpenShift templates.
Known Problems
- API Manager on FIPS compliant OpenShift - Planned fix in 3scale 2.12.
Resource Requirements
The setup allows you to provision 3scale with different resource needs depending on whether it is for production or not.
- For Production (is_production = true): High resource limits: 30 CPU cores and 30 GiB RAM.
- For Non-Production (is_production = false): Lower resource needs: ~12 GiB RAM and 6 CPU.
SMTP Providers
You should register with an SMTP provider to enable email sending from the 3scale API Manager. Some options with free plans include:
- SocketLabs: 2000 emails per month.
- SendGrid: 100 emails per day.
Environment Variables
All environment variables are optional. If none are specified, a basic 3scale API Manager will be set up without SMTP integration, expecting at least one ReadWriteMany (RWX) Persistent Volume Claim (PVC) in the namespace 3scale-mt-api0.
Some optional variables include:
- _amp_master_passwd (Default: master)
- _master_access_token (Default: wtqhhsly)
- is_production (Default: false)
- SMTP settings (userid, host, port, etc.)
Execution
To set up the API Manager, run:
ansible-playbook playbooks/apimanager.yml
To see all API Manager routes in the namespace 3scale-mt-api0, run:
oc get route -n 3scale-mt-api0
To uninstall the API Manager, run:
ansible-playbook playbooks/apimanager.yml -e ACTION=uninstall
API Tenant
When the 3scale API Manager is set up, a default tenant is created. You can also create additional tenants using Ansible.
Environment Variables
If no variables are set, a single tenant (ocp01) will be created with admin user api01 / admin. Corresponding gateways will be created in the ocp01 namespace.
Optional variables include:
- orgName (Default: ocp01)
- _tenant_admin_user_name_base (Default: api)
- _tenantAdminPasswd (Default: admin)
Execution
To provision an API tenant, run:
ansible-playbook playbooks/api_tenant.yml
After provisioning completes, you'll find the output detailing the created tenant.
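Both the API Manager and the API Tenant playbooks fall back to the credentials listed above (master, wtqhhsly, admin) when nothing is set. The following is an added example, not part of the role: it generates random values for those three variables, stores them in an owner-only vars file so they stay out of the command line, and refuses to proceed if any value is missing or still a documented default. It assumes the role accepts arbitrary hex strings for these variables; the file name is a placeholder.

```shell
#!/usr/bin/env bash
# Added example (not part of the role): replace the documented default
# credentials with random ones and pass them to Ansible through a vars file.

# gen_secret [BYTES]: print BYTES random bytes from /dev/urandom as hex.
gen_secret() {
  od -An -N"${1:-16}" -tx1 /dev/urandom | tr -d ' \n'
}

# write_vars_file PATH: write fresh secrets to PATH as YAML, owner-only (0600).
# Values are quoted so an all-digit hex string is not parsed as a number.
write_vars_file() (
  umask 077
  rm -f "$1"   # recreate so an existing file's wider mode is not kept
  for name in _amp_master_passwd _master_access_token _tenantAdminPasswd; do
    printf '%s: "%s"\n' "$name" "$(gen_secret 16)"
  done > "$1"
)

# check_vars_file PATH: fail if a credential is missing or is still the
# default documented on this page (master / wtqhhsly / admin).
check_vars_file() (
  for pair in _amp_master_passwd=master _master_access_token=wtqhhsly \
              _tenantAdminPasswd=admin; do
    name=${pair%%=*}
    default=${pair#*=}
    value=$(sed -n "s/^$name: *//p" "$1" | tr -d '"')
    if [ -z "$value" ] || [ "$value" = "$default" ]; then
      echo "refusing to provision: $name is unset or a documented default" >&2
      exit 1
    fi
  done
)

# Usage on the provisioning host (the file name is a placeholder):
#   write_vars_file "$HOME/3scale-secrets.yml"
#   check_vars_file "$HOME/3scale-secrets.yml" &&
#     ansible-playbook playbooks/apimanager.yml -e @"$HOME/3scale-secrets.yml" &&
#     ansible-playbook playbooks/api_tenant.yml -e @"$HOME/3scale-secrets.yml"
```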
API Gateways
If the API Manager and tenants are already set up and you need specific API gateways for those tenants, this section will help.
Environment Variables
- threescale_tenant_admin_accesstoken (Required): Access token for the 3scale tenant admin.
- threescale_tenant_admin_hostname (Required): Admin route URL of the target tenant.
Execution
To deploy API gateways, run:
ansible-playbook playbooks/api_gw.yml \
-e threescale_tenant_admin_accesstoken=$threescale_tenant_admin_accesstoken \
-e threescale_tenant_admin_hostname=$threescale_tenant_admin_hostname
Old Setup
Ansible Setup
To install the role locally, run:
ansible-galaxy install gpe_mw_ansible.3scale_multitenant --force -p $HOME/.ansible/roles
Provision 3scale API Manager
The OCP namespace will be owned by the user specified in {{OCP_AMP_ADMIN_ID}}, which will manage the quotas for 3scale.
Named Tenants
Instead of generic tenants, you can create named tenants on an individual basis with specified parameters using Ansible.
Tenant User Credentials
Each tenant includes an admin user whose username and password are generated based on certain variables.
Stale Domain State
If the DNS of your API Manager changes, you might need to update various settings in the environment to correct issues arising from outdated configurations.