Skip to content

Instantly share code, notes, and snippets.

@kevprice83

kevprice83/README.md

Last active February 21, 2024 09:27
Show Gist options
  • Save kevprice83/0fa3841fff79dd94bd7d7f2059ff8f10 to your computer and use it in GitHub Desktop.
Save kevprice83/0fa3841fff79dd94bd7d7f2059ff8f10 to your computer and use it in GitHub Desktop.
Download ZIP
APIcast with RH SSO integration on OpenShift
Raw
README.md

RH SSO installation & configuration

download rhsso from https://access.redhat.com/jbossnetwork/restricted/softwareDownload.html?softwareId=44851

  • unzip rh-sso-7.0.0.zip
  • ./add-user-keycloak.sh -u <username>
  • From the directory rh-sso-7.0 execute bin/standalone.sh This will start up the sso instance
  • To expose the console on a public domain follow the next steps
  • wget https://bin.equinox.io/c/4VmDzA7iaHb/ngrok-stable-linux-amd64.zip
  • unzip ngrok-stable-linux-amd64.zip
  • From the same directory the binary is installed execute ./ngrok http 8080
  • Copy the http domain and access the console from the browser at <ngrok_domain/server_domain>/auth/admin
  • Create a new realm (different from Master)
  • Set up Tokens Policies (Realm Settings > Tokens) - e.g. to configure access token TTL
  • Set up Initial Access Tokens. This is necessary to synchronise client registrations between 3scale and Red Hat Single Sign-On.
    • Define Expiration - This will determine how long the access token used to register clients from APIcast will be valid for, so make sure to choose a long lived value unless you want to be changing this token often.
    • Define Count - This will determine how many clients can be registered using this access token, make sure to choose a large value unless you want to be changing this token often.
  • Create some test End-Users

APIcast configuration

  • oc new-app -f apicast-oidc.yml
  • oc secret new-basicauth apicast-configuration-url-secret --password=https://<access_token/provider_key>@<your_domain>-admin.3scale.net
  • Add the ENV variable RHSSO_ENDPOINT with the domain of the sso instance you just deployed to the deployment config for example: http://rh-sso.com/auth/realms/<your_realm>
  • Create a client in 3scale and make sure to add the redirect URL parameter. This could be Postman for example.
  • You will need to synchronise this client with your RH SSO instance manually. Use the follwing example API request:
curl -v -X POST \                                                                                                                                                                           
    -d '{ "clientId": "<client_id>", "secret": "<client_secret>","redirectUris":["https://www.getpostman.com/oauth2/callback"] }' \
    -H "Content-Type:application/json" \
    -H "Accept: application/json" \
    -H "Authorization: Bearer <initial_access_token>" \
    http://<rhsso_domain>/auth/realms/<your_realm>/clients-registrations/default
Raw
apicast-oidc.yml
apiVersion: v1
kind: Template
metadata:
name: 3scale-gateway
annotations:
description: "3scale API Gateway"
iconClass: "icon-load-balancer"
tags: "api,gateway,3scale"
objects:
- apiVersion: v1
kind: DeploymentConfig
metadata:
name: "${APICAST_NAME}"
spec:
replicas: 2
selector:
deploymentconfig: "${APICAST_NAME}"
strategy:
type: Rolling
template:
metadata:
labels:
deploymentconfig: "${APICAST_NAME}"
spec:
containers:
- env:
- name: THREESCALE_PORTAL_ENDPOINT
valueFrom:
secretKeyRef:
name: "${CONFIGURATION_URL_SECRET}"
key: password
- name: THREESCALE_CONFIG_FILE
value: "${CONFIGURATION_FILE_PATH}"
- name: RESOLVER
value: "${RESOLVER}"
- name: APICAST_SERVICES
value: "${SERVICES_LIST}"
- name: APICAST_CONFIGURATION_LOADER
value: "${CONFIGURATION_LOADER}"
- name: APICAST_LOG_LEVEL
value: "${LOG_LEVEL}"
- name: APICAST_PATH_ROUTING_ENABLED
value: "${PATH_ROUTING}"
- name: APICAST_RESPONSE_CODES
value: "${RESPONSE_CODES}"
- name: APICAST_REQUEST_LOGS
value: "${REQUEST_LOGS}"
- name: APICAST_CONFIGURATION_CACHE
value: "${CONFIGURATION_CACHE}"
- name: REDIS_HOST
value: "${REDIS_HOST}"
- name: REDIS_PORT
value: "${REDIS_PORT}"
- name: APICAST_MANAGEMENT_API
value: "${MANAGEMENT_API}"
image: "${IMAGE_NAME}"
imagePullPolicy: Always
name: "${APICAST_NAME}"
livenessProbe:
httpGet:
path: /status/live
port: management
initialDelaySeconds: 10
timeoutSeconds: 1
readinessProbe:
httpGet:
path: /status/ready
port: management
initialDelaySeconds: 15
timeoutSeconds: 1
ports:
- name: proxy
containerPort: 8080
protocol: TCP
- name: management
containerPort: 8090
protocol: TCP
triggers:
- type: ConfigChange
- apiVersion: v1
kind: Service
metadata:
name: "${APICAST_NAME}"
spec:
ports:
- name: proxy
port: 8080
protocol: TCP
targetPort: 8080
- name: management
port: 8090
protocol: TCP
targetPort: 8090
selector:
deploymentconfig: "${APICAST_NAME}"
parameters:
- description: "Name of the secret containing the THREESCALE_PORTAL_ENDPOINT with the access-token or provider key"
value: apicast-configuration-url-secret
name: CONFIGURATION_URL_SECRET
required: true
- description: "Path to saved JSON file with configuration for the gateway. Has to be injected to the docker image as read only volume."
value:
name: CONFIGURATION_FILE_PATH
required: false
- description: "Docker image to use."
value: 'quay.io/3scale/apicast:master'
name: IMAGE_NAME
- description: "Name for the 3scale API Gateway"
value: apicast
name: APICAST_NAME
required: true
- description: "DNS Resolver for openresty, if empty it will be autodiscovered"
value:
name: RESOLVER
required: false
- description: "Subset of services to run. Use comma separated list of service ids (eg. 42,1337)"
value:
name: SERVICES_LIST
required: false
- name: CONFIGURATION_LOADER
description: "When to load configuration. If on gateway start or incoming request. Allowed values are: lazy, boot."
value: boot
required: false
- description: "Log level. One of the following: debug, info, notice, warn, error, crit, alert, or emerg."
name: LOG_LEVEL
required: false
- description: "Enable path routing. Experimental feature."
name: PATH_ROUTING
required: false
value: "false"
- description: "Enable logging response codes to 3scale."
value: "false"
name: RESPONSE_CODES
required: false
- name: CONFIGURATION_CACHE
description: "For how long to cache the downloaded configuration in seconds. Can be left empty, 0 or greater than 60."
value: ""
required: false
- description: "Redis host. Required for OAuth2 integration."
name: REDIS_HOST
required: false
- description: "Redis port. Required for OAuth2 integration."
name: REDIS_PORT
required: false
value: "6379"
- name: MANAGEMENT_API
description: "Scope of the Management API. Can be disabled, status or debug. At least status required for health checks."
required: false
value: "status"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment