3Scale Product Technology and Deployment Options v1.1


RED HAT 3scale API Management Platform (AMP)

Product Technology and Deployment Options
Red Hat 3Scale API Management Platform
Table of Contents

- Overview: general scheme of where AMP fits in
- Deployment Options: SaaS and On-Premise
- Containers: containers involved in AMP and their dependencies
- Feature Details on each Component: details, container dependencies, HA and what each component depends on, SaaS vs On-Premise, etc.
- System Requirements: what resources are required to run AMP
- Scaling: how to scale AMP to higher levels of transactions
- Network Configuration: different scenarios for how the network is configured
- Support Matrix: support provided
RED HAT 3SCALE API MANAGEMENT: ARCHITECTURE OVERVIEW
3Scale API Management Platform Overview

[Diagram: API Management Platform]
- API consumers (application developers) use the API Developer Portal: API provider branded, API description, signup, ActiveDocs (OAS).
- API administrators (LOB/PM, developers, writers, ops) use the API Admin Portal: dashboard, developer / application / key management, CMS, analytics, billing.
- The Admin Portal pushes configuration to the API Gateway; the API Gateway sends authentication and usage reports back to the platform backend (System).
- End-user applications send API requests to the API Gateway, which forwards authorized API requests to the API backend services.

RED HAT 3SCALE DEPLOYMENT ARCHITECTURE

SaaS mode:
[Diagram: Mobile Apps and Developer Apps call the API Gateway, which forwards to the API Backend; the API Gateway pulls configuration from and authorizes against the API Manager in real time; the API Manager hosts the Admin Portal, Swagger Doc and Branded Dev Portal]
Both the gateway and the management platform are provided in SaaS mode.

Hybrid SaaS mode:
[Same diagram, with the API Gateway on the customer side]
The API Gateway (supports containerized deployment and scaling) is installed in the customer's own data center and communicates with the management platform hosted on SaaS to provide the full feature set.


On-Premise Deployment

- OpenShift (OCP): every module of the 3Scale API Management Platform can run as a container, and the modules can be deployed quickly on the OpenShift container platform.
- Docker: the gateway (apicast-gateway) supports standalone Docker deployment.
- Native: download the gateway (apicast-gateway) code and use it directly; it runs on OpenResty (NGINX + Lua).
On-premise deployment 1: All on OpenShift
[Diagram: Mobile Apps and Developer Apps -> API Gateway -> API Backend; API Gateway <-> API Manager (config / authorize, real time); Admin Portal, Swagger Doc and Branded Dev Portal served by the API Manager]
The containerized customer applications and the whole API management platform run on the OpenShift container platform.

On-premise deployment 2: API Backend outside OpenShift
[Diagram: as above, with the API Gateway and API Manager on OpenShift and the API Backend outside it]
Customer applications are deployed in any way the customer chooses; the whole API management platform runs on the OpenShift container platform.

On-premise deployment 3: API Backend and API Gateway outside of OpenShift
[Diagram: as above, with the API Gateway (native/Docker) next to the API Backend and only the API Manager on OpenShift]
Customer applications are deployed in any way the customer chooses; the API Gateway is deployed close to the applications (container deployment recommended); the management part of the API management platform runs on the OpenShift container platform.

API Gateways
Deploying 3Scale with the OpenShift template also deploys two API gateway container applications (apicast-staging and apicast-production); additional gateways can be deployed and connected to the AMP management platform.
3Scale Containerized Product Architecture

3Scale containers
- API Gateways: apicast-production, apicast-staging
- API Manager, system-*: redis, mysql, memcache, sphinx, sidekiq, resque, provider, developer
- API Manager, backend-*: redis, cron, worker, listener

Container types

             Cache service    Public services   Index service   Scheduling   Async job queue   Data persistence
  System     memcached,       provider,         sphinx          sidekiq      resque            mysql
             system-redis     developer
  Backend    backend-redis    listener          -               cron         worker
  Gateway    apicast-*
3Scale Module Feature Details (to be completed)

Recommended System Configuration for Deploying 3Scale on OpenShift
Recommended OpenShift container platform configuration for testing:
- 3 Master nodes
- 2 Infra nodes (software load balancing, internal container registry)
- 3 or more application Nodes
- 4~8 vCPU
- 32~64 GB memory
- GbE network
- 256 GB vDisk
- NFS storage (persistent data)
3Scale Capacity Estimation

AMP 2.1 on OpenShift 3.5 test results

OCP Cluster Definition Notes
● The vCPU numbers shown for AMP do not include vCPU dedicated to OpenShift cluster "infrastructure"; they include just the cores for the routers and for the compute nodes where the AMP platform is deployed.
  ○ If you want the total number of vCPU required for the whole OCP cluster, you should add the vCPU for the OpenShift infrastructure nodes.
● The routers could potentially be leveraged across multiple applications, but for simplicity we have counted them as dedicated for 3scale AMP.
● You may ask: "Why are the HW configs the same and it's the system configuration that enables higher performance between some options?"
  ○ The reason is that the Standard configuration is defined to allow running the solution on minimal hardware for evaluation and POC reasons, making the OOTB experience much simpler in those cases.
● The OCP cluster was deployed following this OpenShift Reference architecture guide
● Configuration
  • HTTPS for incoming API traffic
  • OCP terminating SSL in the HA Proxy routers
  • No SSL for internal traffic to MySQL and Redis
  • No OAuth

Test Setup
Instance types deployed:
- Routers: c4.large = 2 vCPU
- Compute: c4.2xlarge = 8 vCPU
You can use this page to find more information on the different AWS instance types referenced here: https://www.ec2instances.info
AMP 2.1 on OCP 3.5 - Test Results

  Requests   Requests per    Router Nodes   Router   Compute Nodes   Compute   Total   Tested RPS
  per day    second (avg)                   vCPUs                    vCPUs     vCPUs   (max)
  2M         23              2x c4.large    4        1x c4.2xlarge   8         12      666
  5M         57              2x c4.large    4        1x c4.2xlarge   8         12      1859
  20M        231             2x c4.large    4        2x c4.2xlarge   16        20      2979
  50M        578             2x c4.large    4        3x c4.2xlarge   24        28      4314

NOTE: These AMP 2.1 tests were run on different instance types from those OSD deploys, but on the same instance types as the AMP 2.0 testing below, to allow an AMP 2.0 to AMP 2.1 comparison.
3Scale Authentication and Connection Establishment Flow (draft)
OIDC with 3pty IdP and RH-SSO as broker (based on OAuth authorization code flow)

[Sequence diagram; participants: user, application, API gateway, 3scale API manager, RH SSO, 3pty IdP. The exchanges shown, in order:]
1. The user uses the application; the application requires user data.
2. The application answers with a 302 redirect: the user's browser sends GET /authorize to the API gateway, which forwards it as GET /auth to RH SSO.
3. RH SSO answers with a 302 redirect to the 3rd-party IdP: the browser GETs the login page and POSTs login and password; the user is authenticated in the 3rd-party IdP.
4. The IdP 302-redirects back to RH SSO (GET redirect_uri?code=...); RH SSO calls POST /token on the IdP and receives an access token and id-token.
5. RH SSO 302-redirects to the application (GET redirect_uri?code=...); the user is authenticated in RH-SSO.
6. The application calls /token on the API gateway with request params client_id, client_secret, redirect_uri, code, grant_type='authorization_code'.
7. The API gateway checks the credentials with the 3scale API manager, sending only client_id as request param; the manager confirms that client_id is valid (credentials are valid).
8. The API gateway forwards /token to RH SSO; RH SSO checks that the code is valid and returns an access token and id-token.
9. The API gateway returns the access token and id-token to the application; the user is authenticated in the application, and the access_token is stored in the API Gateway cache.
RED HAT 3SCALE Network Example

Domains
[Diagram: the API team runs the API Backend and the API Manager; API client developers build the App]
- API Gateways: staging endpoint api-staging.mydomain.com and production endpoint api.mydomain.com; the gateways make auth calls to the API Manager and forward API calls to the API Backend.
- API Manager: built-in admin portal mycompany-admin.mydomain.com and developer portal developer.mydomain.com.
- Email server: outbound notification emails (From: [email protected]) and inbound email from API client developers (From: [email protected]).
- API clients: the App sends API calls to the gateway endpoints.
Typical Network Configuration
[Diagram: clients / external network -> firewall -> customer network: LB -> OpenShift infra-nodes (openshift routers) -> OpenShift nodes running 3scale-AMP, Apicast GW, Backend, System and Apicast]
The firewall opens ports 80 and 443 to the LB and to the gateways.
Network Isolation Requirements
[Diagram, from the outside in:]
- Clients / external network
- Firewall: open ports 80 and 443 to the LB; open ports for apicast.
- DMZ: LB (haproxy, f5 ...) and Apicast GW
- Firewall: open ports 80 and 443 to the openshift-routers
- Internal: openshift-routers, and OpenShift nodes running 3scale-AMP, Apicast GW, Backend, System and Apicast
Additionally, openshift-routers can be deployed into dedicated nodes, to increase security.
APIcast Gateway and Management Platform: Multi-Site Deployment and Disaster Recovery
[Diagram: clients / external network -> firewall -> DMZ LB -> Apicast GW (docker/native) at each site -> API LB (haproxy, f5 ...) or RRDNS -> 3Scale AMP at each site]

The APIcast gateway does not currently support connecting to multiple AMP platforms:

● Use an intermediate load balancer or RRDNS to distribute API requests across sites

● Disaster-recovery monitoring and switchover
RED HAT 3SCALE MANAGEMENT PLATFORM
Officially Supported Deployment Methods

3scale AMP: Support Matrix

  3scale Component   Platform    Component          Support Provided
  API Manager        Openshift   All                Full support if used in 3scale context
  APIcast            Openshift   APIcast Template   Full Support
  APIcast            Docker      Docker             None
  APIcast            Docker      APIcast Image      CRS
  APIcast            Native      OpenResty          CRS

Exact supported versions of OCP can be found in this article

* CRS is Commercially Reasonable Support
DEPLOYING ON OPENSHIFT DEDICATED

Deploying AMP 2.1 on OpenShift Dedicated
Constraints
- Openshift Dedicated (currently) does not support Persistent Volumes with RWX
- Due to Openshift Dedicated security policies, wildcard routes are disabled.

Requirements
- Routes must be created manually
- Use the alternative deployment template: amp-s3.yml
- 3 Persistent Volumes (RWO permissions) are needed for Redis and MySQL persistence
- Use an AWS S3 bucket for shared storage of CMS assets
- You need an AWS account with the S3 service and buckets
Deploying AMP 2.1 on OpenShift Dedicated
New deployment variables
- FILE_UPLOAD_STORAGE: Indicates where to store the CMS uploaded files. Possible values: filesystem or s3. Default: filesystem.
- AWS_BUCKET: AWS bucket name.
- AWS_ACCESS_KEY_ID: AWS credentials ID.
- AWS_SECRET_ACCESS_KEY: AWS credentials secret.
- AWS_REGION: AWS region where the bucket is located.

Observations:
- The AWS credentials are stored in the cluster as an Openshift Secret (aws-auth).
- The product has been validated on Openshift Dedicated (v3.5.5.31) Base Package.
- All the PVs and new variables are taken care of by the amp-s3.yml template.
Deploying AMP 2.1 on OpenShift Dedicated
Deploy Command

    oc new-app --file amp-s3.yml \
      --param WILDCARD_DOMAIN=<a-domain-that-resolves-to-your-ocp-cluster.com> \
      --param TENANT_NAME=3scale \
      --param AWS_ACCESS_KEY_ID=<aws-access-key-id> \
      --param AWS_SECRET_ACCESS_KEY=<aws-access-key-secret> \
      --param AWS_BUCKET=<target-bucket-name> \
      --param AWS_REGION=<aws-bucket-region> \
      --param FILE_UPLOAD_STORAGE=s3

Because the AWS secret is passed as a --param, it is also recorded in the shell history of the machine running oc; oc new-app --param-file can read the parameters from a file instead. The same value ends up in the cluster as the aws-auth Secret (see Observations above).

[1] Details on OSD Deployment in 2.1 Internal Documentation
    https://docs.google.com/a/redhat.com/document/d/1swZ7hZ8uefYiFPDIRqVQn6YIpEtDhSnulvQ7tkY02iQ/
[2] Internal Red Hat Cluster
    https://console.engint.openshift.com/console
[3] Internal Red Hat Cluster: WILDCARD_DOMAIN=e8ca.engint.openshiftapps.com
Deploying AMP 2.1 on OpenShift Dedicated
AWS ACCESS KEYS - REQUIRED IAM POLICY

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "s3:ListAllMyBuckets",
          "Resource": "arn:aws:s3:::*"
        },
        {
          "Effect": "Allow",
          "Action": "s3:*",
          "Resource": [
            "arn:aws:s3:::targetBucketName",
            "arn:aws:s3:::targetBucketName/*"
          ]
        }
      ]
    }
Deploying AMP 2.1 on OpenShift Dedicated
S3 Deployment Verification

1. Go to the Developer Portal section in the 3scale administration dashboard
2. Click on Upload Files
3. Click on "Choose File", select a file on your local filesystem and then click Create File.
4. Inspect the uploaded file URL; you should see a URL like this:

● https://<aws-region>.amazonaws.com/<aws-bucket-name>/provider-name/2017/09/27/random-file.jpg?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=<aws-secret-id>%2F20170927%2F<aws-region>%2Fs3%2Faws4_request&X-Amz-Date=20170927T133221Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host&X-Amz-Signature=626850e5fec0ce62bd6a1ac6e47d81ab52642a52b3a1518bc780959e2c916b90
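A scripted version of step 4, as an added example that is not part of the original deck or of 3scale: it parses the uploaded-file URL and checks that it is a SigV4 presigned link to the expected bucket and region. The sample URL, the bucket example-bucket, the region eu-west-1 and the key id AKIAEXAMPLEKEYID are constructed placeholders.

```python
"""Added example, not 3scale code: checks that the uploaded-file URL from the S3
verification step is a SigV4 presigned S3 URL with the fields shown above. The
sample URL below is constructed from the page's placeholder (values are made up)."""
from urllib.parse import parse_qs, urlsplit

SAMPLE_URL = (  # constructed sample in the same shape as the URL on this page
    "https://eu-west-1.amazonaws.com/example-bucket/provider-name/2017/09/27/random-file.jpg"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAEXAMPLEKEYID%2F20170927%2Feu-west-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20170927T133221Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host"
    "&X-Amz-Signature=626850e5fec0ce62bd6a1ac6e47d81ab52642a52b3a1518bc780959e2c916b90")
REQUIRED = ("X-Amz-Algorithm", "X-Amz-Credential", "X-Amz-Date",
            "X-Amz-Expires", "X-Amz-SignedHeaders", "X-Amz-Signature")


def check_presigned_s3_url(url: str, bucket: str, region: str) -> dict:
    """Return the parsed fields; raise ValueError if the URL is not what a working
    FILE_UPLOAD_STORAGE=s3 deployment should produce."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc.endswith(".amazonaws.com"):
        raise ValueError("not an https amazonaws.com URL (still served from the filesystem?)")
    segs = parts.path.lstrip("/").split("/")  # path-style URL: bucket is the first segment
    if segs[0] != bucket:
        raise ValueError(f"unexpected bucket {segs[0]!r}")
    q = parse_qs(parts.query, strict_parsing=True)  # %2F in the credential is decoded here
    missing = [k for k in REQUIRED if k not in q]
    if missing:
        raise ValueError(f"missing query fields: {missing}")
    if q["X-Amz-Algorithm"][0] != "AWS4-HMAC-SHA256":
        raise ValueError("unexpected signing algorithm")
    # Credential scope is <access-key-id>/<date>/<region>/s3/aws4_request; it carries the
    # key id only, so a leaked link does not expose AWS_SECRET_ACCESS_KEY.
    key_id, scope_date, scope_region, service, term = q["X-Amz-Credential"][0].split("/")
    if (scope_region, service, term) != (region, "s3", "aws4_request"):
        raise ValueError("credential scope does not match the bucket region")
    if not q["X-Amz-Date"][0].startswith(scope_date):
        raise ValueError("X-Amz-Date disagrees with the credential scope date")
    expires = int(q["X-Amz-Expires"][0])
    if not 0 < expires <= 900:
        raise ValueError(f"link lifetime {expires}s exceeds the expected 900s")
    sig = q["X-Amz-Signature"][0]
    if len(sig) != 64 or set(sig) - set("0123456789abcdef"):
        raise ValueError("signature is not a 64-hex-digit HMAC-SHA256 value")
    return {"key_id": key_id, "region": scope_region, "expires": expires,
            "signed_headers": q["X-Amz-SignedHeaders"][0], "object_key": "/".join(segs[1:])}
```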
