Launch new channels with Contract First Approach - Instructions

Access the Workshop Deployer browser tab and check if the Launch new channels using Contract-First approach has turned green. This indicates that the module has been fully deployed and is ready to use.

Access OpenShift Dev Spaces as {user_name}

Ensure you are logged in to OpenShift as {user_name}

In a browser window, navigate to the browser tab pointing to the Developer perspective of the OpenShift cluster. If you don’t have a browser tab open on the console, click on {openshift_cluster_console}[OpenShift Console, window="console"] to launch the console. If needed login with your username and password ({user_name}/{user_password}).

On the top menu of the console, click on the icon, and in the drop-down box, select Red Hat OpenShift Dev Spaces.

Figure 3. Access Red Hat Dev Spaces

Login in with your OpenShift credentials ({user_name}/{user_password}). If this is the first time you access Dev Spaces, you have to authorize Dev Spaces to access your account. In the Authorize Access window click on Allow selected permissions.

Figure 4. Red Hat Dev Spaces - Allow selected permissions

You are directed to the Dev Spaces overview page, which shows the workspaces you have access to. You should see a single workspace, called cloud-architecture-workshop. The workspace needs a couple of seconds to start up.

Figure 5. Red Hat Dev Spaces - cloud-architecture-workshop

Click on the Open link of the workspace.

Figure 6. Red Hat Dev Spaces - Open cloud-architecture-workshop

This opens the workspace, which will look pretty familiar if you are used to working with VS Code. Before opening the workspace, a pop-up might appear asking if you trust the contents of the workspace. Click Yes, I trust the authors to continue.

Figure 7. Red Hat Dev Spaces - Agree to trust the authors

The workspace contains all the resources you are going to use during the workshop. In the project explorer on the left of the workspace, open the workshop/module-apim folder as shown in the screenshot below

Figure 8. Red Hat Dev Spaces - API Module

You can deploy the various resources needed in this workshop to the OpenShift cluster directly from Dev Spaces. To do so, you will need access to the built-in Terminal. Click on the icon on the top of the left menu, and select Terminal → New Terminal from the drop-down menu.

Figure 9. Red Hat Dev Spaces - New terminal

This opens a terminal in the bottom half of the workspace.

Figure 10. Red Hat Dev Spaces - Open terminal

The OpenShift Dev Spaces environment has access to a plethora of command line tools, including oc, the OpenShift command line interface. Through OpenShift Dev Spaces you are automatically logged in into the OpenShift cluster. You can verify this with the command oc whoami.

oc whoami

{user_name}

oc logout
oc login -u {user_name} -p {user_password} {openshift_api_internal}

You will be working in the globex-apim-{user_name} namespace. So run this following command to start using that particular project

oc project globex-apim-{user_name}

Figure 11. Red Hat Devspace - Verify that you are using the globex-apim-<username> namespace

Keep this browser tab open because you will refer to draft content, scripts and YAML files for creating objects on OpenShift

Import a draft OpenAPI specification for Mobile App into an API Designer

Edit the draft OpenAPI specification to add OpenID Security Schemes and include Keycloak’s OpenID Provider Configuration

Govern the Mobile OpenAPI with Red Hat Service Registry

Launch API Designer by clicking on this link {api_designer_url}[API Designer^, window=api_designer]

Click on the New API button.

Figure 15. Red Hat API Designer - New API

Click on the Source Tab on the New API page, and delete the entire content in the window.

To get the Mobile OpenAPI draft, navigate to the browser tab with Dev Spaces that you have earlier opened.

In Dev Spaces, navigate to the folder workshop/module-apim/mobile/activedoc, and open the file mobile-activedoc-draft.yaml

Copy the entire contents from this file (Ctrl+A and Ctrl+C)

Figure 18. Copy Mobile OpenAPI draft from Dev Spaces

Now paste the copied content (draft OpenAPI) from the above step into the API designer’s Source Tab replacing all of the existing content. Click on Save button as highlighted in the screenshot below.

Figure 19. API Designer: Paste Mobile Draft OpenAPI

Navigate back to the Design Tab

Figure 20. API Designer: Design Tab

You will now need to update the security scheme. Under the SECURITY SCHEMES section, click on Add a security scheme link

Figure 21. API Designer: Add a security scheme

You are presented with the Define the Security Scheme page. Provide the following values in the form, and click on Save

You are directed back to the homepage. Verify that you can see the SECURITY SCHEMES has been updated with your configuration

Figure 23. API Designer: Verify openid-connect Security Scheme added

The OpenAPI specification is now ready to be downloaded. Click on the down arrow button adjacent to Save As.. and then choose Save as YAML button found on top-right of the page. The file gets saved automatically in the Downloads folder of your computer.

Figure 24. API Designer: Save API as YAML in your computer

You can now close this browser tab.

The Mobile OpenAPI spec is ready to be governed with a Service Registry.

Launch Service Registry by accessing {service_registry_url}[Service Registry^, window="service_registry_url"]

Figure 25. Service Registry: Landing Page

Click on the Upload artifact button as shown in the above screenshot. You will be presented with a Upload Artifact wizard

Figure 26. Service Registry: Upload Artifact wizard

In the wizard, enter the following details, and click on the Upload button.

Note that the Globex Mobile API Gateway artifact has been uploaded and stored within Service Registry

Figure 28. Service Registry: Globex Mobile API Gateway artifact has been uploaded

You can share this OpenAPI schema with others via this OpenAPI Schema’s endpoint : {service_registry_url}/apis/registry/v2/groups/globex/artifacts/mobileapi

You can now close the Service Registry’s browser tab.

This schema can be used for generating Quarkus code for both Clients and Server-side using maven plugins. (Note that the Globex Mobile App is NodeJS + Angular in this module)

setup Red Hat build of Keycloak to provide single sign-on (SSO) capabilities for users signing into Mobile App

setup Keycloak to secure Mobile Gateway API endpoints using OpenID Connect

manage Mobile Gateway APIs with Red Hat 3scale API Management

access Red Hat 3scale API Management’s Developer Portal as a Mobile Developer to sign up for access of API

Click to launch {sso_tenant_console}[Keycloak^, window="sso"] and login using username and password ({user_name}/{user_password}).

Click on Clients from the left-hand navigation. And, then click on the Create client button on the right side as shown below

Figure 29. Keycloak: Clients listing

In the Step 1 of the Create Client wizard, enter the following details and click on the Next button.

Figure 30. Keycloak: Create Client wizard - Step 1: General Settings

In the Step 2 of the Create Client wizard, choose the following details and click on the Next button.

In the Step 3 of the Create Client wizard, leave the fields as they are and click on the Save button. We will update some of these options later.

You will be shown the Settings tab of client-manager client.

Figure 31. Keycloak: View client-manager Settings

The next step is to configure this client-manager so that 3scale can synchronize with Keycloak, and Keycloak can manage other clients (create, amend and delete) on behalf of 3scale API Management

Choose the manage-clients option, and click on Assign button

Figure 33. Assign manage-clients role

The newly assigned role will now be displayed

Figure 34. New manage-clients role is assigned

You can view the credentials of this client-id from the Credentials tab. You will need this when setting up the 3scale products

Navigate to 3scale’s Audience → Developer Portal → Settings by clicking on {3scale_tenant}/site/dns[Settings → Domains & Access section^, window="3scale"]

The Developer Portal Access Code hides the site from the world till you are ready.

Remove the value in the textfield below the label Developer Portal Access Code as shown below. Click on the Update Account button. This opens up the Developer Portal to public access without the need for an Access Code.

Figure 48. Remove Developer Portal Access Code

The next step is to allow a Developer to access Multiple APIs (Services) and signup for Multiple Applications

Navigate to {3scale_tenant}/p/admin/cms/switches[Developer Portal → Feature Visibility section, window="3scale"]

Click on the Show button against the features Multiple Services and Multiple Applications. The changes are auto-saved.

Figure 49. Feature Visibility section

After updating the settings, this page should be seen as per the screenshot below.

Figure 50. Feature Visibility settings altered

The Globex Developer Portal is fully setup now for Mobile developers to signup.

Launch the Globex Developer Portal by clicking on {globex_developer_portal}[Developer Portal^, window="devportal"]

Figure 51. Developer Portal

Click on the SIGN IN link found on top-right.

Sign in as one of the user you created in the previous section with

Navigate to Applications Listing by choosing the APPLICATIONS menu on the top of the page.

Figure 53. Developer Portal Landing Page

In the Applications page you are invited to Create Application. Click on the Create new application button seen against globex-mobile-gateway-product

Figure 54. Developer Portal: Create new application

Click on Subscribe to globex-mobile-gateway-product link

Figure 55. Subscribe to globex-mobile-gateway-product

You are successfully subscribed to the service

Figure 56. Successfully subscribed to the service

Navigate back to the APPLICATIONS tab found on the top menu and click globex-mobile-gateway-product’s > Create new application link

Figure 57. Developer Portal: Create new application (again)

Give the plan a Name and a Description and click on Create Application

Figure 58. Developer Portal: New application

An application is created successfully. Make a note of the Client ID and Client Secret. You will be using this in the Mobile App setup. Scratchpad can be used for this as well.

Enter the value asterisk (*) in the REDIRECT URL field and click on the Submit button. This is to setup the right Redirect URL for OAuth using Keycloak.

Copy the Client ID from this page which will be used to setup Mobile App

In Dev Spaces open the file: workshop/module-apim/mobile/mobile-env-patch.sh

Back in the Developer Portal click on DOCUMENTATION navigation on the top of the page.

The Documentation page displays all the available APIs including the default API as well as globex-mobile-gateway-product

Figure 61. Developer Portal: Documentation Page

In the same file update the <replace-me> tags for the SSO_AUTHORITY and SSO_REDIRECT_LOGOUT_URI fields with the following variables

Figure 63. Update SSO details into mobile-env-patch file

Finally the mobile-env-patch.sh file should look like this. Save the file by Ctrl+S

Figure 64. Fully updated mobile-env-patch file

Execute this script in the Terminal by running the following command in Dev spaces' Terminal

oc project globex-apim-{user_name}
sh /projects/workshop-devspaces/workshop/module-apim/mobile/mobile-env-patch.sh

deployment.apps/globex-mobile updated

The Mobile App Deployment is patched with the necessary variables. You can view this navigating to {openshift_cluster_console}/k8s/ns/globex-apim-{user_name}/deployments/globex-mobile/environment[globex-mobile deployment, window="console"]

Figure 65. globex-mobile deployment on OpenShift

Navigate to the {globex_developer_portal}/buyer/stats[Globex Developer Portal Statistics^, window="devportal"]

From the dropdown indicated in this screenshot, choose the Mobile Gateway API’s application plan (which is basic-plan in this case).

You will be presented with the statistics graph of the calls made to this gateway by the Partner Developer’s access.

The user asilva you logged into the Mobile App as, is authenticated using Keycloak.

Once the user logs in, a token is generated by Keycloak using the Client ID, SSO Authority details that you passed to the Mobile App to setup the configuration

This token is authenticated by 3scale to ensure the Client ID indeed has access to that particular API

The token is also passed onto the backend service running on OpenShift, which checks for validity of the token.

The REST endpoints is supplied with the SSO URL information as part of the application.properties

The endpoints are protected with @Authenticated which in this case looks for a valid token being present.

Figure 71. REST endpoint is annotated with @Authenticated

If you don’t have a browser tab open with OpenShift Dev Spaces, click on {devspaces_dashboard}[Dev Spaces IDE^, window="devspaces"], choose your workspace. If needed login with your username and password ({user_name}/{user_password}).

In Dev Spaces, navigate to the folder workshop/module-apim/partner/activedoc, and open the file partner-activedoc-draft.json.

Scroll to the bottom of the page where you can see the securitySchemes section

Figure 72. Partner OpenAPI Security Schemes section

Substitute <replace-me> with the Keycloak’s OpenID Provider Configuration shown below

https://sso.{openshift_subdomain}/realms/globex-{user_name}/.well-known/openid-configuration

Figure 73. Updated Security Scheme

Execute the following command from the Dev Spaces’s Terminal.

The following JSON is returned back by Service Registry confirming creation

{"name":"Globex Partners API Gateway","description":"Globex APIs made accessible to global partners to view Globex's catalog and products","createdBy":"","createdOn":"2023-05-05T22:51:01+0000","modifiedBy":"","modifiedOn":"2023-05-05T22:51:01+0000","id":"partnerapi","version":"1","type":"OPENAPI","globalId":2,"state":"ENABLED","groupId":"globex","contentId":2,"references":[]}workshop-devspaces (main)

You can view the newly created OpenAPI specification {service_registry_url}/ui/artifacts/globex/partnerapi/versions/latest[here^, window="serviceregistry"]

In Dev Spaces, navigate to the folder workshop/module-apim/partners/activedoc, open the file create-partner-activedoc.yaml

Replace the <replace-me> placeholder with the Service Registry OpenAPI endpoint for Partner API show below

{service_registry_url}/apis/registry/v2/groups/globex/artifacts/partnerapi

Create this Active Doc by running the following command in the Dev Spaces Terminal

oc apply -f /projects/workshop-devspaces/workshop/module-apim/partners/activedoc/create-partner-activedoc.yaml -n globex-apim-{user_name}

activedoc.capabilities.3scale.net/partner-gateway-activedoc created

Navigate to the {3scale_tenant}[3scale admin portal^, window="3scale"] and login using your username and password ({user_name}/{user_password}).

Figure 78. Launch 3scale

You will notice that the Partner Product and Backend have been created.

Click on globex-partner-gateway-product under APIs → Products section.

You are presented with the Product overview page for the Partner API Product you created.

Navigate to Integration → Configuration and click on the Promote to v.x Staging APIcast and then Promote to v.x Production APIcast to promote all the config changes

Figure 79. Promote Staging and Production APIcast

Navigate to the Developer Portal {globex_developer_portal}[Globex Developer Portal^, window="devportal"]

If you are not already signed in, login using username and password as (john/123456)

Navigate to Applications Listing by choosing the APPLICATIONS menu on the top of the page.

Figure 80. Developer Portal Landing Page

In the Applications page you are invited to Create Application. Click on the Create new application button seen against globex-partner-gateway-product

Figure 81. Developer Portal: Create new application

Click on Subscribe to globex-partner-gateway-product link

Figure 82. Subscribe to globex-mobile-gateway-product

You are successfully subscribed to the service

Figure 83. Successfully subscribed to the service

Navigate back to the APPLICATIONS tab via the top menu.

Under globex-partner-gateway-product’s, click on the Create new application button

Figure 84. Developer Portal: Create new application (again)

In the NEW APPLICATION page, give the plan a Name and a Description and click on Create Application.

Figure 85. Developer Portal: New application

An application is created successfully. Make a note of the Client ID and Client Secret. You will be using this in the Partner Web Portal setup.

Enter the value asterisk (*) in the REDIRECT URL field and click on the Submit button. This is to setup the right Redirect URL for OAuth using Keycloak

Figure 86. Update REDIRECT URL in the Application

In the previous section, you signed up for access as a Partner Developer and gained credentials to access the APIs Globex exposes.

To update the Partner Web application you need these values

These values are part of {openshift_cluster_console}/k8s/ns/globex-apim-{user_name}/deployments/globex-partner-web/environment[globex-partner-web deployment, window="console"] and are highlighted in the screenshot below

Figure 87. globex-partner-web Deployment

The Client ID (api-client-id) and Client Secret (api-client-secret) with values as placeholders are predeployed as a Kubernetes Secret called secret.yaml.

Update Token URL (api-token-url) with the following value

https://sso.{openshift_subdomain}/realms/globex-{user_name}/protocol/openid-connect/token

Figure 90. Updated secret.yaml

In the Dev Spaces Terminal apply changes made to the secret.yaml by running the following command

oc apply -f /projects/workshop-devspaces/workshop/module-apim/partners/partner-web/secret.yaml -n globex-apim-{user_name}

secret/globex-partner-web configured

The final step is to patch the Partner Web portal with the Partner Gateway API’s endpoint.

Navigate to the {globex_developer_portal}/buyer/stats[Globex Developer Portal Statistics^, window="devportal"]

From the dropdown indicated in this screenshot, choose the Partner Gateway API’s application plan (which is partner-basic in this case).

You will be presented with the statistics graph of the calls made to this gateway by the Partner Developer’s access.

The user partner that you logged into the Partner App as, is not authenticated using Keycloak. In fact it is not authenticated at all.

In this scenario we use Client Credentials authentication, because the backend NodeJS server authenticates itself with Client ID and Credentials obtained by the Partner Developer while signing up for an Application via 3scale Developer Portal

The token generated by NodeJS is then exchanged with 3scale to ensure the Client ID indeed has access to that particular API