Setting up APIcast in Docker


4integ...@gmail.com

Feb 27, 2018, 5:25:36 AM
to 3Scale API Management by Red Hat
Hi,

I am preparing for our first production setup of APIcast - initially 2 gateways in Docker in two different VMs with a load balancer (round robin).

In order to support OAuth2 we will also set up Redis.

Should Redis be shared between the two gateways or should they have their own Redis?

/ Joacim

4integ...@gmail.com

Mar 7, 2018, 8:11:34 AM
to 3Scale API Management by Red Hat
Any comments/thoughts?

/ Joacim

pim.g...@gmail.com

Mar 8, 2018, 10:50:32 AM
to 3Scale API Management by Red Hat
The Redis cache is used to store the tokens. They are retrieved by the APIcast gateway. When using round robin, it is not certain on which APIcast the request comes in, so ideally they should both be able to access the Redis cache. However, when this is not the case, you would experience more cache misses from Redis (because the token is cached in the other Redis) and the token is refetched from SSO and then cached in the second Redis.

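The cache behaviour described in the reply above, modelled as an added example (not part of the thread and not APIcast code): two gateways behind strict round robin, with separate versus shared token stores. `TokenStore`, `Gateway`, the token names, the request trace and the TTL values are all constructed for illustration.

```python
from itertools import cycle


class TokenStore:
    """Hypothetical stand-in for one Redis instance: token -> expiry (s)."""
    def __init__(self):
        self.expiry = {}

    def is_cached(self, token, now):
        return self.expiry.get(token, 0) > now

    def cache(self, token, now, ttl):
        self.expiry[token] = now + ttl


class Gateway:
    """Hypothetical stand-in for one gateway bound to one token store."""
    def __init__(self, store):
        self.store = store

    def handle(self, token, now, ttl, fetch_log):
        if self.store.is_cached(token, now):
            return "hit"
        fetch_log.append((now, token))     # miss: refetch from SSO ...
        self.store.cache(token, now, ttl)  # ... then cache in this store
        return "miss"


def build_trace(tokens=("tok-a", "tok-b", "tok-c"), step=10, duration=60):
    """Constructed trace: every client sends one request every `step` s."""
    return [(t, tok) for t in range(0, duration, step) for tok in tokens]


def sso_fetches(shared, trace, ttl):
    """Count SSO refetches when two gateways serve `trace` round robin."""
    if shared:
        store = TokenStore()
        gateways = [Gateway(store), Gateway(store)]
    else:
        gateways = [Gateway(TokenStore()), Gateway(TokenStore())]
    fetch_log = []
    for gateway, (now, token) in zip(cycle(gateways), trace):
        gateway.handle(token, now, ttl, fetch_log)
    return len(fetch_log)


if __name__ == "__main__":
    trace = build_trace()
    for ttl in (300, 25):  # constructed TTLs: long-lived vs. short-lived cache
        print(ttl, sso_fetches(True, trace, ttl), sso_fetches(False, trace, ttl))
```

On this trace, separate stores double the SSO fetches: 6 against 3 with a 300 s TTL, and 12 against 6 with a 25 s TTL.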

4integ...@gmail.com

Mar 13, 2018, 6:24:42 AM
to 3Scale API Management by Red Hat
Thanks Pim for your answer.
For your info I also created a support case at Red Hat about this question.
Their answer:


In this case the Redis is only used for the OAuth handshake and therefore it doesn't need to be distributed.

In terms of the easiest way to implement the OAuth flows with APIcast I would recommend using the Red Hat Single Sign-On integration that we offer [1]. This is extremely easy to configure and integrate and is a much more scalable solution in my opinion. You can test this integration even using the community supported version [2] if you don't already have the productized version. Using this integration means that the whole OAuth handshake is separated from the gateway layer, all the token management is done on the Keycloak server and there is no need to manage any Redis instances. The same Keycloak server can then be used for other integrations such as [3] & [4], which makes managing user identities far easier as everything is centralised, and from a user experience point of view is much nicer because one set of credentials can be used for multiple domain logins.

If you try this integration just let us know if you need any help with that.

[1] https://access.redhat.com/documentation/en-us/red_hat_3scale/2.saas/html/api_authentication/rhsso

[2] http://www.keycloak.org/downloads.html

[3] https://access.redhat.com/documentation/en-us/red_hat_3scale/2.saas/html/developer_portal/authentication#enabling_and_disabling_authentication_via_red_hat_single_sign_on_7_0

[4] https://access.redhat.com/documentation/en-us/red_hat_3scale/2.saas/html/accounts/admin-portal-sso#step_1_enable_red_hat_sso_or_auth0_member_authentication

/ Joacim