Administering Red Hat Managed Integration 2
This document provides instructions for cluster administrators to:
- Manage cluster security
- Grant developers sufficient access to develop and deploy cloud-native, integrated applications
- Configure systems for production scenarios
Permissions of Managed Integration cluster administrators
Typically, a cluster administrator uses the OpenShift CLI tools on a local machine to interact with a Red Hat Managed Integration cluster. The client is available from the download page.
A cluster administrator can:
- Manage the OpenShift cluster as described in Administering a cluster
- Create another cluster administrator
- Manage 3scale and give a developer admin rights in 3scale
- Administer the Customer Application SSO instance and give a developer administration privileges on the master realm
- Manage any realms created by a developer
- View the managed services projects in the OpenShift console
Do not delete the admin user in the master realm of the Customer Application SSO instance. Red Hat manages this service using this user.
Introduction to the Customer Application SSO instance
Managed Integration includes an instance of Red Hat Single Sign-On to enable you to protect any applications you deploy on your cluster.
You can navigate to the Customer Application SSO instance from the Protect customer applications item in the Solution Explorer.
Red Hat manages this instance; however, all cluster administrators have admin level privileges to configure this instance.
A user named admin manages this instance. Do not delete this user.
A cluster administrator typically uses this instance to:
- Create users in the master realm.
- Create and manage new realms. A developer can create new realms and a cluster administrator can administer these realms.
For more information about Red Hat Single Sign-On, see Red Hat Single Sign-On Product Documentation.
Disabling realm creation for developers
By default, a developer can create a realm in the Customer Application SSO instance. Developers get this permission from the create-realm realm role that is mapped to the rhmi-developers group in the master realm. This section describes how to remove that role mapping. You might want to disable this permission in a production cluster, where the SSO instance is shared by every application you deploy on the cluster.
- You are a cluster administrator.
- Log in to the Solution Explorer.
- Navigate to the Customer Application SSO instance from the Protect customer applications item in the Solution Explorer.
- When prompted, choose the Administration Console.
- Choose Groups from the menu for the Master realm.
- Select the rhmi-developers group.
- Click Edit from the User Groups menu.
- Choose the Role Mappings tab.
- Select create-realm in the Assigned Roles panel.
- Click Remove selected to remove that role from the rhmi-developers group. The change applies to every member of the group; you do not need to edit users individually.
- To verify the change, log in to the Customer Application SSO instance as a developer and make sure you cannot create a realm. Removing the role from the group does not remove a create-realm role that was assigned to a user directly, so also check the Role Mappings tab of any user you suspect was granted the role individually. Realms that developers created before the change still exist; this procedure only prevents new ones.
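The same change made over the Keycloak admin REST API, so that it can be scripted and audited rather than clicked through. This is an added example, not code from the Managed Integration documentation or the product; it assumes the Customer Application SSO base URL (SSO_URL, which this page does not give), the admin user's password in the KEYCLOAK_ADMIN_PASSWORD environment variable, and the master realm, rhmi-developers group and create-realm role names from the procedure. It also lists users who hold create-realm as a direct mapping, which removing the role from the group does not change.

```python
"""Remove create-realm from the rhmi-developers group via the Keycloak admin REST API.

Added example for the "Disabling realm creation for developers" procedure; not from the
product docs. Assumptions: SSO_URL is the Customer Application SSO base URL (not given on
the page), the admin password is in KEYCLOAK_ADMIN_PASSWORD, and the realm/group/role
names are the ones the procedure uses (master, rhmi-developers, create-realm).
"""
import json
import os
import urllib.parse
import urllib.request

SSO_URL = "https://<customer-application-sso-host>"  # assumption: replace with your instance


def http(method, url, token=None, body=None, form=None):
    """Send one request with urllib and return (status, decoded JSON body or None)."""
    headers = {"Accept": "application/json"}
    data = None
    if form is not None:                      # the token endpoint takes a form post
        data = urllib.parse.urlencode(form).encode()
        headers["Content-Type"] = "application/x-www-form-urlencoded"
    elif body is not None:                    # admin endpoints take JSON
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    if token:
        headers["Authorization"] = "Bearer " + token
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


def admin_token(base, username, password, http=http):
    """Password grant against the master realm using the built-in admin-cli client."""
    _, tok = http("POST", f"{base}/auth/realms/master/protocol/openid-connect/token",
                  form={"grant_type": "password", "client_id": "admin-cli",
                        "username": username, "password": password})
    return tok["access_token"]


def _flatten(groups):
    """The groups search returns a tree; walk it so nested groups are found too."""
    for g in groups:
        yield g
        yield from _flatten(g.get("subGroups", []))


def find_group(base, token, name, http=http):
    """Return the single group with exactly this name; refuse to guess on 0 or >1 hits."""
    q = urllib.parse.quote(name)
    _, groups = http("GET", f"{base}/auth/admin/realms/master/groups?search={q}", token)
    hits = [g for g in _flatten(groups) if g["name"] == name]
    if len(hits) != 1:
        raise LookupError(f"expected exactly one group named {name!r}, found {len(hits)}")
    return hits[0]


def group_realm_roles(base, token, group_id, http=http):
    """Realm roles mapped directly to the group, keyed by role name."""
    _, roles = http("GET", f"{base}/auth/admin/realms/master/groups/{group_id}/role-mappings/realm", token)
    return {r["name"]: r for r in roles}


def disable_realm_creation(base, token, group="rhmi-developers", role="create-realm", http=http):
    """Remove the role mapping from the group, then re-read the mapping to confirm."""
    gid = find_group(base, token, group, http)["id"]
    before = group_realm_roles(base, token, gid, http)
    if role not in before:
        return "already-removed"
    http("DELETE", f"{base}/auth/admin/realms/master/groups/{gid}/role-mappings/realm",
         token, body=[before[role]])          # DELETE takes the role representations to unmap
    if role in group_realm_roles(base, token, gid, http):
        raise RuntimeError(f"{role} is still mapped to {group} after DELETE")
    return "removed"


def users_with_direct_role(base, token, role="create-realm", http=http):
    """Users holding the role as a direct mapping; the group change does not affect them."""
    _, users = http("GET", f"{base}/auth/admin/realms/master/roles/{role}/users", token)
    return sorted(u["username"] for u in users)


if __name__ == "__main__":
    tok = admin_token(SSO_URL, "admin", os.environ["KEYCLOAK_ADMIN_PASSWORD"])
    print(disable_realm_creation(SSO_URL, tok))
    print("users with create-realm mapped directly:", users_with_direct_role(SSO_URL, tok))
```

The /auth prefix matches the Red Hat Single Sign-On 7 paths this page uses for the cluster SSO callback URL. The script fails rather than proceeds if the group name is ambiguous, and it re-reads the mapping after the DELETE instead of trusting the 204, so a partial or rejected change is reported.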
Configuring GitHub OAuth for CodeReady Workspaces
Red Hat Managed Integration provides a full developer workspace server and cloud IDE with CodeReady Workspaces, allowing you to pull and push to GitHub projects. You must configure a GitHub OAuth app before developers can create a repository, pull, and push GitHub projects.
The GitHub OAuth app allows users to import projects into CodeReady Workspaces by using SSH addresses (git@ ...). Users can then push to repositories and use the pull request panel.
This procedure enables automatic SSH key upload to GitHub.
- You must have prior experience using GitHub.
- You are a cluster administrator.
- Register an application on GitHub:
  - To add a new application, log in to GitHub and go to OAuth applications in your developer settings: click Settings → Developer settings → OAuth Apps → Register a new OAuth application.
  - For GitHub Enterprise, go to your GitHub Enterprise homepage and then click Settings → Developer settings → Register a new application.
- Enter an application name, for example, CodeReady Workspaces.
- For the homepage URL, enter the CodeReady Workspaces URL:
  https://codeready-redhat-rhmi-codeready-workspaces.apps.<cluster-suffix>
  where <cluster-suffix> is the unique sub-domain for your cluster, for example, example.u7y2.s1.openshift.com.
- Enter the authorization callback URL:
  https://keycloak-edge-redhat-rhmi-rhsso.apps.<cluster-suffix>/auth/realms/openshift/broker/github/endpoint
  where <cluster-suffix> is the unique sub-domain for your cluster, for example, example.u7y2.s1.openshift.com. GitHub checks each redirect against the registered callback URL, so copy it exactly, including the https scheme and the full path.
- Click Register application.
- Note the GitHub Client ID and GitHub Client Secret. You require these values later in the procedure. The Client Secret is a credential for the OAuth app: store it only in the cluster secret described below, not in a repository, a ticket, or a chat.
- Log in to the OpenShift console as a cluster administrator.
- Navigate to the following URL in your browser:
  https://console-openshift-console.apps.<cluster-suffix>/k8s/ns/redhat-rhmi-operator/secrets/github-oauth-secret
  where <cluster-suffix> is the unique sub-domain for your cluster, for example, example.u7y2.s1.openshift.com.
- Select the Edit Secret option from the Actions menu.
- Enter the GitHub Client ID and Client Secret that you previously noted:
  - Enter the GitHub Client ID for the value of Client ID.
  - Enter the GitHub Client Secret for the value of Secret.
- Click Save.
- To validate, request that a developer creates a workspace and connects to GitHub:
  - Log in to Solution Explorer.
  - Navigate to CodeReady Workspaces.
  - Create a workspace as described in Creating and configuring a new CodeReady Workspaces 2.0 workspace.
  - Click Add or Import Project → GitHub → Connect your GitHub account → Authorize.
  - Check that a list of projects is displayed in the Import Projects panel. If projects are not displayed, verify that you followed each step in this procedure; in particular, check that the callback URL registered with GitHub matches exactly and that the Client ID and Secret were copied without extra whitespace.
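As a check after saving the secret, the following added script (not code from the documentation or the product) audits github-oauth-secret from oc get secret -o json output and builds a JSON merge patch for oc patch, so the values are base64-encoded without a stray newline. It assumes the secret stores the two values under the data keys clientId and secret, which this page does not state (the console form only labels them Client ID and Secret), so confirm the key names in your cluster first; the sample secrets in the block are constructed.

```python
"""Audit the github-oauth-secret edited in the GitHub OAuth procedure.

Added example; not code from the product docs. Assumptions: the secret keeps the values
under the data keys "clientId" and "secret" (confirm with:
oc -n redhat-rhmi-operator get secret github-oauth-secret -o json), and the sample
secrets below are constructed for illustration.
"""
import base64
import json
import sys

CLIENT_ID_KEY = "clientId"   # assumption, see module docstring
SECRET_KEY = "secret"        # assumption, see module docstring


def callback_url(cluster_suffix):
    """Authorization callback URL from the procedure, to compare with the GitHub app settings."""
    return (f"https://keycloak-edge-redhat-rhmi-rhsso.apps.{cluster_suffix}"
            "/auth/realms/openshift/broker/github/endpoint")


def _b64(value):
    """Encode in Python rather than with `echo | base64`, which would append a newline."""
    return base64.b64encode(value.encode()).decode()


def decode_secret(secret):
    """Base64-decode every entry of a Secret's data map (as returned by oc get -o json)."""
    return {k: base64.b64decode(v).decode() for k, v in (secret.get("data") or {}).items()}


def audit(secret, expected_client_id):
    """Return a list of findings; an empty list means the secret looks correct.

    Catches the classic mistake of encoding a value with `echo value | base64`, which stores
    a trailing newline that then becomes part of the credential sent to GitHub."""
    findings = []
    data = decode_secret(secret)
    for key in (CLIENT_ID_KEY, SECRET_KEY):
        if key not in data:
            findings.append(f"missing data key {key!r}")
            continue
        value = data[key]
        if not value.strip():
            findings.append(f"{key!r} is empty")
        elif value != value.strip():
            findings.append(f"{key!r} contains leading or trailing whitespace")
    if data.get(CLIENT_ID_KEY, "").strip() not in ("", expected_client_id):
        findings.append(f"{CLIENT_ID_KEY!r} does not match the GitHub app's Client ID")
    return findings


def patch_body(client_id, client_secret):
    """Merge patch for:
    oc -n redhat-rhmi-operator patch secret github-oauth-secret --type merge -p '<json>'"""
    return {"data": {CLIENT_ID_KEY: _b64(client_id), SECRET_KEY: _b64(client_secret)}}


# Constructed samples: one stored correctly, one whose Client ID was encoded with a newline.
SAMPLE_GOOD = {"data": {CLIENT_ID_KEY: _b64("0123456789abcdef0123"), SECRET_KEY: _b64("s3cret")}}
SAMPLE_NEWLINE = {"data": {CLIENT_ID_KEY: _b64("0123456789abcdef0123\n"), SECRET_KEY: _b64("s3cret")}}

if __name__ == "__main__":
    # usage: oc -n redhat-rhmi-operator get secret github-oauth-secret -o json \
    #        | python3 audit_github_oauth.py <github-client-id>
    problems = audit(json.load(sys.stdin), sys.argv[1])
    print("\n".join(problems) or "github-oauth-secret looks correct")
    sys.exit(1 if problems else 0)
```

The audit deliberately compares only the Client ID, which is not sensitive, against what you registered on GitHub; it never prints the decoded Client Secret.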
Configuring AMQ Online for production
If you plan to use AMQ Online in Managed Integration, you need to create an AMQ Online configuration for production. You must edit and apply YAML files using the command line (CLI) tools to configure AMQ Online.
This section provides general guidance on configuring AMQ Online for production usage in Managed Integration.
- You are a cluster administrator with the OpenShift CLI (oc) installed locally.
- Experience with configuring AMQ Online.
- Configure AMQ Online in Managed Integration as described in Configuring AMQ Online.
- The name of the AMQ Online project in your cluster is redhat-rhmi-amq-online.
- You must log in as a cluster administrator.
- Configure your address space to use an external authentication service as shown in the address space example using an external authentication service. The authentication services are configured by the AMQ Online service operator and are specified when creating an address space.
Network policies
A Managed Integration cluster hosts two types of projects:
- Projects associated with managed services, for example, the redhat-rhmi-amq-online project is associated with AMQ Online. These projects support inbound and outbound connections.
- User projects, for example a web app. These projects support communication from the managed services mentioned above. If you want to disable that communication, see [disabling-communications_admin-guide].
See the Networking documentation for an introduction to OpenShift Dedicated networking.
In OpenShift, there are two approaches to enabling communication between projects:
- Using network policies
- Using the join-projects option of the oc adm pod-network command
In Managed Integration, you enable communication using network policies. You cannot use the join-projects option with managed services projects.
Enabling communication between projects in your cluster
By default, when you create projects in a cluster, communication between the projects is disabled.
This procedure describes enabling communication for a project.
- You are a cluster administrator.
- Log in to the cluster using the oc login command.
- Change project:
  $ oc project <project_name>
  where <project_name> is the name of the project that you want to accept communications from other projects.
- Create a NetworkPolicy object as described in Creating a NetworkPolicy object with the following content:
  kind: NetworkPolicy
  apiVersion: networking.k8s.io/v1
  metadata:
    name: allow-all
  spec:
    podSelector: {}
    ingress:
    - {}
  The empty podSelector selects every pod in the project, and the single ingress rule has no from restriction, so this policy allows inbound traffic to those pods from any source. That includes every other project in the cluster, not only the managed-service projects. NetworkPolicy objects are additive: creating this policy does not remove existing policies in the project; it adds an allow rule alongside them. If only the managed services need to reach the project, prefer an ingress rule whose from list names those projects with a namespaceSelector.
- To verify, run oc get networkpolicy in the project and confirm that allow-all is listed.
For more information, see Understanding Networking in a Managed Integration cluster.
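To see what the allow-all policy admits compared with narrower alternatives before applying one, here is an added example that evaluates Kubernetes ingress NetworkPolicy semantics against constructed cluster state. It is not code from the documentation or the product; it assumes a user project named my-app, models only matchLabels selectors and namespace/pod peers (no ipBlock, no ports), and assumes the kubernetes.io/metadata.name namespace label, which Kubernetes sets automatically from 1.21 on (older clusters need an equivalent label added by hand).

```python
"""Evaluate which sources can reach a pod under a set of NetworkPolicy objects.

Added example for the network policy sections above; not code from the product docs.
Assumptions: user project is "my-app"; only matchLabels selectors and namespaceSelector /
podSelector peers are modelled (no ipBlock, no ports); namespaces carry the
kubernetes.io/metadata.name label (automatic on Kubernetes 1.21+).
"""
import json

NS_LABEL = "kubernetes.io/metadata.name"


def _policy(name, namespace, spec):
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": namespace}, "spec": spec}


# The policy from the procedure: every pod, one rule, no 'from' => any source.
ALLOW_ALL = _policy("allow-all", "my-app", {"podSelector": {}, "ingress": [{}]})

# Isolate every pod and allow nothing in (no ingress rules at all).
DENY_ALL = _policy("deny-all", "my-app", {"podSelector": {}, "policyTypes": ["Ingress"]})

# Only pods in the same project may connect: a podSelector peer without a
# namespaceSelector means pods of the policy's own namespace.
ALLOW_SAME_NS = _policy("allow-from-same-namespace", "my-app",
                        {"podSelector": {}, "ingress": [{"from": [{"podSelector": {}}]}]})

# Narrower alternative to allow-all: admit only the AMQ Online managed-service project.
ALLOW_FROM_AMQ_ONLINE = _policy("allow-from-amq-online", "my-app", {
    "podSelector": {},
    "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {NS_LABEL: "redhat-rhmi-amq-online"}}}]}],
})

# Constructed cluster state: namespace labels and three sample pods.
NAMESPACES = {ns: {NS_LABEL: ns} for ns in ("my-app", "redhat-rhmi-amq-online", "other-app")}
APP_POD = {"ns": "my-app", "labels": {"app": "web"}}
AMQ_POD = {"ns": "redhat-rhmi-amq-online", "labels": {"app": "standard-authservice"}}
OTHER_POD = {"ns": "other-app", "labels": {"app": "scanner"}}


def _selects(selector, labels):
    """A missing or empty selector matches everything; every matchLabels entry must match."""
    if not selector:
        return True
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def _covers_ingress(spec):
    """policyTypes defaults to Ingress when omitted."""
    types = spec.get("policyTypes")
    return types is None or "Ingress" in types


def _peer_matches(peer, src, policy_ns, namespaces):
    """One entry of a rule's 'from' list: {} matches any source; a peer with both selectors
    requires both; a lone podSelector is scoped to the policy's own namespace."""
    if "ipBlock" in peer:
        raise NotImplementedError("ipBlock peers are not modelled in this example")
    if "namespaceSelector" in peer:
        if not _selects(peer["namespaceSelector"], namespaces.get(src["ns"], {})):
            return False
        return _selects(peer.get("podSelector"), src["labels"])
    if "podSelector" in peer:
        return src["ns"] == policy_ns and _selects(peer["podSelector"], src["labels"])
    return True


def ingress_allowed(policies, dst, src, namespaces=NAMESPACES):
    """True if src may connect to dst. A pod no policy selects is not isolated; once
    selected, traffic needs a matching rule in at least one selecting policy."""
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == dst["ns"]
                 and _covers_ingress(p["spec"])
                 and _selects(p["spec"].get("podSelector"), dst["labels"])]
    if not selecting:
        return True
    for p in selecting:
        for rule in p["spec"].get("ingress") or []:
            peers = rule.get("from")
            if not peers:          # a rule without 'from' admits every source
                return True
            if any(_peer_matches(peer, src, p["metadata"]["namespace"], namespaces) for peer in peers):
                return True
    return False


def manifest(policy):
    """JSON is valid input for `oc apply -f -`, so no YAML library is needed."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for label, policies in [("no policy", []), ("allow-all", [DENY_ALL, ALLOW_ALL]),
                            ("allow-from-amq-online", [DENY_ALL, ALLOW_FROM_AMQ_ONLINE])]:
        print(f"{label:22} from amq-online: {ingress_allowed(policies, APP_POD, AMQ_POD)}"
              f"  from other-app: {ingress_allowed(policies, APP_POD, OTHER_POD)}")
    print(manifest(ALLOW_FROM_AMQ_ONLINE))
```

Run it to see that allow-all admits other-app as well as the managed-service project, while allow-from-amq-online admits only the latter; pipe manifest() into oc apply -f - once you have picked the policy you actually want.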
3scale user management
Red Hat 3scale API Management allows you to manage APIs for internal or external users.
You can navigate to the 3scale console from the Manage APIs item in the Solution Explorer.
User management with 3scale in Managed Integration can be summarized as follows:
- All users with access to the cluster can log in to 3scale API Management.
- All cluster administrators have administrator privileges in 3scale.
- Only a cluster administrator or a developer with 3scale administrator privileges can create new products.
- Only a cluster administrator can grant 3scale administrator privileges to a cluster user.
The Portal Admin Guide describes how to administer users in 3scale. However, you cannot delete a user from 3scale in Managed Integration. To remove a user's 3scale access, revoke that user's cluster privileges; when a user is removed from the cluster, the user is also removed from 3scale.
For more information on managing 3scale users, see the Portal Admin Guide.