Using the API Product Kubernetes resource

API Product Kubernetes resources (API Product resources) are used to define and manage API Products in an API Manager. This Kubernetes resource is managed by the Cloud Pak for Integration operator, which communicates with an instance of an API Manager to create, update, and delete your API Products declaratively by using YAML Kubernetes objects. For more information about Products, see Working with Products in the API Connect documentation.

You can create an API Product resource by using the IBM Cloud Pak Platform UI or the CLI.

For more information on the end-to-end usage of the API and API Product Kubernetes resources, see Using the API and API Product Kubernetes resources.

Creating an API Product resource by using the Platform UI

  1. Log in to Platform UI.

  2. On the Instances page, click Create an instance.

  3. On the "Create an instance" page, select the API Product tile, then click Next.

  4. On the "Create an API Product" page, enter values for the required fields. For more information, see Custom resource values.

  5. (Optional) If you're not ready to deploy your instance, save a draft version of it. Click the overflow menu (three-dot icon), then click Save as draft. The configuration for the instance is stored in the Platform UI. You can continue editing the draft version until you are ready to create the instance from it.

  6. Click Create to initiate deployment. You are redirected to the home page. The API Product resource begins deployment and is initially in the Pending state. Click Pending to confirm the progress of the deployment. When the deployment is complete, the status changes to Ready.

Creating an API Product resource by using the CLI

  1. Log in to your OpenShift cluster with your OpenShift user credentials:

    oc login

  2. Create a product YAML file. For example, create a file called product.yaml with the following example configuration. Update the values as indicated:

    • For metadata.namespace, enter your project (namespace) name.

    • For spec.state, specify a lifecycle state. For more information, see The Product lifecycle.

    • For spec.apis, specify a list of APIs and integration runtimes that you want to be included in this product.

      • spec.apis.apis - specify an array with the names of API Kubernetes resources that you want this API Product resource to consume. For more information, see Using the API Kubernetes resource.

      • spec.apis.integrationRuntimes - specify an array with the names of IntegrationRuntime resources that you want this product to consume. For more information, see Custom resource values.

    • For spec.share.apim:

      • credentialsSecret - the name created in the Create a secret with your API Manager credentials section.

      • providerOrg - the name of the API Manager provider organization to which this product should be added.

      • catalog - the name of the API Manager catalog to which this product should be added.

    • Set any other configuration values as required, such as defining the properties of the product under spec.definition. For example:

      apiVersion: apiconnect.ibm.com/v1beta1
kind: Product
metadata:
  name: example-product
  namespace: <namespace>
spec:
  state: Published
  definition:
    product: 1.0.0
    info:
      title: Example
      name: test-https-routes-noauth
      version: '1.0'
    plans:
      default-plan:
        rate-limits:
          default:
            value: 100/1hour
        title: Default Plan
        description: Default Plan
        approval: false
  apis:
    integrationRuntimes:
      - name: test-https-routes-noauth
    apis:
      - name: example-api-resource
  share:
    apim:
      credentialsSecret: apim-credentials
      providerOrg: main-demo
      catalog: main-demo-catalog

  3. Apply the YAML file to the OpenShift cluster:

    oc apply -f product.yaml

  4. Check the status of the Product by running the following command in the project (namespace) where it is deployed:

    oc get product

Create a secret with your API Manager credentials

Create a secret that contains the credentials for the API Manager that you want the API Product resource to use.

You can have multiple secrets in the same namespace, and also have API Product resources that reference different secrets.

  1. Complete the prerequisites for authentication with an API Manager.

    Authenticating with an API Manager by using an API key is the default authentication method. This method has the benefit of being easier and more flexible, given that you can access another system without a dependency on engaging the user. However, if you need to use basic authentication credentials (username and password), you can do so by using the API Connect local user registry. API keys are associated with a user account, and therefore inherit only the permissions of that user.

    • To use an API key, generate a key by following the instructions in Managing platform REST API keys in the IBM API Connect documentation. (If the API Manager is set up with more than one provider realm, you can use a key with the value of 'realm'.)

    • You need to configure your API key as a multi-use API key. For more information, see Configuring API key settings.

    For more information on using an API key and API Connect REST APIs, see apic login and API Connect REST APIs in the API Connect documentation.

  2. Create the secret:

cat <<EOF | oc apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: apim-credentials
type: Opaque
stringData:
  base_url: https://<api-connect-base-url>
  username: <username>
  password: <password>
  trusted_cert: |-
    <certificate>
EOF

If you are using an API key, replace <credentials> with the following section, adding your own value for the API key:

grant_type: api_key
api_key: <api_key_value>

If you are using basic authentication, replace <credentials> with the following section, adding your own values for the username and password:

 username: <username>
 password: <password>

  1. To get the values you need to use within the secret, run the following command in the namespace where the API Manager is installed, replacing <instance-name> with the name of the API Manager instance:

    oc get ManagementCluster <instance-name>-mgmt -o json | jq -r '.status.endpoints[] | select(.name=="platformApi")'

    This returns a JSON object with the following structure, where <api-secret-name>, and <api-connect-base-url>, are values that change depending on the name of your API Manager instance.

    {
  "name": "platformApi",
  "type": "API",
  "secretName: "<api-secret-name>",
  "uri": "<api-connect-base-url>"
}

  2. Replace the values in the secret with the returned values, as follows:

    • <api-connect-base-url> - use the values that were generated in the previous command.

    • <certificate> - use the certificate content for a cert that the API Manager trusts. On OpenShift, get this content by running the following command in the namespace where the API Manager is installed, replacing <api-secret-name>, with the value that was generated in the previous step:

      oc get secret <api-secret-name> -o json | jq -r '.data["ca.crt"]' | base64 --decode

    • Replace <username> with the username that you want to use.

    • Replace <password> with the password for that username.

Custom resource values

The following table lists the configurable parameters and default values for the Kubernetes resource.

Parameter Description Default
apiVersion The API version that specifies which schema is used for this API Product resource.
kind The resource type. Product
metadata.name A name by which the API Product resource can be identified.
metadata.namespace The namespace in which the API Product resource is created.
spec.state The required state for the product: Staged, Published, Deprecated, or Retired.
spec.migrateSubscriptions Defaults to true if omitted. If true, when the API Product Kubernetes resource is modified to create a new version of the product, the subscriptions are migrated from the old version to the new version. If the old and new products need to be supported concurrently, a new Product CR should be created for the new version, and the old Product CR should be left unchanged. true
spec.share This object is configured to add the Product to an API Manager and transition to the required state.
spec.share.apim Adds the API Product to an API Manager.
spec.share.apim.credentialsSecret The name of the secret that contains the credentials needed to connect to the API Manager. The secret is in the same namespace as the resource for the Product. For more information, see Create a secret with your API Manager credentials.
spec.share.apim.providerOrg The provider organization in which the Product is created.
spec.share.apim.catalog The catalog in which the Product is created.
spec.share.apim.space If specified, the space in which the Product is created. If not specified, the Product is added to <provider_organization>/<catalog> rather than <provider_organization>/<catalog>/<space> .
spec.definition Defines the product. This matches the format of the Product's YAML or JSON specification that is used by an API Manager.
spec.apis Specifies which APIs to add to the Product's YAML or JSON specification before it is passed to the API Manager.
spec.apis.apis Specifies the names of API CRs that you want to be selected.
spec.apis.apis[].name The name of the API resource in the same namespace as this API Product resource. Add the API resource to the Product resource in the api section. Use the name of the API resource as the key and the name:version of the API specification in the referenced API as the value.
spec.apis.integrationRuntimes Specify which REST API document to retrieve from running IntegrationRuntimes that are in the same namespace as this Product.
spec.apis.integrationRuntimes[].name An array of names of Integration runtimes that are in the same namespace as this API Product resource.
spec.apis.integrationRuntimes[].security If specified, this value overrides the security specification in the OpenApi specification (optional).
spec.apis.integrationRuntimes[].security.type Specify one of the following values:
  • NoOp - Leaves the security definitions unchanged
  • ClientID - Adds the required securityDefinitions and security to require the "X-IBM-Client-Id" header parameter on all operations
  • "ClientIDSecret" - adds the required securityDefinitions and security to require the "X-IBM-Client-Id" and "X-IBM-Client-Secret" header parameters on all operations.
 ClientID
spec.apis.integrationRuntimes[].restApis If specified, only the REST APIs listed in this array are imported. If not specified, all REST APIs from the integration runtime are imported.
spec.apis.integrationRuntimes[].restApis[].name The name of the REST API to use.
spec.apis.integrationRuntimes[].restApis[].security If specified, overrides the configuration for spec.apis.integrationRuntimes[].security. Enables fine-grained security configuration for APIs and runtimes.
spec.apis.integrationRuntimes[].restApis[].security.type Configures the security type. Use one of the following values:
  • NoOp - Leaves the security definitions unchanged
  • ClientID - Adds the required securityDefinitions and security so that the X-IBM-Client-Id header parameter is required on all operations
  • ClientIDSecret- Adds the required securityDefinitions and security so that the X-IBM-Client-Id and X-IBM-Client-Secret header parameters are required on all operations.
status.conditions Returns information on the current condition of the API Product resource.
status.metadata Returns metadata for the API Product resource.