Explore the 3scale Environment (Migration Source)
In this module you will inspect the two applications deployed with Red Hat 3scale API Management. These are the migration source. Understanding exactly how they are configured is critical for planning the migration to Connectivity Link.
Part 1 — Neuralbank on 3scale (OIDC Authentication)
The neuralbank-3scale namespace contains the Neuralbank banking API protected by a 3scale Product with OIDC authentication via Keycloak.
1.1 Inspect the running pods
```bash
oc get pods -n neuralbank-3scale
```

| Pod | Role |
|---|---|
| | Quarkus REST API ( |
| | Web SPA (credit visualization) |
| | PostgreSQL database with seed data |
1.2 Inspect the 3scale Product (OIDC)
The Product is the central 3scale resource. It defines the public API endpoint, authentication method, backend references, and application plans.
```bash
oc get product -n 3scale-system | grep neuralbank
oc get product neuralbank-oidc-product -n 3scale-system -o yaml
```

Here is the actual Product configuration deployed in the cluster:

```yaml
apiVersion: capabilities.3scale.net/v1beta1
kind: Product
metadata:
  name: neuralbank-oidc-product
  namespace: 3scale-system
spec:
  name: "Neuralbank API (OIDC)"
  systemName: neuralbank-oidc
  backendUsages:
    neuralbank-backend-api:
      path: /
  deployment:
    apicastHosted:
      authentication:
        oidc:
          issuerType: keycloak
          issuerEndpoint: "https://rhbk.{cluster_domain}/realms/neuralbank"
          jwtClaimWithClientID: azp
          jwtClaimWithClientIDType: plain
          authenticationFlow:
            standardFlowEnabled: true
            implicitFlowEnabled: false
            serviceAccountsEnabled: true
            directAccessGrantsEnabled: true
  applicationPlans:
    basic:
      name: "Basic Plan"
      limits:
        - period: minute
          value: 60
          metricMethodRef:
            systemName: hits
    premium:
      name: "Premium Plan"
      limits:
        - period: minute
          value: 300
          metricMethodRef:
            systemName: hits
```
Key configuration points:
- `deployment.apicastHosted.authentication.oidc` — tells APIcast to validate JWT tokens against Keycloak
- `issuerEndpoint` — the Keycloak realm URL that APIcast uses to discover OIDC endpoints
- `jwtClaimWithClientID: azp` — the JWT claim used to identify the API consumer
- `authenticationFlow` — enables standard (browser redirect) and direct access grants (password flow for CLI)
- `applicationPlans` — two tiers: basic (60 req/min) and premium (300 req/min)
- `backendUsages` — links to the Backend resource that defines the internal service URL
1.3 Inspect the 3scale Backend
The Backend resource defines the private base URL (the internal Kubernetes Service) and the MappingRules that map URL patterns to metrics:
```bash
oc get backend -n 3scale-system | grep neuralbank
oc get backend neuralbank-backend-api -n 3scale-system -o yaml
```

```yaml
apiVersion: capabilities.3scale.net/v1beta1
kind: Backend
metadata:
  name: neuralbank-backend-api
  namespace: 3scale-system
spec:
  name: "Neuralbank Backend API"
  systemName: neuralbank-backend-api
  privateBaseURL: "http://neuralbank-backend-svc.neuralbank-3scale.svc.cluster.local:8080"
  mappingRules:
    - httpMethod: GET
      pattern: "/api/v1/customers$"
      metricMethodRef: hits
      increment: 1
    - httpMethod: GET
      pattern: "/api/v1/customers/{id}$"
      metricMethodRef: hits
      increment: 1
    - httpMethod: POST
      pattern: "/api/v1/customers$"
      metricMethodRef: hits
      increment: 1
    - httpMethod: GET
      pattern: "/q/openapi$"
      metricMethodRef: hits
      increment: 1
    - httpMethod: GET
      pattern: "/q/swagger-ui"
      metricMethodRef: hits
      increment: 1
  metrics:
    hits:
      friendlyName: Hits
      unit: hit
      description: Number of API hits
```
Key configuration points:
- `privateBaseURL` — the internal K8s Service URL that APIcast forwards traffic to
- `mappingRules` — each rule maps an HTTP method + URL pattern to a metric; this is how 3scale tracks and limits API usage
- Every API call increments the `hits` metric, which is used by the Application Plans to enforce rate limits
1.4 Inspect the ActiveDoc
The ActiveDoc attaches an OpenAPI specification to the Product:
```bash
oc get activedoc -n 3scale-system | grep neuralbank
```

```yaml
apiVersion: capabilities.3scale.net/v1beta1
kind: ActiveDoc
metadata:
  name: neuralbank-activedoc
  namespace: 3scale-system
spec:
  name: "Neuralbank Credit Management API"
  productSystemName: neuralbank-oidc
  activeDocOpenAPIRef:
    url: "https://neuralbank-3scale.{cluster_domain}/q/openapi"
  published: true
```
1.5 How it all fits together (Neuralbank OIDC)
```text
Client → OpenShift Route → APIcast Gateway
                                  │
                        ┌─────────┴──────────┐
                        │ Product Config:    │
                        │ - OIDC auth        │
                        │ - Keycloak issuer  │
                        │ - Application Plan │
                        │   (60 or 300/min)  │
                        └─────────┬──────────┘
                                  │
                        ┌─────────┴──────────┐
                        │ Backend Config:    │
                        │ - MappingRules     │
                        │ - privateBaseURL   │
                        └─────────┬──────────┘
                                  │
                     neuralbank-backend-svc:8080
                    (neuralbank-3scale namespace)
```
Part 2 — NFL Wallet on 3scale (API Key Authentication)
The nfl-wallet-3scale namespace contains the NFL Wallet API protected by a 3scale Product with API Key (user_key) authentication.
2.2 Inspect the 3scale Product (API Key)
```bash
oc get product -n 3scale-system | grep nfl-wallet
oc get product nfl-wallet-apikey-product -n 3scale-system -o yaml
```

```yaml
apiVersion: capabilities.3scale.net/v1beta1
kind: Product
metadata:
  name: nfl-wallet-apikey-product
  namespace: 3scale-system
spec:
  name: "NFL Wallet API (API Key)"
  systemName: nfl-wallet-apikey
  backendUsages:
    nfl-wallet-backend-api:
      path: /
  deployment:
    apicastHosted:
      authentication:
        userkey:
          authUserKey: user_key
          credentials: query
  applicationPlans:
    basic:
      name: "Basic Plan"
      limits:
        - period: minute
          value: 120
          metricMethodRef:
            systemName: hits
    premium:
      name: "Premium Plan"
      limits:
        - period: minute
          value: 600
          metricMethodRef:
            systemName: hits
```
Key differences from the Neuralbank Product:
- `authentication.userkey` — uses a `user_key` query parameter instead of OIDC tokens
- `credentials: query` — the key is passed as a URL query parameter (e.g. `?user_key=abc123`)
- Applications get a static `user_key` value when subscribing to a plan
- APIcast validates the key against the 3scale internal database (Redis)
2.3 Inspect the Backend (MappingRules)
```bash
oc get backend nfl-wallet-backend-api -n 3scale-system -o yaml
```

```yaml
apiVersion: capabilities.3scale.net/v1beta1
kind: Backend
metadata:
  name: nfl-wallet-backend-api
  namespace: 3scale-system
spec:
  name: "NFL Wallet Backend API"
  systemName: nfl-wallet-backend-api
  privateBaseURL: "http://nfl-wallet-api.nfl-wallet-3scale.svc.cluster.local:8080"
  mappingRules:
    - httpMethod: GET
      pattern: "/api/v1/customers$"
      metricMethodRef: hits
      increment: 1
    - httpMethod: GET
      pattern: "/api/v1/customers/{id}$"
      metricMethodRef: hits
      increment: 1
    - httpMethod: POST
      pattern: "/api/v1/customers$"
      metricMethodRef: hits
      increment: 1
  metrics:
    hits:
      friendlyName: Hits
      unit: hit
      description: Number of API hits
```
3scale resource summary
| Resource | Neuralbank (OIDC) | NFL Wallet (API Key) |
|---|---|---|
| Product | | |
| Backend | | |
| Auth Type | OIDC ( | user_key ( |
| Application Plans | basic (60/min), premium (300/min) | basic (120/min), premium (600/min) |
| MappingRules | 5 rules (GET/POST customers, openapi, swagger) | 3 rules (GET/POST customers) |
| ActiveDoc | | |
| App Namespace | | |
| CRDs Namespace | | |
Notice that 3scale CRDs (Product, Backend, ActiveDoc) live in 3scale-system, separate from the application namespace. This is a key architectural difference — in Connectivity Link, all policies live in the same namespace as the application.
What to look for during migration
When migrating from 3scale, extract these values from the Product and Backend:
| 3scale Value | Where to Find | Maps to in Connectivity Link |
|---|---|---|
| Auth type (OIDC or API Key) | | AuthPolicy type (jwt or apiKey) |
| Keycloak issuer URL | | AuthPolicy |
| Backend service URL | | HTTPRoute |
| MappingRules patterns | | HTTPRoute |
| Rate limits | | RateLimitPolicy |
| Plan tiers | | PlanPolicy |
| OpenAPI spec URL | | APIProduct |
This mapping is exactly what the "Migrate from 3scale to Connectivity Link" Software Template automates. In the next modules you will explore the Connectivity Link equivalents, and then run the migration template.
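The extraction the table above describes, as an added example in Python (not part of the workshop and not the Software Template's code): it reads the `.spec` of a Product and a Backend and returns the values to carry over, plus the settings worth reviewing before they are copied. The sample specs are constructed from the YAML on this page; `path_match` and `migration_inventory` are hypothetical names, and translating `$`-anchored, unanchored and `{id}` patterns into `Exact`, `PathPrefix` and `RegularExpression` HTTPRoute matches is an assumption about the target route.

```python
import re

# Constructed samples: the .spec of the Product and Backend CRs shown on this page,
# trimmed to the fields read below (the shape `oc get ... -o json` returns).
NEURALBANK_PRODUCT = {
    "deployment": {"apicastHosted": {"authentication": {"oidc": {
        "issuerEndpoint": "https://rhbk.{cluster_domain}/realms/neuralbank",
        "authenticationFlow": {"standardFlowEnabled": True, "directAccessGrantsEnabled": True}}}}},
    "applicationPlans": {"basic": {"limits": [{"period": "minute", "value": 60}]},
                         "premium": {"limits": [{"period": "minute", "value": 300}]}}}
NFL_PRODUCT = {
    "deployment": {"apicastHosted": {"authentication": {
        "userkey": {"authUserKey": "user_key", "credentials": "query"}}}},
    "applicationPlans": {"basic": {"limits": [{"period": "minute", "value": 120}]},
                         "premium": {"limits": [{"period": "minute", "value": 600}]}}}
NEURALBANK_BACKEND = {
    "privateBaseURL": "http://neuralbank-backend-svc.neuralbank-3scale.svc.cluster.local:8080",
    "mappingRules": [
        {"httpMethod": "GET", "pattern": "/api/v1/customers$"},
        {"httpMethod": "GET", "pattern": "/api/v1/customers/{id}$"},
        {"httpMethod": "GET", "pattern": "/q/swagger-ui"}]}
NFL_BACKEND = {
    "privateBaseURL": "http://nfl-wallet-api.nfl-wallet-3scale.svc.cluster.local:8080",
    "mappingRules": [{"httpMethod": "POST", "pattern": "/api/v1/customers$"}]}

def path_match(pattern):
    """3scale pattern -> Gateway API HTTPRoute path match (assumed translation)."""
    exact = pattern.endswith("$")          # 3scale: trailing $ anchors, otherwise prefix match
    parts = re.split(r"\{[^/}]+\}", pattern.rstrip("$"))
    if len(parts) > 1:                     # {id}-style wildcard stands for one path segment
        regex = "[^/]+".join(re.escape(p) for p in parts)
        return {"type": "RegularExpression", "value": "^" + regex + ("$" if exact else "")}
    return {"type": "Exact" if exact else "PathPrefix", "value": parts[0]}

def migration_inventory(product, backend):
    """Collect the values the table lists, plus settings to review before copying them."""
    auth = product["deployment"]["apicastHosted"]["authentication"]
    inv = {"auth_type": "jwt" if "oidc" in auth else "apiKey", "review": []}
    if "oidc" in auth:
        inv["issuer_url"] = auth["oidc"]["issuerEndpoint"]
        if auth["oidc"].get("authenticationFlow", {}).get("directAccessGrantsEnabled"):
            inv["review"].append("password grant (directAccessGrantsEnabled) is on")
    elif auth["userkey"].get("credentials") == "query":
        inv["review"].append("user_key travels in the URL and ends up in access logs")
    inv["backend_url"] = backend["privateBaseURL"]
    inv["routes"] = [(r["httpMethod"], path_match(r["pattern"])) for r in backend["mappingRules"]]
    inv["rate_limits"] = {name: [(l["value"], l["period"]) for l in plan.get("limits", [])]
                          for name, plan in product["applicationPlans"].items()}
    return inv
```

To run it against the cluster, fetch each resource with `-o json` instead of `-o yaml` and pass its `spec` object to `migration_inventory`.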