Add support for existing Secrets and External Secrets Operator
Some checks failed
Helm Chart Build / lint-only (push) Has been skipped
Helm Chart Build / build-helm (push) Failing after 9s
Build and Deploy / build-api (push) Successful in 51s
Build and Deploy / build-web (push) Successful in 1m3s

Enhanced secret management for API7 Gateway credentials with support
for existing Secrets and External Secrets Operator integration.

Changes:

1. Secret Configuration:
   - Added api7.gateway.existingSecret parameter for using existing secrets
   - Added api7.gateway.existingSecretKeys for custom key names
   - Modified secret-api7.yaml to only create secret if existingSecret is empty
   - Updated job-adc-sync.yaml to reference configurable secret name

2. Values.yaml Documentation:
   - Added comprehensive documentation for secret configuration options
   - Documented two approaches: inline config (dev) vs existing secret (prod)
   - Added example kubectl command for creating secrets manually
   - Included instructions for obtaining admin key from API7 EE

3. External Secrets Support:
   - Created externalsecret-api7.yaml.example with complete examples
   - Included examples for AWS Secrets Manager and HashiCorp Vault
   - Documented SecretStore configuration patterns

4. Documentation:
   - Created SECRET-MANAGEMENT.md comprehensive guide
   - Covered all secret management options (inline, manual, external)
   - Added security best practices and troubleshooting guide
   - Included examples for External Secrets Operator setup

Benefits:
- Improved security: Secrets not stored in values.yaml
- Flexibility: Support for any secret management tool
- Production-ready: Works with External Secrets Operator
- Better practices: Clear separation of config vs secrets

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
d.viti
2025-10-09 15:53:38 +02:00
parent f5a4071b71
commit 694709ae9a
5 changed files with 370 additions and 7 deletions


@@ -258,6 +258,40 @@ api7:
# API7 Gateway Connection Settings
gateway:
# ========================================================================
# Secret Configuration
# ========================================================================
# Option 1: Use existing Secret (recommended for production)
# Provide the name of an existing Kubernetes Secret containing credentials.
# This is useful when using External Secrets Operator, Sealed Secrets,
# or manually managed secrets for better security.
#
# The secret must contain these keys (or customize with existingSecretKeys):
# - admin-url: Dashboard admin API URL
# - admin-key: Dashboard admin API key
# - gateway-group: Gateway group name
#
# Example: Create secret manually:
# kubectl create secret generic api7-credentials \
# --from-literal=admin-url=https://api7ee3-0-1759339083-dashboard:7443 \
# --from-literal=admin-key=YOUR_ADMIN_KEY \
# --from-literal=gateway-group=default \
# -n api7ee
existingSecret: "" # Name of existing secret (leave empty to create new secret)
# Custom key names for existing secret (optional)
# Only needed if your existing secret uses different key names
existingSecretKeys:
adminUrl: admin-url # Key name for admin URL
adminKey: admin-key # Key name for admin key
group: gateway-group # Key name for gateway group
# ========================================================================
# Option 2: Inline Configuration (for development only)
# ========================================================================
# When existingSecret is empty, a Secret will be created with these values.
# NOT RECOMMENDED for production - use existingSecret instead!
# Dashboard Admin API URL (HTTPS required for API7 Enterprise)
# The dashboard service exposes the admin API on port 7443
adminUrl: https://api7ee3-0-1759339083-dashboard:7443
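Review bot: The "Create secret manually" example under "Option 1" passes the admin key as `--from-literal=admin-key=YOUR_ADMIN_KEY`, which leaves the key in shell history and in the process list while kubectl runs; since the comment block is the guidance operators will copy, prefer `--from-file=admin-key=./admin-key` (a file readable only by the operator) or `--from-env-file`, and say so in the comment. Relatedly, this hunk stores `admin-url` and `gateway-group` in the same Secret as `admin-key`, while the commit message promises "clear separation of config vs secrets"; neither the URL nor the group name is sensitive, so consider keeping only `admin-key` in the Secret (or at least documenting that the two non-secret keys are required only because the templates read all three from one object), which also makes the External Secrets Operator mapping smaller.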
@@ -269,6 +303,9 @@ api7:
# Gateway group name (logical grouping of gateway instances)
group: default
# ========================================================================
# Gateway Service Configuration
# ========================================================================
# Gateway service name (for traffic routing)
# This is the Kubernetes service that routes traffic to APISIX data plane
gatewayService: gateway-0-1759393614-gateway
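Review bot: The inline `group: default` (and the inline `adminUrl` above it) is still populated when `existingSecret` is set, but nothing here states which value wins; the comment on `group` should say that it is ignored in favour of the `gateway-group` key of the existing Secret, otherwise an operator who sets both and later rotates the Secret may get a silent mismatch between the two. A one-line note such as `# Ignored when api7.gateway.existingSecret is set` next to `group:` would close that gap.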