Service discovery requires Service Registry to be configured in
API7 Enterprise Dashboard first. Until the registry is configured,
ADC sync fails with: 'service registry not found'
Disabling service discovery to use static upstream nodes instead.
To re-enable:
1. Configure Service Registry in API7 Dashboard
2. Set api7.serviceDiscovery.enabled: true
3. Redeploy
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Fixed service discovery configuration to use correct ADC syntax.
The namespace should be included in the service_name, not as a
separate namespace_id field.
Error:
✖ Unrecognized key: "namespace_id"
→ at services[0].upstream
Fix:
- Changed from: service_name: my-service + namespace_id: namespace
- Changed to: service_name: namespace/my-service
This matches the ADC/API7 expected format for Kubernetes service
discovery: "namespace/service-name"
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Reorganized documentation to be part of MkDocs site with three new
comprehensive guides covering API7 Gateway configuration.
Changes:
1. Documentation Structure:
- Moved SECRET-MANAGEMENT.md from helm/ to web/docs/
- Created service-discovery.md with complete guide
- Created ingress-routing.md with routing architecture
- Moved externalsecret examples to web/docs/examples/
2. New Documentation - Service Discovery:
- How service discovery works (architecture diagram)
- Benefits vs static configuration
- Configuration examples
- RBAC requirements
- Advanced use cases (auto-scaling, rolling updates)
- Load balancing algorithms
- Monitoring and troubleshooting
- Best practices
3. New Documentation - Ingress & Routing:
- Complete traffic flow architecture
- Ingress configuration explained
- Gateway routing rules and priority
- URI matching patterns (prefix, exact, regex)
- TLS/SSL with cert-manager
- Advanced routing scenarios:
* Multiple domains
* Path-based routing
* Header-based routing
* Method-based routing
- Configuration examples (microservices, WebSocket, canary)
- Monitoring and debugging
- Troubleshooting common issues
4. MkDocs Navigation:
- Updated mkdocs.yml with new pages in Configuration section
- Added: Ingress & Routing
- Added: Service Discovery
- Added: Secret Management
5. Examples Directory:
- Created web/docs/examples/ for configuration examples
- Moved ExternalSecret examples with multiple providers:
* AWS Secrets Manager
* HashiCorp Vault
* Azure Key Vault
* GCP Secret Manager
All documentation now integrated into MkDocs site with proper
navigation, cross-references, and Material theme styling.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Enhanced secret management for API7 Gateway credentials with support
for existing Secrets and External Secrets Operator integration.
Changes:
1. Secret Configuration:
- Added api7.gateway.existingSecret parameter for using existing secrets
- Added api7.gateway.existingSecretKeys for custom key names
- Modified secret-api7.yaml to only create secret if existingSecret is empty
- Updated job-adc-sync.yaml to reference configurable secret name
2. Values.yaml Documentation:
- Added comprehensive documentation for secret configuration options
- Documented two approaches: inline config (dev) vs existing secret (prod)
- Added example kubectl command for creating secrets manually
- Included instructions for obtaining admin key from API7 EE
3. External Secrets Support:
- Created externalsecret-api7.yaml.example with complete examples
- Included examples for AWS Secrets Manager and HashiCorp Vault
- Documented SecretStore configuration patterns
4. Documentation:
- Created SECRET-MANAGEMENT.md comprehensive guide
- Covered all secret management options (inline, manual, external)
- Added security best practices and troubleshooting guide
- Included examples for External Secrets Operator setup
Benefits:
- Improved security: Secrets not stored in values.yaml
- Flexibility: Support for any secret management tool
- Production-ready: Works with External Secrets Operator
- Better practices: Clear separation of config vs secrets
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Enhanced values.yaml with comprehensive documentation and better organization:
Documentation improvements:
- Added detailed inline comments for all API7 Gateway configuration sections
- Documented Ingress routing behavior (gateway vs direct service routing)
- Explained Service Discovery benefits and requirements
- Added detailed plugin configuration documentation (rate limiting, CORS, auth)
- Included usage examples and production recommendations
Configuration enhancements:
- Added gateway.gatewayNamespace for better organization
- Added TLS certificate configuration options (duration, renewBefore, algorithm, size)
- Added ADC resource limits configuration
- Improved CORS and rate limiting documentation with parameter explanations
- Added consumer/authentication documentation
Template updates:
- Updated certificate.yaml to use configurable TLS parameters
- Updated job-adc-sync.yaml to use configurable ADC resources
The values.yaml now serves as comprehensive documentation for all
API7 Gateway features and configuration options, making it easier
for users to understand and customize their deployment.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Configured API7 Gateway to use Kubernetes Service Discovery instead of
static upstream nodes. This enables dynamic discovery of backend Pods
through the Kubernetes API.
Benefits:
- Automatic scaling: New Pods are automatically added to upstream pool
- Health checks: Only healthy Pods receive traffic
- Zero downtime: Automatic updates during deployments and rollouts
- No manual upstream configuration needed
Changes:
- Updated configmap-adc.yaml to use discovery_type: kubernetes
- Service discovery queries Kubernetes API for Pod endpoints
- Falls back to static nodes if serviceDiscovery.enabled is false
- Added documentation in values.yaml explaining the feature
The RBAC permissions (services, endpoints watch) were already configured
in rbac-adc.yaml, so no additional permissions are needed.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Modified Ingress configuration to route all traffic through the API7
Gateway (gateway-0-1759393614-gateway) instead of directly to application
services. This enables API7's advanced routing, rate limiting, CORS, and
other gateway features.
Changes:
- Updated ingress.yaml template to support gateway backend routing
- Modified values.yaml to route traffic to API7 Gateway service
- Disabled web and api services (now optional) as routing is handled by API7
- Removed nginx.ingress.kubernetes.io/rewrite-target annotation
- Maintained backward compatibility with legacy service-based routing
The Ingress now directs traffic to the API7 Gateway which handles all
routing logic defined in the ADC configuration.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Made the global_rules section conditional on logging being enabled.
Previously, when logging was disabled, global_rules was rendered as
an empty object (null), causing a lint error:
"Invalid input: expected record, received null at global_rules"
Now the entire global_rules section is only included when there are
actual rules to add.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Removed the prometheus-metrics global rule configuration which was
causing "custom plugin (prometheus-metrics) not found" error.
API7 Enterprise doesn't support prometheus as a global rule plugin
in this configuration format. Prometheus metrics can be configured
differently if needed.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Changed CORS plugin array values to comma-separated strings:
- allow_origins: from JSON array to comma-separated string
- allow_methods: from JSON array to comma-separated string
- allow_headers: from JSON array to comma-separated string
- expose_headers: from JSON array to comma-separated string
API7 Enterprise expects string values with comma-separated items,
not JSON arrays. This fixes the validation error:
"Invalid type. Expected: string, given: array"
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Changed adminUrl to use HTTPS instead of HTTP:
- Before: http://api7ee3-0-1759339083-dashboard:7080
- After: https://api7ee3-0-1759339083-dashboard:7443
Also enabled tlsSkipVerify for the dashboard's self-signed certificate.
Testing revealed that:
- Port 7080 HTTP doesn't work (pod listens on 7081 localhost only)
- Port 7443 HTTPS is the correct admin API endpoint
- Self-signed certificate requires TLS verification skip
This fixes the ADC sync job 404 errors.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Added conditional --tls-skip-verify flag to ADC sync job arguments.
This flag is controlled by .Values.api7.adc.tlsSkipVerify and allows
ADC to connect to API7 Enterprise dashboard with self-signed certificates.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Changed adminUrl from dp-manager:7900 to dashboard:7080 for API7
Enterprise backend. The dp-manager service is for APISIX, while
API7EE requires the dashboard service which exposes the admin API.
This fixes the 404 errors when ADC tries to fetch configuration:
- GET /api/version
- GET /api/gateway_groups
- GET /api/schema/core
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Changed global_rules from array format (- id: name) to object format
(name:) to match ADC schema requirements. This fixes the lint error:
"Invalid input: expected record, received array at global_rules"
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Added OpenAI-compatible LLM endpoints to API backend - Introduced web
frontend with Jinja2 templates and static assets - Implemented API proxy
routes in web service - Added sample db.json data for items, users,
orders, reviews, categories, llm_requests - Updated ADC and Helm configs
for separate AI and standard rate limiting - Upgraded FastAPI, Uvicorn,
and added httpx, Jinja2, python-multipart dependencies - Added API
configuration modal and client-side JS for web app
- Changed chart name from api7ee to api7ee-demo-k8s in Chart.yaml
- Renamed helm/api7ee directory to helm/api7ee-demo-k8s
- Updated all references in build.yml workflow
- Updated all references in helm-release.yml workflow
- Updated main README.md with new chart name
- Updated Helm chart README with new chart name
- Verified all old references have been replaced
- Chart packages correctly as api7ee-demo-k8s-{version}.tgz
- Updated values.yaml to use gitea.repository placeholder
- Modified build.yml workflow to replace repository path dynamically
- Modified helm-release.yml workflow to replace repository path
- This allows the Helm chart to work with any Gitea repository structure
- Image paths are now built as: registry/gitea.repository/component
- Updated API7 gateway admin URL to use actual DP Manager service
- Changed hosts to api7-demo.commandware.it (matching wildcard ingress)
- Updated cert-manager issuer to cloudflare-acme-prod (existing in cluster)
- Added gatewayService reference to actual gateway service name
- Configured development values with API7 disabled for local testing
- Enhanced production values with proper domains and security settings
- Added support for multiple production domains
- Configured proper rate limits and auth for production
- Added ADC (API7 Declarative CLI) post-install job for automatic gateway setup
- Created ConfigMap with complete API7 routing and service configuration
- Integrated cert-manager for automatic TLS certificate management
- Added support for Kubernetes service discovery
- Implemented auto-publish feature for routes after deployment
- Added comprehensive API7 plugin configurations (rate limiting, CORS, auth)
- Created RBAC resources for ADC job to access cluster resources
- Secured admin credentials using Kubernetes secrets
- Updated values.yaml with extensive API7 configuration options
- Enhanced documentation with API7 setup and troubleshooting guides
- Updated Helm repository URL to use git.commandware.com
- Fixed production values to use git.commandware.com as image registry
- Corrected domain references to match actual infrastructure
- Created complete Helm chart with deployments, services, and ingress
- Added support for both web frontend and API backend components
- Included autoscaling (HPA) for both components
- Added pod disruption budgets for high availability
- Configured security contexts and best practices
- Created helper templates and configuration management
- Added production and development value files
- Included comprehensive README with installation instructions
