Enhanced API Swagger documentation and improved web interface navigation
with dropdown menus and better organization.
API Changes (api/main.py):
==========================
- Enhanced FastAPI app description with architecture diagram
- Added detailed rate limiting information
- Added server configurations (production + local)
- Added contact and license information
- Enhanced all endpoint descriptions with:
* Detailed parameter descriptions
* Response descriptions
* Error responses
* Rate limit information
* Usage examples
- Added Field descriptions to all Pydantic models
- Added schema examples for better Swagger UI
- Enhanced LLM endpoints with AI rate limiting details
- Added status codes (201, 404, 429, 500) to endpoints
- Improved startup message with docs URLs
Swagger UI Improvements:
- Better organized endpoint groups (Root, Health, Items, Users, LLM)
- Detailed request/response schemas
- Interactive examples for all endpoints
- Rate limiting documentation
- Architecture overview in description
Web Changes (web/templates/base.html):
======================================
- Added dropdown menu for API documentation with:
* API Root (/)
* Swagger UI (/docs)
* ReDoc (/redoc)
* OpenAPI JSON (/openapi.json)
- Added emoji icons to all menu items for better UX
- Added tooltips (title attributes) to all links
- Renamed "API Config" to "Settings" for clarity
- Added CSS for dropdown menu functionality
- Improved footer text
- Better visual hierarchy with icons
Navigation Menu:
- 🏠 Home
- 📦 Items
- 👥 Users
- 🤖 LLM Chat
- 📚 API Docs (dropdown with 4 options)
- ⚙️ Settings
All endpoints now have comprehensive documentation visible in Swagger UI
at https://commandware.it/api/docs
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Added proxy-rewrite plugin to strip /api prefix from requests before
forwarding to backend API microservice. The API service is a standalone
microservice that expects requests without the /api prefix.
Changes:
- Added proxy-rewrite plugin to both API routes:
* /api/llm/* route (priority 20)
* /api/* route (priority 10)
- Uses regex_uri to rewrite: /api/endpoint -> /endpoint
Example transformations:
- /api/health -> /health
- /api/users/123 -> /users/123
- /api/llm/chat -> /llm/chat
Plugin configuration:
  proxy-rewrite:
    regex_uri:
      - "^/api/(.*)"
      - "/$1"
This allows the API microservice to work independently without
needing to handle the /api prefix in its routes.
Reference: https://docs.api7.ai/hub/proxy-rewrite/
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
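Added example, not code from this repository: a small Python model of the two routes and the regex_uri rewrite described in the commit message above, useful for checking which upstream path a client path produces, including paths the pattern does not match. The function names are hypothetical and the route matching is a simplified assumption (a trailing "*" is a prefix match, highest priority wins).

```python
import re

# Routes and rewrite rule as listed in the commit message above.
# Assumption: trailing "*" means prefix match; highest priority wins.
ROUTES = [
    {"name": "llm", "uri": "/api/llm/*", "priority": 20},
    {"name": "api", "uri": "/api/*", "priority": 10},
]
REGEX_URI = ("^/api/(.*)", "/$1")


def match_route(path):
    """Return the name of the highest-priority matching route, or None."""
    hits = [r for r in ROUTES if path.startswith(r["uri"].rstrip("*"))]
    if not hits:
        return None
    return max(hits, key=lambda r: r["priority"])["name"]


def rewrite(path):
    """Apply regex_uri once; a path that does not match is left unchanged."""
    pattern, template = REGEX_URI
    # Translate the nginx-style "$1" reference into Python's "\g<1>".
    py_template = re.sub(r"\$(\d+)", r"\\g<\1>", template)
    return re.sub(pattern, py_template, path, count=1)


def upstream_request(path):
    """Return (route, upstream_path) for a client path, or None if unrouted."""
    route = match_route(path)
    if route is None:
        return None
    return route, rewrite(path)


if __name__ == "__main__":
    # Constructed sample paths: the three from the commit plus edge cases.
    for p in ["/api/health", "/api/users/123", "/api/llm/chat",
              "/api/", "/api", "/api/llm", "/apiary/x"]:
        print(f"{p!r:20} -> {upstream_request(p)}")
```

In this model "/api" without a trailing slash matches neither route, and "/api/llm" with no further path falls through to the general /api/* route.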
Service discovery requires Service Registry to be configured in
API7 Enterprise Dashboard first. Until the registry is configured,
ADC sync fails with: 'service registry not found'
Disabling service discovery to use static upstream nodes instead.
To re-enable:
1. Configure Service Registry in API7 Dashboard
2. Set api7.serviceDiscovery.enabled: true
3. Redeploy
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Fixed service discovery configuration to use correct ADC syntax.
The namespace should be included in the service_name, not as a
separate namespace_id field.
Error:
✖ Unrecognized key: "namespace_id"
→ at services[0].upstream
Fix:
- Changed from: service_name: my-service + namespace_id: namespace
- Changed to: service_name: namespace/my-service
This matches the ADC/API7 expected format for Kubernetes service
discovery: "namespace/service-name"
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Added Secret template for API7 Gateway credentials management
and improved .gitignore to prevent credential leaks.
Changes:
1. Secret Template (api7-credentials.yaml.template):
- Template for creating API7 Gateway admin credentials Secret
- Clear instructions for getting admin key from cluster
- Examples for both stringData and base64 encoded data
- Must be copied and filled in, then applied to cluster
2. .gitignore Updates:
- Added api7-credentials.yaml to ignore actual secrets
- Added wildcard *-credentials.yaml for any credential files
- Excluded templates (!*-credentials.yaml.template)
- Improved comments for clarity
3. README.md:
- Comprehensive quick start guide
- Features overview
- Installation steps with Secret creation
- Documentation links
- Basic troubleshooting
Security:
- Prevents committing actual credentials
- Clear separation between templates and actual secrets
- Instructions for secure credential management
Users should:
1. Copy api7-credentials.yaml.template
2. Fill in actual credentials
3. Apply to cluster
4. Never commit filled secrets to git
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
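Added example, not code from this repository: a Python check that evaluates the three .gitignore patterns named in the commit message above against a list of file names and reports credential-looking files that would still be tracked. The evaluator is a simplification of gitignore rules (slash-free patterns matched against the basename, last match wins); the function names and sample paths are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Patterns named in the commit message above, in file order.
PATTERNS = [
    "api7-credentials.yaml",
    "*-credentials.yaml",
    "!*-credentials.yaml.template",
]

# Constructed sample of working-tree paths.
SAMPLE = [
    "helm/api7-credentials.yaml",
    "helm/api7-credentials.yaml.template",
    "helm/api7-credentials.yml",
    "helm/api7-credentials.yaml.bak",
    "db-credentials.yaml",
    "README.md",
]


def is_ignored(path, patterns=PATTERNS):
    """Simplified gitignore check: basename match, last matching rule wins."""
    name = path.rsplit("/", 1)[-1]
    ignored = False
    for pattern in patterns:
        negate = pattern.startswith("!")
        glob = pattern[1:] if negate else pattern
        if fnmatchcase(name, glob):
            ignored = not negate
    return ignored


def audit(paths, patterns=PATTERNS):
    """Return credential-looking, non-template paths that are NOT ignored."""
    return [
        p for p in paths
        if "credentials" in p.lower()
        and not p.endswith(".template")
        and not is_ignored(p, patterns)
    ]


if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p:40} ignored={is_ignored(p)}")
    print("still tracked:", audit(SAMPLE))
```

The filled copies saved as .yml or .yaml.bak are not covered by the listed patterns, so a check like this can run before commit to catch them.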
Reorganized documentation to be part of MkDocs site with three new
comprehensive guides covering API7 Gateway configuration.
Changes:
1. Documentation Structure:
- Moved SECRET-MANAGEMENT.md from helm/ to web/docs/
- Created service-discovery.md with complete guide
- Created ingress-routing.md with routing architecture
- Moved externalsecret examples to web/docs/examples/
2. New Documentation - Service Discovery:
- How service discovery works (architecture diagram)
- Benefits vs static configuration
- Configuration examples
- RBAC requirements
- Advanced use cases (auto-scaling, rolling updates)
- Load balancing algorithms
- Monitoring and troubleshooting
- Best practices
3. New Documentation - Ingress & Routing:
- Complete traffic flow architecture
- Ingress configuration explained
- Gateway routing rules and priority
- URI matching patterns (prefix, exact, regex)
- TLS/SSL with cert-manager
- Advanced routing scenarios:
* Multiple domains
* Path-based routing
* Header-based routing
* Method-based routing
- Configuration examples (microservices, WebSocket, canary)
- Monitoring and debugging
- Troubleshooting common issues
4. MkDocs Navigation:
- Updated mkdocs.yml with new pages in Configuration section
- Added: Ingress & Routing
- Added: Service Discovery
- Added: Secret Management
5. Examples Directory:
- Created web/docs/examples/ for configuration examples
- Moved ExternalSecret examples with multiple providers:
* AWS Secrets Manager
* HashiCorp Vault
* Azure Key Vault
* GCP Secret Manager
All documentation now integrated into MkDocs site with proper
navigation, cross-references, and Material theme styling.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Enhanced secret management for API7 Gateway credentials with support
for existing Secrets and External Secrets Operator integration.
Changes:
1. Secret Configuration:
- Added api7.gateway.existingSecret parameter for using existing secrets
- Added api7.gateway.existingSecretKeys for custom key names
- Modified secret-api7.yaml to only create secret if existingSecret is empty
- Updated job-adc-sync.yaml to reference configurable secret name
2. Values.yaml Documentation:
- Added comprehensive documentation for secret configuration options
- Documented two approaches: inline config (dev) vs existing secret (prod)
- Added example kubectl command for creating secrets manually
- Included instructions for obtaining admin key from API7 EE
3. External Secrets Support:
- Created externalsecret-api7.yaml.example with complete examples
- Included examples for AWS Secrets Manager and HashiCorp Vault
- Documented SecretStore configuration patterns
4. Documentation:
- Created SECRET-MANAGEMENT.md comprehensive guide
- Covered all secret management options (inline, manual, external)
- Added security best practices and troubleshooting guide
- Included examples for External Secrets Operator setup
Benefits:
- Improved security: Secrets not stored in values.yaml
- Flexibility: Support for any secret management tool
- Production-ready: Works with External Secrets Operator
- Better practices: Clear separation of config vs secrets
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Enhanced values.yaml with comprehensive documentation and better organization:
Documentation improvements:
- Added detailed inline comments for all API7 Gateway configuration sections
- Documented Ingress routing behavior (gateway vs direct service routing)
- Explained Service Discovery benefits and requirements
- Added detailed plugin configuration documentation (rate limiting, CORS, auth)
- Included usage examples and production recommendations
Configuration enhancements:
- Added gateway.gatewayNamespace for better organization
- Added TLS certificate configuration options (duration, renewBefore, algorithm, size)
- Added ADC resource limits configuration
- Improved CORS and rate limiting documentation with parameter explanations
- Added consumer/authentication documentation
Template updates:
- Updated certificate.yaml to use configurable TLS parameters
- Updated job-adc-sync.yaml to use configurable ADC resources
The values.yaml now serves as comprehensive documentation for all
API7 Gateway features and configuration options, making it easier
for users to understand and customize their deployment.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Configured API7 Gateway to use Kubernetes Service Discovery instead of
static upstream nodes. This enables dynamic discovery of backend Pods
through the Kubernetes API.
Benefits:
- Automatic scaling: New Pods are automatically added to upstream pool
- Health checks: Only healthy Pods receive traffic
- Zero downtime: Automatic updates during deployments and rollouts
- No manual upstream configuration needed
Changes:
- Updated configmap-adc.yaml to use discovery_type: kubernetes
- Service discovery queries Kubernetes API for Pod endpoints
- Falls back to static nodes if serviceDiscovery.enabled is false
- Added documentation in values.yaml explaining the feature
The RBAC permissions (services, endpoints watch) were already configured
in rbac-adc.yaml, so no additional permissions are needed.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Modified Ingress configuration to route all traffic through the API7
Gateway (gateway-0-1759393614-gateway) instead of directly to application
services. This enables API7's advanced routing, rate limiting, CORS, and
other gateway features.
Changes:
- Updated ingress.yaml template to support gateway backend routing
- Modified values.yaml to route traffic to API7 Gateway service
- Disabled web and api services (now optional) as routing is handled by API7
- Removed nginx.ingress.kubernetes.io/rewrite-target annotation
- Maintained backward compatibility with legacy service-based routing
The Ingress now directs traffic to the API7 Gateway which handles all
routing logic defined in the ADC configuration.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Made the global_rules section conditional on logging being enabled.
Previously, when logging was disabled, global_rules was rendered as
an empty object (null), causing a lint error:
"Invalid input: expected record, received null at global_rules"
Now the entire global_rules section is only included when there are
actual rules to add.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Removed the prometheus-metrics global rule configuration which was
causing "custom plugin (prometheus-metrics) not found" error.
API7 Enterprise doesn't support prometheus as a global rule plugin
in this configuration format. Prometheus metrics can be configured
differently if needed.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Changed CORS plugin array values to comma-separated strings:
- allow_origins: from JSON array to comma-separated string
- allow_methods: from JSON array to comma-separated string
- allow_headers: from JSON array to comma-separated string
- expose_headers: from JSON array to comma-separated string
API7 Enterprise expects string values with comma-separated items,
not JSON arrays. This fixes the validation error:
"Invalid type. Expected: string, given: array"
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Changed adminUrl to use HTTPS instead of HTTP:
- Before: http://api7ee3-0-1759339083-dashboard:7080
- After: https://api7ee3-0-1759339083-dashboard:7443
Also enabled tlsSkipVerify for the dashboard's self-signed certificate.
Testing revealed that:
- Port 7080 HTTP doesn't work (pod listens on 7081 localhost only)
- Port 7443 HTTPS is the correct admin API endpoint
- Self-signed certificate requires TLS verification skip
This fixes the ADC sync job 404 errors.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Added conditional --tls-skip-verify flag to ADC sync job arguments.
This flag is controlled by .Values.api7.adc.tlsSkipVerify and allows
ADC to connect to API7 Enterprise dashboard with self-signed certificates.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Changed adminUrl from dp-manager:7900 to dashboard:7080 for API7
Enterprise backend. The dp-manager service is for APISIX, while
API7EE requires the dashboard service which exposes the admin API.
This fixes the 404 errors when ADC tries to fetch configuration:
- GET /api/version
- GET /api/gateway_groups
- GET /api/schema/core
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Changed global_rules from array format (- id: name) to object format
(name:) to match ADC schema requirements. This fixes the lint error:
"Invalid input: expected record, received array at global_rules"
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Added OpenAI-compatible LLM endpoints to API backend
- Introduced web frontend with Jinja2 templates and static assets
- Implemented API proxy routes in web service
- Added sample db.json data for items, users, orders, reviews, categories, llm_requests
- Updated ADC and Helm configs for separate AI and standard rate limiting
- Upgraded FastAPI, Uvicorn, and added httpx, Jinja2, python-multipart dependencies
- Added API configuration modal and client-side JS for web app
- vars.PACKAGES_REGISTRY contains only the domain (e.g., git.commandware.com)
- Added https:// prefix to all registry URLs
- Fixed curl command to properly construct the API endpoint URL
- Use vars.PACKAGES_REGISTRY with fallback to gitea.server_url
- Consistent with build.yml pattern for registry URLs
- Fixed curl command URL construction issue
- Applied same pattern to all registry references in the workflow
- Removed tag-based triggers and release creation
- Renamed workflow from helm-release.yml to helm-build.yml
- Simplified to always build and publish on main branch push
- Version always comes from Chart.yaml (no modifications)
- Removed all release-related logic and conditions
- Kept PR linting for validation
- Cleaner and simpler workflow focused on continuous delivery
- Updated README to reflect the new workflow structure
- Removed automatic version generation from tags or timestamps
- Always use version directly from Chart.yaml (single source of truth)
- Tag triggers now only determine if it's a release (not version)
- Release is triggered when tag matches Chart.yaml version
- Manual dispatch version is now for validation only
- Removed version modification during packaging
- Simplified packaging process to use Chart's own version
- Removed --devel flag as all versions are now stable
- Better separation: version managed in Chart.yaml, release triggered by tags
- Removed build-helm job from build.yml (Docker builds only now)
- Created comprehensive helm-release.yml that handles:
- Development builds on main branch pushes (with dev suffix)
- Release builds on version tags (v*.*.*)
- Manual releases via workflow_dispatch
- PR linting without publishing
- Added intelligent version detection:
- Development versions get timestamp suffix
- Release versions use clean semver
- Manual dispatch can specify custom version
- Improved release process with proper Gitea API integration
- Added conditional release creation only for tagged versions
- Updated README to document the new workflow structure
- Separated concerns: build.yml for Docker, helm-release.yml for Helm
- Changed chart name from api7ee to api7ee-demo-k8s in Chart.yaml
- Renamed helm/api7ee directory to helm/api7ee-demo-k8s
- Updated all references in build.yml workflow
- Updated all references in helm-release.yml workflow
- Updated main README.md with new chart name
- Updated Helm chart README with new chart name
- Verified all old references have been replaced
- Chart packages correctly as api7ee-demo-k8s-{version}.tgz
- Removed unnecessary helm dependency update (no dependencies defined)
- Modified packaging to use a temporary copy of the chart
- This prevents sed modifications from affecting the lint step
- Ensures Chart.yaml version field remains intact
- Added debug output for chart version verification