---
# Default values for api7ee.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
#
# NOTE(review): the original file had its indentation collapsed; the nesting
# below is reconstructed from the section headers. Confirm that the top-level
# keys `serviceDiscovery`, `plugins` and `consumers` match the paths the
# chart templates read (`.Values.serviceDiscovery`, ...).

global:
  # Registry prepended to every image reference; empty means none.
  imageRegistry: ""
  # imagePullSecrets applied to every pod.
  imagePullSecrets: []

# ----------------------------------------------------------------------------
# Web component
# ----------------------------------------------------------------------------
web:
  enabled: false  # Off by default: traffic is routed through API7 Gateway
  replicaCount: 2
  image:
    registry: gitea.server_url  # Placeholder, substituted with the real Gitea URL
    repository: gitea.repository/web  # Placeholder, substituted with the real repository path
    pullPolicy: IfNotPresent
    tag: "main"  # Override with a pinned version for reproducible deploys
  service:
    type: ClusterIP
    port: 8000
    targetPort: 8000
    annotations: {}
  resources:
    limits:
      cpu: 500m
      memory: 512Mi
    requests:
      cpu: 250m
      memory: 256Mi
  autoscaling:
    enabled: false
    minReplicas: 2
    maxReplicas: 10
    targetCPUUtilizationPercentage: 80
    targetMemoryUtilizationPercentage: 80
  nodeSelector: {}
  tolerations: []
  affinity: {}
  # Extra environment variables for the web container.
  env: []
  # Liveness / readiness probes.
  healthProbes:
    enabled: true  # false disables both probes
    livenessProbe:
      enabled: true  # false disables only the liveness probe
      httpGet:
        path: /docs
        port: http
      initialDelaySeconds: 30
      periodSeconds: 10
    readinessProbe:
      enabled: true  # false disables only the readiness probe
      httpGet:
        path: /docs
        port: http
      initialDelaySeconds: 10
      periodSeconds: 5

# ----------------------------------------------------------------------------
# API component
# ----------------------------------------------------------------------------
api:
  enabled: false  # Off by default: traffic is routed through API7 Gateway
  replicaCount: 3
  image:
    registry: gitea.server_url  # Placeholder, substituted with the real Gitea URL
    repository: gitea.repository/api  # Placeholder, substituted with the real repository path
    pullPolicy: IfNotPresent
    tag: "main"  # Override with a pinned version for reproducible deploys
  service:
    type: ClusterIP
    port: 8080
    targetPort: 8080
    annotations: {}
  resources:
    limits:
      cpu: 1000m
      memory: 1Gi
    requests:
      cpu: 500m
      memory: 512Mi
  autoscaling:
    enabled: true
    minReplicas: 3
    maxReplicas: 20
    targetCPUUtilizationPercentage: 70
    targetMemoryUtilizationPercentage: 75
  nodeSelector: {}
  tolerations: []
  affinity: {}
  # Extra environment variables for the API container.
  env:
    - name: LOG_LEVEL
      value: "info"
  # Liveness / readiness probes.
  healthProbes:
    enabled: true  # false disables both probes
    livenessProbe:
      enabled: true  # false disables only the liveness probe
      httpGet:
        path: /health
        port: http
      initialDelaySeconds: 30
      periodSeconds: 10
    readinessProbe:
      enabled: true  # false disables only the readiness probe
      httpGet:
        path: /ready
        port: http
      initialDelaySeconds: 10
      periodSeconds: 5

# ----------------------------------------------------------------------------
# Ingress
# ----------------------------------------------------------------------------
# External traffic enters here and is handed to the API7 Gateway, which applies
# routing rules and plugins (rate limiting, CORS, authentication) before
# forwarding to the backend services.
ingress:
  enabled: true
  className: "nginx"  # Ingress controller class (nginx, traefik, ...)
  annotations:
    cert-manager.io/cluster-issuer: "cloudflare-acme-prod"
    # Further annotations can be added here, e.g.:
    # nginx.ingress.kubernetes.io/proxy-body-size: "10m"
    # nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"
  # Everything is routed through API7 Gateway to get:
  # - dynamic routing driven by the ADC configuration
  # - rate limiting (standard and AI/token based)
  # - CORS policies
  # - authentication / authorization
  # - request / response transformation
  hosts:
    - host: commandware.it
      paths:
        # Recommended: send the path to the API7 Gateway service.
        - path: /
          pathType: Prefix
          gateway:
            serviceName: gateway-0-1759393614-gateway  # API7 Gateway service name
            port: 80  # Gateway HTTP port (443 for HTTPS)
            namespace: api7ee  # Namespace of the gateway service
        # Legacy: route straight to a workload service, bypassing the gateway
        # (and therefore bypassing its plugins). Not recommended.
        # - path: /
        #   pathType: Prefix
        #   service: web
        # - path: /api
        #   pathType: Prefix
        #   service: api
  # TLS termination at the ingress.
  tls:
    - secretName: api7ee-tls  # Secret populated by cert-manager
      hosts:
        - commandware.it

# ----------------------------------------------------------------------------
# ServiceAccount
# ----------------------------------------------------------------------------
serviceAccount:
  create: true
  annotations: {}
  name: ""  # Empty: a name is generated

# Pod-level security context.
podSecurityContext:
  runAsNonRoot: true
  runAsUser: 1000
  fsGroup: 1000

# Container-level security context.
# NOTE(review): no seccompProfile is set here; check whether the templates add
# one (RuntimeDefault) so the restricted Pod Security Standard is satisfied.
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 1000

# NetworkPolicy.
# NOTE(review): disabled by default, so the pods accept connections from any
# namespace and may reach anything; enable and populate ingress/egress for
# production namespaces.
networkPolicy:
  enabled: false
  policyTypes:
    - Ingress
    - Egress
  ingress: []
  egress: []

# PodDisruptionBudget.
podDisruptionBudget:
  enabled: true
  minAvailable: 1
  # maxUnavailable: 1

# Metrics / Prometheus Operator integration.
metrics:
  enabled: false
  serviceMonitor:
    enabled: false
    interval: 30s
    path: /metrics
    labels: {}

# Shared, non-sensitive configuration rendered into a ConfigMap.
configMap:
  data: {}

# Sensitive data rendered into a Secret.
# NOTE(review): values placed here end up in version control; prefer an
# externally managed Secret.
secrets:
  create: false
  data: {}

# ============================================================================
# API7 Gateway Configuration
# ============================================================================
# API7 Enterprise adds gateway features on top of APISIX:
# - dynamic routing with service discovery
# - rate limiting (standard, plus AI/token based for LLM endpoints)
# - CORS policies
# - authentication / authorization
# - request / response transformation
# - observability and metrics
api7:
  enabled: true  # Turns on the ADC (API Declarative Configuration) sync

  # ADC container: pushes the declarative configuration from the ConfigMap to
  # the API7 Gateway.
  adc:
    # NOTE(review): `latest` is a mutable tag; pin a release tag or digest so
    # upgrades are deliberate and reproducible.
    image: ghcr.io/api7/adc:latest
    imagePullPolicy: IfNotPresent
    verbose: true  # Verbose ADC logging, useful while debugging sync issues
    # Disables certificate verification toward the dashboard admin API
    # (needed with a self-signed dashboard certificate).
    # NOTE(review): with verification off, an on-path attacker could
    # impersonate the dashboard and observe the admin key; prefer trusting the
    # dashboard CA and setting this to false in production.
    tlsSkipVerify: true
    # Resources for the ADC sync job.
    resources:
      limits:
        cpu: 500m
        memory: 256Mi
      requests:
        cpu: 100m
        memory: 128Mi

  # Connection settings for the API7 Gateway / dashboard.
  gateway:
    # ========================================================================
    # Secret Configuration
    # ========================================================================
    # Option 1 (recommended for production): reference an existing Kubernetes
    # Secret holding the credentials, e.g. one managed by External Secrets
    # Operator, Sealed Secrets, or created by hand.
    #
    # The Secret must provide these keys (names adjustable via
    # existingSecretKeys):
    # - admin-url: dashboard admin API URL
    # - admin-key: dashboard admin API key
    # - gateway-group: gateway group name
    #
    # Example, created manually:
    #   kubectl create secret generic api7-credentials \
    #     --from-literal=admin-url=https://api7ee3-0-1759339083-dashboard:7443 \
    #     --from-literal=admin-key=YOUR_ADMIN_KEY \
    #     --from-literal=gateway-group=default \
    #     -n api7ee
    existingSecret: ""  # Name of the existing Secret; empty creates a new one

    # Key names inside the existing Secret; only change them if your Secret
    # uses different names.
    existingSecretKeys:
      adminUrl: admin-url  # Key holding the admin URL
      adminKey: admin-key  # Key holding the admin key
      group: gateway-group  # Key holding the gateway group

    # ========================================================================
    # Option 2: Inline Configuration (development only)
    # ========================================================================
    # Used when existingSecret is empty: a Secret is created from these values.
    # NOT RECOMMENDED for production, because the values live in this file.

    # Dashboard admin API URL (HTTPS is required for API7 Enterprise); the
    # dashboard service exposes the admin API on port 7443.
    adminUrl: https://api7ee3-0-1759339083-dashboard:7443

    # Admin API key (CHANGE THIS IN PRODUCTION!)
    # Obtain from: kubectl get secret -n api7ee api7ee3-0-1759339083 -o jsonpath='{.data.admin_key}' | base64 -d
    adminKey: ""

    # Gateway group: a logical grouping of gateway instances.
    group: default

    # ========================================================================
    # Gateway Service Configuration
    # ========================================================================
    # Kubernetes Service that carries traffic to the APISIX data plane.
    gatewayService: gateway-0-1759393614-gateway
    gatewayNamespace: api7ee  # Namespace of that Service

    # Backend type:
    # - api7ee: API7 Enterprise (full feature set)
    # - apisix: open-source APISIX (reduced feature set)
    backend: api7ee

    # Auto-publish routes after an ADC sync. With false, routes have to be
    # published by hand in the dashboard.
    autoPublish: true

    # Hostnames served by the API7 Gateway; keep in sync with the ingress hosts.
    hosts:
      - commandware.it

    # TLS for the gateway listener.
    tls:
      enabled: true  # HTTPS on the API7 Gateway

      # Option 1 (recommended): cert-manager issues and renews the certificate.
      certManager:
        enabled: true
        issuer: cloudflare-acme-prod  # Name of the ClusterIssuer / Issuer
        issuerKind: ClusterIssuer  # ClusterIssuer or Issuer
        # Private key parameters.
        privateKey:
          rotationPolicy: Always  # Always or Never (cert-manager >= v1.18.0)
          algorithm: RSA  # RSA or ECDSA
          size: 2048  # Key size in bits
        # Certificate lifetime.
        duration: 2160h  # 90 days
        renewBefore: 720h  # Renew 30 days before expiry

      # Option 2: reuse an existing TLS Secret.
      secretName: ""  # Empty: the name is generated

      # Option 3: inline certificate material (NOT recommended for production,
      # since the private key would be committed with this file).
      certificate: ""
      key: ""

# ============================================================================
# Service Discovery Configuration
# ============================================================================
# With discovery enabled, the API7 Gateway looks up backend Pods through the
# Kubernetes API instead of relying on static upstream nodes.
#
# Benefits:
# - scaling: new Pods join the upstream pool automatically
# - health: only ready Pods receive traffic
# - zero downtime: rollouts are handled without manual changes
# - no Pod IPs or hostnames to maintain by hand
#
# Requirements:
# - RBAC for services and endpoints (see rbac-adc.yaml)
# - the target Service must exist in Kubernetes
serviceDiscovery:
  enabled: true  # Kubernetes service discovery on/off
  namespace: ""  # Empty: the release namespace is used

# ============================================================================
# API7 Plugins Configuration
# ============================================================================
# Each plugin is switched on/off and configured on its own.
plugins:
  # Standard rate limiting, applied to /api routes except /api/llm; counts
  # requests per client address.
  rateLimit:
    enabled: true
    count: 100  # Requests allowed per window
    timeWindow: 60  # Window length in seconds
    rejectedCode: 429  # Status returned once the limit is hit
    keyType: "var"  # "var", "var_combination" or "constant"
    key: "remote_addr"  # Variable used as the limiting key (client IP)

  # AI rate limiting, applied to /api/llm routes; limits by token usage rather
  # than request count.
  aiRateLimit:
    enabled: true
    limit: 100  # Tokens allowed per window
    timeWindow: 60  # Window length in seconds
    rejectedCode: 429  # Status returned once the limit is hit
    limitStrategy: "total_tokens"  # "total_tokens", "input_tokens" or "output_tokens"

  # CORS, so browser clients on other origins can call the API.
  # NOTE(review): keep allowCredentials false while allowOrigins is "*";
  # narrow allowOrigins to the real frontend origins in production.
  cors:
    enabled: true
    allowOrigins:
      - "*"
    allowMethods:
      - "GET"
      - "POST"
      - "PUT"
      - "DELETE"
      - "OPTIONS"
      - "HEAD"
      - "PATCH"
    allowHeaders:
      - "*"
    exposeHeaders:
      - "*"
    maxAge: 3600  # Preflight cache lifetime in seconds
    allowCredentials: false  # Cookies / auth headers not allowed cross-origin

  # Key-based authentication for API access.
  auth:
    enabled: false  # true requires an API key on every request
    header: X-API-Key  # Header carrying the API key

  # Prometheus metrics exported by the gateway.
  prometheus:
    enabled: true
    # Metrics endpoint: http://:9091/apisix/prometheus/metrics

  # Request logging to an external collector.
  logging:
    enabled: false
    endpoint: http://logging-service:8080/logs  # Collector URL
    batchMaxSize: 1000  # Entries buffered before a batch is sent
    inactiveTimeout: 5  # Seconds to wait before flushing a partial batch

# ============================================================================
# API Consumers
# ============================================================================
# Consumers are API clients with their credentials; used by the auth plugin
# when plugins.auth.enabled is true.
# NOTE(review): the keys below are published defaults that anyone with the
# chart can read. Replace or remove them before enabling auth, and prefer
# supplying real keys from a Secret rather than this file.
consumers:
  - username: demo-user
    apiKey: demo-key-12345  # Change in production!
  - username: admin
    apiKey: admin-key-67890  # Change in production!