Enhanced secret management for API7 Gateway credentials with support for existing Secrets and External Secrets Operator integration. Changes: 1. Secret Configuration: - Added api7.gateway.existingSecret parameter for using existing secrets - Added api7.gateway.existingSecretKeys for custom key names - Modified secret-api7.yaml to only create secret if existingSecret is empty - Updated job-adc-sync.yaml to reference configurable secret name 2. Values.yaml Documentation: - Added comprehensive documentation for secret configuration options - Documented two approaches: inline config (dev) vs existing secret (prod) - Added example kubectl command for creating secrets manually - Included instructions for obtaining admin key from API7 EE 3. External Secrets Support: - Created externalsecret-api7.yaml.example with complete examples - Included examples for AWS Secrets Manager and HashiCorp Vault - Documented SecretStore configuration patterns 4. Documentation: - Created SECRET-MANAGEMENT.md comprehensive guide - Covered all secret management options (inline, manual, external) - Added security best practices and troubleshooting guide - Included examples for External Secrets Operator setup Benefits: - Improved security: Secrets not stored in values.yaml - Flexibility: Support for any secret management tool - Production-ready: Works with External Secrets Operator - Better practices: Clear separation of config vs secrets 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
# Default values for api7ee.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
#
# NOTE(review): this file is committed to version control. Keep credentials
# out of it; supply them through an untracked override file (-f) or an existing
# Secret (see api7.gateway.existingSecret further down).

global:
  # Global image registry to use for all images
  # Presumably takes precedence over the per-component image.registry values
  # when non-empty -- confirm against the templates.
  imageRegistry: ""
  # Image pull secrets for all images
  # Names of existing kubernetes.io/dockerconfigjson Secrets in the release
  # namespace; the Secrets themselves are not created by this chart.
  imagePullSecrets: []

# Configuration for the Web component
web:
  enabled: false # Disabled when using API7 Gateway routing
  replicaCount: 2

  image:
    registry: gitea.server_url # Will be replaced with actual Gitea URL
    repository: gitea.repository/web # Will be replaced with actual repository path
    pullPolicy: IfNotPresent
    # "main" is a mutable branch tag. Combined with IfNotPresent, nodes can
    # keep running whatever build they cached, and a rollout will not pick up a
    # newly pushed image. Pin a release tag or a digest for reproducible,
    # auditable deployments.
    tag: "main" # Override with specific version

  service:
    type: ClusterIP
    port: 8000
    targetPort: 8000
    annotations: {}

  resources:
    limits:
      cpu: 500m
      memory: 512Mi
    requests:
      cpu: 250m
      memory: 256Mi

  autoscaling:
    enabled: false
    minReplicas: 2
    maxReplicas: 10
    targetCPUUtilizationPercentage: 80
    targetMemoryUtilizationPercentage: 80

  nodeSelector: {}
  tolerations: []
  affinity: {}

  # Additional environment variables
  # Plain `value` entries end up in this file and in the Helm release record;
  # reference secrets with valueFrom.secretKeyRef instead of literal values
  # (assuming the template passes these entries through unchanged -- confirm).
  env: []

  # Liveness and readiness probes
  # Both probes hit /docs on the container port named "http"; the path only
  # proves the process answers HTTP, not that downstream dependencies are up.
  healthProbes:
    enabled: true # Set to false to disable both probes
    livenessProbe:
      enabled: true # Set to false to disable liveness probe
      httpGet:
        path: /docs
        port: http
      initialDelaySeconds: 30
      periodSeconds: 10

    readinessProbe:
      enabled: true # Set to false to disable readiness probe
      httpGet:
        path: /docs
        port: http
      initialDelaySeconds: 10
      periodSeconds: 5

# Configuration for the API component
api:
  enabled: false # Disabled when using API7 Gateway routing
  replicaCount: 3

  image:
    registry: gitea.server_url # Will be replaced with actual Gitea URL
    repository: gitea.repository/api # Will be replaced with actual repository path
    pullPolicy: IfNotPresent
    # "main" is a mutable branch tag; with IfNotPresent different nodes may
    # run different builds and a rollout will not fetch a newer push. Pin a
    # release tag or digest for production.
    tag: "main" # Override with specific version

  service:
    type: ClusterIP
    port: 8080
    targetPort: 8080
    annotations: {}

  resources:
    limits:
      cpu: 1000m
      memory: 1Gi
    requests:
      cpu: 500m
      memory: 512Mi

  autoscaling:
    enabled: true
    minReplicas: 3
    maxReplicas: 20
    targetCPUUtilizationPercentage: 70
    targetMemoryUtilizationPercentage: 75

  nodeSelector: {}
  tolerations: []
  affinity: {}

  # Additional environment variables
  # Use valueFrom.secretKeyRef for anything sensitive; literal `value` entries
  # are stored in this file and in the Helm release record.
  env:
    - name: LOG_LEVEL
      value: "info"

  # Liveness and readiness probes
  # Liveness uses /health, readiness uses /ready, both on the container port
  # named "http".
  healthProbes:
    enabled: true # Set to false to disable both probes
    livenessProbe:
      enabled: true # Set to false to disable liveness probe
      httpGet:
        path: /health
        port: http
      initialDelaySeconds: 30
      periodSeconds: 10

    readinessProbe:
      enabled: true # Set to false to disable readiness probe
      httpGet:
        path: /ready
        port: http
      initialDelaySeconds: 10
      periodSeconds: 5

# Ingress Configuration
# Routes external traffic to the API7 Gateway, which then applies routing rules,
# plugins (rate limiting, CORS, authentication), and forwards to backend services
#
# Security notes:
# - TLS from the client terminates at the Ingress controller. The hop from the
#   controller to the gateway below uses port 80, i.e. plain HTTP inside the
#   cluster; use 443 (and the controller's backend-protocol setting) if
#   end-to-end TLS is required.
# - The commented "direct service routing" paths bypass the gateway and
#   therefore every plugin listed above, including authentication and rate
#   limiting. Do not enable them for an internet-facing host.
ingress:
  enabled: true
  className: "nginx" # Ingress controller class (nginx, traefik, etc.)

  annotations:
    cert-manager.io/cluster-issuer: "cloudflare-acme-prod"
    # Add custom annotations as needed:
    # nginx.ingress.kubernetes.io/proxy-body-size: "10m"
    # nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"

  # Gateway routing configuration
  # All traffic is routed through API7 Gateway for advanced features:
  # - Dynamic routing based on ADC configuration
  # - Rate limiting (standard and AI-based)
  # - CORS policies
  # - Authentication/Authorization
  # - Request/Response transformation
  hosts:
    - host: commandware.it
      paths:
        - path: /
          pathType: Prefix
          # Route to API7 Gateway (recommended for production)
          # A Kubernetes Ingress cannot reference a Service in another
          # namespace directly; `namespace` here presumably drives a chart
          # template (e.g. an ExternalName Service) -- confirm before
          # pointing it at a namespace other than the release's.
          gateway:
            serviceName: gateway-0-1759393614-gateway # API7 Gateway service name
            port: 80 # Gateway HTTP port (443 for HTTPS)
            namespace: api7ee # Gateway service namespace

        # Direct service routing (legacy, not recommended)
        # Only use this if you need to bypass API7 Gateway
        # - path: /
        #   pathType: Prefix
        #   service: web # Routes directly to web service
        # - path: /api
        #   pathType: Prefix
        #   service: api # Routes directly to API service

  # TLS/SSL Configuration
  # The Secret is provisioned by cert-manager via the cluster-issuer annotation
  # above; the hosts list must match the Ingress hosts.
  tls:
    - secretName: api7ee-tls # Certificate secret name (created by cert-manager)
      hosts:
        - commandware.it

# ServiceAccount configuration
# When create is true the chart creates the ServiceAccount; `name` overrides
# the generated name and, with create: false, names a pre-existing account.
# Annotations are typically used for cloud identity bindings (IRSA, Workload
# Identity) -- grant only the permissions the pods actually need.
serviceAccount:
  create: true
  annotations: {}
  name: ""

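# Pod Security Context
# Pod-level settings: run as an unprivileged UID, make mounted volumes
# group-accessible to that UID, and apply the runtime's default seccomp
# profile. Together with the container securityContext below this matches the
# "restricted" Pod Security Standard. Which workloads receive this context
# (web/api only, or the ADC sync job too) depends on the templates -- confirm.
podSecurityContext:
  runAsNonRoot: true
  runAsUser: 1000
  fsGroup: 1000
  # Restricts the syscalls available to all containers in the pod.
  # Requires Kubernetes >= 1.19.
  seccompProfile:
    type: RuntimeDefault
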
# Security Context for containers
# Container-level hardening: no privilege escalation, no Linux capabilities,
# read-only root filesystem, non-root UID 1000. readOnlyRootFilesystem means
# any path the application writes to (tmp, cache) must be backed by a volume
# such as an emptyDir.
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 1000

# Network Policies
# Disabled by default: pods can reach, and be reached by, anything in the
# cluster. When enabling with both policy types, remember that empty ingress
# and egress lists deny all traffic -- add rules for DNS egress, the gateway
# -> backend path and any external dependencies before turning this on.
networkPolicy:
  enabled: false
  policyTypes:
    - Ingress
    - Egress
  ingress: []
  egress: []

# Pod Disruption Budget
# minAvailable: 1 keeps at least one pod up during voluntary disruptions
# (node drains). With a single replica this blocks drains entirely; use
# maxUnavailable instead of minAvailable in that case.
podDisruptionBudget:
  enabled: true
  minAvailable: 1
  # maxUnavailable: 1

# Monitoring and metrics
# serviceMonitor requires the Prometheus Operator CRDs to be installed; the
# /metrics path is scraped in-cluster and should not be exposed through the
# Ingress.
metrics:
  enabled: false
  serviceMonitor:
    enabled: false
    interval: 30s
    path: /metrics
    labels: {}

# ConfigMap for shared configuration
# ConfigMaps are world-readable to anyone with read access in the namespace
# and are not encrypted at rest; never put credentials here -- use `secrets`
# below or api7.gateway.existingSecret.
configMap:
  data: {}

# Secrets for sensitive data
# When create is true, `data` is rendered into a Kubernetes Secret. Anything
# placed here is also stored in this values file and in the Helm release
# record, so populate it only from an untracked override file or --set, and
# prefer an externally managed Secret for production.
secrets:
  create: false
  data: {}

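# ============================================================================
# API7 Gateway Configuration
# ============================================================================
# API7 Enterprise provides advanced API Gateway features including:
# - Dynamic routing with service discovery
# - Rate limiting (standard and AI-based for LLM endpoints)
# - CORS policies
# - Authentication/Authorization
# - Request/Response transformation
# - Observability and metrics
api7:
  enabled: true # Enable API7 ADC (API Declarative Configuration) sync

  # ADC Container Settings
  # ADC syncs declarative configuration from ConfigMap to API7 Gateway
  adc:
    # Supply-chain note: "latest" is a mutable tag. Pin a released version
    # (ghcr.io/api7/adc:<version>) or a digest (@sha256:...) so every run uses
    # the same auditable build; with IfNotPresent a mutable tag can leave
    # nodes on different images indefinitely.
    image: ghcr.io/api7/adc:latest # ADC container image
    imagePullPolicy: IfNotPresent
    # Verbose output goes to the sync job's logs. If those logs are shipped to
    # a shared system, be aware they may include the rendered configuration.
    verbose: true # Enable verbose logging for debugging
    # TLS verification of the dashboard admin API (api7.gateway.adminUrl).
    # The admin key travels over this connection, so skipping verification
    # lets anyone who can intercept in-cluster traffic capture it. The default
    # is to verify. Set to true ONLY for local development against a dashboard
    # that still uses its self-signed certificate; for production, issue the
    # dashboard a certificate from a CA the ADC job trusts instead.
    tlsSkipVerify: false
    # Resources for ADC sync job
    resources:
      limits:
        cpu: 500m
        memory: 256Mi
      requests:
        cpu: 100m
        memory: 128Mi

  # API7 Gateway Connection Settings
  gateway:
    # ========================================================================
    # Secret Configuration
    # ========================================================================
    # Option 1: Use existing Secret (recommended for production)
    # Provide the name of an existing Kubernetes Secret containing credentials.
    # This is useful when using External Secrets Operator, Sealed Secrets,
    # or manually managed secrets for better security.
    #
    # The secret must contain these keys (or customize with existingSecretKeys):
    # - admin-url: Dashboard admin API URL
    # - admin-key: Dashboard admin API key
    # - gateway-group: Gateway group name
    #
    # Example: Create secret manually:
    # kubectl create secret generic api7-credentials \
    #   --from-literal=admin-url=https://api7ee3-0-1759339083-dashboard:7443 \
    #   --from-literal=admin-key=YOUR_ADMIN_KEY \
    #   --from-literal=gateway-group=default \
    #   -n api7ee
    #
    # Caveats for the manual path:
    # - --from-literal leaves the admin key in your shell history; prefer
    #   --from-file=admin-key=/path/to/keyfile (mode 0600) or an operator.
    # - A Kubernetes Secret is base64-encoded, not encrypted. Restrict who can
    #   get/list Secrets in this namespace and enable encryption at rest.
    # - After rotating the admin key in the dashboard, update this Secret and
    #   re-run the ADC sync job.
    existingSecret: "" # Name of existing secret (leave empty to create new secret)

    # Custom key names for existing secret (optional)
    # Only needed if your existing secret uses different key names
    existingSecretKeys:
      adminUrl: admin-url # Key name for admin URL
      adminKey: admin-key # Key name for admin key
      group: gateway-group # Key name for gateway group

    # ========================================================================
    # Option 2: Inline Configuration (for development only)
    # ========================================================================
    # When existingSecret is empty, a Secret will be created with these values.
    # NOT RECOMMENDED for production - use existingSecret instead!
    # Values set here are also stored in the Helm release record and in every
    # copy of this file, so never commit a real adminKey.

    # Dashboard Admin API URL (HTTPS required for API7 Enterprise)
    # The dashboard service exposes the admin API on port 7443
    adminUrl: https://api7ee3-0-1759339083-dashboard:7443

    # Admin API key (CHANGE THIS IN PRODUCTION!)
    # Obtain from: kubectl get secret -n api7ee api7ee3-0-1759339083 -o jsonpath='{.data.admin_key}' | base64 -d
    # Pass it at install time from an untracked values file (-f) rather than
    # editing this file; --set works too but also lands in shell history.
    adminKey: ""

    # Gateway group name (logical grouping of gateway instances)
    group: default

    # ========================================================================
    # Gateway Service Configuration
    # ========================================================================
    # Gateway service name (for traffic routing)
    # This is the Kubernetes service that routes traffic to APISIX data plane
    # Must match ingress.hosts[].paths[].gateway.serviceName/namespace above.
    gatewayService: gateway-0-1759393614-gateway
    gatewayNamespace: api7ee # Gateway service namespace

    # Backend Type
    # - api7ee: API7 Enterprise (includes all enterprise features)
    # - apisix: Open source APISIX (limited features)
    backend: api7ee

    # Auto-publish Routes
    # When true, routes are automatically published after ADC sync
    # When false, routes must be manually published via dashboard
    # true means every successful sync goes live immediately with no review
    # step; set false where route changes are subject to change control.
    autoPublish: true

    # Domain Hosts
    # List of domains that API7 Gateway will handle
    # Must match Ingress hosts for proper routing
    hosts:
      - commandware.it

    # TLS/SSL Configuration
    tls:
      enabled: true # Enable HTTPS for API7 Gateway

      # Option 1: Use cert-manager (Recommended)
      # Automatically provisions and renews certificates
      certManager:
        enabled: true
        issuer: cloudflare-acme-prod # ClusterIssuer/Issuer name
        issuerKind: ClusterIssuer # ClusterIssuer or Issuer

        # Private key settings
        privateKey:
          # Always: a fresh key pair on every renewal, so a leaked key is only
          # useful for one certificate lifetime.
          rotationPolicy: Always # Always or Never (cert-manager >= v1.18.0)
          algorithm: RSA # RSA or ECDSA
          # 2048 is the minimum acceptable RSA size; ECDSA P-256 is a smaller,
          # faster alternative with equivalent strength.
          size: 2048 # Key size in bits

        # Certificate lifetime
        duration: 2160h # 90 days
        renewBefore: 720h # Renew 30 days before expiry

      # Option 2: Use existing TLS secret
      # Name of a kubernetes.io/tls Secret. Presumably also the Secret
      # cert-manager writes to when certManager is enabled -- confirm in the
      # templates before reusing a name.
      secretName: "" # Leave empty to auto-generate name

      # Option 3: Provide certificates directly (NOT recommended for production)
      # The PEM private key would live in this file and in the Helm release
      # record; use Option 1 or 2 instead.
      certificate: ""
      key: ""

  # ============================================================================
  # Service Discovery Configuration
  # ============================================================================
  # When enabled, API7 Gateway dynamically discovers backend Pods through
  # Kubernetes API instead of using static upstream node configuration.
  #
  # Benefits:
  # - Automatic scaling: New Pods are automatically added to upstream pool
  # - Health checks: Only healthy/ready Pods receive traffic
  # - Zero downtime: Seamless updates during deployments and rollouts
  # - No manual configuration: Eliminates need to specify Pod IPs/hostnames
  #
  # Requirements:
  # - RBAC permissions for services, endpoints (already configured in rbac-adc.yaml)
  #   Keep that Role scoped to the namespace below (list/watch on services and
  #   endpoints only); it should not need cluster-wide or write permissions.
  # - Service must exist in Kubernetes
  serviceDiscovery:
    enabled: true # Enable Kubernetes service discovery
    namespace: "" # Leave empty to use release namespace

  # ============================================================================
  # API7 Plugins Configuration
  # ============================================================================
  # Plugins provide advanced features like rate limiting, CORS, auth, etc.
  # Each plugin can be enabled/disabled and configured independently

  plugins:
    # Standard Rate Limiting
    # Applied to /api routes (except /api/llm)
    # Limits requests per IP address
    # NOTE(review): traffic reaches the gateway through the Ingress controller
    # (see ingress.hosts[].paths[].gateway), so remote_addr as seen by the
    # gateway may be the controller's address rather than the client's. Unless
    # the real client IP is restored (trusted-proxy / real-ip handling), all
    # clients would share one bucket. Verify with requests from two hosts.
    rateLimit:
      enabled: true
      count: 100 # Max requests per time window
      timeWindow: 60 # Time window in seconds
      rejectedCode: 429 # HTTP status code for rejected requests
      keyType: "var" # Key type: "var", "var_combination", "constant"
      key: "remote_addr" # Variable name for key (client IP)

    # AI Rate Limiting
    # Applied to /api/llm routes
    # Specialized rate limiting for LLM/AI endpoints based on token usage
    aiRateLimit:
      enabled: true
      limit: 100 # Max tokens per time window
      timeWindow: 60 # Time window in seconds
      rejectedCode: 429 # HTTP status code
      limitStrategy: "total_tokens" # Strategy: "total_tokens", "input_tokens", "output_tokens"

    # CORS (Cross-Origin Resource Sharing)
    # Enables browser-based applications to access the API
    # The "*" wildcards are tolerable only while allowCredentials stays false:
    # browsers refuse a wildcard origin on credentialed requests, and a
    # wildcard paired with allowCredentials: true is not a safe combination.
    # Replace allowOrigins with the explicit list of your front-end origins in
    # production.
    cors:
      enabled: true
      allowOrigins: ["*"] # Allowed origins (use specific domains in production)
      allowMethods: ["GET", "POST", "PUT", "DELETE", "OPTIONS", "HEAD", "PATCH"]
      allowHeaders: ["*"] # Allowed headers
      exposeHeaders: ["*"] # Headers exposed to browser
      maxAge: 3600 # Preflight cache duration (seconds)
      allowCredentials: false # Allow credentials (cookies, auth headers)

    # Authentication
    # Key-based authentication for API access
    # Off by default: the API routes accept requests without credentials until
    # this is enabled and consumers are defined below.
    auth:
      enabled: false # Enable to require API keys
      header: X-API-Key # Header name for API key

    # Prometheus Metrics
    # Exposes metrics for monitoring and observability
    prometheus:
      enabled: true
      # Metrics endpoint: http://<gateway>:9091/apisix/prometheus/metrics
      # Scrape port 9091 from inside the cluster; do not route it through the
      # public Ingress.

    # Request Logging
    # Sends request logs to external logging service
    logging:
      enabled: false # Enable to send logs to external service
      # Plain-HTTP endpoint: request logs can carry client IPs, paths and
      # headers, so keep this in-cluster or switch to an https endpoint.
      endpoint: http://logging-service:8080/logs # Logging service URL
      batchMaxSize: 1000 # Max batch size before sending
      inactiveTimeout: 5 # Max wait time (seconds) before sending batch

  # ============================================================================
  # API Consumers
  # ============================================================================
  # Consumers represent API clients with authentication credentials
  # Used with auth plugin (when auth.enabled: true)
  #
  # No consumers are shipped by default: an API key is a credential and must
  # not live in a values.yaml that is committed to version control. Supply
  # consumers from an untracked override file (helm ... -f consumers.yaml).
  # Since ADC reads its configuration from a ConfigMap (see adc above), keys
  # listed here presumably end up in that ConfigMap in plain text -- restrict
  # ConfigMap read access in the release namespace accordingly.
  #
  # Example (generate keys with e.g. `openssl rand -hex 32`):
  # consumers:
  #   - username: demo-user
  #     apiKey: <generated-key>
  consumers: []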