Enhanced values.yaml with comprehensive documentation and better organization: Documentation improvements: - Added detailed inline comments for all API7 Gateway configuration sections - Documented Ingress routing behavior (gateway vs direct service routing) - Explained Service Discovery benefits and requirements - Added detailed plugin configuration documentation (rate limiting, CORS, auth) - Included usage examples and production recommendations Configuration enhancements: - Added gateway.gatewayNamespace for better organization - Added TLS certificate configuration options (duration, renewBefore, algorithm, size) - Added ADC resource limits configuration - Improved CORS and rate limiting documentation with parameter explanations - Added consumer/authentication documentation Template updates: - Updated certificate.yaml to use configurable TLS parameters - Updated job-adc-sync.yaml to use configurable ADC resources The values.yaml now serves as comprehensive documentation for all API7 Gateway features and configuration options, making it easier for users to understand and customize their deployment. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
# Default values for api7ee.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
#
# Anything that is a credential (api7.gateway.adminKey, consumers[].apiKey,
# secrets.data) should be supplied at install time (--set, an untracked values
# file, or an external secret store) and never committed here with a real value.

global:
  # Global image registry to use for all images
  # (presumably prepended to every image reference when non-empty -- check the
  # image helper template)
  imageRegistry: ""

  # Image pull secrets for all images
  # Names of existing Secrets in the release namespace; needed when the Gitea
  # registry used by web.image / api.image is private.
  imagePullSecrets: []
# Configuration for the Web component
# Disabled by default: with API7 Gateway routing (see ingress.hosts) the web
# service is not an Ingress backend. Enable it only for the legacy direct
# routing shown commented out under ingress.hosts.
web:
  enabled: false  # Disabled when using API7 Gateway routing
  replicaCount: 2

  image:
    registry: gitea.server_url  # Will be replaced with actual Gitea URL
    repository: gitea.repository/web  # Will be replaced with actual repository path
    pullPolicy: IfNotPresent
    # "main" is a moving branch tag. Combined with IfNotPresent each node keeps
    # whichever build it pulled first, so rollouts are not reproducible and a
    # stale image can linger after a fix is merged. Pin a release tag (or a
    # digest) for production.
    tag: "main"  # Override with specific version

  service:
    type: ClusterIP  # Cluster-internal only; external traffic enters via the Ingress
    port: 8000
    targetPort: 8000
    annotations: {}

  resources:
    limits:
      cpu: 500m
      memory: 512Mi
    requests:
      cpu: 250m
      memory: 256Mi

  autoscaling:
    enabled: false
    minReplicas: 2
    maxReplicas: 10
    targetCPUUtilizationPercentage: 80
    targetMemoryUtilizationPercentage: 80

  nodeSelector: {}
  tolerations: []
  affinity: {}

  # Additional environment variables (list of {name, value} entries, see api.env).
  # Values land in the Deployment manifest in clear text -- do not put secrets
  # here; use the secrets section (or secretKeyRef entries, if the template
  # passes them through).
  env: []

  # Liveness and readiness probes
  # Both probes GET /docs on the named container port "http", so /docs must be
  # served without authentication and must stay cheap: a failing liveness
  # probe restarts the container.
  healthProbes:
    enabled: true  # Set to false to disable both probes
    livenessProbe:
      enabled: true  # Set to false to disable liveness probe
      httpGet:
        path: /docs
        port: http
      initialDelaySeconds: 30
      periodSeconds: 10

    readinessProbe:
      enabled: true  # Set to false to disable readiness probe
      httpGet:
        path: /docs
        port: http
      initialDelaySeconds: 10
      periodSeconds: 5
# Configuration for the API component
# Disabled by default: with API7 Gateway routing (see ingress.hosts) the API
# service is not an Ingress backend. Enable it only for the legacy direct
# routing shown commented out under ingress.hosts.
api:
  enabled: false  # Disabled when using API7 Gateway routing
  # Initial replica count. When autoscaling.enabled is true the HPA owns the
  # count from then on (whether replicaCount is still rendered depends on the
  # deployment template -- check it).
  replicaCount: 3

  image:
    registry: gitea.server_url  # Will be replaced with actual Gitea URL
    repository: gitea.repository/api  # Will be replaced with actual repository path
    pullPolicy: IfNotPresent
    # "main" is a moving branch tag. Combined with IfNotPresent each node keeps
    # whichever build it pulled first, so rollouts are not reproducible. Pin a
    # release tag (or a digest) for production.
    tag: "main"  # Override with specific version

  service:
    type: ClusterIP  # Cluster-internal only; external traffic enters via the Ingress
    port: 8080
    targetPort: 8080
    annotations: {}

  resources:
    limits:
      cpu: 1000m
      memory: 1Gi
    requests:
      cpu: 500m
      memory: 512Mi

  autoscaling:
    enabled: true
    minReplicas: 3
    maxReplicas: 20
    targetCPUUtilizationPercentage: 70
    targetMemoryUtilizationPercentage: 75

  nodeSelector: {}
  tolerations: []
  affinity: {}

  # Additional environment variables
  # Values land in the Deployment manifest in clear text -- do not put secrets
  # here; use the secrets section instead. Keep LOG_LEVEL at "info" or above in
  # production so request payloads and headers are not written to logs.
  env:
    - name: LOG_LEVEL
      value: "info"

  # Liveness and readiness probes
  # /health and /ready must be reachable without authentication on the named
  # container port "http"; a failing liveness probe restarts the container.
  healthProbes:
    enabled: true  # Set to false to disable both probes
    livenessProbe:
      enabled: true  # Set to false to disable liveness probe
      httpGet:
        path: /health
        port: http
      initialDelaySeconds: 30
      periodSeconds: 10

    readinessProbe:
      enabled: true  # Set to false to disable readiness probe
      httpGet:
        path: /ready
        port: http
      initialDelaySeconds: 10
      periodSeconds: 5
# Ingress Configuration
# Routes external traffic to the API7 Gateway, which then applies routing rules,
# plugins (rate limiting, CORS, authentication), and forwards to backend services.
#
# Security notes:
# - TLS from the internet terminates at the ingress controller (tls: below,
#   certificate issued by cert-manager). The hop from the controller to the
#   gateway uses the plain HTTP port 80 configured under hosts[].gateway, so
#   that leg is cleartext inside the cluster even though api7.tls is enabled.
# - Because the gateway sits behind the controller, the gateway sees the
#   controller's address as the client IP unless it is configured to trust the
#   ingress as a proxy; per-IP plugins (plugins.rateLimit) depend on this.
ingress:
  enabled: true
  className: "nginx"  # Ingress controller class (nginx, traefik, etc.)

  annotations:
    cert-manager.io/cluster-issuer: "cloudflare-acme-prod"
    # Add custom annotations as needed:
    # nginx.ingress.kubernetes.io/proxy-body-size: "10m"
    # nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"
    # To encrypt the controller->gateway leg with ingress-nginx, point
    # hosts[].gateway.port at the gateway's 443 port and add:
    # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"

  # Gateway routing configuration
  # All traffic is routed through API7 Gateway for advanced features:
  # - Dynamic routing based on ADC configuration
  # - Rate limiting (standard and AI-based)
  # - CORS policies
  # - Authentication/Authorization
  # - Request/Response transformation
  hosts:
    - host: commandware.it
      paths:
        - path: /
          pathType: Prefix
          # Route to API7 Gateway (recommended for production)
          gateway:
            serviceName: gateway-0-1759393614-gateway  # API7 Gateway service name
            port: 80  # Gateway HTTP port (443 for HTTPS)
            # NOTE(review): a Kubernetes Ingress can only back onto Services in
            # its own namespace. If the chart is released into a namespace other
            # than api7ee, the ingress template needs an ExternalName (or
            # similar) bridge for this to work -- verify against the template.
            namespace: api7ee  # Gateway service namespace

        # Direct service routing (legacy, not recommended)
        # Only use this if you need to bypass API7 Gateway -- and with it every
        # plugin listed above (rate limiting, CORS, authentication).
        # - path: /
        #   pathType: Prefix
        #   service: web  # Routes directly to web service
        # - path: /api
        #   pathType: Prefix
        #   service: api  # Routes directly to API service

  # TLS/SSL Configuration
  # secretName is the Secret cert-manager fills from the cluster-issuer
  # annotation above; hosts must match ingress.hosts and api7.gateway.hosts.
  tls:
    - secretName: api7ee-tls  # Certificate secret name (created by cert-manager)
      hosts:
        - commandware.it
# ServiceAccount configuration
# A dedicated ServiceAccount (rather than "default") lets RBAC be granted to
# this workload alone. The RBAC needed for service discovery is attached
# separately (rbac-adc.yaml); the web/api pods themselves presumably need no
# Kubernetes API access.
serviceAccount:
  create: true
  annotations: {}  # e.g. cloud IAM bindings (IRSA / Workload Identity)
  name: ""  # Leave empty to let the chart derive the name (check the helper template)
# Pod Security Context
# Applies to every container in the pod. runAsUser pins the process UID to an
# unprivileged user regardless of what the image declares; fsGroup gives
# mounted volumes GID 1000 so writable volumes still work together with the
# read-only root filesystem set in securityContext. Files the process reads
# must be accessible to UID/GID 1000.
podSecurityContext:
  runAsNonRoot: true
  runAsUser: 1000
  fsGroup: 1000
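# Security Context for containers
# Matches the Kubernetes "restricted" Pod Security Standard: no privilege
# escalation, all capabilities dropped, read-only root filesystem, non-root
# UID and the runtime's default seccomp profile. Containers that need a
# writable path (temp files, caches) must mount an emptyDir for it.
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 1000
  # Required by the restricted profile; applies the container runtime's
  # default syscall filter so a compromised process cannot reach the
  # kernel surface the runtime does not allow.
  seccompProfile:
    type: RuntimeDefault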
# Network Policies
# Disabled by default, so every pod of this release accepts connections from
# any pod in the cluster and can reach anything. For production, enable it and
# restrict ingress to the ingress controller / gateway namespace and egress to
# what the services actually need (DNS, the API7 gateway, the data stores).
# NOTE(review): with both policy types listed and empty rule lists, enabling
# this as-is would deny all ingress and all egress -- including DNS -- if the
# template renders the lists verbatim. Add rules before setting enabled: true.
networkPolicy:
  enabled: false
  policyTypes:
    - Ingress
    - Egress
  ingress: []  # NetworkPolicy ingress rules (from/ports entries)
  egress: []  # NetworkPolicy egress rules (to/ports entries)
# Pod Disruption Budget
# Keeps at least one pod up during voluntary disruptions (node drains,
# cluster upgrades). With a single replica, minAvailable: 1 blocks drains
# entirely -- raise the replica count or switch to maxUnavailable instead.
podDisruptionBudget:
  enabled: true
  minAvailable: 1
  # maxUnavailable: 1
# Monitoring and metrics
# Application metrics for Prometheus Operator (ServiceMonitor). The /metrics
# path is presumably served without authentication, so keep the services
# ClusterIP and do not route it through the Ingress.
metrics:
  enabled: false
  serviceMonitor:
    enabled: false  # Requires the ServiceMonitor CRD (Prometheus Operator)
    interval: 30s
    path: /metrics
    labels: {}  # Must match the Prometheus instance's serviceMonitorSelector
# ConfigMap for shared configuration
# Plain key/value data for the components. ConfigMaps are not secret --
# anyone with read access to the namespace can see them -- so credentials
# go under secrets, never here.
configMap:
  data: {}
# Secrets for sensitive data
# create: true renders data into a Kubernetes Secret. The values still pass
# through this file (VCS) and are stored in the Helm release Secret, so for
# production prefer an externally managed Secret (External Secrets, Sealed
# Secrets, a CSI secret store) and leave create: false.
secrets:
  create: false
  data: {}
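# ============================================================================
# API7 Gateway Configuration
# ============================================================================
# API7 Enterprise provides advanced API Gateway features including:
# - Dynamic routing with service discovery
# - Rate limiting (standard and AI-based for LLM endpoints)
# - CORS policies
# - Authentication/Authorization
# - Request/Response transformation
# - Observability and metrics
#
# Trust model: the ADC sync job below holds the Dashboard admin key and can
# rewrite every route the gateway serves. Treat its image, its TLS settings
# and its logs as privileged.
api7:
  enabled: true  # Enable API7 ADC (API Declarative Configuration) sync

  # ADC Container Settings
  # ADC syncs declarative configuration from ConfigMap to API7 Gateway
  adc:
    # Pin this to a release tag or digest for production: "latest" is mutable,
    # so the job that pushes gateway config with the admin key would run
    # whatever the registry serves the next time the image is pulled.
    image: ghcr.io/api7/adc:latest  # ADC container image
    imagePullPolicy: IfNotPresent
    # Verbose output lands in the job's pod logs (readable by anyone with
    # pods/log access) and may include request details; turn it off once the
    # sync is known to work.
    verbose: true  # Enable verbose logging for debugging
    # Verify the Dashboard Admin API certificate (the default). With true, the
    # job sends gateway.adminKey to a peer it has not verified, so anyone able
    # to intercept in-cluster traffic to the dashboard can capture the key and
    # take over the gateway configuration. Prefer issuing the dashboard a
    # certificate from a CA the job trusts; set true only, and knowingly, for a
    # self-signed dashboard certificate in a non-production environment.
    tlsSkipVerify: false
    # Resources for ADC sync job
    resources:
      limits:
        cpu: 500m
        memory: 256Mi
      requests:
        cpu: 100m
        memory: 128Mi

  # API7 Gateway Connection Settings
  gateway:
    # Dashboard Admin API URL (HTTPS required for API7 Enterprise)
    # The dashboard service exposes the admin API on port 7443. The host is an
    # unqualified Service name, so the sync job presumably runs in the
    # dashboard's namespace (api7ee); use <service>.<namespace>.svc otherwise.
    adminUrl: https://api7ee3-0-1759339083-dashboard:7443

    # Admin API key -- full control over the gateway. Keep it empty in this
    # file and supply it at install time (--set api7.gateway.adminKey=... fed
    # from a secret store, or a values file that is not committed): a value
    # written here ends up in VCS and in the Helm release Secret.
    # Obtain from: kubectl get secret -n api7ee api7ee3-0-1759339083 -o jsonpath='{.data.admin_key}' | base64 -d
    adminKey: ""

    # Gateway group name (logical grouping of gateway instances)
    group: default

    # Gateway service name (for traffic routing)
    # This is the Kubernetes service that routes traffic to APISIX data plane.
    # Must match ingress.hosts[].paths[].gateway.serviceName / namespace.
    gatewayService: gateway-0-1759393614-gateway
    gatewayNamespace: api7ee  # Gateway service namespace

    # Backend Type
    # - api7ee: API7 Enterprise (includes all enterprise features)
    # - apisix: Open source APISIX (limited features)
    backend: api7ee

    # Auto-publish Routes
    # When true, routes are automatically published after ADC sync, i.e. a
    # change to the ConfigMap goes live with no review step in the dashboard.
    # When false, routes must be manually published via dashboard.
    autoPublish: true

    # Domain Hosts
    # List of domains that API7 Gateway will handle
    # Must match Ingress hosts for proper routing
    hosts:
      - commandware.it

  # TLS/SSL Configuration
  tls:
    enabled: true  # Enable HTTPS for API7 Gateway

    # Option 1: Use cert-manager (Recommended)
    # Automatically provisions and renews certificates
    certManager:
      enabled: true
      issuer: cloudflare-acme-prod  # ClusterIssuer/Issuer name
      issuerKind: ClusterIssuer  # ClusterIssuer or Issuer

      # Private key settings
      privateKey:
        # Always: generate a fresh key on every renewal, so a leaked key does
        # not outlive the certificate it was issued for. Set explicitly because
        # older cert-manager releases default to Never (key reuse).
        rotationPolicy: Always  # Always or Never
        algorithm: RSA  # RSA or ECDSA
        size: 2048  # Key size in bits (2048 is the minimum acceptable for RSA)

      # Certificate lifetime
      # ACME CAs such as Let's Encrypt decide the lifetime themselves and
      # ignore the requested duration; these values apply to issuers that
      # honor them.
      duration: 2160h  # 90 days
      renewBefore: 720h  # Renew 30 days before expiry

    # Option 2: Use existing TLS secret
    secretName: ""  # Leave empty to auto-generate name

    # Option 3: Provide certificates directly (NOT recommended for production)
    # The private key would live in this values file and in the Helm release
    # Secret; use Option 1 or 2 instead.
    certificate: ""
    key: ""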
# ============================================================================
# Service Discovery Configuration
# ============================================================================
# When enabled, API7 Gateway dynamically discovers backend Pods through
# Kubernetes API instead of using static upstream node configuration.
#
# Benefits:
# - Automatic scaling: New Pods are automatically added to upstream pool
# - Health checks: Only healthy/ready Pods receive traffic
# - Zero downtime: Seamless updates during deployments and rollouts
# - No manual configuration: Eliminates need to specify Pod IPs/hostnames
#
# Requirements:
# - RBAC permissions for services, endpoints (already configured in rbac-adc.yaml)
#   Keep that grant read-only (get/list/watch) and scoped to the namespace
#   below: discovery needs nothing more, and a broader grant widens what a
#   compromised gateway or sync job could do.
# - Service must exist in Kubernetes
serviceDiscovery:
  enabled: true  # Enable Kubernetes service discovery
  # Namespace whose Services/Endpoints are watched. Presumably the RBAC in
  # rbac-adc.yaml is scoped to the same namespace -- verify if you change this.
  namespace: ""  # Leave empty to use release namespace
# ============================================================================
# API7 Plugins Configuration
# ============================================================================
# Plugins provide advanced features like rate limiting, CORS, auth, etc.
# Each plugin can be enabled/disabled and configured independently.
# Rate limits and CORS are traffic-shaping and browser-policy controls, not
# authentication: with auth.enabled false every route below is anonymous.

plugins:
  # Standard Rate Limiting
  # Applied to /api routes (except /api/llm)
  # Limits requests per IP address
  rateLimit:
    enabled: true
    count: 100  # Max requests per time window
    timeWindow: 60  # Time window in seconds
    rejectedCode: 429  # HTTP status code for rejected requests
    keyType: "var"  # Key type: "var", "var_combination", "constant"
    # NOTE(review): traffic reaches the gateway through the nginx Ingress
    # (ingress.hosts), so remote_addr is most likely the ingress controller's
    # address rather than the client's -- all clients would then share one
    # 100-requests-per-minute bucket. Confirm the gateway trusts the ingress as
    # a proxy (real-IP handling) before relying on this key. The count is also
    # presumably enforced per gateway instance unless the plugin is configured
    # with a shared policy.
    key: "remote_addr"  # Variable name for key (client IP)

  # AI Rate Limiting
  # Applied to /api/llm routes
  # Specialized rate limiting for LLM/AI endpoints based on token usage.
  # This is cost control, not access control -- pair it with auth for any
  # endpoint that incurs per-token charges.
  aiRateLimit:
    enabled: true
    # 100 tokens per minute is very low for LLM traffic (a single completion
    # can exceed it); tune to the expected per-client budget.
    limit: 100  # Max tokens per time window
    timeWindow: 60  # Time window in seconds
    rejectedCode: 429  # HTTP status code
    limitStrategy: "total_tokens"  # Strategy: "total_tokens", "input_tokens", "output_tokens"

  # CORS (Cross-Origin Resource Sharing)
  # Enables browser-based applications to access the API.
  # CORS only governs browsers; it does not restrict non-browser clients.
  cors:
    enabled: true
    # "*" lets any web origin call the API from a browser. Keep this with
    # allowCredentials: false only -- a wildcard origin with credentials is
    # rejected by browsers and must never be configured. List the front-end
    # origins explicitly in production.
    allowOrigins: ["*"]  # Allowed origins (use specific domains in production)
    allowMethods: ["GET", "POST", "PUT", "DELETE", "OPTIONS", "HEAD", "PATCH"]
    allowHeaders: ["*"]  # Allowed headers (must include auth.header when auth is enabled)
    exposeHeaders: ["*"]  # Headers exposed to browser
    maxAge: 3600  # Preflight cache duration (seconds)
    # Leave false while allowOrigins is "*"; switching this on requires an
    # explicit origin list above.
    allowCredentials: false  # Allow credentials (cookies, auth headers)

  # Authentication
  # Key-based authentication for API access. Disabled by default, which means
  # every route is reachable anonymously through the Ingress; enable it (and
  # define consumers) before exposing anything non-public.
  auth:
    enabled: false  # Enable to require API keys
    # API keys are bearer secrets: they are protected only by the TLS configured
    # on the Ingress, and they show up in any request logging that captures
    # headers (see logging below).
    header: X-API-Key  # Header name for API key

  # Prometheus Metrics
  # Exposes metrics for monitoring and observability
  prometheus:
    enabled: true
    # Metrics endpoint: http://<gateway>:9091/apisix/prometheus/metrics
    # Presumably unauthenticated; it reveals route names and traffic counts,
    # so keep port 9091 cluster-internal and never route it via the Ingress.

  # Request Logging
  # Sends request logs to external logging service
  logging:
    enabled: false  # Enable to send logs to external service
    # Plain http: logs travel unencrypted inside the cluster. Depending on the
    # fields the logger captures, they may include request headers -- i.e. the
    # X-API-Key values once auth is enabled. Prefer https and drop/redact
    # credential headers at the logger.
    endpoint: http://logging-service:8080/logs  # Logging service URL
    batchMaxSize: 1000  # Max batch size before sending
    inactiveTimeout: 5  # Max wait time (seconds) before sending batch
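# ============================================================================
# API Consumers
# ============================================================================
# Consumers represent API clients with authentication credentials
# Used with auth plugin (when auth.enabled: true)
#
# No consumers are shipped by default. A chart default such as
# "demo-key-12345" is a publicly known credential the moment the chart is
# published, and it would become a valid login for anyone who flips
# auth.enabled without also editing this list. Define consumers in an
# untracked values file or via --set, for example:
#
# consumers:
#   - username: demo-user
#     apiKey: <random value, e.g. from: openssl rand -hex 32>
#   - username: admin
#     apiKey: <random value>
#
# Each apiKey is a bearer secret sent in the auth.header request header;
# rotate it like any other credential.
consumers: []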