Merged
2 changes: 1 addition & 1 deletion charts/gateway/Chart.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: v2
appVersion: "11.2.2"
description: This Helm Chart deploys the Layer7 Gateway in Kubernetes.
name: gateway
version: 3.1.3
version: 3.1.4
type: application
home: https://github.com/CAAPIM/apim-charts
maintainers:
18 changes: 17 additions & 1 deletion charts/gateway/README.md
Expand Up @@ -8,7 +8,7 @@ The Bitnami subCharts have now been fully removed from the Gateway Helm Chart. P
The included MySQL Statefulset is enabled by default to make trying this chart out easier. ***It is not supported or recommended for production.*** Layer7 assumes that you are deploying a Gateway solution to a Kubernetes environment with an external MySQL database.

## Release notes
- Current Chart Version 3.1.2
- Current Chart Version 3.1.4

- Please review release notes [here](./release-notes.md)

Expand Down Expand Up @@ -184,6 +184,7 @@ The following table lists the configurable parameters of the Gateway chart and t
| `database.password` | Database Password | `mypassword` |
| `database.liquibaseLogLevel` | Liquibase log level | `off` |
| `database.name` | Database name | `ssg` |
| `database.type` | Embedded database type (`h2` or empty for Derby). Only used when `database.enabled: false`. | `""` |
| `tls.useSignedCertificates` | Enable/Disable use of your own TLS Certificate, this ovverides the Gateway's defaultSSLKey | `false` |
| `tls.existingSecretName` | Existing Secret that contains TLS p12 container and pass, see values.yaml for what must be included | `commented out` |
| `tls.key` | p12 container - this can be set with --set-file tls.key=/path/to/tls.p12 | `nil` |
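Review bot: In the new `database.type` row, "Only used when `database.enabled: false`" reads as if the value is simply ignored otherwise, but the guard added in templates/configmap.yaml makes rendering fail when both are set. Suggest wording such as "Must be left empty when `database.enabled: true`" so the parameter table matches what the chart does.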
Expand Down Expand Up @@ -1916,6 +1917,21 @@ admin.pass=mypassword
node.db.type=derby
node.db.config.main.user=gateway
```

##### H2 Embedded Database (Alternative to Derby)
When running in ephemeral mode (`database.enabled: false`), you can use H2 as the embedded database instead of Derby by setting `database.type: "h2"` in your values file.

The chart automatically sets `node.db.type=h2` in node.properties and the `SSG_DATABASE_TYPE` environment variable (when `disklessConfig.enabled: true`).

Example values.yaml configuration:
```yaml
database:
enabled: false
create: false
type: "h2"
```

> **Note:** `database.type` cannot be set when `database.enabled: true`. Using an embedded database alongside an external MySQL database is not supported and will cause `helm install`/`helm upgrade` to fail at render time.
Unlike interactive password changes in Policy Manager, the container startup scripts validate the following username and password against a restricted character set (for parsing/scripting safety):
```
admin.user, admin.pass, node.db.config.main.user, node.db.config.main.pass
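Review bot: The new `> **Note:**` line is followed directly by the existing "Unlike interactive password changes in Policy Manager..." paragraph with no blank line in between, so Markdown will fold that paragraph into the blockquote as a lazy continuation. Add an empty line after the note. Separately, this section says `SSG_DATABASE_TYPE` is set only when `disklessConfig.enabled: true`, while the 3.1.4 release-notes entry states it without that condition; the two descriptions should agree.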
6 changes: 5 additions & 1 deletion charts/gateway/production-values.yaml
Expand Up @@ -652,7 +652,7 @@ database:
# This pre-upgrade job executes any pending database schema updates and exits. The job executes before the rollout of new Gateways.
# Ensure the requirements are met before enabling.
# Requirement: The Gateway must be 11.2.2 or newer which supports applying db schema changes and exiting without starting Gateway.
# Warning, if this job fails, it may leave the DATABASECHANGELOGLOCK locked in which case
# Warning, if this job fails, it may leave the DATABASECHANGELOGLOCK locked in which case
# the lock must be manually removed before a retry can be attempted.
migrationJob:
# Opt-in: set to true only when running helm upgrade against a Gateway 11.2.2+ image.
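Review bot: The only change in this hunk is the "Warning, if this job fails..." comment line, replaced by a visually identical line, so this looks like a whitespace-only edit unrelated to H2 support. values.yaml is listed with 4 additions and 0 deletions, so it did not receive the same cleanup; either drop this line from the PR or apply it to both files so they do not drift.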
Expand All @@ -667,6 +667,10 @@ database:
clearLocks: false
# The maximum duration (in seconds) the job is allowed to run before being terminated.
activeDeadlineSeconds: 300
# Embedded database type selection. Leave empty to use the default (derby).
# Set to "h2" to use the H2 embedded database. Requires database.enabled: false.
# type: "h2"
type: ""

## If loading a TLS Key/Pair
# This key will become the default ssl key. Can only have one.
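Review bot: The new `type: ""` key is placed immediately after `activeDeadlineSeconds: 300`, the last key of the `migrationJob` block, with no blank line or section comment separating them, so a reader can easily take it for a `migrationJob` setting. Suggest a blank line before the comment and naming the full key in it, for example "database.type: embedded database type selection". The comment could also state that rendering fails if this is set while `database.enabled: true`, not only that it "Requires" it. The same applies to the identical block added to values.yaml.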
6 changes: 6 additions & 0 deletions charts/gateway/release-notes.md
Expand Up @@ -7,6 +7,12 @@ The Layer7 API Gateway is now running with Java 21 with the release of v11.2.0.

If you use Policy Manager, you will need to update to v11.2.0.

## 3.1.4 H2 Embedded Database Support
- Added support for the H2 embedded database as an alternative to the default Derby embedded database.
- Set `database.type: "h2"` in your values file to enable H2. Requires `database.enabled: false`.
- Leave `database.type` empty (default) to continue using Derby.
- The `SSG_DATABASE_TYPE` environment variable is set automatically when `database.type` is configured.

## 3.1.3 Database Migration Job (Pre-Upgrade Schema Updates)

Requires Gateway image **11.2.2 or newer**.
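Review bot: The 3.1.4 entry says `SSG_DATABASE_TYPE` is set automatically whenever `database.type` is configured, but the README section added in this PR limits that to `disklessConfig.enabled: true`. Please align the wording. The entry should also mention that `helm install`/`helm upgrade` now fails at render time when `database.type` is set together with `database.enabled: true`, since that is the behaviour an upgrading user is most likely to hit. Unlike the 3.1.3 entry below, no minimum Gateway image version for H2 is stated; if one applies, add it here.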
7 changes: 7 additions & 0 deletions charts/gateway/templates/configmap.yaml
@@ -1,3 +1,7 @@
# Copyright (c) 2026 Broadcom Inc. and its subsidiaries. All Rights Reserved.
{{- if and .Values.database.type .Values.database.enabled }}
{{ fail "database.type requires database.enabled: false — an embedded database cannot be used alongside an external database" }}
{{- end }}
apiVersion: v1
kind: ConfigMap
metadata:
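Review bot: The guard at the top of the file only checks that `database.type` is non-empty together with `database.enabled`; it does not check the value itself. The README documents `h2` or empty as the only valid settings, so a typo or an unsupported name passes rendering and is discovered only at Gateway startup. Suggest a second `fail` when the lowercased value is not `h2`, placed next to this check, so misconfiguration is rejected at render time with a clear message.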
Expand Down Expand Up @@ -34,6 +38,9 @@ data:
SSG_DATABASE_JDBC_URL: {{ .Values.database.jdbcURL }}
{{- end }}
{{- end }}
{{- if .Values.database.type }}
SSG_DATABASE_TYPE: {{ .Values.database.type | lower | quote }}
{{- end }}
{{- end }}
{{- if or (.Values.hazelcast.enabled) (.Values.hazelcast.external) }}
EXTRA_JAVA_ARGS: {{ template "gateway.javaArgs" . }} -Dcom.l7tech.server.extension.sharedCounterProvider=externalhazelcast -Dcom.l7tech.server.extension.sharedKeyValueStoreProvider=externalhazelcast -Dcom.l7tech.server.extension.sharedClusterInfoProvider=externalhazelcast
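Review bot: `SSG_DATABASE_TYPE` is emitted here from `.Values.database.type | lower | quote` for any non-empty string, while node-properties-secret.yaml in this same PR treats everything other than `h2` as Derby. The ConfigMap and the node.properties secret can therefore carry different database types for the same values file. Emit the variable only for values the chart recognises, or validate the value before either template uses it.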
6 changes: 5 additions & 1 deletion charts/gateway/templates/node-properties-secret.yaml
Expand Up @@ -33,7 +33,11 @@ stringData:
node.db.config.main.user={{ .Values.database.username }}
node.db.config.main.pass={{ .Values.database.password }}
{{- else }}
{{- if and .Values.database.type (eq (.Values.database.type | lower) "h2") }}
node.db.type=h2
{{- else }}
node.db.type=derby
{{- end }}
node.db.config.main.user={{ default "gateway" .Values.database.username }}
{{- end }}
{{- end }}
{{- end }}
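Review bot: In the new `{{- if and .Values.database.type (eq (.Values.database.type | lower) "h2") }}` branch, every non-empty value other than `h2` silently falls through to `node.db.type=derby`, so a misspelled type produces a Derby node.properties with no warning. The leading `.Values.database.type` operand is also redundant, since an empty string lowercased never equals "h2". Suggest validating the value once in a shared place and simplifying this condition to the `eq` test alone.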
4 changes: 4 additions & 0 deletions charts/gateway/values.yaml
Expand Up @@ -664,6 +664,10 @@ database:
clearLocks: false
# The maximum duration (in seconds) the job is allowed to run before being terminated.
activeDeadlineSeconds: 300
# Embedded database type selection. Leave empty to use the default (derby).
# Set to "h2" to use the H2 embedded database. Requires database.enabled: false.
# type: "h2"
type: ""

## If loading a TLS Key/Pair
# This key will become the default ssl key. Can only have one.