From 97710fdf8edc3bd3d6a0d7f6fcac763a1818582f Mon Sep 17 00:00:00 2001 From: jc660465 Date: Tue, 9 Jun 2026 10:08:12 -0700 Subject: [PATCH 01/20] Provide database migration job as part of the helm update. It requires Container Gateway 11.2.2 or newer db schema startup options to use. --- charts/gateway/production-values.yaml | 13 +++ charts/gateway/templates/NOTES.txt | 14 +++ .../gateway/templates/db-migration-job.yaml | 92 +++++++++++++++++++ charts/gateway/values.yaml | 13 +++ 4 files changed, 132 insertions(+) create mode 100644 charts/gateway/templates/db-migration-job.yaml diff --git a/charts/gateway/production-values.yaml b/charts/gateway/production-values.yaml index 3d913493..1eeec4d4 100644 --- a/charts/gateway/production-values.yaml +++ b/charts/gateway/production-values.yaml @@ -648,6 +648,19 @@ database: # severe/warning/info/fine(debug)/off liquibaseLogLevel: "off" name: ssg + # Configure an opt-in pre-upgrade database migration job. + # This job will use gateway.db.schema-update.mode=liquibase-only-with-unlock to clear + # any stuck locks before attempting schema updates. + # + # IMPORTANT: After the migration job completes (if you have Gateway 11.2.2 or newer), + # you can start up the main Gateway containers with -Dgateway.db.schema-update.mode=skip. + # This means that regardless if the DATABASECHANGELOGLOCK is locked or not, the + # Gateway will startup skipping the liquibase schema check entirely. + migrationJob: + enabled: false + # Mandatory: Provide the direct primary JDBC URL here + jdbcUrl: "" + hookWeight: "-5" ## If loading a TLS Key/Pair # This key will become the default ssl key. Can only have one. diff --git a/charts/gateway/templates/NOTES.txt b/charts/gateway/templates/NOTES.txt index 2c1071d5..49e964e6 100644 --- a/charts/gateway/templates/NOTES.txt +++ b/charts/gateway/templates/NOTES.txt @@ -26,3 +26,17 @@ Gateway Helm Chart Readme Thinking in Kubernetes - https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw-10-1/learning-center/thinking-in-kubernetes.html#thinkingk8s + +{{- if .Values.database.migrationJob.enabled }} + +---------------------------------------------------------------------------------- +IMPORTANT: DB Migration Job Enabled +---------------------------------------------------------------------------------- +A pre-upgrade database migration job has been deployed to safely apply schema updates. +If you have Gateway version 11.2.2 or newer, you can now start your main Gateway deployments with: + javaArgs: + - "-Dgateway.db.schema-update.mode=skip" + +This ensures that the Gateway will start up quickly by skipping the liquibase schema check entirely, +regardless of whether the DATABASECHANGELOGLOCK is locked. +{{- end }} diff --git a/charts/gateway/templates/db-migration-job.yaml b/charts/gateway/templates/db-migration-job.yaml new file mode 100644 index 00000000..1a646788 --- /dev/null +++ b/charts/gateway/templates/db-migration-job.yaml @@ -0,0 +1,92 @@ +# Copyright (c) 2026 Broadcom Inc. and its subsidiaries. All Rights Reserved. +{{- if .Values.database.migrationJob.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "gateway.fullname" . }}-db-migration + annotations: + chartversion: {{ .Chart.AppVersion | quote }} + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": {{ .Values.database.migrationJob.hookWeight | quote }} + {{- if .Values.database.migrationJob.annotations }} + {{- range $key, $val := .Values.database.migrationJob.annotations }} + {{ $key }}: "{{ $val }}" + {{- end }} + {{- end }} + labels: + app: {{ template "gateway.fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + backoffLimit: 1 + template: + metadata: + labels: + app: {{ template "gateway.fullname" . }}-db-migration + release: {{ .Release.Name }} + {{- if .Values.database.migrationJob.podAnnotations }} + annotations: {{- toYaml .Values.database.migrationJob.podAnnotations | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ include "gateway.serviceAccountName" . }} + {{- if .Values.podSecurityContext }} + securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- end }} + {{- if .Values.imagePullSecret.enabled }} + imagePullSecrets: + - name: {{ template "gateway.imagePullSecret" . }} + {{- end }} + containers: + - name: db-migration + image: {{.Values.image.registry}}/{{.Values.image.repository}}:{{.Values.image.tag}} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if .Values.containerSecurityContext }} + securityContext: {{- toYaml .Values.containerSecurityContext | nindent 12 }} + {{- end }} + envFrom: + - configMapRef: + name: {{ template "gateway.fullname" . }}-configmap + - secretRef: + name: {{ template "gateway.secretName" . }} + env: + - name: SSG_DATABASE_JDBC_URL + value: {{ required "A direct primary database JDBC URL (database.migrationJob.jdbcUrl) is REQUIRED when the migration job is enabled to bypass proxies." .Values.database.migrationJob.jdbcUrl | quote }} + - name: EXTRA_JAVA_ARGS + value: "-Dgateway.db.schema-update.mode=liquibase-only-with-unlock" + volumeMounts: + - name: {{ template "gateway.fullname" . }}-license-xml + mountPath: /opt/SecureSpan/Gateway/node/default/etc/bootstrap/license/license.xml + subPath: license.xml + {{- if (not .Values.disklessConfig.enabled) }} + {{- if (not .Values.disklessConfig.setSecretByInitContainer) }} + - name: {{ template "gateway.fullname" . }}-node-properties + mountPath: /opt/SecureSpan/Gateway/node/default/etc/conf/node.properties + subPath: node.properties + {{- else }} + - name: shared-secret + mountPath: /opt/SecureSpan/Gateway/node/default/etc/conf/node.properties + subPath: node.properties + {{- end }} + {{- end }} + volumes: + - name: {{ template "gateway.fullname" . }}-license-xml + secret: + secretName: {{ template "gateway.license" . }} + items: + - key: license + path: license.xml + {{- if and (not .Values.disklessConfig.enabled) (not .Values.disklessConfig.setSecretByInitContainer) }} + - name: {{ template "gateway.fullname" . }}-node-properties + {{- if .Values.disklessConfig.existingSecret.csi }} + csi: {{ toYaml .Values.disklessConfig.existingSecret.csi | nindent 12 }} + {{- else }} + secret: + secretName: {{ template "gateway.node.properties" . }} + items: + - key: node.properties + path: node.properties + {{- end }} + {{- end }} + restartPolicy: "Never" +{{- end }} \ No newline at end of file diff --git a/charts/gateway/values.yaml b/charts/gateway/values.yaml index f06ba481..e43f545d 100644 --- a/charts/gateway/values.yaml +++ b/charts/gateway/values.yaml @@ -646,6 +646,19 @@ database: # severe/warning/info/fine(debug)/off liquibaseLogLevel: "off" name: ssg + # Configure an opt-in pre-upgrade database migration job. + # This job will use gateway.db.schema-update.mode=liquibase-only-with-unlock to clear + # any stuck locks before attempting schema updates. + # + # IMPORTANT: After the migration job completes (if you have Gateway 11.2.2 or newer), + # you can start up the main Gateway containers with -Dgateway.db.schema-update.mode=skip. + # This means that regardless if the DATABASECHANGELOGLOCK is locked or not, the + # Gateway will startup skipping the liquibase schema check entirely. + migrationJob: + enabled: false + # Mandatory: Provide the direct primary JDBC URL here + jdbcUrl: "" + hookWeight: "-5" ## If loading a TLS Key/Pair # This key will become the default ssl key. Can only have one. From f2f0e01bc0f2debf38ba703f237e6da228332c97 Mon Sep 17 00:00:00 2001 From: jc660465 Date: Thu, 11 Jun 2026 17:17:31 -0700 Subject: [PATCH 02/20] The db migration job should start Gateway using liquibase-only. --- charts/gateway/templates/db-migration-job.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/gateway/templates/db-migration-job.yaml b/charts/gateway/templates/db-migration-job.yaml index 1a646788..5d299a43 100644 --- a/charts/gateway/templates/db-migration-job.yaml +++ b/charts/gateway/templates/db-migration-job.yaml @@ -53,7 +53,7 @@ spec: - name: SSG_DATABASE_JDBC_URL value: {{ required "A direct primary database JDBC URL (database.migrationJob.jdbcUrl) is REQUIRED when the migration job is enabled to bypass proxies." .Values.database.migrationJob.jdbcUrl | quote }} - name: EXTRA_JAVA_ARGS - value: "-Dgateway.db.schema-update.mode=liquibase-only-with-unlock" + value: "-Dgateway.db.schema-update.mode=liquibase-only volumeMounts: - name: {{ template "gateway.fullname" . }}-license-xml mountPath: /opt/SecureSpan/Gateway/node/default/etc/bootstrap/license/license.xml From 74e4b24c366637265dc1e86f84377104d3ed5391 Mon Sep 17 00:00:00 2001 From: jc660465 Date: Thu, 11 Jun 2026 17:29:16 -0700 Subject: [PATCH 03/20] Fix lint errors. --- charts/gateway/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/gateway/values.yaml b/charts/gateway/values.yaml index e43f545d..07f44e04 100644 --- a/charts/gateway/values.yaml +++ b/charts/gateway/values.yaml @@ -649,10 +649,10 @@ database: # Configure an opt-in pre-upgrade database migration job. # This job will use gateway.db.schema-update.mode=liquibase-only-with-unlock to clear # any stuck locks before attempting schema updates. - # + # # IMPORTANT: After the migration job completes (if you have Gateway 11.2.2 or newer), # you can start up the main Gateway containers with -Dgateway.db.schema-update.mode=skip. - # This means that regardless if the DATABASECHANGELOGLOCK is locked or not, the + # This means that regardless if the DATABASECHANGELOGLOCK is locked or not, the # Gateway will startup skipping the liquibase schema check entirely. migrationJob: enabled: false From 7a0d72b326b827fbcdb65420a2e55faaa0b2fcd5 Mon Sep 17 00:00:00 2001 From: jc660465 Date: Thu, 11 Jun 2026 17:35:46 -0700 Subject: [PATCH 04/20] Update the version --- charts/gateway/Chart.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/gateway/Chart.yaml b/charts/gateway/Chart.yaml index 9d972b3e..0e3b4b6a 100644 --- a/charts/gateway/Chart.yaml +++ b/charts/gateway/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: "11.2.1" +appVersion: "11.2.2" description: This Helm Chart deploys the Layer7 Gateway in Kubernetes. name: gateway -version: 3.1.1 +version: 3.1.2 type: application home: https://github.com/CAAPIM/apim-charts maintainers: From c85f989ede581eaa9a9d5ddca65f2a5e137c3906 Mon Sep 17 00:00:00 2001 From: jc660465 Date: Fri, 12 Jun 2026 21:27:53 -0700 Subject: [PATCH 05/20] Modify the db-migration-job.yaml hook to be pre-upgrade only. Will not work with pre-install as it requires resources like license file that hasn't been mounted yet. There is no need to run migrate job on new install as there is no contention. Also display the DB Migration job enabled note only if it was enabled. --- charts/gateway/templates/NOTES.txt | 2 +- charts/gateway/templates/db-migration-job.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/gateway/templates/NOTES.txt b/charts/gateway/templates/NOTES.txt index 49e964e6..43a79c41 100644 --- a/charts/gateway/templates/NOTES.txt +++ b/charts/gateway/templates/NOTES.txt @@ -27,7 +27,7 @@ Gateway Helm Chart Readme Thinking in Kubernetes - https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw-10-1/learning-center/thinking-in-kubernetes.html#thinkingk8s -{{- if .Values.database.migrationJob.enabled }} +{{- if and .Values.database.migrationJob.enabled .Release.IsUpgrade }} ---------------------------------------------------------------------------------- IMPORTANT: DB Migration Job Enabled diff --git a/charts/gateway/templates/db-migration-job.yaml b/charts/gateway/templates/db-migration-job.yaml index 5d299a43..86619e96 100644 --- a/charts/gateway/templates/db-migration-job.yaml +++ b/charts/gateway/templates/db-migration-job.yaml @@ -6,7 +6,7 @@ metadata: name: {{ template "gateway.fullname" . }}-db-migration annotations: chartversion: {{ .Chart.AppVersion | quote }} - "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook": pre-upgrade "helm.sh/hook-weight": {{ .Values.database.migrationJob.hookWeight | quote }} {{- if .Values.database.migrationJob.annotations }} {{- range $key, $val := .Values.database.migrationJob.annotations }} From 7d1e3e8304626f8ed07caa7c69ebbfb20dfd1fa1 Mon Sep 17 00:00:00 2001 From: jchanbcbc Date: Wed, 17 Jun 2026 10:05:22 -0700 Subject: [PATCH 06/20] Renamed the db-migration-job.yaml to gw-db-upgrade-job.yaml. Added ability to force unlock when running the db upgrade job. Revised some comments. --- charts/gateway/production-values.yaml | 25 ++++++++++--------- ...ration-job.yaml => gw-db-upgrade-job.yaml} | 6 ++++- charts/gateway/values.yaml | 2 ++ 3 files changed, 20 insertions(+), 13 deletions(-) rename charts/gateway/templates/{db-migration-job.yaml => gw-db-upgrade-job.yaml} (95%) diff --git a/charts/gateway/production-values.yaml b/charts/gateway/production-values.yaml index 1eeec4d4..b4e34851 100644 --- a/charts/gateway/production-values.yaml +++ b/charts/gateway/production-values.yaml @@ -216,6 +216,7 @@ config: - -Djava.util.logging.config.file=/opt/SecureSpan/Gateway/node/default/etc/conf/log-override.properties - -Dcom.l7tech.server.pkix.useDefaultTrustAnchors=true - -Dcom.l7tech.security.ssl.hostAllowWildcard=true + - -Dgateway.db.schema-update.mode=default # - -Djava.net.preferIPv4Stack=false # - -Djava.net.preferIPv6Addresses=true log: @@ -638,7 +639,7 @@ database: enabled: true # A MySQL Database is configured with this Chart, set to false and set jdbcURL to use your own DB server # Do not use this demo database in production!!! - create: false + create: true # jdbcURL: jdbc:mysql://:/ | jdbc:mysql://:,:/,... # Configurable, update the mysql.auth. if you change this and would like to use the demo database server. username: gateway @@ -648,19 +649,19 @@ database: # severe/warning/info/fine(debug)/off liquibaseLogLevel: "off" name: ssg - # Configure an opt-in pre-upgrade database migration job. - # This job will use gateway.db.schema-update.mode=liquibase-only-with-unlock to clear - # any stuck locks before attempting schema updates. - # - # IMPORTANT: After the migration job completes (if you have Gateway 11.2.2 or newer), - # you can start up the main Gateway containers with -Dgateway.db.schema-update.mode=skip. - # This means that regardless if the DATABASECHANGELOGLOCK is locked or not, the - # Gateway will startup skipping the liquibase schema check entirely. + # This pre-upgrade job executes any pending database schema updates and exits. The job executes before the rollout of new Gateways. + # Ensure the requirements are met before enabling. + # Requirement: The Gateway must be 11.2.2 or newer which supports applying db schema changes and exiting without starting Gateway. + # Warning, if this job fails, it may leave the DATABASECHANGELOGLOCK locked in which case + # the lock must be manually removed before a retry can be attempted. migrationJob: - enabled: false - # Mandatory: Provide the direct primary JDBC URL here - jdbcUrl: "" + enabled: true + # Provide the jdbcUrl to apply the database schema update. Recommended to specify the primary writer endpoint. + jdbcUrl: "jdbc:mysql://my-gateway-mysql:3306/ssg" hookWeight: "-5" + # Set to true to force release any stuck Liquibase locks before running the schema updates. + # Warning: use with caution as another simultaneous db schema udpate may corrupt the db schema. + clearStuckLocks: false ## If loading a TLS Key/Pair # This key will become the default ssl key. Can only have one. diff --git a/charts/gateway/templates/db-migration-job.yaml b/charts/gateway/templates/gw-db-upgrade-job.yaml similarity index 95% rename from charts/gateway/templates/db-migration-job.yaml rename to charts/gateway/templates/gw-db-upgrade-job.yaml index 86619e96..1d286616 100644 --- a/charts/gateway/templates/db-migration-job.yaml +++ b/charts/gateway/templates/gw-db-upgrade-job.yaml @@ -53,7 +53,11 @@ spec: - name: SSG_DATABASE_JDBC_URL value: {{ required "A direct primary database JDBC URL (database.migrationJob.jdbcUrl) is REQUIRED when the migration job is enabled to bypass proxies." .Values.database.migrationJob.jdbcUrl | quote }} - name: EXTRA_JAVA_ARGS - value: "-Dgateway.db.schema-update.mode=liquibase-only + {{- if .Values.database.migrationJob.clearStuckLocks }} + value: "-Dgateway.db.schema-update.mode=liquibase-only-with-unlock" + {{- else }} + value: "-Dgateway.db.schema-update.mode=liquibase-only" + {{- end }} volumeMounts: - name: {{ template "gateway.fullname" . }}-license-xml mountPath: /opt/SecureSpan/Gateway/node/default/etc/bootstrap/license/license.xml diff --git a/charts/gateway/values.yaml b/charts/gateway/values.yaml index 07f44e04..7c312bda 100644 --- a/charts/gateway/values.yaml +++ b/charts/gateway/values.yaml @@ -659,6 +659,8 @@ database: # Mandatory: Provide the direct primary JDBC URL here jdbcUrl: "" hookWeight: "-5" + # Set to true to force release any stuck Liquibase locks before running the schema updates + clearStuckLocks: false ## If loading a TLS Key/Pair # This key will become the default ssl key. Can only have one. From b5438f4bfe1dd2fd4f23c4e98c4ab7ee0c9b6afc Mon Sep 17 00:00:00 2001 From: jchanbcbc Date: Wed, 17 Jun 2026 13:49:01 -0700 Subject: [PATCH 07/20] Update comment for clearStuckLocks. --- charts/gateway/production-values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/gateway/production-values.yaml b/charts/gateway/production-values.yaml index b4e34851..988a77e1 100644 --- a/charts/gateway/production-values.yaml +++ b/charts/gateway/production-values.yaml @@ -659,8 +659,8 @@ database: # Provide the jdbcUrl to apply the database schema update. Recommended to specify the primary writer endpoint. jdbcUrl: "jdbc:mysql://my-gateway-mysql:3306/ssg" hookWeight: "-5" - # Set to true to force release any stuck Liquibase locks before running the schema updates. - # Warning: use with caution as another simultaneous db schema udpate may corrupt the db schema. + # Set to true to force release of any stuck Liquibase db schema locks before running the schema updates. + # Warning: use with caution as another simultaneous db schema update may corrupt the db schema. clearStuckLocks: false ## If loading a TLS Key/Pair From a7146f8cc43cc42aebfed5a1e2318de36bfaa921 Mon Sep 17 00:00:00 2001 From: jchanbcbc Date: Wed, 17 Jun 2026 14:07:12 -0700 Subject: [PATCH 08/20] Revert --- charts/gateway/production-values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/gateway/production-values.yaml b/charts/gateway/production-values.yaml index 988a77e1..e909d798 100644 --- a/charts/gateway/production-values.yaml +++ b/charts/gateway/production-values.yaml @@ -639,7 +639,7 @@ database: enabled: true # A MySQL Database is configured with this Chart, set to false and set jdbcURL to use your own DB server # Do not use this demo database in production!!! - create: true + create: false # jdbcURL: jdbc:mysql://:/ | jdbc:mysql://:,:/,... # Configurable, update the mysql.auth. if you change this and would like to use the demo database server. username: gateway From e4408c861c1e3fbb6c079755184a3a9ef2b80e21 Mon Sep 17 00:00:00 2001 From: jchanbcbc Date: Wed, 17 Jun 2026 14:12:17 -0700 Subject: [PATCH 09/20] Update with latest comments. --- charts/gateway/values.yaml | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/charts/gateway/values.yaml b/charts/gateway/values.yaml index 7c312bda..415631a7 100644 --- a/charts/gateway/values.yaml +++ b/charts/gateway/values.yaml @@ -646,20 +646,18 @@ database: # severe/warning/info/fine(debug)/off liquibaseLogLevel: "off" name: ssg - # Configure an opt-in pre-upgrade database migration job. - # This job will use gateway.db.schema-update.mode=liquibase-only-with-unlock to clear - # any stuck locks before attempting schema updates. - # - # IMPORTANT: After the migration job completes (if you have Gateway 11.2.2 or newer), - # you can start up the main Gateway containers with -Dgateway.db.schema-update.mode=skip. - # This means that regardless if the DATABASECHANGELOGLOCK is locked or not, the - # Gateway will startup skipping the liquibase schema check entirely. + # This pre-upgrade job executes any pending database schema updates and exits. The job executes before the rollout of new Gateways. + # Ensure the requirements are met before enabling. + # Requirement: The Gateway must be 11.2.2 or newer which supports applying db schema changes and exiting without starting Gateway. + # Warning, if this job fails, it may leave the DATABASECHANGELOGLOCK locked in which case + # the lock must be manually removed before a retry can be attempted. migrationJob: - enabled: false - # Mandatory: Provide the direct primary JDBC URL here - jdbcUrl: "" + enabled: true + # Provide the jdbcUrl to apply the database schema update. Recommended to specify the primary writer endpoint. + jdbcUrl: "jdbc:mysql://my-gateway-mysql:3306/ssg" hookWeight: "-5" - # Set to true to force release any stuck Liquibase locks before running the schema updates + # Set to true to force release of any stuck Liquibase db schema locks before running the schema updates. + # Warning: use with caution as another simultaneous db schema update may corrupt the db schema. clearStuckLocks: false ## If loading a TLS Key/Pair From 213200920105a4e49f83dcb07e8e10b36aa5101f Mon Sep 17 00:00:00 2001 From: jchanbcbc Date: Wed, 17 Jun 2026 23:51:47 -0700 Subject: [PATCH 10/20] Renamed to clearLocks. Add a timeout for db migration job. --- charts/gateway/production-values.yaml | 4 +++- charts/gateway/templates/gw-db-upgrade-job.yaml | 5 ++++- charts/gateway/values.yaml | 4 +++- 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/charts/gateway/production-values.yaml b/charts/gateway/production-values.yaml index e909d798..cc99be36 100644 --- a/charts/gateway/production-values.yaml +++ b/charts/gateway/production-values.yaml @@ -661,7 +661,9 @@ database: hookWeight: "-5" # Set to true to force release of any stuck Liquibase db schema locks before running the schema updates. # Warning: use with caution as another simultaneous db schema update may corrupt the db schema. - clearStuckLocks: false + clearLocks: false + # The maximum duration (in seconds) the job is allowed to run before being terminated. + activeDeadlineSeconds: 300 ## If loading a TLS Key/Pair # This key will become the default ssl key. Can only have one. diff --git a/charts/gateway/templates/gw-db-upgrade-job.yaml b/charts/gateway/templates/gw-db-upgrade-job.yaml index 1d286616..a6240880 100644 --- a/charts/gateway/templates/gw-db-upgrade-job.yaml +++ b/charts/gateway/templates/gw-db-upgrade-job.yaml @@ -29,6 +29,9 @@ spec: annotations: {{- toYaml .Values.database.migrationJob.podAnnotations | nindent 8 }} {{- end }} spec: + {{- if .Values.database.migrationJob.activeDeadlineSeconds }} + activeDeadlineSeconds: {{ .Values.database.migrationJob.activeDeadlineSeconds }} + {{- end }} serviceAccountName: {{ include "gateway.serviceAccountName" . }} {{- if .Values.podSecurityContext }} securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} @@ -53,7 +56,7 @@ spec: - name: SSG_DATABASE_JDBC_URL value: {{ required "A direct primary database JDBC URL (database.migrationJob.jdbcUrl) is REQUIRED when the migration job is enabled to bypass proxies." .Values.database.migrationJob.jdbcUrl | quote }} - name: EXTRA_JAVA_ARGS - {{- if .Values.database.migrationJob.clearStuckLocks }} + {{- if .Values.database.migrationJob.clearLocks }} value: "-Dgateway.db.schema-update.mode=liquibase-only-with-unlock" {{- else }} value: "-Dgateway.db.schema-update.mode=liquibase-only" diff --git a/charts/gateway/values.yaml b/charts/gateway/values.yaml index 415631a7..ce048e57 100644 --- a/charts/gateway/values.yaml +++ b/charts/gateway/values.yaml @@ -658,7 +658,9 @@ database: hookWeight: "-5" # Set to true to force release of any stuck Liquibase db schema locks before running the schema updates. # Warning: use with caution as another simultaneous db schema update may corrupt the db schema. - clearStuckLocks: false + clearLocks: false + # The maximum duration (in seconds) the job is allowed to run before being terminated. + activeDeadlineSeconds: 300 ## If loading a TLS Key/Pair # This key will become the default ssl key. Can only have one. From 28bd251a2279afa1137d5e3ad4f72e3dac7e61df Mon Sep 17 00:00:00 2001 From: jchanbcbc Date: Thu, 18 Jun 2026 13:55:30 -0700 Subject: [PATCH 11/20] Hide helm.sh/hook-weight from user. Make the database migration jdbcUrl optional and use main jdbcUrl by default. --- charts/gateway/production-values.yaml | 7 ++++--- charts/gateway/templates/gw-db-upgrade-job.yaml | 9 +++++++-- charts/gateway/values.yaml | 7 ++++--- 3 files changed, 15 insertions(+), 8 deletions(-) diff --git a/charts/gateway/production-values.yaml b/charts/gateway/production-values.yaml index cc99be36..48ecbdaa 100644 --- a/charts/gateway/production-values.yaml +++ b/charts/gateway/production-values.yaml @@ -656,9 +656,10 @@ database: # the lock must be manually removed before a retry can be attempted. migrationJob: enabled: true - # Provide the jdbcUrl to apply the database schema update. Recommended to specify the primary writer endpoint. - jdbcUrl: "jdbc:mysql://my-gateway-mysql:3306/ssg" - hookWeight: "-5" + # Optional: Override the JDBC URL used by the migration job. Recommended to specify the primary writer endpoint + # to avoid routing through a load balancer or proxy during schema updates. If not set, falls back to database.jdbcURL. + jdbcUrl: "" + # Set to true to force release of any stuck Liquibase db schema locks before running the schema updates. # Warning: use with caution as another simultaneous db schema update may corrupt the db schema. clearLocks: false diff --git a/charts/gateway/templates/gw-db-upgrade-job.yaml b/charts/gateway/templates/gw-db-upgrade-job.yaml index a6240880..a386e342 100644 --- a/charts/gateway/templates/gw-db-upgrade-job.yaml +++ b/charts/gateway/templates/gw-db-upgrade-job.yaml @@ -7,7 +7,7 @@ metadata: annotations: chartversion: {{ .Chart.AppVersion | quote }} "helm.sh/hook": pre-upgrade - "helm.sh/hook-weight": {{ .Values.database.migrationJob.hookWeight | quote }} + "helm.sh/hook-weight": "-5" {{- if .Values.database.migrationJob.annotations }} {{- range $key, $val := .Values.database.migrationJob.annotations }} {{ $key }}: "{{ $val }}" @@ -53,8 +53,13 @@ spec: - secretRef: name: {{ template "gateway.secretName" . }} env: + {{- if .Values.database.migrationJob.jdbcUrl }} - name: SSG_DATABASE_JDBC_URL - value: {{ required "A direct primary database JDBC URL (database.migrationJob.jdbcUrl) is REQUIRED when the migration job is enabled to bypass proxies." .Values.database.migrationJob.jdbcUrl | quote }} + value: {{ .Values.database.migrationJob.jdbcUrl | quote }} + {{- else if .Values.database.jdbcURL }} + - name: SSG_DATABASE_JDBC_URL + value: {{ .Values.database.jdbcURL | quote }} + {{- end }} - name: EXTRA_JAVA_ARGS {{- if .Values.database.migrationJob.clearLocks }} value: "-Dgateway.db.schema-update.mode=liquibase-only-with-unlock" diff --git a/charts/gateway/values.yaml b/charts/gateway/values.yaml index ce048e57..7c7af208 100644 --- a/charts/gateway/values.yaml +++ b/charts/gateway/values.yaml @@ -653,9 +653,10 @@ database: # the lock must be manually removed before a retry can be attempted. migrationJob: enabled: true - # Provide the jdbcUrl to apply the database schema update. Recommended to specify the primary writer endpoint. - jdbcUrl: "jdbc:mysql://my-gateway-mysql:3306/ssg" - hookWeight: "-5" + # Optional: Override the JDBC URL used by the migration job. Recommended to specify the primary writer endpoint + # to avoid routing through a load balancer or proxy during schema updates. If not set, falls back to database.jdbcURL. + jdbcUrl: "" + # Set to true to force release of any stuck Liquibase db schema locks before running the schema updates. # Warning: use with caution as another simultaneous db schema update may corrupt the db schema. clearLocks: false From 0ab35e33000f87c27c15da937a1a4f2355a03991 Mon Sep 17 00:00:00 2001 From: jchanbcbc Date: Thu, 18 Jun 2026 19:11:23 -0700 Subject: [PATCH 12/20] Updated README.md --- charts/gateway/README.md | 1462 +++++++++++++++++++++++--------------- 1 file changed, 877 insertions(+), 585 deletions(-) diff --git a/charts/gateway/README.md b/charts/gateway/README.md index 6d2afdd5..6bba300d 100644 --- a/charts/gateway/README.md +++ b/charts/gateway/README.md @@ -1,18 +1,22 @@ # Layer7 API Gateway + This Chart deploys the API Gateway v11.x onward with the following `optional` subchart: hazelcast. This Chart also includes basic MySQL and Redis statefulsets for trying out the Chart; these are example only and do not represent production ready configurations. ## Bitnami Public Catalog Removal + The Bitnami subCharts have now been fully removed from the Gateway Helm Chart. Please read the release notes for [Gateway v3.0.45](./release-notes.md#3039-bitnami-subchart-removal) for more details. ### Important Note + The included MySQL Statefulset is enabled by default to make trying this chart out easier. ***It is not supported or recommended for production.*** Layer7 assumes that you are deploying a Gateway solution to a Kubernetes environment with an external MySQL database. ## Release notes -- Current Chart Version 3.1.1 +- Current Chart Version 3.1.1 - Please review release notes [here](./release-notes.md) ## Prerequisites + - Kubernetes - [Refer to techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw-11-0/release-notes_cgw/requirements-and-compatibility.html#concept.dita_req_comp_refresh_gw10cr2_platforms) for the latest version support - Helm v3.x @@ -20,26 +24,34 @@ The included MySQL Statefulset is enabled by default to make trying this chart o - Gateway v10.x or v11.x License #### Note + It's important that your Kubernetes Client and Server versions are compatible. You can verify this by running the following + ``` kubectl version ``` + output + ``` Client Version: v1.29.1 Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3 Server Version: v1.27.6+b49f9d1 WARNING: version difference between client (1.29) and server (1.27) exceeds the supported minor version skew of +/-1 ``` + The above message indicates that the client version (kubectl) is greater than the server version by more than 1 minor version. This may cause unforseen errors when using Kubectl or Helm. Please also check your Helm version against [this](https://helm.sh/docs/topics/version_skew/#supported-version-skew) compatibility matrix + ``` helm version ``` + output + ``` version.BuildInfo{Version:"v3.13.3", GitCommit:"c8b948945e52abba22ff885446a1486cb5fd3474", GitTreeState:"clean", GoVersion:"go1.21.5"} @@ -48,75 +60,89 @@ Helm Version Supported Kubernetes Versions ``` ## Optional + - Persistent Volume Provisioner (if using PVC for the Demo MySQL or Redis Statefulset) ## Recommended + - [An Ingress Controller](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/) ### Production + - [Metrics Server](https://github.com/kubernetes-sigs/metrics-server) if you would like to enable autoscaling. #### MySQL/Database Backed Gateways + - [A dedicated external MySQL 8.0.22/8.0.26 server](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw-10-1/install-configure-upgrade/using-mysql-8-0-with-gateway-10.html) ### Advanced Configuration -* [Additional Guides](#additional-guides) -* [Thinking in Kubernetes](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw-10-1/learning-center/thinking-in-kubernetes.html) + +- [Additional Guides](#additional-guides) +- [Thinking in Kubernetes](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw-10-1/learning-center/thinking-in-kubernetes.html) #### Getting Started + ***If you are using a previous version of this Chart please read the updates section before you upgrade.*** -* [Install the Chart](#installing-the-chart) -* [Upgrade the Chart](#upgrading-the-chart) -* [Uninstall the Chart](#uninstalling-the-chart) -## Additional Guides -* [Configuration](#configuration) -* [Service Configuration](#port-configuration) -* [Gateway Application Ports](#gateway-application-ports) -* [OTK Install or Upgrade](#otk-install-or-upgrade) -* [OTK Compatibility with Gateway 11.2](#otk-compatibility-with-gateway-112) -* [Ingress Configuration](#ingress-configuration) -* [Kubernetes Gateway API Configuration](#kubernetes-gateway-api-configuration) -* [PM Tagger Configuration](#pm-tagger-configuration) -* [Shared State Preview Features](#shared-state-preview-features) -* [Redis Configuration](#redis-configuration) -* [Redis StatefulSet](#redis-statefulset-developmenttesting-only) -* [GemFire Configuration](#gemfire-configuration-1113) -* [Shared State Provider Configuration](#shared-state-provider-config) -* [OpenTelemetry Configuration](#opentelemetry-configuration) -* [Database Configuration](#database-configuration) -* [MySQL StatefulSet](#mysql-statefulset-developmenttesting-only) -* [Cluster-Wide Properties](#cluster-wide-properties) -* [Enable DualStack(IPv4/IPv6)](#enable-dualstack) -* [Java Args](#java-args) -* [System Properties](#system-properties) -* [Diskless Configuration](#diskless-configuration) -* [Gateway Bundles](#bundle-configuration) -* [Bootstrap Script](#bootstrap-script) -* [Custom Health Checks](#custom-health-checks) -* [Custom Configuration Files](#custom-configuration-files) -* [Logs & Audit Configuration](#logs--audit-configuration) -* [Graceful Termination](#graceful-termination) -* [Autoscaling](#autoscaling) -* [Pod Disruption Budgets](#pod-disruption-budgets) -* [RBAC Parameters](#rbac-parameters) -* [SubChart Configuration](#subchart-configuration) +- [Install the Chart](#installing-the-chart) +- [Upgrade the Chart](#upgrading-the-chart) +- [Uninstall the Chart](#uninstalling-the-chart) +## Additional Guides +- [Configuration](#configuration) +- [Service Configuration](#port-configuration) +- [Gateway Application Ports](#gateway-application-ports) +- [OTK Install or Upgrade](#otk-install-or-upgrade) +- [OTK Compatibility with Gateway 11.2](#otk-compatibility-with-gateway-112) +- [Ingress Configuration](#ingress-configuration) +- [Kubernetes Gateway API Configuration](#kubernetes-gateway-api-configuration) +- [PM Tagger Configuration](#pm-tagger-configuration) +- [Shared State Preview Features](#shared-state-preview-features) +- [Redis Configuration](#redis-configuration) +- [Redis StatefulSet](#redis-statefulset-developmenttesting-only) +- [GemFire Configuration](#gemfire-configuration-1113) +- [Shared State Provider Configuration](#shared-state-provider-config) +- [OpenTelemetry Configuration](#opentelemetry-configuration) +- [Database Configuration](#database-configuration) +- [Database Migration Job](#database-migration-job-pre-upgrade-schema-updates) +- [MySQL StatefulSet](#mysql-statefulset-developmenttesting-only) +- [Cluster-Wide Properties](#cluster-wide-properties) +- [Enable DualStack(IPv4/IPv6)](#enable-dualstack) +- [Java Args](#java-args) +- [System Properties](#system-properties) +- [Diskless Configuration](#diskless-configuration) +- [Gateway Bundles](#bundle-configuration) +- [Bootstrap Script](#bootstrap-script) +- [Custom Health Checks](#custom-health-checks) +- [Custom Configuration Files](#custom-configuration-files) +- [Logs & Audit Configuration](#logs--audit-configuration) +- [Graceful Termination](#graceful-termination) +- [Autoscaling](#autoscaling) +- [Pod Disruption Budgets](#pod-disruption-budgets) +- [RBAC Parameters](#rbac-parameters) +- [SubChart Configuration](#subchart-configuration) ## Installing the Chart + Check out [this guide](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw-10-1/learning-center/thinking-in-kubernetes/hands-on-gateway-deployment-in-kubernetes.html) for more in-depth instruction + ``` $ helm repo add layer7 https://caapim.github.io/apim-charts/ $ helm repo update $ helm install my-ssg --set-file "license.value=path/to/license.xml" --set "license.accept=true" layer7/gateway ``` + ## Upgrading the Chart + To upgrade your Gateway Release + ``` $ helm upgrade my-ssg --set-file "license.value=path/to/license.xml" --set "license.accept=true" layer7/gateway ``` + ## Uninstalling the Chart + To uninstall the Gateway Chart ``` @@ -124,12 +150,15 @@ $ helm uninstall -n ``` ## Custom values + To make sure that your custom values don't get overwritten by a pull, create your own values.yaml (myvalues.yaml..) then specify -f myvalues.yaml when deploying/upgrading ## Note on custom values + You only need to include the values you wish to change in your myvalues.yaml For example, you wish to deploy the Gateway Chart as is without a database. Your myvalues.yaml would then contain the following + ``` database: enabled: false @@ -137,160 +166,165 @@ database: ``` ## Configuration + The following table lists the configurable parameters of the Gateway chart and their default values. See values.yaml for additional parameters and info -| Parameter | Description | Default | -| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | -| `nameOverride` | Name override | `nil` | -| `fullnameOverride` | Full name override | `nil` | -| `global.schedulerName` | Override the default scheduler | `nil` | -| `license.value` | Gateway license file | `nil` | -| `license.accept` | Accept Gateway license EULA | `false` | -| `disklessConfig.enabled` | Enable diskless configuration | `true` | -| `disklessConfig.setSecretByInitContainer` | Fetch and mount node.properties secret by InitContainer | `false` | -| `disklessConfig.existingSecret` | existing node.properties secret mount configuration | `{}` | -| `disklessConfig.existingSecret.name` | existing secret containing node.properties | `gateway-secret` | -| `disklessConfig.existingSecret.csi` | csi configuration for the [secret store csi driver](https://secrets-store-csi-driver.sigs.k8s.io/) | `commented out` | -| `image.registry` | Image Registry | `docker.io` | -| `image.repository` | Image Repository | `caapim/gateway` | -| `image.tag` | Image tag | `11.0.00` | -| `image.pullPolicy` | Image Pull Policy | `IfNotPresent` | -| `imagePullSecret.enabled` | Configures Gateway Deployment to use imagePullSecret, you can also leave this disabled and associate an image pull secret with the Gateway's Service Account | `false` | -| `imagePullSecret.existingSecretName` | Point to an existing Image Pull Secret | `commented out` | -| `imagePullSecret.username` | Registry Username | `nil` | -| `imagePullSecret.password` | Registry Password | `nil` | -| `additionalAnnotations` | Additional Annotations apply to all deployed objects | `{}` | -| `additionalLabels` | Additional Labels apply to all deployed objects | `{}` | -| `podLabels` | Pod Labels for the Gateway Pod | `{}` | -| `podAnnotations` | Pod Annotations apply to the Gateway Pod | `{}` | -| `replicas` | Number of Gateway replicas | `1` | -| `updateStrategy.type` | Deployment Strategy | `RollingUpdate` | -| `updateStrategy.rollingUpdate.maxSurge` | Rolling Update Max Surge | `1` | -| `updateStrategy.rollingUpdate.maxUnavailable` | Rolling Update Max Unavailable | `0` | -| `clusterHostname` | Gateway Cluster Hostname | `my.localdomain` | -| `existingGatewaySecretName` | Existing Secret that contains management credentials, see values.yaml for what must be included | `commented out` | -| `clusterPassword` | Cluster Password, used if db backed | `mypassword` | -| `management.enabled` | Enable/Disable Policy Manager access | `true` | -| `management.restman.enabled` | Enable/Disable the Rest Management API (Restman) | `false` | -| `management.username` | Policy Manager Username | `admin` | -| `management.password` | Policy Manager Password | `mypassword` | -| `management.kubernetes.loadServiceAccountToken` | Automatically load the Gateway Deployment's ServiceAccount Token for querying the Kubernetes API | `false` | -| `management.service.ipFamilyPolicy` | [IPv4/IPv6 dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/) | `commented out` | -| `management.service.ipFamilies` | [IPv4/IPv6 dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/) | `nil` | -| `database.enabled` | Run in DB Backed or Ephemeral Mode | `true` | -| `database.create` | Deploy the MySQL stable deployment as part of this release | `true` | -| `database.username` | Database Username | `gateway` | -| `database.password` | Database Password | `mypassword` | -| `database.liquibaseLogLevel` | Liquibase log level | `off` | -| `database.name` | Database name | `ssg` | -| `tls.useSignedCertificates` | Enable/Disable use of your own TLS Certificate, this ovverides the Gateway's defaultSSLKey | `false` | -| `tls.existingSecretName` | Existing Secret that contains TLS p12 container and pass, see values.yaml for what must be included | `commented out` | -| `tls.key` | p12 container - this can be set with --set-file tls.key=/path/to/tls.p12 | `nil` | -| `tls.pass` | p12 container password - this cannot be empty | `nil` | -| `config.heapSize` | Java Heap Size | `2g` | -| `config.minHeapSize` | Java Min Heap Size | `1g` | -| `config.maxHeapSize` | Java Max Heap Size | `3g` | -| `config.javaArgs` | Additional Java Args to pass to the SSG process | `see values.yaml` | -| `config.log.override` | Override the standard log configuration | `true` | -| `config.log.properties` | Custom logging properties | `see values.yaml` | -| `config.cwp.enabled` | Enable/Disable settable cluster-wide properties | `false` | -| `config.cwp.properties` | Set name/value pairs of cluster-wide properties | `see values.yaml` | -| `config.sytemProperties` | Configure the Gateway's system.properties file | `see values.yaml` | -| `additionalEnv` | Additional environment variables you wish to pass to the Gateway Configmap | `see values.yaml` | -| `additionalSecret` | Additional secret variables you wish to pass to the Gateway Secret | `see values.yaml` | -| `bundle.enabled` | Creates a configmap with bundles from the ./bundles folder | `false` | -| `bundle.path` | Specify the path to the bundle files. The bundles folder in this repo has some example bundle files | `"bundles/*.bundle"` | -| `existingBundle.enabled` | Enable mounting existing configMaps/Secrets that contain Layer7 Gateway Bundles - see values.yaml for more info | `false` | -| `existingBundle.configMaps` | Array of configMaps that will be mounted to the Gateway's bootstrap folder | `see values.yaml` | -| `existingBundle.secrets` | Array of Secrets that will be mounted to the Gateway's bootstrap folder | `see values.yaml` | -| `customHosts.enabled` | Enable customHosts on the Gateway, this overrides /etc/hosts. | `see values.yaml` | -| `customHosts.hostAliases` | Array of hostAliases to add to the Container Gateway | `see values.yaml` | -| `service.type` | Service Type | `LoadBalancer` | -| `service.ipFamilyPolicy` | [IPv4/IPv6 dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/) | `commented out` | -| `service.ipFamilies` | [IPv4/IPv6 dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/) | `nil` | -| `service.loadbalancer` | Additional Loadbalancer Configuration | `see https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service` | -| `service.ports` | List of http external port mappings | https: 8443 -> 8443, management: 9443->9443 | -| `service.annotations` | Additional annotations to add to the service | {} | -| `service.internalTrafficPolicy` | [Internal Traffic Policy](https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/#using-service-internal-traffic-policy) | `Cluster` | -| `service.externalTrafficPolicy` | [External Traffic Policy](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip) | `Cluster` | -| `ingress.enabled` | Enable/Disable an ingress or route record being created | `false` | -| `ingress.openshift.route.enabled` | Create an Openshift Route (Requires Openshift) | `false` | -| `ingress.openshift.route.wildcardPolicy` | Openshift Route Wildcard Policy | `None` | -| `ingress.openshift.route.weight` | Openshift Route Weight (0-255) | `commented` | -| `ingress.annotations` | ingress annotations | `{}` | -| `ingress.labels` | additional ingress labels | `{}` | -| `ingress.ingressClassName` | Ingress Class Name | `nginx` | -| `ingress.tls` | Ingress TLS Configuration | `see values.yaml` | -| `ingress.rules` | Ingress Rules Configuration | `see values.yaml` | -| `ingress.rules[].annotations` | Per-rule annotations (OpenShift Routes only). Merged with `ingress.annotations` | `not set` | -| `kubernetesGateway.enabled` | Enable Kubernetes Gateway API resources (EXPERIMENTAL) | `false` | -| `kubernetesGateway.gateway.create` | Create a new Gateway resource | `false` | -| `kubernetesGateway.gateway.gatewayClassName` | GatewayClass name (e.g. contour, eg). Required when create: true | `""` | -| `kubernetesGateway.gateway.addresses` | Optional addresses for the Gateway (e.g. static IPs). Array of `{type, value}` | `[]` | -| `kubernetesGateway.gateway.existingRef.name` | Name of an existing Gateway to reference | `""` | -| `kubernetesGateway.gateway.existingRef.namespace` | Namespace of the existing Gateway | `""` | -| `kubernetesGateway.gateway.tls.existingSecretName` | Reference an existing kubernetes.io/tls Secret for the listener. When set, no secret is created | `""` | -| `kubernetesGateway.gateway.labels` | Additional labels for the Gateway resource | `{}` | -| `kubernetesGateway.gateway.annotations` | Additional annotations for the Gateway resource | `{}` | -| `kubernetesGateway.httpRoute.enabled` | Enable HTTPRoute resource | `true` | -| `kubernetesGateway.httpRoute.rules` | HTTPRoute rules. Each rule routes to the chart's own service | `see values.yaml` | -| `kubernetesGateway.httpRoute.labels` | Additional labels for the HTTPRoute | `{}` | -| `kubernetesGateway.httpRoute.annotations` | Additional annotations for the HTTPRoute | `{}` | -| `kubernetesGateway.tlsRoute.enabled` | Enable TLSRoute resource (SNI passthrough) | `false` | -| `kubernetesGateway.tlsRoute.apiVersion` | TLSRoute API version. Set to `gateway.networking.k8s.io/v1` when your CRDs include TLSRoute at v1 | `gateway.networking.k8s.io/v1alpha2` | -| `kubernetesGateway.tlsRoute.rules` | TLSRoute rules. Each rule routes to the chart's own service | `see values.yaml` | -| `kubernetesGateway.tlsRoute.labels` | Additional labels for the TLSRoute | `{}` | -| `kubernetesGateway.tlsRoute.annotations` | Additional annotations for the TLSRoute | `{}` | -| `kubernetesGateway.backendTLSPolicy.enabled` | Enable BackendTLSPolicy for Gateway-to-backend TLS | `false` | -| `kubernetesGateway.backendTLSPolicy.excludePorts` | Ports to exclude from targetRefs. When empty, the policy covers all ports (no `sectionName`). When set, each non-excluded port gets an explicit targetRef with `sectionName` | `[]` | -| `kubernetesGateway.backendTLSPolicy.validation.hostname` | Hostname for backend TLS validation. If empty, defaults to `..svc.cluster.local` | `""` | -| `kubernetesGateway.backendTLSPolicy.validation.caCertificateRefs` | CA certificate references. If empty, defaults to the auto-generated CA ConfigMap | `[]` | -| `kubernetesGateway.backendTLSPolicy.validation.wellKnownCACertificates` | Use well-known CA certs (e.g. `System`). Mutually exclusive with `caCertificateRefs` | `""` | -| `kubernetesGateway.backendTLSPolicy.tls.existingSecretName` | Reference an existing kubernetes.io/tls Secret for the backend cert. When set, no secret is created | `""` | -| `kubernetesGateway.backendTLSPolicy.tls.bootstrap` | Enable SSL key bootstrap into the pod. Set `false` when you only need the BackendTLSPolicy resource | `true` | -| `kubernetesGateway.backendTLSPolicy.tls.forceBootstrap` | Force the bootstrap script on every install/upgrade (db-backed gateways skip on upgrade by default) | `false` | -| `kubernetesGateway.backendTLSPolicy.labels` | Additional labels for the BackendTLSPolicy | `{}` | -| `kubernetesGateway.backendTLSPolicy.annotations` | Additional annotations for the BackendTLSPolicy | `{}` | -| `kubernetesGateway.labels` | Labels applied to all Gateway API resources | `{}` | -| `kubernetesGateway.annotations` | Annotations applied to all Gateway API resources | `{}` | -| `startupProbe.enabled` | Enable/Disable | `false` | -| `startupProbe.initialDelaySeconds` | Initial delay | `60` | -| `startupProbe.timeoutSeconds` | Timeout | `1` | -| `startupProbe.periodSeconds` | Frequency | `10` | -| `startupProbe.successThreshold` | Success Threshold | `1` | -| `startupProbe.failureThreshold` | Failure Threshold | `10` | -| `livenessProbe.enabled` | Enable/Disable | `true` | -| `livenessProbe.initialDelaySeconds` | Initial delay | `60` | -| `livenessProbe.timeoutSeconds` | Timeout | `1` | -| `livenessProbe.periodSeconds` | Frequency | `10` | -| `livenessProbe.successThreshold` | Success Threshold | `1` | -| `livenessProbe.failureThreshold` | Failure Threshold | `10` | -| `readinessProbe.enabled` | Enable/Disable | `true` | -| `readinessProbe.initialDelaySeconds` | Initial delay | `60` | -| `readinessProbe.timeoutSeconds` | Timeout | `1` | -| `readinessProbe.periodSeconds` | Frequency | `10` | -| `readinessProbe.successThreshold` | Success Threshold | `1` | -| `readinessProbe.failureThreshold` | Failure Threshold | `10` | -| `resources.limits` | Resource Limits | `{}` | -| `resources.requests` | Resource Requests | `{}` | -| `nodeSelector` | [Node Selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) | `{}` | -| `affinity` | [Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) | `{}` | -| `topologySpreadConstraints` | [Topology Spread Constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/#spread-constraints-for-pods) | `[]` | -| `tolerations` | [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) | `[]` | -| `podSecurityContext` | [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | `[]` | -| `containerSecurityContext` | [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | `{}` | -| `bootstrap.script.enabled` | Enable the bootstrap script | `false` | + +| Parameter | Description | Default | +| ----------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- | +| `nameOverride` | Name override | `nil` | +| `fullnameOverride` | Full name override | `nil` | +| `global.schedulerName` | Override the default scheduler | `nil` | +| `license.value` | Gateway license file | `nil` | +| `license.accept` | Accept Gateway license EULA | `false` | +| `disklessConfig.enabled` | Enable diskless configuration | `true` | +| `disklessConfig.setSecretByInitContainer` | Fetch and mount node.properties secret by InitContainer | `false` | +| `disklessConfig.existingSecret` | existing node.properties secret mount configuration | `{}` | +| `disklessConfig.existingSecret.name` | existing secret containing node.properties | `gateway-secret` | +| `disklessConfig.existingSecret.csi` | csi configuration for the [secret store csi driver](https://secrets-store-csi-driver.sigs.k8s.io/) | `commented out` | +| `image.registry` | Image Registry | `docker.io` | +| `image.repository` | Image Repository | `caapim/gateway` | +| `image.tag` | Image tag | `11.0.00` | +| `image.pullPolicy` | Image Pull Policy | `IfNotPresent` | +| `imagePullSecret.enabled` | Configures Gateway Deployment to use imagePullSecret, you can also leave this disabled and associate an image pull secret with the Gateway's Service Account | `false` | +| `imagePullSecret.existingSecretName` | Point to an existing Image Pull Secret | `commented out` | +| `imagePullSecret.username` | Registry Username | `nil` | +| `imagePullSecret.password` | Registry Password | `nil` | +| `additionalAnnotations` | Additional Annotations apply to all deployed objects | `{}` | +| `additionalLabels` | Additional Labels apply to all deployed objects | `{}` | +| `podLabels` | Pod Labels for the Gateway Pod | `{}` | +| `podAnnotations` | Pod Annotations apply to the Gateway Pod | `{}` | +| `replicas` | Number of Gateway replicas | `1` | +| `updateStrategy.type` | Deployment Strategy | `RollingUpdate` | +| `updateStrategy.rollingUpdate.maxSurge` | Rolling Update Max Surge | `1` | +| `updateStrategy.rollingUpdate.maxUnavailable` | Rolling Update Max Unavailable | `0` | +| `clusterHostname` | Gateway Cluster Hostname | `my.localdomain` | +| `existingGatewaySecretName` | Existing Secret that contains management credentials, see values.yaml for what must be included | `commented out` | +| `clusterPassword` | Cluster Password, used if db backed | `mypassword` | +| `management.enabled` | Enable/Disable Policy Manager access | `true` | +| `management.restman.enabled` | Enable/Disable the Rest Management API (Restman) | `false` | +| `management.username` | Policy Manager Username | `admin` | +| `management.password` | Policy Manager Password | `mypassword` | +| `management.kubernetes.loadServiceAccountToken` | Automatically load the Gateway Deployment's ServiceAccount Token for querying the Kubernetes API | `false` | +| `management.service.ipFamilyPolicy` | [IPv4/IPv6 dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/) | `commented out` | +| `management.service.ipFamilies` | [IPv4/IPv6 dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/) | `nil` | +| `database.enabled` | Run in DB Backed or Ephemeral Mode | `true` | +| `database.create` | Deploy the MySQL stable deployment as part of this release | `true` | +| `database.username` | Database Username | `gateway` | +| `database.password` | Database Password | `mypassword` | +| `database.liquibaseLogLevel` | Liquibase log level | `off` | +| `database.name` | Database name | `ssg` | +| `tls.useSignedCertificates` | Enable/Disable use of your own TLS Certificate, this ovverides the Gateway's defaultSSLKey | `false` | +| `tls.existingSecretName` | Existing Secret that contains TLS p12 container and pass, see values.yaml for what must be included | `commented out` | +| `tls.key` | p12 container - this can be set with --set-file tls.key=/path/to/tls.p12 | `nil` | +| `tls.pass` | p12 container password - this cannot be empty | `nil` | +| `config.heapSize` | Java Heap Size | `2g` | +| `config.minHeapSize` | Java Min Heap Size | `1g` | +| `config.maxHeapSize` | Java Max Heap Size | `3g` | +| `config.javaArgs` | Additional Java Args to pass to the SSG process | `see values.yaml` | +| `config.log.override` | Override the standard log configuration | `true` | +| `config.log.properties` | Custom logging properties | `see values.yaml` | +| `config.cwp.enabled` | Enable/Disable settable cluster-wide properties | `false` | +| `config.cwp.properties` | Set name/value pairs of cluster-wide properties | `see values.yaml` | +| `config.sytemProperties` | Configure the Gateway's system.properties file | `see values.yaml` | +| `additionalEnv` | Additional environment variables you wish to pass to the Gateway Configmap | `see values.yaml` | +| `additionalSecret` | Additional secret variables you wish to pass to the Gateway Secret | `see values.yaml` | +| `bundle.enabled` | Creates a configmap with bundles from the ./bundles folder | `false` | +| `bundle.path` | Specify the path to the bundle files. The bundles folder in this repo has some example bundle files | `"bundles/*.bundle"` | +| `existingBundle.enabled` | Enable mounting existing configMaps/Secrets that contain Layer7 Gateway Bundles - see values.yaml for more info | `false` | +| `existingBundle.configMaps` | Array of configMaps that will be mounted to the Gateway's bootstrap folder | `see values.yaml` | +| `existingBundle.secrets` | Array of Secrets that will be mounted to the Gateway's bootstrap folder | `see values.yaml` | +| `customHosts.enabled` | Enable customHosts on the Gateway, this overrides /etc/hosts. | `see values.yaml` | +| `customHosts.hostAliases` | Array of hostAliases to add to the Container Gateway | `see values.yaml` | +| `service.type` | Service Type | `LoadBalancer` | +| `service.ipFamilyPolicy` | [IPv4/IPv6 dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/) | `commented out` | +| `service.ipFamilies` | [IPv4/IPv6 dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/) | `nil` | +| `service.loadbalancer` | Additional Loadbalancer Configuration | `see https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service` | +| `service.ports` | List of http external port mappings | https: 8443 -> 8443, management: 9443->9443 | +| `service.annotations` | Additional annotations to add to the service | {} | +| `service.internalTrafficPolicy` | [Internal Traffic Policy](https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/#using-service-internal-traffic-policy) | `Cluster` | +| `service.externalTrafficPolicy` | [External Traffic Policy](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip) | `Cluster` | +| `ingress.enabled` | Enable/Disable an ingress or route record being created | `false` | +| `ingress.openshift.route.enabled` | Create an Openshift Route (Requires Openshift) | `false` | +| `ingress.openshift.route.wildcardPolicy` | Openshift Route Wildcard Policy | `None` | +| `ingress.openshift.route.weight` | Openshift Route Weight (0-255) | `commented` | +| `ingress.annotations` | ingress annotations | `{}` | +| `ingress.labels` | additional ingress labels | `{}` | +| `ingress.ingressClassName` | Ingress Class Name | `nginx` | +| `ingress.tls` | Ingress TLS Configuration | `see values.yaml` | +| `ingress.rules` | Ingress Rules Configuration | `see values.yaml` | +| `ingress.rules[].annotations` | Per-rule annotations (OpenShift Routes only). Merged with `ingress.annotations` | `not set` | +| `kubernetesGateway.enabled` | Enable Kubernetes Gateway API resources (EXPERIMENTAL) | `false` | +| `kubernetesGateway.gateway.create` | Create a new Gateway resource | `false` | +| `kubernetesGateway.gateway.gatewayClassName` | GatewayClass name (e.g. contour, eg). Required when create: true | `""` | +| `kubernetesGateway.gateway.addresses` | Optional addresses for the Gateway (e.g. static IPs). Array of `{type, value}` | `[]` | +| `kubernetesGateway.gateway.existingRef.name` | Name of an existing Gateway to reference | `""` | +| `kubernetesGateway.gateway.existingRef.namespace` | Namespace of the existing Gateway | `""` | +| `kubernetesGateway.gateway.tls.existingSecretName` | Reference an existing kubernetes.io/tls Secret for the listener. When set, no secret is created | `""` | +| `kubernetesGateway.gateway.labels` | Additional labels for the Gateway resource | `{}` | +| `kubernetesGateway.gateway.annotations` | Additional annotations for the Gateway resource | `{}` | +| `kubernetesGateway.httpRoute.enabled` | Enable HTTPRoute resource | `true` | +| `kubernetesGateway.httpRoute.rules` | HTTPRoute rules. Each rule routes to the chart's own service | `see values.yaml` | +| `kubernetesGateway.httpRoute.labels` | Additional labels for the HTTPRoute | `{}` | +| `kubernetesGateway.httpRoute.annotations` | Additional annotations for the HTTPRoute | `{}` | +| `kubernetesGateway.tlsRoute.enabled` | Enable TLSRoute resource (SNI passthrough) | `false` | +| `kubernetesGateway.tlsRoute.apiVersion` | TLSRoute API version. Set to `gateway.networking.k8s.io/v1` when your CRDs include TLSRoute at v1 | `gateway.networking.k8s.io/v1alpha2` | +| `kubernetesGateway.tlsRoute.rules` | TLSRoute rules. Each rule routes to the chart's own service | `see values.yaml` | +| `kubernetesGateway.tlsRoute.labels` | Additional labels for the TLSRoute | `{}` | +| `kubernetesGateway.tlsRoute.annotations` | Additional annotations for the TLSRoute | `{}` | +| `kubernetesGateway.backendTLSPolicy.enabled` | Enable BackendTLSPolicy for Gateway-to-backend TLS | `false` | +| `kubernetesGateway.backendTLSPolicy.excludePorts` | Ports to exclude from targetRefs. When empty, the policy covers all ports (no `sectionName`). When set, each non-excluded port gets an explicit targetRef with `sectionName` | `[]` | +| `kubernetesGateway.backendTLSPolicy.validation.hostname` | Hostname for backend TLS validation. If empty, defaults to `..svc.cluster.local` | `""` | +| `kubernetesGateway.backendTLSPolicy.validation.caCertificateRefs` | CA certificate references. If empty, defaults to the auto-generated CA ConfigMap | `[]` | +| `kubernetesGateway.backendTLSPolicy.validation.wellKnownCACertificates` | Use well-known CA certs (e.g. `System`). Mutually exclusive with `caCertificateRefs` | `""` | +| `kubernetesGateway.backendTLSPolicy.tls.existingSecretName` | Reference an existing kubernetes.io/tls Secret for the backend cert. When set, no secret is created | `""` | +| `kubernetesGateway.backendTLSPolicy.tls.bootstrap` | Enable SSL key bootstrap into the pod. Set `false` when you only need the BackendTLSPolicy resource | `true` | +| `kubernetesGateway.backendTLSPolicy.tls.forceBootstrap` | Force the bootstrap script on every install/upgrade (db-backed gateways skip on upgrade by default) | `false` | +| `kubernetesGateway.backendTLSPolicy.labels` | Additional labels for the BackendTLSPolicy | `{}` | +| `kubernetesGateway.backendTLSPolicy.annotations` | Additional annotations for the BackendTLSPolicy | `{}` | +| `kubernetesGateway.labels` | Labels applied to all Gateway API resources | `{}` | +| `kubernetesGateway.annotations` | Annotations applied to all Gateway API resources | `{}` | +| `startupProbe.enabled` | Enable/Disable | `false` | +| `startupProbe.initialDelaySeconds` | Initial delay | `60` | +| `startupProbe.timeoutSeconds` | Timeout | `1` | +| `startupProbe.periodSeconds` | Frequency | `10` | +| `startupProbe.successThreshold` | Success Threshold | `1` | +| `startupProbe.failureThreshold` | Failure Threshold | `10` | +| `livenessProbe.enabled` | Enable/Disable | `true` | +| `livenessProbe.initialDelaySeconds` | Initial delay | `60` | +| `livenessProbe.timeoutSeconds` | Timeout | `1` | +| `livenessProbe.periodSeconds` | Frequency | `10` | +| `livenessProbe.successThreshold` | Success Threshold | `1` | +| `livenessProbe.failureThreshold` | Failure Threshold | `10` | +| `readinessProbe.enabled` | Enable/Disable | `true` | +| `readinessProbe.initialDelaySeconds` | Initial delay | `60` | +| `readinessProbe.timeoutSeconds` | Timeout | `1` | +| `readinessProbe.periodSeconds` | Frequency | `10` | +| `readinessProbe.successThreshold` | Success Threshold | `1` | +| `readinessProbe.failureThreshold` | Failure Threshold | `10` | +| `resources.limits` | Resource Limits | `{}` | +| `resources.requests` | Resource Requests | `{}` | +| `nodeSelector` | [Node Selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) | `{}` | +| `affinity` | [Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) | `{}` | +| `topologySpreadConstraints` | [Topology Spread Constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/#spread-constraints-for-pods) | `[]` | +| `tolerations` | [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) | `[]` | +| `podSecurityContext` | [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | `[]` | +| `containerSecurityContext` | [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | `{}` | +| `bootstrap.script.enabled` | Enable the bootstrap script | `false` | [Back to Additional Guides](#additional-guides) ## Port Configuration + There are two types of port configuration available in the Gateway Helm Chart that are configured in the following ways ### Container/Service Level Ports ### Default Gateway Service + Sample entry that exposes 8443 which is one of the default TLS port on the API Gateway using service type LoadBalancer. + ``` service: type: LoadBalancer @@ -303,6 +337,7 @@ service: ``` ### Production Values Default + Sample entry that exposes 8443 which is one of the default TLS ports on the API Gateway Note that the service type is ClusterIP which does not receive an external IP address. We can make this service accessible by configuring an [ingress resource](#ingress-configuration). @@ -316,7 +351,9 @@ service: external: 8443 protocol: TCP ``` + ### Gateway Management Service + The Gateway Management Service is primarily used to expose Gateway Ports that you wish to use for Internal Management Access for tools like Policy Manager. This Service requires the [PM Tagger](#pm-tagger) to function correctly. ``` @@ -338,20 +375,23 @@ management: [Back to Additional Guides](#additional-guides) ### OTK Compatibility with Gateway 11.2 + These below information is relevant for those who are upgrading their Gateway to version 11.2 and utilizing the OAuth Toolkit (OTK) + 1. **OTK 4.6.4 & OTK 4.7.0 ** are presently the only versions that provides seamless support for Gateway versions 11.2 & greater 2. Upgrading to 4.6.4 & 4.7.0 should be tested & validated in a lower environment prior to production rollout 3. For older versions (< OTK 4.6.4), the below steps have to be followed to ensure smooth transition to Gateway 11.2 - * After upgrading Gateway to 11.2 If there is a necessity to install or upgrade to OTK version 4.6.3, 4.6.2, 4.6.1, or 4.6.0, please ensure to update the OTK image tag to use one of the below tags corresponding to the specific version being deployed: - * 4.6.0.1 - * 4.6.1.1 - * 4.6.2.1 - * 4.6.3.1 - * It has to be ensured that Evaluate JSON Path Assertion (V1) assertion is added to the GW. - * This will be provided as Tactical assertion. Please find more information on how to get the assertion [here](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-6/release-notes.html) - * In Helm chart, this can be done using init Containers. For more information & examples refer to [Utilities](https://github.com/Layer7-Community/Utilities/tree/main/gateway-init-container-examples) + - After upgrading Gateway to 11.2 If there is a necessity to install or upgrade to OTK version 4.6.3, 4.6.2, 4.6.1, or 4.6.0, please ensure to update the OTK image tag to use one of the below tags corresponding to the specific version being deployed: + - 4.6.0.1 + - 4.6.1.1 + - 4.6.2.1 + - 4.6.3.1 + - It has to be ensured that Evaluate JSON Path Assertion (V1) assertion is added to the GW. + - This will be provided as Tactical assertion. Please find more information on how to get the assertion [here](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-6/release-notes.html) + - In Helm chart, this can be done using init Containers. For more information & examples refer to [Utilities](https://github.com/Layer7-Community/Utilities/tree/main/gateway-init-container-examples) ### OTK install or upgrade + OTK can be install or upgrade gateway. Supports SINGLE, INTERNAL and DMZ types of OTK installations on db backed gateway. On ephermal gateway only SINGLE mode is supported. - On a database backed gateway, once gateway is healthy, k8s kind/job is used to install OTK using Restman ([OTK Headless installation](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-6/installation-workflow/install-the-oauth-solution-kit/headless-installation-of-otk-solution-kit.html)) @@ -359,16 +399,21 @@ OTK can be install or upgrade gateway. Supports SINGLE, INTERNAL and DMZ types - On a Ephemeral or database backed gateway, before the start of gateway, k8s job to used to install/update the OTK database (Cassandra database is not supported and should be upgraded [manually](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-6/installation-workflow/create-or-upgrade-the-otk-database.html)) ***NOTE:*** + 1. When installing or Upgrading Gateway with OTK enabled, add timeout with the helm command to ensure OTK install job waits for Gateway to be ready + ``` Example: The timeout of 900s is recommended for helm upgrade since it takes additional time to complete helm install otk layer7/gateway --set-file "license.value=path/license.xml" \ --set "license.accept=true,management.restman.enabled=true,otk.enabled=true" --timeout 900s ``` -2. In dual gateway installation, restart the pods after OTK install or upgrade is required. + +1. In dual gateway installation, restart the pods after OTK install or upgrade is required. Prerequisites: -* Configure cluster wide property for otk.port pointing to gateway ingress port and OTK database type. + +- Configure cluster wide property for otk.port pointing to gateway ingress port and OTK database type. + ``` config: cwp: @@ -379,8 +424,10 @@ config: - name: otk.dbsystem value: mysql ``` -* Restman is enabled. Can be disabled once the install/upgrage is complete. - * This is not applicable for ephemeral GW + +- Restman is enabled. Can be disabled once the install/upgrage is complete. + - This is not applicable for ephemeral GW + ``` management: restman: @@ -388,125 +435,131 @@ management: ``` Limitations: -* OTK Instance modifiers are not supported. -* Install/Upgrade of OTK schema on cassandra database using kubernetes job is not supported. -* The Cassandra install scripts have to executed manually for new install scenario -* The Cassandra upgrade & data migration scripts(if any) have to be executed manually for upgrade scenario -* Dual gateway OTK set-up (otk.type: DMZ or INTERNAL) is not supported with ephemeral gateway. -* OTK upgrade to 4.6.3 will not upgrade the DB with utf8mb4 character set. This has to be done seperately following the steps provided in upgrade section in [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-6/installation-workflow/create-or-upgrade-the-otk-database/mysql-database.html) + +- OTK Instance modifiers are not supported. +- Install/Upgrade of OTK schema on cassandra database using kubernetes job is not supported. +- The Cassandra install scripts have to executed manually for new install scenario +- The Cassandra upgrade & data migration scripts(if any) have to be executed manually for upgrade scenario +- Dual gateway OTK set-up (otk.type: DMZ or INTERNAL) is not supported with ephemeral gateway. +- OTK upgrade to 4.6.3 will not upgrade the DB with utf8mb4 character set. This has to be done seperately following the steps provided in upgrade section in [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-6/installation-workflow/create-or-upgrade-the-otk-database/mysql-database.html) OTK Deployment examples can be found [here](/examples/otk) -| Parameter | Description | Default | -| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | -| `otk.enabled` | Enable/Disable OTK installation or upgrade | `false` | -| `otk.type` | OTK installation type - SINGLE, DMZ or INTERNAL | `SINGLE` -| `otk.forceInstallOrUpgrade` | Force install or upgrade by uninstalling existing otk soluction kit and install. | false -| `otk.enablePortalIntegration` | Not applicable for DMZ and INTERNAL OTK types | `false` -| `otk.skipPostInstallationTasks` | Skip post installation tasks for OTK type INTERNAL and DMZ
Internal Gateway:
- #OTK Client Context Variables
- #OTK id_token configuration
DMZ Gateway:
- #OTK OVP Configuration
- #OTK Storage Configuration | `false` -| `otk.skipInternalServerTools` | Skip installation of the optional sub soluction Kit: Internal, Server Tools.
The Oauth Manager & Oauth Test Client will not be installed | `false` -| `otk.internalGatewayHost` | Internal gateway host for OTK type DMZ| -| `otk.internalGatewayPort` | Internal gateway post for OTK type DMZ| -| `otk.dmzGatewayHost` | DMZ gateway host for OTK type INTERNAL| -| `otk.networkMask` | Network mask used in the 'Restrict Access to IP Address Range Assertion' to protect the schedule jobs and health checks.| `16` | -| `otk.startIP` | Start IP used in the 'Restrict Access to IP Address Range Assertion' to protect the schedule jobs and health checks.| `240.224.2.1` | -| `otk.cert.dmzGatewayCert` | DMZ gateway certificate (encoded) for OTK type DMZ | -| `otk.cert.internalGatewayIssuer` | DMZ gateway certificate issuer for OTK type DMZ | -| `otk.cert.dmzGatewaySerial` | DMZ gateway certificate serial for OTK type DMZ | -| `otk.cert.dmzGatewaySubject` | DMZ gateway certificate subject for OTK type DMZ | -| `otk.cert.internalGatewayCert` | INTERNAL gateway certificate (encoded) for OTK type INTERNAL | -| `otk.cert.internalGatewayIssuer` | INTERNAL gateway certificate issuer for OTK type INTERNAL | -| `otk.cert.internalGatewaySerial` | INTERNAL gateway certificate serial for OTK type INTERNAL | -| `otk.cert.internalGatewaySubject` | INTERNAL gateway certificate subject for OTK type INTERNAL | -| `otk.customizations.existingBundle.enabled` | Enable mounting existing configMaps/Secrets that contain OTK Bundles - see values.yaml for more info | `false` | -| `otk.dmzGatewayPort` | DMZ gateway port for OTK type INTERNAL| -| `otk.subSolutionKitNames` | List of comma seperated sub soluction Kits to install or upgrade. | -| `otk.job.image.repository` | Image Repositor | `caapim/otk-install` -| `otk.job.image.tag` | Image Tag. (OTK version) | `4.6` -| `otk.job.image.pullPolicy` | Image Pull Policy | `IfNotPresent` -| `otk.job.image.labels` | Job lables | {} -| `otk.job.image.nodeSelector` | Job Node selector | {} -| `otk.job.image.tolerations` | Job tolerations | [] -| `otk.job.podLabels` | OTK Job podLabels | {} -| `otk.job.podAnnotations` | OTK Job podAnnotations | {} -| `otk.job.resources` | OTK Job resources | {} -| `otk.job.scheduledTasksSuccessfulJobsHistoryLimit`| OTK db maintenance scheduled job success history limit | `1` | -| `otk.job.scheduledTasksFailedJobsHistoryLimit`| OTK db maintenance scheduled job failed history limit | `1` | -| `otk.bootstrapDir`| The location of OTK artifacts in the image | `/opt/SecureSpan/Gateway/node/default/etc/bootstrap/bundle/000OTK` | -| `otk.database.type` | OTK database type - mysql/oracle/cassandra | `mysql` -| `otk.database.waitTimeout` | OTK database connection wait timeout in seconds | `60`| -| `otk.database.dbUpgrade` | Enable/Disable OTK DB Upgrade| `true` | -| `otk.database.useDemoDb` | Enable/Disable OTK Demo DB | `true` | -| `otk.database.sql.createTestClients` | Enable/Disable creation of demo test clients | `false` | -| `otk.database.sql.testClientsRedirectUrlPrefix` | The value of redirect_uri prefix (Example: https://test.com:8443) Required if createTestClients is `true` | | -| `otk.database.changeLogSync` | Applicable for OTK versions 4.6.3 & older only. If using existing non liquibase OTK DB then perform manual OTK DB upgrade and set 'changeLogSync' to true.
This is a onetime activity to initialize liquibase related tables on OTK DB. Set to false for successive helm upgrade. | `false`| -| `otk.database.updateConnection` | Update database connection properties during helm upgrade | `true`| -| `otk.database.connectionName` | OTK database connection name | `OAuth` -| `otk.database.existingSecretName` | Point to an existing OTK database Secret | -| `otk.database.username` | OTK database user name | -| `otk.database.password` | OTK database password | -| `otk.database.properties` | OTK database additional properties | `{}` -| `otk.database.sql.ddlUsername` | OTK database user name used for OTK DB creation | -| `otk.database.sql.ddlPassword` | OTK database password used for OTK DB creation | -| `otk.database.sql.type` | OTK database type (mysql/oracle/cassandra) | `mysql` -| `otk.database.sql.jdbcURL` | OTK database sql jdbc URL (oracle/mysql) | -| `otk.database.sql.jdbcDriverClass`| OTK database sql driver class name (oracle/mysql) | -| `otk.database.sql.databaseName` | OTK database Oracle database name or Demo db name | -| `otk.database.sql.connectionProperties`| OTK database mysql connection properties (oracle/mysql) | `{}` -| `otk.database.readOnlyConnection.enabled` | Enable/Disable OTK read only database connection | `false` | -| `otk.database.readOnlyConnection.connectionName` | OTK read only database connection name | `OAuth_ReadOnly` | -| `otk.database.readOnlyConnection.existingSecretName` | Point to an existing OTK read only database Secret | -| `otk.database.readOnlyConnection.username` | OTK read only database user name| -| `otk.database.readOnlyConnection.password` | OTK read only database password | -| `otk.database.readOnlyConnection.properties` | OTK read only database additional properties | `{}` | -| `otk.database.readOnlyConnection.jdbcURL` | OTK read only database sql jdbc URL (oracle/mysql) | -| `otk.database.readOnlyConnection.jdbcDriverClass` | OTK read only database sql driver class name (oracle/mysql) | -| `otk.database.readOnlyConnection.connectionProperties`| OTK read only database mysql connection properties (oracle/mysql) | `{}` -| `otk.database.readOnlyConnection.databaseName` | OTK read only Oracle database name | -| `otk.database.clientReadConnection.enabled` | Enable/Disable OTK Client Read only database connection | `false` | -| `otk.database.clientReadConnection.connectionName` | OTK Client Read only database connection name | `OAuth_Client_Read` | -| `otk.database.clientReadConnection.existingSecretName` | Point to an existing OTK Client Read only database Secret | -| `otk.database.clientReadConnection.username` | OTK Client Read only database user name | -| `otk.database.clientReadConnection.password` | OTK Client Read only database password | -| `otk.database.clientReadConnection.properties` | OTK Client Read only database additional properties | `{}` | -| `otk.database.clientReadConnection.jdbcURL` | OTK Client Read only database sql jdbc URL (oracle/mysql) | -| `otk.database.clientReadConnection.jdbcDriverClass` | OTK Client Read only database sql driver class name (oracle/mysql) | -| `otk.database.clientReadConnection.connectionProperties`| OTK Client Read only database mysql connection properties (oracle/mysql) | `{}` -| `otk.database.clientReadConnection.databaseName` | OTK Client Read only Oracle database name | -| `otk.database.cassandra.connectionPoints` | OTK database cassandra connection points (comma seperated) | -| `otk.database.cassandra.port` | OTK database cassandra connection port | -| `otk.database.cassandra.keyspace` | OTK database cassandra keyspace | -| `otk.database.cassandra.driverConfig` | OTK database cassandra driver config (Gateway 11+) | `{}` -| `otk.healthCheckBundle.enabled` | Enable/Disable installation of OTK health check service bundle | `false` -| `otk.healthCheckBundle.useExisting` | Use exising OTK health check service bundle | `false` -| `otk.healthCheckBundle.name` | OTK health check service bundle name | `otk-health-check-bundle-config` -| `otk.livenessProbe.enabled` | Enable/Disable. Requires otk.healthCheckBundle.enabled set to true and OTK version >= 4.6.1. Valid only for SINGLE and INTERNAL OTK type installation. | `true` -| `otk.livenessProbe.type` | | `httpGet` -| `otk.livenessProbe.httpGet.path` | | `/auth/oauth/health` -| `otk.livenessProbe.httpGet.port` | | `8443` -| `otk.readinessProbe.enabled` | Enable/Disable. Requires otk.healthCheckBundle.enabled set to true and OTK version >= 4.6.1. Valid only for SINGLE and INTERNAL OTK type installation. | `true` -| `otk.readinessProbe.type` | | `httpGet` -| `otk.readinessProbe.httpGet.path` | | `/auth/oauth/health` -| `otk.readinessProbe.httpGet.port` | | `8443` +| Parameter | Description | Default | +| -------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------ | +| `otk.enabled` | Enable/Disable OTK installation or upgrade | `false` | +| `otk.type` | OTK installation type - SINGLE, DMZ or INTERNAL | `SINGLE` | +| `otk.forceInstallOrUpgrade` | Force install or upgrade by uninstalling existing otk soluction kit and install. | false | +| `otk.enablePortalIntegration` | Not applicable for DMZ and INTERNAL OTK types | `false` | +| `otk.skipPostInstallationTasks` | Skip post installation tasks for OTK type INTERNAL and DMZ Internal Gateway: - #OTK Client Context Variables - #OTK id_token configuration DMZ Gateway: - #OTK OVP Configuration - #OTK Storage Configuration | `false` | +| `otk.skipInternalServerTools` | Skip installation of the optional sub soluction Kit: Internal, Server Tools. The Oauth Manager & Oauth Test Client will not be installed | `false` | +| `otk.internalGatewayHost` | Internal gateway host for OTK type DMZ | | +| `otk.internalGatewayPort` | Internal gateway post for OTK type DMZ | | +| `otk.dmzGatewayHost` | DMZ gateway host for OTK type INTERNAL | | +| `otk.networkMask` | Network mask used in the 'Restrict Access to IP Address Range Assertion' to protect the schedule jobs and health checks. | `16` | +| `otk.startIP` | Start IP used in the 'Restrict Access to IP Address Range Assertion' to protect the schedule jobs and health checks. | `240.224.2.1` | +| `otk.cert.dmzGatewayCert` | DMZ gateway certificate (encoded) for OTK type DMZ | | +| `otk.cert.internalGatewayIssuer` | DMZ gateway certificate issuer for OTK type DMZ | | +| `otk.cert.dmzGatewaySerial` | DMZ gateway certificate serial for OTK type DMZ | | +| `otk.cert.dmzGatewaySubject` | DMZ gateway certificate subject for OTK type DMZ | | +| `otk.cert.internalGatewayCert` | INTERNAL gateway certificate (encoded) for OTK type INTERNAL | | +| `otk.cert.internalGatewayIssuer` | INTERNAL gateway certificate issuer for OTK type INTERNAL | | +| `otk.cert.internalGatewaySerial` | INTERNAL gateway certificate serial for OTK type INTERNAL | | +| `otk.cert.internalGatewaySubject` | INTERNAL gateway certificate subject for OTK type INTERNAL | | +| `otk.customizations.existingBundle.enabled` | Enable mounting existing configMaps/Secrets that contain OTK Bundles - see values.yaml for more info | `false` | +| `otk.dmzGatewayPort` | DMZ gateway port for OTK type INTERNAL | | +| `otk.subSolutionKitNames` | List of comma seperated sub soluction Kits to install or upgrade. | | +| `otk.job.image.repository` | Image Repositor | `caapim/otk-install` | +| `otk.job.image.tag` | Image Tag. (OTK version) | `4.6` | +| `otk.job.image.pullPolicy` | Image Pull Policy | `IfNotPresent` | +| `otk.job.image.labels` | Job lables | {} | +| `otk.job.image.nodeSelector` | Job Node selector | {} | +| `otk.job.image.tolerations` | Job tolerations | [] | +| `otk.job.podLabels` | OTK Job podLabels | {} | +| `otk.job.podAnnotations` | OTK Job podAnnotations | {} | +| `otk.job.resources` | OTK Job resources | {} | +| `otk.job.scheduledTasksSuccessfulJobsHistoryLimit` | OTK db maintenance scheduled job success history limit | `1` | +| `otk.job.scheduledTasksFailedJobsHistoryLimit` | OTK db maintenance scheduled job failed history limit | `1` | +| `otk.bootstrapDir` | The location of OTK artifacts in the image | `/opt/SecureSpan/Gateway/node/default/etc/bootstrap/bundle/000OTK` | +| `otk.database.type` | OTK database type - mysql/oracle/cassandra | `mysql` | +| `otk.database.waitTimeout` | OTK database connection wait timeout in seconds | `60` | +| `otk.database.dbUpgrade` | Enable/Disable OTK DB Upgrade | `true` | +| `otk.database.useDemoDb` | Enable/Disable OTK Demo DB | `true` | +| `otk.database.sql.createTestClients` | Enable/Disable creation of demo test clients | `false` | +| `otk.database.sql.testClientsRedirectUrlPrefix` | The value of redirect_uri prefix (Example: [https://test.com:8443](https://test.com:8443)) Required if createTestClients is `true` | | +| `otk.database.changeLogSync` | Applicable for OTK versions 4.6.3 & older only. If using existing non liquibase OTK DB then perform manual OTK DB upgrade and set 'changeLogSync' to true. This is a onetime activity to initialize liquibase related tables on OTK DB. Set to false for successive helm upgrade. | `false` | +| `otk.database.updateConnection` | Update database connection properties during helm upgrade | `true` | +| `otk.database.connectionName` | OTK database connection name | `OAuth` | +| `otk.database.existingSecretName` | Point to an existing OTK database Secret | | +| `otk.database.username` | OTK database user name | | +| `otk.database.password` | OTK database password | | +| `otk.database.properties` | OTK database additional properties | `{}` | +| `otk.database.sql.ddlUsername` | OTK database user name used for OTK DB creation | | +| `otk.database.sql.ddlPassword` | OTK database password used for OTK DB creation | | +| `otk.database.sql.type` | OTK database type (mysql/oracle/cassandra) | `mysql` | +| `otk.database.sql.jdbcURL` | OTK database sql jdbc URL (oracle/mysql) | | +| `otk.database.sql.jdbcDriverClass` | OTK database sql driver class name (oracle/mysql) | | +| `otk.database.sql.databaseName` | OTK database Oracle database name or Demo db name | | +| `otk.database.sql.connectionProperties` | OTK database mysql connection properties (oracle/mysql) | `{}` | +| `otk.database.readOnlyConnection.enabled` | Enable/Disable OTK read only database connection | `false` | +| `otk.database.readOnlyConnection.connectionName` | OTK read only database connection name | `OAuth_ReadOnly` | +| `otk.database.readOnlyConnection.existingSecretName` | Point to an existing OTK read only database Secret | | +| `otk.database.readOnlyConnection.username` | OTK read only database user name | | +| `otk.database.readOnlyConnection.password` | OTK read only database password | | +| `otk.database.readOnlyConnection.properties` | OTK read only database additional properties | `{}` | +| `otk.database.readOnlyConnection.jdbcURL` | OTK read only database sql jdbc URL (oracle/mysql) | | +| `otk.database.readOnlyConnection.jdbcDriverClass` | OTK read only database sql driver class name (oracle/mysql) | | +| `otk.database.readOnlyConnection.connectionProperties` | OTK read only database mysql connection properties (oracle/mysql) | `{}` | +| `otk.database.readOnlyConnection.databaseName` | OTK read only Oracle database name | | +| `otk.database.clientReadConnection.enabled` | Enable/Disable OTK Client Read only database connection | `false` | +| `otk.database.clientReadConnection.connectionName` | OTK Client Read only database connection name | `OAuth_Client_Read` | +| `otk.database.clientReadConnection.existingSecretName` | Point to an existing OTK Client Read only database Secret | | +| `otk.database.clientReadConnection.username` | OTK Client Read only database user name | | +| `otk.database.clientReadConnection.password` | OTK Client Read only database password | | +| `otk.database.clientReadConnection.properties` | OTK Client Read only database additional properties | `{}` | +| `otk.database.clientReadConnection.jdbcURL` | OTK Client Read only database sql jdbc URL (oracle/mysql) | | +| `otk.database.clientReadConnection.jdbcDriverClass` | OTK Client Read only database sql driver class name (oracle/mysql) | | +| `otk.database.clientReadConnection.connectionProperties` | OTK Client Read only database mysql connection properties (oracle/mysql) | `{}` | +| `otk.database.clientReadConnection.databaseName` | OTK Client Read only Oracle database name | | +| `otk.database.cassandra.connectionPoints` | OTK database cassandra connection points (comma seperated) | | +| `otk.database.cassandra.port` | OTK database cassandra connection port | | +| `otk.database.cassandra.keyspace` | OTK database cassandra keyspace | | +| `otk.database.cassandra.driverConfig` | OTK database cassandra driver config (Gateway 11+) | `{}` | +| `otk.healthCheckBundle.enabled` | Enable/Disable installation of OTK health check service bundle | `false` | +| `otk.healthCheckBundle.useExisting` | Use exising OTK health check service bundle | `false` | +| `otk.healthCheckBundle.name` | OTK health check service bundle name | `otk-health-check-bundle-config` | +| `otk.livenessProbe.enabled` | Enable/Disable. Requires otk.healthCheckBundle.enabled set to true and OTK version >= 4.6.1. Valid only for SINGLE and INTERNAL OTK type installation. | `true` | +| `otk.livenessProbe.type` | | `httpGet` | +| `otk.livenessProbe.httpGet.path` | | `/auth/oauth/health` | +| `otk.livenessProbe.httpGet.port` | | `8443` | +| `otk.readinessProbe.enabled` | Enable/Disable. Requires otk.healthCheckBundle.enabled set to true and OTK version >= 4.6.1. Valid only for SINGLE and INTERNAL OTK type installation. | `true` | +| `otk.readinessProbe.type` | | `httpGet` | +| `otk.readinessProbe.httpGet.path` | | `/auth/oauth/health` | +| `otk.readinessProbe.httpGet.port` | | `8443` | + #### Note: -* In case of ephemeral GW instances where there only updates to OTK, it should be done using Helm --force option + +- In case of ephemeral GW instances where there only updates to OTK, it should be done using Helm --force option [Back to Additional Guides](#additional-guides) ### Gateway Application Ports + Once you have decided on which container ports you would like to expose, you need to create the corresponding ports on the API Gateway. *These will need match the corresponding service and management service ports above.* This configuration creates and mounts a gateway bundle, if you wish to maintain Gateway ports outside of the Gateway Chart you can either use Policy Manager or create and mount your own bundle in the existingBundle section. By default the following ports are created + - 8080 (HTTP - disabled) - 8443 (HTTPS - Published service message input only) - 9443 (HTTPS - Published service message input only, Administrative access, Browser-based administration, Built-in services) Things to note before you get started: + - If you are deploying the Gateway with a fresh MySQL database - This port configuration will replace the defaults. - If you are using an existing database @@ -586,9 +639,11 @@ config: [Back to Additional Guides](#additional-guides) ### Ingress Configuration + The Gateway Helm Chart allows you to configure an Ingress Resource that your central Ingress Controller can manage. You can find more information on [Ingress Controllers](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/) here. If your ingress controller is private and you would like to create an ingress record/route for the management service you can use the following configuration + ``` ... rules: @@ -606,6 +661,7 @@ If your ingress controller is private and you would like to create an ingress re ``` New Ingress Configuration Gateway Chart >= 3.0.31 (openshift route support) + ``` ingress: # Set to true to create ingress or route object @@ -656,6 +712,7 @@ ingress: ``` New Ingress Configuration Gateway Chart >= 3.0.0 + ``` ingress: enabled: true @@ -694,6 +751,7 @@ ingress: ``` This represents the ingress configuration for Gateway Chart < 3.0.0 you need to configure an Ingress Resource for the API Gateway + ``` ingress: enabled: true @@ -716,9 +774,11 @@ ingress: [Back to Additional Guides](#additional-guides) ### Kubernetes Gateway API Configuration + The Gateway Helm Chart supports the [Kubernetes Gateway API](https://gateway-api.sigs.k8s.io/) as an alternative to Ingress. The implementation is controller-agnostic and has been tested with [Contour](https://projectcontour.io/) and [Envoy Gateway](https://gateway.envoyproxy.io/). See [examples/ingress](../../examples/ingress) for controller installation instructions. **Requirements:** + - Gateway API CRDs must be installed. These are typically bundled with your Gateway controller (e.g. Contour, Envoy Gateway). To install them separately, see the [Gateway API releases](https://github.com/kubernetes-sigs/gateway-api/releases) - A `GatewayClass` must be available on the cluster (e.g. `contour`, `envoy-gateway`) @@ -729,12 +789,14 @@ The Gateway Helm Chart supports the [Kubernetes Gateway API](https://gateway-api **Route Modes:** The chart supports two route modes: + - **HTTPRoute** (default) -- TLS is terminated at the Kubernetes Gateway and re-encrypted to the Layer7 Gateway backend. Requires `backendTLSPolicy` to be enabled so the Gateway controller can validate the backend certificate. - **TLSRoute** -- TLS passthrough via SNI-based routing. The Kubernetes Gateway does not terminate TLS. The Layer7 Gateway handles TLS directly. **Gateway Resource:** The chart supports two modes for the Gateway resource: + - **Create a new Gateway** -- set `kubernetesGateway.gateway.create: true` with a `gatewayClassName`. The chart creates a Gateway with auto-generated listeners from route hostnames. - **Use an existing Gateway** -- set `kubernetesGateway.gateway.create: false` and provide `kubernetesGateway.gateway.existingRef.name` / `.namespace`. Routes attach to the existing Gateway via `parentRefs`. This is useful when sharing a Gateway across charts. See [Shared Gateway](../../examples/ingress#shared-gateway) for details. @@ -745,6 +807,7 @@ When using HTTPRoute, the Layer7 Gateway backend speaks HTTPS. Since the Gateway **Management Service Routing:** To route management traffic through the same Gateway, set `backend: management` on a rule: + ``` kubernetesGateway: enabled: true @@ -771,71 +834,78 @@ kubernetesGateway: enabled: true ``` -| Parameter | Description | Default | -|---|---|---| -| `kubernetesGateway.enabled` | Enable Kubernetes Gateway API resources | `false` | -| `kubernetesGateway.gateway.create` | Create a new Gateway resource | `false` | -| `kubernetesGateway.gateway.gatewayClassName` | GatewayClass name (e.g. `contour`, `eg`). Required when `gateway.create` is `true` | `""` | -| `kubernetesGateway.gateway.addresses` | Optional addresses for the Gateway (e.g. static IPs). Array of `{type, value}` | `[]` | -| `kubernetesGateway.gateway.existingRef.name` | Name of an existing Gateway to reference | `""` | -| `kubernetesGateway.gateway.existingRef.namespace` | Namespace of the existing Gateway | `""` | -| `kubernetesGateway.gateway.tls.existingSecretName` | Existing TLS Secret for the Gateway listener | `""` | -| `kubernetesGateway.gateway.labels` | Additional labels for the Gateway resource | `{}` | -| `kubernetesGateway.gateway.annotations` | Additional annotations for the Gateway resource | `{}` | -| `kubernetesGateway.httpRoute.enabled` | Enable HTTPRoute resource | `true` | -| `kubernetesGateway.httpRoute.rules` | HTTPRoute rules. Each rule routes to the chart's own service | `see values.yaml` | -| `kubernetesGateway.httpRoute.labels` | Additional labels for the HTTPRoute | `{}` | -| `kubernetesGateway.httpRoute.annotations` | Additional annotations for the HTTPRoute | `{}` | -| `kubernetesGateway.tlsRoute.enabled` | Enable TLSRoute resource (SNI passthrough) | `false` | -| `kubernetesGateway.tlsRoute.apiVersion` | TLSRoute API version. Set to `gateway.networking.k8s.io/v1` when your CRDs include TLSRoute at v1 | `gateway.networking.k8s.io/v1alpha2` | -| `kubernetesGateway.tlsRoute.rules` | TLSRoute rules. Each rule routes to the chart's own service | `see values.yaml` | -| `kubernetesGateway.tlsRoute.labels` | Additional labels for the TLSRoute | `{}` | -| `kubernetesGateway.tlsRoute.annotations` | Additional annotations for the TLSRoute | `{}` | -| `kubernetesGateway.backendTLSPolicy.enabled` | Enable BackendTLSPolicy for Gateway-to-backend TLS | `false` | -| `kubernetesGateway.backendTLSPolicy.excludePorts` | Ports to exclude from targetRefs. When empty, the policy covers all ports (no `sectionName`). When set, each non-excluded port gets an explicit targetRef with `sectionName` | `[]` | -| `kubernetesGateway.backendTLSPolicy.validation.hostname` | Hostname for backend TLS validation. If empty, defaults to `..svc.cluster.local` | `""` | -| `kubernetesGateway.backendTLSPolicy.validation.caCertificateRefs` | CA certificate references. If empty, defaults to the auto-generated CA ConfigMap | `[]` | -| `kubernetesGateway.backendTLSPolicy.validation.wellKnownCACertificates` | Use well-known CA certs (e.g. `System`). Mutually exclusive with `caCertificateRefs` | `""` | -| `kubernetesGateway.backendTLSPolicy.tls.existingSecretName` | Existing TLS Secret for the backend certificate | `""` | -| `kubernetesGateway.backendTLSPolicy.tls.bootstrap` | Enable SSL key bootstrap into the pod. Set `false` when you only need the BackendTLSPolicy resource | `true` | -| `kubernetesGateway.backendTLSPolicy.tls.forceBootstrap` | Force the bootstrap script on every install/upgrade (db-backed gateways skip on upgrade by default) | `false` | -| `kubernetesGateway.backendTLSPolicy.labels` | Additional labels for the BackendTLSPolicy | `{}` | -| `kubernetesGateway.backendTLSPolicy.annotations` | Additional annotations for the BackendTLSPolicy | `{}` | -| `kubernetesGateway.labels` | Labels applied to all Gateway API resources | `{}` | -| `kubernetesGateway.annotations` | Annotations applied to all Gateway API resources | `{}` | + +| Parameter | Description | Default | +| ----------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------ | +| `kubernetesGateway.enabled` | Enable Kubernetes Gateway API resources | `false` | +| `kubernetesGateway.gateway.create` | Create a new Gateway resource | `false` | +| `kubernetesGateway.gateway.gatewayClassName` | GatewayClass name (e.g. `contour`, `eg`). Required when `gateway.create` is `true` | `""` | +| `kubernetesGateway.gateway.addresses` | Optional addresses for the Gateway (e.g. static IPs). Array of `{type, value}` | `[]` | +| `kubernetesGateway.gateway.existingRef.name` | Name of an existing Gateway to reference | `""` | +| `kubernetesGateway.gateway.existingRef.namespace` | Namespace of the existing Gateway | `""` | +| `kubernetesGateway.gateway.tls.existingSecretName` | Existing TLS Secret for the Gateway listener | `""` | +| `kubernetesGateway.gateway.labels` | Additional labels for the Gateway resource | `{}` | +| `kubernetesGateway.gateway.annotations` | Additional annotations for the Gateway resource | `{}` | +| `kubernetesGateway.httpRoute.enabled` | Enable HTTPRoute resource | `true` | +| `kubernetesGateway.httpRoute.rules` | HTTPRoute rules. Each rule routes to the chart's own service | `see values.yaml` | +| `kubernetesGateway.httpRoute.labels` | Additional labels for the HTTPRoute | `{}` | +| `kubernetesGateway.httpRoute.annotations` | Additional annotations for the HTTPRoute | `{}` | +| `kubernetesGateway.tlsRoute.enabled` | Enable TLSRoute resource (SNI passthrough) | `false` | +| `kubernetesGateway.tlsRoute.apiVersion` | TLSRoute API version. Set to `gateway.networking.k8s.io/v1` when your CRDs include TLSRoute at v1 | `gateway.networking.k8s.io/v1alpha2` | +| `kubernetesGateway.tlsRoute.rules` | TLSRoute rules. Each rule routes to the chart's own service | `see values.yaml` | +| `kubernetesGateway.tlsRoute.labels` | Additional labels for the TLSRoute | `{}` | +| `kubernetesGateway.tlsRoute.annotations` | Additional annotations for the TLSRoute | `{}` | +| `kubernetesGateway.backendTLSPolicy.enabled` | Enable BackendTLSPolicy for Gateway-to-backend TLS | `false` | +| `kubernetesGateway.backendTLSPolicy.excludePorts` | Ports to exclude from targetRefs. When empty, the policy covers all ports (no `sectionName`). When set, each non-excluded port gets an explicit targetRef with `sectionName` | `[]` | +| `kubernetesGateway.backendTLSPolicy.validation.hostname` | Hostname for backend TLS validation. If empty, defaults to `..svc.cluster.local` | `""` | +| `kubernetesGateway.backendTLSPolicy.validation.caCertificateRefs` | CA certificate references. If empty, defaults to the auto-generated CA ConfigMap | `[]` | +| `kubernetesGateway.backendTLSPolicy.validation.wellKnownCACertificates` | Use well-known CA certs (e.g. `System`). Mutually exclusive with `caCertificateRefs` | `""` | +| `kubernetesGateway.backendTLSPolicy.tls.existingSecretName` | Existing TLS Secret for the backend certificate | `""` | +| `kubernetesGateway.backendTLSPolicy.tls.bootstrap` | Enable SSL key bootstrap into the pod. Set `false` when you only need the BackendTLSPolicy resource | `true` | +| `kubernetesGateway.backendTLSPolicy.tls.forceBootstrap` | Force the bootstrap script on every install/upgrade (db-backed gateways skip on upgrade by default) | `false` | +| `kubernetesGateway.backendTLSPolicy.labels` | Additional labels for the BackendTLSPolicy | `{}` | +| `kubernetesGateway.backendTLSPolicy.annotations` | Additional annotations for the BackendTLSPolicy | `{}` | +| `kubernetesGateway.labels` | Labels applied to all Gateway API resources | `{}` | +| `kubernetesGateway.annotations` | Annotations applied to all Gateway API resources | `{}` | + [Back to Additional Guides](#additional-guides) ### PM Tagger Configuration + [PM (Policy Manager) Tagger](https://github.com/gvermeulen7205/pm-tagger) is a lightweight go application that works in conjunction with the management service to provide a stable connection to your container gateway via Policy Manager. -| Parameter | Description | Default | -| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | -| `pmtagger.enabled` | Enable pm-tagger | `false` | -| `pmtagger.replicas` | Replicas (you should never need more than one | `1` | -| `pmtagger.image.registry` | Image Registry | `docker.io` | -| `pmtagger.image.repository` | Image Repository | `caapim/pm-tagger` | -| `pmtagger.image.tag` | Image Tag | `1.0.3` | -| `pmtagger.image.pullPolicy` | Image Pull Policy | `IfNotPresent` | -| `pmtagger.image.imagePullSecret.enabled` | Use Image Pull secret - this uses the image pull secret configured for the API Gateway | `false` | -| `pmtagger.resources` | Resources | `see values.yaml` | -| `pmtagger.podLabels` | Pod Labels for the Gateway Pod | `{}` | -| `pmtagger.podAnnotations` | Pod Annotations apply to the Gateway Pod | `{}` | -| `pmtagger.nodeSelector` | [Node Selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) | `{}` | -| `pmtagger.affinity` | [Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) | `{}` | -| `pmtagger.topologySpreadConstraints` | [Topology Spread Constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/#spread-constraints-for-pods) | `[]` | -| `pmtagger.tolerations` | [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) | `[]` | -| `pmtagger.podSecurityContext` | [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | `[]` | -| `pmtagger.containerSecurityContext` | [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | `{}` | + +| Parameter | Description | Default | +| ---------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------ | +| `pmtagger.enabled` | Enable pm-tagger | `false` | +| `pmtagger.replicas` | Replicas (you should never need more than one | `1` | +| `pmtagger.image.registry` | Image Registry | `docker.io` | +| `pmtagger.image.repository` | Image Repository | `caapim/pm-tagger` | +| `pmtagger.image.tag` | Image Tag | `1.0.3` | +| `pmtagger.image.pullPolicy` | Image Pull Policy | `IfNotPresent` | +| `pmtagger.image.imagePullSecret.enabled` | Use Image Pull secret - this uses the image pull secret configured for the API Gateway | `false` | +| `pmtagger.resources` | Resources | `see values.yaml` | +| `pmtagger.podLabels` | Pod Labels for the Gateway Pod | `{}` | +| `pmtagger.podAnnotations` | Pod Annotations apply to the Gateway Pod | `{}` | +| `pmtagger.nodeSelector` | [Node Selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) | `{}` | +| `pmtagger.affinity` | [Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) | `{}` | +| `pmtagger.topologySpreadConstraints` | [Topology Spread Constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/#spread-constraints-for-pods) | `[]` | +| `pmtagger.tolerations` | [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) | `[]` | +| `pmtagger.podSecurityContext` | [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | `[]` | +| `pmtagger.containerSecurityContext` | [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | `{}` | + [Back to Additional Guides](#additional-guides) ### OpenTelemetry Configuration + The Gateway from v11.1.00 can be configured to send telemetry to Observability backends [that support OpenTelemetry](https://opentelemetry.io/ecosystem/vendors/). Please see [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/11-1/install-configure-upgrade/configuring-opentelemetry-for-the-gateway.html) for more details about this integration. This feature is a ***preview feature*** for v11.1.00 and is ***intentionally disabled*** by default. As with any integration that generates telemetry, there is a performance drop when turning on the OpenTelemetry integration with all of the features enabled. There is an integration example available [here](https://github.com/Layer7-Community/Integrations/tree/main/grafana-stack-prometheus-otel) that details how to deploy and configure an observability backend to use with the Gateway. + - You are ***not required*** to use the observability stack that we provide as an example. - The observability stack that we provide ***is not*** production ready and should be used solely as an example or reference point. - OpenTelemetry is supported by [numerous vendors](https://opentelemetry.io/ecosystem/vendors/) @@ -843,11 +913,13 @@ There is an integration example available [here](https://github.com/Layer7-Commu ***NOTE: *** In our example we inject the OpenTelemetry Java Agent to the Container Gateway, this emits additional telemetry like JVM metrics. The Gateway has the OpenTelemetry SDK built-in making the OpenTelemetry Java Agent Optional, the key difference between the built-in SDK and the OTel Agent is that the SDK only captures Gateway application level traces and metrics, things like JVM metrics will not be captured in this mode. #### Gateway OTel Configuration + OpenTelemetry is configured on the Gateway in two places, system properties and cluster-wide Properties. The configuration below represents the minimal settings required to enable the built-in SDK and configure the Gateway to send telemetry to an OpenTelemetry Collector. These can be configured in values.yaml. See the section below to view examples of how and where to configure this. - config.otel + ``` config: ... @@ -863,8 +935,8 @@ config: # - test1=someEnvValue1 ``` - - system.properties + ``` otel.sdk.disabled=false otel.java.global-autoconfigure.enabled=true @@ -874,14 +946,18 @@ otel.traces.exporter=otlp otel.metrics.exporter=otlp otel.logs.exporter=none ``` + - cluster-wide properties + ``` otel.enabled=true otel.serviceMetricEnabled=true otel.traceEnabled=true (if tracing is required) otel.traceConfig=(default {}) ``` + example otel.traceConfig + ``` { "services": [ @@ -905,23 +981,29 @@ example otel.traceConfig [Back to Additional Guides](#additional-guides) ##### Gateway OTel Examples (with or without the Optional Agent) + The integration example [here](https://github.com/Layer7-Community/Integrations/tree/main/grafana-stack-prometheus-otel) contains two Gateway examples (values.yaml overrides) that are configured to use the SDK only approach ***or*** include the Optional OTel Java Agent. There are two Grafana Dashboards included that show the differences in the telemetry that emitted from the Gateway. + - [SDK only, no agent](https://github.com/Layer7-Community/Integrations/tree/main/grafana-stack-prometheus-otel/gateway-example/gateway-sdk-only-values.yaml) - [Agent](https://github.com/Layer7-Community/Integrations/tree/main/grafana-stack-prometheus-otel/gateway-example/gateway-otel-java-agent-values.yaml) [Back to Additional Guides](#additional-guides) ### Shared State Preview Features + There are two preview features that you may choose to enable with Gateway v11.1.1 onwards. + - [Apply Distributed Rate Limit Assertion (Preview)](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/policy-assertions/assertion-palette/service-availability-assertions/apply-distributed-rate-limit-assertion.html) - [Key Value Storage Assertions (Preview)](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/policy-assertions/assertion-palette/service-availability-assertions/key-value-storage-assertions.html) To use the [Apply Distributed Rate Limit Assertion (Preview)](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/policy-assertions/assertion-palette/service-availability-assertions/apply-distributed-rate-limit-assertion.html), uncomment the following and set it to redis or externalhazelcast + ``` # com.l7tech.server.extension.sharedRateLimiterProvider=redis ``` To use the [Key Value Storage Assertions (Preview)](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/policy-assertions/assertion-palette/service-availability-assertions/key-value-storage-assertions.html), uncomment the following and set sharedKeyValueStoreProvider to redis or externalhazelcast + ``` # com.l7tech.external.assertions.keyvaluestore.sharedKeyValueStoreProvider=redis # com.l7tech.external.assertions.keyvaluestore.storeIdList=GW_STORE_ID @@ -930,54 +1012,63 @@ To use the [Key Value Storage Assertions (Preview)](https://techdocs.broadcom.co [Back to Additional Guides](#additional-guides) ### Redis Configuration + This enables integration with [Redis](https://redis.io/) which is a preview feature on the Layer7 Gateway. The following sections configure a redis configuration file on the Gateway. The following properties in config.systemProperties will need to be updated. **Important Note** The latest version of this chart uses a new format for Redis configuration that will simplify configuring additional shared state providers in the future. Please view [shared state provider config](#shared-state-provider-config) for more details. This is only compatible with Gateway v11.1.1. Comment out the following + ``` # com.l7tech.server.extension.sharedKeyValueStoreProvider=embeddedhazelcast # com.l7tech.server.extension.sharedCounterProvider=ssgdb ``` + Uncomment the following + ``` # com.l7tech.server.extension.sharedKeyValueStoreProvider=redis # com.l7tech.server.extension.sharedCounterProvider=redis # com.l7tech.server.extension.sharedRateLimiterProvider=redis ``` -| Parameter | Description | Default | -| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | -| `config.redis.enabled` | Enable redis configuration | `false` | -| `config.redis.subChart.enabled` | Deploy the redis subChart | `true` | -| `config.redis.additionalProviders` | Configure additional Redis connections | `[]` | -| `config.redis.groupName` | Redis Group name | `l7GW` | -| `config.redis.commandTimeout` | Redis Command Timeout | `5000` | -| `config.redis.connectTimeout` | Redis Connect Timeout | `10000` | -| `config.redis.testOnStart` | Test the connection to Redis during Gateway start. If the conection fails and this is true, the Gateway will not start | `false` | -| `config.redis.auth.enabled` | Use auth for Redis | `false` | -| `config.redis.auth.username` | Redis username | `` | -| `config.redis.auth.password.encoded` | Password is encoded | `false` | -| `config.redis.auth.password.value` | Redis password | `mypassword` | -| `config.redis.sentinel.enabled` | Enable sentinel configuration | `true` | -| `config.redis.sentinel.masterSet` | Redis Master set | `mymaster` | -| `config.redis.sentinel.nodes` | Array of sentinel nodes host and port | `[]` | -| `config.redis.standalone.host` | Redis host if sentinel is not enabled | `redis-standalone` | -| `config.redis.standalone.port` | Redis port if sentinel is not enabled | `6379` | -| `config.redis.tls.enabled` | Enable SSL/TLS | `false` | -| `config.redis.tls.existingSecret` | Use an existing secret - must contain a key called tls.crt | `` | -| `config.redis.tls.verifyPeer` | Verify Peer | `true` | -| `config.redis.tls.redisCrt` | Redis Public Cert | `` | + +| Parameter | Description | Default | +| ------------------------------------ | ---------------------------------------------------------------------------------------------------------------------- | ------------------ | +| `config.redis.enabled` | Enable redis configuration | `false` | +| `config.redis.subChart.enabled` | Deploy the redis subChart | `true` | +| `config.redis.additionalProviders` | Configure additional Redis connections | `[]` | +| `config.redis.groupName` | Redis Group name | `l7GW` | +| `config.redis.commandTimeout` | Redis Command Timeout | `5000` | +| `config.redis.connectTimeout` | Redis Connect Timeout | `10000` | +| `config.redis.testOnStart` | Test the connection to Redis during Gateway start. If the conection fails and this is true, the Gateway will not start | `false` | +| `config.redis.auth.enabled` | Use auth for Redis | `false` | +| `config.redis.auth.username` | Redis username | `` | +| `config.redis.auth.password.encoded` | Password is encoded | `false` | +| `config.redis.auth.password.value` | Redis password | `mypassword` | +| `config.redis.sentinel.enabled` | Enable sentinel configuration | `true` | +| `config.redis.sentinel.masterSet` | Redis Master set | `mymaster` | +| `config.redis.sentinel.nodes` | Array of sentinel nodes host and port | `[]` | +| `config.redis.standalone.host` | Redis host if sentinel is not enabled | `redis-standalone` | +| `config.redis.standalone.port` | Redis port if sentinel is not enabled | `6379` | +| `config.redis.tls.enabled` | Enable SSL/TLS | `false` | +| `config.redis.tls.existingSecret` | Use an existing secret - must contain a key called tls.crt | `` | +| `config.redis.tls.verifyPeer` | Verify Peer | `true` | +| `config.redis.tls.redisCrt` | Redis Public Cert | `` | #### Creating your own Redis Configuration + Please refer to [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw-11-0/install-configure-upgrade/connect-to-an-external-redis-datastore.html) for more context on the available configuration options #### Note + The Gateway supports Redis master auth only. The Gateway will not be able to connect to Redis if your Sentinel nodes have passwords. Please refer to the notes in values.yaml for details on config.redis.auth and redis.auth (subChart) ##### Redis Sentinel (11.1.1) + sharedstate_client.yaml + ``` redis: default: @@ -1001,7 +1092,9 @@ redis: ``` ##### Redis Standalone (11.1.1) + sharedstate_client.yaml + ``` redis: default: @@ -1023,7 +1116,9 @@ redis: ``` ##### Redis Sentinel (11.0.00_CR2 and 11.1.00) + redis.properties + ``` # Redis type can be sentinel or standalone redis.type=sentinel @@ -1040,13 +1135,15 @@ redis.properties # Additional Config redis.key.prefix.grpname=l7GW redis.commandTimeout=5000 - ``` +``` ##### Redis Standalone (11.1.00) + **Gateway Chart v3.0.30 onwards only supports Gateway 11.1.1 and later for Redis** if you are not upgrading to Gateway v11.1.1 please specify the --version flag when installing or upgrading your release. The Gateway supports SSL/TLS and Authentication when connecting to a standalone Redis instance. This configuration should only be used for development purposes redis.properties + ``` # Redis type can be sentinel or standalone redis.type=standalone @@ -1063,13 +1160,15 @@ redis.properties # Additional Config redis.key.prefix.grpname=l7GW redis.commandTimeout=5000 - ``` +``` ##### Redis Standalone (11.0.00_CR2) + **Gateway Chart v3.0.30 onwards only supports Gateway 11.1.1 and later for Redis** if you are not upgrading to Gateway v11.1.1 please specify the --version flag when installing or upgrading your release. The Gateway does not support SSL/TLS or Authentication when connecting to a standalone Redis instance. This configuration should only be used for development purposes redis.properties + ``` # Redis type can be sentinel or standalone # standalone does not support SSL or Auth @@ -1078,13 +1177,16 @@ redis.properties redis.port=6379 redis.key.prefix.grpname=l7GW redis.commandTimeout=5000 - ``` +``` ##### Create a secret from this configuration (11.1.1) + ``` kubectl create secret generic shared-state-provider-secret --from-file=sharedstate_client.yaml=/path/to/sharedstate_client.yaml ``` + my-values.yaml + ``` config: sharedStateClient: @@ -1093,11 +1195,15 @@ config: ``` ##### Create a secret from this configuration (11.0.00_CR2 and 11.1.00) + **Gateway Chart v3.0.30 onwards only supports Gateway 11.1.1 and later for Redis** if you are not upgrading to Gateway v11.1.1 please specify the --version flag when installing or upgrading your release. + ``` kubectl create secret generic redis-config-secret --from-file=redis.properties=/path/to/redis.properties ``` + my-values.yaml + ``` redis: enabled: true @@ -1107,6 +1213,7 @@ redis: [Back to Additional Guides](#additional-guides) ### Redis StatefulSet (Development/Testing Only) + **Important Note:** This is a simple Redis StatefulSet implementation for development and testing purposes only. ***It is not supported or recommended for production use.*** For production deployments, use an external Redis server or Redis cluster. The Redis StatefulSet provides standalone Redis functionality with optional authentication and TLS support. @@ -1115,58 +1222,61 @@ The Redis StatefulSet provides standalone Redis functionality with optional auth #### Configuration -| Parameter | Description | Default | -| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | -| `redis.image.repository` | Redis image repository | `redis` | -| `redis.image.tag` | Redis image tag | `7.4-alpine` | -| `redis.image.pullPolicy` | Image pull policy | `IfNotPresent` | -| `redis.auth.enabled` | Enable Redis authentication | `false` | -| `redis.auth.username` | Redis username (optional, for ACL-based auth) | `` | -| `redis.auth.password` | Redis password | `mypassword` | -| `redis.auth.existingSecret` | Use existing secret for credentials | `` | -| `redis.service.type` | Redis service type | `ClusterIP` | -| `redis.service.port` | Redis service port | `6379` | -| `redis.service.annotations` | Annotations for the Redis service | `{}` | -| `redis.pdb.create` | Create PodDisruptionBudget for Redis | `false` | -| `redis.pdb.maxUnavailable` | Maximum unavailable pods | `` | -| `redis.pdb.minAvailable` | Minimum available pods | `` | -| `redis.persistence.enabled` | Enable persistence using PVC | `false` | -| `redis.persistence.storageClass` | Storage class for PVC | `` | -| `redis.persistence.accessModes` | PVC access modes | `[ReadWriteOnce]` | -| `redis.persistence.size` | PVC size | `8Gi` | -| `redis.persistence.annotations` | PVC annotations (can include Helm hooks) | `{}` | -| `redis.persistence.existingClaim`| Use existing PVC | `` | -| `redis.maxmemory` | Redis max memory limit | `256mb` | -| `redis.maxmemoryPolicy` | Redis eviction policy | `allkeys-lru` | -| `redis.appendonly` | Enable AOF persistence | `false` | -| `redis.tls.enabled` | Enable TLS | `true` | -| `redis.tls.autoGenerated` | Auto-generate self-signed certificates | `true` | -| `redis.tls.certificatesSecret` | Existing secret with TLS certificates | `` | -| `redis.configuration` | Custom Redis configuration | `` | -| `redis.commonAnnotations` | Annotations applied to all Redis resources | `{}` | -| `redis.resources` | Resource requests and limits | `{}` | -| `redis.livenessProbe.enabled` | Enable liveness probe | `true` | -| `redis.livenessProbe.initialDelaySeconds` | Liveness probe initial delay | `5` | -| `redis.livenessProbe.periodSeconds` | Liveness probe period | `5` | -| `redis.livenessProbe.timeoutSeconds` | Liveness probe timeout | `5` | -| `redis.livenessProbe.failureThreshold` | Liveness probe failure threshold | `5` | -| `redis.readinessProbe.enabled` | Enable readiness probe | `true` | -| `redis.readinessProbe.initialDelaySeconds` | Readiness probe initial delay | `5` | -| `redis.readinessProbe.periodSeconds` | Readiness probe period | `5` | -| `redis.readinessProbe.timeoutSeconds` | Readiness probe timeout | `1` | -| `redis.readinessProbe.failureThreshold` | Readiness probe failure threshold | `5` | -| `redis.startupProbe.enabled` | Enable startup probe | `false` | -| `redis.nodeSelector` | Node labels for pod assignment | `{}` | -| `redis.affinity` | Affinity settings | `{}` | -| `redis.tolerations` | Tolerations for pod assignment | `[]` | -| `redis.podSecurityContext` | Pod security context | `{}` | -| `redis.containerSecurityContext` | Container security context | `{}` | -| `redis.podAnnotations` | Pod annotations | `{}` | -| `redis.podLabels` | Pod labels | `{}` | + +| Parameter | Description | Default | +| ------------------------------------------ | --------------------------------------------- | ----------------- | +| `redis.image.repository` | Redis image repository | `redis` | +| `redis.image.tag` | Redis image tag | `7.4-alpine` | +| `redis.image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `redis.auth.enabled` | Enable Redis authentication | `false` | +| `redis.auth.username` | Redis username (optional, for ACL-based auth) | `` | +| `redis.auth.password` | Redis password | `mypassword` | +| `redis.auth.existingSecret` | Use existing secret for credentials | `` | +| `redis.service.type` | Redis service type | `ClusterIP` | +| `redis.service.port` | Redis service port | `6379` | +| `redis.service.annotations` | Annotations for the Redis service | `{}` | +| `redis.pdb.create` | Create PodDisruptionBudget for Redis | `false` | +| `redis.pdb.maxUnavailable` | Maximum unavailable pods | `` | +| `redis.pdb.minAvailable` | Minimum available pods | `` | +| `redis.persistence.enabled` | Enable persistence using PVC | `false` | +| `redis.persistence.storageClass` | Storage class for PVC | `` | +| `redis.persistence.accessModes` | PVC access modes | `[ReadWriteOnce]` | +| `redis.persistence.size` | PVC size | `8Gi` | +| `redis.persistence.annotations` | PVC annotations (can include Helm hooks) | `{}` | +| `redis.persistence.existingClaim` | Use existing PVC | `` | +| `redis.maxmemory` | Redis max memory limit | `256mb` | +| `redis.maxmemoryPolicy` | Redis eviction policy | `allkeys-lru` | +| `redis.appendonly` | Enable AOF persistence | `false` | +| `redis.tls.enabled` | Enable TLS | `true` | +| `redis.tls.autoGenerated` | Auto-generate self-signed certificates | `true` | +| `redis.tls.certificatesSecret` | Existing secret with TLS certificates | `` | +| `redis.configuration` | Custom Redis configuration | `` | +| `redis.commonAnnotations` | Annotations applied to all Redis resources | `{}` | +| `redis.resources` | Resource requests and limits | `{}` | +| `redis.livenessProbe.enabled` | Enable liveness probe | `true` | +| `redis.livenessProbe.initialDelaySeconds` | Liveness probe initial delay | `5` | +| `redis.livenessProbe.periodSeconds` | Liveness probe period | `5` | +| `redis.livenessProbe.timeoutSeconds` | Liveness probe timeout | `5` | +| `redis.livenessProbe.failureThreshold` | Liveness probe failure threshold | `5` | +| `redis.readinessProbe.enabled` | Enable readiness probe | `true` | +| `redis.readinessProbe.initialDelaySeconds` | Readiness probe initial delay | `5` | +| `redis.readinessProbe.periodSeconds` | Readiness probe period | `5` | +| `redis.readinessProbe.timeoutSeconds` | Readiness probe timeout | `1` | +| `redis.readinessProbe.failureThreshold` | Readiness probe failure threshold | `5` | +| `redis.startupProbe.enabled` | Enable startup probe | `false` | +| `redis.nodeSelector` | Node labels for pod assignment | `{}` | +| `redis.affinity` | Affinity settings | `{}` | +| `redis.tolerations` | Tolerations for pod assignment | `[]` | +| `redis.podSecurityContext` | Pod security context | `{}` | +| `redis.containerSecurityContext` | Container security context | `{}` | +| `redis.podAnnotations` | Pod annotations | `{}` | +| `redis.podLabels` | Pod labels | `{}` | + #### Example Configuration Enable Redis with basic settings (no auth, no TLS): + ```yaml config: redis: @@ -1184,6 +1294,7 @@ redis: ``` With authentication and TLS enabled: + ```yaml config: redis: @@ -1212,6 +1323,7 @@ redis: ``` With custom memory and eviction policy: + ```yaml config: redis: @@ -1228,12 +1340,14 @@ redis: #### TLS Certificates When `redis.tls.autoGenerated` is `true`, the chart automatically generates self-signed TLS certificates that include the following Subject Alternative Names (SANs): + - StatefulSet pod FQDN (e.g., `ssg-gateway-redis-0.ssg-gateway-redis-headless.namespace.svc.cluster.local`) - Headless service names in all variations - Regular service names - `localhost` and `127.0.0.1` To use your own certificates, set `redis.tls.autoGenerated: false` and provide your own secret: + ```yaml redis: tls: @@ -1243,6 +1357,7 @@ redis: ``` The secret must contain the following keys: + - `tls.crt` - Server certificate - `tls.key` - Server private key - `ca.crt` - CA certificate @@ -1250,17 +1365,22 @@ The secret must contain the following keys: [Back to Additional Guides](#additional-guides) ### GemFire Configuration (11.1.3) + Gemfire as shared data provider is supported with Gateway v11.1.3 onwards. Prerequisites: -* ClusterIssuer/Issuer in cert-manager is required to generate TLS secret automatically when TLS is enabled without providing a tls secret. See how to configure [SelfSigned](https://cert-manager.io/docs/configuration/selfsigned/) and [CA](https://cert-manager.io/docs/configuration/ca/) issuer + +- ClusterIssuer/Issuer in cert-manager is required to generate TLS secret automatically when TLS is enabled without providing a tls secret. See how to configure [SelfSigned](https://cert-manager.io/docs/configuration/selfsigned/) and [CA](https://cert-manager.io/docs/configuration/ca/) issuer To configure gemfire as data provider comment out existing system properties + ``` # com.l7tech.server.extension.sharedKeyValueStoreProvider=embeddedhazelcast # com.l7tech.server.extension.sharedCounterProvider=ssgdb ``` + Set the following system properties as needed + ``` # com.l7tech.server.extension.sharedKeyValueStoreProvider=embeddedgemfire/externalgemfire # com.l7tech.server.extension.sharedCounterProvider=embeddedgemfire/externalgemfire @@ -1268,48 +1388,54 @@ Set the following system properties as needed # com.l7tech.server.extension.sharedSortedSetProvider=embeddedgemfire/externalgemfire # com.l7tech.external.assertions.keyvaluestore.sharedKeyValueStoreProvider=embeddedgemfire/externalgemfire ``` -| Parameter | Description | Default | -|-------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------| -| `config.gemfire.acceptTerms` | Accepting the terms of use for VMware Tanzu GemFire. | `true` | -| `config.gemfire.auth.enabled` | Enable security athentication. | `false` | -| `config.gemfire.auth.username` | Authentication username, can be plaintext or openssl encrypted. If not provided use default username. | `default` | -| `config.gemfire.auth.password` | Authentication password in plaintxt or encrypted with OpenSSL. If not provided use clsuter password. | '' | -| `config.gemfire.tls.enabled` | Enable SSL/TLS secure communication between gateway and gemfire cluster components. | `false` | -| `config.gemfire.tls.certificate.issuerRef.kind` | Specifies cert-manager issuer type, Issuer or ClusterIssuer.
Required when tls is enabled but existingSecret is not provided. | `ClusterIssuer` | -| `config.gemfire.tls.certificate.issuerRef.name` | The exact name of the Issuer or ClusterIssuer.
Required when tls is enabled but existingSecret is not provided. | `myClusterIssuer` | -| `config.gemfire.tls.existingSecret` | Name of an existing secret - must contain two keys named truststore.p12 and keystore.p12 if provided.
Takes priority over certificate issuer. | `` | -| `config.gemfire.tls.password` | Pasword for truststore.12 and keystore.p12 in existingSecret, can be plaintext or openssl encrypted.
If existingSeret is set but password is not provided, default to clusterPassword | clusterPassword | -| `config.gemfire.tls.additionalProperties` | Additional tls related properties. | `` | -| `config.gemfire.useExistingLocators` | A list of existing locators to be used by gateway. | `[]` | -| `config.gemfire.embedded.enabled` | Enable embedded GemFire. | `false` | -| `config.gemfire.embedded.caches.additionalProperties` | Additional properties for embedded GemFire caches. | `` | -| `config.gemfire.embedded.externalLocators.replicas` | Number of GemFire locator replicas to deploy. | `2` | -| `config.gemfire.embedded.externalLocators.image.registry` | Image Registry | `docker.io` | -| `config.gemfire.embedded.externalLocators.image.repository` | Image Repository | `gemfire/gemfire` | -| `config.gemfire.embedded.externalLocators.image.tag` | Image Tag | `10.2.0-jdk21` | -| `config.gemfire.embedded.externalLocators.image.pullPolicy` | Image Pull Policy | `IfNotPresent` | -| `config.gemfire.embedded.externalLocators.resources` | Locator pod resources | {} | -| `config.gemfire.embedded.externalLocators.persistence.size` | Persistent Volume Claim Size | `2Gi` | -| `config.gemfire.external.enabled` | Enable external GemFire. | `false` | -| `config.gemfire.external.testOnStart` | Test the connection to Redis during Gateway start. If the conection fails and this is true, the Gateway will not start. | `false` | -| `config.gemfire.external.gwCounterRegionName` | GemFire data region name for gateway counter provider. | `layer7gw_counter` | -| `config.gemfire.external.gwRateLimiterRegionName` | GemFire data region name for gateway rate limiter provider. | `layer7gw_ratelimiter` | -| `config.gemfire.external.gwKeyValueRegionName` | GemFire data region name for gateway key value store provider. | `layer7gw_keyvalue` | -| `config.gemfire.external.gwSortedSetRegionName` | GemFire data region name for gateway sotred set provider. | `layer7gw_sortedset` | -| `config.gemfire.external.dynamicProperties` | Additional GemFire properties from gemfire.properties or gfsecurity.properties. | `` | -| `config.gemfire.managementConsole.enabled` | Enable GemFire management console. | `false` | -| `config.gemfire.managementConsole.service.port` | GemFire management console service port. | `8080` | -| `config.gemfire.managementConsole.service.annotations` | GemFire management console service annotations. | `{}` | -| `config.gemfire.managementConsole.image.registry` | Image Registry | `docker.io` | -| `config.gemfire.managementConsole.image.repository` | Image Repository | `gemfire/gemfire` | -| `config.gemfire.managementConsole.image.tag` | Image Tag | `1.4.1` | -| `config.gemfire.managementConsole.image.pullPolicy` | Image Pull Policy | `IfNotPresent` | + + +| Parameter | Description | Default | +| ----------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------- | +| `config.gemfire.acceptTerms` | Accepting the terms of use for VMware Tanzu GemFire. | `true` | +| `config.gemfire.auth.enabled` | Enable security athentication. | `false` | +| `config.gemfire.auth.username` | Authentication username, can be plaintext or openssl encrypted. If not provided use default username. | `default` | +| `config.gemfire.auth.password` | Authentication password in plaintxt or encrypted with OpenSSL. If not provided use clsuter password. | '' | +| `config.gemfire.tls.enabled` | Enable SSL/TLS secure communication between gateway and gemfire cluster components. | `false` | +| `config.gemfire.tls.certificate.issuerRef.kind` | Specifies cert-manager issuer type, Issuer or ClusterIssuer. Required when tls is enabled but existingSecret is not provided. | `ClusterIssuer` | +| `config.gemfire.tls.certificate.issuerRef.name` | The exact name of the Issuer or ClusterIssuer. Required when tls is enabled but existingSecret is not provided. | `myClusterIssuer` | +| `config.gemfire.tls.existingSecret` | Name of an existing secret - must contain two keys named truststore.p12 and keystore.p12 if provided. Takes priority over certificate issuer. | `` | +| `config.gemfire.tls.password` | Pasword for truststore.12 and keystore.p12 in existingSecret, can be plaintext or openssl encrypted. If existingSeret is set but password is not provided, default to clusterPassword | clusterPassword | +| `config.gemfire.tls.additionalProperties` | Additional tls related properties. | `` | +| `config.gemfire.useExistingLocators` | A list of existing locators to be used by gateway. | `[]` | +| `config.gemfire.embedded.enabled` | Enable embedded GemFire. | `false` | +| `config.gemfire.embedded.caches.additionalProperties` | Additional properties for embedded GemFire caches. | `` | +| `config.gemfire.embedded.externalLocators.replicas` | Number of GemFire locator replicas to deploy. | `2` | +| `config.gemfire.embedded.externalLocators.image.registry` | Image Registry | `docker.io` | +| `config.gemfire.embedded.externalLocators.image.repository` | Image Repository | `gemfire/gemfire` | +| `config.gemfire.embedded.externalLocators.image.tag` | Image Tag | `10.2.0-jdk21` | +| `config.gemfire.embedded.externalLocators.image.pullPolicy` | Image Pull Policy | `IfNotPresent` | +| `config.gemfire.embedded.externalLocators.resources` | Locator pod resources | {} | +| `config.gemfire.embedded.externalLocators.persistence.size` | Persistent Volume Claim Size | `2Gi` | +| `config.gemfire.external.enabled` | Enable external GemFire. | `false` | +| `config.gemfire.external.testOnStart` | Test the connection to Redis during Gateway start. If the conection fails and this is true, the Gateway will not start. | `false` | +| `config.gemfire.external.gwCounterRegionName` | GemFire data region name for gateway counter provider. | `layer7gw_counter` | +| `config.gemfire.external.gwRateLimiterRegionName` | GemFire data region name for gateway rate limiter provider. | `layer7gw_ratelimiter` | +| `config.gemfire.external.gwKeyValueRegionName` | GemFire data region name for gateway key value store provider. | `layer7gw_keyvalue` | +| `config.gemfire.external.gwSortedSetRegionName` | GemFire data region name for gateway sotred set provider. | `layer7gw_sortedset` | +| `config.gemfire.external.dynamicProperties` | Additional GemFire properties from gemfire.properties or gfsecurity.properties. | `` | +| `config.gemfire.managementConsole.enabled` | Enable GemFire management console. | `false` | +| `config.gemfire.managementConsole.service.port` | GemFire management console service port. | `8080` | +| `config.gemfire.managementConsole.service.annotations` | GemFire management console service annotations. | `{}` | +| `config.gemfire.managementConsole.image.registry` | Image Registry | `docker.io` | +| `config.gemfire.managementConsole.image.repository` | Image Repository | `gemfire/gemfire` | +| `config.gemfire.managementConsole.image.tag` | Image Tag | `1.4.1` | +| `config.gemfire.managementConsole.image.pullPolicy` | Image Pull Policy | `IfNotPresent` | + #### Creating your own Configuration + Please refer to [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/install-configure-upgrade/connect-to-a-gemfire-datastore.html) for more context on the available configuration options #### Embedded GemFire + Embedded gemfire will have external locators but gemfire cache servers are inside gateway container. + ``` config: gemfire: @@ -1320,10 +1446,13 @@ config: embedded: enabled: true ``` + #### External GemFire + Gateway as client connect to external gemfire cluster. Shared State Provider Config is used to configure gemfire. External gemfire is deployed by GemFire Kubernetes Operator, override-values.yaml: + ``` config: gemfire: @@ -1349,7 +1478,9 @@ config: sharedStateClient: enabled: true ``` + External gemfire, override-values.yaml: + ``` config: gemfire: @@ -1373,9 +1504,11 @@ config: sharedStateClient: enabled: true ``` + Providing custom sharedstate_client.yaml from a secret override-values.yaml + ``` config: gemfire: @@ -1395,7 +1528,9 @@ config: enabled: true existingConfigSecret: shared-state-client-secret ``` + sharedstate_client.yaml from secret + ``` gemfire: testOnStart: true @@ -1420,18 +1555,23 @@ gemfire: [Back to Additional Guides](#additional-guides) ### Shared State Provider Config + Shared State Providers from Gateway v11.1.1 onwards simplifies the configuration required to connect to providers like Redis. This is currently limited to Redis. In order for this configuration to take effect config.redis.enabled must also be set to true. -| Parameter | Description | Default | -| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | -| `config.sharedStateClient.enabled` | Enable redis configuration | `true` | -| `config.sharedStateClient.existingConfigSecret` | Use an existing config secret - must contain a key called sharedstate_client.yaml | `sharedstate-client-secret` | -| `config.sharedStateClient.additionalProviders` | Configure additional shared state providers - example in values.yaml | `[]` | + +| Parameter | Description | Default | +| ----------------------------------------------- | --------------------------------------------------------------------------------- | --------------------------- | +| `config.sharedStateClient.enabled` | Enable redis configuration | `true` | +| `config.sharedStateClient.existingConfigSecret` | Use an existing config secret - must contain a key called sharedstate_client.yaml | `sharedstate-client-secret` | +| `config.sharedStateClient.additionalProviders` | Configure additional shared state providers - example in values.yaml | `[]` | + [Back to Additional Guides](#additional-guides) ### Database Configuration + You can configure the deployment to use an external database (this is the recommended approach - the included MySQL SubChart is not supported). In the values.yaml file, set the create field in the database section to false, and set jdbcURL to use your own database server: + ``` database: enabled: true @@ -1442,9 +1582,11 @@ database: liquibaseLogLevel: "off" name: ssg ``` + In the above example, two MySQL database servers are specified with myprimaryserver acting as the primary server and mysecondaryserver acting as the secondary server. The failOverReadOnly property is also set to false meaning that the secondary server db is also writable. When disklessConfig.enabled is false (see [Diskless Configuration](#diskless-configuration)), the following database fields will be ignored: + - jdbcURL - username - password @@ -1452,11 +1594,13 @@ When disklessConfig.enabled is false (see [Diskless Configuration](#diskless-con The values will come from node.properties instead. See [External MySQL](#external-mysql) section. More info on the JDBC URL: -- Connection URL syntax: https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-url-format.html -- Failover config: https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-config-failover.html -- Configuration properties: https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-properties.html + +- Connection URL syntax: [https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-url-format.html](https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-url-format.html) +- Failover config: [https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-config-failover.html](https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-config-failover.html) +- Configuration properties: [https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-properties.html](https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-properties.html) Configuring SSL/TLS: the following parameters can be added to enable secure communication between the Gateway and an external MySQL Database + - useSSL=true - requireSSL=true - verifyServerCertificate=false @@ -1465,65 +1609,142 @@ Configuring SSL/TLS: the following parameters can be added to enable secure comm jdbcURL: jdbc:mysql://myprimaryserver:3306,mysecondaryserver:3306/ssg?useSSL=true&requireSSL=true&verifyServerCertificate=false ``` -In order the create the database on the remote server, the provided user in the username field must have write privilege on the database. See GRANT statement usage: https://dev.mysql.com/doc/refman/8.0/en/grant.html#grant-database-privileges +In order the create the database on the remote server, the provided user in the username field must have write privilege on the database. See GRANT statement usage: [https://dev.mysql.com/doc/refman/8.0/en/grant.html#grant-database-privileges](https://dev.mysql.com/doc/refman/8.0/en/grant.html#grant-database-privileges) + +[Back to Additional Guides](#additional-guides) + +### Database Migration Job (Pre-Upgrade Schema Updates) + +Gateway 11.2.2 introduces an opt-in `pre-upgrade` Kubernetes Job that applies Liquibase database schema changes before the new Gateway pods roll out. This decouples the schema upgrade from the Gateway startup process, preventing stuck `DATABASECHANGELOGLOCK` entries from blocking pod startup during rolling upgrades. + +> **Requirements:** Gateway connected to external MySQL The target Gateway image must be **11.2.2 or newer**. + +#### How it works + +When `database.migrationJob.enabled: true`, a short-lived `db-migration` Job pod is created as a Helm `pre-upgrade` hook. It runs the Gateway container image configured with a special startup mode that applies all pending schema changes and then exits — without starting the Gateway JVM. Once the Job completes successfully, Helm proceeds to roll out the main Gateway Deployment. + +The main Gateway pods should be configured with `javaArgs: ["-Dgateway.db.schema-update.mode=skip"]` so they bypass the Liquibase check entirely and start immediately without touching the database lock. + +#### Upgrade workflow + +**Step 1 – Enable the migration job and run `helm upgrade`** + +```yaml +database: + enabled: true + jdbcURL: jdbc:mysql://myprimaryserver:3306/ssg + + migrationJob: + enabled: true + # Optional: specify the primary writer endpoint directly. + # If omitted, falls back to database.jdbcURL above. + jdbcUrl: "jdbc:mysql://myprimaryserver:3306/ssg" +``` + +```bash +helm upgrade my-release layer7/gateway -f values.yaml +``` + +The `db-migration` job will run, apply the schema, and exit. Helm then rolls out the new Gateway pods. + +**Step 2 – Configure Gateway pods to skip Liquibase** + +After the migration completes, add the following to ensure normal Gateway pods start fast and are immune to lock contention: + +```yaml +javaArgs: + - "-Dgateway.db.schema-update.mode=skip" +``` + +#### Recovering from a stuck lock + +If a previous upgrade left the `DATABASECHANGELOGLOCK` locked (e.g. due to a crashed Gateway pod), set `clearLocks: true`. The migration job will forcefully release the stuck lock before applying schema changes. + +```yaml +database: + migrationJob: + enabled: true + clearLocks: true +``` + +> **Warning:** Use `clearLocks: true` with caution. Forcefully releasing the lock while another process is actively updating the schema can corrupt the database. + +#### Configuration + + +| Parameter | Description | Default | +| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ | ------- | +| `database.migrationJob.enabled` | Enable the pre-upgrade schema migration Job | `false` | +| `database.migrationJob.jdbcUrl` | JDBC URL for the migration job. Recommended to point at the primary writer endpoint directly. Falls back to `database.jdbcURL` if not set. | `""` | +| `database.migrationJob.clearLocks` | Forcefully release any stuck Liquibase locks before applying schema changes | `false` | +| `database.migrationJob.activeDeadlineSeconds` | Maximum time (in seconds) the job pod is allowed to run before being terminated | `300` | + + +#### Retry behaviour + +The Job is configured with `backoffLimit: 1`. If the first pod fails or times out, Kubernetes creates exactly one retry pod. If the retry also fails, the Job is marked `Failed` and Helm aborts the upgrade, leaving the existing Gateway pods untouched. [Back to Additional Guides](#additional-guides) ### MySQL StatefulSet (Development/Testing Only) + **Important Note:** This is a simple MySQL StatefulSet implementation for development and testing purposes only. ***It is not supported or recommended for production use.*** For production deployments, use an external MySQL database. #### Configuration -| Parameter | Description | Default | -| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | -| `mysql.image.repository` | MySQL image repository | `docker.io/mysql` | -| `mysql.image.tag` | MySQL image tag | `8.4.5` | -| `mysql.image.pullPolicy` | Image pull policy | `IfNotPresent` | -| `mysql.auth.rootPassword` | MySQL root password | `mypassword` | -| `mysql.auth.database` | Database name to create | `ssg` | -| `mysql.auth.username` | MySQL user (optional) | `gateway` | -| `mysql.auth.password` | MySQL user password | `mypassword` | -| `mysql.auth.existingSecret` | Use existing secret for credentials | `` | -| `mysql.service.type` | MySQL service type | `ClusterIP` | -| `mysql.service.port` | MySQL service port | `3306` | -| `mysql.service.annotations` | Annotations for the MySQL service | `{}` | -| `mysql.pdb.create` | Create PodDisruptionBudget for MySQL | `false` | -| `mysql.pdb.maxUnavailable` | Maximum unavailable pods | `` | -| `mysql.pdb.minAvailable` | Minimum available pods | `` | -| `mysql.persistence.enabled` | Enable persistence using PVC | `true` | -| `mysql.persistence.storageClass` | Storage class for PVC | `` | -| `mysql.persistence.accessModes` | PVC access modes | `[ReadWriteOnce]` | -| `mysql.persistence.size` | PVC size | `8Gi` | -| `mysql.persistence.annotations` | PVC annotations (can include Helm hooks) | `{}` | -| `mysql.persistence.existingClaim`| Use existing PVC | `` | -| `mysql.configuration` | Custom MySQL configuration (my.cnf) | `see values.yaml` | -| `mysql.existingConfigmap` | Use existing ConfigMap for configuration | `` | -| `mysql.initdbScripts` | Init scripts as key-value pairs | `{}` | -| `mysql.initdbScriptsConfigMap` | Existing ConfigMap with init scripts | `` | -| `mysql.commonAnnotations` | Annotations applied to all MySQL resources (can include Helm hooks) | `{}` | -| `mysql.resources` | Resource requests and limits | `{}` | -| `mysql.livenessProbe.enabled` | Enable liveness probe | `true` | -| `mysql.livenessProbe.initialDelaySeconds` | Liveness probe initial delay | `30` | -| `mysql.livenessProbe.periodSeconds` | Liveness probe period | `10` | -| `mysql.livenessProbe.timeoutSeconds` | Liveness probe timeout | `5` | -| `mysql.livenessProbe.failureThreshold` | Liveness probe failure threshold | `3` | -| `mysql.readinessProbe.enabled` | Enable readiness probe | `true` | -| `mysql.readinessProbe.initialDelaySeconds` | Readiness probe initial delay | `5` | -| `mysql.readinessProbe.periodSeconds` | Readiness probe period | `5` | -| `mysql.readinessProbe.timeoutSeconds` | Readiness probe timeout | `1` | -| `mysql.readinessProbe.failureThreshold` | Readiness probe failure threshold | `3` | -| `mysql.startupProbe.enabled` | Enable startup probe | `false` | -| `mysql.nodeSelector` | Node labels for pod assignment | `{}` | -| `mysql.affinity` | Affinity settings | `{}` | -| `mysql.tolerations` | Tolerations for pod assignment | `[]` | -| `mysql.podSecurityContext` | Pod security context | `{}` | -| `mysql.containerSecurityContext` | Container security context | `{}` | -| `mysql.podAnnotations` | Pod annotations | `{}` | -| `mysql.podLabels` | Pod labels | `{}` | + +| Parameter | Description | Default | +| ------------------------------------------ | ------------------------------------------------------------------- | ----------------- | +| `mysql.image.repository` | MySQL image repository | `docker.io/mysql` | +| `mysql.image.tag` | MySQL image tag | `8.4.5` | +| `mysql.image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `mysql.auth.rootPassword` | MySQL root password | `mypassword` | +| `mysql.auth.database` | Database name to create | `ssg` | +| `mysql.auth.username` | MySQL user (optional) | `gateway` | +| `mysql.auth.password` | MySQL user password | `mypassword` | +| `mysql.auth.existingSecret` | Use existing secret for credentials | `` | +| `mysql.service.type` | MySQL service type | `ClusterIP` | +| `mysql.service.port` | MySQL service port | `3306` | +| `mysql.service.annotations` | Annotations for the MySQL service | `{}` | +| `mysql.pdb.create` | Create PodDisruptionBudget for MySQL | `false` | +| `mysql.pdb.maxUnavailable` | Maximum unavailable pods | `` | +| `mysql.pdb.minAvailable` | Minimum available pods | `` | +| `mysql.persistence.enabled` | Enable persistence using PVC | `true` | +| `mysql.persistence.storageClass` | Storage class for PVC | `` | +| `mysql.persistence.accessModes` | PVC access modes | `[ReadWriteOnce]` | +| `mysql.persistence.size` | PVC size | `8Gi` | +| `mysql.persistence.annotations` | PVC annotations (can include Helm hooks) | `{}` | +| `mysql.persistence.existingClaim` | Use existing PVC | `` | +| `mysql.configuration` | Custom MySQL configuration (my.cnf) | `see values.yaml` | +| `mysql.existingConfigmap` | Use existing ConfigMap for configuration | `` | +| `mysql.initdbScripts` | Init scripts as key-value pairs | `{}` | +| `mysql.initdbScriptsConfigMap` | Existing ConfigMap with init scripts | `` | +| `mysql.commonAnnotations` | Annotations applied to all MySQL resources (can include Helm hooks) | `{}` | +| `mysql.resources` | Resource requests and limits | `{}` | +| `mysql.livenessProbe.enabled` | Enable liveness probe | `true` | +| `mysql.livenessProbe.initialDelaySeconds` | Liveness probe initial delay | `30` | +| `mysql.livenessProbe.periodSeconds` | Liveness probe period | `10` | +| `mysql.livenessProbe.timeoutSeconds` | Liveness probe timeout | `5` | +| `mysql.livenessProbe.failureThreshold` | Liveness probe failure threshold | `3` | +| `mysql.readinessProbe.enabled` | Enable readiness probe | `true` | +| `mysql.readinessProbe.initialDelaySeconds` | Readiness probe initial delay | `5` | +| `mysql.readinessProbe.periodSeconds` | Readiness probe period | `5` | +| `mysql.readinessProbe.timeoutSeconds` | Readiness probe timeout | `1` | +| `mysql.readinessProbe.failureThreshold` | Readiness probe failure threshold | `3` | +| `mysql.startupProbe.enabled` | Enable startup probe | `false` | +| `mysql.nodeSelector` | Node labels for pod assignment | `{}` | +| `mysql.affinity` | Affinity settings | `{}` | +| `mysql.tolerations` | Tolerations for pod assignment | `[]` | +| `mysql.podSecurityContext` | Pod security context | `{}` | +| `mysql.containerSecurityContext` | Container security context | `{}` | +| `mysql.podAnnotations` | Pod annotations | `{}` | +| `mysql.podLabels` | Pod labels | `{}` | + #### Example Configuration Enable MySQL with basic settings: + ```yaml database: create: true # Enables the MySQL StatefulSet @@ -1540,6 +1761,7 @@ mysql: ``` With Helm hooks for pre-install: + ```yaml database: create: true @@ -1557,6 +1779,7 @@ mysql: ``` With custom configuration: + ```yaml database: create: true @@ -1570,6 +1793,7 @@ mysql: ``` With init scripts: + ```yaml database: create: true @@ -1588,6 +1812,7 @@ mysql: #### Connecting the Gateway to MySQL When using the MySQL StatefulSet, configure the Gateway's database connection: + ```yaml database: enabled: true @@ -1602,6 +1827,7 @@ The Gateway will automatically connect to the MySQL service at `-g #### OTK Demo Database Integration When `otk.database.useDemoDb` is set to `true` and `database.create` is `true`, the MySQL StatefulSet will automatically: + - Apply Helm hook annotations (`helm.sh/hook: pre-install,post-upgrade`) to ensure MySQL is created before OTK installation - Mount the OTK database initialization scripts from the `otk-db-scripts-cm` ConfigMap - Initialize the OTK database schema during MySQL startup @@ -1629,14 +1855,18 @@ mysql: [Back to Additional Guides](#additional-guides) ### Cluster Wide Properties + You can specify cluster-wide properties in values.yaml, you can also use the [bundle](#bundle-configuration) to load your own Gateway Bundles. -| Parameter | Description | Default | -| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | -| `config.cwp.enabled` | Enable the CWP functionality (mounts a volume) | `false` | -| `config.cwp.properties` | Array of Key/Value pairs of cluster-wide properties | `see values.yaml` | + +| Parameter | Description | Default | +| ----------------------- | --------------------------------------------------- | ----------------- | +| `config.cwp.enabled` | Enable the CWP functionality (mounts a volume) | `false` | +| `config.cwp.properties` | Array of Key/Value pairs of cluster-wide properties | `see values.yaml` | + The default cluster-wide properties are as follows + ``` config: ... @@ -1659,15 +1889,17 @@ config: [Back to Additional Guides](#additional-guides) ### Enable DualStack(IPv4/IPv6) + To enable dual stack, you need to add or uncomment the given Java arguments, which can be configured in the values.yaml file. Gateway v11.1.3 supports dual stack. -Djava.net.preferIPv4Stack=false -Djava.net.preferIPv6Addresses=true -| Java Argument | Description | Default | -|---------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------| -| `-Djava.net.preferIPv4Stack=false` | If IPv6 is available on the operating system, the underlying native socket will, by default, be an IPv6 socket. This allows applications to connect to, and accept connections from, both IPv4 and IPv6 hosts. | `true` | -| `-Djava.net.preferIPv6Addresses=true` | When connecting to a host that has both IPv4 and IPv6 addresses, and if IPv6 is available on the operating system, the default behavior is to prefer IPv4 addresses over IPv6. | `false` | + +| Java Argument | Description | Default | +| ------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `-Djava.net.preferIPv4Stack=false` | If IPv6 is available on the operating system, the underlying native socket will, by default, be an IPv6 socket. This allows applications to connect to, and accept connections from, both IPv4 and IPv6 hosts. | `true` | +| `-Djava.net.preferIPv6Addresses=true` | When connecting to a host that has both IPv4 and IPv6 addresses, and if IPv6 is available on the operating system, the default behavior is to prefer IPv4 addresses over IPv6. | `false` | ``` @@ -1690,27 +1922,32 @@ config: Gateway and Management Service can optionally configure it as dual stack. -| Parameter | Description | Default | -|-------------------------------------|----------------------------------------------------------------------------------------------------------------------|-----------------| -| `service.ipFamilyPolicy` | Gateway Service ipFamilyPolicy can be used to configure SingleStack, PreferDualStack or RequireDualStack | `commented out` | -| `service.ipFamilies` | Gateway Service ipFamilies can be used to configure ["IPv4"], ["IPv6"], ["IPv4", "IPv6"] or ["IPv6", "IPv4"] | `nil` | -| `management.service.ipFamilyPolicy` | PolicyManager Service ipFamilyPolicy can be used to configure SingleStack, PreferDualStack or RequireDualStack | `commented out` | -| `management.service.ipFamilies` | PolicyMananger Service ipFamilies can be used to configure ["IPv4"], ["IPv6"], ["IPv4", "IPv6"] or ["IPv6", "IPv4"] | `nil` | + +| Parameter | Description | Default | +| ----------------------------------- | ------------------------------------------------------------------------------------------------------------------- | --------------- | +| `service.ipFamilyPolicy` | Gateway Service ipFamilyPolicy can be used to configure SingleStack, PreferDualStack or RequireDualStack | `commented out` | +| `service.ipFamilies` | Gateway Service ipFamilies can be used to configure ["IPv4"], ["IPv6"], ["IPv4", "IPv6"] or ["IPv6", "IPv4"] | `nil` | +| `management.service.ipFamilyPolicy` | PolicyManager Service ipFamilyPolicy can be used to configure SingleStack, PreferDualStack or RequireDualStack | `commented out` | +| `management.service.ipFamilies` | PolicyMananger Service ipFamilies can be used to configure ["IPv4"], ["IPv6"], ["IPv4", "IPv6"] or ["IPv6", "IPv4"] | `nil` | [Back to Additional Guides](#additional-guides) ### Java Args + Additional Java Arguments as may be recommended by support can be configured in values.yaml. Gateway v11.1.1 supports two new fields that allows a min and max heap size to be set. If these are not set config.heapSize will take precedence. -| Parameter | Description | Default | -| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | -| `config.heapSize` | Java Heap Size - this should be a percentage of the memory configured in resources.limits and should be updated together. The default assumes 50%, going above 75% is not recommended | `2G` | -| `config.minHeapSize` | Java Min Heap Size - this should be a percentage of the memory configured in resources.limits and should be updated together. The default assumes 25% | `1G` | -| `config.maxHeapSize` | Java Max Heap Size - this should be a percentage of the memory configured in resources.limits and should be updated together. The default assumes 75%, going above this is not recommended | `3G` | -| `config.javaArgs` | Additional Java Args to pass to the SSG process | `see values.yaml` | + +| Parameter | Description | Default | +| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------- | +| `config.heapSize` | Java Heap Size - this should be a percentage of the memory configured in resources.limits and should be updated together. The default assumes 50%, going above 75% is not recommended | `2G` | +| `config.minHeapSize` | Java Min Heap Size - this should be a percentage of the memory configured in resources.limits and should be updated together. The default assumes 25% | `1G` | +| `config.maxHeapSize` | Java Max Heap Size - this should be a percentage of the memory configured in resources.limits and should be updated together. The default assumes 75%, going above this is not recommended | `3G` | +| `config.javaArgs` | Additional Java Args to pass to the SSG process | `see values.yaml` | + The default Java Args are as follows + ``` config: heapSize: "2g" @@ -1730,11 +1967,14 @@ config: [Back to Additional Guides](#additional-guides) ### System Properties + Additional System Properties as may be recommended by support can be configured in values.yaml -| Parameter | Description | Default | -| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | -| `config.systemProperties` | Gateway System Properties | `see values.yaml` | + +| Parameter | Description | Default | +| ------------------------- | ------------------------- | ----------------- | +| `config.systemProperties` | Gateway System Properties | `see values.yaml` | + The default systemProperties represent what is currently in the base Gateway image with one added flag @@ -1744,6 +1984,7 @@ com.l7tech.server.clusterStaleNodeCleanupTimeoutSeconds=86400 ``` The full default is this + ``` systemProperties: |- # Default Gateway system properties @@ -1765,13 +2006,16 @@ The full default is this [Back to Additional Guides](#additional-guides) ### Diskless Configuration + Refer to [TechDocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/install-configure-upgrade/configuring-the-container-gateway/environment-variables-for-the-container-gateway.html) for more info. Running without Diskless config is supported from Gateway v11.1.1 onwards. Please make sure disklessConfig.enabled is true (default) if you are using a previous version of the Container Gateway. **DISKLESS_CONFIG** is a new environment variable that was introduced in Gateway v11.1.1, that allows switching between configuration sources. This is exposed in the Gateway Helm Chart via the disklessConfig configuration in values.yaml. + - **disklessConfig.enabled: true** - Default, No changes. + ``` disklessConfig: enabled: true @@ -1779,11 +2023,13 @@ disklessConfig: # name: gateway-secret # csi: {} ``` + - **disklessConfig.enabled: false** - The Gateway will be read its configuration from node.properties which is mounted to the container gateway. - This facilitates the use of the [secret store csi driver](https://secrets-store-csi-driver.sigs.k8s.io/) to mount configuration. - Creates a secret with node.properties by default - We **strongly recommend** you create your own node.properties file and make use of disklessConfig.existingSecret configuration. + ``` disklessConfig: enabled: false @@ -1795,9 +2041,11 @@ disklessConfig: #### Creating a node.properties file ##### External MySQL + - Make sure the database configuration matches what is in node.properties Example: node.properties with MySQL database configuration + ``` node.cluster.pass=mypassword admin.user=admin @@ -1810,9 +2058,11 @@ l7.mysql.connection.url=jdbc:mysql://myprimaryserver:3306,mysecondaryserver:3306 See [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/install-configure-upgrade/enable-ssl-connections-for-mysql.html) for more info on setting l7.mysql.connection.url. JDBC URLs like the value provided in database.jdbcUrl can be used as the value of l7.mysql.connection.url in node.properties. ##### Gateway running in Ephemeral Mode (no external MySQL) + - To run the Gateway in Ephemeral mode, ***node.db.type=derby*** needs to be added to node.properties Example: node.properties with Derby configuration + ``` node.cluster.pass=mypassword admin.user=admin @@ -1820,24 +2070,31 @@ admin.pass=mypassword node.db.type=derby node.db.config.main.user=gateway ``` + Unlike interactive password changes in Policy Manager, the container startup scripts validate the following username and password against a restricted character set (for parsing/scripting safety): + ``` admin.user, admin.pass, node.db.config.main.user, node.db.config.main.pass ``` + They may contain alphanumeric ASCII characters and any of the following symbols: ! @ . = - _ ^ + ; : # , %. Do NOT use space characters. ##### Update values.yaml + Update your values file to use the new node.properties file. This command is the simplest way to create a secret with node.properties. Note that this can also be created with tools like [kustomize](https://kustomize.io/) which will be better for CI/CD pipelines. You can also take advantage of the secret [secret store csi driver](https://secrets-store-csi-driver.sigs.k8s.io/) to mount this secret from an external KMS provider. Note that the key name is node.properties. This is required. + ``` kubectl create secret generic gateway-secret --from-file=node.properties=path/to/node.properties ``` + values.yaml + ``` disklessConfig: enabled: false @@ -1849,6 +2106,7 @@ disklessConfig: # volumeAttributes: # secretProviderClass: "secret-provider-class-name" ``` + #### Set up node.properties secret by InitContainer From Gateway v11.2.0 onwards, node.properties support secrets provided in different format by different third party secret managers using InitContainer. @@ -1857,6 +2115,7 @@ Gateway container mounts only /opt/docker/custom/custom-properties/node.properti InitContainer volumeMounts name has to be **shared-secret** values.yaml + ``` disklessConfig: enabled: false @@ -1884,21 +2143,26 @@ initContainers: yum install -y jq jq -r 'to_entries | map("\(.key)=\(.value)") |.[]' /opt/docker/config/node.json > /opt/docker/config/node.properties ``` + More information on how to use initContainers with examples can be found on the [Layer7 Community Github Utilities Repository](https://github.com/Layer7-Community/Utilities/tree/main/gateway-init-container-examples). [Back to Additional Guides](#additional-guides) ### Bundle Configuration + There are a variety of ways to mount Gateway (Restman format) Bundles to the Gateway Container. The best option is making use of existingBundles where the bundle has been created ahead of deployment as a configMap or secret. This allows for purpose built Gateways with a guaranteed set of configuration, apis/services. -| Parameter | Description | Default | -| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | -| `existingBundle.enabled` | Enable bundle mounts | `false` | -| `existingBundle.configMaps` | Array of configmap configurations | `see values.yaml` | -| `existingBundle.secrets` | Array of secret configurations | `see values.yaml` | + +| Parameter | Description | Default | +| --------------------------- | --------------------------------- | ----------------- | +| `existingBundle.enabled` | Enable bundle mounts | `false` | +| `existingBundle.configMaps` | Array of configmap configurations | `see values.yaml` | +| `existingBundle.secrets` | Array of secret configurations | `see values.yaml` | + This example shows 1 secret and 1 configmap configured - you can also use the secrets-store.csi.k8s.io driver for bundles that contain sensitive information. + ``` # Bundles that contain sensitive information can be mounted using the Kubernetes CSI Driver existingBundle: @@ -1921,9 +2185,11 @@ existingBundle: [Back to Additional Guides](#additional-guides) ### Bootstrap Script + To reduce reliance on requiring a custom gateway image for custom and modular assertions, scripts and restman bundles a bootstrap script has been introduced. The script works with the /opt/docker/custom folder. The best way to populate this folder is with an initContainer where files can be copied directly across or dynamically loaded from an external source. The following configuration enables the script + ``` bootstrap: script: @@ -1931,36 +2197,37 @@ bootstrap: cleanup: false <== set this to true if you'd like to clear the /opt/docker/custom folder after it has run. ``` -The bootstrap script scans files in ```/opt/docker/custom```. This folder is populated by an initContainer. +The bootstrap script scans files in `/opt/docker/custom`. This folder is populated by an initContainer. The following folder stucture must be maintained - Restman Bundles (.bundle) - - Source ```/opt/docker/custom/bundles``` - - Target ```/opt/SecureSpan/Gateway/node/default/etc/bootstrap/bundle``` + - Source `/opt/docker/custom/bundles` + - Target `/opt/SecureSpan/Gateway/node/default/etc/bootstrap/bundle` - Custom Assertions (.jar) - - Source ```/opt/docker/custom/custom-assertions``` - - Target ```/opt/SecureSpan/Gateway/runtime/modules/lib/``` + - Source `/opt/docker/custom/custom-assertions` + - Target `/opt/SecureSpan/Gateway/runtime/modules/lib/` - Modular Assertions (.aar) - - Source ```/opt/docker/custom/modular-assertions``` - - Target ```/opt/SecureSpan/Gateway/runtime/modules/assertions``` + - Source `/opt/docker/custom/modular-assertions` + - Target `/opt/SecureSpan/Gateway/runtime/modules/assertions` - Properties (.properties) - - Source ```/opt/docker/custom/properties``` - - Target ```/opt/SecureSpan/Gateway/node/default/etc/conf/``` - + - Source `/opt/docker/custom/properties` + - Target `/opt/SecureSpan/Gateway/node/default/etc/conf/` More information on how to use initContainers with examples can be found on the [Layer7 Community Github Utilities Repository](https://github.com/Layer7-Community/Utilities/tree/main/gateway-init-container-examples). [Back to Additional Guides](#additional-guides) ### Custom Health Checks -You can now specify a configMap or Secret that contains healthcheck scripts. These are mounted to ```/opt/docker/rc.d/diagnostic/health_check``` where they are run by ```/opt/docker/rc.d/diagnostic/health_check.sh```. + +You can now specify a configMap or Secret that contains healthcheck scripts. These are mounted to `/opt/docker/rc.d/diagnostic/health_check` where they are run by `/opt/docker/rc.d/diagnostic/health_check.sh`. - Limited to a single configmap or secret. - ConfigMaps and Secrets can hold multiple scripts. - [See this example](https://github.com/Layer7-Community/Utilities/tree/main/gateway-init-container-examples) ***NOTE: if you set a configMap and a Secret only one of them will be applied to your API Gateway.*** + ``` existingHealthCheck: enabled: false @@ -1980,9 +2247,11 @@ existingHealthCheck: [Back to Additional Guides](#additional-guides) ### Custom Configuration Files + Certain folders on the Container Gateway are not writeable by design. This configuration allows you to mount existing configMap/Secret keys to specific paths on the Gateway without the need for a root user or a custom/derived image. - [See this example](https://github.com/Layer7-Community/Utilities/tree/main/gateway-init-container-examples) + ``` customConfig: enabled: false @@ -2000,13 +2269,15 @@ customConfig: [Back to Additional Guides](#additional-guides) ### Graceful Termination + During upgrades and other events where Gateway pods are replaced you may have APIs/Services that have long running connections open. This functionality delays Kubernetes sending a SIGTERM to the container gateway while connections remain open. This works in conjunction with terminationGracePeriodSeconds which should always be higher than preStopScript.timeoutSeconds. If preStopScript.timeoutSeconds is exceeded, the script will exit 0 and normal pod termination will resume. -The preStop script will monitor connections to inbound (not outbound) Gateway Application TCP ports (i.e. inbound listener ports opened by the Gateway Application and not some other process) except those that are explicitly excluded. +The preStop script will monitor connections to **inbound (not outbound)** Gateway Application TCP ports (i.e. inbound listener ports opened by the Gateway Application and not some other process) except those that are explicitly excluded. The following ports are excluded from monitoring by default. + - 8777 (Hazelcast) - Hazelcast. - 2124 (Internode-Communication) - not utilised by the Container Gateway. @@ -2016,32 +2287,38 @@ While there aren't any explicit limits on preStopScript.timeoutSeconds and termi The graceful termination (preStop script) is disabled by default. -| Parameter | Description | Default | -| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | -| `lifecycleHooks` | Custom lifecycle hooks, takes precedence over the preStopScript | `{}` | -| `preStopScript.enabled` | Enable the preStop script | `false` | -| `preStopScript.periodSeconds` | The time in seconds between checks | `3` | -| `preStopScript.timeoutSeconds` | Timeout - must be lower than terminationGracePeriodSeconds | `60` | -| `preStopScript.excludedPorts` | Array of ports that should be excluded from the preStop script check | `[8777, 2124]` | -| `terminationGracePeriodSeconds` | Default duration in seconds kubernetes waits for container to exit before sending kill signal. | `see values.yaml` | + +| Parameter | Description | Default | +| ------------------------------- | ---------------------------------------------------------------------------------------------- | ----------------- | +| `lifecycleHooks` | Custom lifecycle hooks, takes precedence over the preStopScript | `{}` | +| `preStopScript.enabled` | Enable the preStop script | `false` | +| `preStopScript.periodSeconds` | The time in seconds between checks | `3` | +| `preStopScript.timeoutSeconds` | Timeout - must be lower than terminationGracePeriodSeconds | `60` | +| `preStopScript.excludedPorts` | Array of ports that should be excluded from the preStop script check | `[8777, 2124]` | +| `terminationGracePeriodSeconds` | Default duration in seconds kubernetes waits for container to exit before sending kill signal. | `see values.yaml` | + [Back to Additional Guides](#additional-guides) ### Autoscaling + Autoscaling is disabled by default, you will need [metrics server](https://github.com/kubernetes-sigs/metrics-server) in conjunction with the configuration below. In order for Kubernetes to determine when to scale, you will also need to configure resources We do not recommend setting MaxReplicas for a MySQL backed API Gateway above 8. -| Parameter | Description | Default | -| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | -| `autoscaling.enabled` | Enable autoscaling | `false` | -| `autoscaling.hpa.minReplicas` | Minimum replicas that should be available | `1` | -| `autoscaling.hpa.maxReplicas` | Maximum replicas that should be available | `3` | -| `autoscaling.hpa.metrics` | Metrics to scale on | `see values.yaml` | -| `autoscaling.hpa.behaviour` | Scale up/down behaviour | `see values.yaml` | + +| Parameter | Description | Default | +| ----------------------------- | ----------------------------------------- | ----------------- | +| `autoscaling.enabled` | Enable autoscaling | `false` | +| `autoscaling.hpa.minReplicas` | Minimum replicas that should be available | `1` | +| `autoscaling.hpa.maxReplicas` | Maximum replicas that should be available | `3` | +| `autoscaling.hpa.metrics` | Metrics to scale on | `see values.yaml` | +| `autoscaling.hpa.behaviour` | Scale up/down behaviour | `see values.yaml` | + Here is an example of a configured autoscaling section. + ``` autoscaling: enabled: true @@ -2073,14 +2350,19 @@ autoscaling: [Back to Additional Guides](#additional-guides) ### Pod Disruption Budgets + [Pod Disruption Budgets](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) allow you to limit the number of concurrent disruptions that your application experiences, allowing for higher availability while permitting the cluster administrator to manage the clusters nodes. -| Parameter | Description | Default | -| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | -| `pdb.create` | Create a PodDisruptionBudget for your Gateway Release | `false` | -| `pdb.maxUnavailable` | number of pods from that set that can be unavailable after the eviction. It can be either an absolute number or a percentage. | `""` | -| `pdb.minAvailable` | number of pods from that set that must still be available after the eviction, even in the absence of the evicted pod. minAvailable can be either an absolute number or a percentage. | `""` | + + +| Parameter | Description | Default | +| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------- | +| `pdb.create` | Create a PodDisruptionBudget for your Gateway Release | `false` | +| `pdb.maxUnavailable` | number of pods from that set that can be unavailable after the eviction. It can be either an absolute number or a percentage. | `""` | +| `pdb.minAvailable` | number of pods from that set that must still be available after the eviction, even in the absence of the evicted pod. minAvailable can be either an absolute number or a percentage. | `""` | + Example - note that only ***maxUnavailable*** or ***minAvailable*** can be set - both values ***cannot*** be set at the same time. + ``` pdb: create: true @@ -2091,16 +2373,20 @@ pdb: [Back to Additional Guides](#additional-guides) ### RBAC Parameters + PM Tagger requires access to pods in the current namespace, it uses the Gateway Configured service account. -| Parameter | Description | Default | -| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | -| `serviceAccount.create` | Create a service account for the Gateway | `true` | -| `serviceAccount.name` | Use an existing service account or specify the name of the service account that you would like to be created | `nil` | -| `rbac.create` | Create Role and Rolebinding for Gateway Service Account | `true` | + +| Parameter | Description | Default | +| ----------------------- | ------------------------------------------------------------------------------------------------------------ | ------- | +| `serviceAccount.create` | Create a service account for the Gateway | `true` | +| `serviceAccount.name` | Use an existing service account or specify the name of the service account that you would like to be created | `nil` | +| `rbac.create` | Create Role and Rolebinding for Gateway Service Account | `true` | + If you would like to create and use your own service account the Gateway with PM Tagger will require the following role to function correctly. ***This should NOT be a cluster role*** + ``` rules: - apiGroups: [""] @@ -2111,6 +2397,7 @@ rules: [Back to Additional Guides](#additional-guides) ### Logs & Audit Configuration + The API Gateway containers are configured to output logs and audits as JSON events, and to never write audits to the in-memory Derby database: - System properties in the default template for the `config.javaArgs` value configure the log and audit behaviour: @@ -2119,32 +2406,37 @@ The API Gateway containers are configured to output logs and audits as JSON even - Default log output configuration is overridden by specifying an alternative configuration properties file: `-Djava.util.logging.config.file=/opt/SecureSpan/Gateway/node/default/etc/conf/log-override.properties` - The alternative log configuration properties file `log-override.properties` is mounted on the container, via ConfigMap. - System property to include well known Certificate Authorities Trust Anchors - - API Gateway does not implicitly trust certificates without importing it but If you want to avoid import step then configure Gateway to accept any certificate signed by well known CA's (Certificate Authorities) - configure following property to true - - Set '-Dcom.l7tech.server.pkix.useDefaultTrustAnchors=true' for well known Certificate Authorities be included as Trust Anchors (true/false) + - API Gateway does not implicitly trust certificates without importing it but If you want to avoid import step then configure Gateway to accept any certificate signed by well known CA's (Certificate Authorities) + configure following property to true - + Set '-Dcom.l7tech.server.pkix.useDefaultTrustAnchors=true' for well known Certificate Authorities be included as Trust Anchors (true/false) - Allow wildcards when verifying hostnames (true/false) - - Set '-Dcom.l7tech.security.ssl.hostAllowWildcard=true' to allow wildcards when verifying hostnames (true/false) + - Set '-Dcom.l7tech.security.ssl.hostAllowWildcard=true' to allow wildcards when verifying hostnames (true/false) [Back to Additional Guides](#additional-guides) ## Subchart Configuration + ***these do not represent production configurations*** For Production implementations, please see the Chart links for recommended settings. The best approach would be deploying each independently ## Hazelcast -The following table lists the configured parameters of the Hazelcast Subchart - see the following for more detail https://github.com/hazelcast/charts/blob/master/stable/hazelcast/values.yaml -| Parameter | Description | Default | -| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | -| `hazelcast.enabled` | Enable/Disable deployment of Hazelcast | `false` | -| `hazelcast.external` | Point to an external Hazelcast - set enabled to false and configure the url | `false` | -| `hazelcast.image.tag` | The Gateway currently supports Hazelcast 4.x/5.x servers. | `5.2.1` | -| `hazelcast.url` | External Hazelcast Url | `hazelcast.example.com:5701` | -| `hazelcast.cluster.memberCount` | Number of Hazelcast Replicas you wish to deploy | `see values.yaml` | -| `hazelcast.hazelcast.yaml` | Hazelcast configuration | `see the documentation link` | +The following table lists the configured parameters of the Hazelcast Subchart - see the following for more detail [https://github.com/hazelcast/charts/blob/master/stable/hazelcast/values.yaml](https://github.com/hazelcast/charts/blob/master/stable/hazelcast/values.yaml) + + +| Parameter | Description | Default | +| ------------------------------- | --------------------------------------------------------------------------- | ---------------------------- | +| `hazelcast.enabled` | Enable/Disable deployment of Hazelcast | `false` | +| `hazelcast.external` | Point to an external Hazelcast - set enabled to false and configure the url | `false` | +| `hazelcast.image.tag` | The Gateway currently supports Hazelcast 4.x/5.x servers. | `5.2.1` | +| `hazelcast.url` | External Hazelcast Url | `hazelcast.example.com:5701` | +| `hazelcast.cluster.memberCount` | Number of Hazelcast Replicas you wish to deploy | `see values.yaml` | +| `hazelcast.hazelcast.yaml` | Hazelcast configuration | `see the documentation link` | + ### Subcharts -* Hazelcast (default: disabled) ==> https://github.com/helm/charts/tree/master/stable/hazelcast -[Back to Additional Guides](#additional-guides) +- Hazelcast (default: disabled) ==> [https://github.com/helm/charts/tree/master/stable/hazelcast](https://github.com/helm/charts/tree/master/stable/hazelcast) + +[Back to Additional Guides](#additional-guides) \ No newline at end of file From 417b554685e025f69e084f91f46fa780dac4eb29 Mon Sep 17 00:00:00 2001 From: jchanbcbc Date: Fri, 19 Jun 2026 09:32:54 -0700 Subject: [PATCH 13/20] Address feedback, renamed back to db-migration-job.yaml. --- .../templates/{gw-db-upgrade-job.yaml => db-migration-job.yaml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename charts/gateway/templates/{gw-db-upgrade-job.yaml => db-migration-job.yaml} (100%) diff --git a/charts/gateway/templates/gw-db-upgrade-job.yaml b/charts/gateway/templates/db-migration-job.yaml similarity index 100% rename from charts/gateway/templates/gw-db-upgrade-job.yaml rename to charts/gateway/templates/db-migration-job.yaml From f6b506e71ee69c6571dc463dcba529f2dcee8c4f Mon Sep 17 00:00:00 2001 From: jchanbcbc Date: Mon, 22 Jun 2026 11:25:29 -0700 Subject: [PATCH 14/20] reduce the changes to the README --- charts/gateway/README.md | 33 ++++++++++++++++------- examples/README.md | 57 +++------------------------------------- 2 files changed, 27 insertions(+), 63 deletions(-) diff --git a/charts/gateway/README.md b/charts/gateway/README.md index 6bba300d..45c09dfc 100644 --- a/charts/gateway/README.md +++ b/charts/gateway/README.md @@ -1617,7 +1617,9 @@ In order the create the database on the remote server, the provided user in the Gateway 11.2.2 introduces an opt-in `pre-upgrade` Kubernetes Job that applies Liquibase database schema changes before the new Gateway pods roll out. This decouples the schema upgrade from the Gateway startup process, preventing stuck `DATABASECHANGELOGLOCK` entries from blocking pod startup during rolling upgrades. -> **Requirements:** Gateway connected to external MySQL The target Gateway image must be **11.2.2 or newer**. +> **Requirements:** Gateway must be connected to an external MySQL database. The target Gateway image must be **11.2.2 or newer**. + +> **Important — for upgrades only:** The `db-migration` job is a `pre-upgrade` Helm hook. It runs **only during `helm upgrade`**, never during `helm install`. Likewise, `-Dgateway.db.schema-update.mode=skip` must **not** be set during a fresh installation — if Liquibase is skipped on first install, the `ssg` database schema will never be populated and the Gateway will fail to start. Only add `skip` mode after the schema has been fully initialised by either a previous `helm install` (default mode) or a successful migration job. #### How it works @@ -1625,6 +1627,14 @@ When `database.migrationJob.enabled: true`, a short-lived `db-migration` Job pod The main Gateway pods should be configured with `javaArgs: ["-Dgateway.db.schema-update.mode=skip"]` so they bypass the Liquibase check entirely and start immediately without touching the database lock. +#### Fresh install vs upgrade + +| Operation | `skip` mode | Migration job | Expected behaviour | +|---|---|---|---| +| `helm install` (first time) | Not set (default) | Not applicable (`pre-upgrade` only) | Gateway populates the `ssg` schema on first boot — **correct** | +| `helm install` (first time) | Set | Not applicable | Gateway skips Liquibase — **schema never populated, Gateway broken** | +| `helm upgrade` | Set | Enabled | Migration job populates schema and exits, Gateway pods start fast — **correct** | + #### Upgrade workflow **Step 1 – Enable the migration job and run `helm upgrade`** @@ -1632,13 +1642,14 @@ The main Gateway pods should be configured with `javaArgs: ["-Dgateway.db.schema ```yaml database: enabled: true + create: false jdbcURL: jdbc:mysql://myprimaryserver:3306/ssg migrationJob: enabled: true # Optional: specify the primary writer endpoint directly. # If omitted, falls back to database.jdbcURL above. - jdbcUrl: "jdbc:mysql://myprimaryserver:3306/ssg" + jdbcURL: "jdbc:mysql://myprimaryserver:3306/ssg" ``` ```bash @@ -1654,6 +1665,10 @@ After the migration completes, add the following to ensure normal Gateway pods s ```yaml javaArgs: - "-Dgateway.db.schema-update.mode=skip" + +database: + migrationJob: + enabled: false # disable now that migration is complete ``` #### Recovering from a stuck lock @@ -1671,14 +1686,12 @@ database: #### Configuration - -| Parameter | Description | Default | -| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ | ------- | -| `database.migrationJob.enabled` | Enable the pre-upgrade schema migration Job | `false` | -| `database.migrationJob.jdbcUrl` | JDBC URL for the migration job. Recommended to point at the primary writer endpoint directly. Falls back to `database.jdbcURL` if not set. | `""` | -| `database.migrationJob.clearLocks` | Forcefully release any stuck Liquibase locks before applying schema changes | `false` | -| `database.migrationJob.activeDeadlineSeconds` | Maximum time (in seconds) the job pod is allowed to run before being terminated | `300` | - +| Parameter | Description | Default | +|---|---|---| +| `database.migrationJob.enabled` | Enable the pre-upgrade schema migration Job. For upgrades only — do not enable on `helm install`. | `false` | +| `database.migrationJob.jdbcURL` | JDBC URL for the migration job. Recommended to point at the primary writer endpoint directly to bypass load balancers or proxies. Falls back to `database.jdbcURL` if not set. | `""` | +| `database.migrationJob.clearLocks` | Forcefully release any stuck Liquibase locks before applying schema changes | `false` | +| `database.migrationJob.activeDeadlineSeconds` | Maximum time (in seconds) the job pod is allowed to run before being terminated | `300` | #### Retry behaviour diff --git a/examples/README.md b/examples/README.md index 90d2d658..61f39b33 100644 --- a/examples/README.md +++ b/examples/README.md @@ -1,60 +1,11 @@ # Examples -This folder contains information on how to deploy the various apim-charts with different configurations. +This folder contains information on how to deploy the Gateway and Portal Charts with different configurations. ## Prerequisite: * Helm 3.x * The Kubernetes CLI (kubectl) * A Gateway license - not required for Portal examples. - -## Gateway Examples -The Gateway Chart is comprised of the base Layer7 API Gateway, MySQL, Hazelcast, InfluxDb and Grafana. It contains a reference implementation that you can use -as an example to get a feel for what's possible and where to start when externalising Hazelcast or Offboxing Service Metrics to InfluxDb and visualising them in Grafana. - -Start by cloning [values.yaml](../charts/gateway/values.yaml) onto a machine that has Helm v3.x and kubectl installed with access to a kubernetes cluster. You can also use ```curl``` to do this - -```$ curl https://raw.githubusercontent.com/CAAPIM/apim-charts/stable/charts/gateway/values.yaml > my-values.yaml``` - -Next add the layer7 Helm Chart Repository if you haven't already - -``` $ helm repo add layer7 https://caapim.github.io/apim-charts/``` - -``` $ helm repo update ``` - -* [Gateway with Sub-Charts](#gateway-with-subcharts) -* [Gateway with Ingress Controller (nginx)](#gateway-with-ingress-controller) - - -### Gateway with SubCharts -Here we'll enable all of the Gateway sub-charts, you can pick and choose which you'd like to try. - -***Note:*** Offboxing Service Metrics requires InfluxDb, Grafana and ServiceMetrics to be enabled. Hazelcast does not require any of these. - -1. Open the ***my-values.yaml*** that you saved earlier - - Update the following values in this file. - ``` - management.restman.enabled: true ==> this optionally enables restman, you can skip this if you don't need it - management.username: admin ==> default PM username - management.password: mypassword ==> default PM password - serviceMetrics.enabled: true ==> this deploys an example service metrics policy to your Gateway [click here for more info](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/10-0/learning-center/overview-of-the-policy-manager/gateway-dashboard/configure-gateway-for-external-service-metrics.html) - hazelcast.enabled: true ==> deploys a pre-configured hazelcast - influxdb.enabled: true ==> deploys influxdb - grafana.enabled: true ==> deploys grafana - grafana.customDashboard.value ==> use --set-file to specify your own grafana dashboard (optional) - ``` -2. Install the Gateway Chart - - ```$ helm install --set license.accept=true --set-file license.value=/path/to/license.xml -f /path/to/my-values.yaml -n layer7/gateway``` - -3. Get the Gateway IP Address for Policy Manager (admin/mypassword are the default login credentials) - - ```$ kubectl get svc -n | grep ``` ==> you should see an EXTERNAL-IP (if using minikube see ingress settings or use minikube proxy) -4. Open Policy Manager v10 and connect to your new Gateway. -5. Create a dummy API and access via curl or your browser. -4. Connect to Grafana and view your service metrics - - ```$ kubectl port-forward svc -grafana 3000:3000 -n ``` -5. Open a browser and navigate to http://localhost:3000 - - ```username: admin``` ===> these default credentials can be updated in values.yaml - - ```password: password``` - - -### Gateway with Ingress Controller -Coming Soon. \ No newline at end of file +### [Deploying the Portal Helm Chart on Openshift](./portal/openshift/README.md) +### [Deploying the Gateway Helm Chart with the OAuth Toolkit](./otk/README.md) +### [Upgrading the Gateway Helm Chart with the Database Migration Job](./gateway/db-migration/README.md) \ No newline at end of file From 93c33db59f5e0bc2f6f620024ca51bd50c81d193 Mon Sep 17 00:00:00 2001 From: jchanbcbc Date: Mon, 22 Jun 2026 11:32:40 -0700 Subject: [PATCH 15/20] reduce the changes to the README --- charts/gateway/README.md | 1565 ++++++++++++++++---------------------- 1 file changed, 673 insertions(+), 892 deletions(-) diff --git a/charts/gateway/README.md b/charts/gateway/README.md index 45c09dfc..9e16cf30 100644 --- a/charts/gateway/README.md +++ b/charts/gateway/README.md @@ -1,22 +1,18 @@ # Layer7 API Gateway - This Chart deploys the API Gateway v11.x onward with the following `optional` subchart: hazelcast. This Chart also includes basic MySQL and Redis statefulsets for trying out the Chart; these are example only and do not represent production ready configurations. ## Bitnami Public Catalog Removal - The Bitnami subCharts have now been fully removed from the Gateway Helm Chart. Please read the release notes for [Gateway v3.0.45](./release-notes.md#3039-bitnami-subchart-removal) for more details. ### Important Note - The included MySQL Statefulset is enabled by default to make trying this chart out easier. ***It is not supported or recommended for production.*** Layer7 assumes that you are deploying a Gateway solution to a Kubernetes environment with an external MySQL database. ## Release notes - - Current Chart Version 3.1.1 + - Please review release notes [here](./release-notes.md) ## Prerequisites - - Kubernetes - [Refer to techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw-11-0/release-notes_cgw/requirements-and-compatibility.html#concept.dita_req_comp_refresh_gw10cr2_platforms) for the latest version support - Helm v3.x @@ -24,34 +20,26 @@ The included MySQL Statefulset is enabled by default to make trying this chart o - Gateway v10.x or v11.x License #### Note - It's important that your Kubernetes Client and Server versions are compatible. You can verify this by running the following - ``` kubectl version ``` - output - ``` Client Version: v1.29.1 Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3 Server Version: v1.27.6+b49f9d1 WARNING: version difference between client (1.29) and server (1.27) exceeds the supported minor version skew of +/-1 ``` - The above message indicates that the client version (kubectl) is greater than the server version by more than 1 minor version. This may cause unforseen errors when using Kubectl or Helm. Please also check your Helm version against [this](https://helm.sh/docs/topics/version_skew/#supported-version-skew) compatibility matrix - ``` helm version ``` - output - ``` version.BuildInfo{Version:"v3.13.3", GitCommit:"c8b948945e52abba22ff885446a1486cb5fd3474", GitTreeState:"clean", GoVersion:"go1.21.5"} @@ -60,89 +48,76 @@ Helm Version Supported Kubernetes Versions ``` ## Optional - - Persistent Volume Provisioner (if using PVC for the Demo MySQL or Redis Statefulset) ## Recommended - - [An Ingress Controller](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/) ### Production - - [Metrics Server](https://github.com/kubernetes-sigs/metrics-server) if you would like to enable autoscaling. #### MySQL/Database Backed Gateways - - [A dedicated external MySQL 8.0.22/8.0.26 server](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw-10-1/install-configure-upgrade/using-mysql-8-0-with-gateway-10.html) ### Advanced Configuration - -- [Additional Guides](#additional-guides) -- [Thinking in Kubernetes](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw-10-1/learning-center/thinking-in-kubernetes.html) +* [Additional Guides](#additional-guides) +* [Thinking in Kubernetes](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw-10-1/learning-center/thinking-in-kubernetes.html) #### Getting Started - ***If you are using a previous version of this Chart please read the updates section before you upgrade.*** - -- [Install the Chart](#installing-the-chart) -- [Upgrade the Chart](#upgrading-the-chart) -- [Uninstall the Chart](#uninstalling-the-chart) +* [Install the Chart](#installing-the-chart) +* [Upgrade the Chart](#upgrading-the-chart) +* [Uninstall the Chart](#uninstalling-the-chart) ## Additional Guides +* [Configuration](#configuration) +* [Service Configuration](#port-configuration) +* [Gateway Application Ports](#gateway-application-ports) +* [OTK Install or Upgrade](#otk-install-or-upgrade) +* [OTK Compatibility with Gateway 11.2](#otk-compatibility-with-gateway-112) +* [Ingress Configuration](#ingress-configuration) +* [Kubernetes Gateway API Configuration](#kubernetes-gateway-api-configuration) +* [PM Tagger Configuration](#pm-tagger-configuration) +* [Shared State Preview Features](#shared-state-preview-features) +* [Redis Configuration](#redis-configuration) +* [Redis StatefulSet](#redis-statefulset-developmenttesting-only) +* [GemFire Configuration](#gemfire-configuration-1113) +* [Shared State Provider Configuration](#shared-state-provider-config) +* [OpenTelemetry Configuration](#opentelemetry-configuration) +* [Database Configuration](#database-configuration) +* [Database Migration Job](#database-migration-job-pre-upgrade-schema-updates) +* [MySQL StatefulSet](#mysql-statefulset-developmenttesting-only) +* [Cluster-Wide Properties](#cluster-wide-properties) +* [Enable DualStack(IPv4/IPv6)](#enable-dualstack) +* [Java Args](#java-args) +* [System Properties](#system-properties) +* [Diskless Configuration](#diskless-configuration) +* [Gateway Bundles](#bundle-configuration) +* [Bootstrap Script](#bootstrap-script) +* [Custom Health Checks](#custom-health-checks) +* [Custom Configuration Files](#custom-configuration-files) +* [Logs & Audit Configuration](#logs--audit-configuration) +* [Graceful Termination](#graceful-termination) +* [Autoscaling](#autoscaling) +* [Pod Disruption Budgets](#pod-disruption-budgets) +* [RBAC Parameters](#rbac-parameters) +* [SubChart Configuration](#subchart-configuration) -- [Configuration](#configuration) -- [Service Configuration](#port-configuration) -- [Gateway Application Ports](#gateway-application-ports) -- [OTK Install or Upgrade](#otk-install-or-upgrade) -- [OTK Compatibility with Gateway 11.2](#otk-compatibility-with-gateway-112) -- [Ingress Configuration](#ingress-configuration) -- [Kubernetes Gateway API Configuration](#kubernetes-gateway-api-configuration) -- [PM Tagger Configuration](#pm-tagger-configuration) -- [Shared State Preview Features](#shared-state-preview-features) -- [Redis Configuration](#redis-configuration) -- [Redis StatefulSet](#redis-statefulset-developmenttesting-only) -- [GemFire Configuration](#gemfire-configuration-1113) -- [Shared State Provider Configuration](#shared-state-provider-config) -- [OpenTelemetry Configuration](#opentelemetry-configuration) -- [Database Configuration](#database-configuration) -- [Database Migration Job](#database-migration-job-pre-upgrade-schema-updates) -- [MySQL StatefulSet](#mysql-statefulset-developmenttesting-only) -- [Cluster-Wide Properties](#cluster-wide-properties) -- [Enable DualStack(IPv4/IPv6)](#enable-dualstack) -- [Java Args](#java-args) -- [System Properties](#system-properties) -- [Diskless Configuration](#diskless-configuration) -- [Gateway Bundles](#bundle-configuration) -- [Bootstrap Script](#bootstrap-script) -- [Custom Health Checks](#custom-health-checks) -- [Custom Configuration Files](#custom-configuration-files) -- [Logs & Audit Configuration](#logs--audit-configuration) -- [Graceful Termination](#graceful-termination) -- [Autoscaling](#autoscaling) -- [Pod Disruption Budgets](#pod-disruption-budgets) -- [RBAC Parameters](#rbac-parameters) -- [SubChart Configuration](#subchart-configuration) -## Installing the Chart +## Installing the Chart Check out [this guide](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw-10-1/learning-center/thinking-in-kubernetes/hands-on-gateway-deployment-in-kubernetes.html) for more in-depth instruction - ``` $ helm repo add layer7 https://caapim.github.io/apim-charts/ $ helm repo update $ helm install my-ssg --set-file "license.value=path/to/license.xml" --set "license.accept=true" layer7/gateway ``` - ## Upgrading the Chart - To upgrade your Gateway Release - ``` $ helm upgrade my-ssg --set-file "license.value=path/to/license.xml" --set "license.accept=true" layer7/gateway ``` - ## Uninstalling the Chart - To uninstall the Gateway Chart ``` @@ -150,15 +125,12 @@ $ helm uninstall -n ``` ## Custom values - To make sure that your custom values don't get overwritten by a pull, create your own values.yaml (myvalues.yaml..) then specify -f myvalues.yaml when deploying/upgrading ## Note on custom values - You only need to include the values you wish to change in your myvalues.yaml For example, you wish to deploy the Gateway Chart as is without a database. Your myvalues.yaml would then contain the following - ``` database: enabled: false @@ -166,165 +138,160 @@ database: ``` ## Configuration - The following table lists the configurable parameters of the Gateway chart and their default values. See values.yaml for additional parameters and info - -| Parameter | Description | Default | -| ----------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- | -| `nameOverride` | Name override | `nil` | -| `fullnameOverride` | Full name override | `nil` | -| `global.schedulerName` | Override the default scheduler | `nil` | -| `license.value` | Gateway license file | `nil` | -| `license.accept` | Accept Gateway license EULA | `false` | -| `disklessConfig.enabled` | Enable diskless configuration | `true` | -| `disklessConfig.setSecretByInitContainer` | Fetch and mount node.properties secret by InitContainer | `false` | -| `disklessConfig.existingSecret` | existing node.properties secret mount configuration | `{}` | -| `disklessConfig.existingSecret.name` | existing secret containing node.properties | `gateway-secret` | -| `disklessConfig.existingSecret.csi` | csi configuration for the [secret store csi driver](https://secrets-store-csi-driver.sigs.k8s.io/) | `commented out` | -| `image.registry` | Image Registry | `docker.io` | -| `image.repository` | Image Repository | `caapim/gateway` | -| `image.tag` | Image tag | `11.0.00` | -| `image.pullPolicy` | Image Pull Policy | `IfNotPresent` | -| `imagePullSecret.enabled` | Configures Gateway Deployment to use imagePullSecret, you can also leave this disabled and associate an image pull secret with the Gateway's Service Account | `false` | -| `imagePullSecret.existingSecretName` | Point to an existing Image Pull Secret | `commented out` | -| `imagePullSecret.username` | Registry Username | `nil` | -| `imagePullSecret.password` | Registry Password | `nil` | -| `additionalAnnotations` | Additional Annotations apply to all deployed objects | `{}` | -| `additionalLabels` | Additional Labels apply to all deployed objects | `{}` | -| `podLabels` | Pod Labels for the Gateway Pod | `{}` | -| `podAnnotations` | Pod Annotations apply to the Gateway Pod | `{}` | -| `replicas` | Number of Gateway replicas | `1` | -| `updateStrategy.type` | Deployment Strategy | `RollingUpdate` | -| `updateStrategy.rollingUpdate.maxSurge` | Rolling Update Max Surge | `1` | -| `updateStrategy.rollingUpdate.maxUnavailable` | Rolling Update Max Unavailable | `0` | -| `clusterHostname` | Gateway Cluster Hostname | `my.localdomain` | -| `existingGatewaySecretName` | Existing Secret that contains management credentials, see values.yaml for what must be included | `commented out` | -| `clusterPassword` | Cluster Password, used if db backed | `mypassword` | -| `management.enabled` | Enable/Disable Policy Manager access | `true` | -| `management.restman.enabled` | Enable/Disable the Rest Management API (Restman) | `false` | -| `management.username` | Policy Manager Username | `admin` | -| `management.password` | Policy Manager Password | `mypassword` | -| `management.kubernetes.loadServiceAccountToken` | Automatically load the Gateway Deployment's ServiceAccount Token for querying the Kubernetes API | `false` | -| `management.service.ipFamilyPolicy` | [IPv4/IPv6 dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/) | `commented out` | -| `management.service.ipFamilies` | [IPv4/IPv6 dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/) | `nil` | -| `database.enabled` | Run in DB Backed or Ephemeral Mode | `true` | -| `database.create` | Deploy the MySQL stable deployment as part of this release | `true` | -| `database.username` | Database Username | `gateway` | -| `database.password` | Database Password | `mypassword` | -| `database.liquibaseLogLevel` | Liquibase log level | `off` | -| `database.name` | Database name | `ssg` | -| `tls.useSignedCertificates` | Enable/Disable use of your own TLS Certificate, this ovverides the Gateway's defaultSSLKey | `false` | -| `tls.existingSecretName` | Existing Secret that contains TLS p12 container and pass, see values.yaml for what must be included | `commented out` | -| `tls.key` | p12 container - this can be set with --set-file tls.key=/path/to/tls.p12 | `nil` | -| `tls.pass` | p12 container password - this cannot be empty | `nil` | -| `config.heapSize` | Java Heap Size | `2g` | -| `config.minHeapSize` | Java Min Heap Size | `1g` | -| `config.maxHeapSize` | Java Max Heap Size | `3g` | -| `config.javaArgs` | Additional Java Args to pass to the SSG process | `see values.yaml` | -| `config.log.override` | Override the standard log configuration | `true` | -| `config.log.properties` | Custom logging properties | `see values.yaml` | -| `config.cwp.enabled` | Enable/Disable settable cluster-wide properties | `false` | -| `config.cwp.properties` | Set name/value pairs of cluster-wide properties | `see values.yaml` | -| `config.sytemProperties` | Configure the Gateway's system.properties file | `see values.yaml` | -| `additionalEnv` | Additional environment variables you wish to pass to the Gateway Configmap | `see values.yaml` | -| `additionalSecret` | Additional secret variables you wish to pass to the Gateway Secret | `see values.yaml` | -| `bundle.enabled` | Creates a configmap with bundles from the ./bundles folder | `false` | -| `bundle.path` | Specify the path to the bundle files. The bundles folder in this repo has some example bundle files | `"bundles/*.bundle"` | -| `existingBundle.enabled` | Enable mounting existing configMaps/Secrets that contain Layer7 Gateway Bundles - see values.yaml for more info | `false` | -| `existingBundle.configMaps` | Array of configMaps that will be mounted to the Gateway's bootstrap folder | `see values.yaml` | -| `existingBundle.secrets` | Array of Secrets that will be mounted to the Gateway's bootstrap folder | `see values.yaml` | -| `customHosts.enabled` | Enable customHosts on the Gateway, this overrides /etc/hosts. | `see values.yaml` | -| `customHosts.hostAliases` | Array of hostAliases to add to the Container Gateway | `see values.yaml` | -| `service.type` | Service Type | `LoadBalancer` | -| `service.ipFamilyPolicy` | [IPv4/IPv6 dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/) | `commented out` | -| `service.ipFamilies` | [IPv4/IPv6 dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/) | `nil` | -| `service.loadbalancer` | Additional Loadbalancer Configuration | `see https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service` | -| `service.ports` | List of http external port mappings | https: 8443 -> 8443, management: 9443->9443 | -| `service.annotations` | Additional annotations to add to the service | {} | -| `service.internalTrafficPolicy` | [Internal Traffic Policy](https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/#using-service-internal-traffic-policy) | `Cluster` | -| `service.externalTrafficPolicy` | [External Traffic Policy](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip) | `Cluster` | -| `ingress.enabled` | Enable/Disable an ingress or route record being created | `false` | -| `ingress.openshift.route.enabled` | Create an Openshift Route (Requires Openshift) | `false` | -| `ingress.openshift.route.wildcardPolicy` | Openshift Route Wildcard Policy | `None` | -| `ingress.openshift.route.weight` | Openshift Route Weight (0-255) | `commented` | -| `ingress.annotations` | ingress annotations | `{}` | -| `ingress.labels` | additional ingress labels | `{}` | -| `ingress.ingressClassName` | Ingress Class Name | `nginx` | -| `ingress.tls` | Ingress TLS Configuration | `see values.yaml` | -| `ingress.rules` | Ingress Rules Configuration | `see values.yaml` | -| `ingress.rules[].annotations` | Per-rule annotations (OpenShift Routes only). Merged with `ingress.annotations` | `not set` | -| `kubernetesGateway.enabled` | Enable Kubernetes Gateway API resources (EXPERIMENTAL) | `false` | -| `kubernetesGateway.gateway.create` | Create a new Gateway resource | `false` | -| `kubernetesGateway.gateway.gatewayClassName` | GatewayClass name (e.g. contour, eg). Required when create: true | `""` | -| `kubernetesGateway.gateway.addresses` | Optional addresses for the Gateway (e.g. static IPs). Array of `{type, value}` | `[]` | -| `kubernetesGateway.gateway.existingRef.name` | Name of an existing Gateway to reference | `""` | -| `kubernetesGateway.gateway.existingRef.namespace` | Namespace of the existing Gateway | `""` | -| `kubernetesGateway.gateway.tls.existingSecretName` | Reference an existing kubernetes.io/tls Secret for the listener. When set, no secret is created | `""` | -| `kubernetesGateway.gateway.labels` | Additional labels for the Gateway resource | `{}` | -| `kubernetesGateway.gateway.annotations` | Additional annotations for the Gateway resource | `{}` | -| `kubernetesGateway.httpRoute.enabled` | Enable HTTPRoute resource | `true` | -| `kubernetesGateway.httpRoute.rules` | HTTPRoute rules. Each rule routes to the chart's own service | `see values.yaml` | -| `kubernetesGateway.httpRoute.labels` | Additional labels for the HTTPRoute | `{}` | -| `kubernetesGateway.httpRoute.annotations` | Additional annotations for the HTTPRoute | `{}` | -| `kubernetesGateway.tlsRoute.enabled` | Enable TLSRoute resource (SNI passthrough) | `false` | -| `kubernetesGateway.tlsRoute.apiVersion` | TLSRoute API version. Set to `gateway.networking.k8s.io/v1` when your CRDs include TLSRoute at v1 | `gateway.networking.k8s.io/v1alpha2` | -| `kubernetesGateway.tlsRoute.rules` | TLSRoute rules. Each rule routes to the chart's own service | `see values.yaml` | -| `kubernetesGateway.tlsRoute.labels` | Additional labels for the TLSRoute | `{}` | -| `kubernetesGateway.tlsRoute.annotations` | Additional annotations for the TLSRoute | `{}` | -| `kubernetesGateway.backendTLSPolicy.enabled` | Enable BackendTLSPolicy for Gateway-to-backend TLS | `false` | -| `kubernetesGateway.backendTLSPolicy.excludePorts` | Ports to exclude from targetRefs. When empty, the policy covers all ports (no `sectionName`). When set, each non-excluded port gets an explicit targetRef with `sectionName` | `[]` | -| `kubernetesGateway.backendTLSPolicy.validation.hostname` | Hostname for backend TLS validation. If empty, defaults to `..svc.cluster.local` | `""` | -| `kubernetesGateway.backendTLSPolicy.validation.caCertificateRefs` | CA certificate references. If empty, defaults to the auto-generated CA ConfigMap | `[]` | -| `kubernetesGateway.backendTLSPolicy.validation.wellKnownCACertificates` | Use well-known CA certs (e.g. `System`). Mutually exclusive with `caCertificateRefs` | `""` | -| `kubernetesGateway.backendTLSPolicy.tls.existingSecretName` | Reference an existing kubernetes.io/tls Secret for the backend cert. When set, no secret is created | `""` | -| `kubernetesGateway.backendTLSPolicy.tls.bootstrap` | Enable SSL key bootstrap into the pod. Set `false` when you only need the BackendTLSPolicy resource | `true` | -| `kubernetesGateway.backendTLSPolicy.tls.forceBootstrap` | Force the bootstrap script on every install/upgrade (db-backed gateways skip on upgrade by default) | `false` | -| `kubernetesGateway.backendTLSPolicy.labels` | Additional labels for the BackendTLSPolicy | `{}` | -| `kubernetesGateway.backendTLSPolicy.annotations` | Additional annotations for the BackendTLSPolicy | `{}` | -| `kubernetesGateway.labels` | Labels applied to all Gateway API resources | `{}` | -| `kubernetesGateway.annotations` | Annotations applied to all Gateway API resources | `{}` | -| `startupProbe.enabled` | Enable/Disable | `false` | -| `startupProbe.initialDelaySeconds` | Initial delay | `60` | -| `startupProbe.timeoutSeconds` | Timeout | `1` | -| `startupProbe.periodSeconds` | Frequency | `10` | -| `startupProbe.successThreshold` | Success Threshold | `1` | -| `startupProbe.failureThreshold` | Failure Threshold | `10` | -| `livenessProbe.enabled` | Enable/Disable | `true` | -| `livenessProbe.initialDelaySeconds` | Initial delay | `60` | -| `livenessProbe.timeoutSeconds` | Timeout | `1` | -| `livenessProbe.periodSeconds` | Frequency | `10` | -| `livenessProbe.successThreshold` | Success Threshold | `1` | -| `livenessProbe.failureThreshold` | Failure Threshold | `10` | -| `readinessProbe.enabled` | Enable/Disable | `true` | -| `readinessProbe.initialDelaySeconds` | Initial delay | `60` | -| `readinessProbe.timeoutSeconds` | Timeout | `1` | -| `readinessProbe.periodSeconds` | Frequency | `10` | -| `readinessProbe.successThreshold` | Success Threshold | `1` | -| `readinessProbe.failureThreshold` | Failure Threshold | `10` | -| `resources.limits` | Resource Limits | `{}` | -| `resources.requests` | Resource Requests | `{}` | -| `nodeSelector` | [Node Selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) | `{}` | -| `affinity` | [Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) | `{}` | -| `topologySpreadConstraints` | [Topology Spread Constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/#spread-constraints-for-pods) | `[]` | -| `tolerations` | [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) | `[]` | -| `podSecurityContext` | [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | `[]` | -| `containerSecurityContext` | [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | `{}` | -| `bootstrap.script.enabled` | Enable the bootstrap script | `false` | +| Parameter | Description | Default | +| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | +| `nameOverride` | Name override | `nil` | +| `fullnameOverride` | Full name override | `nil` | +| `global.schedulerName` | Override the default scheduler | `nil` | +| `license.value` | Gateway license file | `nil` | +| `license.accept` | Accept Gateway license EULA | `false` | +| `disklessConfig.enabled` | Enable diskless configuration | `true` | +| `disklessConfig.setSecretByInitContainer` | Fetch and mount node.properties secret by InitContainer | `false` | +| `disklessConfig.existingSecret` | existing node.properties secret mount configuration | `{}` | +| `disklessConfig.existingSecret.name` | existing secret containing node.properties | `gateway-secret` | +| `disklessConfig.existingSecret.csi` | csi configuration for the [secret store csi driver](https://secrets-store-csi-driver.sigs.k8s.io/) | `commented out` | +| `image.registry` | Image Registry | `docker.io` | +| `image.repository` | Image Repository | `caapim/gateway` | +| `image.tag` | Image tag | `11.0.00` | +| `image.pullPolicy` | Image Pull Policy | `IfNotPresent` | +| `imagePullSecret.enabled` | Configures Gateway Deployment to use imagePullSecret, you can also leave this disabled and associate an image pull secret with the Gateway's Service Account | `false` | +| `imagePullSecret.existingSecretName` | Point to an existing Image Pull Secret | `commented out` | +| `imagePullSecret.username` | Registry Username | `nil` | +| `imagePullSecret.password` | Registry Password | `nil` | +| `additionalAnnotations` | Additional Annotations apply to all deployed objects | `{}` | +| `additionalLabels` | Additional Labels apply to all deployed objects | `{}` | +| `podLabels` | Pod Labels for the Gateway Pod | `{}` | +| `podAnnotations` | Pod Annotations apply to the Gateway Pod | `{}` | +| `replicas` | Number of Gateway replicas | `1` | +| `updateStrategy.type` | Deployment Strategy | `RollingUpdate` | +| `updateStrategy.rollingUpdate.maxSurge` | Rolling Update Max Surge | `1` | +| `updateStrategy.rollingUpdate.maxUnavailable` | Rolling Update Max Unavailable | `0` | +| `clusterHostname` | Gateway Cluster Hostname | `my.localdomain` | +| `existingGatewaySecretName` | Existing Secret that contains management credentials, see values.yaml for what must be included | `commented out` | +| `clusterPassword` | Cluster Password, used if db backed | `mypassword` | +| `management.enabled` | Enable/Disable Policy Manager access | `true` | +| `management.restman.enabled` | Enable/Disable the Rest Management API (Restman) | `false` | +| `management.username` | Policy Manager Username | `admin` | +| `management.password` | Policy Manager Password | `mypassword` | +| `management.kubernetes.loadServiceAccountToken` | Automatically load the Gateway Deployment's ServiceAccount Token for querying the Kubernetes API | `false` | +| `management.service.ipFamilyPolicy` | [IPv4/IPv6 dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/) | `commented out` | +| `management.service.ipFamilies` | [IPv4/IPv6 dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/) | `nil` | +| `database.enabled` | Run in DB Backed or Ephemeral Mode | `true` | +| `database.create` | Deploy the MySQL stable deployment as part of this release | `true` | +| `database.username` | Database Username | `gateway` | +| `database.password` | Database Password | `mypassword` | +| `database.liquibaseLogLevel` | Liquibase log level | `off` | +| `database.name` | Database name | `ssg` | +| `tls.useSignedCertificates` | Enable/Disable use of your own TLS Certificate, this ovverides the Gateway's defaultSSLKey | `false` | +| `tls.existingSecretName` | Existing Secret that contains TLS p12 container and pass, see values.yaml for what must be included | `commented out` | +| `tls.key` | p12 container - this can be set with --set-file tls.key=/path/to/tls.p12 | `nil` | +| `tls.pass` | p12 container password - this cannot be empty | `nil` | +| `config.heapSize` | Java Heap Size | `2g` | +| `config.minHeapSize` | Java Min Heap Size | `1g` | +| `config.maxHeapSize` | Java Max Heap Size | `3g` | +| `config.javaArgs` | Additional Java Args to pass to the SSG process | `see values.yaml` | +| `config.log.override` | Override the standard log configuration | `true` | +| `config.log.properties` | Custom logging properties | `see values.yaml` | +| `config.cwp.enabled` | Enable/Disable settable cluster-wide properties | `false` | +| `config.cwp.properties` | Set name/value pairs of cluster-wide properties | `see values.yaml` | +| `config.sytemProperties` | Configure the Gateway's system.properties file | `see values.yaml` | +| `additionalEnv` | Additional environment variables you wish to pass to the Gateway Configmap | `see values.yaml` | +| `additionalSecret` | Additional secret variables you wish to pass to the Gateway Secret | `see values.yaml` | +| `bundle.enabled` | Creates a configmap with bundles from the ./bundles folder | `false` | +| `bundle.path` | Specify the path to the bundle files. The bundles folder in this repo has some example bundle files | `"bundles/*.bundle"` | +| `existingBundle.enabled` | Enable mounting existing configMaps/Secrets that contain Layer7 Gateway Bundles - see values.yaml for more info | `false` | +| `existingBundle.configMaps` | Array of configMaps that will be mounted to the Gateway's bootstrap folder | `see values.yaml` | +| `existingBundle.secrets` | Array of Secrets that will be mounted to the Gateway's bootstrap folder | `see values.yaml` | +| `customHosts.enabled` | Enable customHosts on the Gateway, this overrides /etc/hosts. | `see values.yaml` | +| `customHosts.hostAliases` | Array of hostAliases to add to the Container Gateway | `see values.yaml` | +| `service.type` | Service Type | `LoadBalancer` | +| `service.ipFamilyPolicy` | [IPv4/IPv6 dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/) | `commented out` | +| `service.ipFamilies` | [IPv4/IPv6 dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/) | `nil` | +| `service.loadbalancer` | Additional Loadbalancer Configuration | `see https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service` | +| `service.ports` | List of http external port mappings | https: 8443 -> 8443, management: 9443->9443 | +| `service.annotations` | Additional annotations to add to the service | {} | +| `service.internalTrafficPolicy` | [Internal Traffic Policy](https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/#using-service-internal-traffic-policy) | `Cluster` | +| `service.externalTrafficPolicy` | [External Traffic Policy](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip) | `Cluster` | +| `ingress.enabled` | Enable/Disable an ingress or route record being created | `false` | +| `ingress.openshift.route.enabled` | Create an Openshift Route (Requires Openshift) | `false` | +| `ingress.openshift.route.wildcardPolicy` | Openshift Route Wildcard Policy | `None` | +| `ingress.openshift.route.weight` | Openshift Route Weight (0-255) | `commented` | +| `ingress.annotations` | ingress annotations | `{}` | +| `ingress.labels` | additional ingress labels | `{}` | +| `ingress.ingressClassName` | Ingress Class Name | `nginx` | +| `ingress.tls` | Ingress TLS Configuration | `see values.yaml` | +| `ingress.rules` | Ingress Rules Configuration | `see values.yaml` | +| `ingress.rules[].annotations` | Per-rule annotations (OpenShift Routes only). Merged with `ingress.annotations` | `not set` | +| `kubernetesGateway.enabled` | Enable Kubernetes Gateway API resources (EXPERIMENTAL) | `false` | +| `kubernetesGateway.gateway.create` | Create a new Gateway resource | `false` | +| `kubernetesGateway.gateway.gatewayClassName` | GatewayClass name (e.g. contour, eg). Required when create: true | `""` | +| `kubernetesGateway.gateway.addresses` | Optional addresses for the Gateway (e.g. static IPs). Array of `{type, value}` | `[]` | +| `kubernetesGateway.gateway.existingRef.name` | Name of an existing Gateway to reference | `""` | +| `kubernetesGateway.gateway.existingRef.namespace` | Namespace of the existing Gateway | `""` | +| `kubernetesGateway.gateway.tls.existingSecretName` | Reference an existing kubernetes.io/tls Secret for the listener. When set, no secret is created | `""` | +| `kubernetesGateway.gateway.labels` | Additional labels for the Gateway resource | `{}` | +| `kubernetesGateway.gateway.annotations` | Additional annotations for the Gateway resource | `{}` | +| `kubernetesGateway.httpRoute.enabled` | Enable HTTPRoute resource | `true` | +| `kubernetesGateway.httpRoute.rules` | HTTPRoute rules. Each rule routes to the chart's own service | `see values.yaml` | +| `kubernetesGateway.httpRoute.labels` | Additional labels for the HTTPRoute | `{}` | +| `kubernetesGateway.httpRoute.annotations` | Additional annotations for the HTTPRoute | `{}` | +| `kubernetesGateway.tlsRoute.enabled` | Enable TLSRoute resource (SNI passthrough) | `false` | +| `kubernetesGateway.tlsRoute.apiVersion` | TLSRoute API version. Set to `gateway.networking.k8s.io/v1` when your CRDs include TLSRoute at v1 | `gateway.networking.k8s.io/v1alpha2` | +| `kubernetesGateway.tlsRoute.rules` | TLSRoute rules. Each rule routes to the chart's own service | `see values.yaml` | +| `kubernetesGateway.tlsRoute.labels` | Additional labels for the TLSRoute | `{}` | +| `kubernetesGateway.tlsRoute.annotations` | Additional annotations for the TLSRoute | `{}` | +| `kubernetesGateway.backendTLSPolicy.enabled` | Enable BackendTLSPolicy for Gateway-to-backend TLS | `false` | +| `kubernetesGateway.backendTLSPolicy.excludePorts` | Ports to exclude from targetRefs. When empty, the policy covers all ports (no `sectionName`). When set, each non-excluded port gets an explicit targetRef with `sectionName` | `[]` | +| `kubernetesGateway.backendTLSPolicy.validation.hostname` | Hostname for backend TLS validation. If empty, defaults to `..svc.cluster.local` | `""` | +| `kubernetesGateway.backendTLSPolicy.validation.caCertificateRefs` | CA certificate references. If empty, defaults to the auto-generated CA ConfigMap | `[]` | +| `kubernetesGateway.backendTLSPolicy.validation.wellKnownCACertificates` | Use well-known CA certs (e.g. `System`). Mutually exclusive with `caCertificateRefs` | `""` | +| `kubernetesGateway.backendTLSPolicy.tls.existingSecretName` | Reference an existing kubernetes.io/tls Secret for the backend cert. When set, no secret is created | `""` | +| `kubernetesGateway.backendTLSPolicy.tls.bootstrap` | Enable SSL key bootstrap into the pod. Set `false` when you only need the BackendTLSPolicy resource | `true` | +| `kubernetesGateway.backendTLSPolicy.tls.forceBootstrap` | Force the bootstrap script on every install/upgrade (db-backed gateways skip on upgrade by default) | `false` | +| `kubernetesGateway.backendTLSPolicy.labels` | Additional labels for the BackendTLSPolicy | `{}` | +| `kubernetesGateway.backendTLSPolicy.annotations` | Additional annotations for the BackendTLSPolicy | `{}` | +| `kubernetesGateway.labels` | Labels applied to all Gateway API resources | `{}` | +| `kubernetesGateway.annotations` | Annotations applied to all Gateway API resources | `{}` | +| `startupProbe.enabled` | Enable/Disable | `false` | +| `startupProbe.initialDelaySeconds` | Initial delay | `60` | +| `startupProbe.timeoutSeconds` | Timeout | `1` | +| `startupProbe.periodSeconds` | Frequency | `10` | +| `startupProbe.successThreshold` | Success Threshold | `1` | +| `startupProbe.failureThreshold` | Failure Threshold | `10` | +| `livenessProbe.enabled` | Enable/Disable | `true` | +| `livenessProbe.initialDelaySeconds` | Initial delay | `60` | +| `livenessProbe.timeoutSeconds` | Timeout | `1` | +| `livenessProbe.periodSeconds` | Frequency | `10` | +| `livenessProbe.successThreshold` | Success Threshold | `1` | +| `livenessProbe.failureThreshold` | Failure Threshold | `10` | +| `readinessProbe.enabled` | Enable/Disable | `true` | +| `readinessProbe.initialDelaySeconds` | Initial delay | `60` | +| `readinessProbe.timeoutSeconds` | Timeout | `1` | +| `readinessProbe.periodSeconds` | Frequency | `10` | +| `readinessProbe.successThreshold` | Success Threshold | `1` | +| `readinessProbe.failureThreshold` | Failure Threshold | `10` | +| `resources.limits` | Resource Limits | `{}` | +| `resources.requests` | Resource Requests | `{}` | +| `nodeSelector` | [Node Selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) | `{}` | +| `affinity` | [Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) | `{}` | +| `topologySpreadConstraints` | [Topology Spread Constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/#spread-constraints-for-pods) | `[]` | +| `tolerations` | [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) | `[]` | +| `podSecurityContext` | [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | `[]` | +| `containerSecurityContext` | [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | `{}` | +| `bootstrap.script.enabled` | Enable the bootstrap script | `false` | [Back to Additional Guides](#additional-guides) ## Port Configuration - There are two types of port configuration available in the Gateway Helm Chart that are configured in the following ways ### Container/Service Level Ports ### Default Gateway Service - Sample entry that exposes 8443 which is one of the default TLS port on the API Gateway using service type LoadBalancer. - ``` service: type: LoadBalancer @@ -337,7 +304,6 @@ service: ``` ### Production Values Default - Sample entry that exposes 8443 which is one of the default TLS ports on the API Gateway Note that the service type is ClusterIP which does not receive an external IP address. We can make this service accessible by configuring an [ingress resource](#ingress-configuration). @@ -351,9 +317,7 @@ service: external: 8443 protocol: TCP ``` - ### Gateway Management Service - The Gateway Management Service is primarily used to expose Gateway Ports that you wish to use for Internal Management Access for tools like Policy Manager. This Service requires the [PM Tagger](#pm-tagger) to function correctly. ``` @@ -375,23 +339,19 @@ management: [Back to Additional Guides](#additional-guides) ### OTK Compatibility with Gateway 11.2 - These below information is relevant for those who are upgrading their Gateway to version 11.2 and utilizing the OAuth Toolkit (OTK) - -1. **OTK 4.6.4 & OTK 4.7.0 ** are presently the only versions that provides seamless support for Gateway versions 11.2 & greater -2. Upgrading to 4.6.4 & 4.7.0 should be tested & validated in a lower environment prior to production rollout -3. For older versions (< OTK 4.6.4), the below steps have to be followed to ensure smooth transition to Gateway 11.2 - - After upgrading Gateway to 11.2 If there is a necessity to install or upgrade to OTK version 4.6.3, 4.6.2, 4.6.1, or 4.6.0, please ensure to update the OTK image tag to use one of the below tags corresponding to the specific version being deployed: - - 4.6.0.1 - - 4.6.1.1 - - 4.6.2.1 - - 4.6.3.1 - - It has to be ensured that Evaluate JSON Path Assertion (V1) assertion is added to the GW. - - This will be provided as Tactical assertion. Please find more information on how to get the assertion [here](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-6/release-notes.html) - - In Helm chart, this can be done using init Containers. For more information & examples refer to [Utilities](https://github.com/Layer7-Community/Utilities/tree/main/gateway-init-container-examples) +1. **OTK 4.6.4** is presently the only version that provides seamless support for Gateway 11.2 +2. For older versions (< OTK 4.6.4), the below steps have to be followed to ensure smooth transition to Gateway 11.2 + * After upgrading Gateway to 11.2 If there is a necessity to install or upgrade to OTK version 4.6.3, 4.6.2, 4.6.1, or 4.6.0, please ensure to update the OTK image tag to use one of the below tags corresponding to the specific version being deployed: + * 4.6.0.1 + * 4.6.1.1 + * 4.6.2.1 + * 4.6.3.1 + * It has to be ensured that Evaluate JSON Path Assertion (V1) assertion is added to the GW. + * This will be provided as Tactical assertion. Please find more information on how to get the assertion [here](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-6/release-notes.html) + * In Helm chart, this can be done using init Containers. For more information & examples refer to [Utilities](https://github.com/Layer7-Community/Utilities/tree/main/gateway-init-container-examples) ### OTK install or upgrade - OTK can be install or upgrade gateway. Supports SINGLE, INTERNAL and DMZ types of OTK installations on db backed gateway. On ephermal gateway only SINGLE mode is supported. - On a database backed gateway, once gateway is healthy, k8s kind/job is used to install OTK using Restman ([OTK Headless installation](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-6/installation-workflow/install-the-oauth-solution-kit/headless-installation-of-otk-solution-kit.html)) @@ -399,21 +359,16 @@ OTK can be install or upgrade gateway. Supports SINGLE, INTERNAL and DMZ types - On a Ephemeral or database backed gateway, before the start of gateway, k8s job to used to install/update the OTK database (Cassandra database is not supported and should be upgraded [manually](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-6/installation-workflow/create-or-upgrade-the-otk-database.html)) ***NOTE:*** - 1. When installing or Upgrading Gateway with OTK enabled, add timeout with the helm command to ensure OTK install job waits for Gateway to be ready - ``` Example: The timeout of 900s is recommended for helm upgrade since it takes additional time to complete helm install otk layer7/gateway --set-file "license.value=path/license.xml" \ --set "license.accept=true,management.restman.enabled=true,otk.enabled=true" --timeout 900s ``` - -1. In dual gateway installation, restart the pods after OTK install or upgrade is required. +2. In dual gateway installation, restart the pods after OTK install or upgrade is required. Prerequisites: - -- Configure cluster wide property for otk.port pointing to gateway ingress port and OTK database type. - +* Configure cluster wide property for otk.port pointing to gateway ingress port and OTK database type. ``` config: cwp: @@ -424,10 +379,8 @@ config: - name: otk.dbsystem value: mysql ``` - -- Restman is enabled. Can be disabled once the install/upgrage is complete. - - This is not applicable for ephemeral GW - +* Restman is enabled. Can be disabled once the install/upgrage is complete. + * This is not applicable for ephemeral GW ``` management: restman: @@ -435,131 +388,125 @@ management: ``` Limitations: - -- OTK Instance modifiers are not supported. -- Install/Upgrade of OTK schema on cassandra database using kubernetes job is not supported. -- The Cassandra install scripts have to executed manually for new install scenario -- The Cassandra upgrade & data migration scripts(if any) have to be executed manually for upgrade scenario -- Dual gateway OTK set-up (otk.type: DMZ or INTERNAL) is not supported with ephemeral gateway. -- OTK upgrade to 4.6.3 will not upgrade the DB with utf8mb4 character set. This has to be done seperately following the steps provided in upgrade section in [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-6/installation-workflow/create-or-upgrade-the-otk-database/mysql-database.html) +* OTK Instance modifiers are not supported. +* Install/Upgrade of OTK schema on cassandra database using kubernetes job is not supported. +* The Cassandra install scripts have to executed manually for new install scenario +* The Cassandra upgrade & data migration scripts(if any) have to be executed manually for upgrade scenario +* Dual gateway OTK set-up (otk.type: DMZ or INTERNAL) is not supported with ephemeral gateway. +* OTK upgrade to 4.6.3 will not upgrade the DB with utf8mb4 character set. This has to be done seperately following the steps provided in upgrade section in [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-6/installation-workflow/create-or-upgrade-the-otk-database/mysql-database.html) OTK Deployment examples can be found [here](/examples/otk) -| Parameter | Description | Default | -| -------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------ | -| `otk.enabled` | Enable/Disable OTK installation or upgrade | `false` | -| `otk.type` | OTK installation type - SINGLE, DMZ or INTERNAL | `SINGLE` | -| `otk.forceInstallOrUpgrade` | Force install or upgrade by uninstalling existing otk soluction kit and install. | false | -| `otk.enablePortalIntegration` | Not applicable for DMZ and INTERNAL OTK types | `false` | -| `otk.skipPostInstallationTasks` | Skip post installation tasks for OTK type INTERNAL and DMZ Internal Gateway: - #OTK Client Context Variables - #OTK id_token configuration DMZ Gateway: - #OTK OVP Configuration - #OTK Storage Configuration | `false` | -| `otk.skipInternalServerTools` | Skip installation of the optional sub soluction Kit: Internal, Server Tools. The Oauth Manager & Oauth Test Client will not be installed | `false` | -| `otk.internalGatewayHost` | Internal gateway host for OTK type DMZ | | -| `otk.internalGatewayPort` | Internal gateway post for OTK type DMZ | | -| `otk.dmzGatewayHost` | DMZ gateway host for OTK type INTERNAL | | -| `otk.networkMask` | Network mask used in the 'Restrict Access to IP Address Range Assertion' to protect the schedule jobs and health checks. | `16` | -| `otk.startIP` | Start IP used in the 'Restrict Access to IP Address Range Assertion' to protect the schedule jobs and health checks. | `240.224.2.1` | -| `otk.cert.dmzGatewayCert` | DMZ gateway certificate (encoded) for OTK type DMZ | | -| `otk.cert.internalGatewayIssuer` | DMZ gateway certificate issuer for OTK type DMZ | | -| `otk.cert.dmzGatewaySerial` | DMZ gateway certificate serial for OTK type DMZ | | -| `otk.cert.dmzGatewaySubject` | DMZ gateway certificate subject for OTK type DMZ | | -| `otk.cert.internalGatewayCert` | INTERNAL gateway certificate (encoded) for OTK type INTERNAL | | -| `otk.cert.internalGatewayIssuer` | INTERNAL gateway certificate issuer for OTK type INTERNAL | | -| `otk.cert.internalGatewaySerial` | INTERNAL gateway certificate serial for OTK type INTERNAL | | -| `otk.cert.internalGatewaySubject` | INTERNAL gateway certificate subject for OTK type INTERNAL | | -| `otk.customizations.existingBundle.enabled` | Enable mounting existing configMaps/Secrets that contain OTK Bundles - see values.yaml for more info | `false` | -| `otk.dmzGatewayPort` | DMZ gateway port for OTK type INTERNAL | | -| `otk.subSolutionKitNames` | List of comma seperated sub soluction Kits to install or upgrade. | | -| `otk.job.image.repository` | Image Repositor | `caapim/otk-install` | -| `otk.job.image.tag` | Image Tag. (OTK version) | `4.6` | -| `otk.job.image.pullPolicy` | Image Pull Policy | `IfNotPresent` | -| `otk.job.image.labels` | Job lables | {} | -| `otk.job.image.nodeSelector` | Job Node selector | {} | -| `otk.job.image.tolerations` | Job tolerations | [] | -| `otk.job.podLabels` | OTK Job podLabels | {} | -| `otk.job.podAnnotations` | OTK Job podAnnotations | {} | -| `otk.job.resources` | OTK Job resources | {} | -| `otk.job.scheduledTasksSuccessfulJobsHistoryLimit` | OTK db maintenance scheduled job success history limit | `1` | -| `otk.job.scheduledTasksFailedJobsHistoryLimit` | OTK db maintenance scheduled job failed history limit | `1` | -| `otk.bootstrapDir` | The location of OTK artifacts in the image | `/opt/SecureSpan/Gateway/node/default/etc/bootstrap/bundle/000OTK` | -| `otk.database.type` | OTK database type - mysql/oracle/cassandra | `mysql` | -| `otk.database.waitTimeout` | OTK database connection wait timeout in seconds | `60` | -| `otk.database.dbUpgrade` | Enable/Disable OTK DB Upgrade | `true` | -| `otk.database.useDemoDb` | Enable/Disable OTK Demo DB | `true` | -| `otk.database.sql.createTestClients` | Enable/Disable creation of demo test clients | `false` | -| `otk.database.sql.testClientsRedirectUrlPrefix` | The value of redirect_uri prefix (Example: [https://test.com:8443](https://test.com:8443)) Required if createTestClients is `true` | | -| `otk.database.changeLogSync` | Applicable for OTK versions 4.6.3 & older only. If using existing non liquibase OTK DB then perform manual OTK DB upgrade and set 'changeLogSync' to true. This is a onetime activity to initialize liquibase related tables on OTK DB. Set to false for successive helm upgrade. | `false` | -| `otk.database.updateConnection` | Update database connection properties during helm upgrade | `true` | -| `otk.database.connectionName` | OTK database connection name | `OAuth` | -| `otk.database.existingSecretName` | Point to an existing OTK database Secret | | -| `otk.database.username` | OTK database user name | | -| `otk.database.password` | OTK database password | | -| `otk.database.properties` | OTK database additional properties | `{}` | -| `otk.database.sql.ddlUsername` | OTK database user name used for OTK DB creation | | -| `otk.database.sql.ddlPassword` | OTK database password used for OTK DB creation | | -| `otk.database.sql.type` | OTK database type (mysql/oracle/cassandra) | `mysql` | -| `otk.database.sql.jdbcURL` | OTK database sql jdbc URL (oracle/mysql) | | -| `otk.database.sql.jdbcDriverClass` | OTK database sql driver class name (oracle/mysql) | | -| `otk.database.sql.databaseName` | OTK database Oracle database name or Demo db name | | -| `otk.database.sql.connectionProperties` | OTK database mysql connection properties (oracle/mysql) | `{}` | -| `otk.database.readOnlyConnection.enabled` | Enable/Disable OTK read only database connection | `false` | -| `otk.database.readOnlyConnection.connectionName` | OTK read only database connection name | `OAuth_ReadOnly` | -| `otk.database.readOnlyConnection.existingSecretName` | Point to an existing OTK read only database Secret | | -| `otk.database.readOnlyConnection.username` | OTK read only database user name | | -| `otk.database.readOnlyConnection.password` | OTK read only database password | | -| `otk.database.readOnlyConnection.properties` | OTK read only database additional properties | `{}` | -| `otk.database.readOnlyConnection.jdbcURL` | OTK read only database sql jdbc URL (oracle/mysql) | | -| `otk.database.readOnlyConnection.jdbcDriverClass` | OTK read only database sql driver class name (oracle/mysql) | | -| `otk.database.readOnlyConnection.connectionProperties` | OTK read only database mysql connection properties (oracle/mysql) | `{}` | -| `otk.database.readOnlyConnection.databaseName` | OTK read only Oracle database name | | -| `otk.database.clientReadConnection.enabled` | Enable/Disable OTK Client Read only database connection | `false` | -| `otk.database.clientReadConnection.connectionName` | OTK Client Read only database connection name | `OAuth_Client_Read` | -| `otk.database.clientReadConnection.existingSecretName` | Point to an existing OTK Client Read only database Secret | | -| `otk.database.clientReadConnection.username` | OTK Client Read only database user name | | -| `otk.database.clientReadConnection.password` | OTK Client Read only database password | | -| `otk.database.clientReadConnection.properties` | OTK Client Read only database additional properties | `{}` | -| `otk.database.clientReadConnection.jdbcURL` | OTK Client Read only database sql jdbc URL (oracle/mysql) | | -| `otk.database.clientReadConnection.jdbcDriverClass` | OTK Client Read only database sql driver class name (oracle/mysql) | | -| `otk.database.clientReadConnection.connectionProperties` | OTK Client Read only database mysql connection properties (oracle/mysql) | `{}` | -| `otk.database.clientReadConnection.databaseName` | OTK Client Read only Oracle database name | | -| `otk.database.cassandra.connectionPoints` | OTK database cassandra connection points (comma seperated) | | -| `otk.database.cassandra.port` | OTK database cassandra connection port | | -| `otk.database.cassandra.keyspace` | OTK database cassandra keyspace | | -| `otk.database.cassandra.driverConfig` | OTK database cassandra driver config (Gateway 11+) | `{}` | -| `otk.healthCheckBundle.enabled` | Enable/Disable installation of OTK health check service bundle | `false` | -| `otk.healthCheckBundle.useExisting` | Use exising OTK health check service bundle | `false` | -| `otk.healthCheckBundle.name` | OTK health check service bundle name | `otk-health-check-bundle-config` | -| `otk.livenessProbe.enabled` | Enable/Disable. Requires otk.healthCheckBundle.enabled set to true and OTK version >= 4.6.1. Valid only for SINGLE and INTERNAL OTK type installation. | `true` | -| `otk.livenessProbe.type` | | `httpGet` | -| `otk.livenessProbe.httpGet.path` | | `/auth/oauth/health` | -| `otk.livenessProbe.httpGet.port` | | `8443` | -| `otk.readinessProbe.enabled` | Enable/Disable. Requires otk.healthCheckBundle.enabled set to true and OTK version >= 4.6.1. Valid only for SINGLE and INTERNAL OTK type installation. | `true` | -| `otk.readinessProbe.type` | | `httpGet` | -| `otk.readinessProbe.httpGet.path` | | `/auth/oauth/health` | -| `otk.readinessProbe.httpGet.port` | | `8443` | - +| Parameter | Description | Default | +| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | +| `otk.enabled` | Enable/Disable OTK installation or upgrade | `false` | +| `otk.type` | OTK installation type - SINGLE, DMZ or INTERNAL | `SINGLE` +| `otk.forceInstallOrUpgrade` | Force install or upgrade by uninstalling existing otk soluction kit and install. | false +| `otk.enablePortalIntegration` | Not applicable for DMZ and INTERNAL OTK types | `false` +| `otk.skipPostInstallationTasks` | Skip post installation tasks for OTK type INTERNAL and DMZ
Internal Gateway:
- #OTK Client Context Variables
- #OTK id_token configuration
DMZ Gateway:
- #OTK OVP Configuration
- #OTK Storage Configuration | `false` +| `otk.skipInternalServerTools` | Skip installation of the optional sub soluction Kit: Internal, Server Tools.
The Oauth Manager & Oauth Test Client will not be installed | `false` +| `otk.internalGatewayHost` | Internal gateway host for OTK type DMZ| +| `otk.internalGatewayPort` | Internal gateway post for OTK type DMZ| +| `otk.dmzGatewayHost` | DMZ gateway host for OTK type INTERNAL| +| `otk.networkMask` | Network mask used in the 'Restrict Access to IP Address Range Assertion' to protect the schedule jobs and health checks.| `16` | +| `otk.startIP` | Start IP used in the 'Restrict Access to IP Address Range Assertion' to protect the schedule jobs and health checks.| `240.224.2.1` | +| `otk.cert.dmzGatewayCert` | DMZ gateway certificate (encoded) for OTK type DMZ | +| `otk.cert.internalGatewayIssuer` | DMZ gateway certificate issuer for OTK type DMZ | +| `otk.cert.dmzGatewaySerial` | DMZ gateway certificate serial for OTK type DMZ | +| `otk.cert.dmzGatewaySubject` | DMZ gateway certificate subject for OTK type DMZ | +| `otk.cert.internalGatewayCert` | INTERNAL gateway certificate (encoded) for OTK type INTERNAL | +| `otk.cert.internalGatewayIssuer` | INTERNAL gateway certificate issuer for OTK type INTERNAL | +| `otk.cert.internalGatewaySerial` | INTERNAL gateway certificate serial for OTK type INTERNAL | +| `otk.cert.internalGatewaySubject` | INTERNAL gateway certificate subject for OTK type INTERNAL | +| `otk.customizations.existingBundle.enabled` | Enable mounting existing configMaps/Secrets that contain OTK Bundles - see values.yaml for more info | `false` | +| `otk.dmzGatewayPort` | DMZ gateway port for OTK type INTERNAL| +| `otk.subSolutionKitNames` | List of comma seperated sub soluction Kits to install or upgrade. | +| `otk.job.image.repository` | Image Repositor | `caapim/otk-install` +| `otk.job.image.tag` | Image Tag. (OTK version) | `4.6` +| `otk.job.image.pullPolicy` | Image Pull Policy | `IfNotPresent` +| `otk.job.image.labels` | Job lables | {} +| `otk.job.image.nodeSelector` | Job Node selector | {} +| `otk.job.image.tolerations` | Job tolerations | [] +| `otk.job.podLabels` | OTK Job podLabels | {} +| `otk.job.podAnnotations` | OTK Job podAnnotations | {} +| `otk.job.resources` | OTK Job resources | {} +| `otk.job.scheduledTasksSuccessfulJobsHistoryLimit`| OTK db maintenance scheduled job success history limit | `1` | +| `otk.job.scheduledTasksFailedJobsHistoryLimit`| OTK db maintenance scheduled job failed history limit | `1` | +| `otk.bootstrapDir`| The location of OTK artifacts in the image | `/opt/SecureSpan/Gateway/node/default/etc/bootstrap/bundle/000OTK` | +| `otk.database.type` | OTK database type - mysql/oracle/cassandra | `mysql` +| `otk.database.waitTimeout` | OTK database connection wait timeout in seconds | `60`| +| `otk.database.dbUpgrade` | Enable/Disable OTK DB Upgrade| `true` | +| `otk.database.useDemoDb` | Enable/Disable OTK Demo DB | `true` | +| `otk.database.sql.createTestClients` | Enable/Disable creation of demo test clients | `false` | +| `otk.database.sql.testClientsRedirectUrlPrefix` | The value of redirect_uri prefix (Example: https://test.com:8443) Required if createTestClients is `true` | | +| `otk.database.changeLogSync` | Applicable for OTK versions 4.6.3 & older only. If using existing non liquibase OTK DB then perform manual OTK DB upgrade and set 'changeLogSync' to true.
This is a onetime activity to initialize liquibase related tables on OTK DB. Set to false for successive helm upgrade. | `false`| +| `otk.database.updateConnection` | Update database connection properties during helm upgrade | `true`| +| `otk.database.connectionName` | OTK database connection name | `OAuth` +| `otk.database.existingSecretName` | Point to an existing OTK database Secret | +| `otk.database.username` | OTK database user name | +| `otk.database.password` | OTK database password | +| `otk.database.properties` | OTK database additional properties | `{}` +| `otk.database.sql.ddlUsername` | OTK database user name used for OTK DB creation | +| `otk.database.sql.ddlPassword` | OTK database password used for OTK DB creation | +| `otk.database.sql.type` | OTK database type (mysql/oracle/cassandra) | `mysql` +| `otk.database.sql.jdbcURL` | OTK database sql jdbc URL (oracle/mysql) | +| `otk.database.sql.jdbcDriverClass`| OTK database sql driver class name (oracle/mysql) | +| `otk.database.sql.databaseName` | OTK database Oracle database name or Demo db name | +| `otk.database.sql.connectionProperties`| OTK database mysql connection properties (oracle/mysql) | `{}` +| `otk.database.readOnlyConnection.enabled` | Enable/Disable OTK read only database connection | `false` | +| `otk.database.readOnlyConnection.connectionName` | OTK read only database connection name | `OAuth_ReadOnly` | +| `otk.database.readOnlyConnection.existingSecretName` | Point to an existing OTK read only database Secret | +| `otk.database.readOnlyConnection.username` | OTK read only database user name| +| `otk.database.readOnlyConnection.password` | OTK read only database password | +| `otk.database.readOnlyConnection.properties` | OTK read only database additional properties | `{}` | +| `otk.database.readOnlyConnection.jdbcURL` | OTK read only database sql jdbc URL (oracle/mysql) | +| `otk.database.readOnlyConnection.jdbcDriverClass` | OTK read only database sql driver class name (oracle/mysql) | +| `otk.database.readOnlyConnection.connectionProperties`| OTK read only database mysql connection properties (oracle/mysql) | `{}` +| `otk.database.readOnlyConnection.databaseName` | OTK read only Oracle database name | +| `otk.database.clientReadConnection.enabled` | Enable/Disable OTK Client Read only database connection | `false` | +| `otk.database.clientReadConnection.connectionName` | OTK Client Read only database connection name | `OAuth_Client_Read` | +| `otk.database.clientReadConnection.existingSecretName` | Point to an existing OTK Client Read only database Secret | +| `otk.database.clientReadConnection.username` | OTK Client Read only database user name | +| `otk.database.clientReadConnection.password` | OTK Client Read only database password | +| `otk.database.clientReadConnection.properties` | OTK Client Read only database additional properties | `{}` | +| `otk.database.clientReadConnection.jdbcURL` | OTK Client Read only database sql jdbc URL (oracle/mysql) | +| `otk.database.clientReadConnection.jdbcDriverClass` | OTK Client Read only database sql driver class name (oracle/mysql) | +| `otk.database.clientReadConnection.connectionProperties`| OTK Client Read only database mysql connection properties (oracle/mysql) | `{}` +| `otk.database.clientReadConnection.databaseName` | OTK Client Read only Oracle database name | +| `otk.database.cassandra.connectionPoints` | OTK database cassandra connection points (comma seperated) | +| `otk.database.cassandra.port` | OTK database cassandra connection port | +| `otk.database.cassandra.keyspace` | OTK database cassandra keyspace | +| `otk.database.cassandra.driverConfig` | OTK database cassandra driver config (Gateway 11+) | `{}` +| `otk.healthCheckBundle.enabled` | Enable/Disable installation of OTK health check service bundle | `false` +| `otk.healthCheckBundle.useExisting` | Use exising OTK health check service bundle | `false` +| `otk.healthCheckBundle.name` | OTK health check service bundle name | `otk-health-check-bundle-config` +| `otk.livenessProbe.enabled` | Enable/Disable. Requires otk.healthCheckBundle.enabled set to true and OTK version >= 4.6.1. Valid only for SINGLE and INTERNAL OTK type installation. | `true` +| `otk.livenessProbe.type` | | `httpGet` +| `otk.livenessProbe.httpGet.path` | | `/auth/oauth/health` +| `otk.livenessProbe.httpGet.port` | | `8443` +| `otk.readinessProbe.enabled` | Enable/Disable. Requires otk.healthCheckBundle.enabled set to true and OTK version >= 4.6.1. Valid only for SINGLE and INTERNAL OTK type installation. | `true` +| `otk.readinessProbe.type` | | `httpGet` +| `otk.readinessProbe.httpGet.path` | | `/auth/oauth/health` +| `otk.readinessProbe.httpGet.port` | | `8443` #### Note: - -- In case of ephemeral GW instances where there only updates to OTK, it should be done using Helm --force option +* In case of ephemeral GW instances where there only updates to OTK, it should be done using Helm --force option [Back to Additional Guides](#additional-guides) ### Gateway Application Ports - Once you have decided on which container ports you would like to expose, you need to create the corresponding ports on the API Gateway. *These will need match the corresponding service and management service ports above.* This configuration creates and mounts a gateway bundle, if you wish to maintain Gateway ports outside of the Gateway Chart you can either use Policy Manager or create and mount your own bundle in the existingBundle section. By default the following ports are created - - 8080 (HTTP - disabled) - 8443 (HTTPS - Published service message input only) - 9443 (HTTPS - Published service message input only, Administrative access, Browser-based administration, Built-in services) Things to note before you get started: - - If you are deploying the Gateway with a fresh MySQL database - This port configuration will replace the defaults. - If you are using an existing database @@ -639,11 +586,9 @@ config: [Back to Additional Guides](#additional-guides) ### Ingress Configuration - The Gateway Helm Chart allows you to configure an Ingress Resource that your central Ingress Controller can manage. You can find more information on [Ingress Controllers](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/) here. If your ingress controller is private and you would like to create an ingress record/route for the management service you can use the following configuration - ``` ... rules: @@ -661,7 +606,6 @@ If your ingress controller is private and you would like to create an ingress re ``` New Ingress Configuration Gateway Chart >= 3.0.31 (openshift route support) - ``` ingress: # Set to true to create ingress or route object @@ -712,7 +656,6 @@ ingress: ``` New Ingress Configuration Gateway Chart >= 3.0.0 - ``` ingress: enabled: true @@ -751,7 +694,6 @@ ingress: ``` This represents the ingress configuration for Gateway Chart < 3.0.0 you need to configure an Ingress Resource for the API Gateway - ``` ingress: enabled: true @@ -774,11 +716,9 @@ ingress: [Back to Additional Guides](#additional-guides) ### Kubernetes Gateway API Configuration - The Gateway Helm Chart supports the [Kubernetes Gateway API](https://gateway-api.sigs.k8s.io/) as an alternative to Ingress. The implementation is controller-agnostic and has been tested with [Contour](https://projectcontour.io/) and [Envoy Gateway](https://gateway.envoyproxy.io/). See [examples/ingress](../../examples/ingress) for controller installation instructions. **Requirements:** - - Gateway API CRDs must be installed. These are typically bundled with your Gateway controller (e.g. Contour, Envoy Gateway). To install them separately, see the [Gateway API releases](https://github.com/kubernetes-sigs/gateway-api/releases) - A `GatewayClass` must be available on the cluster (e.g. `contour`, `envoy-gateway`) @@ -789,14 +729,12 @@ The Gateway Helm Chart supports the [Kubernetes Gateway API](https://gateway-api **Route Modes:** The chart supports two route modes: - - **HTTPRoute** (default) -- TLS is terminated at the Kubernetes Gateway and re-encrypted to the Layer7 Gateway backend. Requires `backendTLSPolicy` to be enabled so the Gateway controller can validate the backend certificate. - **TLSRoute** -- TLS passthrough via SNI-based routing. The Kubernetes Gateway does not terminate TLS. The Layer7 Gateway handles TLS directly. **Gateway Resource:** The chart supports two modes for the Gateway resource: - - **Create a new Gateway** -- set `kubernetesGateway.gateway.create: true` with a `gatewayClassName`. The chart creates a Gateway with auto-generated listeners from route hostnames. - **Use an existing Gateway** -- set `kubernetesGateway.gateway.create: false` and provide `kubernetesGateway.gateway.existingRef.name` / `.namespace`. Routes attach to the existing Gateway via `parentRefs`. This is useful when sharing a Gateway across charts. See [Shared Gateway](../../examples/ingress#shared-gateway) for details. @@ -807,7 +745,6 @@ When using HTTPRoute, the Layer7 Gateway backend speaks HTTPS. Since the Gateway **Management Service Routing:** To route management traffic through the same Gateway, set `backend: management` on a rule: - ``` kubernetesGateway: enabled: true @@ -834,78 +771,71 @@ kubernetesGateway: enabled: true ``` - -| Parameter | Description | Default | -| ----------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------ | -| `kubernetesGateway.enabled` | Enable Kubernetes Gateway API resources | `false` | -| `kubernetesGateway.gateway.create` | Create a new Gateway resource | `false` | -| `kubernetesGateway.gateway.gatewayClassName` | GatewayClass name (e.g. `contour`, `eg`). Required when `gateway.create` is `true` | `""` | -| `kubernetesGateway.gateway.addresses` | Optional addresses for the Gateway (e.g. static IPs). Array of `{type, value}` | `[]` | -| `kubernetesGateway.gateway.existingRef.name` | Name of an existing Gateway to reference | `""` | -| `kubernetesGateway.gateway.existingRef.namespace` | Namespace of the existing Gateway | `""` | -| `kubernetesGateway.gateway.tls.existingSecretName` | Existing TLS Secret for the Gateway listener | `""` | -| `kubernetesGateway.gateway.labels` | Additional labels for the Gateway resource | `{}` | -| `kubernetesGateway.gateway.annotations` | Additional annotations for the Gateway resource | `{}` | -| `kubernetesGateway.httpRoute.enabled` | Enable HTTPRoute resource | `true` | -| `kubernetesGateway.httpRoute.rules` | HTTPRoute rules. Each rule routes to the chart's own service | `see values.yaml` | -| `kubernetesGateway.httpRoute.labels` | Additional labels for the HTTPRoute | `{}` | -| `kubernetesGateway.httpRoute.annotations` | Additional annotations for the HTTPRoute | `{}` | -| `kubernetesGateway.tlsRoute.enabled` | Enable TLSRoute resource (SNI passthrough) | `false` | -| `kubernetesGateway.tlsRoute.apiVersion` | TLSRoute API version. Set to `gateway.networking.k8s.io/v1` when your CRDs include TLSRoute at v1 | `gateway.networking.k8s.io/v1alpha2` | -| `kubernetesGateway.tlsRoute.rules` | TLSRoute rules. Each rule routes to the chart's own service | `see values.yaml` | -| `kubernetesGateway.tlsRoute.labels` | Additional labels for the TLSRoute | `{}` | -| `kubernetesGateway.tlsRoute.annotations` | Additional annotations for the TLSRoute | `{}` | -| `kubernetesGateway.backendTLSPolicy.enabled` | Enable BackendTLSPolicy for Gateway-to-backend TLS | `false` | -| `kubernetesGateway.backendTLSPolicy.excludePorts` | Ports to exclude from targetRefs. When empty, the policy covers all ports (no `sectionName`). When set, each non-excluded port gets an explicit targetRef with `sectionName` | `[]` | -| `kubernetesGateway.backendTLSPolicy.validation.hostname` | Hostname for backend TLS validation. If empty, defaults to `..svc.cluster.local` | `""` | -| `kubernetesGateway.backendTLSPolicy.validation.caCertificateRefs` | CA certificate references. If empty, defaults to the auto-generated CA ConfigMap | `[]` | -| `kubernetesGateway.backendTLSPolicy.validation.wellKnownCACertificates` | Use well-known CA certs (e.g. `System`). Mutually exclusive with `caCertificateRefs` | `""` | -| `kubernetesGateway.backendTLSPolicy.tls.existingSecretName` | Existing TLS Secret for the backend certificate | `""` | -| `kubernetesGateway.backendTLSPolicy.tls.bootstrap` | Enable SSL key bootstrap into the pod. Set `false` when you only need the BackendTLSPolicy resource | `true` | -| `kubernetesGateway.backendTLSPolicy.tls.forceBootstrap` | Force the bootstrap script on every install/upgrade (db-backed gateways skip on upgrade by default) | `false` | -| `kubernetesGateway.backendTLSPolicy.labels` | Additional labels for the BackendTLSPolicy | `{}` | -| `kubernetesGateway.backendTLSPolicy.annotations` | Additional annotations for the BackendTLSPolicy | `{}` | -| `kubernetesGateway.labels` | Labels applied to all Gateway API resources | `{}` | -| `kubernetesGateway.annotations` | Annotations applied to all Gateway API resources | `{}` | - +| Parameter | Description | Default | +|---|---|---| +| `kubernetesGateway.enabled` | Enable Kubernetes Gateway API resources | `false` | +| `kubernetesGateway.gateway.create` | Create a new Gateway resource | `false` | +| `kubernetesGateway.gateway.gatewayClassName` | GatewayClass name (e.g. `contour`, `eg`). Required when `gateway.create` is `true` | `""` | +| `kubernetesGateway.gateway.addresses` | Optional addresses for the Gateway (e.g. static IPs). Array of `{type, value}` | `[]` | +| `kubernetesGateway.gateway.existingRef.name` | Name of an existing Gateway to reference | `""` | +| `kubernetesGateway.gateway.existingRef.namespace` | Namespace of the existing Gateway | `""` | +| `kubernetesGateway.gateway.tls.existingSecretName` | Existing TLS Secret for the Gateway listener | `""` | +| `kubernetesGateway.gateway.labels` | Additional labels for the Gateway resource | `{}` | +| `kubernetesGateway.gateway.annotations` | Additional annotations for the Gateway resource | `{}` | +| `kubernetesGateway.httpRoute.enabled` | Enable HTTPRoute resource | `true` | +| `kubernetesGateway.httpRoute.rules` | HTTPRoute rules. Each rule routes to the chart's own service | `see values.yaml` | +| `kubernetesGateway.httpRoute.labels` | Additional labels for the HTTPRoute | `{}` | +| `kubernetesGateway.httpRoute.annotations` | Additional annotations for the HTTPRoute | `{}` | +| `kubernetesGateway.tlsRoute.enabled` | Enable TLSRoute resource (SNI passthrough) | `false` | +| `kubernetesGateway.tlsRoute.apiVersion` | TLSRoute API version. Set to `gateway.networking.k8s.io/v1` when your CRDs include TLSRoute at v1 | `gateway.networking.k8s.io/v1alpha2` | +| `kubernetesGateway.tlsRoute.rules` | TLSRoute rules. Each rule routes to the chart's own service | `see values.yaml` | +| `kubernetesGateway.tlsRoute.labels` | Additional labels for the TLSRoute | `{}` | +| `kubernetesGateway.tlsRoute.annotations` | Additional annotations for the TLSRoute | `{}` | +| `kubernetesGateway.backendTLSPolicy.enabled` | Enable BackendTLSPolicy for Gateway-to-backend TLS | `false` | +| `kubernetesGateway.backendTLSPolicy.excludePorts` | Ports to exclude from targetRefs. When empty, the policy covers all ports (no `sectionName`). When set, each non-excluded port gets an explicit targetRef with `sectionName` | `[]` | +| `kubernetesGateway.backendTLSPolicy.validation.hostname` | Hostname for backend TLS validation. If empty, defaults to `..svc.cluster.local` | `""` | +| `kubernetesGateway.backendTLSPolicy.validation.caCertificateRefs` | CA certificate references. If empty, defaults to the auto-generated CA ConfigMap | `[]` | +| `kubernetesGateway.backendTLSPolicy.validation.wellKnownCACertificates` | Use well-known CA certs (e.g. `System`). Mutually exclusive with `caCertificateRefs` | `""` | +| `kubernetesGateway.backendTLSPolicy.tls.existingSecretName` | Existing TLS Secret for the backend certificate | `""` | +| `kubernetesGateway.backendTLSPolicy.tls.bootstrap` | Enable SSL key bootstrap into the pod. Set `false` when you only need the BackendTLSPolicy resource | `true` | +| `kubernetesGateway.backendTLSPolicy.tls.forceBootstrap` | Force the bootstrap script on every install/upgrade (db-backed gateways skip on upgrade by default) | `false` | +| `kubernetesGateway.backendTLSPolicy.labels` | Additional labels for the BackendTLSPolicy | `{}` | +| `kubernetesGateway.backendTLSPolicy.annotations` | Additional annotations for the BackendTLSPolicy | `{}` | +| `kubernetesGateway.labels` | Labels applied to all Gateway API resources | `{}` | +| `kubernetesGateway.annotations` | Annotations applied to all Gateway API resources | `{}` | [Back to Additional Guides](#additional-guides) ### PM Tagger Configuration - [PM (Policy Manager) Tagger](https://github.com/gvermeulen7205/pm-tagger) is a lightweight go application that works in conjunction with the management service to provide a stable connection to your container gateway via Policy Manager. - -| Parameter | Description | Default | -| ---------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------ | -| `pmtagger.enabled` | Enable pm-tagger | `false` | -| `pmtagger.replicas` | Replicas (you should never need more than one | `1` | -| `pmtagger.image.registry` | Image Registry | `docker.io` | -| `pmtagger.image.repository` | Image Repository | `caapim/pm-tagger` | -| `pmtagger.image.tag` | Image Tag | `1.0.3` | -| `pmtagger.image.pullPolicy` | Image Pull Policy | `IfNotPresent` | -| `pmtagger.image.imagePullSecret.enabled` | Use Image Pull secret - this uses the image pull secret configured for the API Gateway | `false` | -| `pmtagger.resources` | Resources | `see values.yaml` | -| `pmtagger.podLabels` | Pod Labels for the Gateway Pod | `{}` | -| `pmtagger.podAnnotations` | Pod Annotations apply to the Gateway Pod | `{}` | -| `pmtagger.nodeSelector` | [Node Selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) | `{}` | -| `pmtagger.affinity` | [Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) | `{}` | -| `pmtagger.topologySpreadConstraints` | [Topology Spread Constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/#spread-constraints-for-pods) | `[]` | -| `pmtagger.tolerations` | [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) | `[]` | -| `pmtagger.podSecurityContext` | [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | `[]` | -| `pmtagger.containerSecurityContext` | [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | `{}` | - +| Parameter | Description | Default | +| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | +| `pmtagger.enabled` | Enable pm-tagger | `false` | +| `pmtagger.replicas` | Replicas (you should never need more than one | `1` | +| `pmtagger.image.registry` | Image Registry | `docker.io` | +| `pmtagger.image.repository` | Image Repository | `caapim/pm-tagger` | +| `pmtagger.image.tag` | Image Tag | `1.0.3` | +| `pmtagger.image.pullPolicy` | Image Pull Policy | `IfNotPresent` | +| `pmtagger.image.imagePullSecret.enabled` | Use Image Pull secret - this uses the image pull secret configured for the API Gateway | `false` | +| `pmtagger.resources` | Resources | `see values.yaml` | +| `pmtagger.podLabels` | Pod Labels for the Gateway Pod | `{}` | +| `pmtagger.podAnnotations` | Pod Annotations apply to the Gateway Pod | `{}` | +| `pmtagger.nodeSelector` | [Node Selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) | `{}` | +| `pmtagger.affinity` | [Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) | `{}` | +| `pmtagger.topologySpreadConstraints` | [Topology Spread Constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/#spread-constraints-for-pods) | `[]` | +| `pmtagger.tolerations` | [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) | `[]` | +| `pmtagger.podSecurityContext` | [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | `[]` | +| `pmtagger.containerSecurityContext` | [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | `{}` | [Back to Additional Guides](#additional-guides) ### OpenTelemetry Configuration - The Gateway from v11.1.00 can be configured to send telemetry to Observability backends [that support OpenTelemetry](https://opentelemetry.io/ecosystem/vendors/). Please see [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/11-1/install-configure-upgrade/configuring-opentelemetry-for-the-gateway.html) for more details about this integration. This feature is a ***preview feature*** for v11.1.00 and is ***intentionally disabled*** by default. As with any integration that generates telemetry, there is a performance drop when turning on the OpenTelemetry integration with all of the features enabled. There is an integration example available [here](https://github.com/Layer7-Community/Integrations/tree/main/grafana-stack-prometheus-otel) that details how to deploy and configure an observability backend to use with the Gateway. - - You are ***not required*** to use the observability stack that we provide as an example. - The observability stack that we provide ***is not*** production ready and should be used solely as an example or reference point. - OpenTelemetry is supported by [numerous vendors](https://opentelemetry.io/ecosystem/vendors/) @@ -913,13 +843,11 @@ There is an integration example available [here](https://github.com/Layer7-Commu ***NOTE: *** In our example we inject the OpenTelemetry Java Agent to the Container Gateway, this emits additional telemetry like JVM metrics. The Gateway has the OpenTelemetry SDK built-in making the OpenTelemetry Java Agent Optional, the key difference between the built-in SDK and the OTel Agent is that the SDK only captures Gateway application level traces and metrics, things like JVM metrics will not be captured in this mode. #### Gateway OTel Configuration - OpenTelemetry is configured on the Gateway in two places, system properties and cluster-wide Properties. The configuration below represents the minimal settings required to enable the built-in SDK and configure the Gateway to send telemetry to an OpenTelemetry Collector. These can be configured in values.yaml. See the section below to view examples of how and where to configure this. - config.otel - ``` config: ... @@ -935,8 +863,8 @@ config: # - test1=someEnvValue1 ``` -- system.properties +- system.properties ``` otel.sdk.disabled=false otel.java.global-autoconfigure.enabled=true @@ -946,18 +874,14 @@ otel.traces.exporter=otlp otel.metrics.exporter=otlp otel.logs.exporter=none ``` - - cluster-wide properties - ``` otel.enabled=true otel.serviceMetricEnabled=true otel.traceEnabled=true (if tracing is required) otel.traceConfig=(default {}) ``` - example otel.traceConfig - ``` { "services": [ @@ -981,29 +905,23 @@ example otel.traceConfig [Back to Additional Guides](#additional-guides) ##### Gateway OTel Examples (with or without the Optional Agent) - The integration example [here](https://github.com/Layer7-Community/Integrations/tree/main/grafana-stack-prometheus-otel) contains two Gateway examples (values.yaml overrides) that are configured to use the SDK only approach ***or*** include the Optional OTel Java Agent. There are two Grafana Dashboards included that show the differences in the telemetry that emitted from the Gateway. - - [SDK only, no agent](https://github.com/Layer7-Community/Integrations/tree/main/grafana-stack-prometheus-otel/gateway-example/gateway-sdk-only-values.yaml) - [Agent](https://github.com/Layer7-Community/Integrations/tree/main/grafana-stack-prometheus-otel/gateway-example/gateway-otel-java-agent-values.yaml) [Back to Additional Guides](#additional-guides) ### Shared State Preview Features - There are two preview features that you may choose to enable with Gateway v11.1.1 onwards. - - [Apply Distributed Rate Limit Assertion (Preview)](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/policy-assertions/assertion-palette/service-availability-assertions/apply-distributed-rate-limit-assertion.html) - [Key Value Storage Assertions (Preview)](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/policy-assertions/assertion-palette/service-availability-assertions/key-value-storage-assertions.html) To use the [Apply Distributed Rate Limit Assertion (Preview)](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/policy-assertions/assertion-palette/service-availability-assertions/apply-distributed-rate-limit-assertion.html), uncomment the following and set it to redis or externalhazelcast - ``` # com.l7tech.server.extension.sharedRateLimiterProvider=redis ``` To use the [Key Value Storage Assertions (Preview)](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/policy-assertions/assertion-palette/service-availability-assertions/key-value-storage-assertions.html), uncomment the following and set sharedKeyValueStoreProvider to redis or externalhazelcast - ``` # com.l7tech.external.assertions.keyvaluestore.sharedKeyValueStoreProvider=redis # com.l7tech.external.assertions.keyvaluestore.storeIdList=GW_STORE_ID @@ -1012,63 +930,54 @@ To use the [Key Value Storage Assertions (Preview)](https://techdocs.broadcom.co [Back to Additional Guides](#additional-guides) ### Redis Configuration - This enables integration with [Redis](https://redis.io/) which is a preview feature on the Layer7 Gateway. The following sections configure a redis configuration file on the Gateway. The following properties in config.systemProperties will need to be updated. **Important Note** The latest version of this chart uses a new format for Redis configuration that will simplify configuring additional shared state providers in the future. Please view [shared state provider config](#shared-state-provider-config) for more details. This is only compatible with Gateway v11.1.1. Comment out the following - ``` # com.l7tech.server.extension.sharedKeyValueStoreProvider=embeddedhazelcast # com.l7tech.server.extension.sharedCounterProvider=ssgdb ``` - Uncomment the following - ``` # com.l7tech.server.extension.sharedKeyValueStoreProvider=redis # com.l7tech.server.extension.sharedCounterProvider=redis # com.l7tech.server.extension.sharedRateLimiterProvider=redis ``` - -| Parameter | Description | Default | -| ------------------------------------ | ---------------------------------------------------------------------------------------------------------------------- | ------------------ | -| `config.redis.enabled` | Enable redis configuration | `false` | -| `config.redis.subChart.enabled` | Deploy the redis subChart | `true` | -| `config.redis.additionalProviders` | Configure additional Redis connections | `[]` | -| `config.redis.groupName` | Redis Group name | `l7GW` | -| `config.redis.commandTimeout` | Redis Command Timeout | `5000` | -| `config.redis.connectTimeout` | Redis Connect Timeout | `10000` | -| `config.redis.testOnStart` | Test the connection to Redis during Gateway start. If the conection fails and this is true, the Gateway will not start | `false` | -| `config.redis.auth.enabled` | Use auth for Redis | `false` | -| `config.redis.auth.username` | Redis username | `` | -| `config.redis.auth.password.encoded` | Password is encoded | `false` | -| `config.redis.auth.password.value` | Redis password | `mypassword` | -| `config.redis.sentinel.enabled` | Enable sentinel configuration | `true` | -| `config.redis.sentinel.masterSet` | Redis Master set | `mymaster` | -| `config.redis.sentinel.nodes` | Array of sentinel nodes host and port | `[]` | -| `config.redis.standalone.host` | Redis host if sentinel is not enabled | `redis-standalone` | -| `config.redis.standalone.port` | Redis port if sentinel is not enabled | `6379` | -| `config.redis.tls.enabled` | Enable SSL/TLS | `false` | -| `config.redis.tls.existingSecret` | Use an existing secret - must contain a key called tls.crt | `` | -| `config.redis.tls.verifyPeer` | Verify Peer | `true` | -| `config.redis.tls.redisCrt` | Redis Public Cert | `` | +| Parameter | Description | Default | +| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | +| `config.redis.enabled` | Enable redis configuration | `false` | +| `config.redis.subChart.enabled` | Deploy the redis subChart | `true` | +| `config.redis.additionalProviders` | Configure additional Redis connections | `[]` | +| `config.redis.groupName` | Redis Group name | `l7GW` | +| `config.redis.commandTimeout` | Redis Command Timeout | `5000` | +| `config.redis.connectTimeout` | Redis Connect Timeout | `10000` | +| `config.redis.testOnStart` | Test the connection to Redis during Gateway start. If the conection fails and this is true, the Gateway will not start | `false` | +| `config.redis.auth.enabled` | Use auth for Redis | `false` | +| `config.redis.auth.username` | Redis username | `` | +| `config.redis.auth.password.encoded` | Password is encoded | `false` | +| `config.redis.auth.password.value` | Redis password | `mypassword` | +| `config.redis.sentinel.enabled` | Enable sentinel configuration | `true` | +| `config.redis.sentinel.masterSet` | Redis Master set | `mymaster` | +| `config.redis.sentinel.nodes` | Array of sentinel nodes host and port | `[]` | +| `config.redis.standalone.host` | Redis host if sentinel is not enabled | `redis-standalone` | +| `config.redis.standalone.port` | Redis port if sentinel is not enabled | `6379` | +| `config.redis.tls.enabled` | Enable SSL/TLS | `false` | +| `config.redis.tls.existingSecret` | Use an existing secret - must contain a key called tls.crt | `` | +| `config.redis.tls.verifyPeer` | Verify Peer | `true` | +| `config.redis.tls.redisCrt` | Redis Public Cert | `` | #### Creating your own Redis Configuration - Please refer to [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw-11-0/install-configure-upgrade/connect-to-an-external-redis-datastore.html) for more context on the available configuration options #### Note - The Gateway supports Redis master auth only. The Gateway will not be able to connect to Redis if your Sentinel nodes have passwords. Please refer to the notes in values.yaml for details on config.redis.auth and redis.auth (subChart) ##### Redis Sentinel (11.1.1) - sharedstate_client.yaml - ``` redis: default: @@ -1092,9 +1001,7 @@ redis: ``` ##### Redis Standalone (11.1.1) - sharedstate_client.yaml - ``` redis: default: @@ -1116,9 +1023,7 @@ redis: ``` ##### Redis Sentinel (11.0.00_CR2 and 11.1.00) - redis.properties - ``` # Redis type can be sentinel or standalone redis.type=sentinel @@ -1135,15 +1040,13 @@ redis.properties # Additional Config redis.key.prefix.grpname=l7GW redis.commandTimeout=5000 -``` + ``` ##### Redis Standalone (11.1.00) - **Gateway Chart v3.0.30 onwards only supports Gateway 11.1.1 and later for Redis** if you are not upgrading to Gateway v11.1.1 please specify the --version flag when installing or upgrading your release. The Gateway supports SSL/TLS and Authentication when connecting to a standalone Redis instance. This configuration should only be used for development purposes redis.properties - ``` # Redis type can be sentinel or standalone redis.type=standalone @@ -1160,15 +1063,13 @@ redis.properties # Additional Config redis.key.prefix.grpname=l7GW redis.commandTimeout=5000 -``` + ``` ##### Redis Standalone (11.0.00_CR2) - **Gateway Chart v3.0.30 onwards only supports Gateway 11.1.1 and later for Redis** if you are not upgrading to Gateway v11.1.1 please specify the --version flag when installing or upgrading your release. The Gateway does not support SSL/TLS or Authentication when connecting to a standalone Redis instance. This configuration should only be used for development purposes redis.properties - ``` # Redis type can be sentinel or standalone # standalone does not support SSL or Auth @@ -1177,16 +1078,13 @@ redis.properties redis.port=6379 redis.key.prefix.grpname=l7GW redis.commandTimeout=5000 -``` + ``` ##### Create a secret from this configuration (11.1.1) - ``` kubectl create secret generic shared-state-provider-secret --from-file=sharedstate_client.yaml=/path/to/sharedstate_client.yaml ``` - my-values.yaml - ``` config: sharedStateClient: @@ -1195,15 +1093,11 @@ config: ``` ##### Create a secret from this configuration (11.0.00_CR2 and 11.1.00) - **Gateway Chart v3.0.30 onwards only supports Gateway 11.1.1 and later for Redis** if you are not upgrading to Gateway v11.1.1 please specify the --version flag when installing or upgrading your release. - ``` kubectl create secret generic redis-config-secret --from-file=redis.properties=/path/to/redis.properties ``` - my-values.yaml - ``` redis: enabled: true @@ -1213,7 +1107,6 @@ redis: [Back to Additional Guides](#additional-guides) ### Redis StatefulSet (Development/Testing Only) - **Important Note:** This is a simple Redis StatefulSet implementation for development and testing purposes only. ***It is not supported or recommended for production use.*** For production deployments, use an external Redis server or Redis cluster. The Redis StatefulSet provides standalone Redis functionality with optional authentication and TLS support. @@ -1222,61 +1115,58 @@ The Redis StatefulSet provides standalone Redis functionality with optional auth #### Configuration - -| Parameter | Description | Default | -| ------------------------------------------ | --------------------------------------------- | ----------------- | -| `redis.image.repository` | Redis image repository | `redis` | -| `redis.image.tag` | Redis image tag | `7.4-alpine` | -| `redis.image.pullPolicy` | Image pull policy | `IfNotPresent` | -| `redis.auth.enabled` | Enable Redis authentication | `false` | -| `redis.auth.username` | Redis username (optional, for ACL-based auth) | `` | -| `redis.auth.password` | Redis password | `mypassword` | -| `redis.auth.existingSecret` | Use existing secret for credentials | `` | -| `redis.service.type` | Redis service type | `ClusterIP` | -| `redis.service.port` | Redis service port | `6379` | -| `redis.service.annotations` | Annotations for the Redis service | `{}` | -| `redis.pdb.create` | Create PodDisruptionBudget for Redis | `false` | -| `redis.pdb.maxUnavailable` | Maximum unavailable pods | `` | -| `redis.pdb.minAvailable` | Minimum available pods | `` | -| `redis.persistence.enabled` | Enable persistence using PVC | `false` | -| `redis.persistence.storageClass` | Storage class for PVC | `` | -| `redis.persistence.accessModes` | PVC access modes | `[ReadWriteOnce]` | -| `redis.persistence.size` | PVC size | `8Gi` | -| `redis.persistence.annotations` | PVC annotations (can include Helm hooks) | `{}` | -| `redis.persistence.existingClaim` | Use existing PVC | `` | -| `redis.maxmemory` | Redis max memory limit | `256mb` | -| `redis.maxmemoryPolicy` | Redis eviction policy | `allkeys-lru` | -| `redis.appendonly` | Enable AOF persistence | `false` | -| `redis.tls.enabled` | Enable TLS | `true` | -| `redis.tls.autoGenerated` | Auto-generate self-signed certificates | `true` | -| `redis.tls.certificatesSecret` | Existing secret with TLS certificates | `` | -| `redis.configuration` | Custom Redis configuration | `` | -| `redis.commonAnnotations` | Annotations applied to all Redis resources | `{}` | -| `redis.resources` | Resource requests and limits | `{}` | -| `redis.livenessProbe.enabled` | Enable liveness probe | `true` | -| `redis.livenessProbe.initialDelaySeconds` | Liveness probe initial delay | `5` | -| `redis.livenessProbe.periodSeconds` | Liveness probe period | `5` | -| `redis.livenessProbe.timeoutSeconds` | Liveness probe timeout | `5` | -| `redis.livenessProbe.failureThreshold` | Liveness probe failure threshold | `5` | -| `redis.readinessProbe.enabled` | Enable readiness probe | `true` | -| `redis.readinessProbe.initialDelaySeconds` | Readiness probe initial delay | `5` | -| `redis.readinessProbe.periodSeconds` | Readiness probe period | `5` | -| `redis.readinessProbe.timeoutSeconds` | Readiness probe timeout | `1` | -| `redis.readinessProbe.failureThreshold` | Readiness probe failure threshold | `5` | -| `redis.startupProbe.enabled` | Enable startup probe | `false` | -| `redis.nodeSelector` | Node labels for pod assignment | `{}` | -| `redis.affinity` | Affinity settings | `{}` | -| `redis.tolerations` | Tolerations for pod assignment | `[]` | -| `redis.podSecurityContext` | Pod security context | `{}` | -| `redis.containerSecurityContext` | Container security context | `{}` | -| `redis.podAnnotations` | Pod annotations | `{}` | -| `redis.podLabels` | Pod labels | `{}` | - +| Parameter | Description | Default | +| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | +| `redis.image.repository` | Redis image repository | `redis` | +| `redis.image.tag` | Redis image tag | `7.4-alpine` | +| `redis.image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `redis.auth.enabled` | Enable Redis authentication | `false` | +| `redis.auth.username` | Redis username (optional, for ACL-based auth) | `` | +| `redis.auth.password` | Redis password | `mypassword` | +| `redis.auth.existingSecret` | Use existing secret for credentials | `` | +| `redis.service.type` | Redis service type | `ClusterIP` | +| `redis.service.port` | Redis service port | `6379` | +| `redis.service.annotations` | Annotations for the Redis service | `{}` | +| `redis.pdb.create` | Create PodDisruptionBudget for Redis | `false` | +| `redis.pdb.maxUnavailable` | Maximum unavailable pods | `` | +| `redis.pdb.minAvailable` | Minimum available pods | `` | +| `redis.persistence.enabled` | Enable persistence using PVC | `false` | +| `redis.persistence.storageClass` | Storage class for PVC | `` | +| `redis.persistence.accessModes` | PVC access modes | `[ReadWriteOnce]` | +| `redis.persistence.size` | PVC size | `8Gi` | +| `redis.persistence.annotations` | PVC annotations (can include Helm hooks) | `{}` | +| `redis.persistence.existingClaim`| Use existing PVC | `` | +| `redis.maxmemory` | Redis max memory limit | `256mb` | +| `redis.maxmemoryPolicy` | Redis eviction policy | `allkeys-lru` | +| `redis.appendonly` | Enable AOF persistence | `false` | +| `redis.tls.enabled` | Enable TLS | `true` | +| `redis.tls.autoGenerated` | Auto-generate self-signed certificates | `true` | +| `redis.tls.certificatesSecret` | Existing secret with TLS certificates | `` | +| `redis.configuration` | Custom Redis configuration | `` | +| `redis.commonAnnotations` | Annotations applied to all Redis resources | `{}` | +| `redis.resources` | Resource requests and limits | `{}` | +| `redis.livenessProbe.enabled` | Enable liveness probe | `true` | +| `redis.livenessProbe.initialDelaySeconds` | Liveness probe initial delay | `5` | +| `redis.livenessProbe.periodSeconds` | Liveness probe period | `5` | +| `redis.livenessProbe.timeoutSeconds` | Liveness probe timeout | `5` | +| `redis.livenessProbe.failureThreshold` | Liveness probe failure threshold | `5` | +| `redis.readinessProbe.enabled` | Enable readiness probe | `true` | +| `redis.readinessProbe.initialDelaySeconds` | Readiness probe initial delay | `5` | +| `redis.readinessProbe.periodSeconds` | Readiness probe period | `5` | +| `redis.readinessProbe.timeoutSeconds` | Readiness probe timeout | `1` | +| `redis.readinessProbe.failureThreshold` | Readiness probe failure threshold | `5` | +| `redis.startupProbe.enabled` | Enable startup probe | `false` | +| `redis.nodeSelector` | Node labels for pod assignment | `{}` | +| `redis.affinity` | Affinity settings | `{}` | +| `redis.tolerations` | Tolerations for pod assignment | `[]` | +| `redis.podSecurityContext` | Pod security context | `{}` | +| `redis.containerSecurityContext` | Container security context | `{}` | +| `redis.podAnnotations` | Pod annotations | `{}` | +| `redis.podLabels` | Pod labels | `{}` | #### Example Configuration Enable Redis with basic settings (no auth, no TLS): - ```yaml config: redis: @@ -1294,7 +1184,6 @@ redis: ``` With authentication and TLS enabled: - ```yaml config: redis: @@ -1323,7 +1212,6 @@ redis: ``` With custom memory and eviction policy: - ```yaml config: redis: @@ -1340,14 +1228,12 @@ redis: #### TLS Certificates When `redis.tls.autoGenerated` is `true`, the chart automatically generates self-signed TLS certificates that include the following Subject Alternative Names (SANs): - - StatefulSet pod FQDN (e.g., `ssg-gateway-redis-0.ssg-gateway-redis-headless.namespace.svc.cluster.local`) - Headless service names in all variations - Regular service names - `localhost` and `127.0.0.1` To use your own certificates, set `redis.tls.autoGenerated: false` and provide your own secret: - ```yaml redis: tls: @@ -1357,7 +1243,6 @@ redis: ``` The secret must contain the following keys: - - `tls.crt` - Server certificate - `tls.key` - Server private key - `ca.crt` - CA certificate @@ -1365,22 +1250,17 @@ The secret must contain the following keys: [Back to Additional Guides](#additional-guides) ### GemFire Configuration (11.1.3) - Gemfire as shared data provider is supported with Gateway v11.1.3 onwards. Prerequisites: - -- ClusterIssuer/Issuer in cert-manager is required to generate TLS secret automatically when TLS is enabled without providing a tls secret. See how to configure [SelfSigned](https://cert-manager.io/docs/configuration/selfsigned/) and [CA](https://cert-manager.io/docs/configuration/ca/) issuer +* ClusterIssuer/Issuer in cert-manager is required to generate TLS secret automatically when TLS is enabled without providing a tls secret. See how to configure [SelfSigned](https://cert-manager.io/docs/configuration/selfsigned/) and [CA](https://cert-manager.io/docs/configuration/ca/) issuer To configure gemfire as data provider comment out existing system properties - ``` # com.l7tech.server.extension.sharedKeyValueStoreProvider=embeddedhazelcast # com.l7tech.server.extension.sharedCounterProvider=ssgdb ``` - Set the following system properties as needed - ``` # com.l7tech.server.extension.sharedKeyValueStoreProvider=embeddedgemfire/externalgemfire # com.l7tech.server.extension.sharedCounterProvider=embeddedgemfire/externalgemfire @@ -1388,54 +1268,48 @@ Set the following system properties as needed # com.l7tech.server.extension.sharedSortedSetProvider=embeddedgemfire/externalgemfire # com.l7tech.external.assertions.keyvaluestore.sharedKeyValueStoreProvider=embeddedgemfire/externalgemfire ``` - - -| Parameter | Description | Default | -| ----------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------- | -| `config.gemfire.acceptTerms` | Accepting the terms of use for VMware Tanzu GemFire. | `true` | -| `config.gemfire.auth.enabled` | Enable security athentication. | `false` | -| `config.gemfire.auth.username` | Authentication username, can be plaintext or openssl encrypted. If not provided use default username. | `default` | -| `config.gemfire.auth.password` | Authentication password in plaintxt or encrypted with OpenSSL. If not provided use clsuter password. | '' | -| `config.gemfire.tls.enabled` | Enable SSL/TLS secure communication between gateway and gemfire cluster components. | `false` | -| `config.gemfire.tls.certificate.issuerRef.kind` | Specifies cert-manager issuer type, Issuer or ClusterIssuer. Required when tls is enabled but existingSecret is not provided. | `ClusterIssuer` | -| `config.gemfire.tls.certificate.issuerRef.name` | The exact name of the Issuer or ClusterIssuer. Required when tls is enabled but existingSecret is not provided. | `myClusterIssuer` | -| `config.gemfire.tls.existingSecret` | Name of an existing secret - must contain two keys named truststore.p12 and keystore.p12 if provided. Takes priority over certificate issuer. | `` | -| `config.gemfire.tls.password` | Pasword for truststore.12 and keystore.p12 in existingSecret, can be plaintext or openssl encrypted. If existingSeret is set but password is not provided, default to clusterPassword | clusterPassword | -| `config.gemfire.tls.additionalProperties` | Additional tls related properties. | `` | -| `config.gemfire.useExistingLocators` | A list of existing locators to be used by gateway. | `[]` | -| `config.gemfire.embedded.enabled` | Enable embedded GemFire. | `false` | -| `config.gemfire.embedded.caches.additionalProperties` | Additional properties for embedded GemFire caches. | `` | -| `config.gemfire.embedded.externalLocators.replicas` | Number of GemFire locator replicas to deploy. | `2` | -| `config.gemfire.embedded.externalLocators.image.registry` | Image Registry | `docker.io` | -| `config.gemfire.embedded.externalLocators.image.repository` | Image Repository | `gemfire/gemfire` | -| `config.gemfire.embedded.externalLocators.image.tag` | Image Tag | `10.2.0-jdk21` | -| `config.gemfire.embedded.externalLocators.image.pullPolicy` | Image Pull Policy | `IfNotPresent` | -| `config.gemfire.embedded.externalLocators.resources` | Locator pod resources | {} | -| `config.gemfire.embedded.externalLocators.persistence.size` | Persistent Volume Claim Size | `2Gi` | -| `config.gemfire.external.enabled` | Enable external GemFire. | `false` | -| `config.gemfire.external.testOnStart` | Test the connection to Redis during Gateway start. If the conection fails and this is true, the Gateway will not start. | `false` | -| `config.gemfire.external.gwCounterRegionName` | GemFire data region name for gateway counter provider. | `layer7gw_counter` | -| `config.gemfire.external.gwRateLimiterRegionName` | GemFire data region name for gateway rate limiter provider. | `layer7gw_ratelimiter` | -| `config.gemfire.external.gwKeyValueRegionName` | GemFire data region name for gateway key value store provider. | `layer7gw_keyvalue` | -| `config.gemfire.external.gwSortedSetRegionName` | GemFire data region name for gateway sotred set provider. | `layer7gw_sortedset` | -| `config.gemfire.external.dynamicProperties` | Additional GemFire properties from gemfire.properties or gfsecurity.properties. | `` | -| `config.gemfire.managementConsole.enabled` | Enable GemFire management console. | `false` | -| `config.gemfire.managementConsole.service.port` | GemFire management console service port. | `8080` | -| `config.gemfire.managementConsole.service.annotations` | GemFire management console service annotations. | `{}` | -| `config.gemfire.managementConsole.image.registry` | Image Registry | `docker.io` | -| `config.gemfire.managementConsole.image.repository` | Image Repository | `gemfire/gemfire` | -| `config.gemfire.managementConsole.image.tag` | Image Tag | `1.4.1` | -| `config.gemfire.managementConsole.image.pullPolicy` | Image Pull Policy | `IfNotPresent` | - +| Parameter | Description | Default | +|-------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------| +| `config.gemfire.acceptTerms` | Accepting the terms of use for VMware Tanzu GemFire. | `true` | +| `config.gemfire.auth.enabled` | Enable security athentication. | `false` | +| `config.gemfire.auth.username` | Authentication username, can be plaintext or openssl encrypted. If not provided use default username. | `default` | +| `config.gemfire.auth.password` | Authentication password in plaintxt or encrypted with OpenSSL. If not provided use clsuter password. | '' | +| `config.gemfire.tls.enabled` | Enable SSL/TLS secure communication between gateway and gemfire cluster components. | `false` | +| `config.gemfire.tls.certificate.issuerRef.kind` | Specifies cert-manager issuer type, Issuer or ClusterIssuer.
Required when tls is enabled but existingSecret is not provided. | `ClusterIssuer` | +| `config.gemfire.tls.certificate.issuerRef.name` | The exact name of the Issuer or ClusterIssuer.
Required when tls is enabled but existingSecret is not provided. | `myClusterIssuer` | +| `config.gemfire.tls.existingSecret` | Name of an existing secret - must contain two keys named truststore.p12 and keystore.p12 if provided.
Takes priority over certificate issuer. | `` | +| `config.gemfire.tls.password` | Pasword for truststore.12 and keystore.p12 in existingSecret, can be plaintext or openssl encrypted.
If existingSeret is set but password is not provided, default to clusterPassword | clusterPassword | +| `config.gemfire.tls.additionalProperties` | Additional tls related properties. | `` | +| `config.gemfire.useExistingLocators` | A list of existing locators to be used by gateway. | `[]` | +| `config.gemfire.embedded.enabled` | Enable embedded GemFire. | `false` | +| `config.gemfire.embedded.caches.additionalProperties` | Additional properties for embedded GemFire caches. | `` | +| `config.gemfire.embedded.externalLocators.replicas` | Number of GemFire locator replicas to deploy. | `2` | +| `config.gemfire.embedded.externalLocators.image.registry` | Image Registry | `docker.io` | +| `config.gemfire.embedded.externalLocators.image.repository` | Image Repository | `gemfire/gemfire` | +| `config.gemfire.embedded.externalLocators.image.tag` | Image Tag | `10.2.0-jdk21` | +| `config.gemfire.embedded.externalLocators.image.pullPolicy` | Image Pull Policy | `IfNotPresent` | +| `config.gemfire.embedded.externalLocators.resources` | Locator pod resources | {} | +| `config.gemfire.embedded.externalLocators.persistence.size` | Persistent Volume Claim Size | `2Gi` | +| `config.gemfire.external.enabled` | Enable external GemFire. | `false` | +| `config.gemfire.external.testOnStart` | Test the connection to Redis during Gateway start. If the conection fails and this is true, the Gateway will not start. | `false` | +| `config.gemfire.external.gwCounterRegionName` | GemFire data region name for gateway counter provider. | `layer7gw_counter` | +| `config.gemfire.external.gwRateLimiterRegionName` | GemFire data region name for gateway rate limiter provider. | `layer7gw_ratelimiter` | +| `config.gemfire.external.gwKeyValueRegionName` | GemFire data region name for gateway key value store provider. | `layer7gw_keyvalue` | +| `config.gemfire.external.gwSortedSetRegionName` | GemFire data region name for gateway sotred set provider. | `layer7gw_sortedset` | +| `config.gemfire.external.dynamicProperties` | Additional GemFire properties from gemfire.properties or gfsecurity.properties. | `` | +| `config.gemfire.managementConsole.enabled` | Enable GemFire management console. | `false` | +| `config.gemfire.managementConsole.service.port` | GemFire management console service port. | `8080` | +| `config.gemfire.managementConsole.service.annotations` | GemFire management console service annotations. | `{}` | +| `config.gemfire.managementConsole.image.registry` | Image Registry | `docker.io` | +| `config.gemfire.managementConsole.image.repository` | Image Repository | `gemfire/gemfire` | +| `config.gemfire.managementConsole.image.tag` | Image Tag | `1.4.1` | +| `config.gemfire.managementConsole.image.pullPolicy` | Image Pull Policy | `IfNotPresent` | #### Creating your own Configuration - Please refer to [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/install-configure-upgrade/connect-to-a-gemfire-datastore.html) for more context on the available configuration options #### Embedded GemFire - Embedded gemfire will have external locators but gemfire cache servers are inside gateway container. - ``` config: gemfire: @@ -1446,13 +1320,10 @@ config: embedded: enabled: true ``` - #### External GemFire - Gateway as client connect to external gemfire cluster. Shared State Provider Config is used to configure gemfire. External gemfire is deployed by GemFire Kubernetes Operator, override-values.yaml: - ``` config: gemfire: @@ -1478,9 +1349,7 @@ config: sharedStateClient: enabled: true ``` - External gemfire, override-values.yaml: - ``` config: gemfire: @@ -1504,11 +1373,9 @@ config: sharedStateClient: enabled: true ``` - Providing custom sharedstate_client.yaml from a secret override-values.yaml - ``` config: gemfire: @@ -1528,9 +1395,7 @@ config: enabled: true existingConfigSecret: shared-state-client-secret ``` - sharedstate_client.yaml from secret - ``` gemfire: testOnStart: true @@ -1555,23 +1420,18 @@ gemfire: [Back to Additional Guides](#additional-guides) ### Shared State Provider Config - Shared State Providers from Gateway v11.1.1 onwards simplifies the configuration required to connect to providers like Redis. This is currently limited to Redis. In order for this configuration to take effect config.redis.enabled must also be set to true. - -| Parameter | Description | Default | -| ----------------------------------------------- | --------------------------------------------------------------------------------- | --------------------------- | -| `config.sharedStateClient.enabled` | Enable redis configuration | `true` | -| `config.sharedStateClient.existingConfigSecret` | Use an existing config secret - must contain a key called sharedstate_client.yaml | `sharedstate-client-secret` | -| `config.sharedStateClient.additionalProviders` | Configure additional shared state providers - example in values.yaml | `[]` | - +| Parameter | Description | Default | +| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | +| `config.sharedStateClient.enabled` | Enable redis configuration | `true` | +| `config.sharedStateClient.existingConfigSecret` | Use an existing config secret - must contain a key called sharedstate_client.yaml | `sharedstate-client-secret` | +| `config.sharedStateClient.additionalProviders` | Configure additional shared state providers - example in values.yaml | `[]` | [Back to Additional Guides](#additional-guides) ### Database Configuration - You can configure the deployment to use an external database (this is the recommended approach - the included MySQL SubChart is not supported). In the values.yaml file, set the create field in the database section to false, and set jdbcURL to use your own database server: - ``` database: enabled: true @@ -1582,11 +1442,9 @@ database: liquibaseLogLevel: "off" name: ssg ``` - In the above example, two MySQL database servers are specified with myprimaryserver acting as the primary server and mysecondaryserver acting as the secondary server. The failOverReadOnly property is also set to false meaning that the secondary server db is also writable. When disklessConfig.enabled is false (see [Diskless Configuration](#diskless-configuration)), the following database fields will be ignored: - - jdbcURL - username - password @@ -1594,13 +1452,11 @@ When disklessConfig.enabled is false (see [Diskless Configuration](#diskless-con The values will come from node.properties instead. See [External MySQL](#external-mysql) section. More info on the JDBC URL: - -- Connection URL syntax: [https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-url-format.html](https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-url-format.html) -- Failover config: [https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-config-failover.html](https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-config-failover.html) -- Configuration properties: [https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-properties.html](https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-properties.html) +- Connection URL syntax: https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-url-format.html +- Failover config: https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-config-failover.html +- Configuration properties: https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-properties.html Configuring SSL/TLS: the following parameters can be added to enable secure communication between the Gateway and an external MySQL Database - - useSSL=true - requireSSL=true - verifyServerCertificate=false @@ -1609,155 +1465,65 @@ Configuring SSL/TLS: the following parameters can be added to enable secure comm jdbcURL: jdbc:mysql://myprimaryserver:3306,mysecondaryserver:3306/ssg?useSSL=true&requireSSL=true&verifyServerCertificate=false ``` -In order the create the database on the remote server, the provided user in the username field must have write privilege on the database. See GRANT statement usage: [https://dev.mysql.com/doc/refman/8.0/en/grant.html#grant-database-privileges](https://dev.mysql.com/doc/refman/8.0/en/grant.html#grant-database-privileges) - -[Back to Additional Guides](#additional-guides) - -### Database Migration Job (Pre-Upgrade Schema Updates) - -Gateway 11.2.2 introduces an opt-in `pre-upgrade` Kubernetes Job that applies Liquibase database schema changes before the new Gateway pods roll out. This decouples the schema upgrade from the Gateway startup process, preventing stuck `DATABASECHANGELOGLOCK` entries from blocking pod startup during rolling upgrades. - -> **Requirements:** Gateway must be connected to an external MySQL database. The target Gateway image must be **11.2.2 or newer**. - -> **Important — for upgrades only:** The `db-migration` job is a `pre-upgrade` Helm hook. It runs **only during `helm upgrade`**, never during `helm install`. Likewise, `-Dgateway.db.schema-update.mode=skip` must **not** be set during a fresh installation — if Liquibase is skipped on first install, the `ssg` database schema will never be populated and the Gateway will fail to start. Only add `skip` mode after the schema has been fully initialised by either a previous `helm install` (default mode) or a successful migration job. - -#### How it works - -When `database.migrationJob.enabled: true`, a short-lived `db-migration` Job pod is created as a Helm `pre-upgrade` hook. It runs the Gateway container image configured with a special startup mode that applies all pending schema changes and then exits — without starting the Gateway JVM. Once the Job completes successfully, Helm proceeds to roll out the main Gateway Deployment. - -The main Gateway pods should be configured with `javaArgs: ["-Dgateway.db.schema-update.mode=skip"]` so they bypass the Liquibase check entirely and start immediately without touching the database lock. - -#### Fresh install vs upgrade - -| Operation | `skip` mode | Migration job | Expected behaviour | -|---|---|---|---| -| `helm install` (first time) | Not set (default) | Not applicable (`pre-upgrade` only) | Gateway populates the `ssg` schema on first boot — **correct** | -| `helm install` (first time) | Set | Not applicable | Gateway skips Liquibase — **schema never populated, Gateway broken** | -| `helm upgrade` | Set | Enabled | Migration job populates schema and exits, Gateway pods start fast — **correct** | - -#### Upgrade workflow - -**Step 1 – Enable the migration job and run `helm upgrade`** - -```yaml -database: - enabled: true - create: false - jdbcURL: jdbc:mysql://myprimaryserver:3306/ssg - - migrationJob: - enabled: true - # Optional: specify the primary writer endpoint directly. - # If omitted, falls back to database.jdbcURL above. - jdbcURL: "jdbc:mysql://myprimaryserver:3306/ssg" -``` - -```bash -helm upgrade my-release layer7/gateway -f values.yaml -``` - -The `db-migration` job will run, apply the schema, and exit. Helm then rolls out the new Gateway pods. - -**Step 2 – Configure Gateway pods to skip Liquibase** - -After the migration completes, add the following to ensure normal Gateway pods start fast and are immune to lock contention: - -```yaml -javaArgs: - - "-Dgateway.db.schema-update.mode=skip" - -database: - migrationJob: - enabled: false # disable now that migration is complete -``` - -#### Recovering from a stuck lock - -If a previous upgrade left the `DATABASECHANGELOGLOCK` locked (e.g. due to a crashed Gateway pod), set `clearLocks: true`. The migration job will forcefully release the stuck lock before applying schema changes. - -```yaml -database: - migrationJob: - enabled: true - clearLocks: true -``` - -> **Warning:** Use `clearLocks: true` with caution. Forcefully releasing the lock while another process is actively updating the schema can corrupt the database. - -#### Configuration - -| Parameter | Description | Default | -|---|---|---| -| `database.migrationJob.enabled` | Enable the pre-upgrade schema migration Job. For upgrades only — do not enable on `helm install`. | `false` | -| `database.migrationJob.jdbcURL` | JDBC URL for the migration job. Recommended to point at the primary writer endpoint directly to bypass load balancers or proxies. Falls back to `database.jdbcURL` if not set. | `""` | -| `database.migrationJob.clearLocks` | Forcefully release any stuck Liquibase locks before applying schema changes | `false` | -| `database.migrationJob.activeDeadlineSeconds` | Maximum time (in seconds) the job pod is allowed to run before being terminated | `300` | - -#### Retry behaviour - -The Job is configured with `backoffLimit: 1`. If the first pod fails or times out, Kubernetes creates exactly one retry pod. If the retry also fails, the Job is marked `Failed` and Helm aborts the upgrade, leaving the existing Gateway pods untouched. +In order the create the database on the remote server, the provided user in the username field must have write privilege on the database. See GRANT statement usage: https://dev.mysql.com/doc/refman/8.0/en/grant.html#grant-database-privileges [Back to Additional Guides](#additional-guides) ### MySQL StatefulSet (Development/Testing Only) - **Important Note:** This is a simple MySQL StatefulSet implementation for development and testing purposes only. ***It is not supported or recommended for production use.*** For production deployments, use an external MySQL database. #### Configuration - -| Parameter | Description | Default | -| ------------------------------------------ | ------------------------------------------------------------------- | ----------------- | -| `mysql.image.repository` | MySQL image repository | `docker.io/mysql` | -| `mysql.image.tag` | MySQL image tag | `8.4.5` | -| `mysql.image.pullPolicy` | Image pull policy | `IfNotPresent` | -| `mysql.auth.rootPassword` | MySQL root password | `mypassword` | -| `mysql.auth.database` | Database name to create | `ssg` | -| `mysql.auth.username` | MySQL user (optional) | `gateway` | -| `mysql.auth.password` | MySQL user password | `mypassword` | -| `mysql.auth.existingSecret` | Use existing secret for credentials | `` | -| `mysql.service.type` | MySQL service type | `ClusterIP` | -| `mysql.service.port` | MySQL service port | `3306` | -| `mysql.service.annotations` | Annotations for the MySQL service | `{}` | -| `mysql.pdb.create` | Create PodDisruptionBudget for MySQL | `false` | -| `mysql.pdb.maxUnavailable` | Maximum unavailable pods | `` | -| `mysql.pdb.minAvailable` | Minimum available pods | `` | -| `mysql.persistence.enabled` | Enable persistence using PVC | `true` | -| `mysql.persistence.storageClass` | Storage class for PVC | `` | -| `mysql.persistence.accessModes` | PVC access modes | `[ReadWriteOnce]` | -| `mysql.persistence.size` | PVC size | `8Gi` | -| `mysql.persistence.annotations` | PVC annotations (can include Helm hooks) | `{}` | -| `mysql.persistence.existingClaim` | Use existing PVC | `` | -| `mysql.configuration` | Custom MySQL configuration (my.cnf) | `see values.yaml` | -| `mysql.existingConfigmap` | Use existing ConfigMap for configuration | `` | -| `mysql.initdbScripts` | Init scripts as key-value pairs | `{}` | -| `mysql.initdbScriptsConfigMap` | Existing ConfigMap with init scripts | `` | -| `mysql.commonAnnotations` | Annotations applied to all MySQL resources (can include Helm hooks) | `{}` | -| `mysql.resources` | Resource requests and limits | `{}` | -| `mysql.livenessProbe.enabled` | Enable liveness probe | `true` | -| `mysql.livenessProbe.initialDelaySeconds` | Liveness probe initial delay | `30` | -| `mysql.livenessProbe.periodSeconds` | Liveness probe period | `10` | -| `mysql.livenessProbe.timeoutSeconds` | Liveness probe timeout | `5` | -| `mysql.livenessProbe.failureThreshold` | Liveness probe failure threshold | `3` | -| `mysql.readinessProbe.enabled` | Enable readiness probe | `true` | -| `mysql.readinessProbe.initialDelaySeconds` | Readiness probe initial delay | `5` | -| `mysql.readinessProbe.periodSeconds` | Readiness probe period | `5` | -| `mysql.readinessProbe.timeoutSeconds` | Readiness probe timeout | `1` | -| `mysql.readinessProbe.failureThreshold` | Readiness probe failure threshold | `3` | -| `mysql.startupProbe.enabled` | Enable startup probe | `false` | -| `mysql.nodeSelector` | Node labels for pod assignment | `{}` | -| `mysql.affinity` | Affinity settings | `{}` | -| `mysql.tolerations` | Tolerations for pod assignment | `[]` | -| `mysql.podSecurityContext` | Pod security context | `{}` | -| `mysql.containerSecurityContext` | Container security context | `{}` | -| `mysql.podAnnotations` | Pod annotations | `{}` | -| `mysql.podLabels` | Pod labels | `{}` | - +| Parameter | Description | Default | +| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | +| `mysql.image.repository` | MySQL image repository | `docker.io/mysql` | +| `mysql.image.tag` | MySQL image tag | `8.4.5` | +| `mysql.image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `mysql.auth.rootPassword` | MySQL root password | `mypassword` | +| `mysql.auth.database` | Database name to create | `ssg` | +| `mysql.auth.username` | MySQL user (optional) | `gateway` | +| `mysql.auth.password` | MySQL user password | `mypassword` | +| `mysql.auth.existingSecret` | Use existing secret for credentials | `` | +| `mysql.service.type` | MySQL service type | `ClusterIP` | +| `mysql.service.port` | MySQL service port | `3306` | +| `mysql.service.annotations` | Annotations for the MySQL service | `{}` | +| `mysql.pdb.create` | Create PodDisruptionBudget for MySQL | `false` | +| `mysql.pdb.maxUnavailable` | Maximum unavailable pods | `` | +| `mysql.pdb.minAvailable` | Minimum available pods | `` | +| `mysql.persistence.enabled` | Enable persistence using PVC | `true` | +| `mysql.persistence.storageClass` | Storage class for PVC | `` | +| `mysql.persistence.accessModes` | PVC access modes | `[ReadWriteOnce]` | +| `mysql.persistence.size` | PVC size | `8Gi` | +| `mysql.persistence.annotations` | PVC annotations (can include Helm hooks) | `{}` | +| `mysql.persistence.existingClaim`| Use existing PVC | `` | +| `mysql.configuration` | Custom MySQL configuration (my.cnf) | `see values.yaml` | +| `mysql.existingConfigmap` | Use existing ConfigMap for configuration | `` | +| `mysql.initdbScripts` | Init scripts as key-value pairs | `{}` | +| `mysql.initdbScriptsConfigMap` | Existing ConfigMap with init scripts | `` | +| `mysql.commonAnnotations` | Annotations applied to all MySQL resources (can include Helm hooks) | `{}` | +| `mysql.resources` | Resource requests and limits | `{}` | +| `mysql.livenessProbe.enabled` | Enable liveness probe | `true` | +| `mysql.livenessProbe.initialDelaySeconds` | Liveness probe initial delay | `30` | +| `mysql.livenessProbe.periodSeconds` | Liveness probe period | `10` | +| `mysql.livenessProbe.timeoutSeconds` | Liveness probe timeout | `5` | +| `mysql.livenessProbe.failureThreshold` | Liveness probe failure threshold | `3` | +| `mysql.readinessProbe.enabled` | Enable readiness probe | `true` | +| `mysql.readinessProbe.initialDelaySeconds` | Readiness probe initial delay | `5` | +| `mysql.readinessProbe.periodSeconds` | Readiness probe period | `5` | +| `mysql.readinessProbe.timeoutSeconds` | Readiness probe timeout | `1` | +| `mysql.readinessProbe.failureThreshold` | Readiness probe failure threshold | `3` | +| `mysql.startupProbe.enabled` | Enable startup probe | `false` | +| `mysql.nodeSelector` | Node labels for pod assignment | `{}` | +| `mysql.affinity` | Affinity settings | `{}` | +| `mysql.tolerations` | Tolerations for pod assignment | `[]` | +| `mysql.podSecurityContext` | Pod security context | `{}` | +| `mysql.containerSecurityContext` | Container security context | `{}` | +| `mysql.podAnnotations` | Pod annotations | `{}` | +| `mysql.podLabels` | Pod labels | `{}` | #### Example Configuration Enable MySQL with basic settings: - ```yaml database: create: true # Enables the MySQL StatefulSet @@ -1774,7 +1540,6 @@ mysql: ``` With Helm hooks for pre-install: - ```yaml database: create: true @@ -1792,7 +1557,6 @@ mysql: ``` With custom configuration: - ```yaml database: create: true @@ -1806,7 +1570,6 @@ mysql: ``` With init scripts: - ```yaml database: create: true @@ -1825,7 +1588,6 @@ mysql: #### Connecting the Gateway to MySQL When using the MySQL StatefulSet, configure the Gateway's database connection: - ```yaml database: enabled: true @@ -1840,7 +1602,6 @@ The Gateway will automatically connect to the MySQL service at `-g #### OTK Demo Database Integration When `otk.database.useDemoDb` is set to `true` and `database.create` is `true`, the MySQL StatefulSet will automatically: - - Apply Helm hook annotations (`helm.sh/hook: pre-install,post-upgrade`) to ensure MySQL is created before OTK installation - Mount the OTK database initialization scripts from the `otk-db-scripts-cm` ConfigMap - Initialize the OTK database schema during MySQL startup @@ -1867,19 +1628,101 @@ mysql: [Back to Additional Guides](#additional-guides) -### Cluster Wide Properties +### Database Migration Job (Pre-Upgrade Schema Updates) -You can specify cluster-wide properties in values.yaml, you can also use the [bundle](#bundle-configuration) to load your own Gateway Bundles. +Gateway 11.2.2 introduces an opt-in `pre-upgrade` Kubernetes Job that applies Liquibase database schema changes before the new Gateway pods roll out. This decouples the schema upgrade from the Gateway startup process, preventing stuck `DATABASECHANGELOGLOCK` entries from blocking pod startup during rolling upgrades. +> **Requirements:** Gateway must be connected to an external MySQL database. The target Gateway image must be **11.2.2 or newer**. -| Parameter | Description | Default | -| ----------------------- | --------------------------------------------------- | ----------------- | -| `config.cwp.enabled` | Enable the CWP functionality (mounts a volume) | `false` | -| `config.cwp.properties` | Array of Key/Value pairs of cluster-wide properties | `see values.yaml` | +> **Important — for upgrades only:** The `db-migration` job is a `pre-upgrade` Helm hook. It runs **only during `helm upgrade`**, never during `helm install`. Likewise, `-Dgateway.db.schema-update.mode=skip` must **not** be set during a fresh installation — if Liquibase is skipped on first install, the `ssg` database schema will never be populated and the Gateway will fail to start. Only add `skip` mode after the schema has been fully initialised by either a previous `helm install` (default mode) or a successful migration job. +#### How it works -The default cluster-wide properties are as follows +When `database.migrationJob.enabled: true`, a short-lived `db-migration` Job pod is created as a Helm `pre-upgrade` hook. It runs the Gateway container image configured with a special startup mode that applies all pending schema changes and then exits — without starting the Gateway JVM. Once the Job completes successfully, Helm proceeds to roll out the main Gateway Deployment. + +The main Gateway pods should be configured with `javaArgs: ["-Dgateway.db.schema-update.mode=skip"]` so they bypass the Liquibase check entirely and start immediately without touching the database lock. + +#### Fresh install vs upgrade + +| Operation | `skip` mode | Migration job | Expected behaviour | +|---|---|---|---| +| `helm install` (first time) | Not set (default) | Not applicable (`pre-upgrade` only) | Gateway populates the `ssg` schema on first boot — **correct** | +| `helm install` (first time) | Set | Not applicable | Gateway skips Liquibase — **schema never populated, Gateway broken** | +| `helm upgrade` | Set | Enabled | Migration job populates schema and exits, Gateway pods start fast — **correct** | + +#### Upgrade workflow + +**Step 1 – Enable the migration job and run `helm upgrade`** + +```yaml +database: + enabled: true + create: false + jdbcURL: jdbc:mysql://myprimaryserver:3306/ssg + migrationJob: + enabled: true + # Optional: specify the primary writer endpoint directly. + # If omitted, falls back to database.jdbcURL above. + jdbcURL: "jdbc:mysql://myprimaryserver:3306/ssg" +``` + +```bash +helm upgrade my-release layer7/gateway -f values.yaml +``` + +The `db-migration` job will run, apply the schema, and exit. Helm then rolls out the new Gateway pods. + +**Step 2 – Configure Gateway pods to skip Liquibase** + +After the migration completes, add the following to ensure normal Gateway pods start fast and are immune to lock contention: + +```yaml +javaArgs: + - "-Dgateway.db.schema-update.mode=skip" + +database: + migrationJob: + enabled: false # disable now that migration is complete +``` + +#### Recovering from a stuck lock + +If a previous upgrade left the `DATABASECHANGELOGLOCK` locked (e.g. due to a crashed Gateway pod), set `clearLocks: true`. The migration job will forcefully release the stuck lock before applying schema changes. + +```yaml +database: + migrationJob: + enabled: true + clearLocks: true +``` + +> **Warning:** Use `clearLocks: true` with caution. Forcefully releasing the lock while another process is actively updating the schema can corrupt the database. + +#### Configuration + +| Parameter | Description | Default | +|---|---|---| +| `database.migrationJob.enabled` | Enable the pre-upgrade schema migration Job. For upgrades only — do not enable on `helm install`. | `false` | +| `database.migrationJob.jdbcURL` | JDBC URL for the migration job. Recommended to point at the primary writer endpoint directly to bypass load balancers or proxies. Falls back to `database.jdbcURL` if not set. | `""` | +| `database.migrationJob.clearLocks` | Forcefully release any stuck Liquibase locks before applying schema changes | `false` | +| `database.migrationJob.activeDeadlineSeconds` | Maximum time (in seconds) the job pod is allowed to run before being terminated | `300` | + +#### Retry behaviour + +The Job is configured with `backoffLimit: 1`. If the first pod fails or times out, Kubernetes creates exactly one retry pod. If the retry also fails, the Job is marked `Failed` and Helm aborts the upgrade, leaving the existing Gateway pods untouched. + +[Back to Additional Guides](#additional-guides) + +### Cluster Wide Properties +You can specify cluster-wide properties in values.yaml, you can also use the [bundle](#bundle-configuration) to load your own Gateway Bundles. + +| Parameter | Description | Default | +| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | +| `config.cwp.enabled` | Enable the CWP functionality (mounts a volume) | `false` | +| `config.cwp.properties` | Array of Key/Value pairs of cluster-wide properties | `see values.yaml` | + +The default cluster-wide properties are as follows ``` config: ... @@ -1902,17 +1745,15 @@ config: [Back to Additional Guides](#additional-guides) ### Enable DualStack(IPv4/IPv6) - To enable dual stack, you need to add or uncomment the given Java arguments, which can be configured in the values.yaml file. Gateway v11.1.3 supports dual stack. -Djava.net.preferIPv4Stack=false -Djava.net.preferIPv6Addresses=true - -| Java Argument | Description | Default | -| ------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | -| `-Djava.net.preferIPv4Stack=false` | If IPv6 is available on the operating system, the underlying native socket will, by default, be an IPv6 socket. This allows applications to connect to, and accept connections from, both IPv4 and IPv6 hosts. | `true` | -| `-Djava.net.preferIPv6Addresses=true` | When connecting to a host that has both IPv4 and IPv6 addresses, and if IPv6 is available on the operating system, the default behavior is to prefer IPv4 addresses over IPv6. | `false` | +| Java Argument | Description | Default | +|---------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------| +| `-Djava.net.preferIPv4Stack=false` | If IPv6 is available on the operating system, the underlying native socket will, by default, be an IPv6 socket. This allows applications to connect to, and accept connections from, both IPv4 and IPv6 hosts. | `true` | +| `-Djava.net.preferIPv6Addresses=true` | When connecting to a host that has both IPv4 and IPv6 addresses, and if IPv6 is available on the operating system, the default behavior is to prefer IPv4 addresses over IPv6. | `false` | ``` @@ -1935,32 +1776,27 @@ config: Gateway and Management Service can optionally configure it as dual stack. - -| Parameter | Description | Default | -| ----------------------------------- | ------------------------------------------------------------------------------------------------------------------- | --------------- | -| `service.ipFamilyPolicy` | Gateway Service ipFamilyPolicy can be used to configure SingleStack, PreferDualStack or RequireDualStack | `commented out` | -| `service.ipFamilies` | Gateway Service ipFamilies can be used to configure ["IPv4"], ["IPv6"], ["IPv4", "IPv6"] or ["IPv6", "IPv4"] | `nil` | -| `management.service.ipFamilyPolicy` | PolicyManager Service ipFamilyPolicy can be used to configure SingleStack, PreferDualStack or RequireDualStack | `commented out` | -| `management.service.ipFamilies` | PolicyMananger Service ipFamilies can be used to configure ["IPv4"], ["IPv6"], ["IPv4", "IPv6"] or ["IPv6", "IPv4"] | `nil` | +| Parameter | Description | Default | +|-------------------------------------|----------------------------------------------------------------------------------------------------------------------|-----------------| +| `service.ipFamilyPolicy` | Gateway Service ipFamilyPolicy can be used to configure SingleStack, PreferDualStack or RequireDualStack | `commented out` | +| `service.ipFamilies` | Gateway Service ipFamilies can be used to configure ["IPv4"], ["IPv6"], ["IPv4", "IPv6"] or ["IPv6", "IPv4"] | `nil` | +| `management.service.ipFamilyPolicy` | PolicyManager Service ipFamilyPolicy can be used to configure SingleStack, PreferDualStack or RequireDualStack | `commented out` | +| `management.service.ipFamilies` | PolicyMananger Service ipFamilies can be used to configure ["IPv4"], ["IPv6"], ["IPv4", "IPv6"] or ["IPv6", "IPv4"] | `nil` | [Back to Additional Guides](#additional-guides) ### Java Args - Additional Java Arguments as may be recommended by support can be configured in values.yaml. Gateway v11.1.1 supports two new fields that allows a min and max heap size to be set. If these are not set config.heapSize will take precedence. - -| Parameter | Description | Default | -| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------- | -| `config.heapSize` | Java Heap Size - this should be a percentage of the memory configured in resources.limits and should be updated together. The default assumes 50%, going above 75% is not recommended | `2G` | -| `config.minHeapSize` | Java Min Heap Size - this should be a percentage of the memory configured in resources.limits and should be updated together. The default assumes 25% | `1G` | -| `config.maxHeapSize` | Java Max Heap Size - this should be a percentage of the memory configured in resources.limits and should be updated together. The default assumes 75%, going above this is not recommended | `3G` | -| `config.javaArgs` | Additional Java Args to pass to the SSG process | `see values.yaml` | - +| Parameter | Description | Default | +| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | +| `config.heapSize` | Java Heap Size - this should be a percentage of the memory configured in resources.limits and should be updated together. The default assumes 50%, going above 75% is not recommended | `2G` | +| `config.minHeapSize` | Java Min Heap Size - this should be a percentage of the memory configured in resources.limits and should be updated together. The default assumes 25% | `1G` | +| `config.maxHeapSize` | Java Max Heap Size - this should be a percentage of the memory configured in resources.limits and should be updated together. The default assumes 75%, going above this is not recommended | `3G` | +| `config.javaArgs` | Additional Java Args to pass to the SSG process | `see values.yaml` | The default Java Args are as follows - ``` config: heapSize: "2g" @@ -1980,14 +1816,11 @@ config: [Back to Additional Guides](#additional-guides) ### System Properties - Additional System Properties as may be recommended by support can be configured in values.yaml - -| Parameter | Description | Default | -| ------------------------- | ------------------------- | ----------------- | -| `config.systemProperties` | Gateway System Properties | `see values.yaml` | - +| Parameter | Description | Default | +| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | +| `config.systemProperties` | Gateway System Properties | `see values.yaml` | The default systemProperties represent what is currently in the base Gateway image with one added flag @@ -1997,7 +1830,6 @@ com.l7tech.server.clusterStaleNodeCleanupTimeoutSeconds=86400 ``` The full default is this - ``` systemProperties: |- # Default Gateway system properties @@ -2019,16 +1851,13 @@ The full default is this [Back to Additional Guides](#additional-guides) ### Diskless Configuration - Refer to [TechDocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/install-configure-upgrade/configuring-the-container-gateway/environment-variables-for-the-container-gateway.html) for more info. Running without Diskless config is supported from Gateway v11.1.1 onwards. Please make sure disklessConfig.enabled is true (default) if you are using a previous version of the Container Gateway. **DISKLESS_CONFIG** is a new environment variable that was introduced in Gateway v11.1.1, that allows switching between configuration sources. This is exposed in the Gateway Helm Chart via the disklessConfig configuration in values.yaml. - - **disklessConfig.enabled: true** - Default, No changes. - ``` disklessConfig: enabled: true @@ -2036,13 +1865,11 @@ disklessConfig: # name: gateway-secret # csi: {} ``` - - **disklessConfig.enabled: false** - The Gateway will be read its configuration from node.properties which is mounted to the container gateway. - This facilitates the use of the [secret store csi driver](https://secrets-store-csi-driver.sigs.k8s.io/) to mount configuration. - Creates a secret with node.properties by default - We **strongly recommend** you create your own node.properties file and make use of disklessConfig.existingSecret configuration. - ``` disklessConfig: enabled: false @@ -2054,11 +1881,9 @@ disklessConfig: #### Creating a node.properties file ##### External MySQL - - Make sure the database configuration matches what is in node.properties Example: node.properties with MySQL database configuration - ``` node.cluster.pass=mypassword admin.user=admin @@ -2071,11 +1896,9 @@ l7.mysql.connection.url=jdbc:mysql://myprimaryserver:3306,mysecondaryserver:3306 See [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/install-configure-upgrade/enable-ssl-connections-for-mysql.html) for more info on setting l7.mysql.connection.url. JDBC URLs like the value provided in database.jdbcUrl can be used as the value of l7.mysql.connection.url in node.properties. ##### Gateway running in Ephemeral Mode (no external MySQL) - - To run the Gateway in Ephemeral mode, ***node.db.type=derby*** needs to be added to node.properties Example: node.properties with Derby configuration - ``` node.cluster.pass=mypassword admin.user=admin @@ -2083,31 +1906,24 @@ admin.pass=mypassword node.db.type=derby node.db.config.main.user=gateway ``` - Unlike interactive password changes in Policy Manager, the container startup scripts validate the following username and password against a restricted character set (for parsing/scripting safety): - ``` admin.user, admin.pass, node.db.config.main.user, node.db.config.main.pass ``` - They may contain alphanumeric ASCII characters and any of the following symbols: ! @ . = - _ ^ + ; : # , %. Do NOT use space characters. ##### Update values.yaml - Update your values file to use the new node.properties file. This command is the simplest way to create a secret with node.properties. Note that this can also be created with tools like [kustomize](https://kustomize.io/) which will be better for CI/CD pipelines. You can also take advantage of the secret [secret store csi driver](https://secrets-store-csi-driver.sigs.k8s.io/) to mount this secret from an external KMS provider. Note that the key name is node.properties. This is required. - ``` kubectl create secret generic gateway-secret --from-file=node.properties=path/to/node.properties ``` - values.yaml - ``` disklessConfig: enabled: false @@ -2119,7 +1935,6 @@ disklessConfig: # volumeAttributes: # secretProviderClass: "secret-provider-class-name" ``` - #### Set up node.properties secret by InitContainer From Gateway v11.2.0 onwards, node.properties support secrets provided in different format by different third party secret managers using InitContainer. @@ -2128,7 +1943,6 @@ Gateway container mounts only /opt/docker/custom/custom-properties/node.properti InitContainer volumeMounts name has to be **shared-secret** values.yaml - ``` disklessConfig: enabled: false @@ -2156,26 +1970,21 @@ initContainers: yum install -y jq jq -r 'to_entries | map("\(.key)=\(.value)") |.[]' /opt/docker/config/node.json > /opt/docker/config/node.properties ``` - More information on how to use initContainers with examples can be found on the [Layer7 Community Github Utilities Repository](https://github.com/Layer7-Community/Utilities/tree/main/gateway-init-container-examples). [Back to Additional Guides](#additional-guides) ### Bundle Configuration - There are a variety of ways to mount Gateway (Restman format) Bundles to the Gateway Container. The best option is making use of existingBundles where the bundle has been created ahead of deployment as a configMap or secret. This allows for purpose built Gateways with a guaranteed set of configuration, apis/services. - -| Parameter | Description | Default | -| --------------------------- | --------------------------------- | ----------------- | -| `existingBundle.enabled` | Enable bundle mounts | `false` | -| `existingBundle.configMaps` | Array of configmap configurations | `see values.yaml` | -| `existingBundle.secrets` | Array of secret configurations | `see values.yaml` | - +| Parameter | Description | Default | +| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | +| `existingBundle.enabled` | Enable bundle mounts | `false` | +| `existingBundle.configMaps` | Array of configmap configurations | `see values.yaml` | +| `existingBundle.secrets` | Array of secret configurations | `see values.yaml` | This example shows 1 secret and 1 configmap configured - you can also use the secrets-store.csi.k8s.io driver for bundles that contain sensitive information. - ``` # Bundles that contain sensitive information can be mounted using the Kubernetes CSI Driver existingBundle: @@ -2198,11 +2007,9 @@ existingBundle: [Back to Additional Guides](#additional-guides) ### Bootstrap Script - To reduce reliance on requiring a custom gateway image for custom and modular assertions, scripts and restman bundles a bootstrap script has been introduced. The script works with the /opt/docker/custom folder. The best way to populate this folder is with an initContainer where files can be copied directly across or dynamically loaded from an external source. The following configuration enables the script - ``` bootstrap: script: @@ -2210,37 +2017,36 @@ bootstrap: cleanup: false <== set this to true if you'd like to clear the /opt/docker/custom folder after it has run. ``` -The bootstrap script scans files in `/opt/docker/custom`. This folder is populated by an initContainer. +The bootstrap script scans files in ```/opt/docker/custom```. This folder is populated by an initContainer. The following folder stucture must be maintained - Restman Bundles (.bundle) - - Source `/opt/docker/custom/bundles` - - Target `/opt/SecureSpan/Gateway/node/default/etc/bootstrap/bundle` + - Source ```/opt/docker/custom/bundles``` + - Target ```/opt/SecureSpan/Gateway/node/default/etc/bootstrap/bundle``` - Custom Assertions (.jar) - - Source `/opt/docker/custom/custom-assertions` - - Target `/opt/SecureSpan/Gateway/runtime/modules/lib/` + - Source ```/opt/docker/custom/custom-assertions``` + - Target ```/opt/SecureSpan/Gateway/runtime/modules/lib/``` - Modular Assertions (.aar) - - Source `/opt/docker/custom/modular-assertions` - - Target `/opt/SecureSpan/Gateway/runtime/modules/assertions` + - Source ```/opt/docker/custom/modular-assertions``` + - Target ```/opt/SecureSpan/Gateway/runtime/modules/assertions``` - Properties (.properties) - - Source `/opt/docker/custom/properties` - - Target `/opt/SecureSpan/Gateway/node/default/etc/conf/` + - Source ```/opt/docker/custom/properties``` + - Target ```/opt/SecureSpan/Gateway/node/default/etc/conf/``` + More information on how to use initContainers with examples can be found on the [Layer7 Community Github Utilities Repository](https://github.com/Layer7-Community/Utilities/tree/main/gateway-init-container-examples). [Back to Additional Guides](#additional-guides) ### Custom Health Checks - -You can now specify a configMap or Secret that contains healthcheck scripts. These are mounted to `/opt/docker/rc.d/diagnostic/health_check` where they are run by `/opt/docker/rc.d/diagnostic/health_check.sh`. +You can now specify a configMap or Secret that contains healthcheck scripts. These are mounted to ```/opt/docker/rc.d/diagnostic/health_check``` where they are run by ```/opt/docker/rc.d/diagnostic/health_check.sh```. - Limited to a single configmap or secret. - ConfigMaps and Secrets can hold multiple scripts. - [See this example](https://github.com/Layer7-Community/Utilities/tree/main/gateway-init-container-examples) ***NOTE: if you set a configMap and a Secret only one of them will be applied to your API Gateway.*** - ``` existingHealthCheck: enabled: false @@ -2260,11 +2066,9 @@ existingHealthCheck: [Back to Additional Guides](#additional-guides) ### Custom Configuration Files - Certain folders on the Container Gateway are not writeable by design. This configuration allows you to mount existing configMap/Secret keys to specific paths on the Gateway without the need for a root user or a custom/derived image. - [See this example](https://github.com/Layer7-Community/Utilities/tree/main/gateway-init-container-examples) - ``` customConfig: enabled: false @@ -2282,15 +2086,13 @@ customConfig: [Back to Additional Guides](#additional-guides) ### Graceful Termination - During upgrades and other events where Gateway pods are replaced you may have APIs/Services that have long running connections open. This functionality delays Kubernetes sending a SIGTERM to the container gateway while connections remain open. This works in conjunction with terminationGracePeriodSeconds which should always be higher than preStopScript.timeoutSeconds. If preStopScript.timeoutSeconds is exceeded, the script will exit 0 and normal pod termination will resume. -The preStop script will monitor connections to **inbound (not outbound)** Gateway Application TCP ports (i.e. inbound listener ports opened by the Gateway Application and not some other process) except those that are explicitly excluded. +The preStop script will monitor connections to inbound (not outbound) Gateway Application TCP ports (i.e. inbound listener ports opened by the Gateway Application and not some other process) except those that are explicitly excluded. The following ports are excluded from monitoring by default. - - 8777 (Hazelcast) - Hazelcast. - 2124 (Internode-Communication) - not utilised by the Container Gateway. @@ -2300,38 +2102,32 @@ While there aren't any explicit limits on preStopScript.timeoutSeconds and termi The graceful termination (preStop script) is disabled by default. - -| Parameter | Description | Default | -| ------------------------------- | ---------------------------------------------------------------------------------------------- | ----------------- | -| `lifecycleHooks` | Custom lifecycle hooks, takes precedence over the preStopScript | `{}` | -| `preStopScript.enabled` | Enable the preStop script | `false` | -| `preStopScript.periodSeconds` | The time in seconds between checks | `3` | -| `preStopScript.timeoutSeconds` | Timeout - must be lower than terminationGracePeriodSeconds | `60` | -| `preStopScript.excludedPorts` | Array of ports that should be excluded from the preStop script check | `[8777, 2124]` | -| `terminationGracePeriodSeconds` | Default duration in seconds kubernetes waits for container to exit before sending kill signal. | `see values.yaml` | - +| Parameter | Description | Default | +| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | +| `lifecycleHooks` | Custom lifecycle hooks, takes precedence over the preStopScript | `{}` | +| `preStopScript.enabled` | Enable the preStop script | `false` | +| `preStopScript.periodSeconds` | The time in seconds between checks | `3` | +| `preStopScript.timeoutSeconds` | Timeout - must be lower than terminationGracePeriodSeconds | `60` | +| `preStopScript.excludedPorts` | Array of ports that should be excluded from the preStop script check | `[8777, 2124]` | +| `terminationGracePeriodSeconds` | Default duration in seconds kubernetes waits for container to exit before sending kill signal. | `see values.yaml` | [Back to Additional Guides](#additional-guides) ### Autoscaling - Autoscaling is disabled by default, you will need [metrics server](https://github.com/kubernetes-sigs/metrics-server) in conjunction with the configuration below. In order for Kubernetes to determine when to scale, you will also need to configure resources We do not recommend setting MaxReplicas for a MySQL backed API Gateway above 8. - -| Parameter | Description | Default | -| ----------------------------- | ----------------------------------------- | ----------------- | -| `autoscaling.enabled` | Enable autoscaling | `false` | -| `autoscaling.hpa.minReplicas` | Minimum replicas that should be available | `1` | -| `autoscaling.hpa.maxReplicas` | Maximum replicas that should be available | `3` | -| `autoscaling.hpa.metrics` | Metrics to scale on | `see values.yaml` | -| `autoscaling.hpa.behaviour` | Scale up/down behaviour | `see values.yaml` | - +| Parameter | Description | Default | +| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | +| `autoscaling.enabled` | Enable autoscaling | `false` | +| `autoscaling.hpa.minReplicas` | Minimum replicas that should be available | `1` | +| `autoscaling.hpa.maxReplicas` | Maximum replicas that should be available | `3` | +| `autoscaling.hpa.metrics` | Metrics to scale on | `see values.yaml` | +| `autoscaling.hpa.behaviour` | Scale up/down behaviour | `see values.yaml` | Here is an example of a configured autoscaling section. - ``` autoscaling: enabled: true @@ -2363,19 +2159,14 @@ autoscaling: [Back to Additional Guides](#additional-guides) ### Pod Disruption Budgets - [Pod Disruption Budgets](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) allow you to limit the number of concurrent disruptions that your application experiences, allowing for higher availability while permitting the cluster administrator to manage the clusters nodes. - - -| Parameter | Description | Default | -| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------- | -| `pdb.create` | Create a PodDisruptionBudget for your Gateway Release | `false` | -| `pdb.maxUnavailable` | number of pods from that set that can be unavailable after the eviction. It can be either an absolute number or a percentage. | `""` | -| `pdb.minAvailable` | number of pods from that set that must still be available after the eviction, even in the absence of the evicted pod. minAvailable can be either an absolute number or a percentage. | `""` | - +| Parameter | Description | Default | +| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | +| `pdb.create` | Create a PodDisruptionBudget for your Gateway Release | `false` | +| `pdb.maxUnavailable` | number of pods from that set that can be unavailable after the eviction. It can be either an absolute number or a percentage. | `""` | +| `pdb.minAvailable` | number of pods from that set that must still be available after the eviction, even in the absence of the evicted pod. minAvailable can be either an absolute number or a percentage. | `""` | Example - note that only ***maxUnavailable*** or ***minAvailable*** can be set - both values ***cannot*** be set at the same time. - ``` pdb: create: true @@ -2386,20 +2177,16 @@ pdb: [Back to Additional Guides](#additional-guides) ### RBAC Parameters - PM Tagger requires access to pods in the current namespace, it uses the Gateway Configured service account. - -| Parameter | Description | Default | -| ----------------------- | ------------------------------------------------------------------------------------------------------------ | ------- | -| `serviceAccount.create` | Create a service account for the Gateway | `true` | -| `serviceAccount.name` | Use an existing service account or specify the name of the service account that you would like to be created | `nil` | -| `rbac.create` | Create Role and Rolebinding for Gateway Service Account | `true` | - +| Parameter | Description | Default | +| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | +| `serviceAccount.create` | Create a service account for the Gateway | `true` | +| `serviceAccount.name` | Use an existing service account or specify the name of the service account that you would like to be created | `nil` | +| `rbac.create` | Create Role and Rolebinding for Gateway Service Account | `true` | If you would like to create and use your own service account the Gateway with PM Tagger will require the following role to function correctly. ***This should NOT be a cluster role*** - ``` rules: - apiGroups: [""] @@ -2410,7 +2197,6 @@ rules: [Back to Additional Guides](#additional-guides) ### Logs & Audit Configuration - The API Gateway containers are configured to output logs and audits as JSON events, and to never write audits to the in-memory Derby database: - System properties in the default template for the `config.javaArgs` value configure the log and audit behaviour: @@ -2419,37 +2205,32 @@ The API Gateway containers are configured to output logs and audits as JSON even - Default log output configuration is overridden by specifying an alternative configuration properties file: `-Djava.util.logging.config.file=/opt/SecureSpan/Gateway/node/default/etc/conf/log-override.properties` - The alternative log configuration properties file `log-override.properties` is mounted on the container, via ConfigMap. - System property to include well known Certificate Authorities Trust Anchors - - API Gateway does not implicitly trust certificates without importing it but If you want to avoid import step then configure Gateway to accept any certificate signed by well known CA's (Certificate Authorities) - configure following property to true - - Set '-Dcom.l7tech.server.pkix.useDefaultTrustAnchors=true' for well known Certificate Authorities be included as Trust Anchors (true/false) + - API Gateway does not implicitly trust certificates without importing it but If you want to avoid import step then configure Gateway to accept any certificate signed by well known CA's (Certificate Authorities) + configure following property to true - + Set '-Dcom.l7tech.server.pkix.useDefaultTrustAnchors=true' for well known Certificate Authorities be included as Trust Anchors (true/false) - Allow wildcards when verifying hostnames (true/false) - - Set '-Dcom.l7tech.security.ssl.hostAllowWildcard=true' to allow wildcards when verifying hostnames (true/false) + - Set '-Dcom.l7tech.security.ssl.hostAllowWildcard=true' to allow wildcards when verifying hostnames (true/false) [Back to Additional Guides](#additional-guides) ## Subchart Configuration - ***these do not represent production configurations*** For Production implementations, please see the Chart links for recommended settings. The best approach would be deploying each independently ## Hazelcast +The following table lists the configured parameters of the Hazelcast Subchart - see the following for more detail https://github.com/hazelcast/charts/blob/master/stable/hazelcast/values.yaml -The following table lists the configured parameters of the Hazelcast Subchart - see the following for more detail [https://github.com/hazelcast/charts/blob/master/stable/hazelcast/values.yaml](https://github.com/hazelcast/charts/blob/master/stable/hazelcast/values.yaml) - - -| Parameter | Description | Default | -| ------------------------------- | --------------------------------------------------------------------------- | ---------------------------- | -| `hazelcast.enabled` | Enable/Disable deployment of Hazelcast | `false` | -| `hazelcast.external` | Point to an external Hazelcast - set enabled to false and configure the url | `false` | -| `hazelcast.image.tag` | The Gateway currently supports Hazelcast 4.x/5.x servers. | `5.2.1` | -| `hazelcast.url` | External Hazelcast Url | `hazelcast.example.com:5701` | -| `hazelcast.cluster.memberCount` | Number of Hazelcast Replicas you wish to deploy | `see values.yaml` | -| `hazelcast.hazelcast.yaml` | Hazelcast configuration | `see the documentation link` | - +| Parameter | Description | Default | +| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | +| `hazelcast.enabled` | Enable/Disable deployment of Hazelcast | `false` | +| `hazelcast.external` | Point to an external Hazelcast - set enabled to false and configure the url | `false` | +| `hazelcast.image.tag` | The Gateway currently supports Hazelcast 4.x/5.x servers. | `5.2.1` | +| `hazelcast.url` | External Hazelcast Url | `hazelcast.example.com:5701` | +| `hazelcast.cluster.memberCount` | Number of Hazelcast Replicas you wish to deploy | `see values.yaml` | +| `hazelcast.hazelcast.yaml` | Hazelcast configuration | `see the documentation link` | ### Subcharts +* Hazelcast (default: disabled) ==> https://github.com/helm/charts/tree/master/stable/hazelcast -- Hazelcast (default: disabled) ==> [https://github.com/helm/charts/tree/master/stable/hazelcast](https://github.com/helm/charts/tree/master/stable/hazelcast) - -[Back to Additional Guides](#additional-guides) \ No newline at end of file +[Back to Additional Guides](#additional-guides) From cc2f2d9177c8691a3ded238ef8b3fe62f75715c0 Mon Sep 17 00:00:00 2001 From: jchanbcbc Date: Mon, 22 Jun 2026 11:47:54 -0700 Subject: [PATCH 16/20] revert --- examples/README.md | 57 ++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 53 insertions(+), 4 deletions(-) diff --git a/examples/README.md b/examples/README.md index 61f39b33..90d2d658 100644 --- a/examples/README.md +++ b/examples/README.md @@ -1,11 +1,60 @@ # Examples -This folder contains information on how to deploy the Gateway and Portal Charts with different configurations. +This folder contains information on how to deploy the various apim-charts with different configurations. ## Prerequisite: * Helm 3.x * The Kubernetes CLI (kubectl) * A Gateway license - not required for Portal examples. -### [Deploying the Portal Helm Chart on Openshift](./portal/openshift/README.md) -### [Deploying the Gateway Helm Chart with the OAuth Toolkit](./otk/README.md) -### [Upgrading the Gateway Helm Chart with the Database Migration Job](./gateway/db-migration/README.md) \ No newline at end of file + +## Gateway Examples +The Gateway Chart is comprised of the base Layer7 API Gateway, MySQL, Hazelcast, InfluxDb and Grafana. It contains a reference implementation that you can use +as an example to get a feel for what's possible and where to start when externalising Hazelcast or Offboxing Service Metrics to InfluxDb and visualising them in Grafana. + +Start by cloning [values.yaml](../charts/gateway/values.yaml) onto a machine that has Helm v3.x and kubectl installed with access to a kubernetes cluster. You can also use ```curl``` to do this + +```$ curl https://raw.githubusercontent.com/CAAPIM/apim-charts/stable/charts/gateway/values.yaml > my-values.yaml``` + +Next add the layer7 Helm Chart Repository if you haven't already + +``` $ helm repo add layer7 https://caapim.github.io/apim-charts/``` + +``` $ helm repo update ``` + +* [Gateway with Sub-Charts](#gateway-with-subcharts) +* [Gateway with Ingress Controller (nginx)](#gateway-with-ingress-controller) + + +### Gateway with SubCharts +Here we'll enable all of the Gateway sub-charts, you can pick and choose which you'd like to try. + +***Note:*** Offboxing Service Metrics requires InfluxDb, Grafana and ServiceMetrics to be enabled. Hazelcast does not require any of these. + +1. Open the ***my-values.yaml*** that you saved earlier + - Update the following values in this file. + ``` + management.restman.enabled: true ==> this optionally enables restman, you can skip this if you don't need it + management.username: admin ==> default PM username + management.password: mypassword ==> default PM password + serviceMetrics.enabled: true ==> this deploys an example service metrics policy to your Gateway [click here for more info](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/10-0/learning-center/overview-of-the-policy-manager/gateway-dashboard/configure-gateway-for-external-service-metrics.html) + hazelcast.enabled: true ==> deploys a pre-configured hazelcast + influxdb.enabled: true ==> deploys influxdb + grafana.enabled: true ==> deploys grafana + grafana.customDashboard.value ==> use --set-file to specify your own grafana dashboard (optional) + ``` +2. Install the Gateway Chart + - ```$ helm install --set license.accept=true --set-file license.value=/path/to/license.xml -f /path/to/my-values.yaml -n layer7/gateway``` + +3. Get the Gateway IP Address for Policy Manager (admin/mypassword are the default login credentials) + - ```$ kubectl get svc -n | grep ``` ==> you should see an EXTERNAL-IP (if using minikube see ingress settings or use minikube proxy) +4. Open Policy Manager v10 and connect to your new Gateway. +5. Create a dummy API and access via curl or your browser. +4. Connect to Grafana and view your service metrics + - ```$ kubectl port-forward svc -grafana 3000:3000 -n ``` +5. Open a browser and navigate to http://localhost:3000 + - ```username: admin``` ===> these default credentials can be updated in values.yaml + - ```password: password``` + + +### Gateway with Ingress Controller +Coming Soon. \ No newline at end of file From 1bed93103e7d8049825b75cd65e8fef8ae1b68b6 Mon Sep 17 00:00:00 2001 From: jchanbcbc Date: Mon, 22 Jun 2026 19:18:54 -0700 Subject: [PATCH 17/20] Changing back the migration job to be opt-in as it should be. --- charts/gateway/production-values.yaml | 4 +++- charts/gateway/values.yaml | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/charts/gateway/production-values.yaml b/charts/gateway/production-values.yaml index 48ecbdaa..3feaba0a 100644 --- a/charts/gateway/production-values.yaml +++ b/charts/gateway/production-values.yaml @@ -655,7 +655,9 @@ database: # Warning, if this job fails, it may leave the DATABASECHANGELOGLOCK locked in which case # the lock must be manually removed before a retry can be attempted. migrationJob: - enabled: true + # Opt-in: set to true only when running helm upgrade against a Gateway 11.2.2+ image. + # This job does not run on helm install (it is a pre-upgrade hook only). + enabled: false # Optional: Override the JDBC URL used by the migration job. Recommended to specify the primary writer endpoint # to avoid routing through a load balancer or proxy during schema updates. If not set, falls back to database.jdbcURL. jdbcUrl: "" diff --git a/charts/gateway/values.yaml b/charts/gateway/values.yaml index 7c7af208..bf560766 100644 --- a/charts/gateway/values.yaml +++ b/charts/gateway/values.yaml @@ -652,7 +652,9 @@ database: # Warning, if this job fails, it may leave the DATABASECHANGELOGLOCK locked in which case # the lock must be manually removed before a retry can be attempted. migrationJob: - enabled: true + # Opt-in: set to true only when running helm upgrade against a Gateway 11.2.2+ image. + # This job does not run on helm install (it is a pre-upgrade hook only). + enabled: false # Optional: Override the JDBC URL used by the migration job. Recommended to specify the primary writer endpoint # to avoid routing through a load balancer or proxy during schema updates. If not set, falls back to database.jdbcURL. jdbcUrl: "" From 52ffd503c3769814d3da818b6767287fb4c6e751 Mon Sep 17 00:00:00 2001 From: jchanbcbc Date: Tue, 23 Jun 2026 00:23:39 -0700 Subject: [PATCH 18/20] Improved the README.md and updated release-notes.md --- charts/gateway/README.md | 1453 ++++++++++++++++++------------- charts/gateway/release-notes.md | 209 +++-- 2 files changed, 990 insertions(+), 672 deletions(-) diff --git a/charts/gateway/README.md b/charts/gateway/README.md index 9e16cf30..bb015d2c 100644 --- a/charts/gateway/README.md +++ b/charts/gateway/README.md @@ -1,18 +1,22 @@ # Layer7 API Gateway + This Chart deploys the API Gateway v11.x onward with the following `optional` subchart: hazelcast. This Chart also includes basic MySQL and Redis statefulsets for trying out the Chart; these are example only and do not represent production ready configurations. ## Bitnami Public Catalog Removal + The Bitnami subCharts have now been fully removed from the Gateway Helm Chart. Please read the release notes for [Gateway v3.0.45](./release-notes.md#3039-bitnami-subchart-removal) for more details. ### Important Note + The included MySQL Statefulset is enabled by default to make trying this chart out easier. ***It is not supported or recommended for production.*** Layer7 assumes that you are deploying a Gateway solution to a Kubernetes environment with an external MySQL database. ## Release notes -- Current Chart Version 3.1.1 +- Current Chart Version 3.1.1 - Please review release notes [here](./release-notes.md) ## Prerequisites + - Kubernetes - [Refer to techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw-11-0/release-notes_cgw/requirements-and-compatibility.html#concept.dita_req_comp_refresh_gw10cr2_platforms) for the latest version support - Helm v3.x @@ -20,26 +24,34 @@ The included MySQL Statefulset is enabled by default to make trying this chart o - Gateway v10.x or v11.x License #### Note + It's important that your Kubernetes Client and Server versions are compatible. You can verify this by running the following + ``` kubectl version ``` + output + ``` Client Version: v1.29.1 Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3 Server Version: v1.27.6+b49f9d1 WARNING: version difference between client (1.29) and server (1.27) exceeds the supported minor version skew of +/-1 ``` + The above message indicates that the client version (kubectl) is greater than the server version by more than 1 minor version. This may cause unforseen errors when using Kubectl or Helm. Please also check your Helm version against [this](https://helm.sh/docs/topics/version_skew/#supported-version-skew) compatibility matrix + ``` helm version ``` + output + ``` version.BuildInfo{Version:"v3.13.3", GitCommit:"c8b948945e52abba22ff885446a1486cb5fd3474", GitTreeState:"clean", GoVersion:"go1.21.5"} @@ -48,76 +60,89 @@ Helm Version Supported Kubernetes Versions ``` ## Optional + - Persistent Volume Provisioner (if using PVC for the Demo MySQL or Redis Statefulset) ## Recommended + - [An Ingress Controller](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/) ### Production + - [Metrics Server](https://github.com/kubernetes-sigs/metrics-server) if you would like to enable autoscaling. #### MySQL/Database Backed Gateways + - [A dedicated external MySQL 8.0.22/8.0.26 server](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw-10-1/install-configure-upgrade/using-mysql-8-0-with-gateway-10.html) ### Advanced Configuration -* [Additional Guides](#additional-guides) -* [Thinking in Kubernetes](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw-10-1/learning-center/thinking-in-kubernetes.html) + +- [Additional Guides](#additional-guides) +- [Thinking in Kubernetes](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw-10-1/learning-center/thinking-in-kubernetes.html) #### Getting Started + ***If you are using a previous version of this Chart please read the updates section before you upgrade.*** -* [Install the Chart](#installing-the-chart) -* [Upgrade the Chart](#upgrading-the-chart) -* [Uninstall the Chart](#uninstalling-the-chart) -## Additional Guides -* [Configuration](#configuration) -* [Service Configuration](#port-configuration) -* [Gateway Application Ports](#gateway-application-ports) -* [OTK Install or Upgrade](#otk-install-or-upgrade) -* [OTK Compatibility with Gateway 11.2](#otk-compatibility-with-gateway-112) -* [Ingress Configuration](#ingress-configuration) -* [Kubernetes Gateway API Configuration](#kubernetes-gateway-api-configuration) -* [PM Tagger Configuration](#pm-tagger-configuration) -* [Shared State Preview Features](#shared-state-preview-features) -* [Redis Configuration](#redis-configuration) -* [Redis StatefulSet](#redis-statefulset-developmenttesting-only) -* [GemFire Configuration](#gemfire-configuration-1113) -* [Shared State Provider Configuration](#shared-state-provider-config) -* [OpenTelemetry Configuration](#opentelemetry-configuration) -* [Database Configuration](#database-configuration) -* [Database Migration Job](#database-migration-job-pre-upgrade-schema-updates) -* [MySQL StatefulSet](#mysql-statefulset-developmenttesting-only) -* [Cluster-Wide Properties](#cluster-wide-properties) -* [Enable DualStack(IPv4/IPv6)](#enable-dualstack) -* [Java Args](#java-args) -* [System Properties](#system-properties) -* [Diskless Configuration](#diskless-configuration) -* [Gateway Bundles](#bundle-configuration) -* [Bootstrap Script](#bootstrap-script) -* [Custom Health Checks](#custom-health-checks) -* [Custom Configuration Files](#custom-configuration-files) -* [Logs & Audit Configuration](#logs--audit-configuration) -* [Graceful Termination](#graceful-termination) -* [Autoscaling](#autoscaling) -* [Pod Disruption Budgets](#pod-disruption-budgets) -* [RBAC Parameters](#rbac-parameters) -* [SubChart Configuration](#subchart-configuration) +- [Install the Chart](#installing-the-chart) +- [Upgrade the Chart](#upgrading-the-chart) +- [Uninstall the Chart](#uninstalling-the-chart) +## Additional Guides +- [Configuration](#configuration) +- [Service Configuration](#port-configuration) +- [Gateway Application Ports](#gateway-application-ports) +- [OTK Install or Upgrade](#otk-install-or-upgrade) +- [OTK Compatibility with Gateway 11.2](#otk-compatibility-with-gateway-112) +- [Ingress Configuration](#ingress-configuration) +- [Kubernetes Gateway API Configuration](#kubernetes-gateway-api-configuration) +- [PM Tagger Configuration](#pm-tagger-configuration) +- [Shared State Preview Features](#shared-state-preview-features) +- [Redis Configuration](#redis-configuration) +- [Redis StatefulSet](#redis-statefulset-developmenttesting-only) +- [GemFire Configuration](#gemfire-configuration-1113) +- [Shared State Provider Configuration](#shared-state-provider-config) +- [OpenTelemetry Configuration](#opentelemetry-configuration) +- [Database Configuration](#database-configuration) +- [Database Migration Job](#database-migration-job-pre-upgrade-schema-updates) +- [MySQL StatefulSet](#mysql-statefulset-developmenttesting-only) +- [Cluster-Wide Properties](#cluster-wide-properties) +- [Enable DualStack(IPv4/IPv6)](#enable-dualstack) +- [Java Args](#java-args) +- [System Properties](#system-properties) +- [Diskless Configuration](#diskless-configuration) +- [Gateway Bundles](#bundle-configuration) +- [Bootstrap Script](#bootstrap-script) +- [Custom Health Checks](#custom-health-checks) +- [Custom Configuration Files](#custom-configuration-files) +- [Logs & Audit Configuration](#logs--audit-configuration) +- [Graceful Termination](#graceful-termination) +- [Autoscaling](#autoscaling) +- [Pod Disruption Budgets](#pod-disruption-budgets) +- [RBAC Parameters](#rbac-parameters) +- [SubChart Configuration](#subchart-configuration) ## Installing the Chart + Check out [this guide](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw-10-1/learning-center/thinking-in-kubernetes/hands-on-gateway-deployment-in-kubernetes.html) for more in-depth instruction + ``` $ helm repo add layer7 https://caapim.github.io/apim-charts/ $ helm repo update $ helm install my-ssg --set-file "license.value=path/to/license.xml" --set "license.accept=true" layer7/gateway ``` + ## Upgrading the Chart + To upgrade your Gateway Release + ``` $ helm upgrade my-ssg --set-file "license.value=path/to/license.xml" --set "license.accept=true" layer7/gateway ``` + ## Uninstalling the Chart + To uninstall the Gateway Chart ``` @@ -125,12 +150,15 @@ $ helm uninstall -n ``` ## Custom values + To make sure that your custom values don't get overwritten by a pull, create your own values.yaml (myvalues.yaml..) then specify -f myvalues.yaml when deploying/upgrading ## Note on custom values + You only need to include the values you wish to change in your myvalues.yaml For example, you wish to deploy the Gateway Chart as is without a database. Your myvalues.yaml would then contain the following + ``` database: enabled: false @@ -138,160 +166,165 @@ database: ``` ## Configuration + The following table lists the configurable parameters of the Gateway chart and their default values. See values.yaml for additional parameters and info -| Parameter | Description | Default | -| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | -| `nameOverride` | Name override | `nil` | -| `fullnameOverride` | Full name override | `nil` | -| `global.schedulerName` | Override the default scheduler | `nil` | -| `license.value` | Gateway license file | `nil` | -| `license.accept` | Accept Gateway license EULA | `false` | -| `disklessConfig.enabled` | Enable diskless configuration | `true` | -| `disklessConfig.setSecretByInitContainer` | Fetch and mount node.properties secret by InitContainer | `false` | -| `disklessConfig.existingSecret` | existing node.properties secret mount configuration | `{}` | -| `disklessConfig.existingSecret.name` | existing secret containing node.properties | `gateway-secret` | -| `disklessConfig.existingSecret.csi` | csi configuration for the [secret store csi driver](https://secrets-store-csi-driver.sigs.k8s.io/) | `commented out` | -| `image.registry` | Image Registry | `docker.io` | -| `image.repository` | Image Repository | `caapim/gateway` | -| `image.tag` | Image tag | `11.0.00` | -| `image.pullPolicy` | Image Pull Policy | `IfNotPresent` | -| `imagePullSecret.enabled` | Configures Gateway Deployment to use imagePullSecret, you can also leave this disabled and associate an image pull secret with the Gateway's Service Account | `false` | -| `imagePullSecret.existingSecretName` | Point to an existing Image Pull Secret | `commented out` | -| `imagePullSecret.username` | Registry Username | `nil` | -| `imagePullSecret.password` | Registry Password | `nil` | -| `additionalAnnotations` | Additional Annotations apply to all deployed objects | `{}` | -| `additionalLabels` | Additional Labels apply to all deployed objects | `{}` | -| `podLabels` | Pod Labels for the Gateway Pod | `{}` | -| `podAnnotations` | Pod Annotations apply to the Gateway Pod | `{}` | -| `replicas` | Number of Gateway replicas | `1` | -| `updateStrategy.type` | Deployment Strategy | `RollingUpdate` | -| `updateStrategy.rollingUpdate.maxSurge` | Rolling Update Max Surge | `1` | -| `updateStrategy.rollingUpdate.maxUnavailable` | Rolling Update Max Unavailable | `0` | -| `clusterHostname` | Gateway Cluster Hostname | `my.localdomain` | -| `existingGatewaySecretName` | Existing Secret that contains management credentials, see values.yaml for what must be included | `commented out` | -| `clusterPassword` | Cluster Password, used if db backed | `mypassword` | -| `management.enabled` | Enable/Disable Policy Manager access | `true` | -| `management.restman.enabled` | Enable/Disable the Rest Management API (Restman) | `false` | -| `management.username` | Policy Manager Username | `admin` | -| `management.password` | Policy Manager Password | `mypassword` | -| `management.kubernetes.loadServiceAccountToken` | Automatically load the Gateway Deployment's ServiceAccount Token for querying the Kubernetes API | `false` | -| `management.service.ipFamilyPolicy` | [IPv4/IPv6 dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/) | `commented out` | -| `management.service.ipFamilies` | [IPv4/IPv6 dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/) | `nil` | -| `database.enabled` | Run in DB Backed or Ephemeral Mode | `true` | -| `database.create` | Deploy the MySQL stable deployment as part of this release | `true` | -| `database.username` | Database Username | `gateway` | -| `database.password` | Database Password | `mypassword` | -| `database.liquibaseLogLevel` | Liquibase log level | `off` | -| `database.name` | Database name | `ssg` | -| `tls.useSignedCertificates` | Enable/Disable use of your own TLS Certificate, this ovverides the Gateway's defaultSSLKey | `false` | -| `tls.existingSecretName` | Existing Secret that contains TLS p12 container and pass, see values.yaml for what must be included | `commented out` | -| `tls.key` | p12 container - this can be set with --set-file tls.key=/path/to/tls.p12 | `nil` | -| `tls.pass` | p12 container password - this cannot be empty | `nil` | -| `config.heapSize` | Java Heap Size | `2g` | -| `config.minHeapSize` | Java Min Heap Size | `1g` | -| `config.maxHeapSize` | Java Max Heap Size | `3g` | -| `config.javaArgs` | Additional Java Args to pass to the SSG process | `see values.yaml` | -| `config.log.override` | Override the standard log configuration | `true` | -| `config.log.properties` | Custom logging properties | `see values.yaml` | -| `config.cwp.enabled` | Enable/Disable settable cluster-wide properties | `false` | -| `config.cwp.properties` | Set name/value pairs of cluster-wide properties | `see values.yaml` | -| `config.sytemProperties` | Configure the Gateway's system.properties file | `see values.yaml` | -| `additionalEnv` | Additional environment variables you wish to pass to the Gateway Configmap | `see values.yaml` | -| `additionalSecret` | Additional secret variables you wish to pass to the Gateway Secret | `see values.yaml` | -| `bundle.enabled` | Creates a configmap with bundles from the ./bundles folder | `false` | -| `bundle.path` | Specify the path to the bundle files. The bundles folder in this repo has some example bundle files | `"bundles/*.bundle"` | -| `existingBundle.enabled` | Enable mounting existing configMaps/Secrets that contain Layer7 Gateway Bundles - see values.yaml for more info | `false` | -| `existingBundle.configMaps` | Array of configMaps that will be mounted to the Gateway's bootstrap folder | `see values.yaml` | -| `existingBundle.secrets` | Array of Secrets that will be mounted to the Gateway's bootstrap folder | `see values.yaml` | -| `customHosts.enabled` | Enable customHosts on the Gateway, this overrides /etc/hosts. | `see values.yaml` | -| `customHosts.hostAliases` | Array of hostAliases to add to the Container Gateway | `see values.yaml` | -| `service.type` | Service Type | `LoadBalancer` | -| `service.ipFamilyPolicy` | [IPv4/IPv6 dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/) | `commented out` | -| `service.ipFamilies` | [IPv4/IPv6 dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/) | `nil` | -| `service.loadbalancer` | Additional Loadbalancer Configuration | `see https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service` | -| `service.ports` | List of http external port mappings | https: 8443 -> 8443, management: 9443->9443 | -| `service.annotations` | Additional annotations to add to the service | {} | -| `service.internalTrafficPolicy` | [Internal Traffic Policy](https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/#using-service-internal-traffic-policy) | `Cluster` | -| `service.externalTrafficPolicy` | [External Traffic Policy](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip) | `Cluster` | -| `ingress.enabled` | Enable/Disable an ingress or route record being created | `false` | -| `ingress.openshift.route.enabled` | Create an Openshift Route (Requires Openshift) | `false` | -| `ingress.openshift.route.wildcardPolicy` | Openshift Route Wildcard Policy | `None` | -| `ingress.openshift.route.weight` | Openshift Route Weight (0-255) | `commented` | -| `ingress.annotations` | ingress annotations | `{}` | -| `ingress.labels` | additional ingress labels | `{}` | -| `ingress.ingressClassName` | Ingress Class Name | `nginx` | -| `ingress.tls` | Ingress TLS Configuration | `see values.yaml` | -| `ingress.rules` | Ingress Rules Configuration | `see values.yaml` | -| `ingress.rules[].annotations` | Per-rule annotations (OpenShift Routes only). Merged with `ingress.annotations` | `not set` | -| `kubernetesGateway.enabled` | Enable Kubernetes Gateway API resources (EXPERIMENTAL) | `false` | -| `kubernetesGateway.gateway.create` | Create a new Gateway resource | `false` | -| `kubernetesGateway.gateway.gatewayClassName` | GatewayClass name (e.g. contour, eg). Required when create: true | `""` | -| `kubernetesGateway.gateway.addresses` | Optional addresses for the Gateway (e.g. static IPs). Array of `{type, value}` | `[]` | -| `kubernetesGateway.gateway.existingRef.name` | Name of an existing Gateway to reference | `""` | -| `kubernetesGateway.gateway.existingRef.namespace` | Namespace of the existing Gateway | `""` | -| `kubernetesGateway.gateway.tls.existingSecretName` | Reference an existing kubernetes.io/tls Secret for the listener. When set, no secret is created | `""` | -| `kubernetesGateway.gateway.labels` | Additional labels for the Gateway resource | `{}` | -| `kubernetesGateway.gateway.annotations` | Additional annotations for the Gateway resource | `{}` | -| `kubernetesGateway.httpRoute.enabled` | Enable HTTPRoute resource | `true` | -| `kubernetesGateway.httpRoute.rules` | HTTPRoute rules. Each rule routes to the chart's own service | `see values.yaml` | -| `kubernetesGateway.httpRoute.labels` | Additional labels for the HTTPRoute | `{}` | -| `kubernetesGateway.httpRoute.annotations` | Additional annotations for the HTTPRoute | `{}` | -| `kubernetesGateway.tlsRoute.enabled` | Enable TLSRoute resource (SNI passthrough) | `false` | -| `kubernetesGateway.tlsRoute.apiVersion` | TLSRoute API version. Set to `gateway.networking.k8s.io/v1` when your CRDs include TLSRoute at v1 | `gateway.networking.k8s.io/v1alpha2` | -| `kubernetesGateway.tlsRoute.rules` | TLSRoute rules. Each rule routes to the chart's own service | `see values.yaml` | -| `kubernetesGateway.tlsRoute.labels` | Additional labels for the TLSRoute | `{}` | -| `kubernetesGateway.tlsRoute.annotations` | Additional annotations for the TLSRoute | `{}` | -| `kubernetesGateway.backendTLSPolicy.enabled` | Enable BackendTLSPolicy for Gateway-to-backend TLS | `false` | -| `kubernetesGateway.backendTLSPolicy.excludePorts` | Ports to exclude from targetRefs. When empty, the policy covers all ports (no `sectionName`). When set, each non-excluded port gets an explicit targetRef with `sectionName` | `[]` | -| `kubernetesGateway.backendTLSPolicy.validation.hostname` | Hostname for backend TLS validation. If empty, defaults to `..svc.cluster.local` | `""` | -| `kubernetesGateway.backendTLSPolicy.validation.caCertificateRefs` | CA certificate references. If empty, defaults to the auto-generated CA ConfigMap | `[]` | -| `kubernetesGateway.backendTLSPolicy.validation.wellKnownCACertificates` | Use well-known CA certs (e.g. `System`). Mutually exclusive with `caCertificateRefs` | `""` | -| `kubernetesGateway.backendTLSPolicy.tls.existingSecretName` | Reference an existing kubernetes.io/tls Secret for the backend cert. When set, no secret is created | `""` | -| `kubernetesGateway.backendTLSPolicy.tls.bootstrap` | Enable SSL key bootstrap into the pod. Set `false` when you only need the BackendTLSPolicy resource | `true` | -| `kubernetesGateway.backendTLSPolicy.tls.forceBootstrap` | Force the bootstrap script on every install/upgrade (db-backed gateways skip on upgrade by default) | `false` | -| `kubernetesGateway.backendTLSPolicy.labels` | Additional labels for the BackendTLSPolicy | `{}` | -| `kubernetesGateway.backendTLSPolicy.annotations` | Additional annotations for the BackendTLSPolicy | `{}` | -| `kubernetesGateway.labels` | Labels applied to all Gateway API resources | `{}` | -| `kubernetesGateway.annotations` | Annotations applied to all Gateway API resources | `{}` | -| `startupProbe.enabled` | Enable/Disable | `false` | -| `startupProbe.initialDelaySeconds` | Initial delay | `60` | -| `startupProbe.timeoutSeconds` | Timeout | `1` | -| `startupProbe.periodSeconds` | Frequency | `10` | -| `startupProbe.successThreshold` | Success Threshold | `1` | -| `startupProbe.failureThreshold` | Failure Threshold | `10` | -| `livenessProbe.enabled` | Enable/Disable | `true` | -| `livenessProbe.initialDelaySeconds` | Initial delay | `60` | -| `livenessProbe.timeoutSeconds` | Timeout | `1` | -| `livenessProbe.periodSeconds` | Frequency | `10` | -| `livenessProbe.successThreshold` | Success Threshold | `1` | -| `livenessProbe.failureThreshold` | Failure Threshold | `10` | -| `readinessProbe.enabled` | Enable/Disable | `true` | -| `readinessProbe.initialDelaySeconds` | Initial delay | `60` | -| `readinessProbe.timeoutSeconds` | Timeout | `1` | -| `readinessProbe.periodSeconds` | Frequency | `10` | -| `readinessProbe.successThreshold` | Success Threshold | `1` | -| `readinessProbe.failureThreshold` | Failure Threshold | `10` | -| `resources.limits` | Resource Limits | `{}` | -| `resources.requests` | Resource Requests | `{}` | -| `nodeSelector` | [Node Selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) | `{}` | -| `affinity` | [Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) | `{}` | -| `topologySpreadConstraints` | [Topology Spread Constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/#spread-constraints-for-pods) | `[]` | -| `tolerations` | [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) | `[]` | -| `podSecurityContext` | [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | `[]` | -| `containerSecurityContext` | [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | `{}` | -| `bootstrap.script.enabled` | Enable the bootstrap script | `false` | + +| Parameter | Description | Default | +| ----------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- | +| `nameOverride` | Name override | `nil` | +| `fullnameOverride` | Full name override | `nil` | +| `global.schedulerName` | Override the default scheduler | `nil` | +| `license.value` | Gateway license file | `nil` | +| `license.accept` | Accept Gateway license EULA | `false` | +| `disklessConfig.enabled` | Enable diskless configuration | `true` | +| `disklessConfig.setSecretByInitContainer` | Fetch and mount node.properties secret by InitContainer | `false` | +| `disklessConfig.existingSecret` | existing node.properties secret mount configuration | `{}` | +| `disklessConfig.existingSecret.name` | existing secret containing node.properties | `gateway-secret` | +| `disklessConfig.existingSecret.csi` | csi configuration for the [secret store csi driver](https://secrets-store-csi-driver.sigs.k8s.io/) | `commented out` | +| `image.registry` | Image Registry | `docker.io` | +| `image.repository` | Image Repository | `caapim/gateway` | +| `image.tag` | Image tag | `11.0.00` | +| `image.pullPolicy` | Image Pull Policy | `IfNotPresent` | +| `imagePullSecret.enabled` | Configures Gateway Deployment to use imagePullSecret, you can also leave this disabled and associate an image pull secret with the Gateway's Service Account | `false` | +| `imagePullSecret.existingSecretName` | Point to an existing Image Pull Secret | `commented out` | +| `imagePullSecret.username` | Registry Username | `nil` | +| `imagePullSecret.password` | Registry Password | `nil` | +| `additionalAnnotations` | Additional Annotations apply to all deployed objects | `{}` | +| `additionalLabels` | Additional Labels apply to all deployed objects | `{}` | +| `podLabels` | Pod Labels for the Gateway Pod | `{}` | +| `podAnnotations` | Pod Annotations apply to the Gateway Pod | `{}` | +| `replicas` | Number of Gateway replicas | `1` | +| `updateStrategy.type` | Deployment Strategy | `RollingUpdate` | +| `updateStrategy.rollingUpdate.maxSurge` | Rolling Update Max Surge | `1` | +| `updateStrategy.rollingUpdate.maxUnavailable` | Rolling Update Max Unavailable | `0` | +| `clusterHostname` | Gateway Cluster Hostname | `my.localdomain` | +| `existingGatewaySecretName` | Existing Secret that contains management credentials, see values.yaml for what must be included | `commented out` | +| `clusterPassword` | Cluster Password, used if db backed | `mypassword` | +| `management.enabled` | Enable/Disable Policy Manager access | `true` | +| `management.restman.enabled` | Enable/Disable the Rest Management API (Restman) | `false` | +| `management.username` | Policy Manager Username | `admin` | +| `management.password` | Policy Manager Password | `mypassword` | +| `management.kubernetes.loadServiceAccountToken` | Automatically load the Gateway Deployment's ServiceAccount Token for querying the Kubernetes API | `false` | +| `management.service.ipFamilyPolicy` | [IPv4/IPv6 dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/) | `commented out` | +| `management.service.ipFamilies` | [IPv4/IPv6 dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/) | `nil` | +| `database.enabled` | Run in DB Backed or Ephemeral Mode | `true` | +| `database.create` | Deploy the MySQL stable deployment as part of this release | `true` | +| `database.username` | Database Username | `gateway` | +| `database.password` | Database Password | `mypassword` | +| `database.liquibaseLogLevel` | Liquibase log level | `off` | +| `database.name` | Database name | `ssg` | +| `tls.useSignedCertificates` | Enable/Disable use of your own TLS Certificate, this ovverides the Gateway's defaultSSLKey | `false` | +| `tls.existingSecretName` | Existing Secret that contains TLS p12 container and pass, see values.yaml for what must be included | `commented out` | +| `tls.key` | p12 container - this can be set with --set-file tls.key=/path/to/tls.p12 | `nil` | +| `tls.pass` | p12 container password - this cannot be empty | `nil` | +| `config.heapSize` | Java Heap Size | `2g` | +| `config.minHeapSize` | Java Min Heap Size | `1g` | +| `config.maxHeapSize` | Java Max Heap Size | `3g` | +| `config.javaArgs` | Additional Java Args to pass to the SSG process | `see values.yaml` | +| `config.log.override` | Override the standard log configuration | `true` | +| `config.log.properties` | Custom logging properties | `see values.yaml` | +| `config.cwp.enabled` | Enable/Disable settable cluster-wide properties | `false` | +| `config.cwp.properties` | Set name/value pairs of cluster-wide properties | `see values.yaml` | +| `config.sytemProperties` | Configure the Gateway's system.properties file | `see values.yaml` | +| `additionalEnv` | Additional environment variables you wish to pass to the Gateway Configmap | `see values.yaml` | +| `additionalSecret` | Additional secret variables you wish to pass to the Gateway Secret | `see values.yaml` | +| `bundle.enabled` | Creates a configmap with bundles from the ./bundles folder | `false` | +| `bundle.path` | Specify the path to the bundle files. The bundles folder in this repo has some example bundle files | `"bundles/*.bundle"` | +| `existingBundle.enabled` | Enable mounting existing configMaps/Secrets that contain Layer7 Gateway Bundles - see values.yaml for more info | `false` | +| `existingBundle.configMaps` | Array of configMaps that will be mounted to the Gateway's bootstrap folder | `see values.yaml` | +| `existingBundle.secrets` | Array of Secrets that will be mounted to the Gateway's bootstrap folder | `see values.yaml` | +| `customHosts.enabled` | Enable customHosts on the Gateway, this overrides /etc/hosts. | `see values.yaml` | +| `customHosts.hostAliases` | Array of hostAliases to add to the Container Gateway | `see values.yaml` | +| `service.type` | Service Type | `LoadBalancer` | +| `service.ipFamilyPolicy` | [IPv4/IPv6 dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/) | `commented out` | +| `service.ipFamilies` | [IPv4/IPv6 dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/) | `nil` | +| `service.loadbalancer` | Additional Loadbalancer Configuration | `see https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service` | +| `service.ports` | List of http external port mappings | https: 8443 -> 8443, management: 9443->9443 | +| `service.annotations` | Additional annotations to add to the service | {} | +| `service.internalTrafficPolicy` | [Internal Traffic Policy](https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/#using-service-internal-traffic-policy) | `Cluster` | +| `service.externalTrafficPolicy` | [External Traffic Policy](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip) | `Cluster` | +| `ingress.enabled` | Enable/Disable an ingress or route record being created | `false` | +| `ingress.openshift.route.enabled` | Create an Openshift Route (Requires Openshift) | `false` | +| `ingress.openshift.route.wildcardPolicy` | Openshift Route Wildcard Policy | `None` | +| `ingress.openshift.route.weight` | Openshift Route Weight (0-255) | `commented` | +| `ingress.annotations` | ingress annotations | `{}` | +| `ingress.labels` | additional ingress labels | `{}` | +| `ingress.ingressClassName` | Ingress Class Name | `nginx` | +| `ingress.tls` | Ingress TLS Configuration | `see values.yaml` | +| `ingress.rules` | Ingress Rules Configuration | `see values.yaml` | +| `ingress.rules[].annotations` | Per-rule annotations (OpenShift Routes only). Merged with `ingress.annotations` | `not set` | +| `kubernetesGateway.enabled` | Enable Kubernetes Gateway API resources (EXPERIMENTAL) | `false` | +| `kubernetesGateway.gateway.create` | Create a new Gateway resource | `false` | +| `kubernetesGateway.gateway.gatewayClassName` | GatewayClass name (e.g. contour, eg). Required when create: true | `""` | +| `kubernetesGateway.gateway.addresses` | Optional addresses for the Gateway (e.g. static IPs). Array of `{type, value}` | `[]` | +| `kubernetesGateway.gateway.existingRef.name` | Name of an existing Gateway to reference | `""` | +| `kubernetesGateway.gateway.existingRef.namespace` | Namespace of the existing Gateway | `""` | +| `kubernetesGateway.gateway.tls.existingSecretName` | Reference an existing kubernetes.io/tls Secret for the listener. When set, no secret is created | `""` | +| `kubernetesGateway.gateway.labels` | Additional labels for the Gateway resource | `{}` | +| `kubernetesGateway.gateway.annotations` | Additional annotations for the Gateway resource | `{}` | +| `kubernetesGateway.httpRoute.enabled` | Enable HTTPRoute resource | `true` | +| `kubernetesGateway.httpRoute.rules` | HTTPRoute rules. Each rule routes to the chart's own service | `see values.yaml` | +| `kubernetesGateway.httpRoute.labels` | Additional labels for the HTTPRoute | `{}` | +| `kubernetesGateway.httpRoute.annotations` | Additional annotations for the HTTPRoute | `{}` | +| `kubernetesGateway.tlsRoute.enabled` | Enable TLSRoute resource (SNI passthrough) | `false` | +| `kubernetesGateway.tlsRoute.apiVersion` | TLSRoute API version. Set to `gateway.networking.k8s.io/v1` when your CRDs include TLSRoute at v1 | `gateway.networking.k8s.io/v1alpha2` | +| `kubernetesGateway.tlsRoute.rules` | TLSRoute rules. Each rule routes to the chart's own service | `see values.yaml` | +| `kubernetesGateway.tlsRoute.labels` | Additional labels for the TLSRoute | `{}` | +| `kubernetesGateway.tlsRoute.annotations` | Additional annotations for the TLSRoute | `{}` | +| `kubernetesGateway.backendTLSPolicy.enabled` | Enable BackendTLSPolicy for Gateway-to-backend TLS | `false` | +| `kubernetesGateway.backendTLSPolicy.excludePorts` | Ports to exclude from targetRefs. When empty, the policy covers all ports (no `sectionName`). When set, each non-excluded port gets an explicit targetRef with `sectionName` | `[]` | +| `kubernetesGateway.backendTLSPolicy.validation.hostname` | Hostname for backend TLS validation. If empty, defaults to `..svc.cluster.local` | `""` | +| `kubernetesGateway.backendTLSPolicy.validation.caCertificateRefs` | CA certificate references. If empty, defaults to the auto-generated CA ConfigMap | `[]` | +| `kubernetesGateway.backendTLSPolicy.validation.wellKnownCACertificates` | Use well-known CA certs (e.g. `System`). Mutually exclusive with `caCertificateRefs` | `""` | +| `kubernetesGateway.backendTLSPolicy.tls.existingSecretName` | Reference an existing kubernetes.io/tls Secret for the backend cert. When set, no secret is created | `""` | +| `kubernetesGateway.backendTLSPolicy.tls.bootstrap` | Enable SSL key bootstrap into the pod. Set `false` when you only need the BackendTLSPolicy resource | `true` | +| `kubernetesGateway.backendTLSPolicy.tls.forceBootstrap` | Force the bootstrap script on every install/upgrade (db-backed gateways skip on upgrade by default) | `false` | +| `kubernetesGateway.backendTLSPolicy.labels` | Additional labels for the BackendTLSPolicy | `{}` | +| `kubernetesGateway.backendTLSPolicy.annotations` | Additional annotations for the BackendTLSPolicy | `{}` | +| `kubernetesGateway.labels` | Labels applied to all Gateway API resources | `{}` | +| `kubernetesGateway.annotations` | Annotations applied to all Gateway API resources | `{}` | +| `startupProbe.enabled` | Enable/Disable | `false` | +| `startupProbe.initialDelaySeconds` | Initial delay | `60` | +| `startupProbe.timeoutSeconds` | Timeout | `1` | +| `startupProbe.periodSeconds` | Frequency | `10` | +| `startupProbe.successThreshold` | Success Threshold | `1` | +| `startupProbe.failureThreshold` | Failure Threshold | `10` | +| `livenessProbe.enabled` | Enable/Disable | `true` | +| `livenessProbe.initialDelaySeconds` | Initial delay | `60` | +| `livenessProbe.timeoutSeconds` | Timeout | `1` | +| `livenessProbe.periodSeconds` | Frequency | `10` | +| `livenessProbe.successThreshold` | Success Threshold | `1` | +| `livenessProbe.failureThreshold` | Failure Threshold | `10` | +| `readinessProbe.enabled` | Enable/Disable | `true` | +| `readinessProbe.initialDelaySeconds` | Initial delay | `60` | +| `readinessProbe.timeoutSeconds` | Timeout | `1` | +| `readinessProbe.periodSeconds` | Frequency | `10` | +| `readinessProbe.successThreshold` | Success Threshold | `1` | +| `readinessProbe.failureThreshold` | Failure Threshold | `10` | +| `resources.limits` | Resource Limits | `{}` | +| `resources.requests` | Resource Requests | `{}` | +| `nodeSelector` | [Node Selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) | `{}` | +| `affinity` | [Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) | `{}` | +| `topologySpreadConstraints` | [Topology Spread Constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/#spread-constraints-for-pods) | `[]` | +| `tolerations` | [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) | `[]` | +| `podSecurityContext` | [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | `[]` | +| `containerSecurityContext` | [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | `{}` | +| `bootstrap.script.enabled` | Enable the bootstrap script | `false` | [Back to Additional Guides](#additional-guides) ## Port Configuration + There are two types of port configuration available in the Gateway Helm Chart that are configured in the following ways ### Container/Service Level Ports ### Default Gateway Service + Sample entry that exposes 8443 which is one of the default TLS port on the API Gateway using service type LoadBalancer. + ``` service: type: LoadBalancer @@ -304,6 +337,7 @@ service: ``` ### Production Values Default + Sample entry that exposes 8443 which is one of the default TLS ports on the API Gateway Note that the service type is ClusterIP which does not receive an external IP address. We can make this service accessible by configuring an [ingress resource](#ingress-configuration). @@ -317,7 +351,9 @@ service: external: 8443 protocol: TCP ``` + ### Gateway Management Service + The Gateway Management Service is primarily used to expose Gateway Ports that you wish to use for Internal Management Access for tools like Policy Manager. This Service requires the [PM Tagger](#pm-tagger) to function correctly. ``` @@ -339,19 +375,22 @@ management: [Back to Additional Guides](#additional-guides) ### OTK Compatibility with Gateway 11.2 + These below information is relevant for those who are upgrading their Gateway to version 11.2 and utilizing the OAuth Toolkit (OTK) + 1. **OTK 4.6.4** is presently the only version that provides seamless support for Gateway 11.2 2. For older versions (< OTK 4.6.4), the below steps have to be followed to ensure smooth transition to Gateway 11.2 - * After upgrading Gateway to 11.2 If there is a necessity to install or upgrade to OTK version 4.6.3, 4.6.2, 4.6.1, or 4.6.0, please ensure to update the OTK image tag to use one of the below tags corresponding to the specific version being deployed: - * 4.6.0.1 - * 4.6.1.1 - * 4.6.2.1 - * 4.6.3.1 - * It has to be ensured that Evaluate JSON Path Assertion (V1) assertion is added to the GW. - * This will be provided as Tactical assertion. Please find more information on how to get the assertion [here](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-6/release-notes.html) - * In Helm chart, this can be done using init Containers. For more information & examples refer to [Utilities](https://github.com/Layer7-Community/Utilities/tree/main/gateway-init-container-examples) + - After upgrading Gateway to 11.2 If there is a necessity to install or upgrade to OTK version 4.6.3, 4.6.2, 4.6.1, or 4.6.0, please ensure to update the OTK image tag to use one of the below tags corresponding to the specific version being deployed: + - 4.6.0.1 + - 4.6.1.1 + - 4.6.2.1 + - 4.6.3.1 + - It has to be ensured that Evaluate JSON Path Assertion (V1) assertion is added to the GW. + - This will be provided as Tactical assertion. Please find more information on how to get the assertion [here](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-6/release-notes.html) + - In Helm chart, this can be done using init Containers. For more information & examples refer to [Utilities](https://github.com/Layer7-Community/Utilities/tree/main/gateway-init-container-examples) ### OTK install or upgrade + OTK can be install or upgrade gateway. Supports SINGLE, INTERNAL and DMZ types of OTK installations on db backed gateway. On ephermal gateway only SINGLE mode is supported. - On a database backed gateway, once gateway is healthy, k8s kind/job is used to install OTK using Restman ([OTK Headless installation](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-6/installation-workflow/install-the-oauth-solution-kit/headless-installation-of-otk-solution-kit.html)) @@ -359,16 +398,21 @@ OTK can be install or upgrade gateway. Supports SINGLE, INTERNAL and DMZ types - On a Ephemeral or database backed gateway, before the start of gateway, k8s job to used to install/update the OTK database (Cassandra database is not supported and should be upgraded [manually](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-6/installation-workflow/create-or-upgrade-the-otk-database.html)) ***NOTE:*** + 1. When installing or Upgrading Gateway with OTK enabled, add timeout with the helm command to ensure OTK install job waits for Gateway to be ready + ``` Example: The timeout of 900s is recommended for helm upgrade since it takes additional time to complete helm install otk layer7/gateway --set-file "license.value=path/license.xml" \ --set "license.accept=true,management.restman.enabled=true,otk.enabled=true" --timeout 900s ``` -2. In dual gateway installation, restart the pods after OTK install or upgrade is required. + +1. In dual gateway installation, restart the pods after OTK install or upgrade is required. Prerequisites: -* Configure cluster wide property for otk.port pointing to gateway ingress port and OTK database type. + +- Configure cluster wide property for otk.port pointing to gateway ingress port and OTK database type. + ``` config: cwp: @@ -379,8 +423,10 @@ config: - name: otk.dbsystem value: mysql ``` -* Restman is enabled. Can be disabled once the install/upgrage is complete. - * This is not applicable for ephemeral GW + +- Restman is enabled. Can be disabled once the install/upgrage is complete. + - This is not applicable for ephemeral GW + ``` management: restman: @@ -388,125 +434,131 @@ management: ``` Limitations: -* OTK Instance modifiers are not supported. -* Install/Upgrade of OTK schema on cassandra database using kubernetes job is not supported. -* The Cassandra install scripts have to executed manually for new install scenario -* The Cassandra upgrade & data migration scripts(if any) have to be executed manually for upgrade scenario -* Dual gateway OTK set-up (otk.type: DMZ or INTERNAL) is not supported with ephemeral gateway. -* OTK upgrade to 4.6.3 will not upgrade the DB with utf8mb4 character set. This has to be done seperately following the steps provided in upgrade section in [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-6/installation-workflow/create-or-upgrade-the-otk-database/mysql-database.html) + +- OTK Instance modifiers are not supported. +- Install/Upgrade of OTK schema on cassandra database using kubernetes job is not supported. +- The Cassandra install scripts have to executed manually for new install scenario +- The Cassandra upgrade & data migration scripts(if any) have to be executed manually for upgrade scenario +- Dual gateway OTK set-up (otk.type: DMZ or INTERNAL) is not supported with ephemeral gateway. +- OTK upgrade to 4.6.3 will not upgrade the DB with utf8mb4 character set. This has to be done seperately following the steps provided in upgrade section in [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-6/installation-workflow/create-or-upgrade-the-otk-database/mysql-database.html) OTK Deployment examples can be found [here](/examples/otk) -| Parameter | Description | Default | -| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | -| `otk.enabled` | Enable/Disable OTK installation or upgrade | `false` | -| `otk.type` | OTK installation type - SINGLE, DMZ or INTERNAL | `SINGLE` -| `otk.forceInstallOrUpgrade` | Force install or upgrade by uninstalling existing otk soluction kit and install. | false -| `otk.enablePortalIntegration` | Not applicable for DMZ and INTERNAL OTK types | `false` -| `otk.skipPostInstallationTasks` | Skip post installation tasks for OTK type INTERNAL and DMZ
Internal Gateway:
- #OTK Client Context Variables
- #OTK id_token configuration
DMZ Gateway:
- #OTK OVP Configuration
- #OTK Storage Configuration | `false` -| `otk.skipInternalServerTools` | Skip installation of the optional sub soluction Kit: Internal, Server Tools.
The Oauth Manager & Oauth Test Client will not be installed | `false` -| `otk.internalGatewayHost` | Internal gateway host for OTK type DMZ| -| `otk.internalGatewayPort` | Internal gateway post for OTK type DMZ| -| `otk.dmzGatewayHost` | DMZ gateway host for OTK type INTERNAL| -| `otk.networkMask` | Network mask used in the 'Restrict Access to IP Address Range Assertion' to protect the schedule jobs and health checks.| `16` | -| `otk.startIP` | Start IP used in the 'Restrict Access to IP Address Range Assertion' to protect the schedule jobs and health checks.| `240.224.2.1` | -| `otk.cert.dmzGatewayCert` | DMZ gateway certificate (encoded) for OTK type DMZ | -| `otk.cert.internalGatewayIssuer` | DMZ gateway certificate issuer for OTK type DMZ | -| `otk.cert.dmzGatewaySerial` | DMZ gateway certificate serial for OTK type DMZ | -| `otk.cert.dmzGatewaySubject` | DMZ gateway certificate subject for OTK type DMZ | -| `otk.cert.internalGatewayCert` | INTERNAL gateway certificate (encoded) for OTK type INTERNAL | -| `otk.cert.internalGatewayIssuer` | INTERNAL gateway certificate issuer for OTK type INTERNAL | -| `otk.cert.internalGatewaySerial` | INTERNAL gateway certificate serial for OTK type INTERNAL | -| `otk.cert.internalGatewaySubject` | INTERNAL gateway certificate subject for OTK type INTERNAL | -| `otk.customizations.existingBundle.enabled` | Enable mounting existing configMaps/Secrets that contain OTK Bundles - see values.yaml for more info | `false` | -| `otk.dmzGatewayPort` | DMZ gateway port for OTK type INTERNAL| -| `otk.subSolutionKitNames` | List of comma seperated sub soluction Kits to install or upgrade. | -| `otk.job.image.repository` | Image Repositor | `caapim/otk-install` -| `otk.job.image.tag` | Image Tag. (OTK version) | `4.6` -| `otk.job.image.pullPolicy` | Image Pull Policy | `IfNotPresent` -| `otk.job.image.labels` | Job lables | {} -| `otk.job.image.nodeSelector` | Job Node selector | {} -| `otk.job.image.tolerations` | Job tolerations | [] -| `otk.job.podLabels` | OTK Job podLabels | {} -| `otk.job.podAnnotations` | OTK Job podAnnotations | {} -| `otk.job.resources` | OTK Job resources | {} -| `otk.job.scheduledTasksSuccessfulJobsHistoryLimit`| OTK db maintenance scheduled job success history limit | `1` | -| `otk.job.scheduledTasksFailedJobsHistoryLimit`| OTK db maintenance scheduled job failed history limit | `1` | -| `otk.bootstrapDir`| The location of OTK artifacts in the image | `/opt/SecureSpan/Gateway/node/default/etc/bootstrap/bundle/000OTK` | -| `otk.database.type` | OTK database type - mysql/oracle/cassandra | `mysql` -| `otk.database.waitTimeout` | OTK database connection wait timeout in seconds | `60`| -| `otk.database.dbUpgrade` | Enable/Disable OTK DB Upgrade| `true` | -| `otk.database.useDemoDb` | Enable/Disable OTK Demo DB | `true` | -| `otk.database.sql.createTestClients` | Enable/Disable creation of demo test clients | `false` | -| `otk.database.sql.testClientsRedirectUrlPrefix` | The value of redirect_uri prefix (Example: https://test.com:8443) Required if createTestClients is `true` | | -| `otk.database.changeLogSync` | Applicable for OTK versions 4.6.3 & older only. If using existing non liquibase OTK DB then perform manual OTK DB upgrade and set 'changeLogSync' to true.
This is a onetime activity to initialize liquibase related tables on OTK DB. Set to false for successive helm upgrade. | `false`| -| `otk.database.updateConnection` | Update database connection properties during helm upgrade | `true`| -| `otk.database.connectionName` | OTK database connection name | `OAuth` -| `otk.database.existingSecretName` | Point to an existing OTK database Secret | -| `otk.database.username` | OTK database user name | -| `otk.database.password` | OTK database password | -| `otk.database.properties` | OTK database additional properties | `{}` -| `otk.database.sql.ddlUsername` | OTK database user name used for OTK DB creation | -| `otk.database.sql.ddlPassword` | OTK database password used for OTK DB creation | -| `otk.database.sql.type` | OTK database type (mysql/oracle/cassandra) | `mysql` -| `otk.database.sql.jdbcURL` | OTK database sql jdbc URL (oracle/mysql) | -| `otk.database.sql.jdbcDriverClass`| OTK database sql driver class name (oracle/mysql) | -| `otk.database.sql.databaseName` | OTK database Oracle database name or Demo db name | -| `otk.database.sql.connectionProperties`| OTK database mysql connection properties (oracle/mysql) | `{}` -| `otk.database.readOnlyConnection.enabled` | Enable/Disable OTK read only database connection | `false` | -| `otk.database.readOnlyConnection.connectionName` | OTK read only database connection name | `OAuth_ReadOnly` | -| `otk.database.readOnlyConnection.existingSecretName` | Point to an existing OTK read only database Secret | -| `otk.database.readOnlyConnection.username` | OTK read only database user name| -| `otk.database.readOnlyConnection.password` | OTK read only database password | -| `otk.database.readOnlyConnection.properties` | OTK read only database additional properties | `{}` | -| `otk.database.readOnlyConnection.jdbcURL` | OTK read only database sql jdbc URL (oracle/mysql) | -| `otk.database.readOnlyConnection.jdbcDriverClass` | OTK read only database sql driver class name (oracle/mysql) | -| `otk.database.readOnlyConnection.connectionProperties`| OTK read only database mysql connection properties (oracle/mysql) | `{}` -| `otk.database.readOnlyConnection.databaseName` | OTK read only Oracle database name | -| `otk.database.clientReadConnection.enabled` | Enable/Disable OTK Client Read only database connection | `false` | -| `otk.database.clientReadConnection.connectionName` | OTK Client Read only database connection name | `OAuth_Client_Read` | -| `otk.database.clientReadConnection.existingSecretName` | Point to an existing OTK Client Read only database Secret | -| `otk.database.clientReadConnection.username` | OTK Client Read only database user name | -| `otk.database.clientReadConnection.password` | OTK Client Read only database password | -| `otk.database.clientReadConnection.properties` | OTK Client Read only database additional properties | `{}` | -| `otk.database.clientReadConnection.jdbcURL` | OTK Client Read only database sql jdbc URL (oracle/mysql) | -| `otk.database.clientReadConnection.jdbcDriverClass` | OTK Client Read only database sql driver class name (oracle/mysql) | -| `otk.database.clientReadConnection.connectionProperties`| OTK Client Read only database mysql connection properties (oracle/mysql) | `{}` -| `otk.database.clientReadConnection.databaseName` | OTK Client Read only Oracle database name | -| `otk.database.cassandra.connectionPoints` | OTK database cassandra connection points (comma seperated) | -| `otk.database.cassandra.port` | OTK database cassandra connection port | -| `otk.database.cassandra.keyspace` | OTK database cassandra keyspace | -| `otk.database.cassandra.driverConfig` | OTK database cassandra driver config (Gateway 11+) | `{}` -| `otk.healthCheckBundle.enabled` | Enable/Disable installation of OTK health check service bundle | `false` -| `otk.healthCheckBundle.useExisting` | Use exising OTK health check service bundle | `false` -| `otk.healthCheckBundle.name` | OTK health check service bundle name | `otk-health-check-bundle-config` -| `otk.livenessProbe.enabled` | Enable/Disable. Requires otk.healthCheckBundle.enabled set to true and OTK version >= 4.6.1. Valid only for SINGLE and INTERNAL OTK type installation. | `true` -| `otk.livenessProbe.type` | | `httpGet` -| `otk.livenessProbe.httpGet.path` | | `/auth/oauth/health` -| `otk.livenessProbe.httpGet.port` | | `8443` -| `otk.readinessProbe.enabled` | Enable/Disable. Requires otk.healthCheckBundle.enabled set to true and OTK version >= 4.6.1. Valid only for SINGLE and INTERNAL OTK type installation. | `true` -| `otk.readinessProbe.type` | | `httpGet` -| `otk.readinessProbe.httpGet.path` | | `/auth/oauth/health` -| `otk.readinessProbe.httpGet.port` | | `8443` +| Parameter | Description | Default | +| -------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------ | +| `otk.enabled` | Enable/Disable OTK installation or upgrade | `false` | +| `otk.type` | OTK installation type - SINGLE, DMZ or INTERNAL | `SINGLE` | +| `otk.forceInstallOrUpgrade` | Force install or upgrade by uninstalling existing otk soluction kit and install. | false | +| `otk.enablePortalIntegration` | Not applicable for DMZ and INTERNAL OTK types | `false` | +| `otk.skipPostInstallationTasks` | Skip post installation tasks for OTK type INTERNAL and DMZ Internal Gateway: - #OTK Client Context Variables - #OTK id_token configuration DMZ Gateway: - #OTK OVP Configuration - #OTK Storage Configuration | `false` | +| `otk.skipInternalServerTools` | Skip installation of the optional sub soluction Kit: Internal, Server Tools. The Oauth Manager & Oauth Test Client will not be installed | `false` | +| `otk.internalGatewayHost` | Internal gateway host for OTK type DMZ | | +| `otk.internalGatewayPort` | Internal gateway post for OTK type DMZ | | +| `otk.dmzGatewayHost` | DMZ gateway host for OTK type INTERNAL | | +| `otk.networkMask` | Network mask used in the 'Restrict Access to IP Address Range Assertion' to protect the schedule jobs and health checks. | `16` | +| `otk.startIP` | Start IP used in the 'Restrict Access to IP Address Range Assertion' to protect the schedule jobs and health checks. | `240.224.2.1` | +| `otk.cert.dmzGatewayCert` | DMZ gateway certificate (encoded) for OTK type DMZ | | +| `otk.cert.internalGatewayIssuer` | DMZ gateway certificate issuer for OTK type DMZ | | +| `otk.cert.dmzGatewaySerial` | DMZ gateway certificate serial for OTK type DMZ | | +| `otk.cert.dmzGatewaySubject` | DMZ gateway certificate subject for OTK type DMZ | | +| `otk.cert.internalGatewayCert` | INTERNAL gateway certificate (encoded) for OTK type INTERNAL | | +| `otk.cert.internalGatewayIssuer` | INTERNAL gateway certificate issuer for OTK type INTERNAL | | +| `otk.cert.internalGatewaySerial` | INTERNAL gateway certificate serial for OTK type INTERNAL | | +| `otk.cert.internalGatewaySubject` | INTERNAL gateway certificate subject for OTK type INTERNAL | | +| `otk.customizations.existingBundle.enabled` | Enable mounting existing configMaps/Secrets that contain OTK Bundles - see values.yaml for more info | `false` | +| `otk.dmzGatewayPort` | DMZ gateway port for OTK type INTERNAL | | +| `otk.subSolutionKitNames` | List of comma seperated sub soluction Kits to install or upgrade. | | +| `otk.job.image.repository` | Image Repositor | `caapim/otk-install` | +| `otk.job.image.tag` | Image Tag. (OTK version) | `4.6` | +| `otk.job.image.pullPolicy` | Image Pull Policy | `IfNotPresent` | +| `otk.job.image.labels` | Job lables | {} | +| `otk.job.image.nodeSelector` | Job Node selector | {} | +| `otk.job.image.tolerations` | Job tolerations | [] | +| `otk.job.podLabels` | OTK Job podLabels | {} | +| `otk.job.podAnnotations` | OTK Job podAnnotations | {} | +| `otk.job.resources` | OTK Job resources | {} | +| `otk.job.scheduledTasksSuccessfulJobsHistoryLimit` | OTK db maintenance scheduled job success history limit | `1` | +| `otk.job.scheduledTasksFailedJobsHistoryLimit` | OTK db maintenance scheduled job failed history limit | `1` | +| `otk.bootstrapDir` | The location of OTK artifacts in the image | `/opt/SecureSpan/Gateway/node/default/etc/bootstrap/bundle/000OTK` | +| `otk.database.type` | OTK database type - mysql/oracle/cassandra | `mysql` | +| `otk.database.waitTimeout` | OTK database connection wait timeout in seconds | `60` | +| `otk.database.dbUpgrade` | Enable/Disable OTK DB Upgrade | `true` | +| `otk.database.useDemoDb` | Enable/Disable OTK Demo DB | `true` | +| `otk.database.sql.createTestClients` | Enable/Disable creation of demo test clients | `false` | +| `otk.database.sql.testClientsRedirectUrlPrefix` | The value of redirect_uri prefix (Example: [https://test.com:8443](https://test.com:8443)) Required if createTestClients is `true` | | +| `otk.database.changeLogSync` | Applicable for OTK versions 4.6.3 & older only. If using existing non liquibase OTK DB then perform manual OTK DB upgrade and set 'changeLogSync' to true. This is a onetime activity to initialize liquibase related tables on OTK DB. Set to false for successive helm upgrade. | `false` | +| `otk.database.updateConnection` | Update database connection properties during helm upgrade | `true` | +| `otk.database.connectionName` | OTK database connection name | `OAuth` | +| `otk.database.existingSecretName` | Point to an existing OTK database Secret | | +| `otk.database.username` | OTK database user name | | +| `otk.database.password` | OTK database password | | +| `otk.database.properties` | OTK database additional properties | `{}` | +| `otk.database.sql.ddlUsername` | OTK database user name used for OTK DB creation | | +| `otk.database.sql.ddlPassword` | OTK database password used for OTK DB creation | | +| `otk.database.sql.type` | OTK database type (mysql/oracle/cassandra) | `mysql` | +| `otk.database.sql.jdbcURL` | OTK database sql jdbc URL (oracle/mysql) | | +| `otk.database.sql.jdbcDriverClass` | OTK database sql driver class name (oracle/mysql) | | +| `otk.database.sql.databaseName` | OTK database Oracle database name or Demo db name | | +| `otk.database.sql.connectionProperties` | OTK database mysql connection properties (oracle/mysql) | `{}` | +| `otk.database.readOnlyConnection.enabled` | Enable/Disable OTK read only database connection | `false` | +| `otk.database.readOnlyConnection.connectionName` | OTK read only database connection name | `OAuth_ReadOnly` | +| `otk.database.readOnlyConnection.existingSecretName` | Point to an existing OTK read only database Secret | | +| `otk.database.readOnlyConnection.username` | OTK read only database user name | | +| `otk.database.readOnlyConnection.password` | OTK read only database password | | +| `otk.database.readOnlyConnection.properties` | OTK read only database additional properties | `{}` | +| `otk.database.readOnlyConnection.jdbcURL` | OTK read only database sql jdbc URL (oracle/mysql) | | +| `otk.database.readOnlyConnection.jdbcDriverClass` | OTK read only database sql driver class name (oracle/mysql) | | +| `otk.database.readOnlyConnection.connectionProperties` | OTK read only database mysql connection properties (oracle/mysql) | `{}` | +| `otk.database.readOnlyConnection.databaseName` | OTK read only Oracle database name | | +| `otk.database.clientReadConnection.enabled` | Enable/Disable OTK Client Read only database connection | `false` | +| `otk.database.clientReadConnection.connectionName` | OTK Client Read only database connection name | `OAuth_Client_Read` | +| `otk.database.clientReadConnection.existingSecretName` | Point to an existing OTK Client Read only database Secret | | +| `otk.database.clientReadConnection.username` | OTK Client Read only database user name | | +| `otk.database.clientReadConnection.password` | OTK Client Read only database password | | +| `otk.database.clientReadConnection.properties` | OTK Client Read only database additional properties | `{}` | +| `otk.database.clientReadConnection.jdbcURL` | OTK Client Read only database sql jdbc URL (oracle/mysql) | | +| `otk.database.clientReadConnection.jdbcDriverClass` | OTK Client Read only database sql driver class name (oracle/mysql) | | +| `otk.database.clientReadConnection.connectionProperties` | OTK Client Read only database mysql connection properties (oracle/mysql) | `{}` | +| `otk.database.clientReadConnection.databaseName` | OTK Client Read only Oracle database name | | +| `otk.database.cassandra.connectionPoints` | OTK database cassandra connection points (comma seperated) | | +| `otk.database.cassandra.port` | OTK database cassandra connection port | | +| `otk.database.cassandra.keyspace` | OTK database cassandra keyspace | | +| `otk.database.cassandra.driverConfig` | OTK database cassandra driver config (Gateway 11+) | `{}` | +| `otk.healthCheckBundle.enabled` | Enable/Disable installation of OTK health check service bundle | `false` | +| `otk.healthCheckBundle.useExisting` | Use exising OTK health check service bundle | `false` | +| `otk.healthCheckBundle.name` | OTK health check service bundle name | `otk-health-check-bundle-config` | +| `otk.livenessProbe.enabled` | Enable/Disable. Requires otk.healthCheckBundle.enabled set to true and OTK version >= 4.6.1. Valid only for SINGLE and INTERNAL OTK type installation. | `true` | +| `otk.livenessProbe.type` | | `httpGet` | +| `otk.livenessProbe.httpGet.path` | | `/auth/oauth/health` | +| `otk.livenessProbe.httpGet.port` | | `8443` | +| `otk.readinessProbe.enabled` | Enable/Disable. Requires otk.healthCheckBundle.enabled set to true and OTK version >= 4.6.1. Valid only for SINGLE and INTERNAL OTK type installation. | `true` | +| `otk.readinessProbe.type` | | `httpGet` | +| `otk.readinessProbe.httpGet.path` | | `/auth/oauth/health` | +| `otk.readinessProbe.httpGet.port` | | `8443` | + #### Note: -* In case of ephemeral GW instances where there only updates to OTK, it should be done using Helm --force option + +- In case of ephemeral GW instances where there only updates to OTK, it should be done using Helm --force option [Back to Additional Guides](#additional-guides) ### Gateway Application Ports + Once you have decided on which container ports you would like to expose, you need to create the corresponding ports on the API Gateway. *These will need match the corresponding service and management service ports above.* This configuration creates and mounts a gateway bundle, if you wish to maintain Gateway ports outside of the Gateway Chart you can either use Policy Manager or create and mount your own bundle in the existingBundle section. By default the following ports are created + - 8080 (HTTP - disabled) - 8443 (HTTPS - Published service message input only) - 9443 (HTTPS - Published service message input only, Administrative access, Browser-based administration, Built-in services) Things to note before you get started: + - If you are deploying the Gateway with a fresh MySQL database - This port configuration will replace the defaults. - If you are using an existing database @@ -586,9 +638,11 @@ config: [Back to Additional Guides](#additional-guides) ### Ingress Configuration + The Gateway Helm Chart allows you to configure an Ingress Resource that your central Ingress Controller can manage. You can find more information on [Ingress Controllers](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/) here. If your ingress controller is private and you would like to create an ingress record/route for the management service you can use the following configuration + ``` ... rules: @@ -606,6 +660,7 @@ If your ingress controller is private and you would like to create an ingress re ``` New Ingress Configuration Gateway Chart >= 3.0.31 (openshift route support) + ``` ingress: # Set to true to create ingress or route object @@ -656,6 +711,7 @@ ingress: ``` New Ingress Configuration Gateway Chart >= 3.0.0 + ``` ingress: enabled: true @@ -694,6 +750,7 @@ ingress: ``` This represents the ingress configuration for Gateway Chart < 3.0.0 you need to configure an Ingress Resource for the API Gateway + ``` ingress: enabled: true @@ -716,9 +773,11 @@ ingress: [Back to Additional Guides](#additional-guides) ### Kubernetes Gateway API Configuration + The Gateway Helm Chart supports the [Kubernetes Gateway API](https://gateway-api.sigs.k8s.io/) as an alternative to Ingress. The implementation is controller-agnostic and has been tested with [Contour](https://projectcontour.io/) and [Envoy Gateway](https://gateway.envoyproxy.io/). See [examples/ingress](../../examples/ingress) for controller installation instructions. **Requirements:** + - Gateway API CRDs must be installed. These are typically bundled with your Gateway controller (e.g. Contour, Envoy Gateway). To install them separately, see the [Gateway API releases](https://github.com/kubernetes-sigs/gateway-api/releases) - A `GatewayClass` must be available on the cluster (e.g. `contour`, `envoy-gateway`) @@ -729,12 +788,14 @@ The Gateway Helm Chart supports the [Kubernetes Gateway API](https://gateway-api **Route Modes:** The chart supports two route modes: + - **HTTPRoute** (default) -- TLS is terminated at the Kubernetes Gateway and re-encrypted to the Layer7 Gateway backend. Requires `backendTLSPolicy` to be enabled so the Gateway controller can validate the backend certificate. - **TLSRoute** -- TLS passthrough via SNI-based routing. The Kubernetes Gateway does not terminate TLS. The Layer7 Gateway handles TLS directly. **Gateway Resource:** The chart supports two modes for the Gateway resource: + - **Create a new Gateway** -- set `kubernetesGateway.gateway.create: true` with a `gatewayClassName`. The chart creates a Gateway with auto-generated listeners from route hostnames. - **Use an existing Gateway** -- set `kubernetesGateway.gateway.create: false` and provide `kubernetesGateway.gateway.existingRef.name` / `.namespace`. Routes attach to the existing Gateway via `parentRefs`. This is useful when sharing a Gateway across charts. See [Shared Gateway](../../examples/ingress#shared-gateway) for details. @@ -745,6 +806,7 @@ When using HTTPRoute, the Layer7 Gateway backend speaks HTTPS. Since the Gateway **Management Service Routing:** To route management traffic through the same Gateway, set `backend: management` on a rule: + ``` kubernetesGateway: enabled: true @@ -771,71 +833,78 @@ kubernetesGateway: enabled: true ``` -| Parameter | Description | Default | -|---|---|---| -| `kubernetesGateway.enabled` | Enable Kubernetes Gateway API resources | `false` | -| `kubernetesGateway.gateway.create` | Create a new Gateway resource | `false` | -| `kubernetesGateway.gateway.gatewayClassName` | GatewayClass name (e.g. `contour`, `eg`). Required when `gateway.create` is `true` | `""` | -| `kubernetesGateway.gateway.addresses` | Optional addresses for the Gateway (e.g. static IPs). Array of `{type, value}` | `[]` | -| `kubernetesGateway.gateway.existingRef.name` | Name of an existing Gateway to reference | `""` | -| `kubernetesGateway.gateway.existingRef.namespace` | Namespace of the existing Gateway | `""` | -| `kubernetesGateway.gateway.tls.existingSecretName` | Existing TLS Secret for the Gateway listener | `""` | -| `kubernetesGateway.gateway.labels` | Additional labels for the Gateway resource | `{}` | -| `kubernetesGateway.gateway.annotations` | Additional annotations for the Gateway resource | `{}` | -| `kubernetesGateway.httpRoute.enabled` | Enable HTTPRoute resource | `true` | -| `kubernetesGateway.httpRoute.rules` | HTTPRoute rules. Each rule routes to the chart's own service | `see values.yaml` | -| `kubernetesGateway.httpRoute.labels` | Additional labels for the HTTPRoute | `{}` | -| `kubernetesGateway.httpRoute.annotations` | Additional annotations for the HTTPRoute | `{}` | -| `kubernetesGateway.tlsRoute.enabled` | Enable TLSRoute resource (SNI passthrough) | `false` | -| `kubernetesGateway.tlsRoute.apiVersion` | TLSRoute API version. Set to `gateway.networking.k8s.io/v1` when your CRDs include TLSRoute at v1 | `gateway.networking.k8s.io/v1alpha2` | -| `kubernetesGateway.tlsRoute.rules` | TLSRoute rules. Each rule routes to the chart's own service | `see values.yaml` | -| `kubernetesGateway.tlsRoute.labels` | Additional labels for the TLSRoute | `{}` | -| `kubernetesGateway.tlsRoute.annotations` | Additional annotations for the TLSRoute | `{}` | -| `kubernetesGateway.backendTLSPolicy.enabled` | Enable BackendTLSPolicy for Gateway-to-backend TLS | `false` | -| `kubernetesGateway.backendTLSPolicy.excludePorts` | Ports to exclude from targetRefs. When empty, the policy covers all ports (no `sectionName`). When set, each non-excluded port gets an explicit targetRef with `sectionName` | `[]` | -| `kubernetesGateway.backendTLSPolicy.validation.hostname` | Hostname for backend TLS validation. If empty, defaults to `..svc.cluster.local` | `""` | -| `kubernetesGateway.backendTLSPolicy.validation.caCertificateRefs` | CA certificate references. If empty, defaults to the auto-generated CA ConfigMap | `[]` | -| `kubernetesGateway.backendTLSPolicy.validation.wellKnownCACertificates` | Use well-known CA certs (e.g. `System`). Mutually exclusive with `caCertificateRefs` | `""` | -| `kubernetesGateway.backendTLSPolicy.tls.existingSecretName` | Existing TLS Secret for the backend certificate | `""` | -| `kubernetesGateway.backendTLSPolicy.tls.bootstrap` | Enable SSL key bootstrap into the pod. Set `false` when you only need the BackendTLSPolicy resource | `true` | -| `kubernetesGateway.backendTLSPolicy.tls.forceBootstrap` | Force the bootstrap script on every install/upgrade (db-backed gateways skip on upgrade by default) | `false` | -| `kubernetesGateway.backendTLSPolicy.labels` | Additional labels for the BackendTLSPolicy | `{}` | -| `kubernetesGateway.backendTLSPolicy.annotations` | Additional annotations for the BackendTLSPolicy | `{}` | -| `kubernetesGateway.labels` | Labels applied to all Gateway API resources | `{}` | -| `kubernetesGateway.annotations` | Annotations applied to all Gateway API resources | `{}` | + +| Parameter | Description | Default | +| ----------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------ | +| `kubernetesGateway.enabled` | Enable Kubernetes Gateway API resources | `false` | +| `kubernetesGateway.gateway.create` | Create a new Gateway resource | `false` | +| `kubernetesGateway.gateway.gatewayClassName` | GatewayClass name (e.g. `contour`, `eg`). Required when `gateway.create` is `true` | `""` | +| `kubernetesGateway.gateway.addresses` | Optional addresses for the Gateway (e.g. static IPs). Array of `{type, value}` | `[]` | +| `kubernetesGateway.gateway.existingRef.name` | Name of an existing Gateway to reference | `""` | +| `kubernetesGateway.gateway.existingRef.namespace` | Namespace of the existing Gateway | `""` | +| `kubernetesGateway.gateway.tls.existingSecretName` | Existing TLS Secret for the Gateway listener | `""` | +| `kubernetesGateway.gateway.labels` | Additional labels for the Gateway resource | `{}` | +| `kubernetesGateway.gateway.annotations` | Additional annotations for the Gateway resource | `{}` | +| `kubernetesGateway.httpRoute.enabled` | Enable HTTPRoute resource | `true` | +| `kubernetesGateway.httpRoute.rules` | HTTPRoute rules. Each rule routes to the chart's own service | `see values.yaml` | +| `kubernetesGateway.httpRoute.labels` | Additional labels for the HTTPRoute | `{}` | +| `kubernetesGateway.httpRoute.annotations` | Additional annotations for the HTTPRoute | `{}` | +| `kubernetesGateway.tlsRoute.enabled` | Enable TLSRoute resource (SNI passthrough) | `false` | +| `kubernetesGateway.tlsRoute.apiVersion` | TLSRoute API version. Set to `gateway.networking.k8s.io/v1` when your CRDs include TLSRoute at v1 | `gateway.networking.k8s.io/v1alpha2` | +| `kubernetesGateway.tlsRoute.rules` | TLSRoute rules. Each rule routes to the chart's own service | `see values.yaml` | +| `kubernetesGateway.tlsRoute.labels` | Additional labels for the TLSRoute | `{}` | +| `kubernetesGateway.tlsRoute.annotations` | Additional annotations for the TLSRoute | `{}` | +| `kubernetesGateway.backendTLSPolicy.enabled` | Enable BackendTLSPolicy for Gateway-to-backend TLS | `false` | +| `kubernetesGateway.backendTLSPolicy.excludePorts` | Ports to exclude from targetRefs. When empty, the policy covers all ports (no `sectionName`). When set, each non-excluded port gets an explicit targetRef with `sectionName` | `[]` | +| `kubernetesGateway.backendTLSPolicy.validation.hostname` | Hostname for backend TLS validation. If empty, defaults to `..svc.cluster.local` | `""` | +| `kubernetesGateway.backendTLSPolicy.validation.caCertificateRefs` | CA certificate references. If empty, defaults to the auto-generated CA ConfigMap | `[]` | +| `kubernetesGateway.backendTLSPolicy.validation.wellKnownCACertificates` | Use well-known CA certs (e.g. `System`). Mutually exclusive with `caCertificateRefs` | `""` | +| `kubernetesGateway.backendTLSPolicy.tls.existingSecretName` | Existing TLS Secret for the backend certificate | `""` | +| `kubernetesGateway.backendTLSPolicy.tls.bootstrap` | Enable SSL key bootstrap into the pod. Set `false` when you only need the BackendTLSPolicy resource | `true` | +| `kubernetesGateway.backendTLSPolicy.tls.forceBootstrap` | Force the bootstrap script on every install/upgrade (db-backed gateways skip on upgrade by default) | `false` | +| `kubernetesGateway.backendTLSPolicy.labels` | Additional labels for the BackendTLSPolicy | `{}` | +| `kubernetesGateway.backendTLSPolicy.annotations` | Additional annotations for the BackendTLSPolicy | `{}` | +| `kubernetesGateway.labels` | Labels applied to all Gateway API resources | `{}` | +| `kubernetesGateway.annotations` | Annotations applied to all Gateway API resources | `{}` | + [Back to Additional Guides](#additional-guides) ### PM Tagger Configuration + [PM (Policy Manager) Tagger](https://github.com/gvermeulen7205/pm-tagger) is a lightweight go application that works in conjunction with the management service to provide a stable connection to your container gateway via Policy Manager. -| Parameter | Description | Default | -| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | -| `pmtagger.enabled` | Enable pm-tagger | `false` | -| `pmtagger.replicas` | Replicas (you should never need more than one | `1` | -| `pmtagger.image.registry` | Image Registry | `docker.io` | -| `pmtagger.image.repository` | Image Repository | `caapim/pm-tagger` | -| `pmtagger.image.tag` | Image Tag | `1.0.3` | -| `pmtagger.image.pullPolicy` | Image Pull Policy | `IfNotPresent` | -| `pmtagger.image.imagePullSecret.enabled` | Use Image Pull secret - this uses the image pull secret configured for the API Gateway | `false` | -| `pmtagger.resources` | Resources | `see values.yaml` | -| `pmtagger.podLabels` | Pod Labels for the Gateway Pod | `{}` | -| `pmtagger.podAnnotations` | Pod Annotations apply to the Gateway Pod | `{}` | -| `pmtagger.nodeSelector` | [Node Selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) | `{}` | -| `pmtagger.affinity` | [Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) | `{}` | -| `pmtagger.topologySpreadConstraints` | [Topology Spread Constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/#spread-constraints-for-pods) | `[]` | -| `pmtagger.tolerations` | [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) | `[]` | -| `pmtagger.podSecurityContext` | [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | `[]` | -| `pmtagger.containerSecurityContext` | [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | `{}` | + +| Parameter | Description | Default | +| ---------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------ | +| `pmtagger.enabled` | Enable pm-tagger | `false` | +| `pmtagger.replicas` | Replicas (you should never need more than one | `1` | +| `pmtagger.image.registry` | Image Registry | `docker.io` | +| `pmtagger.image.repository` | Image Repository | `caapim/pm-tagger` | +| `pmtagger.image.tag` | Image Tag | `1.0.3` | +| `pmtagger.image.pullPolicy` | Image Pull Policy | `IfNotPresent` | +| `pmtagger.image.imagePullSecret.enabled` | Use Image Pull secret - this uses the image pull secret configured for the API Gateway | `false` | +| `pmtagger.resources` | Resources | `see values.yaml` | +| `pmtagger.podLabels` | Pod Labels for the Gateway Pod | `{}` | +| `pmtagger.podAnnotations` | Pod Annotations apply to the Gateway Pod | `{}` | +| `pmtagger.nodeSelector` | [Node Selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) | `{}` | +| `pmtagger.affinity` | [Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) | `{}` | +| `pmtagger.topologySpreadConstraints` | [Topology Spread Constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/#spread-constraints-for-pods) | `[]` | +| `pmtagger.tolerations` | [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) | `[]` | +| `pmtagger.podSecurityContext` | [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | `[]` | +| `pmtagger.containerSecurityContext` | [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | `{}` | + [Back to Additional Guides](#additional-guides) ### OpenTelemetry Configuration + The Gateway from v11.1.00 can be configured to send telemetry to Observability backends [that support OpenTelemetry](https://opentelemetry.io/ecosystem/vendors/). Please see [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/11-1/install-configure-upgrade/configuring-opentelemetry-for-the-gateway.html) for more details about this integration. This feature is a ***preview feature*** for v11.1.00 and is ***intentionally disabled*** by default. As with any integration that generates telemetry, there is a performance drop when turning on the OpenTelemetry integration with all of the features enabled. There is an integration example available [here](https://github.com/Layer7-Community/Integrations/tree/main/grafana-stack-prometheus-otel) that details how to deploy and configure an observability backend to use with the Gateway. + - You are ***not required*** to use the observability stack that we provide as an example. - The observability stack that we provide ***is not*** production ready and should be used solely as an example or reference point. - OpenTelemetry is supported by [numerous vendors](https://opentelemetry.io/ecosystem/vendors/) @@ -843,11 +912,13 @@ There is an integration example available [here](https://github.com/Layer7-Commu ***NOTE: *** In our example we inject the OpenTelemetry Java Agent to the Container Gateway, this emits additional telemetry like JVM metrics. The Gateway has the OpenTelemetry SDK built-in making the OpenTelemetry Java Agent Optional, the key difference between the built-in SDK and the OTel Agent is that the SDK only captures Gateway application level traces and metrics, things like JVM metrics will not be captured in this mode. #### Gateway OTel Configuration + OpenTelemetry is configured on the Gateway in two places, system properties and cluster-wide Properties. The configuration below represents the minimal settings required to enable the built-in SDK and configure the Gateway to send telemetry to an OpenTelemetry Collector. These can be configured in values.yaml. See the section below to view examples of how and where to configure this. - config.otel + ``` config: ... @@ -863,8 +934,8 @@ config: # - test1=someEnvValue1 ``` - - system.properties + ``` otel.sdk.disabled=false otel.java.global-autoconfigure.enabled=true @@ -874,14 +945,18 @@ otel.traces.exporter=otlp otel.metrics.exporter=otlp otel.logs.exporter=none ``` + - cluster-wide properties + ``` otel.enabled=true otel.serviceMetricEnabled=true otel.traceEnabled=true (if tracing is required) otel.traceConfig=(default {}) ``` + example otel.traceConfig + ``` { "services": [ @@ -905,23 +980,29 @@ example otel.traceConfig [Back to Additional Guides](#additional-guides) ##### Gateway OTel Examples (with or without the Optional Agent) + The integration example [here](https://github.com/Layer7-Community/Integrations/tree/main/grafana-stack-prometheus-otel) contains two Gateway examples (values.yaml overrides) that are configured to use the SDK only approach ***or*** include the Optional OTel Java Agent. There are two Grafana Dashboards included that show the differences in the telemetry that emitted from the Gateway. + - [SDK only, no agent](https://github.com/Layer7-Community/Integrations/tree/main/grafana-stack-prometheus-otel/gateway-example/gateway-sdk-only-values.yaml) - [Agent](https://github.com/Layer7-Community/Integrations/tree/main/grafana-stack-prometheus-otel/gateway-example/gateway-otel-java-agent-values.yaml) [Back to Additional Guides](#additional-guides) ### Shared State Preview Features + There are two preview features that you may choose to enable with Gateway v11.1.1 onwards. + - [Apply Distributed Rate Limit Assertion (Preview)](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/policy-assertions/assertion-palette/service-availability-assertions/apply-distributed-rate-limit-assertion.html) - [Key Value Storage Assertions (Preview)](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/policy-assertions/assertion-palette/service-availability-assertions/key-value-storage-assertions.html) To use the [Apply Distributed Rate Limit Assertion (Preview)](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/policy-assertions/assertion-palette/service-availability-assertions/apply-distributed-rate-limit-assertion.html), uncomment the following and set it to redis or externalhazelcast + ``` # com.l7tech.server.extension.sharedRateLimiterProvider=redis ``` To use the [Key Value Storage Assertions (Preview)](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/policy-assertions/assertion-palette/service-availability-assertions/key-value-storage-assertions.html), uncomment the following and set sharedKeyValueStoreProvider to redis or externalhazelcast + ``` # com.l7tech.external.assertions.keyvaluestore.sharedKeyValueStoreProvider=redis # com.l7tech.external.assertions.keyvaluestore.storeIdList=GW_STORE_ID @@ -930,54 +1011,63 @@ To use the [Key Value Storage Assertions (Preview)](https://techdocs.broadcom.co [Back to Additional Guides](#additional-guides) ### Redis Configuration + This enables integration with [Redis](https://redis.io/) which is a preview feature on the Layer7 Gateway. The following sections configure a redis configuration file on the Gateway. The following properties in config.systemProperties will need to be updated. **Important Note** The latest version of this chart uses a new format for Redis configuration that will simplify configuring additional shared state providers in the future. Please view [shared state provider config](#shared-state-provider-config) for more details. This is only compatible with Gateway v11.1.1. Comment out the following + ``` # com.l7tech.server.extension.sharedKeyValueStoreProvider=embeddedhazelcast # com.l7tech.server.extension.sharedCounterProvider=ssgdb ``` + Uncomment the following + ``` # com.l7tech.server.extension.sharedKeyValueStoreProvider=redis # com.l7tech.server.extension.sharedCounterProvider=redis # com.l7tech.server.extension.sharedRateLimiterProvider=redis ``` -| Parameter | Description | Default | -| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | -| `config.redis.enabled` | Enable redis configuration | `false` | -| `config.redis.subChart.enabled` | Deploy the redis subChart | `true` | -| `config.redis.additionalProviders` | Configure additional Redis connections | `[]` | -| `config.redis.groupName` | Redis Group name | `l7GW` | -| `config.redis.commandTimeout` | Redis Command Timeout | `5000` | -| `config.redis.connectTimeout` | Redis Connect Timeout | `10000` | -| `config.redis.testOnStart` | Test the connection to Redis during Gateway start. If the conection fails and this is true, the Gateway will not start | `false` | -| `config.redis.auth.enabled` | Use auth for Redis | `false` | -| `config.redis.auth.username` | Redis username | `` | -| `config.redis.auth.password.encoded` | Password is encoded | `false` | -| `config.redis.auth.password.value` | Redis password | `mypassword` | -| `config.redis.sentinel.enabled` | Enable sentinel configuration | `true` | -| `config.redis.sentinel.masterSet` | Redis Master set | `mymaster` | -| `config.redis.sentinel.nodes` | Array of sentinel nodes host and port | `[]` | -| `config.redis.standalone.host` | Redis host if sentinel is not enabled | `redis-standalone` | -| `config.redis.standalone.port` | Redis port if sentinel is not enabled | `6379` | -| `config.redis.tls.enabled` | Enable SSL/TLS | `false` | -| `config.redis.tls.existingSecret` | Use an existing secret - must contain a key called tls.crt | `` | -| `config.redis.tls.verifyPeer` | Verify Peer | `true` | -| `config.redis.tls.redisCrt` | Redis Public Cert | `` | + +| Parameter | Description | Default | +| ------------------------------------ | ---------------------------------------------------------------------------------------------------------------------- | ------------------ | +| `config.redis.enabled` | Enable redis configuration | `false` | +| `config.redis.subChart.enabled` | Deploy the redis subChart | `true` | +| `config.redis.additionalProviders` | Configure additional Redis connections | `[]` | +| `config.redis.groupName` | Redis Group name | `l7GW` | +| `config.redis.commandTimeout` | Redis Command Timeout | `5000` | +| `config.redis.connectTimeout` | Redis Connect Timeout | `10000` | +| `config.redis.testOnStart` | Test the connection to Redis during Gateway start. If the conection fails and this is true, the Gateway will not start | `false` | +| `config.redis.auth.enabled` | Use auth for Redis | `false` | +| `config.redis.auth.username` | Redis username | `` | +| `config.redis.auth.password.encoded` | Password is encoded | `false` | +| `config.redis.auth.password.value` | Redis password | `mypassword` | +| `config.redis.sentinel.enabled` | Enable sentinel configuration | `true` | +| `config.redis.sentinel.masterSet` | Redis Master set | `mymaster` | +| `config.redis.sentinel.nodes` | Array of sentinel nodes host and port | `[]` | +| `config.redis.standalone.host` | Redis host if sentinel is not enabled | `redis-standalone` | +| `config.redis.standalone.port` | Redis port if sentinel is not enabled | `6379` | +| `config.redis.tls.enabled` | Enable SSL/TLS | `false` | +| `config.redis.tls.existingSecret` | Use an existing secret - must contain a key called tls.crt | `` | +| `config.redis.tls.verifyPeer` | Verify Peer | `true` | +| `config.redis.tls.redisCrt` | Redis Public Cert | `` | #### Creating your own Redis Configuration + Please refer to [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw-11-0/install-configure-upgrade/connect-to-an-external-redis-datastore.html) for more context on the available configuration options #### Note + The Gateway supports Redis master auth only. The Gateway will not be able to connect to Redis if your Sentinel nodes have passwords. Please refer to the notes in values.yaml for details on config.redis.auth and redis.auth (subChart) ##### Redis Sentinel (11.1.1) + sharedstate_client.yaml + ``` redis: default: @@ -1001,7 +1091,9 @@ redis: ``` ##### Redis Standalone (11.1.1) + sharedstate_client.yaml + ``` redis: default: @@ -1023,7 +1115,9 @@ redis: ``` ##### Redis Sentinel (11.0.00_CR2 and 11.1.00) + redis.properties + ``` # Redis type can be sentinel or standalone redis.type=sentinel @@ -1040,13 +1134,15 @@ redis.properties # Additional Config redis.key.prefix.grpname=l7GW redis.commandTimeout=5000 - ``` +``` ##### Redis Standalone (11.1.00) + **Gateway Chart v3.0.30 onwards only supports Gateway 11.1.1 and later for Redis** if you are not upgrading to Gateway v11.1.1 please specify the --version flag when installing or upgrading your release. The Gateway supports SSL/TLS and Authentication when connecting to a standalone Redis instance. This configuration should only be used for development purposes redis.properties + ``` # Redis type can be sentinel or standalone redis.type=standalone @@ -1063,13 +1159,15 @@ redis.properties # Additional Config redis.key.prefix.grpname=l7GW redis.commandTimeout=5000 - ``` +``` ##### Redis Standalone (11.0.00_CR2) + **Gateway Chart v3.0.30 onwards only supports Gateway 11.1.1 and later for Redis** if you are not upgrading to Gateway v11.1.1 please specify the --version flag when installing or upgrading your release. The Gateway does not support SSL/TLS or Authentication when connecting to a standalone Redis instance. This configuration should only be used for development purposes redis.properties + ``` # Redis type can be sentinel or standalone # standalone does not support SSL or Auth @@ -1078,13 +1176,16 @@ redis.properties redis.port=6379 redis.key.prefix.grpname=l7GW redis.commandTimeout=5000 - ``` +``` ##### Create a secret from this configuration (11.1.1) + ``` kubectl create secret generic shared-state-provider-secret --from-file=sharedstate_client.yaml=/path/to/sharedstate_client.yaml ``` + my-values.yaml + ``` config: sharedStateClient: @@ -1093,11 +1194,15 @@ config: ``` ##### Create a secret from this configuration (11.0.00_CR2 and 11.1.00) + **Gateway Chart v3.0.30 onwards only supports Gateway 11.1.1 and later for Redis** if you are not upgrading to Gateway v11.1.1 please specify the --version flag when installing or upgrading your release. + ``` kubectl create secret generic redis-config-secret --from-file=redis.properties=/path/to/redis.properties ``` + my-values.yaml + ``` redis: enabled: true @@ -1107,6 +1212,7 @@ redis: [Back to Additional Guides](#additional-guides) ### Redis StatefulSet (Development/Testing Only) + **Important Note:** This is a simple Redis StatefulSet implementation for development and testing purposes only. ***It is not supported or recommended for production use.*** For production deployments, use an external Redis server or Redis cluster. The Redis StatefulSet provides standalone Redis functionality with optional authentication and TLS support. @@ -1115,58 +1221,61 @@ The Redis StatefulSet provides standalone Redis functionality with optional auth #### Configuration -| Parameter | Description | Default | -| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | -| `redis.image.repository` | Redis image repository | `redis` | -| `redis.image.tag` | Redis image tag | `7.4-alpine` | -| `redis.image.pullPolicy` | Image pull policy | `IfNotPresent` | -| `redis.auth.enabled` | Enable Redis authentication | `false` | -| `redis.auth.username` | Redis username (optional, for ACL-based auth) | `` | -| `redis.auth.password` | Redis password | `mypassword` | -| `redis.auth.existingSecret` | Use existing secret for credentials | `` | -| `redis.service.type` | Redis service type | `ClusterIP` | -| `redis.service.port` | Redis service port | `6379` | -| `redis.service.annotations` | Annotations for the Redis service | `{}` | -| `redis.pdb.create` | Create PodDisruptionBudget for Redis | `false` | -| `redis.pdb.maxUnavailable` | Maximum unavailable pods | `` | -| `redis.pdb.minAvailable` | Minimum available pods | `` | -| `redis.persistence.enabled` | Enable persistence using PVC | `false` | -| `redis.persistence.storageClass` | Storage class for PVC | `` | -| `redis.persistence.accessModes` | PVC access modes | `[ReadWriteOnce]` | -| `redis.persistence.size` | PVC size | `8Gi` | -| `redis.persistence.annotations` | PVC annotations (can include Helm hooks) | `{}` | -| `redis.persistence.existingClaim`| Use existing PVC | `` | -| `redis.maxmemory` | Redis max memory limit | `256mb` | -| `redis.maxmemoryPolicy` | Redis eviction policy | `allkeys-lru` | -| `redis.appendonly` | Enable AOF persistence | `false` | -| `redis.tls.enabled` | Enable TLS | `true` | -| `redis.tls.autoGenerated` | Auto-generate self-signed certificates | `true` | -| `redis.tls.certificatesSecret` | Existing secret with TLS certificates | `` | -| `redis.configuration` | Custom Redis configuration | `` | -| `redis.commonAnnotations` | Annotations applied to all Redis resources | `{}` | -| `redis.resources` | Resource requests and limits | `{}` | -| `redis.livenessProbe.enabled` | Enable liveness probe | `true` | -| `redis.livenessProbe.initialDelaySeconds` | Liveness probe initial delay | `5` | -| `redis.livenessProbe.periodSeconds` | Liveness probe period | `5` | -| `redis.livenessProbe.timeoutSeconds` | Liveness probe timeout | `5` | -| `redis.livenessProbe.failureThreshold` | Liveness probe failure threshold | `5` | -| `redis.readinessProbe.enabled` | Enable readiness probe | `true` | -| `redis.readinessProbe.initialDelaySeconds` | Readiness probe initial delay | `5` | -| `redis.readinessProbe.periodSeconds` | Readiness probe period | `5` | -| `redis.readinessProbe.timeoutSeconds` | Readiness probe timeout | `1` | -| `redis.readinessProbe.failureThreshold` | Readiness probe failure threshold | `5` | -| `redis.startupProbe.enabled` | Enable startup probe | `false` | -| `redis.nodeSelector` | Node labels for pod assignment | `{}` | -| `redis.affinity` | Affinity settings | `{}` | -| `redis.tolerations` | Tolerations for pod assignment | `[]` | -| `redis.podSecurityContext` | Pod security context | `{}` | -| `redis.containerSecurityContext` | Container security context | `{}` | -| `redis.podAnnotations` | Pod annotations | `{}` | -| `redis.podLabels` | Pod labels | `{}` | + +| Parameter | Description | Default | +| ------------------------------------------ | --------------------------------------------- | ----------------- | +| `redis.image.repository` | Redis image repository | `redis` | +| `redis.image.tag` | Redis image tag | `7.4-alpine` | +| `redis.image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `redis.auth.enabled` | Enable Redis authentication | `false` | +| `redis.auth.username` | Redis username (optional, for ACL-based auth) | `` | +| `redis.auth.password` | Redis password | `mypassword` | +| `redis.auth.existingSecret` | Use existing secret for credentials | `` | +| `redis.service.type` | Redis service type | `ClusterIP` | +| `redis.service.port` | Redis service port | `6379` | +| `redis.service.annotations` | Annotations for the Redis service | `{}` | +| `redis.pdb.create` | Create PodDisruptionBudget for Redis | `false` | +| `redis.pdb.maxUnavailable` | Maximum unavailable pods | `` | +| `redis.pdb.minAvailable` | Minimum available pods | `` | +| `redis.persistence.enabled` | Enable persistence using PVC | `false` | +| `redis.persistence.storageClass` | Storage class for PVC | `` | +| `redis.persistence.accessModes` | PVC access modes | `[ReadWriteOnce]` | +| `redis.persistence.size` | PVC size | `8Gi` | +| `redis.persistence.annotations` | PVC annotations (can include Helm hooks) | `{}` | +| `redis.persistence.existingClaim` | Use existing PVC | `` | +| `redis.maxmemory` | Redis max memory limit | `256mb` | +| `redis.maxmemoryPolicy` | Redis eviction policy | `allkeys-lru` | +| `redis.appendonly` | Enable AOF persistence | `false` | +| `redis.tls.enabled` | Enable TLS | `true` | +| `redis.tls.autoGenerated` | Auto-generate self-signed certificates | `true` | +| `redis.tls.certificatesSecret` | Existing secret with TLS certificates | `` | +| `redis.configuration` | Custom Redis configuration | `` | +| `redis.commonAnnotations` | Annotations applied to all Redis resources | `{}` | +| `redis.resources` | Resource requests and limits | `{}` | +| `redis.livenessProbe.enabled` | Enable liveness probe | `true` | +| `redis.livenessProbe.initialDelaySeconds` | Liveness probe initial delay | `5` | +| `redis.livenessProbe.periodSeconds` | Liveness probe period | `5` | +| `redis.livenessProbe.timeoutSeconds` | Liveness probe timeout | `5` | +| `redis.livenessProbe.failureThreshold` | Liveness probe failure threshold | `5` | +| `redis.readinessProbe.enabled` | Enable readiness probe | `true` | +| `redis.readinessProbe.initialDelaySeconds` | Readiness probe initial delay | `5` | +| `redis.readinessProbe.periodSeconds` | Readiness probe period | `5` | +| `redis.readinessProbe.timeoutSeconds` | Readiness probe timeout | `1` | +| `redis.readinessProbe.failureThreshold` | Readiness probe failure threshold | `5` | +| `redis.startupProbe.enabled` | Enable startup probe | `false` | +| `redis.nodeSelector` | Node labels for pod assignment | `{}` | +| `redis.affinity` | Affinity settings | `{}` | +| `redis.tolerations` | Tolerations for pod assignment | `[]` | +| `redis.podSecurityContext` | Pod security context | `{}` | +| `redis.containerSecurityContext` | Container security context | `{}` | +| `redis.podAnnotations` | Pod annotations | `{}` | +| `redis.podLabels` | Pod labels | `{}` | + #### Example Configuration Enable Redis with basic settings (no auth, no TLS): + ```yaml config: redis: @@ -1184,6 +1293,7 @@ redis: ``` With authentication and TLS enabled: + ```yaml config: redis: @@ -1212,6 +1322,7 @@ redis: ``` With custom memory and eviction policy: + ```yaml config: redis: @@ -1228,12 +1339,14 @@ redis: #### TLS Certificates When `redis.tls.autoGenerated` is `true`, the chart automatically generates self-signed TLS certificates that include the following Subject Alternative Names (SANs): + - StatefulSet pod FQDN (e.g., `ssg-gateway-redis-0.ssg-gateway-redis-headless.namespace.svc.cluster.local`) - Headless service names in all variations - Regular service names - `localhost` and `127.0.0.1` To use your own certificates, set `redis.tls.autoGenerated: false` and provide your own secret: + ```yaml redis: tls: @@ -1243,6 +1356,7 @@ redis: ``` The secret must contain the following keys: + - `tls.crt` - Server certificate - `tls.key` - Server private key - `ca.crt` - CA certificate @@ -1250,17 +1364,22 @@ The secret must contain the following keys: [Back to Additional Guides](#additional-guides) ### GemFire Configuration (11.1.3) + Gemfire as shared data provider is supported with Gateway v11.1.3 onwards. Prerequisites: -* ClusterIssuer/Issuer in cert-manager is required to generate TLS secret automatically when TLS is enabled without providing a tls secret. See how to configure [SelfSigned](https://cert-manager.io/docs/configuration/selfsigned/) and [CA](https://cert-manager.io/docs/configuration/ca/) issuer + +- ClusterIssuer/Issuer in cert-manager is required to generate TLS secret automatically when TLS is enabled without providing a tls secret. See how to configure [SelfSigned](https://cert-manager.io/docs/configuration/selfsigned/) and [CA](https://cert-manager.io/docs/configuration/ca/) issuer To configure gemfire as data provider comment out existing system properties + ``` # com.l7tech.server.extension.sharedKeyValueStoreProvider=embeddedhazelcast # com.l7tech.server.extension.sharedCounterProvider=ssgdb ``` + Set the following system properties as needed + ``` # com.l7tech.server.extension.sharedKeyValueStoreProvider=embeddedgemfire/externalgemfire # com.l7tech.server.extension.sharedCounterProvider=embeddedgemfire/externalgemfire @@ -1268,48 +1387,54 @@ Set the following system properties as needed # com.l7tech.server.extension.sharedSortedSetProvider=embeddedgemfire/externalgemfire # com.l7tech.external.assertions.keyvaluestore.sharedKeyValueStoreProvider=embeddedgemfire/externalgemfire ``` -| Parameter | Description | Default | -|-------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------| -| `config.gemfire.acceptTerms` | Accepting the terms of use for VMware Tanzu GemFire. | `true` | -| `config.gemfire.auth.enabled` | Enable security athentication. | `false` | -| `config.gemfire.auth.username` | Authentication username, can be plaintext or openssl encrypted. If not provided use default username. | `default` | -| `config.gemfire.auth.password` | Authentication password in plaintxt or encrypted with OpenSSL. If not provided use clsuter password. | '' | -| `config.gemfire.tls.enabled` | Enable SSL/TLS secure communication between gateway and gemfire cluster components. | `false` | -| `config.gemfire.tls.certificate.issuerRef.kind` | Specifies cert-manager issuer type, Issuer or ClusterIssuer.
Required when tls is enabled but existingSecret is not provided. | `ClusterIssuer` | -| `config.gemfire.tls.certificate.issuerRef.name` | The exact name of the Issuer or ClusterIssuer.
Required when tls is enabled but existingSecret is not provided. | `myClusterIssuer` | -| `config.gemfire.tls.existingSecret` | Name of an existing secret - must contain two keys named truststore.p12 and keystore.p12 if provided.
Takes priority over certificate issuer. | `` | -| `config.gemfire.tls.password` | Pasword for truststore.12 and keystore.p12 in existingSecret, can be plaintext or openssl encrypted.
If existingSeret is set but password is not provided, default to clusterPassword | clusterPassword | -| `config.gemfire.tls.additionalProperties` | Additional tls related properties. | `` | -| `config.gemfire.useExistingLocators` | A list of existing locators to be used by gateway. | `[]` | -| `config.gemfire.embedded.enabled` | Enable embedded GemFire. | `false` | -| `config.gemfire.embedded.caches.additionalProperties` | Additional properties for embedded GemFire caches. | `` | -| `config.gemfire.embedded.externalLocators.replicas` | Number of GemFire locator replicas to deploy. | `2` | -| `config.gemfire.embedded.externalLocators.image.registry` | Image Registry | `docker.io` | -| `config.gemfire.embedded.externalLocators.image.repository` | Image Repository | `gemfire/gemfire` | -| `config.gemfire.embedded.externalLocators.image.tag` | Image Tag | `10.2.0-jdk21` | -| `config.gemfire.embedded.externalLocators.image.pullPolicy` | Image Pull Policy | `IfNotPresent` | -| `config.gemfire.embedded.externalLocators.resources` | Locator pod resources | {} | -| `config.gemfire.embedded.externalLocators.persistence.size` | Persistent Volume Claim Size | `2Gi` | -| `config.gemfire.external.enabled` | Enable external GemFire. | `false` | -| `config.gemfire.external.testOnStart` | Test the connection to Redis during Gateway start. If the conection fails and this is true, the Gateway will not start. | `false` | -| `config.gemfire.external.gwCounterRegionName` | GemFire data region name for gateway counter provider. | `layer7gw_counter` | -| `config.gemfire.external.gwRateLimiterRegionName` | GemFire data region name for gateway rate limiter provider. | `layer7gw_ratelimiter` | -| `config.gemfire.external.gwKeyValueRegionName` | GemFire data region name for gateway key value store provider. | `layer7gw_keyvalue` | -| `config.gemfire.external.gwSortedSetRegionName` | GemFire data region name for gateway sotred set provider. | `layer7gw_sortedset` | -| `config.gemfire.external.dynamicProperties` | Additional GemFire properties from gemfire.properties or gfsecurity.properties. | `` | -| `config.gemfire.managementConsole.enabled` | Enable GemFire management console. | `false` | -| `config.gemfire.managementConsole.service.port` | GemFire management console service port. | `8080` | -| `config.gemfire.managementConsole.service.annotations` | GemFire management console service annotations. | `{}` | -| `config.gemfire.managementConsole.image.registry` | Image Registry | `docker.io` | -| `config.gemfire.managementConsole.image.repository` | Image Repository | `gemfire/gemfire` | -| `config.gemfire.managementConsole.image.tag` | Image Tag | `1.4.1` | -| `config.gemfire.managementConsole.image.pullPolicy` | Image Pull Policy | `IfNotPresent` | + + +| Parameter | Description | Default | +| ----------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------- | +| `config.gemfire.acceptTerms` | Accepting the terms of use for VMware Tanzu GemFire. | `true` | +| `config.gemfire.auth.enabled` | Enable security athentication. | `false` | +| `config.gemfire.auth.username` | Authentication username, can be plaintext or openssl encrypted. If not provided use default username. | `default` | +| `config.gemfire.auth.password` | Authentication password in plaintxt or encrypted with OpenSSL. If not provided use clsuter password. | '' | +| `config.gemfire.tls.enabled` | Enable SSL/TLS secure communication between gateway and gemfire cluster components. | `false` | +| `config.gemfire.tls.certificate.issuerRef.kind` | Specifies cert-manager issuer type, Issuer or ClusterIssuer. Required when tls is enabled but existingSecret is not provided. | `ClusterIssuer` | +| `config.gemfire.tls.certificate.issuerRef.name` | The exact name of the Issuer or ClusterIssuer. Required when tls is enabled but existingSecret is not provided. | `myClusterIssuer` | +| `config.gemfire.tls.existingSecret` | Name of an existing secret - must contain two keys named truststore.p12 and keystore.p12 if provided. Takes priority over certificate issuer. | `` | +| `config.gemfire.tls.password` | Pasword for truststore.12 and keystore.p12 in existingSecret, can be plaintext or openssl encrypted. If existingSeret is set but password is not provided, default to clusterPassword | clusterPassword | +| `config.gemfire.tls.additionalProperties` | Additional tls related properties. | `` | +| `config.gemfire.useExistingLocators` | A list of existing locators to be used by gateway. | `[]` | +| `config.gemfire.embedded.enabled` | Enable embedded GemFire. | `false` | +| `config.gemfire.embedded.caches.additionalProperties` | Additional properties for embedded GemFire caches. | `` | +| `config.gemfire.embedded.externalLocators.replicas` | Number of GemFire locator replicas to deploy. | `2` | +| `config.gemfire.embedded.externalLocators.image.registry` | Image Registry | `docker.io` | +| `config.gemfire.embedded.externalLocators.image.repository` | Image Repository | `gemfire/gemfire` | +| `config.gemfire.embedded.externalLocators.image.tag` | Image Tag | `10.2.0-jdk21` | +| `config.gemfire.embedded.externalLocators.image.pullPolicy` | Image Pull Policy | `IfNotPresent` | +| `config.gemfire.embedded.externalLocators.resources` | Locator pod resources | {} | +| `config.gemfire.embedded.externalLocators.persistence.size` | Persistent Volume Claim Size | `2Gi` | +| `config.gemfire.external.enabled` | Enable external GemFire. | `false` | +| `config.gemfire.external.testOnStart` | Test the connection to Redis during Gateway start. If the conection fails and this is true, the Gateway will not start. | `false` | +| `config.gemfire.external.gwCounterRegionName` | GemFire data region name for gateway counter provider. | `layer7gw_counter` | +| `config.gemfire.external.gwRateLimiterRegionName` | GemFire data region name for gateway rate limiter provider. | `layer7gw_ratelimiter` | +| `config.gemfire.external.gwKeyValueRegionName` | GemFire data region name for gateway key value store provider. | `layer7gw_keyvalue` | +| `config.gemfire.external.gwSortedSetRegionName` | GemFire data region name for gateway sotred set provider. | `layer7gw_sortedset` | +| `config.gemfire.external.dynamicProperties` | Additional GemFire properties from gemfire.properties or gfsecurity.properties. | `` | +| `config.gemfire.managementConsole.enabled` | Enable GemFire management console. | `false` | +| `config.gemfire.managementConsole.service.port` | GemFire management console service port. | `8080` | +| `config.gemfire.managementConsole.service.annotations` | GemFire management console service annotations. | `{}` | +| `config.gemfire.managementConsole.image.registry` | Image Registry | `docker.io` | +| `config.gemfire.managementConsole.image.repository` | Image Repository | `gemfire/gemfire` | +| `config.gemfire.managementConsole.image.tag` | Image Tag | `1.4.1` | +| `config.gemfire.managementConsole.image.pullPolicy` | Image Pull Policy | `IfNotPresent` | + #### Creating your own Configuration + Please refer to [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/install-configure-upgrade/connect-to-a-gemfire-datastore.html) for more context on the available configuration options #### Embedded GemFire + Embedded gemfire will have external locators but gemfire cache servers are inside gateway container. + ``` config: gemfire: @@ -1320,10 +1445,13 @@ config: embedded: enabled: true ``` + #### External GemFire + Gateway as client connect to external gemfire cluster. Shared State Provider Config is used to configure gemfire. External gemfire is deployed by GemFire Kubernetes Operator, override-values.yaml: + ``` config: gemfire: @@ -1349,7 +1477,9 @@ config: sharedStateClient: enabled: true ``` + External gemfire, override-values.yaml: + ``` config: gemfire: @@ -1373,9 +1503,11 @@ config: sharedStateClient: enabled: true ``` + Providing custom sharedstate_client.yaml from a secret override-values.yaml + ``` config: gemfire: @@ -1395,7 +1527,9 @@ config: enabled: true existingConfigSecret: shared-state-client-secret ``` + sharedstate_client.yaml from secret + ``` gemfire: testOnStart: true @@ -1420,18 +1554,23 @@ gemfire: [Back to Additional Guides](#additional-guides) ### Shared State Provider Config + Shared State Providers from Gateway v11.1.1 onwards simplifies the configuration required to connect to providers like Redis. This is currently limited to Redis. In order for this configuration to take effect config.redis.enabled must also be set to true. -| Parameter | Description | Default | -| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | -| `config.sharedStateClient.enabled` | Enable redis configuration | `true` | -| `config.sharedStateClient.existingConfigSecret` | Use an existing config secret - must contain a key called sharedstate_client.yaml | `sharedstate-client-secret` | -| `config.sharedStateClient.additionalProviders` | Configure additional shared state providers - example in values.yaml | `[]` | + +| Parameter | Description | Default | +| ----------------------------------------------- | --------------------------------------------------------------------------------- | --------------------------- | +| `config.sharedStateClient.enabled` | Enable redis configuration | `true` | +| `config.sharedStateClient.existingConfigSecret` | Use an existing config secret - must contain a key called sharedstate_client.yaml | `sharedstate-client-secret` | +| `config.sharedStateClient.additionalProviders` | Configure additional shared state providers - example in values.yaml | `[]` | + [Back to Additional Guides](#additional-guides) ### Database Configuration + You can configure the deployment to use an external database (this is the recommended approach - the included MySQL SubChart is not supported). In the values.yaml file, set the create field in the database section to false, and set jdbcURL to use your own database server: + ``` database: enabled: true @@ -1442,9 +1581,11 @@ database: liquibaseLogLevel: "off" name: ssg ``` + In the above example, two MySQL database servers are specified with myprimaryserver acting as the primary server and mysecondaryserver acting as the secondary server. The failOverReadOnly property is also set to false meaning that the secondary server db is also writable. When disklessConfig.enabled is false (see [Diskless Configuration](#diskless-configuration)), the following database fields will be ignored: + - jdbcURL - username - password @@ -1452,11 +1593,13 @@ When disklessConfig.enabled is false (see [Diskless Configuration](#diskless-con The values will come from node.properties instead. See [External MySQL](#external-mysql) section. More info on the JDBC URL: -- Connection URL syntax: https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-url-format.html -- Failover config: https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-config-failover.html -- Configuration properties: https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-properties.html + +- Connection URL syntax: [https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-url-format.html](https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-url-format.html) +- Failover config: [https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-config-failover.html](https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-config-failover.html) +- Configuration properties: [https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-properties.html](https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-properties.html) Configuring SSL/TLS: the following parameters can be added to enable secure communication between the Gateway and an external MySQL Database + - useSSL=true - requireSSL=true - verifyServerCertificate=false @@ -1465,65 +1608,69 @@ Configuring SSL/TLS: the following parameters can be added to enable secure comm jdbcURL: jdbc:mysql://myprimaryserver:3306,mysecondaryserver:3306/ssg?useSSL=true&requireSSL=true&verifyServerCertificate=false ``` -In order the create the database on the remote server, the provided user in the username field must have write privilege on the database. See GRANT statement usage: https://dev.mysql.com/doc/refman/8.0/en/grant.html#grant-database-privileges +In order the create the database on the remote server, the provided user in the username field must have write privilege on the database. See GRANT statement usage: [https://dev.mysql.com/doc/refman/8.0/en/grant.html#grant-database-privileges](https://dev.mysql.com/doc/refman/8.0/en/grant.html#grant-database-privileges) [Back to Additional Guides](#additional-guides) ### MySQL StatefulSet (Development/Testing Only) + **Important Note:** This is a simple MySQL StatefulSet implementation for development and testing purposes only. ***It is not supported or recommended for production use.*** For production deployments, use an external MySQL database. #### Configuration -| Parameter | Description | Default | -| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | -| `mysql.image.repository` | MySQL image repository | `docker.io/mysql` | -| `mysql.image.tag` | MySQL image tag | `8.4.5` | -| `mysql.image.pullPolicy` | Image pull policy | `IfNotPresent` | -| `mysql.auth.rootPassword` | MySQL root password | `mypassword` | -| `mysql.auth.database` | Database name to create | `ssg` | -| `mysql.auth.username` | MySQL user (optional) | `gateway` | -| `mysql.auth.password` | MySQL user password | `mypassword` | -| `mysql.auth.existingSecret` | Use existing secret for credentials | `` | -| `mysql.service.type` | MySQL service type | `ClusterIP` | -| `mysql.service.port` | MySQL service port | `3306` | -| `mysql.service.annotations` | Annotations for the MySQL service | `{}` | -| `mysql.pdb.create` | Create PodDisruptionBudget for MySQL | `false` | -| `mysql.pdb.maxUnavailable` | Maximum unavailable pods | `` | -| `mysql.pdb.minAvailable` | Minimum available pods | `` | -| `mysql.persistence.enabled` | Enable persistence using PVC | `true` | -| `mysql.persistence.storageClass` | Storage class for PVC | `` | -| `mysql.persistence.accessModes` | PVC access modes | `[ReadWriteOnce]` | -| `mysql.persistence.size` | PVC size | `8Gi` | -| `mysql.persistence.annotations` | PVC annotations (can include Helm hooks) | `{}` | -| `mysql.persistence.existingClaim`| Use existing PVC | `` | -| `mysql.configuration` | Custom MySQL configuration (my.cnf) | `see values.yaml` | -| `mysql.existingConfigmap` | Use existing ConfigMap for configuration | `` | -| `mysql.initdbScripts` | Init scripts as key-value pairs | `{}` | -| `mysql.initdbScriptsConfigMap` | Existing ConfigMap with init scripts | `` | -| `mysql.commonAnnotations` | Annotations applied to all MySQL resources (can include Helm hooks) | `{}` | -| `mysql.resources` | Resource requests and limits | `{}` | -| `mysql.livenessProbe.enabled` | Enable liveness probe | `true` | -| `mysql.livenessProbe.initialDelaySeconds` | Liveness probe initial delay | `30` | -| `mysql.livenessProbe.periodSeconds` | Liveness probe period | `10` | -| `mysql.livenessProbe.timeoutSeconds` | Liveness probe timeout | `5` | -| `mysql.livenessProbe.failureThreshold` | Liveness probe failure threshold | `3` | -| `mysql.readinessProbe.enabled` | Enable readiness probe | `true` | -| `mysql.readinessProbe.initialDelaySeconds` | Readiness probe initial delay | `5` | -| `mysql.readinessProbe.periodSeconds` | Readiness probe period | `5` | -| `mysql.readinessProbe.timeoutSeconds` | Readiness probe timeout | `1` | -| `mysql.readinessProbe.failureThreshold` | Readiness probe failure threshold | `3` | -| `mysql.startupProbe.enabled` | Enable startup probe | `false` | -| `mysql.nodeSelector` | Node labels for pod assignment | `{}` | -| `mysql.affinity` | Affinity settings | `{}` | -| `mysql.tolerations` | Tolerations for pod assignment | `[]` | -| `mysql.podSecurityContext` | Pod security context | `{}` | -| `mysql.containerSecurityContext` | Container security context | `{}` | -| `mysql.podAnnotations` | Pod annotations | `{}` | -| `mysql.podLabels` | Pod labels | `{}` | + +| Parameter | Description | Default | +| ------------------------------------------ | ------------------------------------------------------------------- | ----------------- | +| `mysql.image.repository` | MySQL image repository | `docker.io/mysql` | +| `mysql.image.tag` | MySQL image tag | `8.4.5` | +| `mysql.image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `mysql.auth.rootPassword` | MySQL root password | `mypassword` | +| `mysql.auth.database` | Database name to create | `ssg` | +| `mysql.auth.username` | MySQL user (optional) | `gateway` | +| `mysql.auth.password` | MySQL user password | `mypassword` | +| `mysql.auth.existingSecret` | Use existing secret for credentials | `` | +| `mysql.service.type` | MySQL service type | `ClusterIP` | +| `mysql.service.port` | MySQL service port | `3306` | +| `mysql.service.annotations` | Annotations for the MySQL service | `{}` | +| `mysql.pdb.create` | Create PodDisruptionBudget for MySQL | `false` | +| `mysql.pdb.maxUnavailable` | Maximum unavailable pods | `` | +| `mysql.pdb.minAvailable` | Minimum available pods | `` | +| `mysql.persistence.enabled` | Enable persistence using PVC | `true` | +| `mysql.persistence.storageClass` | Storage class for PVC | `` | +| `mysql.persistence.accessModes` | PVC access modes | `[ReadWriteOnce]` | +| `mysql.persistence.size` | PVC size | `8Gi` | +| `mysql.persistence.annotations` | PVC annotations (can include Helm hooks) | `{}` | +| `mysql.persistence.existingClaim` | Use existing PVC | `` | +| `mysql.configuration` | Custom MySQL configuration (my.cnf) | `see values.yaml` | +| `mysql.existingConfigmap` | Use existing ConfigMap for configuration | `` | +| `mysql.initdbScripts` | Init scripts as key-value pairs | `{}` | +| `mysql.initdbScriptsConfigMap` | Existing ConfigMap with init scripts | `` | +| `mysql.commonAnnotations` | Annotations applied to all MySQL resources (can include Helm hooks) | `{}` | +| `mysql.resources` | Resource requests and limits | `{}` | +| `mysql.livenessProbe.enabled` | Enable liveness probe | `true` | +| `mysql.livenessProbe.initialDelaySeconds` | Liveness probe initial delay | `30` | +| `mysql.livenessProbe.periodSeconds` | Liveness probe period | `10` | +| `mysql.livenessProbe.timeoutSeconds` | Liveness probe timeout | `5` | +| `mysql.livenessProbe.failureThreshold` | Liveness probe failure threshold | `3` | +| `mysql.readinessProbe.enabled` | Enable readiness probe | `true` | +| `mysql.readinessProbe.initialDelaySeconds` | Readiness probe initial delay | `5` | +| `mysql.readinessProbe.periodSeconds` | Readiness probe period | `5` | +| `mysql.readinessProbe.timeoutSeconds` | Readiness probe timeout | `1` | +| `mysql.readinessProbe.failureThreshold` | Readiness probe failure threshold | `3` | +| `mysql.startupProbe.enabled` | Enable startup probe | `false` | +| `mysql.nodeSelector` | Node labels for pod assignment | `{}` | +| `mysql.affinity` | Affinity settings | `{}` | +| `mysql.tolerations` | Tolerations for pod assignment | `[]` | +| `mysql.podSecurityContext` | Pod security context | `{}` | +| `mysql.containerSecurityContext` | Container security context | `{}` | +| `mysql.podAnnotations` | Pod annotations | `{}` | +| `mysql.podLabels` | Pod labels | `{}` | + #### Example Configuration Enable MySQL with basic settings: + ```yaml database: create: true # Enables the MySQL StatefulSet @@ -1540,6 +1687,7 @@ mysql: ``` With Helm hooks for pre-install: + ```yaml database: create: true @@ -1557,6 +1705,7 @@ mysql: ``` With custom configuration: + ```yaml database: create: true @@ -1570,6 +1719,7 @@ mysql: ``` With init scripts: + ```yaml database: create: true @@ -1588,6 +1738,7 @@ mysql: #### Connecting the Gateway to MySQL When using the MySQL StatefulSet, configure the Gateway's database connection: + ```yaml database: enabled: true @@ -1602,6 +1753,7 @@ The Gateway will automatically connect to the MySQL service at `-g #### OTK Demo Database Integration When `otk.database.useDemoDb` is set to `true` and `database.create` is `true`, the MySQL StatefulSet will automatically: + - Apply Helm hook annotations (`helm.sh/hook: pre-install,post-upgrade`) to ensure MySQL is created before OTK installation - Mount the OTK database initialization scripts from the `otk-db-scripts-cm` ConfigMap - Initialize the OTK database schema during MySQL startup @@ -1630,29 +1782,32 @@ mysql: ### Database Migration Job (Pre-Upgrade Schema Updates) -Gateway 11.2.2 introduces an opt-in `pre-upgrade` Kubernetes Job that applies Liquibase database schema changes before the new Gateway pods roll out. This decouples the schema upgrade from the Gateway startup process, preventing stuck `DATABASECHANGELOGLOCK` entries from blocking pod startup during rolling upgrades. +Gateway 11.2.2 introduces an opt-in `pre-upgrade` Kubernetes Job that applies Liquibase database schema changes before the new Gateway pods roll out. By running the schema update once, in a dedicated job, before any Gateway pod starts, it avoids multiple pods racing to acquire the `DATABASECHANGELOGLOCK` simultaneously — reducing the risk of contention, stuck locks, and schema update failures that can block pods from starting during a rolling upgrade. The job also supports specifying a dedicated JDBC URL (for example, a primary writer endpoint) so that schema changes are applied directly to the primary database node, bypassing read replicas or load-balancing proxies that could route writes incorrectly. > **Requirements:** Gateway must be connected to an external MySQL database. The target Gateway image must be **11.2.2 or newer**. -> **Important — for upgrades only:** The `db-migration` job is a `pre-upgrade` Helm hook. It runs **only during `helm upgrade`**, never during `helm install`. Likewise, `-Dgateway.db.schema-update.mode=skip` must **not** be set during a fresh installation — if Liquibase is skipped on first install, the `ssg` database schema will never be populated and the Gateway will fail to start. Only add `skip` mode after the schema has been fully initialised by either a previous `helm install` (default mode) or a successful migration job. +> **Important — for upgrades only:** The `db-migration` job is a `pre-upgrade` Helm hook. It runs **only during `helm upgrade`**, never during `helm install`. Likewise, `-Dgateway.db.schema-update.mode=skip (which starts up Gateway container without Liquibase` must **not** be set during a fresh installation — if Liquibase is skipped on first install, the `ssg` database schema will never be populated and the Gateway will fail to start. Only add `skip` mode after the schema has been fully initialised by either a previous `helm install` (default mode) or a successful migration job. #### How it works When `database.migrationJob.enabled: true`, a short-lived `db-migration` Job pod is created as a Helm `pre-upgrade` hook. It runs the Gateway container image configured with a special startup mode that applies all pending schema changes and then exits — without starting the Gateway JVM. Once the Job completes successfully, Helm proceeds to roll out the main Gateway Deployment. -The main Gateway pods should be configured with `javaArgs: ["-Dgateway.db.schema-update.mode=skip"]` so they bypass the Liquibase check entirely and start immediately without touching the database lock. +The main Gateway pods can be configured with `javaArgs: ["-Dgateway.db.schema-update.mode=skip"]` so they bypass the Liquibase check entirely and start immediately without touching the database lock. This feature requires 11.2.2 or newer. #### Fresh install vs upgrade -| Operation | `skip` mode | Migration job | Expected behaviour | -|---|---|---|---| -| `helm install` (first time) | Not set (default) | Not applicable (`pre-upgrade` only) | Gateway populates the `ssg` schema on first boot — **correct** | -| `helm install` (first time) | Set | Not applicable | Gateway skips Liquibase — **schema never populated, Gateway broken** | -| `helm upgrade` | Set | Enabled | Migration job populates schema and exits, Gateway pods start fast — **correct** | + +| Operation | `config.javaArgs` — `-Dgateway.db.schema-update.mode` | Migration job (`database.migrationJob.enabled`) | Expected behaviour | +| --------------------------- | ------------------------------------------------------ | ----------------------------------------------- | ------------------------------------------------------------------------------- | +| `helm install` (first time) | Not set — Gateway runs Liquibase on startup (default) | Not applicable (`pre-upgrade` hook only) | Gateway populates the `ssg` schema on first boot — **correct** | +| `helm upgrade` | `skip` — Gateway bypasses Liquibase on startup | `true` — migration job applies schema changes first | Migration job populates schema and exits, Gateway pods start fast — **correct** | + +> **Warning:** Do not set `-Dgateway.db.schema-update.mode=skip` during `helm install`. The migration job is a `pre-upgrade` hook and does not run on install, so if Liquibase is skipped the `ssg` schema is never populated and the Gateway will fail to start. + #### Upgrade workflow -**Step 1 – Enable the migration job and run `helm upgrade`** +Configure both the migration job and `-Dgateway.db.schema-update.mode=skip` in your `values.yaml` together, then run `helm upgrade` once. The migration job runs as a `pre-upgrade` hook — it applies all pending schema changes and exits before any Gateway pod starts. The new Gateway pods, already configured to bypass Liquibase, can then start immediately without competing for the database lock. ```yaml database: @@ -1665,26 +1820,20 @@ database: # Optional: specify the primary writer endpoint directly. # If omitted, falls back to database.jdbcURL above. jdbcURL: "jdbc:mysql://myprimaryserver:3306/ssg" + +config: + javaArgs: + - "-Dgateway.db.schema-update.mode=skip" + # ... your other javaArgs ``` ```bash helm upgrade my-release layer7/gateway -f values.yaml ``` -The `db-migration` job will run, apply the schema, and exit. Helm then rolls out the new Gateway pods. - -**Step 2 – Configure Gateway pods to skip Liquibase** - -After the migration completes, add the following to ensure normal Gateway pods start fast and are immune to lock contention: +Helm runs the `db-migration` job first. Once it completes successfully, Helm rolls out the new Gateway pods. Because `skip` mode is already set, the pods bypass Liquibase and start immediately. -```yaml -javaArgs: - - "-Dgateway.db.schema-update.mode=skip" - -database: - migrationJob: - enabled: false # disable now that migration is complete -``` +Once enabled, you can leave `database.migrationJob.enabled: true` permanently. If there are no pending schema changes, the job completes in seconds and exits cleanly, so there is no harm in running it on every upgrade. #### Recovering from a stuck lock @@ -1701,28 +1850,42 @@ database: #### Configuration -| Parameter | Description | Default | -|---|---|---| -| `database.migrationJob.enabled` | Enable the pre-upgrade schema migration Job. For upgrades only — do not enable on `helm install`. | `false` | -| `database.migrationJob.jdbcURL` | JDBC URL for the migration job. Recommended to point at the primary writer endpoint directly to bypass load balancers or proxies. Falls back to `database.jdbcURL` if not set. | `""` | -| `database.migrationJob.clearLocks` | Forcefully release any stuck Liquibase locks before applying schema changes | `false` | -| `database.migrationJob.activeDeadlineSeconds` | Maximum time (in seconds) the job pod is allowed to run before being terminated | `300` | + +| Parameter | Description | Default | +| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------- | +| `database.migrationJob.enabled` | Enable the pre-upgrade schema migration Job. For upgrades only — do not enable on `helm install`. | `false` | +| `database.migrationJob.jdbcURL` | JDBC URL for the migration job. Recommended to point at the primary writer endpoint directly to bypass load balancers or proxies. Falls back to `database.jdbcURL` if not set. | `""` | +| `database.migrationJob.clearLocks` | Forcefully release any stuck Liquibase locks before applying schema changes | `false` | +| `database.migrationJob.activeDeadlineSeconds` | Maximum time (in seconds) the job pod is allowed to run before being terminated | `300` | + #### Retry behaviour The Job is configured with `backoffLimit: 1`. If the first pod fails or times out, Kubernetes creates exactly one retry pod. If the retry also fails, the Job is marked `Failed` and Helm aborts the upgrade, leaving the existing Gateway pods untouched. +To investigate a failed migration, retrieve the job logs to identify the failing changeset: + +```bash +kubectl logs -n -l job-name=-db-migration --tail=200 +``` + +Fix the root cause (for example, a missing MySQL privilege) and re-run `helm upgrade`. If the migration continues to fail, contact [Broadcom Support](https://support.broadcom.com) for assistance. + [Back to Additional Guides](#additional-guides) ### Cluster Wide Properties + You can specify cluster-wide properties in values.yaml, you can also use the [bundle](#bundle-configuration) to load your own Gateway Bundles. -| Parameter | Description | Default | -| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | -| `config.cwp.enabled` | Enable the CWP functionality (mounts a volume) | `false` | -| `config.cwp.properties` | Array of Key/Value pairs of cluster-wide properties | `see values.yaml` | + +| Parameter | Description | Default | +| ----------------------- | --------------------------------------------------- | ----------------- | +| `config.cwp.enabled` | Enable the CWP functionality (mounts a volume) | `false` | +| `config.cwp.properties` | Array of Key/Value pairs of cluster-wide properties | `see values.yaml` | + The default cluster-wide properties are as follows + ``` config: ... @@ -1745,15 +1908,17 @@ config: [Back to Additional Guides](#additional-guides) ### Enable DualStack(IPv4/IPv6) + To enable dual stack, you need to add or uncomment the given Java arguments, which can be configured in the values.yaml file. Gateway v11.1.3 supports dual stack. -Djava.net.preferIPv4Stack=false -Djava.net.preferIPv6Addresses=true -| Java Argument | Description | Default | -|---------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------| -| `-Djava.net.preferIPv4Stack=false` | If IPv6 is available on the operating system, the underlying native socket will, by default, be an IPv6 socket. This allows applications to connect to, and accept connections from, both IPv4 and IPv6 hosts. | `true` | -| `-Djava.net.preferIPv6Addresses=true` | When connecting to a host that has both IPv4 and IPv6 addresses, and if IPv6 is available on the operating system, the default behavior is to prefer IPv4 addresses over IPv6. | `false` | + +| Java Argument | Description | Default | +| ------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `-Djava.net.preferIPv4Stack=false` | If IPv6 is available on the operating system, the underlying native socket will, by default, be an IPv6 socket. This allows applications to connect to, and accept connections from, both IPv4 and IPv6 hosts. | `true` | +| `-Djava.net.preferIPv6Addresses=true` | When connecting to a host that has both IPv4 and IPv6 addresses, and if IPv6 is available on the operating system, the default behavior is to prefer IPv4 addresses over IPv6. | `false` | ``` @@ -1776,27 +1941,32 @@ config: Gateway and Management Service can optionally configure it as dual stack. -| Parameter | Description | Default | -|-------------------------------------|----------------------------------------------------------------------------------------------------------------------|-----------------| -| `service.ipFamilyPolicy` | Gateway Service ipFamilyPolicy can be used to configure SingleStack, PreferDualStack or RequireDualStack | `commented out` | -| `service.ipFamilies` | Gateway Service ipFamilies can be used to configure ["IPv4"], ["IPv6"], ["IPv4", "IPv6"] or ["IPv6", "IPv4"] | `nil` | -| `management.service.ipFamilyPolicy` | PolicyManager Service ipFamilyPolicy can be used to configure SingleStack, PreferDualStack or RequireDualStack | `commented out` | -| `management.service.ipFamilies` | PolicyMananger Service ipFamilies can be used to configure ["IPv4"], ["IPv6"], ["IPv4", "IPv6"] or ["IPv6", "IPv4"] | `nil` | + +| Parameter | Description | Default | +| ----------------------------------- | ------------------------------------------------------------------------------------------------------------------- | --------------- | +| `service.ipFamilyPolicy` | Gateway Service ipFamilyPolicy can be used to configure SingleStack, PreferDualStack or RequireDualStack | `commented out` | +| `service.ipFamilies` | Gateway Service ipFamilies can be used to configure ["IPv4"], ["IPv6"], ["IPv4", "IPv6"] or ["IPv6", "IPv4"] | `nil` | +| `management.service.ipFamilyPolicy` | PolicyManager Service ipFamilyPolicy can be used to configure SingleStack, PreferDualStack or RequireDualStack | `commented out` | +| `management.service.ipFamilies` | PolicyMananger Service ipFamilies can be used to configure ["IPv4"], ["IPv6"], ["IPv4", "IPv6"] or ["IPv6", "IPv4"] | `nil` | [Back to Additional Guides](#additional-guides) ### Java Args + Additional Java Arguments as may be recommended by support can be configured in values.yaml. Gateway v11.1.1 supports two new fields that allows a min and max heap size to be set. If these are not set config.heapSize will take precedence. -| Parameter | Description | Default | -| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | -| `config.heapSize` | Java Heap Size - this should be a percentage of the memory configured in resources.limits and should be updated together. The default assumes 50%, going above 75% is not recommended | `2G` | -| `config.minHeapSize` | Java Min Heap Size - this should be a percentage of the memory configured in resources.limits and should be updated together. The default assumes 25% | `1G` | -| `config.maxHeapSize` | Java Max Heap Size - this should be a percentage of the memory configured in resources.limits and should be updated together. The default assumes 75%, going above this is not recommended | `3G` | -| `config.javaArgs` | Additional Java Args to pass to the SSG process | `see values.yaml` | + +| Parameter | Description | Default | +| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------- | +| `config.heapSize` | Java Heap Size - this should be a percentage of the memory configured in resources.limits and should be updated together. The default assumes 50%, going above 75% is not recommended | `2G` | +| `config.minHeapSize` | Java Min Heap Size - this should be a percentage of the memory configured in resources.limits and should be updated together. The default assumes 25% | `1G` | +| `config.maxHeapSize` | Java Max Heap Size - this should be a percentage of the memory configured in resources.limits and should be updated together. The default assumes 75%, going above this is not recommended | `3G` | +| `config.javaArgs` | Additional Java Args to pass to the SSG process | `see values.yaml` | + The default Java Args are as follows + ``` config: heapSize: "2g" @@ -1816,11 +1986,14 @@ config: [Back to Additional Guides](#additional-guides) ### System Properties + Additional System Properties as may be recommended by support can be configured in values.yaml -| Parameter | Description | Default | -| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | -| `config.systemProperties` | Gateway System Properties | `see values.yaml` | + +| Parameter | Description | Default | +| ------------------------- | ------------------------- | ----------------- | +| `config.systemProperties` | Gateway System Properties | `see values.yaml` | + The default systemProperties represent what is currently in the base Gateway image with one added flag @@ -1830,6 +2003,7 @@ com.l7tech.server.clusterStaleNodeCleanupTimeoutSeconds=86400 ``` The full default is this + ``` systemProperties: |- # Default Gateway system properties @@ -1851,13 +2025,16 @@ The full default is this [Back to Additional Guides](#additional-guides) ### Diskless Configuration + Refer to [TechDocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/install-configure-upgrade/configuring-the-container-gateway/environment-variables-for-the-container-gateway.html) for more info. Running without Diskless config is supported from Gateway v11.1.1 onwards. Please make sure disklessConfig.enabled is true (default) if you are using a previous version of the Container Gateway. **DISKLESS_CONFIG** is a new environment variable that was introduced in Gateway v11.1.1, that allows switching between configuration sources. This is exposed in the Gateway Helm Chart via the disklessConfig configuration in values.yaml. + - **disklessConfig.enabled: true** - Default, No changes. + ``` disklessConfig: enabled: true @@ -1865,11 +2042,13 @@ disklessConfig: # name: gateway-secret # csi: {} ``` + - **disklessConfig.enabled: false** - The Gateway will be read its configuration from node.properties which is mounted to the container gateway. - This facilitates the use of the [secret store csi driver](https://secrets-store-csi-driver.sigs.k8s.io/) to mount configuration. - Creates a secret with node.properties by default - We **strongly recommend** you create your own node.properties file and make use of disklessConfig.existingSecret configuration. + ``` disklessConfig: enabled: false @@ -1881,9 +2060,11 @@ disklessConfig: #### Creating a node.properties file ##### External MySQL + - Make sure the database configuration matches what is in node.properties Example: node.properties with MySQL database configuration + ``` node.cluster.pass=mypassword admin.user=admin @@ -1896,9 +2077,11 @@ l7.mysql.connection.url=jdbc:mysql://myprimaryserver:3306,mysecondaryserver:3306 See [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/install-configure-upgrade/enable-ssl-connections-for-mysql.html) for more info on setting l7.mysql.connection.url. JDBC URLs like the value provided in database.jdbcUrl can be used as the value of l7.mysql.connection.url in node.properties. ##### Gateway running in Ephemeral Mode (no external MySQL) + - To run the Gateway in Ephemeral mode, ***node.db.type=derby*** needs to be added to node.properties Example: node.properties with Derby configuration + ``` node.cluster.pass=mypassword admin.user=admin @@ -1906,24 +2089,31 @@ admin.pass=mypassword node.db.type=derby node.db.config.main.user=gateway ``` + Unlike interactive password changes in Policy Manager, the container startup scripts validate the following username and password against a restricted character set (for parsing/scripting safety): + ``` admin.user, admin.pass, node.db.config.main.user, node.db.config.main.pass ``` + They may contain alphanumeric ASCII characters and any of the following symbols: ! @ . = - _ ^ + ; : # , %. Do NOT use space characters. ##### Update values.yaml + Update your values file to use the new node.properties file. This command is the simplest way to create a secret with node.properties. Note that this can also be created with tools like [kustomize](https://kustomize.io/) which will be better for CI/CD pipelines. You can also take advantage of the secret [secret store csi driver](https://secrets-store-csi-driver.sigs.k8s.io/) to mount this secret from an external KMS provider. Note that the key name is node.properties. This is required. + ``` kubectl create secret generic gateway-secret --from-file=node.properties=path/to/node.properties ``` + values.yaml + ``` disklessConfig: enabled: false @@ -1935,6 +2125,7 @@ disklessConfig: # volumeAttributes: # secretProviderClass: "secret-provider-class-name" ``` + #### Set up node.properties secret by InitContainer From Gateway v11.2.0 onwards, node.properties support secrets provided in different format by different third party secret managers using InitContainer. @@ -1943,6 +2134,7 @@ Gateway container mounts only /opt/docker/custom/custom-properties/node.properti InitContainer volumeMounts name has to be **shared-secret** values.yaml + ``` disklessConfig: enabled: false @@ -1970,21 +2162,26 @@ initContainers: yum install -y jq jq -r 'to_entries | map("\(.key)=\(.value)") |.[]' /opt/docker/config/node.json > /opt/docker/config/node.properties ``` + More information on how to use initContainers with examples can be found on the [Layer7 Community Github Utilities Repository](https://github.com/Layer7-Community/Utilities/tree/main/gateway-init-container-examples). [Back to Additional Guides](#additional-guides) ### Bundle Configuration + There are a variety of ways to mount Gateway (Restman format) Bundles to the Gateway Container. The best option is making use of existingBundles where the bundle has been created ahead of deployment as a configMap or secret. This allows for purpose built Gateways with a guaranteed set of configuration, apis/services. -| Parameter | Description | Default | -| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | -| `existingBundle.enabled` | Enable bundle mounts | `false` | -| `existingBundle.configMaps` | Array of configmap configurations | `see values.yaml` | -| `existingBundle.secrets` | Array of secret configurations | `see values.yaml` | + +| Parameter | Description | Default | +| --------------------------- | --------------------------------- | ----------------- | +| `existingBundle.enabled` | Enable bundle mounts | `false` | +| `existingBundle.configMaps` | Array of configmap configurations | `see values.yaml` | +| `existingBundle.secrets` | Array of secret configurations | `see values.yaml` | + This example shows 1 secret and 1 configmap configured - you can also use the secrets-store.csi.k8s.io driver for bundles that contain sensitive information. + ``` # Bundles that contain sensitive information can be mounted using the Kubernetes CSI Driver existingBundle: @@ -2007,9 +2204,11 @@ existingBundle: [Back to Additional Guides](#additional-guides) ### Bootstrap Script + To reduce reliance on requiring a custom gateway image for custom and modular assertions, scripts and restman bundles a bootstrap script has been introduced. The script works with the /opt/docker/custom folder. The best way to populate this folder is with an initContainer where files can be copied directly across or dynamically loaded from an external source. The following configuration enables the script + ``` bootstrap: script: @@ -2017,36 +2216,37 @@ bootstrap: cleanup: false <== set this to true if you'd like to clear the /opt/docker/custom folder after it has run. ``` -The bootstrap script scans files in ```/opt/docker/custom```. This folder is populated by an initContainer. +The bootstrap script scans files in `/opt/docker/custom`. This folder is populated by an initContainer. The following folder stucture must be maintained - Restman Bundles (.bundle) - - Source ```/opt/docker/custom/bundles``` - - Target ```/opt/SecureSpan/Gateway/node/default/etc/bootstrap/bundle``` + - Source `/opt/docker/custom/bundles` + - Target `/opt/SecureSpan/Gateway/node/default/etc/bootstrap/bundle` - Custom Assertions (.jar) - - Source ```/opt/docker/custom/custom-assertions``` - - Target ```/opt/SecureSpan/Gateway/runtime/modules/lib/``` + - Source `/opt/docker/custom/custom-assertions` + - Target `/opt/SecureSpan/Gateway/runtime/modules/lib/` - Modular Assertions (.aar) - - Source ```/opt/docker/custom/modular-assertions``` - - Target ```/opt/SecureSpan/Gateway/runtime/modules/assertions``` + - Source `/opt/docker/custom/modular-assertions` + - Target `/opt/SecureSpan/Gateway/runtime/modules/assertions` - Properties (.properties) - - Source ```/opt/docker/custom/properties``` - - Target ```/opt/SecureSpan/Gateway/node/default/etc/conf/``` - + - Source `/opt/docker/custom/properties` + - Target `/opt/SecureSpan/Gateway/node/default/etc/conf/` More information on how to use initContainers with examples can be found on the [Layer7 Community Github Utilities Repository](https://github.com/Layer7-Community/Utilities/tree/main/gateway-init-container-examples). [Back to Additional Guides](#additional-guides) ### Custom Health Checks -You can now specify a configMap or Secret that contains healthcheck scripts. These are mounted to ```/opt/docker/rc.d/diagnostic/health_check``` where they are run by ```/opt/docker/rc.d/diagnostic/health_check.sh```. + +You can now specify a configMap or Secret that contains healthcheck scripts. These are mounted to `/opt/docker/rc.d/diagnostic/health_check` where they are run by `/opt/docker/rc.d/diagnostic/health_check.sh`. - Limited to a single configmap or secret. - ConfigMaps and Secrets can hold multiple scripts. - [See this example](https://github.com/Layer7-Community/Utilities/tree/main/gateway-init-container-examples) ***NOTE: if you set a configMap and a Secret only one of them will be applied to your API Gateway.*** + ``` existingHealthCheck: enabled: false @@ -2066,9 +2266,11 @@ existingHealthCheck: [Back to Additional Guides](#additional-guides) ### Custom Configuration Files + Certain folders on the Container Gateway are not writeable by design. This configuration allows you to mount existing configMap/Secret keys to specific paths on the Gateway without the need for a root user or a custom/derived image. - [See this example](https://github.com/Layer7-Community/Utilities/tree/main/gateway-init-container-examples) + ``` customConfig: enabled: false @@ -2086,13 +2288,15 @@ customConfig: [Back to Additional Guides](#additional-guides) ### Graceful Termination + During upgrades and other events where Gateway pods are replaced you may have APIs/Services that have long running connections open. This functionality delays Kubernetes sending a SIGTERM to the container gateway while connections remain open. This works in conjunction with terminationGracePeriodSeconds which should always be higher than preStopScript.timeoutSeconds. If preStopScript.timeoutSeconds is exceeded, the script will exit 0 and normal pod termination will resume. -The preStop script will monitor connections to inbound (not outbound) Gateway Application TCP ports (i.e. inbound listener ports opened by the Gateway Application and not some other process) except those that are explicitly excluded. +The preStop script will monitor connections to **inbound (not outbound)** Gateway Application TCP ports (i.e. inbound listener ports opened by the Gateway Application and not some other process) except those that are explicitly excluded. The following ports are excluded from monitoring by default. + - 8777 (Hazelcast) - Hazelcast. - 2124 (Internode-Communication) - not utilised by the Container Gateway. @@ -2102,32 +2306,38 @@ While there aren't any explicit limits on preStopScript.timeoutSeconds and termi The graceful termination (preStop script) is disabled by default. -| Parameter | Description | Default | -| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | -| `lifecycleHooks` | Custom lifecycle hooks, takes precedence over the preStopScript | `{}` | -| `preStopScript.enabled` | Enable the preStop script | `false` | -| `preStopScript.periodSeconds` | The time in seconds between checks | `3` | -| `preStopScript.timeoutSeconds` | Timeout - must be lower than terminationGracePeriodSeconds | `60` | -| `preStopScript.excludedPorts` | Array of ports that should be excluded from the preStop script check | `[8777, 2124]` | -| `terminationGracePeriodSeconds` | Default duration in seconds kubernetes waits for container to exit before sending kill signal. | `see values.yaml` | + +| Parameter | Description | Default | +| ------------------------------- | ---------------------------------------------------------------------------------------------- | ----------------- | +| `lifecycleHooks` | Custom lifecycle hooks, takes precedence over the preStopScript | `{}` | +| `preStopScript.enabled` | Enable the preStop script | `false` | +| `preStopScript.periodSeconds` | The time in seconds between checks | `3` | +| `preStopScript.timeoutSeconds` | Timeout - must be lower than terminationGracePeriodSeconds | `60` | +| `preStopScript.excludedPorts` | Array of ports that should be excluded from the preStop script check | `[8777, 2124]` | +| `terminationGracePeriodSeconds` | Default duration in seconds kubernetes waits for container to exit before sending kill signal. | `see values.yaml` | + [Back to Additional Guides](#additional-guides) ### Autoscaling + Autoscaling is disabled by default, you will need [metrics server](https://github.com/kubernetes-sigs/metrics-server) in conjunction with the configuration below. In order for Kubernetes to determine when to scale, you will also need to configure resources We do not recommend setting MaxReplicas for a MySQL backed API Gateway above 8. -| Parameter | Description | Default | -| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | -| `autoscaling.enabled` | Enable autoscaling | `false` | -| `autoscaling.hpa.minReplicas` | Minimum replicas that should be available | `1` | -| `autoscaling.hpa.maxReplicas` | Maximum replicas that should be available | `3` | -| `autoscaling.hpa.metrics` | Metrics to scale on | `see values.yaml` | -| `autoscaling.hpa.behaviour` | Scale up/down behaviour | `see values.yaml` | + +| Parameter | Description | Default | +| ----------------------------- | ----------------------------------------- | ----------------- | +| `autoscaling.enabled` | Enable autoscaling | `false` | +| `autoscaling.hpa.minReplicas` | Minimum replicas that should be available | `1` | +| `autoscaling.hpa.maxReplicas` | Maximum replicas that should be available | `3` | +| `autoscaling.hpa.metrics` | Metrics to scale on | `see values.yaml` | +| `autoscaling.hpa.behaviour` | Scale up/down behaviour | `see values.yaml` | + Here is an example of a configured autoscaling section. + ``` autoscaling: enabled: true @@ -2159,14 +2369,19 @@ autoscaling: [Back to Additional Guides](#additional-guides) ### Pod Disruption Budgets + [Pod Disruption Budgets](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) allow you to limit the number of concurrent disruptions that your application experiences, allowing for higher availability while permitting the cluster administrator to manage the clusters nodes. -| Parameter | Description | Default | -| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | -| `pdb.create` | Create a PodDisruptionBudget for your Gateway Release | `false` | -| `pdb.maxUnavailable` | number of pods from that set that can be unavailable after the eviction. It can be either an absolute number or a percentage. | `""` | -| `pdb.minAvailable` | number of pods from that set that must still be available after the eviction, even in the absence of the evicted pod. minAvailable can be either an absolute number or a percentage. | `""` | + + +| Parameter | Description | Default | +| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------- | +| `pdb.create` | Create a PodDisruptionBudget for your Gateway Release | `false` | +| `pdb.maxUnavailable` | number of pods from that set that can be unavailable after the eviction. It can be either an absolute number or a percentage. | `""` | +| `pdb.minAvailable` | number of pods from that set that must still be available after the eviction, even in the absence of the evicted pod. minAvailable can be either an absolute number or a percentage. | `""` | + Example - note that only ***maxUnavailable*** or ***minAvailable*** can be set - both values ***cannot*** be set at the same time. + ``` pdb: create: true @@ -2177,16 +2392,20 @@ pdb: [Back to Additional Guides](#additional-guides) ### RBAC Parameters + PM Tagger requires access to pods in the current namespace, it uses the Gateway Configured service account. -| Parameter | Description | Default | -| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | -| `serviceAccount.create` | Create a service account for the Gateway | `true` | -| `serviceAccount.name` | Use an existing service account or specify the name of the service account that you would like to be created | `nil` | -| `rbac.create` | Create Role and Rolebinding for Gateway Service Account | `true` | + +| Parameter | Description | Default | +| ----------------------- | ------------------------------------------------------------------------------------------------------------ | ------- | +| `serviceAccount.create` | Create a service account for the Gateway | `true` | +| `serviceAccount.name` | Use an existing service account or specify the name of the service account that you would like to be created | `nil` | +| `rbac.create` | Create Role and Rolebinding for Gateway Service Account | `true` | + If you would like to create and use your own service account the Gateway with PM Tagger will require the following role to function correctly. ***This should NOT be a cluster role*** + ``` rules: - apiGroups: [""] @@ -2197,6 +2416,7 @@ rules: [Back to Additional Guides](#additional-guides) ### Logs & Audit Configuration + The API Gateway containers are configured to output logs and audits as JSON events, and to never write audits to the in-memory Derby database: - System properties in the default template for the `config.javaArgs` value configure the log and audit behaviour: @@ -2205,32 +2425,37 @@ The API Gateway containers are configured to output logs and audits as JSON even - Default log output configuration is overridden by specifying an alternative configuration properties file: `-Djava.util.logging.config.file=/opt/SecureSpan/Gateway/node/default/etc/conf/log-override.properties` - The alternative log configuration properties file `log-override.properties` is mounted on the container, via ConfigMap. - System property to include well known Certificate Authorities Trust Anchors - - API Gateway does not implicitly trust certificates without importing it but If you want to avoid import step then configure Gateway to accept any certificate signed by well known CA's (Certificate Authorities) - configure following property to true - - Set '-Dcom.l7tech.server.pkix.useDefaultTrustAnchors=true' for well known Certificate Authorities be included as Trust Anchors (true/false) + - API Gateway does not implicitly trust certificates without importing it but If you want to avoid import step then configure Gateway to accept any certificate signed by well known CA's (Certificate Authorities) + configure following property to true - + Set '-Dcom.l7tech.server.pkix.useDefaultTrustAnchors=true' for well known Certificate Authorities be included as Trust Anchors (true/false) - Allow wildcards when verifying hostnames (true/false) - - Set '-Dcom.l7tech.security.ssl.hostAllowWildcard=true' to allow wildcards when verifying hostnames (true/false) + - Set '-Dcom.l7tech.security.ssl.hostAllowWildcard=true' to allow wildcards when verifying hostnames (true/false) [Back to Additional Guides](#additional-guides) ## Subchart Configuration + ***these do not represent production configurations*** For Production implementations, please see the Chart links for recommended settings. The best approach would be deploying each independently ## Hazelcast -The following table lists the configured parameters of the Hazelcast Subchart - see the following for more detail https://github.com/hazelcast/charts/blob/master/stable/hazelcast/values.yaml -| Parameter | Description | Default | -| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | -| `hazelcast.enabled` | Enable/Disable deployment of Hazelcast | `false` | -| `hazelcast.external` | Point to an external Hazelcast - set enabled to false and configure the url | `false` | -| `hazelcast.image.tag` | The Gateway currently supports Hazelcast 4.x/5.x servers. | `5.2.1` | -| `hazelcast.url` | External Hazelcast Url | `hazelcast.example.com:5701` | -| `hazelcast.cluster.memberCount` | Number of Hazelcast Replicas you wish to deploy | `see values.yaml` | -| `hazelcast.hazelcast.yaml` | Hazelcast configuration | `see the documentation link` | +The following table lists the configured parameters of the Hazelcast Subchart - see the following for more detail [https://github.com/hazelcast/charts/blob/master/stable/hazelcast/values.yaml](https://github.com/hazelcast/charts/blob/master/stable/hazelcast/values.yaml) + + +| Parameter | Description | Default | +| ------------------------------- | --------------------------------------------------------------------------- | ---------------------------- | +| `hazelcast.enabled` | Enable/Disable deployment of Hazelcast | `false` | +| `hazelcast.external` | Point to an external Hazelcast - set enabled to false and configure the url | `false` | +| `hazelcast.image.tag` | The Gateway currently supports Hazelcast 4.x/5.x servers. | `5.2.1` | +| `hazelcast.url` | External Hazelcast Url | `hazelcast.example.com:5701` | +| `hazelcast.cluster.memberCount` | Number of Hazelcast Replicas you wish to deploy | `see values.yaml` | +| `hazelcast.hazelcast.yaml` | Hazelcast configuration | `see the documentation link` | + ### Subcharts -* Hazelcast (default: disabled) ==> https://github.com/helm/charts/tree/master/stable/hazelcast -[Back to Additional Guides](#additional-guides) +- Hazelcast (default: disabled) ==> [https://github.com/helm/charts/tree/master/stable/hazelcast](https://github.com/helm/charts/tree/master/stable/hazelcast) + +[Back to Additional Guides](#additional-guides) \ No newline at end of file diff --git a/charts/gateway/release-notes.md b/charts/gateway/release-notes.md index af04da29..f409f8cd 100644 --- a/charts/gateway/release-notes.md +++ b/charts/gateway/release-notes.md @@ -3,11 +3,28 @@ Back to [Readme](./README.md#release-notes) # Java 21 + The Layer7 API Gateway is now running with Java 21 with the release of v11.2.0. If you use Policy Manager, you will need to update to v11.2.0. +## 3.1.2 Database Migration Job (Pre-Upgrade Schema Updates) + +Requires Gateway image **11.2.2 or newer**. + +- Added an opt-in `pre-upgrade` Kubernetes Job (`database.migrationJob`) that applies Liquibase database schema changes before the new Gateway pods roll out, avoiding multiple pods racing to acquire the `DATABASECHANGELOGLOCK` simultaneously during rolling upgrades. +- The migration job supports a dedicated `jdbcUrl` override, allowing schema changes to be applied directly to the primary writer endpoint and bypassing read replicas or load-balancing proxies. +- Added `database.migrationJob.clearLocks` option to forcefully release a stuck `DATABASECHANGELOGLOCK` before running schema updates, enabling recovery from a previously failed migration. +- Added four Gateway startup modes via `-Dgateway.db.schema-update.mode` in `config.javaArgs`: + - `default` — runs Liquibase then starts the Gateway JVM (original behaviour, unchanged) + - `skip` — bypasses Liquibase and starts the Gateway JVM immediately (use with the migration job on upgrade, not for helm install) + - `liquibase-only` — runs Liquibase and exits without starting the Gateway JVM (used by the migration job) + - `liquibase-only-with-unlock` — force-releases the Liquibase lock, runs Liquibase, and exits (used by `clearLocks`) +- The migration job is disabled by default (`database.migrationJob.enabled: false`) and only takes effect during `helm upgrade` — it does not run on `helm install`. +- See [Database Migration Job](./README.md#database-migration-job-pre-upgrade-schema-updates) for full configuration and upgrade workflow. + ## 3.1.1 OTK 4.7.0 Released + - The default image tag in values.yaml and production-values.yaml for OTK updated to 4.7.0. - otk.job.image.tag: 4.7.0 - Added support for SSL connection for MySQL database. The sslMode option can be used in the JDBC query @@ -15,22 +32,24 @@ If you use Policy Manager, you will need to update to v11.2.0. - For OTK 4.7.0 specific features please refer to [Release Notes](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-7.html) ## 3.1.0 Bitnami SubChart removal + - All Bitnami SubCharts have been removed from the Gateway Helm Chart - Statefulsets for mysql and redis have been added to replace the subCharts - - These are examples only and should NOT be used in production environments! + - These are examples only and should **NOT** be used in production environments! - If you are using the mysql subChart in a development environment, a new persistent volume claim and statefulset will be created. - use graphman to export your gateway configuration prior to upgrading - your old mysql persistent volume claim and statefulset will remain - you will need to restart the gateway manually - - ```kubectl rollout restart deployment ``` + - `kubectl rollout restart deployment ` - The new Redis Statefulset is standalone only with optional SSL/TLS and password auth - Upgrading to the latest version of the Chart - will not remove the existing mysql statefulset or associated persistent volume claim - you will need to clean these up manually - will not redeploy the Gateway if restartOnConfigChange.enabled is not true - - ```kubectl rollout restart deployment -gateway``` + - `kubectl rollout restart deployment -gateway` ## 3.1.0 Kubernetes Gateway v1 Support + - Added support for the Gateway v1 API - See [kubernetesGateway Configuration](./README.md#kubernetes-gateway-api-configuration) for more details and the [examples](../../examples/ingress/readme.md) for getting started. - By default we autogenerate certificates for both Gateways @@ -41,6 +60,7 @@ If you use Policy Manager, you will need to update to v11.2.0. - this avoids unplanned changes if you are not already overriding the ingress class ## 3.1.0 General Updates + - Added per route annotations for Openshift - configured in ingress.rules - this has no impact on ingress v1 @@ -50,45 +70,58 @@ If you use Policy Manager, you will need to update to v11.2.0. - if you were using this functionality in previous versions of the Gateway we recommend configuring a kubernetes job instead ## 3.0.45 General Updates + Update chart to generate default TLS secret for external GemFire deployed by GemFire operator. ## 3.0.44 General Updates + This patch resolves conflicting labels/selectors for the OTK install, upgrade and scheduled task jobs. ## 3.0.43 General Updates + For Redis data provider, config.redis.tls.redisCrt is no longer required when config.redis.tls.verifyPeer is false ## 3.0.42 General Updates + Images for mysql, redis and grafana have been temporarily switched to caapim to avoid disruption during future changes to the bitnami legacy repository. ## 3.0.41 General Updates + For Specific compatibility changes related to OTK, please refer to [here](https://github.com/CAAPIM/apim-charts/blob/stable/charts/gateway/README.md#otk-compatibility-with-gateway-112) to have continuous support -## 3.0.40 General Updates -- Gemfire property statistic-sampling-enabled=false is added to disable Statistic sampling which is not supported for embedded gemfire on container gateway +## 3.0.40 General Updates + +- Gemfire property statistic-sampling-enabled=false is added to disable Statistic sampling which is not supported for embedded gemfire on container gateway ## 3.0.39 General Updates + - Add using initContainer to mount secret - Update GemFire version to 10.2.0 and GemFire management console version to 1.4.1 ## 3.0.38 General Updates + - Remove extra gateway container env config ## 3.0.37 General Updates + - Added support for Dual Stack Network in Gateway - Added GemFire configuration - Updated pm-tagger image (docker.io/caapim/pm-tagger:1.0.3) ## 3.0.36 General Updates + Images for mysql, redis and grafana have been temporarily switched to [bitnamilegacy](https://community.broadcom.com/blogs/beltran-rueda-borrego/2025/08/18/how-to-prepare-for-the-bitnami-changes-coming-soon) to avoid disruption during the bitnami secure switch. ## 3.0.35 General Updates + This is a minor patch to update pm-tagger, fix the readme format and add optional loadBalancerClass for services. + - PM-Tagger image updated (docker.io/caapim/pm-tagger:1.0.2) - Readme format fix - Added loadBalancerClass for services (optional) ## 3.0.34 OTK 4.6.4 Released + - The default image tag in values.yaml and production-values.yaml for OTK updated to 4.6.4. - otk.job.image.tag: 4.6.4 - Adding support to Oauth_Client_Read database connection @@ -98,11 +131,14 @@ This is a minor patch to update pm-tagger, fix the readme format and add optiona - Updated comments & documentation for better clarity ## 3.0.33 General Updates + This is a minor patch to remove the use of AWK in the following optional scripts + - Bootstrap script - Graceful shutdown script ## 3.0.32 General Updates + - Default image updated to v11.1.2 - Gateway v11.1.2 onwards has updated defaults for config.log.override.properties - Please review your configuration and remove this line prior to upgrading to avoid log duplication @@ -114,8 +150,9 @@ This is a minor patch to remove the use of AWK in the following optional scripts - Gateway 11.1.x supports 8.4.x - By Default, the MySQL version is updated to 8.4.3 - The MySQL subChart (testing/development only) has been updated to 12.1.0 - + ## 3.0.31 General Updates + - Support for Openshift Routes (disabled by default) - Uses passthrough termination (tls only) - path is ignored in this mode @@ -124,6 +161,7 @@ This is a minor patch to remove the use of AWK in the following optional scripts - Management service can be routed To enable - see [ingress configuration](./README.md#ingress-configuration) for more details + ``` ingress: enabled: true @@ -155,6 +193,7 @@ ingress: - New way to add system properties - You can now use key/value pairs to extend [system properties](./README.md#system-properties) - No impact to existing configuration + ``` config: ... @@ -162,6 +201,7 @@ config: - name: test value: test123 ``` + - New Deployment Configuration Options for the OTel SDK Only approach (Disabled by default) - Does ***NOT*** configure system or cluster-wide properties, this step is still required - Requires a Gateway restart when enabled @@ -180,6 +220,7 @@ config: - k8s.namespace.name ==> NAMESPACE - k8s.node.name ==> NODE_NAME - k8s.pod.name ==> POD_NAME + ``` config: ... @@ -193,7 +234,9 @@ config: ``` ## 3.0.30 General Updates + **Note** Gateway restart required if using preview Redis features. + - Support added for running the Gateway without [Diskless Config](./README.md#diskless-configuration) - Uses node.properties which can be mounted via [Secret or Secret Store CSI Driver](https://secrets-store-csi-driver.sigs.k8s.io/) - Must be conciously enabled (limited to Gateway v11.1.1) @@ -206,37 +249,40 @@ config: - config.redis is used to configure this - additional redis providers can be set directly in your values file via sharedStateProviders.additionalProviders - if using an existing secret that contains multiple providers with TLS, please use [Custom Config](./README.md#custom-configuration-files) to load the additional certs. - - Configurable Java Min/Max Heap size - - Java Min and Max Heap Size is now [configurable](./README.md#java-args) - - Liquibase Log Level is now settable via database.liquibaseLogLevel. - - default "off" - - possible values - - severe - - warning - - info - - fine(debug) - - off - - System Properties - - FIPS - - Switched to BCFIPS 2.0 to provide both non-FIPS and FIPS functionality to the Gateway. - - Previous - - com.safelogic.cryptocomply.rsa.allow_multi_use=true - - New - - com.l7tech.org.bouncycastle.rsa.allow_multi_use=true +- Configurable Java Min/Max Heap size + - Java Min and Max Heap Size is now [configurable](./README.md#java-args) +- Liquibase Log Level is now settable via database.liquibaseLogLevel. + - default "off" + - possible values + - severe + - warning + - info + - fine(debug) + - off +- System Properties + - FIPS + - Switched to BCFIPS 2.0 to provide both non-FIPS and FIPS functionality to the Gateway. + - Previous + - com.safelogic.cryptocomply.rsa.allow_multi_use=true + - New + - com.l7tech.org.bouncycastle.rsa.allow_multi_use=true ## 3.0.29 OTK 4.6.3 Released + - The default image tag in values.yaml and production-values.yaml for OTK updated to **4.6.3**. - - otk.job.image.tag: 4.6.3 + - otk.job.image.tag: 4.6.3 - Liquibase version has been upgraded to 4.12.0 to enable offline Liquibase schema support for OTK Helm charts. - UTFMB4 Character Set Support for MySQL. - Fixed backward compatibility issue related to bootstrap director location for pre 4.6.2 OTK versions - For versions older than OTK 4.6.2, in values.yaml manually add a new parameter otk.bootstrapDir with value "." indicating current directory ## 3.0.28 General Updates + - Added a [Startup probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) for the Gateway Container. - Disabled by default ## 3.0.27 General Updates + - Default image updated to v11.1.00 - Due to conflicting embedded Hazelcast versions between Gateway 10.x and 11.1, and between 11.0 and 11.1, a rolling update cannot be performed when upgrading to version 11.1 GA. Instead, follow the alternative steps: - Scale down your containers to zero. @@ -256,6 +302,7 @@ config: - Cipher Suites in [Gateway Application Ports](./README.md#gateway-application-ports) have been updated to reflect updates in Gateway v11.1.00. Please refer to [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/11-1/release-notes.html#concept.dita_ea0082004fb8c78a1723b9377f592085674b7ef7_jdk17) for more details. This configuration is ***disabled by default.*** ## 3.0.26 General Updates + - Commented out Nginx specific annotations in the ingress configuration - If you are using an Nginx ingress controller you will need to add or uncomment the following annotation manually - nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" @@ -264,22 +311,27 @@ config: - Added Gateway [Pod Disruption Budget](./README.md#pod-disruption-budgets) ## 3.0.25 OTK Schedule job success and failure limts + - Added configurable success and failure job history limit for OTK database maintenance schedule jobs. ## 3.0.24 General Updates + - Custom Volumes for initContainers and Sidecars - This allows configmaps/secrets to be mounted to initContainers and sideCars - customSideCarVolumes - customInitVolumes -## 3.0.23 OTK 4.6.2_202402 Released +## 3.0.23 OTK 4.6.2_202402 Released + - Updated OTK image version value ## 3.0.22 General Updates + - Updated Chart ci values - no impact ## 3.0.21 General Updates + - Updated [Redis Configuration](./README.md#redis-configuration) - More context added for creating your own redis properties file - More context added for Redis auth @@ -288,13 +340,14 @@ config: - Added Graphman Bundle support to the bootstrap script - files that end in .json will be copied into the bootstrap folder - ## 3.0.20 General Updates + - Updated image - Updated to Gateway 11.0.00_CR2 - this will cause a restart if you are not overriding the default image ## 3.0.19 General Updates + - Updated image - Updated to Gateway 11.0.00_CR1 - this will cause a restart if you are not overriding the default image @@ -312,70 +365,83 @@ config: - MySQL subChart updated - Grafana subChart updated - ## 3.0.18 General Updates + - OTK documentation updates. ## 3.0.17 OTK 4.6.2 Released - - The default image tag in values.yaml and production-values.yaml for OTK updated to **4.6.2**. - - otk.job.image.tag: 4.6.2 - - OTK DB install/upgrade using Liquibase scripts for MySql and Oracle. - - otk.database.dbupgrade - - OTK DB install/upgrade on the gateways MySQL container (MySQL subchart) - ***This is not supported or recommended for production use.*** - - otk.database.useDemodb - - Install/upgrade OTK of type SINGLE on Ephemeral gateways using initContainer is now supported. - - database.enabled: false - - otk.type: SINGLE - - Added OTK Connection properties to support c3p0 settings. - - otk.database.connectionProperties - - Added support OTK read-only connections for MySQL and Oracle. - - otk.database.readOnlyConnection.* - - Added support for OTK policies customization through config maps and secrets. - - otk.customizations.existingBundle.enabled - - OTK DMZ/Internal gateway certs can now be configured using values file. - - otk.cert -> [!Important] -> - To upgrade OTK to 4.6.2 installed over gateway with demo db as database, update helm repo, perform helm delete and install. -> - When upgrading OTK 4.6.2 on a db backed gateway, the gateway will restart as there is a change related to OTK health check bundle in gateway deployment. This can lead to failure of OTK upgrade. To circumvent this, please perform a helm upgrade `otk.healthCheckBundle.enabled` set to `false` and then upgrade to the 3.0.17. -> ``` -> helm upgrade my-ssg --set-file "license.value=license.value=path/to/license.xml" --set "license.accept=true,otk.healthCheckBundle.enabled=false" layer7/gateway --version 3.0.16 -f ./values-production.yaml -> helm upgrade my-ssg --set-file "license.value=license.value=path/to/license.xml" --set "license.accept=true" layer7/gateway --version 3.0.17 -f ./values-production.yaml -> ``` +- The default image tag in values.yaml and production-values.yaml for OTK updated to **4.6.2**. + - otk.job.image.tag: 4.6.2 +- OTK DB install/upgrade using Liquibase scripts for MySql and Oracle. + - otk.database.dbupgrade +- OTK DB install/upgrade on the gateways MySQL container (MySQL subchart) - ***This is not supported or recommended for production use.*** + - otk.database.useDemodb +- Install/upgrade OTK of type SINGLE on Ephemeral gateways using initContainer is now supported. + - database.enabled: false + - otk.type: SINGLE +- Added OTK Connection properties to support c3p0 settings. + - otk.database.connectionProperties +- Added support OTK read-only connections for MySQL and Oracle. + - otk.database.readOnlyConnection.* +- Added support for OTK policies customization through config maps and secrets. + - otk.customizations.existingBundle.enabled +- OTK DMZ/Internal gateway certs can now be configured using values file. + - otk.cert + > [!Important] + > + > - To upgrade OTK to 4.6.2 installed over gateway with demo db as database, update helm repo, perform helm delete and install. + > - When upgrading OTK 4.6.2 on a db backed gateway, the gateway will restart as there is a change related to OTK health check bundle in gateway deployment. This can lead to failure of OTK upgrade. To circumvent this, please perform a helm upgrade `otk.healthCheckBundle.enabled` set to `false` and then upgrade to the 3.0.17. + > + > ``` + > + > ``` + > helm upgrade my-ssg --set-file "license.value=license.value=path/to/license.xml" --set "license.accept=true,otk.healthCheckBundle.enabled=false" layer7/gateway --version 3.0.16 -f ./values-production.yaml + > helm upgrade my-ssg --set-file "license.value=license.value=path/to/license.xml" --set "license.accept=true" layer7/gateway --version 3.0.17 -f ./values-production.yaml + > ``` ## 3.0.16 General Updates + - Added resources to otk install job - otk.job.resources ## 3.0.15 General Updates + - Updated [bootstrap script](./README.md#bootstrap-script) - 'find' replaced with 'du' ## 3.0.14 General Updates + - Added pod labels and annotations to the otk-install job. - otk.job.podLabels - otk.job.podAnnotations ## 3.0.13 General Updates + - The OTK Install job now uses podSecurity and containerSecurity contexts if set. - Updated how pod labels and annotations are templated in deployment.yaml ## 3.0.12 General Updates + Traffic Policies for Gateway Services are now configurable. The Kubernetes default for these options is `Cluster` if left unset. + - [Internal Traffic Policy](https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/#using-service-internal-traffic-policy) - [External Traffic Policy](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip) - ## 3.0.11 General Updates + Updates to Gateway Container Lifecycle. + - [A new preStop script has been added for graceful termination](./README.md#graceful-termination) - terminationGracePeriodSeconds must be greater than preStopScript.timeoutSeconds - Container Lifecycle can be overridden for custom exec/http calls ## 3.0.10 General Updates + Custom labels and annotations have been extended to all objects the Gateway Chart deploys. Pod Labels and annotations have been added to the Gateway and PM-Tagger deployments. - Additional Labels/Annotations apply to everything in this Chart's templates + ``` # Additional Annotations apply to all deployed objects additionalAnnotations: {} @@ -385,6 +451,7 @@ additionalLabels: {} ``` - Pod Labels/Annotations at the base level apply to the Gateway Pod + ``` ## Pod Labels for the Gateway Pod ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ @@ -396,6 +463,7 @@ podAnnotations: {} ``` - PM-Tagger pod labels/annotations are separate + ``` pmtagger: ... @@ -409,42 +477,52 @@ pmtagger: ``` ## 3.0.9 Updates to PM-Tagger + PM tagger has following additional configuration options + - [Topology Spread Constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/#spread-constraints-for-pods) - [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) - [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) - [All PM-Tagger Configuration](./README.md#pm-tagger-configuration) ## 3.0.8 Updates to Hazelcast + The default image tag in values.yaml is updated to **5.2.1** and xsd version in configmap.yaml to **5.2**. The updates are due to vulnerability from CVE-2022-36437. The updates are applied to both the gateway and gateway-otk chart. ## 3.0.7 General Updates + The bootstrap script has been updated to reflect changes to the Container Gateway's filesystem. The updates are currently limited to 10.1.00_CR3. Please see the [InitContainer Examples](https://github.com/Layer7-Community/Utilities/tree/main/gateway-init-container-examples) for more info . The PM Tagger image default version tag been updated to 1.0.1. ## 3.0.6 General Updates + The default image tag in values.yaml and production-values.yaml for OTK updated to **4.6.1**. Support for liveness and readiness probes using OTK health check service. ## 3.0.5 General Updates + The default image tag in values.yaml and production-values.yaml, and the appVersion in Chart.yaml have been updated to **11.0.00**. Before upgrading existing deployments, please see the [Container Gateway 11.0 Release Notes](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw-11-0/release-notes_cgw.html) for important information regarding the procedure. ## 3.0.4 General Updates + OTK installation and upgrade is now supported as part of Gateway charts. Please refer to [OTK Install or Upgrade](./README.md#otk-install-or-upgrade) for more details. [Gateway-OTK](../gateway-otk) is now deprecated. ## 3.0.2 General Updates + ***The default image tag in values.yaml and production-values.yaml now points at specific GA or CR versions of the API Gateway. The appVersion in Chart.yaml has also been updated to reflect that. As of this release, that is 10.1.00_CR2*** To reduce reliance on requiring a custom/derived gateway image for custom and modular assertions, scripts and restman bundles a bootstrap script has been introduced. The script works with the /opt/docker/custom folder. The best way to populate this folder is with an initContainer where files can be copied directly across or dynamically loaded from an external source. + - [InitContainer Examples](https://github.com/Layer7-Community/Utilities/tree/main/gateway-init-container-examples) - this repository also contains examples for custom health checks and configuration files. The following configuration options have been added + - [Custom Health Checks](./README.md#custom-health-checks) - [Custom Configuration Files](./README.md#custom-configuration-files) - [Topology Spread Constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/#spread-constraints-for-pods) @@ -456,20 +534,24 @@ The following configuration options have been added - SubCharts now show image repository and tags ### Upgrading to Chart v3.0.0 + Please see the 3.0.0 updates, this release brings significant updates and ***breaking changes*** if you are using an external Hazelcast 3.x server. Services and Ingress configuration have also changed. Read the 3.0.0 Updates below and check out the [additional guides](./README.md#additional-guides) for more info. ## 3.0.0 Updates to Hazelcast + ***Hazelcast 4.x/5.x servers are now supported*** this represents a breaking change if you have configured an external Hazelcast 3.x server. + - If you are using Gateway v10.1 and below you will either need to set *hazelcast.legacy.enabled=true* and use the following gateway image *docker.io/caapim/gateway:10.1.00_20220802* or update your external Hazelcast server. - The included Hazelcast subChart has been updated to reflect this change ### 3.0.0 Updates to Ingress Configuration + Ingress configuration has been updated to include multiple hosts, please see [Ingress Configuration](./README.md#ingress-configuration) for more detail. You will need to update your values.yaml to reflect the changes. ## 3.0.0 General Updates -- You can now configure [Gateway Ports.](./README.md#port-configuration) - This does not cover Kubernetes Service level configuration which will ***need to be updated*** to reflect your changes. +- You can now configure [Gateway Ports.](./README.md#port-configuration) +This does not cover Kubernetes Service level configuration which will ***need to be updated*** to reflect your changes. - New Management Service - Provides separation of concerns for external/management traffic. This was previously a manual step. - [Autoscaling](./README.md#autoscaling) @@ -483,29 +565,34 @@ Ingress configuration has been updated to include multiple hosts, please see [In - Includes a baseline for production configuration - Resources are set to minimum recommended values - Application ports are hardened - - 8080 (disabled) - - 8443 (management features disabled - service is ClusterIP) - - 9443 (configured with management service) + - 8080 (disabled) + - 8443 (management features disabled - service is ClusterIP) + - 9443 (configured with management service) - Autoscaling is enabled - Ingress is enabled - - Rules are configured for 8443 + - Rules are configured for 8443 - Database is not created - you will need to supply a JDBC Url ## Changes that will affect you if upgrading from 2.0.1 and below + - MySQL Stable Chart is deprecated - the demo database subChart has been changed to Bitnami MySQL - if your database is NOT externalised you will lose any policy/configuration you have there. - tls.customKey ==> tls.useSignedCertificates tls.key tls.pass tls.existingSecretName ## 2.0.6 General Updates + - Fixing bitnami repository dependency issue. ## 2.0.5 General Updates + - Internal only. ## 2.0.4 Updates to Secret Management + - Added support for the Kubernetes CSI Driver for gateway bundles. This does not currently extend to environment variables or the Gateway license. - The CSI functionality is optional ## 2.0.4 General Updates + - Added support for sidecars and initContainers - volumeMounts are automatically configured with emptyDir - Updated default values update to reflect empty objects/arrays for optional fields. @@ -513,14 +600,17 @@ Ingress configuration has been updated to include multiple hosts, please see [In - management.kubernetes.loadServiceAccountToken # Java 11 + The Layer7 API Gateway is now running with Java 11 with the release of the v10.1.00. The Gateway chart's version has been incremented to 2.0.2. Things to note and be aware of are the deprecation of TLSv1.0/TLSv1.1 and the JAVA_HOME dir has gone through some changes as well. ## 2.0.2 Updates to Secret Management + - You can now specify existing secrets for Gateway Configuration, DefaultSSLKey (tls) and bundles ## 2.0.2 General Updates + - Ingress Definition updated to reflect the new API Version, additional configuration added. - HostAliases applies to /etc/hosts for dns names that aren't available on a dns server. - System.properties is now mounted to the Gateway Container, default values have been applied. @@ -529,7 +619,9 @@ Things to note and be aware of are the deprecation of TLSv1.0/TLSv1.1 and the JA - Resources values updated to reflect minimum recommended configuration ## Upgrading to 2.0.2 + ***If you are using the demo database in a previous version of this Chart this upgrade will remove it. If you wish to keep your data you will need to perform a backup.*** + ``` $ helm repo update $ helm show values layer7/gateway > gateway-values.yaml @@ -538,3 +630,4 @@ Inspect and update the new gateway-values.yaml $ helm upgrade my-ssg --set-file "license.value=path/to/license.xml" --set "license.accept=true" -f ./gateway-values.yaml layer7/gateway ``` + From bea7e002aef46ffd3f7bb08f3515f78c03f571dd Mon Sep 17 00:00:00 2001 From: jchanbcbc Date: Tue, 23 Jun 2026 00:38:31 -0700 Subject: [PATCH 19/20] updated release-notes.md --- charts/gateway/release-notes.md | 194 ++++++++++---------------------- 1 file changed, 58 insertions(+), 136 deletions(-) diff --git a/charts/gateway/release-notes.md b/charts/gateway/release-notes.md index f409f8cd..14736b74 100644 --- a/charts/gateway/release-notes.md +++ b/charts/gateway/release-notes.md @@ -3,7 +3,6 @@ Back to [Readme](./README.md#release-notes) # Java 21 - The Layer7 API Gateway is now running with Java 21 with the release of v11.2.0. If you use Policy Manager, you will need to update to v11.2.0. @@ -24,7 +23,6 @@ Requires Gateway image **11.2.2 or newer**. - See [Database Migration Job](./README.md#database-migration-job-pre-upgrade-schema-updates) for full configuration and upgrade workflow. ## 3.1.1 OTK 4.7.0 Released - - The default image tag in values.yaml and production-values.yaml for OTK updated to 4.7.0. - otk.job.image.tag: 4.7.0 - Added support for SSL connection for MySQL database. The sslMode option can be used in the JDBC query @@ -32,24 +30,22 @@ Requires Gateway image **11.2.2 or newer**. - For OTK 4.7.0 specific features please refer to [Release Notes](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-7.html) ## 3.1.0 Bitnami SubChart removal - - All Bitnami SubCharts have been removed from the Gateway Helm Chart - Statefulsets for mysql and redis have been added to replace the subCharts - - These are examples only and should **NOT** be used in production environments! + - These are examples only and should NOT be used in production environments! - If you are using the mysql subChart in a development environment, a new persistent volume claim and statefulset will be created. - use graphman to export your gateway configuration prior to upgrading - your old mysql persistent volume claim and statefulset will remain - you will need to restart the gateway manually - - `kubectl rollout restart deployment ` + - ```kubectl rollout restart deployment ``` - The new Redis Statefulset is standalone only with optional SSL/TLS and password auth - Upgrading to the latest version of the Chart - will not remove the existing mysql statefulset or associated persistent volume claim - you will need to clean these up manually - will not redeploy the Gateway if restartOnConfigChange.enabled is not true - - `kubectl rollout restart deployment -gateway` + - ```kubectl rollout restart deployment -gateway``` ## 3.1.0 Kubernetes Gateway v1 Support - - Added support for the Gateway v1 API - See [kubernetesGateway Configuration](./README.md#kubernetes-gateway-api-configuration) for more details and the [examples](../../examples/ingress/readme.md) for getting started. - By default we autogenerate certificates for both Gateways @@ -60,7 +56,6 @@ Requires Gateway image **11.2.2 or newer**. - this avoids unplanned changes if you are not already overriding the ingress class ## 3.1.0 General Updates - - Added per route annotations for Openshift - configured in ingress.rules - this has no impact on ingress v1 @@ -70,58 +65,45 @@ Requires Gateway image **11.2.2 or newer**. - if you were using this functionality in previous versions of the Gateway we recommend configuring a kubernetes job instead ## 3.0.45 General Updates - Update chart to generate default TLS secret for external GemFire deployed by GemFire operator. ## 3.0.44 General Updates - This patch resolves conflicting labels/selectors for the OTK install, upgrade and scheduled task jobs. ## 3.0.43 General Updates - For Redis data provider, config.redis.tls.redisCrt is no longer required when config.redis.tls.verifyPeer is false ## 3.0.42 General Updates - Images for mysql, redis and grafana have been temporarily switched to caapim to avoid disruption during future changes to the bitnami legacy repository. ## 3.0.41 General Updates - For Specific compatibility changes related to OTK, please refer to [here](https://github.com/CAAPIM/apim-charts/blob/stable/charts/gateway/README.md#otk-compatibility-with-gateway-112) to have continuous support -## 3.0.40 General Updates - -- Gemfire property statistic-sampling-enabled=false is added to disable Statistic sampling which is not supported for embedded gemfire on container gateway +## 3.0.40 General Updates +- Gemfire property statistic-sampling-enabled=false is added to disable Statistic sampling which is not supported for embedded gemfire on container gateway ## 3.0.39 General Updates - - Add using initContainer to mount secret - Update GemFire version to 10.2.0 and GemFire management console version to 1.4.1 ## 3.0.38 General Updates - - Remove extra gateway container env config ## 3.0.37 General Updates - - Added support for Dual Stack Network in Gateway - Added GemFire configuration - Updated pm-tagger image (docker.io/caapim/pm-tagger:1.0.3) ## 3.0.36 General Updates - Images for mysql, redis and grafana have been temporarily switched to [bitnamilegacy](https://community.broadcom.com/blogs/beltran-rueda-borrego/2025/08/18/how-to-prepare-for-the-bitnami-changes-coming-soon) to avoid disruption during the bitnami secure switch. ## 3.0.35 General Updates - This is a minor patch to update pm-tagger, fix the readme format and add optional loadBalancerClass for services. - - PM-Tagger image updated (docker.io/caapim/pm-tagger:1.0.2) - Readme format fix - Added loadBalancerClass for services (optional) ## 3.0.34 OTK 4.6.4 Released - - The default image tag in values.yaml and production-values.yaml for OTK updated to 4.6.4. - otk.job.image.tag: 4.6.4 - Adding support to Oauth_Client_Read database connection @@ -131,14 +113,11 @@ This is a minor patch to update pm-tagger, fix the readme format and add optiona - Updated comments & documentation for better clarity ## 3.0.33 General Updates - This is a minor patch to remove the use of AWK in the following optional scripts - - Bootstrap script - Graceful shutdown script ## 3.0.32 General Updates - - Default image updated to v11.1.2 - Gateway v11.1.2 onwards has updated defaults for config.log.override.properties - Please review your configuration and remove this line prior to upgrading to avoid log duplication @@ -150,9 +129,8 @@ This is a minor patch to remove the use of AWK in the following optional scripts - Gateway 11.1.x supports 8.4.x - By Default, the MySQL version is updated to 8.4.3 - The MySQL subChart (testing/development only) has been updated to 12.1.0 - + ## 3.0.31 General Updates - - Support for Openshift Routes (disabled by default) - Uses passthrough termination (tls only) - path is ignored in this mode @@ -161,7 +139,6 @@ This is a minor patch to remove the use of AWK in the following optional scripts - Management service can be routed To enable - see [ingress configuration](./README.md#ingress-configuration) for more details - ``` ingress: enabled: true @@ -193,7 +170,6 @@ ingress: - New way to add system properties - You can now use key/value pairs to extend [system properties](./README.md#system-properties) - No impact to existing configuration - ``` config: ... @@ -201,7 +177,6 @@ config: - name: test value: test123 ``` - - New Deployment Configuration Options for the OTel SDK Only approach (Disabled by default) - Does ***NOT*** configure system or cluster-wide properties, this step is still required - Requires a Gateway restart when enabled @@ -220,7 +195,6 @@ config: - k8s.namespace.name ==> NAMESPACE - k8s.node.name ==> NODE_NAME - k8s.pod.name ==> POD_NAME - ``` config: ... @@ -234,9 +208,7 @@ config: ``` ## 3.0.30 General Updates - **Note** Gateway restart required if using preview Redis features. - - Support added for running the Gateway without [Diskless Config](./README.md#diskless-configuration) - Uses node.properties which can be mounted via [Secret or Secret Store CSI Driver](https://secrets-store-csi-driver.sigs.k8s.io/) - Must be conciously enabled (limited to Gateway v11.1.1) @@ -249,40 +221,37 @@ config: - config.redis is used to configure this - additional redis providers can be set directly in your values file via sharedStateProviders.additionalProviders - if using an existing secret that contains multiple providers with TLS, please use [Custom Config](./README.md#custom-configuration-files) to load the additional certs. -- Configurable Java Min/Max Heap size - - Java Min and Max Heap Size is now [configurable](./README.md#java-args) -- Liquibase Log Level is now settable via database.liquibaseLogLevel. - - default "off" - - possible values - - severe - - warning - - info - - fine(debug) - - off -- System Properties - - FIPS - - Switched to BCFIPS 2.0 to provide both non-FIPS and FIPS functionality to the Gateway. - - Previous - - com.safelogic.cryptocomply.rsa.allow_multi_use=true - - New - - com.l7tech.org.bouncycastle.rsa.allow_multi_use=true + - Configurable Java Min/Max Heap size + - Java Min and Max Heap Size is now [configurable](./README.md#java-args) + - Liquibase Log Level is now settable via database.liquibaseLogLevel. + - default "off" + - possible values + - severe + - warning + - info + - fine(debug) + - off + - System Properties + - FIPS + - Switched to BCFIPS 2.0 to provide both non-FIPS and FIPS functionality to the Gateway. + - Previous + - com.safelogic.cryptocomply.rsa.allow_multi_use=true + - New + - com.l7tech.org.bouncycastle.rsa.allow_multi_use=true ## 3.0.29 OTK 4.6.3 Released - - The default image tag in values.yaml and production-values.yaml for OTK updated to **4.6.3**. - - otk.job.image.tag: 4.6.3 + - otk.job.image.tag: 4.6.3 - Liquibase version has been upgraded to 4.12.0 to enable offline Liquibase schema support for OTK Helm charts. - UTFMB4 Character Set Support for MySQL. - Fixed backward compatibility issue related to bootstrap director location for pre 4.6.2 OTK versions - For versions older than OTK 4.6.2, in values.yaml manually add a new parameter otk.bootstrapDir with value "." indicating current directory ## 3.0.28 General Updates - - Added a [Startup probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) for the Gateway Container. - Disabled by default ## 3.0.27 General Updates - - Default image updated to v11.1.00 - Due to conflicting embedded Hazelcast versions between Gateway 10.x and 11.1, and between 11.0 and 11.1, a rolling update cannot be performed when upgrading to version 11.1 GA. Instead, follow the alternative steps: - Scale down your containers to zero. @@ -302,7 +271,6 @@ config: - Cipher Suites in [Gateway Application Ports](./README.md#gateway-application-ports) have been updated to reflect updates in Gateway v11.1.00. Please refer to [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/11-1/release-notes.html#concept.dita_ea0082004fb8c78a1723b9377f592085674b7ef7_jdk17) for more details. This configuration is ***disabled by default.*** ## 3.0.26 General Updates - - Commented out Nginx specific annotations in the ingress configuration - If you are using an Nginx ingress controller you will need to add or uncomment the following annotation manually - nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" @@ -311,27 +279,22 @@ config: - Added Gateway [Pod Disruption Budget](./README.md#pod-disruption-budgets) ## 3.0.25 OTK Schedule job success and failure limts - - Added configurable success and failure job history limit for OTK database maintenance schedule jobs. ## 3.0.24 General Updates - - Custom Volumes for initContainers and Sidecars - This allows configmaps/secrets to be mounted to initContainers and sideCars - customSideCarVolumes - customInitVolumes -## 3.0.23 OTK 4.6.2_202402 Released - +## 3.0.23 OTK 4.6.2_202402 Released - Updated OTK image version value ## 3.0.22 General Updates - - Updated Chart ci values - no impact ## 3.0.21 General Updates - - Updated [Redis Configuration](./README.md#redis-configuration) - More context added for creating your own redis properties file - More context added for Redis auth @@ -340,14 +303,13 @@ config: - Added Graphman Bundle support to the bootstrap script - files that end in .json will be copied into the bootstrap folder -## 3.0.20 General Updates +## 3.0.20 General Updates - Updated image - Updated to Gateway 11.0.00_CR2 - this will cause a restart if you are not overriding the default image ## 3.0.19 General Updates - - Updated image - Updated to Gateway 11.0.00_CR1 - this will cause a restart if you are not overriding the default image @@ -365,83 +327,70 @@ config: - MySQL subChart updated - Grafana subChart updated -## 3.0.18 General Updates +## 3.0.18 General Updates - OTK documentation updates. ## 3.0.17 OTK 4.6.2 Released + - The default image tag in values.yaml and production-values.yaml for OTK updated to **4.6.2**. + - otk.job.image.tag: 4.6.2 + - OTK DB install/upgrade using Liquibase scripts for MySql and Oracle. + - otk.database.dbupgrade + - OTK DB install/upgrade on the gateways MySQL container (MySQL subchart) - ***This is not supported or recommended for production use.*** + - otk.database.useDemodb + - Install/upgrade OTK of type SINGLE on Ephemeral gateways using initContainer is now supported. + - database.enabled: false + - otk.type: SINGLE + - Added OTK Connection properties to support c3p0 settings. + - otk.database.connectionProperties + - Added support OTK read-only connections for MySQL and Oracle. + - otk.database.readOnlyConnection.* + - Added support for OTK policies customization through config maps and secrets. + - otk.customizations.existingBundle.enabled + - OTK DMZ/Internal gateway certs can now be configured using values file. + - otk.cert +> [!Important] +> - To upgrade OTK to 4.6.2 installed over gateway with demo db as database, update helm repo, perform helm delete and install. +> - When upgrading OTK 4.6.2 on a db backed gateway, the gateway will restart as there is a change related to OTK health check bundle in gateway deployment. This can lead to failure of OTK upgrade. To circumvent this, please perform a helm upgrade `otk.healthCheckBundle.enabled` set to `false` and then upgrade to the 3.0.17. +> ``` +> helm upgrade my-ssg --set-file "license.value=license.value=path/to/license.xml" --set "license.accept=true,otk.healthCheckBundle.enabled=false" layer7/gateway --version 3.0.16 -f ./values-production.yaml +> helm upgrade my-ssg --set-file "license.value=license.value=path/to/license.xml" --set "license.accept=true" layer7/gateway --version 3.0.17 -f ./values-production.yaml +> ``` -- The default image tag in values.yaml and production-values.yaml for OTK updated to **4.6.2**. - - otk.job.image.tag: 4.6.2 -- OTK DB install/upgrade using Liquibase scripts for MySql and Oracle. - - otk.database.dbupgrade -- OTK DB install/upgrade on the gateways MySQL container (MySQL subchart) - ***This is not supported or recommended for production use.*** - - otk.database.useDemodb -- Install/upgrade OTK of type SINGLE on Ephemeral gateways using initContainer is now supported. - - database.enabled: false - - otk.type: SINGLE -- Added OTK Connection properties to support c3p0 settings. - - otk.database.connectionProperties -- Added support OTK read-only connections for MySQL and Oracle. - - otk.database.readOnlyConnection.* -- Added support for OTK policies customization through config maps and secrets. - - otk.customizations.existingBundle.enabled -- OTK DMZ/Internal gateway certs can now be configured using values file. - - otk.cert - > [!Important] - > - > - To upgrade OTK to 4.6.2 installed over gateway with demo db as database, update helm repo, perform helm delete and install. - > - When upgrading OTK 4.6.2 on a db backed gateway, the gateway will restart as there is a change related to OTK health check bundle in gateway deployment. This can lead to failure of OTK upgrade. To circumvent this, please perform a helm upgrade `otk.healthCheckBundle.enabled` set to `false` and then upgrade to the 3.0.17. - > - > ``` - > - > ``` - > helm upgrade my-ssg --set-file "license.value=license.value=path/to/license.xml" --set "license.accept=true,otk.healthCheckBundle.enabled=false" layer7/gateway --version 3.0.16 -f ./values-production.yaml - > helm upgrade my-ssg --set-file "license.value=license.value=path/to/license.xml" --set "license.accept=true" layer7/gateway --version 3.0.17 -f ./values-production.yaml - > ``` ## 3.0.16 General Updates - - Added resources to otk install job - otk.job.resources ## 3.0.15 General Updates - - Updated [bootstrap script](./README.md#bootstrap-script) - 'find' replaced with 'du' ## 3.0.14 General Updates - - Added pod labels and annotations to the otk-install job. - otk.job.podLabels - otk.job.podAnnotations ## 3.0.13 General Updates - - The OTK Install job now uses podSecurity and containerSecurity contexts if set. - Updated how pod labels and annotations are templated in deployment.yaml ## 3.0.12 General Updates - Traffic Policies for Gateway Services are now configurable. The Kubernetes default for these options is `Cluster` if left unset. - - [Internal Traffic Policy](https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/#using-service-internal-traffic-policy) - [External Traffic Policy](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip) -## 3.0.11 General Updates +## 3.0.11 General Updates Updates to Gateway Container Lifecycle. - - [A new preStop script has been added for graceful termination](./README.md#graceful-termination) - terminationGracePeriodSeconds must be greater than preStopScript.timeoutSeconds - Container Lifecycle can be overridden for custom exec/http calls ## 3.0.10 General Updates - Custom labels and annotations have been extended to all objects the Gateway Chart deploys. Pod Labels and annotations have been added to the Gateway and PM-Tagger deployments. - Additional Labels/Annotations apply to everything in this Chart's templates - ``` # Additional Annotations apply to all deployed objects additionalAnnotations: {} @@ -451,7 +400,6 @@ additionalLabels: {} ``` - Pod Labels/Annotations at the base level apply to the Gateway Pod - ``` ## Pod Labels for the Gateway Pod ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ @@ -463,7 +411,6 @@ podAnnotations: {} ``` - PM-Tagger pod labels/annotations are separate - ``` pmtagger: ... @@ -477,52 +424,42 @@ pmtagger: ``` ## 3.0.9 Updates to PM-Tagger - PM tagger has following additional configuration options - - [Topology Spread Constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/#spread-constraints-for-pods) - [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) - [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) - [All PM-Tagger Configuration](./README.md#pm-tagger-configuration) ## 3.0.8 Updates to Hazelcast - The default image tag in values.yaml is updated to **5.2.1** and xsd version in configmap.yaml to **5.2**. The updates are due to vulnerability from CVE-2022-36437. The updates are applied to both the gateway and gateway-otk chart. ## 3.0.7 General Updates - The bootstrap script has been updated to reflect changes to the Container Gateway's filesystem. The updates are currently limited to 10.1.00_CR3. Please see the [InitContainer Examples](https://github.com/Layer7-Community/Utilities/tree/main/gateway-init-container-examples) for more info . The PM Tagger image default version tag been updated to 1.0.1. ## 3.0.6 General Updates - The default image tag in values.yaml and production-values.yaml for OTK updated to **4.6.1**. Support for liveness and readiness probes using OTK health check service. ## 3.0.5 General Updates - The default image tag in values.yaml and production-values.yaml, and the appVersion in Chart.yaml have been updated to **11.0.00**. Before upgrading existing deployments, please see the [Container Gateway 11.0 Release Notes](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw-11-0/release-notes_cgw.html) for important information regarding the procedure. ## 3.0.4 General Updates - OTK installation and upgrade is now supported as part of Gateway charts. Please refer to [OTK Install or Upgrade](./README.md#otk-install-or-upgrade) for more details. [Gateway-OTK](../gateway-otk) is now deprecated. ## 3.0.2 General Updates - ***The default image tag in values.yaml and production-values.yaml now points at specific GA or CR versions of the API Gateway. The appVersion in Chart.yaml has also been updated to reflect that. As of this release, that is 10.1.00_CR2*** To reduce reliance on requiring a custom/derived gateway image for custom and modular assertions, scripts and restman bundles a bootstrap script has been introduced. The script works with the /opt/docker/custom folder. The best way to populate this folder is with an initContainer where files can be copied directly across or dynamically loaded from an external source. - - [InitContainer Examples](https://github.com/Layer7-Community/Utilities/tree/main/gateway-init-container-examples) - this repository also contains examples for custom health checks and configuration files. The following configuration options have been added - - [Custom Health Checks](./README.md#custom-health-checks) - [Custom Configuration Files](./README.md#custom-configuration-files) - [Topology Spread Constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/#spread-constraints-for-pods) @@ -534,24 +471,20 @@ The following configuration options have been added - SubCharts now show image repository and tags ### Upgrading to Chart v3.0.0 - Please see the 3.0.0 updates, this release brings significant updates and ***breaking changes*** if you are using an external Hazelcast 3.x server. Services and Ingress configuration have also changed. Read the 3.0.0 Updates below and check out the [additional guides](./README.md#additional-guides) for more info. ## 3.0.0 Updates to Hazelcast - ***Hazelcast 4.x/5.x servers are now supported*** this represents a breaking change if you have configured an external Hazelcast 3.x server. - - If you are using Gateway v10.1 and below you will either need to set *hazelcast.legacy.enabled=true* and use the following gateway image *docker.io/caapim/gateway:10.1.00_20220802* or update your external Hazelcast server. - The included Hazelcast subChart has been updated to reflect this change ### 3.0.0 Updates to Ingress Configuration - Ingress configuration has been updated to include multiple hosts, please see [Ingress Configuration](./README.md#ingress-configuration) for more detail. You will need to update your values.yaml to reflect the changes. ## 3.0.0 General Updates - - You can now configure [Gateway Ports.](./README.md#port-configuration) -This does not cover Kubernetes Service level configuration which will ***need to be updated*** to reflect your changes. + This does not cover Kubernetes Service level configuration which will ***need to be updated*** to reflect your changes. + - New Management Service - Provides separation of concerns for external/management traffic. This was previously a manual step. - [Autoscaling](./README.md#autoscaling) @@ -565,34 +498,29 @@ This does not cover Kubernetes Service level configuration which will ***need to - Includes a baseline for production configuration - Resources are set to minimum recommended values - Application ports are hardened - - 8080 (disabled) - - 8443 (management features disabled - service is ClusterIP) - - 9443 (configured with management service) + - 8080 (disabled) + - 8443 (management features disabled - service is ClusterIP) + - 9443 (configured with management service) - Autoscaling is enabled - Ingress is enabled - - Rules are configured for 8443 + - Rules are configured for 8443 - Database is not created - you will need to supply a JDBC Url ## Changes that will affect you if upgrading from 2.0.1 and below - - MySQL Stable Chart is deprecated - the demo database subChart has been changed to Bitnami MySQL - if your database is NOT externalised you will lose any policy/configuration you have there. - tls.customKey ==> tls.useSignedCertificates tls.key tls.pass tls.existingSecretName ## 2.0.6 General Updates - - Fixing bitnami repository dependency issue. ## 2.0.5 General Updates - - Internal only. ## 2.0.4 Updates to Secret Management - - Added support for the Kubernetes CSI Driver for gateway bundles. This does not currently extend to environment variables or the Gateway license. - The CSI functionality is optional ## 2.0.4 General Updates - - Added support for sidecars and initContainers - volumeMounts are automatically configured with emptyDir - Updated default values update to reflect empty objects/arrays for optional fields. @@ -600,17 +528,14 @@ This does not cover Kubernetes Service level configuration which will ***need to - management.kubernetes.loadServiceAccountToken # Java 11 - The Layer7 API Gateway is now running with Java 11 with the release of the v10.1.00. The Gateway chart's version has been incremented to 2.0.2. Things to note and be aware of are the deprecation of TLSv1.0/TLSv1.1 and the JAVA_HOME dir has gone through some changes as well. ## 2.0.2 Updates to Secret Management - - You can now specify existing secrets for Gateway Configuration, DefaultSSLKey (tls) and bundles ## 2.0.2 General Updates - - Ingress Definition updated to reflect the new API Version, additional configuration added. - HostAliases applies to /etc/hosts for dns names that aren't available on a dns server. - System.properties is now mounted to the Gateway Container, default values have been applied. @@ -619,9 +544,7 @@ Things to note and be aware of are the deprecation of TLSv1.0/TLSv1.1 and the JA - Resources values updated to reflect minimum recommended configuration ## Upgrading to 2.0.2 - ***If you are using the demo database in a previous version of this Chart this upgrade will remove it. If you wish to keep your data you will need to perform a backup.*** - ``` $ helm repo update $ helm show values layer7/gateway > gateway-values.yaml @@ -630,4 +553,3 @@ Inspect and update the new gateway-values.yaml $ helm upgrade my-ssg --set-file "license.value=path/to/license.xml" --set "license.accept=true" -f ./gateway-values.yaml layer7/gateway ``` - From 024a5aaa1c3d17cd388a9e552a82a5a4c4f7a26c Mon Sep 17 00:00:00 2001 From: jchanbcbc Date: Tue, 23 Jun 2026 00:49:06 -0700 Subject: [PATCH 20/20] revert back added lines by AI --- charts/gateway/README.md | 1390 ++++++++++++++++---------------------- 1 file changed, 586 insertions(+), 804 deletions(-) diff --git a/charts/gateway/README.md b/charts/gateway/README.md index bb015d2c..3fc5268c 100644 --- a/charts/gateway/README.md +++ b/charts/gateway/README.md @@ -1,22 +1,18 @@ # Layer7 API Gateway - This Chart deploys the API Gateway v11.x onward with the following `optional` subchart: hazelcast. This Chart also includes basic MySQL and Redis statefulsets for trying out the Chart; these are example only and do not represent production ready configurations. ## Bitnami Public Catalog Removal - The Bitnami subCharts have now been fully removed from the Gateway Helm Chart. Please read the release notes for [Gateway v3.0.45](./release-notes.md#3039-bitnami-subchart-removal) for more details. ### Important Note - The included MySQL Statefulset is enabled by default to make trying this chart out easier. ***It is not supported or recommended for production.*** Layer7 assumes that you are deploying a Gateway solution to a Kubernetes environment with an external MySQL database. ## Release notes - - Current Chart Version 3.1.1 + - Please review release notes [here](./release-notes.md) ## Prerequisites - - Kubernetes - [Refer to techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw-11-0/release-notes_cgw/requirements-and-compatibility.html#concept.dita_req_comp_refresh_gw10cr2_platforms) for the latest version support - Helm v3.x @@ -24,34 +20,26 @@ The included MySQL Statefulset is enabled by default to make trying this chart o - Gateway v10.x or v11.x License #### Note - It's important that your Kubernetes Client and Server versions are compatible. You can verify this by running the following - ``` kubectl version ``` - output - ``` Client Version: v1.29.1 Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3 Server Version: v1.27.6+b49f9d1 WARNING: version difference between client (1.29) and server (1.27) exceeds the supported minor version skew of +/-1 ``` - The above message indicates that the client version (kubectl) is greater than the server version by more than 1 minor version. This may cause unforseen errors when using Kubectl or Helm. Please also check your Helm version against [this](https://helm.sh/docs/topics/version_skew/#supported-version-skew) compatibility matrix - ``` helm version ``` - output - ``` version.BuildInfo{Version:"v3.13.3", GitCommit:"c8b948945e52abba22ff885446a1486cb5fd3474", GitTreeState:"clean", GoVersion:"go1.21.5"} @@ -60,89 +48,76 @@ Helm Version Supported Kubernetes Versions ``` ## Optional - - Persistent Volume Provisioner (if using PVC for the Demo MySQL or Redis Statefulset) ## Recommended - - [An Ingress Controller](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/) ### Production - - [Metrics Server](https://github.com/kubernetes-sigs/metrics-server) if you would like to enable autoscaling. #### MySQL/Database Backed Gateways - - [A dedicated external MySQL 8.0.22/8.0.26 server](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw-10-1/install-configure-upgrade/using-mysql-8-0-with-gateway-10.html) ### Advanced Configuration - -- [Additional Guides](#additional-guides) -- [Thinking in Kubernetes](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw-10-1/learning-center/thinking-in-kubernetes.html) +* [Additional Guides](#additional-guides) +* [Thinking in Kubernetes](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw-10-1/learning-center/thinking-in-kubernetes.html) #### Getting Started - ***If you are using a previous version of this Chart please read the updates section before you upgrade.*** - -- [Install the Chart](#installing-the-chart) -- [Upgrade the Chart](#upgrading-the-chart) -- [Uninstall the Chart](#uninstalling-the-chart) +* [Install the Chart](#installing-the-chart) +* [Upgrade the Chart](#upgrading-the-chart) +* [Uninstall the Chart](#uninstalling-the-chart) ## Additional Guides +* [Configuration](#configuration) +* [Service Configuration](#port-configuration) +* [Gateway Application Ports](#gateway-application-ports) +* [OTK Install or Upgrade](#otk-install-or-upgrade) +* [OTK Compatibility with Gateway 11.2](#otk-compatibility-with-gateway-112) +* [Ingress Configuration](#ingress-configuration) +* [Kubernetes Gateway API Configuration](#kubernetes-gateway-api-configuration) +* [PM Tagger Configuration](#pm-tagger-configuration) +* [Shared State Preview Features](#shared-state-preview-features) +* [Redis Configuration](#redis-configuration) +* [Redis StatefulSet](#redis-statefulset-developmenttesting-only) +* [GemFire Configuration](#gemfire-configuration-1113) +* [Shared State Provider Configuration](#shared-state-provider-config) +* [OpenTelemetry Configuration](#opentelemetry-configuration) +* [Database Configuration](#database-configuration) +* [Database Migration Job](#database-migration-job-pre-upgrade-schema-updates) +* [MySQL StatefulSet](#mysql-statefulset-developmenttesting-only) +* [Cluster-Wide Properties](#cluster-wide-properties) +* [Enable DualStack(IPv4/IPv6)](#enable-dualstack) +* [Java Args](#java-args) +* [System Properties](#system-properties) +* [Diskless Configuration](#diskless-configuration) +* [Gateway Bundles](#bundle-configuration) +* [Bootstrap Script](#bootstrap-script) +* [Custom Health Checks](#custom-health-checks) +* [Custom Configuration Files](#custom-configuration-files) +* [Logs & Audit Configuration](#logs--audit-configuration) +* [Graceful Termination](#graceful-termination) +* [Autoscaling](#autoscaling) +* [Pod Disruption Budgets](#pod-disruption-budgets) +* [RBAC Parameters](#rbac-parameters) +* [SubChart Configuration](#subchart-configuration) -- [Configuration](#configuration) -- [Service Configuration](#port-configuration) -- [Gateway Application Ports](#gateway-application-ports) -- [OTK Install or Upgrade](#otk-install-or-upgrade) -- [OTK Compatibility with Gateway 11.2](#otk-compatibility-with-gateway-112) -- [Ingress Configuration](#ingress-configuration) -- [Kubernetes Gateway API Configuration](#kubernetes-gateway-api-configuration) -- [PM Tagger Configuration](#pm-tagger-configuration) -- [Shared State Preview Features](#shared-state-preview-features) -- [Redis Configuration](#redis-configuration) -- [Redis StatefulSet](#redis-statefulset-developmenttesting-only) -- [GemFire Configuration](#gemfire-configuration-1113) -- [Shared State Provider Configuration](#shared-state-provider-config) -- [OpenTelemetry Configuration](#opentelemetry-configuration) -- [Database Configuration](#database-configuration) -- [Database Migration Job](#database-migration-job-pre-upgrade-schema-updates) -- [MySQL StatefulSet](#mysql-statefulset-developmenttesting-only) -- [Cluster-Wide Properties](#cluster-wide-properties) -- [Enable DualStack(IPv4/IPv6)](#enable-dualstack) -- [Java Args](#java-args) -- [System Properties](#system-properties) -- [Diskless Configuration](#diskless-configuration) -- [Gateway Bundles](#bundle-configuration) -- [Bootstrap Script](#bootstrap-script) -- [Custom Health Checks](#custom-health-checks) -- [Custom Configuration Files](#custom-configuration-files) -- [Logs & Audit Configuration](#logs--audit-configuration) -- [Graceful Termination](#graceful-termination) -- [Autoscaling](#autoscaling) -- [Pod Disruption Budgets](#pod-disruption-budgets) -- [RBAC Parameters](#rbac-parameters) -- [SubChart Configuration](#subchart-configuration) -## Installing the Chart +## Installing the Chart Check out [this guide](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw-10-1/learning-center/thinking-in-kubernetes/hands-on-gateway-deployment-in-kubernetes.html) for more in-depth instruction - ``` $ helm repo add layer7 https://caapim.github.io/apim-charts/ $ helm repo update $ helm install my-ssg --set-file "license.value=path/to/license.xml" --set "license.accept=true" layer7/gateway ``` - ## Upgrading the Chart - To upgrade your Gateway Release - ``` $ helm upgrade my-ssg --set-file "license.value=path/to/license.xml" --set "license.accept=true" layer7/gateway ``` - ## Uninstalling the Chart - To uninstall the Gateway Chart ``` @@ -150,15 +125,12 @@ $ helm uninstall -n ``` ## Custom values - To make sure that your custom values don't get overwritten by a pull, create your own values.yaml (myvalues.yaml..) then specify -f myvalues.yaml when deploying/upgrading ## Note on custom values - You only need to include the values you wish to change in your myvalues.yaml For example, you wish to deploy the Gateway Chart as is without a database. Your myvalues.yaml would then contain the following - ``` database: enabled: false @@ -166,165 +138,160 @@ database: ``` ## Configuration - The following table lists the configurable parameters of the Gateway chart and their default values. See values.yaml for additional parameters and info - -| Parameter | Description | Default | -| ----------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- | -| `nameOverride` | Name override | `nil` | -| `fullnameOverride` | Full name override | `nil` | -| `global.schedulerName` | Override the default scheduler | `nil` | -| `license.value` | Gateway license file | `nil` | -| `license.accept` | Accept Gateway license EULA | `false` | -| `disklessConfig.enabled` | Enable diskless configuration | `true` | -| `disklessConfig.setSecretByInitContainer` | Fetch and mount node.properties secret by InitContainer | `false` | -| `disklessConfig.existingSecret` | existing node.properties secret mount configuration | `{}` | -| `disklessConfig.existingSecret.name` | existing secret containing node.properties | `gateway-secret` | -| `disklessConfig.existingSecret.csi` | csi configuration for the [secret store csi driver](https://secrets-store-csi-driver.sigs.k8s.io/) | `commented out` | -| `image.registry` | Image Registry | `docker.io` | -| `image.repository` | Image Repository | `caapim/gateway` | -| `image.tag` | Image tag | `11.0.00` | -| `image.pullPolicy` | Image Pull Policy | `IfNotPresent` | -| `imagePullSecret.enabled` | Configures Gateway Deployment to use imagePullSecret, you can also leave this disabled and associate an image pull secret with the Gateway's Service Account | `false` | -| `imagePullSecret.existingSecretName` | Point to an existing Image Pull Secret | `commented out` | -| `imagePullSecret.username` | Registry Username | `nil` | -| `imagePullSecret.password` | Registry Password | `nil` | -| `additionalAnnotations` | Additional Annotations apply to all deployed objects | `{}` | -| `additionalLabels` | Additional Labels apply to all deployed objects | `{}` | -| `podLabels` | Pod Labels for the Gateway Pod | `{}` | -| `podAnnotations` | Pod Annotations apply to the Gateway Pod | `{}` | -| `replicas` | Number of Gateway replicas | `1` | -| `updateStrategy.type` | Deployment Strategy | `RollingUpdate` | -| `updateStrategy.rollingUpdate.maxSurge` | Rolling Update Max Surge | `1` | -| `updateStrategy.rollingUpdate.maxUnavailable` | Rolling Update Max Unavailable | `0` | -| `clusterHostname` | Gateway Cluster Hostname | `my.localdomain` | -| `existingGatewaySecretName` | Existing Secret that contains management credentials, see values.yaml for what must be included | `commented out` | -| `clusterPassword` | Cluster Password, used if db backed | `mypassword` | -| `management.enabled` | Enable/Disable Policy Manager access | `true` | -| `management.restman.enabled` | Enable/Disable the Rest Management API (Restman) | `false` | -| `management.username` | Policy Manager Username | `admin` | -| `management.password` | Policy Manager Password | `mypassword` | -| `management.kubernetes.loadServiceAccountToken` | Automatically load the Gateway Deployment's ServiceAccount Token for querying the Kubernetes API | `false` | -| `management.service.ipFamilyPolicy` | [IPv4/IPv6 dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/) | `commented out` | -| `management.service.ipFamilies` | [IPv4/IPv6 dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/) | `nil` | -| `database.enabled` | Run in DB Backed or Ephemeral Mode | `true` | -| `database.create` | Deploy the MySQL stable deployment as part of this release | `true` | -| `database.username` | Database Username | `gateway` | -| `database.password` | Database Password | `mypassword` | -| `database.liquibaseLogLevel` | Liquibase log level | `off` | -| `database.name` | Database name | `ssg` | -| `tls.useSignedCertificates` | Enable/Disable use of your own TLS Certificate, this ovverides the Gateway's defaultSSLKey | `false` | -| `tls.existingSecretName` | Existing Secret that contains TLS p12 container and pass, see values.yaml for what must be included | `commented out` | -| `tls.key` | p12 container - this can be set with --set-file tls.key=/path/to/tls.p12 | `nil` | -| `tls.pass` | p12 container password - this cannot be empty | `nil` | -| `config.heapSize` | Java Heap Size | `2g` | -| `config.minHeapSize` | Java Min Heap Size | `1g` | -| `config.maxHeapSize` | Java Max Heap Size | `3g` | -| `config.javaArgs` | Additional Java Args to pass to the SSG process | `see values.yaml` | -| `config.log.override` | Override the standard log configuration | `true` | -| `config.log.properties` | Custom logging properties | `see values.yaml` | -| `config.cwp.enabled` | Enable/Disable settable cluster-wide properties | `false` | -| `config.cwp.properties` | Set name/value pairs of cluster-wide properties | `see values.yaml` | -| `config.sytemProperties` | Configure the Gateway's system.properties file | `see values.yaml` | -| `additionalEnv` | Additional environment variables you wish to pass to the Gateway Configmap | `see values.yaml` | -| `additionalSecret` | Additional secret variables you wish to pass to the Gateway Secret | `see values.yaml` | -| `bundle.enabled` | Creates a configmap with bundles from the ./bundles folder | `false` | -| `bundle.path` | Specify the path to the bundle files. The bundles folder in this repo has some example bundle files | `"bundles/*.bundle"` | -| `existingBundle.enabled` | Enable mounting existing configMaps/Secrets that contain Layer7 Gateway Bundles - see values.yaml for more info | `false` | -| `existingBundle.configMaps` | Array of configMaps that will be mounted to the Gateway's bootstrap folder | `see values.yaml` | -| `existingBundle.secrets` | Array of Secrets that will be mounted to the Gateway's bootstrap folder | `see values.yaml` | -| `customHosts.enabled` | Enable customHosts on the Gateway, this overrides /etc/hosts. | `see values.yaml` | -| `customHosts.hostAliases` | Array of hostAliases to add to the Container Gateway | `see values.yaml` | -| `service.type` | Service Type | `LoadBalancer` | -| `service.ipFamilyPolicy` | [IPv4/IPv6 dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/) | `commented out` | -| `service.ipFamilies` | [IPv4/IPv6 dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/) | `nil` | -| `service.loadbalancer` | Additional Loadbalancer Configuration | `see https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service` | -| `service.ports` | List of http external port mappings | https: 8443 -> 8443, management: 9443->9443 | -| `service.annotations` | Additional annotations to add to the service | {} | -| `service.internalTrafficPolicy` | [Internal Traffic Policy](https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/#using-service-internal-traffic-policy) | `Cluster` | -| `service.externalTrafficPolicy` | [External Traffic Policy](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip) | `Cluster` | -| `ingress.enabled` | Enable/Disable an ingress or route record being created | `false` | -| `ingress.openshift.route.enabled` | Create an Openshift Route (Requires Openshift) | `false` | -| `ingress.openshift.route.wildcardPolicy` | Openshift Route Wildcard Policy | `None` | -| `ingress.openshift.route.weight` | Openshift Route Weight (0-255) | `commented` | -| `ingress.annotations` | ingress annotations | `{}` | -| `ingress.labels` | additional ingress labels | `{}` | -| `ingress.ingressClassName` | Ingress Class Name | `nginx` | -| `ingress.tls` | Ingress TLS Configuration | `see values.yaml` | -| `ingress.rules` | Ingress Rules Configuration | `see values.yaml` | -| `ingress.rules[].annotations` | Per-rule annotations (OpenShift Routes only). Merged with `ingress.annotations` | `not set` | -| `kubernetesGateway.enabled` | Enable Kubernetes Gateway API resources (EXPERIMENTAL) | `false` | -| `kubernetesGateway.gateway.create` | Create a new Gateway resource | `false` | -| `kubernetesGateway.gateway.gatewayClassName` | GatewayClass name (e.g. contour, eg). Required when create: true | `""` | -| `kubernetesGateway.gateway.addresses` | Optional addresses for the Gateway (e.g. static IPs). Array of `{type, value}` | `[]` | -| `kubernetesGateway.gateway.existingRef.name` | Name of an existing Gateway to reference | `""` | -| `kubernetesGateway.gateway.existingRef.namespace` | Namespace of the existing Gateway | `""` | -| `kubernetesGateway.gateway.tls.existingSecretName` | Reference an existing kubernetes.io/tls Secret for the listener. When set, no secret is created | `""` | -| `kubernetesGateway.gateway.labels` | Additional labels for the Gateway resource | `{}` | -| `kubernetesGateway.gateway.annotations` | Additional annotations for the Gateway resource | `{}` | -| `kubernetesGateway.httpRoute.enabled` | Enable HTTPRoute resource | `true` | -| `kubernetesGateway.httpRoute.rules` | HTTPRoute rules. Each rule routes to the chart's own service | `see values.yaml` | -| `kubernetesGateway.httpRoute.labels` | Additional labels for the HTTPRoute | `{}` | -| `kubernetesGateway.httpRoute.annotations` | Additional annotations for the HTTPRoute | `{}` | -| `kubernetesGateway.tlsRoute.enabled` | Enable TLSRoute resource (SNI passthrough) | `false` | -| `kubernetesGateway.tlsRoute.apiVersion` | TLSRoute API version. Set to `gateway.networking.k8s.io/v1` when your CRDs include TLSRoute at v1 | `gateway.networking.k8s.io/v1alpha2` | -| `kubernetesGateway.tlsRoute.rules` | TLSRoute rules. Each rule routes to the chart's own service | `see values.yaml` | -| `kubernetesGateway.tlsRoute.labels` | Additional labels for the TLSRoute | `{}` | -| `kubernetesGateway.tlsRoute.annotations` | Additional annotations for the TLSRoute | `{}` | -| `kubernetesGateway.backendTLSPolicy.enabled` | Enable BackendTLSPolicy for Gateway-to-backend TLS | `false` | -| `kubernetesGateway.backendTLSPolicy.excludePorts` | Ports to exclude from targetRefs. When empty, the policy covers all ports (no `sectionName`). When set, each non-excluded port gets an explicit targetRef with `sectionName` | `[]` | -| `kubernetesGateway.backendTLSPolicy.validation.hostname` | Hostname for backend TLS validation. If empty, defaults to `..svc.cluster.local` | `""` | -| `kubernetesGateway.backendTLSPolicy.validation.caCertificateRefs` | CA certificate references. If empty, defaults to the auto-generated CA ConfigMap | `[]` | -| `kubernetesGateway.backendTLSPolicy.validation.wellKnownCACertificates` | Use well-known CA certs (e.g. `System`). Mutually exclusive with `caCertificateRefs` | `""` | -| `kubernetesGateway.backendTLSPolicy.tls.existingSecretName` | Reference an existing kubernetes.io/tls Secret for the backend cert. When set, no secret is created | `""` | -| `kubernetesGateway.backendTLSPolicy.tls.bootstrap` | Enable SSL key bootstrap into the pod. Set `false` when you only need the BackendTLSPolicy resource | `true` | -| `kubernetesGateway.backendTLSPolicy.tls.forceBootstrap` | Force the bootstrap script on every install/upgrade (db-backed gateways skip on upgrade by default) | `false` | -| `kubernetesGateway.backendTLSPolicy.labels` | Additional labels for the BackendTLSPolicy | `{}` | -| `kubernetesGateway.backendTLSPolicy.annotations` | Additional annotations for the BackendTLSPolicy | `{}` | -| `kubernetesGateway.labels` | Labels applied to all Gateway API resources | `{}` | -| `kubernetesGateway.annotations` | Annotations applied to all Gateway API resources | `{}` | -| `startupProbe.enabled` | Enable/Disable | `false` | -| `startupProbe.initialDelaySeconds` | Initial delay | `60` | -| `startupProbe.timeoutSeconds` | Timeout | `1` | -| `startupProbe.periodSeconds` | Frequency | `10` | -| `startupProbe.successThreshold` | Success Threshold | `1` | -| `startupProbe.failureThreshold` | Failure Threshold | `10` | -| `livenessProbe.enabled` | Enable/Disable | `true` | -| `livenessProbe.initialDelaySeconds` | Initial delay | `60` | -| `livenessProbe.timeoutSeconds` | Timeout | `1` | -| `livenessProbe.periodSeconds` | Frequency | `10` | -| `livenessProbe.successThreshold` | Success Threshold | `1` | -| `livenessProbe.failureThreshold` | Failure Threshold | `10` | -| `readinessProbe.enabled` | Enable/Disable | `true` | -| `readinessProbe.initialDelaySeconds` | Initial delay | `60` | -| `readinessProbe.timeoutSeconds` | Timeout | `1` | -| `readinessProbe.periodSeconds` | Frequency | `10` | -| `readinessProbe.successThreshold` | Success Threshold | `1` | -| `readinessProbe.failureThreshold` | Failure Threshold | `10` | -| `resources.limits` | Resource Limits | `{}` | -| `resources.requests` | Resource Requests | `{}` | -| `nodeSelector` | [Node Selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) | `{}` | -| `affinity` | [Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) | `{}` | -| `topologySpreadConstraints` | [Topology Spread Constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/#spread-constraints-for-pods) | `[]` | -| `tolerations` | [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) | `[]` | -| `podSecurityContext` | [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | `[]` | -| `containerSecurityContext` | [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | `{}` | -| `bootstrap.script.enabled` | Enable the bootstrap script | `false` | +| Parameter | Description | Default | +| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | +| `nameOverride` | Name override | `nil` | +| `fullnameOverride` | Full name override | `nil` | +| `global.schedulerName` | Override the default scheduler | `nil` | +| `license.value` | Gateway license file | `nil` | +| `license.accept` | Accept Gateway license EULA | `false` | +| `disklessConfig.enabled` | Enable diskless configuration | `true` | +| `disklessConfig.setSecretByInitContainer` | Fetch and mount node.properties secret by InitContainer | `false` | +| `disklessConfig.existingSecret` | existing node.properties secret mount configuration | `{}` | +| `disklessConfig.existingSecret.name` | existing secret containing node.properties | `gateway-secret` | +| `disklessConfig.existingSecret.csi` | csi configuration for the [secret store csi driver](https://secrets-store-csi-driver.sigs.k8s.io/) | `commented out` | +| `image.registry` | Image Registry | `docker.io` | +| `image.repository` | Image Repository | `caapim/gateway` | +| `image.tag` | Image tag | `11.0.00` | +| `image.pullPolicy` | Image Pull Policy | `IfNotPresent` | +| `imagePullSecret.enabled` | Configures Gateway Deployment to use imagePullSecret, you can also leave this disabled and associate an image pull secret with the Gateway's Service Account | `false` | +| `imagePullSecret.existingSecretName` | Point to an existing Image Pull Secret | `commented out` | +| `imagePullSecret.username` | Registry Username | `nil` | +| `imagePullSecret.password` | Registry Password | `nil` | +| `additionalAnnotations` | Additional Annotations apply to all deployed objects | `{}` | +| `additionalLabels` | Additional Labels apply to all deployed objects | `{}` | +| `podLabels` | Pod Labels for the Gateway Pod | `{}` | +| `podAnnotations` | Pod Annotations apply to the Gateway Pod | `{}` | +| `replicas` | Number of Gateway replicas | `1` | +| `updateStrategy.type` | Deployment Strategy | `RollingUpdate` | +| `updateStrategy.rollingUpdate.maxSurge` | Rolling Update Max Surge | `1` | +| `updateStrategy.rollingUpdate.maxUnavailable` | Rolling Update Max Unavailable | `0` | +| `clusterHostname` | Gateway Cluster Hostname | `my.localdomain` | +| `existingGatewaySecretName` | Existing Secret that contains management credentials, see values.yaml for what must be included | `commented out` | +| `clusterPassword` | Cluster Password, used if db backed | `mypassword` | +| `management.enabled` | Enable/Disable Policy Manager access | `true` | +| `management.restman.enabled` | Enable/Disable the Rest Management API (Restman) | `false` | +| `management.username` | Policy Manager Username | `admin` | +| `management.password` | Policy Manager Password | `mypassword` | +| `management.kubernetes.loadServiceAccountToken` | Automatically load the Gateway Deployment's ServiceAccount Token for querying the Kubernetes API | `false` | +| `management.service.ipFamilyPolicy` | [IPv4/IPv6 dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/) | `commented out` | +| `management.service.ipFamilies` | [IPv4/IPv6 dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/) | `nil` | +| `database.enabled` | Run in DB Backed or Ephemeral Mode | `true` | +| `database.create` | Deploy the MySQL stable deployment as part of this release | `true` | +| `database.username` | Database Username | `gateway` | +| `database.password` | Database Password | `mypassword` | +| `database.liquibaseLogLevel` | Liquibase log level | `off` | +| `database.name` | Database name | `ssg` | +| `tls.useSignedCertificates` | Enable/Disable use of your own TLS Certificate, this ovverides the Gateway's defaultSSLKey | `false` | +| `tls.existingSecretName` | Existing Secret that contains TLS p12 container and pass, see values.yaml for what must be included | `commented out` | +| `tls.key` | p12 container - this can be set with --set-file tls.key=/path/to/tls.p12 | `nil` | +| `tls.pass` | p12 container password - this cannot be empty | `nil` | +| `config.heapSize` | Java Heap Size | `2g` | +| `config.minHeapSize` | Java Min Heap Size | `1g` | +| `config.maxHeapSize` | Java Max Heap Size | `3g` | +| `config.javaArgs` | Additional Java Args to pass to the SSG process | `see values.yaml` | +| `config.log.override` | Override the standard log configuration | `true` | +| `config.log.properties` | Custom logging properties | `see values.yaml` | +| `config.cwp.enabled` | Enable/Disable settable cluster-wide properties | `false` | +| `config.cwp.properties` | Set name/value pairs of cluster-wide properties | `see values.yaml` | +| `config.sytemProperties` | Configure the Gateway's system.properties file | `see values.yaml` | +| `additionalEnv` | Additional environment variables you wish to pass to the Gateway Configmap | `see values.yaml` | +| `additionalSecret` | Additional secret variables you wish to pass to the Gateway Secret | `see values.yaml` | +| `bundle.enabled` | Creates a configmap with bundles from the ./bundles folder | `false` | +| `bundle.path` | Specify the path to the bundle files. The bundles folder in this repo has some example bundle files | `"bundles/*.bundle"` | +| `existingBundle.enabled` | Enable mounting existing configMaps/Secrets that contain Layer7 Gateway Bundles - see values.yaml for more info | `false` | +| `existingBundle.configMaps` | Array of configMaps that will be mounted to the Gateway's bootstrap folder | `see values.yaml` | +| `existingBundle.secrets` | Array of Secrets that will be mounted to the Gateway's bootstrap folder | `see values.yaml` | +| `customHosts.enabled` | Enable customHosts on the Gateway, this overrides /etc/hosts. | `see values.yaml` | +| `customHosts.hostAliases` | Array of hostAliases to add to the Container Gateway | `see values.yaml` | +| `service.type` | Service Type | `LoadBalancer` | +| `service.ipFamilyPolicy` | [IPv4/IPv6 dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/) | `commented out` | +| `service.ipFamilies` | [IPv4/IPv6 dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/) | `nil` | +| `service.loadbalancer` | Additional Loadbalancer Configuration | `see https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service` | +| `service.ports` | List of http external port mappings | https: 8443 -> 8443, management: 9443->9443 | +| `service.annotations` | Additional annotations to add to the service | {} | +| `service.internalTrafficPolicy` | [Internal Traffic Policy](https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/#using-service-internal-traffic-policy) | `Cluster` | +| `service.externalTrafficPolicy` | [External Traffic Policy](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip) | `Cluster` | +| `ingress.enabled` | Enable/Disable an ingress or route record being created | `false` | +| `ingress.openshift.route.enabled` | Create an Openshift Route (Requires Openshift) | `false` | +| `ingress.openshift.route.wildcardPolicy` | Openshift Route Wildcard Policy | `None` | +| `ingress.openshift.route.weight` | Openshift Route Weight (0-255) | `commented` | +| `ingress.annotations` | ingress annotations | `{}` | +| `ingress.labels` | additional ingress labels | `{}` | +| `ingress.ingressClassName` | Ingress Class Name | `nginx` | +| `ingress.tls` | Ingress TLS Configuration | `see values.yaml` | +| `ingress.rules` | Ingress Rules Configuration | `see values.yaml` | +| `ingress.rules[].annotations` | Per-rule annotations (OpenShift Routes only). Merged with `ingress.annotations` | `not set` | +| `kubernetesGateway.enabled` | Enable Kubernetes Gateway API resources (EXPERIMENTAL) | `false` | +| `kubernetesGateway.gateway.create` | Create a new Gateway resource | `false` | +| `kubernetesGateway.gateway.gatewayClassName` | GatewayClass name (e.g. contour, eg). Required when create: true | `""` | +| `kubernetesGateway.gateway.addresses` | Optional addresses for the Gateway (e.g. static IPs). Array of `{type, value}` | `[]` | +| `kubernetesGateway.gateway.existingRef.name` | Name of an existing Gateway to reference | `""` | +| `kubernetesGateway.gateway.existingRef.namespace` | Namespace of the existing Gateway | `""` | +| `kubernetesGateway.gateway.tls.existingSecretName` | Reference an existing kubernetes.io/tls Secret for the listener. When set, no secret is created | `""` | +| `kubernetesGateway.gateway.labels` | Additional labels for the Gateway resource | `{}` | +| `kubernetesGateway.gateway.annotations` | Additional annotations for the Gateway resource | `{}` | +| `kubernetesGateway.httpRoute.enabled` | Enable HTTPRoute resource | `true` | +| `kubernetesGateway.httpRoute.rules` | HTTPRoute rules. Each rule routes to the chart's own service | `see values.yaml` | +| `kubernetesGateway.httpRoute.labels` | Additional labels for the HTTPRoute | `{}` | +| `kubernetesGateway.httpRoute.annotations` | Additional annotations for the HTTPRoute | `{}` | +| `kubernetesGateway.tlsRoute.enabled` | Enable TLSRoute resource (SNI passthrough) | `false` | +| `kubernetesGateway.tlsRoute.apiVersion` | TLSRoute API version. Set to `gateway.networking.k8s.io/v1` when your CRDs include TLSRoute at v1 | `gateway.networking.k8s.io/v1alpha2` | +| `kubernetesGateway.tlsRoute.rules` | TLSRoute rules. Each rule routes to the chart's own service | `see values.yaml` | +| `kubernetesGateway.tlsRoute.labels` | Additional labels for the TLSRoute | `{}` | +| `kubernetesGateway.tlsRoute.annotations` | Additional annotations for the TLSRoute | `{}` | +| `kubernetesGateway.backendTLSPolicy.enabled` | Enable BackendTLSPolicy for Gateway-to-backend TLS | `false` | +| `kubernetesGateway.backendTLSPolicy.excludePorts` | Ports to exclude from targetRefs. When empty, the policy covers all ports (no `sectionName`). When set, each non-excluded port gets an explicit targetRef with `sectionName` | `[]` | +| `kubernetesGateway.backendTLSPolicy.validation.hostname` | Hostname for backend TLS validation. If empty, defaults to `..svc.cluster.local` | `""` | +| `kubernetesGateway.backendTLSPolicy.validation.caCertificateRefs` | CA certificate references. If empty, defaults to the auto-generated CA ConfigMap | `[]` | +| `kubernetesGateway.backendTLSPolicy.validation.wellKnownCACertificates` | Use well-known CA certs (e.g. `System`). Mutually exclusive with `caCertificateRefs` | `""` | +| `kubernetesGateway.backendTLSPolicy.tls.existingSecretName` | Reference an existing kubernetes.io/tls Secret for the backend cert. When set, no secret is created | `""` | +| `kubernetesGateway.backendTLSPolicy.tls.bootstrap` | Enable SSL key bootstrap into the pod. Set `false` when you only need the BackendTLSPolicy resource | `true` | +| `kubernetesGateway.backendTLSPolicy.tls.forceBootstrap` | Force the bootstrap script on every install/upgrade (db-backed gateways skip on upgrade by default) | `false` | +| `kubernetesGateway.backendTLSPolicy.labels` | Additional labels for the BackendTLSPolicy | `{}` | +| `kubernetesGateway.backendTLSPolicy.annotations` | Additional annotations for the BackendTLSPolicy | `{}` | +| `kubernetesGateway.labels` | Labels applied to all Gateway API resources | `{}` | +| `kubernetesGateway.annotations` | Annotations applied to all Gateway API resources | `{}` | +| `startupProbe.enabled` | Enable/Disable | `false` | +| `startupProbe.initialDelaySeconds` | Initial delay | `60` | +| `startupProbe.timeoutSeconds` | Timeout | `1` | +| `startupProbe.periodSeconds` | Frequency | `10` | +| `startupProbe.successThreshold` | Success Threshold | `1` | +| `startupProbe.failureThreshold` | Failure Threshold | `10` | +| `livenessProbe.enabled` | Enable/Disable | `true` | +| `livenessProbe.initialDelaySeconds` | Initial delay | `60` | +| `livenessProbe.timeoutSeconds` | Timeout | `1` | +| `livenessProbe.periodSeconds` | Frequency | `10` | +| `livenessProbe.successThreshold` | Success Threshold | `1` | +| `livenessProbe.failureThreshold` | Failure Threshold | `10` | +| `readinessProbe.enabled` | Enable/Disable | `true` | +| `readinessProbe.initialDelaySeconds` | Initial delay | `60` | +| `readinessProbe.timeoutSeconds` | Timeout | `1` | +| `readinessProbe.periodSeconds` | Frequency | `10` | +| `readinessProbe.successThreshold` | Success Threshold | `1` | +| `readinessProbe.failureThreshold` | Failure Threshold | `10` | +| `resources.limits` | Resource Limits | `{}` | +| `resources.requests` | Resource Requests | `{}` | +| `nodeSelector` | [Node Selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) | `{}` | +| `affinity` | [Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) | `{}` | +| `topologySpreadConstraints` | [Topology Spread Constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/#spread-constraints-for-pods) | `[]` | +| `tolerations` | [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) | `[]` | +| `podSecurityContext` | [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | `[]` | +| `containerSecurityContext` | [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | `{}` | +| `bootstrap.script.enabled` | Enable the bootstrap script | `false` | [Back to Additional Guides](#additional-guides) ## Port Configuration - There are two types of port configuration available in the Gateway Helm Chart that are configured in the following ways ### Container/Service Level Ports ### Default Gateway Service - Sample entry that exposes 8443 which is one of the default TLS port on the API Gateway using service type LoadBalancer. - ``` service: type: LoadBalancer @@ -337,7 +304,6 @@ service: ``` ### Production Values Default - Sample entry that exposes 8443 which is one of the default TLS ports on the API Gateway Note that the service type is ClusterIP which does not receive an external IP address. We can make this service accessible by configuring an [ingress resource](#ingress-configuration). @@ -351,9 +317,7 @@ service: external: 8443 protocol: TCP ``` - ### Gateway Management Service - The Gateway Management Service is primarily used to expose Gateway Ports that you wish to use for Internal Management Access for tools like Policy Manager. This Service requires the [PM Tagger](#pm-tagger) to function correctly. ``` @@ -375,22 +339,19 @@ management: [Back to Additional Guides](#additional-guides) ### OTK Compatibility with Gateway 11.2 - These below information is relevant for those who are upgrading their Gateway to version 11.2 and utilizing the OAuth Toolkit (OTK) - 1. **OTK 4.6.4** is presently the only version that provides seamless support for Gateway 11.2 2. For older versions (< OTK 4.6.4), the below steps have to be followed to ensure smooth transition to Gateway 11.2 - - After upgrading Gateway to 11.2 If there is a necessity to install or upgrade to OTK version 4.6.3, 4.6.2, 4.6.1, or 4.6.0, please ensure to update the OTK image tag to use one of the below tags corresponding to the specific version being deployed: - - 4.6.0.1 - - 4.6.1.1 - - 4.6.2.1 - - 4.6.3.1 - - It has to be ensured that Evaluate JSON Path Assertion (V1) assertion is added to the GW. - - This will be provided as Tactical assertion. Please find more information on how to get the assertion [here](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-6/release-notes.html) - - In Helm chart, this can be done using init Containers. For more information & examples refer to [Utilities](https://github.com/Layer7-Community/Utilities/tree/main/gateway-init-container-examples) + * After upgrading Gateway to 11.2 If there is a necessity to install or upgrade to OTK version 4.6.3, 4.6.2, 4.6.1, or 4.6.0, please ensure to update the OTK image tag to use one of the below tags corresponding to the specific version being deployed: + * 4.6.0.1 + * 4.6.1.1 + * 4.6.2.1 + * 4.6.3.1 + * It has to be ensured that Evaluate JSON Path Assertion (V1) assertion is added to the GW. + * This will be provided as Tactical assertion. Please find more information on how to get the assertion [here](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-6/release-notes.html) + * In Helm chart, this can be done using init Containers. For more information & examples refer to [Utilities](https://github.com/Layer7-Community/Utilities/tree/main/gateway-init-container-examples) ### OTK install or upgrade - OTK can be install or upgrade gateway. Supports SINGLE, INTERNAL and DMZ types of OTK installations on db backed gateway. On ephermal gateway only SINGLE mode is supported. - On a database backed gateway, once gateway is healthy, k8s kind/job is used to install OTK using Restman ([OTK Headless installation](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-6/installation-workflow/install-the-oauth-solution-kit/headless-installation-of-otk-solution-kit.html)) @@ -398,21 +359,16 @@ OTK can be install or upgrade gateway. Supports SINGLE, INTERNAL and DMZ types - On a Ephemeral or database backed gateway, before the start of gateway, k8s job to used to install/update the OTK database (Cassandra database is not supported and should be upgraded [manually](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-6/installation-workflow/create-or-upgrade-the-otk-database.html)) ***NOTE:*** - 1. When installing or Upgrading Gateway with OTK enabled, add timeout with the helm command to ensure OTK install job waits for Gateway to be ready - ``` Example: The timeout of 900s is recommended for helm upgrade since it takes additional time to complete helm install otk layer7/gateway --set-file "license.value=path/license.xml" \ --set "license.accept=true,management.restman.enabled=true,otk.enabled=true" --timeout 900s ``` - -1. In dual gateway installation, restart the pods after OTK install or upgrade is required. +2. In dual gateway installation, restart the pods after OTK install or upgrade is required. Prerequisites: - -- Configure cluster wide property for otk.port pointing to gateway ingress port and OTK database type. - +* Configure cluster wide property for otk.port pointing to gateway ingress port and OTK database type. ``` config: cwp: @@ -423,10 +379,8 @@ config: - name: otk.dbsystem value: mysql ``` - -- Restman is enabled. Can be disabled once the install/upgrage is complete. - - This is not applicable for ephemeral GW - +* Restman is enabled. Can be disabled once the install/upgrage is complete. + * This is not applicable for ephemeral GW ``` management: restman: @@ -434,131 +388,125 @@ management: ``` Limitations: - -- OTK Instance modifiers are not supported. -- Install/Upgrade of OTK schema on cassandra database using kubernetes job is not supported. -- The Cassandra install scripts have to executed manually for new install scenario -- The Cassandra upgrade & data migration scripts(if any) have to be executed manually for upgrade scenario -- Dual gateway OTK set-up (otk.type: DMZ or INTERNAL) is not supported with ephemeral gateway. -- OTK upgrade to 4.6.3 will not upgrade the DB with utf8mb4 character set. This has to be done seperately following the steps provided in upgrade section in [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-6/installation-workflow/create-or-upgrade-the-otk-database/mysql-database.html) +* OTK Instance modifiers are not supported. +* Install/Upgrade of OTK schema on cassandra database using kubernetes job is not supported. +* The Cassandra install scripts have to executed manually for new install scenario +* The Cassandra upgrade & data migration scripts(if any) have to be executed manually for upgrade scenario +* Dual gateway OTK set-up (otk.type: DMZ or INTERNAL) is not supported with ephemeral gateway. +* OTK upgrade to 4.6.3 will not upgrade the DB with utf8mb4 character set. This has to be done seperately following the steps provided in upgrade section in [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-6/installation-workflow/create-or-upgrade-the-otk-database/mysql-database.html) OTK Deployment examples can be found [here](/examples/otk) -| Parameter | Description | Default | -| -------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------ | -| `otk.enabled` | Enable/Disable OTK installation or upgrade | `false` | -| `otk.type` | OTK installation type - SINGLE, DMZ or INTERNAL | `SINGLE` | -| `otk.forceInstallOrUpgrade` | Force install or upgrade by uninstalling existing otk soluction kit and install. | false | -| `otk.enablePortalIntegration` | Not applicable for DMZ and INTERNAL OTK types | `false` | -| `otk.skipPostInstallationTasks` | Skip post installation tasks for OTK type INTERNAL and DMZ Internal Gateway: - #OTK Client Context Variables - #OTK id_token configuration DMZ Gateway: - #OTK OVP Configuration - #OTK Storage Configuration | `false` | -| `otk.skipInternalServerTools` | Skip installation of the optional sub soluction Kit: Internal, Server Tools. The Oauth Manager & Oauth Test Client will not be installed | `false` | -| `otk.internalGatewayHost` | Internal gateway host for OTK type DMZ | | -| `otk.internalGatewayPort` | Internal gateway post for OTK type DMZ | | -| `otk.dmzGatewayHost` | DMZ gateway host for OTK type INTERNAL | | -| `otk.networkMask` | Network mask used in the 'Restrict Access to IP Address Range Assertion' to protect the schedule jobs and health checks. | `16` | -| `otk.startIP` | Start IP used in the 'Restrict Access to IP Address Range Assertion' to protect the schedule jobs and health checks. | `240.224.2.1` | -| `otk.cert.dmzGatewayCert` | DMZ gateway certificate (encoded) for OTK type DMZ | | -| `otk.cert.internalGatewayIssuer` | DMZ gateway certificate issuer for OTK type DMZ | | -| `otk.cert.dmzGatewaySerial` | DMZ gateway certificate serial for OTK type DMZ | | -| `otk.cert.dmzGatewaySubject` | DMZ gateway certificate subject for OTK type DMZ | | -| `otk.cert.internalGatewayCert` | INTERNAL gateway certificate (encoded) for OTK type INTERNAL | | -| `otk.cert.internalGatewayIssuer` | INTERNAL gateway certificate issuer for OTK type INTERNAL | | -| `otk.cert.internalGatewaySerial` | INTERNAL gateway certificate serial for OTK type INTERNAL | | -| `otk.cert.internalGatewaySubject` | INTERNAL gateway certificate subject for OTK type INTERNAL | | -| `otk.customizations.existingBundle.enabled` | Enable mounting existing configMaps/Secrets that contain OTK Bundles - see values.yaml for more info | `false` | -| `otk.dmzGatewayPort` | DMZ gateway port for OTK type INTERNAL | | -| `otk.subSolutionKitNames` | List of comma seperated sub soluction Kits to install or upgrade. | | -| `otk.job.image.repository` | Image Repositor | `caapim/otk-install` | -| `otk.job.image.tag` | Image Tag. (OTK version) | `4.6` | -| `otk.job.image.pullPolicy` | Image Pull Policy | `IfNotPresent` | -| `otk.job.image.labels` | Job lables | {} | -| `otk.job.image.nodeSelector` | Job Node selector | {} | -| `otk.job.image.tolerations` | Job tolerations | [] | -| `otk.job.podLabels` | OTK Job podLabels | {} | -| `otk.job.podAnnotations` | OTK Job podAnnotations | {} | -| `otk.job.resources` | OTK Job resources | {} | -| `otk.job.scheduledTasksSuccessfulJobsHistoryLimit` | OTK db maintenance scheduled job success history limit | `1` | -| `otk.job.scheduledTasksFailedJobsHistoryLimit` | OTK db maintenance scheduled job failed history limit | `1` | -| `otk.bootstrapDir` | The location of OTK artifacts in the image | `/opt/SecureSpan/Gateway/node/default/etc/bootstrap/bundle/000OTK` | -| `otk.database.type` | OTK database type - mysql/oracle/cassandra | `mysql` | -| `otk.database.waitTimeout` | OTK database connection wait timeout in seconds | `60` | -| `otk.database.dbUpgrade` | Enable/Disable OTK DB Upgrade | `true` | -| `otk.database.useDemoDb` | Enable/Disable OTK Demo DB | `true` | -| `otk.database.sql.createTestClients` | Enable/Disable creation of demo test clients | `false` | -| `otk.database.sql.testClientsRedirectUrlPrefix` | The value of redirect_uri prefix (Example: [https://test.com:8443](https://test.com:8443)) Required if createTestClients is `true` | | -| `otk.database.changeLogSync` | Applicable for OTK versions 4.6.3 & older only. If using existing non liquibase OTK DB then perform manual OTK DB upgrade and set 'changeLogSync' to true. This is a onetime activity to initialize liquibase related tables on OTK DB. Set to false for successive helm upgrade. | `false` | -| `otk.database.updateConnection` | Update database connection properties during helm upgrade | `true` | -| `otk.database.connectionName` | OTK database connection name | `OAuth` | -| `otk.database.existingSecretName` | Point to an existing OTK database Secret | | -| `otk.database.username` | OTK database user name | | -| `otk.database.password` | OTK database password | | -| `otk.database.properties` | OTK database additional properties | `{}` | -| `otk.database.sql.ddlUsername` | OTK database user name used for OTK DB creation | | -| `otk.database.sql.ddlPassword` | OTK database password used for OTK DB creation | | -| `otk.database.sql.type` | OTK database type (mysql/oracle/cassandra) | `mysql` | -| `otk.database.sql.jdbcURL` | OTK database sql jdbc URL (oracle/mysql) | | -| `otk.database.sql.jdbcDriverClass` | OTK database sql driver class name (oracle/mysql) | | -| `otk.database.sql.databaseName` | OTK database Oracle database name or Demo db name | | -| `otk.database.sql.connectionProperties` | OTK database mysql connection properties (oracle/mysql) | `{}` | -| `otk.database.readOnlyConnection.enabled` | Enable/Disable OTK read only database connection | `false` | -| `otk.database.readOnlyConnection.connectionName` | OTK read only database connection name | `OAuth_ReadOnly` | -| `otk.database.readOnlyConnection.existingSecretName` | Point to an existing OTK read only database Secret | | -| `otk.database.readOnlyConnection.username` | OTK read only database user name | | -| `otk.database.readOnlyConnection.password` | OTK read only database password | | -| `otk.database.readOnlyConnection.properties` | OTK read only database additional properties | `{}` | -| `otk.database.readOnlyConnection.jdbcURL` | OTK read only database sql jdbc URL (oracle/mysql) | | -| `otk.database.readOnlyConnection.jdbcDriverClass` | OTK read only database sql driver class name (oracle/mysql) | | -| `otk.database.readOnlyConnection.connectionProperties` | OTK read only database mysql connection properties (oracle/mysql) | `{}` | -| `otk.database.readOnlyConnection.databaseName` | OTK read only Oracle database name | | -| `otk.database.clientReadConnection.enabled` | Enable/Disable OTK Client Read only database connection | `false` | -| `otk.database.clientReadConnection.connectionName` | OTK Client Read only database connection name | `OAuth_Client_Read` | -| `otk.database.clientReadConnection.existingSecretName` | Point to an existing OTK Client Read only database Secret | | -| `otk.database.clientReadConnection.username` | OTK Client Read only database user name | | -| `otk.database.clientReadConnection.password` | OTK Client Read only database password | | -| `otk.database.clientReadConnection.properties` | OTK Client Read only database additional properties | `{}` | -| `otk.database.clientReadConnection.jdbcURL` | OTK Client Read only database sql jdbc URL (oracle/mysql) | | -| `otk.database.clientReadConnection.jdbcDriverClass` | OTK Client Read only database sql driver class name (oracle/mysql) | | -| `otk.database.clientReadConnection.connectionProperties` | OTK Client Read only database mysql connection properties (oracle/mysql) | `{}` | -| `otk.database.clientReadConnection.databaseName` | OTK Client Read only Oracle database name | | -| `otk.database.cassandra.connectionPoints` | OTK database cassandra connection points (comma seperated) | | -| `otk.database.cassandra.port` | OTK database cassandra connection port | | -| `otk.database.cassandra.keyspace` | OTK database cassandra keyspace | | -| `otk.database.cassandra.driverConfig` | OTK database cassandra driver config (Gateway 11+) | `{}` | -| `otk.healthCheckBundle.enabled` | Enable/Disable installation of OTK health check service bundle | `false` | -| `otk.healthCheckBundle.useExisting` | Use exising OTK health check service bundle | `false` | -| `otk.healthCheckBundle.name` | OTK health check service bundle name | `otk-health-check-bundle-config` | -| `otk.livenessProbe.enabled` | Enable/Disable. Requires otk.healthCheckBundle.enabled set to true and OTK version >= 4.6.1. Valid only for SINGLE and INTERNAL OTK type installation. | `true` | -| `otk.livenessProbe.type` | | `httpGet` | -| `otk.livenessProbe.httpGet.path` | | `/auth/oauth/health` | -| `otk.livenessProbe.httpGet.port` | | `8443` | -| `otk.readinessProbe.enabled` | Enable/Disable. Requires otk.healthCheckBundle.enabled set to true and OTK version >= 4.6.1. Valid only for SINGLE and INTERNAL OTK type installation. | `true` | -| `otk.readinessProbe.type` | | `httpGet` | -| `otk.readinessProbe.httpGet.path` | | `/auth/oauth/health` | -| `otk.readinessProbe.httpGet.port` | | `8443` | - +| Parameter | Description | Default | +| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | +| `otk.enabled` | Enable/Disable OTK installation or upgrade | `false` | +| `otk.type` | OTK installation type - SINGLE, DMZ or INTERNAL | `SINGLE` +| `otk.forceInstallOrUpgrade` | Force install or upgrade by uninstalling existing otk soluction kit and install. | false +| `otk.enablePortalIntegration` | Not applicable for DMZ and INTERNAL OTK types | `false` +| `otk.skipPostInstallationTasks` | Skip post installation tasks for OTK type INTERNAL and DMZ
Internal Gateway:
- #OTK Client Context Variables
- #OTK id_token configuration
DMZ Gateway:
- #OTK OVP Configuration
- #OTK Storage Configuration | `false` +| `otk.skipInternalServerTools` | Skip installation of the optional sub soluction Kit: Internal, Server Tools.
The Oauth Manager & Oauth Test Client will not be installed | `false` +| `otk.internalGatewayHost` | Internal gateway host for OTK type DMZ| +| `otk.internalGatewayPort` | Internal gateway post for OTK type DMZ| +| `otk.dmzGatewayHost` | DMZ gateway host for OTK type INTERNAL| +| `otk.networkMask` | Network mask used in the 'Restrict Access to IP Address Range Assertion' to protect the schedule jobs and health checks.| `16` | +| `otk.startIP` | Start IP used in the 'Restrict Access to IP Address Range Assertion' to protect the schedule jobs and health checks.| `240.224.2.1` | +| `otk.cert.dmzGatewayCert` | DMZ gateway certificate (encoded) for OTK type DMZ | +| `otk.cert.internalGatewayIssuer` | DMZ gateway certificate issuer for OTK type DMZ | +| `otk.cert.dmzGatewaySerial` | DMZ gateway certificate serial for OTK type DMZ | +| `otk.cert.dmzGatewaySubject` | DMZ gateway certificate subject for OTK type DMZ | +| `otk.cert.internalGatewayCert` | INTERNAL gateway certificate (encoded) for OTK type INTERNAL | +| `otk.cert.internalGatewayIssuer` | INTERNAL gateway certificate issuer for OTK type INTERNAL | +| `otk.cert.internalGatewaySerial` | INTERNAL gateway certificate serial for OTK type INTERNAL | +| `otk.cert.internalGatewaySubject` | INTERNAL gateway certificate subject for OTK type INTERNAL | +| `otk.customizations.existingBundle.enabled` | Enable mounting existing configMaps/Secrets that contain OTK Bundles - see values.yaml for more info | `false` | +| `otk.dmzGatewayPort` | DMZ gateway port for OTK type INTERNAL| +| `otk.subSolutionKitNames` | List of comma seperated sub soluction Kits to install or upgrade. | +| `otk.job.image.repository` | Image Repositor | `caapim/otk-install` +| `otk.job.image.tag` | Image Tag. (OTK version) | `4.6` +| `otk.job.image.pullPolicy` | Image Pull Policy | `IfNotPresent` +| `otk.job.image.labels` | Job lables | {} +| `otk.job.image.nodeSelector` | Job Node selector | {} +| `otk.job.image.tolerations` | Job tolerations | [] +| `otk.job.podLabels` | OTK Job podLabels | {} +| `otk.job.podAnnotations` | OTK Job podAnnotations | {} +| `otk.job.resources` | OTK Job resources | {} +| `otk.job.scheduledTasksSuccessfulJobsHistoryLimit`| OTK db maintenance scheduled job success history limit | `1` | +| `otk.job.scheduledTasksFailedJobsHistoryLimit`| OTK db maintenance scheduled job failed history limit | `1` | +| `otk.bootstrapDir`| The location of OTK artifacts in the image | `/opt/SecureSpan/Gateway/node/default/etc/bootstrap/bundle/000OTK` | +| `otk.database.type` | OTK database type - mysql/oracle/cassandra | `mysql` +| `otk.database.waitTimeout` | OTK database connection wait timeout in seconds | `60`| +| `otk.database.dbUpgrade` | Enable/Disable OTK DB Upgrade| `true` | +| `otk.database.useDemoDb` | Enable/Disable OTK Demo DB | `true` | +| `otk.database.sql.createTestClients` | Enable/Disable creation of demo test clients | `false` | +| `otk.database.sql.testClientsRedirectUrlPrefix` | The value of redirect_uri prefix (Example: https://test.com:8443) Required if createTestClients is `true` | | +| `otk.database.changeLogSync` | Applicable for OTK versions 4.6.3 & older only. If using existing non liquibase OTK DB then perform manual OTK DB upgrade and set 'changeLogSync' to true.
This is a onetime activity to initialize liquibase related tables on OTK DB. Set to false for successive helm upgrade. | `false`| +| `otk.database.updateConnection` | Update database connection properties during helm upgrade | `true`| +| `otk.database.connectionName` | OTK database connection name | `OAuth` +| `otk.database.existingSecretName` | Point to an existing OTK database Secret | +| `otk.database.username` | OTK database user name | +| `otk.database.password` | OTK database password | +| `otk.database.properties` | OTK database additional properties | `{}` +| `otk.database.sql.ddlUsername` | OTK database user name used for OTK DB creation | +| `otk.database.sql.ddlPassword` | OTK database password used for OTK DB creation | +| `otk.database.sql.type` | OTK database type (mysql/oracle/cassandra) | `mysql` +| `otk.database.sql.jdbcURL` | OTK database sql jdbc URL (oracle/mysql) | +| `otk.database.sql.jdbcDriverClass`| OTK database sql driver class name (oracle/mysql) | +| `otk.database.sql.databaseName` | OTK database Oracle database name or Demo db name | +| `otk.database.sql.connectionProperties`| OTK database mysql connection properties (oracle/mysql) | `{}` +| `otk.database.readOnlyConnection.enabled` | Enable/Disable OTK read only database connection | `false` | +| `otk.database.readOnlyConnection.connectionName` | OTK read only database connection name | `OAuth_ReadOnly` | +| `otk.database.readOnlyConnection.existingSecretName` | Point to an existing OTK read only database Secret | +| `otk.database.readOnlyConnection.username` | OTK read only database user name| +| `otk.database.readOnlyConnection.password` | OTK read only database password | +| `otk.database.readOnlyConnection.properties` | OTK read only database additional properties | `{}` | +| `otk.database.readOnlyConnection.jdbcURL` | OTK read only database sql jdbc URL (oracle/mysql) | +| `otk.database.readOnlyConnection.jdbcDriverClass` | OTK read only database sql driver class name (oracle/mysql) | +| `otk.database.readOnlyConnection.connectionProperties`| OTK read only database mysql connection properties (oracle/mysql) | `{}` +| `otk.database.readOnlyConnection.databaseName` | OTK read only Oracle database name | +| `otk.database.clientReadConnection.enabled` | Enable/Disable OTK Client Read only database connection | `false` | +| `otk.database.clientReadConnection.connectionName` | OTK Client Read only database connection name | `OAuth_Client_Read` | +| `otk.database.clientReadConnection.existingSecretName` | Point to an existing OTK Client Read only database Secret | +| `otk.database.clientReadConnection.username` | OTK Client Read only database user name | +| `otk.database.clientReadConnection.password` | OTK Client Read only database password | +| `otk.database.clientReadConnection.properties` | OTK Client Read only database additional properties | `{}` | +| `otk.database.clientReadConnection.jdbcURL` | OTK Client Read only database sql jdbc URL (oracle/mysql) | +| `otk.database.clientReadConnection.jdbcDriverClass` | OTK Client Read only database sql driver class name (oracle/mysql) | +| `otk.database.clientReadConnection.connectionProperties`| OTK Client Read only database mysql connection properties (oracle/mysql) | `{}` +| `otk.database.clientReadConnection.databaseName` | OTK Client Read only Oracle database name | +| `otk.database.cassandra.connectionPoints` | OTK database cassandra connection points (comma seperated) | +| `otk.database.cassandra.port` | OTK database cassandra connection port | +| `otk.database.cassandra.keyspace` | OTK database cassandra keyspace | +| `otk.database.cassandra.driverConfig` | OTK database cassandra driver config (Gateway 11+) | `{}` +| `otk.healthCheckBundle.enabled` | Enable/Disable installation of OTK health check service bundle | `false` +| `otk.healthCheckBundle.useExisting` | Use exising OTK health check service bundle | `false` +| `otk.healthCheckBundle.name` | OTK health check service bundle name | `otk-health-check-bundle-config` +| `otk.livenessProbe.enabled` | Enable/Disable. Requires otk.healthCheckBundle.enabled set to true and OTK version >= 4.6.1. Valid only for SINGLE and INTERNAL OTK type installation. | `true` +| `otk.livenessProbe.type` | | `httpGet` +| `otk.livenessProbe.httpGet.path` | | `/auth/oauth/health` +| `otk.livenessProbe.httpGet.port` | | `8443` +| `otk.readinessProbe.enabled` | Enable/Disable. Requires otk.healthCheckBundle.enabled set to true and OTK version >= 4.6.1. Valid only for SINGLE and INTERNAL OTK type installation. | `true` +| `otk.readinessProbe.type` | | `httpGet` +| `otk.readinessProbe.httpGet.path` | | `/auth/oauth/health` +| `otk.readinessProbe.httpGet.port` | | `8443` #### Note: - -- In case of ephemeral GW instances where there only updates to OTK, it should be done using Helm --force option +* In case of ephemeral GW instances where there only updates to OTK, it should be done using Helm --force option [Back to Additional Guides](#additional-guides) ### Gateway Application Ports - Once you have decided on which container ports you would like to expose, you need to create the corresponding ports on the API Gateway. *These will need match the corresponding service and management service ports above.* This configuration creates and mounts a gateway bundle, if you wish to maintain Gateway ports outside of the Gateway Chart you can either use Policy Manager or create and mount your own bundle in the existingBundle section. By default the following ports are created - - 8080 (HTTP - disabled) - 8443 (HTTPS - Published service message input only) - 9443 (HTTPS - Published service message input only, Administrative access, Browser-based administration, Built-in services) Things to note before you get started: - - If you are deploying the Gateway with a fresh MySQL database - This port configuration will replace the defaults. - If you are using an existing database @@ -638,11 +586,9 @@ config: [Back to Additional Guides](#additional-guides) ### Ingress Configuration - The Gateway Helm Chart allows you to configure an Ingress Resource that your central Ingress Controller can manage. You can find more information on [Ingress Controllers](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/) here. If your ingress controller is private and you would like to create an ingress record/route for the management service you can use the following configuration - ``` ... rules: @@ -660,7 +606,6 @@ If your ingress controller is private and you would like to create an ingress re ``` New Ingress Configuration Gateway Chart >= 3.0.31 (openshift route support) - ``` ingress: # Set to true to create ingress or route object @@ -711,7 +656,6 @@ ingress: ``` New Ingress Configuration Gateway Chart >= 3.0.0 - ``` ingress: enabled: true @@ -750,7 +694,6 @@ ingress: ``` This represents the ingress configuration for Gateway Chart < 3.0.0 you need to configure an Ingress Resource for the API Gateway - ``` ingress: enabled: true @@ -773,11 +716,9 @@ ingress: [Back to Additional Guides](#additional-guides) ### Kubernetes Gateway API Configuration - The Gateway Helm Chart supports the [Kubernetes Gateway API](https://gateway-api.sigs.k8s.io/) as an alternative to Ingress. The implementation is controller-agnostic and has been tested with [Contour](https://projectcontour.io/) and [Envoy Gateway](https://gateway.envoyproxy.io/). See [examples/ingress](../../examples/ingress) for controller installation instructions. **Requirements:** - - Gateway API CRDs must be installed. These are typically bundled with your Gateway controller (e.g. Contour, Envoy Gateway). To install them separately, see the [Gateway API releases](https://github.com/kubernetes-sigs/gateway-api/releases) - A `GatewayClass` must be available on the cluster (e.g. `contour`, `envoy-gateway`) @@ -788,14 +729,12 @@ The Gateway Helm Chart supports the [Kubernetes Gateway API](https://gateway-api **Route Modes:** The chart supports two route modes: - - **HTTPRoute** (default) -- TLS is terminated at the Kubernetes Gateway and re-encrypted to the Layer7 Gateway backend. Requires `backendTLSPolicy` to be enabled so the Gateway controller can validate the backend certificate. - **TLSRoute** -- TLS passthrough via SNI-based routing. The Kubernetes Gateway does not terminate TLS. The Layer7 Gateway handles TLS directly. **Gateway Resource:** The chart supports two modes for the Gateway resource: - - **Create a new Gateway** -- set `kubernetesGateway.gateway.create: true` with a `gatewayClassName`. The chart creates a Gateway with auto-generated listeners from route hostnames. - **Use an existing Gateway** -- set `kubernetesGateway.gateway.create: false` and provide `kubernetesGateway.gateway.existingRef.name` / `.namespace`. Routes attach to the existing Gateway via `parentRefs`. This is useful when sharing a Gateway across charts. See [Shared Gateway](../../examples/ingress#shared-gateway) for details. @@ -806,7 +745,6 @@ When using HTTPRoute, the Layer7 Gateway backend speaks HTTPS. Since the Gateway **Management Service Routing:** To route management traffic through the same Gateway, set `backend: management` on a rule: - ``` kubernetesGateway: enabled: true @@ -833,78 +771,71 @@ kubernetesGateway: enabled: true ``` - -| Parameter | Description | Default | -| ----------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------ | -| `kubernetesGateway.enabled` | Enable Kubernetes Gateway API resources | `false` | -| `kubernetesGateway.gateway.create` | Create a new Gateway resource | `false` | -| `kubernetesGateway.gateway.gatewayClassName` | GatewayClass name (e.g. `contour`, `eg`). Required when `gateway.create` is `true` | `""` | -| `kubernetesGateway.gateway.addresses` | Optional addresses for the Gateway (e.g. static IPs). Array of `{type, value}` | `[]` | -| `kubernetesGateway.gateway.existingRef.name` | Name of an existing Gateway to reference | `""` | -| `kubernetesGateway.gateway.existingRef.namespace` | Namespace of the existing Gateway | `""` | -| `kubernetesGateway.gateway.tls.existingSecretName` | Existing TLS Secret for the Gateway listener | `""` | -| `kubernetesGateway.gateway.labels` | Additional labels for the Gateway resource | `{}` | -| `kubernetesGateway.gateway.annotations` | Additional annotations for the Gateway resource | `{}` | -| `kubernetesGateway.httpRoute.enabled` | Enable HTTPRoute resource | `true` | -| `kubernetesGateway.httpRoute.rules` | HTTPRoute rules. Each rule routes to the chart's own service | `see values.yaml` | -| `kubernetesGateway.httpRoute.labels` | Additional labels for the HTTPRoute | `{}` | -| `kubernetesGateway.httpRoute.annotations` | Additional annotations for the HTTPRoute | `{}` | -| `kubernetesGateway.tlsRoute.enabled` | Enable TLSRoute resource (SNI passthrough) | `false` | -| `kubernetesGateway.tlsRoute.apiVersion` | TLSRoute API version. Set to `gateway.networking.k8s.io/v1` when your CRDs include TLSRoute at v1 | `gateway.networking.k8s.io/v1alpha2` | -| `kubernetesGateway.tlsRoute.rules` | TLSRoute rules. Each rule routes to the chart's own service | `see values.yaml` | -| `kubernetesGateway.tlsRoute.labels` | Additional labels for the TLSRoute | `{}` | -| `kubernetesGateway.tlsRoute.annotations` | Additional annotations for the TLSRoute | `{}` | -| `kubernetesGateway.backendTLSPolicy.enabled` | Enable BackendTLSPolicy for Gateway-to-backend TLS | `false` | -| `kubernetesGateway.backendTLSPolicy.excludePorts` | Ports to exclude from targetRefs. When empty, the policy covers all ports (no `sectionName`). When set, each non-excluded port gets an explicit targetRef with `sectionName` | `[]` | -| `kubernetesGateway.backendTLSPolicy.validation.hostname` | Hostname for backend TLS validation. If empty, defaults to `..svc.cluster.local` | `""` | -| `kubernetesGateway.backendTLSPolicy.validation.caCertificateRefs` | CA certificate references. If empty, defaults to the auto-generated CA ConfigMap | `[]` | -| `kubernetesGateway.backendTLSPolicy.validation.wellKnownCACertificates` | Use well-known CA certs (e.g. `System`). Mutually exclusive with `caCertificateRefs` | `""` | -| `kubernetesGateway.backendTLSPolicy.tls.existingSecretName` | Existing TLS Secret for the backend certificate | `""` | -| `kubernetesGateway.backendTLSPolicy.tls.bootstrap` | Enable SSL key bootstrap into the pod. Set `false` when you only need the BackendTLSPolicy resource | `true` | -| `kubernetesGateway.backendTLSPolicy.tls.forceBootstrap` | Force the bootstrap script on every install/upgrade (db-backed gateways skip on upgrade by default) | `false` | -| `kubernetesGateway.backendTLSPolicy.labels` | Additional labels for the BackendTLSPolicy | `{}` | -| `kubernetesGateway.backendTLSPolicy.annotations` | Additional annotations for the BackendTLSPolicy | `{}` | -| `kubernetesGateway.labels` | Labels applied to all Gateway API resources | `{}` | -| `kubernetesGateway.annotations` | Annotations applied to all Gateway API resources | `{}` | - +| Parameter | Description | Default | +|---|---|---| +| `kubernetesGateway.enabled` | Enable Kubernetes Gateway API resources | `false` | +| `kubernetesGateway.gateway.create` | Create a new Gateway resource | `false` | +| `kubernetesGateway.gateway.gatewayClassName` | GatewayClass name (e.g. `contour`, `eg`). Required when `gateway.create` is `true` | `""` | +| `kubernetesGateway.gateway.addresses` | Optional addresses for the Gateway (e.g. static IPs). Array of `{type, value}` | `[]` | +| `kubernetesGateway.gateway.existingRef.name` | Name of an existing Gateway to reference | `""` | +| `kubernetesGateway.gateway.existingRef.namespace` | Namespace of the existing Gateway | `""` | +| `kubernetesGateway.gateway.tls.existingSecretName` | Existing TLS Secret for the Gateway listener | `""` | +| `kubernetesGateway.gateway.labels` | Additional labels for the Gateway resource | `{}` | +| `kubernetesGateway.gateway.annotations` | Additional annotations for the Gateway resource | `{}` | +| `kubernetesGateway.httpRoute.enabled` | Enable HTTPRoute resource | `true` | +| `kubernetesGateway.httpRoute.rules` | HTTPRoute rules. Each rule routes to the chart's own service | `see values.yaml` | +| `kubernetesGateway.httpRoute.labels` | Additional labels for the HTTPRoute | `{}` | +| `kubernetesGateway.httpRoute.annotations` | Additional annotations for the HTTPRoute | `{}` | +| `kubernetesGateway.tlsRoute.enabled` | Enable TLSRoute resource (SNI passthrough) | `false` | +| `kubernetesGateway.tlsRoute.apiVersion` | TLSRoute API version. Set to `gateway.networking.k8s.io/v1` when your CRDs include TLSRoute at v1 | `gateway.networking.k8s.io/v1alpha2` | +| `kubernetesGateway.tlsRoute.rules` | TLSRoute rules. Each rule routes to the chart's own service | `see values.yaml` | +| `kubernetesGateway.tlsRoute.labels` | Additional labels for the TLSRoute | `{}` | +| `kubernetesGateway.tlsRoute.annotations` | Additional annotations for the TLSRoute | `{}` | +| `kubernetesGateway.backendTLSPolicy.enabled` | Enable BackendTLSPolicy for Gateway-to-backend TLS | `false` | +| `kubernetesGateway.backendTLSPolicy.excludePorts` | Ports to exclude from targetRefs. When empty, the policy covers all ports (no `sectionName`). When set, each non-excluded port gets an explicit targetRef with `sectionName` | `[]` | +| `kubernetesGateway.backendTLSPolicy.validation.hostname` | Hostname for backend TLS validation. If empty, defaults to `..svc.cluster.local` | `""` | +| `kubernetesGateway.backendTLSPolicy.validation.caCertificateRefs` | CA certificate references. If empty, defaults to the auto-generated CA ConfigMap | `[]` | +| `kubernetesGateway.backendTLSPolicy.validation.wellKnownCACertificates` | Use well-known CA certs (e.g. `System`). Mutually exclusive with `caCertificateRefs` | `""` | +| `kubernetesGateway.backendTLSPolicy.tls.existingSecretName` | Existing TLS Secret for the backend certificate | `""` | +| `kubernetesGateway.backendTLSPolicy.tls.bootstrap` | Enable SSL key bootstrap into the pod. Set `false` when you only need the BackendTLSPolicy resource | `true` | +| `kubernetesGateway.backendTLSPolicy.tls.forceBootstrap` | Force the bootstrap script on every install/upgrade (db-backed gateways skip on upgrade by default) | `false` | +| `kubernetesGateway.backendTLSPolicy.labels` | Additional labels for the BackendTLSPolicy | `{}` | +| `kubernetesGateway.backendTLSPolicy.annotations` | Additional annotations for the BackendTLSPolicy | `{}` | +| `kubernetesGateway.labels` | Labels applied to all Gateway API resources | `{}` | +| `kubernetesGateway.annotations` | Annotations applied to all Gateway API resources | `{}` | [Back to Additional Guides](#additional-guides) ### PM Tagger Configuration - [PM (Policy Manager) Tagger](https://github.com/gvermeulen7205/pm-tagger) is a lightweight go application that works in conjunction with the management service to provide a stable connection to your container gateway via Policy Manager. - -| Parameter | Description | Default | -| ---------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------ | -| `pmtagger.enabled` | Enable pm-tagger | `false` | -| `pmtagger.replicas` | Replicas (you should never need more than one | `1` | -| `pmtagger.image.registry` | Image Registry | `docker.io` | -| `pmtagger.image.repository` | Image Repository | `caapim/pm-tagger` | -| `pmtagger.image.tag` | Image Tag | `1.0.3` | -| `pmtagger.image.pullPolicy` | Image Pull Policy | `IfNotPresent` | -| `pmtagger.image.imagePullSecret.enabled` | Use Image Pull secret - this uses the image pull secret configured for the API Gateway | `false` | -| `pmtagger.resources` | Resources | `see values.yaml` | -| `pmtagger.podLabels` | Pod Labels for the Gateway Pod | `{}` | -| `pmtagger.podAnnotations` | Pod Annotations apply to the Gateway Pod | `{}` | -| `pmtagger.nodeSelector` | [Node Selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) | `{}` | -| `pmtagger.affinity` | [Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) | `{}` | -| `pmtagger.topologySpreadConstraints` | [Topology Spread Constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/#spread-constraints-for-pods) | `[]` | -| `pmtagger.tolerations` | [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) | `[]` | -| `pmtagger.podSecurityContext` | [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | `[]` | -| `pmtagger.containerSecurityContext` | [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | `{}` | - +| Parameter | Description | Default | +| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | +| `pmtagger.enabled` | Enable pm-tagger | `false` | +| `pmtagger.replicas` | Replicas (you should never need more than one | `1` | +| `pmtagger.image.registry` | Image Registry | `docker.io` | +| `pmtagger.image.repository` | Image Repository | `caapim/pm-tagger` | +| `pmtagger.image.tag` | Image Tag | `1.0.3` | +| `pmtagger.image.pullPolicy` | Image Pull Policy | `IfNotPresent` | +| `pmtagger.image.imagePullSecret.enabled` | Use Image Pull secret - this uses the image pull secret configured for the API Gateway | `false` | +| `pmtagger.resources` | Resources | `see values.yaml` | +| `pmtagger.podLabels` | Pod Labels for the Gateway Pod | `{}` | +| `pmtagger.podAnnotations` | Pod Annotations apply to the Gateway Pod | `{}` | +| `pmtagger.nodeSelector` | [Node Selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) | `{}` | +| `pmtagger.affinity` | [Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) | `{}` | +| `pmtagger.topologySpreadConstraints` | [Topology Spread Constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/#spread-constraints-for-pods) | `[]` | +| `pmtagger.tolerations` | [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) | `[]` | +| `pmtagger.podSecurityContext` | [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | `[]` | +| `pmtagger.containerSecurityContext` | [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | `{}` | [Back to Additional Guides](#additional-guides) ### OpenTelemetry Configuration - The Gateway from v11.1.00 can be configured to send telemetry to Observability backends [that support OpenTelemetry](https://opentelemetry.io/ecosystem/vendors/). Please see [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/11-1/install-configure-upgrade/configuring-opentelemetry-for-the-gateway.html) for more details about this integration. This feature is a ***preview feature*** for v11.1.00 and is ***intentionally disabled*** by default. As with any integration that generates telemetry, there is a performance drop when turning on the OpenTelemetry integration with all of the features enabled. There is an integration example available [here](https://github.com/Layer7-Community/Integrations/tree/main/grafana-stack-prometheus-otel) that details how to deploy and configure an observability backend to use with the Gateway. - - You are ***not required*** to use the observability stack that we provide as an example. - The observability stack that we provide ***is not*** production ready and should be used solely as an example or reference point. - OpenTelemetry is supported by [numerous vendors](https://opentelemetry.io/ecosystem/vendors/) @@ -912,13 +843,11 @@ There is an integration example available [here](https://github.com/Layer7-Commu ***NOTE: *** In our example we inject the OpenTelemetry Java Agent to the Container Gateway, this emits additional telemetry like JVM metrics. The Gateway has the OpenTelemetry SDK built-in making the OpenTelemetry Java Agent Optional, the key difference between the built-in SDK and the OTel Agent is that the SDK only captures Gateway application level traces and metrics, things like JVM metrics will not be captured in this mode. #### Gateway OTel Configuration - OpenTelemetry is configured on the Gateway in two places, system properties and cluster-wide Properties. The configuration below represents the minimal settings required to enable the built-in SDK and configure the Gateway to send telemetry to an OpenTelemetry Collector. These can be configured in values.yaml. See the section below to view examples of how and where to configure this. - config.otel - ``` config: ... @@ -934,8 +863,8 @@ config: # - test1=someEnvValue1 ``` -- system.properties +- system.properties ``` otel.sdk.disabled=false otel.java.global-autoconfigure.enabled=true @@ -945,18 +874,14 @@ otel.traces.exporter=otlp otel.metrics.exporter=otlp otel.logs.exporter=none ``` - - cluster-wide properties - ``` otel.enabled=true otel.serviceMetricEnabled=true otel.traceEnabled=true (if tracing is required) otel.traceConfig=(default {}) ``` - example otel.traceConfig - ``` { "services": [ @@ -980,29 +905,23 @@ example otel.traceConfig [Back to Additional Guides](#additional-guides) ##### Gateway OTel Examples (with or without the Optional Agent) - The integration example [here](https://github.com/Layer7-Community/Integrations/tree/main/grafana-stack-prometheus-otel) contains two Gateway examples (values.yaml overrides) that are configured to use the SDK only approach ***or*** include the Optional OTel Java Agent. There are two Grafana Dashboards included that show the differences in the telemetry that emitted from the Gateway. - - [SDK only, no agent](https://github.com/Layer7-Community/Integrations/tree/main/grafana-stack-prometheus-otel/gateway-example/gateway-sdk-only-values.yaml) - [Agent](https://github.com/Layer7-Community/Integrations/tree/main/grafana-stack-prometheus-otel/gateway-example/gateway-otel-java-agent-values.yaml) [Back to Additional Guides](#additional-guides) ### Shared State Preview Features - There are two preview features that you may choose to enable with Gateway v11.1.1 onwards. - - [Apply Distributed Rate Limit Assertion (Preview)](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/policy-assertions/assertion-palette/service-availability-assertions/apply-distributed-rate-limit-assertion.html) - [Key Value Storage Assertions (Preview)](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/policy-assertions/assertion-palette/service-availability-assertions/key-value-storage-assertions.html) To use the [Apply Distributed Rate Limit Assertion (Preview)](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/policy-assertions/assertion-palette/service-availability-assertions/apply-distributed-rate-limit-assertion.html), uncomment the following and set it to redis or externalhazelcast - ``` # com.l7tech.server.extension.sharedRateLimiterProvider=redis ``` To use the [Key Value Storage Assertions (Preview)](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/policy-assertions/assertion-palette/service-availability-assertions/key-value-storage-assertions.html), uncomment the following and set sharedKeyValueStoreProvider to redis or externalhazelcast - ``` # com.l7tech.external.assertions.keyvaluestore.sharedKeyValueStoreProvider=redis # com.l7tech.external.assertions.keyvaluestore.storeIdList=GW_STORE_ID @@ -1011,63 +930,54 @@ To use the [Key Value Storage Assertions (Preview)](https://techdocs.broadcom.co [Back to Additional Guides](#additional-guides) ### Redis Configuration - This enables integration with [Redis](https://redis.io/) which is a preview feature on the Layer7 Gateway. The following sections configure a redis configuration file on the Gateway. The following properties in config.systemProperties will need to be updated. **Important Note** The latest version of this chart uses a new format for Redis configuration that will simplify configuring additional shared state providers in the future. Please view [shared state provider config](#shared-state-provider-config) for more details. This is only compatible with Gateway v11.1.1. Comment out the following - ``` # com.l7tech.server.extension.sharedKeyValueStoreProvider=embeddedhazelcast # com.l7tech.server.extension.sharedCounterProvider=ssgdb ``` - Uncomment the following - ``` # com.l7tech.server.extension.sharedKeyValueStoreProvider=redis # com.l7tech.server.extension.sharedCounterProvider=redis # com.l7tech.server.extension.sharedRateLimiterProvider=redis ``` - -| Parameter | Description | Default | -| ------------------------------------ | ---------------------------------------------------------------------------------------------------------------------- | ------------------ | -| `config.redis.enabled` | Enable redis configuration | `false` | -| `config.redis.subChart.enabled` | Deploy the redis subChart | `true` | -| `config.redis.additionalProviders` | Configure additional Redis connections | `[]` | -| `config.redis.groupName` | Redis Group name | `l7GW` | -| `config.redis.commandTimeout` | Redis Command Timeout | `5000` | -| `config.redis.connectTimeout` | Redis Connect Timeout | `10000` | -| `config.redis.testOnStart` | Test the connection to Redis during Gateway start. If the conection fails and this is true, the Gateway will not start | `false` | -| `config.redis.auth.enabled` | Use auth for Redis | `false` | -| `config.redis.auth.username` | Redis username | `` | -| `config.redis.auth.password.encoded` | Password is encoded | `false` | -| `config.redis.auth.password.value` | Redis password | `mypassword` | -| `config.redis.sentinel.enabled` | Enable sentinel configuration | `true` | -| `config.redis.sentinel.masterSet` | Redis Master set | `mymaster` | -| `config.redis.sentinel.nodes` | Array of sentinel nodes host and port | `[]` | -| `config.redis.standalone.host` | Redis host if sentinel is not enabled | `redis-standalone` | -| `config.redis.standalone.port` | Redis port if sentinel is not enabled | `6379` | -| `config.redis.tls.enabled` | Enable SSL/TLS | `false` | -| `config.redis.tls.existingSecret` | Use an existing secret - must contain a key called tls.crt | `` | -| `config.redis.tls.verifyPeer` | Verify Peer | `true` | -| `config.redis.tls.redisCrt` | Redis Public Cert | `` | +| Parameter | Description | Default | +| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | +| `config.redis.enabled` | Enable redis configuration | `false` | +| `config.redis.subChart.enabled` | Deploy the redis subChart | `true` | +| `config.redis.additionalProviders` | Configure additional Redis connections | `[]` | +| `config.redis.groupName` | Redis Group name | `l7GW` | +| `config.redis.commandTimeout` | Redis Command Timeout | `5000` | +| `config.redis.connectTimeout` | Redis Connect Timeout | `10000` | +| `config.redis.testOnStart` | Test the connection to Redis during Gateway start. If the conection fails and this is true, the Gateway will not start | `false` | +| `config.redis.auth.enabled` | Use auth for Redis | `false` | +| `config.redis.auth.username` | Redis username | `` | +| `config.redis.auth.password.encoded` | Password is encoded | `false` | +| `config.redis.auth.password.value` | Redis password | `mypassword` | +| `config.redis.sentinel.enabled` | Enable sentinel configuration | `true` | +| `config.redis.sentinel.masterSet` | Redis Master set | `mymaster` | +| `config.redis.sentinel.nodes` | Array of sentinel nodes host and port | `[]` | +| `config.redis.standalone.host` | Redis host if sentinel is not enabled | `redis-standalone` | +| `config.redis.standalone.port` | Redis port if sentinel is not enabled | `6379` | +| `config.redis.tls.enabled` | Enable SSL/TLS | `false` | +| `config.redis.tls.existingSecret` | Use an existing secret - must contain a key called tls.crt | `` | +| `config.redis.tls.verifyPeer` | Verify Peer | `true` | +| `config.redis.tls.redisCrt` | Redis Public Cert | `` | #### Creating your own Redis Configuration - Please refer to [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw-11-0/install-configure-upgrade/connect-to-an-external-redis-datastore.html) for more context on the available configuration options #### Note - The Gateway supports Redis master auth only. The Gateway will not be able to connect to Redis if your Sentinel nodes have passwords. Please refer to the notes in values.yaml for details on config.redis.auth and redis.auth (subChart) ##### Redis Sentinel (11.1.1) - sharedstate_client.yaml - ``` redis: default: @@ -1091,9 +1001,7 @@ redis: ``` ##### Redis Standalone (11.1.1) - sharedstate_client.yaml - ``` redis: default: @@ -1115,9 +1023,7 @@ redis: ``` ##### Redis Sentinel (11.0.00_CR2 and 11.1.00) - redis.properties - ``` # Redis type can be sentinel or standalone redis.type=sentinel @@ -1134,15 +1040,13 @@ redis.properties # Additional Config redis.key.prefix.grpname=l7GW redis.commandTimeout=5000 -``` + ``` ##### Redis Standalone (11.1.00) - **Gateway Chart v3.0.30 onwards only supports Gateway 11.1.1 and later for Redis** if you are not upgrading to Gateway v11.1.1 please specify the --version flag when installing or upgrading your release. The Gateway supports SSL/TLS and Authentication when connecting to a standalone Redis instance. This configuration should only be used for development purposes redis.properties - ``` # Redis type can be sentinel or standalone redis.type=standalone @@ -1159,15 +1063,13 @@ redis.properties # Additional Config redis.key.prefix.grpname=l7GW redis.commandTimeout=5000 -``` + ``` ##### Redis Standalone (11.0.00_CR2) - **Gateway Chart v3.0.30 onwards only supports Gateway 11.1.1 and later for Redis** if you are not upgrading to Gateway v11.1.1 please specify the --version flag when installing or upgrading your release. The Gateway does not support SSL/TLS or Authentication when connecting to a standalone Redis instance. This configuration should only be used for development purposes redis.properties - ``` # Redis type can be sentinel or standalone # standalone does not support SSL or Auth @@ -1176,16 +1078,13 @@ redis.properties redis.port=6379 redis.key.prefix.grpname=l7GW redis.commandTimeout=5000 -``` + ``` ##### Create a secret from this configuration (11.1.1) - ``` kubectl create secret generic shared-state-provider-secret --from-file=sharedstate_client.yaml=/path/to/sharedstate_client.yaml ``` - my-values.yaml - ``` config: sharedStateClient: @@ -1194,15 +1093,11 @@ config: ``` ##### Create a secret from this configuration (11.0.00_CR2 and 11.1.00) - **Gateway Chart v3.0.30 onwards only supports Gateway 11.1.1 and later for Redis** if you are not upgrading to Gateway v11.1.1 please specify the --version flag when installing or upgrading your release. - ``` kubectl create secret generic redis-config-secret --from-file=redis.properties=/path/to/redis.properties ``` - my-values.yaml - ``` redis: enabled: true @@ -1212,7 +1107,6 @@ redis: [Back to Additional Guides](#additional-guides) ### Redis StatefulSet (Development/Testing Only) - **Important Note:** This is a simple Redis StatefulSet implementation for development and testing purposes only. ***It is not supported or recommended for production use.*** For production deployments, use an external Redis server or Redis cluster. The Redis StatefulSet provides standalone Redis functionality with optional authentication and TLS support. @@ -1221,61 +1115,58 @@ The Redis StatefulSet provides standalone Redis functionality with optional auth #### Configuration - -| Parameter | Description | Default | -| ------------------------------------------ | --------------------------------------------- | ----------------- | -| `redis.image.repository` | Redis image repository | `redis` | -| `redis.image.tag` | Redis image tag | `7.4-alpine` | -| `redis.image.pullPolicy` | Image pull policy | `IfNotPresent` | -| `redis.auth.enabled` | Enable Redis authentication | `false` | -| `redis.auth.username` | Redis username (optional, for ACL-based auth) | `` | -| `redis.auth.password` | Redis password | `mypassword` | -| `redis.auth.existingSecret` | Use existing secret for credentials | `` | -| `redis.service.type` | Redis service type | `ClusterIP` | -| `redis.service.port` | Redis service port | `6379` | -| `redis.service.annotations` | Annotations for the Redis service | `{}` | -| `redis.pdb.create` | Create PodDisruptionBudget for Redis | `false` | -| `redis.pdb.maxUnavailable` | Maximum unavailable pods | `` | -| `redis.pdb.minAvailable` | Minimum available pods | `` | -| `redis.persistence.enabled` | Enable persistence using PVC | `false` | -| `redis.persistence.storageClass` | Storage class for PVC | `` | -| `redis.persistence.accessModes` | PVC access modes | `[ReadWriteOnce]` | -| `redis.persistence.size` | PVC size | `8Gi` | -| `redis.persistence.annotations` | PVC annotations (can include Helm hooks) | `{}` | -| `redis.persistence.existingClaim` | Use existing PVC | `` | -| `redis.maxmemory` | Redis max memory limit | `256mb` | -| `redis.maxmemoryPolicy` | Redis eviction policy | `allkeys-lru` | -| `redis.appendonly` | Enable AOF persistence | `false` | -| `redis.tls.enabled` | Enable TLS | `true` | -| `redis.tls.autoGenerated` | Auto-generate self-signed certificates | `true` | -| `redis.tls.certificatesSecret` | Existing secret with TLS certificates | `` | -| `redis.configuration` | Custom Redis configuration | `` | -| `redis.commonAnnotations` | Annotations applied to all Redis resources | `{}` | -| `redis.resources` | Resource requests and limits | `{}` | -| `redis.livenessProbe.enabled` | Enable liveness probe | `true` | -| `redis.livenessProbe.initialDelaySeconds` | Liveness probe initial delay | `5` | -| `redis.livenessProbe.periodSeconds` | Liveness probe period | `5` | -| `redis.livenessProbe.timeoutSeconds` | Liveness probe timeout | `5` | -| `redis.livenessProbe.failureThreshold` | Liveness probe failure threshold | `5` | -| `redis.readinessProbe.enabled` | Enable readiness probe | `true` | -| `redis.readinessProbe.initialDelaySeconds` | Readiness probe initial delay | `5` | -| `redis.readinessProbe.periodSeconds` | Readiness probe period | `5` | -| `redis.readinessProbe.timeoutSeconds` | Readiness probe timeout | `1` | -| `redis.readinessProbe.failureThreshold` | Readiness probe failure threshold | `5` | -| `redis.startupProbe.enabled` | Enable startup probe | `false` | -| `redis.nodeSelector` | Node labels for pod assignment | `{}` | -| `redis.affinity` | Affinity settings | `{}` | -| `redis.tolerations` | Tolerations for pod assignment | `[]` | -| `redis.podSecurityContext` | Pod security context | `{}` | -| `redis.containerSecurityContext` | Container security context | `{}` | -| `redis.podAnnotations` | Pod annotations | `{}` | -| `redis.podLabels` | Pod labels | `{}` | - +| Parameter | Description | Default | +| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | +| `redis.image.repository` | Redis image repository | `redis` | +| `redis.image.tag` | Redis image tag | `7.4-alpine` | +| `redis.image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `redis.auth.enabled` | Enable Redis authentication | `false` | +| `redis.auth.username` | Redis username (optional, for ACL-based auth) | `` | +| `redis.auth.password` | Redis password | `mypassword` | +| `redis.auth.existingSecret` | Use existing secret for credentials | `` | +| `redis.service.type` | Redis service type | `ClusterIP` | +| `redis.service.port` | Redis service port | `6379` | +| `redis.service.annotations` | Annotations for the Redis service | `{}` | +| `redis.pdb.create` | Create PodDisruptionBudget for Redis | `false` | +| `redis.pdb.maxUnavailable` | Maximum unavailable pods | `` | +| `redis.pdb.minAvailable` | Minimum available pods | `` | +| `redis.persistence.enabled` | Enable persistence using PVC | `false` | +| `redis.persistence.storageClass` | Storage class for PVC | `` | +| `redis.persistence.accessModes` | PVC access modes | `[ReadWriteOnce]` | +| `redis.persistence.size` | PVC size | `8Gi` | +| `redis.persistence.annotations` | PVC annotations (can include Helm hooks) | `{}` | +| `redis.persistence.existingClaim`| Use existing PVC | `` | +| `redis.maxmemory` | Redis max memory limit | `256mb` | +| `redis.maxmemoryPolicy` | Redis eviction policy | `allkeys-lru` | +| `redis.appendonly` | Enable AOF persistence | `false` | +| `redis.tls.enabled` | Enable TLS | `true` | +| `redis.tls.autoGenerated` | Auto-generate self-signed certificates | `true` | +| `redis.tls.certificatesSecret` | Existing secret with TLS certificates | `` | +| `redis.configuration` | Custom Redis configuration | `` | +| `redis.commonAnnotations` | Annotations applied to all Redis resources | `{}` | +| `redis.resources` | Resource requests and limits | `{}` | +| `redis.livenessProbe.enabled` | Enable liveness probe | `true` | +| `redis.livenessProbe.initialDelaySeconds` | Liveness probe initial delay | `5` | +| `redis.livenessProbe.periodSeconds` | Liveness probe period | `5` | +| `redis.livenessProbe.timeoutSeconds` | Liveness probe timeout | `5` | +| `redis.livenessProbe.failureThreshold` | Liveness probe failure threshold | `5` | +| `redis.readinessProbe.enabled` | Enable readiness probe | `true` | +| `redis.readinessProbe.initialDelaySeconds` | Readiness probe initial delay | `5` | +| `redis.readinessProbe.periodSeconds` | Readiness probe period | `5` | +| `redis.readinessProbe.timeoutSeconds` | Readiness probe timeout | `1` | +| `redis.readinessProbe.failureThreshold` | Readiness probe failure threshold | `5` | +| `redis.startupProbe.enabled` | Enable startup probe | `false` | +| `redis.nodeSelector` | Node labels for pod assignment | `{}` | +| `redis.affinity` | Affinity settings | `{}` | +| `redis.tolerations` | Tolerations for pod assignment | `[]` | +| `redis.podSecurityContext` | Pod security context | `{}` | +| `redis.containerSecurityContext` | Container security context | `{}` | +| `redis.podAnnotations` | Pod annotations | `{}` | +| `redis.podLabels` | Pod labels | `{}` | #### Example Configuration Enable Redis with basic settings (no auth, no TLS): - ```yaml config: redis: @@ -1293,7 +1184,6 @@ redis: ``` With authentication and TLS enabled: - ```yaml config: redis: @@ -1322,7 +1212,6 @@ redis: ``` With custom memory and eviction policy: - ```yaml config: redis: @@ -1339,14 +1228,12 @@ redis: #### TLS Certificates When `redis.tls.autoGenerated` is `true`, the chart automatically generates self-signed TLS certificates that include the following Subject Alternative Names (SANs): - - StatefulSet pod FQDN (e.g., `ssg-gateway-redis-0.ssg-gateway-redis-headless.namespace.svc.cluster.local`) - Headless service names in all variations - Regular service names - `localhost` and `127.0.0.1` To use your own certificates, set `redis.tls.autoGenerated: false` and provide your own secret: - ```yaml redis: tls: @@ -1356,7 +1243,6 @@ redis: ``` The secret must contain the following keys: - - `tls.crt` - Server certificate - `tls.key` - Server private key - `ca.crt` - CA certificate @@ -1364,22 +1250,17 @@ The secret must contain the following keys: [Back to Additional Guides](#additional-guides) ### GemFire Configuration (11.1.3) - Gemfire as shared data provider is supported with Gateway v11.1.3 onwards. Prerequisites: - -- ClusterIssuer/Issuer in cert-manager is required to generate TLS secret automatically when TLS is enabled without providing a tls secret. See how to configure [SelfSigned](https://cert-manager.io/docs/configuration/selfsigned/) and [CA](https://cert-manager.io/docs/configuration/ca/) issuer +* ClusterIssuer/Issuer in cert-manager is required to generate TLS secret automatically when TLS is enabled without providing a tls secret. See how to configure [SelfSigned](https://cert-manager.io/docs/configuration/selfsigned/) and [CA](https://cert-manager.io/docs/configuration/ca/) issuer To configure gemfire as data provider comment out existing system properties - ``` # com.l7tech.server.extension.sharedKeyValueStoreProvider=embeddedhazelcast # com.l7tech.server.extension.sharedCounterProvider=ssgdb ``` - Set the following system properties as needed - ``` # com.l7tech.server.extension.sharedKeyValueStoreProvider=embeddedgemfire/externalgemfire # com.l7tech.server.extension.sharedCounterProvider=embeddedgemfire/externalgemfire @@ -1387,54 +1268,48 @@ Set the following system properties as needed # com.l7tech.server.extension.sharedSortedSetProvider=embeddedgemfire/externalgemfire # com.l7tech.external.assertions.keyvaluestore.sharedKeyValueStoreProvider=embeddedgemfire/externalgemfire ``` - - -| Parameter | Description | Default | -| ----------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------- | -| `config.gemfire.acceptTerms` | Accepting the terms of use for VMware Tanzu GemFire. | `true` | -| `config.gemfire.auth.enabled` | Enable security athentication. | `false` | -| `config.gemfire.auth.username` | Authentication username, can be plaintext or openssl encrypted. If not provided use default username. | `default` | -| `config.gemfire.auth.password` | Authentication password in plaintxt or encrypted with OpenSSL. If not provided use clsuter password. | '' | -| `config.gemfire.tls.enabled` | Enable SSL/TLS secure communication between gateway and gemfire cluster components. | `false` | -| `config.gemfire.tls.certificate.issuerRef.kind` | Specifies cert-manager issuer type, Issuer or ClusterIssuer. Required when tls is enabled but existingSecret is not provided. | `ClusterIssuer` | -| `config.gemfire.tls.certificate.issuerRef.name` | The exact name of the Issuer or ClusterIssuer. Required when tls is enabled but existingSecret is not provided. | `myClusterIssuer` | -| `config.gemfire.tls.existingSecret` | Name of an existing secret - must contain two keys named truststore.p12 and keystore.p12 if provided. Takes priority over certificate issuer. | `` | -| `config.gemfire.tls.password` | Pasword for truststore.12 and keystore.p12 in existingSecret, can be plaintext or openssl encrypted. If existingSeret is set but password is not provided, default to clusterPassword | clusterPassword | -| `config.gemfire.tls.additionalProperties` | Additional tls related properties. | `` | -| `config.gemfire.useExistingLocators` | A list of existing locators to be used by gateway. | `[]` | -| `config.gemfire.embedded.enabled` | Enable embedded GemFire. | `false` | -| `config.gemfire.embedded.caches.additionalProperties` | Additional properties for embedded GemFire caches. | `` | -| `config.gemfire.embedded.externalLocators.replicas` | Number of GemFire locator replicas to deploy. | `2` | -| `config.gemfire.embedded.externalLocators.image.registry` | Image Registry | `docker.io` | -| `config.gemfire.embedded.externalLocators.image.repository` | Image Repository | `gemfire/gemfire` | -| `config.gemfire.embedded.externalLocators.image.tag` | Image Tag | `10.2.0-jdk21` | -| `config.gemfire.embedded.externalLocators.image.pullPolicy` | Image Pull Policy | `IfNotPresent` | -| `config.gemfire.embedded.externalLocators.resources` | Locator pod resources | {} | -| `config.gemfire.embedded.externalLocators.persistence.size` | Persistent Volume Claim Size | `2Gi` | -| `config.gemfire.external.enabled` | Enable external GemFire. | `false` | -| `config.gemfire.external.testOnStart` | Test the connection to Redis during Gateway start. If the conection fails and this is true, the Gateway will not start. | `false` | -| `config.gemfire.external.gwCounterRegionName` | GemFire data region name for gateway counter provider. | `layer7gw_counter` | -| `config.gemfire.external.gwRateLimiterRegionName` | GemFire data region name for gateway rate limiter provider. | `layer7gw_ratelimiter` | -| `config.gemfire.external.gwKeyValueRegionName` | GemFire data region name for gateway key value store provider. | `layer7gw_keyvalue` | -| `config.gemfire.external.gwSortedSetRegionName` | GemFire data region name for gateway sotred set provider. | `layer7gw_sortedset` | -| `config.gemfire.external.dynamicProperties` | Additional GemFire properties from gemfire.properties or gfsecurity.properties. | `` | -| `config.gemfire.managementConsole.enabled` | Enable GemFire management console. | `false` | -| `config.gemfire.managementConsole.service.port` | GemFire management console service port. | `8080` | -| `config.gemfire.managementConsole.service.annotations` | GemFire management console service annotations. | `{}` | -| `config.gemfire.managementConsole.image.registry` | Image Registry | `docker.io` | -| `config.gemfire.managementConsole.image.repository` | Image Repository | `gemfire/gemfire` | -| `config.gemfire.managementConsole.image.tag` | Image Tag | `1.4.1` | -| `config.gemfire.managementConsole.image.pullPolicy` | Image Pull Policy | `IfNotPresent` | - +| Parameter | Description | Default | +|-------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------| +| `config.gemfire.acceptTerms` | Accepting the terms of use for VMware Tanzu GemFire. | `true` | +| `config.gemfire.auth.enabled` | Enable security athentication. | `false` | +| `config.gemfire.auth.username` | Authentication username, can be plaintext or openssl encrypted. If not provided use default username. | `default` | +| `config.gemfire.auth.password` | Authentication password in plaintxt or encrypted with OpenSSL. If not provided use clsuter password. | '' | +| `config.gemfire.tls.enabled` | Enable SSL/TLS secure communication between gateway and gemfire cluster components. | `false` | +| `config.gemfire.tls.certificate.issuerRef.kind` | Specifies cert-manager issuer type, Issuer or ClusterIssuer.
Required when tls is enabled but existingSecret is not provided. | `ClusterIssuer` | +| `config.gemfire.tls.certificate.issuerRef.name` | The exact name of the Issuer or ClusterIssuer.
Required when tls is enabled but existingSecret is not provided. | `myClusterIssuer` | +| `config.gemfire.tls.existingSecret` | Name of an existing secret - must contain two keys named truststore.p12 and keystore.p12 if provided.
Takes priority over certificate issuer. | `` | +| `config.gemfire.tls.password` | Pasword for truststore.12 and keystore.p12 in existingSecret, can be plaintext or openssl encrypted.
If existingSeret is set but password is not provided, default to clusterPassword | clusterPassword | +| `config.gemfire.tls.additionalProperties` | Additional tls related properties. | `` | +| `config.gemfire.useExistingLocators` | A list of existing locators to be used by gateway. | `[]` | +| `config.gemfire.embedded.enabled` | Enable embedded GemFire. | `false` | +| `config.gemfire.embedded.caches.additionalProperties` | Additional properties for embedded GemFire caches. | `` | +| `config.gemfire.embedded.externalLocators.replicas` | Number of GemFire locator replicas to deploy. | `2` | +| `config.gemfire.embedded.externalLocators.image.registry` | Image Registry | `docker.io` | +| `config.gemfire.embedded.externalLocators.image.repository` | Image Repository | `gemfire/gemfire` | +| `config.gemfire.embedded.externalLocators.image.tag` | Image Tag | `10.2.0-jdk21` | +| `config.gemfire.embedded.externalLocators.image.pullPolicy` | Image Pull Policy | `IfNotPresent` | +| `config.gemfire.embedded.externalLocators.resources` | Locator pod resources | {} | +| `config.gemfire.embedded.externalLocators.persistence.size` | Persistent Volume Claim Size | `2Gi` | +| `config.gemfire.external.enabled` | Enable external GemFire. | `false` | +| `config.gemfire.external.testOnStart` | Test the connection to Redis during Gateway start. If the conection fails and this is true, the Gateway will not start. | `false` | +| `config.gemfire.external.gwCounterRegionName` | GemFire data region name for gateway counter provider. | `layer7gw_counter` | +| `config.gemfire.external.gwRateLimiterRegionName` | GemFire data region name for gateway rate limiter provider. | `layer7gw_ratelimiter` | +| `config.gemfire.external.gwKeyValueRegionName` | GemFire data region name for gateway key value store provider. | `layer7gw_keyvalue` | +| `config.gemfire.external.gwSortedSetRegionName` | GemFire data region name for gateway sotred set provider. | `layer7gw_sortedset` | +| `config.gemfire.external.dynamicProperties` | Additional GemFire properties from gemfire.properties or gfsecurity.properties. | `` | +| `config.gemfire.managementConsole.enabled` | Enable GemFire management console. | `false` | +| `config.gemfire.managementConsole.service.port` | GemFire management console service port. | `8080` | +| `config.gemfire.managementConsole.service.annotations` | GemFire management console service annotations. | `{}` | +| `config.gemfire.managementConsole.image.registry` | Image Registry | `docker.io` | +| `config.gemfire.managementConsole.image.repository` | Image Repository | `gemfire/gemfire` | +| `config.gemfire.managementConsole.image.tag` | Image Tag | `1.4.1` | +| `config.gemfire.managementConsole.image.pullPolicy` | Image Pull Policy | `IfNotPresent` | #### Creating your own Configuration - Please refer to [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/install-configure-upgrade/connect-to-a-gemfire-datastore.html) for more context on the available configuration options #### Embedded GemFire - Embedded gemfire will have external locators but gemfire cache servers are inside gateway container. - ``` config: gemfire: @@ -1445,13 +1320,10 @@ config: embedded: enabled: true ``` - #### External GemFire - Gateway as client connect to external gemfire cluster. Shared State Provider Config is used to configure gemfire. External gemfire is deployed by GemFire Kubernetes Operator, override-values.yaml: - ``` config: gemfire: @@ -1477,9 +1349,7 @@ config: sharedStateClient: enabled: true ``` - External gemfire, override-values.yaml: - ``` config: gemfire: @@ -1503,11 +1373,9 @@ config: sharedStateClient: enabled: true ``` - Providing custom sharedstate_client.yaml from a secret override-values.yaml - ``` config: gemfire: @@ -1527,9 +1395,7 @@ config: enabled: true existingConfigSecret: shared-state-client-secret ``` - sharedstate_client.yaml from secret - ``` gemfire: testOnStart: true @@ -1554,23 +1420,18 @@ gemfire: [Back to Additional Guides](#additional-guides) ### Shared State Provider Config - Shared State Providers from Gateway v11.1.1 onwards simplifies the configuration required to connect to providers like Redis. This is currently limited to Redis. In order for this configuration to take effect config.redis.enabled must also be set to true. - -| Parameter | Description | Default | -| ----------------------------------------------- | --------------------------------------------------------------------------------- | --------------------------- | -| `config.sharedStateClient.enabled` | Enable redis configuration | `true` | -| `config.sharedStateClient.existingConfigSecret` | Use an existing config secret - must contain a key called sharedstate_client.yaml | `sharedstate-client-secret` | -| `config.sharedStateClient.additionalProviders` | Configure additional shared state providers - example in values.yaml | `[]` | - +| Parameter | Description | Default | +| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | +| `config.sharedStateClient.enabled` | Enable redis configuration | `true` | +| `config.sharedStateClient.existingConfigSecret` | Use an existing config secret - must contain a key called sharedstate_client.yaml | `sharedstate-client-secret` | +| `config.sharedStateClient.additionalProviders` | Configure additional shared state providers - example in values.yaml | `[]` | [Back to Additional Guides](#additional-guides) ### Database Configuration - You can configure the deployment to use an external database (this is the recommended approach - the included MySQL SubChart is not supported). In the values.yaml file, set the create field in the database section to false, and set jdbcURL to use your own database server: - ``` database: enabled: true @@ -1581,11 +1442,9 @@ database: liquibaseLogLevel: "off" name: ssg ``` - In the above example, two MySQL database servers are specified with myprimaryserver acting as the primary server and mysecondaryserver acting as the secondary server. The failOverReadOnly property is also set to false meaning that the secondary server db is also writable. When disklessConfig.enabled is false (see [Diskless Configuration](#diskless-configuration)), the following database fields will be ignored: - - jdbcURL - username - password @@ -1593,13 +1452,11 @@ When disklessConfig.enabled is false (see [Diskless Configuration](#diskless-con The values will come from node.properties instead. See [External MySQL](#external-mysql) section. More info on the JDBC URL: - -- Connection URL syntax: [https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-url-format.html](https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-url-format.html) -- Failover config: [https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-config-failover.html](https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-config-failover.html) -- Configuration properties: [https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-properties.html](https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-properties.html) +- Connection URL syntax: https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-url-format.html +- Failover config: https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-config-failover.html +- Configuration properties: https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-properties.html Configuring SSL/TLS: the following parameters can be added to enable secure communication between the Gateway and an external MySQL Database - - useSSL=true - requireSSL=true - verifyServerCertificate=false @@ -1608,69 +1465,65 @@ Configuring SSL/TLS: the following parameters can be added to enable secure comm jdbcURL: jdbc:mysql://myprimaryserver:3306,mysecondaryserver:3306/ssg?useSSL=true&requireSSL=true&verifyServerCertificate=false ``` -In order the create the database on the remote server, the provided user in the username field must have write privilege on the database. See GRANT statement usage: [https://dev.mysql.com/doc/refman/8.0/en/grant.html#grant-database-privileges](https://dev.mysql.com/doc/refman/8.0/en/grant.html#grant-database-privileges) +In order the create the database on the remote server, the provided user in the username field must have write privilege on the database. See GRANT statement usage: https://dev.mysql.com/doc/refman/8.0/en/grant.html#grant-database-privileges [Back to Additional Guides](#additional-guides) ### MySQL StatefulSet (Development/Testing Only) - **Important Note:** This is a simple MySQL StatefulSet implementation for development and testing purposes only. ***It is not supported or recommended for production use.*** For production deployments, use an external MySQL database. #### Configuration - -| Parameter | Description | Default | -| ------------------------------------------ | ------------------------------------------------------------------- | ----------------- | -| `mysql.image.repository` | MySQL image repository | `docker.io/mysql` | -| `mysql.image.tag` | MySQL image tag | `8.4.5` | -| `mysql.image.pullPolicy` | Image pull policy | `IfNotPresent` | -| `mysql.auth.rootPassword` | MySQL root password | `mypassword` | -| `mysql.auth.database` | Database name to create | `ssg` | -| `mysql.auth.username` | MySQL user (optional) | `gateway` | -| `mysql.auth.password` | MySQL user password | `mypassword` | -| `mysql.auth.existingSecret` | Use existing secret for credentials | `` | -| `mysql.service.type` | MySQL service type | `ClusterIP` | -| `mysql.service.port` | MySQL service port | `3306` | -| `mysql.service.annotations` | Annotations for the MySQL service | `{}` | -| `mysql.pdb.create` | Create PodDisruptionBudget for MySQL | `false` | -| `mysql.pdb.maxUnavailable` | Maximum unavailable pods | `` | -| `mysql.pdb.minAvailable` | Minimum available pods | `` | -| `mysql.persistence.enabled` | Enable persistence using PVC | `true` | -| `mysql.persistence.storageClass` | Storage class for PVC | `` | -| `mysql.persistence.accessModes` | PVC access modes | `[ReadWriteOnce]` | -| `mysql.persistence.size` | PVC size | `8Gi` | -| `mysql.persistence.annotations` | PVC annotations (can include Helm hooks) | `{}` | -| `mysql.persistence.existingClaim` | Use existing PVC | `` | -| `mysql.configuration` | Custom MySQL configuration (my.cnf) | `see values.yaml` | -| `mysql.existingConfigmap` | Use existing ConfigMap for configuration | `` | -| `mysql.initdbScripts` | Init scripts as key-value pairs | `{}` | -| `mysql.initdbScriptsConfigMap` | Existing ConfigMap with init scripts | `` | -| `mysql.commonAnnotations` | Annotations applied to all MySQL resources (can include Helm hooks) | `{}` | -| `mysql.resources` | Resource requests and limits | `{}` | -| `mysql.livenessProbe.enabled` | Enable liveness probe | `true` | -| `mysql.livenessProbe.initialDelaySeconds` | Liveness probe initial delay | `30` | -| `mysql.livenessProbe.periodSeconds` | Liveness probe period | `10` | -| `mysql.livenessProbe.timeoutSeconds` | Liveness probe timeout | `5` | -| `mysql.livenessProbe.failureThreshold` | Liveness probe failure threshold | `3` | -| `mysql.readinessProbe.enabled` | Enable readiness probe | `true` | -| `mysql.readinessProbe.initialDelaySeconds` | Readiness probe initial delay | `5` | -| `mysql.readinessProbe.periodSeconds` | Readiness probe period | `5` | -| `mysql.readinessProbe.timeoutSeconds` | Readiness probe timeout | `1` | -| `mysql.readinessProbe.failureThreshold` | Readiness probe failure threshold | `3` | -| `mysql.startupProbe.enabled` | Enable startup probe | `false` | -| `mysql.nodeSelector` | Node labels for pod assignment | `{}` | -| `mysql.affinity` | Affinity settings | `{}` | -| `mysql.tolerations` | Tolerations for pod assignment | `[]` | -| `mysql.podSecurityContext` | Pod security context | `{}` | -| `mysql.containerSecurityContext` | Container security context | `{}` | -| `mysql.podAnnotations` | Pod annotations | `{}` | -| `mysql.podLabels` | Pod labels | `{}` | - +| Parameter | Description | Default | +| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | +| `mysql.image.repository` | MySQL image repository | `docker.io/mysql` | +| `mysql.image.tag` | MySQL image tag | `8.4.5` | +| `mysql.image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `mysql.auth.rootPassword` | MySQL root password | `mypassword` | +| `mysql.auth.database` | Database name to create | `ssg` | +| `mysql.auth.username` | MySQL user (optional) | `gateway` | +| `mysql.auth.password` | MySQL user password | `mypassword` | +| `mysql.auth.existingSecret` | Use existing secret for credentials | `` | +| `mysql.service.type` | MySQL service type | `ClusterIP` | +| `mysql.service.port` | MySQL service port | `3306` | +| `mysql.service.annotations` | Annotations for the MySQL service | `{}` | +| `mysql.pdb.create` | Create PodDisruptionBudget for MySQL | `false` | +| `mysql.pdb.maxUnavailable` | Maximum unavailable pods | `` | +| `mysql.pdb.minAvailable` | Minimum available pods | `` | +| `mysql.persistence.enabled` | Enable persistence using PVC | `true` | +| `mysql.persistence.storageClass` | Storage class for PVC | `` | +| `mysql.persistence.accessModes` | PVC access modes | `[ReadWriteOnce]` | +| `mysql.persistence.size` | PVC size | `8Gi` | +| `mysql.persistence.annotations` | PVC annotations (can include Helm hooks) | `{}` | +| `mysql.persistence.existingClaim`| Use existing PVC | `` | +| `mysql.configuration` | Custom MySQL configuration (my.cnf) | `see values.yaml` | +| `mysql.existingConfigmap` | Use existing ConfigMap for configuration | `` | +| `mysql.initdbScripts` | Init scripts as key-value pairs | `{}` | +| `mysql.initdbScriptsConfigMap` | Existing ConfigMap with init scripts | `` | +| `mysql.commonAnnotations` | Annotations applied to all MySQL resources (can include Helm hooks) | `{}` | +| `mysql.resources` | Resource requests and limits | `{}` | +| `mysql.livenessProbe.enabled` | Enable liveness probe | `true` | +| `mysql.livenessProbe.initialDelaySeconds` | Liveness probe initial delay | `30` | +| `mysql.livenessProbe.periodSeconds` | Liveness probe period | `10` | +| `mysql.livenessProbe.timeoutSeconds` | Liveness probe timeout | `5` | +| `mysql.livenessProbe.failureThreshold` | Liveness probe failure threshold | `3` | +| `mysql.readinessProbe.enabled` | Enable readiness probe | `true` | +| `mysql.readinessProbe.initialDelaySeconds` | Readiness probe initial delay | `5` | +| `mysql.readinessProbe.periodSeconds` | Readiness probe period | `5` | +| `mysql.readinessProbe.timeoutSeconds` | Readiness probe timeout | `1` | +| `mysql.readinessProbe.failureThreshold` | Readiness probe failure threshold | `3` | +| `mysql.startupProbe.enabled` | Enable startup probe | `false` | +| `mysql.nodeSelector` | Node labels for pod assignment | `{}` | +| `mysql.affinity` | Affinity settings | `{}` | +| `mysql.tolerations` | Tolerations for pod assignment | `[]` | +| `mysql.podSecurityContext` | Pod security context | `{}` | +| `mysql.containerSecurityContext` | Container security context | `{}` | +| `mysql.podAnnotations` | Pod annotations | `{}` | +| `mysql.podLabels` | Pod labels | `{}` | #### Example Configuration Enable MySQL with basic settings: - ```yaml database: create: true # Enables the MySQL StatefulSet @@ -1687,7 +1540,6 @@ mysql: ``` With Helm hooks for pre-install: - ```yaml database: create: true @@ -1705,7 +1557,6 @@ mysql: ``` With custom configuration: - ```yaml database: create: true @@ -1719,7 +1570,6 @@ mysql: ``` With init scripts: - ```yaml database: create: true @@ -1738,7 +1588,6 @@ mysql: #### Connecting the Gateway to MySQL When using the MySQL StatefulSet, configure the Gateway's database connection: - ```yaml database: enabled: true @@ -1753,7 +1602,6 @@ The Gateway will automatically connect to the MySQL service at `-g #### OTK Demo Database Integration When `otk.database.useDemoDb` is set to `true` and `database.create` is `true`, the MySQL StatefulSet will automatically: - - Apply Helm hook annotations (`helm.sh/hook: pre-install,post-upgrade`) to ensure MySQL is created before OTK installation - Mount the OTK database initialization scripts from the `otk-db-scripts-cm` ConfigMap - Initialize the OTK database schema during MySQL startup @@ -1874,18 +1722,14 @@ Fix the root cause (for example, a missing MySQL privilege) and re-run `helm upg [Back to Additional Guides](#additional-guides) ### Cluster Wide Properties - You can specify cluster-wide properties in values.yaml, you can also use the [bundle](#bundle-configuration) to load your own Gateway Bundles. - -| Parameter | Description | Default | -| ----------------------- | --------------------------------------------------- | ----------------- | -| `config.cwp.enabled` | Enable the CWP functionality (mounts a volume) | `false` | -| `config.cwp.properties` | Array of Key/Value pairs of cluster-wide properties | `see values.yaml` | - +| Parameter | Description | Default | +| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | +| `config.cwp.enabled` | Enable the CWP functionality (mounts a volume) | `false` | +| `config.cwp.properties` | Array of Key/Value pairs of cluster-wide properties | `see values.yaml` | The default cluster-wide properties are as follows - ``` config: ... @@ -1908,17 +1752,15 @@ config: [Back to Additional Guides](#additional-guides) ### Enable DualStack(IPv4/IPv6) - To enable dual stack, you need to add or uncomment the given Java arguments, which can be configured in the values.yaml file. Gateway v11.1.3 supports dual stack. -Djava.net.preferIPv4Stack=false -Djava.net.preferIPv6Addresses=true - -| Java Argument | Description | Default | -| ------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | -| `-Djava.net.preferIPv4Stack=false` | If IPv6 is available on the operating system, the underlying native socket will, by default, be an IPv6 socket. This allows applications to connect to, and accept connections from, both IPv4 and IPv6 hosts. | `true` | -| `-Djava.net.preferIPv6Addresses=true` | When connecting to a host that has both IPv4 and IPv6 addresses, and if IPv6 is available on the operating system, the default behavior is to prefer IPv4 addresses over IPv6. | `false` | +| Java Argument | Description | Default | +|---------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------| +| `-Djava.net.preferIPv4Stack=false` | If IPv6 is available on the operating system, the underlying native socket will, by default, be an IPv6 socket. This allows applications to connect to, and accept connections from, both IPv4 and IPv6 hosts. | `true` | +| `-Djava.net.preferIPv6Addresses=true` | When connecting to a host that has both IPv4 and IPv6 addresses, and if IPv6 is available on the operating system, the default behavior is to prefer IPv4 addresses over IPv6. | `false` | ``` @@ -1941,32 +1783,27 @@ config: Gateway and Management Service can optionally configure it as dual stack. - -| Parameter | Description | Default | -| ----------------------------------- | ------------------------------------------------------------------------------------------------------------------- | --------------- | -| `service.ipFamilyPolicy` | Gateway Service ipFamilyPolicy can be used to configure SingleStack, PreferDualStack or RequireDualStack | `commented out` | -| `service.ipFamilies` | Gateway Service ipFamilies can be used to configure ["IPv4"], ["IPv6"], ["IPv4", "IPv6"] or ["IPv6", "IPv4"] | `nil` | -| `management.service.ipFamilyPolicy` | PolicyManager Service ipFamilyPolicy can be used to configure SingleStack, PreferDualStack or RequireDualStack | `commented out` | -| `management.service.ipFamilies` | PolicyMananger Service ipFamilies can be used to configure ["IPv4"], ["IPv6"], ["IPv4", "IPv6"] or ["IPv6", "IPv4"] | `nil` | +| Parameter | Description | Default | +|-------------------------------------|----------------------------------------------------------------------------------------------------------------------|-----------------| +| `service.ipFamilyPolicy` | Gateway Service ipFamilyPolicy can be used to configure SingleStack, PreferDualStack or RequireDualStack | `commented out` | +| `service.ipFamilies` | Gateway Service ipFamilies can be used to configure ["IPv4"], ["IPv6"], ["IPv4", "IPv6"] or ["IPv6", "IPv4"] | `nil` | +| `management.service.ipFamilyPolicy` | PolicyManager Service ipFamilyPolicy can be used to configure SingleStack, PreferDualStack or RequireDualStack | `commented out` | +| `management.service.ipFamilies` | PolicyMananger Service ipFamilies can be used to configure ["IPv4"], ["IPv6"], ["IPv4", "IPv6"] or ["IPv6", "IPv4"] | `nil` | [Back to Additional Guides](#additional-guides) ### Java Args - Additional Java Arguments as may be recommended by support can be configured in values.yaml. Gateway v11.1.1 supports two new fields that allows a min and max heap size to be set. If these are not set config.heapSize will take precedence. - -| Parameter | Description | Default | -| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------- | -| `config.heapSize` | Java Heap Size - this should be a percentage of the memory configured in resources.limits and should be updated together. The default assumes 50%, going above 75% is not recommended | `2G` | -| `config.minHeapSize` | Java Min Heap Size - this should be a percentage of the memory configured in resources.limits and should be updated together. The default assumes 25% | `1G` | -| `config.maxHeapSize` | Java Max Heap Size - this should be a percentage of the memory configured in resources.limits and should be updated together. The default assumes 75%, going above this is not recommended | `3G` | -| `config.javaArgs` | Additional Java Args to pass to the SSG process | `see values.yaml` | - +| Parameter | Description | Default | +| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | +| `config.heapSize` | Java Heap Size - this should be a percentage of the memory configured in resources.limits and should be updated together. The default assumes 50%, going above 75% is not recommended | `2G` | +| `config.minHeapSize` | Java Min Heap Size - this should be a percentage of the memory configured in resources.limits and should be updated together. The default assumes 25% | `1G` | +| `config.maxHeapSize` | Java Max Heap Size - this should be a percentage of the memory configured in resources.limits and should be updated together. The default assumes 75%, going above this is not recommended | `3G` | +| `config.javaArgs` | Additional Java Args to pass to the SSG process | `see values.yaml` | The default Java Args are as follows - ``` config: heapSize: "2g" @@ -1986,14 +1823,11 @@ config: [Back to Additional Guides](#additional-guides) ### System Properties - Additional System Properties as may be recommended by support can be configured in values.yaml - -| Parameter | Description | Default | -| ------------------------- | ------------------------- | ----------------- | -| `config.systemProperties` | Gateway System Properties | `see values.yaml` | - +| Parameter | Description | Default | +| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | +| `config.systemProperties` | Gateway System Properties | `see values.yaml` | The default systemProperties represent what is currently in the base Gateway image with one added flag @@ -2003,7 +1837,6 @@ com.l7tech.server.clusterStaleNodeCleanupTimeoutSeconds=86400 ``` The full default is this - ``` systemProperties: |- # Default Gateway system properties @@ -2025,16 +1858,13 @@ The full default is this [Back to Additional Guides](#additional-guides) ### Diskless Configuration - Refer to [TechDocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/install-configure-upgrade/configuring-the-container-gateway/environment-variables-for-the-container-gateway.html) for more info. Running without Diskless config is supported from Gateway v11.1.1 onwards. Please make sure disklessConfig.enabled is true (default) if you are using a previous version of the Container Gateway. **DISKLESS_CONFIG** is a new environment variable that was introduced in Gateway v11.1.1, that allows switching between configuration sources. This is exposed in the Gateway Helm Chart via the disklessConfig configuration in values.yaml. - - **disklessConfig.enabled: true** - Default, No changes. - ``` disklessConfig: enabled: true @@ -2042,13 +1872,11 @@ disklessConfig: # name: gateway-secret # csi: {} ``` - - **disklessConfig.enabled: false** - The Gateway will be read its configuration from node.properties which is mounted to the container gateway. - This facilitates the use of the [secret store csi driver](https://secrets-store-csi-driver.sigs.k8s.io/) to mount configuration. - Creates a secret with node.properties by default - We **strongly recommend** you create your own node.properties file and make use of disklessConfig.existingSecret configuration. - ``` disklessConfig: enabled: false @@ -2060,11 +1888,9 @@ disklessConfig: #### Creating a node.properties file ##### External MySQL - - Make sure the database configuration matches what is in node.properties Example: node.properties with MySQL database configuration - ``` node.cluster.pass=mypassword admin.user=admin @@ -2077,11 +1903,9 @@ l7.mysql.connection.url=jdbc:mysql://myprimaryserver:3306,mysecondaryserver:3306 See [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/install-configure-upgrade/enable-ssl-connections-for-mysql.html) for more info on setting l7.mysql.connection.url. JDBC URLs like the value provided in database.jdbcUrl can be used as the value of l7.mysql.connection.url in node.properties. ##### Gateway running in Ephemeral Mode (no external MySQL) - - To run the Gateway in Ephemeral mode, ***node.db.type=derby*** needs to be added to node.properties Example: node.properties with Derby configuration - ``` node.cluster.pass=mypassword admin.user=admin @@ -2089,31 +1913,24 @@ admin.pass=mypassword node.db.type=derby node.db.config.main.user=gateway ``` - Unlike interactive password changes in Policy Manager, the container startup scripts validate the following username and password against a restricted character set (for parsing/scripting safety): - ``` admin.user, admin.pass, node.db.config.main.user, node.db.config.main.pass ``` - They may contain alphanumeric ASCII characters and any of the following symbols: ! @ . = - _ ^ + ; : # , %. Do NOT use space characters. ##### Update values.yaml - Update your values file to use the new node.properties file. This command is the simplest way to create a secret with node.properties. Note that this can also be created with tools like [kustomize](https://kustomize.io/) which will be better for CI/CD pipelines. You can also take advantage of the secret [secret store csi driver](https://secrets-store-csi-driver.sigs.k8s.io/) to mount this secret from an external KMS provider. Note that the key name is node.properties. This is required. - ``` kubectl create secret generic gateway-secret --from-file=node.properties=path/to/node.properties ``` - values.yaml - ``` disklessConfig: enabled: false @@ -2125,7 +1942,6 @@ disklessConfig: # volumeAttributes: # secretProviderClass: "secret-provider-class-name" ``` - #### Set up node.properties secret by InitContainer From Gateway v11.2.0 onwards, node.properties support secrets provided in different format by different third party secret managers using InitContainer. @@ -2134,7 +1950,6 @@ Gateway container mounts only /opt/docker/custom/custom-properties/node.properti InitContainer volumeMounts name has to be **shared-secret** values.yaml - ``` disklessConfig: enabled: false @@ -2162,26 +1977,21 @@ initContainers: yum install -y jq jq -r 'to_entries | map("\(.key)=\(.value)") |.[]' /opt/docker/config/node.json > /opt/docker/config/node.properties ``` - More information on how to use initContainers with examples can be found on the [Layer7 Community Github Utilities Repository](https://github.com/Layer7-Community/Utilities/tree/main/gateway-init-container-examples). [Back to Additional Guides](#additional-guides) ### Bundle Configuration - There are a variety of ways to mount Gateway (Restman format) Bundles to the Gateway Container. The best option is making use of existingBundles where the bundle has been created ahead of deployment as a configMap or secret. This allows for purpose built Gateways with a guaranteed set of configuration, apis/services. - -| Parameter | Description | Default | -| --------------------------- | --------------------------------- | ----------------- | -| `existingBundle.enabled` | Enable bundle mounts | `false` | -| `existingBundle.configMaps` | Array of configmap configurations | `see values.yaml` | -| `existingBundle.secrets` | Array of secret configurations | `see values.yaml` | - +| Parameter | Description | Default | +| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | +| `existingBundle.enabled` | Enable bundle mounts | `false` | +| `existingBundle.configMaps` | Array of configmap configurations | `see values.yaml` | +| `existingBundle.secrets` | Array of secret configurations | `see values.yaml` | This example shows 1 secret and 1 configmap configured - you can also use the secrets-store.csi.k8s.io driver for bundles that contain sensitive information. - ``` # Bundles that contain sensitive information can be mounted using the Kubernetes CSI Driver existingBundle: @@ -2204,11 +2014,9 @@ existingBundle: [Back to Additional Guides](#additional-guides) ### Bootstrap Script - To reduce reliance on requiring a custom gateway image for custom and modular assertions, scripts and restman bundles a bootstrap script has been introduced. The script works with the /opt/docker/custom folder. The best way to populate this folder is with an initContainer where files can be copied directly across or dynamically loaded from an external source. The following configuration enables the script - ``` bootstrap: script: @@ -2216,37 +2024,36 @@ bootstrap: cleanup: false <== set this to true if you'd like to clear the /opt/docker/custom folder after it has run. ``` -The bootstrap script scans files in `/opt/docker/custom`. This folder is populated by an initContainer. +The bootstrap script scans files in ```/opt/docker/custom```. This folder is populated by an initContainer. The following folder stucture must be maintained - Restman Bundles (.bundle) - - Source `/opt/docker/custom/bundles` - - Target `/opt/SecureSpan/Gateway/node/default/etc/bootstrap/bundle` + - Source ```/opt/docker/custom/bundles``` + - Target ```/opt/SecureSpan/Gateway/node/default/etc/bootstrap/bundle``` - Custom Assertions (.jar) - - Source `/opt/docker/custom/custom-assertions` - - Target `/opt/SecureSpan/Gateway/runtime/modules/lib/` + - Source ```/opt/docker/custom/custom-assertions``` + - Target ```/opt/SecureSpan/Gateway/runtime/modules/lib/``` - Modular Assertions (.aar) - - Source `/opt/docker/custom/modular-assertions` - - Target `/opt/SecureSpan/Gateway/runtime/modules/assertions` + - Source ```/opt/docker/custom/modular-assertions``` + - Target ```/opt/SecureSpan/Gateway/runtime/modules/assertions``` - Properties (.properties) - - Source `/opt/docker/custom/properties` - - Target `/opt/SecureSpan/Gateway/node/default/etc/conf/` + - Source ```/opt/docker/custom/properties``` + - Target ```/opt/SecureSpan/Gateway/node/default/etc/conf/``` + More information on how to use initContainers with examples can be found on the [Layer7 Community Github Utilities Repository](https://github.com/Layer7-Community/Utilities/tree/main/gateway-init-container-examples). [Back to Additional Guides](#additional-guides) ### Custom Health Checks - -You can now specify a configMap or Secret that contains healthcheck scripts. These are mounted to `/opt/docker/rc.d/diagnostic/health_check` where they are run by `/opt/docker/rc.d/diagnostic/health_check.sh`. +You can now specify a configMap or Secret that contains healthcheck scripts. These are mounted to ```/opt/docker/rc.d/diagnostic/health_check``` where they are run by ```/opt/docker/rc.d/diagnostic/health_check.sh```. - Limited to a single configmap or secret. - ConfigMaps and Secrets can hold multiple scripts. - [See this example](https://github.com/Layer7-Community/Utilities/tree/main/gateway-init-container-examples) ***NOTE: if you set a configMap and a Secret only one of them will be applied to your API Gateway.*** - ``` existingHealthCheck: enabled: false @@ -2266,11 +2073,9 @@ existingHealthCheck: [Back to Additional Guides](#additional-guides) ### Custom Configuration Files - Certain folders on the Container Gateway are not writeable by design. This configuration allows you to mount existing configMap/Secret keys to specific paths on the Gateway without the need for a root user or a custom/derived image. - [See this example](https://github.com/Layer7-Community/Utilities/tree/main/gateway-init-container-examples) - ``` customConfig: enabled: false @@ -2288,15 +2093,13 @@ customConfig: [Back to Additional Guides](#additional-guides) ### Graceful Termination - During upgrades and other events where Gateway pods are replaced you may have APIs/Services that have long running connections open. This functionality delays Kubernetes sending a SIGTERM to the container gateway while connections remain open. This works in conjunction with terminationGracePeriodSeconds which should always be higher than preStopScript.timeoutSeconds. If preStopScript.timeoutSeconds is exceeded, the script will exit 0 and normal pod termination will resume. -The preStop script will monitor connections to **inbound (not outbound)** Gateway Application TCP ports (i.e. inbound listener ports opened by the Gateway Application and not some other process) except those that are explicitly excluded. +The preStop script will monitor connections to inbound (not outbound) Gateway Application TCP ports (i.e. inbound listener ports opened by the Gateway Application and not some other process) except those that are explicitly excluded. The following ports are excluded from monitoring by default. - - 8777 (Hazelcast) - Hazelcast. - 2124 (Internode-Communication) - not utilised by the Container Gateway. @@ -2306,38 +2109,32 @@ While there aren't any explicit limits on preStopScript.timeoutSeconds and termi The graceful termination (preStop script) is disabled by default. - -| Parameter | Description | Default | -| ------------------------------- | ---------------------------------------------------------------------------------------------- | ----------------- | -| `lifecycleHooks` | Custom lifecycle hooks, takes precedence over the preStopScript | `{}` | -| `preStopScript.enabled` | Enable the preStop script | `false` | -| `preStopScript.periodSeconds` | The time in seconds between checks | `3` | -| `preStopScript.timeoutSeconds` | Timeout - must be lower than terminationGracePeriodSeconds | `60` | -| `preStopScript.excludedPorts` | Array of ports that should be excluded from the preStop script check | `[8777, 2124]` | -| `terminationGracePeriodSeconds` | Default duration in seconds kubernetes waits for container to exit before sending kill signal. | `see values.yaml` | - +| Parameter | Description | Default | +| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | +| `lifecycleHooks` | Custom lifecycle hooks, takes precedence over the preStopScript | `{}` | +| `preStopScript.enabled` | Enable the preStop script | `false` | +| `preStopScript.periodSeconds` | The time in seconds between checks | `3` | +| `preStopScript.timeoutSeconds` | Timeout - must be lower than terminationGracePeriodSeconds | `60` | +| `preStopScript.excludedPorts` | Array of ports that should be excluded from the preStop script check | `[8777, 2124]` | +| `terminationGracePeriodSeconds` | Default duration in seconds kubernetes waits for container to exit before sending kill signal. | `see values.yaml` | [Back to Additional Guides](#additional-guides) ### Autoscaling - Autoscaling is disabled by default, you will need [metrics server](https://github.com/kubernetes-sigs/metrics-server) in conjunction with the configuration below. In order for Kubernetes to determine when to scale, you will also need to configure resources We do not recommend setting MaxReplicas for a MySQL backed API Gateway above 8. - -| Parameter | Description | Default | -| ----------------------------- | ----------------------------------------- | ----------------- | -| `autoscaling.enabled` | Enable autoscaling | `false` | -| `autoscaling.hpa.minReplicas` | Minimum replicas that should be available | `1` | -| `autoscaling.hpa.maxReplicas` | Maximum replicas that should be available | `3` | -| `autoscaling.hpa.metrics` | Metrics to scale on | `see values.yaml` | -| `autoscaling.hpa.behaviour` | Scale up/down behaviour | `see values.yaml` | - +| Parameter | Description | Default | +| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | +| `autoscaling.enabled` | Enable autoscaling | `false` | +| `autoscaling.hpa.minReplicas` | Minimum replicas that should be available | `1` | +| `autoscaling.hpa.maxReplicas` | Maximum replicas that should be available | `3` | +| `autoscaling.hpa.metrics` | Metrics to scale on | `see values.yaml` | +| `autoscaling.hpa.behaviour` | Scale up/down behaviour | `see values.yaml` | Here is an example of a configured autoscaling section. - ``` autoscaling: enabled: true @@ -2369,19 +2166,14 @@ autoscaling: [Back to Additional Guides](#additional-guides) ### Pod Disruption Budgets - [Pod Disruption Budgets](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) allow you to limit the number of concurrent disruptions that your application experiences, allowing for higher availability while permitting the cluster administrator to manage the clusters nodes. - - -| Parameter | Description | Default | -| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------- | -| `pdb.create` | Create a PodDisruptionBudget for your Gateway Release | `false` | -| `pdb.maxUnavailable` | number of pods from that set that can be unavailable after the eviction. It can be either an absolute number or a percentage. | `""` | -| `pdb.minAvailable` | number of pods from that set that must still be available after the eviction, even in the absence of the evicted pod. minAvailable can be either an absolute number or a percentage. | `""` | - +| Parameter | Description | Default | +| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | +| `pdb.create` | Create a PodDisruptionBudget for your Gateway Release | `false` | +| `pdb.maxUnavailable` | number of pods from that set that can be unavailable after the eviction. It can be either an absolute number or a percentage. | `""` | +| `pdb.minAvailable` | number of pods from that set that must still be available after the eviction, even in the absence of the evicted pod. minAvailable can be either an absolute number or a percentage. | `""` | Example - note that only ***maxUnavailable*** or ***minAvailable*** can be set - both values ***cannot*** be set at the same time. - ``` pdb: create: true @@ -2392,20 +2184,16 @@ pdb: [Back to Additional Guides](#additional-guides) ### RBAC Parameters - PM Tagger requires access to pods in the current namespace, it uses the Gateway Configured service account. - -| Parameter | Description | Default | -| ----------------------- | ------------------------------------------------------------------------------------------------------------ | ------- | -| `serviceAccount.create` | Create a service account for the Gateway | `true` | -| `serviceAccount.name` | Use an existing service account or specify the name of the service account that you would like to be created | `nil` | -| `rbac.create` | Create Role and Rolebinding for Gateway Service Account | `true` | - +| Parameter | Description | Default | +| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | +| `serviceAccount.create` | Create a service account for the Gateway | `true` | +| `serviceAccount.name` | Use an existing service account or specify the name of the service account that you would like to be created | `nil` | +| `rbac.create` | Create Role and Rolebinding for Gateway Service Account | `true` | If you would like to create and use your own service account the Gateway with PM Tagger will require the following role to function correctly. ***This should NOT be a cluster role*** - ``` rules: - apiGroups: [""] @@ -2416,7 +2204,6 @@ rules: [Back to Additional Guides](#additional-guides) ### Logs & Audit Configuration - The API Gateway containers are configured to output logs and audits as JSON events, and to never write audits to the in-memory Derby database: - System properties in the default template for the `config.javaArgs` value configure the log and audit behaviour: @@ -2425,37 +2212,32 @@ The API Gateway containers are configured to output logs and audits as JSON even - Default log output configuration is overridden by specifying an alternative configuration properties file: `-Djava.util.logging.config.file=/opt/SecureSpan/Gateway/node/default/etc/conf/log-override.properties` - The alternative log configuration properties file `log-override.properties` is mounted on the container, via ConfigMap. - System property to include well known Certificate Authorities Trust Anchors - - API Gateway does not implicitly trust certificates without importing it but If you want to avoid import step then configure Gateway to accept any certificate signed by well known CA's (Certificate Authorities) - configure following property to true - - Set '-Dcom.l7tech.server.pkix.useDefaultTrustAnchors=true' for well known Certificate Authorities be included as Trust Anchors (true/false) + - API Gateway does not implicitly trust certificates without importing it but If you want to avoid import step then configure Gateway to accept any certificate signed by well known CA's (Certificate Authorities) + configure following property to true - + Set '-Dcom.l7tech.server.pkix.useDefaultTrustAnchors=true' for well known Certificate Authorities be included as Trust Anchors (true/false) - Allow wildcards when verifying hostnames (true/false) - - Set '-Dcom.l7tech.security.ssl.hostAllowWildcard=true' to allow wildcards when verifying hostnames (true/false) + - Set '-Dcom.l7tech.security.ssl.hostAllowWildcard=true' to allow wildcards when verifying hostnames (true/false) [Back to Additional Guides](#additional-guides) ## Subchart Configuration - ***these do not represent production configurations*** For Production implementations, please see the Chart links for recommended settings. The best approach would be deploying each independently ## Hazelcast +The following table lists the configured parameters of the Hazelcast Subchart - see the following for more detail https://github.com/hazelcast/charts/blob/master/stable/hazelcast/values.yaml -The following table lists the configured parameters of the Hazelcast Subchart - see the following for more detail [https://github.com/hazelcast/charts/blob/master/stable/hazelcast/values.yaml](https://github.com/hazelcast/charts/blob/master/stable/hazelcast/values.yaml) - - -| Parameter | Description | Default | -| ------------------------------- | --------------------------------------------------------------------------- | ---------------------------- | -| `hazelcast.enabled` | Enable/Disable deployment of Hazelcast | `false` | -| `hazelcast.external` | Point to an external Hazelcast - set enabled to false and configure the url | `false` | -| `hazelcast.image.tag` | The Gateway currently supports Hazelcast 4.x/5.x servers. | `5.2.1` | -| `hazelcast.url` | External Hazelcast Url | `hazelcast.example.com:5701` | -| `hazelcast.cluster.memberCount` | Number of Hazelcast Replicas you wish to deploy | `see values.yaml` | -| `hazelcast.hazelcast.yaml` | Hazelcast configuration | `see the documentation link` | - +| Parameter | Description | Default | +| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | +| `hazelcast.enabled` | Enable/Disable deployment of Hazelcast | `false` | +| `hazelcast.external` | Point to an external Hazelcast - set enabled to false and configure the url | `false` | +| `hazelcast.image.tag` | The Gateway currently supports Hazelcast 4.x/5.x servers. | `5.2.1` | +| `hazelcast.url` | External Hazelcast Url | `hazelcast.example.com:5701` | +| `hazelcast.cluster.memberCount` | Number of Hazelcast Replicas you wish to deploy | `see values.yaml` | +| `hazelcast.hazelcast.yaml` | Hazelcast configuration | `see the documentation link` | ### Subcharts +* Hazelcast (default: disabled) ==> https://github.com/helm/charts/tree/master/stable/hazelcast -- Hazelcast (default: disabled) ==> [https://github.com/helm/charts/tree/master/stable/hazelcast](https://github.com/helm/charts/tree/master/stable/hazelcast) - -[Back to Additional Guides](#additional-guides) \ No newline at end of file +[Back to Additional Guides](#additional-guides)