# Default values for the Open Choreo Gateway chart.
# This file is intended to be exhaustive and well documented; adjust per environment.

# Chart-wide naming overrides (empty = use the release/chart derived names).
nameOverride: ''
fullnameOverride: ''

# Pull secrets applied to every component image (components may also set their own).
imagePullSecrets: []

# Labels / annotations added to every rendered resource.
commonLabels: {}
commonAnnotations: {}

# ServiceAccount used by the gateway workloads.
serviceAccount:
  # Create the ServiceAccount as part of the release.
  create: true
  annotations: {}
  # Explicit ServiceAccount name; empty lets the chart derive one.
  name: ''
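# NOTE(review): the nesting below was reconstructed from a copy whose indentation had
# been stripped; verify the tree against the chart's own values.yaml before relying on it.
# Deployment-level settings (replicas, probes, resources, ...) have moved to each
# component's `deployment` block below.
# Component-level configuration
gateway:
  # Shared configuration for gateway-controller and policy-engine.
  # This config is mounted to both components as /configs/config.toml
  config:
    controller:
      server:
        api_port: 9090
        xds_port: 18000
        shutdown_timeout: 15s
        gateway_id: "platform-gateway-id"
      controlplane:
        # Keep false outside local development: true skips TLS verification
        # of the control plane connection.
        insecure_skip_verify: false
        reconnect_initial: 1s
        reconnect_max: 5m
        polling_interval: 15m
        deployment_push_enabled: false
        sync_batch_size: 50
        gateway_name: ""
        # Credentials. Leave these empty in version control and supply them per
        # environment; a non-empty value here presumably lands in the shared
        # ConfigMap mounted as config.toml, not in a Secret.
        apim_oauth2_client_id: ""
        apim_oauth2_client_secret: ""
        apim_oauth2_username: ""
        apim_oauth2_password: ""
      policy_server:
        port: 18001
        tls:
          enabled: false
          cert_file: ./certs/server.crt
          key_file: ./certs/server.key
      storage:
        type: sqlite
        sqlite:
          path: ./data/gateway.db
      policies:
        definitions_path: ./default-policies
      logging:
        level: info
        format: json
    router:
      # Wildcard virtual host: the router answers for any Host header.
      gateway_host: "*"
      listener_port: 8080
      https_enabled: true
      https_port: 8443
      tracing_service_name: router
      access_logs:
        enabled: true
        # "text" uses text_format below; json_fields applies to the json format.
        format: text
        json_fields:
          t: "%START_TIME%"
          meth: "%REQ(:METHOD)%"
          path: "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%"
          proto: "%PROTOCOL%"
          respCd: "%RESPONSE_CODE%"
          respFlg: "%RESPONSE_FLAGS%"
          bytesRx: "%BYTES_RECEIVED%"
          bytesTx: "%BYTES_SENT%"
          dur: "%DURATION%"
          upSvcT: "%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%"
          xff: "%REQ(X-FORWARDED-FOR)%"
          ua: "%REQ(USER-AGENT)%"
          reqId: "%REQ(X-REQUEST-ID)%"
          host: "%REQ(:AUTHORITY)%"
          upHost: "%UPSTREAM_HOST%"
          upProto: "%UPSTREAM_PROTOCOL%"
          upPath: "%REQ(:PATH)%"
          respCdDtl: "%RESPONSE_CODE_DETAILS%"
          connTrmDtl: "%CONNECTION_TERMINATION_DETAILS%"
          reqTxDur: "%REQUEST_TX_DURATION%"
          respTxDur: "%RESPONSE_TX_DURATION%"
          reqDur: "%REQUEST_DURATION%"
          respDur: "%RESPONSE_DURATION%"
        text_format: |
          [%START_TIME%] "%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%" %REQ(:PATH)% %UPSTREAM_PROTOCOL% %RESPONSE_CODE% %RESPONSE_FLAGS% %RESPONSE_CODE_DETAILS% %CONNECTION_TERMINATION_DETAILS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %REQUEST_TX_DURATION% %RESPONSE_TX_DURATION% %REQUEST_DURATION% %RESPONSE_DURATION% "%REQ(X-FORWARDED-FOR)%" "%REQ(USER-AGENT)%" "%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%"
      # Listener (downstream) TLS.
      downstream_tls:
        cert_path: "./listener-certs/default-listener.crt"
        key_path: "./listener-certs/default-listener.key"
        minimum_protocol_version: TLS1_2
        maximum_protocol_version: TLS1_3
        # The list includes non-AEAD CBC/SHA1 suites (the *-AES128-SHA / *-AES256-SHA
        # entries) for client compatibility; trim to the GCM suites where clients allow.
        ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,AES128-GCM-SHA256,AES128-SHA,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,AES256-GCM-SHA384,AES256-SHA"
      # Router -> policy-engine (external processing) connection.
      policy_engine:
        mode: uds
        host: ""
        port: 9001
        timeout_ms: 60000
        # false = fail closed: requests are rejected when the policy engine cannot
        # be reached (presumably mirrors Envoy ext_proc failure_mode_allow — confirm).
        failure_mode_allow: false
        route_cache_action: RETAIN
        allow_mode_override: true
        message_timeout_ms: 60000
        tls:
          enabled: false
          cert_path: ""
          key_path: ""
          ca_path: ""
          server_name: ""
          # Keep false: true disables certificate verification of the policy engine.
          skip_verify: false
      # Router -> backend (upstream) settings.
      upstream:
        tls:
          minimum_protocol_version: TLS1_2
          maximum_protocol_version: TLS1_3
          ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,AES128-GCM-SHA256,AES128-SHA,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,AES256-GCM-SHA384,AES256-SHA"
          trusted_cert_path: /etc/ssl/certs/ca-certificates.crt
          # Extra CA bundle directory (see controller.upstreamCerts for how it is populated).
          custom_certs_path: ./certificates
          # Keep hostname verification on and SSL verification enabled in production.
          verify_host_name: true
          disable_ssl_verification: false
        timeouts:
          route_timeout_ms: 60000
          route_idle_timeout_ms: 300000
          connect_timeout_ms: 5000
    policy_engine:
      server:
        extproc_port: 9001
      admin:
        enabled: true
        port: 9002
        # Admin API is limited to loopback; widen this allowlist deliberately and
        # pair it with network-level controls if the port is published.
        allowed_ips:
          - "127.0.0.1"
          - "::1"
      config_mode:
        mode: xds
        xds:
          connect_timeout: 10s
          request_timeout: 5s
          initial_reconnect_delay: 1s
          max_reconnect_delay: 60s
          tls:
            enabled: false
            cert_path: ""
            key_path: ""
            ca_path: ""
        file_config:
          path: ""
      logging:
        level: info
        format: json
      immutable_gateway:
        enabled: false
        artifacts_dir: "/etc/api-platform-gateway/immutable_gateway/artifacts"
    # Raw TOML appended to generated config.toml (see gateway chart values.yaml)
    config_toml: ""
    # Metadata for the generated shared ConfigMap (annotations / labels)
    configMap:
      annotations: {}
      labels: {}
  controller:
    image:
      repository: ghcr.io/wso2/api-platform/gateway-controller
      tag: "1.0.0"
      pullPolicy: Always
    imagePullSecrets: []
    service:
      type: ClusterIP
      annotations: {}
      labels: {}
      ports:
        rest: 9090
        xds: 18000
        policy: 18001
        admin: 9092
        metrics: 9091
    controlPlane:
      # Local-development default (Docker Desktop host alias); override per environment.
      host: host.docker.internal
      port: 8443
      token:
        # Prefer secretName/key over an inline value so the token stays out of
        # version control.
        value: ""
        secretName: ""
        key: token
    # TLS certificate configuration for downstream (listener) HTTPS
    tls:
      # Enable TLS certificate management
      enabled: true
      # Certificate provisioning method: "cert-manager", "secret", or "none"
      # - cert-manager: Use cert-manager to automatically provision certificates
      # - secret: Use an existing Kubernetes secret containing tls.crt and tls.key
      # - none: No TLS configuration (certificates must be provided manually)
      certificateProvider: cert-manager
      # cert-manager configuration (used when certificateProvider=cert-manager)
      certManager:
        # Create a Certificate resource
        create: true
        # Create a self-signed Issuer (only if issuerRef.name is selfsigned-issuer)
        # Set to false if you want to create your own Issuer manually
        createIssuer: true
        # Issuer reference for cert-manager. The self-signed default suits local
        # development only; point production at a trusted Issuer/ClusterIssuer.
        issuerRef:
          name: selfsigned-issuer
          # Use "Issuer" for namespace-scoped issuer (recommended)
          # Use "ClusterIssuer" for cluster-wide issuer
          kind: Issuer
          # group: cert-manager.io  # Optional, defaults to cert-manager.io
        # Certificate common name
        commonName: localhost
        # DNS names for the certificate
        dnsNames:
          - localhost
          - "*.localhost"
        # Certificate duration (default: 2160h = 90 days)
        duration: 2160h
        # Certificate renewal time (default: 720h = 30 days before expiry)
        renewBefore: 720h
      # Secret configuration (used when certificateProvider=secret)
      secret:
        # Name of existing secret containing tls.crt and tls.key
        name: gateway-tls
        # Key names in the secret
        certKey: tls.crt
        keyKey: tls.key
    # Upstream certificate configuration for backend TLS verification
    upstreamCerts:
      # Enable custom upstream certificates
      enabled: false
      # Existing secret containing custom CA certificates
      # Secret should contain one or more keys with PEM-encoded certificates
      secretName: ""
      # Existing ConfigMap containing custom CA certificates
      # ConfigMap should contain one or more keys with PEM-encoded certificates
      configMapName: ""
    # AES-GCM encryption keys mounted from an existing Secret.
    encryptionKeys:
      enabled: false
      secretName: ""
      mountPath: /app/data/aesgcm-keys
    logging:
      level: info
    storage:
      type: sqlite
      sqlitePath: ./data/gateway.db
    metrics:
      port: 9091
    persistence:
      enabled: true
      existingClaim: ""
      accessModes:
        - ReadWriteOnce
      size: 100Mi
      storageClass: ""
    deployment:
      enabled: true
      replicaCount: 1
      volumeMountPath: /app/data
      extraEnv: []
      extraEnvFrom: []
      env:
        xdsServerAddress: ""
      extraVolumeMounts: []
      extraVolumes: []
      labels: {}
      annotations: {}
      podAnnotations: {}
      podLabels: {}
      priorityClassName: ""
      # Probes hit /health on the named "admin" service port (9092).
      livenessProbe:
        httpGet:
          path: /health
          port: admin
        initialDelaySeconds: 10
        periodSeconds: 10
        timeoutSeconds: 5
        failureThreshold: 3
      readinessProbe:
        httpGet:
          path: /health
          port: admin
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 3
        failureThreshold: 3
      # Resource limits and requests
      # Uncomment and adjust based on your workload
      resources: {}
      #   limits:
      #     cpu: 500m
      #     memory: 512Mi
      #   requests:
      #     cpu: 250m
      #     memory: 256Mi
      # Both security contexts are empty by default. Once verified against the image
      # (user id, writable paths), consider runAsNonRoot, readOnlyRootFilesystem,
      # allowPrivilegeEscalation: false and dropping all capabilities.
      podSecurityContext: {}
      securityContext: {}
      nodeSelector: {}
      tolerations: []
      affinity: {}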
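# Unified gateway-runtime (Envoy + policy-engine). Required for operator Helm merges.
# NOTE(review): nesting reconstructed from an indentation-stripped copy; verify against
# the chart's values.yaml. The original header stated that this block exists because the
# chart's default health-check.sh liveness probe (Envoy /ready) often fails until CDS
# completes and causes ~1min restart loops under operator deploys — yet the probes
# below still use the exec health-check.sh handler, only with a longer
# initialDelaySeconds. Confirm which probe is intended; only one probe handler
# survives Helm coalesce, so an httpGet probe requires nulling the exec one first.
gatewayRuntime:
  image:
    repository: ghcr.io/wso2/api-platform/gateway-runtime
    tag: "1.0.0"
    pullPolicy: Always
  imagePullSecrets: []
  service:
    # A LoadBalancer Service presumably publishes every port listed below, including
    # the Envoy admin and policy-engine admin/metrics ports; keep those off the
    # external Service (separate ClusterIP Service or NetworkPolicy) in shared clusters.
    type: LoadBalancer
    annotations: {}
    labels: {}
    ports:
      http: 8080
      https: 8443
      envoyAdmin: 9901
      policyEngineAdmin: 9002
      policyEngineMetrics: 9003
  deployment:
    enabled: true
    replicaCount: 1
    env:
      gatewayControllerHost: ""
      logLevel: info
      # API key; keep empty in version control and inject it via extraEnvFrom from a Secret.
      moesifKey: ""
    extraEnv: []
    extraEnvFrom: []
    extraVolumeMounts: []
    extraVolumes: []
    labels: {}
    annotations: {}
    podAnnotations: {}
    podLabels: {}
    priorityClassName: ""
    # Setting a probe to null removes the chart's default exec probe after Helm
    # coalesce (only one probe handler is allowed per probe).
    livenessProbe:
      exec:
        command: ["health-check.sh"]
      initialDelaySeconds: 30
      periodSeconds: 10
      timeoutSeconds: 5
      failureThreshold: 3
    readinessProbe:
      exec:
        command: ["health-check.sh"]
      initialDelaySeconds: 10
      periodSeconds: 5
      timeoutSeconds: 3
      failureThreshold: 6
    # Resource limits and requests; uncomment and adjust based on your workload.
    resources: {}
    #   limits:
    #     cpu: 500m
    #     memory: 512Mi
    #   requests:
    #     cpu: 250m
    #     memory: 256Mi
    # Both security contexts are empty by default. Once verified against the image,
    # consider runAsNonRoot, readOnlyRootFilesystem, allowPrivilegeEscalation: false
    # and dropping all capabilities (Envoy binds 8080/8443, so no privileged ports).
    podSecurityContext: {}
    securityContext: {}
    nodeSelector: {}
    tolerations: []
    affinity: {}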