Merged
16 changes: 16 additions & 0 deletions kubernetes/gateway-operator/config/gateway_values.yaml
@@ -28,6 +28,18 @@ gateway:
xds_port: 18000
shutdown_timeout: 15s
gateway_id: "platform-gateway-id"
controlplane:
insecure_skip_verify: false
reconnect_initial: 1s
reconnect_max: 5m
polling_interval: 15m
deployment_push_enabled: false
sync_batch_size: 50
gateway_name: ""
apim_oauth2_client_id: ""
apim_oauth2_client_secret: ""
apim_oauth2_username: ""
apim_oauth2_password: ""
policy_server:
port: 18001
tls:
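Review bot: the four new `apim_oauth2_*` keys at the end of the `controlplane` block mix secret-bearing values (`apim_oauth2_client_secret`, `apim_oauth2_password`) with non-sensitive ones (`gateway_name`, `apim_oauth2_client_id`) and nothing in the hunk marks the difference; add a comment naming the two keys as sensitive, and state what the gateway does when both the client-credentials pair and the username/password pair are populated (which one wins, or that the combination is rejected), since the defaults of `""` make it easy to set both.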
@@ -140,6 +152,10 @@ gateway:
level: info
format: json

immutable_gateway:
enabled: false
artifacts_dir: "/etc/api-platform-gateway/immutable_gateway/artifacts"

# Raw TOML appended to generated config.toml (see gateway chart values.yaml)
config_toml: ""
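Review bot: the new `immutable_gateway` block has no explanatory comment, unlike `config_toml` directly below it; mirror the wording used for the same keys in the Helm chart values (`# Static API artifacts bundled with the gateway (see docs/gateway/immutable-gateway.md)`) so both files document `enabled` and `artifacts_dir` consistently.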

@@ -48,6 +48,11 @@ data:
polling_interval = {{ $gc.controlplane.polling_interval | quote }}
deployment_push_enabled = {{ $gc.controlplane.deployment_push_enabled }}
sync_batch_size = {{ $gc.controlplane.sync_batch_size }}
gateway_name = {{ $gc.controlplane.gateway_name | quote }}
apim_oauth2_client_id = {{ $gc.controlplane.apim_oauth2_client_id | quote }}
apim_oauth2_client_secret = {{ $gc.controlplane.apim_oauth2_client_secret | quote }}
apim_oauth2_username = {{ $gc.controlplane.apim_oauth2_username | quote }}
apim_oauth2_password = {{ $gc.controlplane.apim_oauth2_password | quote }}
Comment on lines +52 to +55
⚠️ Potential issue | 🟠 Major

Move OAuth2 secret material out of ConfigMap data.

Line 53 and Line 55 render secret values directly into config.toml inside a ConfigMap. Please source apim_oauth2_client_secret and apim_oauth2_password from a Kubernetes Secret (or secret-backed env/file) and keep only non-sensitive fields in this ConfigMap.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@kubernetes/helm/gateway-helm-chart/templates/gateway/gateway-config.yaml`
around lines 52 - 55, the ConfigMap template is embedding sensitive values
apim_oauth2_client_secret and apim_oauth2_password directly into
gateway-config.toml; remove those two keys from the ConfigMap and instead read
them from a Kubernetes Secret (e.g., create a Secret with keys
apim_oauth2_client_secret and apim_oauth2_password) and wire them into the
gateway pod via secretKeyRef or by mounting the secret as a file so the gateway
reads them at runtime; keep non-sensitive fields like apim_oauth2_client_id and
apim_oauth2_username in the ConfigMap and update the Deployment/StatefulSet
template to inject the secret values into the process environment or file path
the app expects.


{{- range $gc.encryption.providers }}
[[controller.encryption.providers]]
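Review bot: the five added lines are rendered unconditionally, so with the chart defaults every generated config.toml contains `apim_oauth2_client_secret = ""` and `apim_oauth2_password = ""` alongside an empty `gateway_name`; the gateway therefore has to treat an empty string as "not configured" rather than as an empty credential, and because both the client-credentials pair and the username/password pair are always emitted, the precedence between them should be documented or each pair wrapped in its own `{{- if }}` guard, the way the `immutable_gateway` table further down is guarded.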
@@ -228,6 +233,12 @@ data:
{{ dict "policy_configurations" .Values.gateway.config.policy_configurations | toToml | indent 4 }}
{{- end }}

{{- if .Values.gateway.config.immutable_gateway }}
[immutable_gateway]
enabled = {{ .Values.gateway.config.immutable_gateway.enabled }}
artifacts_dir = {{ .Values.gateway.config.immutable_gateway.artifacts_dir | quote }}
{{- end }}

{{- if .Values.gateway.config_toml }}
{{ .Values.gateway.config_toml | indent 4 }}
{{- end }}
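Review bot: the guard `{{- if .Values.gateway.config.immutable_gateway }}` tests whether the map exists, not whether `.enabled` is true; since the chart's values.yaml ships the map with `enabled: false`, the `[immutable_gateway]` table is emitted on every render and the guard only matters if a user nulls the key out. If the intent is to omit the table when the feature is off, guard on `.Values.gateway.config.immutable_gateway.enabled` instead; if always emitting it is intended, a short comment above the block would save the next reader the same question.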
16 changes: 16 additions & 0 deletions kubernetes/helm/gateway-helm-chart/values.yaml
@@ -110,6 +110,17 @@ gateway:
# Number of deployments to fetch per batch during startup sync
sync_batch_size: 50

# Friendly name shown for this gateway in the APIM control plane
gateway_name: ""

# OAuth2 Option 1: Client Credentials flow
apim_oauth2_client_id: ""
apim_oauth2_client_secret: ""

# OAuth2 Option 2: Resource Owner Password Credentials flow
apim_oauth2_username: ""
apim_oauth2_password: ""

# Encryption provider configuration for secret management.
# File paths must match the mount path set in gateway.controller.encryptionKeys.mountPath.
encryption:
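Review bot: the `OAuth2 Option 1` / `OAuth2 Option 2` comments do not say whether the two flows are mutually exclusive or which is used when both pairs are set, and they do not warn that `apim_oauth2_client_secret` and `apim_oauth2_password` are rendered into the gateway ConfigMap by the template in this PR; extend the comments to state the precedence and to direct users to supply the two secret values from a Kubernetes Secret rather than committing them in values.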
@@ -318,6 +329,11 @@ gateway:
# Log format: json, text
format: json

# Static API artifacts bundled with the gateway (see docs/gateway/immutable-gateway.md)
immutable_gateway:
enabled: false
artifacts_dir: "/etc/api-platform-gateway/immutable_gateway/artifacts"

# Raw TOML string to append to the generated config.toml
# Use this for additional configuration not covered by the structured values above
# Example:
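Review bot: the comment on the new `immutable_gateway` block points readers at `docs/gateway/immutable-gateway.md`; confirm that file is added in this PR or already exists so the reference does not dangle, and consider stating in the comment what `artifacts_dir` must contain when `enabled` is switched to `true`.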
37 changes: 37 additions & 0 deletions kubernetes/helm/operator-helm-chart/values.yaml
@@ -169,6 +169,38 @@ gateway:
# Directory containing policy definitions
definitions_path: ./default-policies

# Control plane connection configuration
# Note: host and token are set via gateway.controller.controlPlane and rendered as env vars in the deployment.
controlplane:
# Skip TLS certificate verification for the control plane connection (insecure, dev/test only)
insecure_skip_verify: false

# Initial delay before retrying a failed control plane connection
reconnect_initial: 1s

# Maximum delay between reconnection attempts (exponential backoff cap)
reconnect_max: 5m

# How often to reconcile state with the control plane
polling_interval: 15m

# Push API deployment events to the control plane
deployment_push_enabled: false

# Number of deployments to fetch per batch during startup sync
sync_batch_size: 50

# Friendly name shown for this gateway in the APIM control plane
gateway_name: ""

# OAuth2 Option 1: Client Credentials flow
apim_oauth2_client_id: ""
apim_oauth2_client_secret: ""

# OAuth2 Option 2: Resource Owner Password Credentials flow
apim_oauth2_username: ""
apim_oauth2_password: ""
Comment on lines +196 to +202
⚠️ Potential issue | 🟠 Major

Move APIM OAuth2 secret inputs to Secret references instead of inline values.

Line 198 and Line 202 introduce direct credential value fields (apim_oauth2_client_secret, apim_oauth2_password). Please switch to SecretRef-style inputs (secretName/key) and render them from Secret-backed env vars to avoid storing sensitive values in chart values/config outputs.

Suggested schema direction
             apim_oauth2_client_id: ""
-            apim_oauth2_client_secret: ""
+            apim_oauth2_client_secret: "" # deprecated fallback
+            apim_oauth2_client_secret_from:
+              secretName: ""
+              key: client-secret

             # OAuth2 Option 2: Resource Owner Password Credentials flow
             apim_oauth2_username: ""
-            apim_oauth2_password: ""
+            apim_oauth2_password: "" # deprecated fallback
+            apim_oauth2_password_from:
+              secretName: ""
+              key: password

As per coding guidelines, "Provide concise, actionable feedback focused on correctness and best practices... Use neutral, high-level language and validate safety without exposing sensitive context."

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@kubernetes/helm/operator-helm-chart/values.yaml` around lines 196 - 202, the
values file currently exposes credentials via apim_oauth2_client_secret and
apim_oauth2_password; change these two scalar fields into SecretRef objects
(e.g., apim_oauth2_client_secret: { secretName: "", key: "" } and
apim_oauth2_password: { secretName: "", key: "" }) alongside the existing
apim_oauth2_client_id and apim_oauth2_username, and update the chart templates
that consume apim_oauth2_client_secret and apim_oauth2_password to use
Kubernetes Secret-backed env vars (valueFrom.secretKeyRef or envFrom.secretRef)
instead of rendering the raw values so secrets are sourced from Secret resources
rather than stored inline in values.yaml.


# Logging configuration
logging:
# Log level: "debug", "info", "warn", or "error"
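Review bot: the header comment on the new `controlplane` block says `host` and `token` are set via `gateway.controller.controlPlane` and rendered as env vars, so after this change the operator carries two credential paths to the control plane (a static token, and OAuth2 via the inline `apim_oauth2_*` fields) without saying how they relate; state whether OAuth2 replaces the token when configured or is tried alongside it, and since an env-var path already exists for the token, routing `apim_oauth2_client_secret` and `apim_oauth2_password` the same way would keep them out of the rendered config outputs.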
@@ -367,6 +399,11 @@ gateway:
# Log format: json, text
format: json

# Static API artifacts bundled with the gateway (see docs/gateway/immutable-gateway.md)
immutable_gateway:
enabled: false
artifacts_dir: "/etc/api-platform-gateway/immutable_gateway/artifacts"

policy_configurations: {}

# metadata for the generated shared ConfigMap (annotations / labels)
@@ -14,6 +14,16 @@ data:
controlplane:
# Skip TLS certificate verification for the control plane connection (insecure, dev/test only)
insecure_skip_verify: true
gateway_name: ""
# OAuth2 Option 1: Client Credentials flow
apim_oauth2_client_id: ""
apim_oauth2_client_secret: ""
# OAuth2 Option 2: Resource Owner Password Credentials flow
apim_oauth2_username: ""
apim_oauth2_password: ""
immutable_gateway:
enabled: false
artifacts_dir: "/etc/api-platform-gateway/immutable_gateway/artifacts"
controller:
controlPlane:
host: host.docker.internal:9444
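Review bot: this sample config already has `insecure_skip_verify: true` as a context line and now gains empty `apim_oauth2_client_secret` / `apim_oauth2_password` placeholders directly beneath it; a sample that disables TLS verification is exactly where a copied-in real credential does the most damage, so add a comment that these placeholders are for local development only and that real values belong in a Secret. The same block is repeated verbatim in the next file, so the comment should be carried into both.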
@@ -14,6 +14,16 @@ data:
controlplane:
# Skip TLS certificate verification for the control plane connection (insecure, dev/test only)
insecure_skip_verify: true
gateway_name: ""
# OAuth2 Option 1: Client Credentials flow
apim_oauth2_client_id: ""
apim_oauth2_client_secret: ""
# OAuth2 Option 2: Resource Owner Password Credentials flow
apim_oauth2_username: ""
apim_oauth2_password: ""
immutable_gateway:
enabled: false
artifacts_dir: "/etc/api-platform-gateway/immutable_gateway/artifacts"
controller:
controlPlane:
host: host.docker.internal:9444