Merge pull request #324 from CAAPIM/gateway_111

[charts/gateway] gateway v11.1.1 updates
CAAPIM · Aug 6, 2024 · aa9c12d · aa9c12d
2 parents a5bf45c + 6159c04
commit aa9c12d
Show file tree

Hide file tree

Showing 13 changed files with 985 additions and 462 deletions.
diff --git a/charts/gateway/Chart.yaml b/charts/gateway/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
-appVersion: "11.1.00"
+appVersion: "11.1.1"
 description: This Helm Chart deploys the Layer7 Gateway in Kubernetes.
 name: gateway
-version: 3.0.29
+version: 3.0.30
 type: application
 home: https://github.com/CAAPIM/apim-charts
 maintainers:

diff --git a/charts/gateway/README.md b/charts/gateway/README.md
diff --git a/charts/gateway/production-values.yaml b/charts/gateway/production-values.yaml
@@ -9,10 +9,23 @@ license:
   accept: false
   # existingSecretName: ssg-license
 
+# Diskless Configuration modes for the Gateway
+disklessConfig:
+  # true - environment variables are used for gateway configuration
+  # false - node.properties is used for gateway configuration
+  enabled: true
+  existingSecret: {}
+  #   name: gateway-secret
+  #   csi:
+  #      driver: secrets-store.csi.k8s.io
+  #      readOnly: true
+  #      volumeAttributes:
+  #        secretProviderClass: "secret-provider-class-name"
+
 image:
   registry: docker.io
   repository: caapim/gateway
-  tag: 11.1.00
+  tag: 11.1.1
   pullPolicy: IfNotPresent
 
 # If you are using a Hazelcast 3.x server then you need to set hazelcast.legacy.enabled=true
@@ -169,6 +182,10 @@ config:
   # Heap Size should be a percentage of the memory configured in resource limits
   # by default it is 50% - you should not go above 75%
   heapSize: "2g"
+  # Gateway v11.1.1 provides min and max heap size options
+  # If you are using an earlier version of the Gateway, these will be ignored.
+  # minHeapSize: "1g"
+  # maxHeapSize: "3g"
   javaArgs:
     - -Dcom.l7tech.bootstrap.autoTrustSslKey=trustAnchor,TrustedFor.SSL,TrustedFor.SAML_ISSUER
     - -Dcom.l7tech.server.audit.message.saveToInternal=false
@@ -235,7 +252,7 @@ config:
     com.l7tech.server.extension.sharedClusterInfoProvider=ssgdb
     # By default, FIPS module will block an RSA modulus from being used for encryption if it has been used for
     # signing, or visa-versa. Set true to disable this default behaviour and remain backwards compatible.
-    com.safelogic.cryptocomply.rsa.allow_multi_use=true
+    com.l7tech.org.bouncycastle.rsa.allow_multi_use=true
     # Specifies the type of Trust Store (JKS/PKCS12) provided by AdoptOpenJDK that is used by Gateway.
     # Must be set correctly when Gateway is running in FIPS mode. If not specified it will default to PKCS12.
     javax.net.ssl.trustStoreType=jks
@@ -245,6 +262,9 @@ config:
     # com.l7tech.server.extension.sharedKeyValueStoreProvider=redis
     # com.l7tech.server.extension.sharedCounterProvider=redis
     # com.l7tech.server.extension.sharedRateLimiterProvider=redis
+    # Shared state provider preview settings
+    # com.l7tech.external.assertions.keyvaluestore.sharedKeyValueStoreProvider=redis
+    # com.l7tech.external.assertions.keyvaluestore.storeIdList=GW_STORE_ID
     # If you would like to use the built in OpenTelemetry SDK uncomment and set the following configuration
     # otel.sdk.disabled=false
     # otel.java.global-autoconfigure.enabled=true
@@ -396,8 +416,10 @@ config:
           enabled: false
   redis:
     # enable or disable redis integration
-    # please uncomment the 3 redis properties in config.systemProperties
+    # please uncomment the 5 redis properties in config.systemProperties
+    # view more configurable system properties here - https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/policy-assertions/assertion-palette/service-availability-assertions/key-value-storage-assertions.html#_c8b71b7b-dd84-4ee6-9771-d0bc262c36e9_sys_prop_configs
     # Redis client properties for configuring Redis Standalone or Redis Sentinel connections
+    # This configuration is parsed into redis.default in sharedstate_client.yaml
     enabled: false
     # We recommend using an existing secret for Redis configuration in production environments
     # for separation of concerns and to better secure Redis client property secrets.
@@ -406,6 +428,8 @@ config:
     # To configure the Redis client directly in this values file uncomment and/or set the following client properties
     groupName: l7GW
     commandTimeout: 5000
+    connectTimeout: 10000
+    testOnStart: false
     # The Gateway supports Redis master auth only.
     # If trying out auth using the subChart redis.auth.enabled should be true, and redis.auth.sentinel should be false (default)
     # If redis.auth.sentinel is enabled in the redis subChart or on your External Redis Sentinel Deployment, the Gateway will fail to start.
@@ -423,9 +447,12 @@ config:
       masterSet: mymaster
       # If the subChart is not enabled sentinel nodes need to be set
       nodes:
-      - <host>:<port>
-      - <host>:<port>
-      - <host>:<port>
+      - host: <host>
+        port: <port>
+      - host: <host>
+        port: <port>
+      - host: <host>
+        port: <port>
     standalone: {}
     #  host: redis-standalone
     #  port: 6379
@@ -445,7 +472,43 @@ config:
       # changes will be required
       # Using Redis as a subChart is not recommended in production, please use your own Redis for this integration.
       enabled: false
-
+    additionalProviders: []
+    # - name: myRegionalRedisInstance1
+    #   redis:
+    #     tls:
+    #       existingSecret: myRegionalRedisCertSecret1
+    #       key: redis.crt
+    #       # path must match ssl.cert in your provider config
+    #       path: myRegionalRedisCert.crt
+    #   config: {}
+    #   config:
+    #     regional:
+    #       type: sentinel
+    #       keyPrefixGroupName: test
+    #       username: abc
+    #       password: "def"
+    #       commandTimeout: 5000
+    #       connectTimeout: 10000
+    #       testOnStart: false
+    #       ssl:
+    #         enabled: true
+    #         cert: myRegionalRedisCert.crt
+    #         verifyPeer: false
+    #       sentinel:
+    #         master: mymaster
+    #         nodes:
+    #         - host: 127.0.0.1
+    #           port: 26379
+    #         - host: 192.168.0.1
+    #           port: 26379
+
+  # In Gateway v11.1.1 shared state providers like redis (redis only currently) can be configured in a yaml file.
+  sharedStateClient:
+    enabled: true
+  # If you are using an existingConfigSecret for more than one shared state client that requires a tls cert, please use the customConfig section to mount
+  # existingConfigSecret: shared-state-client-secret
+  # reserved for future use
+    additionalProviders: []
 
 ## Reference an existing secret for sensitive Gateway fields
 ## Note that additionalSecret will no longer take effect when existingGatewaySecret is set.
@@ -474,6 +537,10 @@ database:
   # Configurable, update the mysql.auth.<settings> if you change this and would like to use the demo database server.
   username: gateway
   password: mypassword
+  # Liquibase log level can be set to one of the following.
+  # This configuration is only valid from Gateway v11.1.1 onwards.
+  # severe/warning/info/fine(debug)/off
+  liquibaseLogLevel: "off"
   name: ssg
 
 ## If loading a TLS Key/Pair
@@ -941,7 +1008,6 @@ startupProbe:
   successThreshold: 1
   failureThreshold: 15
 
-
 livenessProbe:
   enabled: true
   type: command