diff --git a/charts/gateway/Chart.yaml b/charts/gateway/Chart.yaml
index 05d2acc2..3ae086fb 100644
--- a/charts/gateway/Chart.yaml
+++ b/charts/gateway/Chart.yaml
@@ -1,8 +1,8 @@
apiVersion: v2
-appVersion: "11.1.00"
+appVersion: "11.1.1"
description: This Helm Chart deploys the Layer7 Gateway in Kubernetes.
name: gateway
-version: 3.0.29
+version: 3.0.30
type: application
home: https://github.com/CAAPIM/apim-charts
maintainers:
diff --git a/charts/gateway/README.md b/charts/gateway/README.md
index cf912afd..c7e6cbd9 100644
--- a/charts/gateway/README.md
+++ b/charts/gateway/README.md
@@ -4,6 +4,10 @@ This Chart deploys the API Gateway v10.x onward with the following `optional` su
### Important Note
The included MySQL subChart is enabled by default to make trying this chart out easier. ***It is not supported or recommended for production.*** Layer7 assumes that you are deploying a Gateway solution to a Kubernetes environment with an external MySQL database.
+## Release notes
+- Current Chart Version 3.0.30
+ - Please review release notes [here](./release-notes.md)
+
## Prerequisites
- Kubernetes
- [Refer to techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw-11-0/release-notes_cgw/requirements-and-compatibility.html#concept.dita_req_comp_refresh_gw10cr2_platforms) for the latest version support
@@ -62,17 +66,21 @@ Helm Version Supported Kubernetes Versions
* [Uninstall the Chart](#uninstalling-the-chart)
## Additional Guides
+* [Configuration](#configuration)
* [Service Configuration](#port-configuration)
* [Gateway Application Ports](#gateway-application-ports)
+* [OTK Install or Upgrade](#otk-install-or-upgrade)
* [Ingress Configuration](#ingress-configuration)
* [PM Tagger Configuration](#pm-tagger-configuration)
+* [Shared State Preview Features](#shared-state-preview-features)
* [Redis Configuration](#redis-configuration)
+* [Shared State Provider Configuration](#shared-state-provider-config)
* [OpenTelemetry Configuration](#opentelemetry-configuration)
-* [OTK Install or Upgrade](#otk-install-or-upgrade)
* [Database Configuration](#database-configuration)
* [Cluster-Wide Properties](#cluster-wide-properties)
* [Java Args](#java-args)
* [System Properties](#system-properties)
+* [Diskless Configuration](#diskless-configuration)
* [Gateway Bundles](#bundle-configuration)
* [Bootstrap Script](#bootstrap-script)
* [Custom Health Checks](#custom-health-checks)
@@ -85,325 +93,7 @@ Helm Version Supported Kubernetes Versions
* [Service Metrics Demo](#service-metrics-demo)
* [SubChart Configuration](#subchart-configuration)
-# Java 17
-The Layer7 API Gateway is now running with Java 17 with the release of v11.1.00.
-
-If you use Policy Manager, you will need to update to v11.1.00.
-
-# Java 11
-The Layer7 API Gateway is now running with Java 11 with the release of the v10.1.00. The Gateway chart's version has been incremented to 2.0.2.
-
-Things to note and be aware of are the deprecation of TLSv1.0/TLSv1.1 and the JAVA_HOME dir has gone through some changes as well.
-
-## 3.0.29 OTK 4.6.3 Released
-- The default image tag in values.yaml and production-values.yaml for OTK updated to **4.6.3**.
- - otk.job.image.tag: 4.6.3
-- Liquibase version has been upgraded to 4.12.0 to enable offline Liquibase schema support for OTK Helm charts.
-- UTFMB4 Character Set Support for MySQL.
-- Fixed backward compatibility issue related to bootstrap director location for pre 4.6.2 OTK versions
- - For versions older than OTK 4.6.2, in values.yaml manually add a new parameter otk.bootstrapDir with value "." indicating current directory
-
-## 3.0.28 General Updates
-- Added a [Startup probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) for the Gateway Container.
- - Disabled by default
-
-## 3.0.27 General Updates
-- Default image updated to v11.1.00
- - Due to conflicting embedded Hazelcast versions between Gateway 10.x and 11.1, and between 11.0 and 11.1, a rolling update cannot be performed when upgrading to version 11.1 GA. Instead, follow the alternative steps:
- - Scale down your containers to zero.
- - Update the image tag to the target version (e.g., 11.1.00)
- - Scale up your containers back to their original state.
- - Hazelcast versions have not changed between 11.0 CR1/CR2 and 11.1 GA, rolling updates are supported between these Gateway versions.
-- Added preview support for [OpenTelemetry](https://opentelemetry.io/)
- - Please see [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/11-1/install-configure-upgrade/configuring-opentelemetry-for-the-gateway.html) for more details about this integration
- - Preview feature (only available on Gateway v11.1.00)
- - An integration example is available [here](https://github.com/Layer7-Community/Integrations/tree/main/grafana-stack-prometheus-otel) that details how to deploy and configure an observability backend to use with the Gateway
- - OpenTelemetry is supported by [numerous vendors](https://opentelemetry.io/ecosystem/vendors/)
- - You are ***not required*** to use the observability stack that we provide as an example.
- - The observability stack that we provide ***is not*** production ready and should be used solely as an example or reference point.
- - [OpenTelemetry Configuration](#opentelemetry-configuration)
-- Redis standalone now supports TLS and Password auth (only available on Gateway v11.1.00)
- - see [Redis configuration](#redis-configuration)
-- Cipher Suites in [Gateway Application Ports](#gateway-application-ports) have been updated to reflect updates in Gateway v11.1.00. Please refer to [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/11-1/release-notes.html#concept.dita_ea0082004fb8c78a1723b9377f592085674b7ef7_jdk17) for more details. This configuration is ***disabled by default.***
-
-## 3.0.26 General Updates
-- Commented out Nginx specific annotations in the ingress configuration
- - If you are using an Nginx ingress controller you will need to add or uncomment the following annotation manually
- - nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
- - [production-values.yaml](https://github.com/CAAPIM/apim-charts/blob/stable/charts/gateway/production-values.yaml#L792) sets this if you would like to use that as a starting point.
-- Upgraded Hazelcast SubChart and set default image to latest versions.
-- Added Gateway [Pod Disruption Budget](#pod-disruption-budgets)
-
-## 3.0.25 OTK Schedule job success and failure limts
-- Added configurable success and failure job history limit for OTK database maintenance schedule jobs.
-
-## 3.0.24 General Updates
-- Custom Volumes for initContainers and Sidecars
- - This allows configmaps/secrets to be mounted to initContainers and sideCars
- - customSideCarVolumes
- - customInitVolumes
-
-## 3.0.23 OTK 4.6.2_202402 Released
-- Updated OTK image version value
-
-## 3.0.22 General Updates
-- Updated Chart ci values
- - no impact
-
-## 3.0.21 General Updates
-- Updated [Redis Configuration](#redis-configuration)
- - More context added for creating your own redis properties file
- - More context added for Redis auth
- - note: the Gateway only supports Redis master auth
- - Removed comments from values.yaml
-- Added Graphman Bundle support to the bootstrap script
- - files that end in .json will be copied into the bootstrap folder
-
-
-## 3.0.20 General Updates
-- Updated image
- - Updated to Gateway 11.0.00_CR2
- - this will cause a restart if you are not overriding the default image
-
-## 3.0.19 General Updates
-- Updated image
- - Updated to Gateway 11.0.00_CR1
- - this will cause a restart if you are not overriding the default image
-- Redis Integration
- - [Redis Configuration](#redis-configuration) options for the Gateway (future use)
- - Added Redis SubChart
-- Ingress
- - Backend service is now more configurable allowing the management service to be exposed via ingress controller
- - ***this should only be done in environments where the ingress controller does not have a Public Address***
- - ingress.rules[n]backend can be set to "management"
-- Restart on config change
- - A new flag has been added to facilitate auto redeploy of Gateways when there is a config change
- - Applies to the default config map only
- - does not include config.cwp, config.listenPorts or the Gateway Secret
-- MySQL subChart updated
-- Grafana subChart updated
-
-
-## 3.0.18 General Updates
-- OTK documentation updates.
-
-## 3.0.17 OTK 4.6.2 Released
- - The default image tag in values.yaml and production-values.yaml for OTK updated to **4.6.2**.
- - otk.job.image.tag: 4.6.2
- - OTK DB install/upgrade using Liquibase scripts for MySql and Oracle.
- - otk.database.dbupgrade
- - OTK DB install/upgrade on the gateways MySQL container (MySQL subchart) - ***This is not supported or recommended for production use.***
- - otk.database.useDemodb
- - Install/upgrade OTK of type SINGLE on Ephemeral gateways using initContainer is now supported.
- - database.enabled: false
- - otk.type: SINGLE
- - Added OTK Connection properties to support c3p0 settings.
- - otk.database.connectionProperties
- - Added support OTK read-only connections for MySQL and Oracle.
- - otk.database.readOnlyConnection.*
- - Added support for OTK policies customization through config maps and secrets.
- - otk.customizations.existingBundle.enabled
- - OTK DMZ/Internal gateway certs can now be configured using values file.
- - otk.cert
-> [!Important]
-> - To upgrade OTK to 4.6.2 installed over gateway with demo db as database, update helm repo, perform helm delete and install.
-> - When upgrading OTK 4.6.2 on a db backed gateway, the gateway will restart as there is a change related to OTK health check bundle in gateway deployment. This can lead to failure of OTK upgrade. To circumvent this, please perform a helm upgrade `otk.healthCheckBundle.enabled` set to `false` and then upgrade to the 3.0.17.
-> ```
-> helm upgrade my-ssg --set-file "license.value=license.value=path/to/license.xml" --set "license.accept=true,otk.healthCheckBundle.enabled=false" layer7/gateway --version 3.0.16 -f ./values-production.yaml
-> helm upgrade my-ssg --set-file "license.value=license.value=path/to/license.xml" --set "license.accept=true" layer7/gateway --version 3.0.17 -f ./values-production.yaml
-> ```
-
-
-## 3.0.16 General Updates
-- Added resources to otk install job
- - otk.job.resources
-
-## 3.0.15 General Updates
-- Updated [bootstrap script](#bootstrap-script)
- - 'find' replaced with 'du'
-
-## 3.0.14 General Updates
-- Added pod labels and annotations to the otk-install job.
- - otk.job.podLabels
- - otk.job.podAnnotations
-
-## 3.0.13 General Updates
-- The OTK Install job now uses podSecurity and containerSecurity contexts if set.
-- Updated how pod labels and annotations are templated in deployment.yaml
-
-## 3.0.12 General Updates
-Traffic Policies for Gateway Services are now configurable. The Kubernetes default for these options is `Cluster` if left unset.
-- [Internal Traffic Policy](https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/#using-service-internal-traffic-policy)
-- [External Traffic Policy](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip)
-
-
-## 3.0.11 General Updates
-Updates to Gateway Container Lifecycle.
-- [A new preStop script has been added for graceful termination](#graceful-termination)
- - terminationGracePeriodSeconds must be greater than preStopScript.timeoutSeconds
-- Container Lifecycle can be overridden for custom exec/http calls
-
-## 3.0.10 General Updates
-Custom labels and annotations have been extended to all objects the Gateway Chart deploys. Pod Labels and annotations have been added to the Gateway and PM-Tagger deployments.
-
-- Additional Labels/Annotations apply to everything in this Chart's templates
-```
-# Additional Annotations apply to all deployed objects
-additionalAnnotations: {}
-
-# Additional Labels apply to all deployed objects
-additionalLabels: {}
-```
-
-- Pod Labels/Annotations at the base level apply to the Gateway Pod
-```
-## Pod Labels for the Gateway Pod
-## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
-podLabels: {}
-
-# Pod Annotations apply to the Gateway Pod
-## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
-podAnnotations: {}
-```
-
-- PM-Tagger pod labels/annotations are separate
-```
-pmtagger:
- ...
- ## Pod Labels for the PM Tagger Pod
- ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- podLabels: {}
-
- # Pod Annotations apply to the PM Tagger Pod
- ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- podAnnotations: {}
-```
-
-## 3.0.9 Updates to PM-Tagger
-PM tagger has following additional configuration options
-- [Topology Spread Constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/#spread-constraints-for-pods)
-- [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
-- [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)
-- [All PM-Tagger Configuration](#pm-tagger-configuration)
-
-## 3.0.8 Updates to Hazelcast
-The default image tag in values.yaml is updated to **5.2.1** and xsd version in configmap.yaml to **5.2**. The updates are due to vulnerability from CVE-2022-36437.
-The updates are applied to both the gateway and gateway-otk chart.
-
-## 3.0.7 General Updates
-The bootstrap script has been updated to reflect changes to the Container Gateway's filesystem. The updates are currently limited to 10.1.00_CR3. Please see the [InitContainer Examples](https://github.com/Layer7-Community/Utilities/tree/main/gateway-init-container-examples) for more info .
-
-The PM Tagger image default version tag been updated to 1.0.1.
-
-## 3.0.6 General Updates
-The default image tag in values.yaml and production-values.yaml for OTK updated to **4.6.1**. Support for liveness and readiness probes using OTK health check service.
-
-## 3.0.5 General Updates
-The default image tag in values.yaml and production-values.yaml, and the appVersion in Chart.yaml have been updated to **11.0.00**.
-
-Before upgrading existing deployments, please see the [Container Gateway 11.0 Release Notes](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw-11-0/release-notes_cgw.html) for important information regarding the procedure.
-
-## 3.0.4 General Updates
-OTK installation and upgrade is now supported as part of Gateway charts. Please refer to [OTK Install or Upgrade](#otk-install-or-upgrade) for more details.
-[Gateway-OTK](../gateway-otk) is now deprecated.
-
-## 3.0.2 General Updates
-***The default image tag in values.yaml and production-values.yaml now points at specific GA or CR versions of the API Gateway. The appVersion in Chart.yaml has also been updated to reflect that. As of this release, that is 10.1.00_CR2***
-
-To reduce reliance on requiring a custom/derived gateway image for custom and modular assertions, scripts and restman bundles a bootstrap script has been introduced. The script works with the /opt/docker/custom folder.
-
-The best way to populate this folder is with an initContainer where files can be copied directly across or dynamically loaded from an external source.
-- [InitContainer Examples](https://github.com/Layer7-Community/Utilities/tree/main/gateway-init-container-examples) - this repository also contains examples for custom health checks and configuration files.
-
-The following configuration options have been added
-- [Custom Health Checks](#custom-health-checks)
-- [Custom Configuration Files](#custom-configuration-files)
-- [Topology Spread Constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/#spread-constraints-for-pods)
-- [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/)
-- [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
-- [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)
-- Http headers can also now be added to the liveness and readiness probes
-- Ingress and HPA API Version validation has been updated to check for available APIs vs. KubeVersion
-- SubCharts now show image repository and tags
-### Upgrading to Chart v3.0.0
-Please see the 3.0.0 updates, this release brings significant updates and ***breaking changes*** if you are using an external Hazelcast 3.x server. Services and Ingress configuration have also changed. Read the 3.0.0 Updates below and check out the [additional guides](#additional-guides) for more info.
-
-## 3.0.0 Updates to Hazelcast
-***Hazelcast 4.x/5.x servers are now supported*** this represents a breaking change if you have configured an external Hazelcast 3.x server.
-- If you are using Gateway v10.1 and below you will either need to set *hazelcast.legacy.enabled=true* and use the following gateway image *docker.io/caapim/gateway:10.1.00_20220802* or update your external Hazelcast server.
-- The included Hazelcast subChart has been updated to reflect this change
-
-### 3.0.0 Updates to Ingress Configuration
-Ingress configuration has been updated to include multiple hosts, please see [Ingress Configuration](#ingress-configuration) for more detail. You will need to update your values.yaml to reflect the changes.
-
-## 3.0.0 General Updates
-- You can now configure [Gateway Ports.](#port-configuration)
- This does not cover Kubernetes Service level configuration which will ***need to be updated*** to reflect your changes.
-
-- New Management Service
- - Provides separation of concerns for external/management traffic. This was previously a manual step.
-- [Autoscaling](#autoscaling)
-- [Ingress Configuration](#ingress-configuration)
-- [PM Tagger](#pm-tagger-configuration)
- - PM (Policy Manager) tagger is a lightweight go application that works with the new management service.
- - RBAC Role Required if using PM Tagger.
-- Default values.yaml restructure
- - configuration items more closely aligned
-- Added production-values.yaml
- - Includes a baseline for production configuration
- - Resources are set to minimum recommended values
- - Application ports are hardened
- - 8080 (disabled)
- - 8443 (management features disabled - service is ClusterIP)
- - 9443 (configured with management service)
- - Autoscaling is enabled
- - Ingress is enabled
- - Rules are configured for 8443
- - Database is not created - you will need to supply a JDBC Url
-
-## Changes that will affect you if upgrading from 2.0.1 and below
-- MySQL Stable Chart is deprecated - the demo database subChart has been changed to Bitnami MySQL - if your database is NOT externalised you will lose any policy/configuration you have there.
-- tls.customKey ==> tls.useSignedCertificates tls.key tls.pass tls.existingSecretName
-
-## 2.0.6 General Updates
-- Fixing bitnami repository dependency issue.
-
-## 2.0.5 General Updates
-- Internal only.
-
-## 2.0.4 Updates to Secret Management
-- Added support for the Kubernetes CSI Driver for gateway bundles. This does not currently extend to environment variables or the Gateway license.
-- The CSI functionality is optional
-
-## 2.0.4 General Updates
-- Added support for sidecars and initContainers
- - volumeMounts are automatically configured with emptyDir
-- Updated default values update to reflect empty objects/arrays for optional fields.
-- Load the Gateway Deployment's ServiceAccountToken as a stored password for querying the Kubernetes API.
- - management.kubernetes.loadServiceAccountToken
-
-## 2.0.2 Updates to Secret Management
-- You can now specify existing secrets for Gateway Configuration, DefaultSSLKey (tls) and bundles
-
-## 2.0.2 General Updates
-- Ingress Definition updated to reflect the new API Version, additional configuration added.
-- HostAliases applies to /etc/hosts for dns names that aren't available on a dns server.
-- System.properties is now mounted to the Gateway Container, default values have been applied.
-- You can now reference existing bundles stored in configMaps/Secrets
-- NodeSelector and Affinity settings for the Gateway Deployment
-- Resources values updated to reflect minimum recommended configuration
-
-## Upgrading to 2.0.2
-***If you are using the demo database in a previous version of this Chart this upgrade will remove it. If you wish to keep your data you will need to perform a backup.***
-```
-$ helm repo update
-$ helm show values layer7/gateway > gateway-values.yaml
-
-Inspect and update the new gateway-values.yaml
-
-$ helm upgrade my-ssg --set-file "license.value=path/to/license.xml" --set "license.accept=true" -f ./gateway-values.yaml layer7/gateway
-```
## Installing the Chart
Check out [this guide](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw-10-1/learning-center/thinking-in-kubernetes/hands-on-gateway-deployment-in-kubernetes.html) for more in-depth instruction
@@ -447,6 +137,10 @@ The following table lists the configurable parameters of the Gateway chart and t
| `global.schedulerName` | Override the default scheduler | `nil` |
| `license.value` | Gateway license file | `nil` |
| `license.accept` | Accept Gateway license EULA | `false` |
+| `disklessConfig.enabled` | Enable diskless configuration | `true` |
+| `disklessConfig.existingSecret` | existing node.properties secret mount configuration | `{}` |
+| `disklessConfig.existingSecret.name` | existing secret containing node.properties | `gateway-secret` |
+| `disklessConfig.existingSecret.csi` | csi configuration for the [secret store csi driver](https://secrets-store-csi-driver.sigs.k8s.io/) | `commented out` |
| `image.registry` | Image Registry | `docker.io` |
| `image.repository` | Image Repository | `caapim/gateway` |
| `image.tag` | Image tag | `11.0.00` |
@@ -475,12 +169,15 @@ The following table lists the configurable parameters of the Gateway chart and t
| `database.create` | Deploy the MySQL stable deployment as part of this release | `true` |
| `database.username` | Database Username | `gateway` |
| `database.password` | Database Password | `mypassword` |
+| `database.liquibaseLogLevel` | Liquibase log level | `off` |
| `database.name` | Database name | `ssg` |
| `tls.useSignedCertificates` | Enable/Disable use of your own TLS Certificate, this ovverides the Gateway's defaultSSLKey | `false` |
| `tls.existingSecretName` | Existing Secret that contains TLS p12 container and pass, see values.yaml for what must be included | `commented out` |
| `tls.key` | p12 container - this can be set with --set-file tls.key=/path/to/tls.p12 | `nil` |
| `tls.pass` | p12 container password - this cannot be empty | `nil` |
| `config.heapSize` | Java Heap Size | `2g` |
+| `config.minHeapSize` | Java Min Heap Size | `1g` |
+| `config.maxHeapSize` | Java Max Heap Size | `3g` |
| `config.javaArgs` | Additional Java Args to pass to the SSG process | `see values.yaml` |
| `config.log.override` | Override the standard log configuration | `true` |
| `config.log.properties` | Custom logging properties | `see values.yaml` |
@@ -538,6 +235,8 @@ The following table lists the configurable parameters of the Gateway chart and t
| `bootstrap.script.enabled` | Enable the bootstrap script | `false` |
+[Back to Additional Guides](#additional-guides)
+
## Port Configuration
There are two types of port configuration available in the Gateway Helm Chart that are configured in the following ways
@@ -588,6 +287,9 @@ management:
external: 9443
protocol: TCP
```
+
+[Back to Additional Guides](#additional-guides)
+
### OTK install or upgrade
OTK can be install or upgrade gateway. Supports SINGLE, INTERNAL and DMZ types of OTK installations on db backed gateway. On ephermal gateway only SINGLE mode is supported.
@@ -711,6 +413,8 @@ OTK Deployment examples can be found [here](/examples/otk)
#### Note:
* In case of ephemeral GW instances where there only updates to OTK, it should be done using Helm --force option
+[Back to Additional Guides](#additional-guides)
+
### Gateway Application Ports
Once you have decided on which container ports you would like to expose, you need to create the corresponding ports on the API Gateway. *These will need match the corresponding service and management service ports above.*
@@ -799,6 +503,8 @@ config:
# - TLS_RSA_WITH_AES_128_CBC_SHA
```
+[Back to Additional Guides](#additional-guides)
+
### Ingress Configuration
The Gateway Helm Chart allows you to configure an Ingress Resource that your central Ingress Controller can manage. You can find more information on [Ingress Controllers](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/) here.
@@ -861,6 +567,8 @@ ingress:
# #number:
```
+[Back to Additional Guides](#additional-guides)
+
### PM Tagger Configuration
[PM (Policy Manager) Tagger](https://github.com/gvermeulen7205/pm-tagger) is a lightweight go application that works in conjunction with the management service to provide a stable connection to your container gateway via Policy Manager.
@@ -883,6 +591,8 @@ ingress:
| `pmtagger.podSecurityContext` | [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | `[]` |
| `pmtagger.containerSecurityContext` | [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | `{}` |
+[Back to Additional Guides](#additional-guides)
+
### OpenTelemetry Configuration
The Gateway from v11.1.00 can be configured to send telemetry to Observability backends [that support OpenTelemetry](https://opentelemetry.io/ecosystem/vendors/). Please see [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/11-1/install-configure-upgrade/configuring-opentelemetry-for-the-gateway.html) for more details about this integration.
@@ -939,13 +649,37 @@ example otel.traceConfig
}
```
+[Back to Additional Guides](#additional-guides)
+
##### Gateway OTel Examples (with or without the Optional Agent)
The integration example [here](https://github.com/Layer7-Community/Integrations/tree/main/grafana-stack-prometheus-otel) contains two Gateway examples (values.yaml overrides) that are configured to use the SDK only approach ***or*** include the Optional OTel Java Agent. There are two Grafana Dashboards included that show the differences in the telemetry that emitted from the Gateway.
- [SDK only, no agent](https://github.com/Layer7-Community/Integrations/tree/main/grafana-stack-prometheus-otel/gateway-example/gateway-sdk-only-values.yaml)
- [Agent](https://github.com/Layer7-Community/Integrations/tree/main/grafana-stack-prometheus-otel/gateway-example/gateway-otel-java-agent-values.yaml)
+[Back to Additional Guides](#additional-guides)
+
+### Shared State Preview Features
+There are two preview features that you may choose to enable with Gateway v11.1.1 onwards.
+- [Apply Distributed Rate Limit Assertion (Preview)](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/policy-assertions/assertion-palette/service-availability-assertions/apply-distributed-rate-limit-assertion.html)
+- [Key Value Storage Assertions (Preview)](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/policy-assertions/assertion-palette/service-availability-assertions/key-value-storage-assertions.html)
+
+To use the [Apply Distributed Rate Limit Assertion (Preview)](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/policy-assertions/assertion-palette/service-availability-assertions/apply-distributed-rate-limit-assertion.html), uncomment the following and set it to redis or externalhazelcast
+```
+# com.l7tech.server.extension.sharedRateLimiterProvider=redis
+```
+
+To use the [Key Value Storage Assertions (Preview)](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/policy-assertions/assertion-palette/service-availability-assertions/key-value-storage-assertions.html), uncomment the following and set sharedKeyValueStoreProvider to redis or externalhazelcast
+```
+# com.l7tech.external.assertions.keyvaluestore.sharedKeyValueStoreProvider=redis
+# com.l7tech.external.assertions.keyvaluestore.storeIdList=GW_STORE_ID
+```
+
+[Back to Additional Guides](#additional-guides)
+
### Redis Configuration
-This enables integration with [Redis](https://redis.io/). The following sections configure a redis configuration file on the Gateway. The following properties in config.systemProperties will need to be updated
+This enables integration with [Redis](https://redis.io/) which is a preview feature on the Layer7 Gateway. The following sections configure a redis configuration file on the Gateway. The following properties in config.systemProperties will need to be updated.
+
+**Important Note** The latest version of this chart uses a new format for Redis configuration that will simplify configuring additional shared state providers in the future. Please view [shared state provider config](#shared-state-provider-config) for more details. This is only compatible with Gateway v11.1.1.
Comment out the following
```
@@ -962,17 +696,19 @@ Uncomment the following
| Parameter | Description | Default |
| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- |
| `config.redis.enabled` | Enable redis configuration | `false` |
-| `config.redis.existingConfigSecret` | Use an existing config secret - must contain a key called redis.properties | `redis-config-secret` |
| `config.redis.subChart.enabled` | Deploy the redis subChart | `true` |
+| `config.redis.additionalProviders` | Configure additional Redis connections | `[]` |
| `config.redis.groupName` | Redis Group name | `l7GW` |
| `config.redis.commandTimeout` | Redis Command Timeout | `5000` |
+| `config.redis.connectTimeout` | Redis Connect Timeout | `10000` |
+| `config.redis.testOnStart` | Test the connection to Redis during Gateway start. If the conection fails and this is true, the Gateway will not start | `false` |
| `config.redis.auth.enabled` | Use auth for Redis | `false` |
| `config.redis.auth.username` | Redis username | `` |
| `config.redis.auth.password.encoded` | Password is encoded | `false` |
| `config.redis.auth.password.value` | Redis password | `mypassword` |
| `config.redis.sentinel.enabled` | Enable sentinel configuration | `true` |
| `config.redis.sentinel.masterSet` | Redis Master set | `mymaster` |
-| `config.redis.sentinel.nodes` | Array of sentinel nodes and ports | `[]` |
+| `config.redis.sentinel.nodes` | Array of sentinel nodes host and port | `[]` |
| `config.redis.standalone.host` | Redis host if sentinel is not enabled | `redis-standalone` |
| `config.redis.standalone.port` | Redis port if sentinel is not enabled | `6379` |
| `config.redis.tls.enabled` | Enable SSL/TLS | `false` |
@@ -980,13 +716,60 @@ Uncomment the following
| `config.redis.tls.verifyPeer` | Verify Peer | `true` |
| `config.redis.tls.redisCrt` | Redis Public Cert | `` |
+
#### Creating your own Redis Configuration
Please refer to [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw-11-0/install-configure-upgrade/connect-to-an-external-redis-datastore.html) for more context on the available configuration options
#### Note
The Gateway supports Redis master auth only. The Gateway will not be able to connect to Redis if your Sentinel nodes have passwords. Please refer to the notes in values.yaml for details on config.redis.auth and redis.auth (subChart)
-##### Redis Sentinel
+##### Redis Sentinel (11.1.1)
+sharedstate_client.yaml
+```
+redis:
+ default:
+ type: sentinel
+ keyPrefixGroupName: test
+ username: redisuser
+ #password: "redispassword"
+ encodedPassword: "redisencodedpassword"
+ commandTimeout: 5000
+ connectTimeout: 10000
+ testOnStart: false
+ sentinel:
+ master: mymaster
+ nodes:
+ - host: node1
+ port: 26379
+ - host: node2
+ port: 26379
+ - host: node3
+ port: 26379
+```
+
+##### Redis Standalone (11.1.1)
+sharedstate_client.yaml
+```
+redis:
+ default:
+ type: standalone
+ keyPrefixGroupName: test
+ username: redisuser
+ #password: "redispassword"
+ encodedPassword: "redisencodedpassword"
+ commandTimeout: 5000
+ connectTimeout: 10000
+ testOnStart: false
+ standalone:
+ host: redis-standalone
+ port: 6379
+ ssl:
+ enabled: true
+ cert: host.cert
+ verifyPeer: false
+```
+
+##### Redis Sentinel (11.0.00_CR2 and 11.1.00)
redis.properties
```
# Redis type can be sentinel or standalone
@@ -1006,7 +789,8 @@ redis.properties
redis.commandTimeout=5000
```
-##### Redis Standalone (11.1.00 and later)
+##### Redis Standalone (11.1.00)
+**Gateway Chart v3.0.30 onwards only supports Gateway 11.1.1 and later for Redis** if you are not upgrading to Gateway v11.1.1 please specify the --version flag when installing or upgrading your release.
The Gateway supports SSL/TLS and Authentication when connecting to a standalone Redis instance. This configuration should only be used for development purposes
redis.properties
@@ -1028,7 +812,8 @@ redis.properties
redis.commandTimeout=5000
```
-##### Redis Standalone (11.0.00_CR2 and later)
+##### Redis Standalone (11.0.00_CR2)
+**Gateway Chart v3.0.30 onwards only supports Gateway 11.1.1 and later for Redis** if you are not upgrading to Gateway v11.1.1 please specify the --version flag when installing or upgrading your release.
The Gateway does not support SSL/TLS or Authentication when connecting to a standalone Redis instance. This configuration should only be used for development purposes
redis.properties
@@ -1042,7 +827,20 @@ redis.properties
redis.commandTimeout=5000
```
-##### Create a secret from this configuration
+##### Create a secret from this configuration (11.1.1)
+```
+kubectl create secret generic shared-state-provider-secret --from-file=sharedstate_client.yaml=/path/to/sharedstate_client.yaml
+```
+my-values.yaml
+```
+config:
+ sharedStateClient:
+ enabled: true
+ existingConfigSecret: shared-state-provider-secret
+```
+
+##### Create a secret from this configuration (11.0.00_CR2 and 11.1.00)
+**Gateway Chart v3.0.30 onwards only supports Gateway 11.1.1 and later for Redis** if you are not upgrading to Gateway v11.1.1 please specify the --version flag when installing or upgrading your release.
```
kubectl create secret generic redis-config-secret --from-file=redis.properties=/path/to/redis.properties
```
@@ -1053,6 +851,16 @@ redis:
existingConfigSecret: redis-config-secret
```
+[Back to Additional Guides](#additional-guides)
+
+### Shared State Provider Config
+Shared State Providers from Gateway v11.1.1 onwards simplifies the configuration required to connect to providers like Redis. This is currently limited to Redis.
+
+| Parameter | Description | Default |
+| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- |
+| `config.sharedStateProvider.enabled` | Enable redis configuration | `false` |
+| `config.sharedStateProvider.existingConfigSecret` | Use an existing config secret - must contain a key called sharedstate_client.yaml | `sharedstate-client-secret` |
+| `config.sharedStateProvider.additionalProviders` | Configure additional shared state providers - example in values.yaml | `[]` |
### Database Configuration
You can configure the deployment to use an external database (this is the recommended approach - the included MySQL SubChart is not supported). In the values.yaml file, set the create field in the database section to false, and set jdbcURL to use your own database server:
@@ -1063,10 +871,18 @@ database:
jdbcURL: jdbc:mysql://myprimaryserver:3306,mysecondaryserver:3306/ssg?failOverReadOnly=false
username: myuser
password: mypassword
+ liquibaseLogLevel: "off"
name: ssg
```
In the above example, two MySQL database servers are specified with myprimaryserver acting as the primary server and mysecondaryserver acting as the secondary server. The failOverReadOnly property is also set to false meaning that the secondary server db is also writable.
+When disklessConfig.enabled is false (see [Diskless Configuration](#diskless-configuration)), the following database fields will be ignored:
+- jdbcURL
+- username
+- password
+
+The values will come from node.properties instead. See [External MySQL](#external-mysql) section.
+
More info on the JDBC URL:
- Connection URL syntax: https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-url-format.html
- Failover config: https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-config-failover.html
@@ -1083,6 +899,8 @@ jdbcURL: jdbc:mysql://myprimaryserver:3306,mysecondaryserver:3306/ssg?useSSL=tru
In order the create the database on the remote server, the provided user in the username field must have write privilege on the database. See GRANT statement usage: https://dev.mysql.com/doc/refman/8.0/en/grant.html#grant-database-privileges
+[Back to Additional Guides](#additional-guides)
+
### Cluster Wide Properties
You can specify cluster-wide properties in values.yaml, you can also use the [bundle](#bundle-configuration) to load your own Gateway Bundles.
@@ -1111,19 +929,24 @@ config:
value: 152 7101 7103 9648 9645 7026 7027 4155 150 4716 4114 6306 4100 9655 150 151 11000 4104
```
+[Back to Additional Guides](#additional-guides)
### Java Args
-Additional Java Arguments as may be recommended by support can be configured in values.yaml
+Additional Java Arguments as may be recommended by support can be configured in values.yaml. Gateway v11.1.1 supports two new fields that allows a min and max heap size to be set. If these are not set config.heapSize will take precedence.
| Parameter | Description | Default |
| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- |
| `config.heapSize` | Java Heap Size - this should be a percentage of the memory configured in resources.limits and should be updated together. The default assumes 50%, going above 75% is not recommended | `2G` |
+| `config.minHeapSize` | Java Min Heap Size - this should be a percentage of the memory configured in resources.limits and should be updated together. The default assumes 25% | `1G` |
+| `config.maxHeapSize` | Java Max Heap Size - this should be a percentage of the memory configured in resources.limits and should be updated together. The default assumes 75%, going above this is not recommended | `3G` |
| `config.javaArgs` | Additional Java Args to pass to the SSG process | `see values.yaml` |
The default Java Args are as follows
```
config:
heapSize: "2g"
+ minHeapSize: "1g"
+ maxHeapSize: "3g"
javaArgs:
- -Dcom.l7tech.bootstrap.autoTrustSslKey=trustAnchor,TrustedFor.SSL,TrustedFor.SAML_ISSUER
- -Dcom.l7tech.server.audit.message.saveToInternal=false
@@ -1135,6 +958,8 @@ config:
- -Dcom.l7tech.security.ssl.hostAllowWildcard=true
```
+[Back to Additional Guides](#additional-guides)
+
### System Properties
Additional System Properties as may be recommended by support can be configured in values.yaml
@@ -1159,7 +984,7 @@ The full default is this
com.l7tech.server.extension.sharedClusterInfoProvider=ssgdb
# By default, FIPS module will block an RSA modulus from being used for encryption if it has been used for
# signing, or visa-versa. Set true to disable this default behaviour and remain backwards compatible.
- com.safelogic.cryptocomply.rsa.allow_multi_use=true
+ com.l7tech.org.bouncycastle.rsa.allow_multi_use=true
# Specifies the type of Trust Store (JKS/PKCS12) provided by AdoptOpenJDK that is used by Gateway.
# Must be set correctly when Gateway is running in FIPS mode. If not specified it will default to PKCS12.
javax.net.ssl.trustStoreType=jks
@@ -1168,6 +993,89 @@ The full default is this
# Additional properties go here
```
+[Back to Additional Guides](#additional-guides)
+
+### Diskless Configuration
+Refer to [TechDocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/install-configure-upgrade/configuring-the-container-gateway/environment-variables-for-the-container-gateway.html) for more info. Running without Diskless config is supported from Gateway v11.1.1 onwards. Please make sure disklessConfig.enabled is true (default) if you are using a previous version of the Container Gateway.
+
+**DISKLESS_CONFIG** is a new environment variable that was introduced in Gateway v11.1.1, that allows switching between configuration sources.
+
+This is exposed in the Gateway Helm Chart via the disklessConfig configuration in values.yaml.
+- **disklessConfig.enabled: true**
+ - Default, No changes.
+```
+disklessConfig:
+ enabled: true
+ # existingSecret:
+ # name: gateway-secret
+ # csi: {}
+```
+- **disklessConfig.enabled: false**
+ - The Gateway will be read its configuration from node.properties which is mounted to the container gateway.
+ - This facilitates the use of the [secret store csi driver](https://secrets-store-csi-driver.sigs.k8s.io/) to mount configuration.
+ - Creates a secret with node.properties by default
+ - We **strongly recommend** you create your own node.properties file and make use of disklessConfig.existingSecret configuration.
+```
+disklessConfig:
+ enabled: false
+ # existingSecret:
+ # name: gateway-secret
+ # csi: {}
+```
+
+#### Creating a node.properties file
+
+##### External MySQL
+- Make sure the database configuration matches what is in node.properties
+
+Example: node.properties with MySQL database configuration
+```
+node.cluster.pass=mypassword
+admin.user=admin
+admin.pass=mypassword
+node.db.config.main.user=gateway
+node.db.config.main.pass=mypassword
+l7.mysql.connection.url=jdbc:mysql://myprimaryserver:3306,mysecondaryserver:3306/ssg?failOverReadOnly=false&useSSL=true&requireSSL=true
+```
+
+See [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/install-configure-upgrade/enable-ssl-connections-for-mysql.html) for more info on setting l7.mysql.connection.url. JDBC URLs like the value provided in database.jdbcUrl can be used as the value of l7.mysql.connection.url in node.properties.
+
+##### Gateway running in Ephemeral Mode (no external MySQL)
+- To run the Gateway in Ephemeral mode, ***node.db.type=derby*** needs to be added to node.properties
+
+Example: node.properties with Derby configuration
+```
+node.cluster.pass=mypassword
+admin.user=admin
+admin.pass=mypassword
+node.db.type=derby
+node.db.config.main.user=gateway
+```
+
+##### Update values.yaml
+Update your values file to use the new node.properties file.
+
+This command is the simplest way to create a secret with node.properties. Note that this can also be created with tools like [kustomize](https://kustomize.io/) which will be better for CI/CD pipelines. You can also take advantage of the secret [secret store csi driver](https://secrets-store-csi-driver.sigs.k8s.io/) to mount this secret from an external KMS provider.
+
+Note that the key name is node.properties. This is required.
+```
+kubectl create secret generic gateway-secret --from-file=node.properties=path/to/node.properties
+```
+values.yaml
+```
+disklessConfig:
+ enabled: false
+ existingSecret:
+ name: gateway-secret
+ # csi:
+ # driver: secrets-store.csi.k8s.io
+ # readOnly: true
+ # volumeAttributes:
+ # secretProviderClass: "secret-provider-class-name"
+```
+
+[Back to Additional Guides](#additional-guides)
+
### Bundle Configuration
There are a variety of ways to mount Gateway (Restman format) Bundles to the Gateway Container. The best option is making use of existingBundles where the bundle has been created ahead of deployment as a configMap or secret.
This allows for purpose built Gateways with a guaranteed set of configuration, apis/services.
@@ -1198,6 +1106,8 @@ existingBundle:
# secretProviderClass: "secret-provider-class-name"
```
+[Back to Additional Guides](#additional-guides)
+
### Bootstrap Script
To reduce reliance on requiring a custom gateway image for custom and modular assertions, scripts and restman bundles a bootstrap script has been introduced. The script works with the /opt/docker/custom folder. The best way to populate this folder is with an initContainer where files can be copied directly across or dynamically loaded from an external source.
@@ -1229,6 +1139,8 @@ The following folder stucture must be maintained
More information on how to use initContainers with examples can be found on the [Layer7 Community Github Utilities Repository](https://github.com/Layer7-Community/Utilities/tree/main/gateway-init-container-examples).
+[Back to Additional Guides](#additional-guides)
+
### Custom Health Checks
You can now specify a configMap or Secret that contains healthcheck scripts. These are mounted to ```/opt/docker/rc.d/diagnostic/health_check``` where they are run by ```/opt/docker/rc.d/diagnostic/health_check.sh```.
@@ -1253,6 +1165,8 @@ existingHealthCheck:
# secretProviderClass: "vault-database"
```
+[Back to Additional Guides](#additional-guides)
+
### Custom Configuration Files
Certain folders on the Container Gateway are not writeable by design. This configuration allows you to mount existing configMap/Secret keys to specific paths on the Gateway without the need for a root user or a custom/derived image.
@@ -1271,6 +1185,8 @@ customConfig:
# path: sampletrafficloggerca.properties
```
+[Back to Additional Guides](#additional-guides)
+
### Graceful Termination
During upgrades and other events where Gateway pods are replaced you may have APIs/Services that have long running connections open.
@@ -1279,7 +1195,7 @@ This functionality delays Kubernetes sending a SIGTERM to the container gateway
The preStop script will monitor connections to inbound (not outbound) Gateway Application TCP ports (i.e. inbound listener ports opened by the Gateway Application and not some other process) except those that are explicitly excluded.
The following ports are excluded from monitoring by default.
-- 8777 (Hazelcast) - Embedded Hazelcast.
+- 8777 (Hazelcast) - Hazelcast.
- 2124 (Internode-Communication) - not utilised by the Container Gateway.
If there are no open connections, the preStop script will exit immediately ignoring preStopScript.timeoutSeconds to avoid unnecessary resource utilisation (pod stuck in terminating state) during upgrades.
@@ -1297,6 +1213,8 @@ The graceful termination (preStop script) is disabled by default.
| `preStopScript.excludedPorts` | Array of ports that should be excluded from the preStop script check | `[8777, 2124]` |
| `terminationGracePeriodSeconds` | Default duration in seconds kubernetes waits for container to exit before sending kill signal. | `see values.yaml` |
+[Back to Additional Guides](#additional-guides)
+
### Autoscaling
Autoscaling is disabled by default, you will need [metrics server](https://github.com/kubernetes-sigs/metrics-server) in conjunction with the configuration below.
In order for Kubernetes to determine when to scale, you will also need to configure resources
@@ -1340,6 +1258,8 @@ autoscaling:
periodSeconds: 15
```
+[Back to Additional Guides](#additional-guides)
+
### Pod Disruption Budgets
[Pod Disruption Budgets](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) allow you to limit the number of concurrent disruptions that your application experiences, allowing for higher availability while permitting the cluster administrator to manage the clusters nodes.
| Parameter | Description | Default |
@@ -1356,6 +1276,8 @@ pdb:
minAvailable: ""
```
+[Back to Additional Guides](#additional-guides)
+
### RBAC Parameters
PM Tagger requires access to pods in the current namespace, it uses the Gateway Configured service account.
@@ -1374,6 +1296,8 @@ rules:
verbs: ["list", "patch"]
```
+[Back to Additional Guides](#additional-guides)
+
### Logs & Audit Configuration
The API Gateway containers are configured to output logs and audits as JSON events, and to never write audits to the in-memory Derby database:
@@ -1389,6 +1313,8 @@ The API Gateway containers are configured to output logs and audits as JSON even
- Allow wildcards when verifying hostnames (true/false)
- Set '-Dcom.l7tech.security.ssl.hostAllowWildcard=true' to allow wildcards when verifying hostnames (true/false)
+[Back to Additional Guides](#additional-guides)
+
### Service Metrics Demo
To deploy the service metrics example you will need to enable serviceMetrics, influxdb and grafana.
@@ -1403,6 +1329,7 @@ To deploy the service metrics example you will need to enable serviceMetrics, in
| `influxdb.enabled` | Enable/Disable deployment of InfluxDb | `false` |
| `grafana.enabled` | Enable/Disable deployment of Grafana | `false` |
+[Back to Additional Guides](#additional-guides)
## Subchart Configuration
***these do not represent production configurations***
@@ -1425,7 +1352,6 @@ The following table lists the configured parameters of the MySQL Bitnami chart -
| `mysql.primary.persistence.storageClass` | Storage class to use | `nil` |
| `mysql.primary.configuration` | MySQL Configuration | `see values.yaml` |
-
## Hazelcast
The following table lists the configured parameters of the Hazelcast Subchart - see the following for more detail https://github.com/hazelcast/charts/blob/master/stable/hazelcast/values.yaml
@@ -1468,3 +1394,5 @@ The following table lists the configured parameters of the Grafana Subchart - se
* InfluxDb (default: disabled) ==> https://github.com/influxdata/helm-charts/tree/master/charts/influxdb
* Grafana (default: disabled) ==> https://github.com/bitnami/charts/tree/master/bitnami/grafana
* Redis (default: disabled) ==>https://github.com/bitnami/charts/tree/master/bitnami/redis
+
+[Back to Additional Guides](#additional-guides)
diff --git a/charts/gateway/production-values.yaml b/charts/gateway/production-values.yaml
index 0bd40969..a79aaecc 100644
--- a/charts/gateway/production-values.yaml
+++ b/charts/gateway/production-values.yaml
@@ -9,10 +9,23 @@ license:
accept: false
# existingSecretName: ssg-license
+# Diskless Configuration modes for the Gateway
+disklessConfig:
+ # true - environment variables are used for gateway configuration
+ # false - node.properties is used for gateway configuration
+ enabled: true
+ existingSecret: {}
+ # name: gateway-secret
+ # csi:
+ # driver: secrets-store.csi.k8s.io
+ # readOnly: true
+ # volumeAttributes:
+ # secretProviderClass: "secret-provider-class-name"
+
image:
registry: docker.io
repository: caapim/gateway
- tag: 11.1.00
+ tag: 11.1.1
pullPolicy: IfNotPresent
# If you are using a Hazelcast 3.x server then you need to set hazelcast.legacy.enabled=true
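Review bot: The new disklessConfig comments say which source is read in each mode but not what the node.properties secret contains, and per the README example for this feature it carries `admin.pass`, `node.cluster.pass` and the database password in clear text, so a reader choosing `enabled: false` is not warned that this secret must come from an external store rather than a values file or repo. Suggest adding above `existingSecret: {}`: `# node.properties holds the admin, cluster and DB passwords in plain text; mount it from an external secret store via the csi block rather than committing it`. The `existingSecret: {}` placeholder with commented keys inside is fine, but a one-line hint that `{}` has to be replaced by the `name:`/`csi:` block would save a first-time user a null-secret surprise. The `license:` block this hunk starts in continues above the hunk.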
@@ -169,6 +182,10 @@ config:
# Heap Size should be a percentage of the memory configured in resource limits
# by default it is 50% - you should not go above 75%
heapSize: "2g"
+ # Gateway v11.1.1 provides min and max heap size options
+ # If you are using an earlier version of the Gateway, these will be ignored.
+ # minHeapSize: "1g"
+ # maxHeapSize: "3g"
javaArgs:
- -Dcom.l7tech.bootstrap.autoTrustSslKey=trustAnchor,TrustedFor.SSL,TrustedFor.SAML_ISSUER
- -Dcom.l7tech.server.audit.message.saveToInternal=false
@@ -235,7 +252,7 @@ config:
com.l7tech.server.extension.sharedClusterInfoProvider=ssgdb
# By default, FIPS module will block an RSA modulus from being used for encryption if it has been used for
# signing, or visa-versa. Set true to disable this default behaviour and remain backwards compatible.
- com.safelogic.cryptocomply.rsa.allow_multi_use=true
+ com.l7tech.org.bouncycastle.rsa.allow_multi_use=true
# Specifies the type of Trust Store (JKS/PKCS12) provided by AdoptOpenJDK that is used by Gateway.
# Must be set correctly when Gateway is running in FIPS mode. If not specified it will default to PKCS12.
javax.net.ssl.trustStoreType=jks
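Review bot: The renamed line `com.l7tech.org.bouncycastle.rsa.allow_multi_use=true` keeps this production values file opting out of the FIPS check described in the comment two lines above, so one RSA key may be used for both signing and encryption by default; for a file named production-values.yaml I would expect this to stay at the provider default and be enabled only where legacy keys need it. Suggest extending the comment: `# Security: only set to true if existing keys are used for both signing and encryption; otherwise omit to keep the FIPS default`. Anyone who carried a copy of config.systemProperties forward will presumably still have the old `com.safelogic.cryptocomply.rsa.allow_multi_use` key, and nothing here says which Gateway versions honour which spelling, so a line noting the rename and the version it applies from would avoid a silent no-op. The systemProperties block starts and ends outside this hunk.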
@@ -245,6 +262,9 @@ config:
# com.l7tech.server.extension.sharedKeyValueStoreProvider=redis
# com.l7tech.server.extension.sharedCounterProvider=redis
# com.l7tech.server.extension.sharedRateLimiterProvider=redis
+ # Shared state provider preview settings
+ # com.l7tech.external.assertions.keyvaluestore.sharedKeyValueStoreProvider=redis
+ # com.l7tech.external.assertions.keyvaluestore.storeIdList=GW_STORE_ID
# If you would like to use the built in OpenTelemetry SDK uncomment and set the following configuration
# otel.sdk.disabled=false
# otel.java.global-autoconfigure.enabled=true
@@ -396,8 +416,10 @@ config:
enabled: false
redis:
# enable or disable redis integration
- # please uncomment the 3 redis properties in config.systemProperties
+ # please uncomment the 5 redis properties in config.systemProperties
+ # view more configurable system properties here - https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/policy-assertions/assertion-palette/service-availability-assertions/key-value-storage-assertions.html#_c8b71b7b-dd84-4ee6-9771-d0bc262c36e9_sys_prop_configs
# Redis client properties for configuring Redis Standalone or Redis Sentinel connections
+ # This configuration is parsed into redis.default in sharedstate_client.yaml
enabled: false
# We recommend using an existing secret for Redis configuration in production environments
# for separation of concerns and to better secure Redis client property secrets.
@@ -406,6 +428,8 @@ config:
# To configure the Redis client directly in this values file uncomment and/or set the following client properties
groupName: l7GW
commandTimeout: 5000
+ connectTimeout: 10000
+ testOnStart: false
# The Gateway supports Redis master auth only.
# If trying out auth using the subChart redis.auth.enabled should be true, and redis.auth.sentinel should be false (default)
# If redis.auth.sentinel is enabled in the redis subChart or on your External Redis Sentinel Deployment, the Gateway will fail to start.
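Review bot: `testOnStart: false` on the new line means a Gateway pod comes up even when the Redis connection fails (the README describes the flag as "if the connection fails and this is true, the Gateway will not start"), so a wrong password, host or certificate in a production values file is only discovered at first request rather than failing the rollout. I would either default it to `testOnStart: true` here or add a comment: `# Set to true in production so a broken Redis connection fails the rollout instead of surfacing at runtime`, noting the trade-off that with true a Redis outage also blocks pod restarts. The redis block starts and ends outside this hunk.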
@@ -423,9 +447,12 @@ config:
masterSet: mymaster
# If the subChart is not enabled sentinel nodes need to be set
nodes:
- - :
- - :
- - :
+ - host:
+ port:
+ - host:
+ port:
+ - host:
+ port:
standalone: {}
# host: redis-standalone
# port: 6379
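Review bot: The three placeholder entries `- host:` / `port:` in the new sentinel.nodes list are bare empty values, which YAML parses as null, so a release that enables sentinel without the subChart and forgets to fill them in presumably gets three `{host: null, port: null}` nodes rendered into the client config rather than a clear validation error. The README table documents the default of this key as `[]`, and the neighbouring `standalone: {}` already uses an explicit empty collection, so I would make this `nodes: []` and show the expected shape in a comment, e.g. `# - host: sentinel-1` / `#   port: 26379`. The redis block starts and ends outside this hunk.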
@@ -445,7 +472,43 @@ config:
# changes will be required
# Using Redis as a subChart is not recommended in production, please use your own Redis for this integration.
enabled: false
-
+ additionalProviders: []
+ # - name: myRegionalRedisInstance1
+ # redis:
+ # tls:
+ # existingSecret: myRegionalRedisCertSecret1
+ # key: redis.crt
+ # # path must match ssl.cert in your provider config
+ # path: myRegionalRedisCert.crt
+ # config: {}
+ # config:
+ # regional:
+ # type: sentinel
+ # keyPrefixGroupName: test
+ # username: abc
+ # password: "def"
+ # commandTimeout: 5000
+ # connectTimeout: 10000
+ # testOnStart: false
+ # ssl:
+ # enabled: true
+ # cert: myRegionalRedisCert.crt
+ # verifyPeer: false
+ # sentinel:
+ # master: mymaster
+ # nodes:
+ # - host: 127.0.0.1
+ # port: 26379
+ # - host: 192.168.0.1
+ # port: 26379
+
+ # In Gateway v11.1.1 shared state providers like redis (redis only currently) can be configured in a yaml file.
+ sharedStateClient:
+ enabled: true
+ # If you are using an existingConfigSecret for more than one shared state client that requires a tls cert, please use the customConfig section to mount
+ # existingConfigSecret: shared-state-client-secret
+ # reserved for future use
+ additionalProviders: []
## Reference an existing secret for sensitive Gateway fields
## Note that additionalSecret will no longer take effect when existingGatewaySecret is set.
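Review bot: The additionalProviders example on the new side pairs `ssl:` `enabled: true` with `verifyPeer: false` and an inline `password: "def"`, so anyone who uncomments it as a starting point for a production values file gets a TLS connection that does not validate the Redis server certificate plus a credential stored in the values file. I would change the example to `verifyPeer: true`, replace the inline password with `# password: supply via an existing secret, not an inline value`, and add `# verifyPeer: false disables certificate validation - development only`. Separately, the key introduced here is `config.sharedStateClient`, while the README table in this same change documents `config.sharedStateProvider.*`, the release notes say `sharedStateProviders.additionalProviders`, and the example secret name is `shared-state-client-secret` here versus `shared-state-provider-secret` in the README, so one spelling should be settled before release or the documented keys will not match the chart. The config block starts and ends outside this hunk.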
@@ -474,6 +537,10 @@ database:
# Configurable, update the mysql.auth. if you change this and would like to use the demo database server.
username: gateway
password: mypassword
+ # Liquibase log level can be set to one of the following.
+ # This configuration is only valid from Gateway v11.1.1 onwards.
+ # severe/warning/info/fine(debug)/off
+ liquibaseLogLevel: "off"
name: ssg
## If loading a TLS Key/Pair
@@ -941,7 +1008,6 @@ startupProbe:
successThreshold: 1
failureThreshold: 15
-
livenessProbe:
enabled: true
type: command
diff --git a/charts/gateway/release-notes.md b/charts/gateway/release-notes.md
new file mode 100644
index 00000000..03fd45e8
--- /dev/null
+++ b/charts/gateway/release-notes.md
@@ -0,0 +1,356 @@
+# Layer7 Gateway Chart Release Notes
+
+Back to [Readme](./README.md#release-notes)
+
+# Java 17
+The Layer7 API Gateway is now running with Java 17 with the release of v11.1.00.
+
+If you use Policy Manager, you will need to update to v11.1.00.
+
+## 3.0.30 General Updates
+Release notes will also be moved to a new file before merge...
+**Note** Gateway restart required if using preview Redis features.
+- Support added for running the Gateway without [Diskless Config](./README.md#diskless-configuration)
+ - Uses node.properties which can be mounted via [Secret or Secret Store CSI Driver](https://secrets-store-csi-driver.sigs.k8s.io/)
+ - Must be conciously enabled (limited to Gateway v11.1.1)
+- Redis configuration update
+ - Additional system properties for the key/value store assertion added (commented by default)
+ - please refer to [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/policy-assertions/assertion-palette/service-availability-assertions/key-value-storage-assertions.html#_c8b71b7b-dd84-4ee6-9771-d0bc262c36e9_sys_prop_configs) for more details
+ - Using new shared state provider config **(limited to Redis and Gateway v11.1.1)**
+ - this new configuration is **not backwards or forwards compatible**
+ - Please view [redis configuration](./README.md#redis-configuration) for more details on how to configure your values file.
+ - config.redis is used to configure this
+ - additional redis providers can be set directly in your values file via sharedStateProviders.additionalProviders
+ - if using an existing secret that contains multiple providers with TLS, please use [Custom Config](./README.md#custom-configuration-files) to load the additional certs.
+ - Configurable Java Min/Max Heap size
+ - Java Min and Max Heap Size is now [configurable](./README.md#java-args)
+ - Liquibase Log Level is now settable via database.liquibaseLogLevel.
+ - default "off"
+ - possible values
+ - severe
+ - warning
+ - info
+ - fine(debug)
+ - off
+ - System Properties
+ - FIPS
+ - Switched to BCFIPS 2.0 to provide both non-FIPS and FIPS functionality to the Gateway.
+ - Previous
+ - com.safelogic.cryptocomply.rsa.allow_multi_use=true
+ - New
+ - com.l7tech.org.bouncycastle.rsa.allow_multi_use=true
+
+## 3.0.29 OTK 4.6.3 Released
+- The default image tag in values.yaml and production-values.yaml for OTK updated to **4.6.3**.
+ - otk.job.image.tag: 4.6.3
+- Liquibase version has been upgraded to 4.12.0 to enable offline Liquibase schema support for OTK Helm charts.
+- UTFMB4 Character Set Support for MySQL.
+- Fixed backward compatibility issue related to bootstrap director location for pre 4.6.2 OTK versions
+ - For versions older than OTK 4.6.2, in values.yaml manually add a new parameter otk.bootstrapDir with value "." indicating current directory
+
+## 3.0.28 General Updates
+- Added a [Startup probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) for the Gateway Container.
+ - Disabled by default
+
+## 3.0.27 General Updates
+- Default image updated to v11.1.00
+ - Due to conflicting embedded Hazelcast versions between Gateway 10.x and 11.1, and between 11.0 and 11.1, a rolling update cannot be performed when upgrading to version 11.1 GA. Instead, follow the alternative steps:
+ - Scale down your containers to zero.
+ - Update the image tag to the target version (e.g., 11.1.00)
+ - Scale up your containers back to their original state.
+ - Hazelcast versions have not changed between 11.0 CR1/CR2 and 11.1 GA, rolling updates are supported between these Gateway versions.
+- Added preview support for [OpenTelemetry](https://opentelemetry.io/)
+ - Please see [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/11-1/install-configure-upgrade/configuring-opentelemetry-for-the-gateway.html) for more details about this integration
+ - Preview feature (only available on Gateway v11.1.00)
+ - An integration example is available [here](https://github.com/Layer7-Community/Integrations/tree/main/grafana-stack-prometheus-otel) that details how to deploy and configure an observability backend to use with the Gateway
+ - OpenTelemetry is supported by [numerous vendors](https://opentelemetry.io/ecosystem/vendors/)
+ - You are ***not required*** to use the observability stack that we provide as an example.
+ - The observability stack that we provide ***is not*** production ready and should be used solely as an example or reference point.
+ - [OpenTelemetry Configuration](./README.md#opentelemetry-configuration)
+- Redis standalone now supports TLS and Password auth (only available on Gateway v11.1.00)
+ - see [Redis configuration](./README.md#redis-configuration)
+- Cipher Suites in [Gateway Application Ports](./README.md#gateway-application-ports) have been updated to reflect updates in Gateway v11.1.00. Please refer to [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/11-1/release-notes.html#concept.dita_ea0082004fb8c78a1723b9377f592085674b7ef7_jdk17) for more details. This configuration is ***disabled by default.***
+
+## 3.0.26 General Updates
+- Commented out Nginx specific annotations in the ingress configuration
+ - If you are using an Nginx ingress controller you will need to add or uncomment the following annotation manually
+ - nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+ - [production-values.yaml](https://github.com/CAAPIM/apim-charts/blob/stable/charts/gateway/production-values.yaml#L792) sets this if you would like to use that as a starting point.
+- Upgraded Hazelcast SubChart and set default image to latest versions.
+- Added Gateway [Pod Disruption Budget](./README.md#pod-disruption-budgets)
+
+## 3.0.25 OTK Schedule job success and failure limts
+- Added configurable success and failure job history limit for OTK database maintenance schedule jobs.
+
+## 3.0.24 General Updates
+- Custom Volumes for initContainers and Sidecars
+ - This allows configmaps/secrets to be mounted to initContainers and sideCars
+ - customSideCarVolumes
+ - customInitVolumes
+
+## 3.0.23 OTK 4.6.2_202402 Released
+- Updated OTK image version value
+
+## 3.0.22 General Updates
+- Updated Chart ci values
+ - no impact
+
+## 3.0.21 General Updates
+- Updated [Redis Configuration](./README.md#redis-configuration)
+ - More context added for creating your own redis properties file
+ - More context added for Redis auth
+ - note: the Gateway only supports Redis master auth
+ - Removed comments from values.yaml
+- Added Graphman Bundle support to the bootstrap script
+ - files that end in .json will be copied into the bootstrap folder
+
+
+## 3.0.20 General Updates
+- Updated image
+ - Updated to Gateway 11.0.00_CR2
+ - this will cause a restart if you are not overriding the default image
+
+## 3.0.19 General Updates
+- Updated image
+ - Updated to Gateway 11.0.00_CR1
+ - this will cause a restart if you are not overriding the default image
+- Redis Integration
+ - [Redis Configuration](./README.md#redis-configuration) options for the Gateway (future use)
+ - Added Redis SubChart
+- Ingress
+ - Backend service is now more configurable allowing the management service to be exposed via ingress controller
+ - ***this should only be done in environments where the ingress controller does not have a Public Address***
+ - ingress.rules[n]backend can be set to "management"
+- Restart on config change
+ - A new flag has been added to facilitate auto redeploy of Gateways when there is a config change
+ - Applies to the default config map only
+ - does not include config.cwp, config.listenPorts or the Gateway Secret
+- MySQL subChart updated
+- Grafana subChart updated
+
+
+## 3.0.18 General Updates
+- OTK documentation updates.
+
+## 3.0.17 OTK 4.6.2 Released
+ - The default image tag in values.yaml and production-values.yaml for OTK updated to **4.6.2**.
+ - otk.job.image.tag: 4.6.2
+ - OTK DB install/upgrade using Liquibase scripts for MySql and Oracle.
+ - otk.database.dbupgrade
+ - OTK DB install/upgrade on the gateways MySQL container (MySQL subchart) - ***This is not supported or recommended for production use.***
+ - otk.database.useDemodb
+ - Install/upgrade OTK of type SINGLE on Ephemeral gateways using initContainer is now supported.
+ - database.enabled: false
+ - otk.type: SINGLE
+ - Added OTK Connection properties to support c3p0 settings.
+ - otk.database.connectionProperties
+ - Added support OTK read-only connections for MySQL and Oracle.
+ - otk.database.readOnlyConnection.*
+ - Added support for OTK policies customization through config maps and secrets.
+ - otk.customizations.existingBundle.enabled
+ - OTK DMZ/Internal gateway certs can now be configured using values file.
+ - otk.cert
+> [!Important]
+> - To upgrade OTK to 4.6.2 installed over gateway with demo db as database, update helm repo, perform helm delete and install.
+> - When upgrading OTK 4.6.2 on a db backed gateway, the gateway will restart as there is a change related to OTK health check bundle in gateway deployment. This can lead to failure of OTK upgrade. To circumvent this, please perform a helm upgrade `otk.healthCheckBundle.enabled` set to `false` and then upgrade to the 3.0.17.
+> ```
+> helm upgrade my-ssg --set-file "license.value=license.value=path/to/license.xml" --set "license.accept=true,otk.healthCheckBundle.enabled=false" layer7/gateway --version 3.0.16 -f ./values-production.yaml
+> helm upgrade my-ssg --set-file "license.value=license.value=path/to/license.xml" --set "license.accept=true" layer7/gateway --version 3.0.17 -f ./values-production.yaml
+> ```
+
+
+## 3.0.16 General Updates
+- Added resources to otk install job
+ - otk.job.resources
+
+## 3.0.15 General Updates
+- Updated [bootstrap script](./README.md#bootstrap-script)
+ - 'find' replaced with 'du'
+
+## 3.0.14 General Updates
+- Added pod labels and annotations to the otk-install job.
+ - otk.job.podLabels
+ - otk.job.podAnnotations
+
+## 3.0.13 General Updates
+- The OTK Install job now uses podSecurity and containerSecurity contexts if set.
+- Updated how pod labels and annotations are templated in deployment.yaml
+
+## 3.0.12 General Updates
+Traffic Policies for Gateway Services are now configurable. The Kubernetes default for these options is `Cluster` if left unset.
+- [Internal Traffic Policy](https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/#using-service-internal-traffic-policy)
+- [External Traffic Policy](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip)
+
+
+## 3.0.11 General Updates
+Updates to Gateway Container Lifecycle.
+- [A new preStop script has been added for graceful termination](./README.md#graceful-termination)
+ - terminationGracePeriodSeconds must be greater than preStopScript.timeoutSeconds
+- Container Lifecycle can be overridden for custom exec/http calls
+
+## 3.0.10 General Updates
+Custom labels and annotations have been extended to all objects the Gateway Chart deploys. Pod Labels and annotations have been added to the Gateway and PM-Tagger deployments.
+
+- Additional Labels/Annotations apply to everything in this Chart's templates
+```
+# Additional Annotations apply to all deployed objects
+additionalAnnotations: {}
+
+# Additional Labels apply to all deployed objects
+additionalLabels: {}
+```
+
+- Pod Labels/Annotations at the base level apply to the Gateway Pod
+```
+## Pod Labels for the Gateway Pod
+## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+podLabels: {}
+
+# Pod Annotations apply to the Gateway Pod
+## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+podAnnotations: {}
+```
+
+- PM-Tagger pod labels/annotations are separate
+```
+pmtagger:
+ ...
+ ## Pod Labels for the PM Tagger Pod
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+ podLabels: {}
+
+ # Pod Annotations apply to the PM Tagger Pod
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+ podAnnotations: {}
+```
+
+## 3.0.9 Updates to PM-Tagger
+PM tagger has following additional configuration options
+- [Topology Spread Constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/#spread-constraints-for-pods)
+- [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
+- [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)
+- [All PM-Tagger Configuration](./README.md#pm-tagger-configuration)
+
+## 3.0.8 Updates to Hazelcast
+The default image tag in values.yaml is updated to **5.2.1** and xsd version in configmap.yaml to **5.2**. The updates are due to vulnerability from CVE-2022-36437.
+The updates are applied to both the gateway and gateway-otk chart.
+
+## 3.0.7 General Updates
+The bootstrap script has been updated to reflect changes to the Container Gateway's filesystem. The updates are currently limited to 10.1.00_CR3. Please see the [InitContainer Examples](https://github.com/Layer7-Community/Utilities/tree/main/gateway-init-container-examples) for more info .
+
+The PM Tagger image default version tag been updated to 1.0.1.
+
+## 3.0.6 General Updates
+The default image tag in values.yaml and production-values.yaml for OTK updated to **4.6.1**. Support for liveness and readiness probes using OTK health check service.
+
+## 3.0.5 General Updates
+The default image tag in values.yaml and production-values.yaml, and the appVersion in Chart.yaml have been updated to **11.0.00**.
+
+Before upgrading existing deployments, please see the [Container Gateway 11.0 Release Notes](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw-11-0/release-notes_cgw.html) for important information regarding the procedure.
+
+## 3.0.4 General Updates
+OTK installation and upgrade is now supported as part of Gateway charts. Please refer to [OTK Install or Upgrade](./README.md#otk-install-or-upgrade) for more details.
+[Gateway-OTK](../gateway-otk) is now deprecated.
+
+## 3.0.2 General Updates
+***The default image tag in values.yaml and production-values.yaml now points at specific GA or CR versions of the API Gateway. The appVersion in Chart.yaml has also been updated to reflect that. As of this release, that is 10.1.00_CR2***
+
+To reduce reliance on requiring a custom/derived gateway image for custom and modular assertions, scripts and restman bundles a bootstrap script has been introduced. The script works with the /opt/docker/custom folder.
+
+The best way to populate this folder is with an initContainer where files can be copied directly across or dynamically loaded from an external source.
+- [InitContainer Examples](https://github.com/Layer7-Community/Utilities/tree/main/gateway-init-container-examples) - this repository also contains examples for custom health checks and configuration files.
+
+The following configuration options have been added
+- [Custom Health Checks](./README.md#custom-health-checks)
+- [Custom Configuration Files](./README.md#custom-configuration-files)
+- [Topology Spread Constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/#spread-constraints-for-pods)
+- [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/)
+- [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
+- [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)
+- Http headers can also now be added to the liveness and readiness probes
+- Ingress and HPA API Version validation has been updated to check for available APIs vs. KubeVersion
+- SubCharts now show image repository and tags
+
+### Upgrading to Chart v3.0.0
+Please see the 3.0.0 updates, this release brings significant updates and ***breaking changes*** if you are using an external Hazelcast 3.x server. Services and Ingress configuration have also changed. Read the 3.0.0 Updates below and check out the [additional guides](./README.md#additional-guides) for more info.
+
+## 3.0.0 Updates to Hazelcast
+***Hazelcast 4.x/5.x servers are now supported*** this represents a breaking change if you have configured an external Hazelcast 3.x server.
+- If you are using Gateway v10.1 and below you will either need to set *hazelcast.legacy.enabled=true* and use the following gateway image *docker.io/caapim/gateway:10.1.00_20220802* or update your external Hazelcast server.
+- The included Hazelcast subChart has been updated to reflect this change
+
+### 3.0.0 Updates to Ingress Configuration
+Ingress configuration has been updated to include multiple hosts, please see [Ingress Configuration](./README.md#ingress-configuration) for more detail. You will need to update your values.yaml to reflect the changes.
+
+## 3.0.0 General Updates
+- You can now configure [Gateway Ports.](./README.md#port-configuration)
+ This does not cover Kubernetes Service level configuration which will ***need to be updated*** to reflect your changes.
+
+- New Management Service
+ - Provides separation of concerns for external/management traffic. This was previously a manual step.
+- [Autoscaling](./README.md#autoscaling)
+- [Ingress Configuration](./README.md#ingress-configuration)
+- [PM Tagger](./README.md#pm-tagger-configuration)
+ - PM (Policy Manager) tagger is a lightweight go application that works with the new management service.
+ - RBAC Role Required if using PM Tagger.
+- Default values.yaml restructure
+ - configuration items more closely aligned
+- Added production-values.yaml
+ - Includes a baseline for production configuration
+ - Resources are set to minimum recommended values
+ - Application ports are hardened
+ - 8080 (disabled)
+ - 8443 (management features disabled - service is ClusterIP)
+ - 9443 (configured with management service)
+ - Autoscaling is enabled
+ - Ingress is enabled
+ - Rules are configured for 8443
+ - Database is not created - you will need to supply a JDBC Url
+
+## Changes that will affect you if upgrading from 2.0.1 and below
+- MySQL Stable Chart is deprecated - the demo database subChart has been changed to Bitnami MySQL - if your database is NOT externalised you will lose any policy/configuration you have there.
+- tls.customKey ==> tls.useSignedCertificates tls.key tls.pass tls.existingSecretName
+
+## 2.0.6 General Updates
+- Fixing bitnami repository dependency issue.
+
+## 2.0.5 General Updates
+- Internal only.
+
+## 2.0.4 Updates to Secret Management
+- Added support for the Kubernetes CSI Driver for gateway bundles. This does not currently extend to environment variables or the Gateway license.
+- The CSI functionality is optional
+
+## 2.0.4 General Updates
+- Added support for sidecars and initContainers
+ - volumeMounts are automatically configured with emptyDir
+- Updated default values update to reflect empty objects/arrays for optional fields.
+- Load the Gateway Deployment's ServiceAccountToken as a stored password for querying the Kubernetes API.
+ - management.kubernetes.loadServiceAccountToken
+
+# Java 11
+The Layer7 API Gateway is now running with Java 11 with the release of the v10.1.00. The Gateway chart's version has been incremented to 2.0.2.
+
+Things to note and be aware of are the deprecation of TLSv1.0/TLSv1.1 and the JAVA_HOME dir has gone through some changes as well.
+
+## 2.0.2 Updates to Secret Management
+- You can now specify existing secrets for Gateway Configuration, DefaultSSLKey (tls) and bundles
+
+## 2.0.2 General Updates
+- Ingress Definition updated to reflect the new API Version, additional configuration added.
+- HostAliases applies to /etc/hosts for dns names that aren't available on a dns server.
+- System.properties is now mounted to the Gateway Container, default values have been applied.
+- You can now reference existing bundles stored in configMaps/Secrets
+- NodeSelector and Affinity settings for the Gateway Deployment
+- Resources values updated to reflect minimum recommended configuration
+
+## Upgrading to 2.0.2
+***If you are using the demo database in a previous version of this Chart this upgrade will remove it. If you wish to keep your data you will need to perform a backup.***
+```
+$ helm repo update
+$ helm show values layer7/gateway > gateway-values.yaml
+
+Inspect and update the new gateway-values.yaml
+
+$ helm upgrade my-ssg --set-file "license.value=path/to/license.xml" --set "license.accept=true" -f ./gateway-values.yaml layer7/gateway
+```
\ No newline at end of file
diff --git a/charts/gateway/templates/_helpers.tpl b/charts/gateway/templates/_helpers.tpl
index f33b49d1..8f24089e 100644
--- a/charts/gateway/templates/_helpers.tpl
+++ b/charts/gateway/templates/_helpers.tpl
@@ -85,16 +85,15 @@ Create java args to apply.
{{- end -}}
{{/*
-Redis sentinel nodes
+Shared state client secret name
*/}}
-{{- define "gateway.redisSentinelNodes" -}}
-{{- if .Values.config.redis.sentinel.enabled }}
- {{- if empty .Values.config.redis.sentinel.nodes }}
- {{- fail "config.redis.sentinel.nodes is required." }}
- {{- end }}
- {{- join "," .Values.config.redis.sentinel.nodes }}
-{{- end -}}
-{{- end -}}
+{{- define "sharedStateClientSecretName" }}
+{{- if not .Values.config.sharedStateClient.existingConfigSecret }}
+{{- printf "%s-%s-%s" .Release.Name .Chart.Name "shared-state-client-configuration" -}}
+{{- else }}
+{{- .Values.config.sharedStateClient.existingConfigSecret }}
+{{- end }}
+{{- end }}
{{/*
Redis config secret name
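Review bot: Removing `gateway.redisSentinelNodes` also removes the only visible validation of `config.redis.sentinel.nodes` (the `fail` on an empty list); unless the template that now renders sharedstate_client.yaml re-checks it, an empty node list produces a config that fails only at Gateway startup. With redis-config-secret.yaml deleted in this commit, `redisConfigSecretName` (defined just below this hunk) may have no remaining callers and could be dropped as well. The new define is also the only helper in view without the `gateway.` prefix; `gateway.sharedStateClientSecretName` would match `gateway.serviceAccountName` and the `gateway.node.properties` helper added in the next hunk.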
@@ -193,6 +192,17 @@ Define OTK Image Pull Secret Name
{{- end -}}
{{- end -}}
+{{/*
+ Define Gateway node.properties Secret Name
+ */}}
+{{- define "gateway.node.properties" -}}
+{{- if .Values.disklessConfig.existingSecret.name -}}
+ {{ .Values.disklessConfig.existingSecret.name }}
+{{- else -}}
+ {{- printf "%s-%s" (include "gateway.fullname" .) "node-properties" -}}
+{{- end -}}
+{{- end -}}
+
{{/*
Validate OTK installation type (SINGLE, INTERNAL, DMZ)
*/}}
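Review bot: `gateway.node.properties` names the file the value relates to, not what the helper returns, which is a Secret name; `gateway.nodePropertiesSecretName` would read like `gateway.serviceAccountName` and say what callers get. The two branches also trim differently, `{{ .Values.disklessConfig.existingSecret.name }}` with no trim markers against `{{- printf ... -}}`; the surrounding `-}}`/`{{-` tags happen to swallow the whitespace, but writing both as `{{- ... -}}` makes that independent of the neighbouring tags.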
diff --git a/charts/gateway/templates/configmap.yaml b/charts/gateway/templates/configmap.yaml
index d6840b7d..bd69e590 100644
--- a/charts/gateway/templates/configmap.yaml
+++ b/charts/gateway/templates/configmap.yaml
@@ -18,13 +18,21 @@ metadata:
{{- end }}
data:
ACCEPT_LICENSE: {{ .Values.license.accept | quote}}
+ DISKLESS_CONFIG: {{ .Values.disklessConfig.enabled | quote }}
SSG_CLUSTER_HOST: {{ .Values.clusterHostname }}
+ LIQUIBASE_LOG_LEVEL: {{ default "off" .Values.database.liquibaseLogLevel | quote }}
SSG_JVM_HEAP: {{ .Values.config.heapSize }}
-{{- if .Values.database.enabled }}
- {{- if .Values.database.create }}
+ {{- if and (.Values.config.minHeapSize) (.Values.config.maxHeapSize) }}
+ SSG_JVM_MIN_HEAP: {{ .Values.config.minHeapSize }}
+ SSG_JVM_MAX_HEAP: {{ .Values.config.maxHeapSize }}
+ {{- end }}
+{{- if .Values.disklessConfig.enabled }}
+ {{- if .Values.database.enabled }}
+ {{- if .Values.database.create }}
SSG_DATABASE_JDBC_URL: jdbc:mysql://{{ .Release.Name }}-mysql:3306/{{ .Values.database.name }}
- {{- else }}
+ {{- else }}
SSG_DATABASE_JDBC_URL: {{ .Values.database.jdbcURL }}
+ {{- end }}
{{- end }}
{{- end }}
{{- if or (.Values.hazelcast.enabled) (.Values.hazelcast.external) }}
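Review bot: `SSG_JVM_MIN_HEAP: {{ .Values.config.minHeapSize }}` and the `SSG_JVM_MAX_HEAP` line below it render the value unquoted, so a numeric value such as `1024` becomes a YAML integer and the API server rejects the ConfigMap (data values must be strings); `LIQUIBASE_LOG_LEVEL` in the same hunk already pipes through `| quote`, so do the same: `SSG_JVM_MIN_HEAP: {{ .Values.config.minHeapSize | quote }}` and `SSG_JVM_MAX_HEAP: {{ .Values.config.maxHeapSize | quote }}`. The `and` guard also silently drops both variables when only one of the two is set; either `fail` when exactly one is present or state in values.yaml that both must be given together.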
diff --git a/charts/gateway/templates/deployment.yaml b/charts/gateway/templates/deployment.yaml
index d8263100..20ec4c02 100644
--- a/charts/gateway/templates/deployment.yaml
+++ b/charts/gateway/templates/deployment.yaml
@@ -48,7 +48,7 @@ spec:
{{- end }}
{{- end }}
spec:
- serviceAccountName: {{ include "gateway.serviceAccountName" . }}
+ serviceAccountName: {{ include "gateway.serviceAccountName" . | quote}}
{{- if .Values.affinity }}
affinity: {{- toYaml .Values.affinity | nindent 12 }}
{{- end }}
@@ -70,7 +70,6 @@ spec:
{{- if .Values.terminationGracePeriodSeconds }}
terminationGracePeriodSeconds: {{.Values.terminationGracePeriodSeconds }}
{{- end }}
-
initContainers:
{{- if and (.Values.otk.enabled) (not .Values.database.enabled) }}
- name: {{ .Chart.Name }}-otk-install-container
@@ -98,15 +97,15 @@ spec:
{{- range .Values.otk.customizations.existingBundle.secrets }}
- name: {{ .name }}
mountPath: /docker/custom_bundles/{{ .name }}
- {{ if .csi }}
+ {{- if .csi }}
readOnly: {{ .csi.readOnly }}
- {{ end }}
+ {{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.initContainers }}
{{toYaml .Values.initContainers | nindent 6 }}
- {{ end }}
+ {{- end }}
{{- if .Values.imagePullSecret.enabled }}
imagePullSecrets:
@@ -178,13 +177,13 @@ spec:
containerPort: {{ .internal }}
protocol: {{ .protocol }}
{{- end }}
- {{ if .Values.management.service.enabled}}
+ {{- if .Values.management.service.enabled}}
{{- range .Values.management.service.ports }}
- name: {{ .name }}
containerPort: {{ .internal }}
protocol: {{ .protocol }}
{{- end }}
- {{ end }}
+ {{- end }}
volumeMounts:
- name: {{ template "gateway.fullname" . }}-license-xml
mountPath: /opt/SecureSpan/Gateway/node/default/etc/bootstrap/license/license.xml
@@ -192,6 +191,11 @@ spec:
- name: {{ template "gateway.fullname" . }}-system-properties
mountPath: /opt/SecureSpan/Gateway/node/default/etc/conf/system.properties
subPath: system.properties
+{{- if not .Values.disklessConfig.enabled }}
+ - name: {{ template "gateway.fullname" . }}-node-properties
+ mountPath: /opt/SecureSpan/Gateway/node/default/etc/conf/node.properties
+ subPath: node.properties
+{{- end }}
{{- if or (.Values.hazelcast.enabled) (.Values.hazelcast.external) }}
- name: {{ template "gateway.fullname" . }}-hazelcast-client
mountPath: /opt/SecureSpan/Gateway/node/default/etc/bootstrap/assertions/ExternalHazelcastSharedStateProviderAssertion/hazelcast-client.xml
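Review bot: The node.properties mount uses `subPath`, and Kubernetes does not propagate Secret updates into subPath mounts, so the cluster, admin and database credentials this file carries (see the node-properties-secret.yaml template in this commit) only change on pod restart. That is worth a template comment above the mount, e.g. `{{/* subPath mount: a rotated Secret is only picked up on pod restart */}}`, and a sentence in the README's diskless-config section. The enclosing container spec starts before this hunk.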
@@ -233,15 +237,23 @@ spec:
{{- end }}
{{- end }}
{{- if .Values.config.redis }}
- {{- if .Values.config.redis.enabled }}
- - name: {{ template "gateway.fullname" . }}-redis-properties
- mountPath: /opt/SecureSpan/Gateway/node/default/etc/bootstrap/assertions/RedisSharedStateProviderAssertion/redis.properties
- subPath: redis.properties
+ {{- if and (.Values.config.redis.enabled) (.Values.config.sharedStateClient.enabled) }}
+ - name: {{ template "gateway.fullname" . }}-shared-state-client
+ mountPath: /opt/SecureSpan/Gateway/node/default/etc/bootstrap/providers/sharedstate_client.yaml
+ subPath: sharedstate_client.yaml
{{- if .Values.config.redis.tls.enabled }}
- name: {{ template "gateway.fullname" . }}-redis-crt
- mountPath: /opt/SecureSpan/Gateway/node/default/etc/bootstrap/assertions/RedisSharedStateProviderAssertion/redis.crt
+ mountPath: /opt/SecureSpan/Gateway/node/default/etc/bootstrap/providers/redis.crt
subPath: redis.crt
{{- end }}
+ {{- range .Values.config.redis.additionalProviders }}
+ {{- if .redis.tls }}
+ - name: {{ .name }}-redis-crt
+ mountPath: /opt/SecureSpan/Gateway/node/default/etc/bootstrap/providers/{{ .redis.tls.path }}
+ subPath: {{ .redis.tls.path }}
+ {{- end }}
+ {{- end }}
+
{{- end }}
{{- end }}
{{- if .Values.existingHealthCheck }}
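Review bot: `{{- if .redis.tls }}` reads `.redis` without guarding it, so an `additionalProviders` entry that omits the `redis` key aborts the render with a nil-pointer error, and an entry whose `tls.path` is empty renders `mountPath: .../providers/` with a blank `subPath`, which the API server rejects with a message far from the cause. Since the path doubles as the filename the provider config must reference (the values.yaml example says so), make it mandatory: `subPath: {{ required "config.redis.additionalProviders[].redis.tls.path is required" .redis.tls.path }}`. The volumes hunk at `@@ -493,6 +518,16 @@` has the same shape and additionally leaves `.redis.tls.existingSecret` and `.redis.tls.key` unvalidated, so an empty value there yields a volume with no `secretName`. The enclosing volumeMounts list starts outside this hunk.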
@@ -253,9 +265,9 @@ spec:
{{- if .Values.existingHealthCheck.secret }}
- name: {{ .Values.existingHealthCheck.secret.name }}
mountPath: /opt/docker/rc.d/diagnostic/health_check
- {{ if .Values.existingHealthCheck.secret.csi }}
+ {{- if .Values.existingHealthCheck.secret.csi }}
readOnly: {{ .Values.existingHealthCheck.secret.csi.readOnly }}
- {{ end }}
+ {{- end }}
{{- end }}
{{- end }}
{{- end }}
@@ -276,9 +288,9 @@ spec:
{{- range .Values.existingBundle.secrets }}
- name: {{ .name }}
mountPath: /opt/SecureSpan/Gateway/node/default/etc/bootstrap/bundle/{{ .name }}
- {{ if .csi }}
+ {{- if .csi }}
readOnly: {{ .csi.readOnly }}
- {{ end }}
+ {{- end }}
{{- end }}
{{- end }}
{{- if .Values.management.kubernetes.loadServiceAccountToken }}
@@ -308,13 +320,13 @@ spec:
{{- range .volumeMounts }}
- name: {{ .name }}
mountPath: {{ .mountPath }}
- {{ if .subPath }}
+ {{- if .subPath }}
subPath: {{ .subPath }}
- {{ end }}
+ {{- end }}
{{- end }}
{{- end }}
{{- end }}
-{{ if and (.Values.otk.enabled) (not .Values.database.enabled) }}
+{{- if and (.Values.otk.enabled) (not .Values.database.enabled) }}
- name: {{ template "gateway.fullname" . }}-otk-install-container
mountPath: /opt/SecureSpan/Gateway/node/default/etc/bootstrap/bundle/000OTK
{{- end }}
@@ -332,12 +344,12 @@ spec:
{{- end }}
{{- end }}
{{- end }}
- {{ if not $duplicate }}
+ {{- if not $duplicate }}
- name: {{ .name }}
mountPath: {{ .mountPath }}
- {{ if .subPath }}
+ {{- if .subPath }}
subPath: {{ .subPath }}
- {{ end }}
+ {{- end }}
{{- end }}
{{- end }}
{{- end }}
@@ -463,6 +475,19 @@ spec:
items:
- key: license
path: license.xml
+ {{- if not .Values.disklessConfig.enabled }}
+ - name: {{ template "gateway.fullname" . }}-node-properties
+ {{- if .Values.disklessConfig.existingSecret.csi }}
+ csi: {{ toYaml .Values.disklessConfig.existingSecret.csi | nindent 12 }}
+ {{- else }}
+ secret:
+ secretName: {{ template "gateway.node.properties" . }}
+ items:
+ - key: node.properties
+ path: node.properties
+ {{- end }}
+ #### add csi config if using an existingSecret
+ {{- end }}
- name: {{ template "gateway.fullname" . }}-system-properties
configMap:
name: {{ template "gateway.fullname" . }}-configmap
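Review bot: The `#### add csi config if using an existingSecret` line is a stale work note (the csi branch directly above it already does this) and, being a plain `#` rather than a `{{/* */}}` template comment, it is emitted into the rendered manifest; drop it. The `secret:` branch also expects a user-supplied `disklessConfig.existingSecret.name` to carry a key literally named `node.properties`; neither this hunk nor the visible values.yaml says so, so state it where `existingSecret` is documented, e.g. `# the referenced Secret must contain a node.properties key`.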
@@ -478,13 +503,13 @@ spec:
path: hazelcast-client.xml
{{- end }}
{{- if .Values.config.redis }}
- {{- if .Values.config.redis.enabled }}
- - name: {{ template "gateway.fullname" . }}-redis-properties
+ {{- if and (.Values.config.redis.enabled) (.Values.config.sharedStateClient.enabled) }}
+ - name: {{ template "gateway.fullname" . }}-shared-state-client
secret:
- secretName: {{ template "redisConfigSecretName" . }}
+ secretName: {{ template "sharedStateClientSecretName" . }}
items:
- - key: redis.properties
- path: redis.properties
+ - key: sharedstate_client.yaml
+ path: sharedstate_client.yaml
{{- if .Values.config.redis.tls.enabled }}
- name: {{ template "gateway.fullname" . }}-redis-crt
secret:
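Review bot: With `secretName: {{ template "sharedStateClientSecretName" . }}` the user-supplied `config.sharedStateClient.existingConfigSecret` must contain a key literally named `sharedstate_client.yaml`, otherwise the `items` projection yields an empty mount and the Gateway starts without its provider config; the values.yaml comment on `existingConfigSecret` only covers the multi-TLS case, so add `# the Secret must contain a sharedstate_client.yaml key` there. The previous `redis.properties` key is no longer read, which matches the "not backwards or forwards compatible" release note, but a `fail` when `existingConfigSecret` is set together with the old `config.redis.existingConfigSecret` would make a leftover value visible at install time rather than at runtime.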
@@ -493,6 +518,16 @@ spec:
- key: tls.crt
path: redis.crt
{{- end }}
+ {{- range .Values.config.redis.additionalProviders }}
+ {{- if .redis.tls }}
+ - name: {{ .name }}-redis-crt
+ secret:
+ secretName: {{ .redis.tls.existingSecret }}
+ items:
+ - key: {{ .redis.tls.key }}
+ path: {{ .redis.tls.path }}
+ {{- end }}
+ {{- end }}
{{- end }}
{{- end }}
{{- if .Values.customConfig }}
@@ -670,7 +705,7 @@ spec:
{{- end }}
{{- end }}
{{- end }}
-{{ if and (.Values.otk.enabled) (not .Values.database.enabled) }}
+{{- if and (.Values.otk.enabled) (not .Values.database.enabled) }}
- name: {{ template "gateway.fullname" . }}-otk-install-container
emptyDir: {}
{{- if .Values.otk.customizations.existingBundle.enabled }}
diff --git a/charts/gateway/templates/node-properties-secret.yaml b/charts/gateway/templates/node-properties-secret.yaml
new file mode 100644
index 00000000..7aaab33d
--- /dev/null
+++ b/charts/gateway/templates/node-properties-secret.yaml
@@ -0,0 +1,39 @@
+{{- if and (not .Values.disklessConfig.enabled) (not .Values.disklessConfig.existingSecret.name) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "gateway.node.properties" . }}
+ labels:
+ app: {{ template "gateway.name" . }}
+ chart: {{ template "gateway.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ {{- range $key, $val := .Values.additionalLabels }}
+ {{ $key }}: "{{ $val }}"
+ {{- end }}
+ annotations:
+ description: template for gateway node.properties
+ {{- if .Values.additionalAnnotations }}
+ {{- range $key, $val := .Values.additionalAnnotations }}
+ {{ $key }}: "{{ $val }}"
+ {{- end }}
+ {{- end }}
+type: Opaque
+stringData:
+ node.properties: |+
+ node.cluster.pass={{ .Values.clusterPassword }}
+ admin.user={{ .Values.management.username }}
+ admin.pass={{ .Values.management.password }}
+ {{- if .Values.database.enabled }}
+ {{- if .Values.database.create }}
+ l7.mysql.connection.url=jdbc:mysql://{{ .Release.Name }}-mysql:3306/{{ .Values.database.name }}
+ {{- else }}
+ l7.mysql.connection.url={{ required "Please set .Values.database.jdbcURL" .Values.database.jdbcURL }}
+ {{- end }}
+ node.db.config.main.user={{ .Values.database.username }}
+ node.db.config.main.pass={{ .Values.database.password }}
+ {{- else }}
+ node.db.type=derby
+ node.db.config.main.user={{ default "gateway" .Values.database.username }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
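Review bot: The render guard `{{- if and (not .Values.disklessConfig.enabled) (not .Values.disklessConfig.existingSecret.name) }}` does not exclude the CSI case, so a user who supplies `disklessConfig.existingSecret.csi` (which deployment.yaml honours) still gets this chart-managed Secret created, unused, with `node.cluster.pass`, `admin.pass` and `node.db.config.main.pass` in it; add `(not .Values.disklessConfig.existingSecret.csi)` to the condition. The credentials are also read straight from `.Values.clusterPassword`, `.Values.management.password` and `.Values.database.password`; if the chart's `existingGatewaySecret` mechanism (the values.yaml section beginning `## Reference an existing secret for sensitive Gateway fields`) lets users keep those out of values, this template appears to bypass it and would render empty credentials — worth confirming and documenting next to `disklessConfig`. `|+` keeps every trailing blank line of the block; plain `|` is enough for a properties file.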
diff --git a/charts/gateway/templates/redis-config-secret.yaml b/charts/gateway/templates/redis-config-secret.yaml
deleted file mode 100644
index 6b423f2e..00000000
--- a/charts/gateway/templates/redis-config-secret.yaml
+++ /dev/null
@@ -1,72 +0,0 @@
-{{- if and (.Values.config.redis.enabled) (not .Values.config.redis.existingConfigSecret)}}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ template "redisConfigSecretName" . }}
- labels:
- app: {{ template "gateway.name" . }}
- chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
- {{- range $key, $val := .Values.additionalLabels }}
- {{ $key }}: "{{ $val }}"
- {{- end }}
- {{- if .Values.additionalAnnotations }}
- annotations:
-{{- range $key, $val := .Values.additionalAnnotations }}
- {{ $key }}: "{{ $val }}"
-{{- end }}
-{{- end }}
-type: Opaque
-stringData:
- redis.properties: |+
- {{- if .Values.config.redis.sentinel.enabled }}
- redis.type=sentinel
- redis.sentinel.master={{ .Values.config.redis.sentinel.masterSet }}
- {{- if .Values.config.redis.subChart.enabled }}
- redis.sentinel.nodes={{ .Release.Name }}-redis-node-0.{{ .Release.Name }}-redis-headless.{{ .Release.Namespace }}.svc.cluster.local:26379,{{ .Release.Name }}-redis-node-1.{{ .Release.Name }}-redis-headless.{{ .Release.Namespace }}.svc.cluster.local:26379,{{ .Release.Name }}-redis-node-2.{{ .Release.Name }}-redis-headless.{{ .Release.Namespace }}.svc.cluster.local:26379
- {{- else }}
- redis.sentinel.nodes={{ template "gateway.redisSentinelNodes" . }}
- {{- end }}
- {{- if .Values.config.redis.auth.enabled }}
- {{- if .Values.config.redis.auth.username }}
- redis.sentinel.username={{.Values.config.redis.auth.username}}
- {{- end }}
- {{- if .Values.config.redis.auth.password.encoded }}
- redis.sentinel.encodedPassword={{.Values.config.redis.auth.password.value}}
- {{- else }}
- redis.sentinel.password={{.Values.config.redis.auth.password.value}}
- {{- end }}
- {{- end }}
- {{- else }}
- redis.type=standalone
- {{- if .Values.config.redis.subChart.enabled }}
- redis.standalone.hostname={{ .Release.Name }}-redis-master-0.{{ .Release.Name }}-redis-headless.{{ .Release.Namespace }}.svc.cluster.local
- redis.standalone.port=6379
- {{- else }}
- redis.standalone.hostname={{ .Values.config.redis.standalone.host }}
- redis.standalone.port={{ .Values.config.redis.standalone.port }}
- {{- end }}
- {{- if .Values.config.redis.auth.enabled }}
- {{- if .Values.config.redis.auth.username }}
- redis.standalone.username={{.Values.config.redis.auth.username}}
- {{- end }}
- {{- if .Values.config.redis.auth.password.encoded }}
- redis.standalone.encodedPassword={{.Values.config.redis.auth.password.value}}
- {{- else }}
- redis.standalone.password={{.Values.config.redis.auth.password.value}}
- {{- end }}
- {{- end }}
- {{- end }}
- redis.ssl={{ .Values.config.redis.tls.enabled }}
- {{- if .Values.config.redis.tls.enabled }}
- redis.ssl.cert=redis.crt
- redis.ssl.verifypeer={{ .Values.config.redis.tls.verifyPeer }}
- {{- end }}
- {{- if .Values.config.redis.groupName }}
- redis.key.prefix.grpname={{ .Values.config.redis.groupName }}
- {{- end }}
- {{- if .Values.config.redis.commandTimeout }}
- redis.commandTimeout={{ .Values.config.redis.commandTimeout }}
- {{- end }}
-{{- end }}
\ No newline at end of file
diff --git a/charts/gateway/templates/redis-tls-secret.yaml b/charts/gateway/templates/redis-tls-secret.yaml
index 9c974f4a..53c00234 100644
--- a/charts/gateway/templates/redis-tls-secret.yaml
+++ b/charts/gateway/templates/redis-tls-secret.yaml
@@ -1,4 +1,4 @@
-{{- if and (.Values.config.redis.enabled) (.Values.config.redis.sentinel.enabled) (.Values.config.redis.tls.enabled) (not .Values.config.redis.tls.existingSecret) (not .Values.config.redis.subChart.enabled) }}
+{{- if and (.Values.config.redis.enabled) (.Values.config.redis.tls.enabled) (not .Values.config.redis.tls.existingSecret) (not .Values.config.redis.subChart.enabled) }}
apiVersion: v1
kind: Secret
metadata:
diff --git a/charts/gateway/templates/secret.yaml b/charts/gateway/templates/secret.yaml
index bfac3cc3..8e40a705 100644
--- a/charts/gateway/templates/secret.yaml
+++ b/charts/gateway/templates/secret.yaml
@@ -21,13 +21,15 @@ metadata:
{{- end }}
type: Opaque
data:
+{{- if .Values.disklessConfig.enabled }}
SSG_ADMIN_USERNAME: {{ .Values.management.username | b64enc }}
SSG_ADMIN_PASSWORD: {{ .Values.management.password | b64enc }}
SSG_CLUSTER_PASSWORD: {{.Values.clusterPassword | b64enc }}
-{{ if .Values.database.enabled }}
+ {{ if .Values.database.enabled }}
SSG_DATABASE_USER: {{.Values.database.username | b64enc }}
SSG_DATABASE_PASSWORD: {{.Values.database.password | b64enc }}
-{{ end }}
+ {{ end }}
+{{- end }}
{{ if .Values.additionalSecret }}
{{- range $key, $val := .Values.additionalSecret }}
{{ $key }}: {{ $val | toString | b64enc }}
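Review bot: The new `{{ if .Values.database.enabled }}` / `{{ end }}` lines are indented with a leading space and use the non-trimming `{{`, while the enclosing `{{- if .Values.disklessConfig.enabled }}` / `{{- end }}` added in the same hunk trim their whitespace; the result is stray whitespace-only lines inside `data:` and two different guard styles three lines apart. Use the trimming form at column 0 for both, `{{- if .Values.database.enabled }}` and `{{- end }}`, matching the outer guard. Note also that with `disklessConfig.enabled: false` and no `additionalSecret`, `data:` renders with no entries; the API server accepts that as an empty Secret, but any guard on the resource as a whole sits outside this hunk and should be checked.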
diff --git a/charts/gateway/templates/shared-state-client-secret.yaml b/charts/gateway/templates/shared-state-client-secret.yaml
new file mode 100644
index 00000000..a82472ba
--- /dev/null
+++ b/charts/gateway/templates/shared-state-client-secret.yaml
@@ -0,0 +1,84 @@
+{{- if and (.Values.config.sharedStateClient.enabled) (not .Values.config.sharedStateClient.existingConfigSecret) (.Values.config.redis.enabled) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "sharedStateClientSecretName" . }}
+ labels:
+ app: {{ template "gateway.name" . }}
+ chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ {{- range $key, $val := .Values.additionalLabels }}
+ {{ $key }}: "{{ $val }}"
+ {{- end }}
+ {{- if .Values.additionalAnnotations }}
+ annotations:
+{{- range $key, $val := .Values.additionalAnnotations }}
+ {{ $key }}: "{{ $val }}"
+{{- end }}
+{{- end }}
+type: Opaque
+stringData:
+ sharedstate_client.yaml: |+
+ redis:
+ default:
+ commandTimeout: {{ default 5000 .Values.config.redis.commandTimeout }}
+ connectTimeout: {{ default 10000 .Values.config.redis.connectTimeout }}
+ keyPrefixGroupName: {{ default "l7GW" .Values.config.redis.groupName }}
+ testOnStart: {{ default "false" .Values.config.redis.testOnStart }}
+ {{- if .Values.config.redis.auth.enabled }}
+ {{- if .Values.config.redis.auth.username }}
+ username: {{ .Values.config.redis.auth.username | quote }}
+ {{- end }}
+ {{- if .Values.config.redis.auth.password.encoded }}
+ encodedPassword: {{ .Values.config.redis.auth.password.value | quote }}
+ {{- else }}
+ password: {{ .Values.config.redis.auth.password.value | quote }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.config.redis.sentinel.enabled }}
+ type: sentinel
+ sentinel:
+ master: {{ .Values.config.redis.sentinel.masterSet }}
+ nodes:
+ {{- if .Values.config.redis.subChart.enabled }}
+ - host: {{ .Release.Name }}-redis-node-0.{{ .Release.Name }}-redis-headless.{{ .Release.Namespace }}.svc.cluster.local
+ port: 26379
+ - host: {{ .Release.Name }}-redis-node-1.{{ .Release.Name }}-redis-headless.{{ .Release.Namespace }}.svc.cluster.local
+ port: 26379
+ - host: {{ .Release.Name }}-redis-node-2.{{ .Release.Name }}-redis-headless.{{ .Release.Namespace }}.svc.cluster.local
+ port: 26379
+ {{- else }}
+ {{- range .Values.config.redis.sentinel.nodes }}
+ - host: {{ .host }}
+ port: {{ .port }}
+ {{- end }}
+ {{- end }}
+ {{- else }}
+ type: standalone
+ standalone:
+ {{- if .Values.config.redis.subChart.enabled }}
+ host: {{ .Release.Name }}-redis-master-0.{{ .Release.Name }}-redis-headless.{{ .Release.Namespace }}.svc.cluster.local
+ port: 6379
+ {{- else }}
+ host: {{ .Values.config.redis.standalone.host }}
+ port: {{ .Values.config.redis.standalone.port }}
+ {{- end }}
+ {{- end }}
+ ssl:
+ enabled: {{ .Values.config.redis.tls.enabled }}
+ {{- if .Values.config.redis.tls.enabled }}
+ cert: redis.crt
+ verifyPeer: {{ .Values.config.redis.tls.verifyPeer }}
+ {{- end }}
+ {{- if .Values.config.redis.additionalProviders }}
+ {{- range .Values.config.redis.additionalProviders }}
+ {{- toYaml .config | nindent 6 }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.config.sharedStateClient.additionalProviders }}
+ {{- range .Values.config.sharedStateClient.additionalProviders }}
+ {{- toYaml .config | nindent 4 }}
+ {{- end }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
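Review bot: The sentinel `nodes` range emits `- host:` / `port:` with null values whenever the subChart is disabled and the entries are left as shipped in values.yaml, producing a syntactically valid client file that cannot connect. Guard them with `required`: `- host: {{ required "config.redis.sentinel.nodes[].host must be set" .host }}` and `port: {{ required "config.redis.sentinel.nodes[].port must be set" .port }}`. For consistency, `master`, `host` and `keyPrefixGroupName` could also be piped through `quote` as `username` and `password` already are, so a value that looks like a number or boolean is not retyped by the YAML parser on the Gateway side.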
diff --git a/charts/gateway/values.yaml b/charts/gateway/values.yaml
index 895331f9..31cd3c3c 100644
--- a/charts/gateway/values.yaml
+++ b/charts/gateway/values.yaml
@@ -9,10 +9,23 @@ license:
accept: false
# existingSecretName: ssg-license
+# Diskless Configuration modes for the Gateway
+disklessConfig:
+ # true - environment variables are used for gateway configuration
+ # false - node.properties is used for gateway configuration
+ enabled: true
+ existingSecret: {}
+ # name: gateway-secret
+ # csi:
+ # driver: secrets-store.csi.k8s.io
+ # readOnly: true
+ # volumeAttributes:
+ # secretProviderClass: "secret-provider-class-name"
+
image:
registry: docker.io
repository: caapim/gateway
- tag: 11.1.00
+ tag: 11.1.1
pullPolicy: IfNotPresent
# If you are using a Hazelcast 3.x server then you need to set hazelcast.legacy.enabled=true
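Review bot: The `existingSecret` block does not say when it is consulted: the new templates/node-properties-secret.yaml only skips rendering when `disklessConfig.enabled` is false and `existingSecret.name` is set, so with the shipped `enabled: true` the whole block is ignored. Suggest a comment above it such as `# Only used when enabled is false; replaces the chart-rendered node.properties Secret`. Whether the referenced Secret must expose the same `node.properties` key as the chart-generated one is not visible here and should be stated once confirmed.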
@@ -169,6 +182,10 @@ config:
# Heap Size should be a percentage of the memory configured in resource limits
# by default it is 50% - you should not go above 75%
heapSize: "2g"
+ # Gateway v11.1.1 provides min and max heap size options
+ # If you are using an earlier version of the Gateway, these will be ignored.
+ # minHeapSize: "1g"
+ # maxHeapSize: "3g"
javaArgs:
- -Dcom.l7tech.bootstrap.autoTrustSslKey=trustAnchor,TrustedFor.SSL,TrustedFor.SAML_ISSUER
- -Dcom.l7tech.server.audit.message.saveToInternal=false
@@ -235,7 +252,7 @@ config:
com.l7tech.server.extension.sharedClusterInfoProvider=ssgdb
# By default, FIPS module will block an RSA modulus from being used for encryption if it has been used for
# signing, or visa-versa. Set true to disable this default behaviour and remain backwards compatible.
- com.safelogic.cryptocomply.rsa.allow_multi_use=true
+ com.l7tech.org.bouncycastle.rsa.allow_multi_use=true
# Specifies the type of Trust Store (JKS/PKCS12) provided by AdoptOpenJDK that is used by Gateway.
# Must be set correctly when Gateway is running in FIPS mode. If not specified it will default to PKCS12.
javax.net.ssl.trustStoreType=jks
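Review bot: The property key is renamed from `com.safelogic.cryptocomply.rsa.allow_multi_use` to `com.l7tech.org.bouncycastle.rsa.allow_multi_use` without any note on which Gateway version reads it, whereas the other additions in this file (`minHeapSize`, `liquibaseLogLevel`) state that they apply from v11.1.1. An older image would presumably ignore the new key and fall back to the stricter RSA key-usage behaviour the comment describes, which is a silent behaviour change for anyone pinning `image.tag`. Suggest extending the comment: `# Renamed for Gateway v11.1.1; earlier versions read com.safelogic.cryptocomply.rsa.allow_multi_use`.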
@@ -245,6 +262,9 @@ config:
# com.l7tech.server.extension.sharedKeyValueStoreProvider=redis
# com.l7tech.server.extension.sharedCounterProvider=redis
# com.l7tech.server.extension.sharedRateLimiterProvider=redis
+ # Shared state provider preview settings
+ # com.l7tech.external.assertions.keyvaluestore.sharedKeyValueStoreProvider=redis
+ # com.l7tech.external.assertions.keyvaluestore.storeIdList=GW_STORE_ID
# If you would like to use the built in OpenTelemetry SDK uncomment and set the following configuration
# otel.sdk.disabled=false
# otel.java.global-autoconfigure.enabled=true
@@ -396,8 +416,10 @@ config:
enabled: false
redis:
# enable or disable redis integration
- # please uncomment the 3 redis properties in config.systemProperties
+ # please uncomment the 5 redis properties in config.systemProperties
+ # view more configurable system properties here - https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/policy-assertions/assertion-palette/service-availability-assertions/key-value-storage-assertions.html#_c8b71b7b-dd84-4ee6-9771-d0bc262c36e9_sys_prop_configs
# Redis client properties for configuring Redis Standalone or Redis Sentinel connections
+ # This configuration is parsed into redis.default in sharedstate_client.yaml
enabled: false
# We recommend using an existing secret for Redis configuration in production environments
# for separation of concerns and to better secure Redis client property secrets.
@@ -406,6 +428,8 @@ config:
# To configure the Redis client directly in this values file uncomment and/or set the following client properties
groupName: l7GW
commandTimeout: 5000
+ connectTimeout: 10000
+ testOnStart: false
# The Gateway supports Redis master auth only.
# If trying out auth using the subChart redis.auth.enabled should be true, and redis.auth.sentinel should be false (default)
# If redis.auth.sentinel is enabled in the redis subChart or on your External Redis Sentinel Deployment, the Gateway will fail to start.
@@ -423,9 +447,12 @@ config:
masterSet: mymaster
# If the subChart is not enabled sentinel nodes need to be set
nodes:
- - :
- - :
- - :
+ - host:
+ port:
+ - host:
+ port:
+ - host:
+ port:
standalone: {}
# host: redis-standalone
# port: 6379
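Review bot: The three placeholder entries under `nodes` are live YAML with null `host` and `port`, so an unconfigured sentinel setup renders null values into the client config rather than failing to render. Follow the `standalone: {}` pattern directly below: ship `nodes: []` and keep the shape as a commented example, `# - host: redis-sentinel-0` / `#   port: 26379`. This also matches the comment above, which says the nodes need to be set only when the subChart is not enabled.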
@@ -445,7 +472,43 @@ config:
# changes will be required
# Using Redis as a subChart is not recommended in production, please use your own Redis for this integration.
enabled: false
-
+ additionalProviders: []
+ # - name: myRegionalRedisInstance1
+ # redis:
+ # tls:
+ # existingSecret: myRegionalRedisCertSecret1
+ # key: redis.crt
+ # # path must match ssl.cert in your provider config
+ # path: myRegionalRedisCert.crt
+ # config: {}
+ # config:
+ # regional:
+ # type: sentinel
+ # keyPrefixGroupName: test
+ # username: abc
+ # password: "def"
+ # commandTimeout: 5000
+ # connectTimeout: 10000
+ # testOnStart: false
+ # ssl:
+ # enabled: true
+ # cert: myRegionalRedisCert.crt
+ # verifyPeer: false
+ # sentinel:
+ # master: mymaster
+ # nodes:
+ # - host: 127.0.0.1
+ # port: 26379
+ # - host: 192.168.0.1
+ # port: 26379
+
+ # In Gateway v11.1.1 shared state providers like redis (redis only currently) can be configured in a yaml file.
+ sharedStateClient:
+ enabled: true
+ # If you are using an existingConfigSecret for more than one shared state client that requires a tls cert, please use the customConfig section to mount
+ # existingConfigSecret: shared-state-client-secret
+ # reserved for future use
+ additionalProviders: []
## Reference an existing secret for sensitive Gateway fields
## Note that additionalSecret will no longer take effect when existingGatewaySecret is set.
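Review bot: The comment `# reserved for future use` on `sharedStateClient.additionalProviders` is wrong: templates/shared-state-client-secret.yaml in this same commit already ranges over it and inlines each entry's `.config` as a sibling of `redis:`, so it should read `# Each entry's config is inlined into sharedstate_client.yaml as a top-level provider`. In the `redis.additionalProviders` example, `config: {}` and `config:` appear as sibling keys, so uncommenting the block as written yields a duplicate key that most parsers resolve silently by last-wins; drop the `config: {}` line. The example also pairs `ssl.enabled: true` with `verifyPeer: false`, which is the combination users will copy; show `verifyPeer: true` and say in a comment that false presumably skips certificate verification of the Redis endpoint.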
@@ -474,6 +537,10 @@ database:
# Configurable, update the mysql.auth. if you change this and would like to use the demo database server.
username: gateway
password: mypassword
+ # Liquibase log level can be set to one of the following.
+ # This configuration is only valid from Gateway v11.1.1 onwards.
+ # severe/warning/info/fine(debug)/off
+ liquibaseLogLevel: "off"
name: ssg
## If loading a TLS Key/Pair