From 89761e3f7d29b18aa00e1abc1c90fede32e51cb5 Mon Sep 17 00:00:00 2001 From: jennarddy Date: Wed, 3 Jul 2024 15:48:52 -0700 Subject: [PATCH 01/16] [charts/gateway] Add disklessConfig property (#318) * Add DISKLESS_CONFIG to configmap template for visibility * Add description for disklessConfig property * Only set SSG_DATABASE_JDBC_URL when DISKLESS_CONFIG is true. If false, user does not need to provide JDBC URL as that info is in node.properties * Only set secret environment variables when DISKLESS_CONFIG is true. Switch the order of ifs in configmap * Templatise volume mount of node.properties. No need for customConfig section for node.properties in values.yaml * Added details w.r.t Diskless Config flag * Added node.db.type to address derby database * Updated Read Me w.r.t disklessConfig * If disklessConfig is false/disabled , then create secret for node.properties and mount it on Gateway Container * Updated Readme to address PR feedback * Updated production values w.r.t disklessConfig * Updated Readme and other files to support .Values.disklessConfig.enabled * Fix indents and update disklessConfig references to disklessConfig.enabled * Update README --------- Co-authored-by: Jennard Dy Co-authored-by: dk670466 --- charts/gateway/README.md | 86 +++++++++++++++++++ charts/gateway/production-values.yaml | 5 ++ charts/gateway/templates/_helpers.tpl | 11 +++ charts/gateway/templates/configmap.yaml | 9 +- charts/gateway/templates/deployment.yaml | 13 +++ .../templates/node-properties-secret.yaml | 18 ++++ charts/gateway/templates/secret.yaml | 6 +- charts/gateway/values.yaml | 8 ++ 8 files changed, 151 insertions(+), 5 deletions(-) create mode 100644 charts/gateway/templates/node-properties-secret.yaml diff --git a/charts/gateway/README.md b/charts/gateway/README.md index 32dbda24..76fb285d 100644 --- a/charts/gateway/README.md +++ b/charts/gateway/README.md 
@@ -73,6 +73,7 @@ Helm Version Supported Kubernetes Versions * [Cluster-Wide Properties](#cluster-wide-properties) * [Java Args](#java-args) * [System Properties](#system-properties) +* [Diskless Configuration](#diskless-configuration) * [Gateway Bundles](#bundle-configuration) * [Bootstrap Script](#bootstrap-script) * [Custom Health Checks](#custom-health-checks) @@ -439,6 +440,9 @@ The following table lists the configurable parameters of the Gateway chart and t | `global.schedulerName` | Override the default scheduler | `nil` | | `license.value` | Gateway license file | `nil` | | `license.accept` | Accept Gateway license EULA | `false` | +| `disklessConfig.enabled` | Enable diskless configuration | `true` | +| `disklessConfig.value` | node.properties file. Used when disklessConfig.enabled is false. | `commented out` | +| `disklessConfig.existingSecretName` | Point to an existing secret containing node.properties | `commented out` | | `image.registry` | Image Registry | `docker.io` | | `image.repository` | Image Repository | `caapim/gateway` | | `image.tag` | Image tag | `11.0.00` | 
@@ -1157,6 +1161,88 @@ The full default is this com.l7tech.server.clusterStaleNodeCleanupTimeoutSeconds=86400 # Additional properties go here ``` +### Diskless Configuration +Refer to [TechDocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/install-configure-upgrade/configuring-the-container-gateway/environment-variables-for-the-container-gateway.html) for more info. + +DISKLESS_CONFIG is a flag that tells the container gateway where to get its configuration from. + +When DISKLESS_CONFIG is true, environment variables are used to configure Gateway. + +When DISKLESS_CONFIG is false, Gateway will be configured from node.properties. This node.properties file is mounted to the container gateway. + +#### DISKLESS_CONFIG = true +DISKLESS_CONFIG is set to true by default in values.yaml via disklessConfig.enabled: +``` +disklessConfig: + enabled: true + # value: + # existingSecretName: +``` + +#### DISKLESS_CONFIG = false +When setting DISKLESS_CONFIG to false, create node.properties and set disklessConfig.enabled to false + +##### Create node.properties +- Make sure the database configuration matches what is in node.properties + +Example: node.properties with MySQL database configuration +``` +node.cluster.pass=newpassword +admin.user=admin +admin.pass=newpassword +node.db.config.main.host=myDBHost.com +node.db.config.main.port=3306 +node.db.config.main.name=ssg +node.db.config.main.user=gateway +node.db.config.main.pass=newpassword +``` +- For derby database, it is required to add ***node.db.type=derby*** to node.properties + +Example: node.properties with Derby configuration +``` +node.cluster.pass=newpassword +admin.user=admin +admin.pass=newpassword +node.db.type=derby +node.db.config.main.user=gateway +``` + +##### Update values.yaml +Set disklessConfig.enabled to false. 
+ +To create new secret for node.properties, set value to node.properties file via --set-file flag + +Example: Create new secret for node.properties + +values.yaml +``` +disklessConfig: + enabled: false + value: + # existingSecretName: +``` + +helm command +``` +helm install my-ssg --set-file "disklessConfig.value=path/to/node.properties" --set-file "license.value=path/to/license.xml" --set "license.accept=true" layer7/gateway -f ./values.yaml +``` + +If you already configured node.properties as a secret beforehand, you can just pass the secret name in values.yaml + +Example: Use existing secret for node.properties + +values.yaml +``` +disklessConfig: + enabled: false + # value: + existingSecretName: ssg-node-properties +``` + +helm command +``` +helm install my-ssg --set-file "license.value=path/to/license.xml" --set "license.accept=true" layer7/gateway -f ./values.yaml +``` ### Bundle Configuration There are a variety of ways to mount Gateway (Restman format) Bundles to the Gateway Container. The best option is making use of existingBundles where the bundle has been created ahead of deployment as a configMap or secret. diff --git a/charts/gateway/production-values.yaml b/charts/gateway/production-values.yaml index 1c8cf2aa..7ace8fa1 100644 --- a/charts/gateway/production-values.yaml +++ b/charts/gateway/production-values.yaml @@ -9,6 +9,11 @@ license: accept: false # existingSecretName: ssg-license +disklessConfig: + enabled: true + # value: + # existingSecretName: + image: registry: docker.io repository: caapim/gateway diff --git a/charts/gateway/templates/_helpers.tpl b/charts/gateway/templates/_helpers.tpl index f33b49d1..3b2d7284 100644 --- a/charts/gateway/templates/_helpers.tpl +++ b/charts/gateway/templates/_helpers.tpl 
@@ -193,6 +193,17 @@ Define OTK Image Pull Secret Name {{- end -}} {{- end -}} +{{/* + Define Gateway node.properties Secret Name + */}} +{{- define "gateway.node.properties" -}} +{{- if .Values.disklessConfig.existingSecretName -}} + {{ .Values.disklessConfig.existingSecretName }} +{{- else -}} + {{- printf "%s-%s" (include "gateway.fullname" .) "node.properties" -}} +{{- end -}} +{{- end -}} + {{/* Validate OTK installation type (SINGLE, INTERNAL, DMZ) */}} diff --git a/charts/gateway/templates/configmap.yaml b/charts/gateway/templates/configmap.yaml index d6840b7d..1bba8ff4 100644 --- a/charts/gateway/templates/configmap.yaml +++ b/charts/gateway/templates/configmap.yaml @@ -18,13 +18,16 @@ metadata: {{- end }} data: ACCEPT_LICENSE: {{ .Values.license.accept | quote}} + DISKLESS_CONFIG: {{ .Values.disklessConfig.enabled | quote }} SSG_CLUSTER_HOST: {{ .Values.clusterHostname }} SSG_JVM_HEAP: {{ .Values.config.heapSize }} -{{- if .Values.database.enabled }} - {{- if .Values.database.create }} +{{- if .Values.disklessConfig.enabled }} + {{- if .Values.database.enabled }} + {{- if .Values.database.create }} SSG_DATABASE_JDBC_URL: jdbc:mysql://{{ .Release.Name }}-mysql:3306/{{ .Values.database.name }} - {{- else }} + {{- else }} SSG_DATABASE_JDBC_URL: {{ .Values.database.jdbcURL }} + {{- end }} {{- end }} {{- end }} {{- if or (.Values.hazelcast.enabled) (.Values.hazelcast.external) }} diff --git a/charts/gateway/templates/deployment.yaml b/charts/gateway/templates/deployment.yaml index d8263100..f5de25cc 100644 --- a/charts/gateway/templates/deployment.yaml +++ b/charts/gateway/templates/deployment.yaml 
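Review bot: Once `disklessConfig.enabled` is false the `database.enabled`/`database.create` branches in the configmap hunk are skipped entirely, so a release that still has the MySQL subchart enabled (`database.create: true`) no longer exports the derived `jdbc:mysql://{{ .Release.Name }}-mysql:3306/...` URL and the user must reproduce that host in node.properties by hand. That is presumably intended, but nothing in the template says so; a comment such as `{{- /* DISKLESS_CONFIG=false: the DB connection comes from node.properties; database.* values are not applied */ -}}` above the new outer `if` would make the switch explicit. The same applies to SSG_DATABASE_USER/PASSWORD in secret.yaml in this commit.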
@@ -192,6 +192,11 @@ spec: - name: {{ template "gateway.fullname" . }}-system-properties mountPath: /opt/SecureSpan/Gateway/node/default/etc/conf/system.properties subPath: system.properties +{{- if not (.Values.disklessConfig.enabled) }} + - name: {{ template "gateway.fullname" . }}-node-properties + mountPath: /opt/SecureSpan/Gateway/node/default/etc/conf/node.properties + subPath: node.properties +{{- end }} {{- if or (.Values.hazelcast.enabled) (.Values.hazelcast.external) }} - name: {{ template "gateway.fullname" . }}-hazelcast-client mountPath: /opt/SecureSpan/Gateway/node/default/etc/bootstrap/assertions/ExternalHazelcastSharedStateProviderAssertion/hazelcast-client.xml @@ -463,6 +468,14 @@ spec: items: - key: license path: license.xml + {{- if not .Values.disklessConfig.enabled }} + - name: {{ template "gateway.fullname" . }}-node-properties + secret: + secretName: {{ template "gateway.node.properties" . }} + items: + - key: node.properties + path: node.properties + {{- end }} - name: {{ template "gateway.fullname" . }}-system-properties configMap: name: {{ template "gateway.fullname" . }}-configmap diff --git a/charts/gateway/templates/node-properties-secret.yaml b/charts/gateway/templates/node-properties-secret.yaml new file mode 100644 index 00000000..fa142b36 --- /dev/null +++ b/charts/gateway/templates/node-properties-secret.yaml 
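Review bot: The new node.properties mount (the volumeMount in the first hunk, the volume in the second) carries the admin and database passwords, yet it is not mounted read-only; add `readOnly: true` next to `subPath: node.properties` so the container cannot rewrite its own credentials file. Note also that a Secret projected through `subPath` is not refreshed by the kubelet when the Secret changes, so rotating node.properties in an existing secret will not reach running pods until they restart; if the chart does not already have one, a checksum annotation on the pod template covering the node.properties secret would trigger that rollout automatically. Both hunks sit inside the pod spec, whose start and end lie outside the hunks.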
@@ -0,0 +1,18 @@ +{{ if not .Values.disklessConfig.enabled }} + {{ if not .Values.disklessConfig.existingSecretName }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "gateway.node.properties" . }} + annotations: + description: Template for Secrets for Gateway node.properties + labels: + app: {{ template "gateway.name" . }} + chart: {{ template "gateway.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +type: Opaque +data: + node.properties: {{ required "Please provide a Layer7 Gateway node.properties, as disklessConfig flag is false" .Values.disklessConfig.value | b64enc | quote }} + {{ end }} +{{ end }} \ No newline at end of file diff --git a/charts/gateway/templates/secret.yaml b/charts/gateway/templates/secret.yaml index bfac3cc3..8e40a705 100644 --- a/charts/gateway/templates/secret.yaml +++ b/charts/gateway/templates/secret.yaml @@ -21,13 +21,15 @@ metadata: {{- end }} type: Opaque data: +{{- if .Values.disklessConfig.enabled }} SSG_ADMIN_USERNAME: {{ .Values.management.username | b64enc }} SSG_ADMIN_PASSWORD: {{ .Values.management.password | b64enc }} SSG_CLUSTER_PASSWORD: {{.Values.clusterPassword | b64enc }} -{{ if .Values.database.enabled }} + {{ if .Values.database.enabled }} SSG_DATABASE_USER: {{.Values.database.username | b64enc }} SSG_DATABASE_PASSWORD: {{.Values.database.password | b64enc }} -{{ end }} + {{ end }} +{{- end }} {{ if .Values.additionalSecret }} {{- range $key, $val := .Values.additionalSecret }} {{ $key }}: {{ $val | toString | b64enc }} diff --git a/charts/gateway/values.yaml b/charts/gateway/values.yaml index 3646aee9..667302f7 100644 --- a/charts/gateway/values.yaml +++ b/charts/gateway/values.yaml 
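Review bot: The wrapping `{{ if ... }}`/`{{ end }}` lines use no whitespace trimming, so with `disklessConfig.enabled: true` (the default) the template still renders a file of blank lines, and the hunk ends with `\ No newline at end of file`; changing the outer pair to `{{- if not .Values.disklessConfig.enabled }}` / `{{- end }}` (and the inner pair likewise) plus a trailing newline keeps the rendered output empty and tidy. Since `.Values.disklessConfig.value` holds the plaintext node.properties, including admin and database passwords, it is worth stating in a template comment that the file also ends up in the Helm release record, so the `existingSecretName` path is the one to prefer outside development.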
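Review bot: With `disklessConfig.enabled: false` and no `additionalSecret`, the `data:` key is rendered with nothing under it, which YAML reads as null; the API server accepts an empty Secret, but anything in deployment.yaml that still pulls SSG_ADMIN_* or SSG_CLUSTER_PASSWORD from this Secret by key (outside this hunk) would then fail at pod start, so please double-check those references are gated the same way. The inner `{{ if .Values.database.enabled }}` / `{{ end }}` keep the untrimmed form and gain two leading spaces, which leaves whitespace-only lines in the rendered manifest; `{{- if .Values.database.enabled }}` / `{{- end }}` would match the new outer pair.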
@@ -9,6 +9,14 @@ license: accept: false # existingSecretName: ssg-license +# Use set diskless Configuration mode for Gateway +# when true , get values from environment variable and on false will get values from node.properties +# when disklessConfig.enabled is false , node.properties is passed via disklessConfig.value parameter +disklessConfig: + enabled: true + # value: + # existingSecretName: + image: registry: docker.io repository: caapim/gateway From 744f039cd97a4876c686b20de7eb6c9efcf632a3 Mon Sep 17 00:00:00 2001 From: Gary Vermeulen Date: Mon, 8 Jul 2024 20:06:21 +0100 Subject: [PATCH 02/16] updated redis integration, updated java min/max heap settings, updated diskless config --- charts/gateway/Chart.yaml | 4 +- charts/gateway/README.md | 212 +++++++++++++----- charts/gateway/production-values.yaml | 69 +++++- charts/gateway/templates/_helpers.tpl | 15 +- charts/gateway/templates/configmap.yaml | 9 + charts/gateway/templates/deployment.yaml | 97 +++++--- .../templates/node-properties-secret.yaml | 37 ++- .../templates/redis-config-secret.yaml | 72 ------ .../gateway/templates/redis-tls-secret.yaml | 2 +- .../templates/shared-state-client-secret.yaml | 76 +++++++ charts/gateway/values.yaml | 71 +++++- 11 files changed, 480 insertions(+), 184 deletions(-) delete mode 100644 charts/gateway/templates/redis-config-secret.yaml create mode 100644 charts/gateway/templates/shared-state-client-secret.yaml diff --git a/charts/gateway/Chart.yaml b/charts/gateway/Chart.yaml index f0fe7ed7..83ae2d36 100644 --- a/charts/gateway/Chart.yaml +++ b/charts/gateway/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: "11.1.00" +appVersion: "11.1.01" description: This Helm Chart deploys the Layer7 Gateway in Kubernetes. name: gateway -version: 3.0.28 +version: 3.0.30 type: application home: https://github.com/CAAPIM/apim-charts maintainers: diff --git a/charts/gateway/README.md b/charts/gateway/README.md index 76fb285d..6a5218d7 100644 --- a/charts/gateway/README.md 
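Review bot: The new comment block on `disklessConfig` is hard to read as written (`# Use set diskless Configuration mode`, stray spaces before commas) and does not say how `value` is normally supplied. Suggest replacing the three lines with `# Diskless configuration mode: true = configure the Gateway from environment variables,` / `# false = configure it from node.properties supplied via disklessConfig.value (e.g. --set-file disklessConfig.value=node.properties)` / `# or from an existing secret named in disklessConfig.existingSecretName.` The `--set-file` form is the one the README in this commit documents.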
+++ b/charts/gateway/README.md @@ -67,6 +67,7 @@ Helm Version Supported Kubernetes Versions * [Ingress Configuration](#ingress-configuration) * [PM Tagger Configuration](#pm-tagger-configuration) * [Redis Configuration](#redis-configuration) +* [Shared State Provider Configuration](#shared-state-provider-config) * [OpenTelemetry Configuration](#opentelemetry-configuration) * [OTK Install or Upgrade](#otk-install-or-upgrade) * [Database Configuration](#database-configuration) 
@@ -96,6 +97,28 @@ The Layer7 API Gateway is now running with Java 11 with the release of the v10.1 Things to note and be aware of are the deprecation of TLSv1.0/TLSv1.1 and the JAVA_HOME dir has gone through some changes as well. +## 3.0.30 General Updates +Release notes will also be moved to a new file before merge... +**Note** Gateway restart required if using preview Redis features. +- Support added for running the Gateway without [Diskless Config](#diskless-configuration) + - Uses node.properties which can be mounted via [Secret or Secret Store CSI Driver](https://secrets-store-csi-driver.sigs.k8s.io/) + - Must be conciously enabled (limited to Gateway v11.1.01) +- Redis configuration update + - Additional system properties for the key/value store assertion added (commented by default) + - please refer to [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/policy-assertions/assertion-palette/service-availability-assertions/key-value-storage-assertions.html#_c8b71b7b-dd84-4ee6-9771-d0bc262c36e9_sys_prop_configs) for more details + - Using new shared state provider config **(limited to Redis and Gateway v11.1.01)** + - this new configuration is **not backwards or forwards compatible** + - Please view [redis configuration](#redis-configuration) for more details on how to configure your values file. + - config.redis is used to configure this + - additional redis providers can be set directly in your values file via sharedStateProviders.additionalProviders + - if using an existing secret that contains multiple providers with TLS, please use [Custom Config](#custom-configuration-files) to load the additional certs. + - Configurable Java Min/Max Heap size + - Java Min and Max Heap Size is now [configurable](#java-args) + +## 3.0.29 +Pending OTK update.. 
+ + ## 3.0.28 General Updates - Added a [Startup probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) for the Gateway Container. - Disabled by default @@ -441,8 +464,9 @@ The following table lists the configurable parameters of the Gateway chart and t | `license.value` | Gateway license file | `nil` | | `license.accept` | Accept Gateway license EULA | `false` | | `disklessConfig.enabled` | Enable diskless configuration | `true` | -| `disklessConfig.value` | node.properties file. Used when disklessConfig.enabled is false. | `commented out` | -| `disklessConfig.existingSecretName` | Point to an existing secret containing node.properties | `commented out` | +| `disklessConfig.existingSecret` | existing node.properties secret mount configuration | `{}` | +| `disklessConfig.existingSecret.name` | existing secret containing node.properties | `gateway-secret` | +| `disklessConfig.existingSecret.csi` | csi configuration for the [secret store csi driver](https://secrets-store-csi-driver.sigs.k8s.io/) | `commented out` | | `image.registry` | Image Registry | `docker.io` | | `image.repository` | Image Repository | `caapim/gateway` | | `image.tag` | Image tag | `11.0.00` | @@ -477,6 +501,8 @@ The following table lists the configurable parameters of the Gateway chart and t | `tls.key` | p12 container - this can be set with --set-file tls.key=/path/to/tls.p12 | `nil` | | `tls.pass` | p12 container password - this cannot be empty | `nil` | | `config.heapSize` | Java Heap Size | `2g` | +| `config.minHeapSize` | Java Min Heap Size | `1g` | +| `config.maxHeapSize` | Java Max Heap Size | `3g` | | `config.javaArgs` | Additional Java Args to pass to the SSG process | `see values.yaml` | | `config.log.override` | Override the standard log configuration | `true` | | `config.log.properties` | Custom logging properties | `see values.yaml` | 
@@ -939,7 +965,9 @@ The integration example [here](https://github.com/Layer7-Community/Integrations/ - [Agent](https://github.com/Layer7-Community/Integrations/tree/main/grafana-stack-prometheus-otel/gateway-example/gateway-otel-java-agent-values.yaml) ### Redis Configuration -This enables integration with [Redis](https://redis.io/). The following sections configure a redis configuration file on the Gateway. The following properties in config.systemProperties will need to be updated +This enables integration with [Redis](https://redis.io/). The following sections configure a redis configuration file on the Gateway. The following properties in config.systemProperties will need to be updated. + +**Important Note** The latest version of this chart uses a new format for Redis configuration that will simplify configuring additional shared state providers in the future. Please view [shared state provider config](#shared-state-provider-config) for more details. This is only compatible with Gateway v11.1.01. Comment out the following ``` 
@@ -951,22 +979,24 @@ Uncomment the following # com.l7tech.server.extension.sharedKeyValueStoreProvider=redis # com.l7tech.server.extension.sharedCounterProvider=redis # com.l7tech.server.extension.sharedRateLimiterProvider=redis +# com.l7tech.external.assertions.keyvaluestore.sharedKeyValueStoreProvider=redis +# com.l7tech.external.assertions.keyvaluestore.storeIdList=GW_STORE_ID ``` | Parameter | Description | Default | | ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | | `config.redis.enabled` | Enable redis configuration | `false` | -| `config.redis.existingConfigSecret` | Use an existing config secret - must contain a key called redis.properties | `redis-config-secret` | | `config.redis.subChart.enabled` | Deploy the redis subChart | `true` | | `config.redis.groupName` | Redis Group name | `l7GW` | | `config.redis.commandTimeout` | Redis Command Timeout | `5000` | +| `config.redis.connectTimeout` | Redis Connect Timeout | `10000` | | `config.redis.auth.enabled` | Use auth for Redis | `false` | | `config.redis.auth.username` | Redis username | `` | | `config.redis.auth.password.encoded` | Password is encoded | `false` | | `config.redis.auth.password.value` | Redis password | `mypassword` | | `config.redis.sentinel.enabled` | Enable sentinel configuration | `true` | | `config.redis.sentinel.masterSet` | Redis Master set | `mymaster` | -| `config.redis.sentinel.nodes` | Array of sentinel nodes and ports | `[]` | +| `config.redis.sentinel.nodes` | Array of sentinel nodes host and port | `[]` | | `config.redis.standalone.host` | Redis host if sentinel is not enabled | `redis-standalone` | | `config.redis.standalone.port` | Redis port if sentinel is not enabled | `6379` | | `config.redis.tls.enabled` | Enable SSL/TLS | `false` | 
@@ -974,13 +1004,58 @@ Uncomment the following | `config.redis.tls.verifyPeer` | Verify Peer | `true` | | `config.redis.tls.redisCrt` | Redis Public Cert | `` | + #### Creating your own Redis Configuration Please refer to [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw-11-0/install-configure-upgrade/connect-to-an-external-redis-datastore.html) for more context on the available configuration options #### Note The Gateway supports Redis master auth only. The Gateway will not be able to connect to Redis if your Sentinel nodes have passwords. Please refer to the notes in values.yaml for details on config.redis.auth and redis.auth (subChart) -##### Redis Sentinel +##### Redis Sentinel (11.1.01) +sharedstate_client.yaml +``` +redis: + default: + type: sentinel + keyPrefixGroupName: test + username: redisuser + #password: "redispassword" + encodedPassword: "redisencodedpassword" + commandTimeout: 5000 + connectTimeout: 10000 + sentinel: + master: mymaster + nodes: + - host: node1 + port: 26379 + - host: node2 + port: 26379 + - host: node3 + port: 26379 +``` + +##### Redis Standalone (11.1.01) +sharedstate_client.yaml +``` +redis: + default: + type: standalone + keyPrefixGroupName: test + username: redisuser + #password: "redispassword" + encodedPassword: "redisencodedpassword" + commandTimeout: 5000 + connectTimeout: 10000 + standalone: + host: redis-standalone + port: 6379 + ssl: + enabled: true + cert: host.cert + verifyPeer: false +``` + +##### Redis Sentinel (11.0.00_CR2 and 11.1.00) redis.properties ``` # Redis type can be sentinel or standalone 
@@ -1000,7 +1075,8 @@ redis.properties redis.commandTimeout=5000 ``` -##### Redis Standalone (11.1.00 and later) +##### Redis Standalone (11.1.00) +**Gateway Chart v3.0.30 onwards only supports Gateway 11.1.01 and later for Redis** if you are not upgrading to Gateway v11.1.01 please specify the --version flag when installing or upgrading your release. The Gateway supports SSL/TLS and Authentication when connecting to a standalone Redis instance. This configuration should only be used for development purposes redis.properties @@ -1022,7 +1098,8 @@ redis.properties redis.commandTimeout=5000 ``` -##### Redis Standalone (11.0.00_CR2 and later) +##### Redis Standalone (11.0.00_CR2) +**Gateway Chart v3.0.30 onwards only supports Gateway 11.1.01 and later for Redis** if you are not upgrading to Gateway v11.1.01 please specify the --version flag when installing or upgrading your release. The Gateway does not support SSL/TLS or Authentication when connecting to a standalone Redis instance. This configuration should only be used for development purposes redis.properties @@ -1036,7 +1113,20 @@ redis.properties redis.commandTimeout=5000 ``` -##### Create a secret from this configuration +##### Create a secret from this configuration (11.1.01) +``` +kubectl create secret generic shared-state-provider-secret --from-file=sharedstate_client.yaml=/path/to/sharedstate_client.yaml +``` +my-values.yaml +``` +config: + sharedStateClient: + enabled: true + existingConfigSecret: shared-state-provider-secret +``` + +##### Create a secret from this configuration (11.0.00_CR2 and 11.1.00) +**Gateway Chart v3.0.30 onwards only supports Gateway 11.1.01 and later for Redis** if you are not upgrading to Gateway v11.1.01 please specify the --version flag when installing or upgrading your release. ``` kubectl create secret generic redis-config-secret --from-file=redis.properties=/path/to/redis.properties ``` 
@@ -1047,8 +1137,17 @@ redis: existingConfigSecret: redis-config-secret ``` +### Shared State Provider Config +Shared State Providers from Gateway v11.1.01 onwards simplifies the configuration required to connect to providers like Redis. This is currently limited to Redis. + +| Parameter | Description | Default | +| ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | +| `config.sharedStateProvider.enabled` | Enable redis configuration | `false` | +| `config.sharedStateProvider.existingConfigSecret` | Use an existing config secret - must contain a key called sharedstate_client.yaml | `sharedstate-client-secret` | +| `config.sharedStateProvider.additionalProviders` | Configure additional shared state providers - example in values.yaml | `[]` | ### Database Configuration +TODO: Update this for no disklessConfig + failover instructions You can configure the deployment to use an external database (this is the recommended approach - the included MySQL SubChart is not supported). In the values.yaml file, set the create field in the database section to false, and set jdbcURL to use your own database server: ``` database: 
@@ -1107,17 +1206,21 @@ config: ### Java Args -Additional Java Arguments as may be recommended by support can be configured in values.yaml +Additional Java Arguments as may be recommended by support can be configured in values.yaml. Gateway v11.1.01 supports two new fields that allows a min and max heap size to be set. If these are not set config.heapSize will take precedence. | Parameter | Description | Default | | ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | | `config.heapSize` | Java Heap Size - this should be a percentage of the memory configured in resources.limits and should be updated together. The default assumes 50%, going above 75% is not recommended | `2G` | +| `config.minHeapSize` | Java Min Heap Size - this should be a percentage of the memory configured in resources.limits and should be updated together. The default assumes 25% | `1G` | +| `config.maxHeapSize` | Java Max Heap Size - this should be a percentage of the memory configured in resources.limits and should be updated together. The default assumes 75%, going above this is not recommended | `3G` | | `config.javaArgs` | Additional Java Args to pass to the SSG process | `see values.yaml` | The default Java Args are as follows ``` config: heapSize: "2g" + minHeapSize: "1g" + maxHeapSize: "3g" javaArgs: - -Dcom.l7tech.bootstrap.autoTrustSslKey=trustAnchor,TrustedFor.SSL,TrustedFor.SAML_ISSUER - -Dcom.l7tech.server.audit.message.saveToInternal=false 
@@ -1162,86 +1265,85 @@ The full default is this # Additional properties go here ``` ### Diskless Configuration -Refer to [TechDocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/install-configure-upgrade/configuring-the-container-gateway/environment-variables-for-the-container-gateway.html) for more info. +Refer to [TechDocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/install-configure-upgrade/configuring-the-container-gateway/environment-variables-for-the-container-gateway.html) for more info. Running without Diskless config is supported from Gateway v11.1.01 onwards. Please make sure disklessConfig.enabled is false (default) if you are using a previous version of the Container Gateway. -DISKLESS_CONFIG is a flag that tells the container gateway where to get its configuration from. +**DISKLESS_CONFIG** is a new environment variable that was introduced in Gateway v11.1.01, that allows switching between configuration sources. -When DISKLESS_CONFIG is true, environment variables are used to configure Gateway. - -When DISKLESS_CONFIG is false, Gateway will be configured from node.properties. This node.properties file is mounted to the container gateway. - -#### DISKLESS_CONFIG = true -DISKLESS_CONFIG is set to true by default in values.yaml via disklessConfig.enabled: +This is exposed in the Gateway Helm Chart via the disklessConfig configuration in values.yaml. +- **disklessConfig.enabled: true** + - Default, No changes. ``` disklessConfig: enabled: true - # value: - # existingSecretName: + # existingSecret: + # name: gateway-secret + # csi: {} +``` +- **disklessConfig.enabled: false** + - The Gateway will be read its configuration from node.properties which is mounted to the container gateway. + - This facilitates the use of the [secret store csi driver](https://secrets-store-csi-driver.sigs.k8s.io/) to mount configuration. 
+ - Creates a secret with node.properties by default + - We **strongly recommend** you create your own node.properties file and make use of disklessConfig.existingSecret configuration. +``` +disklessConfig: + enabled: false + # existingSecret: + # name: gateway-secret + # csi: {} ``` -#### DISKLESS_CONFIG = false -When setting DISKLESS_CONFIG to false, create node.properties and set disklessConfig.enabled to false +#### Creating a node.properties file -##### Create node.properties +##### External MySQL - Make sure the database configuration matches what is in node.properties Example: node.properties with MySQL database configuration ``` -node.cluster.pass=newpassword +node.cluster.pass=mypassword admin.user=admin -admin.pass=newpassword +admin.pass=mypassword node.db.config.main.host=myDBHost.com node.db.config.main.port=3306 node.db.config.main.name=ssg node.db.config.main.user=gateway -node.db.config.main.pass=newpassword +node.db.config.main.pass=mypassword +l7.mysql.url.parameters.extra=&useSSL=true&requireSSL=true ``` -- For derby database, it is required to add ***node.db.type=derby*** to node.properties + +See [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/11-1/install-configure-upgrade/enable-ssl-connections-for-mysql.html) for more details on l7.mysql.url.parameters.extra + +##### Gateway running in Ephemeral Mode (no external MySQL) +- To run the Gateway in Ephemeral mode, ***node.db.type=derby*** needs to be added to node.properties Example: node.properties with Derby configuration ``` -node.cluster.pass=newpassword +node.cluster.pass=mypassword admin.user=admin -admin.pass=newpassword +admin.pass=mypassword node.db.type=derby node.db.config.main.user=gateway ``` ##### Update values.yaml -Set disklessConfig.enabled to false. - -To create new secret for node.properties, set value to node.properties file via --set-file flag +Update your values file to use the new node.properties file. 
-Example: Create new secret for node.properties +This command is the simplest way to create a secret with node.properties. Note that this can also be created with tools like [kustomize](https://kustomize.io/) which will be better for CI/CD pipelines. You can also take advantage of the secret [secret store csi driver](https://secrets-store-csi-driver.sigs.k8s.io/) to mount this secret from an external KMS provider. -values.yaml +Note that the key name is node.properties. This is required. ``` -disklessConfig: - enabled: false - value: - # existingSecretName: -``` - -helm command +kubectl create secret generic gateway-secret --from-file=node.properties=path/to/node.properties ``` -helm install my-ssg --set-file "disklessConfig.value=path/to/node.properties" --set-file "license.value=path/to/license.xml" --set "license.accept=true" layer7/gateway -f ./values.yaml -``` - -If you already configured node.properties as a secret beforehand, you can just pass the secret name in values.yaml - -Example: Use existing secret for node.properties - values.yaml ``` disklessConfig: enabled: false - # value: - existingSecretName: ssg-node-properties -``` - -helm command -``` -helm install my-ssg --set-file "license.value=path/to/license.xml" --set "license.accept=true" layer7/gateway -f ./values.yaml + existingSecret: + name: gateway-secret + # csi: + # driver: secrets-store.csi.k8s.io + # readOnly: true + # volumeAttributes: + # secretProviderClass: "secret-provider-class-name" ``` ### Bundle Configuration diff --git a/charts/gateway/production-values.yaml b/charts/gateway/production-values.yaml index 7ace8fa1..64f7ebee 100644 --- a/charts/gateway/production-values.yaml +++ b/charts/gateway/production-values.yaml 
@@ -9,10 +9,18 @@ license: accept: false # existingSecretName: ssg-license +# Diskless Configuration modes for the Gateway disklessConfig: + # true - environment variables are used for gateway configuration + # false - node.properties is used for gateway configuration enabled: true - # value: - # existingSecretName: + # existingSecret: + # name: gateway-secret + # csi: + # driver: secrets-store.csi.k8s.io + # readOnly: true + # volumeAttributes: + # secretProviderClass: "secret-provider-class-name" image: registry: docker.io @@ -174,6 +182,10 @@ config: # Heap Size should be a percentage of the memory configured in resource limits # by default it is 50% - you should not go above 75% heapSize: "2g" + # Gateway v11.1.01 provides min and max heap size options + # If you are using an earlier version of the Gateway, these will be ignored. + minHeapSize: "1g" + maxHeapSize: "3g" javaArgs: - -Dcom.l7tech.bootstrap.autoTrustSslKey=trustAnchor,TrustedFor.SSL,TrustedFor.SAML_ISSUER - -Dcom.l7tech.server.audit.message.saveToInternal=false @@ -250,6 +262,8 @@ config: # com.l7tech.server.extension.sharedKeyValueStoreProvider=redis # com.l7tech.server.extension.sharedCounterProvider=redis # com.l7tech.server.extension.sharedRateLimiterProvider=redis + # com.l7tech.external.assertions.keyvaluestore.sharedKeyValueStoreProvider=redis + # com.l7tech.external.assertions.keyvaluestore.storeIdList=GW_STORE_ID # If you would like to use the built in OpenTelemetry SDK uncomment and set the following configuration # otel.sdk.disabled=false # otel.java.global-autoconfigure.enabled=true 
@@ -401,8 +415,10 @@ config: enabled: false redis: # enable or disable redis integration - # please uncomment the 3 redis properties in config.systemProperties + # please uncomment the 5 redis properties in config.systemProperties + # view more configurable system properties here - https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/policy-assertions/assertion-palette/service-availability-assertions/key-value-storage-assertions.html#_c8b71b7b-dd84-4ee6-9771-d0bc262c36e9_sys_prop_configs # Redis client properties for configuring Redis Standalone or Redis Sentinel connections + # This configuration is parsed into redis.default in sharedstate_client.yaml enabled: false # We recommend using an existing secret for Redis configuration in production environments # for separation of concerns and to better secure Redis client property secrets. @@ -411,6 +427,7 @@ config: # To configure the Redis client directly in this values file uncomment and/or set the following client properties groupName: l7GW commandTimeout: 5000 + connectTimeout: 10000 # The Gateway supports Redis master auth only. # If trying out auth using the subChart redis.auth.enabled should be true, and redis.auth.sentinel should be false (default) # If redis.auth.sentinel is enabled in the redis subChart or on your External Redis Sentinel Deployment, the Gateway will fail to start. @@ -428,9 +445,12 @@ config: masterSet: mymaster # If the subChart is not enabled sentinel nodes need to be set nodes: - - : - - : - - : + - host: + port: + - host: + port: + - host: + port: standalone: {} # host: redis-standalone # port: 6379 
@@ -451,6 +471,39 @@ config: # Using Redis as a subChart is not recommended in production, please use your own Redis for this integration. enabled: false + # In Gateway v11.1.01 shared state providers like redis (redis only currently) can be configured in a yaml file. + sharedStateClient: + enabled: true + # If you are using an existingConfigSecret for more than one shared state client that requires a tls cert, please use the customConfig section to mount + # existingConfigSecret: shared-state-client-secret + additionalProviders: [] + # - name: myRegionalRedisInstance1 + # redis: + # tls: + # existingSecret: myRegionalRedisCertSecret1 + # key: redis.crt + # # path must match ssl.cert in your provider config + # path: myRegionalRedisCert.crt + # config: {} + # config: + # regional: + # type: sentinel + # keyPrefixGroupName: test + # username: abc + # password: "def" + # commandTimeout: 5000 + # connectTimeout: 10000 + # ssl: + # enabled: true + # cert: myRegionalRedisCert.crt + # verifyPeer: false + # sentinel: + # master: mymaster + # nodes: + # - host: 127.0.0.1 + # port: 26379 + # - host: 192.168.0.1 + # port: 26379 ## Reference an existing secret for sensitive Gateway fields ## Note that additionalSecret will no longer take effect when existingGatewaySecret is set. @@ -477,6 +530,9 @@ database: create: false # jdbcURL: jdbc:mysql://:/ | jdbc:mysql://:,:/,... # Configurable, update the mysql.auth. if you change this and would like to use the demo database server. + # if disklessConfig.enabled is set to false, jdbcUrl should be set to the jdbcHost + # jdbcURL: + # jdbcPort: 3306 username: gateway password: mypassword name: ssg @@ -947,7 +1003,6 @@ startupProbe: successThreshold: 1 failureThreshold: 15 - livenessProbe: enabled: true type: command diff --git a/charts/gateway/templates/_helpers.tpl b/charts/gateway/templates/_helpers.tpl index 3b2d7284..e8669dc0 100644 --- a/charts/gateway/templates/_helpers.tpl +++ b/charts/gateway/templates/_helpers.tpl 
@@ -96,6 +96,19 @@ Redis sentinel nodes {{- end -}} {{- end -}} + + +{{/* +Shared state client secret name +*/}} +{{- define "sharedStateClientSecretName" }} +{{- if not .Values.config.sharedStateClient.existingConfigSecret }} +{{- printf "%s-%s-%s" .Release.Name .Chart.Name "shared-state-client-configuration" -}} +{{- else }} +{{- .Values.config.sharedStateClient.existingConfigSecret }} +{{- end }} +{{- end }} + {{/* Redis config secret name */}} @@ -200,7 +213,7 @@ Define OTK Image Pull Secret Name {{- if .Values.disklessConfig.existingSecretName -}} {{ .Values.disklessConfig.existingSecretName }} {{- else -}} - {{- printf "%s-%s" (include "gateway.fullname" .) "node.properties" -}} + {{- printf "%s-%s" (include "gateway.fullname" .) "node-properties" -}} {{- end -}} {{- end -}} diff --git a/charts/gateway/templates/configmap.yaml b/charts/gateway/templates/configmap.yaml index 1bba8ff4..89cea382 100644 --- a/charts/gateway/templates/configmap.yaml +++ b/charts/gateway/templates/configmap.yaml @@ -21,6 +21,10 @@ data: DISKLESS_CONFIG: {{ .Values.disklessConfig.enabled | quote }} SSG_CLUSTER_HOST: {{ .Values.clusterHostname }} SSG_JVM_HEAP: {{ .Values.config.heapSize }} + {{- if and (.Values.config.minHeapSize) (.Values.config.maxHeapSize) }} + SSG_JVM_MIN_HEAP: {{ .Values.config.minHeapSize }} + SSG_JVM_MAX_HEAP: {{ .Values.config.maxHeapSize }} + {{- end }} {{- if .Values.disklessConfig.enabled }} {{- if .Values.database.enabled }} {{- if .Values.database.create }} 
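Review bot: The `gateway.node.properties` helper still switches on `.Values.disklessConfig.existingSecretName` (the context lines around the renamed printf in the `@@ -200,7 +213,7 @@` hunk), while values.yaml, production-values.yaml and the README in this same patch replace that key with `disklessConfig.existingSecret.name`; a user who follows the README therefore gets the chart-generated `<release>-node-properties` Secret mounted and their own secret silently ignored. The rewritten node-properties-secret.yaml further down has the same stale key in its top-level `if`, so it keeps rendering the generated Secret in that case too. Suggest `{{- if .Values.disklessConfig.existingSecret -}}` / `{{ .Values.disklessConfig.existingSecret.name }}` here and the matching `(not .Values.disklessConfig.existingSecret)` guard in the secret template, or keep `existingSecretName` as a documented alias so existing values files do not break.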
@@ -88,6 +92,11 @@ data: system-properties: |- {{ .Values.config.systemProperties | indent 4 }} {{- end }} +{{- if and (not .Values.disklessConfig.enabled) (.Values.disklessConfig.existingSecret.csi) }} + 004-configure-node-properties: |- + #!/bin/bash + cp /opt/docker/node-properties/{{ .Values.disklessConfig.existingSecret.name }} /opt/SecureSpan/Gateway/node/default/etc/conf/node.properties +{{- end }} {{- if .Values.management.kubernetes.loadServiceAccountToken }} 002-load-service-account-token: |- #!/bin/bash diff --git a/charts/gateway/templates/deployment.yaml b/charts/gateway/templates/deployment.yaml index f5de25cc..a59ff5e3 100644 --- a/charts/gateway/templates/deployment.yaml +++ b/charts/gateway/templates/deployment.yaml @@ -48,7 +48,7 @@ spec: {{- end }} {{- end }} spec: - serviceAccountName: {{ include "gateway.serviceAccountName" . }} + serviceAccountName: {{ include "gateway.serviceAccountName" . | quote}} {{- if .Values.affinity }} affinity: {{- toYaml .Values.affinity | nindent 12 }} {{- end }} @@ -70,7 +70,6 @@ spec: {{- if .Values.terminationGracePeriodSeconds }} terminationGracePeriodSeconds: {{.Values.terminationGracePeriodSeconds }} {{- end }} - initContainers: {{- if and (.Values.otk.enabled) (not .Values.database.enabled) }} - name: {{ .Chart.Name }}-otk-install-container @@ -98,15 +97,15 @@ spec: {{- range .Values.otk.customizations.existingBundle.secrets }} - name: {{ .name }} mountPath: /docker/custom_bundles/{{ .name }} - {{ if .csi }} + {{- if .csi }} readOnly: {{ .csi.readOnly }} - {{ end }} + {{- end }} {{- end }} {{- end }} {{- end }} {{- if .Values.initContainers }} {{toYaml .Values.initContainers | nindent 6 }} - {{ end }} + {{- end }} {{- if .Values.imagePullSecret.enabled }} imagePullSecrets: 
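Review bot: The `004-configure-node-properties` script in the configmap hunk has no error handling, so a failed `cp` (file not yet mounted, wrong name) leaves the Gateway starting without node.properties with the cause only in the container log; start it with `set -euo pipefail`. The file it copies is named after `disklessConfig.existingSecret.name`, but the README in this patch says the key must be `node.properties`, and a secrets-store CSI mount names files by the provider class's object name rather than the Kubernetes Secret name — worth confirming which name actually lands under /opt/docker/node-properties. The guard `(.Values.disklessConfig.existingSecret.csi)` is evaluated for every non-diskless render, and with `existingSecret` left commented out as the shipped values do, Helm will most likely abort with a nil-pointer error on `.csi`; the same expression is used in the deployment.yaml volumeMounts and volumes hunks below and again in patch 03. Wrapping each use as `{{- if .Values.disklessConfig.existingSecret }}{{- if .Values.disklessConfig.existingSecret.csi }}` (or a `hasKey` check) avoids the failure in the chart-generated-secret path.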
@@ -178,13 +177,13 @@ spec: containerPort: {{ .internal }} protocol: {{ .protocol }} {{- end }} - {{ if .Values.management.service.enabled}} + {{- if .Values.management.service.enabled}} {{- range .Values.management.service.ports }} - name: {{ .name }} containerPort: {{ .internal }} protocol: {{ .protocol }} {{- end }} - {{ end }} + {{- end }} volumeMounts: - name: {{ template "gateway.fullname" . }}-license-xml mountPath: /opt/SecureSpan/Gateway/node/default/etc/bootstrap/license/license.xml @@ -192,10 +191,13 @@ spec: - name: {{ template "gateway.fullname" . }}-system-properties mountPath: /opt/SecureSpan/Gateway/node/default/etc/conf/system.properties subPath: system.properties -{{- if not (.Values.disklessConfig.enabled) }} +{{- if and (not .Values.disklessConfig.enabled) (not .Values.disklessConfig.existingSecret.csi) }} - name: {{ template "gateway.fullname" . }}-node-properties mountPath: /opt/SecureSpan/Gateway/node/default/etc/conf/node.properties subPath: node.properties +{{- else }} + - name: {{ template "gateway.fullname" . }}-node-properties + mountPath: /opt/docker/node-properties {{- end }} {{- if or (.Values.hazelcast.enabled) (.Values.hazelcast.external) }} - name: {{ template "gateway.fullname" . }}-hazelcast-client 
@@ -238,15 +240,23 @@ spec: {{- end }} {{- end }} {{- if .Values.config.redis }} - {{- if .Values.config.redis.enabled }} - - name: {{ template "gateway.fullname" . }}-redis-properties - mountPath: /opt/SecureSpan/Gateway/node/default/etc/bootstrap/assertions/RedisSharedStateProviderAssertion/redis.properties - subPath: redis.properties + {{- if and (.Values.config.redis.enabled) (.Values.config.sharedStateClient.enabled) }} + - name: {{ template "gateway.fullname" . }}-shared-state-client + mountPath: /opt/SecureSpan/Gateway/node/default/etc/bootstrap/providers/sharedstate_client.yaml + subPath: sharedstate_client.yaml {{- if .Values.config.redis.tls.enabled }} - name: {{ template "gateway.fullname" . }}-redis-crt - mountPath: /opt/SecureSpan/Gateway/node/default/etc/bootstrap/assertions/RedisSharedStateProviderAssertion/redis.crt + mountPath: /opt/SecureSpan/Gateway/node/default/etc/bootstrap/providers/redis.crt subPath: redis.crt {{- end }} + {{- range .Values.config.sharedStateClient.additionalProviders }} + {{- if .redis.tls }} + - name: {{ .name }}-shared-state-provider-crt + mountPath: /opt/SecureSpan/Gateway/node/default/etc/bootstrap/providers/{{ .redis.tls.path }} + subPath: {{ .redis.tls.path }} + {{- end }} + {{- end }} + {{- end }} {{- end }} {{- if .Values.existingHealthCheck }} @@ -258,9 +268,9 @@ spec: {{- if .Values.existingHealthCheck.secret }} - name: {{ .Values.existingHealthCheck.secret.name }} mountPath: /opt/docker/rc.d/diagnostic/health_check - {{ if .Values.existingHealthCheck.secret.csi }} + {{- if .Values.existingHealthCheck.secret.csi }} readOnly: {{ .Values.existingHealthCheck.secret.csi.readOnly }} - {{ end }} + {{- end }} {{- end }} {{- end }} {{- end }} 
@@ -281,9 +291,9 @@ spec: {{- range .Values.existingBundle.secrets }} - name: {{ .name }} mountPath: /opt/SecureSpan/Gateway/node/default/etc/bootstrap/bundle/{{ .name }} - {{ if .csi }} + {{- if .csi }} readOnly: {{ .csi.readOnly }} - {{ end }} + {{- end }} {{- end }} {{- end }} {{- if .Values.management.kubernetes.loadServiceAccountToken }} @@ -301,6 +311,11 @@ spec: subPath: 003-parse-custom-files.sh {{- end }} {{- end }} +{{- if and (not .Values.disklessConfig.enabled) (.Values.disklessConfig.existingSecret.csi)}} + - name: {{ template "gateway.fullname" . }}-configure-node-properties + mountPath: /opt/docker/rc.d/004-configure-node-properties.sh + subPath: 004-configure-node-properties.sh +{{- end }} {{- if .Values.preStopScript }} {{- if .Values.preStopScript.enabled }} - name: {{ template "gateway.fullname" . }}-gracefulshutdown @@ -313,13 +328,13 @@ spec: {{- range .volumeMounts }} - name: {{ .name }} mountPath: {{ .mountPath }} - {{ if .subPath }} + {{- if .subPath }} subPath: {{ .subPath }} - {{ end }} + {{- end }} {{- end }} {{- end }} {{- end }} -{{ if and (.Values.otk.enabled) (not .Values.database.enabled) }} +{{- if and (.Values.otk.enabled) (not .Values.database.enabled) }} - name: {{ template "gateway.fullname" . }}-otk-install-container mountPath: /opt/SecureSpan/Gateway/node/default/etc/bootstrap/bundle/000OTK {{- end }} @@ -337,12 +352,12 @@ spec: {{- end }} {{- end }} {{- end }} - {{ if not $duplicate }} + {{- if not $duplicate }} - name: {{ .name }} mountPath: {{ .mountPath }} - {{ if .subPath }} + {{- if .subPath }} subPath: {{ .subPath }} - {{ end }} + {{- end }} {{- end }} {{- end }} {{- end }} 
@@ -470,11 +485,16 @@ spec: path: license.xml {{- if not .Values.disklessConfig.enabled }} - name: {{ template "gateway.fullname" . }}-node-properties + {{- if .Values.disklessConfig.existingSecret.csi }} + csi: {{ toYaml .Values.disklessConfig.existingSecret.csi | nindent 12 }} + {{- else }} secret: secretName: {{ template "gateway.node.properties" . }} items: - key: node.properties path: node.properties + {{- end }} + #### add csi config if using an existingSecret {{- end }} - name: {{ template "gateway.fullname" . }}-system-properties configMap: @@ -491,13 +511,13 @@ spec: path: hazelcast-client.xml {{- end }} {{- if .Values.config.redis }} - {{- if .Values.config.redis.enabled }} - - name: {{ template "gateway.fullname" . }}-redis-properties + {{- if and (.Values.config.redis.enabled) (.Values.config.sharedStateClient.enabled) }} + - name: {{ template "gateway.fullname" . }}-shared-state-client secret: - secretName: {{ template "redisConfigSecretName" . }} + secretName: {{ template "sharedStateClientSecretName" . }} items: - - key: redis.properties - path: redis.properties + - key: sharedstate_client.yaml + path: sharedstate_client.yaml {{- if .Values.config.redis.tls.enabled }} - name: {{ template "gateway.fullname" . }}-redis-crt secret: @@ -506,6 +526,16 @@ spec: - key: tls.crt path: redis.crt {{- end }} + {{- range .Values.config.sharedStateClient.additionalProviders }} + {{- if .redis.tls }} + - name: {{ .name }}-shared-state-provider-crt + secret: + secretName: {{ .redis.tls.existingSecret }} + items: + - key: {{ .redis.tls.key }} + path: {{ .redis.tls.path }} + {{- end }} + {{- end }} {{- end }} {{- end }} {{- if .Values.customConfig }} 
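Review bot: The comment `#### add csi config if using an existingSecret` left after the new `{{- end }}` of the node-properties volume in the `@@ -470,11 +485,16 @@` hunk is stale, since the csi branch it asks for is the code directly above it. It is not trimmed by the template and renders into the Pod manifest as a YAML comment, so it should simply be deleted.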
@@ -605,6 +635,15 @@ spec: path: 003-parse-custom-files.sh {{- end }} {{- end }} +{{- if and (not .Values.disklessConfig.enabled) (.Values.disklessConfig.existingSecret.csi)}} + - name: {{ template "gateway.fullname" . }}-configure-node-properties + configMap: + name: {{ template "gateway.fullname" . }}-configmap + items: + - key: 004-configure-node-properties + path: 004-configure-node-properties.sh +{{- end }} + {{- if .Values.preStopScript }} {{- if .Values.preStopScript.enabled }} - name: {{ template "gateway.fullname" . }}-gracefulshutdown @@ -683,7 +722,7 @@ spec: {{- end }} {{- end }} {{- end }} -{{ if and (.Values.otk.enabled) (not .Values.database.enabled) }} +{{- if and (.Values.otk.enabled) (not .Values.database.enabled) }} - name: {{ template "gateway.fullname" . }}-otk-install-container emptyDir: {} {{- if .Values.otk.customizations.existingBundle.enabled }} diff --git a/charts/gateway/templates/node-properties-secret.yaml b/charts/gateway/templates/node-properties-secret.yaml index fa142b36..f4e8aa48 100644 --- a/charts/gateway/templates/node-properties-secret.yaml +++ b/charts/gateway/templates/node-properties-secret.yaml 
@@ -1,18 +1,39 @@ -{{ if not .Values.disklessConfig.enabled }} - {{ if not .Values.disklessConfig.existingSecretName }} +{{- if and (not .Values.disklessConfig.enabled) (not .Values.disklessConfig.existingSecretName) }} apiVersion: v1 kind: Secret metadata: name: {{ template "gateway.node.properties" . }} - annotations: - description: Template for Secrets for Gateway node.properties labels: app: {{ template "gateway.name" . }} chart: {{ template "gateway.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} + {{- range $key, $val := .Values.additionalLabels }} + {{ $key }}: "{{ $val }}" + {{- end }} + annotations: + description: template for gateway node.properties + {{- if .Values.additionalAnnotations }} + {{- range $key, $val := .Values.additionalAnnotations }} + {{ $key }}: "{{ $val }}" + {{- end }} + {{- end }} type: Opaque -data: - node.properties: {{ required "Please provide a Layer7 Gateway node.properties, as disklessConfig flag is false" .Values.disklessConfig.value | b64enc | quote }} - {{ end }} -{{ end }} \ No newline at end of file +stringData: + node.properties: |+ + node.cluster.pass={{ .Values.clusterPassword }} + admin.user={{ .Values.management.username }} + admin.pass={{ .Values.management.password }} + {{- if .Values.database.enabled }} + {{- if .Values.database.create }} + node.db.config.main.host={{ .Release.Name }}-mysql + node.db.config.main.port=3306 + node.db.config.main.name={{ .Values.database.name }} + {{- else }} + node.db.config.main.host={{ required "Please set .Values.database.jdbcURL, this should be your database host only" .Values.database.jdbcURL }} + node.db.config.main.port={{ default 3306 .Values.database.jdbcPort }} + {{- end }} + node.db.config.main.user={{ .Values.database.username }} + node.db.config.main.pass={{ .Values.database.password }} + {{- end }} +{{- end }} \ No newline at end of file 
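Review bot: The generated node.properties has no ephemeral-mode branch: when `database.enabled` is false nothing is emitted after `admin.pass`, yet the README in this patch states that running without external MySQL requires `node.db.type=derby`; add `{{- else }}` / `node.db.type=derby` before the closing `{{- end }}` of the `database.enabled` block. The `required` call also repurposes `database.jdbcURL` as a bare host name, while the existing values comment documents it as a full `jdbc:mysql://...` URL for diskless mode, so one value cannot be correct for both modes and flipping `disklessConfig.enabled` silently produces a broken host; a separate key such as `database.host` (paired with the new `jdbcPort`) would avoid that. `|+` keeps every trailing newline of the block scalar; `|` or `|-` is the usual choice for a properties file and avoids rendering extra blank lines at the end of the Secret value.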
diff --git a/charts/gateway/templates/redis-config-secret.yaml b/charts/gateway/templates/redis-config-secret.yaml deleted file mode 100644 index 6b423f2e..00000000 --- a/charts/gateway/templates/redis-config-secret.yaml +++ /dev/null 
@@ -1,72 +0,0 @@ -{{- if and (.Values.config.redis.enabled) (not .Values.config.redis.existingConfigSecret)}} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "redisConfigSecretName" . }} - labels: - app: {{ template "gateway.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - {{- range $key, $val := .Values.additionalLabels }} - {{ $key }}: "{{ $val }}" - {{- end }} - {{- if .Values.additionalAnnotations }} - annotations: -{{- range $key, $val := .Values.additionalAnnotations }} - {{ $key }}: "{{ $val }}" -{{- end }} -{{- end }} -type: Opaque -stringData: - redis.properties: |+ - {{- if .Values.config.redis.sentinel.enabled }} - redis.type=sentinel - redis.sentinel.master={{ .Values.config.redis.sentinel.masterSet }} - {{- if .Values.config.redis.subChart.enabled }} - redis.sentinel.nodes={{ .Release.Name }}-redis-node-0.{{ .Release.Name }}-redis-headless.{{ .Release.Namespace }}.svc.cluster.local:26379,{{ .Release.Name }}-redis-node-1.{{ .Release.Name }}-redis-headless.{{ .Release.Namespace }}.svc.cluster.local:26379,{{ .Release.Name }}-redis-node-2.{{ .Release.Name }}-redis-headless.{{ .Release.Namespace }}.svc.cluster.local:26379 - {{- else }} - redis.sentinel.nodes={{ template "gateway.redisSentinelNodes" . 
}} - {{- end }} - {{- if .Values.config.redis.auth.enabled }} - {{- if .Values.config.redis.auth.username }} - redis.sentinel.username={{.Values.config.redis.auth.username}} - {{- end }} - {{- if .Values.config.redis.auth.password.encoded }} - redis.sentinel.encodedPassword={{.Values.config.redis.auth.password.value}} - {{- else }} - redis.sentinel.password={{.Values.config.redis.auth.password.value}} - {{- end }} - {{- end }} - {{- else }} - redis.type=standalone - {{- if .Values.config.redis.subChart.enabled }} - redis.standalone.hostname={{ .Release.Name }}-redis-master-0.{{ .Release.Name }}-redis-headless.{{ .Release.Namespace }}.svc.cluster.local - redis.standalone.port=6379 - {{- else }} - redis.standalone.hostname={{ .Values.config.redis.standalone.host }} - redis.standalone.port={{ .Values.config.redis.standalone.port }} - {{- end }} - {{- if .Values.config.redis.auth.enabled }} - {{- if .Values.config.redis.auth.username }} - redis.standalone.username={{.Values.config.redis.auth.username}} - {{- end }} - {{- if .Values.config.redis.auth.password.encoded }} - redis.standalone.encodedPassword={{.Values.config.redis.auth.password.value}} - {{- else }} - redis.standalone.password={{.Values.config.redis.auth.password.value}} - {{- end }} - {{- end }} - {{- end }} - redis.ssl={{ .Values.config.redis.tls.enabled }} - {{- if .Values.config.redis.tls.enabled }} - redis.ssl.cert=redis.crt - redis.ssl.verifypeer={{ .Values.config.redis.tls.verifyPeer }} - {{- end }} - {{- if .Values.config.redis.groupName }} - redis.key.prefix.grpname={{ .Values.config.redis.groupName }} - {{- end }} - {{- if .Values.config.redis.commandTimeout }} - redis.commandTimeout={{ .Values.config.redis.commandTimeout }} - {{- end }} -{{- end }} \ No newline at end of file diff --git a/charts/gateway/templates/redis-tls-secret.yaml b/charts/gateway/templates/redis-tls-secret.yaml index 9c974f4a..53c00234 100644 --- a/charts/gateway/templates/redis-tls-secret.yaml 
+++ b/charts/gateway/templates/redis-tls-secret.yaml @@ -1,4 +1,4 @@ -{{- if and (.Values.config.redis.enabled) (.Values.config.redis.sentinel.enabled) (.Values.config.redis.tls.enabled) (not .Values.config.redis.tls.existingSecret) (not .Values.config.redis.subChart.enabled) }} +{{- if and (.Values.config.redis.enabled) (.Values.config.redis.tls.enabled) (not .Values.config.redis.tls.existingSecret) (not .Values.config.redis.subChart.enabled) }} apiVersion: v1 kind: Secret metadata: diff --git a/charts/gateway/templates/shared-state-client-secret.yaml b/charts/gateway/templates/shared-state-client-secret.yaml new file mode 100644 index 00000000..931b8a70 --- /dev/null +++ b/charts/gateway/templates/shared-state-client-secret.yaml 
@@ -0,0 +1,76 @@ +{{- if and (.Values.config.sharedStateClient.enabled) (not .Values.config.sharedStateClient.existingConfigSecret) (.Values.config.redis.enabled) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "sharedStateClientSecretName" . }} + labels: + app: {{ template "gateway.name" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + {{- range $key, $val := .Values.additionalLabels }} + {{ $key }}: "{{ $val }}" + {{- end }} + {{- if .Values.additionalAnnotations }} + annotations: +{{- range $key, $val := .Values.additionalAnnotations }} + {{ $key }}: "{{ $val }}" +{{- end }} +{{- end }} +type: Opaque +stringData: + sharedstate_client.yaml: |+ + default: + commandTimeout: {{ default 5000 .Values.config.redis.commandTimeout }} + connectTimeout: {{ default 10000 .Values.config.redis.connectTimeout }} + keyPrefixGroupName: {{ default "l7GW" .Values.config.redis.groupName }} + {{- if .Values.config.redis.auth.enabled }} + {{- if .Values.config.redis.auth.username }} + username: {{.Values.config.redis.auth.username}} + {{- end }} + {{- if .Values.config.redis.auth.password.encoded }} + encodedPassword: {{.Values.config.redis.auth.password.value}} + {{- else }} + password: {{.Values.config.redis.auth.password.value}} + {{- end }} + {{- end }} + {{- if .Values.config.redis.sentinel.enabled }} + type: sentinel + sentinel: + master: {{ .Values.config.redis.sentinel.masterSet }} + nodes: + {{- if .Values.config.redis.subChart.enabled }} + redis.sentinel.nodes=,, + - host: {{ .Release.Name }}-redis-node-0.{{ .Release.Name }}-redis-headless.{{ .Release.Namespace }}.svc.cluster.local + port: 26379 + - host: {{ .Release.Name }}-redis-node-1.{{ .Release.Name }}-redis-headless.{{ .Release.Namespace }}.svc.cluster.local + port: 26379 + - host: {{ .Release.Name }}-redis-node-2.{{ .Release.Name }}-redis-headless.{{ .Release.Namespace }}.svc.cluster.local + port: 26379 + {{- else }} + {{- range 
.Values.config.redis.sentinel.nodes }} + - host: {{ .host }} + port: {{ .port }} + {{- end }} + {{- end }} + {{- else }} + type: standalone + standalone: + {{- if .Values.config.redis.subChart.enabled }} + hostname: {{ .Release.Name }}-redis-master-0.{{ .Release.Name }}-redis-headless.{{ .Release.Namespace }}.svc.cluster.local + port: 6379 + {{- else }} + hostname: {{ .Values.config.redis.standalone.host }} + port: {{ .Values.config.redis.standalone.port }} + {{- end }} + {{- end }} + ssl: + enabled: {{ .Values.config.redis.tls.enabled }} + cert: redis.crt + verifypeer: {{ .Values.config.redis.tls.verifyPeer }} + {{- if .Values.config.sharedStateClient.additionalProviders }} + {{- range .Values.config.sharedStateClient.additionalProviders }} + {{- toYaml .config | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gateway/values.yaml b/charts/gateway/values.yaml index 667302f7..ab4a70a3 100644 --- a/charts/gateway/values.yaml +++ b/charts/gateway/values.yaml @@ -9,13 +9,18 @@ license: accept: false # existingSecretName: ssg-license -# Use set diskless Configuration mode for Gateway -# when true , get values from environment variable and on false will get values from node.properties -# when disklessConfig.enabled is false , node.properties is passed via disklessConfig.value parameter +# Diskless Configuration modes for the Gateway disklessConfig: + # true - environment variables are used for gateway configuration + # false - node.properties is used for gateway configuration enabled: true - # value: - # existingSecretName: + # existingSecret: + # name: gateway-secret + # csi: + # driver: secrets-store.csi.k8s.io + # readOnly: true + # volumeAttributes: + # secretProviderClass: "secret-provider-class-name" image: registry: docker.io 
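Review bot: In shared-state-client-secret.yaml the line `redis.sentinel.nodes=,,` under `nodes:` in the `subChart.enabled` branch is a leftover from the deleted redis.properties template; it renders as a plain scalar directly before a block sequence, so `sharedstate_client.yaml` will not parse whenever the subChart is used — delete it. `username`, `password` and `encodedPassword` are templated unquoted into the YAML, so a credential that looks like a number or boolean, or contains `: ` or ` #`, changes type or breaks the document; render them with `| quote`. The `ssl.verifypeer` key differs from `verifyPeer` used in the `additionalProviders` example in values.yaml, and since each provider's `config` is `toYaml`'d into the same file only one spelling can be the one the Gateway reads — confirm against the provider schema.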
@@ -177,6 +182,10 @@ config: # Heap Size should be a percentage of the memory configured in resource limits # by default it is 50% - you should not go above 75% heapSize: "2g" + # Gateway v11.1.01 provides min and max heap size options + # If you are using an earlier version of the Gateway, these will be ignored. + minHeapSize: "1g" + maxHeapSize: "3g" javaArgs: - -Dcom.l7tech.bootstrap.autoTrustSslKey=trustAnchor,TrustedFor.SSL,TrustedFor.SAML_ISSUER - -Dcom.l7tech.server.audit.message.saveToInternal=false @@ -253,6 +262,8 @@ config: # com.l7tech.server.extension.sharedKeyValueStoreProvider=redis # com.l7tech.server.extension.sharedCounterProvider=redis # com.l7tech.server.extension.sharedRateLimiterProvider=redis + # com.l7tech.external.assertions.keyvaluestore.sharedKeyValueStoreProvider=redis + # com.l7tech.external.assertions.keyvaluestore.storeIdList=GW_STORE_ID # If you would like to use the built in OpenTelemetry SDK uncomment and set the following configuration # otel.sdk.disabled=false # otel.java.global-autoconfigure.enabled=true @@ -404,8 +415,10 @@ config: enabled: false redis: # enable or disable redis integration - # please uncomment the 3 redis properties in config.systemProperties + # please uncomment the 5 redis properties in config.systemProperties + # view more configurable system properties here - https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/policy-assertions/assertion-palette/service-availability-assertions/key-value-storage-assertions.html#_c8b71b7b-dd84-4ee6-9771-d0bc262c36e9_sys_prop_configs # Redis client properties for configuring Redis Standalone or Redis Sentinel connections + # This configuration is parsed into redis.default in sharedstate_client.yaml enabled: false # We recommend using an existing secret for Redis configuration in production environments # for separation of concerns and to better secure Redis client property secrets. 
@@ -414,6 +427,7 @@ config: # To configure the Redis client directly in this values file uncomment and/or set the following client properties groupName: l7GW commandTimeout: 5000 + connectTimeout: 10000 # The Gateway supports Redis master auth only. # If trying out auth using the subChart redis.auth.enabled should be true, and redis.auth.sentinel should be false (default) # If redis.auth.sentinel is enabled in the redis subChart or on your External Redis Sentinel Deployment, the Gateway will fail to start. @@ -431,9 +445,12 @@ config: masterSet: mymaster # If the subChart is not enabled sentinel nodes need to be set nodes: - - : - - : - - : + - host: + port: + - host: + port: + - host: + port: standalone: {} # host: redis-standalone # port: 6379 
@@ -454,6 +471,39 @@ config: # Using Redis as a subChart is not recommended in production, please use your own Redis for this integration. enabled: false + # In Gateway v11.1.01 shared state providers like redis (redis only currently) can be configured in a yaml file. + sharedStateClient: + enabled: true + # If you are using an existingConfigSecret for more than one shared state client that requires a tls cert, please use the customConfig section to mount + # existingConfigSecret: shared-state-client-secret + additionalProviders: [] + # - name: myRegionalRedisInstance1 + # redis: + # tls: + # existingSecret: myRegionalRedisCertSecret1 + # key: redis.crt + # # path must match ssl.cert in your provider config + # path: myRegionalRedisCert.crt + # config: {} + # config: + # regional: + # type: sentinel + # keyPrefixGroupName: test + # username: abc + # password: "def" + # commandTimeout: 5000 + # connectTimeout: 10000 + # ssl: + # enabled: true + # cert: myRegionalRedisCert.crt + # verifyPeer: false + # sentinel: + # master: mymaster + # nodes: + # - host: 127.0.0.1 + # port: 26379 + # - host: 192.168.0.1 + # port: 26379 ## Reference an existing secret for sensitive Gateway fields ## Note that additionalSecret will no longer take effect when existingGatewaySecret is set. @@ -480,6 +530,9 @@ database: create: true # jdbcURL: jdbc:mysql://:/ | jdbc:mysql://:,:/,... # Configurable, update the mysql.auth. if you change this and would like to use the demo database server. + # if disklessConfig.enabled is set to false, jdbcUrl should be set to the jdbcHost + # jdbcURL: + # jdbcPort: 3306 username: gateway password: mypassword name: ssg From 75ddf5efb56bc14e2ed11d8f6990cf653cc9a1ec Mon Sep 17 00:00:00 2001 From: Gary Vermeulen Date: Tue, 9 Jul 2024 00:52:40 +0100 Subject: [PATCH 03/16] updated deployment --- charts/gateway/templates/deployment.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
diff --git a/charts/gateway/templates/deployment.yaml b/charts/gateway/templates/deployment.yaml index a59ff5e3..4d4b187e 100644 --- a/charts/gateway/templates/deployment.yaml +++ b/charts/gateway/templates/deployment.yaml @@ -191,13 +191,15 @@ spec: - name: {{ template "gateway.fullname" . }}-system-properties mountPath: /opt/SecureSpan/Gateway/node/default/etc/conf/system.properties subPath: system.properties -{{- if and (not .Values.disklessConfig.enabled) (not .Values.disklessConfig.existingSecret.csi) }} +{{- if not .Values.disklessConfig.enabled }} + {{- if not .Values.disklessConfig.existingSecret.csi}} - name: {{ template "gateway.fullname" . }}-node-properties mountPath: /opt/SecureSpan/Gateway/node/default/etc/conf/node.properties subPath: node.properties -{{- else }} + {{- else }} - name: {{ template "gateway.fullname" . }}-node-properties mountPath: /opt/docker/node-properties + {{- end }} {{- end }} {{- if or (.Values.hazelcast.enabled) (.Values.hazelcast.external) }} - name: {{ template "gateway.fullname" . }}-hazelcast-client From 8b7b5092312365cce36148f1ec4a9c0e3af1306a Mon Sep 17 00:00:00 2001 From: Gary Vermeulen Date: Tue, 9 Jul 2024 23:05:49 +0100 Subject: [PATCH 04/16] updated redis configuration --- charts/gateway/README.md | 4 + charts/gateway/production-values.yaml | 16 ++-- charts/gateway/templates/deployment.yaml | 8 +- .../templates/shared-state-client-secret.yaml | 95 ++++++++++--------- charts/gateway/values.yaml | 16 ++-- 5 files changed, 79 insertions(+), 60 deletions(-) diff --git a/charts/gateway/README.md b/charts/gateway/README.md index 6a5218d7..b27a0031 100644 --- a/charts/gateway/README.md +++ b/charts/gateway/README.md 
@@ -987,9 +987,11 @@ Uncomment the following | ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | | `config.redis.enabled` | Enable redis configuration | `false` | | `config.redis.subChart.enabled` | Deploy the redis subChart | `true` | +| `config.redis.additionalProviders` | Configure additional Redis connections | `[]` | | `config.redis.groupName` | Redis Group name | `l7GW` | | `config.redis.commandTimeout` | Redis Command Timeout | `5000` | | `config.redis.connectTimeout` | Redis Connect Timeout | `10000` | +| `config.redis.testOnStart` | Test the connection to Redis during Gateway start. If the conection fails and this is true, the Gateway will not start | `false` | | `config.redis.auth.enabled` | Use auth for Redis | `false` | | `config.redis.auth.username` | Redis username | `` | | `config.redis.auth.password.encoded` | Password is encoded | `false` | @@ -1023,6 +1025,7 @@ redis: encodedPassword: "redisencodedpassword" commandTimeout: 5000 connectTimeout: 10000 + testOnStart: false sentinel: master: mymaster nodes: @@ -1046,6 +1049,7 @@ redis: encodedPassword: "redisencodedpassword" commandTimeout: 5000 connectTimeout: 10000 + testOnStart: false standalone: host: redis-standalone port: 6379 diff --git a/charts/gateway/production-values.yaml b/charts/gateway/production-values.yaml index 64f7ebee..94f63bbd 100644 --- a/charts/gateway/production-values.yaml +++ b/charts/gateway/production-values.yaml @@ -428,6 +428,7 @@ config: groupName: l7GW commandTimeout: 5000 connectTimeout: 10000 + testOnStart: false # The Gateway supports Redis master auth only. # If trying out auth using the subChart redis.auth.enabled should be true, and redis.auth.sentinel should be false (default) # If redis.auth.sentinel is enabled in the redis subChart or on your External Redis Sentinel Deployment, the Gateway will fail to start. 
@@ -470,12 +471,6 @@ config: # changes will be required # Using Redis as a subChart is not recommended in production, please use your own Redis for this integration. enabled: false - - # In Gateway v11.1.01 shared state providers like redis (redis only currently) can be configured in a yaml file. - sharedStateClient: - enabled: true - # If you are using an existingConfigSecret for more than one shared state client that requires a tls cert, please use the customConfig section to mount - # existingConfigSecret: shared-state-client-secret additionalProviders: [] # - name: myRegionalRedisInstance1 # redis: @@ -493,6 +488,7 @@ config: # password: "def" # commandTimeout: 5000 # connectTimeout: 10000 + # testOnStart: false # ssl: # enabled: true # cert: myRegionalRedisCert.crt @@ -505,6 +501,14 @@ config: # - host: 192.168.0.1 # port: 26379 + # In Gateway v11.1.01 shared state providers like redis (redis only currently) can be configured in a yaml file. + sharedStateClient: + enabled: true + # If you are using an existingConfigSecret for more than one shared state client that requires a tls cert, please use the customConfig section to mount + # existingConfigSecret: shared-state-client-secret + # reserved for future use + additionalProviders: [] + ## Reference an existing secret for sensitive Gateway fields ## Note that additionalSecret will no longer take effect when existingGatewaySecret is set. diff --git a/charts/gateway/templates/deployment.yaml b/charts/gateway/templates/deployment.yaml index 4d4b187e..410f1fb4 100644 --- a/charts/gateway/templates/deployment.yaml +++ b/charts/gateway/templates/deployment.yaml 
@@ -251,9 +251,9 @@ spec: mountPath: /opt/SecureSpan/Gateway/node/default/etc/bootstrap/providers/redis.crt subPath: redis.crt {{- end }} - {{- range .Values.config.sharedStateClient.additionalProviders }} + {{- range .Values.config.redis.additionalProviders }} {{- if .redis.tls }} - - name: {{ .name }}-shared-state-provider-crt + - name: {{ .name }}-redis-crt mountPath: /opt/SecureSpan/Gateway/node/default/etc/bootstrap/providers/{{ .redis.tls.path }} subPath: {{ .redis.tls.path }} {{- end }} @@ -528,9 +528,9 @@ spec: - key: tls.crt path: redis.crt {{- end }} - {{- range .Values.config.sharedStateClient.additionalProviders }} + {{- range .Values.config.redis.additionalProviders }} {{- if .redis.tls }} - - name: {{ .name }}-shared-state-provider-crt + - name: {{ .name }}-redis-crt secret: secretName: {{ .redis.tls.existingSecret }} items: diff --git a/charts/gateway/templates/shared-state-client-secret.yaml b/charts/gateway/templates/shared-state-client-secret.yaml index 931b8a70..dae998b5 100644 --- a/charts/gateway/templates/shared-state-client-secret.yaml +++ b/charts/gateway/templates/shared-state-client-secret.yaml 
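Review bot: `name: {{ .name }}-redis-crt` uses the provider name verbatim as a Kubernetes volume name, which must be a lowercase RFC 1123 label of at most 63 characters; the sample value `myRegionalRedisInstance1` shown in values.yaml renders fine but is rejected by the API server at apply time. Normalise it identically in the volumeMount and the volume so the two still match, e.g. `- name: {{ .name | lower | trunc 53 | trimSuffix "-" }}-redis-crt`. If an entry omits the `redis` key, `{{- if .redis.tls }}` also fails with a nil-pointer error; `{{- if (dig "redis" "tls" false .) }}` would skip it instead.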
@@ -20,54 +20,61 @@ metadata: type: Opaque stringData: sharedstate_client.yaml: |+ - default: - commandTimeout: {{ default 5000 .Values.config.redis.commandTimeout }} - connectTimeout: {{ default 10000 .Values.config.redis.connectTimeout }} - keyPrefixGroupName: {{ default "l7GW" .Values.config.redis.groupName }} - {{- if .Values.config.redis.auth.enabled }} - {{- if .Values.config.redis.auth.username }} - username: {{.Values.config.redis.auth.username}} - {{- end }} - {{- if .Values.config.redis.auth.password.encoded }} - encodedPassword: {{.Values.config.redis.auth.password.value}} - {{- else }} - password: {{.Values.config.redis.auth.password.value}} - {{- end }} - {{- end }} - {{- if .Values.config.redis.sentinel.enabled }} - type: sentinel - sentinel: - master: {{ .Values.config.redis.sentinel.masterSet }} - nodes: - {{- if .Values.config.redis.subChart.enabled }} - redis.sentinel.nodes=,, - - host: {{ .Release.Name }}-redis-node-0.{{ .Release.Name }}-redis-headless.{{ .Release.Namespace }}.svc.cluster.local - port: 26379 - - host: {{ .Release.Name }}-redis-node-1.{{ .Release.Name }}-redis-headless.{{ .Release.Namespace }}.svc.cluster.local - port: 26379 - - host: {{ .Release.Name }}-redis-node-2.{{ .Release.Name }}-redis-headless.{{ .Release.Namespace }}.svc.cluster.local - port: 26379 - {{- else }} - {{- range .Values.config.redis.sentinel.nodes }} - - host: {{ .host }} - port: {{ .port }} + redis: + default: + commandTimeout: {{ default 5000 .Values.config.redis.commandTimeout }} + connectTimeout: {{ default 10000 .Values.config.redis.connectTimeout }} + keyPrefixGroupName: {{ default "l7GW" .Values.config.redis.groupName }} + testOnStart: {{ default "false" .Values.config.redis.testOnStart }} + {{- if .Values.config.redis.auth.enabled }} + {{- if .Values.config.redis.auth.username }} + username: {{.Values.config.redis.auth.username}} {{- end }} - {{- end }} - {{- else }} - type: standalone - standalone: - {{- if .Values.config.redis.subChart.enabled }} - 
hostname: {{ .Release.Name }}-redis-master-0.{{ .Release.Name }}-redis-headless.{{ .Release.Namespace }}.svc.cluster.local - port: 6379 + {{- if .Values.config.redis.auth.password.encoded }} + encodedPassword: {{.Values.config.redis.auth.password.value}} {{- else }} - hostname: {{ .Values.config.redis.standalone.host }} - port: {{ .Values.config.redis.standalone.port }} + password: {{.Values.config.redis.auth.password.value}} {{- end }} {{- end }} - ssl: - enabled: {{ .Values.config.redis.tls.enabled }} - cert: redis.crt - verifypeer: {{ .Values.config.redis.tls.verifyPeer }} + {{- if .Values.config.redis.sentinel.enabled }} + type: sentinel + sentinel: + master: {{ .Values.config.redis.sentinel.masterSet }} + nodes: + {{- if .Values.config.redis.subChart.enabled }} + redis.sentinel.nodes=,, + - host: {{ .Release.Name }}-redis-node-0.{{ .Release.Name }}-redis-headless.{{ .Release.Namespace }}.svc.cluster.local + port: 26379 + - host: {{ .Release.Name }}-redis-node-1.{{ .Release.Name }}-redis-headless.{{ .Release.Namespace }}.svc.cluster.local + port: 26379 + - host: {{ .Release.Name }}-redis-node-2.{{ .Release.Name }}-redis-headless.{{ .Release.Namespace }}.svc.cluster.local + port: 26379 + {{- else }} + {{- range .Values.config.redis.sentinel.nodes }} + - host: {{ .host }} + port: {{ .port }} + {{- end }} + {{- end }} + {{- else }} + type: standalone + standalone: + {{- if .Values.config.redis.subChart.enabled }} + host: {{ .Release.Name }}-redis-master-0.{{ .Release.Name }}-redis-headless.{{ .Release.Namespace }}.svc.cluster.local + port: 6379 + {{- else }} + host: {{ .Values.config.redis.standalone.host }} + port: {{ .Values.config.redis.standalone.port }} + {{- end }} + {{- end }} + ssl: + enabled: {{ .Values.config.redis.tls.enabled }} + cert: redis.crt + verifypeer: {{ .Values.config.redis.tls.verifyPeer }} + {{- if .Values.config.redis.additionalProviders }} + {{- range .Values.config.redis.additionalProviders }} + {{- toYaml .config | nindent 6 }} + {{- end 
}} + {{- end }} {{- if .Values.config.sharedStateClient.additionalProviders }} {{- range .Values.config.sharedStateClient.additionalProviders }} {{- toYaml .config | nindent 4 }} diff --git a/charts/gateway/values.yaml b/charts/gateway/values.yaml index ab4a70a3..bf3c226c 100644 --- a/charts/gateway/values.yaml +++ b/charts/gateway/values.yaml @@ -428,6 +428,7 @@ config: groupName: l7GW commandTimeout: 5000 connectTimeout: 10000 + testOnStart: false # The Gateway supports Redis master auth only. # If trying out auth using the subChart redis.auth.enabled should be true, and redis.auth.sentinel should be false (default) # If redis.auth.sentinel is enabled in the redis subChart or on your External Redis Sentinel Deployment, the Gateway will fail to start. @@ -470,12 +471,6 @@ config: # changes will be required # Using Redis as a subChart is not recommended in production, please use your own Redis for this integration. enabled: false - - # In Gateway v11.1.01 shared state providers like redis (redis only currently) can be configured in a yaml file. - sharedStateClient: - enabled: true - # If you are using an existingConfigSecret for more than one shared state client that requires a tls cert, please use the customConfig section to mount - # existingConfigSecret: shared-state-client-secret additionalProviders: [] # - name: myRegionalRedisInstance1 # redis: @@ -493,6 +488,7 @@ config: # password: "def" # commandTimeout: 5000 # connectTimeout: 10000 + # testOnStart: false # ssl: # enabled: true # cert: myRegionalRedisCert.crt 
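Review bot: `username:`, `password:` and `encodedPassword:` are rendered into the YAML unquoted (`password: {{.Values.config.redis.auth.password.value}}`), so a credential that looks like a number or boolean, or contains `: ` or ` #`, is retyped or breaks the document — the Gateway then authenticates with a different string than the operator configured, or fails to parse its own config. Pipe each through `quote`: `username: {{ .Values.config.redis.auth.username | quote }}`, `encodedPassword: {{ .Values.config.redis.auth.password.value | quote }}`, `password: {{ .Values.config.redis.auth.password.value | quote }}`. Separately, the trailing range over `.Values.config.sharedStateClient.additionalProviders` still emits `toYaml .config | nindent 4`, which appears to be the level of the `redis:` key rather than the `nindent 6` used for `config.redis.additionalProviders`; with that key now marked "reserved for future use", an operator who left providers at the old location gets them spliced in outside `redis:` with no error, so either drop that range or `fail` when the list is non-empty.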
@@ -505,6 +501,14 @@ config: # - host: 192.168.0.1 # port: 26379 + # In Gateway v11.1.01 shared state providers like redis (redis only currently) can be configured in a yaml file. + sharedStateClient: + enabled: true + # If you are using an existingConfigSecret for more than one shared state client that requires a tls cert, please use the customConfig section to mount + # existingConfigSecret: shared-state-client-secret + # reserved for future use + additionalProviders: [] + ## Reference an existing secret for sensitive Gateway fields ## Note that additionalSecret will no longer take effect when existingGatewaySecret is set. From b4783e743914526c0c5a8ba732ab1f451b022bdb Mon Sep 17 00:00:00 2001 From: Gary Vermeulen Date: Tue, 9 Jul 2024 23:14:35 +0100 Subject: [PATCH 05/16] updated redis configuration --- charts/gateway/templates/shared-state-client-secret.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/charts/gateway/templates/shared-state-client-secret.yaml b/charts/gateway/templates/shared-state-client-secret.yaml index dae998b5..0affef11 100644 --- a/charts/gateway/templates/shared-state-client-secret.yaml +++ b/charts/gateway/templates/shared-state-client-secret.yaml @@ -42,7 +42,6 @@ stringData: master: {{ .Values.config.redis.sentinel.masterSet }} nodes: {{- if .Values.config.redis.subChart.enabled }} - redis.sentinel.nodes=,, - host: {{ .Release.Name }}-redis-node-0.{{ .Release.Name }}-redis-headless.{{ .Release.Namespace }}.svc.cluster.local port: 26379 - host: {{ .Release.Name }}-redis-node-1.{{ .Release.Name }}-redis-headless.{{ .Release.Namespace }}.svc.cluster.local @@ -69,7 +68,7 @@ stringData: ssl: enabled: {{ .Values.config.redis.tls.enabled }} cert: redis.crt - verifypeer: {{ .Values.config.redis.tls.verifyPeer }} + verifyPeer: {{ .Values.config.redis.tls.verifyPeer }} {{- if .Values.config.redis.additionalProviders }} {{- range .Values.config.redis.additionalProviders }} {{- toYaml .config | nindent 6 }} 
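Review bot: The `verifyPeer` casing fix is right, but the value still renders bare, so if `config.redis.tls.verifyPeer` is missing from the merged values the line becomes `verifyPeer:` (null) and the operator gets no signal that certificate validation was never configured. Sprig's `default true` cannot be used here because it treats an explicit `false` as empty and would flip it to `true`; `required` accepts `false` and only rejects nil or empty, so `verifyPeer: {{ required "config.redis.tls.verifyPeer must be set" .Values.config.redis.tls.verifyPeer }}` fails closed. If the Gateway only honours the camelCase spelling, deployments rendered by the previous patch were emitting an unrecognised `verifypeer` key, which deserves a line in release-notes.md.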
From 3f0bf718a42df8f413be63439458f6f4e7d0da70 Mon Sep 17 00:00:00 2001 From: Gary Vermeulen Date: Wed, 10 Jul 2024 01:55:00 +0100 Subject: [PATCH 06/16] updated readme, moved release notes to a new page, added liquibase log level --- charts/gateway/Chart.yaml | 2 +- charts/gateway/README.md | 413 ++++-------------------- charts/gateway/production-values.yaml | 8 +- charts/gateway/release-notes.md | 344 ++++++++++++++++++++ charts/gateway/templates/configmap.yaml | 1 + charts/gateway/values.yaml | 8 +- 6 files changed, 426 insertions(+), 350 deletions(-) create mode 100644 charts/gateway/release-notes.md diff --git a/charts/gateway/Chart.yaml b/charts/gateway/Chart.yaml index 83ae2d36..3ae086fb 100644 --- a/charts/gateway/Chart.yaml +++ b/charts/gateway/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: "11.1.01" +appVersion: "11.1.1" description: This Helm Chart deploys the Layer7 Gateway in Kubernetes. name: gateway version: 3.0.30 diff --git a/charts/gateway/README.md b/charts/gateway/README.md index 4371d1b5..19b8dbec 100644 --- a/charts/gateway/README.md +++ b/charts/gateway/README.md @@ -62,14 +62,15 @@ Helm Version Supported Kubernetes Versions * [Uninstall the Chart](#uninstalling-the-chart) ## Additional Guides +* [Configuration](#configuration) * [Service Configuration](#port-configuration) * [Gateway Application Ports](#gateway-application-ports) +* [OTK Install or Upgrade](#otk-install-or-upgrade) * [Ingress Configuration](#ingress-configuration) * [PM Tagger Configuration](#pm-tagger-configuration) * [Redis Configuration](#redis-configuration) * [Shared State Provider Configuration](#shared-state-provider-config) * [OpenTelemetry Configuration](#opentelemetry-configuration) -* [OTK Install or Upgrade](#otk-install-or-upgrade) * [Database Configuration](#database-configuration) * [Cluster-Wide Properties](#cluster-wide-properties) * [Java Args](#java-args) 
@@ -92,338 +93,9 @@ The Layer7 API Gateway is now running with Java 17 with the release of v11.1.00. If you use Policy Manager, you will need to update to v11.1.00. -# Java 11 -The Layer7 API Gateway is now running with Java 11 with the release of the v10.1.00. The Gateway chart's version has been incremented to 2.0.2. - -Things to note and be aware of are the deprecation of TLSv1.0/TLSv1.1 and the JAVA_HOME dir has gone through some changes as well. - -## 3.0.30 General Updates -Release notes will also be moved to a new file before merge... -**Note** Gateway restart required if using preview Redis features. -- Support added for running the Gateway without [Diskless Config](#diskless-configuration) - - Uses node.properties which can be mounted via [Secret or Secret Store CSI Driver](https://secrets-store-csi-driver.sigs.k8s.io/) - - Must be conciously enabled (limited to Gateway v11.1.01) -- Redis configuration update - - Additional system properties for the key/value store assertion added (commented by default) - - please refer to [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/policy-assertions/assertion-palette/service-availability-assertions/key-value-storage-assertions.html#_c8b71b7b-dd84-4ee6-9771-d0bc262c36e9_sys_prop_configs) for more details - - Using new shared state provider config **(limited to Redis and Gateway v11.1.01)** - - this new configuration is **not backwards or forwards compatible** - - Please view [redis configuration](#redis-configuration) for more details on how to configure your values file. - - config.redis is used to configure this - - additional redis providers can be set directly in your values file via sharedStateProviders.additionalProviders - - if using an existing secret that contains multiple providers with TLS, please use [Custom Config](#custom-configuration-files) to load the additional certs. 
- - Configurable Java Min/Max Heap size - - Java Min and Max Heap Size is now [configurable](#java-args) - -## 3.0.29 OTK 4.6.3 Released -- The default image tag in values.yaml and production-values.yaml for OTK updated to **4.6.3**. - - otk.job.image.tag: 4.6.3 -- Liquibase version has been upgraded to 4.12.0 to enable offline Liquibase schema support for OTK Helm charts. -- UTFMB4 Character Set Support for MySQL. -- Fixed backward compatibility issue related to bootstrap director location for pre 4.6.2 OTK versions - - For versions older than OTK 4.6.2, in values.yaml manually add a new parameter otk.bootstrapDir with value "." indicating current directory - -## 3.0.28 General Updates -- Added a [Startup probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) for the Gateway Container. - - Disabled by default - -## 3.0.27 General Updates -- Default image updated to v11.1.00 - - Due to conflicting embedded Hazelcast versions between Gateway 10.x and 11.1, and between 11.0 and 11.1, a rolling update cannot be performed when upgrading to version 11.1 GA. Instead, follow the alternative steps: - - Scale down your containers to zero. - - Update the image tag to the target version (e.g., 11.1.00) - - Scale up your containers back to their original state. - - Hazelcast versions have not changed between 11.0 CR1/CR2 and 11.1 GA, rolling updates are supported between these Gateway versions. 
-- Added preview support for [OpenTelemetry](https://opentelemetry.io/) - - Please see [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/11-1/install-configure-upgrade/configuring-opentelemetry-for-the-gateway.html) for more details about this integration - - Preview feature (only available on Gateway v11.1.00) - - An integration example is available [here](https://github.com/Layer7-Community/Integrations/tree/main/grafana-stack-prometheus-otel) that details how to deploy and configure an observability backend to use with the Gateway - - OpenTelemetry is supported by [numerous vendors](https://opentelemetry.io/ecosystem/vendors/) - - You are ***not required*** to use the observability stack that we provide as an example. - - The observability stack that we provide ***is not*** production ready and should be used solely as an example or reference point. - - [OpenTelemetry Configuration](#opentelemetry-configuration) -- Redis standalone now supports TLS and Password auth (only available on Gateway v11.1.00) - - see [Redis configuration](#redis-configuration) -- Cipher Suites in [Gateway Application Ports](#gateway-application-ports) have been updated to reflect updates in Gateway v11.1.00. Please refer to [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/11-1/release-notes.html#concept.dita_ea0082004fb8c78a1723b9377f592085674b7ef7_jdk17) for more details. This configuration is ***disabled by default.*** - -## 3.0.26 General Updates -- Commented out Nginx specific annotations in the ingress configuration - - If you are using an Nginx ingress controller you will need to add or uncomment the following annotation manually - - nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" - - [production-values.yaml](https://github.com/CAAPIM/apim-charts/blob/stable/charts/gateway/production-values.yaml#L792) sets this if you would like to use that as a starting point. 
-- Upgraded Hazelcast SubChart and set default image to latest versions. -- Added Gateway [Pod Disruption Budget](#pod-disruption-budgets) - -## 3.0.25 OTK Schedule job success and failure limts -- Added configurable success and failure job history limit for OTK database maintenance schedule jobs. - -## 3.0.24 General Updates -- Custom Volumes for initContainers and Sidecars - - This allows configmaps/secrets to be mounted to initContainers and sideCars - - customSideCarVolumes - - customInitVolumes - -## 3.0.23 OTK 4.6.2_202402 Released -- Updated OTK image version value - -## 3.0.22 General Updates -- Updated Chart ci values - - no impact - -## 3.0.21 General Updates -- Updated [Redis Configuration](#redis-configuration) - - More context added for creating your own redis properties file - - More context added for Redis auth - - note: the Gateway only supports Redis master auth - - Removed comments from values.yaml -- Added Graphman Bundle support to the bootstrap script - - files that end in .json will be copied into the bootstrap folder - - -## 3.0.20 General Updates -- Updated image - - Updated to Gateway 11.0.00_CR2 - - this will cause a restart if you are not overriding the default image - -## 3.0.19 General Updates -- Updated image - - Updated to Gateway 11.0.00_CR1 - - this will cause a restart if you are not overriding the default image -- Redis Integration - - [Redis Configuration](#redis-configuration) options for the Gateway (future use) - - Added Redis SubChart -- Ingress - - Backend service is now more configurable allowing the management service to be exposed via ingress controller - - ***this should only be done in environments where the ingress controller does not have a Public Address*** - - ingress.rules[n]backend can be set to "management" -- Restart on config change - - A new flag has been added to facilitate auto redeploy of Gateways when there is a config change - - Applies to the default config map only - - does not include config.cwp, 
config.listenPorts or the Gateway Secret -- MySQL subChart updated -- Grafana subChart updated - - -## 3.0.18 General Updates -- OTK documentation updates. - -## 3.0.17 OTK 4.6.2 Released - - The default image tag in values.yaml and production-values.yaml for OTK updated to **4.6.2**. - - otk.job.image.tag: 4.6.2 - - OTK DB install/upgrade using Liquibase scripts for MySql and Oracle. - - otk.database.dbupgrade - - OTK DB install/upgrade on the gateways MySQL container (MySQL subchart) - ***This is not supported or recommended for production use.*** - - otk.database.useDemodb - - Install/upgrade OTK of type SINGLE on Ephemeral gateways using initContainer is now supported. - - database.enabled: false - - otk.type: SINGLE - - Added OTK Connection properties to support c3p0 settings. - - otk.database.connectionProperties - - Added support OTK read-only connections for MySQL and Oracle. - - otk.database.readOnlyConnection.* - - Added support for OTK policies customization through config maps and secrets. - - otk.customizations.existingBundle.enabled - - OTK DMZ/Internal gateway certs can now be configured using values file. - - otk.cert -> [!Important] -> - To upgrade OTK to 4.6.2 installed over gateway with demo db as database, update helm repo, perform helm delete and install. -> - When upgrading OTK 4.6.2 on a db backed gateway, the gateway will restart as there is a change related to OTK health check bundle in gateway deployment. This can lead to failure of OTK upgrade. To circumvent this, please perform a helm upgrade `otk.healthCheckBundle.enabled` set to `false` and then upgrade to the 3.0.17. 
-> ``` -> helm upgrade my-ssg --set-file "license.value=license.value=path/to/license.xml" --set "license.accept=true,otk.healthCheckBundle.enabled=false" layer7/gateway --version 3.0.16 -f ./values-production.yaml -> helm upgrade my-ssg --set-file "license.value=license.value=path/to/license.xml" --set "license.accept=true" layer7/gateway --version 3.0.17 -f ./values-production.yaml -> ``` - - -## 3.0.16 General Updates -- Added resources to otk install job - - otk.job.resources - -## 3.0.15 General Updates -- Updated [bootstrap script](#bootstrap-script) - - 'find' replaced with 'du' - -## 3.0.14 General Updates -- Added pod labels and annotations to the otk-install job. - - otk.job.podLabels - - otk.job.podAnnotations - -## 3.0.13 General Updates -- The OTK Install job now uses podSecurity and containerSecurity contexts if set. -- Updated how pod labels and annotations are templated in deployment.yaml - -## 3.0.12 General Updates -Traffic Policies for Gateway Services are now configurable. The Kubernetes default for these options is `Cluster` if left unset. -- [Internal Traffic Policy](https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/#using-service-internal-traffic-policy) -- [External Traffic Policy](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip) - - -## 3.0.11 General Updates -Updates to Gateway Container Lifecycle. -- [A new preStop script has been added for graceful termination](#graceful-termination) - - terminationGracePeriodSeconds must be greater than preStopScript.timeoutSeconds -- Container Lifecycle can be overridden for custom exec/http calls - -## 3.0.10 General Updates -Custom labels and annotations have been extended to all objects the Gateway Chart deploys. Pod Labels and annotations have been added to the Gateway and PM-Tagger deployments. 
- -- Additional Labels/Annotations apply to everything in this Chart's templates -``` -# Additional Annotations apply to all deployed objects -additionalAnnotations: {} - -# Additional Labels apply to all deployed objects -additionalLabels: {} -``` - -- Pod Labels/Annotations at the base level apply to the Gateway Pod -``` -## Pod Labels for the Gateway Pod -## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ -podLabels: {} - -# Pod Annotations apply to the Gateway Pod -## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ -podAnnotations: {} -``` - -- PM-Tagger pod labels/annotations are separate -``` -pmtagger: - ... - ## Pod Labels for the PM Tagger Pod - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ - podLabels: {} - - # Pod Annotations apply to the PM Tagger Pod - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - podAnnotations: {} -``` - -## 3.0.9 Updates to PM-Tagger -PM tagger has following additional configuration options -- [Topology Spread Constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/#spread-constraints-for-pods) -- [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) -- [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) -- [All PM-Tagger Configuration](#pm-tagger-configuration) - -## 3.0.8 Updates to Hazelcast -The default image tag in values.yaml is updated to **5.2.1** and xsd version in configmap.yaml to **5.2**. The updates are due to vulnerability from CVE-2022-36437. -The updates are applied to both the gateway and gateway-otk chart. - -## 3.0.7 General Updates -The bootstrap script has been updated to reflect changes to the Container Gateway's filesystem. 
The updates are currently limited to 10.1.00_CR3. Please see the [InitContainer Examples](https://github.com/Layer7-Community/Utilities/tree/main/gateway-init-container-examples) for more info . - -The PM Tagger image default version tag been updated to 1.0.1. - -## 3.0.6 General Updates -The default image tag in values.yaml and production-values.yaml for OTK updated to **4.6.1**. Support for liveness and readiness probes using OTK health check service. - -## 3.0.5 General Updates -The default image tag in values.yaml and production-values.yaml, and the appVersion in Chart.yaml have been updated to **11.0.00**. - -Before upgrading existing deployments, please see the [Container Gateway 11.0 Release Notes](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw-11-0/release-notes_cgw.html) for important information regarding the procedure. - -## 3.0.4 General Updates -OTK installation and upgrade is now supported as part of Gateway charts. Please refer to [OTK Install or Upgrade](#otk-install-or-upgrade) for more details. -[Gateway-OTK](../gateway-otk) is now deprecated. - -## 3.0.2 General Updates -***The default image tag in values.yaml and production-values.yaml now points at specific GA or CR versions of the API Gateway. The appVersion in Chart.yaml has also been updated to reflect that. As of this release, that is 10.1.00_CR2*** - -To reduce reliance on requiring a custom/derived gateway image for custom and modular assertions, scripts and restman bundles a bootstrap script has been introduced. The script works with the /opt/docker/custom folder. - -The best way to populate this folder is with an initContainer where files can be copied directly across or dynamically loaded from an external source. -- [InitContainer Examples](https://github.com/Layer7-Community/Utilities/tree/main/gateway-init-container-examples) - this repository also contains examples for custom health checks and configuration files. 
- -The following configuration options have been added -- [Custom Health Checks](#custom-health-checks) -- [Custom Configuration Files](#custom-configuration-files) -- [Topology Spread Constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/#spread-constraints-for-pods) -- [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) -- [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) -- [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) -- Http headers can also now be added to the liveness and readiness probes -- Ingress and HPA API Version validation has been updated to check for available APIs vs. KubeVersion -- SubCharts now show image repository and tags - -### Upgrading to Chart v3.0.0 -Please see the 3.0.0 updates, this release brings significant updates and ***breaking changes*** if you are using an external Hazelcast 3.x server. Services and Ingress configuration have also changed. Read the 3.0.0 Updates below and check out the [additional guides](#additional-guides) for more info. - -## 3.0.0 Updates to Hazelcast -***Hazelcast 4.x/5.x servers are now supported*** this represents a breaking change if you have configured an external Hazelcast 3.x server. -- If you are using Gateway v10.1 and below you will either need to set *hazelcast.legacy.enabled=true* and use the following gateway image *docker.io/caapim/gateway:10.1.00_20220802* or update your external Hazelcast server. -- The included Hazelcast subChart has been updated to reflect this change - -### 3.0.0 Updates to Ingress Configuration -Ingress configuration has been updated to include multiple hosts, please see [Ingress Configuration](#ingress-configuration) for more detail. You will need to update your values.yaml to reflect the changes. 
- -## 3.0.0 General Updates -- You can now configure [Gateway Ports.](#port-configuration) - This does not cover Kubernetes Service level configuration which will ***need to be updated*** to reflect your changes. - -- New Management Service - - Provides separation of concerns for external/management traffic. This was previously a manual step. -- [Autoscaling](#autoscaling) -- [Ingress Configuration](#ingress-configuration) -- [PM Tagger](#pm-tagger-configuration) - - PM (Policy Manager) tagger is a lightweight go application that works with the new management service. - - RBAC Role Required if using PM Tagger. -- Default values.yaml restructure - - configuration items more closely aligned -- Added production-values.yaml - - Includes a baseline for production configuration - - Resources are set to minimum recommended values - - Application ports are hardened - - 8080 (disabled) - - 8443 (management features disabled - service is ClusterIP) - - 9443 (configured with management service) - - Autoscaling is enabled - - Ingress is enabled - - Rules are configured for 8443 - - Database is not created - you will need to supply a JDBC Url - -## Changes that will affect you if upgrading from 2.0.1 and below -- MySQL Stable Chart is deprecated - the demo database subChart has been changed to Bitnami MySQL - if your database is NOT externalised you will lose any policy/configuration you have there. -- tls.customKey ==> tls.useSignedCertificates tls.key tls.pass tls.existingSecretName - -## 2.0.6 General Updates -- Fixing bitnami repository dependency issue. - -## 2.0.5 General Updates -- Internal only. - -## 2.0.4 Updates to Secret Management -- Added support for the Kubernetes CSI Driver for gateway bundles. This does not currently extend to environment variables or the Gateway license. 
-- The CSI functionality is optional - -## 2.0.4 General Updates -- Added support for sidecars and initContainers - - volumeMounts are automatically configured with emptyDir -- Updated default values update to reflect empty objects/arrays for optional fields. -- Load the Gateway Deployment's ServiceAccountToken as a stored password for querying the Kubernetes API. - - management.kubernetes.loadServiceAccountToken - -## 2.0.2 Updates to Secret Management -- You can now specify existing secrets for Gateway Configuration, DefaultSSLKey (tls) and bundles - -## 2.0.2 General Updates -- Ingress Definition updated to reflect the new API Version, additional configuration added. -- HostAliases applies to /etc/hosts for dns names that aren't available on a dns server. -- System.properties is now mounted to the Gateway Container, default values have been applied. -- You can now reference existing bundles stored in configMaps/Secrets -- NodeSelector and Affinity settings for the Gateway Deployment -- Resources values updated to reflect minimum recommended configuration - -## Upgrading to 2.0.2 -***If you are using the demo database in a previous version of this Chart this upgrade will remove it. If you wish to keep your data you will need to perform a backup.*** -``` -$ helm repo update -$ helm show values layer7/gateway > gateway-values.yaml - -Inspect and update the new gateway-values.yaml - -$ helm upgrade my-ssg --set-file "license.value=path/to/license.xml" --set "license.accept=true" -f ./gateway-values.yaml layer7/gateway -``` +## Release notes +- Current Chart Version 3.0.30 + - Please review release notes [here](./release-notes.md) ## Installing the Chart Check out [this guide](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw-10-1/learning-center/thinking-in-kubernetes/hands-on-gateway-deployment-in-kubernetes.html) for more in-depth instruction 
@@ -499,6 +171,7 @@ The following table lists the configurable parameters of the Gateway chart and t | `database.create` | Deploy the MySQL stable deployment as part of this release | `true` | | `database.username` | Database Username | `gateway` | | `database.password` | Database Password | `mypassword` | +| `database.liquibaseLogLevel` | Liquibase log level | `off` | | `database.name` | Database name | `ssg` | | `tls.useSignedCertificates` | Enable/Disable use of your own TLS Certificate, this ovverides the Gateway's defaultSSLKey | `false` | | `tls.existingSecretName` | Existing Secret that contains TLS p12 container and pass, see values.yaml for what must be included | `commented out` | @@ -564,6 +237,8 @@ The following table lists the configurable parameters of the Gateway chart and t | `bootstrap.script.enabled` | Enable the bootstrap script | `false` | +[Back to Additional Guides](#additional-guides) + ## Port Configuration There are two types of port configuration available in the Gateway Helm Chart that are configured in the following ways @@ -614,6 +289,9 @@ management: external: 9443 protocol: TCP ``` + +[Back to Additional Guides](#additional-guides) + ### OTK install or upgrade OTK can be install or upgrade gateway. Supports SINGLE, INTERNAL and DMZ types of OTK installations on db backed gateway. On ephermal gateway only SINGLE mode is supported. @@ -737,6 +415,8 @@ OTK Deployment examples can be found [here](/examples/otk) #### Note: * In case of ephemeral GW instances where there only updates to OTK, it should be done using Helm --force option +[Back to Additional Guides](#additional-guides) + ### Gateway Application Ports Once you have decided on which container ports you would like to expose, you need to create the corresponding ports on the API Gateway. *These will need match the corresponding service and management service ports above.* 
@@ -825,6 +505,8 @@ config: # - TLS_RSA_WITH_AES_128_CBC_SHA ``` +[Back to Additional Guides](#additional-guides) + ### Ingress Configuration The Gateway Helm Chart allows you to configure an Ingress Resource that your central Ingress Controller can manage. You can find more information on [Ingress Controllers](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/) here. @@ -887,6 +569,8 @@ ingress: # #number: ``` +[Back to Additional Guides](#additional-guides) + ### PM Tagger Configuration [PM (Policy Manager) Tagger](https://github.com/gvermeulen7205/pm-tagger) is a lightweight go application that works in conjunction with the management service to provide a stable connection to your container gateway via Policy Manager. @@ -909,6 +593,8 @@ ingress: | `pmtagger.podSecurityContext` | [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | `[]` | | `pmtagger.containerSecurityContext` | [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | `{}` | +[Back to Additional Guides](#additional-guides) + ### OpenTelemetry Configuration The Gateway from v11.1.00 can be configured to send telemetry to Observability backends [that support OpenTelemetry](https://opentelemetry.io/ecosystem/vendors/). Please see [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/11-1/install-configure-upgrade/configuring-opentelemetry-for-the-gateway.html) for more details about this integration. 
@@ -965,15 +651,19 @@ example otel.traceConfig } ``` +[Back to Additional Guides](#additional-guides) + ##### Gateway OTel Examples (with or without the Optional Agent) The integration example [here](https://github.com/Layer7-Community/Integrations/tree/main/grafana-stack-prometheus-otel) contains two Gateway examples (values.yaml overrides) that are configured to use the SDK only approach ***or*** include the Optional OTel Java Agent. There are two Grafana Dashboards included that show the differences in the telemetry that emitted from the Gateway. - [SDK only, no agent](https://github.com/Layer7-Community/Integrations/tree/main/grafana-stack-prometheus-otel/gateway-example/gateway-sdk-only-values.yaml) - [Agent](https://github.com/Layer7-Community/Integrations/tree/main/grafana-stack-prometheus-otel/gateway-example/gateway-otel-java-agent-values.yaml) +[Back to Additional Guides](#additional-guides) + ### Redis Configuration This enables integration with [Redis](https://redis.io/). The following sections configure a redis configuration file on the Gateway. The following properties in config.systemProperties will need to be updated. -**Important Note** The latest version of this chart uses a new format for Redis configuration that will simplify configuring additional shared state providers in the future. Please view [shared state provider config](#shared-state-provider-config) for more details. This is only compatible with Gateway v11.1.01. +**Important Note** The latest version of this chart uses a new format for Redis configuration that will simplify configuring additional shared state providers in the future. Please view [shared state provider config](#shared-state-provider-config) for more details. This is only compatible with Gateway v11.1.1. Comment out the following ``` 
@@ -1019,7 +709,7 @@ Please refer to [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-sof #### Note The Gateway supports Redis master auth only. The Gateway will not be able to connect to Redis if your Sentinel nodes have passwords. Please refer to the notes in values.yaml for details on config.redis.auth and redis.auth (subChart) -##### Redis Sentinel (11.1.01) +##### Redis Sentinel (11.1.1) sharedstate_client.yaml ``` redis: @@ -1043,7 +733,7 @@ redis: port: 26379 ``` -##### Redis Standalone (11.1.01) +##### Redis Standalone (11.1.1) sharedstate_client.yaml ``` redis: @@ -1086,7 +776,7 @@ redis.properties ``` ##### Redis Standalone (11.1.00) -**Gateway Chart v3.0.30 onwards only supports Gateway 11.1.01 and later for Redis** if you are not upgrading to Gateway v11.1.01 please specify the --version flag when installing or upgrading your release. +**Gateway Chart v3.0.30 onwards only supports Gateway 11.1.1 and later for Redis** if you are not upgrading to Gateway v11.1.1 please specify the --version flag when installing or upgrading your release. The Gateway supports SSL/TLS and Authentication when connecting to a standalone Redis instance. This configuration should only be used for development purposes redis.properties @@ -1109,7 +799,7 @@ redis.properties ``` ##### Redis Standalone (11.0.00_CR2) -**Gateway Chart v3.0.30 onwards only supports Gateway 11.1.01 and later for Redis** if you are not upgrading to Gateway v11.1.01 please specify the --version flag when installing or upgrading your release. +**Gateway Chart v3.0.30 onwards only supports Gateway 11.1.1 and later for Redis** if you are not upgrading to Gateway v11.1.1 please specify the --version flag when installing or upgrading your release. The Gateway does not support SSL/TLS or Authentication when connecting to a standalone Redis instance. This configuration should only be used for development purposes redis.properties 
@@ -1123,7 +813,7 @@ redis.properties redis.commandTimeout=5000 ``` -##### Create a secret from this configuration (11.1.01) +##### Create a secret from this configuration (11.1.1) ``` kubectl create secret generic shared-state-provider-secret --from-file=sharedstate_client.yaml=/path/to/sharedstate_client.yaml ``` @@ -1136,7 +826,7 @@ config: ``` ##### Create a secret from this configuration (11.0.00_CR2 and 11.1.00) -**Gateway Chart v3.0.30 onwards only supports Gateway 11.1.01 and later for Redis** if you are not upgrading to Gateway v11.1.01 please specify the --version flag when installing or upgrading your release. +**Gateway Chart v3.0.30 onwards only supports Gateway 11.1.1 and later for Redis** if you are not upgrading to Gateway v11.1.1 please specify the --version flag when installing or upgrading your release. ``` kubectl create secret generic redis-config-secret --from-file=redis.properties=/path/to/redis.properties ``` @@ -1147,8 +837,10 @@ redis: existingConfigSecret: redis-config-secret ``` +[Back to Additional Guides](#additional-guides) + ### Shared State Provider Config -Shared State Providers from Gateway v11.1.01 onwards simplifies the configuration required to connect to providers like Redis. This is currently limited to Redis. +Shared State Providers from Gateway v11.1.1 onwards simplifies the configuration required to connect to providers like Redis. This is currently limited to Redis. | Parameter | Description | Default | | ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | 
@@ -1166,6 +858,7 @@ database: jdbcURL: jdbc:mysql://myprimaryserver:3306,mysecondaryserver:3306/ssg?failOverReadOnly=false username: myuser password: mypassword + liquibaseLogLevel: "off" name: ssg ``` In the above example, two MySQL database servers are specified with myprimaryserver acting as the primary server and mysecondaryserver acting as the secondary server. The failOverReadOnly property is also set to false meaning that the secondary server db is also writable. @@ -1186,6 +879,8 @@ jdbcURL: jdbc:mysql://myprimaryserver:3306,mysecondaryserver:3306/ssg?useSSL=tru In order the create the database on the remote server, the provided user in the username field must have write privilege on the database. See GRANT statement usage: https://dev.mysql.com/doc/refman/8.0/en/grant.html#grant-database-privileges +[Back to Additional Guides](#additional-guides) + ### Cluster Wide Properties You can specify cluster-wide properties in values.yaml, you can also use the [bundle](#bundle-configuration) to load your own Gateway Bundles. @@ -1214,9 +909,10 @@ config: value: 152 7101 7103 9648 9645 7026 7027 4155 150 4716 4114 6306 4100 9655 150 151 11000 4104 ``` +[Back to Additional Guides](#additional-guides) ### Java Args -Additional Java Arguments as may be recommended by support can be configured in values.yaml. Gateway v11.1.01 supports two new fields that allows a min and max heap size to be set. If these are not set config.heapSize will take precedence. +Additional Java Arguments as may be recommended by support can be configured in values.yaml. Gateway v11.1.1 supports two new fields that allows a min and max heap size to be set. If these are not set config.heapSize will take precedence. | Parameter | Description | Default | | ----------------------------- | ----------------------------------- | ----------------------------------------------------------- | 
@@ -1242,6 +938,8 @@ config: - -Dcom.l7tech.security.ssl.hostAllowWildcard=true ``` +[Back to Additional Guides](#additional-guides) + ### System Properties Additional System Properties as may be recommended by support can be configured in values.yaml @@ -1274,10 +972,13 @@ The full default is this com.l7tech.server.clusterStaleNodeCleanupTimeoutSeconds=86400 # Additional properties go here ``` + +[Back to Additional Guides](#additional-guides) + ### Diskless Configuration -Refer to [TechDocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/install-configure-upgrade/configuring-the-container-gateway/environment-variables-for-the-container-gateway.html) for more info. Running without Diskless config is supported from Gateway v11.1.01 onwards. Please make sure disklessConfig.enabled is false (default) if you are using a previous version of the Container Gateway. +Refer to [TechDocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/install-configure-upgrade/configuring-the-container-gateway/environment-variables-for-the-container-gateway.html) for more info. Running without Diskless config is supported from Gateway v11.1.1 onwards. Please make sure disklessConfig.enabled is false (default) if you are using a previous version of the Container Gateway. -**DISKLESS_CONFIG** is a new environment variable that was introduced in Gateway v11.1.01, that allows switching between configuration sources. +**DISKLESS_CONFIG** is a new environment variable that was introduced in Gateway v11.1.1, that allows switching between configuration sources. This is exposed in the Gateway Helm Chart via the disklessConfig configuration in values.yaml. - **disklessConfig.enabled: true** 
@@ -1356,6 +1057,8 @@ disklessConfig: # secretProviderClass: "secret-provider-class-name" ``` +[Back to Additional Guides](#additional-guides) + ### Bundle Configuration There are a variety of ways to mount Gateway (Restman format) Bundles to the Gateway Container. The best option is making use of existingBundles where the bundle has been created ahead of deployment as a configMap or secret. This allows for purpose built Gateways with a guaranteed set of configuration, apis/services. @@ -1386,6 +1089,8 @@ existingBundle: # secretProviderClass: "secret-provider-class-name" ``` +[Back to Additional Guides](#additional-guides) + ### Bootstrap Script To reduce reliance on requiring a custom gateway image for custom and modular assertions, scripts and restman bundles a bootstrap script has been introduced. The script works with the /opt/docker/custom folder. The best way to populate this folder is with an initContainer where files can be copied directly across or dynamically loaded from an external source. @@ -1417,6 +1122,8 @@ The following folder stucture must be maintained More information on how to use initContainers with examples can be found on the [Layer7 Community Github Utilities Repository](https://github.com/Layer7-Community/Utilities/tree/main/gateway-init-container-examples). +[Back to Additional Guides](#additional-guides) + ### Custom Health Checks You can now specify a configMap or Secret that contains healthcheck scripts. These are mounted to ```/opt/docker/rc.d/diagnostic/health_check``` where they are run by ```/opt/docker/rc.d/diagnostic/health_check.sh```. 
@@ -1441,6 +1148,8 @@ existingHealthCheck: # secretProviderClass: "vault-database" ``` +[Back to Additional Guides](#additional-guides) + ### Custom Configuration Files Certain folders on the Container Gateway are not writeable by design. This configuration allows you to mount existing configMap/Secret keys to specific paths on the Gateway without the need for a root user or a custom/derived image. @@ -1459,6 +1168,8 @@ customConfig: # path: sampletrafficloggerca.properties ``` +[Back to Additional Guides](#additional-guides) + ### Graceful Termination During upgrades and other events where Gateway pods are replaced you may have APIs/Services that have long running connections open. @@ -1485,6 +1196,8 @@ The graceful termination (preStop script) is disabled by default. | `preStopScript.excludedPorts` | Array of ports that should be excluded from the preStop script check | `[8777, 2124]` | | `terminationGracePeriodSeconds` | Default duration in seconds kubernetes waits for container to exit before sending kill signal. | `see values.yaml` | +[Back to Additional Guides](#additional-guides) + ### Autoscaling Autoscaling is disabled by default, you will need [metrics server](https://github.com/kubernetes-sigs/metrics-server) in conjunction with the configuration below. In order for Kubernetes to determine when to scale, you will also need to configure resources @@ -1528,6 +1241,8 @@ autoscaling: periodSeconds: 15 ``` +[Back to Additional Guides](#additional-guides) + ### Pod Disruption Budgets [Pod Disruption Budgets](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) allow you to limit the number of concurrent disruptions that your application experiences, allowing for higher availability while permitting the cluster administrator to manage the clusters nodes. | Parameter | Description | Default | 
@@ -1544,6 +1259,8 @@ pdb: minAvailable: "" ``` +[Back to Additional Guides](#additional-guides) + ### RBAC Parameters PM Tagger requires access to pods in the current namespace, it uses the Gateway Configured service account. @@ -1562,6 +1279,8 @@ rules: verbs: ["list", "patch"] ``` +[Back to Additional Guides](#additional-guides) + ### Logs & Audit Configuration The API Gateway containers are configured to output logs and audits as JSON events, and to never write audits to the in-memory Derby database: @@ -1577,6 +1296,8 @@ The API Gateway containers are configured to output logs and audits as JSON even - Allow wildcards when verifying hostnames (true/false) - Set '-Dcom.l7tech.security.ssl.hostAllowWildcard=true' to allow wildcards when verifying hostnames (true/false) +[Back to Additional Guides](#additional-guides) + ### Service Metrics Demo To deploy the service metrics example you will need to enable serviceMetrics, influxdb and grafana. @@ -1591,6 +1312,7 @@ To deploy the service metrics example you will need to enable serviceMetrics, in | `influxdb.enabled` | Enable/Disable deployment of InfluxDb | `false` | | `grafana.enabled` | Enable/Disable deployment of Grafana | `false` | +[Back to Additional Guides](#additional-guides) ## Subchart Configuration ***these do not represent production configurations*** @@ -1613,7 +1335,6 @@ The following table lists the configured parameters of the MySQL Bitnami chart - | `mysql.primary.persistence.storageClass` | Storage class to use | `nil` | | `mysql.primary.configuration` | MySQL Configuration | `see values.yaml` | - ## Hazelcast The following table lists the configured parameters of the Hazelcast Subchart - see the following for more detail https://github.com/hazelcast/charts/blob/master/stable/hazelcast/values.yaml 
@@ -1656,3 +1377,5 @@ The following table lists the configured parameters of the Grafana Subchart - se * InfluxDb (default: disabled) ==> https://github.com/influxdata/helm-charts/tree/master/charts/influxdb * Grafana (default: disabled) ==> https://github.com/bitnami/charts/tree/master/bitnami/grafana * Redis (default: disabled) ==>https://github.com/bitnami/charts/tree/master/bitnami/redis + +[Back to Additional Guides](#additional-guides) \ No newline at end of file diff --git a/charts/gateway/production-values.yaml b/charts/gateway/production-values.yaml index 8cb575a7..7fe4211a 100644 --- a/charts/gateway/production-values.yaml +++ b/charts/gateway/production-values.yaml @@ -182,7 +182,7 @@ config: # Heap Size should be a percentage of the memory configured in resource limits # by default it is 50% - you should not go above 75% heapSize: "2g" - # Gateway v11.1.01 provides min and max heap size options + # Gateway v11.1.1 provides min and max heap size options # If you are using an earlier version of the Gateway, these will be ignored. minHeapSize: "1g" maxHeapSize: "3g" @@ -501,7 +501,7 @@ config: # - host: 192.168.0.1 # port: 26379 - # In Gateway v11.1.01 shared state providers like redis (redis only currently) can be configured in a yaml file. + # In Gateway v11.1.1 shared state providers like redis (redis only currently) can be configured in a yaml file. sharedStateClient: enabled: true # If you are using an existingConfigSecret for more than one shared state client that requires a tls cert, please use the customConfig section to mount @@ -539,6 +539,10 @@ database: # jdbcPort: 3306 username: gateway password: mypassword + # Liquibase log level can be set to one of the following. + # This configuration is only valid from Gateway v11.1.1 onwards. + # severe/warning/info/fine(debug)/off + liquibaseLogLevel: "off" name: ssg ## If loading a TLS Key/Pair 
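Review bot: The added `liquibaseLogLevel: "off"` in the `database:` hunk of production-values.yaml is correctly quoted, but the new comment does not say why the quotes matter, and the README table in the earlier hunk documents the default as a bare `off`. Under YAML 1.1 rules, which Helm's values loader appears to follow, an unquoted `off` is read as the boolean `false`, so a user who copies the table value into their own values file would hand the Gateway the string `false` instead of a log level. Suggest extending the new comment with `# Keep this value quoted: a bare off/on is parsed as a YAML boolean, not a string.` The level list in the comment, `severe/warning/info/fine(debug)/off`, also reads as if `fine(debug)` were a literal value; `fine (debug)` would make clear that `debug` is an explanation rather than part of the setting.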
diff --git a/charts/gateway/release-notes.md b/charts/gateway/release-notes.md
new file mode 100644
index 00000000..6fedf96c
--- /dev/null
+++ b/charts/gateway/release-notes.md
@@ -0,0 +1,344 @@ +# Layer7 Gateway Chart Release Notes + +Back to [Readme](./README.md#release-notes) + +## 3.0.30 General Updates +Release notes will also be moved to a new file before merge... +**Note** Gateway restart required if using preview Redis features. +- Support added for running the Gateway without [Diskless Config](./README.md#diskless-configuration) + - Uses node.properties which can be mounted via [Secret or Secret Store CSI Driver](https://secrets-store-csi-driver.sigs.k8s.io/) + - Must be conciously enabled (limited to Gateway v11.1.1) +- Redis configuration update + - Additional system properties for the key/value store assertion added (commented by default) + - please refer to [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/policy-assertions/assertion-palette/service-availability-assertions/key-value-storage-assertions.html#_c8b71b7b-dd84-4ee6-9771-d0bc262c36e9_sys_prop_configs) for more details + - Using new shared state provider config **(limited to Redis and Gateway v11.1.1)** + - this new configuration is **not backwards or forwards compatible** + - Please view [redis configuration](./README.md#redis-configuration) for more details on how to configure your values file. + - config.redis is used to configure this + - additional redis providers can be set directly in your values file via sharedStateProviders.additionalProviders + - if using an existing secret that contains multiple providers with TLS, please use [Custom Config](./README.md#custom-configuration-files) to load the additional certs. + - Configurable Java Min/Max Heap size + - Java Min and Max Heap Size is now [configurable](./README.md#java-args) + - Liquibase Log Level is now settable via database.liquibaseLogLevel. 
+ - default "off" + - possible values + - severe + - warning + - info + - fine(debug) + - off + +## 3.0.29 OTK 4.6.3 Released +- The default image tag in values.yaml and production-values.yaml for OTK updated to **4.6.3**. + - otk.job.image.tag: 4.6.3 +- Liquibase version has been upgraded to 4.12.0 to enable offline Liquibase schema support for OTK Helm charts. +- UTFMB4 Character Set Support for MySQL. +- Fixed backward compatibility issue related to bootstrap director location for pre 4.6.2 OTK versions + - For versions older than OTK 4.6.2, in values.yaml manually add a new parameter otk.bootstrapDir with value "." indicating current directory + +## 3.0.28 General Updates +- Added a [Startup probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) for the Gateway Container. + - Disabled by default + +## 3.0.27 General Updates +- Default image updated to v11.1.00 + - Due to conflicting embedded Hazelcast versions between Gateway 10.x and 11.1, and between 11.0 and 11.1, a rolling update cannot be performed when upgrading to version 11.1 GA. Instead, follow the alternative steps: + - Scale down your containers to zero. + - Update the image tag to the target version (e.g., 11.1.00) + - Scale up your containers back to their original state. + - Hazelcast versions have not changed between 11.0 CR1/CR2 and 11.1 GA, rolling updates are supported between these Gateway versions. 
+- Added preview support for [OpenTelemetry](https://opentelemetry.io/) + - Please see [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/11-1/install-configure-upgrade/configuring-opentelemetry-for-the-gateway.html) for more details about this integration + - Preview feature (only available on Gateway v11.1.00) + - An integration example is available [here](https://github.com/Layer7-Community/Integrations/tree/main/grafana-stack-prometheus-otel) that details how to deploy and configure an observability backend to use with the Gateway + - OpenTelemetry is supported by [numerous vendors](https://opentelemetry.io/ecosystem/vendors/) + - You are ***not required*** to use the observability stack that we provide as an example. + - The observability stack that we provide ***is not*** production ready and should be used solely as an example or reference point. + - [OpenTelemetry Configuration](./README.md#opentelemetry-configuration) +- Redis standalone now supports TLS and Password auth (only available on Gateway v11.1.00) + - see [Redis configuration](./README.md#redis-configuration) +- Cipher Suites in [Gateway Application Ports](./README.md#gateway-application-ports) have been updated to reflect updates in Gateway v11.1.00. Please refer to [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/11-1/release-notes.html#concept.dita_ea0082004fb8c78a1723b9377f592085674b7ef7_jdk17) for more details. 
This configuration is ***disabled by default.*** + +## 3.0.26 General Updates +- Commented out Nginx specific annotations in the ingress configuration + - If you are using an Nginx ingress controller you will need to add or uncomment the following annotation manually + - nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + - [production-values.yaml](https://github.com/CAAPIM/apim-charts/blob/stable/charts/gateway/production-values.yaml#L792) sets this if you would like to use that as a starting point. +- Upgraded Hazelcast SubChart and set default image to latest versions. +- Added Gateway [Pod Disruption Budget](./README.md#pod-disruption-budgets) + +## 3.0.25 OTK Schedule job success and failure limts +- Added configurable success and failure job history limit for OTK database maintenance schedule jobs. + +## 3.0.24 General Updates +- Custom Volumes for initContainers and Sidecars + - This allows configmaps/secrets to be mounted to initContainers and sideCars + - customSideCarVolumes + - customInitVolumes + +## 3.0.23 OTK 4.6.2_202402 Released +- Updated OTK image version value + +## 3.0.22 General Updates +- Updated Chart ci values + - no impact + +## 3.0.21 General Updates +- Updated [Redis Configuration](./README.md#redis-configuration) + - More context added for creating your own redis properties file + - More context added for Redis auth + - note: the Gateway only supports Redis master auth + - Removed comments from values.yaml +- Added Graphman Bundle support to the bootstrap script + - files that end in .json will be copied into the bootstrap folder + + +## 3.0.20 General Updates +- Updated image + - Updated to Gateway 11.0.00_CR2 + - this will cause a restart if you are not overriding the default image + +## 3.0.19 General Updates +- Updated image + - Updated to Gateway 11.0.00_CR1 + - this will cause a restart if you are not overriding the default image +- Redis Integration + - [Redis Configuration](./README.md#redis-configuration) options for the 
Gateway (future use) + - Added Redis SubChart +- Ingress + - Backend service is now more configurable allowing the management service to be exposed via ingress controller + - ***this should only be done in environments where the ingress controller does not have a Public Address*** + - ingress.rules[n]backend can be set to "management" +- Restart on config change + - A new flag has been added to facilitate auto redeploy of Gateways when there is a config change + - Applies to the default config map only + - does not include config.cwp, config.listenPorts or the Gateway Secret +- MySQL subChart updated +- Grafana subChart updated + + +## 3.0.18 General Updates +- OTK documentation updates. + +## 3.0.17 OTK 4.6.2 Released + - The default image tag in values.yaml and production-values.yaml for OTK updated to **4.6.2**. + - otk.job.image.tag: 4.6.2 + - OTK DB install/upgrade using Liquibase scripts for MySql and Oracle. + - otk.database.dbupgrade + - OTK DB install/upgrade on the gateways MySQL container (MySQL subchart) - ***This is not supported or recommended for production use.*** + - otk.database.useDemodb + - Install/upgrade OTK of type SINGLE on Ephemeral gateways using initContainer is now supported. + - database.enabled: false + - otk.type: SINGLE + - Added OTK Connection properties to support c3p0 settings. + - otk.database.connectionProperties + - Added support OTK read-only connections for MySQL and Oracle. + - otk.database.readOnlyConnection.* + - Added support for OTK policies customization through config maps and secrets. + - otk.customizations.existingBundle.enabled + - OTK DMZ/Internal gateway certs can now be configured using values file. + - otk.cert +> [!Important] +> - To upgrade OTK to 4.6.2 installed over gateway with demo db as database, update helm repo, perform helm delete and install. +> - When upgrading OTK 4.6.2 on a db backed gateway, the gateway will restart as there is a change related to OTK health check bundle in gateway deployment. 
This can lead to failure of OTK upgrade. To circumvent this, please perform a helm upgrade `otk.healthCheckBundle.enabled` set to `false` and then upgrade to the 3.0.17. +> ``` +> helm upgrade my-ssg --set-file "license.value=license.value=path/to/license.xml" --set "license.accept=true,otk.healthCheckBundle.enabled=false" layer7/gateway --version 3.0.16 -f ./values-production.yaml +> helm upgrade my-ssg --set-file "license.value=license.value=path/to/license.xml" --set "license.accept=true" layer7/gateway --version 3.0.17 -f ./values-production.yaml +> ``` + + +## 3.0.16 General Updates +- Added resources to otk install job + - otk.job.resources + +## 3.0.15 General Updates +- Updated [bootstrap script](./README.md#bootstrap-script) + - 'find' replaced with 'du' + +## 3.0.14 General Updates +- Added pod labels and annotations to the otk-install job. + - otk.job.podLabels + - otk.job.podAnnotations + +## 3.0.13 General Updates +- The OTK Install job now uses podSecurity and containerSecurity contexts if set. +- Updated how pod labels and annotations are templated in deployment.yaml + +## 3.0.12 General Updates +Traffic Policies for Gateway Services are now configurable. The Kubernetes default for these options is `Cluster` if left unset. +- [Internal Traffic Policy](https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/#using-service-internal-traffic-policy) +- [External Traffic Policy](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip) + + +## 3.0.11 General Updates +Updates to Gateway Container Lifecycle. 
+- [A new preStop script has been added for graceful termination](./README.md#graceful-termination) + - terminationGracePeriodSeconds must be greater than preStopScript.timeoutSeconds +- Container Lifecycle can be overridden for custom exec/http calls + +## 3.0.10 General Updates +Custom labels and annotations have been extended to all objects the Gateway Chart deploys. Pod Labels and annotations have been added to the Gateway and PM-Tagger deployments. + +- Additional Labels/Annotations apply to everything in this Chart's templates +``` +# Additional Annotations apply to all deployed objects +additionalAnnotations: {} + +# Additional Labels apply to all deployed objects +additionalLabels: {} +``` + +- Pod Labels/Annotations at the base level apply to the Gateway Pod +``` +## Pod Labels for the Gateway Pod +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ +podLabels: {} + +# Pod Annotations apply to the Gateway Pod +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +podAnnotations: {} +``` + +- PM-Tagger pod labels/annotations are separate +``` +pmtagger: + ... 
+ ## Pod Labels for the PM Tagger Pod + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + podLabels: {} + + # Pod Annotations apply to the PM Tagger Pod + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + podAnnotations: {} +``` + +## 3.0.9 Updates to PM-Tagger +PM tagger has following additional configuration options +- [Topology Spread Constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/#spread-constraints-for-pods) +- [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) +- [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) +- [All PM-Tagger Configuration](./README.md#pm-tagger-configuration) + +## 3.0.8 Updates to Hazelcast +The default image tag in values.yaml is updated to **5.2.1** and xsd version in configmap.yaml to **5.2**. The updates are due to vulnerability from CVE-2022-36437. +The updates are applied to both the gateway and gateway-otk chart. + +## 3.0.7 General Updates +The bootstrap script has been updated to reflect changes to the Container Gateway's filesystem. The updates are currently limited to 10.1.00_CR3. Please see the [InitContainer Examples](https://github.com/Layer7-Community/Utilities/tree/main/gateway-init-container-examples) for more info . + +The PM Tagger image default version tag been updated to 1.0.1. + +## 3.0.6 General Updates +The default image tag in values.yaml and production-values.yaml for OTK updated to **4.6.1**. Support for liveness and readiness probes using OTK health check service. + +## 3.0.5 General Updates +The default image tag in values.yaml and production-values.yaml, and the appVersion in Chart.yaml have been updated to **11.0.00**. 
+ +Before upgrading existing deployments, please see the [Container Gateway 11.0 Release Notes](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw-11-0/release-notes_cgw.html) for important information regarding the procedure. + +## 3.0.4 General Updates +OTK installation and upgrade is now supported as part of Gateway charts. Please refer to [OTK Install or Upgrade](./README.md#otk-install-or-upgrade) for more details. +[Gateway-OTK](../gateway-otk) is now deprecated. + +## 3.0.2 General Updates +***The default image tag in values.yaml and production-values.yaml now points at specific GA or CR versions of the API Gateway. The appVersion in Chart.yaml has also been updated to reflect that. As of this release, that is 10.1.00_CR2*** + +To reduce reliance on requiring a custom/derived gateway image for custom and modular assertions, scripts and restman bundles a bootstrap script has been introduced. The script works with the /opt/docker/custom folder. + +The best way to populate this folder is with an initContainer where files can be copied directly across or dynamically loaded from an external source. +- [InitContainer Examples](https://github.com/Layer7-Community/Utilities/tree/main/gateway-init-container-examples) - this repository also contains examples for custom health checks and configuration files. 
+ +The following configuration options have been added +- [Custom Health Checks](./README.md#custom-health-checks) +- [Custom Configuration Files](./README.md#custom-configuration-files) +- [Topology Spread Constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/#spread-constraints-for-pods) +- [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) +- [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) +- [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) +- Http headers can also now be added to the liveness and readiness probes +- Ingress and HPA API Version validation has been updated to check for available APIs vs. KubeVersion +- SubCharts now show image repository and tags + +### Upgrading to Chart v3.0.0 +Please see the 3.0.0 updates, this release brings significant updates and ***breaking changes*** if you are using an external Hazelcast 3.x server. Services and Ingress configuration have also changed. Read the 3.0.0 Updates below and check out the [additional guides](./README.md#additional-guides) for more info. + +## 3.0.0 Updates to Hazelcast +***Hazelcast 4.x/5.x servers are now supported*** this represents a breaking change if you have configured an external Hazelcast 3.x server. +- If you are using Gateway v10.1 and below you will either need to set *hazelcast.legacy.enabled=true* and use the following gateway image *docker.io/caapim/gateway:10.1.00_20220802* or update your external Hazelcast server. +- The included Hazelcast subChart has been updated to reflect this change + +### 3.0.0 Updates to Ingress Configuration +Ingress configuration has been updated to include multiple hosts, please see [Ingress Configuration](./README.md#ingress-configuration) for more detail. 
You will need to update your values.yaml to reflect the changes. + +## 3.0.0 General Updates +- You can now configure [Gateway Ports.](./README.md#port-configuration) + This does not cover Kubernetes Service level configuration which will ***need to be updated*** to reflect your changes. + +- New Management Service + - Provides separation of concerns for external/management traffic. This was previously a manual step. +- [Autoscaling](./README.md#autoscaling) +- [Ingress Configuration](./README.md#ingress-configuration) +- [PM Tagger](./README.md#pm-tagger-configuration) + - PM (Policy Manager) tagger is a lightweight go application that works with the new management service. + - RBAC Role Required if using PM Tagger. +- Default values.yaml restructure + - configuration items more closely aligned +- Added production-values.yaml + - Includes a baseline for production configuration + - Resources are set to minimum recommended values + - Application ports are hardened + - 8080 (disabled) + - 8443 (management features disabled - service is ClusterIP) + - 9443 (configured with management service) + - Autoscaling is enabled + - Ingress is enabled + - Rules are configured for 8443 + - Database is not created - you will need to supply a JDBC Url + +## Changes that will affect you if upgrading from 2.0.1 and below +- MySQL Stable Chart is deprecated - the demo database subChart has been changed to Bitnami MySQL - if your database is NOT externalised you will lose any policy/configuration you have there. +- tls.customKey ==> tls.useSignedCertificates tls.key tls.pass tls.existingSecretName + +## 2.0.6 General Updates +- Fixing bitnami repository dependency issue. + +## 2.0.5 General Updates +- Internal only. + +## 2.0.4 Updates to Secret Management +- Added support for the Kubernetes CSI Driver for gateway bundles. This does not currently extend to environment variables or the Gateway license. 
+- The CSI functionality is optional + +## 2.0.4 General Updates +- Added support for sidecars and initContainers + - volumeMounts are automatically configured with emptyDir +- Updated default values update to reflect empty objects/arrays for optional fields. +- Load the Gateway Deployment's ServiceAccountToken as a stored password for querying the Kubernetes API. + - management.kubernetes.loadServiceAccountToken + +# Java 11 +The Layer7 API Gateway is now running with Java 11 with the release of the v10.1.00. The Gateway chart's version has been incremented to 2.0.2. + +Things to note and be aware of are the deprecation of TLSv1.0/TLSv1.1 and the JAVA_HOME dir has gone through some changes as well. + +## 2.0.2 Updates to Secret Management +- You can now specify existing secrets for Gateway Configuration, DefaultSSLKey (tls) and bundles + +## 2.0.2 General Updates +- Ingress Definition updated to reflect the new API Version, additional configuration added. +- HostAliases applies to /etc/hosts for dns names that aren't available on a dns server. +- System.properties is now mounted to the Gateway Container, default values have been applied. +- You can now reference existing bundles stored in configMaps/Secrets +- NodeSelector and Affinity settings for the Gateway Deployment +- Resources values updated to reflect minimum recommended configuration + +## Upgrading to 2.0.2 +***If you are using the demo database in a previous version of this Chart this upgrade will remove it. If you wish to keep your data you will need to perform a backup.*** +``` +$ helm repo update +$ helm show values layer7/gateway > gateway-values.yaml + +Inspect and update the new gateway-values.yaml + +$ helm upgrade my-ssg --set-file "license.value=path/to/license.xml" --set "license.accept=true" -f ./gateway-values.yaml layer7/gateway +``` \ No newline at end of file diff --git a/charts/gateway/templates/configmap.yaml b/charts/gateway/templates/configmap.yaml index 89cea382..5153261f 100644 
--- a/charts/gateway/templates/configmap.yaml +++ b/charts/gateway/templates/configmap.yaml @@ -27,6 +27,7 @@ data: {{- end }} {{- if .Values.disklessConfig.enabled }} {{- if .Values.database.enabled }} + LIQUIBASE_LOG_LEVEL: {{ default "off" .Values.database.liquibaseLogLevel | quote }} {{- if .Values.database.create }} SSG_DATABASE_JDBC_URL: jdbc:mysql://{{ .Release.Name }}-mysql:3306/{{ .Values.database.name }} {{- else }} diff --git a/charts/gateway/values.yaml b/charts/gateway/values.yaml index 08d4d498..b4894ac3 100644 --- a/charts/gateway/values.yaml +++ b/charts/gateway/values.yaml @@ -182,7 +182,7 @@ config: # Heap Size should be a percentage of the memory configured in resource limits # by default it is 50% - you should not go above 75% heapSize: "2g" - # Gateway v11.1.01 provides min and max heap size options + # Gateway v11.1.1 provides min and max heap size options # If you are using an earlier version of the Gateway, these will be ignored. minHeapSize: "1g" maxHeapSize: "3g" @@ -501,7 +501,7 @@ config: # - host: 192.168.0.1 # port: 26379 - # In Gateway v11.1.01 shared state providers like redis (redis only currently) can be configured in a yaml file. + # In Gateway v11.1.1 shared state providers like redis (redis only currently) can be configured in a yaml file. sharedStateClient: enabled: true # If you are using an existingConfigSecret for more than one shared state client that requires a tls cert, please use the customConfig section to mount @@ -539,6 +539,10 @@ database: # jdbcPort: 3306 username: gateway password: mypassword + # Liquibase log level can be set to one of the following. + # This configuration is only valid from Gateway v11.1.1 onwards. + # severe/warning/info/fine(debug)/off + liquibaseLogLevel: "off" name: ssg ## If loading a TLS Key/Pair From cf771561523c13055244bf28dd9ad7dcbf861859 Mon Sep 17 00:00:00 2001 
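Review bot: The added `LIQUIBASE_LOG_LEVEL` entry passes `database.liquibaseLogLevel` straight through, so a misspelt level (the values.yaml hunk in this commit lists severe/warning/info/fine/off) is only noticed by the Gateway at start-up instead of at `helm template` time. A guard in the template would catch it early: `{{- $lvl := default "off" .Values.database.liquibaseLogLevel }}` / `{{- if not (has $lvl (list "severe" "warning" "info" "fine" "off")) }}{{ fail (printf "database.liquibaseLogLevel must be one of severe/warning/info/fine/off, got %q" $lvl) }}{{- end }}` / `LIQUIBASE_LOG_LEVEL: {{ $lvl | quote }}`. Whether the Gateway also accepts `debug` (the values comment writes `fine(debug)`) is not visible here, so the allowed list should be confirmed before adding the guard. The enclosing `data:` block starts and ends outside the hunk.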
From: Gary Vermeulen
Date: Fri, 12 Jul 2024 03:13:17 +0100
Subject: [PATCH 07/16] updated _helpers.tpl
---
charts/gateway/templates/_helpers.tpl | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/gateway/templates/_helpers.tpl b/charts/gateway/templates/_helpers.tpl
index e8669dc0..215589f0 100644
--- a/charts/gateway/templates/_helpers.tpl
+++ b/charts/gateway/templates/_helpers.tpl
@@ -210,8 +210,8 @@ Define OTK Image Pull Secret Name
 Define Gateway node.properties Secret Name
 */}}
 {{- define "gateway.node.properties" -}}
-{{- if .Values.disklessConfig.existingSecretName -}}
- {{ .Values.disklessConfig.existingSecretName }}
+{{- if .Values.disklessConfig.existingSecret.name -}}
+ {{ .Values.disklessConfig.existingSecret.name }}
 {{- else -}}
 {{- printf "%s-%s" (include "gateway.fullname" .) "node-properties" -}}
 {{- end -}}
From 6b69343333c446d3f1c88c94a702311ebdf004ec Mon Sep 17 00:00:00 2001
From: Gary Vermeulen
Date: Fri, 12 Jul 2024 03:22:30 +0100
Subject: [PATCH 08/16] updated node-properties-secret
---
charts/gateway/templates/node-properties-secret.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/gateway/templates/node-properties-secret.yaml b/charts/gateway/templates/node-properties-secret.yaml
index f4e8aa48..1bcc2e5d 100644
--- a/charts/gateway/templates/node-properties-secret.yaml
+++ b/charts/gateway/templates/node-properties-secret.yaml
@@ -1,4 +1,4 @@
-{{- if and (not .Values.disklessConfig.enabled) (not .Values.disklessConfig.existingSecretName) }}
+{{- if and (not .Values.disklessConfig.enabled) (not .Values.disklessConfig.existingSecret.name) }}
 apiVersion: v1
 kind: Secret
 metadata:
From 37fb2660f13b999ad8dd723d29533ae9ae144a80 Mon Sep 17 00:00:00 2001
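Review bot: `.Values.disklessConfig.existingSecret.name` aborts rendering with a nil-pointer error whenever `disklessConfig.existingSecret` is absent from the supplied values, and this commit touches only _helpers.tpl while the values.yaml and README earlier in the series still declare `disklessConfig.existingSecretName` (unless an intermediate patch not shown here already restructured them). The node-properties-secret.yaml hunk of PATCH 08 on this same line introduces the identical lookup and has the identical problem. A tolerant form keeps older values files rendering: `{{- if and .Values.disklessConfig.existingSecret .Values.disklessConfig.existingSecret.name -}}` in the helper and `(not (and .Values.disklessConfig.existingSecret .Values.disklessConfig.existingSecret.name))` in the secret's condition; `dig "existingSecret" "name" "" .Values.disklessConfig` does the same without relying on short-circuiting `and`.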
From: jennarddy Date: Fri, 12 Jul 2024 15:43:05 -0700 Subject: [PATCH 09/16] [charts/gateway] Update README related to Diskless Configuration (#327) * Update diskless config areas in README.md * Update Database Configuration section in gateway README * Add a minor update to README --- charts/gateway/README.md | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/charts/gateway/README.md b/charts/gateway/README.md index 19b8dbec..e6280f6e 100644 --- a/charts/gateway/README.md +++ b/charts/gateway/README.md @@ -849,7 +849,6 @@ Shared State Providers from Gateway v11.1.1 onwards simplifies the configuration | `config.sharedStateProvider.additionalProviders` | Configure additional shared state providers - example in values.yaml | `[]` | ### Database Configuration -TODO: Update this for no disklessConfig + failover instructions You can configure the deployment to use an external database (this is the recommended approach - the included MySQL SubChart is not supported). In the values.yaml file, set the create field in the database section to false, and set jdbcURL to use your own database server: ``` database: @@ -863,6 +862,13 @@ database: ``` In the above example, two MySQL database servers are specified with myprimaryserver acting as the primary server and mysecondaryserver acting as the secondary server. The failOverReadOnly property is also set to false meaning that the secondary server db is also writable. +When disklessConfig.enabled is false (see [Diskless Configuration](#diskless-configuration)), the following database fields will be ignored: +- jdbcURL +- username +- password + +The values will come from node.properties instead. See [External MySQL](#external-mysql) section. + More info on the JDBC URL: - Connection URL syntax: https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-url-format.html - Failover config: https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-config-failover.html 
@@ -976,7 +982,7 @@ The full default is this [Back to Additional Guides](#additional-guides) ### Diskless Configuration -Refer to [TechDocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/install-configure-upgrade/configuring-the-container-gateway/environment-variables-for-the-container-gateway.html) for more info. Running without Diskless config is supported from Gateway v11.1.1 onwards. Please make sure disklessConfig.enabled is false (default) if you are using a previous version of the Container Gateway. +Refer to [TechDocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/install-configure-upgrade/configuring-the-container-gateway/environment-variables-for-the-container-gateway.html) for more info. Running without Diskless config is supported from Gateway v11.1.1 onwards. Please make sure disklessConfig.enabled is true (default) if you are using a previous version of the Container Gateway. **DISKLESS_CONFIG** is a new environment variable that was introduced in Gateway v11.1.1, that allows switching between configuration sources. 
@@ -1013,15 +1019,12 @@ Example: node.properties with MySQL database configuration node.cluster.pass=mypassword admin.user=admin admin.pass=mypassword -node.db.config.main.host=myDBHost.com -node.db.config.main.port=3306 -node.db.config.main.name=ssg node.db.config.main.user=gateway node.db.config.main.pass=mypassword -l7.mysql.url.parameters.extra=&useSSL=true&requireSSL=true +l7.mysql.connection.url=jdbc:mysql://myprimaryserver:3306,mysecondaryserver:3306/ssg?failOverReadOnly=false&useSSL=true&requireSSL=true ``` -See [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/11-1/install-configure-upgrade/enable-ssl-connections-for-mysql.html) for more details on l7.mysql.url.parameters.extra +See [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/install-configure-upgrade/enable-ssl-connections-for-mysql.html) for more info on setting l7.mysql.connection.url. JDBC URLs like the value provided in database.jdbcUrl can be used as the value of l7.mysql.connection.url in node.properties. ##### Gateway running in Ephemeral Mode (no external MySQL) - To run the Gateway in Ephemeral mode, ***node.db.type=derby*** needs to be added to node.properties @@ -1378,4 +1381,4 @@ The following table lists the configured parameters of the Grafana Subchart - se * Grafana (default: disabled) ==> https://github.com/bitnami/charts/tree/master/bitnami/grafana * Redis (default: disabled) ==>https://github.com/bitnami/charts/tree/master/bitnami/redis -[Back to Additional Guides](#additional-guides) \ No newline at end of file +[Back to Additional Guides](#additional-guides) From 3ba988c929ec5e0bc575aa9d6ec8318a7f4734aa Mon Sep 17 00:00:00 2001 
From: Gary Vermeulen Date: Sat, 13 Jul 2024 00:29:13 +0100 Subject: [PATCH 10/16] addressing pr comments --- charts/gateway/production-values.yaml | 40 +++++++++---------- charts/gateway/templates/_helpers.tpl | 14 ------- charts/gateway/templates/configmap.yaml | 2 +- .../templates/node-properties-secret.yaml | 7 +--- .../templates/shared-state-client-secret.yaml | 6 +-- charts/gateway/values.yaml | 40 +++++++++---------- 6 files changed, 46 insertions(+), 63 deletions(-) diff --git a/charts/gateway/production-values.yaml b/charts/gateway/production-values.yaml index 7fe4211a..b29758b3 100644 --- a/charts/gateway/production-values.yaml +++ b/charts/gateway/production-values.yaml @@ -480,26 +480,26 @@ config: # # path must match ssl.cert in your provider config # path: myRegionalRedisCert.crt # config: {} - # config: - # regional: - # type: sentinel - # keyPrefixGroupName: test - # username: abc - # password: "def" - # commandTimeout: 5000 - # connectTimeout: 10000 - # testOnStart: false - # ssl: - # enabled: true - # cert: myRegionalRedisCert.crt - # verifyPeer: false - # sentinel: - # master: mymaster - # nodes: - # - host: 127.0.0.1 - # port: 26379 - # - host: 192.168.0.1 - # port: 26379 + # config: + # regional: + # type: sentinel + # keyPrefixGroupName: test + # username: abc + # password: "def" + # commandTimeout: 5000 + # connectTimeout: 10000 + # testOnStart: false + # ssl: + # enabled: true + # cert: myRegionalRedisCert.crt + # verifyPeer: false + # sentinel: + # master: mymaster + # nodes: + # - host: 127.0.0.1 + # port: 26379 + # - host: 192.168.0.1 + # port: 26379 # In Gateway v11.1.1 shared state providers like redis (redis only currently) can be configured in a yaml file. sharedStateClient: diff --git a/charts/gateway/templates/_helpers.tpl b/charts/gateway/templates/_helpers.tpl index 215589f0..8f24089e 100644 --- a/charts/gateway/templates/_helpers.tpl +++ b/charts/gateway/templates/_helpers.tpl 
@@ -84,20 +84,6 @@ Create java args to apply. {{- end -}} {{- end -}} -{{/* -Redis sentinel nodes -*/}} -{{- define "gateway.redisSentinelNodes" -}} -{{- if .Values.config.redis.sentinel.enabled }} - {{- if empty .Values.config.redis.sentinel.nodes }} - {{- fail "config.redis.sentinel.nodes is required." }} - {{- end }} - {{- join "," .Values.config.redis.sentinel.nodes }} -{{- end -}} -{{- end -}} - - - {{/* Shared state client secret name */}} diff --git a/charts/gateway/templates/configmap.yaml b/charts/gateway/templates/configmap.yaml index 5153261f..2bf9a53a 100644 --- a/charts/gateway/templates/configmap.yaml +++ b/charts/gateway/templates/configmap.yaml @@ -20,6 +20,7 @@ data: ACCEPT_LICENSE: {{ .Values.license.accept | quote}} DISKLESS_CONFIG: {{ .Values.disklessConfig.enabled | quote }} SSG_CLUSTER_HOST: {{ .Values.clusterHostname }} + LIQUIBASE_LOG_LEVEL: {{ default "off" .Values.database.liquibaseLogLevel | quote }} SSG_JVM_HEAP: {{ .Values.config.heapSize }} {{- if and (.Values.config.minHeapSize) (.Values.config.maxHeapSize) }} SSG_JVM_MIN_HEAP: {{ .Values.config.minHeapSize }} @@ -27,7 +28,6 @@ data: {{- end }} {{- if .Values.disklessConfig.enabled }} {{- if .Values.database.enabled }} - LIQUIBASE_LOG_LEVEL: {{ default "off" .Values.database.liquibaseLogLevel | quote }} {{- if .Values.database.create }} SSG_DATABASE_JDBC_URL: jdbc:mysql://{{ .Release.Name }}-mysql:3306/{{ .Values.database.name }} {{- else }} diff --git a/charts/gateway/templates/node-properties-secret.yaml b/charts/gateway/templates/node-properties-secret.yaml index 1bcc2e5d..60e42858 100644 --- a/charts/gateway/templates/node-properties-secret.yaml +++ b/charts/gateway/templates/node-properties-secret.yaml 
@@ -26,12 +26,9 @@ stringData:
 admin.pass={{ .Values.management.password }}
 {{- if .Values.database.enabled }}
 {{- if .Values.database.create }}
- node.db.config.main.host={{ .Release.Name }}-mysql
- node.db.config.main.port=3306
- node.db.config.main.name={{ .Values.database.name }}
+ l7.mysql.connection.url=jdbc:mysql://{{ .Release.Name }}-mysql:3306/{{ .Values.database.name }}
 {{- else }}
- node.db.config.main.host={{ required "Please set .Values.database.jdbcURL, this should be your database host only" .Values.database.jdbcURL }}
- node.db.config.main.port={{ default 3306 .Values.database.jdbcPort }}
+ l7.mysql.connection.url={{ required "Please set .Values.database.jdbcURL" .Values.database.jdbcURL }}
 {{- end }}
 node.db.config.main.user={{ .Values.database.username }}
 node.db.config.main.pass={{ .Values.database.password }}
diff --git a/charts/gateway/templates/shared-state-client-secret.yaml b/charts/gateway/templates/shared-state-client-secret.yaml
index 0affef11..0048b405 100644
--- a/charts/gateway/templates/shared-state-client-secret.yaml
+++ b/charts/gateway/templates/shared-state-client-secret.yaml
@@ -28,12 +28,12 @@ stringData:
 testOnStart: {{ default "false" .Values.config.redis.testOnStart }}
 {{- if .Values.config.redis.auth.enabled }}
 {{- if .Values.config.redis.auth.username }}
- username: {{.Values.config.redis.auth.username}}
+ username: {{ .Values.config.redis.auth.username | quote }}
 {{- end }}
 {{- if .Values.config.redis.auth.password.encoded }}
- encodedPassword: {{.Values.config.redis.auth.password.value}}
+ encodedPassword: {{ .Values.config.redis.auth.password.value | quote }}
 {{- else }}
- password: {{.Values.config.redis.auth.password.value}}
+ password: {{ .Values.config.redis.auth.password.value | quote }}
 {{- end }}
 {{- end }}
 {{- if .Values.config.redis.sentinel.enabled }}
diff --git a/charts/gateway/values.yaml b/charts/gateway/values.yaml
index b4894ac3..7ecb0981 100644
--- a/charts/gateway/values.yaml
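Review bot: With the host/port/name split removed, the only place MySQL TLS connection parameters can live is the URL itself, but the new `required` message (`Please set .Values.database.jdbcURL`) no longer says so, and the README hunk in PATCH 09 also dropped the `l7.mysql.url.parameters.extra` example; depending on connector defaults, an external database configured through this Secret may fall back to an unencrypted connection unless the operator appends `useSSL=true&requireSSL=true` (or equivalent) to `database.jdbcURL`. Suggest making the message carry that requirement: `required "Please set .Values.database.jdbcURL to the full JDBC URL, including TLS parameters such as ?useSSL=true&requireSSL=true for an external database"`. The `create` branch still renders a bare `jdbc:mysql://<release>-mysql:3306/<name>` with no TLS parameters, which matches the demo-only status of the bundled MySQL but deserves a one-line comment on that line saying so. The enclosing `stringData:` block starts and ends outside the hunk.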
+++ b/charts/gateway/values.yaml @@ -480,26 +480,26 @@ config: # # path must match ssl.cert in your provider config # path: myRegionalRedisCert.crt # config: {} - # config: - # regional: - # type: sentinel - # keyPrefixGroupName: test - # username: abc - # password: "def" - # commandTimeout: 5000 - # connectTimeout: 10000 - # testOnStart: false - # ssl: - # enabled: true - # cert: myRegionalRedisCert.crt - # verifyPeer: false - # sentinel: - # master: mymaster - # nodes: - # - host: 127.0.0.1 - # port: 26379 - # - host: 192.168.0.1 - # port: 26379 + # config: + # regional: + # type: sentinel + # keyPrefixGroupName: test + # username: abc + # password: "def" + # commandTimeout: 5000 + # connectTimeout: 10000 + # testOnStart: false + # ssl: + # enabled: true + # cert: myRegionalRedisCert.crt + # verifyPeer: false + # sentinel: + # master: mymaster + # nodes: + # - host: 127.0.0.1 + # port: 26379 + # - host: 192.168.0.1 + # port: 26379 # In Gateway v11.1.1 shared state providers like redis (redis only currently) can be configured in a yaml file. sharedStateClient: From 6cfddf9b140dce597af40da587c8638296a1a23e Mon Sep 17 00:00:00 2001 From: Gary Vermeulen Date: Sat, 13 Jul 2024 00:33:35 +0100 Subject: [PATCH 11/16] removing redundant database config for node.properties in values.yaml --- charts/gateway/production-values.yaml | 3 --- charts/gateway/values.yaml | 3 --- 2 files changed, 6 deletions(-) diff --git a/charts/gateway/production-values.yaml b/charts/gateway/production-values.yaml index b29758b3..b9b289cf 100644 --- a/charts/gateway/production-values.yaml +++ b/charts/gateway/production-values.yaml 
@@ -534,9 +534,6 @@ database:
 create: false
 # jdbcURL: jdbc:mysql://:/ | jdbc:mysql://:,:/,...
 # Configurable, update the mysql.auth. if you change this and would like to use the demo database server.
- # if disklessConfig.enabled is set to false, jdbcUrl should be set to the jdbcHost
- # jdbcURL:
- # jdbcPort: 3306
 username: gateway
 password: mypassword
 # Liquibase log level can be set to one of the following.
diff --git a/charts/gateway/values.yaml b/charts/gateway/values.yaml
index 7ecb0981..b7e70ed3 100644
--- a/charts/gateway/values.yaml
+++ b/charts/gateway/values.yaml
@@ -534,9 +534,6 @@ database:
 create: true
 # jdbcURL: jdbc:mysql://:/ | jdbc:mysql://:,:/,...
 # Configurable, update the mysql.auth. if you change this and would like to use the demo database server.
- # if disklessConfig.enabled is set to false, jdbcUrl should be set to the jdbcHost
- # jdbcURL:
- # jdbcPort: 3306
 username: gateway
 password: mypassword
 # Liquibase log level can be set to one of the following.
From 9016830ecf402921838310a1cef5f1fa51327aaf Mon Sep 17 00:00:00 2001
From: Gary Vermeulen
Date: Tue, 16 Jul 2024 09:37:06 +0100
Subject: [PATCH 12/16] removed 004 script, reverted deployment.yaml changes
---
charts/gateway/README.md | 11 ++++-------
charts/gateway/release-notes.md | 5 +++++
charts/gateway/templates/configmap.yaml | 5 -----
charts/gateway/templates/deployment.yaml | 19 -------------------
4 files changed, 9 insertions(+), 31 deletions(-)
diff --git a/charts/gateway/README.md b/charts/gateway/README.md
index e6280f6e..8def9819 100644
--- a/charts/gateway/README.md
+++ b/charts/gateway/README.md
@@ -4,6 +4,10 @@ This Chart deploys the API Gateway v10.x onward with the following `optional` su ### Important Note The included MySQL subChart is enabled by default to make trying this chart out easier. ***It is not supported or recommended for production.*** Layer7 assumes that you are deploying a Gateway solution to a Kubernetes environment with an external MySQL database. +## Release notes +- Current Chart Version 3.0.30 + - Please review release notes [here](./release-notes.md) + ## Prerequisites - Kubernetes - [Refer to techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw-11-0/release-notes_cgw/requirements-and-compatibility.html#concept.dita_req_comp_refresh_gw10cr2_platforms) for the latest version support @@ -88,14 +92,7 @@ Helm Version Supported Kubernetes Versions * [Service Metrics Demo](#service-metrics-demo) * [SubChart Configuration](#subchart-configuration) -# Java 17 -The Layer7 API Gateway is now running with Java 17 with the release of v11.1.00. -If you use Policy Manager, you will need to update to v11.1.00. - -## Release notes -- Current Chart Version 3.0.30 - - Please review release notes [here](./release-notes.md) ## Installing the Chart Check out [this guide](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw-10-1/learning-center/thinking-in-kubernetes/hands-on-gateway-deployment-in-kubernetes.html) for more in-depth instruction diff --git a/charts/gateway/release-notes.md b/charts/gateway/release-notes.md index 6fedf96c..1579cbf9 100644 --- a/charts/gateway/release-notes.md +++ b/charts/gateway/release-notes.md 
@@ -2,6 +2,11 @@ Back to [Readme](./README.md#release-notes) +# Java 17 +The Layer7 API Gateway is now running with Java 17 with the release of v11.1.00. + +If you use Policy Manager, you will need to update to v11.1.00. + ## 3.0.30 General Updates Release notes will also be moved to a new file before merge... **Note** Gateway restart required if using preview Redis features. diff --git a/charts/gateway/templates/configmap.yaml b/charts/gateway/templates/configmap.yaml index 2bf9a53a..bd69e590 100644 --- a/charts/gateway/templates/configmap.yaml +++ b/charts/gateway/templates/configmap.yaml @@ -93,11 +93,6 @@ data: system-properties: |- {{ .Values.config.systemProperties | indent 4 }} {{- end }} -{{- if and (not .Values.disklessConfig.enabled) (.Values.disklessConfig.existingSecret.csi) }} - 004-configure-node-properties: |- - #!/bin/bash - cp /opt/docker/node-properties/{{ .Values.disklessConfig.existingSecret.name }} /opt/SecureSpan/Gateway/node/default/etc/conf/node.properties -{{- end }} {{- if .Values.management.kubernetes.loadServiceAccountToken }} 002-load-service-account-token: |- #!/bin/bash diff --git a/charts/gateway/templates/deployment.yaml b/charts/gateway/templates/deployment.yaml index 410f1fb4..20ec4c02 100644 --- a/charts/gateway/templates/deployment.yaml +++ b/charts/gateway/templates/deployment.yaml 
@@ -192,14 +192,9 @@ spec: mountPath: /opt/SecureSpan/Gateway/node/default/etc/conf/system.properties subPath: system.properties {{- if not .Values.disklessConfig.enabled }} - {{- if not .Values.disklessConfig.existingSecret.csi}} - name: {{ template "gateway.fullname" . }}-node-properties mountPath: /opt/SecureSpan/Gateway/node/default/etc/conf/node.properties subPath: node.properties - {{- else }} - - name: {{ template "gateway.fullname" . }}-node-properties - mountPath: /opt/docker/node-properties - {{- end }} {{- end }} {{- if or (.Values.hazelcast.enabled) (.Values.hazelcast.external) }} - name: {{ template "gateway.fullname" . }}-hazelcast-client @@ -313,11 +308,6 @@ spec: subPath: 003-parse-custom-files.sh {{- end }} {{- end }} -{{- if and (not .Values.disklessConfig.enabled) (.Values.disklessConfig.existingSecret.csi)}} - - name: {{ template "gateway.fullname" . }}-configure-node-properties - mountPath: /opt/docker/rc.d/004-configure-node-properties.sh - subPath: 004-configure-node-properties.sh -{{- end }} {{- if .Values.preStopScript }} {{- if .Values.preStopScript.enabled }} - name: {{ template "gateway.fullname" . }}-gracefulshutdown @@ -637,15 +627,6 @@ spec: path: 003-parse-custom-files.sh {{- end }} {{- end }} -{{- if and (not .Values.disklessConfig.enabled) (.Values.disklessConfig.existingSecret.csi)}} - - name: {{ template "gateway.fullname" . }}-configure-node-properties - configMap: - name: {{ template "gateway.fullname" . }}-configmap - items: - - key: 004-configure-node-properties - path: 004-configure-node-properties.sh -{{- end }} - {{- if .Values.preStopScript }} {{- if .Values.preStopScript.enabled }} - name: {{ template "gateway.fullname" . }}-gracefulshutdown From d55468e23b3fcf3d2ca5ef2284d01295da0aaf8c Mon Sep 17 00:00:00 2001 
From: Gary Vermeulen Date: Mon, 29 Jul 2024 09:17:19 +0100 Subject: [PATCH 13/16] updated systemproperties, use bouncy castle, use local for sharedKeyValueStoreProvider --- charts/gateway/README.md | 8 ++++---- charts/gateway/production-values.yaml | 6 +++--- charts/gateway/release-notes.md | 12 ++++++++++++ charts/gateway/values.yaml | 6 +++--- 4 files changed, 22 insertions(+), 10 deletions(-) diff --git a/charts/gateway/README.md b/charts/gateway/README.md index 8def9819..c59fcdc0 100644 --- a/charts/gateway/README.md +++ b/charts/gateway/README.md @@ -664,7 +664,7 @@ This enables integration with [Redis](https://redis.io/). The following sections Comment out the following ``` -# com.l7tech.server.extension.sharedKeyValueStoreProvider=embeddedhazelcast +# com.l7tech.server.extension.sharedKeyValueStoreProvider=local # com.l7tech.server.extension.sharedCounterProvider=ssgdb ``` Uncomment the following @@ -962,12 +962,12 @@ The full default is this systemProperties: |- # Default Gateway system properties # Configuration properties for shared state extensions. - com.l7tech.server.extension.sharedKeyValueStoreProvider=embeddedhazelcast + com.l7tech.server.extension.sharedKeyValueStoreProvider=local com.l7tech.server.extension.sharedCounterProvider=ssgdb com.l7tech.server.extension.sharedClusterInfoProvider=ssgdb # By default, FIPS module will block an RSA modulus from being used for encryption if it has been used for # signing, or visa-versa. Set true to disable this default behaviour and remain backwards compatible. - com.safelogic.cryptocomply.rsa.allow_multi_use=true + com.l7tech.org.bouncycastle.rsa.allow_multi_use=true # Specifies the type of Trust Store (JKS/PKCS12) provided by AdoptOpenJDK that is used by Gateway. # Must be set correctly when Gateway is running in FIPS mode. If not specified it will default to PKCS12. javax.net.ssl.trustStoreType=jks 
@@ -1178,7 +1178,7 @@ This functionality delays Kubernetes sending a SIGTERM to the container gateway The preStop script will monitor connections to inbound (not outbound) Gateway Application TCP ports (i.e. inbound listener ports opened by the Gateway Application and not some other process) except those that are explicitly excluded. The following ports are excluded from monitoring by default. -- 8777 (Hazelcast) - Embedded Hazelcast. +- 8777 (Hazelcast) - Hazelcast. - 2124 (Internode-Communication) - not utilised by the Container Gateway. If there are no open connections, the preStop script will exit immediately ignoring preStopScript.timeoutSeconds to avoid unnecessary resource utilisation (pod stuck in terminating state) during upgrades. diff --git a/charts/gateway/production-values.yaml b/charts/gateway/production-values.yaml index b9b289cf..9a65c082 100644 --- a/charts/gateway/production-values.yaml +++ b/charts/gateway/production-values.yaml @@ -25,7 +25,7 @@ disklessConfig: image: registry: docker.io repository: caapim/gateway - tag: 11.1.00 + tag: 11.1.1 pullPolicy: IfNotPresent # If you are using a Hazelcast 3.x server then you need to set hazelcast.legacy.enabled=true 
@@ -247,12 +247,12 @@ config: systemProperties: |- # Default Gateway system properties # Configuration properties for shared state extensions. - com.l7tech.server.extension.sharedKeyValueStoreProvider=embeddedhazelcast + com.l7tech.server.extension.sharedKeyValueStoreProvider=local com.l7tech.server.extension.sharedCounterProvider=ssgdb com.l7tech.server.extension.sharedClusterInfoProvider=ssgdb # By default, FIPS module will block an RSA modulus from being used for encryption if it has been used for # signing, or visa-versa. Set true to disable this default behaviour and remain backwards compatible. - com.safelogic.cryptocomply.rsa.allow_multi_use=true + com.l7tech.org.bouncycastle.rsa.allow_multi_use=true # Specifies the type of Trust Store (JKS/PKCS12) provided by AdoptOpenJDK that is used by Gateway. # Must be set correctly when Gateway is running in FIPS mode. If not specified it will default to PKCS12. javax.net.ssl.trustStoreType=jks diff --git a/charts/gateway/release-notes.md b/charts/gateway/release-notes.md index 1579cbf9..3d48697d 100644 --- a/charts/gateway/release-notes.md +++ b/charts/gateway/release-notes.md @@ -32,6 +32,18 @@ Release notes will also be moved to a new file before merge... - info - fine(debug) - off + - System Properties + - FIPS + - Switched to BCFIPS 2.0 to provide both non-FIPS and FIPS functionality to the Gateway. + - Previous + - com.safelogic.cryptocomply.rsa.allow_multi_use=true + - New + - com.l7tech.org.bouncycastle.rsa.allow_multi_use=true + - com.l7tech.server.extension.sharedKeyValueStoreProvider + - Previous + - embeddedHazelcast + - New + - local ## 3.0.29 OTK 4.6.3 Released - The default image tag in values.yaml and production-values.yaml for OTK updated to **4.6.3**. diff --git a/charts/gateway/values.yaml b/charts/gateway/values.yaml index b7e70ed3..959dde4b 100644 --- a/charts/gateway/values.yaml +++ b/charts/gateway/values.yaml 
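Review bot: The renamed line `com.l7tech.org.bouncycastle.rsa.allow_multi_use=true` carries over the value that switches off the FIPS module's refusal to use one RSA modulus for both signing and encryption, and the comment above it only describes that as "remain backwards compatible". The same default is written in the values.yaml hunk at the same `@@ -247` offset that follows. I would extend the comment so an operator sees what is being relaxed: `# Set false when signing and SSL/encryption keys are already separate; true keeps legacy single-key deployments working but removes the FIPS key-separation check.` If the new property name only takes effect on the BCFIPS 2.0 image that the release-notes hunk mentions, that image dependency belongs in the comment too.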
@@ -25,7 +25,7 @@ disklessConfig: image: registry: docker.io repository: caapim/gateway - tag: 11.1.00 + tag: 11.1.1 pullPolicy: IfNotPresent # If you are using a Hazelcast 3.x server then you need to set hazelcast.legacy.enabled=true @@ -247,12 +247,12 @@ config: systemProperties: |- # Default Gateway system properties # Configuration properties for shared state extensions. - com.l7tech.server.extension.sharedKeyValueStoreProvider=embeddedhazelcast + com.l7tech.server.extension.sharedKeyValueStoreProvider=local com.l7tech.server.extension.sharedCounterProvider=ssgdb com.l7tech.server.extension.sharedClusterInfoProvider=ssgdb # By default, FIPS module will block an RSA modulus from being used for encryption if it has been used for # signing, or visa-versa. Set true to disable this default behaviour and remain backwards compatible. - com.safelogic.cryptocomply.rsa.allow_multi_use=true + com.l7tech.org.bouncycastle.rsa.allow_multi_use=true # Specifies the type of Trust Store (JKS/PKCS12) provided by AdoptOpenJDK that is used by Gateway. # Must be set correctly when Gateway is running in FIPS mode. If not specified it will default to PKCS12. javax.net.ssl.trustStoreType=jks From 002d685f1542fce2f40eeb0c1296ceb071420c04 Mon Sep 17 00:00:00 2001 From: Gary Vermeulen Date: Mon, 29 Jul 2024 09:27:26 +0100 Subject: [PATCH 14/16] updated ssl settings for redis, added default derby db type when mysql is disabled --- charts/gateway/templates/node-properties-secret.yaml | 3 +++ charts/gateway/templates/shared-state-client-secret.yaml | 2 ++ 2 files changed, 5 insertions(+) diff --git a/charts/gateway/templates/node-properties-secret.yaml b/charts/gateway/templates/node-properties-secret.yaml index 60e42858..7aaab33d 100644 --- a/charts/gateway/templates/node-properties-secret.yaml +++ b/charts/gateway/templates/node-properties-secret.yaml 
@@ -32,5 +32,8 @@ stringData:
 {{- end }}
 node.db.config.main.user={{ .Values.database.username }}
 node.db.config.main.pass={{ .Values.database.password }}
+ {{- else }}
+ node.db.type=derby
+ node.db.config.main.user={{ default "gateway" .Values.database.username }}
 {{- end }}
 {{- end }}
\ No newline at end of file
diff --git a/charts/gateway/templates/shared-state-client-secret.yaml b/charts/gateway/templates/shared-state-client-secret.yaml
index 0048b405..a82472ba 100644
--- a/charts/gateway/templates/shared-state-client-secret.yaml
+++ b/charts/gateway/templates/shared-state-client-secret.yaml
@@ -67,8 +67,10 @@ stringData:
 {{- end }}
 ssl:
 enabled: {{ .Values.config.redis.tls.enabled }}
+ {{- if .Values.config.redis.tls.enabled }}
 cert: redis.crt
 verifyPeer: {{ .Values.config.redis.tls.verifyPeer }}
+ {{- end }}
 {{- if .Values.config.redis.additionalProviders }}
 {{- range .Values.config.redis.additionalProviders }}
 {{- toYaml .config | nindent 6 }}
From 199fb605be82c26e29478627015717ae040f6c00 Mon Sep 17 00:00:00 2001
From: Gary Vermeulen
Date: Tue, 30 Jul 2024 00:54:41 +0100
Subject: [PATCH 15/16] fixed default disklessConfig configuration, removed default min/max jvm settings to avoid unexpected upgrade behaviour
---
 charts/gateway/production-values.yaml | 6 +++---
 charts/gateway/values.yaml | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/charts/gateway/production-values.yaml b/charts/gateway/production-values.yaml
index 9a65c082..f710629c 100644
--- a/charts/gateway/production-values.yaml
+++ b/charts/gateway/production-values.yaml
@@ -14,7 +14,7 @@ disklessConfig:
 # true - environment variables are used for gateway configuration
 # false - node.properties is used for gateway configuration
 enabled: true
- # existingSecret:
+ existingSecret: {}
 # name: gateway-secret
 # csi:
 # driver: secrets-store.csi.k8s.io
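Review bot: The new `{{- else }}` branch writes `node.db.type=derby` and a `node.db.config.main.user`, but unlike the database branch two lines above it emits no `node.db.config.main.pass`, so the rendered node.properties differs in shape between the two modes. If the embedded Derby database needs no credential, the user line looks redundant; if it does, the password is missing — either way a comment above `{{- else }}` should say which, e.g. `{{- /* MySQL disabled: fall back to embedded Derby; only the user entry is needed here */ -}}`. The `{{- if }}` this `else` belongs to starts before the hunk, so the condition it tests is not visible here.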
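Review bot: The new guard renders `cert: redis.crt` and `verifyPeer:` only when `config.redis.tls.enabled` is set, but nothing in the template records that `verifyPeer` left false with TLS on makes the client accept any server certificate, which is the setting a reviewer most needs to see. I would add a comment above the new `{{- if }}`: `{{- /* verifyPeer=false skips server certificate checking; keep it true outside local testing */ -}}`. If `config.redis.tls.verifyPeer` has no default in values.yaml (not visible in this hunk), an unset value would presumably render as empty, so the values file should carry an explicit `verifyPeer: true` alongside the template comment.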
@@ -184,8 +184,8 @@ config:
 heapSize: "2g"
 # Gateway v11.1.1 provides min and max heap size options
 # If you are using an earlier version of the Gateway, these will be ignored.
- minHeapSize: "1g"
- maxHeapSize: "3g"
+ # minHeapSize: "1g"
+ # maxHeapSize: "3g"
 javaArgs:
 - -Dcom.l7tech.bootstrap.autoTrustSslKey=trustAnchor,TrustedFor.SSL,TrustedFor.SAML_ISSUER
 - -Dcom.l7tech.server.audit.message.saveToInternal=false
diff --git a/charts/gateway/values.yaml b/charts/gateway/values.yaml
index 959dde4b..557dbeba 100644
--- a/charts/gateway/values.yaml
+++ b/charts/gateway/values.yaml
@@ -14,7 +14,7 @@ disklessConfig:
 # true - environment variables are used for gateway configuration
 # false - node.properties is used for gateway configuration
 enabled: true
- # existingSecret:
+ existingSecret: {}
 # name: gateway-secret
 # csi:
 # driver: secrets-store.csi.k8s.io
@@ -184,8 +184,8 @@ config:
 heapSize: "2g"
 # Gateway v11.1.1 provides min and max heap size options
 # If you are using an earlier version of the Gateway, these will be ignored.
- minHeapSize: "1g"
- maxHeapSize: "3g"
+ # minHeapSize: "1g"
+ # maxHeapSize: "3g"
 javaArgs:
 - -Dcom.l7tech.bootstrap.autoTrustSslKey=trustAnchor,TrustedFor.SSL,TrustedFor.SAML_ISSUER
 - -Dcom.l7tech.server.audit.message.saveToInternal=false
From 6159c0449e004021956c6aef179e9cf7c589fb48 Mon Sep 17 00:00:00 2001
From: Gary Vermeulen
Date: Thu, 1 Aug 2024 19:25:37 +0100
Subject: [PATCH 16/16] reverted com.l7tech.server.extension.sharedKeyValueStoreProvider change, added a dedicated shared state preview readme section
---
 charts/gateway/README.md | 27 ++++++++++++++++++++++-----
 charts/gateway/production-values.yaml | 3 ++-
 charts/gateway/release-notes.md | 5 -----
 charts/gateway/values.yaml | 3 ++-
 4 files changed, 26 insertions(+), 12 deletions(-)
diff --git a/charts/gateway/README.md b/charts/gateway/README.md
index c59fcdc0..c7e6cbd9 100644
--- a/charts/gateway/README.md
+++ b/charts/gateway/README.md
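Review bot: The comment `# If you are using an earlier version of the Gateway, these will be ignored.` now sits above two commented-out keys, while the commit subject says the defaults were removed to avoid unexpected upgrade behaviour; the file itself never tells an operator why the keys should stay unset. I would change that comment to `# Left unset by default to avoid unexpected behaviour on upgrade; uncomment to set explicit heap bounds on Gateway v11.1.1 or later.` The values.yaml hunk at the same `@@ -184` offset further along this commit has the identical comment and needs the same change.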
@@ -72,6 +72,7 @@ Helm Version Supported Kubernetes Versions * [OTK Install or Upgrade](#otk-install-or-upgrade) * [Ingress Configuration](#ingress-configuration) * [PM Tagger Configuration](#pm-tagger-configuration) +* [Shared State Preview Features](#shared-state-preview-features) * [Redis Configuration](#redis-configuration) * [Shared State Provider Configuration](#shared-state-provider-config) * [OpenTelemetry Configuration](#opentelemetry-configuration) 
@@ -657,14 +658,32 @@ The integration example [here](https://github.com/Layer7-Community/Integrations/ [Back to Additional Guides](#additional-guides) +### Shared State Preview Features +There are two preview features that you may choose to enable with Gateway v11.1.1 onwards. +- [Apply Distributed Rate Limit Assertion (Preview)](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/policy-assertions/assertion-palette/service-availability-assertions/apply-distributed-rate-limit-assertion.html) +- [Key Value Storage Assertions (Preview)](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/policy-assertions/assertion-palette/service-availability-assertions/key-value-storage-assertions.html) + +To use the [Apply Distributed Rate Limit Assertion (Preview)](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/policy-assertions/assertion-palette/service-availability-assertions/apply-distributed-rate-limit-assertion.html), uncomment the following and set it to redis or externalhazelcast +``` +# com.l7tech.server.extension.sharedRateLimiterProvider=redis +``` + +To use the [Key Value Storage Assertions (Preview)](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw11-1/policy-assertions/assertion-palette/service-availability-assertions/key-value-storage-assertions.html), uncomment the following and set sharedKeyValueStoreProvider to redis or externalhazelcast +``` +# com.l7tech.external.assertions.keyvaluestore.sharedKeyValueStoreProvider=redis +# com.l7tech.external.assertions.keyvaluestore.storeIdList=GW_STORE_ID +``` + +[Back to Additional Guides](#additional-guides) + ### Redis Configuration -This enables integration with [Redis](https://redis.io/). The following sections configure a redis configuration file on the Gateway. 
The following properties in config.systemProperties will need to be updated. +This enables integration with [Redis](https://redis.io/) which is a preview feature on the Layer7 Gateway. The following sections configure a redis configuration file on the Gateway. The following properties in config.systemProperties will need to be updated. **Important Note** The latest version of this chart uses a new format for Redis configuration that will simplify configuring additional shared state providers in the future. Please view [shared state provider config](#shared-state-provider-config) for more details. This is only compatible with Gateway v11.1.1. Comment out the following ``` -# com.l7tech.server.extension.sharedKeyValueStoreProvider=local +# com.l7tech.server.extension.sharedKeyValueStoreProvider=embeddedhazelcast # com.l7tech.server.extension.sharedCounterProvider=ssgdb ``` Uncomment the following @@ -672,8 +691,6 @@ Uncomment the following # com.l7tech.server.extension.sharedKeyValueStoreProvider=redis # com.l7tech.server.extension.sharedCounterProvider=redis # com.l7tech.server.extension.sharedRateLimiterProvider=redis -# com.l7tech.external.assertions.keyvaluestore.sharedKeyValueStoreProvider=redis -# com.l7tech.external.assertions.keyvaluestore.storeIdList=GW_STORE_ID ``` | Parameter | Description | Default | @@ -962,7 +979,7 @@ The full default is this systemProperties: |- # Default Gateway system properties # Configuration properties for shared state extensions. - com.l7tech.server.extension.sharedKeyValueStoreProvider=local + com.l7tech.server.extension.sharedKeyValueStoreProvider=embeddedhazelcast com.l7tech.server.extension.sharedCounterProvider=ssgdb com.l7tech.server.extension.sharedClusterInfoProvider=ssgdb # By default, FIPS module will block an RSA modulus from being used for encryption if it has been used for diff --git a/charts/gateway/production-values.yaml b/charts/gateway/production-values.yaml index f710629c..a79aaecc 100644 
--- a/charts/gateway/production-values.yaml +++ b/charts/gateway/production-values.yaml @@ -247,7 +247,7 @@ config: systemProperties: |- # Default Gateway system properties # Configuration properties for shared state extensions. - com.l7tech.server.extension.sharedKeyValueStoreProvider=local + com.l7tech.server.extension.sharedKeyValueStoreProvider=embeddedhazelcast com.l7tech.server.extension.sharedCounterProvider=ssgdb com.l7tech.server.extension.sharedClusterInfoProvider=ssgdb # By default, FIPS module will block an RSA modulus from being used for encryption if it has been used for @@ -262,6 +262,7 @@ config: # com.l7tech.server.extension.sharedKeyValueStoreProvider=redis # com.l7tech.server.extension.sharedCounterProvider=redis # com.l7tech.server.extension.sharedRateLimiterProvider=redis + # Shared state provider preview settings # com.l7tech.external.assertions.keyvaluestore.sharedKeyValueStoreProvider=redis # com.l7tech.external.assertions.keyvaluestore.storeIdList=GW_STORE_ID # If you would like to use the built in OpenTelemetry SDK uncomment and set the following configuration diff --git a/charts/gateway/release-notes.md b/charts/gateway/release-notes.md index 3d48697d..03fd45e8 100644 --- a/charts/gateway/release-notes.md +++ b/charts/gateway/release-notes.md @@ -39,11 +39,6 @@ Release notes will also be moved to a new file before merge... - com.safelogic.cryptocomply.rsa.allow_multi_use=true - New - com.l7tech.org.bouncycastle.rsa.allow_multi_use=true - - com.l7tech.server.extension.sharedKeyValueStoreProvider - - Previous - - embeddedHazelcast - - New - - local ## 3.0.29 OTK 4.6.3 Released - The default image tag in values.yaml and production-values.yaml for OTK updated to **4.6.3**. diff --git a/charts/gateway/values.yaml b/charts/gateway/values.yaml index 557dbeba..31cd3c3c 100644 --- a/charts/gateway/values.yaml +++ b/charts/gateway/values.yaml 
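Review bot: The added `# Shared state provider preview settings` line lands between two commented-out groups, so it reads as if only the two `keyvaluestore` lines beneath it are preview while `# com.l7tech.server.extension.sharedRateLimiterProvider=redis` just above is not — yet the README section added in this same commit lists the distributed rate-limit assertion as a preview feature that uses that property. I would either move the comment above the `sharedRateLimiterProvider` line or make the scope explicit: `# Shared state provider preview settings (Gateway v11.1.1+; see README "Shared State Preview Features")`. The same line is added in the values.yaml hunk that follows.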
@@ -247,7 +247,7 @@ config:
 systemProperties: |-
 # Default Gateway system properties
 # Configuration properties for shared state extensions.
- com.l7tech.server.extension.sharedKeyValueStoreProvider=local
+ com.l7tech.server.extension.sharedKeyValueStoreProvider=embeddedhazelcast
 com.l7tech.server.extension.sharedCounterProvider=ssgdb
 com.l7tech.server.extension.sharedClusterInfoProvider=ssgdb
 # By default, FIPS module will block an RSA modulus from being used for encryption if it has been used for
@@ -262,6 +262,7 @@ config:
 # com.l7tech.server.extension.sharedKeyValueStoreProvider=redis
 # com.l7tech.server.extension.sharedCounterProvider=redis
 # com.l7tech.server.extension.sharedRateLimiterProvider=redis
+ # Shared state provider preview settings
 # com.l7tech.external.assertions.keyvaluestore.sharedKeyValueStoreProvider=redis
 # com.l7tech.external.assertions.keyvaluestore.storeIdList=GW_STORE_ID
 # If you would like to use the built in OpenTelemetry SDK uncomment and set the following configuration