Merge pull request #288 from CAAPIM/gateway_3_0_21

charts/gateway general updates
CAAPIM · Jan 25, 2024 · fbe4444 · fbe4444
2 parents 425dc15 + d0cf2e2
commit fbe4444
Show file tree

Hide file tree

Showing 5 changed files with 138 additions and 64 deletions.
diff --git a/charts/gateway/Chart.yaml b/charts/gateway/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: "11.0.00_CR2"
 description: This Helm Chart deploys the Layer7 Gateway in Kubernetes.
 name: gateway
-version: 3.0.20
+version: 3.0.21
 type: application
 home: https://github.com/CAAPIM/apim-charts
 maintainers:

diff --git a/charts/gateway/README.md b/charts/gateway/README.md
@@ -5,11 +5,40 @@ This Chart deploys the API Gateway v10.x onward with the following `optional` su
 The included MySQL subChart is enabled by default to make trying this chart out easier. ***It is not supported or recommended for production.*** Layer7 assumes that you are deploying a Gateway solution to a Kubernetes environment with an external MySQL database.
 
 ## Prerequisites
-- Kubernetes 1.24.x
+- Kubernetes
   - [Refer to techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw-11-0/release-notes_cgw/requirements-and-compatibility.html#concept.dita_req_comp_refresh_gw10cr2_platforms) for the latest version support
-- Helm v3.7.x
+- Helm v3.x
+  - Refer to the [Helm Documentation](https://helm.sh/docs/topics/version_skew/#supported-version-skew) for their compatibility matrix
 - Gateway v10.x or v11.x License
 
+#### Note
+It's important that your Kubernetes Client and Server versions are compatible.
+
+You can verify this by running the following
+```
+kubectl version
+```
+output
+```
+Client Version: v1.29.1
+Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
+Server Version: v1.27.6+b49f9d1
+WARNING: version difference between client (1.29) and server (1.27) exceeds the supported minor version skew of +/-1
+```
+The above message indicates that the client version (kubectl) is greater than the server version by more than 1 minor version. This may cause unforseen errors when using Kubectl or Helm.
+
+Please also check your Helm version against [this](https://helm.sh/docs/topics/version_skew/#supported-version-skew) compatibility matrix
+```
+helm version
+```
+output
+```
+version.BuildInfo{Version:"v3.13.3", GitCommit:"c8b948945e52abba22ff885446a1486cb5fd3474", GitTreeState:"clean", GoVersion:"go1.21.5"}
+
+Helm Version    Supported Kubernetes Versions
+3.13.x         	1.28.x - 1.25.x
+```
+
 ## Optional
 - Persistent Volume Provisioner (if using PVC for the Demo MySQL Database or Service Metrics example with Grafana or InfluxDb)
 
@@ -37,6 +66,15 @@ The Layer7 API Gateway is now running with Java 11 with the release of the v10.1
 
 Things to note and be aware of are the deprecation of TLSv1.0/TLSv1.1 and the JAVA_HOME dir has gone through some changes as well.
 
+## 3.0.21 General Updates
+- Updated [Redis Configuration](#redis-configuration)
+  - More context added for creating your own redis properties file
+  - More context added for Redis auth
+    - note: the Gateway only supports Redis master auth
+  - Removed comments from values.yaml
+- Added Graphman Bundle support to the bootstrap script
+  - files that end in .json will be copied into the bootstrap folder
+
 
 ## 3.0.20 General Updates
 - Updated image
@@ -809,6 +847,59 @@ Uncomment the following
 | `config.redis.tls.verifyPeer`    | Verify Peer             | `true` |
 | `config.redis.tls.redisCrt`    | Redis Public Cert            | `` |
 
+#### Creating your own Redis Configuration
+Please refer to [Techdocs](https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/congw-11-0/install-configure-upgrade/connect-to-an-external-redis-datastore.html) for more context on the available configuration options
+
+#### Note
+The Gateway supports Redis master auth only. The Gateway will not be able to connect to Redis if your Sentinel nodes have passwords. Please refer to the notes in values.yaml for details on config.redis.auth and redis.auth (subChart)
+
+##### Redis Sentinel
+redis.properties
+```
+# Redis type can be sentinel or standalone
+# standalone does not support SSL or Auth
+ redis.type=sentinel
+ redis.sentinel.nodes=node1:26379,node2:26379,node3:26379
+## Credentials are optional
+ redis.sentinel.username=redisuser
+# Password can be plaintext or encoded
+ redis.sentinel.password=redispassword
+ redis.sentinel.encodedPassword=redisencodedpassword
+# SSL is optional
+ redis.ssl=true
+ redis.ssl.cert=redis.crt
+ redis.ssl.verifypeer=true
+# Additional Config
+ redis.key.prefix.grpname=l7GW
+ redis.commandTimeout=5000
+ ```
+
+##### Redis Standalone (11.0.00_CR2 and later)
+The Gateway does not support SSL or Authentication when connecting to a standalone Redis instance. This configuration should only be used for development purposes
+
+redis.properties
+```
+# Redis type can be sentinel or standalone
+# standalone does not support SSL or Auth
+ redis.type=standalone
+ redis.hostname=redis-standalone
+ redis.port=6379
+ redis.key.prefix.grpname=l7GW
+ redis.commandTimeout=5000
+ ```
+
+##### Create a secret from this configuration
+```
+kubectl create secret generic redis-config-secret --from-file=redis.properties=/path/to/redis.properties
+```
+my-values.yaml
+```
+redis:
+    enabled: true
+    existingConfigSecret: redis-config-secret
+```
+
+
 ### Database Configuration
 You can configure the deployment to use an external database (this is the recommended approach - the included MySQL SubChart is not supported). In the values.yaml file, set the create field in the database section to false, and set jdbcURL to use your own database server:
 ```
@@ -1202,7 +1293,8 @@ The following table lists the configured parameters of the Grafana Subchart - se
 | `grafana.datasources.secretName`                | Configures an InfluxDb Datasource.   | `see values.yaml` |
 
 ### Subcharts
-*  Hazelcast (default: disabled) ==> https://github.com/helm/charts/tree/master/stable/hazelcast
-*  MySQL (default: enabled)  ==> https://github.com/bitnami/charts/tree/master/bitnami/mysql
-*  InfluxDb (default: disabled) ==> https://github.com/influxdata/helm-charts/tree/master/charts/influxdb
-*  Grafana (default: disabled) ==> https://github.com/bitnami/charts/tree/master/bitnami/grafana
+*  Hazelcast  (default: disabled) ==> https://github.com/helm/charts/tree/master/stable/hazelcast
+*  MySQL      (default: enabled)  ==> https://github.com/bitnami/charts/tree/master/bitnami/mysql
+*  InfluxDb   (default: disabled) ==> https://github.com/influxdata/helm-charts/tree/master/charts/influxdb
+*  Grafana    (default: disabled) ==> https://github.com/bitnami/charts/tree/master/bitnami/grafana
+*  Redis      (default: disabled) ==>https://github.com/bitnami/charts/tree/master/bitnami/redis
diff --git a/charts/gateway/production-values.yaml b/charts/gateway/production-values.yaml
@@ -219,6 +219,7 @@ config:
     # com.l7tech.server.extension.sharedCounterProvider=redis
     # com.l7tech.server.extension.sharedRateLimiterProvider=redis
     # Additional properties go here
+
  # If enabled this will override the default listen ports and their configuration in the API Gateway
   listenPorts:
     custom:
@@ -360,38 +361,18 @@ config:
   redis:
     # enable or disable redis integration
     # please uncomment the 3 redis properties in config.systemProperties
+    # Redis client properties for configuring Redis Standalone or Redis Sentinel connections
     enabled: false
-    # Use an existing secret for Redis configuration
-    # redis configuration must have a key called redis.properties
+    # We recommend using an existing secret for Redis configuration in production environments
+    # for separation of concerns and to better secure Redis client property secrets.
+    # redis configuration must have a key called redis.properties (see the Redis Configuration in the readme for more details)
     # existingConfigSecret: redis-config-secret
-    # below is an example configuration for Redis Sentinel
-    #### redis.properties
-    ## Redis type can be sentinel or standalone
-    ## standalone does not support SSL or Auth
-    # redis.type=sentinel
-    # redis.sentinel.nodes=node1:26379,node2:26379,node3:26379
-    ### Credentials are optional
-    # redis.sentinel.username=redisuser
-    ## Password can be plaintext or encoded
-    # redis.sentinel.password=redispassword
-    # redis.sentinel.encodedPassword=redisencodedpassword
-    ## SSL is optional
-    # redis.ssl=true
-    # redis.ssl.cert=redis.crt
-    # redis.ssl.verifypeer=true
-    ## Additional Config
-    # redis.key.prefix.grpname=l7GW
-    # redis.commandTimeout=5000
-
-    # kubectl create secret generic redis-config-secret --from-file redis.properties
-    subChart:
-      # If the subChart is enabled, configuration from redis in the subCharts section
-      # will need to match the auth and tls settings here. This is true by default so no
-      # changes will be required
-      # Using Redis as a subChart is not recommended in production, please use your own Redis for this integration.
-      enabled: false
+    # To configure the Redis client directly in this values file uncomment and/or set the following client properties
     groupName: l7GW
     commandTimeout: 5000
+    # The Gateway supports Redis master auth only.
+    # If trying out auth using the subChart redis.auth.enabled should be true, and redis.auth.sentinel should be false (default)
+    # If redis.auth.sentinel is enabled in the redis subChart or on your External Redis Sentinel Deployment, the Gateway will fail to start.
     auth:
       enabled: false
     # username: username
@@ -421,6 +402,14 @@ config:
       #   MIIEGzCCAwOgAwIBAgIRANzOj1Mgxk7VRFClPaQnUGgwDQYJKoZIhvcNAQELBQAw
       #   ....
       #   -----END CERTIFICATE-----
+    # Enable subChart to have Helm optionally deploy Redis Sentinel/Standalone with your gateways.
+    subChart:
+      # If the subChart is enabled, configuration from redis in the subCharts section
+      # will need to match the auth and tls settings here. This is true by default so no
+      # changes will be required
+      # Using Redis as a subChart is not recommended in production, please use your own Redis for this integration.
+      enabled: false
+
 
 ## Reference an existing secret for sensitive Gateway fields
 ## Note that additionalSecret will no longer take effect when existingGatewaySecret is set.
@@ -1029,7 +1018,9 @@ installSolutionKits:
 # Settings for Redis - https://github.com/bitnami/charts/tree/master/bitnami/redis
 redis:
   auth:
+    # The Gateway supports Redis master auth in sentinel mode only, set this value to true to enable auth.
     enabled: false
+    # Sentinel auth which enables password authentication on sentinels too is not supported by the Gateway and should remain false
     sentinel: false
     password: "mypassword"
   tls:

diff --git a/charts/gateway/templates/configmap.yaml b/charts/gateway/templates/configmap.yaml
@@ -186,7 +186,8 @@ data:
         done
     }
     
-    copy "bundles" ".bundle" $BUNDLE_DIR $TARGET_BUNDLE_DIR
+    copy "restman bundles" ".bundle" $BUNDLE_DIR $TARGET_BUNDLE_DIR
+    copy "graphman bundles" ".json" $BUNDLE_DIR $TARGET_BUNDLE_DIR
     copy "custom assertions" ".jar" $CUSTOM_ASSERTIONS_DIR $TARGET_CUSTOM_ASSERTIONS_DIR
     copy "modular assertions" ".aar" $MODULAR_ASSERTIONS_DIR $TARGET_MODULAR_ASSERTIONS_DIR
     copy "external libraries" ".jar" $EXTERNAL_LIBRARIES_DIR $TARGET_EXTERNAL_LIBRARIES_DIR

diff --git a/charts/gateway/values.yaml b/charts/gateway/values.yaml
@@ -361,38 +361,18 @@ config:
   redis:
     # enable or disable redis integration
     # please uncomment the 3 redis properties in config.systemProperties
+    # Redis client properties for configuring Redis Standalone or Redis Sentinel connections
     enabled: false
-    # Use an existing secret for Redis configuration
-    # redis configuration must have a key called redis.properties
+    # We recommend using an existing secret for Redis configuration in production environments
+    # for separation of concerns and to better secure Redis client property secrets.
+    # redis configuration must have a key called redis.properties (see the Redis Configuration in the readme for more details)
     # existingConfigSecret: redis-config-secret
-    # below is an example configuration for Redis Sentinel
-    #### redis.properties
-    ## Redis type can be sentinel or standalone
-    ## standalone does not support SSL or Auth
-    # redis.type=sentinel
-    # redis.sentinel.nodes=node1:26379,node2:26379,node3:26379
-    ### Credentials are optional
-    # redis.sentinel.username=redisuser
-    ## Password can be plaintext or encoded
-    # redis.sentinel.password=redispassword
-    # redis.sentinel.encodedPassword=redisencodedpassword
-    ## SSL is optional
-    # redis.ssl=true
-    # redis.ssl.cert=redis.crt
-    # redis.ssl.verifypeer=true
-    ## Additional Config
-    # redis.key.prefix.grpname=l7GW
-    # redis.commandTimeout=5000
-
-    # kubectl create secret generic redis-config-secret --from-file redis.properties
-    subChart:
-      # If the subChart is enabled, configuration from redis in the subCharts section
-      # will need to match the auth and tls settings here. This is true by default so no
-      # changes will be required
-      # Using Redis as a subChart is not recommended in production, please use your own Redis for this integration.
-      enabled: false
+    # To configure the Redis client directly in this values file uncomment and/or set the following client properties
     groupName: l7GW
     commandTimeout: 5000
+    # The Gateway supports Redis master auth only.
+    # If trying out auth using the subChart redis.auth.enabled should be true, and redis.auth.sentinel should be false (default)
+    # If redis.auth.sentinel is enabled in the redis subChart or on your External Redis Sentinel Deployment, the Gateway will fail to start.
     auth:
       enabled: false
     # username: username
@@ -422,6 +402,14 @@ config:
       #   MIIEGzCCAwOgAwIBAgIRANzOj1Mgxk7VRFClPaQnUGgwDQYJKoZIhvcNAQELBQAw
       #   ....
       #   -----END CERTIFICATE-----
+    # Enable subChart to have Helm optionally deploy Redis Sentinel/Standalone with your gateways.
+    subChart:
+      # If the subChart is enabled, configuration from redis in the subCharts section
+      # will need to match the auth and tls settings here. This is true by default so no
+      # changes will be required
+      # Using Redis as a subChart is not recommended in production, please use your own Redis for this integration.
+      enabled: false
+
 
 ## Reference an existing secret for sensitive Gateway fields
 ## Note that additionalSecret will no longer take effect when existingGatewaySecret is set.
@@ -1030,7 +1018,9 @@ installSolutionKits:
 # Settings for Redis - https://github.com/bitnami/charts/tree/master/bitnami/redis
 redis:
   auth:
+    # The Gateway supports Redis master auth in sentinel mode only, set this value to true to enable auth.
     enabled: false
+    # Sentinel auth which enables password authentication on sentinels too is not supported by the Gateway and should remain false
     sentinel: false
     password: "mypassword"
   tls: