description |
---|
This article covers how to install and configure APIM with Gravitee's official Helm chart |
This guide will walk you through how to install APIM on a Kubernetes cluster using our official Helm chart.
Additionally, the Helm chart supports a variety of configuration types and database options. Gravitee Helm Chart parameters, default values, and other configuration details are summarized in the following sections:
The following command line tools must be installed:
- Add the Gravitee Helm Chart repo:

```sh
helm repo add graviteeio https://helm.gravitee.io
```

- Install the chart from the Helm repo by specifying the desired release. The example below uses `graviteeio-apim4x`.
{% hint style="warning" %}
Dedicated namespace

To prevent potential issues, it is best practice to create a separate namespace for your installation and avoid using the default Kubernetes namespace. This is not mandatory, but the installation command below follows this recommendation.
{% endhint %}
{% tabs %}
{% tab title="Dedicated Namespace" %}
To install the Helm Chart using a dedicated namespace (e.g., `gravitee-apim`), run the following command:

{% code overflow="wrap" %}
```sh
helm install graviteeio-apim4x graviteeio/apim --create-namespace --namespace gravitee-apim
```
{% endcode %}
{% endtab %}

{% tab title="Default Namespace" %}
To install the Helm Chart using the default namespace (not recommended), run the following command:

```sh
helm install graviteeio-apim4x graviteeio/apim
```
{% endtab %}
{% endtabs %}
{% hint style="info" %}
Installation tips

Specify each parameter using `helm install` and `--set key=value[,key=value]`.

Alternatively, provide a YAML file that specifies the values for the parameters when installing the chart. For example:

```sh
helm install my-release -f values.yaml gravitee
```

By default, APIM uses the values in the `values.yml` config file during installation. These can be modified via the parameters in the configuration tables.
{% endhint %}
- (Optional) Alternatively, you can package this chart directory into a chart archive:

```sh
helm package .
```

To install the chart using the chart archive, run:

```sh
helm install apim-4.0.0.tgz
```
By default, the Helm Chart creates a ServiceAccount that enables Gravitee API Management (APIM) to connect to the Kubernetes API. This allows Kubernetes ConfigMaps and Secrets to initialize Gravitee settings.
Roles enable use of the service account:
- By default, the service account created does not have a cluster role.
- The Helm Chart includes an option to configure the service account to use a cluster role.
- To access a Secret, create a role within your namespace.
- To deploy in another namespace from which you will access a Secret, create another role in that namespace. The two roles can have the same name but are completely separate objects. Each role only provides access to the namespace in which it is created.
Application settings must be defined as follows:
- Secret settings: `kubernetes://<namespace>/secrets/<my-secret-name>/<my-secret-key>`
- ConfigMap settings: `kubernetes://<namespace>/configmaps/<my-configmap-name>/<my-configmap-key>`

For example, the MongoDB URI initialized from the `mongo` Secret deployed in the `default` namespace is defined as:

```yaml
mongo:
  uri: kubernetes://default/secrets/mongo/mongouri
```
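The two passages above (the namespaced Role for the ServiceAccount, and the `kubernetes://` form of a setting) fit together as one least-privilege setup. The manifests below are an added example, not part of the Gravitee documentation or chart: a Secret holding the MongoDB URI, a Role that lets the chart's ServiceAccount read only that one named Secret (plus ConfigMaps), the RoleBinding, and the matching `mongo.uri` value. The namespace `gravitee-apim`, the Secret name `mongo` with key `mongouri`, and the ServiceAccount name `graviteeio-apim-serviceaccount` are assumptions; the URI value is a constructed placeholder.

```yaml
# Added example (not from the Gravitee chart): least-privilege RBAC for the
# chart's ServiceAccount plus the kubernetes:// reference that uses it.
# Assumptions: namespace "gravitee-apim", Secret "mongo" with key "mongouri",
# ServiceAccount "graviteeio-apim-serviceaccount".
---
apiVersion: v1
kind: Secret
metadata:
  name: mongo
  namespace: gravitee-apim
type: Opaque
stringData:
  # Constructed placeholder; the real credential never goes into values.yml.
  mongouri: mongodb://apim:REPLACE_ME@mongo-0.mongo:27017/gravitee?replicaSet=rs0
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: apim-read-settings
  namespace: gravitee-apim
rules:
  # Secrets: only "get", and only the Secret the settings reference.
  # resourceNames restrict get but not list/watch, so those verbs are omitted here.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["mongo"]
    verbs: ["get"]
  # ConfigMaps carry non-secret settings; reading and watching them is fine.
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: apim-read-settings
  namespace: gravitee-apim
subjects:
  - kind: ServiceAccount
    name: graviteeio-apim-serviceaccount   # assumed; confirm with: kubectl get sa -n gravitee-apim
    namespace: gravitee-apim
roleRef:
  kind: Role
  name: apim-read-settings
  apiGroup: rbac.authorization.k8s.io
---
# values.yml fragment: the URI is resolved from the Secret at start-up, so the
# chart values and the rendered ConfigMap contain only the reference.
mongo:
  uri: kubernetes://gravitee-apim/secrets/mongo/mongouri
```

Because the Role is namespaced, a second APIM deployment in another namespace needs its own Role and RoleBinding there, as the list above says. To check the binding before installing the chart, run `kubectl auth can-i get secrets/mongo -n gravitee-apim --as=system:serviceaccount:gravitee-apim:graviteeio-apim-serviceaccount`; it should answer `yes` for that Secret and `no` for any other.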
DB-less mode, development deployment, external, and shared configuration types are described in detail below.
{% tabs %}
{% tab title="DB-less mode" %}
DB-less mode allows a Gateway to be deployed with no dependencies, assuming only that there is an operator running in the same cluster or namespace. Although the setup does not include Elasticsearch or MongoDB, analytics can still be configured using a custom reporter such as Datadog, TCP with Logstash, etc.

Below is the minimum `values-dbless.yml` APIM configuration required by a DB-less deployment. Change the `domain` value and run the following command:

```sh
helm install gravitee-apim graviteeio/apim -f values-dbless.yml
```
{% code title="values-dbless.yaml" %}
```yaml
api:
  enabled: false
portal:
  enabled: false
ui:
  enabled: false
es:
  enabled: false
ratelimit:
  type: none
gateway:
  replicaCount: 1
  autoscaling:
    enabled: false
  ingress:
    enabled: false
  image:
    repository: graviteeio/apim-gateway
    tag: 4.1
    pullPolicy: Always
  services:
    sync:
      kubernetes:
        enabled: true
  dbLess: true
  reporters:
    elasticsearch:
      enabled: false
```
{% endcode %}
{% hint style="info" %}
The above is just one example of a DB-less mode configuration. Note that if DB-less mode is configured without a running APIM instance to sync with, the `management-context` resource serves no purpose.
{% endhint %}
{% endtab %}
{% tab title="Dev deployment" %}
Below is the minimum `value-light.yml` configuration required by a development deployment. Change the `domain` value and run the following command:

{% hint style="warning" %}
Do not use `value-light.yml` in production.
{% endhint %}

```sh
helm install gravitee-apim graviteeio/apim -f value-light.yml
```
```yaml
# Deploy an elasticsearch cluster.
elasticsearch:
  enabled: true
# Elasticsearch uri, do not change.
es:
  endpoints:
    - http://graviteeio-apim-elasticsearch-ingest-hl:9200
# Deploy a mongoDB cluster.
mongodb:
  enabled: true
# MongoDB uri, do not change.
mongo:
  uri: mongodb://graviteeio-apim-mongodb-replicaset-headless:27017/gravitee?replicaset=rs0&connectTimeoutMS=30000
# Change the ingress host with your host domain.
# no TLS provided here. Check the documentation if needed.
api:
  ingress:
    management:
      hosts:
        - management-api.mydomain.com
    portal:
      hosts:
        - management-api.mydomain.com
# Change the ingress host with your host domain.
# no TLS provided here. Check the documentation if needed.
gateway:
  ingress:
    hosts:
      - gateway.mydomain.com
# Change the ingress host with your host domain.
# no TLS provided here. Check the documentation if needed.
portal:
  ingress:
    hosts:
      - portal.mydomain.com
# Change the ingress host with your host domain.
# no TLS provided here. Check the documentation if needed.
ui:
  ingress:
    hosts:
      - management-ui.mydomain.com
```
{% endtab %}
{% tab title="External configuration" %}
To use an external configuration file, such as `gravitee.yaml` for the Gateway or API management, or `constant.json` for the UI, add the following to the Helm Chart (`gravitee-config-configmap-name` is the name of the ConfigMap that contains the external configuration file):

```yaml
extraVolumes: |
  - name: config
    configMap:
      name: gravitee-config-configmap-name
```

{% hint style="warning" %}
External configuration files are only available for:
- AE Helm Charts 1.1.42 and later
- AM Helm Charts 1.0.53 and later
- APIM Helm Charts 3.1.60 and later
{% endhint %}
{% endtab %}
{% tab title="Shared configuration" %}
To configure common features such as:
- Chaos testing: See chaoskube chart
- Configuration database: See mongodb chart
- Logs database: See elasticsearch chart

Parameter | Description | Default |
---|---|---|
chaos.enabled | Enable Chaos test | false |
inMemoryAuth.enabled | Enable oauth login | true |
ldap.enabled | Enable LDAP login | false |
{% endtab %}
{% endtabs %}
Gravitee supports MongoDB, PostgreSQL, Elasticsearch, and Redis configurations. Installation instructions and parameters are detailed below.

{% tabs %}
{% tab title="MongoDB" %}
To install MongoDB with Helm:

```sh
helm install mongodb bitnami/mongodb --set auth.rootPassword=r00t
```
MongoDB connections

There are three ways to configure MongoDB connections.

- The simplest way is to provide the MongoDB URI.

Parameter | Description | Default |
---|---|---|
mongo.uri | Mongo URI | null |

- If no `mongo.uri` is provided, you can provide a `mongo.servers` raw definition in combination with `mongo.dbname` and an authentication configuration:

```yaml
mongo:
  servers: |
    - host: mongo1
      port: 27017
    - host: mongo2
      port: 27017
  dbname: gravitee
  auth:
    enabled: false
    username:
    password:
```

- If neither `mongo.uri` nor `mongo.servers` is provided, you must define the following configuration options:

Parameter | Description | Default |
---|---|---|
mongo.rsEnabled | Whether Mongo replicaset is enabled or not | true |
mongo.rs | Mongo replicaset name | rs0 |
mongo.dbhost | Mongo host address | mongo-mongodb-replicaset |
mongo.dbport | Mongo host port | 27017 |
mongo.dbname | Mongo DB name | gravitee |
mongo.auth.enabled | Enable Mongo DB authentication | false |
mongo.auth.username | Mongo DB username | null |
mongo.auth.password | Mongo DB password | null |

Other keys

Parameter | Description | Default |
---|---|---|
mongo.sslEnabled | Enable SSL connection to MongoDB | false |
mongo.socketKeepAlive | Enable keep alive for socket | false |
Mongo replica set

{% hint style="warning" %}
The mongodb-replicaset installed by Gravitee is NOT recommended in production. It should be used for testing purposes and running APIM locally.
{% endhint %}

Parameter | Description | Default |
---|---|---|
mongodb-replicaset.enabled | Enable deployment of Mongo replicaset | false |

See MongoDB for detailed Helm Chart documentation.

{% hint style="warning" %}
You may encounter issues while running this Helm Chart on Apple Silicon M1. If you want to deploy MongoDB on M1, we encourage you to use another Helm Chart.
{% endhint %}
{% endtab %}
{% tab title="PostgreSQL" %}
To use a new PostgreSQL database via JDBC, first install it by running the command below after updating the `username`, `password`, and `databasename` parameters:

```sh
helm install --set postgresqlUsername=postgres --set postgresqlPassword=P@ssw0rd \
  --set postgresqlDatabase=graviteeapim postgres-apim bitnami/postgresql
```

Verify that the PostgreSQL pod is up and running via `kubectl get pods`:

```sh
kubectl get pods
```

{% code title="Expected output" %}
```
NAME                         READY   UP-TO-DATE   AVAILABLE   AGE
postgres-apim-postgresql-0   1/1     Running      0           98s
```
{% endcode %}

Modify the `values.yml` content below to use the `username`, `password`, `URL`, and `database name` specific to your instance:

```yaml
jdbc:
  driver: https://jdbc.postgresql.org/download/postgresql-42.2.23.jar
  url: jdbc:postgresql://postgres-apim-postgresql:5432/graviteeapim
  username: postgres
  password: P@ssw0rd
management:
  type: jdbc
```
{% endtab %}
{% tab title="Elasticsearch" %}
Parameter | Description | Default |
---|---|---|
es.security.enabled | Elasticsearch username and password enabled | false |
es.security.username | Elasticsearch username | example |
es.security.password | Elasticsearch password | example |
es.tls.enabled | Elasticsearch TLS enabled | false |
es.tls.keystore.type | Elasticsearch TLS keystore type (jks, pem or pfx) | null |
es.tls.keystore.path | Elasticsearch TLS keystore path (jks, pfx) | null |
es.tls.keystore.password | Elasticsearch TLS keystore password (jks, pfx) | null |
es.tls.keystore.certs | Elasticsearch TLS certs (only pems) | null |
es.tls.keystore.keys | Elasticsearch TLS keys (only pems) | null |
es.index | Elasticsearch index | gravitee |
es.endpoints | Elasticsearch endpoint array | [http://elastic-elasticsearch-client.default.svc.cluster.local:9200] |
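The table's defaults leave both `es.security.enabled` and `es.tls.enabled` at `false`, so out of the box the reporter sends analytics over cleartext HTTP with no credentials. The values fragment below is an added example, not from the Gravitee documentation, showing the same keys with both turned on, using the PEM keystore type for a client certificate and key. The Secret name `es-credentials` in namespace `gravitee-apim`, the certificate mount paths, and the use of the `kubernetes://` resolver for `es.security.password` (the page confirms it only for `mongo.uri`) are assumptions.

```yaml
# Added example (not from the Gravitee documentation): Elasticsearch reporter
# values with authentication and TLS switched on. Assumptions: Secret
# "es-credentials" in namespace "gravitee-apim" and the certificate paths.
es:
  endpoints:
    # Same default service host as the table, but https now that TLS is enabled.
    - https://elastic-elasticsearch-client.default.svc.cluster.local:9200
  index: gravitee
  security:
    enabled: true            # default false: the reporter would send no credentials
    username: apim-reporter
    # Assumption: the kubernetes:// resolver covers this key as it does mongo.uri,
    # so the password is read from the Secret at start-up and is not stored in values.yml.
    password: kubernetes://gravitee-apim/secrets/es-credentials/password
  tls:
    enabled: true            # default false: traffic to Elasticsearch would be cleartext
    keystore:
      type: pem              # certs/keys apply only to the pem type (see table)
      # Client certificate and key, mounted into the pod at assumed paths.
      certs:
        - /opt/graviteeio-gateway/certs/es-client.crt
      keys:
        - /opt/graviteeio-gateway/certs/es-client.key
```

The certificate and key files must be mounted into the Gateway and Management API pods (for example from a Secret) before the reporter starts; with `jks` or `pfx` the single archive is referenced through `es.tls.keystore.path` and `es.tls.keystore.password` instead of `certs` and `keys`.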
Elasticsearch Cluster

Parameter | Description | Default |
---|---|---|
elasticsearch.enabled | Enable deployment of Elasticsearch cluster | false |

See Elasticsearch for detailed documentation on optional Helm Chart requirements.

{% hint style="warning" %}
The Elasticsearch installed by Gravitee is NOT recommended in production. It is for testing purposes and running APIM locally.
{% endhint %}
{% endtab %}
{% tab title="Redis" %}
To install Redis, use the command below:

```sh
helm install --set auth.password=p@ssw0rd redis-apim bitnami/redis
```

See Redis for detailed documentation on this Helm Chart (like how to use Sentinel).

Check that the Redis pod is up and running before proceeding by running `kubectl get pods` as indicated below.

```sh
kubectl get pods
```

{% code title="Expected output" %}
```
NAME                    READY   STATUS    RESTARTS   AGE
redis-apim-master-0     1/1     Running   0          105s
redis-apim-replicas-0   1/1     Running   0          105s
redis-apim-replicas-1   1/1     Running   0          68s
redis-apim-replicas-2   1/1     Running   0          40s
```
{% endcode %}

To use Redis for the rate limit policy, use the information below in `values.yml` and replace the `host`, `port` and `password` with details for your specific instance. You can enable SSL by setting `ssl` to `true`.

```yaml
ratelimit:
  type: redis
gateway:
  ratelimit:
    redis:
      host: redis-apim-master
      port: 6379
      password: p@ssw0rd
      ssl: false
```

If you want to connect to a Sentinel cluster, you need to specify the `master` and the `nodes`.

```yaml
gateway:
  ratelimit:
    redis:
      password: p@ssw0rd
      ssl: false
      sentinel:
        master: redis-master
        nodes:
          - host: sentinel1
            port: 26379
          - host: sentinel2
            port: 26379
```

Other Keys

Parameter | Description | Default |
---|---|---|
gateway.ratelimit.redis.ssl | Enable SSL connection to Redis | false |
gateway.ratelimit.redis.password | Redis password | false |
{% endtab %}
{% endtabs %}
The following tables list the available configuration parameters for the Gravitee UI, Gravitee API, Gravitee Gateway, and Alert Engine.
{% tabs %}
{% tab title="Gravitee UI" %}
Parameter | Description | Default |
---|---|---|
ui.name | UI service name | ui |
ui.baseURL | Base URL to access the Management API (if set to null, defaults to the Management API ingress value) | [apim.example.com]/management |
ui.title | UI Portal title (if set to null, retrieved from the management repository) | API Portal |
ui.managementTitle | UI Management title (if set to null, retrieved from the management repository) | API Management |
ui.documentationLink | UI link to documentation (if set to null, retrieved from the management repository) | http://docs.gravitee.io/ |
ui.portal.apikeyHeader | API key header name (if set to null, retrieved from the management repository) | X-Gravitee-Api-Key |
ui.portal.devMode.enabled | Whether to enable developer mode (if set to null, retrieved from the management repository) | false |
ui.portal.userCreation.enabled | Whether to enable user creation (if set to null, retrieved from the management repository) | false |
ui.portal.support.enabled | Whether to enable support features (if set to null, retrieved from the management repository) | true |
ui.portal.rating.enabled | Whether to enable API rating (if set to null, retrieved from the management repository) | false |
ui.portal.analytics.enabled | Whether to enable analytics features (if set to null, retrieved from the management repository) | false |
ui.portal.analytics.trackingId | Tracking ID used for analytics (if set to null, retrieved from the management repository) | "" |
ui.replicaCount | How many replicas of the UI pod | 1 |
ui.image.repository | Gravitee UI image repository | graviteeio/management-ui |
ui.image.tag | Gravitee UI image tag | 1.29.5 |
ui.image.pullPolicy | K8s image pull policy | Always |
ui.image.pullSecrets | K8s image pull Secrets, used to pull both the Gravitee UI image and extraInitContainers | null |
ui.autoscaling.enabled | Whether auto-scaling is enabled or not | true |
ui.autoscaling.minReplicas | If ui.autoscaling.enabled is true, the minimum number of replicas | 2 |
ui.autoscaling.maxReplicas | If ui.autoscaling.enabled is true, the maximum number of replicas | 3 |
ui.autoscaling.targetAverageUtilization | If ui.autoscaling.enabled is true, the average target utilization (in %) before it auto-scales | 50 |
ui.service.name | UI service name | nginx |
ui.service.type | K8s publishing service type | ClusterIP |
ui.service.externalPort | K8s UI service external port | 8082 |
ui.service.internalPort | K8s UI service internal port (container) | 80 |
ui.service.internalPortName | K8s UI service internal port name (container) | http |
ui.ingress.enabled | Whether Ingress is enabled or not | true |
ui.ingress.hosts | If ui.ingress.enabled is true, set possible ingress hosts | [apim.example.com] |
ui.ingress.annotations | Supported Ingress annotations to configure the ingress controller | [kubernetes.io/ingress.class: nginx, kubernetes.io/app-root: /management, kubernetes.io/rewrite-target: /management, ingress.kubernetes.io/configuration-snippet: "etag on;\nproxy_pass_header ETag;\n"] |
ui.ingress.tls.hosts | Ingress TLS termination | [apim.example.com] |
ui.ingress.tls.secretName | Ingress TLS K8s Secret name containing the TLS private key and certificate | api-custom-cert |
ui.resources.limits.cpu | K8s pod deployment limits definition for CPU | 100m |
ui.resources.limits.memory | K8s pod deployment limits definition for memory | 128Mi |
ui.resources.requests.cpu | K8s pod deployment requests definition for CPU | 50m |
ui.resources.requests.memory | K8s pod deployment requests definition for memory | 64Mi |
ui.lifecycle.postStart | K8s pod deployment postStart command definition | null |
ui.lifecycle.preStop | K8s pod deployment preStop command definition | null |
{% endtab %}
{% tab title="Gravitee API" %}
Parameter | Description | Default |
---|---|---|
api.name | API service name | api |
api.logging.debug | Whether to enable API debug logging or not | false |
api.logging.graviteeLevel | Logging level for Gravitee classes | DEBUG |
api.logging.jettyLevel | Logging level for Jetty classes | INFO |
api.logging.stdout.encoderPattern | Logback standard output encoder pattern | %d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n |
api.logging.file.enabled | Whether to enable file logging or not | true |
api.logging.file.rollingPolicy | Logback file rolling policy configuration | TimeBasedRollingPolicy for 30 days |
api.logging.file.encoderPattern | Logback file encoder pattern | %d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n |
api.logging.additionalLoggers | List of additional logback loggers. Each logger is defined by a name and level (TRACE, DEBUG, INFO, WARN, or ERROR) | empty |
api.ssl.enabled | API exposition through HTTPS protocol activation | false |
api.ssl.keystore.type | Keystore type for API exposition through HTTPS protocol | jks |
api.ssl.keystore.path | Keystore path for API exposition through HTTPS protocol | null |
api.ssl.keystore.password | Keystore password for API exposition through HTTPS protocol | null |
api.ssl.truststore.type | Truststore type for client authentication through 2-way TLS | jks |
api.ssl.truststore.path | Truststore path for client authentication through 2-way TLS | null |
api.ssl.truststore.password | Truststore password for client authentication through 2-way TLS | null |
api.http.services.core.http.authentication.password | HTTP core service authentication password | adminadmin |
api.http.services.core.http.port | HTTP core service port exposed in container | 18083 |
api.http.services.core.http.host | HTTP core service bind IP or host inside container (0.0.0.0 for exposure on every interface) | localhost |
api.http.services.core.http.ingress.enabled | Ingress for HTTP core service authentication (requires api.http.services.core.service.enabled to be true) | false |
api.http.services.core.http.ingress.path | The ingress path which should match for incoming requests to the management technical API. | /management/_(.*) |
api.http.services.core.http.ingress.hosts | If api.ingress.enabled is true, set possible ingress hosts | [apim.example.com] |
api.http.services.core.http.ingress.annotations | Supported Ingress annotations to configure the ingress controller | [kubernetes.io/ingress.class: nginx, nginx.ingress.kubernetes.io/rewrite-target: /_$1] |
api.http.services.core.http.ingress.tls.hosts | Ingress TLS termination | [apim.example.com] |
api.http.services.core.http.ingress.tls.secretName | Ingress TLS K8s Secret name containing the TLS private key and certificate | api-custom-cert |
api.http.services.core.http.service.enabled | Whether a service is added or not for the technical API | false |
api.http.services.core.http.service.externalPort | K8s service external port (internal port is defined by api.http.services.core.http.port) | 18083 |
api.http.api.entrypoint | Listening path for the API | /management |
api.http.client.timeout | HTTP client global timeout | 10000 |
api.http.client.proxy.type | HTTP client proxy type | HTTP |
api.http.client.proxy.http.host | HTTP client proxy host for HTTP protocol | localhost |
api.http.client.proxy.http.port | HTTP client proxy port for HTTP protocol | 3128 |
api.http.client.proxy.http.username | HTTP client proxy username for HTTP protocol | null |
api.http.client.proxy.http.password | HTTP client proxy password for HTTP protocol | null |
api.http.client.proxy.https.host | HTTP client proxy host for HTTPS protocol | localhost |
api.http.client.proxy.https.port | HTTP client proxy port for HTTPS protocol | 3128 |
api.http.client.proxy.https.username | HTTP client proxy username for HTTPS protocol | null |
api.http.client.proxy.https.password | HTTP client proxy password for HTTPS protocol | null |
api.user.login.defaultApplication | Whether to enable default application creation on first user authentication | true |
api.user.anonymizeOnDelete | Whether to enable user anonymization on deletion | false |
api.supportEnabled | Whether to enable the support feature | true |
api.ratingEnabled | Whether to enable the API rating feature | true |
smtp.enabled | Email sending activation | true |
smtp.host | SMTP server host | smtp.example.com |
smtp.port | SMTP server port | 25 |
smtp.from | Email sending address | info@example.com |
smtp.username | SMTP server username | info@example.com |
smtp.password | SMTP server password | example.com |
smtp.subject | Email subjects template | [gravitee] %s |
smtp.auth | SMTP server authentication activation | true |
smtp.starttlsEnable | SMTP server TLS activation | false |
smtp.localhost | Hostname that is resolvable by the SMTP server | null |
api.portalURL | The portal URL used in emails | https://{{ index .Values.ui.ingress.hosts 0 }} |
api.restartPolicy | Policy to restart K8s pod | OnFailure |
api.updateStrategy.type | K8s deployment strategy type | RollingUpdate |
api.updateStrategy.rollingUpdate.maxUnavailable | If api.updateStrategy.type is set to The deployment controller will stop the bad rollout automatically and will stop scaling up the new replica set. This depends on the | 1 |
api.replicaCount | How many replicas for the API pod | 1 |
api.image.repository | Gravitee API image repository | graviteeio/management-api |
api.image.tag | Gravitee API image tag | 1.29.5 |
api.image.pullPolicy | K8s image pull policy | Always |
api.image.pullSecrets | K8s image pull Secrets, used to pull both the Gravitee Management API image and extraInitContainers | null |
api.env | Environment variables, defined as a list of name and value as specified in Kubernetes documentation | null |
api.service.type | K8s publishing service type | ClusterIP |
api.service.externalPort | K8s service external port | 83 |
api.service.internalPort | K8s service internal port (container) | 8083 |
api.service.internalPortName | K8s service internal port name (container) | http |
api.autoscaling.enabled | Whether auto-scaling is enabled or not | true |
api.autoscaling.minReplicas | If api.autoscaling.enabled is true, the minimum number of replicas | 2 |
api.autoscaling.maxReplicas | If api.autoscaling.enabled is true, the maximum number of replicas | 3 |
api.autoscaling.targetAverageUtilization | If api.autoscaling.enabled is true, the average target utilization (in %) before it auto-scales | 50 |
api.ingress.enabled | Whether Ingress is enabled or not | true |
api.ingress.path | The ingress path which should match for incoming requests to the Management API. | /management |
api.ingress.hosts | If api.ingress.enabled is true, set possible ingress hosts | [apim.example.com] |
api.ingress.annotations | Supported Ingress annotations to configure the ingress controller | [kubernetes.io/ingress.class: nginx, ingress.kubernetes.io/configuration-snippet: "etag on;\nproxy_pass_header ETag;\nproxy_set_header if-match \"\";\n"] |
api.ingress.tls.hosts | Ingress TLS termination | [apim.example.com] |
api.ingress.tls.secretName | Ingress TLS K8s Secret name containing the TLS private key and certificate | api-custom-cert |
api.ingress.management.scheme | Whether to use HTTP or HTTPS to communicate with the Management API, defaults to https | https |
api.ingress.portal.scheme | Whether to use HTTP or HTTPS to communicate with the Management API, defaults to https | https |
api.resources.limits.cpu | K8s pod deployment limits definition for CPU | 500m |
api.resources.limits.memory | K8s pod deployment limits definition for memory | 1024Mi |
api.resources.requests.cpu | K8s pod deployment requests definition for CPU | 200m |
api.resources.requests.memory | K8s pod deployment requests definition for memory | 512Mi |
api.lifecycle.postStart | K8s pod deployment postStart command definition | null |
api.lifecycle.preStop | K8s pod deployment preStop command definition | null |
{% endtab %}
{% tab title="Gravitee Gateway" %}
Parameter | Description | Default |
---|---|---|
gateway.name | Gateway service name | gateway |
gateway.logging.debug | Whether to enable Gateway debug logging or not | false |
api.logging.additionalLoggers | List of additional logback loggers. Each logger is defined by a name and level (TRACE, DEBUG, INFO, WARN, or ERROR) | empty |
gateway.ssl.enabled | API exposition through HTTPS protocol activation | false |
gateway.ssl.keystore.type | Keystore type for API exposition through HTTPS protocol | jks |
gateway.ssl.keystore.path | Keystore path for API exposition through HTTPS protocol | null |
gateway.ssl.keystore.password | Keystore password for API exposition through HTTPS protocol | null |
gateway.ssl.clientAuth | Client authentication through 2-way TLS activation | false |
gateway.ssl.truststore.type | Truststore type for client authentication through 2-way TLS | jks |
gateway.ssl.truststore.path | Truststore path for client authentication through 2-way TLS | null |
gateway.ssl.truststore.password | Truststore password for client authentication through 2-way TLS | null |
gateway.logging.graviteeLevel | Logging level for Gravitee classes | DEBUG |
gateway.logging.jettyLevel | Logging level for Jetty classes | INFO |
gateway.logging.stdout.encoderPattern | Logback standard output encoder pattern | %d{HH:mm:ss.SSS} [%thread] [%X{api}] %-5level %logger{36} - %msg%n |
gateway.logging.file.enabled | Whether to enable file logging or not | true |
gateway.logging.file.rollingPolicy | Logback file rolling policy configuration | TimeBasedRollingPolicy for 30 days |
gateway.logging.file.encoderPattern | Logback file encoder pattern | %d{HH:mm:ss.SSS} [%thread] [%X{api}] %-5level %logger{36} - %msg%n |
gateway.type | Gateway deployment type: deployment or statefulSet | deployment |
gateway.replicaCount | How many replicas of the Gateway pod | 2 |
gateway.image.repository | Gravitee Gateway image repository | graviteeio/gateway |
gateway.image.tag | Gravitee Gateway image tag | 1.29.5 |
gateway.image.pullPolicy | K8s image pull policy | Always |
gateway.image.pullSecrets | K8s image pull Secrets, used to pull both the Gravitee Gateway image and extraInitContainers | null |
gateway.env | Environment variables, defined as a list of name and value as specified in Kubernetes documentation | null |
gateway.service.type | K8s publishing service type | ClusterIP |
gateway.service.externalPort | K8s Gateway service external port | 82 |
gateway.service.internalPort | K8s Gateway service internal port (container) | 8082 |
gateway.service.internalPortName | K8s Gateway service internal port name (container) | http |
gateway.autoscaling.enabled | Whether auto-scaling is enabled or not | true |
gateway.autoscaling.minReplicas | If gateway.autoscaling.enabled is true, the minimum number of replicas | 2 |
gateway.autoscaling.maxReplicas | If gateway.autoscaling.enabled is true, the maximum number of replicas | 3 |
gateway.autoscaling.targetAverageUtilization | If gateway.autoscaling.enabled is true, the average target utilization (in %) before it auto-scales | 50 |
gateway.websocket | Whether the websocket protocol is enabled or not | false |
gateway.apiKey.header | Header used for the API Key. Set an empty value to prohibit its use. | X-Gravitee-Api-Key |
gateway.apiKey.param | Query parameter used for the API Key. Set an empty value to prohibit its use. | api-key |
gateway.sharding_tags | Sharding tags (comma separated list) | `` |
gateway.ingress.enabled | Whether Ingress is enabled or not | true |
gateway.ingress.path | The ingress path which should match for incoming requests to the Gateway. | /gateway |
gateway.ingress.hosts | If gateway.ingress.enabled is true, set possible ingress hosts | [apim.example.com] |
gateway.ingress.annotations | Supported Ingress annotations to configure the ingress controller | [kubernetes.io/ingress.class: nginx, nginx.ingress.kubernetes.io/ssl-redirect: "false", nginx.ingress.kubernetes.io/enable-rewrite-log: "true", kubernetes.io/app-root: /gateway, kubernetes.io/rewrite-target: /gateway] |
gateway.ingress.tls.hosts | Ingress TLS termination | [apim.example.com] |
gateway.ingress.tls.secretName | Ingress TLS K8s Secret name containing the TLS private key and certificate | api-custom-cert |
gateway.resources.limits.cpu | K8s pod deployment limits definition for CPU | 500m |
gateway.resources.limits.memory | K8s pod deployment limits definition for memory | 512Mi |
gateway.resources.requests.cpu | K8s pod deployment requests definition for CPU | 200m |
gateway.resources.requests.memory | K8s pod deployment requests definition for memory | 256Mi |
gateway.lifecycle.postStart | K8s pod deployment postStart command definition | null |
gateway.lifecycle.preStop | K8s pod deployment preStop command definition | null |
{% endtab %}
{% tab title="Alert Engine" %}
Parameter | Description | Default |
---|---|---|
alerts.enabled | Enables AE connectivity | true |
alerts.endpoints | Defines AE endpoints | - http://localhost:8072/ |
alerts.security.enabled | Enables AE secure connectivity | false |
alerts.security.username | The AE username | "admin" |
alerts.security.password | The AE password | "password" |
alerts.options.sendEventsOnHttp | Send events on HTTP to AE (websocket otherwise) | true |
alerts.options.useSystemProxy | Use system proxy to connect to AE | false |
alerts.options.connectTimeout | AE connection timeout | 2000 |
alerts.options.idleTimeout | AE idle timeout | 120000 |
alerts.options.keepAlive | Keep the connection alive | true |
alerts.options.pipelining | Enables event pipelining | true |
alerts.options.tryCompression | Enables event compression | true |
alerts.options.maxPoolSize | Set the maximum number of connections | 50 |
alerts.options.bulkEventsSize | Send events by packets | 100 |
alerts.options.bulkEventsWait | Duration for events to be ready to be sent | 100 |
alerts.options.ssl.trustall | SSL trust all | false |
alerts.options.ssl.keystore.type | Type of the keystore (jks, pkcs12, pem) | null |
alerts.options.ssl.keystore.path | Path to the keystore | null |
alerts.options.ssl.keystore.password | Path to the keystore | null |
alerts.options.ssl.keystore.certs | Keystore cert paths (array, only for pem) | null |
alerts.options.ssl.keystore.keys | Keystore key paths (array, only for pem) | null |
alerts.options.ssl.truststore.type | Type of the truststore | null |
alerts.options.ssl.truststore.path | Path to the truststore | null |
alerts.options.ssl.truststore.password | Password of the truststore | null |
alerts.engines.<cluster-name>.endpoints | Defines AE endpoints on the cluster <cluster-name> | - http://localhost:8072/ |
alerts.engines.<cluster-name>.security.username | The AE username on the cluster <cluster-name> | "admin" |
alerts.engines.<cluster-name>.security.password | The AE password on the cluster <cluster-name> | "password" |
alerts.engines.<cluster-name>.ssl.trustall | SSL trust all on the cluster <cluster-name> | false |
alerts.engines.<cluster-name>.ssl.keystore.type | Type of the keystore (jks, pkcs12, pem) on the cluster <cluster-name> | null |
alerts.engines.<cluster-name>.ssl.keystore.path | Path to the keystore (jks, pkcs12, pem) on the cluster <cluster-name> | null |
alerts.engines.<cluster-name>.ssl.keystore.password | Path to the keystore on the cluster <cluster-name> | null |
alerts.engines.<cluster-name>.ssl.keystore.certs | Keystore cert paths (array, only for pem) on the cluster <cluster-name> | null |
alerts.engines.<cluster-name>.ssl.keystore.keys | Keystore key paths (array, only for pem) on the cluster <cluster-name> | null |
alerts.engines.<cluster-name>.ssl.truststore.type | Type of the truststore on the cluster <cluster-name> | null |
alerts.engines.<cluster-name>.ssl.truststore.path | Path to the truststore on the cluster <cluster-name> | null |
alerts.engines.<cluster-name>.ssl.truststore.password | Password of the truststore on the cluster <cluster-name> | null |
{% endtab %}
{% endtabs %}
The Gravitee API Management Helm Chart supports Ingress standard objects and does not support specific OpenShift Routes. It is therefore compatible with OpenShift versions 3.10 and later. When deploying APIM within OpenShift:
- Use the full host domain instead of paths for all components (ingress paths are not supported well by OpenShift)
- Override the security context to let OpenShift automatically define the `user-id` and `group-id` used to run the containers

For OpenShift to automatically create Routes from the Ingress, you must define the `ingressClassName` as `none`. Here is a standard `values.yaml` used to deploy APIM into OpenShift:
{% code title="values.yml" %}
```yaml
api:
  ingress:
    management:
      ingressClassName: none
      path: /management
      hosts:
        - api-graviteeio.apps.openshift-test.l8e4.p1.openshiftapps.com
      annotations:
        route.openshift.io/termination: edge
    portal:
      ingressClassName: none
      path: /portal
      hosts:
        - api-graviteeio.apps.openshift-test.l8e4.p1.openshiftapps.com
      annotations:
        route.openshift.io/termination: edge
  deployment:
    securityContext:
      runAsUser: null
      runAsGroup: 1000
      runAsNonRoot: true
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
      seccompProfile:
        type: RuntimeDefault
gateway:
  ingress:
    ingressClassName: none
    path: /
    hosts:
      - gw-graviteeio.apps.openshift-test.l8e4.p1.openshiftapps.com
    annotations:
      route.openshift.io/termination: edge
  deployment:
    securityContext:
      runAsUser: null
      runAsGroup: 1000
      runAsNonRoot: true
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
      seccompProfile:
        type: RuntimeDefault
portal:
  ingress:
    ingressClassName: none
    path: /
    hosts:
      - portal-graviteeio.apps.openshift-test.l8e4.p1.openshiftapps.com
    annotations:
      route.openshift.io/termination: edge
  securityContext: null
  deployment:
    securityContext:
      runAsUser: null
      runAsGroup: null
      runAsNonRoot: true
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
      seccompProfile:
        type: RuntimeDefault
ui:
  ingress:
    ingressClassName: none
    path: /
    hosts:
      - console-graviteeio.apps.openshift-test.l8e4.p1.openshiftapps.com
    annotations:
      route.openshift.io/termination: edge
  securityContext: null
  deployment:
    securityContext:
      runAsUser: null
      runAsGroup: null
      runAsNonRoot: true
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
      seccompProfile:
        type: RuntimeDefault
```
{% endcode %}
By setting `runAsUser` to `null`, OpenShift is forced to define the correct values when deploying the Helm Chart.
Enterprise plugins require a license in APIM. To define a license, enter the `license.key` value in the `values.yml` file and add the Helm argument `--set license.key=<license.key in base64>`.

{% hint style="info" %}
The `license.key` value you enter must be encoded in `base64`:
- Linux: `base64 -w 0 license.key`
- macOS: `base64 license.key`
{% endhint %}

Example:

```sh
$ export GRAVITEESOURCE_LICENSE_B64="$(base64 -w 0 license.key)"
$ helm install \
    --set license.key=${GRAVITEESOURCE_LICENSE_B64} \
    --create-namespace --namespace gravitee-apim \
    graviteeio-apim3x \
    graviteeio/apim3
```

Parameter | Description | Default |
---|---|---|
license.key | string | license.key file encoded in base64 |