Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion charts/gateway/Chart.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ type: application
# Versions are expected to follow Semantic Versioning (https://semver.org/)
# major.minor mirrors the API7 EE release line (3.10.x), patch is this chart's
# own counter on that line and is decoupled from the app patch (see appVersion).
version: 3.10.8
version: 3.10.9

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
Expand Down
79 changes: 79 additions & 0 deletions charts/gateway/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,85 @@ helm delete [RELEASE_NAME] --namespace api7

The command removes all the Kubernetes components associated with the chart and deletes the release.

## Configuration examples

The full list of values is in the [Parameters](#parameters) table below. The snippets here cover a
few common setups — put them in a `values.yaml` and pass it with `-f values.yaml`, or translate each
line into a `--set key=value` flag.

### Trust additional CA certificates for outbound TLS

The gateway verifies the TLS certificate of any external service it dials (for example an
`openid-connect` identity provider) against its outbound trust store, which is the system CA bundle
plus `gateway.tls.existingCASecret`. In a Control Plane-managed deployment `existingCASecret` already
carries the Control Plane CA, so use `gateway.tls.additionalTrustedCAs` to trust an extra private or
enterprise CA **on top of** it, without modifying that Secret.

Create a Secret that holds the CA certificate:

```sh
kubectl -n api7 create secret generic keycloak-ca --from-file=keycloak-ca.crt=./keycloak-ca.crt
```

Reference it (each entry mounts `filename` from `secretName` and appends it to the trust store):

```yaml
gateway:
tls:
additionalTrustedCAs:
- secretName: keycloak-ca
filename: keycloak-ca.crt
```

The rendered `ssl_trusted_certificate` becomes `system,<existingCASecret CA>,<additional CA>`, so the
system CAs and the existing CA are preserved. The trust store is merged when the gateway starts, so
restart the gateway Pods after adding an entry or changing the Secret contents:

```sh
kubectl -n api7 rollout restart deploy/[RELEASE_NAME]
```

### Expose the gateway through a LoadBalancer

`gateway.type` defaults to `NodePort`. To publish the proxy through a cloud load balancer instead:

```yaml
gateway:
type: LoadBalancer
http:
servicePort: 80
tls:
servicePort: 443
```

### Set replicas and resource limits

```yaml
apisix:
replicaCount: 3
resources:
requests:
cpu: 500m
memory: 512Mi
limits:
cpu: "2"
memory: 2Gi
```

### Inject extra environment variables

```yaml
apisix:
extraEnvVars:
- name: MY_ENV
value: "my-value"
- name: TOKEN_ENV
valueFrom:
secretKeyRef:
name: my-secret
key: token
```

## Parameters

## Values
Expand Down
80 changes: 80 additions & 0 deletions charts/gateway/README.md.gotmpl
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,86 @@ helm delete [RELEASE_NAME] --namespace api7
The command removes all the Kubernetes components associated with the chart and deletes the release.


## Configuration examples

The full list of values is in the [Parameters](#parameters) table below. The snippets here cover a
few common setups — put them in a `values.yaml` and pass it with `-f values.yaml`, or translate each
line into a `--set key=value` flag.

### Trust additional CA certificates for outbound TLS

The gateway verifies the TLS certificate of any external service it dials (for example an
`openid-connect` identity provider) against its outbound trust store, which is the system CA bundle
plus `gateway.tls.existingCASecret`. In a Control Plane-managed deployment `existingCASecret` already
carries the Control Plane CA, so use `gateway.tls.additionalTrustedCAs` to trust an extra private or
enterprise CA **on top of** it, without modifying that Secret.

Create a Secret that holds the CA certificate:

```sh
kubectl -n api7 create secret generic keycloak-ca --from-file=keycloak-ca.crt=./keycloak-ca.crt
```

Reference it (each entry mounts `filename` from `secretName` and appends it to the trust store):

```yaml
gateway:
tls:
additionalTrustedCAs:
- secretName: keycloak-ca
filename: keycloak-ca.crt
Comment thread
coderabbitai[bot] marked this conversation as resolved.
```

The rendered `ssl_trusted_certificate` becomes `system,<existingCASecret CA>,<additional CA>`, so the
system CAs and the existing CA are preserved. The trust store is merged when the gateway starts, so
restart the gateway Pods after adding an entry or changing the Secret contents:

```sh
kubectl -n api7 rollout restart deploy/[RELEASE_NAME]
Comment thread
nic-6443 marked this conversation as resolved.
```

### Expose the gateway through a LoadBalancer

`gateway.type` defaults to `NodePort`. To publish the proxy through a cloud load balancer instead:

```yaml
gateway:
type: LoadBalancer
http:
servicePort: 80
tls:
servicePort: 443
```

### Set replicas and resource limits

```yaml
apisix:
replicaCount: 3
resources:
requests:
cpu: 500m
memory: 512Mi
limits:
cpu: "2"
memory: 2Gi
```

### Inject extra environment variables

```yaml
apisix:
extraEnvVars:
- name: MY_ENV
value: "my-value"
- name: TOKEN_ENV
valueFrom:
secretKeyRef:
name: my-secret
key: token
```


## Parameters

{{ template "chart.valuesSection" . }}
Expand Down
14 changes: 7 additions & 7 deletions charts/gateway/templates/_helpers.tpl
Original file line number Diff line number Diff line change
Expand Up @@ -199,14 +199,15 @@ Output: JSON {"entries": [{"port": 9200, "nodePort": ""}, ...]}

{{/*
Build the value of `apisix.ssl.ssl_trusted_certificate` — the gateway's outbound
trust store. Starts from the system CA bundle (`system`), then appends the
Control Plane CA (gateway.tls.existingCASecret) and every entry in
gateway.tls.additionalTrustedCAs, matching the mount paths rendered in _pod.tpl.
Returns an empty string when TLS is disabled or no CA is configured, so the
caller can omit the key entirely.
trust store, used to verify external services the gateway dials (etcd/Control
Plane, openid-connect, loggers, ...). It is independent of the inbound HTTPS
listener (gateway.tls.enabled). Starts from the system CA bundle (`system`),
then appends the Control Plane CA (gateway.tls.existingCASecret) and every entry
in gateway.tls.additionalTrustedCAs, matching the mount paths rendered in
_pod.tpl. Returns an empty string when no CA is configured, so the caller can
omit the key entirely.
*/}}
{{- define "gateway.sslTrustedCertificate" -}}
{{- if .Values.gateway.tls.enabled -}}
{{- $paths := list -}}
{{- if .Values.gateway.tls.existingCASecret -}}
{{- $paths = append $paths (printf "/usr/local/apisix/conf/ssl/%s" .Values.gateway.tls.certCAFilename) -}}
Expand All @@ -218,4 +219,3 @@ caller can omit the key entirely.
{{- printf "system,%s" (join "," $paths) -}}
{{- end -}}
{{- end -}}
{{- end -}}
8 changes: 2 additions & 6 deletions charts/gateway/templates/_pod.tpl
Original file line number Diff line number Diff line change
Expand Up @@ -184,18 +184,16 @@ spec:
- mountPath: /usr/local/apisix/conf/config.yaml
name: apisix-config
subPath: config.yaml
{{- if and .Values.gateway.tls.enabled .Values.gateway.tls.existingCASecret }}
{{- if .Values.gateway.tls.existingCASecret }}
- mountPath: /usr/local/apisix/conf/ssl/{{ .Values.gateway.tls.certCAFilename }}
name: ssl
subPath: {{ .Values.gateway.tls.certCAFilename }}
{{- end }}
{{- if .Values.gateway.tls.enabled }}
{{- range $i, $ca := .Values.gateway.tls.additionalTrustedCAs }}
- mountPath: /usr/local/apisix/conf/ssl/additional-ca-{{ $i }}
name: additional-ca-{{ $i }}
readOnly: true
{{- end }}
{{- end }}

{{- if .Values.etcd.auth.tls.enabled }}
- mountPath: /etcd-ssl
Expand Down Expand Up @@ -298,12 +296,11 @@ spec:
- configMap:
name: {{ include "apisix.fullname" . }}
name: apisix-config
{{- if and .Values.gateway.tls.enabled .Values.gateway.tls.existingCASecret }}
{{- if .Values.gateway.tls.existingCASecret }}
- secret:
secretName: {{ .Values.gateway.tls.existingCASecret | quote }}
name: ssl
{{- end }}
{{- if .Values.gateway.tls.enabled }}
{{- range $i, $ca := .Values.gateway.tls.additionalTrustedCAs }}
- secret:
secretName: {{ $ca.secretName | quote }}
Expand All @@ -312,7 +309,6 @@ spec:
path: {{ $ca.filename | quote }}
name: additional-ca-{{ $i }}
{{- end }}
{{- end }}
{{- if .Values.etcd.auth.tls.enabled }}
- secret:
secretName: {{ .Values.etcd.auth.tls.existingSecret | quote }}
Expand Down
Loading