forked from CAAPIM/apim-charts
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathvalues.yaml
executable file
·334 lines (301 loc) · 10.4 KB
/
values.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
nameOverride: ""
fullnameOverride: ""
# Use set file to place a Gateway license here
license:
value:
accept: false
image:
registry: docker.io
repository: caapim/gateway
tag: 10.1.00
pullPolicy: Always
# Will create a Registry secret and apply it to the Gateway
secretName:
credentials:
username:
password:
email:
# Number of Edge Gateways to deploy
replicas: 1
# Update strategy
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
# Cluster Hostname
clusterHostname: my.localdomain
# Cluster Password
clusterPassword: mypassword
# This enables/disables Policy Manager Access and sets the SSG_ADMIN username and password
# Credentials will be moved to a secret object in the next push..
management:
enabled: true
# Enable Restman, if DBbacked this setting will persist until manually deleted via Policy Manager.
restman:
enabled: false
username: admin
password: mypassword
# Database configuration
database:
# DB Backed or ephemeral
enabled: true
# A MySQL Database is configured with this Chart, set to false and set jdbcURL to use your own DB server
create: true
# jdbcURL: jdbc:mysql://<host>:<port>/<database> | jdbc:mysql://<host>:<port>,<host>:<port>/<database>,...
# Configurable, update the mysql.<settings> if you change this
username: gateway
password: mypassword
name: ssg
## Beta - enable/disable the background metrics processing task
## Enabling this creates a policy on the Gateway and routes service metrics to influxDbUrl
## Disabling on upgrade will have no effect on the deployed policy
## To be replaced with a user defined bundle relevant to the endpoint they wish to relay service metrics to.
## InfluxDbUrl and tags are Cluster-Wide-Properties.
serviceMetrics:
enabled: false
## By default influxdb is not deployed with this Chart.
## Set influxdb.enabled in the subchart section to true to deploy it.
external: false
influxDbUrl: http://influxdb:8086
influxDbDatabase: serviceMetricsDb
tags: env=dev
config:
heapSize: "2g"
javaArgs:
- -Dcom.l7tech.bootstrap.autoTrustSslKey=trustAnchor,TrustedFor.SSL,TrustedFor.SAML_ISSUER
- -Dcom.l7tech.server.audit.message.saveToInternal=false
- -Dcom.l7tech.server.audit.admin.saveToInternal=false
- -Dcom.l7tech.server.audit.system.saveToInternal=false
- -Dcom.l7tech.server.audit.log.format=json
- -Djava.util.logging.config.file=/opt/SecureSpan/Gateway/node/default/etc/conf/log-override.properties
- -Dcom.l7tech.server.pkix.useDefaultTrustAnchors=true
- -Dcom.l7tech.security.ssl.hostAllowWildcard=true
log:
override: true
properties: |-
handlers = com.l7tech.server.log.GatewayRootLoggingHandler, com.l7tech.server.log.ConsoleMessageSink$L7ConsoleHandler
com.l7tech.server.log.GatewayRootLoggingHandler.formatter = com.l7tech.util.JsonLogFormatter
java.util.logging.SimpleFormatter.format=
com.l7tech.server.log.ConsoleMessageSink$L7ConsoleHandler.formatter = com.l7tech.util.JsonLogFormatter
com.l7tech.server.log.ConsoleMessageSink$L7ConsoleHandler.level = CONFIG
tls:
customKey:
enabled: false
# when enabled, the pass cannot be empty. key value needs to be base64 encoded .p12
# This key will become the default ssl key. Can only have one.
# ex. DEMO_KEY=`cat demo-key.p12 | base64 --wrap=0`
# use with helm command: --set "tls.customDefaultSslKey.key=$DEMO_KEY"
customDefaultSslKey:
enabled: false
key:
pass: mypassword
installSolutionKits:
enabled: false
restmanPort: 8443
restmanReadyWaitInterval: 30s
restmanReadyWaitMaxAttempt: 10
# Additional Environment variables to be added to the Gateway Configmap
additionalEnv:
key1: value
# key1: value
# key2: value
# Additional Secret variables to be added to the Gateway Secret
additionalSecret:
key1: value
# key1: value
# key2: value
# This mounts a bundle folder to the Gateway.
bundle:
enabled: false
path: "bundles/*.bundle"
service:
# Service Type, ClusterIP, NodePort, LoadBalancer
type: LoadBalancer
## Load Balancer sources
## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
##
# loadBalancerSourceRanges:
# - 10.10.10.0/24
## Set the ExternalIPs
##
# externalIPs:
## Set the LoadBalancerIP
##
# loadBalancerIP:
# Update this port list if additional ports need to be exposed
ports:
- name: https
internal: 8443
external: 8443
- name: management
internal: 9443
external: 9443
# Additional Service annotations, the example below shows configuration for an internal load balancer on GCP
# See the docs for more ==> https://kubernetes.io/docs/concepts/services-networking/service/
annotations: {}
# cloud.google.com/load-balancer-type: "Internal"
# Uncomment the following section to enable session affinity
# sessionAffinity: ClientIP
# sessionAffinityConfig:
# clientIP:
# timeoutSeconds: 10800
# This project does not currently support Google's GCE controller.
# The default way to expose the Gateway is via L4 Load Balancer because it goes far beyond the HTTP(S) limitation ingress currently imposes
# Certificates are not created here, please specify an existing cert secret to use if enabling TLS
ingress:
# Set to true to create ingress object
enabled: false
# Ingress annotations
annotations:
# Ingress class
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
# nginx.ingress.kubernetes.io/ssl-passthrough: "true"
# When the ingress is enabled, a host pointing to this will be created
# By default clusterHostname is used, only set this if you want to use a different host
## Enable TLS configuration for the hostname defined at ingress.hostname/clusterHostname parameter
# TLS Secret Name - this must present in your Kubernetes Cluster.
secretName: tls-secret
# Array of Hostnames that the certificate is valid for - must contain at least one.
hostname: dev.ca.com
tlsHostnames: []
# - dev.ca.com
# - dev1.ca.com
## The port that you want to route to via ingress. This needs to be available via service.ports.
port: 8443
## Define additional hostnames and ports as key-value pairs.
additionalHostnamesAndPorts: {}
# dev1.ca.com: 9443
livenessProbe:
enabled: true
initialDelaySeconds: 60
timeoutSeconds: 1
periodSeconds: 10
successThreshold: 1
failureThreshold: 10
readinessProbe:
enabled: true
initialDelaySeconds: 60
timeoutSeconds: 1
periodSeconds: 10
successThreshold: 1
failureThreshold: 10
resources:
# There are no resource limits set by default, this is a consicious choice for the user and
# increases the chance of these running on environments with fewer resources available
# Remove the curly braces and uncomment cpu/memory to set.
limits: {}
# cpu: 1000m
# memory: 2Gi
requests: {}
# cpu: 1000m
# memory: 2Gi
serviceAccount:
# name:
create: true
###############################################################################################
## ##
## Subchart Configuration ##
## ##
###############################################################################################
# MySQL Bitnami chart - https://github.com/bitnami/charts/tree/master/bitnami/mysql (DO NOT USE IN PRODUCTION!!)
mysql:
image:
tag: "8.0.22-debian-10-r75"
auth:
username: gateway
password: mypassword
database: ssg
rootPassword: mypassword
primary:
# persistence:
# enabled: true
# size: 8Gi
configuration: |-
[client]
port=3306
socket=/opt/bitnami/mysql/tmp/mysql.sock
default-character-set=UTF8
plugin_dir=/opt/bitnami/mysql/plugin
[mysqld]
default_authentication_plugin=mysql_native_password
log-bin-trust-function-creators=1
skip-name-resolve
explicit_defaults_for_timestamp
basedir=/opt/bitnami/mysql
plugin_dir=/opt/bitnami/mysql/plugin
port=3306
socket=/opt/bitnami/mysql/tmp/mysql.sock
datadir=/bitnami/mysql/data
tmpdir=/opt/bitnami/mysql/tmp
collation-server=utf8_general_ci
character-set-server=UTF8
innodb_log_buffer_size=32M
innodb_log_file_size=80M
max_allowed_packet=20M
sql_mode = "STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_ENGINE_SUBSTITUTION"
bind-address=0.0.0.0
pid-file=/opt/bitnami/mysql/tmp/mysqld.pid
log-error=/opt/bitnami/mysql/logs/mysqld.log
[manager]
port=3306
socket=/opt/bitnami/mysql/tmp/mysql.sock
pid-file=/opt/bitnami/mysql/tmp/mysqld.pid
# Settings for Hazelcast - https://github.com/hazelcast/charts/blob/master/stable/hazelcast/values.yaml
# The Gateway currently supports Hazelcast 4.x & 5.x servers
hazelcast:
# Older versions of the API Gateway will still support 3.x servers
legacy:
# set this to true if your Gateway version does not support 4.x and 5.x
enabled: true
# If you wish to connect to an existing Hazelcast instance set enabled to false
# external to true, and uncomment and set url.
enabled: false
external: false
# url: hazelcast.example.com:5701
image:
tag: "5.1.1"
cluster:
memberCount: 2
mancenter:
enabled: false
hazelcast:
yaml:
hazelcast:
network:
join:
multicast:
enabled: false
kubernetes:
enabled: true
service-name: ${serviceName}
namespace: ${namespace}
resolve-not-ready-addresses: true
# Settings for InfluxDB - https://github.com/influxdata/helm-charts/tree/master/charts/influxdb
# This is not a production implementation!
influxdb:
enabled: false
service:
port: 8086
persistence:
enabled: true
# storageClass:
size: 8Gi
env:
- name: INFLUXDB_DB
value: "serviceMetricsDb"
# Settings for Grafana - https://github.com/bitnami/charts/tree/master/bitnami/grafana
grafana:
enabled: false
# Change this to update the UI Password
admin:
user: admin
password: password
dashboardsProvider:
enabled: true
dashboardsConfigMaps:
- configMapName: grafana-configmap
fileName: gateway-service-metrics.json
datasources:
secretName: grafana-secret