Simplification of Mongo and ES config

apim-values.yml

@@ -7,24 +7,6 @@
 adminAccountEnable: true
 adminPasswordBcrypt: "${GRAVITEE_ADMIN_PASSWORD_BCRYPT}"
 
-# External MongoDB — URI injected at runtime via GRAVITEE_MANAGEMENT/RATELIMIT_MONGODB_URI
-# from the gravitee-mongodb-uri secret (see deployment.envFrom below)
-mongo:
-  dbhost: mongodb.gravitee-apim.svc.cluster.local
-  dbname: gravitee
-  dbport: 27017
-  rsEnabled: false
-
-# External Elasticsearch (HTTPS + basic auth)
-# Password injected at runtime via env var from gravitee-es-master-credentials secret
-es:
-  endpoints:
-    - https://gravitee-es-master.gravitee-apim.svc.cluster.local:9200
-  security:
-    enabled: true
-    username: elastic
-    password: ""
-
 # ============================================================
 # API Gateway (data plane) - 2 replicas
 # ============================================================
@@ -60,12 +42,26 @@ gateway:
       mountPath: /run/secrets/truststore
       readOnly: true
 
-  deployment:
-    envFrom:
-      - secretRef:
-          name: gravitee-mongodb-uri
-
   env:
+    - name: GRAVITEE_MANAGEMENT_MONGODB_URI
+      valueFrom:
+        secretKeyRef:
+          name: gravitee-mongodb-uri
+          key: GRAVITEE_MANAGEMENT_MONGODB_URI
+    - name: GRAVITEE_RATELIMIT_MONGODB_URI
+      valueFrom:
+        secretKeyRef:
+          name: gravitee-mongodb-uri
+          key: GRAVITEE_RATELIMIT_MONGODB_URI
+    - name: GRAVITEE_REPORTERS_ELASTICSEARCH_ENDPOINTS_0
+      value: "https://gravitee-es-master.gravitee-apim.svc.cluster.local:9200"
+    - name: GRAVITEE_REPORTERS_ELASTICSEARCH_SECURITY_ENABLED
+      value: "true"
+    - name: GRAVITEE_REPORTERS_ELASTICSEARCH_SECURITY_USERNAME
+      valueFrom:
+        secretKeyRef:
+          name: gravitee-es-master-credentials
+          key: username
     - name: GRAVITEE_REPORTERS_ELASTICSEARCH_SECURITY_PASSWORD
       valueFrom:
         secretKeyRef:
@@ -104,9 +100,11 @@ gateway:
     enabled: true
     ingressClassName: nginx
     annotations:
-      # Gateway already terminates TLS internally; nginx forwards as HTTPS
       nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
-      nginx.ingress.kubernetes.io/proxy-ssl-verify: "off"
+      nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
+      nginx.ingress.kubernetes.io/proxy-ssl-secret: "gravitee-apim/gravitee-ca-trust"
+      nginx.ingress.kubernetes.io/configuration-snippet: |
+        proxy_ssl_name gateway.gravitee.sttlab.pc;
     hosts:
       - gateway.gravitee.sttlab.pc
     path: /
@@ -153,19 +151,36 @@ api:
       mountPath: /run/secrets/truststore
       readOnly: true
 
-  deployment:
-    envFrom:
-      - secretRef:
-          name: gravitee-mongodb-uri
-      - secretRef:
-          name: gravitee-jwt
-
   env:
+    - name: GRAVITEE_MANAGEMENT_MONGODB_URI
+      valueFrom:
+        secretKeyRef:
+          name: gravitee-mongodb-uri
+          key: GRAVITEE_MANAGEMENT_MONGODB_URI
+    - name: GRAVITEE_RATELIMIT_MONGODB_URI
+      valueFrom:
+        secretKeyRef:
+          name: gravitee-mongodb-uri
+          key: GRAVITEE_RATELIMIT_MONGODB_URI
+    - name: GRAVITEE_ANALYTICS_ELASTICSEARCH_ENDPOINTS_0
+      value: "https://gravitee-es-master.gravitee-apim.svc.cluster.local:9200"
+    - name: GRAVITEE_ANALYTICS_ELASTICSEARCH_SECURITY_ENABLED
+      value: "true"
+    - name: GRAVITEE_JWT_SECRET
+      valueFrom:
+        secretKeyRef:
+          name: gravitee-jwt
+          key: GRAVITEE_JWT_SECRET
     - name: GRAVITEE_ADMIN_PASSWORD_BCRYPT
       valueFrom:
         secretKeyRef:
           name: gravitee-admin
           key: admin-password-bcrypt
+    - name: GRAVITEE_ANALYTICS_ELASTICSEARCH_SECURITY_USERNAME
+      valueFrom:
+        secretKeyRef:
+          name: gravitee-es-master-credentials
+          key: username
     - name: GRAVITEE_ANALYTICS_ELASTICSEARCH_SECURITY_PASSWORD
       valueFrom:
         secretKeyRef:
@@ -209,7 +224,10 @@ api:
       ingressClassName: nginx
       annotations:
         nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
-        nginx.ingress.kubernetes.io/proxy-ssl-verify: "off"
+        nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
+        nginx.ingress.kubernetes.io/proxy-ssl-secret: "gravitee-apim/gravitee-ca-trust"
+        nginx.ingress.kubernetes.io/configuration-snippet: |
+          proxy_ssl_name api.gravitee.sttlab.pc;
       path: /management
       pathType: Prefix
       hosts:
@@ -223,7 +241,10 @@ api:
       ingressClassName: nginx
       annotations:
         nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
-        nginx.ingress.kubernetes.io/proxy-ssl-verify: "off"
+        nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
+        nginx.ingress.kubernetes.io/proxy-ssl-secret: "gravitee-apim/gravitee-ca-trust"
+        nginx.ingress.kubernetes.io/configuration-snippet: |
+          proxy_ssl_name api.gravitee.sttlab.pc;
       path: /portal
       pathType: Prefix
       hosts: