stt/infra-gravitee-apim
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

first commit

Browse Source
This commit is contained in:
sttlab
2026-05-31 12:18:37 +00:00
parent 4f1c251ff8
commit e525b053ec
18 changed files with 974 additions and 104 deletions
Download Patch File Download Diff File Expand all files Collapse all files
platform/apim-values-env-var.yml
+309
View File
@@ -0,0 +1,309 @@
# Gravitee APIM OSS - prod-like single-node k3s deployment
# - Domain: gravitee.sttlab.pc
# - Ingress: nginx
# - TLS everywhere (ingress + internal component HTTPS)
# - Credentials sourced from pre-created secrets
adminAccountEnable: true
adminPasswordBcrypt: "${GRAVITEE_ADMIN_PASSWORD_BCRYPT}"
# ============================================================
# Kubernetes Secret Provider
# ============================================================
secrets:
kubernetes:
enabled: true
namespace: gravitee-apim
timeoutMs: 3000
# ============================================================
# API Gateway (data plane) - 2 replicas
# ============================================================
gateway:
enabled: true
replicaCount: 2
extraVolumes: |
- name: gateway-internal-tls
secret:
secretName: gateway-internal-tls
items:
- key: keystore.p12
path: keystore.p12
- key: truststore.p12
path: truststore.p12
extraVolumeMounts: |
- name: gateway-internal-tls
mountPath: /run/secrets/tls
readOnly: true
env:
- name: GRAVITEE_MANAGEMENT_MONGODB_URI
valueFrom:
secretKeyRef:
name: gravitee-mongodb-uri
key: GRAVITEE_MANAGEMENT_MONGODB_URI
- name: GRAVITEE_RATELIMIT_MONGODB_URI
valueFrom:
secretKeyRef:
name: gravitee-mongodb-uri
key: GRAVITEE_RATELIMIT_MONGODB_URI
- name: GRAVITEE_REPORTERS_ELASTICSEARCH_ENDPOINTS_0
value: "https://gravitee-es-master.gravitee-apim.svc.cluster.local:9200"
- name: GRAVITEE_REPORTERS_ELASTICSEARCH_SECURITY_ENABLED
value: "true"
- name: GRAVITEE_REPORTERS_ELASTICSEARCH_SECURITY_USERNAME
valueFrom:
secretKeyRef:
name: gravitee-es-master-credentials
key: username
- name: GRAVITEE_REPORTERS_ELASTICSEARCH_SECURITY_PASSWORD
valueFrom:
secretKeyRef:
name: gravitee-es-master-credentials
key: password
- name: JKS_PASSWORD
valueFrom:
secretKeyRef:
name: gravitee-jks-password
key: password
- name: GRAVITEE_API_PROPERTIES_ENCRYPTION_SECRET
valueFrom:
secretKeyRef:
name: gravitee-encryption
key: api-properties-encryption-secret
- name: JAVA_OPTS
value: "-Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStore=/run/secrets/tls/truststore.p12 -Djavax.net.ssl.trustStorePassword=$(JKS_PASSWORD)"
# Enable HTTPS on the gateway listener (port 8082)
ssl:
enabled: true
keystore:
type: pkcs12
path: /run/secrets/tls/keystore.p12
password: "${JKS_PASSWORD}"
resources:
requests:
cpu: 200m
memory: 512Mi
limits:
cpu: 1000m
memory: 1Gi
service:
type: ClusterIP
externalPort: 443
internalPort: 8082
ingress:
enabled: true
ingressClassName: nginx
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
nginx.ingress.kubernetes.io/proxy-ssl-secret: "gravitee-apim/gravitee-ca-trust"
nginx.ingress.kubernetes.io/configuration-snippet: |
proxy_ssl_name gateway.gravitee.sttlab.pc;
hosts:
- gateway.gravitee.sttlab.pc
path: /
pathType: Prefix
tls:
- hosts:
- gateway.gravitee.sttlab.pc
secretName: gateway-tls
autoscaling:
enabled: false
# ============================================================
# Management API (control plane) - 1 replica
# ============================================================
api:
enabled: true
replicaCount: 1
extraVolumes: |
- name: api-internal-tls
secret:
secretName: api-internal-tls
items:
- key: keystore.p12
path: keystore.p12
- key: truststore.p12
path: truststore.p12
extraVolumeMounts: |
- name: api-internal-tls
mountPath: /run/secrets/tls
readOnly: true
env:
- name: GRAVITEE_MANAGEMENT_MONGODB_URI
valueFrom:
secretKeyRef:
name: gravitee-mongodb-uri
key: GRAVITEE_MANAGEMENT_MONGODB_URI
- name: GRAVITEE_RATELIMIT_MONGODB_URI
valueFrom:
secretKeyRef:
name: gravitee-mongodb-uri
key: GRAVITEE_RATELIMIT_MONGODB_URI
- name: GRAVITEE_ANALYTICS_ELASTICSEARCH_ENDPOINTS_0
value: "https://gravitee-es-master.gravitee-apim.svc.cluster.local:9200"
- name: GRAVITEE_ANALYTICS_ELASTICSEARCH_SECURITY_ENABLED
value: "true"
- name: GRAVITEE_JWT_SECRET
valueFrom:
secretKeyRef:
name: gravitee-jwt
key: GRAVITEE_JWT_SECRET
- name: GRAVITEE_ADMIN_PASSWORD_BCRYPT
valueFrom:
secretKeyRef:
name: gravitee-admin
key: admin-password-bcrypt
- name: GRAVITEE_ANALYTICS_ELASTICSEARCH_SECURITY_USERNAME
valueFrom:
secretKeyRef:
name: gravitee-es-master-credentials
key: username
- name: GRAVITEE_ANALYTICS_ELASTICSEARCH_SECURITY_PASSWORD
valueFrom:
secretKeyRef:
name: gravitee-es-master-credentials
key: password
- name: JKS_PASSWORD
valueFrom:
secretKeyRef:
name: gravitee-jks-password
key: password
- name: GRAVITEE_API_PROPERTIES_ENCRYPTION_SECRET
valueFrom:
secretKeyRef:
name: gravitee-encryption
key: api-properties-encryption-secret
- name: JAVA_OPTS
value: "-Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStore=/run/secrets/tls/truststore.p12 -Djavax.net.ssl.trustStorePassword=$(JKS_PASSWORD)"
# Enable HTTPS on Management API + Portal API listeners
http:
services:
core:
http:
enabled: true
port: 18083
host: 0.0.0.0
ssl:
enabled: true
keystore:
type: pkcs12
path: /run/secrets/tls/keystore.p12
password: "${JKS_PASSWORD}"
resources:
requests:
cpu: 200m
memory: 2Gi
limits:
cpu: 1000m
memory: 2Gi
ingress:
management:
enabled: true
ingressClassName: nginx
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
nginx.ingress.kubernetes.io/proxy-ssl-secret: "gravitee-apim/gravitee-ca-trust"
nginx.ingress.kubernetes.io/configuration-snippet: |
proxy_ssl_name api.gravitee.sttlab.pc;
path: /management
pathType: Prefix
hosts:
- api.gravitee.sttlab.pc
tls:
- hosts:
- api.gravitee.sttlab.pc
secretName: api-tls
portal:
enabled: true
ingressClassName: nginx
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
nginx.ingress.kubernetes.io/proxy-ssl-secret: "gravitee-apim/gravitee-ca-trust"
nginx.ingress.kubernetes.io/configuration-snippet: |
proxy_ssl_name api.gravitee.sttlab.pc;
path: /portal
pathType: Prefix
hosts:
- api.gravitee.sttlab.pc
tls:
- hosts:
- api.gravitee.sttlab.pc
secretName: api-tls
# ============================================================
# Management UI (Console) - 1 replica
# ============================================================
ui:
enabled: true
replicaCount: 1
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 500m
memory: 256Mi
ingress:
enabled: true
ingressClassName: nginx
annotations:
nginx.ingress.kubernetes.io/use-regex: "true"
hosts:
- console.gravitee.sttlab.pc
path: /(.*)
pathType: ImplementationSpecific
tls:
- hosts:
- console.gravitee.sttlab.pc
secretName: console-tls
# ============================================================
# Developer Portal UI - 1 replica
# ============================================================
portal:
enabled: true
replicaCount: 1
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 500m
memory: 256Mi
ingress:
enabled: true
ingressClassName: nginx
annotations:
nginx.ingress.kubernetes.io/use-regex: "true"
nginx.ingress.kubernetes.io/rewrite-target: /$1
hosts:
- portal.gravitee.sttlab.pc
path: /(.*)
pathType: ImplementationSpecific
tls:
- hosts:
- portal.gravitee.sttlab.pc
secretName: portal-tls