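---
# Gravitee APIM OSS - prod-like single-node k3s deployment
# - Domain: gravitee.sttlab.pc
# - Ingress: nginx
# - TLS everywhere (ingress + internal component HTTPS)
# - Credentials sourced from pre-created secrets
#
# How credentials reach the pods (no secret material is inlined in this file):
# - Every credential is a secretKeyRef to a pre-created Secret
#   (gravitee-mongodb-uri, gravitee-es-master-credentials, gravitee-jks-password,
#   gravitee-encryption, gravitee-jwt, gravitee-admin).
# - "$(JKS_PASSWORD)" inside JAVA_OPTS is Kubernetes dependent-env-var expansion;
#   it only works because JKS_PASSWORD is declared earlier in the same env list.
# - "${...}" placeholders (adminPasswordBcrypt, ssl.keystore.password) are NOT
#   expanded by Helm or Kubernetes; they land in the rendered gravitee.yml as-is.
#   NOTE(review): confirm on a running pod that the Gravitee runtime resolves
#   them from the container environment. If it does not, the keystore cannot be
#   opened and the admin "hash" is the literal placeholder string. With the
#   Kubernetes secret provider enabled below, referencing the Secret directly
#   from gravitee.yml is the alternative to evaluate.
# - This file was reconstructed from a whitespace-collapsed copy; the nesting of
#   api.ssl (sibling of api.http, mirroring gateway.ssl) is the one place where
#   the original indentation was ambiguous. Check it against the chart's
#   values.yaml before applying.

adminAccountEnable: true
# Placeholder, not a hash - see header note. The api pod exposes this value as
# the GRAVITEE_ADMIN_PASSWORD_BCRYPT env var, read from Secret gravitee-admin.
adminPasswordBcrypt: "${GRAVITEE_ADMIN_PASSWORD_BCRYPT}"

# ============================================================
# Kubernetes Secret Provider
# ============================================================
# Lets the Gravitee runtime read Secrets in this namespace.
# NOTE(review): the pods' ServiceAccount needs RBAC to read Secrets in
# gravitee-apim - confirm the chart provisions it when this is enabled.
secrets:
  kubernetes:
    enabled: true
    namespace: gravitee-apim
    timeoutMs: 3000

# ============================================================
# API Gateway (data plane) - 2 replicas
# ============================================================
gateway:
  enabled: true
  replicaCount: 2

  # Internal TLS material (keystore + truststore) from Secret gateway-internal-tls,
  # mounted read-only. The keystore password is never written to disk; it is only
  # available through the JKS_PASSWORD env var below.
  extraVolumes: |
    - name: gateway-internal-tls
      secret:
        secretName: gateway-internal-tls
        items:
          - key: keystore.p12
            path: keystore.p12
          - key: truststore.p12
            path: truststore.p12
  extraVolumeMounts: |
    - name: gateway-internal-tls
      mountPath: /run/secrets/tls
      readOnly: true

  env:
    - name: GRAVITEE_MANAGEMENT_MONGODB_URI
      valueFrom:
        secretKeyRef:
          name: gravitee-mongodb-uri
          key: GRAVITEE_MANAGEMENT_MONGODB_URI
    - name: GRAVITEE_RATELIMIT_MONGODB_URI
      valueFrom:
        secretKeyRef:
          name: gravitee-mongodb-uri
          key: GRAVITEE_RATELIMIT_MONGODB_URI
    # Reporter talks HTTPS to Elasticsearch; the server cert is validated against
    # the truststore configured in JAVA_OPTS.
    - name: GRAVITEE_REPORTERS_ELASTICSEARCH_ENDPOINTS_0
      value: "https://gravitee-es-master.gravitee-apim.svc.cluster.local:9200"
    - name: GRAVITEE_REPORTERS_ELASTICSEARCH_SECURITY_ENABLED
      value: "true"
    - name: GRAVITEE_REPORTERS_ELASTICSEARCH_SECURITY_USERNAME
      valueFrom:
        secretKeyRef:
          name: gravitee-es-master-credentials
          key: username
    - name: GRAVITEE_REPORTERS_ELASTICSEARCH_SECURITY_PASSWORD
      valueFrom:
        secretKeyRef:
          name: gravitee-es-master-credentials
          key: password
    # Must stay above JAVA_OPTS: Kubernetes only expands $(VAR) for variables
    # declared earlier in this list.
    - name: JKS_PASSWORD
      valueFrom:
        secretKeyRef:
          name: gravitee-jks-password
          key: password
    - name: GRAVITEE_API_PROPERTIES_ENCRYPTION_SECRET
      valueFrom:
        secretKeyRef:
          name: gravitee-encryption
          key: api-properties-encryption-secret
    # Truststore for outbound TLS (Mongo/Elasticsearch). Folded scalar: this is
    # one line at runtime. Note that JVM system properties, including the
    # truststore password, are visible in the container's process arguments.
    - name: JAVA_OPTS
      value: >-
        -Djavax.net.ssl.trustStoreType=PKCS12
        -Djavax.net.ssl.trustStore=/run/secrets/tls/truststore.p12
        -Djavax.net.ssl.trustStorePassword=$(JKS_PASSWORD)

  # HTTPS on the gateway listener (port 8082); keystore password is a
  # placeholder for the JKS_PASSWORD env var (see header note).
  ssl:
    enabled: true
    keystore:
      type: pkcs12
      path: /run/secrets/tls/keystore.p12
      password: "${JKS_PASSWORD}"

  resources:
    requests:
      cpu: 200m
      memory: 512Mi
    limits:
      cpu: 1000m
      memory: 1Gi

  service:
    type: ClusterIP
    externalPort: 443
    internalPort: 8082

  ingress:
    enabled: true
    ingressClassName: nginx
    annotations:
      nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
      # Re-encrypt to the pod and verify its certificate against the CA bundle
      # (ca.crt) in Secret gravitee-apim/gravitee-ca-trust.
      nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
      nginx.ingress.kubernetes.io/proxy-ssl-secret: "gravitee-apim/gravitee-ca-trust"
      # Hostname the backend certificate is verified against. Set via the
      # dedicated annotation instead of a configuration-snippet: snippet
      # annotations are disabled by default in current ingress-nginx releases,
      # and a rejected or ignored snippet would leave verification without the
      # intended name (Ingress refused by the admission webhook, or 502s).
      nginx.ingress.kubernetes.io/proxy-ssl-name: "gateway.gravitee.sttlab.pc"
    hosts:
      - gateway.gravitee.sttlab.pc
    path: /
    pathType: Prefix
    tls:
      - hosts:
          - gateway.gravitee.sttlab.pc
        secretName: gateway-tls

  autoscaling:
    enabled: false

# ============================================================
# Management API (control plane) - 1 replica
# ============================================================
api:
  enabled: true
  replicaCount: 1

  # Same layout as the gateway: internal keystore + truststore from Secret
  # api-internal-tls, mounted read-only.
  extraVolumes: |
    - name: api-internal-tls
      secret:
        secretName: api-internal-tls
        items:
          - key: keystore.p12
            path: keystore.p12
          - key: truststore.p12
            path: truststore.p12
  extraVolumeMounts: |
    - name: api-internal-tls
      mountPath: /run/secrets/tls
      readOnly: true

  env:
    - name: GRAVITEE_MANAGEMENT_MONGODB_URI
      valueFrom:
        secretKeyRef:
          name: gravitee-mongodb-uri
          key: GRAVITEE_MANAGEMENT_MONGODB_URI
    - name: GRAVITEE_RATELIMIT_MONGODB_URI
      valueFrom:
        secretKeyRef:
          name: gravitee-mongodb-uri
          key: GRAVITEE_RATELIMIT_MONGODB_URI
    - name: GRAVITEE_ANALYTICS_ELASTICSEARCH_ENDPOINTS_0
      value: "https://gravitee-es-master.gravitee-apim.svc.cluster.local:9200"
    - name: GRAVITEE_ANALYTICS_ELASTICSEARCH_SECURITY_ENABLED
      value: "true"
    # Signs management-API tokens; rotate it from the Secret, never inline it.
    - name: GRAVITEE_JWT_SECRET
      valueFrom:
        secretKeyRef:
          name: gravitee-jwt
          key: GRAVITEE_JWT_SECRET
    # Source for the top-level adminPasswordBcrypt placeholder.
    - name: GRAVITEE_ADMIN_PASSWORD_BCRYPT
      valueFrom:
        secretKeyRef:
          name: gravitee-admin
          key: admin-password-bcrypt
    - name: GRAVITEE_ANALYTICS_ELASTICSEARCH_SECURITY_USERNAME
      valueFrom:
        secretKeyRef:
          name: gravitee-es-master-credentials
          key: username
    - name: GRAVITEE_ANALYTICS_ELASTICSEARCH_SECURITY_PASSWORD
      valueFrom:
        secretKeyRef:
          name: gravitee-es-master-credentials
          key: password
    # Must stay above JAVA_OPTS (dependent $(VAR) expansion, see gateway).
    - name: JKS_PASSWORD
      valueFrom:
        secretKeyRef:
          name: gravitee-jks-password
          key: password
    - name: GRAVITEE_API_PROPERTIES_ENCRYPTION_SECRET
      valueFrom:
        secretKeyRef:
          name: gravitee-encryption
          key: api-properties-encryption-secret
    # Folded scalar: one line at runtime. Password is visible in the JVM's
    # process arguments inside the container.
    - name: JAVA_OPTS
      value: >-
        -Djavax.net.ssl.trustStoreType=PKCS12
        -Djavax.net.ssl.trustStore=/run/secrets/tls/truststore.p12
        -Djavax.net.ssl.trustStorePassword=$(JKS_PASSWORD)

  # Core technical API on 18083, bound to all pod interfaces. It is not exposed
  # through an Ingress here, but any pod in the cluster can reach it unless a
  # NetworkPolicy restricts it.
  http:
    services:
      core:
        http:
          enabled: true
          port: 18083
          host: 0.0.0.0

  # Enable HTTPS on Management API + Portal API listeners.
  # NOTE(review): nesting reconstructed - see header note.
  ssl:
    enabled: true
    keystore:
      type: pkcs12
      path: /run/secrets/tls/keystore.p12
      password: "${JKS_PASSWORD}"

  resources:
    requests:
      cpu: 200m
      memory: 2Gi
    limits:
      cpu: 1000m
      memory: 2Gi

  ingress:
    management:
      enabled: true
      ingressClassName: nginx
      annotations:
        nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
        nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
        nginx.ingress.kubernetes.io/proxy-ssl-secret: "gravitee-apim/gravitee-ca-trust"
        # Dedicated annotation instead of a configuration-snippet (see gateway).
        nginx.ingress.kubernetes.io/proxy-ssl-name: "api.gravitee.sttlab.pc"
      path: /management
      pathType: Prefix
      hosts:
        - api.gravitee.sttlab.pc
      tls:
        - hosts:
            - api.gravitee.sttlab.pc
          secretName: api-tls
    portal:
      enabled: true
      ingressClassName: nginx
      annotations:
        nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
        nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
        nginx.ingress.kubernetes.io/proxy-ssl-secret: "gravitee-apim/gravitee-ca-trust"
        # Dedicated annotation instead of a configuration-snippet (see gateway).
        nginx.ingress.kubernetes.io/proxy-ssl-name: "api.gravitee.sttlab.pc"
      path: /portal
      pathType: Prefix
      hosts:
        - api.gravitee.sttlab.pc
      tls:
        - hosts:
            - api.gravitee.sttlab.pc
          secretName: api-tls

# ============================================================
# Management UI (Console) - 1 replica
# ============================================================
ui:
  enabled: true
  replicaCount: 1

  resources:
    requests:
      cpu: 100m
      memory: 128Mi
    limits:
      cpu: 500m
      memory: 256Mi

  ingress:
    enabled: true
    ingressClassName: nginx
    annotations:
      nginx.ingress.kubernetes.io/use-regex: "true"
    hosts:
      - console.gravitee.sttlab.pc
    # NOTE(review): unlike the portal below there is no rewrite-target, so the
    # request URI is forwarded unchanged - confirm this is intended.
    path: /(.*)
    pathType: ImplementationSpecific
    tls:
      - hosts:
          - console.gravitee.sttlab.pc
        secretName: console-tls

# ============================================================
# Developer Portal UI - 1 replica
# ============================================================
portal:
  enabled: true
  replicaCount: 1

  resources:
    requests:
      cpu: 100m
      memory: 128Mi
    limits:
      cpu: 500m
      memory: 256Mi

  ingress:
    enabled: true
    ingressClassName: nginx
    annotations:
      nginx.ingress.kubernetes.io/use-regex: "true"
      # Strips nothing in practice (/(.*) -> /$1) but makes the rewrite explicit.
      nginx.ingress.kubernetes.io/rewrite-target: /$1
    hosts:
      - portal.gravitee.sttlab.pc
    path: /(.*)
    pathType: ImplementationSpecific
    tls:
      - hosts:
          - portal.gravitee.sttlab.pc
        secretName: portal-tls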