# Gravitee APIM OSS - prod-like single-node k3s deployment
# - Domain: gravitee.sttlab.pc
# - Ingress: nginx
# - TLS everywhere (ingress + internal component HTTPS)
# - Credentials sourced from pre-created secrets
#
# NOTE(review): this file was reconstructed from a whitespace-collapsed copy;
# key nesting follows the Helm chart's documented layout where the source was
# ambiguous (api.ssl vs api.http.ssl in particular) — TODO confirm against the
# chart's values.yaml before applying.

# Built-in admin account. The bcrypt hash is not stored here: the placeholder
# is expected to resolve at runtime from the GRAVITEE_ADMIN_PASSWORD_BCRYPT
# env var, which api.deployment.env below takes from the gravitee-admin secret.
# Assumes Gravitee resolves ${VAR} placeholders from the container environment
# — TODO confirm (the same mechanism is relied on for the keystore passwords).
adminAccountEnable: true
adminPasswordBcrypt: "${GRAVITEE_ADMIN_PASSWORD_BCRYPT}"

# External MongoDB — URI injected at runtime via GRAVITEE_MANAGEMENT/RATELIMIT_MONGODB_URI
# from the gravitee-mongodb-uri secret (see deployment.envFrom below)
# The host/name/port below are therefore the fallback rendered into the
# ConfigMap; the authoritative connection string (incl. credentials) lives in
# the secret only.
mongo:
  dbhost: mongodb.gravitee-apim.svc.cluster.local
  dbname: gravitee
  dbport: 27017
  rsEnabled: false

# External Elasticsearch (HTTPS + basic auth)
# Password injected at runtime via env var from gravitee-es-master-credentials secret
# password is intentionally an empty string so no credential is rendered into
# the ConfigMap; the gateway/api env entries below override it.
es:
  endpoints:
    - https://gravitee-es-master.gravitee-apim.svc.cluster.local:9200
  security:
    enabled: true
    username: elastic
    password: ""

# ============================================================
# API Gateway (data plane) - 2 replicas
# ============================================================
gateway:
  enabled: true
  replicaCount: 2
  # Mount CA bundle and internal server cert
  # Rendered as raw YAML via the chart (block scalar), so indentation inside
  # must stay valid on its own.
  extraVolumes: |
    - name: gravitee-ca
      secret:
        secretName: gravitee-ca-tls
        items:
          - key: ca.crt
            path: ca.crt
    - name: gateway-internal-tls
      secret:
        secretName: gateway-internal-tls
    - name: es-truststore
      secret:
        secretName: elasticsearch-tls
        items:
          - key: truststore.jks
            path: truststore.jks
  # All secret mounts are read-only; paths are referenced by ssl.keystore.path
  # and by JAVA_OPTS below.
  extraVolumeMounts: |
    - name: gravitee-ca
      mountPath: /run/secrets/ca
      readOnly: true
    - name: gateway-internal-tls
      mountPath: /run/secrets/tls
      readOnly: true
    - name: es-truststore
      mountPath: /run/secrets/truststore
      readOnly: true
  deployment:
    # Mongo URI (with credentials) comes in as env vars from the secret.
    envFrom:
      - secretRef:
          name: gravitee-mongodb-uri
    env:
      - name: GRAVITEE_REPORTERS_ELASTICSEARCH_SECURITY_PASSWORD
        valueFrom:
          secretKeyRef:
            name: gravitee-es-master-credentials
            key: password
      # JKS_PASSWORD must be declared before JAVA_OPTS: Kubernetes only expands
      # $(VAR) references to env vars defined earlier in this list.
      - name: JKS_PASSWORD
        valueFrom:
          secretKeyRef:
            name: gravitee-jks-password
            key: password
      # NOTE(review): the truststore password ends up on the JVM command line
      # and is therefore readable from the process list inside the container
      # (/proc/<pid>/cmdline). A truststore password only protects integrity,
      # so this is low impact, but it is the same secret as the keystore
      # password here — consider a separate, low-value truststore password.
      - name: JAVA_OPTS
        value: "-Djavax.net.ssl.trustStore=/run/secrets/truststore/truststore.jks -Djavax.net.ssl.trustStorePassword=$(JKS_PASSWORD)"
  # Enable HTTPS on the gateway listener (port 8082)
  # Keystore password is resolved at runtime from the JKS_PASSWORD env var
  # above — TODO confirm placeholder resolution (see adminPasswordBcrypt note).
  ssl:
    enabled: true
    keystore:
      type: pkcs12
      path: /run/secrets/tls/keystore.p12
      password: "${JKS_PASSWORD}"
  resources:
    requests:
      cpu: 200m
      memory: 512Mi
    limits:
      cpu: 1000m
      memory: 1Gi
  service:
    type: ClusterIP
    externalPort: 443
    internalPort: 8082
  ingress:
    enabled: true
    ingressClassName: nginx
    annotations:
      # Gateway already terminates TLS internally; nginx forwards as HTTPS
      nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
      # NOTE(review): with verification off, the ingress -> gateway hop is
      # encrypted but the backend certificate is not authenticated, so the
      # "TLS everywhere" goal only holds for confidentiality on this hop.
      # The gravitee-ca-tls secret mounted above already carries the issuing
      # CA (ca.crt); to close the gap, switch this to "on" and point
      # nginx.ingress.kubernetes.io/proxy-ssl-secret at that secret, with
      # nginx.ingress.kubernetes.io/proxy-ssl-name matching the SAN in
      # gateway-internal-tls — TODO confirm the SAN before enabling, or the
      # ingress will start returning errors. Same applies to the two
      # api.ingress annotations below.
      nginx.ingress.kubernetes.io/proxy-ssl-verify: "off"
    hosts:
      - gateway.gravitee.sttlab.pc
    path: /
    pathType: Prefix
    tls:
      - hosts:
          - gateway.gravitee.sttlab.pc
        secretName: gateway-tls
  autoscaling:
    enabled: false

# ============================================================
# Management API (control plane) - 1 replica
# ============================================================
api:
  enabled: true
  replicaCount: 1
  # Same CA bundle and truststore as the gateway; server cert is the API's own.
  extraVolumes: |
    - name: gravitee-ca
      secret:
        secretName: gravitee-ca-tls
        items:
          - key: ca.crt
            path: ca.crt
    - name: api-internal-tls
      secret:
        secretName: api-internal-tls
    - name: es-truststore
      secret:
        secretName: elasticsearch-tls
        items:
          - key: truststore.jks
            path: truststore.jks
  extraVolumeMounts: |
    - name: gravitee-ca
      mountPath: /run/secrets/ca
      readOnly: true
    - name: api-internal-tls
      mountPath: /run/secrets/tls
      readOnly: true
    - name: es-truststore
      mountPath: /run/secrets/truststore
      readOnly: true
  deployment:
    # Mongo URI and the JWT signing material both come from secrets, never
    # from values.
    envFrom:
      - secretRef:
          name: gravitee-mongodb-uri
      - secretRef:
          name: gravitee-jwt
    env:
      # Feeds the ${GRAVITEE_ADMIN_PASSWORD_BCRYPT} placeholder at the top of
      # this file.
      - name: GRAVITEE_ADMIN_PASSWORD_BCRYPT
        valueFrom:
          secretKeyRef:
            name: gravitee-admin
            key: admin-password-bcrypt
      - name: GRAVITEE_ANALYTICS_ELASTICSEARCH_SECURITY_PASSWORD
        valueFrom:
          secretKeyRef:
            name: gravitee-es-master-credentials
            key: password
      # Must precede JAVA_OPTS for $(JKS_PASSWORD) to expand.
      - name: JKS_PASSWORD
        valueFrom:
          secretKeyRef:
            name: gravitee-jks-password
            key: password
      # NOTE(review): truststore password is visible on the JVM command line
      # (see the gateway note).
      - name: JAVA_OPTS
        value: "-Djavax.net.ssl.trustStore=/run/secrets/truststore/truststore.jks -Djavax.net.ssl.trustStorePassword=$(JKS_PASSWORD)"
  http:
    services:
      core:
        # Internal "technical" API of the Management API.
        # NOTE(review): host 0.0.0.0 binds it on the pod network rather than
        # loopback, so anything that can reach the pod on 18083 can talk to
        # it. No authentication settings are given here, so the chart's
        # defaults for this endpoint would apply — TODO confirm what those
        # are and that they are overridden, or bind to localhost if nothing
        # in-cluster needs this port.
        http:
          enabled: true
          port: 18083
          host: 0.0.0.0
  # Enable HTTPS on Management API + Portal API listeners
  # NOTE(review): placed at api.ssl to mirror gateway.ssl; the collapsed
  # source did not preserve whether this sat under api.http instead —
  # TODO confirm against the chart.
  ssl:
    enabled: true
    keystore:
      type: pkcs12
      path: /run/secrets/tls/keystore.p12
      password: "${JKS_PASSWORD}"
  resources:
    requests:
      cpu: 200m
      memory: 768Mi
    limits:
      cpu: 1000m
      memory: 2Gi
  # Two ingresses on the same host/TLS secret, split by path prefix.
  ingress:
    management:
      enabled: true
      ingressClassName: nginx
      annotations:
        nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
        # NOTE(review): backend cert not verified — see gateway.ingress note.
        nginx.ingress.kubernetes.io/proxy-ssl-verify: "off"
      path: /management
      pathType: Prefix
      hosts:
        - api.gravitee.sttlab.pc
      tls:
        - hosts:
            - api.gravitee.sttlab.pc
          secretName: api-tls
    portal:
      enabled: true
      ingressClassName: nginx
      annotations:
        nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
        # NOTE(review): backend cert not verified — see gateway.ingress note.
        nginx.ingress.kubernetes.io/proxy-ssl-verify: "off"
      path: /portal
      pathType: Prefix
      hosts:
        - api.gravitee.sttlab.pc
      tls:
        - hosts:
            - api.gravitee.sttlab.pc
          secretName: api-tls

# ============================================================
# Management UI (Console) - 1 replica
# ============================================================
# Static UI: no backend-protocol annotation, so nginx talks plain HTTP to the
# pod (as visible here; the UI deployment itself is not configured for TLS in
# this file).
ui:
  enabled: true
  replicaCount: 1
  resources:
    requests:
      cpu: 100m
      memory: 128Mi
    limits:
      cpu: 500m
      memory: 256Mi
  ingress:
    enabled: true
    ingressClassName: nginx
    annotations:
      # Regex path; unlike the portal below there is no rewrite-target, so the
      # request URI is forwarded unchanged — presumably intentional, verify
      # the two UIs really need different handling.
      nginx.ingress.kubernetes.io/use-regex: "true"
    hosts:
      - console.gravitee.sttlab.pc
    path: /(.*)
    pathType: ImplementationSpecific
    tls:
      - hosts:
          - console.gravitee.sttlab.pc
        secretName: console-tls

# ============================================================
# Developer Portal UI - 1 replica
# ============================================================
portal:
  enabled: true
  replicaCount: 1
  resources:
    requests:
      cpu: 100m
      memory: 128Mi
    limits:
      cpu: 500m
      memory: 256Mi
  ingress:
    enabled: true
    ingressClassName: nginx
    annotations:
      nginx.ingress.kubernetes.io/use-regex: "true"
      # Rewrites the captured group back to the same path (effectively a
      # no-op for /(.*)); kept as written.
      nginx.ingress.kubernetes.io/rewrite-target: /$1
    hosts:
      - portal.gravitee.sttlab.pc
    path: /(.*)
    pathType: ImplementationSpecific
    tls:
      - hosts:
          - portal.gravitee.sttlab.pc
        secretName: portal-tls