infra-gravitee-apim/apim-values.yml

# Gravitee APIM OSS - prod-like single-node k3s deployment
# - Domain: gravitee.sttlab.pc
# - Ingress: nginx
# - TLS everywhere (ingress + internal component HTTPS)
# - Credentials sourced from pre-created secrets
# Admin account switch and its bcrypt password hash. The hash is not written
# here; the value is a "${...}" placeholder.
adminAccountEnable: true
# Neither YAML nor Helm expands "${...}", so this string reaches the rendered
# configuration as-is. An environment variable of the same name is defined on
# the api component from the secret gravitee-admin.
# NOTE(review): presumably the application (or a pre-processing step such as
# envsubst) resolves the placeholder - confirm against the rendered config
# that the literal text is never stored as the hash.
adminPasswordBcrypt: "${GRAVITEE_ADMIN_PASSWORD_BCRYPT}"
# ============================================================
# API Gateway (data plane) - 2 replicas
# ============================================================
# Data-plane gateway: two fixed replicas, HTTPS on the pod listener, and an
# nginx ingress that re-encrypts to the pod and verifies its certificate.
gateway:
  enabled: true
  replicaCount: 2
  # Block scalars: both values are strings holding YAML, not YAML lists.
  # Keystore and truststore are projected from the pre-created secret
  # gateway-internal-tls; only the two listed keys are mounted.
  extraVolumes: |
    - name: gateway-internal-tls
      secret:
        secretName: gateway-internal-tls
        items:
          - key: keystore.p12
            path: keystore.p12
          - key: truststore.p12
            path: truststore.p12
  extraVolumeMounts: |
    - name: gateway-internal-tls
      mountPath: /run/secrets/tls
      readOnly: true
  env:
    # Both MongoDB URIs are read from the secret gravitee-mongodb-uri, so no
    # connection string appears in this file.
    - name: GRAVITEE_MANAGEMENT_MONGODB_URI
      valueFrom:
        secretKeyRef:
          name: gravitee-mongodb-uri
          key: GRAVITEE_MANAGEMENT_MONGODB_URI
    - name: GRAVITEE_RATELIMIT_MONGODB_URI
      valueFrom:
        secretKeyRef:
          name: gravitee-mongodb-uri
          key: GRAVITEE_RATELIMIT_MONGODB_URI
    # Reporter target: Elasticsearch over HTTPS, with credentials taken from
    # the secret gravitee-es-master-credentials.
    - name: GRAVITEE_REPORTERS_ELASTICSEARCH_ENDPOINTS_0
      value: "https://gravitee-es-master.gravitee-apim.svc.cluster.local:9200"
    - name: GRAVITEE_REPORTERS_ELASTICSEARCH_SECURITY_ENABLED
      value: "true"
    - name: GRAVITEE_REPORTERS_ELASTICSEARCH_SECURITY_USERNAME
      valueFrom:
        secretKeyRef:
          name: gravitee-es-master-credentials
          key: username
    - name: GRAVITEE_REPORTERS_ELASTICSEARCH_SECURITY_PASSWORD
      valueFrom:
        secretKeyRef:
          name: gravitee-es-master-credentials
          key: password
    # Must stay above JAVA_OPTS: Kubernetes only expands $(VAR) references to
    # variables defined earlier in the same env list.
    - name: JKS_PASSWORD
      valueFrom:
        secretKeyRef:
          name: gravitee-jks-password
          key: password
    # JVM-wide truststore for outbound TLS. After $(JKS_PASSWORD) expansion the
    # password is part of this variable's value and, once passed to the JVM,
    # of the process arguments, so it is readable by anything that can inspect
    # the container's environment or command line.
    # NOTE(review): the same secret also unlocks keystore.p12 (see ssl below),
    # which holds the private key - consider a separate truststore password.
    - name: JAVA_OPTS
      value: "-Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStore=/run/secrets/tls/truststore.p12 -Djavax.net.ssl.trustStorePassword=$(JKS_PASSWORD)"
  # Enable HTTPS on the gateway listener (port 8082)
  ssl:
    enabled: true
    keystore:
      type: pkcs12
      path: /run/secrets/tls/keystore.p12
      # "${...}" is a different syntax from the $(...) used in env above and
      # is not expanded by Kubernetes or Helm.
      # NOTE(review): presumably resolved by the application from the
      # JKS_PASSWORD environment variable - confirm.
      password: "${JKS_PASSWORD}"
  resources:
    requests:
      cpu: 200m
      memory: 512Mi
    limits:
      cpu: 1000m
      memory: 1Gi
  # Cluster-internal service only; external traffic enters through the ingress.
  service:
    type: ClusterIP
    externalPort: 443
    internalPort: 8082
  ingress:
    enabled: true
    ingressClassName: nginx
    annotations:
      # Re-encrypt to the pod and verify its certificate against the CA stored
      # in the secret gravitee-apim/gravitee-ca-trust (namespace/name).
      nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
      nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
      nginx.ingress.kubernetes.io/proxy-ssl-secret: "gravitee-apim/gravitee-ca-trust"
      # Sets the name the backend certificate is verified against, so the
      # certificate in keystore.p12 has to carry this host name.
      # NOTE(review): snippet annotations only take effect when the controller
      # allows them, and recent ingress-nginx releases disable them by default
      # because they let an Ingress author inject arbitrary nginx config. The
      # dedicated annotation nginx.ingress.kubernetes.io/proxy-ssl-name sets
      # the same directive without enabling snippets.
      nginx.ingress.kubernetes.io/configuration-snippet: |
        proxy_ssl_name gateway.gravitee.sttlab.pc;
    hosts:
      - gateway.gravitee.sttlab.pc
    path: /
    pathType: Prefix
    # Edge certificate for the public host name, from the secret gateway-tls.
    tls:
      - hosts:
          - gateway.gravitee.sttlab.pc
        secretName: gateway-tls
  # Autoscaling is off, so the replica count stays at the value set above.
  autoscaling:
    enabled: false
# ============================================================
# Management API (control plane) - 1 replica
# ============================================================
# Control-plane Management API: one replica, HTTPS on the pod listener, and two
# nginx ingresses (/management and /portal) on the same host and certificate.
api:
  enabled: true
  replicaCount: 1
  # Block scalars: both values are strings holding YAML, not YAML lists.
  # Keystore and truststore are projected from the pre-created secret
  # api-internal-tls; only the two listed keys are mounted.
  extraVolumes: |
    - name: api-internal-tls
      secret:
        secretName: api-internal-tls
        items:
          - key: keystore.p12
            path: keystore.p12
          - key: truststore.p12
            path: truststore.p12
  extraVolumeMounts: |
    - name: api-internal-tls
      mountPath: /run/secrets/tls
      readOnly: true
  env:
    # Both MongoDB URIs are read from the secret gravitee-mongodb-uri, so no
    # connection string appears in this file.
    - name: GRAVITEE_MANAGEMENT_MONGODB_URI
      valueFrom:
        secretKeyRef:
          name: gravitee-mongodb-uri
          key: GRAVITEE_MANAGEMENT_MONGODB_URI
    - name: GRAVITEE_RATELIMIT_MONGODB_URI
      valueFrom:
        secretKeyRef:
          name: gravitee-mongodb-uri
          key: GRAVITEE_RATELIMIT_MONGODB_URI
    # Analytics source: Elasticsearch over HTTPS with security enabled; the
    # matching username and password entries follow further down the list.
    - name: GRAVITEE_ANALYTICS_ELASTICSEARCH_ENDPOINTS_0
      value: "https://gravitee-es-master.gravitee-apim.svc.cluster.local:9200"
    - name: GRAVITEE_ANALYTICS_ELASTICSEARCH_SECURITY_ENABLED
      value: "true"
    # JWT secret and the admin bcrypt hash are both injected from secrets.
    - name: GRAVITEE_JWT_SECRET
      valueFrom:
        secretKeyRef:
          name: gravitee-jwt
          key: GRAVITEE_JWT_SECRET
    - name: GRAVITEE_ADMIN_PASSWORD_BCRYPT
      valueFrom:
        secretKeyRef:
          name: gravitee-admin
          key: admin-password-bcrypt
    - name: GRAVITEE_ANALYTICS_ELASTICSEARCH_SECURITY_USERNAME
      valueFrom:
        secretKeyRef:
          name: gravitee-es-master-credentials
          key: username
    - name: GRAVITEE_ANALYTICS_ELASTICSEARCH_SECURITY_PASSWORD
      valueFrom:
        secretKeyRef:
          name: gravitee-es-master-credentials
          key: password
    # Must stay above JAVA_OPTS: Kubernetes only expands $(VAR) references to
    # variables defined earlier in the same env list.
    - name: JKS_PASSWORD
      valueFrom:
        secretKeyRef:
          name: gravitee-jks-password
          key: password
    # JVM-wide truststore for outbound TLS. After $(JKS_PASSWORD) expansion the
    # password is part of this variable's value and, once passed to the JVM,
    # of the process arguments, so it is readable by anything that can inspect
    # the container's environment or command line.
    # NOTE(review): the same secret also unlocks keystore.p12 (see ssl below),
    # which holds the private key - consider a separate truststore password.
    - name: JAVA_OPTS
      value: "-Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStore=/run/secrets/tls/truststore.p12 -Djavax.net.ssl.trustStorePassword=$(JKS_PASSWORD)"
  # Enable HTTPS on Management API + Portal API listeners
  # The "core" service below is a separate listener on port 18083, bound to
  # every interface of the pod (0.0.0.0).
  # NOTE(review): no authentication or TLS settings for this listener appear in
  # this file. Presumably it is the component's internal technical API -
  # confirm its credentials are not left at the chart default and that the
  # port is only reachable by the workloads that need it.
  http:
    services:
      core:
        http:
          enabled: true
          port: 18083
          host: 0.0.0.0
  # NOTE(review): placed at api level; the listing lost its indentation, so
  # confirm this nesting against the original file.
  ssl:
    enabled: true
    keystore:
      type: pkcs12
      path: /run/secrets/tls/keystore.p12
      # "${...}" is a different syntax from the $(...) used in env above and
      # is not expanded by Kubernetes or Helm.
      # NOTE(review): presumably resolved by the application from the
      # JKS_PASSWORD environment variable - confirm.
      password: "${JKS_PASSWORD}"
  resources:
    requests:
      cpu: 200m
      memory: 768Mi
    limits:
      cpu: 1000m
      memory: 2Gi
  ingress:
    # /management on api.gravitee.sttlab.pc.
    # NOTE(review): no source-address restriction appears on this ingress;
    # confirm the administrative API is meant to be reachable by every client
    # that can reach the ingress controller.
    management:
      enabled: true
      ingressClassName: nginx
      annotations:
        # Re-encrypt to the pod and verify its certificate against the CA in
        # the secret gravitee-apim/gravitee-ca-trust (namespace/name).
        nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
        nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
        nginx.ingress.kubernetes.io/proxy-ssl-secret: "gravitee-apim/gravitee-ca-trust"
        # Sets the name the backend certificate is verified against.
        # NOTE(review): snippet annotations only take effect when the
        # controller allows them, and recent ingress-nginx releases disable
        # them by default. The dedicated annotation
        # nginx.ingress.kubernetes.io/proxy-ssl-name sets the same directive
        # without enabling snippets.
        nginx.ingress.kubernetes.io/configuration-snippet: |
          proxy_ssl_name api.gravitee.sttlab.pc;
      path: /management
      pathType: Prefix
      hosts:
        - api.gravitee.sttlab.pc
      tls:
        - hosts:
            - api.gravitee.sttlab.pc
          secretName: api-tls
    # /portal on the same host, with the same annotations and the same edge
    # certificate (api-tls) as the management ingress.
    portal:
      enabled: true
      ingressClassName: nginx
      annotations:
        nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
        nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
        nginx.ingress.kubernetes.io/proxy-ssl-secret: "gravitee-apim/gravitee-ca-trust"
        # Same snippet as on the management ingress; the same controller
        # setting and the same proxy-ssl-name alternative apply.
        nginx.ingress.kubernetes.io/configuration-snippet: |
          proxy_ssl_name api.gravitee.sttlab.pc;
      path: /portal
      pathType: Prefix
      hosts:
        - api.gravitee.sttlab.pc
      tls:
        - hosts:
            - api.gravitee.sttlab.pc
          secretName: api-tls
# ============================================================
# Management UI (Console) - 1 replica
# ============================================================
# Management console: one replica behind an nginx ingress on
# console.gravitee.sttlab.pc, with the edge certificate from console-tls.
ui:
  enabled: true
  replicaCount: 1
  resources:
    requests:
      cpu: 100m
      memory: 128Mi
    limits:
      cpu: 500m
      memory: 256Mi
  ingress:
    enabled: true
    ingressClassName: nginx
    annotations:
      # Needed because the path below is a regular expression.
      # NOTE(review): unlike the gateway and api ingresses, no backend-protocol
      # or proxy-ssl-* annotation is set here, so ingress-nginx uses its
      # default backend protocol (plain HTTP) between controller and pod.
      # Confirm this matches the "internal component HTTPS" goal stated in the
      # file header.
      nginx.ingress.kubernetes.io/use-regex: "true"
    hosts:
      - console.gravitee.sttlab.pc
    # Regex path, hence ImplementationSpecific rather than Prefix.
    path: /(.*)
    pathType: ImplementationSpecific
    tls:
      - hosts:
          - console.gravitee.sttlab.pc
        secretName: console-tls
# ============================================================
# Developer Portal UI - 1 replica
# ============================================================
# Developer portal UI: one replica behind an nginx ingress on
# portal.gravitee.sttlab.pc, with the edge certificate from portal-tls.
portal:
  enabled: true
  replicaCount: 1
  resources:
    requests:
      cpu: 100m
      memory: 128Mi
    limits:
      cpu: 500m
      memory: 256Mi
  ingress:
    enabled: true
    ingressClassName: nginx
    annotations:
      # The path below is a regular expression; its single capture group is
      # handed back unchanged as the upstream path by rewrite-target.
      # NOTE(review): unlike the gateway and api ingresses, no backend-protocol
      # or proxy-ssl-* annotation is set here, so ingress-nginx uses its
      # default backend protocol (plain HTTP) between controller and pod.
      # Confirm this matches the "internal component HTTPS" goal stated in the
      # file header.
      nginx.ingress.kubernetes.io/use-regex: "true"
      nginx.ingress.kubernetes.io/rewrite-target: /$1
    hosts:
      - portal.gravitee.sttlab.pc
    # Regex path, hence ImplementationSpecific rather than Prefix.
    path: /(.*)
    pathType: ImplementationSpecific
    tls:
      - hosts:
          - portal.gravitee.sttlab.pc
        secretName: portal-tls