install-on-kubernetes.md

description
How to install Gravitee API Management on Kubernetes

Installing Gravitee API Management on Kubernetes

Introduction

This page describes how to install APIM on any Kubernetes environment using the official Gravitee Helm Chart.

{% hint style="info" %} For more information about Helm charts, go to Helm Docs. {% endhint %}

The APIM Helm chart deploys the following components:

• APIM Management API
• APIM Management Console
• APIM Developer Portal
• APIM Gateway
• MongoDB replica set or PostgresSQL
• Elasticsearch Cluster

Installing Gravitee API Management

Prerequisites

You must install the following command line tools:

• Kubectl
• Helm v3

Installation steps

1. Add the Gravitee Helm chart repo using the following command:

   helm repo add graviteeio https://helm.gravitee.io
   

2. Install the Helm chart to a dedicated namespace using the following command:

   {% code overflow="wrap" %}

   helm install graviteeio-apim4x graviteeio/apim --create-namespace --namespace gravitee-apim

   {% endcode %}

{% hint style="info" %} Installation tips

• Specify each parameter using either of the following methods:
  • Specify each parameter using the following command:helm install and the --set key=value[,key=value].
  • Provide a YAML file that specifics the values for the parameters when you install the Helm chart. For example,

helm install my-release -f values.yaml gravitee

{% endhint %}

Configuring the application settings

By default, the Helm chart creates a ServiceAccount that enables Gravitee API Management (APIM) to connect to the Kubernetes API. This connection allows Kubernetes ConfigMaps and Secrets to initialize Gravitee settings.

Roles enable use of the service account, which has the following characteristics:

• The service account created does not have a cluster role. The Helm chart includes an option to configure the service account to use a cluster role.
• To access a Secret, create a role within your namespace.
• To access a Secret after you deployed in another namespace, create another role in the other namespace. The two roles can have the same name. Each role provides access to only the namespace where you created the role.

{% hint style="info" %} For more information about roles, go to Role and ClusterRole. {% endhint %}

To define the application settings, complete the following settings:

• Ensure that you enable the kubernetes plugin, and then define the Secret settings using the following command: secrets://kubernetes/mysecret:key?namespace=ns.

{% hint style="warning" %} This syntax applies to only Gravitee versions 4.2 and later. {% endhint %}

• Define the ConfigMap settings using the following command: kubernetes://<namespace>/configmaps/<my-configmap-name>/<my-configmap-key>

Configuration types

{% tabs %} {% tab title="Development deployment" %} Here is the minimum value-light.yml configuration required by a development deployment.

• To deploy the development deployment, change the domain value, and then run the following command:

{% hint style="warning" %} Do not use value-light.yml in production. {% endhint %}

helm install gravitee-apim graviteeio/apim -f value-light.yml

# Deploy an elasticsearch cluster.
elasticsearch:
  enabled: true

# Elasticsearch uri, do not change.
es:
  endpoints:
    - http://graviteeio-apim-elasticsearch-ingest-hl:9200

# Deploy a mongoDB cluster.
mongodb:
  enabled: true

# MongoDB uri, do not change.
mongo:
  uri: mongodb://graviteeio-apim-mongodb-replicaset-headless:27017/gravitee?replicaset=rs0&connectTimeoutMS=30000

# Change the ingress host with your host domain.
# no TLS provided here. Check the documentation if needed.
api:
  ingress:
    management:
      hosts:
        - management-api.mydomain.com
    portal:
      hosts:
        - management-api.mydomain.com

# Change the ingress host with your host domain.
# no TLS provided here. Check the documentation if needed.
gateway:
  ingress:
    hosts:
      - gateway.mydomain.com

# Change the ingress host with your host domain.
# no TLS provided here. Check the documentation if needed.
portal:
  ingress:
    hosts:
      - portal.mydomain.com

# Change the ingress host with your host domain.
# no TLS provided here. Check the documentation if needed.
ui:
  ingress:
    hosts:
      - management-ui.mydomain.com

{% endtab %}

{% tab title="External configuration" %}

• To use an external configuration file, for example thegravitee.yaml for the Gateway or API management, add the following code to the Helm Chart:

extraVolumes: |
    - name: config
      configMap:
        name: gravitee-config-configmap-name

{% hint style="warning" %} External configuration files are available for only the following Hellm Chart versions:

• AE Helm Charts 1.1.42 and later
• AM Helm Charts 1.0.53 and later
• APIM Helm Charts 3.1.60 and later {% endhint %} {% endtab %}

{% tab title="Shared configuration" %} To configure the following features, complete the following steps:

• To configure Chaos testing, see the chaoskube chart.
• To configure the Configuration database, see the mongodb chart.
• To configure the Logs database, see the elasticsearch chart.

Parameter	Description	Default
chaos.enabled	Enable Chaos test	false
inMemoryAuth.enabled	Enable oauth login	true
ldap.enabled	Enable LDAP login	false

{% endtab %} {% endtabs %}

Configuring your database options

{% tabs %} {% tab title="MongoDB" %} To install MongoDB with Helm, use the following command:

helm install mongodb bitnami/mongodb --set auth.rootPassword=r00t

Configuring the connection MongoBD

To configure the connection to MongoDB, complete any of the following steps:

• Provide the MongoDB URI. For more information about the MongoDB URI, go to Connection Strings.

Parameter	Description	Default
mongo.uri	Mongo URI	null

• Provide a mongo.servers raw definition with mongo.dbname and an authentication configuration:

mongo:
  servers: |
    - host: mongo1
      port: 27017
    - host: mongo2
      port: 27017
  dbname: gravitee
  auth:
    enabled: false
    username:
    password:

• Define the following configuration options:

Parameter	Description	Default
mongo.rsEnabled	Whether Mongo replicaset is enabled or not	true
mongo.rs	Mongo replicaset name	rs0
mongo.dbhost	Mongo host address	mongo-mongodb-replicaset
mongo.dbport	Mongo host port	27017
mongo.dbname	Mongo DB name	gravitee
mongo.auth.enabled	Enable Mongo DB authentication	false
mongo.auth.username	Mongo DB username	null
mongo.auth.password	Mongo DB password	null

Other keys

Parameter	Description	Default
mongo.sslEnabled	Enable SSL connection to MongoDB	false
mongo.socketKeepAlive	Enable keep alive for socket	false

Mongo replica set

{% hint style="warning" %} Use the mongodb-replicaset for only testing purposes and running locally. {% endhint %}

Parameter	Description	Default
mongodb-replicaset.enabled	Enable deployment of Mongo replicaset	false

{% hint style="warning" %} You may encounter issues while running this Helm chart on Apple Silicon M1. If you want to deploy MongoDB on M1, use another Helm chart. For more information, go to Support for ARM64 architecture in Bitnami container images. {% endhint %} {% endtab %}

{% tab title="PostgreSQL" %} To install a new PostgresSQL database using JDBC, complete the following steps:

1. Update the username, password, and databasename parameters
2. Run the following command:

helm install --set postgresqlUsername=postgres --set postgresqlPassword=P@ssw0rd
--set postgresqlDatabase=graviteeapim postgres-apim bitnami/postgresql

3. Verify that the PostgreSQL pod works using the following command:

kubectl get pods

If the PostgresSQL is running correctly, you see an output similar to the following output:

{% code title="Expected output" %}

NAME                                      READY   UP-TO-DATE   AVAILABLE   AGE
postgres-apim-postgresql-0                1/1     Running      0           98s

{% endcode %}

4. Modify the values.yml the following content to use the username, password, URL, and database name that is specific to your instance:

jdbc:
  driver: https://jdbc.postgresql.org/download/postgresql-42.2.23.jar
  url: jdbc:postgresql://postgres-apim-postgresql:5432/graviteeapim
  username: postgres
  password: P@ssw0rd
management:
  type: jdbc

{% endtab %}

{% tab title="Elasticsearch" %}

Parameter	Description	Default
es.security.enabled	Elasticsearch username and password enabled	false
es.security.username	Elasticsearch username	example
es.security.password	Elasticsearch password	example
es.tls.enabled	Elasticsearch TLS enabled	false
es.tls.keystore.type	Elasticsearch TLS keystore type (jks, pem or pfx)	null
es.tls.keystore.path	Elasticsearch TLS keystore path (jks, pfx)	null
es.tls.keystore.password	Elasticsearch TLS keystore password (jks, pfx)	null
es.tls.keystore.certs	Elasticsearch TLS certs (only pems)	null
es.tls.keystore.keys	Elasticsearch TLS keys (only pems)	null
es.index	Elasticsearch index	gravitee
es.endpoints	Elasticsearch endpoint array	[http://elastic-elasticsearch-client.default.svc.cluster.local:9200]

Elasticsearch Cluster

Parameter	Description	Default
elasticsearch.enabled	Enable deployment of Elasticsearch cluster	false

See Elasticsearch for detailed documentation on optional Helm Chart requirements.

{% hint style="warning" %} The Elasticsearch installed by Gravitee is NOT recommended in production. It is for testing purposes and running APIM locally. {% endhint %} {% endtab %}

{% tab title="Redis" %}

1. To install Redis, use the following command:

helm install --set auth.password=p@ssw0rd redis-apim bitnami/redis

For more information about Redis, go to Redis.

2. Check that Redis pod works using the following command:

kubectl get pods

If the Redis pod is working correctly, you see an output similar to the following output:

{% code title="Expected output" %}

NAME                    READY   STATUS    RESTARTS   AGE
redis-apim-master-0     1/1     Running   0          105s
redis-apim-replicas-0   1/1     Running   0          105s
redis-apim-replicas-1   1/1     Running   0          68s
redis-apim-replicas-2   1/1     Running   0          40s

{% endcode %}

3. To use Redis for rate limit policy, add the following information to the values.yml file:

ratelimit:
  type: redis
gateway:
  ratelimit:
    redis:
      host: redis-apim-master
      port: 6379
      password: p@ssw0rd
      ssl: false

• Replace host, port, and password with details specific to your instance.

4. (optional) Enable ssl by setting ssl to true.
5. (optional) To connect to a Sentinel cluster, specify the master and the nodes.

gateway:
  ratelimit:
      password: p@ssw0rd
      ssl: false
      sentinel:
        master: redis-master
        nodes:
          - host: sentinel1
            port: 26379
          - host: sentinel2
            port: 26379

Other Keys

Parameter	Description	Default
gateway.ratelimit.redis.ssl	Enable SSL connection to Redis	false
gateway.ratelimit.redis.password	Redis password	false
{% endtab %}
{% endtabs %}

Gravitee parameters

The following tables lists the available configuration parameters for these components:

• Gravitee UI
• Gravitee API
• Gravitee Gateway
• Alert Engine.

{% tabs %} {% tab title="Gravitee UI" %}

Parameter	Description	Default
ui.name	UI service name	ui
ui.baseURL	Base URL to access to the Management API (if set to null, defaults to Management API ingress value)	[apim.example.com]/management
ui.title	UI Portal title (if set to null, retrieved from the management repository)	API Portal
ui.managementTitle	UI Management title (if set to null, retrieved from the management repository)	API Management
ui.documentationLink	UI link to documentation (if set to null, retrieved from the management repository)	http://docs.gravitee.io/
ui.portal.apikeyHeader	API key header name (if set to null, retrieved from the management repository)	X-Gravitee-Api-Key
ui.portal.devMode.enabled	Whether to enable developer mode (if set to null, retrieved from the management repository)	false
ui.portal.userCreation.enabled	Whether to enable user creation (if set to null, retrieved from the management repository)	false
ui.portal.support.enabled	Whether to enable support features (if set to null, retrieved from the management repository)	true
ui.portal.rating.enabled	Whether to enable API rating (if set to null, retrieved from the management repository)	false
ui.portal.analytics.enabled	Whether to enable analytics features (if set to null, retrieved from the management repository)	false
ui.portal.analytics.trackingId	Tracking ID used for analytics (if set to null, retrieved from the management repository)	""
ui.replicaCount	How many replicas of the UI pod	1
ui.image.repository	Gravitee UI image repository	graviteeio/management-ui
ui.image.tag	Gravitee UI image tag	1.29.5
ui.image.pullPolicy	K8s image pull policy	Always
ui.image.pullSecrets	K8s image pull Secrets, used to pull both Gravitee UI image and extraInitContainers	null
ui.autoscaling.enabled	Whether auto-scaling is enabled or not	true
ui.autoscaling.minReplicas	If ui.autoscaling.enabled is true, what’s the minimum number of replicas	2
ui.autoscaling.maxReplicas	If ui.autoscaling.enabled is true, what’s the maximum number of replicas	3
ui.autoscaling.targetAverageUtilization	If ui.autoscaling.enabled what’s the average target utilization (in %) before it auto-scale	50
ui.service.name	UI service name	nginx
ui.service.type	K8s publishing service type	ClusterIP
ui.service.externalPort	K8s UI service external port	8082
ui.service.internalPort	K8s UI service internal port (container)	80
ui.service.internalPortName	K8s UI service internal port name (container)	http
ui.ingress.enabled	Whether Ingress is enabled or not	true
ui.ingress.hosts	If ui.ingress.enabled is enabled, set possible ingress hosts	[apim.example.com]
ui.ingress.annotations	Supported Ingress annotations to configure ingress controller	[kubernetes.io/ingress.class: nginx, kubernetes.io/app-root: /management, kubernetes.io/rewrite-target: /management, ingress.kubernetes.io/configuration-snippet: "etag on;\nproxy_pass_header ETag;\n"]
ui.ingress.tls.hosts	Ingress TLS termination	[apim.example.com]
ui.ingress.tls.secretName	Ingress TLS K8s Secret name containing the TLS private key and certificate	api-custom-cert
ui.resources.limits.cpu	K8s pod deployment limits definition for CPU	100m
ui.resources.limits.memory	K8s pod deployment limits definition for memory	128Mi
ui.resources.requests.cpu	K8s pod deployment requests definition for CPU	50m
ui.resources.requests.memory	K8s pod deployment requests definition for memory	64Mi
ui.lifecycle.postStart	K8s pod deployment postStart command definition	null
ui.lifecycle.preStop	K8s pod deployment preStop command definition	null
{% endtab %}

{% tab title="Gravitee API" %}

Parameter	Description	Default
api.name	API service name	api
api.logging.debug	Whether to enable API debug logging or not	false
api.logging.graviteeLevel	Logging level for Gravitee classes	DEBUG
api.logging.jettyLevel	Logging level for Jetty classes	INFO
api.logging.stdout.encoderPattern	Logback standard output encoder pattern	%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n
api.logging.file.enabled	Whether to enable file logging or not	true
api.logging.file.rollingPolicy	Logback file rolling policy configuration	TimeBasedRollingPolicy for 30 days
api.logging.file.encoderPattern	Logback file encoder pattern	%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n
api.logging.additionalLoggers	List of additional logback loggers. Each logger is defined by a name and level (TRACE, DEBUG, INFO, WARN, or ERROR)	empty
api.ssl.enabled	API exposition through HTTPS protocol activation	false
api.ssl.keystore.type	Keystore type for API exposition through HTTPS protocol	jks
api.ssl.keystore.path	Keystore path for API exposition through HTTPS protocol	null
api.ssl.keystore.password	Keystore password for API exposition through HTTPS protocol	null
api.ssl.truststore.type	Truststore type for client authentication through 2 way TLS	jks
api.ssl.truststore.path	Truststore path for client authentication through 2 way TLS	null
api.ssl.truststore.password	Truststore password for client authentication through 2 way TLS	null
api.http.services.core.http.authentication.password	HTTP core service authentication password	adminadmin
api.http.services.core.http.port	HTTP core service port exposed in container	18083
api.http.services.core.http.host	HTTP core service bind IP or host inside container (0.0.0.0 for exposure on every interfaces)	localhost
api.http.services.core.http.authentication.password	HTTP core service authentication password	adminadmin
api.http.services.core.http.ingress.enabled	Ingress for HTTP core service authentication (requires api.http.services.core.service.enabled to be true)	false
api.http.services.core.http.ingress.path	The ingress path which should match for incoming requests to the management technical API.	/management/_(.*)
api.http.services.core.http.ingress.hosts	If api.ingress.enabled is enabled, set possible ingress hosts	[apim.example.com]
api.http.services.core.http.ingress.annotations	Supported Ingress annotations to configure ingress controller	[kubernetes.io/ingress.class: nginx, nginx.ingress.kubernetes.io/rewrite-target: /_$1]
api.http.services.core.http.ingress.tls.hosts	Ingress TLS termination	[apim.example.com]
api.http.services.core.http.ingress.tls.secretName	Ingress TLS K8s Secret name containing the TLS private key and certificate	api-custom-cert
api.http.services.core.http.service.enabled	Whether a service is added or not for technical API	false
api.http.services.core.http.service.externalPort	K8s service external port (internal port is defined by api.http.services.core.http.port )	18083
api.http.api.entrypoint	Listening path for the API	/management
api.http.client.timeout	HTTP client global timeout	10000
api.http.client.proxy.type	HTTP client proxy type	HTTP
api.http.client.proxy.http.host	HTTP client proxy host for HTTP protocol	localhost
api.http.client.proxy.http.port	HTTP client proxy port for HTTP protocol	3128
api.http.client.proxy.http.username	HTTP client proxy username for HTTP protocol	null
api.http.client.proxy.http.password	HTTP client proxy password for HTTP protocol	null
api.http.client.proxy.https.host	HTTP client proxy host for HTTPS protocol	localhost
api.http.client.proxy.https.port	HTTP client proxy port for HTTPS protocol	3128
api.http.client.proxy.https.username	HTTP client proxy username for HTTPS protocol	null
api.http.client.proxy.https.password	HTTP client proxy password for HTTPS protocol	null
api.user.login.defaultApplication	Whether to enable default application creation on first user authentication	true
api.user.anonymizeOnDelete	Whether to enable user anonymization on deletion	false
api.supportEnabled	Whether to enable support feature	true
api.ratingEnabled	Whether to enable API rating feature	true
smtp.enabled	Email sending activation	true
smtp.host	SMTP server host	smtp.example.com
smtp.port	SMTP server port	25
smtp.from	Email sending address	info@example.com
smtp.username	SMTP server username	info@example.com
smtp.password	SMTP server password	example.com
smtp.subject	Email subjects template	[gravitee] %s
smtp.auth	SMTP server authentication activation	true
smtp.starttlsEnable	SMTP server TLS activation	false
smtp.localhost	Hostname that is resolvable by the SMTP server	null
api.portalURL	The portal URL used in emails	https://{{ index .Values.ui.ingress.hosts 0 }}
api.restartPolicy	Policy to restart K8 pod	OnFailure
api.updateStrategy.type	K8s deployment strategy type	RollingUpdate
api.updateStrategy.rollingUpdate.maxUnavailable	If api.updateStrategy.type is set to RollingUpdate, you must set a value here or your deployment can default to 100% unavailability. The deployment controller will stop the bad rollout automatically and will stop scaling up the new replica set. This depends on the rollingUpdate parameters (specifically on maxUnavailable) that you have specified. By default, Kubernetes sets the value to 1 and sets spec.replicas to 1, so if you don’t set those parameters, your deployment can have 100% unavailability by default!	1
api.replicaCount	How many replicas for the API pod	1
api.image.repository	Gravitee API image repository	graviteeio/management-api
api.image.tag	Gravitee API image tag	1.29.5
api.image.pullPolicy	K8s image pull policy	Always
api.image.pullSecrets	K8s image pull Secrets, used to pull both Gravitee Management API image and extraInitContainers	null
api.env	Environment variables, defined as a list of name and value as specified in Kubernetes documentation	null
api.service.type	K8s publishing service type	ClusterIP
api.service.externalPort	K8s service external port	83
api.service.internalPort	K8s service internal port (container)	8083
api.service.internalPortName	K8s service internal port name (container)	http
api.autoscaling.enabled	Whether auto-scaling is enabled or not	true
api.autoscaling.minReplicas	If api.autoscaling.enabled is true, what’s the minimum number of replicas	2
api.autoscaling.maxReplicas	If api.autoscaling.enabled is true, what’s the maximum number of replicas	3
api.autoscaling.targetAverageUtilization	If api.autoscaling.enabled what’s the average target utilization (in %) before it auto-scale	50
api.ingress.enabled	Whether Ingress is enabled or not	true
api.ingress.path	The ingress path which should match for incoming requests to the Management API.	/management
api.ingress.hosts	If api.ingress.enabled is enabled, set possible ingress hosts	[apim.example.com]
api.ingress.annotations	Supported Ingress annotations to configure ingress controller	[kubernetes.io/ingress.class: nginx, ingress.kubernetes.io/configuration-snippet: "etag on;\nproxy_pass_header ETag;\nproxy_set_header if-match \"\";\n"]
api.ingress.tls.hosts	Ingress TLS termination	[apim.example.com]
api.ingress.tls.secretName	Ingress TLS K8s Secret name containing the TLS private key and certificate	api-custom-cert
api.ingress.management.scheme	Whether to use HTTP or HTTPS to communicate with Management API, defaults to https	https
api.ingress.portal.scheme	Whether to use HTTP or HTTPS to communicate with Management API, defaults to https	https
api.resources.limits.cpu	K8s pod deployment limits definition for CPU	500m
api.resources.limits.memory	K8s pod deployment limits definition for memory	1024Mi
api.resources.requests.cpu	K8s pod deployment requests definition for CPU	200m
api.resources.requests.memory	K8s pod deployment requests definition for memory	512Mi
api.lifecycle.postStart	K8s pod deployment postStart command definition	null
api.lifecycle.preStop	K8s pod deployment preStop command definition	null
{% endtab %}

{% tab title="Gravitee Gateway" %}

Parameter	Description	Default
gateway.name	Gateway service name	gateway
gateway.logging.debug	Whether to enable Gateway debug logging or not	false
api.logging.additionalLoggers	List of additional logback loggers. Each logger is defined by a name and level (TRACE, DEBUG, INFO, WARN, or ERROR)	empty
gateway.ssl.enabled	API exposition through HTTPS protocol activation	false
gateway.ssl.keystore.type	Keystore type for API exposition through HTTPS protocol	jks
gateway.ssl.keystore.path	Keystore path for API exposition through HTTPS protocol	null
gateway.ssl.keystore.password	Keystore password for API exposition through HTTPS protocol	null
gateway.ssl.clientAuth	Client authentication through 2 way TLS activation	false
gateway.ssl.truststore.type	Truststore type for client authentication through 2 way TLS	jks
gateway.ssl.truststore.path	Truststore path for client authentication through 2 way TLS	null
gateway.ssl.truststore.password	Truststore password for client authentication through 2 way TLS	null
gateway.logging.graviteeLevel	Logging level for Gravitee classes	DEBUG
gateway.logging.jettyLevel	Logging level for Jetty classes	INFO
gateway.logging.stdout.encoderPattern	Logback standard output encoder pattern	%d{HH:mm:ss.SSS} [%thread] [%X{api}] %-5level %logger{36} - %msg%n
gateway.logging.file.enabled	Whether to enable file logging or not	true
gateway.logging.file.rollingPolicy	Logback file rolling policy configuration	TimeBasedRollingPolicy for 30 days
gateway.logging.file.encoderPattern	Logback file encoder pattern	%d{HH:mm:ss.SSS} [%thread] [%X{api}] %-5level %logger{36} - %msg%n
gateway.type	Gateway deployment type: deployment or statefulSet	deployment
gateway.replicaCount	How many replicas of the Gateway pod	2
gateway.image.repository	Gravitee Gateway image repository	graviteeio/gateway
gateway.image.tag	Gravitee Gateway image tag	1.29.5
gateway.image.pullPolicy	K8s image pull policy	Always
gateway.image.pullSecrets	K8s image pull Secrets, used to pull both Gravitee Gateway image and extraInitContainers	null
gateway.env	Environment variables, defined as a list of name and value as specified in Kubernetes documentation	null
gateway.service.type	K8s publishing service type	ClusterIP
gateway.service.externalPort	K8s Gateway service external port	82
gateway.service.internalPort	K8s Gateway service internal port (container)	8082
gateway.service.internalPortName	K8s Gateway service internal port name (container)	http
gateway.autoscaling.enabled	Whether auto-scaling is enabled or not	true
gateway.autoscaling.minReplicas	If gateway.autoscaling.enabled is true, what’s the minimum number of replicas	2
gateway.autoscaling.maxReplicas	If gateway.autoscaling.enabled is true, what’s the maximum number of replicas	3
gateway.autoscaling.targetAverageUtilization	If gateway.autoscaling.enabled what’s the average target utilization (in %) before it auto-scale	50
gateway.websocket	Whether websocket protocol is enabled or not	false
gateway.apiKey.header	Header used for the API Key. Set an empty value to prohibit its use.	X-Gravitee-Api-Key
gateway.apiKey.param	Query parameter used for the API Key. Set an empty value to prohibit its use.	api-key
gateway.sharding_tags	Sharding tags (comma separated list)	``
gateway.ingress.enabled	Whether Ingress is enabled or not	true
gateway.ingress.path	The ingress path which should match for incoming requests to the Gateway.	/gateway
gateway.ingress.hosts	If gateway.ingress.enabled is enabled, set possible ingress hosts	[apim.example.com]
gateway.ingress.annotations	Supported Ingress annotations to configure ingress controller	[kubernetes.io/ingress.class: nginx, nginx.ingress.kubernetes.io/ssl-redirect: "false", nginx.ingress.kubernetes.io/enable-rewrite-log: "true", kubernetes.io/app-root: /gateway, kubernetes.io/rewrite-target: /gateway]
gateway.ingress.tls.hosts	Ingress TLS termination	[apim.example.com]
gateway.ingress.tls.secretName	Ingress TLS K8s Secret name containing the TLS private key and certificate	api-custom-cert
gateway.resources.limits.cpu	K8s pod deployment limits definition for CPU	500m
gateway.resources.limits.memory	K8s pod deployment limits definition for memory	512Mi
gateway.resources.requests.cpu	K8s pod deployment requests definition for CPU	200m
gateway.resources.requests.memory	K8s pod deployment requests definition for memory	256Mi
gateway.lifecycle.postStart	K8s pod deployment postStart command definition	null
gateway.lifecycle.preStop	K8s pod deployment preStop command definition	null
{% endtab %}

{% tab title="Alert Engine" %}

Parameter	Description	Default
alerts.enabled	Enables AE connectivity	true
alerts.endpoints	Defines AE endpoints	- http://localhost:8072/
alerts.security.enabled	Enables AE secure connectivity	false
alerts.security.username	The AE username	"admin"
alerts.security.password	The AE password	"password"
alerts.options.sendEventsOnHttp	Send event on http to AE (websocket otherwise)	true
alerts.options.useSystemProxy	Use system proxy to connect to AE	false
alerts.options.connectTimeout	AE connection timeout	2000
alerts.options.idleTimeout	AE idleTimeout timeout	120000
alerts.options.keepAlive	Keep the connection alive	true
alerts.options.pipelining	Enables event pipelining	true
alerts.options.tryCompression	Enables event compression	true
alerts.options.maxPoolSize	Set the maximum numner of connection	50
alerts.options.bulkEventsSize	Send events by packets	100
alerts.options.bulkEventsWait	Duration for events to be ready to be sent	100
alerts.options.ssl.trustall	Ssl trust all	false
alerts.options.ssl.keystore.type	Type of the keystore (jks, pkcs12, pem)	null
alerts.options.ssl.keystore.path	Path to the keystore	null
alerts.options.ssl.keystore.password	Path to the keystore	null
alerts.options.ssl.keystore.certs	Keystore cert paths (array, only for pem)	null
alerts.options.ssl.keystore.keys	Keystore key paths (array, only for pem)	null
alerts.options.ssl.truststore.type	Type of the truststore	null
alerts.options.ssl.truststore.path	Path to the truststore	null
alerts.options.ssl.truststore.password	Password of the truststore	null
alerts.engines.<cluster-name>.endpoints	Defines AE endpoints on the cluster <cluster-name>	- http://localhost:8072/
alerts.engines.<cluster-name>.security.username	The AE username on the cluster <cluster-name>	"admin"
alerts.engines.<cluster-name>.security.password	The AE password on the cluster <cluster-name>	"password"
alerts.engines.<cluster-name>.ssl.trustall	Ssl trust all on the cluster <cluster-name>	false
alerts.engines.<cluster-name>.ssl.keystore.type	Type of the keystore (jks, pkcs12, pem) on the cluster <cluster-name>	null
alerts.engines.<cluster-name>.ssl.keystore.path	Path to the keystore (jks, pkcs12, pem) on the cluster <cluster-name>	null
alerts.engines.<cluster-name>.ssl.keystore.password	Path to the keystore on the cluster <cluster-name>	null
alerts.engines.<cluster-name>.ssl.keystore.certs	Keystore cert paths (array, only for pem) on the cluster <cluster-name>	null
alerts.engines.<cluster-name>.ssl.keystore.keys	Keystore key paths (array, only for pem) on the cluster <cluster-name>	null
alerts.engines.<cluster-name>.ssl.truststore.type	Type of the truststore on the cluster <cluster-name>	null
alerts.engines.<cluster-name>.ssl.truststore.path	Path to the truststore on the cluster <cluster-name>	null
alerts.engines.<cluster-name>.ssl.truststore.password	Password of the truststore on the cluster <cluster-name>	null
{% endtab %}
{% endtabs %}

Federation

Federation is a new capability that was released with APIM 4.4.

Federation is deactivated by default in the default Helm values. To activate Federation, set enabled = true like the following example:

federation:
    enabled: true
    port: 8072
    ingress:
      enabled: true
      ingressClassName: ""
      path: /integration-controller(/.*)?
      pathType: Prefix
#      hosts:
#        - apim.example.com
      annotations:
        kubernetes.io/ingress.class: nginx
        nginx.ingress.kubernetes.io/proxy-read-timeout: 3600                                                                                                                                              
        nginx.ingress.kubernetes.io/proxy-send-timeout: 3600
        nginx.ingress.kubernetes.io/rewrite-target: /$1
#      tls:
#        - hosts:
#            - apim.example.com
#          secretName: api-custom-cert
    service:
      externalPort: 72  

When this flag is set to enabled, it has the following impacts:

• APIM cluster mode is activated. Federation can work correctly in a highly available APIM deployment. Also, Hazelcast is configured and runs in memory as a library inside APIM.
• The default ingress used is the host used for the management API. Here is the default path: /integration-controller. The default ingress can be overridden n the federation ingress section with a dedicated host for the integration controller.

If you run a single replica of APIM, you can deactivate cluster mode by specifying the following environment variables and values:

api:
  env: 
    - name: GRAVITEE_CLUSTER_TYPE
      value: standalone
    - name: GRAVITEE_CACHE_TYPE
      value: standalone

OpenShift

{% hint style="warning" %} The Gravitee API Management Helm chart is compatible with only OpenShift versions 3.10 and later. {% endhint %}

When deploying APIM within OpenShift, you must complete the following actions:

• Use the full host domain instead of paths for all components.
• Override the security context to let OpenShift automatically define the user-id and group-id you use to run the containers.
• For Openshift to automatically create Routes from the Ingress, define the ingressClassName as none. Here is a standard values.yaml used to deploy APIM into OpenShift:

{% code title="values.yml" %}

api:
  ingress:
    management:
      ingressClassName: none
      path: /management
      hosts:
        - api-graviteeio.apps.openshift-test.l8e4.p1.openshiftapps.com
      annotations:
        route.openshift.io/termination: edge
    portal:
      ingressClassName: none
      path: /portal
      hosts:
        - api-graviteeio.apps.openshift-test.l8e4.p1.openshiftapps.com
      annotations:
        route.openshift.io/termination: edge
  deployment:
    securityContext:
      runAsUser: null
      runAsGroup: 1000
      runAsNonRoot: true
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
      seccompProfile:
        type: RuntimeDefault

gateway:
  ingress:
    ingressClassName: none
    path: /
    hosts:
      - gw-graviteeio.apps.openshift-test.l8e4.p1.openshiftapps.com
    annotations:
      route.openshift.io/termination: edge
  deployment:
    securityContext:
      runAsUser: null
      runAsGroup: 1000
      runAsNonRoot: true
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
      seccompProfile:
        type: RuntimeDefault

portal:
  ingress:
    ingressClassName: none
    path: /
    hosts:
      - portal-graviteeio.apps.openshift-test.l8e4.p1.openshiftapps.com
    annotations:
      route.openshift.io/termination: edge
  securityContext: null
  deployment:
    securityContext:
      runAsUser: null
      runAsGroup: null
      runAsNonRoot: true
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
      seccompProfile:
        type: RuntimeDefault

ui:
  ingress:
    ingressClassName: none
    path: /
    hosts:
      - console-graviteeio.apps.openshift-test.l8e4.p1.openshiftapps.com
    annotations:
      route.openshift.io/termination: edge
  securityContext: null
  deployment:
    securityContext:
      runAsUser: null
      runAsGroup: null
      runAsNonRoot: true
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
      seccompProfile:
        type: RuntimeDefault

{% endcode %}

By setting runAsUser to null, OpenShift is forced to define the correct values when deploying the Helm chart.

Licenses

Enterprise plugins require a license in APIM.

To define a license, enter the license.key value in the values.yml file, and then add the Helm argument --set license.key=<license.key in base64>.

{% hint style="info" %} The license.key value you enter must be encoded in base64:

• Linux: base64 -w 0 license.key
• macOS: base64 license.key {% endhint %}

$ export GRAVITEESOURCE_LICENSE_B64="$(base64 -w 0 license.key)"
$ helm install \
  --set license.key=${GRAVITEESOURCE_LICENSE_B64} \
  --create-namespace --namespace gravitee-apim \
  graviteeio-apim3x \
  graviteeio/apim3

Parameter	Description	Default
license.key	string	license.key file encoded in base64

	APIM Helm Install and Configuration		Broken link
	Architecture Overview		Broken link