From 906e95a8dabfb09eb039788a5d93ac8b7660a020 Mon Sep 17 00:00:00 2001
From: Pubudu Gunatilaka
Date: Mon, 25 Mar 2024 17:59:28 +0530
Subject: [PATCH 1/3] Add version upgrade related helm changes

---
 helm-charts/README.md | 653 ++++++++++--------
 helm-charts/Version-Upgrade.md | 3 +
 .../templates/crds/dp.wso2.com_apis.yaml | 3 +-
 .../config-ds-prometheus-jmx-configmap.yaml | 2 +
 .../adapter/gateway-class.yaml | 18 +
 ...common-controller-sts-shared-auth-key.yaml | 3 +
 .../prometheus-jmx-configmap.yaml | 4 +-
 .../idp-ds-prometheus-jmx-configmap.yaml | 2 +
 helm-charts/values.yaml.template | 5 +-
 helm-charts/version-upgrade-values.yaml | 48 ++
 10 files changed, 430 insertions(+), 311 deletions(-)
 create mode 100644 helm-charts/Version-Upgrade.md
 create mode 100644 helm-charts/version-upgrade-values.yaml

diff --git a/helm-charts/README.md b/helm-charts/README.md
index ea655f253..bd5e3c383 100644
--- a/helm-charts/README.md
+++ b/helm-charts/README.md
@@ -1,6 +1,6 @@
 # apk-helm
-![Version: 1.1.0-alpha](https://img.shields.io/badge/Version-1.1.0-alpha--informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square)
+![Version: 1.1.0-alpha](https://img.shields.io/badge/Version-1.1.0--alpha-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square)
 A Helm chart for APK components 
@@ -14,311 +14,350 @@ A Helm chart for APK components ## Values -| Key | Type | Default | Description | -|------------------------------------------------------------------------------------------|--------|-------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------| -| wso2.subscription.imagePullSecrets | string | `""` | Optionally specify image pull secrets. | -| wso2.apk.webhooks.validatingwebhookconfigurations | bool | `true` | | -| wso2.apk.webhooks.mutatingwebhookconfigurations | bool | `true` | | -| wso2.apk.auth.enabled | bool | `true` | Enable Service Account Creation | -| wso2.apk.auth.enableServiceAccountCreation | bool | `true` | Enable Service Account Creation | -| wso2.apk.auth.enableClusterRoleCreation | bool | `true` | Enable Cluster Role Creation | -| wso2.apk.auth.serviceAccountName | string | `"wso2apk-platform"` | Service Account name | -| wso2.apk.auth.roleName | string | `"wso2apk-role"` | Cluster Role name | -| wso2.apk.listener.hostname | string | `"api.am.wso2.com"` | System api listener hostname | -| wso2.apk.listener.port | int | `9095` | Gatewaylistener port | -| wso2.apk.listener.secretName | string | `"system-api-listener-cert"` | System api listener certificates. If you are using a custom certificate. | -| wso2.apk.idp.issuer | string | `"https://idp.am.wso2.com/token"` | IDP issuer value | -| wso2.apk.idp.usernameClaim | string | `"sub"` | | -| wso2.apk.idp.scopeClaim | string | `"scope"` | Optionally configure scope Claim in JWT. | -| wso2.apk.idp.organizationClaim | string | `"organization"` | Optionally configure organization Claim in JWT. | -| wso2.apk.idp.organizationResolver | string | `"none"` | Optionally configure organization Resolution method for APK (none)). 
| -| wso2.apk.idp.tls.configMapName | string | `""` | IDP public certificate configmap name | -| wso2.apk.idp.tls.secretName | string | `""` | IDP public certificate secret name | -| wso2.apk.idp.tls.fileName | string | `""` | IDP public certificate file name | -| wso2.apk.idp.signing.jwksEndpoint | string | `""` | IDP jwks endpoint (optional) | -| wso2.apk.idp.signing.configMapName | string | `""` | IDP jwt signing certificate configmap name | -| wso2.apk.idp.signing.secretName | string | `""` | IDP jwt signing certificate secret name | -| wso2.apk.idp.signing.fileName | string | `""` | IDP jwt signing certificate file name | -| wso2.apk.dp.enabled | bool | `true` | Enable the deployment of the Data Plane | -| wso2.apk.dp.environment.name | string | `Default` | Environment of the Data Plane | -| wso2.apk.dp.gatewayClass.name | string | `wso2-apk-default` | GatewayClass custom resource name | -| wso2.apk.dp.gateway.name | string | `wso2-apk-default` | Gateway custom resource name | -| wso2.apk.dp.gateway.httpListener.enabled | bool | `false` | HTTP listener enabled or not | -| wso2.apk.dp.gateway.httpListener.hostname | string | `"api.am.wso2.com"` | HTTP listener hostname | -| wso2.apk.dp.gateway.httpListener.port | int | `9080` | HTTP listener port | -| wso2.apk.dp.gateway.listener.hostname | string | `"gw.wso2.com"` | Gateway Listener Hostname | -| wso2.apk.dp.gateway.listener.secretName | string | `""` | Gateway Listener Certificate Secret Name | -| wso2.apk.dp.gateway.listener.dns | list | `["*.gw.wso2.com","*.sandbox.gw.wso2.com","prod.gw.wso2.com"]` | DNS entries for gateway listener certificate | -| wso2.apk.dp.gateway.autoscaling.enabled | bool | `false` | Enable autoscaling for Gateway | -| wso2.apk.dp.gateway.autoscaling.minReplicas | int | `1` | Minimum number of replicas for Gateway | -| wso2.apk.dp.gateway.autoscaling.maxReplicas | int | `2` | Maximum number of replicas for Gateway | -| wso2.apk.dp.gateway.autoscaling.targetMemory | int | `80` | 
Target memory utilization percentage for Gateway | -| wso2.apk.dp.gateway.autoscaling.targetCPU | int | `80` | Target CPU utilization percentage for Gateway | -| wso2.apk.dp.redis.type | string | `"single"` | Redis type | -| wso2.apk.dp.redis.url | string | `"redis-master:6379"` | Redis URL | -| wso2.apk.dp.redis.tls | bool | `false` | TLS enabled | -| wso2.apk.dp.redis.auth.certificatesSecret | string | `nil` | Redis ceritificate secret | -| wso2.apk.dp.redis.auth.secretKey | string | `nil` | Redis secret key | -| wso2.apk.dp.redis.poolSize | string | `nil` | Redis pool size | -| wso2.apk.dp.partitionServer.enabled | bool | `false` | Enable partition server for Data Plane. | -| wso2.apk.dp.partitionServer.host | string | `""` | Partition Server Service URL | -| wso2.apk.dp.partitionServer.serviceBasePath | string | `"/api/publisher/v1"` | Partition Server Service Base Path. | -| wso2.apk.dp.partitionServer.partitionName | string | `"default"` | Partition Name. | -| wso2.apk.dp.partitionServer.tls.secretName | string | `"managetment-server-cert"` | TLS secret name for Partition Server Public Certificate. | -| wso2.apk.dp.partitionServer.tls.fileName | string | `"certificate.crt"` | TLS certificate file name. | -| wso2.apk.dp.configdeployer.enabled | bool | `true` | | -| wso2.apk.dp.configdeployer.deployment.resources.requests.memory | string | `"128Mi"` | CPU request for the container | -| wso2.apk.dp.configdeployer.deployment.resources.requests.cpu | string | `"100m"` | Memory request for the container | -| wso2.apk.dp.configdeployer.deployment.resources.limits.memory | string | `"1028Mi"` | CPU limit for the container | -| wso2.apk.dp.configdeployer.deployment.resources.limits.cpu | string | `"1000m"` | Memory limit for the container | -| wso2.apk.dp.configdeployer.deployment.readinessProbe.initialDelaySeconds | int | `20` | Number of seconds after the container has started before liveness probes are initiated. 
| -| wso2.apk.dp.configdeployer.deployment.readinessProbe.periodSeconds | int | `20` | How often (in seconds) to perform the probe. | -| wso2.apk.dp.configdeployer.deployment.readinessProbe.failureThreshold | int | `5` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | -| wso2.apk.dp.configdeployer.deployment.livenessProbe.initialDelaySeconds | int | `20` | Number of seconds after the container has started before liveness probes are initiated. | -| wso2.apk.dp.configdeployer.deployment.livenessProbe.periodSeconds | int | `20` | How often (in seconds) to perform the probe. | -| wso2.apk.dp.configdeployer.deployment.livenessProbe.failureThreshold | int | `5` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | -| wso2.apk.dp.configdeployer.deployment.strategy | string | `"RollingUpdate"` | Deployment strategy | -| wso2.apk.dp.configdeployer.deployment.replicas | int | `1` | Number of replicas | -| wso2.apk.dp.configdeployer.deployment.imagePullPolicy | string | `"Always"` | Image pull policy | -| wso2.apk.dp.configdeployer.deployment.image | string | `"wso2/apk-config-deployer-service:1.1.0-alpha"` | Image | -| wso2.apk.dp.configdeployer.deployment.configs.authorization | bool | `true` | Enable authorization for runtime api. | -| wso2.apk.dp.configdeployer.deployment.configs.baseUrl | string | `"https://api.am.wso2.com:9095/api/runtime"` | Baseurl for runtime api. | -| wso2.apk.dp.configdeployer.deployment.configs.tls.secretName | string | `""` | TLS secret name for runtime public certificate. | -| wso2.apk.dp.configdeployer.deployment.configs.tls.certKeyFilename | string | `""` | TLS certificate file name. | -| wso2.apk.dp.configdeployer.deployment.configs.tls.certFilename | string | `""` | TLS certificate file name. 
| -| wso2.apk.dp.configdeployer.vhosts | list | `[{"hosts":["gw.wso2.com"],"name":"default","type":"production"},{"hosts":["sandbox.gw.wso2.com"],"name":"default","type":"sandbox"}]` | List of vhost | -| wso2.apk.dp.adapter.deployment.resources.requests.memory | string | `"128Mi"` | CPU request for the container | -| wso2.apk.dp.adapter.deployment.resources.requests.cpu | string | `"100m"` | Memory request for the container | -| wso2.apk.dp.adapter.deployment.resources.limits.memory | string | `"1028Mi"` | CPU limit for the container | -| wso2.apk.dp.adapter.deployment.resources.limits.cpu | string | `"1000m"` | Memory limit for the container | -| wso2.apk.dp.adapter.deployment.readinessProbe.initialDelaySeconds | int | `20` | Number of seconds after the container has started before liveness probes are initiated. | -| wso2.apk.dp.adapter.deployment.readinessProbe.periodSeconds | int | `20` | How often (in seconds) to perform the probe. | -| wso2.apk.dp.adapter.deployment.readinessProbe.failureThreshold | int | `5` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | -| wso2.apk.dp.adapter.deployment.livenessProbe.initialDelaySeconds | int | `20` | Number of seconds after the container has started before liveness probes are initiated. | -| wso2.apk.dp.adapter.deployment.livenessProbe.periodSeconds | int | `20` | How often (in seconds) to perform the probe. | -| wso2.apk.dp.adapter.deployment.livenessProbe.failureThreshold | int | `5` | Minimum consecutive failures for the probe to be considered failed after having succeeded. 
| -| wso2.apk.dp.adapter.deployment.strategy | string | `"RollingUpdate"` | Deployment strategy | -| wso2.apk.dp.adapter.deployment.replicas | int | `1` | Number of replicas | -| wso2.apk.dp.adapter.deployment.imagePullPolicy | string | `"Always"` | Image pull policy | -| wso2.apk.dp.adapter.deployment.image | string | `"wso2/apk-adapter:1.1.0-alpha"` | Image | -| wso2.apk.dp.adapter.deployment.security.sslHostname | string | `"adapter"` | Enable security for adapter. | -| wso2.apk.dp.adapter.deployment.configs.apiNamespaces | string | `nil` | Optionally configure namespaces to watch for apis. | -| wso2.apk.dp.adapter.deployment.configs.tls.secretName | string | `""` | TLS secret name for adapter public certificate. | -| wso2.apk.dp.adapter.deployment.configs.tls.certKeyFilename | string | `""` | TLS certificate file name. | -| wso2.apk.dp.adapter.deployment.configs.tls.certFilename | string | `""` | TLS certificate file name. | -| wso2.apk.dp.adapter.logging.level | string | `"INFO"` | Optionally configure logging for adapter. LogLevels can be "DEBG", "FATL", "ERRO", "WARN", "INFO", "PANC" | -| wso2.apk.dp.adapter.logging.logFile | string | `"logs/adapter.log"` | Log file name | -| wso2.apk.dp.adapter.logging.logFormat | string | `"TEXT"` | Log format can be "JSON", "TEXT" | -| wso2.apk.dp.commonController.deployment.resources.requests.memory | string | `"128Mi"` | Memory request for the container | -| wso2.apk.dp.commonController.deployment.resources.requests.cpu | string | `"100m"` | CPU request for the container | -| wso2.apk.dp.commonController.deployment.resources.limits.memory | string | `"1028Mi"` | Memory limit for the container | -| wso2.apk.dp.commonController.deployment.resources.limits.cpu | string | `"1000m"` | CPU limit for the container | -| wso2.apk.dp.commonController.deployment.readinessProbe.initialDelaySeconds | int | `20` | Number of seconds after the container has started before readinessProbe probes are initiated. 
| -| wso2.apk.dp.commonController.deployment.readinessProbe.periodSeconds | int | `20` | How often (in seconds) to perform the probe. | -| wso2.apk.dp.commonController.deployment.readinessProbe.failureThreshold | int | `5` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | -| wso2.apk.dp.commonController.deployment.livenessProbe.initialDelaySeconds | int | `20` | Number of seconds after the container has started before liveness probes are initiated. | -| wso2.apk.dp.commonController.deployment.livenessProbe.periodSeconds | int | `20` | How often (in seconds) to perform the probe. | -| wso2.apk.dp.commonController.deployment.livenessProbe.failureThreshold | int | `5` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | -| wso2.apk.dp.commonController.deployment.strategy | string | `"RollingUpdate"` | Deployment strategy | -| wso2.apk.dp.commonController.deployment.replicas | int | `1` | Number of replicas | -| wso2.apk.dp.commonController.deployment.imagePullPolicy | string | `"Always"` | Image pull policy | -| wso2.apk.dp.commonController.deployment.image | string | `"wso2/apk-common-controller:1.1.0-alpha"` | Image | -| wso2.apk.dp.commonController.deployment.security.sslHostname | string | `"commoncontroller"` | hostname for the common controller | -| wso2.apk.dp.commonController.deployment.configs.apiNamespaces | list | `["apk-v12"]` | Optionally configure namespaces to watch for apis,ratelimitpolicies,etc. 
| -| wso2.apk.dp.ratelimiter.enabled | bool | `true` | Enable the deployment of the Rate Limiter | -| wso2.apk.dp.ratelimiter.deployment.resources.requests.memory | string | `"128Mi"` | CPU request for the container | -| wso2.apk.dp.ratelimiter.deployment.resources.requests.cpu | string | `"100m"` | Memory request for the container | -| wso2.apk.dp.ratelimiter.deployment.resources.limits.memory | string | `"1028Mi"` | CPU limit for the container | -| wso2.apk.dp.ratelimiter.deployment.resources.limits.cpu | string | `"1000m"` | Memory limit for the container | -| wso2.apk.dp.ratelimiter.deployment.readinessProbe.initialDelaySeconds | int | `20` | Number of seconds after the container has started before liveness probes are initiated. | -| wso2.apk.dp.ratelimiter.deployment.readinessProbe.periodSeconds | int | `20` | How often (in seconds) to perform the probe. | -| wso2.apk.dp.ratelimiter.deployment.readinessProbe.failureThreshold | int | `5` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | -| wso2.apk.dp.ratelimiter.deployment.livenessProbe.initialDelaySeconds | int | `20` | Number of seconds after the container has started before liveness probes are initiated. | -| wso2.apk.dp.ratelimiter.deployment.livenessProbe.periodSeconds | int | `20` | How often (in seconds) to perform the probe. | -| wso2.apk.dp.ratelimiter.deployment.livenessProbe.failureThreshold | int | `5` | Minimum consecutive failures for the probe to be considered failed after having succeeded. 
| -| wso2.apk.dp.ratelimiter.deployment.strategy | string | `"RollingUpdate"` | Deployment strategy | -| wso2.apk.dp.ratelimiter.deployment.replicas | int | `1` | Number of replicas | -| wso2.apk.dp.ratelimiter.deployment.imagePullPolicy | string | `"Always"` | Image pull policy | -| wso2.apk.dp.ratelimiter.deployment.image | string | `"wso2/apk-ratelimiter:1.1.0-alpha"` | Image | -| wso2.apk.dp.ratelimiter.deployment.security.sslHostname | string | `"ratelimiter"` | hostname for the rate limiter | -| wso2.apk.dp.ratelimiter.deployment.configs.tls.secretName | string | `"ratelimiter-cert"` | TLS secret name for rate limiter public certificate. | -| wso2.apk.dp.ratelimiter.deployment.configs.tls.certKeyFilename | string | `""` | TLS certificate file name. | -| wso2.apk.dp.ratelimiter.deployment.configs.tls.certFilename | string | `""` | TLS certificate file name. | -| wso2.apk.dp.ratelimiter.deployment.configs.tls.certCAFilename | string | `""` | TLS CA certificate file name. | -| wso2.apk.dp.gatewayRuntime.service.annotations | object | `{"annotation1":"value1"}` | Gateway service related annotations. | -| wso2.apk.dp.gatewayRuntime.deployment.replicas | int | `1` | Number of replicas | -| wso2.apk.dp.gatewayRuntime.deployment.router.resources.requests.memory | string | `"128Mi"` | CPU request for the container | -| wso2.apk.dp.gatewayRuntime.deployment.router.resources.requests.cpu | string | `"100m"` | Memory request for the container | -| wso2.apk.dp.gatewayRuntime.deployment.router.resources.limits.memory | string | `"1028Mi"` | CPU limit for the container | -| wso2.apk.dp.gatewayRuntime.deployment.router.resources.limits.cpu | string | `"1000m"` | Memory limit for the container | -| wso2.apk.dp.gatewayRuntime.deployment.router.readinessProbe.initialDelaySeconds | int | `20` | Number of seconds after the container has started before liveness probes are initiated. 
| -| wso2.apk.dp.gatewayRuntime.deployment.router.readinessProbe.periodSeconds | int | `20` | How often (in seconds) to perform the probe. | -| wso2.apk.dp.gatewayRuntime.deployment.router.readinessProbe.failureThreshold | int | `5` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | -| wso2.apk.dp.gatewayRuntime.deployment.router.livenessProbe.initialDelaySeconds | int | `20` | Number of seconds after the container has started before liveness probes are initiated. | -| wso2.apk.dp.gatewayRuntime.deployment.router.livenessProbe.periodSeconds | int | `20` | How often (in seconds) to perform the probe. | -| wso2.apk.dp.gatewayRuntime.deployment.router.livenessProbe.failureThreshold | int | `5` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | -| wso2.apk.dp.gatewayRuntime.deployment.router.strategy | string | `"RollingUpdate"` | Deployment strategy | -| wso2.apk.dp.gatewayRuntime.deployment.router.imagePullPolicy | string | `"Always"` | Image pull policy | -| wso2.apk.dp.gatewayRuntime.deployment.router.image | string | `"wso2/apk-router:1.1.0-alpha"` | Image | -| wso2.apk.dp.gatewayRuntime.deployment.router.configs.enforcerResponseTimeoutInSeconds | int | `20` | The timeout for response coming from enforcer to route per API request | -| wso2.apk.dp.gatewayRuntime.deployment.router.configs.useRemoteAddress | bool | `false` | If configured true, router appends the immediate downstream ip address to the x-forward-for header | -| wso2.apk.dp.gatewayRuntime.deployment.router.configs.systemHost | string | `"localhost"` | System hostname for system API resources (eg: /testkey and /health) | -| wso2.apk.dp.gatewayRuntime.deployment.router.configs.tls.secretName | string | `"router-cert"` | TLS secret name for router public certificate. | -| wso2.apk.dp.gatewayRuntime.deployment.router.configs.tls.certKeyFilename | string | `""` | TLS certificate file name. 
| -| wso2.apk.dp.gatewayRuntime.deployment.router.configs.tls.certFilename | string | `""` | TLS certificate file name. | -| wso2.apk.dp.gatewayRuntime.deployment.router.configs.upstream.tls.verifyHostName | bool | `true` | Enable/Disable Verifying host name | -| wso2.apk.dp.gatewayRuntime.deployment.router.configs.upstream.tls.disableSslVerification | bool | `false` | Disable SSL verification | -| wso2.apk.dp.gatewayRuntime.deployment.router.configs.upstream.dns.dnsRefreshRate | int | `5000` | DNS refresh rate in miliseconds | -| wso2.apk.dp.gatewayRuntime.deployment.router.configs.upstream.dns.respectDNSTtl | bool | `false` | set cluster’s DNS refresh rate to resource record’s TTL which comes from DNS resolution | -| wso2.apk.dp.gatewayRuntime.deployment.router.configs.enableIntelligentRouting | bool | `false` | Enable/Disable Semantic Versioning based Intelligent Routing | -| wso2.apk.dp.gatewayRuntime.deployment.router.logging.wireLogs | object | `{"enable":true}` | Optionally configure logging for router. | -| wso2.apk.dp.gatewayRuntime.deployment.router.logging.wireLogs.enable | bool | `true` | Enable wire logs for router. | -| wso2.apk.dp.gatewayRuntime.deployment.router.logging.accessLogs.enable | bool | `true` | Enable access logs for router. 
| -| wso2.apk.dp.gatewayRuntime.deployment.router.logging.accessLogs.logfile | string | `"/tmp/envoy.access.log"` | Log file name | -| wso2.apk.dp.gatewayRuntime.deployment.enforcer.resources.requests.memory | string | `"128Mi"` | CPU request for the container | -| wso2.apk.dp.gatewayRuntime.deployment.enforcer.resources.requests.cpu | string | `"100m"` | Memory request for the container | -| wso2.apk.dp.gatewayRuntime.deployment.enforcer.resources.limits.memory | string | `"1028Mi"` | CPU limit for the container | -| wso2.apk.dp.gatewayRuntime.deployment.enforcer.resources.limits.cpu | string | `"1000m"` | Memory limit for the container | -| wso2.apk.dp.gatewayRuntime.deployment.enforcer.readinessProbe.initialDelaySeconds | int | `20` | Number of seconds after the container has started before liveness probes are initiated. | -| wso2.apk.dp.gatewayRuntime.deployment.enforcer.readinessProbe.periodSeconds | int | `20` | How often (in seconds) to perform the probe. | -| wso2.apk.dp.gatewayRuntime.deployment.enforcer.readinessProbe.failureThreshold | int | `5` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | -| wso2.apk.dp.gatewayRuntime.deployment.enforcer.livenessProbe.initialDelaySeconds | int | `20` | Number of seconds after the container has started before liveness probes are initiated. | -| wso2.apk.dp.gatewayRuntime.deployment.enforcer.livenessProbe.periodSeconds | int | `20` | How often (in seconds) to perform the probe. | -| wso2.apk.dp.gatewayRuntime.deployment.enforcer.livenessProbe.failureThreshold | int | `5` | Minimum consecutive failures for the probe to be considered failed after having succeeded. 
| -| wso2.apk.dp.gatewayRuntime.deployment.enforcer.strategy | string | `"RollingUpdate"` | Deployment strategy | -| wso2.apk.dp.gatewayRuntime.deployment.enforcer.imagePullPolicy | string | `"Always"` | Image pull policy | -| wso2.apk.dp.gatewayRuntime.deployment.enforcer.image | string | `"wso2/apk-enforcer:1.1.0-alpha"` | Image | -| wso2.apk.dp.gatewayRuntime.deployment.enforcer.security.sslHostname | string | `"enforcer"` | hostname for the enforcer | -| wso2.apk.dp.gatewayRuntime.deployment.enforcer.configs.tls.secretName | string | `""` | TLS secret name for enforcer public certificate. | -| wso2.apk.dp.gatewayRuntime.deployment.enforcer.configs.tls.certKeyFilename | string | `""` | TLS certificate file name. | -| wso2.apk.dp.gatewayRuntime.deployment.enforcer.configs.tls.certFilename | string | `""` | TLS certificate file name. | -| wso2.apk.dp.gatewayRuntime.deployment.enforcer.configs.mandateSubscriptionValidation | bool | `false` | Specifies whether subscription validation is mandated for all APIs. | -| wso2.apk.dp.gatewayRuntime.deployment.enforcer.configs.authService | object | `{"keepAliveTime":600,"maxHeaderLimit":8192,"maxMessageSize":1000000000,"threadPool":{"coreSize":400,"keepAliveTime":600,"maxSize":1000,"queueSize":2000}}` | The configurations of gRPC netty based server in Enforcer that handles the incoming requests from ext_authz | -| wso2.apk.dp.gatewayRuntime.deployment.enforcer.logging.level | string | `"DEBUG"` | Log level can be one of DEBUG, INFO, WARN, ERROR, OFF | -| wso2.apk.dp.gatewayRuntime.deployment.enforcer.logging.logFile | string | `"logs/enforcer.log"` | Log file name | -| wso2.apk.dp.gatewayRuntime.tracing.enabled | bool | `true` | Enable/Disable tracing in gateway runtime. | -| wso2.apk.dp.gatewayRuntime.tracing.type | string | `"zipkin"` | Type of tracer exporter (e.g: azure, zipkin). Use zipkin type for Jaeger as well. | -| wso2.apk.dp.gatewayRuntime.tracing.configProperties.host | string | `"jaeger"` | Jaeger/Zipkin host. 
| -| wso2.apk.dp.gatewayRuntime.tracing.configProperties.port | string | `"9411"` | Jaeger/Zipkin port. | -| wso2.apk.dp.gatewayRuntime.tracing.configProperties.endpoint | string | `"/api/v2/spans"` | Jaeger/Zipkin collector endpoint path. | -| wso2.apk.dp.gatewayRuntime.tracing.configProperties.instrumentationName | string | `"APK"` | Library Name to be tagged in traces (`otel.library.name`). | -| wso2.apk.dp.gatewayRuntime.tracing.configProperties.maximumTracesPerSecond | string | `"2"` | Maximum number of sampled traces per second string. | -| wso2.apk.dp.gatewayRuntime.tracing.configProperties.maxPathLength | string | `"256"` | Maximum length of the request path to extract and include in the HttpUrl tag. | -| wso2.apk.dp.gatewayRuntime.tracing.configProperties.connectionString | string | `"https://otlp.nr-data.net"` | New Relic OTLP gRPC collector endpoint. | -| wso2.apk.dp.gatewayRuntime.tracing.configProperties.authHeaderName | string | `"api-key"` | Auth header name. | -| wso2.apk.dp.gatewayRuntime.tracing.configProperties.authHeaderValue | string | `""` | Auth header value. | -| wso2.apk.dp.gatewayRuntime.tracing.configProperties.connectionTimeout | string | `"20"` | Connection timeout for the otlp service. | -| wso2.apk.dp.gatewayRuntime.tracing.configProperties.tls.enabled | bool | `true` | Enable/Disable TLS for the otlp service. | -| wso2.apk.dp.gatewayRuntime.tracing.configProperties.tls.secretName | string | `"ratelimiter-cert"` | TLS certificate file name. | -| wso2.apk.dp.gatewayRuntime.tracing.configProperties.tls.certFilename | string | `""` | TLS certificate file name. | -| wso2.apk.dp.gatewayRuntime.tracing.configProperties.tls.certCAFilename | string | `""` | TLS certificate file name. | -| wso2.apk.dp.gatewayRuntime.analytics.enabled | bool | `true` | Enable/Disable analytics in gateway runtime. | -| wso2.apk.dp.gatewayRuntime.analytics.type | string | `"Choreo"` | Type of analytics data publisher. Can be "Choreo" or "ELK". 
| -| wso2.apk.dp.gatewayRuntime.analytics.secretName | string | `"choreo-analytics-secret"` | Choreo analytics secret. | -| wso2.apk.dp.gatewayRuntime.analytics.logFileName | string | `"logs/enforcer_analytics.log"` | Optional: File name of the log file. | -| wso2.apk.dp.gatewayRuntime.analytics.logLevel | string | `"INFO"` | Optional: Log level the analytics data. Can be one of DEBUG, INFO, WARN, ERROR, OFF. | -| wso2.apk.dp.gatewayRuntime.analytics.receiver | object | `{"keepAliveTime":600,"maxHeaderLimit":8192,"maxMessageSize":1000000000,"threadPool":{"coreSize":10,"keepAliveTime":600,"maxSize":100,"queueSize":1000}}` | gRPC access log service within Enforcer | -| wso2.apk.dp.gatewayRuntime.analytics.receiver.maxMessageSize | int | `1000000000` | Maximum message size in bytes | -| wso2.apk.dp.gatewayRuntime.analytics.receiver.maxHeaderLimit | int | `8192` | Maximum header size in bytes | -| wso2.apk.dp.gatewayRuntime.analytics.receiver.keepAliveTime | int | `600` | Keep alive time of gRPC access log connection | -| wso2.apk.dp.gatewayRuntime.analytics.receiver.threadPool | object | `{"coreSize":10,"keepAliveTime":600,"maxSize":100,"queueSize":1000}` | Thread pool configuration for gRPC access log server | -| wso2.apk.dp.gatewayRuntime.analytics.receiver.threadPool.coreSize | int | `10` | Minimum number of workers to keep alive | -| wso2.apk.dp.gatewayRuntime.analytics.receiver.threadPool.maxSize | int | `100` | Maximum pool size | -| wso2.apk.dp.gatewayRuntime.analytics.receiver.threadPool.keepAliveTime | int | `600` | Timeout in seconds for idle threads waiting for work | -| wso2.apk.dp.gatewayRuntime.analytics.receiver.threadPool.queueSize | int | `1000` | Queue size of the worker threads | -| idp.enabled | bool | `true` | Enable Non production identity server | -| idp.listener.hostname | string | `"idp.am.wso2.com"` | identity server hostname | -| idp.listener.secretName | string | `"idp-tls"` | identity server certificate | -| idp.database.driver | string | 
`"org.postgresql.Driver"` | identity server database driver | -| idp.database.url | string | `"jdbc:postgresql://wso2apk-db-service:5432/WSO2AM_DB"` | identity server database url | -| idp.database.host | string | `"wso2apk-db-service"` | identity server database host | -| idp.database.port | int | `5432` | identity server database port | -| idp.database.databaseName | string | `"WSO2AM_DB"` | identity server database name | -| idp.database.username | string | `"wso2carbon"` | identity server database username | -| idp.database.secretName | string | `"apk-db-secret"` | identity server database password secret name | -| idp.database.secretKey | string | `"DB_PASSWORD"` | identity server database password secret key | -| idp.database.validationQuery | string | `"SELECT 1"` | identity server database validation query | -| idp.database.validationTimeout | int | `250` | identity server database validation timeout | -| idp.idpds.config.issuer | string | `"https://idp.am.wso2.com/token"` | identity server issuer url | -| idp.idpds.config.keyId | string | `"gateway_certificate_alias"` | identity server keyId | -| idp.idpds.config.hostname | string | `"idp.am.wso2.com"` | identity server hostname. 
| -| idp.idpds.config.loginPageURl | string | `"https://idp.am.wso2.com:9095/authenticationEndpoint/login"` | identity server login page url | -| idp.idpds.config.loginErrorPageUrl | string | `"https://idp.am.wso2.com:9095/authenticationEndpoint/error"` | identity server login error page url | -| idp.idpds.config.loginCallBackURl | string | `"https://idp.am.wso2.com:9095/authenticationEndpoint/login-callback"` | identity server login callback page url | -| idp.idpds.deployment.resources.requests.memory | string | `"128Mi"` | CPU request for the container | -| idp.idpds.deployment.resources.requests.cpu | string | `"100m"` | Memory request for the container | -| idp.idpds.deployment.resources.limits.memory | string | `"1028Mi"` | CPU limit for the container | -| idp.idpds.deployment.resources.limits.cpu | string | `"1000m"` | Memory limit for the container | -| idp.idpds.deployment.readinessProbe.initialDelaySeconds | int | `20` | Number of seconds after the container has started before liveness probes are initiated. | -| idp.idpds.deployment.readinessProbe.periodSeconds | int | `20` | How often (in seconds) to perform the probe. | -| idp.idpds.deployment.readinessProbe.failureThreshold | int | `5` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | -| idp.idpds.deployment.livenessProbe.initialDelaySeconds | int | `20` | Number of seconds after the container has started before liveness probes are initiated. | -| idp.idpds.deployment.livenessProbe.periodSeconds | int | `20` | How often (in seconds) to perform the probe. | -| idp.idpds.deployment.livenessProbe.failureThreshold | int | `5` | Minimum consecutive failures for the probe to be considered failed after having succeeded. 
| -| idp.idpds.deployment.strategy | string | `"RollingUpdate"` | Deployment strategy | -| idp.idpds.deployment.replicas | int | `1` | Number of replicas | -| idp.idpds.deployment.imagePullPolicy | string | `"Always"` | Image pull policy | -| idp.idpds.deployment.image | string | `"wso2/apk-idp-domain-service:1.1.0-alpha"` | Image | -| idp.idpui.deployment.resources.requests.memory | string | `"128Mi"` | CPU request for the container | -| idp.idpui.deployment.resources.requests.cpu | string | `"100m"` | Memory request for the container | -| idp.idpui.deployment.resources.limits.memory | string | `"1028Mi"` | CPU limit for the container | -| idp.idpui.deployment.resources.limits.cpu | string | `"1000m"` | Memory limit for the container | -| idp.idpui.deployment.readinessProbe.initialDelaySeconds | int | `20` | Number of seconds after the container has started before liveness probes are initiated. | -| idp.idpui.deployment.readinessProbe.periodSeconds | int | `20` | How often (in seconds) to perform the probe. | -| idp.idpui.deployment.readinessProbe.failureThreshold | int | `5` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | -| idp.idpui.deployment.livenessProbe.initialDelaySeconds | int | `20` | Number of seconds after the container has started before liveness probes are initiated. | -| idp.idpui.deployment.livenessProbe.periodSeconds | int | `20` | How often (in seconds) to perform the probe. | -| idp.idpui.deployment.livenessProbe.failureThreshold | int | `5` | Minimum consecutive failures for the probe to be considered failed after having succeeded. 
|
-| idp.idpui.deployment.strategy | string | `"RollingUpdate"` | Deployment strategy |
-| idp.idpui.deployment.replicas | int | `1` | Number of replicas |
-| idp.idpui.deployment.imagePullPolicy | string | `"Always"` | Image pull policy |
-| idp.idpui.deployment.image | string | `"wso2/apk-idp-ui:1.1.0-alpha"` | Image |
-| idp.idpui.configs.idpLoginUrl | string | `"https://idp.am.wso2.com:9095/commonauth/login"` | identity server Login URL |
-| idp.idpui.configs.idpAuthCallBackUrl | string | `"https://idp.am.wso2.com:9095/oauth2/auth-callback"` | identity server authCallBackUrl |
-| gatewaySystem.enabled | bool | `true` | Enable gateway system to install gateway system components |
-| gatewaySystem.enableServiceAccountCreation | bool | `true` | |
-| gatewaySystem.enableClusterRoleCreation | bool | `true` | |
-| gatewaySystem.serviceAccountName | string | `"gateway-api-admission"` | |
-| certmanager.enabled | bool | `true` | Enable certificate manager to generate certificates |
-| certmanager.enableClusterIssuer | bool | `true` | Enable cluster issuer to generate certificates |
-| certmanager.enableRootCa | bool | `true` | Enable root CA to generate certificates |
-| certmanager.rootCaSecretName | string | `"apk-root-certificate"` | Enable CA certificate secret name. 
|
-| certmanager.listeners.issuerName | string | `"selfsigned-issuer"` | Issuer name |
-| certmanager.listeners.issuerKind | string | `"ClusterIssuer"` | Issuer kind |
-| certmanager.servers.issuerName | string | `"selfsigned-issuer"` | Issuer name |
-| certmanager.servers.issuerKind | string | `"ClusterIssuer"` | Issuer kind |
-| postgresql.enabled | bool | `true` | Enable postgresql database |
-| postgresql.fullnameOverride | string | `"wso2apk-db-service"` | String to fully override common.names.fullname template |
-| postgresql.auth.database | string | `"WSO2AM_DB"` | Name for a custom database to create |
-| postgresql.auth.postgresPassword | string | `"wso2carbon"` | Password for the "postgres" admin user. Ignored if auth.existingSecret is provided |
-| postgresql.auth.username | string | `"wso2carbon"` | Name for a custom user to create |
-| postgresql.auth.password | string | `"wso2carbon"` | Password for the custom user to create. Ignored if auth.existingSecret is provided |
-| postgresql.primary.extendedConfiguration | string | `"max_connections = 400\n"` | Extended PostgreSQL Primary configuration (appended to main or default configuration) |
-| postgresql.primary.initdb.scriptsConfigMap | string | `"postgres-initdb-scripts-configmap"` | ConfigMap with PostgreSQL initialization scripts |
-| postgresql.primary.initdb.user | string | `"wso2carbon"` | Specify the PostgreSQL username to execute the initdb scripts |
-| postgresql.primary.initdb.password | string | `"wso2carbon"` | Specify the PostgreSQL password to execute the initdb scripts |
-| postgresql.primary.service.ports.postgresql | int | `5432` | PostgreSQL service port |
-| postgresql.primary.podSecurityContext.enabled | bool | `true` | Enable pod security context |
-| postgresql.primary.podSecurityContext.fsGroup | string | `nil` | Pod security context fsGroup |
-| postgresql.primary.podSecurityContext.runAsNonRoot | bool | `true` | Pod security context runAsNonRoot |
-| 
postgresql.primary.podSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | Pod security context seccomp profile type |
-| postgresql.primary.containerSecurityContext.enabled | bool | `true` | Enable container security context |
-| postgresql.primary.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | Container security context allow privilege escalation |
-| postgresql.primary.containerSecurityContext.capabilities.drop | list | `["ALL"]` | Container security context capabilities drop |
-| postgresql.primary.containerSecurityContext.runAsUser | string | `nil` | Container security context runAsUser |
-| redis.enabled | bool | `true` | Enable redis |
-| redis.architecture | string | `"standalone"` | Redis® architecture. Allowed values: standalone or replication. |
-| redis.fullnameOverride | string | `"redis"` | String to fully override common.names.fullname template |
-| redis.primary.service.ports.redis | int | `6379` | Redis service port |
-| redis.master.podSecurityContext.enabled | bool | `true` | Enable pod security context |
-| redis.master.podSecurityContext.fsGroup | string | `nil` | Pod security context fsGroup |
-| redis.master.podSecurityContext.runAsNonRoot | bool | `true` | Pod security context runAsNonRoot |
-| redis.master.podSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | Pod security context seccomp profile type |
-| redis.master.containerSecurityContext.enabled | bool | `true` | Enable container security context |
-| redis.master.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | Container security context allow privilege escalation |
-| redis.master.containerSecurityContext.capabilities.drop | list | `["ALL"]` | Container security context capabilities drop |
-| redis.master.containerSecurityContext.runAsUser | string | `nil` | Container security context runAsUser |
-| redis.auth.enabled | bool | `false` | Enable password authentication |
+| Key | Type | Default | Description | 
+|-----|------|---------|-------------|
+| wso2.subscription.imagePullSecrets | string | `""` | Optionally specify image pull secrets. |
+| wso2.apk.webhooks.validatingwebhookconfigurations | bool | `true` | |
+| wso2.apk.webhooks.mutatingwebhookconfigurations | bool | `true` | |
+| wso2.apk.auth.enabled | bool | `true` | Enable Service Account Creation |
+| wso2.apk.auth.enableServiceAccountCreation | bool | `true` | Enable Service Account Creation |
+| wso2.apk.auth.enableClusterRoleCreation | bool | `true` | Enable Cluster Role Creation |
+| wso2.apk.auth.serviceAccountName | string | `"wso2apk-platform"` | Service Account name |
+| wso2.apk.auth.roleName | string | `"wso2apk-role"` | Cluster Role name |
+| wso2.apk.listener.hostname | string | `"api.am.wso2.com"` | System api listener hostname |
+| wso2.apk.listener.port | int | `9095` | Gatewaylistener port |
+| wso2.apk.listener.secretName | string | `"system-api-listener-cert"` | System api listener certificates. If you are using a custom certificate. |
+| wso2.apk.idp.issuer | string | `"https://idp.am.wso2.com/token"` | IDP issuer value |
+| wso2.apk.idp.usernameClaim | string | `"sub"` | |
+| wso2.apk.idp.scopeClaim | string | `"scope"` | Optionally configure scope Claim in JWT. |
+| wso2.apk.idp.organizationClaim | string | `"organization"` | Optionally configure organization Claim in JWT. |
+| wso2.apk.idp.organizationResolver | string | `"none"` | Optionally configure organization Resolution method for APK (none)). 
|
+| wso2.apk.idp.tls.configMapName | string | `""` | IDP public certificate configmap name |
+| wso2.apk.idp.tls.secretName | string | `""` | IDP public certificate secret name |
+| wso2.apk.idp.tls.fileName | string | `""` | IDP public certificate file name |
+| wso2.apk.idp.signing.jwksEndpoint | string | `""` | IDP jwks endpoint (optional) |
+| wso2.apk.idp.signing.configMapName | string | `""` | IDP jwt signing certificate configmap name |
+| wso2.apk.idp.signing.secretName | string | `""` | IDP jwt signing certificate secret name |
+| wso2.apk.idp.signing.fileName | string | `""` | IDP jwt signing certificate file name |
+| wso2.apk.dp.enabled | bool | `true` | Enable the deployment of the Data Plane |
+| wso2.apk.dp.environment.name | string | `"Development"` | Environment Name of the Data Plane |
+| wso2.apk.dp.gatewayClass | object | `{"name":"wso2-apk-default"}` | GatewayClass custom resource name |
+| wso2.apk.dp.gateway.name | string | `"wso2-apk-default"` | Gateway custom resource name |
+| wso2.apk.dp.gateway.listener.hostname | string | `"gw.wso2.com"` | Gateway Listener Hostname |
+| wso2.apk.dp.gateway.listener.secretName | string | `""` | Gateway Listener Certificate Secret Name |
+| wso2.apk.dp.gateway.listener.dns | list | `["*.gw.wso2.com","*.sandbox.gw.wso2.com","prod.gw.wso2.com"]` | DNS entries for gateway listener certificate |
+| wso2.apk.dp.gateway.httpListener.enabled | bool | `false` | HTTP listener enabled or not |
+| wso2.apk.dp.gateway.httpListener.hostname | string | `"api.am.wso2.com"` | HTTP listener hostname |
+| wso2.apk.dp.gateway.httpListener.port | int | `9080` | HTTP listener port |
+| wso2.apk.dp.gateway.autoscaling.enabled | bool | `false` | Enable autoscaling for Gateway |
+| wso2.apk.dp.gateway.autoscaling.minReplicas | int | `1` | Minimum number of replicas for Gateway |
+| wso2.apk.dp.gateway.autoscaling.maxReplicas | int | `2` | Maximum number of replicas for Gateway |
+| wso2.apk.dp.gateway.autoscaling.targetMemory | 
int | `80` | Target memory utilization percentage for Gateway |
+| wso2.apk.dp.gateway.autoscaling.targetCPU | int | `80` | Target CPU utilization percentage for Gateway |
+| wso2.apk.dp.redis.type | string | `"single"` | Redis type |
+| wso2.apk.dp.redis.url | string | `"redis-master:6379"` | Redis URL |
+| wso2.apk.dp.redis.tls | bool | `false` | TLS enabled |
+| wso2.apk.dp.redis.auth.certificatesSecret | string | `nil` | Redis ceritificate secret |
+| wso2.apk.dp.redis.auth.secretKey | string | `nil` | Redis secret key |
+| wso2.apk.dp.redis.poolSize | string | `nil` | Redis pool size |
+| wso2.apk.dp.partitionServer.enabled | bool | `false` | Enable partition server for Data Plane. |
+| wso2.apk.dp.partitionServer.host | string | `""` | Partition Server Service URL |
+| wso2.apk.dp.partitionServer.serviceBasePath | string | `"/api/publisher/v1"` | Partition Server Service Base Path. |
+| wso2.apk.dp.partitionServer.partitionName | string | `"default"` | Partition Name. |
+| wso2.apk.dp.partitionServer.tls.secretName | string | `"managetment-server-cert"` | TLS secret name for Partition Server Public Certificate. |
+| wso2.apk.dp.partitionServer.tls.fileName | string | `"certificate.crt"` | TLS certificate file name. |
+| wso2.apk.dp.configdeployer.enabled | bool | `true` | |
+| wso2.apk.dp.configdeployer.deployment.resources.requests.memory | string | `"128Mi"` | CPU request for the container |
+| wso2.apk.dp.configdeployer.deployment.resources.requests.cpu | string | `"100m"` | Memory request for the container |
+| wso2.apk.dp.configdeployer.deployment.resources.limits.memory | string | `"1028Mi"` | CPU limit for the container |
+| wso2.apk.dp.configdeployer.deployment.resources.limits.cpu | string | `"1000m"` | Memory limit for the container |
+| wso2.apk.dp.configdeployer.deployment.readinessProbe.initialDelaySeconds | int | `20` | Number of seconds after the container has started before liveness probes are initiated. 
|
+| wso2.apk.dp.configdeployer.deployment.readinessProbe.periodSeconds | int | `20` | How often (in seconds) to perform the probe. |
+| wso2.apk.dp.configdeployer.deployment.readinessProbe.failureThreshold | int | `5` | Minimum consecutive failures for the probe to be considered failed after having succeeded. |
+| wso2.apk.dp.configdeployer.deployment.livenessProbe.initialDelaySeconds | int | `20` | Number of seconds after the container has started before liveness probes are initiated. |
+| wso2.apk.dp.configdeployer.deployment.livenessProbe.periodSeconds | int | `20` | How often (in seconds) to perform the probe. |
+| wso2.apk.dp.configdeployer.deployment.livenessProbe.failureThreshold | int | `5` | Minimum consecutive failures for the probe to be considered failed after having succeeded. |
+| wso2.apk.dp.configdeployer.deployment.strategy | string | `"RollingUpdate"` | Deployment strategy |
+| wso2.apk.dp.configdeployer.deployment.replicas | int | `1` | Number of replicas |
+| wso2.apk.dp.configdeployer.deployment.imagePullPolicy | string | `"Always"` | Image pull policy |
+| wso2.apk.dp.configdeployer.deployment.image | string | `"wso2/apk-config-deployer-service:1.1.0-alpha"` | Image |
+| wso2.apk.dp.configdeployer.deployment.configs.authorization | bool | `true` | Enable authorization for runtime api. |
+| wso2.apk.dp.configdeployer.deployment.configs.baseUrl | string | `"https://api.am.wso2.com:9095/api/runtime"` | Baseurl for runtime api. |
+| wso2.apk.dp.configdeployer.deployment.configs.tls.secretName | string | `""` | TLS secret name for runtime public certificate. |
+| wso2.apk.dp.configdeployer.deployment.configs.tls.certKeyFilename | string | `""` | TLS certificate file name. |
+| wso2.apk.dp.configdeployer.deployment.configs.tls.certFilename | string | `""` | TLS certificate file name. 
|
+| wso2.apk.dp.configdeployer.vhosts | list | `[{"hosts":["gw.wso2.com"],"name":"default","type":"production"},{"hosts":["sandbox.gw.wso2.com"],"name":"default","type":"sandbox"}]` | List of vhost |
+| wso2.apk.dp.adapter.deployment.resources.requests.memory | string | `"128Mi"` | CPU request for the container |
+| wso2.apk.dp.adapter.deployment.resources.requests.cpu | string | `"100m"` | Memory request for the container |
+| wso2.apk.dp.adapter.deployment.resources.limits.memory | string | `"1028Mi"` | CPU limit for the container |
+| wso2.apk.dp.adapter.deployment.resources.limits.cpu | string | `"1000m"` | Memory limit for the container |
+| wso2.apk.dp.adapter.deployment.readinessProbe.initialDelaySeconds | int | `20` | Number of seconds after the container has started before liveness probes are initiated. |
+| wso2.apk.dp.adapter.deployment.readinessProbe.periodSeconds | int | `20` | How often (in seconds) to perform the probe. |
+| wso2.apk.dp.adapter.deployment.readinessProbe.failureThreshold | int | `5` | Minimum consecutive failures for the probe to be considered failed after having succeeded. |
+| wso2.apk.dp.adapter.deployment.livenessProbe.initialDelaySeconds | int | `20` | Number of seconds after the container has started before liveness probes are initiated. |
+| wso2.apk.dp.adapter.deployment.livenessProbe.periodSeconds | int | `20` | How often (in seconds) to perform the probe. |
+| wso2.apk.dp.adapter.deployment.livenessProbe.failureThreshold | int | `5` | Minimum consecutive failures for the probe to be considered failed after having succeeded. 
|
+| wso2.apk.dp.adapter.deployment.strategy | string | `"RollingUpdate"` | Deployment strategy |
+| wso2.apk.dp.adapter.deployment.replicas | int | `1` | Number of replicas |
+| wso2.apk.dp.adapter.deployment.imagePullPolicy | string | `"Always"` | Image pull policy |
+| wso2.apk.dp.adapter.deployment.image | string | `"wso2/apk-adapter:1.1.0-alpha"` | Image |
+| wso2.apk.dp.adapter.deployment.security.sslHostname | string | `"adapter"` | Enable security for adapter. |
+| wso2.apk.dp.adapter.configs.apiNamespaces | string | `nil` | Optionally configure namespaces to watch for apis. |
+| wso2.apk.dp.adapter.configs.tls.secretName | string | `""` | TLS secret name for adapter public certificate. |
+| wso2.apk.dp.adapter.configs.tls.certKeyFilename | string | `""` | TLS certificate file name. |
+| wso2.apk.dp.adapter.configs.tls.certFilename | string | `""` | TLS certificate file name. |
+| wso2.apk.dp.adapter.logging.level | string | `"INFO"` | Optionally configure logging for adapter. LogLevels can be "DEBG", "FATL", "ERRO", "WARN", "INFO", "PANC" |
+| wso2.apk.dp.adapter.logging.logFile | string | `"logs/adapter.log"` | Log file name |
+| wso2.apk.dp.adapter.logging.logFormat | string | `"TEXT"` | Log format can be "JSON", "TEXT" |
+| wso2.apk.dp.commonController.deployment.resources.requests.memory | string | `"128Mi"` | Memory request for the container |
+| wso2.apk.dp.commonController.deployment.resources.requests.cpu | string | `"100m"` | CPU request for the container |
+| wso2.apk.dp.commonController.deployment.resources.limits.memory | string | `"1028Mi"` | Memory limit for the container |
+| wso2.apk.dp.commonController.deployment.resources.limits.cpu | string | `"1000m"` | CPU limit for the container |
+| wso2.apk.dp.commonController.deployment.readinessProbe.initialDelaySeconds | int | `20` | Number of seconds after the container has started before readinessProbe probes are initiated. 
|
+| wso2.apk.dp.commonController.deployment.readinessProbe.periodSeconds | int | `20` | How often (in seconds) to perform the probe. |
+| wso2.apk.dp.commonController.deployment.readinessProbe.failureThreshold | int | `5` | Minimum consecutive failures for the probe to be considered failed after having succeeded. |
+| wso2.apk.dp.commonController.deployment.livenessProbe.initialDelaySeconds | int | `20` | Number of seconds after the container has started before liveness probes are initiated. |
+| wso2.apk.dp.commonController.deployment.livenessProbe.periodSeconds | int | `20` | How often (in seconds) to perform the probe. |
+| wso2.apk.dp.commonController.deployment.livenessProbe.failureThreshold | int | `5` | Minimum consecutive failures for the probe to be considered failed after having succeeded. |
+| wso2.apk.dp.commonController.deployment.strategy | string | `"RollingUpdate"` | Deployment strategy |
+| wso2.apk.dp.commonController.deployment.replicas | int | `1` | Number of replicas |
+| wso2.apk.dp.commonController.deployment.imagePullPolicy | string | `"Always"` | Image pull policy |
+| wso2.apk.dp.commonController.deployment.image | string | `"wso2/apk-common-controller:1.1.0-alpha"` | Image |
+| wso2.apk.dp.commonController.deployment.security.sslHostname | string | `"commoncontroller"` | hostname for the common controller |
+| wso2.apk.dp.commonController.deployment.configs.apiNamespaces | list | `["apk-v12"]` | Optionally configure namespaces to watch for apis,ratelimitpolicies,etc. 
|
+| wso2.apk.dp.commonController.deployment.redis.host | string | `"redis-master"` | Redis host |
+| wso2.apk.dp.commonController.deployment.redis.port | string | `"6379"` | Redis port |
+| wso2.apk.dp.commonController.deployment.redis.username | string | `"default"` | Redis user name |
+| wso2.apk.dp.commonController.deployment.redis.password | string | `""` | Redis password |
+| wso2.apk.dp.commonController.deployment.redis.tlsEnabled | bool | `false` | Redis TLS enabled or not |
+| wso2.apk.dp.commonController.deployment.redis.userCertPath | string | `"/home/wso2/security/keystore/commoncontroller.crt"` | Redis user cert to use for redis connections |
+| wso2.apk.dp.commonController.deployment.redis.userKeyPath | string | `"/home/wso2/security/keystore/commoncontroller.key"` | Redis user key to use for redis connections |
+| wso2.apk.dp.commonController.deployment.redis.cACertPath | string | `"/home/wso2/security/keystore/commoncontroller.crt"` | Redis CA cert to use for redis connections |
+| wso2.apk.dp.commonController.deployment.redis.channelName | string | `"wso2-apk-revoked-tokens-channel"` | Token revocation subscription channel name |
+| wso2.apk.dp.commonController.deployment.controlplane.enabled | bool | `false` | Enable controlplane connection |
+| wso2.apk.dp.commonController.deployment.controlplane.host | string | `"apim-apk-agent-service.apk.svc.cluster.local"` | Hostname of the APK agent service |
+| wso2.apk.dp.commonController.deployment.controlplane.eventPort | int | `18000` | Port of the APK agent service for events |
+| wso2.apk.dp.commonController.deployment.controlplane.skipSSLVerification | bool | `false` | Skip SSL verification |
+| wso2.apk.dp.commonController.deployment.controlplane.persistence | object | `{"type":"K8s"}` | Provide persistence mode DB/K8s |
+| wso2.apk.dp.commonController.deployment.database.enabled | bool | `false` | Enable Database mode for persistence |
+| wso2.apk.dp.commonController.deployment.database.name | 
string | `"DATAPLANE"` | name of the database containing controlplane data for the use of dataplane |
+| wso2.apk.dp.commonController.deployment.database.host | string | `"wso2apk-db-service.apk"` | |
+| wso2.apk.dp.commonController.deployment.database.port | int | `5432` | |
+| wso2.apk.dp.commonController.deployment.database.username | string | `"wso2carbon"` | |
+| wso2.apk.dp.commonController.deployment.database.password | string | `"wso2carbon"` | |
+| wso2.apk.dp.commonController.deployment.database.poolOptions.poolMaxConns | int | `4` | |
+| wso2.apk.dp.commonController.deployment.database.poolOptions.poolMinConns | int | `0` | |
+| wso2.apk.dp.commonController.deployment.database.poolOptions.poolMaxConnLifetime | string | `"1h"` | |
+| wso2.apk.dp.commonController.deployment.database.poolOptions.poolMaxConnIdleTime | string | `"1h"` | |
+| wso2.apk.dp.commonController.deployment.database.poolOptions.poolHealthCheckPeriod | string | `"1m"` | |
+| wso2.apk.dp.commonController.deployment.database.poolOptions.poolMaxConnLifetimeJitter | string | `"1s"` | |
+| wso2.apk.dp.ratelimiter.enabled | bool | `true` | Enable the deployment of the Rate Limiter |
+| wso2.apk.dp.ratelimiter.deployment.resources.requests.memory | string | `"128Mi"` | CPU request for the container |
+| wso2.apk.dp.ratelimiter.deployment.resources.requests.cpu | string | `"100m"` | Memory request for the container |
+| wso2.apk.dp.ratelimiter.deployment.resources.limits.memory | string | `"1028Mi"` | CPU limit for the container |
+| wso2.apk.dp.ratelimiter.deployment.resources.limits.cpu | string | `"1000m"` | Memory limit for the container |
+| wso2.apk.dp.ratelimiter.deployment.readinessProbe.initialDelaySeconds | int | `20` | Number of seconds after the container has started before liveness probes are initiated. |
+| wso2.apk.dp.ratelimiter.deployment.readinessProbe.periodSeconds | int | `20` | How often (in seconds) to perform the probe. 
|
+| wso2.apk.dp.ratelimiter.deployment.readinessProbe.failureThreshold | int | `5` | Minimum consecutive failures for the probe to be considered failed after having succeeded. |
+| wso2.apk.dp.ratelimiter.deployment.livenessProbe.initialDelaySeconds | int | `20` | Number of seconds after the container has started before liveness probes are initiated. |
+| wso2.apk.dp.ratelimiter.deployment.livenessProbe.periodSeconds | int | `20` | How often (in seconds) to perform the probe. |
+| wso2.apk.dp.ratelimiter.deployment.livenessProbe.failureThreshold | int | `5` | Minimum consecutive failures for the probe to be considered failed after having succeeded. |
+| wso2.apk.dp.ratelimiter.deployment.strategy | string | `"RollingUpdate"` | Deployment strategy |
+| wso2.apk.dp.ratelimiter.deployment.replicas | int | `1` | Number of replicas |
+| wso2.apk.dp.ratelimiter.deployment.imagePullPolicy | string | `"Always"` | Image pull policy |
+| wso2.apk.dp.ratelimiter.deployment.image | string | `"wso2/apk-ratelimiter:1.1.0-alpha"` | Image |
+| wso2.apk.dp.ratelimiter.deployment.security.sslHostname | string | `"ratelimiter"` | hostname for the rate limiter |
+| wso2.apk.dp.ratelimiter.deployment.configs.tls.secretName | string | `"ratelimiter-cert"` | TLS secret name for rate limiter public certificate. |
+| wso2.apk.dp.ratelimiter.deployment.configs.tls.certKeyFilename | string | `""` | TLS certificate file name. |
+| wso2.apk.dp.ratelimiter.deployment.configs.tls.certFilename | string | `""` | TLS certificate file name. |
+| wso2.apk.dp.ratelimiter.deployment.configs.tls.certCAFilename | string | `""` | TLS CA certificate file name. |
+| wso2.apk.dp.gatewayRuntime.service.annotations | string | `nil` | Gateway service related annotations. 
|
+| wso2.apk.dp.gatewayRuntime.deployment.replicas | int | `1` | Number of replicas |
+| wso2.apk.dp.gatewayRuntime.deployment.router.resources.requests.memory | string | `"128Mi"` | CPU request for the container |
+| wso2.apk.dp.gatewayRuntime.deployment.router.resources.requests.cpu | string | `"100m"` | Memory request for the container |
+| wso2.apk.dp.gatewayRuntime.deployment.router.resources.limits.memory | string | `"1028Mi"` | CPU limit for the container |
+| wso2.apk.dp.gatewayRuntime.deployment.router.resources.limits.cpu | string | `"1000m"` | Memory limit for the container |
+| wso2.apk.dp.gatewayRuntime.deployment.router.readinessProbe.initialDelaySeconds | int | `20` | Number of seconds after the container has started before liveness probes are initiated. |
+| wso2.apk.dp.gatewayRuntime.deployment.router.readinessProbe.periodSeconds | int | `20` | How often (in seconds) to perform the probe. |
+| wso2.apk.dp.gatewayRuntime.deployment.router.readinessProbe.failureThreshold | int | `5` | Minimum consecutive failures for the probe to be considered failed after having succeeded. |
+| wso2.apk.dp.gatewayRuntime.deployment.router.livenessProbe.initialDelaySeconds | int | `20` | Number of seconds after the container has started before liveness probes are initiated. |
+| wso2.apk.dp.gatewayRuntime.deployment.router.livenessProbe.periodSeconds | int | `20` | How often (in seconds) to perform the probe. |
+| wso2.apk.dp.gatewayRuntime.deployment.router.livenessProbe.failureThreshold | int | `5` | Minimum consecutive failures for the probe to be considered failed after having succeeded. 
|
+| wso2.apk.dp.gatewayRuntime.deployment.router.strategy | string | `"RollingUpdate"` | Deployment strategy |
+| wso2.apk.dp.gatewayRuntime.deployment.router.imagePullPolicy | string | `"Always"` | Image pull policy |
+| wso2.apk.dp.gatewayRuntime.deployment.router.image | string | `"wso2/apk-router:1.1.0-alpha"` | Image |
+| wso2.apk.dp.gatewayRuntime.deployment.router.configs.enforcerResponseTimeoutInSeconds | int | `20` | The timeout for response coming from enforcer to route per API request |
+| wso2.apk.dp.gatewayRuntime.deployment.router.configs.useRemoteAddress | bool | `false` | If configured true, router appends the immediate downstream ip address to the x-forward-for header |
+| wso2.apk.dp.gatewayRuntime.deployment.router.configs.systemHost | string | `"localhost"` | System hostname for system API resources (eg: /testkey and /health) |
+| wso2.apk.dp.gatewayRuntime.deployment.router.configs.enableIntelligentRouting | bool | `false` | Enable Semantic Versioning based Intelligent Routing for Gateway |
+| wso2.apk.dp.gatewayRuntime.deployment.router.configs.tls.secretName | string | `"router-cert"` | TLS secret name for router public certificate. |
+| wso2.apk.dp.gatewayRuntime.deployment.router.configs.tls.certKeyFilename | string | `""` | TLS certificate file name. |
+| wso2.apk.dp.gatewayRuntime.deployment.router.configs.tls.certFilename | string | `""` | TLS certificate file name. 
|
+| wso2.apk.dp.gatewayRuntime.deployment.router.configs.upstream.tls.verifyHostName | bool | `true` | Enable/Disable Verifying host name |
+| wso2.apk.dp.gatewayRuntime.deployment.router.configs.upstream.tls.disableSslVerification | bool | `false` | Disable SSL verification |
+| wso2.apk.dp.gatewayRuntime.deployment.router.configs.upstream.dns.dnsRefreshRate | int | `5000` | DNS refresh rate in miliseconds |
+| wso2.apk.dp.gatewayRuntime.deployment.router.configs.upstream.dns.respectDNSTtl | bool | `false` | set cluster’s DNS refresh rate to resource record’s TTL which comes from DNS resolution |
+| wso2.apk.dp.gatewayRuntime.deployment.router.logging.wireLogs | object | `{"enable":true}` | Optionally configure logging for router. |
+| wso2.apk.dp.gatewayRuntime.deployment.router.logging.wireLogs.enable | bool | `true` | Enable wire logs for router. |
+| wso2.apk.dp.gatewayRuntime.deployment.router.logging.accessLogs.enable | bool | `true` | Enable access logs for router. |
+| wso2.apk.dp.gatewayRuntime.deployment.router.logging.accessLogs.logfile | string | `"/tmp/envoy.access.log"` | Log file name |
+| wso2.apk.dp.gatewayRuntime.deployment.enforcer.resources.requests.memory | string | `"128Mi"` | CPU request for the container |
+| wso2.apk.dp.gatewayRuntime.deployment.enforcer.resources.requests.cpu | string | `"100m"` | Memory request for the container |
+| wso2.apk.dp.gatewayRuntime.deployment.enforcer.resources.limits.memory | string | `"1028Mi"` | CPU limit for the container |
+| wso2.apk.dp.gatewayRuntime.deployment.enforcer.resources.limits.cpu | string | `"1000m"` | Memory limit for the container |
+| wso2.apk.dp.gatewayRuntime.deployment.enforcer.readinessProbe.initialDelaySeconds | int | `20` | Number of seconds after the container has started before liveness probes are initiated. |
+| wso2.apk.dp.gatewayRuntime.deployment.enforcer.readinessProbe.periodSeconds | int | `20` | How often (in seconds) to perform the probe. 
|
+| wso2.apk.dp.gatewayRuntime.deployment.enforcer.readinessProbe.failureThreshold | int | `5` | Minimum consecutive failures for the probe to be considered failed after having succeeded. |
+| wso2.apk.dp.gatewayRuntime.deployment.enforcer.livenessProbe.initialDelaySeconds | int | `20` | Number of seconds after the container has started before liveness probes are initiated. |
+| wso2.apk.dp.gatewayRuntime.deployment.enforcer.livenessProbe.periodSeconds | int | `20` | How often (in seconds) to perform the probe. |
+| wso2.apk.dp.gatewayRuntime.deployment.enforcer.livenessProbe.failureThreshold | int | `5` | Minimum consecutive failures for the probe to be considered failed after having succeeded. |
+| wso2.apk.dp.gatewayRuntime.deployment.enforcer.strategy | string | `"RollingUpdate"` | Deployment strategy |
+| wso2.apk.dp.gatewayRuntime.deployment.enforcer.imagePullPolicy | string | `"Always"` | Image pull policy |
+| wso2.apk.dp.gatewayRuntime.deployment.enforcer.image | string | `"wso2/apk-enforcer:1.1.0-alpha"` | Image |
+| wso2.apk.dp.gatewayRuntime.deployment.enforcer.security.sslHostname | string | `"enforcer"` | hostname for the enforcer |
+| wso2.apk.dp.gatewayRuntime.deployment.enforcer.configs.tls.secretName | string | `""` | TLS secret name for enforcer public certificate. |
+| wso2.apk.dp.gatewayRuntime.deployment.enforcer.configs.tls.certKeyFilename | string | `""` | TLS certificate file name. |
+| wso2.apk.dp.gatewayRuntime.deployment.enforcer.configs.tls.certFilename | string | `""` | TLS certificate file name. 
|
+| wso2.apk.dp.gatewayRuntime.deployment.enforcer.configs.authService | object | `{"keepAliveTime":600,"maxHeaderLimit":8192,"maxMessageSize":1000000000,"threadPool":{"coreSize":400,"keepAliveTime":600,"maxSize":1000,"queueSize":2000}}` | The configurations of gRPC netty based server in Enforcer that handles the incoming requests from ext_authz |
+| wso2.apk.dp.gatewayRuntime.deployment.enforcer.configs.mandateSubscriptionValidation | bool | `false` | Specifies whether subscription validation is mandated for all APIs. |
+| wso2.apk.dp.gatewayRuntime.deployment.enforcer.logging.level | string | `"DEBUG"` | Log level can be one of DEBUG, INFO, WARN, ERROR, OFF |
+| wso2.apk.dp.gatewayRuntime.deployment.enforcer.logging.logFile | string | `"logs/enforcer.log"` | Log file name |
+| wso2.apk.dp.gatewayRuntime.deployment.enforcer.redis.host | string | `"redis-master"` | Redis host |
+| wso2.apk.dp.gatewayRuntime.deployment.enforcer.redis.port | string | `"6379"` | Redis port |
+| wso2.apk.dp.gatewayRuntime.deployment.enforcer.redis.username | string | `"default"` | Redis user name |
+| wso2.apk.dp.gatewayRuntime.deployment.enforcer.redis.password | string | `""` | Redis password |
+| wso2.apk.dp.gatewayRuntime.deployment.enforcer.redis.tlsEnabled | bool | `false` | Redis TLS enabled or not |
+| wso2.apk.dp.gatewayRuntime.deployment.enforcer.redis.userCertPath | string | `"/home/wso2/security/keystore/commoncontroller.crt"` | |
+| wso2.apk.dp.gatewayRuntime.deployment.enforcer.redis.userKeyPath | string | `"/home/wso2/security/keystore/commoncontroller.key"` | Redis user key to use for redis connections |
+| wso2.apk.dp.gatewayRuntime.deployment.enforcer.redis.cACertPath | string | `"/home/wso2/security/keystore/commoncontroller.crt"` | Redis CA cert to use for redis connections |
+| wso2.apk.dp.gatewayRuntime.deployment.enforcer.redis.channelName | string | `"wso2-apk-revoked-tokens-channel"` | Token revocation subscription channel name |
+| 
wso2.apk.dp.gatewayRuntime.tracing.enabled | bool | `true` | Enable/Disable tracing in gateway runtime. |
+| wso2.apk.dp.gatewayRuntime.tracing.type | string | `"zipkin"` | Type of tracer exporter (e.g: azure, zipkin). Use zipkin type for Jaeger as well. |
+| wso2.apk.dp.gatewayRuntime.tracing.configProperties.host | string | `"jaeger"` | Jaeger/Zipkin host. |
+| wso2.apk.dp.gatewayRuntime.tracing.configProperties.port | string | `"9411"` | Jaeger/Zipkin port. |
+| wso2.apk.dp.gatewayRuntime.tracing.configProperties.endpoint | string | `"/api/v2/spans"` | Jaeger/Zipkin collector endpoint path. |
+| wso2.apk.dp.gatewayRuntime.tracing.configProperties.instrumentationName | string | `"APK"` | Library Name to be tagged in traces (`otel.library.name`). |
+| wso2.apk.dp.gatewayRuntime.tracing.configProperties.maximumTracesPerSecond | string | `"2"` | Maximum number of sampled traces per second string. |
+| wso2.apk.dp.gatewayRuntime.tracing.configProperties.maxPathLength | string | `"256"` | Maximum length of the request path to extract and include in the HttpUrl tag. |
+| wso2.apk.dp.gatewayRuntime.tracing.configProperties.connectionString | string | `"https://otlp.nr-data.net"` | New Relic OTLP gRPC collector endpoint. |
+| wso2.apk.dp.gatewayRuntime.tracing.configProperties.authHeaderName | string | `"api-key"` | Auth header name. |
+| wso2.apk.dp.gatewayRuntime.tracing.configProperties.authHeaderValue | string | `""` | Auth header value. |
+| wso2.apk.dp.gatewayRuntime.tracing.configProperties.connectionTimeout | string | `"20"` | Connection timeout for the otlp service. |
+| wso2.apk.dp.gatewayRuntime.tracing.configProperties.tls.enabled | bool | `true` | Enable/Disable TLS for the otlp service. |
+| wso2.apk.dp.gatewayRuntime.tracing.configProperties.tls.secretName | string | `"ratelimiter-cert"` | TLS certificate file name. |
+| wso2.apk.dp.gatewayRuntime.tracing.configProperties.tls.certFilename | string | `""` | TLS certificate file name. 
| +| wso2.apk.dp.gatewayRuntime.tracing.configProperties.tls.certCAFilename | string | `""` | TLS certificate file name. | +| wso2.apk.dp.gatewayRuntime.analytics.enabled | bool | `true` | Enable/Disable analytics in gateway runtime. | +| wso2.apk.dp.gatewayRuntime.analytics.type | string | `"Choreo"` | Type of analytics data publisher. Can be "Choreo" or "ELK". | +| wso2.apk.dp.gatewayRuntime.analytics.secretName | string | `"choreo-analytics-secret"` | Choreo analytics secret. | +| wso2.apk.dp.gatewayRuntime.analytics.properties | object | `{"property_name":"property_value"}` | Property values for the analytics. | +| wso2.apk.dp.gatewayRuntime.analytics.publishers | list | `[{"configProperties":{"auth.api.token":"$env{analytics_authToken}","auth.api.url":"$env{analytics_authURL}"},"enabled":true,"type":"default"},{"enabled":true,"type":"elk"}]` | Analytics Publishers | +| wso2.apk.dp.gatewayRuntime.analytics.logFileName | string | `"logs/enforcer_analytics.log"` | Optional: File name of the log file. | +| wso2.apk.dp.gatewayRuntime.analytics.logLevel | string | `"INFO"` | Optional: Log level the analytics data. Can be one of DEBUG, INFO, WARN, ERROR, OFF. 
| +| wso2.apk.dp.gatewayRuntime.analytics.receiver | object | `{"keepAliveTime":600,"maxHeaderLimit":8192,"maxMessageSize":1000000000,"threadPool":{"coreSize":10,"keepAliveTime":600,"maxSize":100,"queueSize":1000}}` | gRPC access log service within Enforcer | +| wso2.apk.dp.gatewayRuntime.analytics.receiver.maxMessageSize | int | `1000000000` | Maximum message size in bytes | +| wso2.apk.dp.gatewayRuntime.analytics.receiver.maxHeaderLimit | int | `8192` | Maximum header size in bytes | +| wso2.apk.dp.gatewayRuntime.analytics.receiver.keepAliveTime | int | `600` | Keep alive time of gRPC access log connection | +| wso2.apk.dp.gatewayRuntime.analytics.receiver.threadPool | object | `{"coreSize":10,"keepAliveTime":600,"maxSize":100,"queueSize":1000}` | Thread pool configuration for gRPC access log server | +| wso2.apk.dp.gatewayRuntime.analytics.receiver.threadPool.coreSize | int | `10` | Minimum number of workers to keep alive | +| wso2.apk.dp.gatewayRuntime.analytics.receiver.threadPool.maxSize | int | `100` | Maximum pool size | +| wso2.apk.dp.gatewayRuntime.analytics.receiver.threadPool.keepAliveTime | int | `600` | Timeout in seconds for idle threads waiting for work | +| wso2.apk.dp.gatewayRuntime.analytics.receiver.threadPool.queueSize | int | `1000` | Queue size of the worker threads | +| wso2.apk.metrics.enabled | bool | `false` | Enable Prometheus metrics | +| idp.enabled | bool | `true` | Enable Non production identity server | +| idp.listener.hostname | string | `"idp.am.wso2.com"` | identity server hostname | +| idp.listener.secretName | string | `"idp-tls"` | identity server certificate | +| idp.database.driver | string | `"org.postgresql.Driver"` | identity server database driver | +| idp.database.url | string | `"jdbc:postgresql://wso2apk-db-service:5432/WSO2AM_DB"` | identity server database url | +| idp.database.host | string | `"wso2apk-db-service"` | identity server database host | +| idp.database.port | int | `5432` | identity server database port 
| +| idp.database.databaseName | string | `"WSO2AM_DB"` | identity server database name | +| idp.database.username | string | `"wso2carbon"` | identity server database username | +| idp.database.secretName | string | `"apk-db-secret"` | identity server database password secret name | +| idp.database.secretKey | string | `"DB_PASSWORD"` | identity server database password secret key | +| idp.database.validationQuery | string | `"SELECT 1"` | identity server database validation query | +| idp.database.validationTimeout | int | `250` | identity server database validation timeout | +| idp.idpds.config.issuer | string | `"https://idp.am.wso2.com/token"` | identity server issuer url | +| idp.idpds.config.keyId | string | `"gateway_certificate_alias"` | identity server keyId | +| idp.idpds.config.hostname | string | `"idp.am.wso2.com"` | identity server hostname. | +| idp.idpds.config.loginPageURl | string | `"https://idp.am.wso2.com:9095/authenticationEndpoint/login"` | identity server login page url | +| idp.idpds.config.loginErrorPageUrl | string | `"https://idp.am.wso2.com:9095/authenticationEndpoint/error"` | identity server login error page url | +| idp.idpds.config.loginCallBackURl | string | `"https://idp.am.wso2.com:9095/authenticationEndpoint/login-callback"` | identity server login callback page url | +| idp.idpds.deployment.resources.requests.memory | string | `"128Mi"` | CPU request for the container | +| idp.idpds.deployment.resources.requests.cpu | string | `"100m"` | Memory request for the container | +| idp.idpds.deployment.resources.limits.memory | string | `"1028Mi"` | CPU limit for the container | +| idp.idpds.deployment.resources.limits.cpu | string | `"1000m"` | Memory limit for the container | +| idp.idpds.deployment.readinessProbe.initialDelaySeconds | int | `20` | Number of seconds after the container has started before liveness probes are initiated. 
| +| idp.idpds.deployment.readinessProbe.periodSeconds | int | `20` | How often (in seconds) to perform the probe. | +| idp.idpds.deployment.readinessProbe.failureThreshold | int | `5` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | +| idp.idpds.deployment.livenessProbe.initialDelaySeconds | int | `20` | Number of seconds after the container has started before liveness probes are initiated. | +| idp.idpds.deployment.livenessProbe.periodSeconds | int | `20` | How often (in seconds) to perform the probe. | +| idp.idpds.deployment.livenessProbe.failureThreshold | int | `5` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | +| idp.idpds.deployment.strategy | string | `"RollingUpdate"` | Deployment strategy | +| idp.idpds.deployment.replicas | int | `1` | Number of replicas | +| idp.idpds.deployment.imagePullPolicy | string | `"Always"` | Image pull policy | +| idp.idpds.deployment.image | string | `"wso2/apk-idp-domain-service:1.1.0-alpha"` | Image | +| idp.idpui.deployment.resources.requests.memory | string | `"128Mi"` | CPU request for the container | +| idp.idpui.deployment.resources.requests.cpu | string | `"100m"` | Memory request for the container | +| idp.idpui.deployment.resources.limits.memory | string | `"1028Mi"` | CPU limit for the container | +| idp.idpui.deployment.resources.limits.cpu | string | `"1000m"` | Memory limit for the container | +| idp.idpui.deployment.readinessProbe.initialDelaySeconds | int | `20` | Number of seconds after the container has started before liveness probes are initiated. | +| idp.idpui.deployment.readinessProbe.periodSeconds | int | `20` | How often (in seconds) to perform the probe. | +| idp.idpui.deployment.readinessProbe.failureThreshold | int | `5` | Minimum consecutive failures for the probe to be considered failed after having succeeded. 
| +| idp.idpui.deployment.livenessProbe.initialDelaySeconds | int | `20` | Number of seconds after the container has started before liveness probes are initiated. | +| idp.idpui.deployment.livenessProbe.periodSeconds | int | `20` | How often (in seconds) to perform the probe. | +| idp.idpui.deployment.livenessProbe.failureThreshold | int | `5` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | +| idp.idpui.deployment.strategy | string | `"RollingUpdate"` | Deployment strategy | +| idp.idpui.deployment.replicas | int | `1` | Number of replicas | +| idp.idpui.deployment.imagePullPolicy | string | `"Always"` | Image pull policy | +| idp.idpui.deployment.image | string | `"wso2/apk-idp-ui:1.1.0-alpha"` | Image | +| idp.idpui.configs.idpLoginUrl | string | `"https://idp.am.wso2.com:9095/commonauth/login"` | identity server Login URL | +| idp.idpui.configs.idpAuthCallBackUrl | string | `"https://idp.am.wso2.com:9095/oauth2/auth-callback"` | identity server authCallBackUrl | +| gatewaySystem.enabled | bool | `true` | Enable gateway system to install gateway system components | +| gatewaySystem.enableServiceAccountCreation | bool | `true` | | +| gatewaySystem.enableClusterRoleCreation | bool | `true` | | +| gatewaySystem.serviceAccountName | string | `"gateway-api-admission"` | | +| certmanager.enabled | bool | `true` | Enable certificate manager to generate certificates | +| certmanager.enableClusterIssuer | bool | `true` | Enable cluster issuer to generate certificates | +| certmanager.enableRootCa | bool | `true` | Enable root CA to generate certificates | +| certmanager.rootCaSecretName | string | `"apk-root-certificate"` | Enable CA certificate secret name. 
| +| certmanager.listeners.issuerName | string | `"selfsigned-issuer"` | Issuer name | +| certmanager.listeners.issuerKind | string | `"ClusterIssuer"` | Issuer kind | +| certmanager.servers.issuerName | string | `"selfsigned-issuer"` | Issuer name | +| certmanager.servers.issuerKind | string | `"ClusterIssuer"` | Issuer kind | +| postgresql.enabled | bool | `true` | Enable postgresql database | +| postgresql.fullnameOverride | string | `"wso2apk-db-service"` | String to fully override common.names.fullname template | +| postgresql.auth.database | string | `"WSO2AM_DB"` | Name for a custom database to create | +| postgresql.auth.postgresPassword | string | `"wso2carbon"` | Password for the "postgres" admin user. Ignored if auth.existingSecret is provided | +| postgresql.auth.username | string | `"wso2carbon"` | Name for a custom user to create | +| postgresql.auth.password | string | `"wso2carbon"` | Password for the custom user to create. Ignored if auth.existingSecret is provided | +| postgresql.primary.extendedConfiguration | string | `"max_connections = 400\n"` | Extended PostgreSQL Primary configuration (appended to main or default configuration) | +| postgresql.primary.initdb.scriptsConfigMap | string | `"postgres-initdb-scripts-configmap"` | ConfigMap with PostgreSQL initialization scripts | +| postgresql.primary.initdb.user | string | `"wso2carbon"` | Specify the PostgreSQL username to execute the initdb scripts | +| postgresql.primary.initdb.password | string | `"wso2carbon"` | Specify the PostgreSQL password to execute the initdb scripts | +| postgresql.primary.service.ports.postgresql | int | `5432` | PostgreSQL service port | +| postgresql.primary.podSecurityContext.enabled | bool | `true` | Enable pod security context | +| postgresql.primary.podSecurityContext.fsGroup | string | `nil` | Pod security context fsGroup | +| postgresql.primary.podSecurityContext.runAsNonRoot | bool | `true` | Pod security context runAsNonRoot | +| 
postgresql.primary.podSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | Pod security context seccomp profile type | +| postgresql.primary.containerSecurityContext.enabled | bool | `true` | Enable container security context | +| postgresql.primary.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | Container security context allow privilege escalation | +| postgresql.primary.containerSecurityContext.capabilities.drop | list | `["ALL"]` | Container security context capabilities drop | +| postgresql.primary.containerSecurityContext.runAsUser | string | `nil` | Container security context runAsUser | +| redis.enabled | bool | `true` | Enable redis | +| redis.architecture | string | `"standalone"` | Redis® architecture. Allowed values: standalone or replication. | +| redis.fullnameOverride | string | `"redis"` | String to fully override common.names.fullname template | +| redis.primary.service.ports.redis | int | `6379` | Redis service port | +| redis.master.podSecurityContext.enabled | bool | `true` | Enable pod security context | +| redis.master.podSecurityContext.fsGroup | string | `nil` | Pod security context fsGroup | +| redis.master.podSecurityContext.runAsNonRoot | bool | `true` | Pod security context runAsNonRoot | +| redis.master.podSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | Pod security context seccomp profile type | +| redis.master.containerSecurityContext.enabled | bool | `true` | Enable container security context | +| redis.master.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | Container security context allow privilege escalation | +| redis.master.containerSecurityContext.capabilities.drop | list | `["ALL"]` | Container security context capabilities drop | +| redis.master.containerSecurityContext.runAsUser | string | `nil` | Container security context runAsUser | +| redis.auth.enabled | bool | `false` | Enable password authentication | +| skipCrds | bool | `false` | Skip 
generate of CRD templates | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) +Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) diff --git a/helm-charts/Version-Upgrade.md b/helm-charts/Version-Upgrade.md new file mode 100644 index 000000000..fd96a0725 --- /dev/null +++ b/helm-charts/Version-Upgrade.md @@ -0,0 +1,3 @@ +# Version Upgrade APK + +helm template test . -f version-upgrade-values.yaml && helm show crds . > t.yaml \ No newline at end of file diff --git a/helm-charts/templates/crds/dp.wso2.com_apis.yaml b/helm-charts/templates/crds/dp.wso2.com_apis.yaml index ebf9aac1d..04c41c643 100644 --- a/helm-charts/templates/crds/dp.wso2.com_apis.yaml +++ b/helm-charts/templates/crds/dp.wso2.com_apis.yaml @@ -1,4 +1,4 @@ ---- +{{- if not .Values.skipCrds }} apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -374,3 +374,4 @@ spec: storage: true subresources: status: {} +{{- end}} \ No newline at end of file diff --git a/helm-charts/templates/data-plane/config-deployer/config-ds-prometheus-jmx-configmap.yaml b/helm-charts/templates/data-plane/config-deployer/config-ds-prometheus-jmx-configmap.yaml index de2731309..b700549a2 100644 --- a/helm-charts/templates/data-plane/config-deployer/config-ds-prometheus-jmx-configmap.yaml +++ b/helm-charts/templates/data-plane/config-deployer/config-ds-prometheus-jmx-configmap.yaml @@ -1,3 +1,4 @@ +{{- if and .Values.wso2.apk.metrics .Values.wso2.apk.metrics.enabled }} # Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com) All Rights Reserved. # # WSO2 LLC. licenses this file to you under the Apache License, @@ -29,3 +30,4 @@ data: help: Operating System $1 attrNameSnakeCase: true type: GAUGE +{{- end -}} \ No newline at end of file 
diff --git a/helm-charts/templates/data-plane/gateway-components/adapter/gateway-class.yaml b/helm-charts/templates/data-plane/gateway-components/adapter/gateway-class.yaml index c1f731f96..0936685dc 100644 --- a/helm-charts/templates/data-plane/gateway-components/adapter/gateway-class.yaml +++ b/helm-charts/templates/data-plane/gateway-components/adapter/gateway-class.yaml @@ -1,3 +1,20 @@ +{{- if or .Values.wso2.apk.dp.enabled .Values.wso2.apk.cp.enabled }} +# Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com) All Rights Reserved. +# +# WSO2 LLC. licenses this file to you under the Apache License, +# Version 2.0 (the "License"); you may not use this file except +# in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + apiVersion: gateway.networking.k8s.io/v1 kind: GatewayClass metadata: @@ -8,3 +25,4 @@ metadata: {{- end }} spec: controllerName: "wso2.com/apk-gateway-default" +{{- end -}} \ No newline at end of file diff --git a/helm-charts/templates/data-plane/gateway-components/common-controller/common-controller-sts-shared-auth-key.yaml b/helm-charts/templates/data-plane/gateway-components/common-controller/common-controller-sts-shared-auth-key.yaml index f6dfecf99..3a2cb0912 100644 --- a/helm-charts/templates/data-plane/gateway-components/common-controller/common-controller-sts-shared-auth-key.yaml +++ b/helm-charts/templates/data-plane/gateway-components/common-controller/common-controller-sts-shared-auth-key.yaml 
@@ -1,3 +1,5 @@ +{{- if or .Values.wso2.apk.dp.enabled .Values.wso2.apk.cp.enabled }} + # Copyright (c) 2023, WSO2 LLC. (https://www.wso2.com) All Rights Reserved. # # WSO2 LLC. licenses this file to you under the Apache License, @@ -22,3 +24,4 @@ metadata: name: {{ template "apk-helm.resource.prefix" . }}-sts-shared-auth-key namespace: {{ .Release.Namespace }} type: Opaque +{{- end -}} \ No newline at end of file diff --git a/helm-charts/templates/data-plane/gateway-components/gateway-runtime/prometheus-jmx-configmap.yaml b/helm-charts/templates/data-plane/gateway-components/gateway-runtime/prometheus-jmx-configmap.yaml index 4f45e2d4f..b7d676e47 100644 --- a/helm-charts/templates/data-plane/gateway-components/gateway-runtime/prometheus-jmx-configmap.yaml +++ b/helm-charts/templates/data-plane/gateway-components/gateway-runtime/prometheus-jmx-configmap.yaml @@ -1,3 +1,4 @@ +{{- if and .Values.wso2.apk.metrics .Values.wso2.apk.metrics.enabled }} # Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com) All Rights Reserved. # # WSO2 LLC. licenses this file to you under the Apache License, @@ -44,4 +45,5 @@ data: name: os_$1 help: Operating System $1 attrNameSnakeCase: true - type: GAUGE \ No newline at end of file + type: GAUGE +{{- end -}} \ No newline at end of file diff --git a/helm-charts/templates/idp/idp-ds/idp-ds-prometheus-jmx-configmap.yaml b/helm-charts/templates/idp/idp-ds/idp-ds-prometheus-jmx-configmap.yaml index 773615b87..5bd061472 100644 --- a/helm-charts/templates/idp/idp-ds/idp-ds-prometheus-jmx-configmap.yaml +++ b/helm-charts/templates/idp/idp-ds/idp-ds-prometheus-jmx-configmap.yaml @@ -1,3 +1,4 @@ +{{- if and .Values.wso2.apk.metrics .Values.wso2.apk.metrics.enabled }} # Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com) All Rights Reserved. # # WSO2 LLC. licenses this file to you under the Apache License, @@ -29,3 +30,4 @@ data: help: Operating System $1 attrNameSnakeCase: true type: GAUGE +{{- end -}} \ No newline at end of file 
diff --git a/helm-charts/values.yaml.template b/helm-charts/values.yaml.template index f4e122a11..3d562d2c0 100644 --- a/helm-charts/values.yaml.template +++ b/helm-charts/values.yaml.template @@ -353,8 +353,6 @@ wso2: level: "INFO" # -- Log format can be "JSON", "TEXT" logFormat: "TEXT" - - type ratelimiter: # -- Enable the deployment of the Rate Limiter enabled: true @@ -889,3 +887,6 @@ redis: auth: # -- Enable password authentication enabled: false + +# -- Skip generate of CRD templates +skipCrds: false diff --git a/helm-charts/version-upgrade-values.yaml b/helm-charts/version-upgrade-values.yaml new file mode 100644 index 000000000..a405606fc --- /dev/null +++ b/helm-charts/version-upgrade-values.yaml @@ -0,0 +1,48 @@ +# Copyright (c) 2024, WSO2 LLC. (https://www.wso2.com) All Rights Reserved. +# +# WSO2 LLC. licenses this file to you under the Apache License, +# Version 2.0 (the "License"); you may not use this file except +# in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +wso2: + apk: + cp: + enabled: false + webhooks: + validatingwebhookconfigurations: false + mutatingwebhookconfigurations: false + auth: + enabled: false + enableServiceAccountCreation: false + enableClusterRoleCreation: false + dp: + enabled: false + +idp: + enabled: false + +gatewaySystem: + enabled: false + enableServiceAccountCreation: false + enableClusterRoleCreation: false + +certmanager: + enabled: false + enableClusterIssuer: false + enableRootCa: false + +postgresql: + enabled: false + +redis: + enabled: false From 8e8879d0e5f1ec390b1f2108e1927f4d531db461 Mon Sep 17 00:00:00 2001 
From: Pubudu Gunatilaka Date: Sat, 30 Mar 2024 20:07:14 +0530 Subject: [PATCH 2/3] Add in-place upgrade for APK upgrading --- helm-charts/README.md | 1 + helm-charts/Version-Upgrade.md | 28 +- ...e-values.yaml => crds-upgrade-values.yaml} | 1 + helm-charts/in-place-upgrade-values.yaml | 408 ++++++++++++++++++ .../adapter-server-certificate.yaml | 2 +- .../common-controller-server-certificate.yaml | 2 +- .../config-deployer-server-certificate.yaml | 2 +- .../enforcer-server-certificate.yaml | 2 +- .../gateway-server-certificate.yaml | 2 +- .../certificates/gw-listener-certificate.yaml | 2 +- .../idp-listener-certificate.yaml | 2 +- .../certificates/idp-server-certificate.yaml | 2 +- .../idp-ui-server-certificate.yaml | 2 +- .../localhost-listener-certificate.yaml | 2 +- .../ratelimiter-server-certificate.yaml | 2 +- .../runtime-domain-server-certificate.yaml | 2 +- .../system-api-listener-certificate.yaml | 2 +- .../webhook-server-certificate.yaml | 2 +- .../issuers/self-signed-issuer.yaml | 2 +- .../config-deployer/config-ds-configmap.yaml | 11 +- .../config-deployer/config-ds-deployment.yaml | 9 + .../data-plane/gateway-api/gateway-api.yaml | 4 + .../gateway-components/adapter/gateway.yaml | 2 +- .../idp/idp-ds/idp-ds-deployment.yaml | 9 + .../templates/postgres/initdb-conf.yaml | 2 +- helm-charts/values.yaml | 3 +- helm-charts/values.yaml.template | 2 +- idp/idp-domain-service/docker/Dockerfile | 1 + idp/idp-domain-service/docker/idp/idp.sh | 8 +- .../config-deployer-service/docker/Dockerfile | 1 + .../docker/config-deployer/config.sh | 8 +- 31 files changed, 501 insertions(+), 27 deletions(-) rename helm-charts/{version-upgrade-values.yaml => crds-upgrade-values.yaml} (97%) create mode 100644 helm-charts/in-place-upgrade-values.yaml diff --git a/helm-charts/README.md b/helm-charts/README.md index bd5e3c383..0c0088342 100644 --- a/helm-charts/README.md +++ b/helm-charts/README.md 
@@ -317,6 +317,7 @@ A Helm chart for APK components | gatewaySystem.enableServiceAccountCreation | bool | `true` | | | gatewaySystem.enableClusterRoleCreation | bool | `true` | | | gatewaySystem.serviceAccountName | string | `"gateway-api-admission"` | | +| gatewaySystem.applyGatewayWehbhookJobs | bool | `true` | | | certmanager.enabled | bool | `true` | Enable certificate manager to generate certificates | | certmanager.enableClusterIssuer | bool | `true` | Enable cluster issuer to generate certificates | | certmanager.enableRootCa | bool | `true` | Enable root CA to generate certificates | diff --git a/helm-charts/Version-Upgrade.md b/helm-charts/Version-Upgrade.md index fd96a0725..a320bd1ed 100644 --- a/helm-charts/Version-Upgrade.md +++ b/helm-charts/Version-Upgrade.md 
@@ -1,3 +1,27 @@ -# Version Upgrade APK +# Updating APK Version -helm template test . -f version-upgrade-values.yaml && helm show crds . > t.yaml \ No newline at end of file +This guide outlines the process of upgrading from APK v1.0.0 installation to APK v1.1.0 installation. + +## In-Place Upgrade + +The in-place upgrade process transitions your existing APK v1.0.0 installation to APK v1.1.0. Prior to implementing these steps in a production environment, it is advised to apply and validate them in lower environments. + +- Ensure APK v1.0.0 is currently installed in the cluster. + + **Note:** The steps provided below assume that APK v1.0.0 is installed in the `default` namespace under the release name `apk`. Replace the dot (.) with the appropriate APK v1.1.0 Helm chart name and version, which is `wso2apk/apk-helm --version 1.1.0`. + +- Install/Update CRDs for APK v1.1.0. + + ```bash + (helm template apk . -f crds-upgrade-values.yaml -n default && helm show crds .) > apk-v1.1.0-crds.yaml + + kubectl apply -f apk-v1.1.0-crds.yaml + ``` + +- Upgrade the existing APK v1.0.0 installation to APK v1.1.0. + + ```bash + helm upgrade --reuse-values apk . -f ./in-place-upgrade-values.yaml --set skipCrds=true + ``` + +These steps will seamlessly transition your APK installation to the latest version, ensuring continued functionality and compatibility. \ No newline at end of file diff --git a/helm-charts/version-upgrade-values.yaml b/helm-charts/crds-upgrade-values.yaml similarity index 97% rename from helm-charts/version-upgrade-values.yaml rename to helm-charts/crds-upgrade-values.yaml index a405606fc..b91ebdbf8 100644 --- a/helm-charts/version-upgrade-values.yaml +++ b/helm-charts/crds-upgrade-values.yaml @@ -35,6 +35,7 @@ gatewaySystem: enabled: false enableServiceAccountCreation: false enableClusterRoleCreation: false + applyGatewayWehbhookJobs: false certmanager: enabled: false 
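Review bot: The new key `applyGatewayWehbhookJobs` misspells "webhook", and this patch carries the same spelling into the README row (which has no description) and into in-place-upgrade-values.yaml, so it becomes part of the chart's values contract the moment 1.1.0 ships and can then only be renamed behind a deprecation alias. Fix it now as `applyGatewayWebhookJobs: false` in all three places and give the README row a description; something like "Run the Gateway API admission webhook install jobs; set to false when the webhooks already exist, e.g. during an in-place upgrade" fits how the upgrade values use it, though the template that consumes the flag is not in this diff, so confirm the wording against it.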
diff --git a/helm-charts/in-place-upgrade-values.yaml b/helm-charts/in-place-upgrade-values.yaml new file mode 100644 index 000000000..62afed313 --- /dev/null +++ b/helm-charts/in-place-upgrade-values.yaml 
@@ -0,0 +1,408 @@ +# Copyright (c) 2022, WSO2 LLC. (https://www.wso2.com) All Rights Reserved. +# +# WSO2 LLC. licenses this file to you under the Apache License, +# Version 2.0 (the "License"); you may not use this file except +# in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +wso2: + subscription: + imagePullSecrets: "" + + apk: + webhooks: + validatingwebhookconfigurations: true + mutatingwebhookconfigurations: true + auth: + enabled: true + enableServiceAccountCreation: true + enableClusterRoleCreation: true + serviceAccountName: wso2apk-platform + roleName: wso2apk-role + listener: + hostname: "api.am.wso2.com" + port: 9095 + # secretName: "idp-tls" + idp: + issuer: "https://idp.am.wso2.com/token" + usernameClaim: "sub" + organizationClaim: "organization" + groupsClaim: "groups" + consumerKeyClaim: "clientId" + # organizationResolver: "controlPlane" # controlplane,none + # tls: + # secretName: "wso2apk-idp-certificates" + # fileName: "idp.crt" + # signing: + # jwksEndpoint: "https://idp.am.wso2.com:9095/oauth2/jwks" + # secretName: "wso2apk-idp-signing" + # fileName: "idp.crt" + dp: + enabled: true + gateway: + name: default + listener: + hostname: "gw.wso2.com" + # secretName: "idp-tls" + # partitionServer: + # enabled: false + # host: "https://control-plane-wso2-apk-partition-server.control-plane.svc.cluster.local" + # serviceBasePath: "/api/publisher/v1" + # partitionName: "default" + # hostnameVerificationEnable: true + # tls: + # secretName: "partition-server-cert" + # fileName: "certificate.crt" + # headers: + # - name: "apiKey" + # value: "123-456-789" + 
configdeployer: + enabled: true + deployment: + + resources: + requests: + memory: "512Mi" + cpu: "200m" + limits: + memory: "1024Mi" + cpu: "500m" + readinessProbe: + initialDelaySeconds: 20 + periodSeconds: 20 + failureThreshold: 5 + livenessProbe: + initialDelaySeconds: 20 + periodSeconds: 20 + failureThreshold: 5 + strategy: RollingUpdate + replicas: 1 + imagePullPolicy: Always + image: wso2/apk-config-deployer-service:latest + # configs: + # tls: + # secretName: "my-secret" + # certKeyFilename: "tls.key" + # certFilename: "certchain.crt" + adapter: + deployment: + resources: + requests: + memory: "64Mi" + cpu: "50m" + limits: + memory: "128Mi" + cpu: "200m" + readinessProbe: + initialDelaySeconds: 20 + periodSeconds: 20 + failureThreshold: 5 + livenessProbe: + initialDelaySeconds: 20 + periodSeconds: 20 + failureThreshold: 5 + strategy: RollingUpdate + replicas: 1 + imagePullPolicy: Always + image: wso2/apk-adapter:latest + security: + sslHostname: "adapter" + # logging: + # level: "INFO" # LogLevels can be "DEBG", "FATL", "ERRO", "WARN", "INFO", "PANC" + # # logFormat: "TEXT" # Values can be "JSON", "TEXT" + # configs: + # apiNamespaces: + # - "apk-v12" + # tls: + # secretName: "adapter-cert" + # certKeyFilename: "" + # certFilename: "" + commonController: + deployment: + resources: + requests: + memory: "64Mi" + cpu: "50m" + limits: + memory: "128Mi" + cpu: "200m" + readinessProbe: + initialDelaySeconds: 20 + periodSeconds: 20 + failureThreshold: 5 + livenessProbe: + initialDelaySeconds: 20 + periodSeconds: 20 + failureThreshold: 5 + strategy: RollingUpdate + replicas: 1 + imagePullPolicy: Always + image: wso2/apk-common-controller:latest + security: + sslHostname: "commoncontroller" +# controlplane: +# enabled: true +# host: "apim-apk-agent-service.apk.svc.cluster.local" +# skipSSLVerification: true + # configs: + # apiNamespaces: + # - "apk-v12" + ratelimiter: + enabled: true + deployment: + resources: + requests: + memory: "64Mi" + cpu: "50m" + limits: + 
memory: "128Mi" + cpu: "100m" + readinessProbe: + initialDelaySeconds: 20 + periodSeconds: 20 + failureThreshold: 5 + livenessProbe: + initialDelaySeconds: 20 + periodSeconds: 20 + failureThreshold: 5 + strategy: RollingUpdate + replicas: 1 + imagePullPolicy: Always + image: wso2/apk-ratelimiter:latest + security: + sslHostname: "ratelimiter" + # configs: + # tls: + # secretName: "ratelimiter-cert" + # certKeyFilename: "" + # certFilename: "" + # certCAFilename: "" + gatewayRuntime: + deployment: + replicas: 1 + router: + resources: + requests: + memory: "128Mi" + cpu: "200m" + limits: + memory: "1028Mi" + cpu: "1000m" + readinessProbe: + initialDelaySeconds: 20 + periodSeconds: 20 + failureThreshold: 5 + livenessProbe: + initialDelaySeconds: 20 + periodSeconds: 20 + failureThreshold: 5 + strategy: RollingUpdate + imagePullPolicy: Always + image: wso2/apk-router:latest + # configs: + # tls: + # secretName: "router-cert" + # certKeyFilename: "" + # certFilename: "" + # logging: + # wireLogs: + # enable: true + # accessLogs: + # enable: true + # env: + # TRAILING_ARGS: "--log-level trace" + enforcer: + resources: + requests: + memory: "512Mi" + cpu: "500m" + limits: + memory: "1028Mi" + cpu: "1000m" + readinessProbe: + initialDelaySeconds: 20 + periodSeconds: 20 + failureThreshold: 5 + livenessProbe: + initialDelaySeconds: 20 + periodSeconds: 20 + failureThreshold: 5 + strategy: RollingUpdate + imagePullPolicy: Always + image: wso2/apk-enforcer:latest + security: + sslHostname: "enforcer" +# logging: +# level: DEBUG +# configs: +# tls: +# secretName: "router-cert" +# certKeyFilename: "" +# certFilename: "" +# JWKSClient: +# skipSSLVerification: false +# hostnameVerifier: "AllowAll" + + metrics: + enabled: false + # configDSBalHost: 0.0.0.0 + # idpDSBalHost: 0.0.0.0 + # statsd: + # image: + # repository: prom/statsd-exporter + # tag: v0.26.0 + # imagePullPolicy: IfNotPresent + # resources: + # limits: + # memory: 128Mi + # requests: + # cpu: 0.1 + # memory: 64Mi +idp: 
+ enabled: true + listener: + hostname: "idp.am.wso2.com" + # secretName: "idp-tls" + database: + driver: "org.postgresql.Driver" + url: "jdbc:postgresql://wso2apk-db-service:5432/WSO2AM_DB" + host: "wso2apk-db-service" + port: 5432 + databaseName: "WSO2AM_DB" + username: "wso2carbon" + secretName: "apk-db-secret" + secretKey: "DB_PASSWORD" + validationQuery: "SELECT 1" + validationTimeout: 250 + idpds: + configs: + issuer: "https://idp.am.wso2.com/token" + keyId: "gateway_certificate_alias" + hostname: "idp.am.wso2.com" + loginPageURl: "https://idp.am.wso2.com:9095/authenticationEndpoint/login" + loginErrorPageUrl: "https://idp.am.wso2.com:9095/authenticationEndpoint/error" + loginCallBackURl: "https://idp.am.wso2.com:9095/authenticationEndpoint/login-callback" + deployment: + resources: + requests: + memory: "512Mi" + cpu: "200m" + limits: + memory: "1024Mi" + cpu: "500m" + readinessProbe: + initialDelaySeconds: 20 + periodSeconds: 20 + failureThreshold: 5 + livenessProbe: + initialDelaySeconds: 20 + periodSeconds: 20 + failureThreshold: 5 + strategy: RollingUpdate + replicas: 1 + imagePullPolicy: Always + image: wso2/apk-idp-domain-service:latest + idpui: + deployment: + resources: + requests: + memory: "64Mi" + cpu: "50m" + limits: + memory: "256Mi" + cpu: "100m" + readinessProbe: + initialDelaySeconds: 20 + periodSeconds: 20 + failureThreshold: 5 + livenessProbe: + initialDelaySeconds: 20 + periodSeconds: 20 + failureThreshold: 5 + strategy: RollingUpdate + replicas: 1 + imagePullPolicy: Always + image: wso2/apk-idp-ui:latest + configs: + idpLoginUrl: "https://idp.am.wso2.com:9095/commonauth/login" + idpAuthCallBackUrl: "https://idp.am.wso2.com:9095/oauth2/auth-callback" + +gatewaySystem: + enabled: true + enableServiceAccountCreation: true + enableClusterRoleCreation: true + serviceAccountName: gateway-api-admission + applyGatewayWehbhookJobs: false + +certmanager: + enabled: true + enableClusterIssuer: true + enableRootCa: true + rootCaSecretName: 
"apk-root-certificate" + +postgresql: + enabled: true + fullnameOverride: "wso2apk-db-service" + auth: + database: WSO2AM_DB + postgresPassword: wso2carbon + username: wso2carbon + password: wso2carbon + primary: + extendedConfiguration: | + max_connections = 400 + initdb: + scriptsConfigMap: postgres-initdb-scripts-configmap + user: wso2carbon + password: wso2carbon + service: + ports: + postgresql: 5432 + podSecurityContext: + enabled: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + containerSecurityContext: + enabled: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + runAsUser: null + + image: + debug: true + +redis: + enabled: true + architecture: standalone + fullnameOverride: redis + primary: + service: + ports: + redis: 6379 + master: + podSecurityContext: + enabled: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + containerSecurityContext: + enabled: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + runAsUser: null + auth: + enabled: false + image: + debug: true diff --git a/helm-charts/templates/cert-manager/certificates/adapter-server-certificate.yaml b/helm-charts/templates/cert-manager/certificates/adapter-server-certificate.yaml index d0d5ef6c9..264fbf7bd 100644 --- a/helm-charts/templates/cert-manager/certificates/adapter-server-certificate.yaml +++ b/helm-charts/templates/cert-manager/certificates/adapter-server-certificate.yaml @@ -37,7 +37,7 @@ spec: {{ if .Values.certmanager.servers -}} name: {{ .Values.certmanager.servers.issuerName | default "selfsigned-issuer" }} {{- else -}} - name: "selfsigned-issuer" + name: {{ template "apk-helm.resource.prefix" . }}-selfsigned-issuer {{- end }} secretName: {{ template "apk-helm.resource.prefix" . }}-adapter-server-cert {{- end -}} 
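Review bot: The fallback `default "selfsigned-issuer"` on the `issuerName` context line just above the change still names the unprefixed issuer, while this commit renames the ClusterIssuer itself to `{{ template "apk-helm.resource.prefix" . }}-selfsigned-issuer` (self-signed-issuer.yaml hunk further down). With `certmanager.servers` set but `issuerName` omitted, the Certificate references an issuer that no longer exists and is never issued, so the component starts without its TLS secret. The same stale default sits in every certificate hunk that follows (common-controller, config-deployer, enforcer, gateway, gw-listener, idp-listener, idp-server, idp-ui, localhost-listener, ratelimiter, runtime-domain, system-api-listener, webhook-server), via `.Values.certmanager.servers.issuerName` or `.Values.certmanager.listeners.issuerName`. Computing the name once, e.g. `{{- $issuer := printf "%s-selfsigned-issuer" (include "apk-helm.resource.prefix" .) }}`, and using `default $issuer` in both branches keeps the two paths in step.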
diff --git a/helm-charts/templates/cert-manager/certificates/common-controller-server-certificate.yaml b/helm-charts/templates/cert-manager/certificates/common-controller-server-certificate.yaml index 37c7e76ba..3fe1cc388 100644 --- a/helm-charts/templates/cert-manager/certificates/common-controller-server-certificate.yaml +++ b/helm-charts/templates/cert-manager/certificates/common-controller-server-certificate.yaml @@ -37,7 +37,7 @@ spec: {{ if .Values.certmanager.servers -}} name: {{ .Values.certmanager.servers.issuerName | default "selfsigned-issuer" }} {{- else -}} - name: "selfsigned-issuer" + name: {{ template "apk-helm.resource.prefix" . }}-selfsigned-issuer {{- end }} secretName: {{ template "apk-helm.resource.prefix" . }}-common-controller-server-cert {{- end -}} diff --git a/helm-charts/templates/cert-manager/certificates/config-deployer-server-certificate.yaml b/helm-charts/templates/cert-manager/certificates/config-deployer-server-certificate.yaml index 9f3411769..4a33b3675 100644 --- a/helm-charts/templates/cert-manager/certificates/config-deployer-server-certificate.yaml +++ b/helm-charts/templates/cert-manager/certificates/config-deployer-server-certificate.yaml @@ -37,7 +37,7 @@ spec: {{ if .Values.certmanager.servers -}} name: {{ .Values.certmanager.servers.issuerName | default "selfsigned-issuer" }} {{- else -}} - name: "selfsigned-issuer" + name: {{ template "apk-helm.resource.prefix" . }}-selfsigned-issuer {{- end }} secretName: {{ template "apk-helm.resource.prefix" . }}-config-ds-server-cert {{- end -}} diff --git a/helm-charts/templates/cert-manager/certificates/enforcer-server-certificate.yaml b/helm-charts/templates/cert-manager/certificates/enforcer-server-certificate.yaml index b52002d2c..92887d659 100644 --- a/helm-charts/templates/cert-manager/certificates/enforcer-server-certificate.yaml +++ b/helm-charts/templates/cert-manager/certificates/enforcer-server-certificate.yaml 
@@ -37,7 +37,7 @@ spec: {{ if .Values.certmanager.servers -}} name: {{ .Values.certmanager.servers.issuerName | default "selfsigned-issuer" }} {{- else -}} - name: "selfsigned-issuer" + name: {{ template "apk-helm.resource.prefix" . }}-selfsigned-issuer {{- end }} secretName: {{ template "apk-helm.resource.prefix" . }}-enforcer-server-cert {{- end -}} diff --git a/helm-charts/templates/cert-manager/certificates/gateway-server-certificate.yaml b/helm-charts/templates/cert-manager/certificates/gateway-server-certificate.yaml index a187729ca..3171c1ce8 100644 --- a/helm-charts/templates/cert-manager/certificates/gateway-server-certificate.yaml +++ b/helm-charts/templates/cert-manager/certificates/gateway-server-certificate.yaml @@ -37,7 +37,7 @@ spec: {{ if .Values.certmanager.servers -}} name: {{ .Values.certmanager.servers.issuerName | default "selfsigned-issuer" }} {{- else -}} - name: "selfsigned-issuer" + name: {{ template "apk-helm.resource.prefix" . }}-selfsigned-issuer {{- end }} secretName: {{ template "apk-helm.resource.prefix" . }}-gateway-server-cert {{- end -}} diff --git a/helm-charts/templates/cert-manager/certificates/gw-listener-certificate.yaml b/helm-charts/templates/cert-manager/certificates/gw-listener-certificate.yaml index 751e94101..509a2b3c7 100644 --- a/helm-charts/templates/cert-manager/certificates/gw-listener-certificate.yaml +++ b/helm-charts/templates/cert-manager/certificates/gw-listener-certificate.yaml @@ -31,7 +31,7 @@ spec: {{ if .Values.certmanager.listeners -}} name: {{ .Values.certmanager.listeners.issuerName | default "selfsigned-issuer" }} {{- else -}} - name: "selfsigned-issuer" + name: {{ template "apk-helm.resource.prefix" . }}-selfsigned-issuer {{- end }} secretName: {{ template "apk-helm.resource.prefix" . }}-gw-listener-cert {{- end -}} 
diff --git a/helm-charts/templates/cert-manager/certificates/idp-listener-certificate.yaml b/helm-charts/templates/cert-manager/certificates/idp-listener-certificate.yaml index f84e3a86a..f797b7776 100644 --- a/helm-charts/templates/cert-manager/certificates/idp-listener-certificate.yaml +++ b/helm-charts/templates/cert-manager/certificates/idp-listener-certificate.yaml @@ -32,7 +32,7 @@ spec: {{ if .Values.certmanager.listeners -}} name: {{ .Values.certmanager.listeners.issuerName | default "selfsigned-issuer" }} {{- else -}} - name: "selfsigned-issuer" + name: {{ template "apk-helm.resource.prefix" . }}-selfsigned-issuer {{- end }} secretName: {{ template "apk-helm.resource.prefix" . }}-idp-listener-cert {{- end -}} diff --git a/helm-charts/templates/cert-manager/certificates/idp-server-certificate.yaml b/helm-charts/templates/cert-manager/certificates/idp-server-certificate.yaml index cb49548fc..1017d6731 100644 --- a/helm-charts/templates/cert-manager/certificates/idp-server-certificate.yaml +++ b/helm-charts/templates/cert-manager/certificates/idp-server-certificate.yaml @@ -37,7 +37,7 @@ spec: {{ if .Values.certmanager.servers -}} name: {{ .Values.certmanager.servers.issuerName | default "selfsigned-issuer" }} {{- else -}} - name: "selfsigned-issuer" + name: {{ template "apk-helm.resource.prefix" . }}-selfsigned-issuer {{- end }} secretName: {{ template "apk-helm.resource.prefix" . }}-idp-ds-server-cert {{- end -}} diff --git a/helm-charts/templates/cert-manager/certificates/idp-ui-server-certificate.yaml b/helm-charts/templates/cert-manager/certificates/idp-ui-server-certificate.yaml index 615eea64d..be6bc5acc 100644 --- a/helm-charts/templates/cert-manager/certificates/idp-ui-server-certificate.yaml +++ b/helm-charts/templates/cert-manager/certificates/idp-ui-server-certificate.yaml 
@@ -37,7 +37,7 @@ spec: {{ if .Values.certmanager.servers -}} name: {{ .Values.certmanager.servers.issuerName | default "selfsigned-issuer" }} {{- else -}} - name: "selfsigned-issuer" + name: {{ template "apk-helm.resource.prefix" . }}-selfsigned-issuer {{- end }} secretName: {{ template "apk-helm.resource.prefix" . }}-idp-ui-server-cert {{- end -}} diff --git a/helm-charts/templates/cert-manager/certificates/localhost-listener-certificate.yaml b/helm-charts/templates/cert-manager/certificates/localhost-listener-certificate.yaml index 59119c08f..5063ec4cf 100644 --- a/helm-charts/templates/cert-manager/certificates/localhost-listener-certificate.yaml +++ b/helm-charts/templates/cert-manager/certificates/localhost-listener-certificate.yaml @@ -31,7 +31,7 @@ spec: {{ if .Values.certmanager.servers -}} name: {{ .Values.certmanager.servers.issuerName | default "selfsigned-issuer" }} {{- else -}} - name: "selfsigned-issuer" + name: {{ template "apk-helm.resource.prefix" . }}-selfsigned-issuer {{- end }} secretName: {{ template "apk-helm.resource.prefix" . }}-localhost-listener-cert {{- end -}} diff --git a/helm-charts/templates/cert-manager/certificates/ratelimiter-server-certificate.yaml b/helm-charts/templates/cert-manager/certificates/ratelimiter-server-certificate.yaml index 158e4db28..3c3b0475d 100644 --- a/helm-charts/templates/cert-manager/certificates/ratelimiter-server-certificate.yaml +++ b/helm-charts/templates/cert-manager/certificates/ratelimiter-server-certificate.yaml @@ -37,7 +37,7 @@ spec: {{ if .Values.certmanager.servers -}} name: {{ .Values.certmanager.servers.issuerName | default "selfsigned-issuer" }} {{- else -}} - name: "selfsigned-issuer" + name: {{ template "apk-helm.resource.prefix" . }}-selfsigned-issuer {{- end }} secretName: {{ template "apk-helm.resource.prefix" . }}-ratelimiter-server-cert {{- end -}} 
diff --git a/helm-charts/templates/cert-manager/certificates/runtime-domain-server-certificate.yaml b/helm-charts/templates/cert-manager/certificates/runtime-domain-server-certificate.yaml index 9c92767ba..83b442579 100644 --- a/helm-charts/templates/cert-manager/certificates/runtime-domain-server-certificate.yaml +++ b/helm-charts/templates/cert-manager/certificates/runtime-domain-server-certificate.yaml @@ -37,7 +37,7 @@ spec: {{ if .Values.certmanager.servers -}} name: {{ .Values.certmanager.servers.issuerName | default "selfsigned-issuer" }} {{- else -}} - name: "selfsigned-issuer" + name: {{ template "apk-helm.resource.prefix" . }}-selfsigned-issuer {{- end }} secretName: {{ template "apk-helm.resource.prefix" . }}-runtime-ds-server-cert {{- end -}} diff --git a/helm-charts/templates/cert-manager/certificates/system-api-listener-certificate.yaml b/helm-charts/templates/cert-manager/certificates/system-api-listener-certificate.yaml index 9277e1846..be83de81c 100644 --- a/helm-charts/templates/cert-manager/certificates/system-api-listener-certificate.yaml +++ b/helm-charts/templates/cert-manager/certificates/system-api-listener-certificate.yaml @@ -32,7 +32,7 @@ spec: {{ if .Values.certmanager.listeners -}} name: {{ .Values.certmanager.listeners.issuerName | default "selfsigned-issuer" }} {{- else -}} - name: "selfsigned-issuer" + name: {{ template "apk-helm.resource.prefix" . }}-selfsigned-issuer {{- end }} secretName: {{ template "apk-helm.resource.prefix" . }}-system-api-listener-cert {{- end -}} diff --git a/helm-charts/templates/cert-manager/certificates/webhook-server-certificate.yaml b/helm-charts/templates/cert-manager/certificates/webhook-server-certificate.yaml index 9dff750b5..63da23056 100644 --- a/helm-charts/templates/cert-manager/certificates/webhook-server-certificate.yaml +++ b/helm-charts/templates/cert-manager/certificates/webhook-server-certificate.yaml 
@@ -32,7 +32,7 @@ spec: {{ if .Values.certmanager.servers -}} name: {{ .Values.certmanager.servers.issuerName | default "selfsigned-issuer" }} {{- else -}} - name: "selfsigned-issuer" + name: {{ template "apk-helm.resource.prefix" . }}-selfsigned-issuer {{- end }} secretName: {{ template "apk-helm.resource.prefix" . }}-webhook-server-cert {{- end -}} diff --git a/helm-charts/templates/cert-manager/issuers/self-signed-issuer.yaml b/helm-charts/templates/cert-manager/issuers/self-signed-issuer.yaml index 746617d26..85adf9636 100644 --- a/helm-charts/templates/cert-manager/issuers/self-signed-issuer.yaml +++ b/helm-charts/templates/cert-manager/issuers/self-signed-issuer.yaml @@ -17,7 +17,7 @@ apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: - name: selfsigned-issuer + name: {{ template "apk-helm.resource.prefix" . }}-selfsigned-issuer spec: ca: secretName: {{.Values.certmanager.rootCaSecretName}} diff --git a/helm-charts/templates/data-plane/config-deployer/config-ds-configmap.yaml b/helm-charts/templates/data-plane/config-deployer/config-ds-configmap.yaml index bf2f22fb3..30d074d21 100644 --- a/helm-charts/templates/data-plane/config-deployer/config-ds-configmap.yaml +++ b/helm-charts/templates/data-plane/config-deployer/config-ds-configmap.yaml @@ -28,15 +28,18 @@ data: traceLogConsole = false {{if and .Values.wso2.apk.metrics .Values.wso2.apk.metrics.enabled}} [ballerina.observe] - metricsEnabled=true - metricsReporter="prometheus" + metricsEnabled = true + metricsReporter = "prometheus" [ballerinax.prometheus] port=18006 {{if .Values.wso2.apk.metrics.configDSBalHost}} - host="{{ .Values.wso2.apk.metrics.configDSBalHost}}" + host = "{{ .Values.wso2.apk.metrics.configDSBalHost}}" {{else}} - host="0.0.0.0" + host = "0.0.0.0" {{end}} + {{else}} + [ballerina.observe] + metricsEnabled = false {{end}} [wso2.config_deployer_service.keyStores.tls] keyFilePath = "/home/wso2apk/config-deployer/security/config.key" 
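Review bot: In the config-ds-configmap hunk, `port=18006` is the one key in the touched `[ballerinax.prometheus]` block left without spaces around `=` after `metricsEnabled`, `metricsReporter` and `host` were normalised to `key = value`; `port = 18006` would make the block consistent. The added `{{else}}` branch that writes `metricsEnabled = false` is the right complement to the Dockerfile default of `METRICS_ENABLED=false` later in this patch.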
diff --git a/helm-charts/templates/data-plane/config-deployer/config-ds-deployment.yaml b/helm-charts/templates/data-plane/config-deployer/config-ds-deployment.yaml index 09db2721f..8108175a3 100644 --- a/helm-charts/templates/data-plane/config-deployer/config-ds-deployment.yaml +++ b/helm-charts/templates/data-plane/config-deployer/config-ds-deployment.yaml @@ -48,6 +48,11 @@ spec: - containerPort: 18007 protocol: "TCP" {{ end }} +{{ include "apk-helm.deployment.env" .Values.wso2.apk.dp.configdeployer.deployment.env | indent 10 }} + {{ if and .Values.wso2.apk.metrics .Values.wso2.apk.metrics.enabled }} + - name: METRICS_ENABLED + value: "true" + {{ end }} readinessProbe: httpGet: path: /health @@ -67,9 +72,11 @@ spec: - mountPath: /home/wso2apk/config-deployer/conf/Config.toml name: config-toml-volume subPath: Config.toml + {{- if and .Values.wso2.apk.metrics .Values.wso2.apk.metrics.enabled }} - name: prometheus-jmx-config-volume mountPath: /tmp/metrics/prometheus-jmx-config-configds.yml subPath: prometheus-jmx-config-configds.yml + {{- end }} - name: config-ds-tls-volume mountPath: /home/wso2apk/config-deployer/security/config.key {{- if and .Values.wso2.apk.dp.configdeployer.deployment.configs .Values.wso2.apk.dp.configdeployer.deployment.configs.tls }} @@ -114,9 +121,11 @@ spec: - name: config-toml-volume configMap: name: {{ template "apk-helm.resource.prefix" . }}-config-ds-configmap + {{- if and .Values.wso2.apk.metrics .Values.wso2.apk.metrics.enabled }} - name: prometheus-jmx-config-volume configMap: name: prometheus-jmx-config-configds + {{- end }} - name: config-ds-tls-volume secret: {{ if and .Values.wso2.apk.dp.configdeployer.deployment.configs .Values.wso2.apk.dp.configdeployer.deployment.configs.tls }} diff --git a/helm-charts/templates/data-plane/gateway-api/gateway-api.yaml b/helm-charts/templates/data-plane/gateway-api/gateway-api.yaml index afc1ba11b..66b2f0dba 100644 --- a/helm-charts/templates/data-plane/gateway-api/gateway-api.yaml 
+++ b/helm-charts/templates/data-plane/gateway-api/gateway-api.yaml @@ -192,6 +192,7 @@ subjects: name: gateway-api-admission namespace: {{ .Release.Namespace }} --- +{{ if and .Values.gatewaySystem .Values.gatewaySystem.applyGatewayWehbhookJobs}} apiVersion: batch/v1 kind: Job metadata: @@ -242,7 +243,9 @@ spec: runAsNonRoot: true seccompProfile: type: "RuntimeDefault" +{{ end }} --- +{{ if and .Values.gatewaySystem .Values.gatewaySystem.applyGatewayWehbhookJobs}} apiVersion: batch/v1 kind: Job metadata: @@ -295,4 +298,5 @@ spec: runAsNonRoot: true runAsUser: 2000 runAsGroup: 2000 +{{ end }} {{- end -}} \ No newline at end of file diff --git a/helm-charts/templates/data-plane/gateway-components/adapter/gateway.yaml b/helm-charts/templates/data-plane/gateway-components/adapter/gateway.yaml index 9d496f349..f90068d11 100644 --- a/helm-charts/templates/data-plane/gateway-components/adapter/gateway.yaml +++ b/helm-charts/templates/data-plane/gateway-components/adapter/gateway.yaml @@ -5,7 +5,7 @@ metadata: name: {{ .Values.wso2.apk.dp.gateway.name | default "wso2-apk-default" }} namespace: {{ .Release.Namespace }} annotations: - cert-manager.io/issuer: selfsigned-issuer + cert-manager.io/issuer: {{ template "apk-helm.resource.prefix" . }}-selfsigned-issuer spec: {{- if .Values.wso2.apk.dp.gatewayClass }} gatewayClassName: {{ .Values.wso2.apk.dp.gatewayClass.name | default "wso2-apk-default" }} diff --git a/helm-charts/templates/idp/idp-ds/idp-ds-deployment.yaml b/helm-charts/templates/idp/idp-ds/idp-ds-deployment.yaml index 466b4da4a..7ea0722d0 100644 --- a/helm-charts/templates/idp/idp-ds/idp-ds-deployment.yaml +++ b/helm-charts/templates/idp/idp-ds/idp-ds-deployment.yaml 
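Review bot: The new values key `applyGatewayWehbhookJobs` is misspelled (`Wehbhook` for `Webhook`), and because it becomes part of the chart's public values interface (values.yaml, values.yaml.template and the upgrade values file in this patch all carry the same spelling) correcting it later is a breaking change for users' override files; rename it to `applyGatewayWebhookJobs` before it ships. In the second and third hunks the `{{ end }}` lands before the `---` separator, so with the flag false the rendered output contains empty documents between separators; Helm tolerates that, but moving the `---` inside the conditional keeps the output clean. The enclosing `{{- if ... }}` closed by the final `{{- end -}}` begins outside the hunk.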
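Review bot: The rewritten annotation `cert-manager.io/issuer` selects a namespaced Issuer, but the resource it now points at is the `ClusterIssuer` renamed in self-signed-issuer.yaml in this same patch; cert-manager's Gateway annotation for a cluster-scoped issuer is `cert-manager.io/cluster-issuer`. Unless a namespaced Issuer with the same name also exists (none appears in this diff), the line should read `cert-manager.io/cluster-issuer: {{ template "apk-helm.resource.prefix" . }}-selfsigned-issuer`. The mismatch predates the change, but the line is being rewritten here and the rename is the moment to fix it.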
@@ -56,6 +56,11 @@ spec: protocol: "TCP" - containerPort: 18007 protocol: "TCP" + {{ end }} +{{ include "apk-helm.deployment.env" .Values.idp.idpds.deployment.env | indent 10 }} + {{ if and .Values.wso2.apk.metrics .Values.wso2.apk.metrics.enabled }} + - name: METRICS_ENABLED + value: "true" {{ end }} readinessProbe: httpGet: @@ -82,9 +87,11 @@ spec: - mountPath: /home/wso2apk/idp/security/wso2carbon.pem name: idp-signing-keystore-volume subPath: wso2carbon.pem + {{- if and .Values.wso2.apk.metrics .Values.wso2.apk.metrics.enabled }} - name: prometheus-jmx-config-volume mountPath: /tmp/metrics/prometheus-jmx-config-idpds.yml subPath: prometheus-jmx-config-idpds.yml + {{- end }} - name: idp-ds-tls-volume mountPath: /home/wso2apk/idp/security/idp.key {{- if and .Values.idp.idpds.configs .Values.idp.idpds.configs.tls }} @@ -120,9 +127,11 @@ spec: - name: config-toml-volume configMap: name: {{ template "apk-helm.resource.prefix" . }}-idp-ds-configmap + {{- if and .Values.wso2.apk.metrics .Values.wso2.apk.metrics.enabled }} - name: prometheus-jmx-config-volume configMap: name: prometheus-jmx-config-idpds + {{- end }} - name: idp-signing-keystore-volume secret: secretName: {{ template "apk-helm.resource.prefix" . }}-idp-signing-keystore-secret diff --git a/helm-charts/templates/postgres/initdb-conf.yaml b/helm-charts/templates/postgres/initdb-conf.yaml index e94313fc7..27fefd708 100644 --- a/helm-charts/templates/postgres/initdb-conf.yaml +++ b/helm-charts/templates/postgres/initdb-conf.yaml @@ -18,7 +18,7 @@ apiVersion: v1 kind: ConfigMap metadata: - name: postgres-initdb-scripts-configmap + name: {{ .Values.postgresql.primary.initdb.scriptsConfigMap }} namespace: {{ .Release.Namespace }} data: setup1.sql: | diff --git a/helm-charts/values.yaml b/helm-charts/values.yaml index 5ae28d7bd..0ca8fce49 100644 --- a/helm-charts/values.yaml +++ b/helm-charts/values.yaml 
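Review bot: In the initdb-conf.yaml hunk, `name: {{ .Values.postgresql.primary.initdb.scriptsConfigMap }}` renders an empty name whenever the value is unset (for example in an override file that replaces the `postgresql` block), which fails at apply time with an unhelpful validation error rather than at template time; use `name: {{ required "postgresql.primary.initdb.scriptsConfigMap must be set" .Values.postgresql.primary.initdb.scriptsConfigMap }}` or keep the old name as a fallback with `| default "postgres-initdb-scripts-configmap"`. The value is also what the Postgres subchart consumes via `scriptsConfigMap` in the values file, so a comment there noting that this ConfigMap template renders from the same key would help keep the two in step.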
@@ -339,7 +339,8 @@ gatewaySystem: enableServiceAccountCreation: true enableClusterRoleCreation: true serviceAccountName: gateway-api-admission - + applyGatewayWehbhookJobs: true + certmanager: enabled: true enableClusterIssuer: true diff --git a/helm-charts/values.yaml.template b/helm-charts/values.yaml.template index 3d562d2c0..9750b0a7e 100644 --- a/helm-charts/values.yaml.template +++ b/helm-charts/values.yaml.template @@ -780,7 +780,7 @@ gatewaySystem: enableServiceAccountCreation: true enableClusterRoleCreation: true serviceAccountName: gateway-api-admission - + applyGatewayWehbhookJobs: true certmanager: # -- Enable certificate manager to generate certificates diff --git a/idp/idp-domain-service/docker/Dockerfile b/idp/idp-domain-service/docker/Dockerfile index f07cf7498..2ae43f2e3 100644 --- a/idp/idp-domain-service/docker/Dockerfile +++ b/idp/idp-domain-service/docker/Dockerfile @@ -60,6 +60,7 @@ RUN set -eux; \ ENV JAVA_HOME=/opt/java/openjdk \ PATH="/opt/java/openjdk/bin:$PATH" +ENV METRICS_ENABLED=false ARG USER=wso2apk ARG USER_ID=10001 diff --git a/idp/idp-domain-service/docker/idp/idp.sh b/idp/idp-domain-service/docker/idp/idp.sh index dc8c6e8bc..33c97227a 100755 --- a/idp/idp-domain-service/docker/idp/idp.sh +++ b/idp/idp-domain-service/docker/idp/idp.sh @@ -97,11 +97,17 @@ if [ -z "$JVM_MEM_OPTS" ]; then fi echo "Using Java memory options: $JVM_MEM_OPTS" +JAVA_AGENT="" +if [ "$METRICS_ENABLED" = "true" ]; then + echo "METRICS_ENABLED is set to true." + JAVA_AGENT="-javaagent:/home/wso2apk/lib/jmx_prometheus_javaagent-0.20.0.jar=18007:/tmp/metrics/prometheus-jmx-config-idpds.yml" +fi + $JAVACMD \ $JVM_MEM_OPTS \ $JAVA_OPTS \ -classpath "$CLASSPATH" \ -Djava.io.tmpdir="$IDP_HOME/tmp" \ - -javaagent:/home/wso2apk/lib/jmx_prometheus_javaagent-0.20.0.jar=18007:/tmp/metrics/prometheus-jmx-config-idpds.yml \ + $JAVA_AGENT \ -jar idp_domain_service.jar $* status=$? 
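Review bot: In the idp.sh hunk, `$JAVA_AGENT \` is deliberately left unquoted so that an empty value disappears from the command line, whereas `"$JAVA_AGENT"` would pass an empty argument to the JVM; that is non-obvious enough to deserve a comment, e.g. `# intentionally unquoted: expands to nothing when METRICS_ENABLED is not "true"`. While this part of the command is being rewritten, the `$*` on the following `-jar` line should become `"$@"` so that arguments containing spaces reach the service intact. The same two points apply to the config.sh hunk that follows.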
diff --git a/runtime/config-deployer-service/docker/Dockerfile b/runtime/config-deployer-service/docker/Dockerfile index a7df67708..25c55b529 100644 --- a/runtime/config-deployer-service/docker/Dockerfile +++ b/runtime/config-deployer-service/docker/Dockerfile @@ -41,6 +41,7 @@ RUN set -eux; \ ENV JAVA_HOME=/opt/java/openjdk \ PATH="/opt/java/openjdk/bin:$PATH" +ENV METRICS_ENABLED=false ARG USER=wso2apk ARG USER_ID=10001 diff --git a/runtime/config-deployer-service/docker/config-deployer/config.sh b/runtime/config-deployer-service/docker/config-deployer/config.sh index 3d9253f7e..e80aecf5b 100644 --- a/runtime/config-deployer-service/docker/config-deployer/config.sh +++ b/runtime/config-deployer-service/docker/config-deployer/config.sh @@ -98,11 +98,17 @@ if [ -z "$JVM_MEM_OPTS" ]; then fi echo "Using Java memory options: $JVM_MEM_OPTS" +JAVA_AGENT="" +if [ "$METRICS_ENABLED" = "true" ]; then + echo "METRICS_ENABLED is set to true." + JAVA_AGENT="-javaagent:/home/wso2apk/lib/jmx_prometheus_javaagent-0.20.0.jar=18007:/tmp/metrics/prometheus-jmx-config-configds.yml" +fi + $JAVACMD \ $JVM_MEM_OPTS \ $JAVA_OPTS \ -classpath "$CLASSPATH" \ -Djava.io.tmpdir="$RUNTIME_HOME/tmp" \ - -javaagent:/home/wso2apk/lib/jmx_prometheus_javaagent-0.20.0.jar=18007:/tmp/metrics/prometheus-jmx-config-configds.yml \ + $JAVA_AGENT \ -jar config_deployer_service.jar $* status=$? From cc9d84baa8a477c5582c64a2f78e3ffa8365d9ad Mon Sep 17 00:00:00 2001 From: Pubudu Gunatilaka Date: Sun, 31 Mar 2024 11:36:16 +0530 Subject: [PATCH 3/3] Fix null pointer exception when getting jwt validator based on the issuer --- .../security/jwt/Oauth2Authenticator.java | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/Oauth2Authenticator.java b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/Oauth2Authenticator.java index 0c20eb00b..586ca8814 100644 
--- a/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/Oauth2Authenticator.java +++ b/gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/Oauth2Authenticator.java @@ -48,6 +48,7 @@ import org.wso2.apk.enforcer.security.jwt.validator.JWTValidator; import org.wso2.apk.enforcer.security.jwt.validator.RevokedJWTDataHolder; import org.wso2.apk.enforcer.subscription.SubscriptionDataHolder; +import org.wso2.apk.enforcer.subscription.SubscriptionDataStore; import org.wso2.apk.enforcer.server.RevokedTokenRedisClient; import org.wso2.apk.enforcer.tracing.TracingConstants; import org.wso2.apk.enforcer.tracing.TracingSpan; @@ -472,8 +473,21 @@ private JWTValidationInfo getJwtValidationInfo(String jwtToken, String organizat try { // Get issuer String issuer = jwtClaimsSet.getIssuer(); - JWTValidator jwtValidator = SubscriptionDataHolder.getInstance().getSubscriptionDataStore(organization) - .getJWTValidatorByIssuer(issuer, environment); + SubscriptionDataStore subscriptionDataStore = SubscriptionDataHolder.getInstance() + .getSubscriptionDataStore(organization); + if (subscriptionDataStore == null) { + throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), + APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, + APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE); + } + JWTValidator jwtValidator = subscriptionDataStore.getJWTValidatorByIssuer(issuer, environment); + // If no validator found for the issuer, we are not caching the token. + if (jwtValidator == null) { + throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), + APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, + APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE); + } + // If no validator found for the issuer, we are not caching the token. if (jwtValidator == null) { throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(),