charts/gateway/values.yaml

nameOverride: ""
fullnameOverride: ""
global:
  schedulerName:

# Use set file to place a Gateway license here
license:
  value:
  accept: false
  # existingSecretName: ssg-license

image:
  registry: docker.io
  repository: caapim/gateway
  tag: 11.0.00
  pullPolicy: IfNotPresent

# If you are using a Hazelcast 3.x server then you need to set hazelcast.legacy.enabled=true
# and use the following Gateway image docker.io/caapim/gateway:10.1.00_20220802
# image:
#   registry: docker.io
#   repository: caapim/gateway
#   tag: 10.1.00_20220802
#   pullPolicy: IfNotPresent

# Set this if you would like to add an image pull secret directly to the Gateway deployment
# Alternatively, leave this disabled and reference a service account that has the image pull secret associated with it.
imagePullSecret:
  enabled: false
  # existingSecretName: private-registry-secret
  username:
  password:

# Additional Annotations apply to all deployed objects
additionalAnnotations: {}

# Additional Labels apply to all deployed objects
additionalLabels: {}

## Pod Labels for the Gateway Pod
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
podLabels: {}

# Pod Annotations apply to the Gateway Pod
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
podAnnotations: {}

serviceAccount:
  # name:
  create: true
# If pmtagger is enabled the Gateway Service Account will need to have
# list/patch permissions for Pods.
rbac:
  create: true

# Number of Gateways to deploy
replicas: 1
# Update strategy
updateStrategy:
  type: RollingUpdate
  rollingUpdate:
    maxSurge: 1
    maxUnavailable: 0

pmtagger:
  enabled: true
  replicas: 1
  image:
    registry: docker.io
    repository: layer7api/pm-tagger
    tag: 1.0.1
    pullPolicy: IfNotPresent
# Uses the image pull secret configured for the Gateway.
  imagePullSecret:
    enabled: false
  resources:
    requests:
      memory: 32Mi
      cpu: 200m
    limits:
      memory: 64Mi
      cpu: 250m
  ## Pod Labels for the PM Tagger Pod
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  podLabels: {}

  # Pod Annotations apply to the PM Tagger Pod
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  podAnnotations: {}

  # ref:https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  # nodeSelector: {}
  # affinity: {}

  # ref:https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/#spread-constraints-for-pods
  topologySpreadConstraints: []

  # ref:https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  tolerations: []

  # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  podSecurityContext: {}

  # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  containerSecurityContext: {}

# Override all lifecycle hooks. This will take precedence over the preStopScript section below.
lifecycleHooks: {}
  # postStart: {}
  # preStop: {}

# This preStop script checks for open connections and delays pod termination for the specified timeout seconds
# Enabling this mounts the script to /opt/docker/gracefulshutdown.sh and adds a preStop lifecycle hook to the Gateway Deployment
preStopScript:
  enabled: false        # Enable/Disable
  periodSeconds: 3      # Time between checks
  timeoutSeconds: 60    # Timeout - must be lower than terminationGracePeriodSeconds
  excludedPorts:
  - 2124
  - 8777

## terminationGracePeriodSeconds default duration in seconds kubernetes waits for container to exit before sending kill signal.
## Defaults to 30 if not set
# terminationGracePeriodSeconds: 90

# Configure autoscaling
# this makes use of autoscaling/v2beta2 and autoscaling/v2 for v1.23 and later
# Metrics server will need to be configured for this to work correctly
# most cloud vendors provide metrics server by default
# https://github.com/kubernetes-sigs/metrics-server
autoscaling:
  enabled: false
  hpa:
    minReplicas: 1
    maxReplicas: 3
    metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 60
    behavior:
      scaleDown:
        stabilizationWindowSeconds: 300
        policies:
        - type: Pods
          value: 1
          periodSeconds: 60
      scaleUp:
        stabilizationWindowSeconds: 0
        policies:
        - type: Percent
          value: 100
          periodSeconds: 15

resources:
  # There are no resource limits set by default, this is a consicious choice for the user and
  # increases the chance of these running on environments with fewer resources available
  # Remove the curly braces and uncomment cpu/memory to set.
  limits: {}
  #   cpu: 2000m
  #   memory: 4Gi
  requests: {}
  #   cpu: 2000m
  #   memory: 4Gi

config:
  # Heap Size should be a percentage of the memory configured in resource limits
  # by default it is 50% - you should not go above 75%
  heapSize: "2g"
  javaArgs:
    - -Dcom.l7tech.bootstrap.autoTrustSslKey=trustAnchor,TrustedFor.SSL,TrustedFor.SAML_ISSUER
    - -Dcom.l7tech.server.audit.message.saveToInternal=false
    - -Dcom.l7tech.server.audit.admin.saveToInternal=false
    - -Dcom.l7tech.server.audit.system.saveToInternal=false
    - -Dcom.l7tech.server.audit.log.format=json
    - -Djava.util.logging.config.file=/opt/SecureSpan/Gateway/node/default/etc/conf/log-override.properties
    - -Dcom.l7tech.server.pkix.useDefaultTrustAnchors=true
    - -Dcom.l7tech.security.ssl.hostAllowWildcard=true
  log:
    override: true
    properties: |-
      handlers = com.l7tech.server.log.GatewayRootLoggingHandler, com.l7tech.server.log.ConsoleMessageSink$L7ConsoleHandler
      com.l7tech.server.log.GatewayRootLoggingHandler.formatter = com.l7tech.util.JsonLogFormatter
      java.util.logging.SimpleFormatter.format=
      com.l7tech.server.log.ConsoleMessageSink$L7ConsoleHandler.formatter = com.l7tech.util.JsonLogFormatter
      com.l7tech.server.log.ConsoleMessageSink$L7ConsoleHandler.level = CONFIG
  cwp:
    enabled: false
    properties:
      - name: io.httpsHostAllowWildcard
        value: true
      - name: log.levels
        value: |
          com.l7tech.level = CONFIG
          com.l7tech.server.policy.variable.ServerVariables.level = SEVERE
          com.l7tech.external.assertions.odata.server.producer.jdbc.GenerateSqlQuery.level = SEVERE
          com.l7tech.server.policy.assertion.ServerSetVariableAssertion.level = SEVERE
          com.l7tech.external.assertions.comparison.server.ServerComparisonAssertion = SEVERE
      - name: audit.setDetailLevel.FINE
        value: 152 7101 7103 9648 9645 7026 7027 4155 150 4716 4114 6306 4100 9655 150 151 11000 4104
  systemProperties: |-
    # Default Gateway system properties
    # Configuration properties for shared state extensions.
    com.l7tech.server.extension.sharedKeyValueStoreProvider=embeddedhazelcast
    com.l7tech.server.extension.sharedCounterProvider=ssgdb
    com.l7tech.server.extension.sharedClusterInfoProvider=ssgdb
    # By default, FIPS module will block an RSA modulus from being used for encryption if it has been used for
    # signing, or visa-versa. Set true to disable this default behaviour and remain backwards compatible.
    com.safelogic.cryptocomply.rsa.allow_multi_use=true
    # Specifies the type of Trust Store (JKS/PKCS12) provided by AdoptOpenJDK that is used by Gateway.
    # Must be set correctly when Gateway is running in FIPS mode. If not specified it will default to PKCS12.
    javax.net.ssl.trustStoreType=jks
    # Period of time before the Gateway removes inactive nodes.
    com.l7tech.server.clusterStaleNodeCleanupTimeoutSeconds=86400
    # Additional properties go here

 # If enabled this will override the default listen ports and their configuration in the API Gateway
  listenPorts:
    custom:
      enabled: false
    ports:
      - name: Default HTTPS (8443)
        port: 8443
        enabled: true
        protocol: HTTPS
        managementFeatures:
        - Published service message input
        # - Administrative access
        # - Browser-based administration
        # - Built-in services
        properties: []
        # - name: server
        #   value: A
        tls:
          enabled: true
        # privateKey: 00000000000000000000000000000002:ssl
          clientAuthentication: Optional
          versions:
        # - TLSv1.0
        # - TLSv1.1
          - TLSv1.2
          - TLSv1.3
          useCipherSuitesOrder: true
          cipherSuites:
          - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
          - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
          - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
          - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
          - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
          - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
          - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
          - TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
          - TLS_DHE_RSA_WITH_AES_256_CBC_SHA
          - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
          - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
          - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
          - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
          - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
          - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
          - TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
          - TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
          - TLS_DHE_RSA_WITH_AES_128_CBC_SHA
          - TLS_AES_256_GCM_SHA384
          - TLS_AES_128_GCM_SHA256
        # - TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
        # - TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
        # - TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
        # - TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
        # - TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
        # - TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
        # - TLS_RSA_WITH_AES_256_GCM_SHA384
        # - TLS_RSA_WITH_AES_256_CBC_SHA256
        # - TLS_RSA_WITH_AES_256_CBC_SHA
        # - TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
        # - TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
        # - TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
        # - TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
        # - TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
        # - TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
        # - TLS_RSA_WITH_AES_128_GCM_SHA256
        # - TLS_RSA_WITH_AES_128_CBC_SHA256
        # - TLS_RSA_WITH_AES_128_CBC_SHA
      - name: Default HTTPS (9443)
        port: 9443
        enabled: true
        protocol: HTTPS
        managementFeatures:
        - Published service message input
        - Administrative access
        - Browser-based administration
        - Built-in services
        properties: []
        # - name: server
        #   value: B
        tls:
          enabled: true
        # privateKey: 00000000000000000000000000000002:ssl
          clientAuthentication: Optional
          versions:
        # - TLSv1.0
        # - TLSv1.1
          - TLSv1.2
          - TLSv1.3
          useCipherSuitesOrder: true
          cipherSuites:
          - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
          - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
          - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
          - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
          - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
          - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
          - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
          - TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
          - TLS_DHE_RSA_WITH_AES_256_CBC_SHA
          - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
          - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
          - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
          - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
          - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
          - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
          - TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
          - TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
          - TLS_DHE_RSA_WITH_AES_128_CBC_SHA
          - TLS_AES_256_GCM_SHA384
          - TLS_AES_128_GCM_SHA256
        # - TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
        # - TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
        # - TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
        # - TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
        # - TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
        # - TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
        # - TLS_RSA_WITH_AES_256_GCM_SHA384
        # - TLS_RSA_WITH_AES_256_CBC_SHA256
        # - TLS_RSA_WITH_AES_256_CBC_SHA
        # - TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
        # - TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
        # - TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
        # - TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
        # - TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
        # - TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
        # - TLS_RSA_WITH_AES_128_GCM_SHA256
        # - TLS_RSA_WITH_AES_128_CBC_SHA256
        # - TLS_RSA_WITH_AES_128_CBC_SHA
      - name: Default HTTP (8080)
        port: 8080
        enabled: false
        protocol: HTTP
        managementFeatures:
        - Published service message input
        # - Administrative access
        # - Browser-based administration
        # - Built-in services
        tls:
          enabled: false

## Reference an existing secret for sensitive Gateway fields
## Note that additionalSecret will no longer take effect when existingGatewaySecret is set.

# existingGatewaySecretName: ssg-secret

## The folllowing must be included
  # SSG_ADMIN_USERNAME
  # SSG_ADMIN_PASSWORD
  # SSG_CLUSTER_PASSWORD
## If using a Database
  # SSG_DATABASE_USER
  # SSG_DATABASE_PASSWORD

# Cluster Hostname
clusterHostname: my.localdomain

# Database configuration
database:
  # DB Backed or ephemeral
  enabled: true
  # A MySQL Database is configured with this Chart, set to false and set jdbcURL to use your own DB server
  # Do not use this demo database in production!!!
  create: true
  # jdbcURL: jdbc:mysql://<host>:<port>/<database> | jdbc:mysql://<host>:<port>,<host>:<port>/<database>,...
  # Configurable, update the mysql.auth.<settings> if you change this and would like to use the demo database server.
  username: gateway
  password: mypassword
  name: ssg

## If loading a TLS Key/Pair
# This key will become the default ssl key. Can only have one.
# use with helm command: --set-file tls.key=/path/to/ssl.p12 --set tls.pass=keypass
## Reference an existing secret for the Gateway Private Key, the secret needs to contain the following.
  # SSG_SSL_KEY - decoded value needs to be base64 encoded. (cat ssl.p12 | base64 --wrap=0)
  # SSG_SSL_KEY_PASS
tls:
  useSignedCertificates: false
  # existingSecretName: ssg-tls
# It is not recommendeded to load private keys in values.yaml, use an existingTlsSecret.
  key:
  pass:

# Cluster Password
clusterPassword: mypassword

# This enables/disables Policy Manager Access and sets the SSG_ADMIN username and password
# Credentials will be moved to a secret object in the next push..
management:
  enabled: true
  # Enable Restman, if DBbacked this setting will persist until manually deleted via Policy Manager.
  restman:
    enabled: false
  # Enable Graphman (placeholder)
  graphman:
    enabled: false
  # This is the username/password used for Policy Manager/Gateway Management.
  username: admin
  password: mypassword
  # This optionally loads the Kubernetes Service Account token as a secure password for use in Policy.
  kubernetes:
    loadServiceAccountToken: false
  service:
    enabled: true
    type: LoadBalancer
    ## Load Balancer sources
    ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
    annotations: {}
      # cloud.google.com/load-balancer-type: "Internal"
    ports:
      # - name: https
      #   internal: 8443
      #   external: 8443
      #   protocol: TCP
      - name: management
        internal: 9443
        external: 9443
        protocol: TCP
    # Uncomment the following section to enable session affinity
    # sessionAffinity: ClientIP
    # sessionAffinityConfig:
    #   clientIP:
    #     timeoutSeconds: 10800

    # Internal Traffic Policy - https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/#using-service-internal-traffic-policy
    # internalTrafficPolicy: Cluster
    # External Traffic Policy - https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
    # externalTrafficPolicy: Cluster

service:
  # Service Type, ClusterIP, NodePort, LoadBalancer
  type: LoadBalancer
  ## Load Balancer sources
  ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
  # loadBalancerSourceRanges:
  # - 10.10.10.0/24
  ## Set the ExternalIPs
  # externalIPs:
  ## Set the LoadBalancerIP
  # loadBalancerIP:

  # Update this port list if additional ports need to be exposed
  ports:
    - name: https
      internal: 8443
      external: 8443
      protocol: TCP
    # - name: management
    #   internal: 9443
    #   external: 9443
    #   protocol: TCP
  # Additional Service annotations, the example below shows configuration for an internal load balancer on GCP
  # See the docs for more ==> https://kubernetes.io/docs/concepts/services-networking/service/
  annotations: {}
    # cloud.google.com/load-balancer-type: "Internal"
    # service.beta.kubernetes.io/azure-load-balancer-internal: "true"

  # Uncomment the following section to enable session affinity
  # sessionAffinity: ClientIP
  # sessionAffinityConfig:
  #   clientIP:
  #     timeoutSeconds: 10800

  # Internal Traffic Policy - https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/#using-service-internal-traffic-policy
  # internalTrafficPolicy: Cluster
  # External Traffic Policy - https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
  # externalTrafficPolicy: Cluster

# This enables/disables otk install or upgrade.
# Prerequisites.
#  1. OTK DB is installed.
#  2. restman is enabled. Can be disabled once the install/upgrage is complete (management.restman.enabled: true)
# Note: In dual gateway installation, restart the pods after OTK install or upgrade.
otk:
  enabled: false
  # OTK installation type - SINGLE, DMZ or INTERNAL
  type: SINGLE

  # Force install or upgrade by uninstalling existing otk soluction kit and install.
  # forceInstallOrUpgrade: false

  # Not applicable for DMZ and INTERNAL OTK types
  # enablePortalIngeration: false
  # skipPostInstallationTasks: false

  # Specify internal gateway host and port for DMZ OTK type
  # internalGatewayHost:
  # internalGatewayPort:

  # Specify DMZ gateway host and port for interal OTK type
  # dmzGatewayHost:
  # dmzGatewayPort:

  # List of comma seperated sub soluction Kits to install or upgrade.
  # subSolutionKitNames:

  job:
    image:
      repository: caapim/otk-install
      tag: 4.6.1
      pullPolicy: IfNotPresent
    labels: {}
    # nodeSelector: {}
    # tolerations: []
    ## Pod Labels for the OTK install Pod
    ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
    podLabels: {}

    # Pod Annotations apply to the OTK install Pod
    ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
    podAnnotations: {}
  database:
    # OTK database type - mysql/oracle/cassandra
    type: mysql
    # connectionName: OAuth
    # existingSecretName: otkdb-secret
    username: root
    password: 7layer
    # properties: {"maximumPoolSize":15, "minimumPoolSize":3}
    # properties: {"localDataCenterName" : "DC1"}
    sql:
      # jdbcURL: jdbc:mysql://<host>:<port>/<database>
      jdbcURL:
      jdbcDriverClass: com.l7tech.jdbc.mysql.MySQLDriver
      # Oracle database name
      # databaseName:
    # cassandra:
    #   connectionPoints: localhost
    #   port:
    #   keyspace:
    # For Cassandra driverConfig is supported from GW 11.0. Either otk.database.cassandra.driverConfig or otk.database.properties should be provided
    #   driverConfig: {"localDataCenterName" : "DC1"}

  # Install OTK Health check bundle on gateway. Uses config map.
  # Alternatively the bundle can be loaded using config map external to helm (useExisting: true)
  # The bundle content can be found at https://github.com/CAAPIM/apim-charts/blob/stable/charts/gateway/bundles/otk-healthcheck.bundle
  healthCheckBundle:
    enabled: true
    useExisting: false
    name: otk-health-check-bundle-config

  # OTK Specific configuration:
  # - The liveliness probe is not supported for OTK 4.6 & below versions.
  # - Only valid for SINGLE and INTERNAL OTK types. Not be enabled for a DMZ OTK type.
  # - In a dual gateway OTK setup, it is recomended enable liveness probe after the pods restart.
  # - Should be enabled after otk installation.
  # - otk.livenessProbe.type as httpGet
  # - otk.livenessProbe.path /auth/oauth/health
  # - otk.livenessProbe.port 8443
  # - otk.livenessProbe.scheme https
  livenessProbe:
    enabled: false
    type: httpGet
    httpGet:
      path:
      port:
  # OTK Specific configuration:
  # - The readinessProbe probe is not supported for OTK 4.6 & below versions.
  # - Only valid for SINGLE and INTERNAL OTK types. Not be enabled for a DMZ OTK type.
  # - In a dual gateway OTK setup, it is recomended enable readiness probe after the pods restart.
  # - Should be enabled after otk installation.
  # - otk.readinessProbe.type as httpGet
  # - otk.readinessProbe.path /auth/oauth/health
  # - otk.readinessProbe.port 8443
  # - otk.readinessProbe.scheme https
  readinessProbe:
    enabled: false
    type: httpGet
    httpGet:
      path:
      port:

# This project does not currently support Google's GCE controller.
# The default way to expose the Gateway is via L4 Load Balancer because it goes far beyond the HTTP(S) limitation ingress currently imposes
# Certificates are not created here, please specify an existing cert secret to use if enabling TLS
ingress:
  # Set to true to create ingress object
  enabled: false
  # Ingress Class Name
  ingressClassName: nginx
  # Ingress annotations
  annotations:
  # Ingress class
   # kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
  # nginx.ingress.kubernetes.io/ssl-passthrough: "true"
  # When the ingress is enabled, a host pointing to this will be created
  # By default clusterHostname is used, only set this if you want to use a different host
   ## Enable TLS configuration for the hostname defined at ingress.hostname/clusterHostname parameter
  tls:
  - hosts:
    - dev.ca.com
    secretName: default
  # - hosts:
  #   - dev1.ca.com
  #   secretName: default

  rules:
  - host: dev.ca.com
    path: "/"
    service:
      port:
        name: https
      # number:
  #  - host: dev1.ca.com
  #    path: "/"
  #    service:
  #      port:
  #        name: anotherport
  #       #number:

# Additional Environment variables to be added to the Gateway Configmap
additionalEnv: {}
# key1: value
# key2: value

# Additional Secret variables to be added to the Gateway Secret
additionalSecret: {}
# key1: value
# key2: value

# This mounts one or more bundles that exist as secrets or configmaps in your Kubernetes Cluster.
# When creating these secrets/configmaps the format should be
# key: bundle1.bundle value: <xml value>
# Each bundle that you create as a ConfigMap can not exceed 1MB in size.

# Bundles that contain sensitive information can be mounted using the Kubernetes CSI Driver
existingBundle:
  enabled: false
  configMaps: []
 # - name: mybundle1
    # configMap:
    #   defaultMode: 420
    #   optional: false
    #   name: mybundle1
 # - name: mybundle2
  secrets: []
  # - name: mysecretbundle1
  #   csi:
  #     driver: secrets-store.csi.k8s.io
  #     readOnly: true
  #     volumeAttributes:
  #       secretProviderClass: "secret-provider-class-name"
 # - name: mysecretbundle2

# This is limited to a single configmap or secret. ConfigMaps and Secrets can hold multiple scripts.
# See an example here - https://github.com/Layer7-Community/Utilities/tree/main/gateway-init-container-examples
# NOTE: if you set a configMap and a Secret only one of them will be applied to your API Gateway.
existingHealthCheck:
  enabled: false
  configMap: {}
    # name: healthcheck-scripts-configmap
    # defaultMode: 292
    # optional: false
  secret: {}
    # name: healthcheck-scripts-secret
    # csi:
    #   driver: secrets-store.csi.k8s.io
    #   readOnly: true
    #   volumeAttributes:
    #     secretProviderClass: "vault-database"

# Certain folders on the Container Gateway are not writeable by design.
# This configuration allows you to mount configMap/Secret keys to specific paths on the Gateway without
# the need for a root user or a custom/derived image.
customConfig:
  enabled: false
  # mounts:
  # - name: sampletrafficloggerca-override
  #   mountPath: /opt/SecureSpan/Gateway/node/default/etc/conf/sampletrafficloggerca.properties
  #   subPath: sampletrafficloggerca.properties
  #   secret:
  #     name: config-override-secret
  #     item:
  #       key: sampletrafficloggerca.properties
  #       path: sampletrafficloggerca.properties

# This mounts a bundle folder to the Gateway. This requires you to clone the chart repo and populate the bundle folder.
# Note that there is a 1MB limit for Configmaps/Secrets so if your bundles exceed that total, the Chart will fail to install/upgrade.
# Helm also keeps a revision of each deployment that will include the bundle definition, if that exceeds 1MB then the same error will occur.
# We recommend using the existingBundle configuration below. This allows you to manage Gateway Deployment Config and Services separately.
bundle:
  enabled: false
  path: "bundles/*.bundle"

livenessProbe:
  enabled: true
  type: command
  command: /opt/docker/rc.d/diagnostic/health_check.sh
# type: httpGet
# path: /ssg/ping
# port: 8443
# scheme: HTTPS
# httpHeaders: []
  initialDelaySeconds: 40
  timeoutSeconds: 1
  periodSeconds: 15
  successThreshold: 1
  failureThreshold: 15

readinessProbe:
  enabled: true
  type: command
  command: /opt/docker/rc.d/diagnostic/health_check.sh
# type: httpGet
# path: /ssg/ping
# port: 8443
# scheme: HTTPS
# httpHeaders: []
  initialDelaySeconds: 40
  timeoutSeconds: 1
  periodSeconds: 15
  successThreshold: 1
  failureThreshold: 15

# nodeSelector: {}
# affinity: {}

# ref:https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/#spread-constraints-for-pods
topologySpreadConstraints: []
# topologySpreadConstraints:
#   - maxSkew: 1
#     topologyKey: topology.kubernetes.io/zone
#     whenUnsatisfiable: DoNotSchedule
#     labelSelector:
#       matchLabels:
#         app: <releasename>-gateway

# ref:https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []

# ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
podSecurityContext: {}

# ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
containerSecurityContext: {}

# This script reads files in /opt/docker/custom and moves them into the correct location
# for Gateway startup. Enabling this with an empty /opt/docker/custom folder will have no effect.
#################################################################################################
# We recommend using an initContainer with a shared volume to populate the /opt/docker/custom folder.
# The initContainer can either be built with all of the required files, or dynamically retrieve files
# from an external location.
# See the Readme for details and examples.
bootstrap:
  script:
    enabled: false

# Add initContainers to the Gateway
initContainers: []
# initContainers:
# - name: simple-init
#   image: docker.io/layer7api/simple-init:1.0.1
#   imagePullPolicy: Always
#   volumeMounts:
#   - name: config-directory
#     mountPath: /opt/docker/custom

## Add sidecars to the Gateway Deployment.
sidecars: []
## Example:
## sidecars:
##   - name: your-image-name
##     image: your-image
##     imagePullPolicy: Always
##     ports:
##       - name: portname
##         containerPort: 1234
##

# Configure custom hosts
customHosts:
  enabled: false
  hostAliases: []
  # - hostnames:
  #   - "dev.ca.com"
  #   - "dev1.ca.com"
  #   ip: "0.0.0.0"
  # - hostnames:
  #   - "example.ca.com"
  #   ip: "0.0.0.0"

## Demo - enable/disable the background metrics processing task
## Enabling this creates a policy on the Gateway and routes service metrics to influxDbUrl
## Disabling on upgrade will have no effect on the deployed policy
## To be replaced with a user defined bundle relevant to the endpoint they wish to relay service metrics to.
## InfluxDbUrl and tags are Cluster-Wide-Properties.
serviceMetrics:
  enabled: false
  ## By default influxdb is not deployed with this Chart.
  ## Set influxdb.enabled in the subchart section to true to deploy it.
  external: false
  influxDbUrl: http://influxdb:8086
  influxDbDatabase: serviceMetricsDb
  tags: env=dev

# Install Gateway solution kit(s) using restman.
#   Prerequisites:
#     1) restman is enabled
#     2) .sskar file(s) exist on Gateway container image under /tmp (e.g. /tmp/OAuthSolutionKit-4.4.1-4425.sskar)
#   Description of solution kit(s):
#     1) OAuth Solution Kit: https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-4/installation-workflow/install-the-oauth-solution-kit.html
installSolutionKits:
  enabled: false
  restmanPort: 8443
  restmanReadyWait: 150s
  solutionKits:

##
## Subchart Configuration
##

# MySQL Bitnami chart - https://github.com/bitnami/charts/tree/master/bitnami/mysql (DO NOT USE IN PRODUCTION!!)
mysql:
  image:
    registry: docker.io
    repository: bitnami/mysql
    tag: 8.0.22-debian-10-r75
    pullPolicy: IfNotPresent
    # pullSecrets:
    # - myRegistryKeySecretName
  auth:
    username: gateway
    password: mypassword
    database: ssg
    rootPassword: mypassword
  primary:
    # persistence:
    #   enabled: true
    #   size: 8Gi
    configuration: |-
      [client]
      port=3306
      socket=/opt/bitnami/mysql/tmp/mysql.sock
      default-character-set=UTF8
      plugin_dir=/opt/bitnami/mysql/plugin
      [mysqld]
      default_authentication_plugin=mysql_native_password
      log-bin-trust-function-creators=1
      skip-name-resolve
      explicit_defaults_for_timestamp
      basedir=/opt/bitnami/mysql
      plugin_dir=/opt/bitnami/mysql/plugin
      port=3306
      socket=/opt/bitnami/mysql/tmp/mysql.sock
      datadir=/bitnami/mysql/data
      tmpdir=/opt/bitnami/mysql/tmp
      collation-server=utf8_general_ci
      character-set-server=UTF8
      innodb_log_buffer_size=32M
      innodb_log_file_size=80M
      max_allowed_packet=20M
      sql_mode = "STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_ENGINE_SUBSTITUTION"
      bind-address=0.0.0.0
      pid-file=/opt/bitnami/mysql/tmp/mysqld.pid
      log-error=/opt/bitnami/mysql/logs/mysqld.log
      [manager]
      port=3306
      socket=/opt/bitnami/mysql/tmp/mysql.sock
      pid-file=/opt/bitnami/mysql/tmp/mysqld.pid

# Settings for Hazelcast - https://github.com/hazelcast/charts/blob/master/stable/hazelcast/values.yaml
# The Gateway currently supports Hazelcast 4.x & 5.x servers
hazelcast:
  # Older versions of the API Gateway will still support 3.x servers
  legacy:
    # set this to true if your Gateway version does not support 4.x and 5.x
    enabled: true
  # If you wish to connect to an existing Hazelcast instance set enabled to false
  # external to true, and uncomment and set url.
  enabled: false
  external: false
  # url: hazelcast.example.com:5701
  image:
    repository: "hazelcast/hazelcast"
    tag: "5.2.1"
    pullPolicy: IfNotPresent
    # pullSecrets:
    # - myRegistryKeySecretName
  cluster:
    memberCount: 2
  mancenter:
    enabled: false
  hazelcast:
    yaml:
      hazelcast:
        network:
          join:
            multicast:
              enabled: false
            kubernetes:
              enabled: true
              service-name: ${serviceName}
              namespace: ${namespace}
              resolve-not-ready-addresses: true

# Settings for InfluxDB - https://github.com/influxdata/helm-charts/tree/master/charts/influxdb
# This is not a production implementation!
influxdb:
  enabled: false
  image:
    repository: "influxdb"
    tag: "1.8.10-alpine"
    pullPolicy: IfNotPresent
    # pullSecrets:
    #   - registry-secret
  service:
    port: 8086
  persistence:
    enabled: true
   # storageClass:
    size: 8Gi
  env:
    - name: INFLUXDB_DB
      value: "serviceMetricsDb"

# Settings for Grafana - https://github.com/bitnami/charts/tree/master/bitnami/grafana
grafana:
  enabled: false
  image:
    registry: docker.io
    repository: bitnami/grafana
    tag: 9.0.7-debian-11-r0
    pullPolicy: IfNotPresent
    # pullSecrets:
    # - myRegistryKeySecretName
  # Change this to update the UI Password
  admin:
    user: admin
    password: password
  dashboardsProvider:
    enabled: true
  customDashboard:
    value:
  dashboardsConfigMaps:
    - configMapName: grafana-configmap
      fileName: gateway-service-metrics.json
  datasources:
    secretName: grafana-secret