Merge 895f935 into 0ecc5c1

vramperez · web-flow · commit 3afb60ad67e5 · 2026-03-05T15:49:04.000Z
diff --git a/README.md b/README.md
@@ -26,6 +26,11 @@ This project is part of [FIWARE](https://www.fiware.org/). For more information
     - [Deployment with Helm](#deployment-with-helm)
   - [Testing](#testing)
   - [APISIX Deployment Modes](#apisix-deployment-modes)
+    - [Comparison Table](#comparison-table)
+    - [1. With ETCD and with the Ingress Controller](#1-with-etcd-and-with-the-ingress-controller)
+    - [2. With ETCD and without the Ingress Controller](#2-with-etcd-and-without-the-ingress-controller)
+    - [3. Without ETCD and with the Ingress Controller](#3-without-etcd-and-with-the-ingress-controller)
+    - [4. Without ETCD and without the Ingress Controller](#4-without-etcd-and-without-the-ingress-controller)
   - [Values](#values)
   - [How to contribute](#how-to-contribute)
   - [License](#license)
@@ -125,6 +130,106 @@ the [test-scenarios](./it/src/test/resources/it/mvds_basic.feature) against it.
 
 APISIX can operate in four distinct deployment modes. Each mode determines how routes are stored, managed, and persisted, as well as which components are responsible for maintaining the routing configuration.
 
+### Comparison Table
+
+| Mode                                               | ETCD | Ingress Controller | Route Source                               | Persistence                    | Notes                                      |
+| -------------------------------------------------- | ---- | ------------------ | ------------------------------------------ | ------------------------------ | ------------------------------------------ |
+| **1. With ETCD and with Ingress Controller**       | ✔️   | ✔️                 | APISIX CRDs, Kubernetes Ingress, Admin API | ✔️ Persisted in ETCD           | Recommended for Kubernetes-native setups   |
+| **2. With ETCD and without Ingress Controller**    | ✔️   | ❌                  | Admin API only                             | ✔️ Persisted in ETCD           | Chart-defined routes are *not* initialized |
+| **3. Without ETCD and with Ingress Controller**    | ❌    | ✔️                 | APISIX CRDs, Kubernetes Ingress, Admin API | ❌ In-memory only               | Requires at least one route to start       |
+| **4. Without ETCD and without Ingress Controller** | ❌    | ❌                  | Static ConfigMap (`apisix.yaml`)           | ✔️ Persisted only in ConfigMap | **Under development**; installation may fail but upgrades will work                 |
+
+---
+
+### 1. With ETCD and with the Ingress Controller
+
+In this mode, APISIX persists all route definitions in ETCD. Routes may be defined via APISIX CRDs, standard Kubernetes Ingress resources, or the Admin API.
+Because the configuration is stored in ETCD, all routes—including those created through the Admin API—will **remain available after restarts**.
+
+```yaml
+apisix:
+  ingress-controller:
+    enabled: true
+  apisix:
+    deployment:
+      role: traditional
+      role_traditional:
+        config_provider: yaml
+	  standalone:
+		existingConfigMap: ""
+  etcd:
+    enabled: true
+```
+
+---
+
+### 2. With ETCD and without the Ingress Controller
+
+In this configuration, ETCD persists the routes, but no Ingress Controller is available to manage them. As a result, routes can **only** be created or updated using the APISIX Admin API.
+Chart-defined routes are **not** initialized automatically.
+
+```yaml
+apisix:
+  ingress-controller:
+    enabled: false
+  apisix:
+    deployment:
+      role: traditional
+      role_traditional:
+        config_provider: yaml
+  etcd:
+    enabled: true
+```
+
+---
+
+### 3. Without ETCD and with the Ingress Controller
+
+When ETCD is disabled, APISIX loads all routes from APISIX CRDs and stores them in memory. The Ingress Controller continuously synchronizes APISIX with these CRDs.
+Although the Admin API can still modify routes, such changes **will not persist across restarts**.
+Kubernetes Ingress objects may also be used to define new routes.
+
+> [!WARNING]
+> APISIX requires at least one route to exist for the service to start correctly.
+
+```yaml
+apisix:
+  ingress-controller:
+    enabled: true
+  apisix:
+    deployment:
+      role: traditional
+      role_traditional:
+        config_provider: yaml
+	  standalone:
+		existingConfigMap: ""
+  etcd:
+    enabled: false
+```
+
+---
+
+### 4. Without ETCD and without the Ingress Controller
+
+In this mode, routes are defined statically within the `apisix-routes` ConfigMap. APISIX loads these routes at startup, and the configuration remains unchanged unless the ConfigMap or Helm values are manually updated.
+This mode is suitable for simple or fully static environments.
+
+```yaml
+apisix:
+  ingress-controller:
+    enabled: false
+  apisix:
+    deployment:
+      mode: standalone
+      role: data_plane
+      role_data_plane:
+        config_provider: "yaml"
+      standalone:
+        existingConfigMap: "apisix-routes"
+  etcd:
+    enabled: false
+```
+
 For mor information, please check the oficial APISIX documentation on [deployment modes](https://apisix.apache.org/docs/apisix/deployment-modes/) and the [APISIX Helm Chart documentation](https://github.com/apache/apisix-helm-chart/tree/master) for configuration details.
 
 <!-- BEGIN HELM DOCS -->
diff --git a/charts/odrl-authorization/Chart.yaml b/charts/odrl-authorization/Chart.yaml
@@ -2,12 +2,12 @@ apiVersion: v2
 name: odrl-authorization
 description: Umbrella chart to deploy FIWARE ODRL Authorization
 type: application
-version: 2.0.0
+version: 2.1.0
 dependencies:
   # authorization
   - name: odrl-pap
     condition: odrl-pap.enabled
-    version: 2.3.2
+    version: 2.9.1
     repository: https://fiware.github.io/helm-charts
   - name: apisix
     condition: apisix.enabled
diff --git a/charts/odrl-authorization/templates/routes.yaml b/charts/odrl-authorization/templates/routes.yaml
@@ -0,0 +1,72 @@
+{{ $ingressConfig := (index .Values.apisix "ingress-controller") }}
+{{- if $ingressConfig.enabled }}
+{{ $ingressClassName := default "apisix" $ingressConfig.config.kubernetes.ingressClass }}
+{{- range $idx, $route := .Values.apisix.routes }}
+{{ $routeName := default (printf "%s-%d" ($route.host | replace "." "-") $idx) $route.name }}
+{{ $upstreamName := printf "%s-%s" $routeName "upstream" }}
+apiVersion: apisix.apache.org/v2
+kind: ApisixRoute
+metadata:
+  name: {{ printf "%s-%s" $routeName "route" }}
+  namespace: {{ default $.Release.Namespace $route.namespace | quote }}
+spec:
+  ingressClassName: {{ $ingressClassName }}
+  http:
+  - name: {{ printf "%s-%s" $routeName "route" }}
+    match:
+      hosts:
+        - {{ $route.host }}
+      paths:
+        - {{ $route.uri }}
+    {{- range $key, $value := $route.upstream.nodes }}
+    {{- $url := include "odrl-auth.parseURL" $key | fromYaml }}
+    backends:
+      - serviceName: {{ $url.host }}
+        servicePort: {{ $url.port }}
+        weight: {{ $value }}
+    {{- end }}
+    {{- if $route.plugins }}
+    plugins:
+    {{- range $key, $value := $route.plugins }}
+      - name: {{ $key }}
+        enable: true
+        config:
+          {{- $value | toYaml | nindent 10 }}
+    {{- end }}
+    {{- end }}
+---
+{{- end }}
+{{- else }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: apisix-routes
+  namespace: {{ $.Release.Namespace | quote }}
+  labels:
+    {{- include "odrl-auth.labels" . | nindent 4 }}
+data:
+  apisix.yaml: |-
+    routes:
+    {{- if .Values.apisix.catchAllRoute.enabled }}
+      - uri: /*
+        upstream:
+            nodes:
+                {{ .Values.apisix.catchAllRoute.upstream.url}}: 1
+            type: roundrobin
+        plugins:
+          openid-connect:
+            client_id: {{ .Values.apisix.catchAllRoute.oidc.clientId }}
+            client_secret: the-secret
+            bearer_only: true
+            use_jwks: true
+            discovery: {{ .Values.apisix.catchAllRoute.oidc.discoveryEndpoint }}
+          opa:
+            host: {{ required "Open Agent Policy host is required when catchAllRoute is enabled" .Values.apisix.catchAllRoute.opa.host}}
+            policy: policy/main
+            with_body: true
+    {{- end }}
+    {{- if .Values.apisix.routes }}
+      {{- .Values.apisix.routes | toYaml | nindent 6 }}
+    {{- end }}
+    #END
+{{- end }}
diff --git a/charts/odrl-authorization/values.yaml b/charts/odrl-authorization/values.yaml
@@ -7,7 +7,7 @@ apisix:
   enabled: true
   ingress-controller:
     # -- Enable the ingress controller pod to read Kubernetes Ingress resources. See [chart documentation](https://artifacthub.io/packages/helm/apisix/apisix-ingress-controller) for more details
-    enabled: true
+    enabled: false
     gatewayProxy:
       # -- Controls whether to create a default GatewayProxy custom resource.
       createDefault: true
@@ -25,25 +25,16 @@ apisix:
       #
       # ref: https://apisix.apache.org/docs/apisix/deployment-modes/
       role: "data_plane"
-      role_traditional:
+      role_data_plane:
         # enum: etcd, yaml
         config_provider: "yaml"
       # -- Standalone rules configuration
       #
       # ref: https://apisix.apache.org/docs/apisix/deployment-modes/#standalone
       standalone:
-        # -- Rules which are set to the default apisix.yaml configmap.
-        # If apisix.deployment.standalone.existingConfigMap is empty, these are used.
-        config: |
-          routes:
-          - uri: /hi
-            upstream:
-              nodes:
-                "127.0.0.1:1980": 1
-              type: roundrobin
         # -- Specifies the name of the ConfigMap that contains the rule configurations.
         # The configuration must be set to the key named `apisix.yaml` in the configmap.
-        existingConfigMap: ""
+        existingConfigMap: "apisix-routes"
     admin:
       enabled: true
     customPlugins:
@@ -108,6 +99,32 @@ apisix:
       host: 'http://localhost:8181'
       policy: policy/main
       with_body: true
+  # -- (dict) Configuration of routes for apisix
+  # @raw
+  #
+  # ```yaml
+  # uri: /*
+  #   host: host-name-test
+  #   type: Service
+  #   namespace: super-ns # release namespace by default
+  #   upstream:
+  #     nodes:
+  #       data-service-test:9090: 1
+  #     type: roundrobin
+  #   plugins:
+  #     openid-connect:
+  #       bearer_only: true
+  #       use_jwks: true
+  #       client_id: data-service
+  #       client_secret: unused
+  #       discovery: https://verifier:8080/services/data-service/.well-known/openid-configuration
+  #     opa:
+  #       host: "http://localhost:8181"
+  #       policy: policy/main
+  #       with_body: true
+  # ```
+  #
+  routes: []
   etcd:
     enabled: true
 
diff --git a/deploy/helmfile.yaml b/deploy/helmfile.yaml
@@ -81,37 +81,31 @@ releases:
               type: apisix-standalone
         apisix:
           deployment:
+            role: "traditional"
+            role_traditional:
+              config_provider: "yaml"
             standalone:
-              config: |
-                routes:
-                  - host: apisix.127.0.0.1.nip.io
-                    uri: "/*"
-                    upstream:
-                      nodes:
-                        mockserver:8080: 1
-                      type: roundrobin
-                    plugins:
-                      openid-connect:
-                        client_id: ""
-                        client_secret: the-secret
-                        bearer_only: true
-                        use_jwks: true
-                        discovery: http://mockserver:8080/.well-known/openid-configuration
-                      opa:
-                        host: http://localhost:8181
-                        policy: policy/main
-                        with_body: true
-                  - host: pap.127.0.0.1.nip.io
-                    uri: /*
-                    upstream:
-                      nodes:
-                        odrl-pap:8080: 1
+              existingConfigMap: ""
+        routes:
+          - host: apisix.127.0.0.1.nip.io
+            uri: "/*"
+            upstream:
+              nodes:
+                mockserver:8080: 1
+              type: roundrobin
+            plugins:
+              openid-connect:
+                client_id: ""
+                client_secret: the-secret
+                bearer_only: true
+                use_jwks: true
+                discovery: http://mockserver:8080/.well-known/openid-configuration
+              opa:
+                host: http://localhost:8181
+                policy: policy/main
+                with_body: true
         ingress:
-          enabled: true
-          hostname: apisix.127.0.0.1.nip.io
-          hosts:
-            - host: apisix.127.0.0.1.nip.io
-              paths: ["/"]
+          enabled: false
         service:
           http:
             nodePort: 30080
@@ -138,6 +132,8 @@ releases:
             key: password
         ingress:
           enabled: true
+          annotations:
+            kubernetes.io/ingress.class: "apisix"
           hosts:
           - host: pap.127.0.0.1.nip.io
             paths:
