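global:
  # -- Global Docker registry secret names as an array.
  # Example:
  #   imagePullSecrets:
  #     - my-registry-secrets
  #     - other-registry-secrets
  imagePullSecrets: []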
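api7ee:
  telemetry:
    # -- enable telemetry data report to the control plane
    enable: true
    # -- interval in seconds to send telemetry data to the control plane
    interval: 15
    # -- max size in bytes (default 32M) of the metrics data sent to the control plane;
    # if the size is exceeded, the data will be truncated
    max_metrics_size: 33554432
    # -- healthcheck data report interval in seconds
    healthcheck_report_interval: 120
  status_endpoint:
    # -- When enabled, APISIX will provide `/status` and `/status/ready` endpoints.
    # `/status` returns 200 if APISIX has successfully started and is running correctly;
    # `/status/ready` returns 503 if none of the configured etcd (dp_manager) are available.
    enabled: false
    # -- The IP address on which the status endpoint will listen.
    # `0.0.0.0` binds every interface of the pod and there is no authentication option
    # for this endpoint here, so keep it off any externally reachable Service or
    # restrict it with a NetworkPolicy.
    ip: 0.0.0.0
    # -- The port on which the status endpoint will listen.
    port: 7085
  # -- A global switch for healthcheck. Defaults to false. When set to true, it
  # overrides all upstream healthcheck configurations and globally disables healthchecks.
  # NOTE(review): nesting restored from a whitespace-stripped copy; confirm this key
  # lives directly under `api7ee` and not under `status_endpoint`.
  disable_upstream_healthcheck: false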
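apisix:
  # -- Enable or disable API7 Gateway itself
  enabled: true
  # -- Enable nginx IPv6 resolver
  enableIPv6: true
  # -- Whether the APISIX version number should be shown in the Server header.
  # Disclosing the exact version makes fingerprinting easier; consider false on
  # internet-facing gateways.
  enableServerTokens: true
  # -- Use Pod metadata.uid as the APISIX id.
  setIDFromPodUID: false
  meta:
    luaSharedDict:
      prometheus-metrics: 15m
  stream:
    luaSharedDict:
      etcd-cluster-health-check-stream: 10m
      lrucache-lock-stream: 10m
      plugin-limit-conn-stream: 10m
      worker-events-stream: 10m
      tars-stream: 1m
      config-stream: 5m
  http:
    luaSharedDict:
      internal-status: 10m
      plugin-limit-req: 10m
      plugin-limit-count: 10m
      plugin-limit-conn: 10m
      plugin-graphql-limit-count: 10m
      plugin-graphql-limit-count-reset-header: 10m
      upstream-healthcheck: 10m
      worker-events: 10m
      lrucache-lock: 10m
      balancer-ewma: 10m
      balancer-ewma-locks: 10m
      balancer-ewma-last-touched-at: 10m
      plugin-limit-count-redis-cluster-slot-lock: 1m
      plugin-limit-count-advanced: 10m
      plugin-limit-count-advanced-redis-cluster-slot-lock: 1m
      tracing_buffer: 10m
      plugin-api-breaker: 10m
      etcd-cluster-health-check: 10m
      discovery: 1m
      jwks: 1m
      introspection: 10m
      access-tokens: 1m
      ext-plugin: 1m
      tars: 1m
      cas-auth: 10m
      saml_sessions: 10m
      status_report: 1m
  # -- fine tune the parameters of LRU cache for some features like secret
  # NOTE(review): nesting restored from a whitespace-stripped copy; confirm whether
  # `lru` belongs directly under `apisix` or under `apisix.http`.
  lru:
    secret:
      # -- in seconds
      ttl: 300
      count: 512
      # -- in seconds
      neg_ttl: 60
      neg_count: 512
  # -- Add custom [lua_shared_dict](https://github.com/openresty/lua-nginx-module#toc88) settings,
  # click [here](https://github.com/apache/apisix-helm-chart/blob/master/charts/apisix/values.yaml#L27-L30) to learn the format of a shared dict.
  # Example:
  #   - name: kubernetes
  #     size: 20m
  #   - name: nacos
  #     size: 20m
  #   - name: foo
  #     size: 10k
  #   - name: bar
  #     size: 1m
  customLuaSharedDicts: []
  # -- Extra Lua search path
  extraLuaPath: ""
  # -- Extra Lua C-module search path
  extraLuaCPath: ""
  # -- Delete the '/' at the end of the URI
  deleteURITailSlash: false
  # -- The URI normalization in servlet is a little different from the RFC's.
  # See https://github.com/jakartaee/servlet/blob/master/spec/src/main/asciidoc/servlet-spec-body.adoc#352-uri-path-canonicalization,
  # which is used under Tomcat.
  # Turn this option on if you want to be compatible with servlet when matching URI path.
  normalizeURILikeServlet: false
  # -- Defines how apisix handles routing:
  # - radixtree_uri: match route by uri (based on radixtree)
  # - radixtree_host_uri: match route by host + uri (based on radixtree)
  # - radixtree_uri_with_parameter: match route by uri with parameters
  httpRouter: radixtree_host_uri
  # -- Enable a fully customized config.yaml
  enableCustomizedConfig: false
  # -- If apisix.enableCustomizedConfig is true, the full customized config.yaml.
  # Please note that all other APISIX config settings in this file will be ignored.
  customizedConfig: {}
  image:
    # -- API7 Gateway image repository
    repository: api7/api7-ee-3-gateway
    # -- API7 Gateway image pull policy
    pullPolicy: Always
    # -- API7 Gateway image tag
    # Overrides the image tag whose default is the chart appVersion.
    tag: 3.8.19
  # -- Use a `DaemonSet` or `Deployment`
  kind: Deployment
  # -- Number of replicas. Has no effect when kind is DaemonSet.
  replicaCount: 1
  # -- Set [priorityClassName](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#pod-priority) for API7 Gateway pods
  priorityClassName: ""
  # -- Annotations to add to each pod
  podAnnotations: {}
  # -- Labels to add to each pod
  podLabels: {}
  # -- Set the securityContext for API7 Gateway pods
  podSecurityContext: {}
  # fsGroup: 2000
  # -- Set the securityContext for the API7 Gateway container.
  # The commented options below are the usual hardening baseline; verify the image
  # tolerates them (writable paths, bound ports) before enabling.
  securityContext: {}
  # capabilities:
  #   drop:
  #     - ALL
  # readOnlyRootFilesystem: true
  # runAsNonRoot: true
  # runAsUser: 1000
  # -- See https://kubernetes.io/docs/tasks/run-application/configure-pdb/ for more details
  podDisruptionBudget:
    # -- Enable or disable podDisruptionBudget
    enabled: false
    # -- Set the `minAvailable` of podDisruptionBudget. You can specify only one of `maxUnavailable` and `minAvailable` in a single PodDisruptionBudget.
    # See [Specifying a Disruption Budget for your Application](https://kubernetes.io/docs/tasks/run-application/configure-pdb/#specifying-a-poddisruptionbudget)
    # for more details
    minAvailable: 90%
    # -- Set the maxUnavailable of podDisruptionBudget
    maxUnavailable: 1
  # -- Topology Spread Constraints for pod assignment
  # https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
  # The value is evaluated as a template
  topologySpreadConstraints: []
  # -- Set pod resource requests & limits.
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi
  resources: {}
  # -- Use the host's network namespace.
  # With hostNetwork the gateway listeners bind on the node itself and the pod shares
  # the node's network identity; keep false unless you specifically need it.
  hostNetwork: false
  # -- Node labels for API7 Gateway pod assignment
  nodeSelector: {}
  # -- List of node taints to tolerate
  tolerations: []
  # -- Set affinity for API7 Gateway deploy
  affinity: {}
  # -- timezone is the timezone that apisix uses.
  # For example: "UTC" or "Asia/Shanghai"
  # This value will be set on the apisix container's environment variable TZ.
  # Keep it consistent with your local time zone, otherwise the timestamps in apisix's
  # logs may be in the wrong timezone when you use them to look up an event.
  timezone: ""
  # -- extraEnvVars An array to add extra env vars.
  # For secrets prefer `valueFrom.secretKeyRef` (or extraEnvVarsSecret) over a literal
  # `value`: values.yaml is stored in the Helm release and shown by `helm get values`.
  # e.g:
  # extraEnvVars:
  #   - name: FOO
  #     value: "bar"
  #   - name: FOO2
  #     valueFrom:
  #       secretKeyRef:
  #         name: SECRET_NAME
  #         key: KEY
  extraEnvVars: []
  ## @param extraEnvVarsCM Name of existing ConfigMap containing extra env vars
  ##
  extraEnvVarsCM: ""
  ## @param extraEnvVarsSecret Name of existing Secret containing extra env vars
  ##
  extraEnvVarsSecret: ""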
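# -- Override the chart name used in resource names
nameOverride: ""
# -- Override the fully qualified release name
fullnameOverride: ""
serviceAccount:
  # -- Create a ServiceAccount for the gateway pods
  create: false
  # -- Annotations to add to the ServiceAccount
  annotations: {}
  # -- Name of the ServiceAccount to use
  name: ""
rbac:
  # -- Create RBAC resources for the gateway ServiceAccount
  create: false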
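# NOTE(review): placed at top level based on its position in a whitespace-stripped copy;
# confirm against the chart templates.
deployment:
  # -- use cloud storage as the fallback control plane,
  # should be consistent with the same configuration on the control plane side.
  # The commented keys below are cloud credentials. Anything written here is rendered into
  # the Helm release and readable via `helm get values`; keep real credentials out of
  # committed values files and supply them through a separately protected override
  # (or cloud workload identity where the storage backend supports it).
  fallback_cp: {}
  # aws_s3:
  #   access_key: "access"
  #   secret_key: "secret"
  #   region: "ap-south-1"
  #   resource_bucket: "to-push-resource-data"
  #   config_bucket: "to-push-config-data"
  # azure_blob:
  #   account_name: "$YOUR_ACCOUNT_NAME"
  #   account_key: "$YOUR_ACCOUNT_KEY"
  #   resource_container: yaml
  #   config_container: config
  #   endpoint: "$YOUR_AZURE_BLOB_ENDPOINT"
  # -- certs used for certificates in decoupled mode
  certs:
    # -- secret name used for decoupled mode
    certsSecret: ""
    # -- cert filename in certsSecret
    cert: ""
    # -- cert key filename in certsSecret
    cert_key: ""
    # -- name of the Secret that holds the trusted CA cert used for mTLS
    mTLSCACertSecret: ""
    # -- mTLS CA cert filename in mTLSCACertSecret
    mTLSCACert: ""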
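gateway:
  # -- API7 Gateway service type for user access itself
  type: NodePort
  # -- Setting how the Service routes external traffic.
  # If you want to keep the client source IP, you can set this to Local.
  # ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
  externalTrafficPolicy: Cluster
  # type: LoadBalancer
  # loadBalancerClass: "my-loadbalancer-class"
  # loadBalancerIP: a.b.c.d
  # loadBalancerSourceRanges:
  #   - "143.231.0.0/16"
  # annotations:
  #   service.beta.kubernetes.io/aws-load-balancer-type: nlb
  # -- IPs for which nodes in the cluster will also accept traffic for the service
  externalIPs: []
  # -- kubernetes readiness probe, we will provide a probe based on tcpSocket to gateway's HTTP port by default.
  readinessProbe: {}
  # -- kubernetes liveness probe.
  livenessProbe: {}
  # -- API7 Gateway service settings for http
  http:
    enabled: true
    # -- which ip to listen on for API7 Gateway http service.
    ip: 0.0.0.0
    servicePort: 80
    containerPort: 9080
    # backlog: 1024  # sets the backlog parameter in the listen() call that limits the maximum length for the queue of pending connections. By default, backlog is set to -1 on FreeBSD, DragonFly BSD, and macOS, and to 511 on other platforms.
    # -- Support multiple http ports, See [Configuration](https://github.com/apache/apisix/blob/0bc65ea9acd726f79f80ae0abd8f50b7eb172e3d/conf/config-default.yaml#L24)
    additionalContainerPorts: []
    # - port: 9081
    #   enable_http2: true  # If not set, the default value is `false`.
    #   backlog: 1024
    # - ip: 127.0.0.2  # Specific IP, If not set, the default value is `0.0.0.0`.
    #   port: 9082
    #   enable_http2: true
    #   backlog: 1024
  # -- API7 Gateway service settings for tls
  tls:
    enabled: true
    # -- which ip to listen on for API7 Gateway https service.
    ip: 0.0.0.0
    servicePort: 443
    containerPort: 9443
    # backlog: 1024
    # -- Support multiple https ports, See [Configuration](https://github.com/apache/apisix/blob/0bc65ea9acd726f79f80ae0abd8f50b7eb172e3d/conf/config-default.yaml#L99)
    additionalContainerPorts: []
    # - ip: 127.0.0.3  # Specific IP, If not set, the default value is `0.0.0.0`.
    #   port: 9445
    #   enable_http2: true
    #   backlog: 1024
    # -- Specifies the name of the Secret containing trusted CA certificates in PEM format, used to verify the peer certificate when APISIX does SSL/TLS handshaking with external services (e.g. etcd)
    existingCASecret: ""
    # -- Filename to be used in the gateway.tls.existingCASecret
    certCAFilename: ""
    http2:
      enabled: true
    # -- TLS protocols allowed to use. TLSv1.0 and TLSv1.1 are deliberately excluded.
    sslProtocols: "TLSv1.2 TLSv1.3"
    # -- If set, when the client doesn't send SNI during the handshake, the fallback SNI will be used instead
    fallbackSNI: ""
  # -- API7 Gateway service settings for stream. L4 proxy (TCP/UDP)
  stream:
    enabled: false
    only: false
    tcp: []
    udp: []
  # -- Using ingress to access the API7 Gateway service
  ingress:
    enabled: false
    # -- Ingress annotations
    annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
    hosts:
      - host: apisix.local
        paths: []
    tls: []
    # - secretName: apisix-tls
    #   hosts:
    #     - chart-example.local
  # -- Override default labels assigned to API7 Gateway gateway resources
  labelsOverride: {}
  # labelsOverride:
  #   app.kubernetes.io/name: "{{ .Release.Name }}"
  #   app.kubernetes.io/instance: '{{ include "apisix.name" . }}'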
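admin:
  # -- Enable Admin API
  enabled: false
  # -- admin service type
  type: ClusterIP
  # loadBalancerClass: "my-loadbalancer-class"
  # loadBalancerIP: a.b.c.d
  # loadBalancerSourceRanges:
  #   - "143.231.0.0/16"
  # -- IPs for which nodes in the cluster will also accept traffic for the service
  externalIPs: []
  # -- which ip to listen on for API7 Gateway admin API. Set to `"[::]"` when on IPv6 single stack
  ip: 0.0.0.0
  # -- which port to use for API7 Gateway admin API
  port: 9180
  # -- Service port to use for API7 Gateway admin API
  servicePort: 9180
  # -- Admin API supports CORS response headers.
  # Only needed when a browser-based client calls the Admin API directly; CORS is not
  # an access control - the credentials and `allow.ipList` are.
  cors: true
  # -- Admin API credentials.
  # The two values below are the well-known upstream APISIX defaults and must be treated
  # as public: anyone who can reach the Admin API with them has full control of the
  # gateway. Change them before enabling the Admin API, or better, keep them out of
  # values.yaml entirely via `secretName`.
  credentials:
    # -- API7 Gateway admin API admin role credentials
    admin: edd1c9f034335f136f87ad84b625c8f1
    # -- API7 Gateway admin API viewer role credentials
    viewer: 4054f7cf07e344346cd3f287985e76a2
    # -- The APISIX Helm chart supports storing user credentials in a secret.
    # The secret needs to contain two keys, admin and viewer, with their respective values set.
    secretName: ""
  allow:
    # -- The client IP CIDRs allowed to access the API7 Gateway Admin API service.
    # `127.0.0.1/24` has host bits set and is effectively `127.0.0.0/24` (loopback only).
    # Widening this list to non-loopback ranges exposes the Admin API to those hosts.
    ipList:
      - 127.0.0.1/24
  # -- Using ingress to access the API7 Gateway admin service
  ingress:
    enabled: false
    # -- Ingress annotations
    annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
    hosts:
      - host: apisix-admin.local
        paths:
          - "/apisix"
    tls: []
    # - secretName: apisix-tls
    #   hosts:
    #     - chart-example.local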
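nginx:
  # -- Open-file limit for worker processes (nginx `worker_rlimit_nofile`)
  workerRlimitNofile: "20480"
  # -- Maximum simultaneous connections per worker (nginx `worker_connections`)
  workerConnections: "10620"
  # -- Number of worker processes; `auto` means one per available CPU
  workerProcesses: auto
  # -- Bind worker processes to CPUs
  enableCPUAffinity: true
  # -- Environment variable names nginx should preserve for its worker processes
  envs: []
# -- Set APISIX plugin attributes, see [config-default.yaml](https://github.com/apache/apisix/blob/master/conf/config-default.yaml#L376) for more details
pluginAttrs: {}
# -- Update strategy for the gateway workload
updateStrategy: {}
# type: RollingUpdate
# -- Additional `volumes`, See [Kubernetes Volumes](https://kubernetes.io/docs/concepts/storage/volumes/) for the detail.
extraVolumes: []
# - name: extras
#   emptyDir: {}
# -- Additional `volumeMounts` for the gateway container, See [Kubernetes Volumes](https://kubernetes.io/docs/concepts/storage/volumes/) for the detail.
extraVolumeMounts: []
# - name: extras
#   mountPath: /usr/share/extras
#   readOnly: true
# -- Additional `initContainers`, See [Kubernetes initContainers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) for the detail.
# Init containers run with this pod's ServiceAccount and mounted secrets; pin their image
# tags and keep them minimal.
extraInitContainers: []
# - name: init-myservice
#   image: busybox:1.28
#   command: ['sh', '-c', "until nslookup myservice.$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace).svc.cluster.local; do echo waiting for myservice; sleep 2; done"]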
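discovery:
  # -- Enable or disable API7 Gateway integration service discovery
  enabled: false
  # -- Registry is the same as the one in APISIX [config-default.yaml](https://github.com/apache/apisix/blob/master/conf/config-default.yaml#L281);
  # refer to that file for more setting details. Also refer to [this documentation for integration service discovery](https://apisix.apache.org/docs/apisix/discovery)
  registry: {}
  # Integration service discovery registry, e.g. eureka / dns / nacos / consul_kv
  # reference:
  #   https://apisix.apache.org/docs/apisix/discovery/#configuration-for-eureka
  #   https://apisix.apache.org/docs/apisix/discovery/dns/#service-discovery-via-dns
  #   https://apisix.apache.org/docs/apisix/discovery/consul_kv/#configuration-for-consul-kv
  #
  # Registry credentials embedded in the host URLs (as in the example below) end up in
  # clear text in the rendered gateway configuration; use https registry endpoints and
  # restrict who can read the release's rendered config.
  #
  # an eureka example:
  # ```
  # eureka:
  #   host:
  #     - "http://${username}:${password}@${eureka_host1}:${eureka_port1}"
  #     - "http://${username}:${password}@${eureka_host2}:${eureka_port2}"
  #   prefix: "/eureka/"
  #   fetch_interval: 30
  #   weight: 100
  #   timeout:
  #     connect: 2000
  #     send: 2000
  #     read: 5000
  # ```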
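# access log and error log configuration
logs:
  # -- Enable access log or not, default true
  enableAccessLog: true
  # -- Access log path
  accessLog: "/dev/stdout"
  # -- Access log format
  accessLogFormat: '$remote_addr - $remote_user [$time_local] $http_host \"$request\" $status $body_bytes_sent $request_time \"$http_referer\" \"$http_user_agent\" $upstream_addr $upstream_status $upstream_response_time \"$upstream_scheme://$upstream_host$upstream_uri\"'
  # -- Allows setting `json` or `default` character escaping in variables
  accessLogFormatEscape: default
  # -- Error log path
  errorLog: "/dev/stderr"
  # -- Error log level. Allowed values: `debug`, `info`, `notice`, `warn`, `error`, `crit`, `alert` or `emerg`
  errorLogLevel: "warn"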
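dns:
  # -- Resolvers used to resolve upstream hostnames.
  # The default list mixes loopback and an in-cluster address (172.20.0.10 is a typical
  # kube-dns service IP) with public resolvers (114.114.114.114, 223.5.5.5, 1.1.1.1,
  # 8.8.8.8): upstream names can be sent to third parties and internal names leak when
  # the first entries do not answer. Set this to the cluster DNS service only in production.
  resolvers:
    - 127.0.0.1
    - 172.20.0.10
    - 114.114.114.114
    - 223.5.5.5
    - 1.1.1.1
    - 8.8.8.8
  # -- Seconds a resolved record stays valid
  validity: 30
  # -- Seconds to wait for a resolver answer
  timeout: 5
initContainer:
  # -- Init container image
  image: busybox
  # -- Init container tag. Quoted so YAML keeps it a string (an unquoted `1.28` parses as a float).
  tag: "1.28"
autoscaling:
  # -- Enable a HorizontalPodAutoscaler for the gateway
  enabled: false
  # -- HPA version, the value is "v2" or "v2beta1", default "v2"
  version: v2
  minReplicas: 1
  maxReplicas: 100
  targetCPUUtilizationPercentage: 80
  targetMemoryUtilizationPercentage: 80
# -- Custom configuration snippets.
# Each snippet is injected verbatim into the generated nginx configuration at the named
# location, so whoever can set these values can reconfigure the proxy; review them as code.
configurationSnippet:
  main: |
  httpStart: |
  httpEnd: |
  httpSrv: |
  httpSrvLocation: |
  httpAdmin: |
  stream: |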
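# -- Observability configuration.
# ref: https://apisix.apache.org/docs/apisix/plugins/prometheus/
serviceMonitor:
  # -- Enable or disable the API7 Gateway serviceMonitor
  enabled: false
  # -- namespace where the serviceMonitor is deployed; by default it is the same as the namespace of apisix
  namespace: ""
  # -- name of the serviceMonitor; by default it is the same as the apisix fullname
  name: ""
  # -- interval at which metrics should be scraped
  interval: 15s
  # -- path of the metrics endpoint
  path: /apisix/prometheus/metrics
  # -- prefix of the metrics
  metricPrefix: apisix_
  # -- container port where the metrics are exposed
  containerPort: 9091
  # -- ServiceMonitor extra labels
  labels: {}
  # -- ServiceMonitor annotations
  annotations: {}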
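# -- etcd configuration
# use the FQDN address or the IP of the etcd
etcd:
  # -- install etcd(v3) by default; set false if you do not want to install etcd(v3) together
  enabled: false
  image:
    repository: api7/etcd
  # -- if etcd.enabled is false, use external etcd; multiple addresses are supported. If your etcd cluster enables TLS, please use the https scheme, e.g. https://127.0.0.1:2379.
  host:
    # host or ip e.g. http://172.20.128.89:2379
    - http://etcd.host:2379
  # -- if etcd.enabled is false, username for external etcd. If etcd.enabled is true, use etcd.auth.rbac.rootPassword instead.
  user: ""
  # -- if etcd.enabled is false, password for external etcd. If etcd.enabled is true, use etcd.auth.rbac.rootPassword instead.
  # A literal value here is stored in clear text in the Helm release; supply it through a
  # separately protected values override rather than a committed file.
  password: ""
  # -- apisix configurations prefix
  prefix: "/apisix"
  # -- Set the timeout value in seconds for subsequent socket operations from apisix to the etcd cluster
  timeout: 30
  # -- if etcd.enabled is true, set more values of the bitnami/etcd helm chart
  auth:
    rbac:
      # -- No authentication by default. Switch to enable RBAC authentication
      create: false
      # -- root password for etcd. Requires etcd.auth.rbac.create to be true.
      rootPassword: ""
    tls:
      # -- enable etcd client certificate
      enabled: false
      # -- name of the secret containing the etcd client cert
      existingSecret: ""
      # -- etcd client cert filename in etcd.auth.tls.existingSecret
      certFilename: ""
      # -- etcd client cert key filename in etcd.auth.tls.existingSecret
      certKeyFilename: ""
      # -- whether to verify the etcd endpoint certificate when setting up a TLS connection to etcd.
      # `false` accepts any server certificate, so an https etcd URL then protects only against
      # passive eavesdropping, not against an impersonated etcd. Set true and provide the CA
      # through gateway.tls.existingCASecret / certCAFilename.
      verify: false
      # -- specify the TLS Server Name Indication extension; the etcd endpoint hostname will be used when this setting is unset.
      sni: ""
  service:
    port: 2379
  replicaCount: 3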
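vault:
  # -- Enable or disable the vault integration
  enabled: false
  # -- The host address where the vault server is running.
  host: ""
  # -- HTTP timeout for each request.
  timeout: 10
  # -- The generated token from the vault instance that can grant access to read data from the vault.
  # This token is itself a credential: a literal value here is stored in clear text in the
  # Helm release, so supply it through a separately protected values override and scope
  # the token's policy to the paths the gateway actually reads.
  token: ""
  # -- Prefix allows you to better enforce policies.
  prefix: ""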
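soapProxy:
  # -- Enable or disable the SOAP proxy. This component is disabled by default;
  # when you use the soap-proxy plugin in API7, you need to enable this component.
  enabled: false
  image:
    # -- SOAP proxy image repository
    repository: api7/soap-proxy
    # -- SOAP proxy image tag
    tag: 1.0.0
    # -- SOAP proxy image pull policy
    pullPolicy: IfNotPresent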
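control:
  # -- Enable Control API
  enabled: true
  # -- which ip to listen on for Control API.
  # Kept on loopback so the Control API is reachable only from inside the pod; binding a
  # routable address exposes it to anything that can reach the pod, so keep 127.0.0.1
  # unless you front it with your own access control.
  ip: "127.0.0.1"
  # -- which port to use for Control API
  port: 9090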