API7 Gateway is a dynamic, real-time, high-performance API gateway.
API7 Gateway provides rich traffic management features such as load balancing, dynamic upstream, canary release, circuit breaking, authentication, observability, and more.
You can use API7 Gateway to handle traditional north-south traffic, as well as east-west traffic between services.
This chart bootstraps all the components needed to run API7 Gateway on a Kubernetes Cluster using Helm.
- Kubernetes v1.14+
- Helm v3+
helm repo add api7 https://charts.api7.ai
helm repo update
helm install [RELEASE_NAME] api7/gateway --namespace api7 --create-namespacehelm delete [RELEASE_NAME] --namespace api7The command removes all the Kubernetes components associated with the chart and deletes the release.
| Key | Type | Default | Description |
|---|---|---|---|
| admin.allow.ipList | list | ["127.0.0.1/24"] |
The client IP CIDR allowed to access API7 Gateway Admin API service. |
| admin.cors | bool | true |
Admin API support CORS response headers |
| admin.credentials | object | {"admin":"edd1c9f034335f136f87ad84b625c8f1","secretName":"","viewer":"4054f7cf07e344346cd3f287985e76a2"} |
Admin API credentials |
| admin.credentials.admin | string | "edd1c9f034335f136f87ad84b625c8f1" |
API7 Gateway admin API admin role credentials |
| admin.credentials.secretName | string | "" |
The APISIX Helm chart supports storing user credentials in a secret. The secret needs to contain two keys, admin and viewer, with their respective values set. |
| admin.credentials.viewer | string | "4054f7cf07e344346cd3f287985e76a2" |
API7 Gateway admin API viewer role credentials |
| admin.enabled | bool | false |
Enable Admin API |
| admin.externalIPs | list | [] |
IPs for which nodes in the cluster will also accept traffic for the servic |
| admin.ingress | object | {"annotations":{},"enabled":false,"hosts":[{"host":"apisix-admin.local","paths":["/apisix"]}],"tls":[]} |
Using ingress access API7 Gateway admin service |
| admin.ingress.annotations | object | {} |
Ingress annotations |
| admin.ip | string | "0.0.0.0" |
which ip to listen on for API7 Gateway admin API. Set to "[::]" when on IPv6 single stack |
| admin.port | int | 9180 |
which port to use for API7 Gateway admin API |
| admin.servicePort | int | 9180 |
Service port to use for API7 Gateway admin API |
| admin.type | string | "ClusterIP" |
admin service type |
| api7ee.healthcheck_report_interval | int | 120 |
healthcheck data report interval in seconds |
| api7ee.telemetry.enable | bool | true |
enable telemetry data report to the control plane |
| api7ee.telemetry.interval | int | 15 |
interval in seconds to send telemetry data to the control plane |
| api7ee.telemetry.max_metrics_size | int | 33554432 |
max size in bytes(default 32M) of the metrics data sent to the control plane, if the size exceeds, the data will be truncated |
| apisix.affinity | object | {} |
Set affinity for API7 Gateway deploy |
| apisix.customLuaSharedDicts | list | [] |
Add custom lua_shared_dict settings, click here to learn the format of a shared dict |
| apisix.customizedConfig | object | {} |
If apisix.enableCustomizedConfig is true, full customized config.yaml. Please note that other settings about APISIX config will be ignored |
| apisix.enableCustomizedConfig | bool | false |
Enable full customized config.yaml |
| apisix.enableIPv6 | bool | true |
Enable nginx IPv6 resolver |
| apisix.enableServerTokens | bool | true |
Whether the APISIX version number should be shown in Server header |
| apisix.enabled | bool | true |
Enable or disable API7 Gateway itself |
| apisix.extraEnvVars | list | [] |
extraEnvVars An array to add extra env vars e.g: extraEnvVars: - name: FOO value: "bar" - name: FOO2 valueFrom: secretKeyRef: name: SECRET_NAME key: KEY |
| apisix.extraEnvVarsCM | string | "" |
|
| apisix.extraEnvVarsSecret | string | "" |
|
| apisix.hostNetwork | bool | false |
|
| apisix.http.luaSharedDict.access-tokens | string | "1m" |
|
| apisix.http.luaSharedDict.balancer-ewma | string | "10m" |
|
| apisix.http.luaSharedDict.balancer-ewma-last-touched-at | string | "10m" |
|
| apisix.http.luaSharedDict.balancer-ewma-locks | string | "10m" |
|
| apisix.http.luaSharedDict.cas-auth | string | "10m" |
|
| apisix.http.luaSharedDict.discovery | string | "1m" |
|
| apisix.http.luaSharedDict.etcd-cluster-health-check | string | "10m" |
|
| apisix.http.luaSharedDict.ext-plugin | string | "1m" |
|
| apisix.http.luaSharedDict.internal-status | string | "10m" |
|
| apisix.http.luaSharedDict.introspection | string | "10m" |
|
| apisix.http.luaSharedDict.jwks | string | "1m" |
|
| apisix.http.luaSharedDict.lrucache-lock | string | "10m" |
|
| apisix.http.luaSharedDict.plugin-api-breaker | string | "10m" |
|
| apisix.http.luaSharedDict.plugin-graphql-limit-count | string | "10m" |
|
| apisix.http.luaSharedDict.plugin-graphql-limit-count-reset-header | string | "10m" |
|
| apisix.http.luaSharedDict.plugin-limit-conn | string | "10m" |
|
| apisix.http.luaSharedDict.plugin-limit-count | string | "10m" |
|
| apisix.http.luaSharedDict.plugin-limit-count-redis-cluster-slot-lock | string | "1m" |
|
| apisix.http.luaSharedDict.plugin-limit-req | string | "10m" |
|
| apisix.http.luaSharedDict.saml_sessions | string | "10m" |
|
| apisix.http.luaSharedDict.tars | string | "1m" |
|
| apisix.http.luaSharedDict.tracing_buffer | string | "10m" |
|
| apisix.http.luaSharedDict.upstream-healthcheck | string | "10m" |
|
| apisix.http.luaSharedDict.worker-events | string | "10m" |
|
| apisix.httpRouter | string | "radixtree_host_uri" |
Defines how apisix handles routing: - radixtree_uri: match route by uri(base on radixtree) - radixtree_host_uri: match route by host + uri(base on radixtree) - radixtree_uri_with_parameter: match route by uri with parameters |
| apisix.image.pullPolicy | string | "Always" |
API7 Gateway image pull policy |
| apisix.image.repository | string | "api7/api7-ee-3-gateway" |
API7 Gateway image repository |
| apisix.image.tag | string | "3.2.16.3" |
API7 Gateway image tag Overrides the image tag whose default is the chart appVersion. |
| apisix.kind | string | "Deployment" |
Use a DaemonSet or Deployment |
| apisix.luaModuleHook | object | {"configMapRef":{"mounts":[{"key":"","path":""}],"name":""},"enabled":false,"hookPoint":"","luaPath":""} |
Whether to add a custom lua module |
| apisix.luaModuleHook.configMapRef | object | {"mounts":[{"key":"","path":""}],"name":""} |
configmap that stores the codes |
| apisix.luaModuleHook.configMapRef.mounts[0] | object | {"key":"","path":""} |
Name of the ConfigMap key, for setting the mapping relationship between ConfigMap key and the lua module code path. |
| apisix.luaModuleHook.configMapRef.mounts[0].path | string | "" |
Filepath of the plugin code, for setting the mapping relationship between ConfigMap key and the lua module code path. |
| apisix.luaModuleHook.configMapRef.name | string | "" |
Name of the ConfigMap where the lua module codes store |
| apisix.luaModuleHook.hookPoint | string | "" |
the hook module which will be used to inject third party code into APISIX use the lua require style like: "module.say_hello" |
| apisix.luaModuleHook.luaPath | string | "" |
extend lua_package_path to load third party code |
| apisix.meta.luaSharedDict.prometheus-metrics | string | "15m" |
|
| apisix.nodeSelector | object | {} |
Node labels for API7 Gateway pod assignment |
| apisix.podAnnotations | object | {} |
Annotations to add to each pod |
| apisix.podDisruptionBudget | object | {"enabled":false,"maxUnavailable":1,"minAvailable":"90%"} |
See https://kubernetes.io/docs/tasks/run-application/configure-pdb/ for more details |
| apisix.podDisruptionBudget.enabled | bool | false |
Enable or disable podDisruptionBudget |
| apisix.podDisruptionBudget.maxUnavailable | int | 1 |
Set the maxUnavailable of podDisruptionBudget |
| apisix.podDisruptionBudget.minAvailable | string | "90%" |
Set the minAvailable of podDisruptionBudget. You can specify only one of maxUnavailable and minAvailable in a single PodDisruptionBudget. See Specifying a Disruption Budget for your Application for more details |
| apisix.podSecurityContext | object | {} |
Set the securityContext for API7 Gateway pods |
| apisix.priorityClassName | string | "" |
Set priorityClassName for API7 Gateway pods |
| apisix.replicaCount | int | 1 |
kind is DaemonSet, replicaCount not become effective |
| apisix.resources | object | {} |
Set pod resource requests & limits |
| apisix.securityContext | object | {} |
Set the securityContext for API7 Gateway container |
| apisix.setIDFromPodUID | bool | false |
Use Pod metadata.uid as the APISIX id. |
| apisix.stream.luaSharedDict.config-stream | string | "5m" |
|
| apisix.stream.luaSharedDict.etcd-cluster-health-check-stream | string | "10m" |
|
| apisix.stream.luaSharedDict.lrucache-lock-stream | string | "10m" |
|
| apisix.stream.luaSharedDict.plugin-limit-conn-stream | string | "10m" |
|
| apisix.stream.luaSharedDict.tars-stream | string | "1m" |
|
| apisix.stream.luaSharedDict.worker-events-stream | string | "10m" |
|
| apisix.timezone | string | "" |
timezone is the timezone where apisix uses. For example: "UTC" or "Asia/Shanghai" This value will be set on apisix container's environment variable TZ. You may need to set the timezone to be consistent with your local time zone, otherwise the apisix's logs may used to retrieve event maybe in wrong timezone. |
| apisix.tolerations | list | [] |
List of node taints to tolerate |
| autoscaling.enabled | bool | false |
|
| autoscaling.maxReplicas | int | 100 |
|
| autoscaling.minReplicas | int | 1 |
|
| autoscaling.targetCPUUtilizationPercentage | int | 80 |
|
| autoscaling.targetMemoryUtilizationPercentage | int | 80 |
|
| autoscaling.version | string | "v2" |
HPA version, the value is "v2" or "v2beta1", default "v2" |
| configurationSnippet | object | {"httpAdmin":"","httpEnd":"","httpSrv":"","httpSrvLocation":"","httpStart":"","main":"","stream":""} |
Custom configuration snippet. |
| deployment.certs | object | {"cert":"","cert_key":"","certsSecret":"","mTLSCACert":"","mTLSCACertSecret":""} |
certs used for certificates in decoupled mode |
| deployment.certs.cert | string | "" |
cert name in certsSecret |
| deployment.certs.cert_key | string | "" |
cert key in certsSecret |
| deployment.certs.certsSecret | string | "" |
secret name used for decoupled mode |
| deployment.certs.mTLSCACert | string | "" |
mTLS CA cert filename in mTLSCACertSecret |
| deployment.certs.mTLSCACertSecret | string | "" |
trusted_ca_cert name in certsSecret |
| deployment.controlPlane | object | {"cert":"","certKey":"","certsSecret":"","confServerPort":"9280"} |
used for control_plane deployment mode |
| deployment.controlPlane.cert | string | "" |
conf Server CA cert name in certsSecret |
| deployment.controlPlane.certKey | string | "" |
conf Server cert key name in certsSecret |
| deployment.controlPlane.certsSecret | string | "" |
secret name used by conf Server |
| deployment.controlPlane.confServerPort | string | "9280" |
conf Server address |
| deployment.dataPlane | object | {"controlPlane":{"host":[],"prefix":"/apisix","timeout":30}} |
used for data_plane deployment mode |
| deployment.dataPlane.controlPlane.host | list | [] |
The hosts of the control_plane used by the data_plane |
| deployment.dataPlane.controlPlane.prefix | string | "/apisix" |
The prefix of the control_plane used by the data_plane |
| deployment.dataPlane.controlPlane.timeout | int | 30 |
Timeout when the data plane connects to the control plane |
| deployment.mode | string | "traditional" |
API7 Gateway deployment mode Optional: traditional, decoupled ref: https://apisix.apache.org/docs/apisix/deployment-modes/ |
| deployment.role | string | "traditional" |
Deployment role Optional: traditional, data_plane, control_plane ref: https://apisix.apache.org/docs/apisix/deployment-modes/ |
| discovery.enabled | bool | false |
Enable or disable API7 Gateway integration service discovery |
| discovery.registry | object | {} |
Registry is the same to the one in APISIX config-default.yaml, and refer to such file for more setting details. also refer to this documentation for integration service discovery |
| dns.resolvers[0] | string | "127.0.0.1" |
|
| dns.resolvers[1] | string | "172.20.0.10" |
|
| dns.resolvers[2] | string | "114.114.114.114" |
|
| dns.resolvers[3] | string | "223.5.5.5" |
|
| dns.resolvers[4] | string | "1.1.1.1" |
|
| dns.resolvers[5] | string | "8.8.8.8" |
|
| dns.timeout | int | 5 |
|
| dns.validity | int | 30 |
|
| etcd | object | {"auth":{"rbac":{"create":false,"rootPassword":""},"tls":{"certFilename":"","certKeyFilename":"","enabled":false,"existingSecret":"","sni":"","verify":false}},"enabled":false,"host":["http://etcd.host:2379"],"password":"","prefix":"/apisix","replicaCount":3,"service":{"port":2379},"timeout":30,"user":""} |
etcd configuration use the FQDN address or the IP of the etcd |
| etcd.auth | object | {"rbac":{"create":false,"rootPassword":""},"tls":{"certFilename":"","certKeyFilename":"","enabled":false,"existingSecret":"","sni":"","verify":false}} |
if etcd.enabled is true, set more values of bitnami/etcd helm chart |
| etcd.auth.rbac.create | bool | false |
No authentication by default. Switch to enable RBAC authentication |
| etcd.auth.rbac.rootPassword | string | "" |
root password for etcd. Requires etcd.auth.rbac.create to be true. |
| etcd.auth.tls.certFilename | string | "" |
etcd client cert filename using in etcd.auth.tls.existingSecret |
| etcd.auth.tls.certKeyFilename | string | "" |
etcd client cert key filename using in etcd.auth.tls.existingSecret |
| etcd.auth.tls.enabled | bool | false |
enable etcd client certificate |
| etcd.auth.tls.existingSecret | string | "" |
name of the secret contains etcd client cert |
| etcd.auth.tls.sni | string | "" |
specify the TLS Server Name Indication extension, the ETCD endpoint hostname will be used when this setting is unset. |
| etcd.auth.tls.verify | bool | false |
whether to verify the etcd endpoint certificate when setup a TLS connection to etcd |
| etcd.enabled | bool | false |
install etcd(v3) by default, set false if do not want to install etcd(v3) together |
| etcd.host | list | ["http://etcd.host:2379"] |
if etcd.enabled is false, use external etcd, support multiple address, if your etcd cluster enables TLS, please use https scheme, e.g. https://127.0.0.1:2379. |
| etcd.password | string | "" |
if etcd.enabled is false, password for external etcd. If etcd.enabled is true, use etcd.auth.rbac.rootPassword instead. |
| etcd.prefix | string | "/apisix" |
apisix configurations prefix |
| etcd.timeout | int | 30 |
Set the timeout value in seconds for subsequent socket operations from apisix to etcd cluster |
| etcd.user | string | "" |
if etcd.enabled is false, username for external etcd. If etcd.enabled is true, use etcd.auth.rbac.rootPassword instead. |
| extraInitContainers | list | [] |
Additional initContainers, See Kubernetes initContainers for the detail. |
| extraVolumeMounts | list | [] |
Additional volume, See Kubernetes Volumes for the detail. |
| extraVolumes | list | [] |
Additional volume, See Kubernetes Volumes for the detail. |
| fullnameOverride | string | "" |
|
| gateway.externalIPs | list | [] |
|
| gateway.externalTrafficPolicy | string | "Cluster" |
|
| gateway.http | object | {"additionalContainerPorts":[],"containerPort":9080,"enabled":true,"servicePort":80} |
API7 Gateway service settings for http |
| gateway.http.additionalContainerPorts | list | [] |
Support multiple http ports, See Configuration |
| gateway.ingress | object | {"annotations":{},"enabled":false,"hosts":[{"host":"apisix.local","paths":[]}],"tls":[]} |
Using ingress access API7 Gateway service |
| gateway.ingress.annotations | object | {} |
Ingress annotations |
| gateway.labelsOverride | object | {} |
Override default labels assigned to API7 Gateway gateway resources |
| gateway.stream | object | {"enabled":false,"only":false,"tcp":[],"udp":[]} |
API7 Gateway service settings for stream. L4 proxy (TCP/UDP) |
| gateway.tls | object | {"additionalContainerPorts":[],"certCAFilename":"","containerPort":9443,"enabled":true,"existingCASecret":"","http2":{"enabled":true},"servicePort":443,"sslProtocols":"TLSv1.2 TLSv1.3"} |
API7 Gateway service settings for tls |
| gateway.tls.additionalContainerPorts | list | [] |
Support multiple https ports, See Configuration |
| gateway.tls.certCAFilename | string | "" |
Filename be used in the gateway.tls.existingCASecret |
| gateway.tls.existingCASecret | string | "" |
Specifies the name of Secret contains trusted CA certificates in the PEM format used to verify the certificate when APISIX needs to do SSL/TLS handshaking with external services (e.g. etcd) |
| gateway.tls.sslProtocols | string | "TLSv1.2 TLSv1.3" |
TLS protocols allowed to use. |
| gateway.type | string | "NodePort" |
API7 Gateway service type for user access itself |
| global.imagePullSecrets | list | [] |
Global Docker registry secret names as an array |
| initContainer.image | string | "busybox" |
Init container image |
| initContainer.tag | float | 1.28 |
Init container tag |
| logs.accessLog | string | "/dev/stdout" |
Access log path |
| logs.accessLogFormat | string | "$remote_addr - $remote_user [$time_local] $http_host \\\"$request\\\" $status $body_bytes_sent $request_time \\\"$http_referer\\\" \\\"$http_user_agent\\\" $upstream_addr $upstream_status $upstream_response_time \\\"$upstream_scheme://$upstream_host$upstream_uri\\\"" |
Access log format |
| logs.accessLogFormatEscape | string | "default" |
Allows setting json or default characters escaping in variables |
| logs.enableAccessLog | bool | true |
Enable access log or not, default true |
| logs.errorLog | string | "/dev/stderr" |
Error log path |
| logs.errorLogLevel | string | "warn" |
Error log level |
| nameOverride | string | "" |
|
| nginx.enableCPUAffinity | bool | true |
|
| nginx.envs | list | [] |
|
| nginx.workerConnections | string | "10620" |
|
| nginx.workerProcesses | string | "auto" |
|
| nginx.workerRlimitNofile | string | "20480" |
|
| pluginAttrs | object | {} |
Set APISIX plugin attributes, see config-default.yaml for more details |
| rbac.create | bool | false |
|
| serviceAccount.annotations | object | {} |
|
| serviceAccount.create | bool | false |
|
| serviceAccount.name | string | "" |
|
| serviceMonitor | object | {"annotations":{},"containerPort":9091,"enabled":false,"interval":"15s","labels":{},"metricPrefix":"apisix_","name":"","namespace":"","path":"/apisix/prometheus/metrics"} |
Observability configuration. ref: https://apisix.apache.org/docs/apisix/plugins/prometheus/ |
| serviceMonitor.annotations | object | {} |
@param serviceMonitor.annotations ServiceMonitor annotations |
| serviceMonitor.containerPort | int | 9091 |
container port where the metrics are exposed |
| serviceMonitor.enabled | bool | false |
Enable or disable API7 Gateway serviceMonitor |
| serviceMonitor.interval | string | "15s" |
interval at which metrics should be scraped |
| serviceMonitor.labels | object | {} |
@param serviceMonitor.labels ServiceMonitor extra labels |
| serviceMonitor.metricPrefix | string | "apisix_" |
prefix of the metrics |
| serviceMonitor.name | string | "" |
name of the serviceMonitor, by default, it is the same as the apisix fullname |
| serviceMonitor.namespace | string | "" |
namespace where the serviceMonitor is deployed, by default, it is the same as the namespace of the apisix |
| serviceMonitor.path | string | "/apisix/prometheus/metrics" |
path of the metrics endpoint |
| updateStrategy | object | {} |
|
| vault.enabled | bool | false |
Enable or disable the vault integration |
| vault.host | string | "" |
The host address where the vault server is running. |
| vault.prefix | string | "" |
Prefix allows you to better enforcement of policies. |
| vault.timeout | int | 10 |
HTTP timeout for each request. |
| vault.token | string | "" |
The generated token from vault instance that can grant access to read data from the vault. |
Remove configuration items such as plugins, stream_plugins, and custom_plugins that are no longer needed in API7 EE.
This version of the helm chart needs to be used with API7 EE gateway version 3.2.16.3 or above.