From 9d17ab98d2dbde2f8129fa28922b61c7f659fed7 Mon Sep 17 00:00:00 2001 From: thr Date: Wed, 6 Dec 2023 20:00:08 +0100 Subject: [PATCH 01/14] update wording --- microservicesruntime/helm/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/microservicesruntime/helm/values.yaml b/microservicesruntime/helm/values.yaml index e6eca9b..93be07f 100644 --- a/microservicesruntime/helm/values.yaml +++ b/microservicesruntime/helm/values.yaml @@ -250,7 +250,7 @@ tolerations: [] affinity: {} -# -- Instanciate Nginx as external LB +# -- Deploy Nginx as external LB externalLoadBalancer: false # Use persistent volume for IS packages, configuration settings and logs ... From 9e582256a2fe1adb7de101146df432143cdd84e0 Mon Sep 17 00:00:00 2001 From: thr Date: Thu, 7 Dec 2023 08:49:08 +0100 Subject: [PATCH 02/14] update git commands --- .github/workflows/gen-readme-values.yml | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/.github/workflows/gen-readme-values.yml b/.github/workflows/gen-readme-values.yml index 1e777f1..7fa2f49 100644 --- a/.github/workflows/gen-readme-values.yml +++ b/.github/workflows/gen-readme-values.yml 
@@ -22,15 +22,22 @@ jobs: with: fetch-depth: 0 + - name: Git clone + run: | + git config --global user.name "${{ github.event.head_commit.committer.name }}" + git config --global user.email "${{ github.event.head_commit.committer.email }}" + git clone git@github.com:SoftwareAG/webmethods-helm-charts.git -b ${{ github.ref_name }} + + - name: Generate Helm README Documentation with jnorwood run: | + cd webmethods-helm-charts/ sudo docker run --rm --volume "$(pwd):/helm-docs" -u $(id -u) jnorwood/helm-docs:latest - name: Push new generated README run: | - git config --global user.name "${{ github.event.head_commit.committer.name }}" - git config --global user.email "${{ github.event.head_commit.committer.email }}" + cd webmethods-helm-charts/ git add . - git commit -am "${{ github.event.head_commit.message }} // update README from values.yaml" + git commit -am "${{ github.event.head_commit.message }} and updating helm/README.me from values.yaml" git branch -M ${{ github.ref_name }} git push -f origin ${{ github.ref_name }} From ff34552559c6af4e5cddbe910a0d4aeff72ee286 Mon Sep 17 00:00:00 2001 From: thr Date: Thu, 7 Dec 2023 09:01:40 +0100 Subject: [PATCH 03/14] update doc --- universalmessaging/helm/values.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/universalmessaging/helm/values.yaml b/universalmessaging/helm/values.yaml index 0f99fb0..a30f244 100644 --- a/universalmessaging/helm/values.yaml +++ b/universalmessaging/helm/values.yaml @@ -155,6 +155,7 @@ ingress: # hosts: # - chart-example.local +# -- Define CPU und memory resources UM and Nginx containers. resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little From 7d3f9de191ff83267914c55e8141917f7194ae55 Mon Sep 17 00:00:00 2001 
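Review bot: The new `Git clone` step and the rewritten `git commit` line expand `${{ github.event.head_commit.committer.name }}`, `${{ github.event.head_commit.committer.email }}`, `${{ github.event.head_commit.message }}` and `${{ github.ref_name }}` directly inside `run:` scripts, so the values are substituted into the script text before the shell parses it. These fields are set by whoever authored the pushed commit or named the branch, and the job then force-pushes with whatever credentials it holds, so they should be treated as untrusted input. Bind them to step-level `env:` variables and reference them only as quoted shell variables, as sketched below; the sketch also covers the unchanged `git branch -M` and `git push -f` lines at the end of the hunk. Separately, the new commit message says `helm/README.me`, which looks like a typo for `README.md`.

```yaml
      - name: Git clone
        env:
          COMMITTER_NAME: ${{ github.event.head_commit.committer.name }}
          COMMITTER_EMAIL: ${{ github.event.head_commit.committer.email }}
          REF_NAME: ${{ github.ref_name }}
        run: |
          git config --global user.name "$COMMITTER_NAME"
          git config --global user.email "$COMMITTER_EMAIL"
          git clone git@github.com:SoftwareAG/webmethods-helm-charts.git -b "$REF_NAME"

      # … unchanged: Generate Helm README Documentation step …

      - name: Push new generated README
        env:
          HEAD_COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
          REF_NAME: ${{ github.ref_name }}
        run: |
          cd webmethods-helm-charts/
          git add .
          git commit -am "$HEAD_COMMIT_MESSAGE and updating helm/README.md from values.yaml"
          git branch -M "$REF_NAME"
          git push -f origin "$REF_NAME"
```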
From: thr Date: Thu, 7 Dec 2023 09:02:10 +0100 Subject: [PATCH 04/14] update doc and updating helm/README.me from values.yaml --- apigateway/helm/README.md | 211 ++++++++-------------------- microservicesruntime/helm/README.md | 23 +-- mywebmethodsserver/helm/README.md | 2 +- universalmessaging/helm/README.md | 12 +- 4 files changed, 76 insertions(+), 172 deletions(-) diff --git a/apigateway/helm/README.md b/apigateway/helm/README.md index 4c8f484..1cce9b0 100644 --- a/apigateway/helm/README.md +++ b/apigateway/helm/README.md 
@@ -1,151 +1,15 @@ -# API Gateway Cluster Helm Chart +# apigateway -## Overview +![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 10.15](https://img.shields.io/badge/AppVersion-10.15-informational?style=flat-square) -This chart sets up an API Gateway cluster which by default consists of -* 1 API Gateway cluster nodes, -* 1 ElasticSearch cluster with 1 node, -* 1 Kibana node, -* 1 Ingress providing public access to the API Gateay UI and runtime ports. +API Gateway Helm Chart for Kubernetes -![API Gateway Cluster](../docs/diagrams/api_gateway.png) +## Requirements -### TLDR; - -The minimum prerequisite that has to be fulfilled is, that the **ECK operator** is installed. See section [Prerequisites](#ECK / Elasticsearch) for details. - -You can install the default configuration of the API Gateway cluster with the following command: - -``` -helm install webmethods/apigateway -f my-values.yaml --set-file license=licenseKey.xml -``` - -This will install the API Gateway cluster with the following default configuration as depicted above. Make sure that the licenseKey.xml points to a valid license file. - -## Prerequisites - -### ECK / Elasticsearch - -This deployment uses the ECK Operator to deploy Elasticsearch. You can use Helm to deploy the operator with the following commands: - -#### Register the Elasticsearch Helm Repository - -``` -helm repo add elastic https://helm.elastic.co -helm repo update -``` - -#### Install ECK (Cluster-wide) - -``` -helm install elastic-operator elastic/eck-operator -n elastic-system --create-namespace -``` - -For more information please see: https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-install-helm.html - -## Licenses - -API Gateway requires a license file. These license is supposed to be -provided as configmap. 
- -Hence before running `helm install` create the configmap: - -``` -kubectl create configmap apigw-license-config --from-file=licenseKey.xml= -``` - -Optionally you can directly provide the license file at the time of running `helm install`: - -``` -helm install webmethods/apigateway -f my-values.yaml --set-file license=licenseKey.xml -``` - -Note: the license key config map will not be removed when the helm release is deleted. - -## Image Pull Secret - -Provide an image pull secret for the registry where the desired images for API Gateway, -ElasticSearch, and Kibana are to be pulled from. - -``` -kubectl create secret docker-registry regcred --docker-server= --docker-username= --docker-password= --docker-email= -``` - -## Access to the API Gateway cluster - -By default, this chart establishes an Ingress to provide access to the API Gateway UI and runtime ports from outside the Kubernetes cluster. -The Ingress refers to services which in turn refer to the API Gateway pods. Due to the API Gateway UI requiring sticky sessions ([see also below](#sticky-ui-sessions)) the Ingress -is configured accordingly. However this default setup works only if the Kubernetes cluster runs with the wide-spread nginx-ingress controller which -can handle sticky sessions. - -If the nginx-ingress controller is not present, or another ingress controller is preferred, an accordingly configured external load balancer can be used to -achieve sticky sessions. The chart can easily be switched to use a load balancer, for details see the [chart readme](apigateway/README.md). -When doing so, the chart will still establish an Ingress which then refers to the load balancer service, and the load balancer in turn is -configured as a proxy for the API Gateway services. - -For the latter purpose the chart comes with an nginx deployment and appropriate configuration. Please note that API Gateway does not -rely on or prefer nginx. 
In order to use a different load balancer the chart needs to be adapted manually: replace the `nginx-*.yaml` files -in the [template folder](apigateway/templates) as desired, and keep in mind to configure the load balancer with sticky sessions for the -API Gateway UI port. - -### Sticky UI sessions - -The API Gateway web interface requires sticky sessions in order to function correctly. This is achieved by configuring the API Gateway service -for the UI port as well as the Ingress with sticky behaviour. The relevant parts of the service and the Ingress look like this: - -``` ---- -# apigateway-ui-svc.yaml -apiVersion: v1 -kind: Service -spec: - sessionAffinity: ClientIP - sessionAffinityConfig: - clientIP: - timeoutSeconds: 1000 - ---- -# apigateway-ingress.yaml -apiVersion: extensions/v1beta1 -kind: Ingress -metadata: - annotations: - nginx.ingress.kubernetes.io/affinity: "cookie" -``` - -Note, if you are using the default configuration and nginx as your ingress controller, sticky sessions will be enabled by default for the UI port and ingress. Change the ingress annotations accordingly for other ingress controllers like Traefik. - - -## Using an external load balancer - -The Ingress provides two entrypoints for accessing the API Gateway cluster, one for the UI port to -allow access to the administration UI, and another one for the runtime port to allow for example REST access -to the services. - -The API Gateway UI requires session stickiness and therefore both the Ingress and the Kubernetes -service in front of the API Gateway pods are correspondingly configured. - -In some cases, typically if the nginx-ingress controller is not available in the Kubernetes system, the stickiness -settings are not correctly respected, and the API Gateway UI will not work. In particular the login to the UI -will fail. - -This can be handled by using an external load balancer which is configured to use the API Gateway as -backend. 
And the Ingress is then defined against the load balancer service. - -In order to enable the external load balancer provide the following configuration value: - -``` ---set loadBalancer.enabled=true -``` - -## TLS for API Gateway - -If desired you may deploy API Gateway with your own TLS key and cert. The Template contains a TLS manifest which will look for the keys: ingress.tls.key and ingress.tls.cert. In your deployment environment you can redirect the output of a certificate and key file (e.g. using secure files from Azure) and directly deploy the TLS configuration for the API Gateway. - -```bash -helm upgrade -i -f myvalues.yaml --set ingress.tls.key="$( /usr/share/message"] postStart: exec: command: ["/bin/sh", "-c", "echo Hello from the postStart handler > /usr/share/message"] | | metering.accumulationPeriod | string | `"1800"` | The period in seconds for which data is accumulated before a log record is produced. | | metering.enabled | bool | `true` | enable metering | @@ -259,7 +157,10 @@ helm upgrade -i -f myvalues.yaml --set ingress.tls.key="$(-apigateway-sag-user-es. Adjust accordingly if your release name is different. | | prometheus.path | string | `"/metrics"` | | | prometheus.port | string | `"5555"` | | | prometheus.scheme | string | `"http"` | | @@ -273,11 +174,15 @@ helm upgrade -i -f myvalues.yaml --set ingress.tls.key="$( +kubectl create configmap microservicesruntime-license-key --from-file=licenseKey.xml= ``` -Optionally you can also provide the license directly when installing your release (see also below). - - ## Examples for Use-cases Sub-folder `examples` contains some *values* examples for more use-cases. To use the use-case, adapt and add the provided `values.yaml` to your values. 
@@ -64,12 +61,6 @@ Install release with pulling image and setting secret (to pull image) ... helm install wm-msr webmethods/microservicesruntime \ ``` -... (optionally) provide the license key at installation time (can be ommitted for upgrade later) - -```shell ---set-file=licensekey= -``` - ... Ingress is enabled per default. Define Ingress service host ... ```shell @@ -96,12 +87,12 @@ helm install wm-msr webmethods/microservicesruntime \ | autoscaling.minReplicas | int | `1` | | | autoscaling.targetCPUUtilizationPercentage | int | `80` | | | containerName | string | `nil` | The name of the main container, by default this will be msr- | -| externalLoadBalancer | bool | `false` | Instanciate Nginx as external LB | +| externalLoadBalancer | bool | `false` | Deploy Nginx as external LB | | extraCommand | string | `""` | Extra command, which is executed before the startContainer entrypoint script of the Microservice Runtime | | extraConfigMaps | list | `[]` | Extra config maps for addtional configurations such as extra ports, etc. | -| extraContainers | list | `[]` | Extra containers which should run in addtion to the main container as a sidecar | +| extraContainers | list | `[]` | Extra containers which should run in addtion to the main container as a sidecar - name: do-something image: busybox command: ['do', 'something'] | | extraEnvs | list | `[]` | Exta environment properties to be passed on to the microservice runtime | -| extraInitContainers | list | `[]` | Extra init containers that are executed before starting the main container | +| extraInitContainers | list | `[]` | Extra init containers that are executed before starting the main container - name: do-something image: busybox command: ['do', 'something'] | | extraLabels | object | `{}` | Extra Labels | | extraPorts | list | `[]` | Extra Ports to be defined, note: these ports need to be created | | extraVolumeMounts | list | `[]` | Extra volume mounts | 
@@ -171,7 +162,7 @@ helm install wm-msr webmethods/microservicesruntime \ | service.port | int | `5555` | | | service.type | string | `"ClusterIP"` | | | serviceAccount.annotations | object | `{}` | Annotations to add to the service account | -| serviceAccount.create | bool | `true` | Specifies whether a service account should be created | +| serviceAccount.create | bool | `false` | Specifies whether a service account should be created | | serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | | startupProbe | object | `{"failureThreshold":60,"periodSeconds":30,"tcpSocket":{"port":"http"}}` | startup probe for container | | statefulSet | bool | `false` | StatefulSet or Deployment. You should only change this if you require Client Side queuing (CSQ) or functionality in IS which requires stable hostnames and filesystems. Default is false => Deployment. Keep in mind, you must disable CSQ on each webMethods messaging and JMS connection if you don't use stateful-sets. See examples in Process Engine deployment for disableing QSC. | diff --git a/mywebmethodsserver/helm/README.md b/mywebmethodsserver/helm/README.md index eb3e7b7..5a82148 100644 --- a/mywebmethodsserver/helm/README.md +++ b/mywebmethodsserver/helm/README.md 
@@ -52,7 +52,7 @@ helm install wm-mws microservicesruntime | extraContainers | string | `nil` | Extra containers which should run in addtion to the main container as a sidecar - name: do-something image: busybox command: ['do', 'something'] | | extraEnvs | object | `{}` | Exta environment properties to be passed on to the MyWebMethods Server | | extraInitContainers | list | `[]` | Extra init containers that are executed before starting the main container - name: do-something image: busybox command: ['do', 'something'] | -| extraLabels | object | `{}` | Extra Labels | +| extraLabels | object | `{}` | Extra Labels for API Gateway | | extraVolumeClaimTemplates | list | `[]` | Exta volumes that should be mounted. Example: - metadata: name: shared-volume spec: accessModes: ["ReadWriteMany"] storageClassName: nfs resources: requests: storage: 10 | | extraVolumeMounts | list | `[]` | Extra volume mounts - name: extras mountPath: /usr/share/extras readOnly: true | | fullnameOverride | string | `""` | Overwrites full workload name. As default, the workload name is release name + '-' + Chart name. | diff --git a/universalmessaging/helm/README.md b/universalmessaging/helm/README.md index 71100b7..51c3de2 100644 --- a/universalmessaging/helm/README.md +++ b/universalmessaging/helm/README.md 
@@ -38,13 +38,21 @@ Install release helm install um webmethods/universalmessaging ``` +## Version History + +| Version | Changes and Description | +|-----|------| +| `1.0.0' | Initial release | +| `1.0.1' | Update JMX Exporter configuration file with . Bigfix: Mount configuration files into container. Nginx added. | + ## Values | Key | Type | Default | Description | |-----|------|---------|-------------| | affinity | object | `{}` | | | customMetricExporterConfig | object | `{"content":""}` | Custom metric JMX exporter configuration. Overwriting the default content of file [jmx_exporter.yaml](./files/jmx_exporter.yaml). See [Prometheus JMX exporter configuration](https://github.com/SoftwareAG/universalmessaging-prometheus-jmx-exporter-config) for more configuration samples. | -| customServerConfig | object | `{"content":""}` | Custom server configuration file | +| customServerConfig | object | `{"content":""}` | Custom server configuration file. Overwriting the content of file `Custom_Server_Common.conf` in container. | +| externalLoadBalancer | bool | `false` | Deploy Nginx as external LB. The LB will be configured to dispatch incoming requests to all `replicaCount` replicas. Nginx is configured by example from [Universal Messaging documentation](https://documentation.softwareag.com/universal_messaging/num10-15/webhelp/num-webhelp/#page/num-webhelp%2Fre-configure_nginx_to_serve_http_requests.html%23) | | extraConfigMaps | list | `[]` | Extra config maps for additional configurations such as extra ports, etc. | | extraContainers | list | `[]` | Extra containers which should run in addition to the main container as a sidecar | | extraEnvs | object | `{}` | Exta environment properties to be passed on to the container | 
@@ -77,7 +85,7 @@ helm install um webmethods/universalmessaging | podSecurityContext.fsGroup | int | `1724` | | | readinessProbe | object | `{"failureThreshold":5,"periodSeconds":15,"successThreshold":1,"timeoutSeconds":60}` | Configure readiness probe | | replicaCount | int | `1` | Number of replicas | -| resources | object | `{}` | | +| resources | object | `{}` | Define CPU und memory resources UM and Nginx containers. | | securityContext | object | `{}` | | | service.metricPort | int | `9200` | Metrics port | | service.port | int | `9000` | Universal Messaging default port | From 8648aea98402af667de620f058243c04b787284f Mon Sep 17 00:00:00 2001 From: thr Date: Thu, 7 Dec 2023 09:12:59 +0100 Subject: [PATCH 05/14] update docu --- mywebmethodsserver/helm/values.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/mywebmethodsserver/helm/values.yaml b/mywebmethodsserver/helm/values.yaml index f52dd56..a0d7ec2 100644 --- a/mywebmethodsserver/helm/values.yaml +++ b/mywebmethodsserver/helm/values.yaml @@ -19,7 +19,7 @@ fullnameOverride: "" serviceAccount: create: false -# -- Extra Labels for API Gateway +# -- Extra Labels extraLabels: {} # -- Exta environment properties to be passed on to the MyWebMethods Server @@ -110,6 +110,7 @@ ingress: # hosts: # - chart-example.local +# -- Define CPU and memory resources for container resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little From b7a55568bde1a6468635edb61cfbac2369e14c37 Mon Sep 17 00:00:00 2001 From: thr Date: Thu, 7 Dec 2023 09:41:31 +0100 Subject: [PATCH 06/14] update license key handling --- microservicesruntime/helm/README.md.gotmpl | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/microservicesruntime/helm/README.md.gotmpl b/microservicesruntime/helm/README.md.gotmpl index 83eea35..62fe680 100644 
--- a/microservicesruntime/helm/README.md.gotmpl +++ b/microservicesruntime/helm/README.md.gotmpl @@ -33,9 +33,11 @@ Microservices Runtime requires a license file. These license is supposed to be p Hence before running `helm install`, create the configmap: ``` -kubectl create configmap microservicesruntime-license-key --from-file=licenseKey.xml= +kubectl create configmap microservicesruntime-license-key --from-file=licensekey= ``` +Optionally you can also provide the license directly when installing your release (see also below). + ## Examples for Use-cases Sub-folder `examples` contains some *values* examples for more use-cases. To use the use-case, adapt and add the provided `values.yaml` to your values. @@ -61,6 +63,12 @@ Install release with pulling image and setting secret (to pull image) ... helm install wm-msr webmethods/microservicesruntime \ ``` +... (optionally) provide the license key at installation time (can be ommitted for upgrade later) + +```shell +--set-file=licensekey= +``` + ... Ingress is enabled per default. Define Ingress service host ... ```shell From 2653e9d148280fa9d24daa7b23c48e2b418d1d4f Mon Sep 17 00:00:00 2001 From: thr Date: Thu, 7 Dec 2023 10:02:13 +0100 Subject: [PATCH 07/14] Revert "update doc and updating helm/README.me from values.yaml" This reverts commit 7d3f9de191ff83267914c55e8141917f7194ae55. --- apigateway/helm/README.md | 211 ++++++++++++++++++++-------- microservicesruntime/helm/README.md | 23 ++- mywebmethodsserver/helm/README.md | 2 +- universalmessaging/helm/README.md | 12 +- 4 files changed, 172 insertions(+), 76 deletions(-) diff --git a/apigateway/helm/README.md b/apigateway/helm/README.md index 1cce9b0..4c8f484 100644 --- a/apigateway/helm/README.md +++ b/apigateway/helm/README.md 
@@ -1,15 +1,151 @@ -# apigateway +# API Gateway Cluster Helm Chart -![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 10.15](https://img.shields.io/badge/AppVersion-10.15-informational?style=flat-square) +## Overview -API Gateway Helm Chart for Kubernetes +This chart sets up an API Gateway cluster which by default consists of +* 1 API Gateway cluster nodes, +* 1 ElasticSearch cluster with 1 node, +* 1 Kibana node, +* 1 Ingress providing public access to the API Gateay UI and runtime ports. -## Requirements +![API Gateway Cluster](../docs/diagrams/api_gateway.png) -| Repository | Name | Version | -|------------|------|---------| -| https://open-source.softwareag.com/webmethods-helm-charts/charts | common | 1.x.x | -| https://prometheus-community.github.io/helm-charts | prometheus-elasticsearch-exporter | 5.0.0 | +### TLDR; + +The minimum prerequisite that has to be fulfilled is, that the **ECK operator** is installed. See section [Prerequisites](#ECK / Elasticsearch) for details. + +You can install the default configuration of the API Gateway cluster with the following command: + +``` +helm install webmethods/apigateway -f my-values.yaml --set-file license=licenseKey.xml +``` + +This will install the API Gateway cluster with the following default configuration as depicted above. Make sure that the licenseKey.xml points to a valid license file. + +## Prerequisites + +### ECK / Elasticsearch + +This deployment uses the ECK Operator to deploy Elasticsearch. 
You can use Helm to deploy the operator with the following commands: + +#### Register the Elasticsearch Helm Repository + +``` +helm repo add elastic https://helm.elastic.co +helm repo update +``` + +#### Install ECK (Cluster-wide) + +``` +helm install elastic-operator elastic/eck-operator -n elastic-system --create-namespace +``` + +For more information please see: https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-install-helm.html + +## Licenses + +API Gateway requires a license file. These license is supposed to be +provided as configmap. + +Hence before running `helm install` create the configmap: + +``` +kubectl create configmap apigw-license-config --from-file=licenseKey.xml= +``` + +Optionally you can directly provide the license file at the time of running `helm install`: + +``` +helm install webmethods/apigateway -f my-values.yaml --set-file license=licenseKey.xml +``` + +Note: the license key config map will not be removed when the helm release is deleted. + +## Image Pull Secret + +Provide an image pull secret for the registry where the desired images for API Gateway, +ElasticSearch, and Kibana are to be pulled from. + +``` +kubectl create secret docker-registry regcred --docker-server= --docker-username= --docker-password= --docker-email= +``` + +## Access to the API Gateway cluster + +By default, this chart establishes an Ingress to provide access to the API Gateway UI and runtime ports from outside the Kubernetes cluster. +The Ingress refers to services which in turn refer to the API Gateway pods. Due to the API Gateway UI requiring sticky sessions ([see also below](#sticky-ui-sessions)) the Ingress +is configured accordingly. However this default setup works only if the Kubernetes cluster runs with the wide-spread nginx-ingress controller which +can handle sticky sessions. 
+ +If the nginx-ingress controller is not present, or another ingress controller is preferred, an accordingly configured external load balancer can be used to +achieve sticky sessions. The chart can easily be switched to use a load balancer, for details see the [chart readme](apigateway/README.md). +When doing so, the chart will still establish an Ingress which then refers to the load balancer service, and the load balancer in turn is +configured as a proxy for the API Gateway services. + +For the latter purpose the chart comes with an nginx deployment and appropriate configuration. Please note that API Gateway does not +rely on or prefer nginx. In order to use a different load balancer the chart needs to be adapted manually: replace the `nginx-*.yaml` files +in the [template folder](apigateway/templates) as desired, and keep in mind to configure the load balancer with sticky sessions for the +API Gateway UI port. + +### Sticky UI sessions + +The API Gateway web interface requires sticky sessions in order to function correctly. This is achieved by configuring the API Gateway service +for the UI port as well as the Ingress with sticky behaviour. The relevant parts of the service and the Ingress look like this: + +``` +--- +# apigateway-ui-svc.yaml +apiVersion: v1 +kind: Service +spec: + sessionAffinity: ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 1000 + +--- +# apigateway-ingress.yaml +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + annotations: + nginx.ingress.kubernetes.io/affinity: "cookie" +``` + +Note, if you are using the default configuration and nginx as your ingress controller, sticky sessions will be enabled by default for the UI port and ingress. Change the ingress annotations accordingly for other ingress controllers like Traefik. 
+ + +## Using an external load balancer + +The Ingress provides two entrypoints for accessing the API Gateway cluster, one for the UI port to +allow access to the administration UI, and another one for the runtime port to allow for example REST access +to the services. + +The API Gateway UI requires session stickiness and therefore both the Ingress and the Kubernetes +service in front of the API Gateway pods are correspondingly configured. + +In some cases, typically if the nginx-ingress controller is not available in the Kubernetes system, the stickiness +settings are not correctly respected, and the API Gateway UI will not work. In particular the login to the UI +will fail. + +This can be handled by using an external load balancer which is configured to use the API Gateway as +backend. And the Ingress is then defined against the load balancer service. + +In order to enable the external load balancer provide the following configuration value: + +``` +--set loadBalancer.enabled=true +``` + +## TLS for API Gateway + +If desired you may deploy API Gateway with your own TLS key and cert. The Template contains a TLS manifest which will look for the keys: ingress.tls.key and ingress.tls.cert. In your deployment environment you can redirect the output of a certificate and key file (e.g. using secure files from Azure) and directly deploy the TLS configuration for the API Gateway. + +```bash +helm upgrade -i -f myvalues.yaml --set ingress.tls.key="$( /usr/share/message"] postStart: exec: command: ["/bin/sh", "-c", "echo Hello from the postStart handler > /usr/share/message"] | | metering.accumulationPeriod | string | `"1800"` | The period in seconds for which data is accumulated before a log record is produced. | | metering.enabled | bool | `true` | enable metering | 
@@ -157,10 +259,7 @@ API Gateway Helm Chart for Kubernetes | nodeSelector | object | `{}` | | | podAnnotations | object | `{}` | | | podSecurityContext | object | `{}` | | -| prometheus-elasticsearch-exporter | object | `{"enabled":true,"es":{"uri":"http://$(ES_USER):$(ES_PASSWORD)@apigw-apigateway-es-http:9200"},"extraEnvSecrets":{"ES_PASSWORD":{"key":"password","secret":"apigw-apigateway-sag-user-es"},"ES_USER":{"key":"username","secret":"apigw-apigateway-sag-user-es"}},"serviceMonitor":{"enabled":true}}` | Elasticsearch exporter settings. See https://github.com/prometheus-community/elasticsearch_exporter for details. | -| prometheus-elasticsearch-exporter.enabled | bool | `true` | Deploy the prometheus exporter for elasticsearch | -| prometheus-elasticsearch-exporter.es.uri | string | `"http://$(ES_USER):$(ES_PASSWORD)@apigw-apigateway-es-http:9200"` | The uri of the elasticsearch service. By default this is null and the environment variable ES_URI is used instead. Overwrite this if you are using an external Elasticsearch instance | -| prometheus-elasticsearch-exporter.extraEnvSecrets | object | `{"ES_PASSWORD":{"key":"password","secret":"apigw-apigateway-sag-user-es"},"ES_USER":{"key":"username","secret":"apigw-apigateway-sag-user-es"}}` | secret for elasticsearch user. Will need to adjust the secret's name. By default the secret name is -apigateway-sag-user-es. Adjust accordingly if your release name is different. | +| prometheus-elasticsearch-exporter.es.uri | string | `"{{ .Release.Name }}-apigateway-es-http:9200"` | | | prometheus.path | string | `"/metrics"` | | | prometheus.port | string | `"5555"` | | | prometheus.scheme | string | `"http"` | | 
@@ -174,15 +273,11 @@ API Gateway Helm Chart for Kubernetes | resources.apigwInitContainer.limits.memory | string | `"100Mi"` | | | resources.apigwInitContainer.requests.cpu | string | `"100m"` | | | resources.apigwInitContainer.requests.memory | string | `"50Mi"` | | -| secrets | object | `{"generateAdminSecret":true,"generateElasticSecrets":true}` | Controls if secrets should be generated automatically. | | securityContext | object | `{}` | | | service.port | int | `80` | | | service.type | string | `"ClusterIP"` | | | serviceAccount.annotations | object | `{}` | Annotations to add to the service account | -| serviceAccount.create | bool | `true` | - apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: {{ include "common.names.roleName" . }} rules: - apiGroups: - "" resources: - pods - endpoints verbs: - get - list - watch | +| serviceAccount.create | bool | `true` | Specifies whether a service account should be created | | serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | | serviceAccount.roleName | string | `""` | | -| tolerations | list | `[]` | | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) +| tolerations | list | `[]` | | \ No newline at end of file diff --git a/microservicesruntime/helm/README.md b/microservicesruntime/helm/README.md index 12b5249..469d6e3 100644 --- a/microservicesruntime/helm/README.md +++ b/microservicesruntime/helm/README.md 
@@ -20,11 +20,11 @@ A Service Monitor CRD can be created optional. Anywhere, the custom kind `Servic kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/main/bundle.yaml ``` -### Create Image for Microservices Runtime +### Build Image for Microservices Runtime The default is to pull the image from Software AG Containers Registry `sagcr.azurecr.io/webmethods-microservicesruntime`. -If you need to create an own image with additional webMethods product components, you can use the utility [image-creator-using-Azure-DevOps](../../utils/image-creator-using-azure-devops/README.md). On starting the pipeline, you can define a list of product components. You should set in field `List of product components ...` the value `MSC,PIEContainerExternalRDBMS` (as minimum) to create an image with product Microservices Runtime and Database Drivers to connect external databases. +If you need to build an own image with additional webMethods product components, you can use the utility [image-builder-using-Azure-DevOps](../../utils/image-builder-using-azure-devops/README.md). On starting the pipeline, you can define a list of product components. You should set in field `List of product components ...` the value `MSC,PIEContainerExternalRDBMS` (as minimum) to create an image with product Microservices Runtime and Database Drivers to connect external databases. ### Licenses 
@@ -33,9 +33,12 @@ Microservices Runtime requires a license file. These license is supposed to be p Hence before running `helm install`, create the configmap: ``` -kubectl create configmap microservicesruntime-license-key --from-file=licenseKey.xml= +kubectl create configmap microservicesruntime-license-key --from-file=licensekey= ``` +Optionally you can also provide the license directly when installing your release (see also below). + + ## Examples for Use-cases Sub-folder `examples` contains some *values* examples for more use-cases. To use the use-case, adapt and add the provided `values.yaml` to your values. @@ -61,6 +64,12 @@ Install release with pulling image and setting secret (to pull image) ... helm install wm-msr webmethods/microservicesruntime \ ``` +... (optionally) provide the license key at installation time (can be ommitted for upgrade later) + +```shell +--set-file=licensekey= +``` + ... Ingress is enabled per default. Define Ingress service host ... ```shell 
@@ -87,12 +96,12 @@ helm install wm-msr webmethods/microservicesruntime \
 | autoscaling.minReplicas | int | `1` | |
 | autoscaling.targetCPUUtilizationPercentage | int | `80` | |
 | containerName | string | `nil` | The name of the main container, by default this will be msr- |
-| externalLoadBalancer | bool | `false` | Deploy Nginx as external LB |
+| externalLoadBalancer | bool | `false` | Instanciate Nginx as external LB |
 | extraCommand | string | `""` | Extra command, which is executed before the startContainer entrypoint script of the Microservice Runtime |
 | extraConfigMaps | list | `[]` | Extra config maps for addtional configurations such as extra ports, etc. |
-| extraContainers | list | `[]` | Extra containers which should run in addtion to the main container as a sidecar - name: do-something image: busybox command: ['do', 'something'] |
+| extraContainers | list | `[]` | Extra containers which should run in addtion to the main container as a sidecar |
 | extraEnvs | list | `[]` | Exta environment properties to be passed on to the microservice runtime |
-| extraInitContainers | list | `[]` | Extra init containers that are executed before starting the main container - name: do-something image: busybox command: ['do', 'something'] |
+| extraInitContainers | list | `[]` | Extra init containers that are executed before starting the main container |
 | extraLabels | object | `{}` | Extra Labels |
 | extraPorts | list | `[]` | Extra Ports to be defined, note: these ports need to be created |
 | extraVolumeMounts | list | `[]` | Extra volume mounts |
@@ -162,7 +171,7 @@ helm install wm-msr webmethods/microservicesruntime \
 | service.port | int | `5555` | |
 | service.type | string | `"ClusterIP"` | |
 | serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
-| serviceAccount.create | bool | `false` | Specifies whether a service account should be created |
+| serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
 | serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
 | startupProbe | object | `{"failureThreshold":60,"periodSeconds":30,"tcpSocket":{"port":"http"}}` | startup probe for container |
 | statefulSet | bool | `false` | StatefulSet or Deployment. You should only change this if you require Client Side queuing (CSQ) or functionality in IS which requires stable hostnames and filesystems. Default is false => Deployment. Keep in mind, you must disable CSQ on each webMethods messaging and JMS connection if you don't use stateful-sets. See examples in Process Engine deployment for disableing QSC. |
diff --git a/mywebmethodsserver/helm/README.md b/mywebmethodsserver/helm/README.md
index 5a82148..eb3e7b7 100644
--- a/mywebmethodsserver/helm/README.md
+++ b/mywebmethodsserver/helm/README.md
@@ -52,7 +52,7 @@ helm install wm-mws microservicesruntime
 | extraContainers | string | `nil` | Extra containers which should run in addtion to the main container as a sidecar - name: do-something image: busybox command: ['do', 'something'] |
 | extraEnvs | object | `{}` | Exta environment properties to be passed on to the MyWebMethods Server |
 | extraInitContainers | list | `[]` | Extra init containers that are executed before starting the main container - name: do-something image: busybox command: ['do', 'something'] |
-| extraLabels | object | `{}` | Extra Labels for API Gateway |
+| extraLabels | object | `{}` | Extra Labels |
 | extraVolumeClaimTemplates | list | `[]` | Exta volumes that should be mounted. Example: - metadata: name: shared-volume spec: accessModes: ["ReadWriteMany"] storageClassName: nfs resources: requests: storage: 10 |
 | extraVolumeMounts | list | `[]` | Extra volume mounts - name: extras mountPath: /usr/share/extras readOnly: true |
 | fullnameOverride | string | `""` | Overwrites full workload name. As default, the workload name is release name + '-' + Chart name. |
diff --git a/universalmessaging/helm/README.md b/universalmessaging/helm/README.md
index 51c3de2..71100b7 100644
--- a/universalmessaging/helm/README.md
+++ b/universalmessaging/helm/README.md
@@ -38,21 +38,13 @@ Install release helm install um webmethods/universalmessaging ``` -## Version History - -| Version | Changes and Description | -|-----|------| -| `1.0.0' | Initial release | -| `1.0.1' | Update JMX Exporter configuration file with . Bigfix: Mount configuration files into container. Nginx added. | - ## Values | Key | Type | Default | Description | |-----|------|---------|-------------| | affinity | object | `{}` | | | customMetricExporterConfig | object | `{"content":""}` | Custom metric JMX exporter configuration. Overwriting the default content of file [jmx_exporter.yaml](./files/jmx_exporter.yaml). See [Prometheus JMX exporter configuration](https://github.com/SoftwareAG/universalmessaging-prometheus-jmx-exporter-config) for more configuration samples. | -| customServerConfig | object | `{"content":""}` | Custom server configuration file. Overwriting the content of file `Custom_Server_Common.conf` in container. | -| externalLoadBalancer | bool | `false` | Deploy Nginx as external LB. The LB will be configured to dispatch incoming requests to all `replicaCount` replicas. Nginx is configured by example from [Universal Messaging documentation](https://documentation.softwareag.com/universal_messaging/num10-15/webhelp/num-webhelp/#page/num-webhelp%2Fre-configure_nginx_to_serve_http_requests.html%23) | +| customServerConfig | object | `{"content":""}` | Custom server configuration file | | extraConfigMaps | list | `[]` | Extra config maps for additional configurations such as extra ports, etc. | | extraContainers | list | `[]` | Extra containers which should run in addition to the main container as a sidecar | | extraEnvs | object | `{}` | Exta environment properties to be passed on to the container | 
@@ -85,7 +77,7 @@ helm install um webmethods/universalmessaging
 | podSecurityContext.fsGroup | int | `1724` | |
 | readinessProbe | object | `{"failureThreshold":5,"periodSeconds":15,"successThreshold":1,"timeoutSeconds":60}` | Configure readiness probe |
 | replicaCount | int | `1` | Number of replicas |
-| resources | object | `{}` | Define CPU und memory resources UM and Nginx containers. |
+| resources | object | `{}` | |
 | securityContext | object | `{}` | |
 | service.metricPort | int | `9200` | Metrics port |
 | service.port | int | `9000` | Universal Messaging default port |
From 47e98bc015dd07fea26354c5c9cb4479fb3ab372 Mon Sep 17 00:00:00 2001
From: thr
Date: Thu, 7 Dec 2023 10:10:40 +0100
Subject: [PATCH 08/14] update from values.yaml
---
 microservicesruntime/helm/README.md | 13 ++++++-------
 microservicesruntime/helm/README.md.gotmpl | 7 +++----
 mywebmethodsserver/helm/README.md | 2 +-
 universalmessaging/helm/README.md | 5 +++--
 4 files changed, 13 insertions(+), 14 deletions(-)
diff --git a/microservicesruntime/helm/README.md b/microservicesruntime/helm/README.md
index 469d6e3..1a4d131 100644
--- a/microservicesruntime/helm/README.md
+++ b/microservicesruntime/helm/README.md
@@ -20,11 +20,11 @@ A Service Monitor CRD can be created optional. Anywhere, the custom kind `Servic kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/main/bundle.yaml ``` -### Build Image for Microservices Runtime +### Create Image for Microservices Runtime The default is to pull the image from Software AG Containers Registry `sagcr.azurecr.io/webmethods-microservicesruntime`. -If you need to build an own image with additional webMethods product components, you can use the utility [image-builder-using-Azure-DevOps](../../utils/image-builder-using-azure-devops/README.md). On starting the pipeline, you can define a list of product components. You should set in field `List of product components ...` the value `MSC,PIEContainerExternalRDBMS` (as minimum) to create an image with product Microservices Runtime and Database Drivers to connect external databases. +If you need to create an own image with additional webMethods product components, you can use the utility [image-creator-using-Azure-DevOps](../../utils/image-creator-using-azure-devops/README.md). On starting the pipeline, you can define a list of product components. You should set in field `List of product components ...` the value `MSC,PIEContainerExternalRDBMS` (as minimum) to create an image with product Microservices Runtime and Database Drivers to connect external databases. ### Licenses @@ -38,7 +38,6 @@ kubectl create configmap microservicesruntime-license-key --from-file=licensekey Optionally you can also provide the license directly when installing your release (see also below). - ## Examples for Use-cases Sub-folder `examples` contains some *values* examples for more use-cases. To use the use-case, adapt and add the provided `values.yaml` to your values. 
@@ -96,12 +95,12 @@ helm install wm-msr webmethods/microservicesruntime \
 | autoscaling.minReplicas | int | `1` | |
 | autoscaling.targetCPUUtilizationPercentage | int | `80` | |
 | containerName | string | `nil` | The name of the main container, by default this will be msr- |
-| externalLoadBalancer | bool | `false` | Instanciate Nginx as external LB |
+| externalLoadBalancer | bool | `false` | Deploy Nginx as external LB |
 | extraCommand | string | `""` | Extra command, which is executed before the startContainer entrypoint script of the Microservice Runtime |
 | extraConfigMaps | list | `[]` | Extra config maps for addtional configurations such as extra ports, etc. |
-| extraContainers | list | `[]` | Extra containers which should run in addtion to the main container as a sidecar |
+| extraContainers | list | `[]` | Extra containers which should run in addtion to the main container as a sidecar - name: do-something image: busybox command: ['do', 'something'] |
 | extraEnvs | list | `[]` | Exta environment properties to be passed on to the microservice runtime |
-| extraInitContainers | list | `[]` | Extra init containers that are executed before starting the main container |
+| extraInitContainers | list | `[]` | Extra init containers that are executed before starting the main container - name: do-something image: busybox command: ['do', 'something'] |
 | extraLabels | object | `{}` | Extra Labels |
 | extraPorts | list | `[]` | Extra Ports to be defined, note: these ports need to be created |
 | extraVolumeMounts | list | `[]` | Extra volume mounts |
@@ -171,7 +170,7 @@ helm install wm-msr webmethods/microservicesruntime \ | service.port | int | `5555` | | | service.type | string | `"ClusterIP"` | | | serviceAccount.annotations | object | `{}` | Annotations to add to the service account | -| serviceAccount.create | bool | `true` | Specifies whether a service account should be created | +| serviceAccount.create | bool | `false` | Specifies whether a service account should be created | | serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | | startupProbe | object | `{"failureThreshold":60,"periodSeconds":30,"tcpSocket":{"port":"http"}}` | startup probe for container | | statefulSet | bool | `false` | StatefulSet or Deployment. You should only change this if you require Client Side queuing (CSQ) or functionality in IS which requires stable hostnames and filesystems. Default is false => Deployment. Keep in mind, you must disable CSQ on each webMethods messaging and JMS connection if you don't use stateful-sets. See examples in Process Engine deployment for disableing QSC. | diff --git a/microservicesruntime/helm/README.md.gotmpl b/microservicesruntime/helm/README.md.gotmpl index 62fe680..2f9428c 100644 --- a/microservicesruntime/helm/README.md.gotmpl +++ b/microservicesruntime/helm/README.md.gotmpl @@ -1,6 +1,6 @@ # webMethods Microservices Runtime Helm Chart -This Helm Chart installs and configures a Microservices Runtime (MSR) container. It is starting with a simple example and provides more complex scenarios in the *Examples for Use-cases* section. +This Helm Chart installs and configures a Microservices Runtime (MSR) container. It is starting with a simple example and provides more complex scenarios in the *Examples for Use-cases* section. ## Prerequisites 
@@ -14,7 +14,7 @@ kubectl create secret docker-registry regcred --docker-server=sagcr.azurecr.io - ### Service Monitor -A Service Monitor CRD can be created optional. Anywhere, the custom kind `ServiceMonitor` must be registered as Kubernetes object. If not, you can apply it with ... +A Service Monitor CRD can be created optional. Anywhere, the custom kind `ServiceMonitor` must be registered as Kubernetes object. If not, you can apply it with ... ``` kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/main/bundle.yaml @@ -40,7 +40,7 @@ Optionally you can also provide the license directly when installing your releas ## Examples for Use-cases -Sub-folder `examples` contains some *values* examples for more use-cases. To use the use-case, adapt and add the provided `values.yaml` to your values. +Sub-folder `examples` contains some *values* examples for more use-cases. To use the use-case, adapt and add the provided `values.yaml` to your values. | Use-case | Description | |-----|------| @@ -80,7 +80,6 @@ helm install wm-msr webmethods/microservicesruntime \ ... instead of using default image, use your own ... - ```shell --set "image.repository=/wm-msr-db" \ --set "image.tag=10.15" diff --git a/mywebmethodsserver/helm/README.md b/mywebmethodsserver/helm/README.md index eb3e7b7..5beb851 100644 --- a/mywebmethodsserver/helm/README.md +++ b/mywebmethodsserver/helm/README.md 
@@ -80,7 +80,7 @@ helm install wm-mws microservicesruntime
 | podAnnotations | object | `{}` | |
 | podSecurityContext | object | `{}` | |
 | replicaCount | int | `1` | |
-| resources | object | `{}` | |
+| resources | object | `{}` | Define CPU and memory resources for container |
 | securityContext | object | `{}` | The security context the pods should run in. capabilities: drop: - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 1000 |
 | service | object | `{"port":8585,"type":"ClusterIP"}` | The service type of the MyWebMethodsServer service |
 | serviceAccount.create | bool | `false` | |
diff --git a/universalmessaging/helm/README.md b/universalmessaging/helm/README.md
index 71100b7..5db7025 100644
--- a/universalmessaging/helm/README.md
+++ b/universalmessaging/helm/README.md
@@ -44,7 +44,8 @@ helm install um webmethods/universalmessaging
 |-----|------|---------|-------------|
 | affinity | object | `{}` | |
 | customMetricExporterConfig | object | `{"content":""}` | Custom metric JMX exporter configuration. Overwriting the default content of file [jmx_exporter.yaml](./files/jmx_exporter.yaml). See [Prometheus JMX exporter configuration](https://github.com/SoftwareAG/universalmessaging-prometheus-jmx-exporter-config) for more configuration samples. |
-| customServerConfig | object | `{"content":""}` | Custom server configuration file |
+| customServerConfig | object | `{"content":""}` | Custom server configuration file. Overwriting the content of file `Custom_Server_Common.conf` in container. |
+| externalLoadBalancer | bool | `false` | Deploy Nginx as external LB. The LB will be configured to dispatch incoming requests to all `replicaCount` replicas. Nginx is configured by example from [Universal Messaging documentation](https://documentation.softwareag.com/universal_messaging/num10-15/webhelp/num-webhelp/#page/num-webhelp%2Fre-configure_nginx_to_serve_http_requests.html%23) |
 | extraConfigMaps | list | `[]` | Extra config maps for additional configurations such as extra ports, etc. |
 | extraContainers | list | `[]` | Extra containers which should run in addition to the main container as a sidecar |
 | extraEnvs | object | `{}` | Exta environment properties to be passed on to the container |
@@ -77,7 +78,7 @@ helm install um webmethods/universalmessaging | podSecurityContext.fsGroup | int | `1724` | | | readinessProbe | object | `{"failureThreshold":5,"periodSeconds":15,"successThreshold":1,"timeoutSeconds":60}` | Configure readiness probe | | replicaCount | int | `1` | Number of replicas | -| resources | object | `{}` | | +| resources | object | `{}` | Define CPU und memory resources UM and Nginx containers. | | securityContext | object | `{}` | | | service.metricPort | int | `9200` | Metrics port | | service.port | int | `9000` | Universal Messaging default port | From e385e4d95914e54621d5206493585c900a86f0f3 Mon Sep 17 00:00:00 2001 From: thr Date: Thu, 7 Dec 2023 10:21:44 +0100 Subject: [PATCH 09/14] update from values.yaml and updating helm/README.me from values.yaml --- apigateway/helm/README.md | 211 ++++++++---------------------- universalmessaging/helm/README.md | 7 + 2 files changed, 65 insertions(+), 153 deletions(-) diff --git a/apigateway/helm/README.md b/apigateway/helm/README.md index 4c8f484..1cce9b0 100644 --- a/apigateway/helm/README.md +++ b/apigateway/helm/README.md 
@@ -1,151 +1,15 @@ -# API Gateway Cluster Helm Chart +# apigateway -## Overview +![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 10.15](https://img.shields.io/badge/AppVersion-10.15-informational?style=flat-square) -This chart sets up an API Gateway cluster which by default consists of -* 1 API Gateway cluster nodes, -* 1 ElasticSearch cluster with 1 node, -* 1 Kibana node, -* 1 Ingress providing public access to the API Gateay UI and runtime ports. +API Gateway Helm Chart for Kubernetes -![API Gateway Cluster](../docs/diagrams/api_gateway.png) +## Requirements -### TLDR; - -The minimum prerequisite that has to be fulfilled is, that the **ECK operator** is installed. See section [Prerequisites](#ECK / Elasticsearch) for details. - -You can install the default configuration of the API Gateway cluster with the following command: - -``` -helm install webmethods/apigateway -f my-values.yaml --set-file license=licenseKey.xml -``` - -This will install the API Gateway cluster with the following default configuration as depicted above. Make sure that the licenseKey.xml points to a valid license file. - -## Prerequisites - -### ECK / Elasticsearch - -This deployment uses the ECK Operator to deploy Elasticsearch. You can use Helm to deploy the operator with the following commands: - -#### Register the Elasticsearch Helm Repository - -``` -helm repo add elastic https://helm.elastic.co -helm repo update -``` - -#### Install ECK (Cluster-wide) - -``` -helm install elastic-operator elastic/eck-operator -n elastic-system --create-namespace -``` - -For more information please see: https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-install-helm.html - -## Licenses - -API Gateway requires a license file. These license is supposed to be -provided as configmap. 
- -Hence before running `helm install` create the configmap: - -``` -kubectl create configmap apigw-license-config --from-file=licenseKey.xml= -``` - -Optionally you can directly provide the license file at the time of running `helm install`: - -``` -helm install webmethods/apigateway -f my-values.yaml --set-file license=licenseKey.xml -``` - -Note: the license key config map will not be removed when the helm release is deleted. - -## Image Pull Secret - -Provide an image pull secret for the registry where the desired images for API Gateway, -ElasticSearch, and Kibana are to be pulled from. - -``` -kubectl create secret docker-registry regcred --docker-server= --docker-username= --docker-password= --docker-email= -``` - -## Access to the API Gateway cluster - -By default, this chart establishes an Ingress to provide access to the API Gateway UI and runtime ports from outside the Kubernetes cluster. -The Ingress refers to services which in turn refer to the API Gateway pods. Due to the API Gateway UI requiring sticky sessions ([see also below](#sticky-ui-sessions)) the Ingress -is configured accordingly. However this default setup works only if the Kubernetes cluster runs with the wide-spread nginx-ingress controller which -can handle sticky sessions. - -If the nginx-ingress controller is not present, or another ingress controller is preferred, an accordingly configured external load balancer can be used to -achieve sticky sessions. The chart can easily be switched to use a load balancer, for details see the [chart readme](apigateway/README.md). -When doing so, the chart will still establish an Ingress which then refers to the load balancer service, and the load balancer in turn is -configured as a proxy for the API Gateway services. - -For the latter purpose the chart comes with an nginx deployment and appropriate configuration. Please note that API Gateway does not -rely on or prefer nginx. 
In order to use a different load balancer the chart needs to be adapted manually: replace the `nginx-*.yaml` files -in the [template folder](apigateway/templates) as desired, and keep in mind to configure the load balancer with sticky sessions for the -API Gateway UI port. - -### Sticky UI sessions - -The API Gateway web interface requires sticky sessions in order to function correctly. This is achieved by configuring the API Gateway service -for the UI port as well as the Ingress with sticky behaviour. The relevant parts of the service and the Ingress look like this: - -``` ---- -# apigateway-ui-svc.yaml -apiVersion: v1 -kind: Service -spec: - sessionAffinity: ClientIP - sessionAffinityConfig: - clientIP: - timeoutSeconds: 1000 - ---- -# apigateway-ingress.yaml -apiVersion: extensions/v1beta1 -kind: Ingress -metadata: - annotations: - nginx.ingress.kubernetes.io/affinity: "cookie" -``` - -Note, if you are using the default configuration and nginx as your ingress controller, sticky sessions will be enabled by default for the UI port and ingress. Change the ingress annotations accordingly for other ingress controllers like Traefik. - - -## Using an external load balancer - -The Ingress provides two entrypoints for accessing the API Gateway cluster, one for the UI port to -allow access to the administration UI, and another one for the runtime port to allow for example REST access -to the services. - -The API Gateway UI requires session stickiness and therefore both the Ingress and the Kubernetes -service in front of the API Gateway pods are correspondingly configured. - -In some cases, typically if the nginx-ingress controller is not available in the Kubernetes system, the stickiness -settings are not correctly respected, and the API Gateway UI will not work. In particular the login to the UI -will fail. - -This can be handled by using an external load balancer which is configured to use the API Gateway as -backend. 
And the Ingress is then defined against the load balancer service. - -In order to enable the external load balancer provide the following configuration value: - -``` ---set loadBalancer.enabled=true -``` - -## TLS for API Gateway - -If desired you may deploy API Gateway with your own TLS key and cert. The Template contains a TLS manifest which will look for the keys: ingress.tls.key and ingress.tls.cert. In your deployment environment you can redirect the output of a certificate and key file (e.g. using secure files from Azure) and directly deploy the TLS configuration for the API Gateway. - -```bash -helm upgrade -i -f myvalues.yaml --set ingress.tls.key="$( /usr/share/message"] postStart: exec: command: ["/bin/sh", "-c", "echo Hello from the postStart handler > /usr/share/message"] | | metering.accumulationPeriod | string | `"1800"` | The period in seconds for which data is accumulated before a log record is produced. | | metering.enabled | bool | `true` | enable metering | @@ -259,7 +157,10 @@ helm upgrade -i -f myvalues.yaml --set ingress.tls.key="$(-apigateway-sag-user-es. Adjust accordingly if your release name is different. | | prometheus.path | string | `"/metrics"` | | | prometheus.port | string | `"5555"` | | | prometheus.scheme | string | `"http"` | | @@ -273,11 +174,15 @@ helm upgrade -i -f myvalues.yaml --set ingress.tls.key="$( Date: Thu, 7 Dec 2023 10:25:51 +0100 Subject: [PATCH 10/14] Revert "update from values.yaml and updating helm/README.me from values.yaml" This reverts commit e385e4d95914e54621d5206493585c900a86f0f3. --- apigateway/helm/README.md | 211 ++++++++++++++++++++++-------- universalmessaging/helm/README.md | 7 - 2 files changed, 153 insertions(+), 65 deletions(-) diff --git a/apigateway/helm/README.md b/apigateway/helm/README.md index 1cce9b0..4c8f484 100644 --- a/apigateway/helm/README.md +++ b/apigateway/helm/README.md 
@@ -1,15 +1,151 @@ -# apigateway +# API Gateway Cluster Helm Chart -![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 10.15](https://img.shields.io/badge/AppVersion-10.15-informational?style=flat-square) +## Overview -API Gateway Helm Chart for Kubernetes +This chart sets up an API Gateway cluster which by default consists of +* 1 API Gateway cluster nodes, +* 1 ElasticSearch cluster with 1 node, +* 1 Kibana node, +* 1 Ingress providing public access to the API Gateay UI and runtime ports. -## Requirements +![API Gateway Cluster](../docs/diagrams/api_gateway.png) -| Repository | Name | Version | -|------------|------|---------| -| https://open-source.softwareag.com/webmethods-helm-charts/charts | common | 1.x.x | -| https://prometheus-community.github.io/helm-charts | prometheus-elasticsearch-exporter | 5.0.0 | +### TLDR; + +The minimum prerequisite that has to be fulfilled is, that the **ECK operator** is installed. See section [Prerequisites](#ECK / Elasticsearch) for details. + +You can install the default configuration of the API Gateway cluster with the following command: + +``` +helm install webmethods/apigateway -f my-values.yaml --set-file license=licenseKey.xml +``` + +This will install the API Gateway cluster with the following default configuration as depicted above. Make sure that the licenseKey.xml points to a valid license file. + +## Prerequisites + +### ECK / Elasticsearch + +This deployment uses the ECK Operator to deploy Elasticsearch. 
You can use Helm to deploy the operator with the following commands: + +#### Register the Elasticsearch Helm Repository + +``` +helm repo add elastic https://helm.elastic.co +helm repo update +``` + +#### Install ECK (Cluster-wide) + +``` +helm install elastic-operator elastic/eck-operator -n elastic-system --create-namespace +``` + +For more information please see: https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-install-helm.html + +## Licenses + +API Gateway requires a license file. These license is supposed to be +provided as configmap. + +Hence before running `helm install` create the configmap: + +``` +kubectl create configmap apigw-license-config --from-file=licenseKey.xml= +``` + +Optionally you can directly provide the license file at the time of running `helm install`: + +``` +helm install webmethods/apigateway -f my-values.yaml --set-file license=licenseKey.xml +``` + +Note: the license key config map will not be removed when the helm release is deleted. + +## Image Pull Secret + +Provide an image pull secret for the registry where the desired images for API Gateway, +ElasticSearch, and Kibana are to be pulled from. + +``` +kubectl create secret docker-registry regcred --docker-server= --docker-username= --docker-password= --docker-email= +``` + +## Access to the API Gateway cluster + +By default, this chart establishes an Ingress to provide access to the API Gateway UI and runtime ports from outside the Kubernetes cluster. +The Ingress refers to services which in turn refer to the API Gateway pods. Due to the API Gateway UI requiring sticky sessions ([see also below](#sticky-ui-sessions)) the Ingress +is configured accordingly. However this default setup works only if the Kubernetes cluster runs with the wide-spread nginx-ingress controller which +can handle sticky sessions. 
+ +If the nginx-ingress controller is not present, or another ingress controller is preferred, an accordingly configured external load balancer can be used to +achieve sticky sessions. The chart can easily be switched to use a load balancer, for details see the [chart readme](apigateway/README.md). +When doing so, the chart will still establish an Ingress which then refers to the load balancer service, and the load balancer in turn is +configured as a proxy for the API Gateway services. + +For the latter purpose the chart comes with an nginx deployment and appropriate configuration. Please note that API Gateway does not +rely on or prefer nginx. In order to use a different load balancer the chart needs to be adapted manually: replace the `nginx-*.yaml` files +in the [template folder](apigateway/templates) as desired, and keep in mind to configure the load balancer with sticky sessions for the +API Gateway UI port. + +### Sticky UI sessions + +The API Gateway web interface requires sticky sessions in order to function correctly. This is achieved by configuring the API Gateway service +for the UI port as well as the Ingress with sticky behaviour. The relevant parts of the service and the Ingress look like this: + +``` +--- +# apigateway-ui-svc.yaml +apiVersion: v1 +kind: Service +spec: + sessionAffinity: ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 1000 + +--- +# apigateway-ingress.yaml +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + annotations: + nginx.ingress.kubernetes.io/affinity: "cookie" +``` + +Note, if you are using the default configuration and nginx as your ingress controller, sticky sessions will be enabled by default for the UI port and ingress. Change the ingress annotations accordingly for other ingress controllers like Traefik. 
+ + +## Using an external load balancer + +The Ingress provides two entrypoints for accessing the API Gateway cluster, one for the UI port to +allow access to the administration UI, and another one for the runtime port to allow for example REST access +to the services. + +The API Gateway UI requires session stickiness and therefore both the Ingress and the Kubernetes +service in front of the API Gateway pods are correspondingly configured. + +In some cases, typically if the nginx-ingress controller is not available in the Kubernetes system, the stickiness +settings are not correctly respected, and the API Gateway UI will not work. In particular the login to the UI +will fail. + +This can be handled by using an external load balancer which is configured to use the API Gateway as +backend. And the Ingress is then defined against the load balancer service. + +In order to enable the external load balancer provide the following configuration value: + +``` +--set loadBalancer.enabled=true +``` + +## TLS for API Gateway + +If desired you may deploy API Gateway with your own TLS key and cert. The Template contains a TLS manifest which will look for the keys: ingress.tls.key and ingress.tls.cert. In your deployment environment you can redirect the output of a certificate and key file (e.g. using secure files from Azure) and directly deploy the TLS configuration for the API Gateway. + +```bash +helm upgrade -i -f myvalues.yaml --set ingress.tls.key="$( /usr/share/message"] postStart: exec: command: ["/bin/sh", "-c", "echo Hello from the postStart handler > /usr/share/message"] | | metering.accumulationPeriod | string | `"1800"` | The period in seconds for which data is accumulated before a log record is produced. | | metering.enabled | bool | `true` | enable metering | 
@@ -157,10 +259,7 @@ API Gateway Helm Chart for Kubernetes | nodeSelector | object | `{}` | | | podAnnotations | object | `{}` | | | podSecurityContext | object | `{}` | | -| prometheus-elasticsearch-exporter | object | `{"enabled":true,"es":{"uri":"http://$(ES_USER):$(ES_PASSWORD)@apigw-apigateway-es-http:9200"},"extraEnvSecrets":{"ES_PASSWORD":{"key":"password","secret":"apigw-apigateway-sag-user-es"},"ES_USER":{"key":"username","secret":"apigw-apigateway-sag-user-es"}},"serviceMonitor":{"enabled":true}}` | Elasticsearch exporter settings. See https://github.com/prometheus-community/elasticsearch_exporter for details. | -| prometheus-elasticsearch-exporter.enabled | bool | `true` | Deploy the prometheus exporter for elasticsearch | -| prometheus-elasticsearch-exporter.es.uri | string | `"http://$(ES_USER):$(ES_PASSWORD)@apigw-apigateway-es-http:9200"` | The uri of the elasticsearch service. By default this is null and the environment variable ES_URI is used instead. Overwrite this if you are using an external Elasticsearch instance | -| prometheus-elasticsearch-exporter.extraEnvSecrets | object | `{"ES_PASSWORD":{"key":"password","secret":"apigw-apigateway-sag-user-es"},"ES_USER":{"key":"username","secret":"apigw-apigateway-sag-user-es"}}` | secret for elasticsearch user. Will need to adjust the secret's name. By default the secret name is -apigateway-sag-user-es. Adjust accordingly if your release name is different. | +| prometheus-elasticsearch-exporter.es.uri | string | `"{{ .Release.Name }}-apigateway-es-http:9200"` | | | prometheus.path | string | `"/metrics"` | | | prometheus.port | string | `"5555"` | | | prometheus.scheme | string | `"http"` | | 
@@ -174,15 +273,11 @@ API Gateway Helm Chart for Kubernetes | resources.apigwInitContainer.limits.memory | string | `"100Mi"` | | | resources.apigwInitContainer.requests.cpu | string | `"100m"` | | | resources.apigwInitContainer.requests.memory | string | `"50Mi"` | | -| secrets | object | `{"generateAdminSecret":true,"generateElasticSecrets":true}` | Controls if secrets should be generated automatically. | | securityContext | object | `{}` | | | service.port | int | `80` | | | service.type | string | `"ClusterIP"` | | | serviceAccount.annotations | object | `{}` | Annotations to add to the service account | -| serviceAccount.create | bool | `true` | - apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: {{ include "common.names.roleName" . }} rules: - apiGroups: - "" resources: - pods - endpoints verbs: - get - list - watch | +| serviceAccount.create | bool | `true` | Specifies whether a service account should be created | | serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | | serviceAccount.roleName | string | `""` | | -| tolerations | list | `[]` | | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) +| tolerations | list | `[]` | | \ No newline at end of file diff --git a/universalmessaging/helm/README.md b/universalmessaging/helm/README.md index 51c3de2..5db7025 100644 --- a/universalmessaging/helm/README.md +++ b/universalmessaging/helm/README.md @@ -38,13 +38,6 @@ Install release helm install um webmethods/universalmessaging ``` -## Version History - -| Version | Changes and Description | -|-----|------| -| `1.0.0' | Initial release | -| `1.0.1' | Update JMX Exporter configuration file with . Bigfix: Mount configuration files into container. Nginx added. | - ## Values | Key | Type | Default | Description | 
From 7d6e74d60c87cf9ea4de3c38444ced9e7bc4db83 Mon Sep 17 00:00:00 2001 From: thr Date: Thu, 7 Dec 2023 10:28:42 +0100 Subject: [PATCH 11/14] make it equal --- universalmessaging/helm/README.md | 7 +++++++ universalmessaging/helm/README.md.gotmpl | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/universalmessaging/helm/README.md b/universalmessaging/helm/README.md index 5db7025..51c3de2 100644 --- a/universalmessaging/helm/README.md +++ b/universalmessaging/helm/README.md @@ -38,6 +38,13 @@ Install release helm install um webmethods/universalmessaging ``` +## Version History + +| Version | Changes and Description | +|-----|------| +| `1.0.0' | Initial release | +| `1.0.1' | Update JMX Exporter configuration file with . Bigfix: Mount configuration files into container. Nginx added. | + ## Values | Key | Type | Default | Description | diff --git a/universalmessaging/helm/README.md.gotmpl b/universalmessaging/helm/README.md.gotmpl index ddb64f1..f4254ab 100644 --- a/universalmessaging/helm/README.md.gotmpl +++ b/universalmessaging/helm/README.md.gotmpl @@ -24,7 +24,7 @@ kubectl create configmap universalmessaging-licence-key --from-file=licence.xml= ## Examples for Use-cases -Sub-folder `examples` contains some *values* examples for more use-cases. To use the use-case, adapt and add the provided `values.yaml` to your values. +Sub-folder `examples` contains some *values* examples for more use-cases. To use the use-case, adapt and add the provided `values.yaml` to your values. | Use-case | Description | |-----|------| From 2221f8856bd079d4bc2bdebd65d2769743f8cd0a Mon Sep 17 00:00:00 2001 From: thr Date: Thu, 7 Dec 2023 10:38:42 +0100 Subject: [PATCH 12/14] initial copied from README.md --- apigateway/helm/README.md.gotmpl | 150 +++++++++++++++++++++++++++++++ 1 file changed, 150 insertions(+) create mode 100644 apigateway/helm/README.md.gotmpl 
diff --git a/apigateway/helm/README.md.gotmpl b/apigateway/helm/README.md.gotmpl
new file mode 100644
index 0000000..c4d6195
--- /dev/null
+++ b/apigateway/helm/README.md.gotmpl
@@ -0,0 +1,150 @@
+# API Gateway Cluster Helm Chart
+
+## Overview
+
+This chart sets up an API Gateway cluster which by default consists of
+* 1 API Gateway cluster nodes,
+* 1 ElasticSearch cluster with 1 node,
+* 1 Kibana node,
+* 1 Ingress providing public access to the API Gateay UI and runtime ports.
+
+![API Gateway Cluster](../docs/diagrams/api_gateway.png)
+
+### TLDR;
+
+The minimum prerequisite that has to be fulfilled is, that the **ECK operator** is installed. See section [Prerequisites](#ECK / Elasticsearch) for details.
+
+You can install the default configuration of the API Gateway cluster with the following command:
+
+```
+helm install webmethods/apigateway -f my-values.yaml --set-file license=licenseKey.xml
+```
+
+This will install the API Gateway cluster with the following default configuration as depicted above. Make sure that the licenseKey.xml points to a valid license file.
+
+## Prerequisites
+
+### ECK / Elasticsearch
+
+This deployment uses the ECK Operator to deploy Elasticsearch. You can use Helm to deploy the operator with the following commands:
+
+#### Register the Elasticsearch Helm Repository
+
+```
+helm repo add elastic https://helm.elastic.co
+helm repo update
+```
+
+#### Install ECK (Cluster-wide)
+
+```
+helm install elastic-operator elastic/eck-operator -n elastic-system --create-namespace
+```
+
+For more information please see: https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-install-helm.html
+
+## Licenses
+
+API Gateway requires a license file. These license is supposed to be
+provided as configmap.
+
+Hence before running `helm install` create the configmap:
+
+```
+kubectl create configmap apigw-license-config --from-file=licenseKey.xml=
+```
+
+Optionally you can directly provide the license file at the time of running `helm install`:
+
+```
+helm install webmethods/apigateway -f my-values.yaml --set-file license=licenseKey.xml
+```
+
+Note: the license key config map will not be removed when the helm release is deleted.
+
+## Image Pull Secret
+
+Provide an image pull secret for the registry where the desired images for API Gateway,
+ElasticSearch, and Kibana are to be pulled from.
+
+```
+kubectl create secret docker-registry regcred --docker-server= --docker-username= --docker-password= --docker-email=
+```
+
+## Access to the API Gateway cluster
+
+By default, this chart establishes an Ingress to provide access to the API Gateway UI and runtime ports from outside the Kubernetes cluster.
+The Ingress refers to services which in turn refer to the API Gateway pods. Due to the API Gateway UI requiring sticky sessions ([see also below](#sticky-ui-sessions)) the Ingress
+is configured accordingly. However this default setup works only if the Kubernetes cluster runs with the wide-spread nginx-ingress controller which
+can handle sticky sessions.
+
+If the nginx-ingress controller is not present, or another ingress controller is preferred, an accordingly configured external load balancer can be used to
+achieve sticky sessions. The chart can easily be switched to use a load balancer, for details see the [chart readme](apigateway/README.md).
+When doing so, the chart will still establish an Ingress which then refers to the load balancer service, and the load balancer in turn is
+configured as a proxy for the API Gateway services.
+
+For the latter purpose the chart comes with an nginx deployment and appropriate configuration. Please note that API Gateway does not
+rely on or prefer nginx. In order to use a different load balancer the chart needs to be adapted manually: replace the `nginx-*.yaml` files
+in the [template folder](apigateway/templates) as desired, and keep in mind to configure the load balancer with sticky sessions for the
+API Gateway UI port.
+
+### Sticky UI sessions
+
+The API Gateway web interface requires sticky sessions in order to function correctly. This is achieved by configuring the API Gateway service
+for the UI port as well as the Ingress with sticky behaviour. The relevant parts of the service and the Ingress look like this:
+
+```
+---
+# apigateway-ui-svc.yaml
+apiVersion: v1
+kind: Service
+spec:
+ sessionAffinity: ClientIP
+ sessionAffinityConfig:
+ clientIP:
+ timeoutSeconds: 1000
+
+---
+# apigateway-ingress.yaml
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ annotations:
+ nginx.ingress.kubernetes.io/affinity: "cookie"
+```
+
+Note, if you are using the default configuration and nginx as your ingress controller, sticky sessions will be enabled by default for the UI port and ingress. Change the ingress annotations accordingly for other ingress controllers like Traefik.
+
+
+## Using an external load balancer
+
+The Ingress provides two entrypoints for accessing the API Gateway cluster, one for the UI port to
+allow access to the administration UI, and another one for the runtime port to allow for example REST access
+to the services.
+
+The API Gateway UI requires session stickiness and therefore both the Ingress and the Kubernetes
+service in front of the API Gateway pods are correspondingly configured.
+
+In some cases, typically if the nginx-ingress controller is not available in the Kubernetes system, the stickiness
+settings are not correctly respected, and the API Gateway UI will not work. In particular the login to the UI
+will fail.
+
+This can be handled by using an external load balancer which is configured to use the API Gateway as
+backend.
And the Ingress is then defined against the load balancer service. + +In order to enable the external load balancer provide the following configuration value: + +``` +--set loadBalancer.enabled=true +``` + +## TLS for API Gateway + +If desired you may deploy API Gateway with your own TLS key and cert. The Template contains a TLS manifest which will look for the keys: ingress.tls.key and ingress.tls.cert. In your deployment environment you can redirect the output of a certificate and key file (e.g. using secure files from Azure) and directly deploy the TLS configuration for the API Gateway. + +```bash +helm upgrade -i -f myvalues.yaml --set ingress.tls.key="$( Date: Thu, 7 Dec 2023 10:43:27 +0100 Subject: [PATCH 13/14] Nginx support --- universalmessaging/helm/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/universalmessaging/helm/Chart.yaml b/universalmessaging/helm/Chart.yaml index 4ba2ede..5e07eb6 100644 --- a/universalmessaging/helm/Chart.yaml +++ b/universalmessaging/helm/Chart.yaml @@ -24,7 +24,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.0.0 +version: 1.0.1 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to From cffaeec30bd104649aacec08cd55a1a1d57089df Mon Sep 17 00:00:00 2001 From: thr Date: Thu, 7 Dec 2023 10:44:16 +0100 Subject: [PATCH 14/14] incorrect place --- apigateway/values.yaml | 448 ----------------------------------------- 1 file changed, 448 deletions(-) delete mode 100644 apigateway/values.yaml diff --git a/apigateway/values.yaml b/apigateway/values.yaml deleted file mode 100644 index c1a4221..0000000 --- a/apigateway/values.yaml +++ /dev/null 
@@ -1,448 +0,0 @@ -replicaCount: 1 - -image: - # -- The repository for the image. By default, - # this points to the Software AG container repository. - # Change this for air-gapped installations or custom images. - # For the Software AG container repository you need to have a - # valid access token stored as registry credentials - repository: sagcr.azurecr.io/apigateway-minimal - pullPolicy: IfNotPresent - # -- The image tag of the apigateway image default this will be the latest version. - # For realworld scenarios SAG recommends to use a - # specific version to not accidently change production versions with newer images. - tag: "10.15" - -# -- Image pull secret reference. By default looks for `regcred`. -imagePullSecrets: - - name: regcred - -# -- Controls if secrets should be generated automatically. -secrets: - generateAdminSecret: true - generateElasticSecrets: true - -# -- Overwrites Chart name of release name in workload name. As default, the workload name is release name + '-' + Chart name. The workload name is at the end release name + '-' + value of `nameOverride`. -nameOverride: "" -# -- Overwrites full workload name. As default, the workload name is release name + '-' + Chart name. -fullnameOverride: "" - -serviceAccount: - # -- Specifies whether a service account should be created - create: true - # -- Annotations to add to the service account - annotations: {} - # -- The name of the service account to use. 
- # If not set and create is true, a name is generated using the fullname template - name: "" - # If not set and create is true, a name is generated using the fullname template - roleName: "" - -podAnnotations: {} - -podSecurityContext: {} - # fsGroup: 2000 - -securityContext: {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 1000 - -service: - type: ClusterIP - port: 80 - -# multiple ingresses for ui, admin, ext and rt -ingresses: - ui: - defaultHost: "" - enabled: true - svcName: "" - svcPort: "" - className: "" - annotations: - nginx.ingress.kubernetes.io/affinity: "cookie" - # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" - hosts: - - host: - paths: - - path: / - pathType: Prefix - tls: - - secretName: - hosts: - rt: - defaultHost: - enabled: true - svcName: "" - svcPort: "" - className: "" - annotations: {} - # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" - hosts: - - host: - paths: - - path: /gateway - pathType: Prefix - tls: - - secretName: - hosts: - admin: - defaultHost: "" - enabled: true - svcName: "" - svcPort: "" - className: "" - annotations: - nginx.ingress.kubernetes.io/affinity: "cookie" - hosts: - - host: default - paths: - - path: / - pathType: Prefix - tls: - - secretName: - hosts: - - default - -# global ingress settings for tls secret name, cert and key -ingress: - defaultDomain: my-domain.com - tls: - # -- default secret name for TLS. By default empty, - # will look for tls". - secretName: "" - cert: "" - key: "" - -resources: - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
- # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - apigwInitContainer: - requests: - cpu: 100m - memory: 50Mi - limits: - cpu: 200m - memory: 100Mi - - apigwContainer: - requests: - cpu: 500m - memory: 4Gi - limits: - # use a high cpu limit to avaoid the container being throttled - cpu: 8 - memory: 8Gi - - -autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 100 - targetCPUUtilizationPercentage: 80 - # targetMemoryUtilizationPercentage: 80 - -nodeSelector: {} - -tolerations: [] - -affinity: {} - -global: - curlImage: "curlimages/curl" - # -- Protocol for health check for kibana startup, must be http / https - apigwHealthProtocol: "http" - # -- Service name for health check for kibana startup, must same value as apigwAdminService - apigwHealthService: "apigw-admin-svc" - # -- Port for health check for kibana startup, must same value as apigwAdminPort - apigwHealthPort: 5555 - - # -- Elasticsearch global settings - # Required for Prometheus Exporter Sub Chart - elasticsearch: - # -- The elasticsearch http service name that API Gateway uses. - # The default is compiled of the fullname (releasename + chart name) + "-http" - # You MUST override this if you use an external elastic search service and do not deploy the embedded elastic CRD from this chart. - serviceName: "" - port: 9200 - -# -- Extra Labels for API Gateway -extraLabels: {} - -# -- Exta environment properties to be passed on to the container -extraEnvs: {} - -# -- Exta volumes that should be mounted. 
-# - name: extras -# emptyDir: {} -extraVolumes: [] - -# -- Extra volume mounts -# - name: extras -# mountPath: /usr/share/extras -# readOnly: true -extraVolumeMounts: [] - -# -- Extra containers which should run in addition to the main container as a sidecar -# - name: do-something -# image: busybox -# command: ['do', 'something'] -extraContainers: [] - -# -- Extra init containers that are executed before starting the main container -# - name: do-something -# image: busybox -# command: ['do', 'something'] -extraInitContainers: [] - -# -- Extra config maps for additional configurations such as extra ports, etc. -extraConfigMaps: [] - -# -- lifecycle hooks to execute on preStop / postStart,... -# preStop: -# exec: -# command: ["/bin/sh", "-c", "echo Hello from the postStart handler > /usr/share/message"] -# postStart: -# exec: -# command: ["/bin/sh", "-c", "echo Hello from the postStart handler > /usr/share/message"] -lifecycle: {} - -apigw: - # -- Deploy Elasticsearch. Depends on Elasic Search Helm Charts. See https://github.com/elastic/helm-charts/blob/main/elasticsearch - elasticSearchDeployment: true - - initMemory: 1024Mi - maxMemory: 1024Mi - - # -- The API Gateway runtime port for API invocations. By default API Gateway images do not have this port setup. - # You must manually set up this port or create post init job that creates this port after API Gateway was initialized. - runtimePort: 5556 - # -- The API Diagnostics port. - diagPort: 9999 - # -- The default API Administration UI port - uiPort: 9072 - # -- The default administration port. Note in a default installation this port will also be used for runtime traffic. - adminPort: 5555 - # -- External Runtime Port for Reverse Invoke Setups. This port must be manually setup after API Gateway was initizalized. - runtimeExternalPort: 6555 - readinessProbe: - # -- The readinessprobe scheme (https or http). 
- scheme: "HTTP" - serviceName: "apigw" - - # -- Specifies the location and name of the configuration variables template - # or the directory containing templates for use with Microservices Runtime or - # an Integration Server with licensed Microservices functionality. Use a - # comma-separated list to specify multiple templates and/or directories. - # See: https://documentation.softwareag.com/webmethods/integration_server/pie10-15/webhelp/pie-webhelp/index.html#page/pie-webhelp%2Fto-sag_environment_variables_2.html - # Note: should only be used for passing simple configurations such as extended - # settings. For all other configurations of API Gateway, use the official - # Admin REST API. - sagIsConfigProperties: "/config/application.properties" - - uiService: "apigw-ui-svc" - rtService: "apigw-rt-svc" - rtExternalService: "apigw-rt-ext-svc" - apigwAdminService: "apigw-admin-svc" - - # -- The secret that holds the admin password - # Depends on secrets.genereateAdminSecret; if true the setting will be ignored. - adminSecretName: "" - - # -- Application Properties to overwrite default API Gateway settings. Please check - # Handle with care - Most settings should be set via the UI, Admin API, configSources values, or via environment variables. - # By default only the default Administrator password is set through this mechanism if nothing is set here. - # Other examples are extended settings which can be set through this mechanism. - # Examples: - # - # Set the default Administrator password from environment variable - # user.Administrator.password=$env{ADMINISTRATOR_PASSWORD} - # - # Avoid archiving audit log files ... - # settings.watt.server.audit.logFilesToKeep=1 - # - # Avoid archiving server log files ... - # settings.watt.server.serverlogFilesToKeep=1 - # - # Avoid archiving statistic files ... - # settings.watt.server.stats.logFilesToKeep=1 - # - # Value for 1 to 9 to set debug level of server log ... 
- # settings.watt.debug.level= - # - # Set the maximum number of permitted service threads in the global pool ... - # settings.watt.server.threadPool=750 - # - # Set the default request/response content-type ... - # settings.watt.net.default.content-type=json - # - # Avoid IS internal statistic data collector ... - # statisticsdatacollector.monitorConfig.enabled=false - applicationProperties: | - - # -- configuration source files for API Gateway - configSources: - - elasticsearch: - tenantId: default - hosts: "{{ default (printf \"%s-%s-es-http\" .Release.Name .Chart.Name) .Values.global.elasticsearch.serviceName }}:{{ .Values.global.elasticsearch.port }}" - - - - -prometheus: - path: "/metrics" - port: "5555" - scheme: "http" - scrape: "true" - -metering: - - # -- enable metering - enabled: true - # -- The URL of the metering aggregator server REST API. - serverUrl: "https://metering.softwareag.cloud/api/measurements" - # -- Тhe type of the proxy that the metering client uses. - # Valid values are: - # *DIRECT (default). - # *HTTP - # *SOCKS - # Indicates that the metering client does not use a proxy. - proxyType: "DIRECT" - # -- The proxy address in a : format that the metering client uses. - # Configure this property only if you use a metering proxy. - proxyAddress: - # -- The proxy password that the metering client uses. - # Configure this property only if you use a metering proxy with authentication. - # Depending on the method that you use to provide a password, ensure that you escape password characters that are specific for the selected method. - # Valid characters: - # *Letters: A-Z, a-z - # *Numbers: 0-9 - # *Special characters: !@#$%^&*()_+-=[]{}\/?,.<>; - proxyPass: - # -- Тhe time in milliseconds to establish the initial TCP connection when the metering client calls the server REST endpoint. This is also the time to start the request. 
- serverConnectTimeout: "60000" - # -- The maximum time in milliseconds without data transfer over the TCP connection to the server. This is also the time that it takes for the server to respond. When this time passes, the request fails. - serverReadTimeout: "300000" - # -- The period in seconds for which data is accumulated before a log record is produced. - accumulationPeriod: "1800" - reportPeriod: "3600" - # -- An alias of the webMethods product instance or a group of instances, for which usage data is measured. - runtimeAlias: - # -- The level of log messages that are logged on the console. - # Valid values are: - # *error - logs only ERROR messages. - # *warn (default) - logs ERROR and WARN messages. - # *info - logs ERROR, WARN, and INFO messages. - # *debug - logs ERROR, WARN, INFO, and DEBUG messages. Use as a Java system property or an environment variable to see the debug messages of the configuration initialization. - logLevel: - # -- The absolute path to the metering client truststore that is used for HTTPS connections. Add this value in any of the following cases: - # *If you use the Software AG Metering Server on premises (via HTTPS) and the certificates in the truststore do not match the certificates configured in Software AG Runtime (CTP). - # *If you use a metering proxy that terminates the SSL connection to the Metering Server in Software AG Cloud. - trustStoreFile: - # -- The password for the metering client truststore. - # Configure this property only if you use a truststore. - trustStorePassword: - -elasticsearch: - - # -- Deploy elastic search instance - deploy: true - - # -- The ECK version to be used - version: 8.2.3 - - # -- The image that should be used. - # By default ECK will use the official Elasticsearch images. - # Overwrite this to use an image from an internal registry or any custom images. - # Make sure that the image corresponds to the version field. - image: - - # -- The secret name that holds the sag es user for API Gateway. 
- secretName: "" - - # -- Whether the communication from APIGW and Kibana should be HTTPS - # Note: you will need to create certificate and a separate truststore for the communication. - tlsEnabled: false - - # -- The secret name that holds the keystore password - keystoreSecretName: "" - - # -- The name of the secret holding the tls secret - # By default the name will be fullname of release + "es-tls-secret" - certificateSecretName: "{{ include \"common.names.fullname\" .}}-es-tls-secret" - - # -- Node sets. See official ElasticSearch documentation at: - # https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-orchestration.html - # if you specify node sets here the defaultNodeSet will not be used. - nodeSets: {} - - # -- Default Node Set - defaultNodeSet: - - # -- the number of replicas for Elastic Search - count: 1 - # -- Set this to true for production workloads, this will also - # use an init container to increase the vm.max_map_count to 262144 on the nodes. - memoryMapping: false - - # -- Controls whether to start an init container that increases the vm.max_map_count to 262144 on the node. - # Set memoryMapping to true and this setting also to true to run the init container. - # Note that this requires the ability to run privileged containers, which is likely not the case on many secure clusters. - setMaxMapCount: true - installMapperSizePlugin: true - - # -- Extra configuration parameters for Elasticsearch nodes to be appended to the default (none). - # See https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-node-configuration.html - extraConfig: {} - - # -- Extra init containers to be started before Elasticsearch nodes are started. 
- # See https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-init-containers-plugin-downloads.html - extraInitContainers: {} - - # -- Annotations for Elasticsearch - annotations: {} - - -kibana: - # -- The ECK version to be used - version: 8.2.3 - - # -- The default Kibana Port - port: 5601 - - # -- Annotations for Kibana - annotations: {} - -# -- Elasticsearch exporter settings. See https://github.com/prometheus-community/elasticsearch_exporter for details. -prometheus-elasticsearch-exporter: - - # -- secret for elasticsearch user. Will need to adjust the secret's name. By default the secret name is -apigateway-sag-user-es. - # Adjust accordingly if your release name is different. - extraEnvSecrets: - ES_PASSWORD: - secret: apigw-apigateway-sag-user-es - key: password - ES_USER: - secret: apigw-apigateway-sag-user-es - key: username - - es: - # -- The uri of the elasticsearch service. By default this is null and the environment variable ES_URI is used instead. - # Overwrite this if you are using an external Elasticsearch instance - uri: "http://$(ES_USER):$(ES_PASSWORD)@apigw-apigateway-es-http:9200" - - serviceMonitor: - enabled: true