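---
# Layer7 API Gateway custom resource (operator-managed), running in
# ephemeral / database-less mode. Lines marked NOTE(review) are reviewer
# observations; the remaining comments describe what the manifest does.
#
# Changes against the previous revision of this file:
#   * the management port (9443) is no longer published on the public
#     LoadBalancer; it is served by the in-cluster ClusterIP management
#     service instead.
#   * commented-out literal passwords were removed (a commented-out secret
#     is still a secret committed to version control).
apiVersion: security.brcmlabs.com/v1
kind: Gateway
metadata:
  name: ssg
spec:
  version: "11.1.00"
  license:
    accept: true
    secretName: gateway-license
  app:
    replicas: 1
    # NOTE(review): a mutable tag is used here and for the init containers
    # below; pin to a digest (image@sha256:...) for a reproducible deployment.
    image: docker.io/caapim/gateway:11.1.00
    imagePullPolicy: IfNotPresent
    updateStrategy:
      type: rollingUpdate
      rollingUpdate:
        maxUnavailable: 1
        maxSurge: 0
    resources:
      requests:
        memory: 4Gi
        cpu: 2
      limits:
        memory: 4Gi
        cpu: 2
    externalSecrets: []
    # Cluster-wide property bundles, both sourced from Secrets.
    bundle:
      - type: restman
        source: secret
        name: restman-cluster-property-bundle
      - type: graphman
        source: secret
        name: graphman-cluster-property-bundle
    bootstrap:
      script:
        enabled: true
    singletonExtraction: false
    # Graphman repository bundles. Each bundle's encryption passphrase is
    # read from a key of the graphman-encryption-secret Secret, never inlined.
    repositoryReferences:
      - name: l7-gw-myframework
        enabled: true
        type: static
        encryption:
          existingSecret: graphman-encryption-secret
          key: FRAMEWORK_ENCRYPTION_PASSPHRASE
      - name: l7-gw-myapis
        enabled: true
        type: dynamic
        encryption:
          existingSecret: graphman-encryption-secret
          key: APIS_ENCRYPTION_PASSPHRASE
      - name: l7-gw-mysubscriptions
        enabled: true
        type: dynamic
        encryption:
          existingSecret: graphman-encryption-secret
          key: SUBSCRIPTIONS_ENCRYPTION_PASSPHRASE
    initContainers:
      - name: workshop-init
        image: docker.io/layer7api/workshop-init:1.0.0
        imagePullPolicy: IfNotPresent
        volumeMounts:
          - name: config-directory
            mountPath: /opt/docker/custom
    management:
      # Management credentials are sourced from this Secret rather than from
      # this file (presumably the admin / cluster passphrase — confirm against
      # the operator's Secret layout).
      secretName: gateway-secret
      # The management listener (9443) is only reachable inside the cluster.
      # Operators reach it with `kubectl port-forward svc/<name> 9443:9443`
      # rather than through the public LoadBalancer below.
      service:
        enabled: true
        type: ClusterIP
        ports:
          - name: management
            port: 9443
            targetPort: 9443
            protocol: TCP
      restman:
        enabled: false
      graphman:
        enabled: true
        initContainerImage: docker.io/layer7api/graphman-static-init:1.0.1
      cluster:
        # The cluster passphrase must come from the management Secret above.
        # Do not put it here, even commented out.
        hostname: gateway.brcmlabs.com
      database:
        enabled: false  # ephemeral mode: the gateway runs without MySQL
        # To run DB-backed, supply the JDBC URL and credentials. Credentials
        # belong in a Secret; a literal password in this file — commented out
        # or not — ends up in version control. If a real password was ever
        # committed here, treat it as compromised and rotate it.
        # jdbcUrl: "jdbc:mysql://cluster1-haproxy.pxc.svc.cluster.local:3306/ssg"
        # username: "gateway"
        # password: "<from-secret>"
    java:
      jvmHeap:
        calculate: true
        percentage: 75
        default: 2g
      extraArgs:
        # Auto-trusts the gateway's own default SSL key as a trust anchor for
        # SSL and SAML-issuer purposes. Convenient for a standalone ephemeral
        # gateway; NOTE(review): revisit before trusting externally issued keys.
        - -Dcom.l7tech.bootstrap.autoTrustSslKey=trustAnchor,TrustedFor.SSL,TrustedFor.SAML_ISSUER
        # Audits are not persisted to the (absent) internal database; they are
        # emitted as JSON on the log stream instead. A log shipper must collect
        # stdout or the audit trail is lost with the pod.
        - -Dcom.l7tech.server.audit.message.saveToInternal=false
        - -Dcom.l7tech.server.audit.admin.saveToInternal=false
        - -Dcom.l7tech.server.audit.system.saveToInternal=false
        - -Dcom.l7tech.server.audit.log.format=json
        - -Djava.util.logging.config.file=/opt/SecureSpan/Gateway/node/default/etc/conf/log-override.properties
        - -Dcom.l7tech.server.pkix.useDefaultTrustAnchors=true
        # Relaxes TLS hostname matching to accept wildcard certificates
        # (paired with the io.httpsHostAllowWildcard cluster property below).
        - -Dcom.l7tech.security.ssl.hostAllowWildcard=true
    listenPorts:
      # NOTE(review): harden=false keeps the stock listen-port definitions.
      # Upstream documentation describes harden=true as restricting the default
      # ports to published services only — confirm, and enable it (or define
      # hardened ports under `custom`) once the workshop no longer needs the
      # defaults, since 8443 is the port exposed to the outside world.
      harden: false
      custom:
        enabled: false
        ports: []
    cwp:
      enabled: true
      properties:
        - name: io.httpsHostAllowWildcard
          value: "true"
        - name: log.levels
          value: |
            com.l7tech.level = CONFIG
            com.l7tech.server.policy.variable.ServerVariables.level = SEVERE
            com.l7tech.external.assertions.odata.server.producer.jdbc.GenerateSqlQuery.level = SEVERE
            com.l7tech.server.policy.assertion.ServerSetVariableAssertion.level = SEVERE
            com.l7tech.external.assertions.comparison.server.ServerComparisonAssertion.level = SEVERE
        - name: audit.setDetailLevel.FINE
          value: 152 7101 7103 9648 9645 7026 7027 4155 150 4716 4114 6306 4100 9655 150 151 11000 4104
    system:
      properties: |-
        # Default Gateway system properties
        # Configuration properties for shared state extensions.
        com.l7tech.server.extension.sharedKeyValueStoreProvider=embeddedhazelcast
        com.l7tech.server.extension.sharedCounterProvider=ssgdb
        com.l7tech.server.extension.sharedClusterInfoProvider=ssgdb
        # By default, FIPS module will block an RSA modulus from being used for encryption if it has been used for
        # signing, or visa-versa. Set true to disable this default behaviour and remain backwards compatible.
        # NOTE(review): this relaxes FIPS key-usage separation; keep it only while legacy keys require it.
        com.safelogic.cryptocomply.rsa.allow_multi_use=true
        # Specifies the type of Trust Store (JKS/PKCS12) provided by AdoptOpenJDK that is used by Gateway.
        # Must be set correctly when Gateway is running in FIPS mode. If not specified it will default to PKCS12.
        javax.net.ssl.trustStoreType=jks
        com.l7tech.server.clusterStaleNodeCleanupTimeoutSeconds=86400
        # Additional properties go here
    log:
      override: true
      properties: |-
        handlers = com.l7tech.server.log.GatewayRootLoggingHandler, com.l7tech.server.log.ConsoleMessageSink$L7ConsoleHandler
        com.l7tech.server.log.GatewayRootLoggingHandler.formatter = com.l7tech.util.JsonLogFormatter
        java.util.logging.SimpleFormatter.format=
        com.l7tech.server.log.ConsoleMessageSink$L7ConsoleHandler.formatter = com.l7tech.util.JsonLogFormatter
        com.l7tech.server.log.ConsoleMessageSink$L7ConsoleHandler.level = CONFIG
    # Public entry point. Only the published-service HTTPS port is exposed;
    # the management port (9443) is deliberately NOT on this LoadBalancer and
    # is served by the ClusterIP management service above.
    service:
      # annotations:
      type: LoadBalancer
      ports:
        - name: https
          port: 8443
          targetPort: 8443
          protocol: TCP
    ingress:
      enabled: false
    # NOTE(review): the security contexts below are the upstream suggestions and
    # are left disabled because the runtime UID of the gateway image has not been
    # confirmed here (the UID shown is OpenShift-style). Enable runAsNonRoot,
    # drop ALL capabilities and allowPrivilegeEscalation=false once the image's
    # user is verified; the gateway binds only ports above 1024.
    # containerSecurityContext:
    #   runAsNonRoot: true
    #   runAsUser: 1000669998
    #   capabilities:
    #     drop:
    #       - ALL
    #   allowPrivilegeEscalation: false
    # podSecurityContext:
    #   runAsUser: 1000669998
    #   runAsGroup: 1000669998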