You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
List of image pull secrets to be used on the managed Deployments ServiceAccounts. See imagePullSecrets field in K8s ServiceAccount documentation for details on Image pull secrets. If not specified, threescale-registry-auth is used. Secret names that contain dockercfg- or token- anywhere in part of its name cannot be specified. If an update to this attribute is performed the corresponding Deployment pods have to be redeployed by the user to make the changes effective
ResourceRequirementsEnabled
resourceRequirementsEnabled
bool
No
true
When true, 3Scale API management solution is deployed with the optimal resource requirements and limits. Setting this to false removes those resource requirements. Warning Only set it to false for development and evaluation environments. When set to true, default compute resources are set for the APIManager components. See Default APIManager components compute resources to see the default assigned values
Notes:
To enable Redis TLS communication for system and/or backend 3scale components, the corresponding Redis flags must be set to true in the APIManager Custom Resource (CR):
SystemRedisTLSEnabled in SystemSpec
BackendRedisTLSEnabled in BackendSpec
QueuesRedisTLSEnabled BackendSpec
These flags are prerequisites for enabling Redis TLS. However, additional configuration is required to establish Redis TLS communication. This includes:
Correct definition of Redis certificates and URLs in the backend-redis and/or system-redis secrets, which are required to set the necessary Redis TLS environment variables in the pods. These environment variables will be used by the system and backend to establish the TLS connection.
8443 only when httpsCertificateSecretRef is provided
Controls on which port APIcast should start listening for HTTPS connections. Do not use 8080 as HTTPS port (see docs)
HTTPSVerifyDepth
httpsVerifyDepth
int
No
N/A
Defines the maximum length of the client certificate chain. (see docs)
HTTPSCertificateSecretRef
httpsCertificateSecretRef
LocalObjectReference
No
APIcast has a default certificate used when httpsPort is provided
References secret containing the X.509 certificate in the PEM format and the X.509 certificate secret key
AllProxy
allProxy
string
No
N/A
Specifies a HTTP(S) proxy to be used for connecting to services if a protocol-specific proxy is not specified. Authentication is not supported. Format is: <scheme>://<host>:<port> (see docs)
HTTPProxy
httpProxy
string
No
N/A
Specifies a HTTP(S) Proxy to be used for connecting to HTTP services. Authentication is not supported. Format is: <scheme>://<host>:<port> (see docs)
HTTPSProxy
httpsProxy
string
No
N/A
Specifies a HTTP(S) Proxy to be used for connecting to HTTPS services. Authentication is not supported. Format is: <scheme>://<host>:<port> (see docs)
NoProxy
noProxy
string
No
N/A
Specifies a comma-separated list of hostnames and domain names for which the requests should not be proxied. Setting to a single * character, which matches all hosts, effectively disables the proxy (see docs)
ServiceCacheSize
serviceCacheSize
int
No
N/A
Specifies the number of services that APICast can store in the internal cache (see docs)
PriorityClassName
priorityClassName
string
No
N/A
If specified, indicates the pod's priority. "system-node-critical" and "system-cluster-critical" are two special keywords which indicate the highest priorities with the former being the highest priority. Any other name must be defined by creating a PriorityClass object with that name. If not specified, the pod priority will be default or zero if there is no default. (see docs)
8443 only when httpsCertificateSecretRef is provided
Controls on which port APIcast should start listening for HTTPS connections. Do not use 8080 as HTTPS port (see docs)
HTTPSVerifyDepth
httpsVerifyDepth
int
No
N/A
Defines the maximum length of the client certificate chain. (see docs)
HTTPSCertificateSecretRef
httpsCertificateSecretRef
LocalObjectReference
No
APIcast has a default certificate used when httpsPort is provided
References secret containing the X.509 certificate in the PEM format and the X.509 certificate secret key
AllProxy
allProxy
string
No
N/A
Specifies a HTTP(S) proxy to be used for connecting to services if a protocol-specific proxy is not specified. Authentication is not supported. Format is: <scheme>://<host>:<port> (see docs)
HTTPProxy
httpProxy
string
No
N/A
Specifies a HTTP(S) Proxy to be used for connecting to HTTP services. Authentication is not supported. Format is: <scheme>://<host>:<port> (see docs)
HTTPSProxy
httpsProxy
string
No
N/A
Specifies a HTTP(S) Proxy to be used for connecting to HTTPS services. Authentication is not supported. Format is: <scheme>://<host>:<port> (see docs)
NoProxy
noProxy
string
No
N/A
Specifies a comma-separated list of hostnames and domain names for which the requests should not be proxied. Setting to a single * character, which matches all hosts, effectively disables the proxy (see docs)
ServiceCacheSize
serviceCacheSize
int
No
N/A
Specifies the number of services that APICast can store in the internal cache (see docs)
PriorityClassName
priorityClassName
string
No
N/A
If specified, indicates the pod's priority. "system-node-critical" and "system-cluster-critical" are two special keywords which indicate the highest priorities with the former being the highest priority. Any other name must be defined by creating a PriorityClass object with that name. If not specified, the pod priority will be default or zero if there is no default. (see docs)
Controls which OpenTracing library is loaded. At the moment the supported values are: jaeger. If not set, jaeger will be used
TracingConfigSecretRef
tracingConfigSecretRef
LocalObjectReference
No
tracing library-specific default
Secret reference with the tracing library-specific configuration. Each supported tracing library provides a default configuration file which is used if tracingConfigSecretRef is not specified. See APIcastTracingConfigSecret for more information.
OpenTelemetrySpec
json/yaml field
Type
Required
Default value
Description
enabled
bool
No
false
Controls whether opentelemetry based gateway instrumentation is enabled or not. By default it is disabled
If unspecified, the first secret key in lexicographical order will be referenced as tracing configuration
The secret key used as tracing configuration
Watch for secret changes
By default, content changes in the secret will not be noticed by the 3scale operator.
The 3scale operator allows monitoring the secret for changes adding the apimanager.apps.3scale.net/watched-by=apimanager label.
With that label in place, when the content of the secret is changed, the operator will get notified.
Then, the operator will rollout apicast deployment to make the changes effective.
The operator will not take ownership of the watched secret in any way.
APIcastTracingConfigSecret
Field
Description
config
Tracing library-specific configuration
NOTE: Once apicast has been deployed, the content of the secret should not be updated externally.
If the content of the secret is updated externally, after apicast has been deployed, the container can automatically see the changes.
However, apicast has the environment already loaded and it does not change the behavior.
If the custom environment content needs to be changed, there are two options:
[recommended way] Create another secret with a different name and update the APIcast custom resource field spec.apicast.<apicast-environment>.openTracing.tracingConfigSecretRef.name. The operator will trigger a rolling update loading the new custom environment content.
Update the existing secret content and redeploy apicast turning spec.replicas to 0 and then back to the previous value.
CustomEnvironmentSpec
json/yaml field
Type
Required
Default value
Description
secretRef
LocalObjectReference
Yes
N/A
Secret reference with the custom environment content. See CustomEnvironmentSecret for more information.
CustomEnvironmentSecret
Generic (opaque) type secret holding one or more custom environments.
The operator will load in the APIcast container all the files (keys) found in the secret.
This flag enables Redis Backend TLS communication. When set to true, and after successful backend-redis secret validation, Redis Backend TLS environment variables are injected into the backend pods: CONFIG_REDIS_CA_FILE, CONFIG_REDIS_CERT, CONFIG_REDIS_PRIVATE_KEY, and CONFIG_REDIS_SSL is set to true. These environment variables are required to establish Redis TLS communication.
QueuesRedisTLSEnabled
queuesRedisTLSEnabled
bool
No
nil
This flag enables Redis Queues TLS communication. When set to true, and after successful backend-redis secret validation, Redis Queues TLS environment variables are injected into the backend pods: CONFIG_QUEUES_CA_FILE, CONFIG_QUEUES_CERT, CONFIG_QUEUES_PRIVATE_KEY, and CONFIG_QUEUES_SSL is set to true. These environment variables are required to establish Redis TLS communication.
BackendRedisPersistentVolumeClaimSpec
Field
json/yaml field
Type
Required
Default value
Description
StorageClassName
storageClassName
string
No
nil
[DEPRECATED] Use external databases only
BackendListenerSpec
Field
json/yaml field
Type
Required
Default value
Description
Replicas
replicas
integer
No
1
Number of Pod replicas of the backend-listener deployment
Resources describes the compute resource requirements. Takes precedence over spec.resourceRequirementsEnabled with replace behavior
PriorityClassName
priorityClassName
string
No
N/A
If specified, indicates the pod's priority. "system-node-critical" and "system-cluster-critical" are two special keywords which indicate the highest priorities with the former being the highest priority. Any other name must be defined by creating a PriorityClass object with that name. If not specified, the pod priority will be default or zero if there is no default. (see docs)
Resources describes the compute resource requirements. Takes precedence over spec.resourceRequirementsEnabled with replace behavior
PriorityClassName
priorityClassName
string
No
N/A
If specified, indicates the pod's priority. "system-node-critical" and "system-cluster-critical" are two special keywords which indicate the highest priorities with the former being the highest priority. Any other name must be defined by creating a PriorityClass object with that name. If not specified, the pod priority will be default or zero if there is no default. (see docs)
Resources describes the compute resource requirements. Takes precedence over spec.resourceRequirementsEnabled with replace behavior
PriorityClassName
priorityClassName
string
No
N/A
If specified, indicates the pod's priority. "system-node-critical" and "system-cluster-critical" are two special keywords which indicate the highest priorities with the former being the highest priority. Any other name must be defined by creating a PriorityClass object with that name. If not specified, the pod priority will be default or zero if there is no default. (see docs)
If specified, indicates the pod's priority. "system-node-critical" and "system-cluster-critical" are two special keywords which indicate the highest priorities with the former being the highest priority. Any other name must be defined by creating a PriorityClass object with that name. If not specified, the pod priority will be default or zero if there is no default. (see docs)
This flag enables Redis System TLS communication. When set to true, and with the secret validation successfully passed, Redis TLS environment variables are injected into the system-app and system-sidekiq pods: REDIS_CA_FILE, REDIS_CLIENT_CERT, REDIS_PRIVATE_KEY, and REDIS_SSL is set to true. These environment variables are required to establish system Redis TLS communication. Important: To establish System Redis TLS communication, the REDIS_SSL_CA, REDIS_SSL_CERT, and REDIS_SSL_KEY fields must be populated with valid certificates, not only in the system-redis secret but also in the backend-redis secret
The minimum resources the volume should have. Resources will not take any effect when VolumeName is provided. This parameter is not updateable when the underlying PV is not resizable.
VolumeName
volumeName
string
No
nil
The binding reference to the existing PersistentVolume backing this claim
Local object reference to the secret to be used where the AWS configuration is stored. See LocalObjectReference on how to specify the local object reference to the secret
The secret name specified in the configurationSecretRef field must be
pre-created by the user before creating the APIManager custom resource.
Otherwise the operator will complain about it. See the
fileStorage S3 credentials secret
specification to see what fields the secret should have and the values
that should be set on it.
STSSpec
yaml Field
Type
Required
Default value
Description
enabled
bool
No
false
Enable Secure Token Service for short-term, limited-privilege security credentials
audience
string
No
openshift
The ID the token is intended for. This field does not have any effect when STS is not enabled.
DeprecatedSystemS3Spec
DEPRECATED Setting fields here has no effect. Use SystemS3Spec instead
Note: Deploying databases internally with this section is meant for evaluation purposes. Check ExternalComponentsSpec for production ready recommended deployments.
Resources describes the compute resource requirements. Takes precedence over spec.resourceRequirementsEnabled with replace behavior
PriorityClassName
priorityClassName
string
No
N/A
If specified, indicates the pod's priority. "system-node-critical" and "system-cluster-critical" are two special keywords which indicate the highest priorities with the former being the highest priority. Any other name must be defined by creating a PriorityClass object with that name. If not specified, the pod priority will be default or zero if there is no default. (see docs)
Resources describes the compute resource requirements. Takes precedence over spec.resourceRequirementsEnabled with replace behavior
PriorityClassName
priorityClassName
string
No
N/A
If specified, indicates the pod's priority. "system-node-critical" and "system-cluster-critical" are two special keywords which indicate the highest priorities with the former being the highest priority. Any other name must be defined by creating a PriorityClass object with that name. If not specified, the pod priority will be default or zero if there is no default. (see docs)
Resources describes the compute resource requirements. Takes precedence over spec.resourceRequirementsEnabled with replace behavior
PriorityClassName
priorityClassName
string
No
N/A
If specified, indicates the pod's priority. "system-node-critical" and "system-cluster-critical" are two special keywords which indicate the highest priorities with the former being the highest priority. Any other name must be defined by creating a PriorityClass object with that name. If not specified, the pod priority will be default or zero if there is no default. (see docs)
PersistentVolumeClaim spec for the System Searchd component
PriorityClassName
priorityClassName
string
No
N/A
If specified, indicates the pod's priority. "system-node-critical" and "system-cluster-critical" are two special keywords which indicate the highest priorities with the former being the highest priority. Any other name must be defined by creating a PriorityClass object with that name. If not specified, the pod priority will be default or zero if there is no default. (see docs)
The minimum resources the volume should have. Resources will not take any effect when VolumeName is provided. This parameter is not updateable when the underlying PV is not resizable.
VolumeName
volumeName
string
No
nil
The binding reference to the existing PersistentVolume backing this claim
ZyncSpec
Field
json/yaml field
Type
Required
Default value
Description
Enabled
enabled
bool
No
true
Zync components are enabled by default. Set to false to disable all Zync components. If disabled, all other zync related settings will be ignored. When enabling from disabled, you must manually re-generate the routes if you wish to have the routes re-created
Image
image
string
No
nil
Used to overwrite the desired container image for Zync
PostgreSQLImage
postgreSQLImage
string
No
nil
Used to overwrite the desired PostgreSQL image for the PostgreSQL used by Zync. Does not take effect when the database is managed externally
DatabaseResources describes the compute resource requirements. Takes precedence over spec.resourceRequirementsEnabled with replace behavior. Does not take effect when the database is managed externally
DatabasePriorityClassName
databasePriorityClassName
string
No
N/A
If specified, indicates the pod's priority. "system-node-critical" and "system-cluster-critical" are two special keywords which indicate the highest priorities with the former being the highest priority. Any other name must be defined by creating a PriorityClass object with that name. If not specified, the pod priority will be default or zero if there is no default. (see docs)
Resources describes the compute resource requirements. Takes precedence over spec.resourceRequirementsEnabled with replace behavior
PriorityClassName
priorityClassName
string
No
N/A
If specified, indicates the pod's priority. "system-node-critical" and "system-cluster-critical" are two special keywords which indicate the highest priorities with the former being the highest priority. Any other name must be defined by creating a PriorityClass object with that name. If not specified, the pod priority will be default or zero if there is no default. (see docs)
Resources describes the compute resource requirements. Takes precedence over spec.resourceRequirementsEnabled with replace behavior
PriorityClassName
priorityClassName
string
No
N/A
If specified, indicates the pod's priority. "system-node-critical" and "system-cluster-critical" are two special keywords which indicate the highest priorities with the former being the highest priority. Any other name must be defined by creating a PriorityClass object with that name. If not specified, the pod priority will be default or zero if there is no default. (see docs)
Enable to use external system database, backend redis, and system redis databases
ExternalZyncDatabaseEnabled
externalZyncDatabaseEnabled
bool
No
false
Enable to user external zync database. The value of this field only takes effect when spec.highAvailability.enabled is set to true
When HighAvailability is enabled the following secrets have to be pre-created by the user:
backend-redis with the REDIS_STORAGE_URL and
REDIS_QUEUES_URL fields with values pointing to the desired external
databases. The databases should be configured
in high-availability mode
system-database with the URL field with the value
pointing to the desired external database. The database should be configured
in high-availability mode
system-redis with the URL field
with the value pointing to the desired external database. The database
should be configured in high-availability mode
Additionally, when HighAvailability is enabled, if the externalZyncDatabaseEnabled field is
also enabled the user has to pre-create the following secret too:
zync with the DATABASE_URL and DATABASE_PASSWORD fields
with the values pointing to the desired external database settings.
The database should be configured in high-availability mode
Use of slaves for Internal Redis is not supported.
Used by the Operator/Kubernetes to control the state of the APIManager.
an APIManager status field should never be modified by the user.
Field
json/yaml field
Type
Info
Available
available
v1.Condition
Indicates whether the APIManager is in Available state. See ConditionSpec for a description on the meaning of Available
ConditionSpec
The status object has an array of Conditions through which the Product has or has not passed.
Each element of the Condition array has the following fields:
The lastTransitionTime field provides a timestamp for when the entity last transitioned from one status to another.
The message field is a human-readable message indicating details about the transition.
The reason field is a unique, one-word, CamelCase reason for the condition’s last transition.
The status field is a string, with possible values True, False, and Unknown.
The type field is a string indicating the type of the condition. The types are:
Available: An APIManager is in Available state when all of the following scenarios are true:
All expected Deployments to be deployed exist and have the Available condition set to true
All 3scale default OpenShift routes exist and have the Admitted condition set to true. The default routes are:
Master route
Backend Listener route
Default tenant admin route, developer route, APIcast staging and production routes beloinging to the default tenant
Note: If you had zync disabled and then re-enabled it, the routes must be manually re-created for the APIManager to report status completed.
Additionally, if desired, several sensitive APIManager configuration options
can be controlled by pre-creating some Kubernetes secrets before deploying the
APIManager Custom Resource.
The available configurable secrets are:
backend-internal-api
Field
Description
Default value
username
Backend internal API username. Backend internal API is used by System
3scale_api_user
password
Backend internal API password. Backend internal API is used by System
Autogenerated value
backend-listener
Field
Description
Default value
service_endpoint
Backend listener service endpoint. Used by System and Apicast
http://backend-listener:3000
route_endpoint
Backend listener route endpoint. Used by System
https://backend-<tenantName>.<wildcardDomain>
backend-redis
Field
Description
Default value
REDIS_STORAGE_URL
Backend's redis storage database URL.
Mandatory when the instance is managed externally. Otherwise the default value is: redis://backend-redis:6379/0
REDIS_STORAGE_USERNAME
Backend's redis ACL creds - username.
""
REDIS_STORAGE_PASSWORD
Backend's redis ACL creds - password.
""
REDIS_STORAGE_SENTINEL_ROLE
Backend's redis storage sentinel role name. Used only when Redis sentinel is configured in the Redis database being used
""
REDIS_STORAGE_SENTINEL_HOSTS
Backend's redis storage sentinel hosts name. Used only when Redis sentinel is configured in the Redis database being used
""
REDIS_STORAGE_SENTINEL_USERNAME
Backend's redis sentinel ACL creds - username.
""
REDIS_STORAGE_SENTINEL_PASSWORD
Backend's redis sentinel ACL creds - password.
""
REDIS_SSL_CA
Redis Certificate Authority (CA) certificate
Required to set TLS Redis connection. Only for TLS
REDIS_SSL_CERT
Redis client certificate
Required to set TLS Redis connection. Only for TLS
REDIS_SSL_KEY
The private key for the Redis client certificate
Required to set TLS Redis connection. Only for TLS
REDIS_QUEUES_URL
Backend's redis queues database URL
Mandatory when the instance is managed externally. Otherwise the default value is: redis://backend-redis:6379/1
REDIS_QUEUES_USERNAME
Backend's redis queues ACL creds - username.
""
REDIS_QUEUES_PASSWORD
Backend's redis queues ACL creds - password.
""
REDIS_QUEUES_SENTINEL_ROLE
Backend's redis queues sentinel role name. Used only when Redis sentinel is configured in the Redis database being used
""
REDIS_QUEUES_SENTINEL_HOSTS
Backend's redis queues sentinel hosts name. Used only when Redis sentinel is configured in the Redis database being used
Required to set TLS Redis connection. Only for TLS
REDIS_SSL_QUEUES_CERT
Redis Queues client certificate
Required to set TLS Redis connection. Only for TLS
REDIS_SSL_QUEUES_KEY
The private key for the Redis Queues client certificate
Required to set TLS Redis connection. Only for TLS
Notes
If Redis TLS is enabled (backendRedisTLSEnabled or/and queuesRedisTLSEnabled fields are set to true in APIManafer CR BackendSpec) - Sentinel must also use TLS communication. REDIS_STORAGE_SENTINEL_HOSTS or/and REDIS_QUEUES_SENTINEL_HOSTS should contain redis secure urls prefixes: rediss://. If only one of the Sentinel hosts is secure, it may work, but it is not reliable (in case that secure sentinel host fails). It is strongly recommended to secure all Sentinel hosts for optimal reliability.
If Sentinel is not set, Redis clients will communicate directly with the Redis Master over TLS, bypassing Sentinel. This is a valid configuration when Sentinel is not needed
system-app
Field
Description
Default value
SECRET_KEY_BASE
System application secret key base
Autogenerated value
USER_SESSION_TTL
System user's login session length (TTL) in seconds. The empty value means 2 weeks
""
system-database
For Mysql:
Field
Description
Default value
URL
URL of the Porta database. Format: mysql2://<AdminUser>:<AdminPassword>@<DatabaseHost>/<DatabaseName>, where <AdminUser> must be an already existing user in the external database with full permissions on the specified <DatabaseName> logical database and <DatabaseName> must be an already existing logical database in the external database.
Mandatory when the instance is managed externally. A default is only set when database is managed internally. When managed internally: mysql2://root:<AutogeneratedValue>@system-mysql/mysql.
DB_USER
Not used by 3scale components. Only used when the database is managed internally to create a new user granted with superuser permissions for the database specified in the URL field.
mysql
DB_PASSWORD
Not used by 3scale components. Only used when the database is managed internally to create a new user granted with superuser permissions for the database specified in the URL field.
Required to set TLS Database connection. Only for TLS
DB_SSL_CA
SSL CA certificate
Required to set TLS Database connection. Only for TLS
DB_SSL_CERT
SSL CERT certificate
Required to set TLS Database connection. Only for TLS
DB_SSL_KEY
SSL Key
Required to set TLS Database connection. Only for TLS
For Postgresql:
Field
Description
Default value
URL
URL of the Porta database. Format: postgresql://<AdminUser>:<AdminPassword>@<DatabaseHost>/<DatabaseName>, where <AdminUser> must be an already existing user in the external database with full permissions on the specified <DatabaseName> logical database and <DatabaseName> must be an already existing logical database in the external database.
Mandatory when the instance is managed externally. A default is only set when database is managed internally. When managed internally: postgresql://system:<AutoGeneratedValue>@system-postgresql/system.
DB_USER
Not used by 3scale components. Only used when the database is managed internally to create a user with superuser power.
system
DB_PASSWORD
Not used by 3scale components. Only used when the database is managed internally to create a user with superuser power.
Required to set TLS Database connection. Only for TLS
DB_SSL_CA
SSL CA certificate
Required to set TLS Database connection. Only for TLS
DB_SSL_CERT
SSL CERT certificate
Required to set TLS Database connection. Only for TLS
DB_SSL_KEY
SSL Key
Required to set TLS Database connection. Only for TLS
For Oracle:
Field
Description
Default value
URL
URL of the Porta database. Mandatory for Oracle based deployments. Format: oracle-enhanced://<AdminUser>:<AdminPassword>@<DatabaseHost>/<DatabaseName>, where <AdminUser> must be an already existing user in the external database with full permissions on the specified <DatabaseName> logical database and <DatabaseName> must be an already existing logical database in the external database.
-
ORACLE_SYSTEM_PASSWORD
Password of Oracle's SYSTEM administrative user. Required and only used when system's database provided in URL field is an external Oracle database
N/A
system-events-hook
Field
Description
Default value
URL
The URL to System's event reports endpoint, used by Backend to report its events
http://system-master:3000/master/events/import
PASSWORD
Shared secret to import events from backend to system
Autogenerated value
system-master-apicast
Field
Description
Default value
ACCESS_TOKEN
Read only access token that APIcast uses to download its configuration from System
Autogenerated value
BASE_URL
URL of the 3scale portal admin endpoint with authentication part
http://<ACCESS_TOKEN>@system-master:3000
PROXY_CONFIGS_ENDPOINT
URL of the available configs for all System's services
reCAPTCHA site key (used in spam protection) for System
""
PRIVATE_KEY
reCAPTCHA secret key (used in spam protection) for System
""
system-redis
Field
Description
Default value
URL
System's Redis database URL
Mandatory when instance is managed externally. Otherwise the default value is: redis://system-redis:6379/1
REDIS_USERNAME
System's redis ACL creds - username.
""
REDIS_PASSWORD
System's redis ACL creds - password.
""
NAMESPACE
Define the namespace to be used by System's Redis Database. The empty value means not namespaced
""
SENTINEL_HOSTS
System's Redis sentinel hosts. Used only when Redis sentinel is configured
""
SENTINEL_ROLE
System's Redis sentinel role name. Used only when Redis sentinel is configured
""
REDIS_SENTINEL_USERNAME
System's redis sentinel ACL creds - username.
""
REDIS_SENTINEL_PASSWORD
System's redis sentinel ACL creds - password.
""
REDIS_SSL_CA
Redis Certificate Authority (CA) certificate
Required to set TLS Redis connection. Only for TLS
REDIS_SSL_CERT
Redis client certificate
Required to set TLS Redis connection. Only for TLS
REDIS_SSL_KEY
The private key for the Redis client certificate
Required to set TLS Redis connection. Only for TLS
Notes
If Redis TLS is enabled (systemRedisTLSEnabled is set to true in APIManafer CR SystemSpec) - Sentinel must also use TLS communication. In this case,SENTINEL_HOSTS if populated, must have the rediss:// URL prefix. If only one of the Sentinel hosts is secure, it may work, but it is not reliable (in case that host fails). It is strongly recommended to secure all Sentinel hosts for optimal reliability.
If Sentinel is not set, Redis clients will communicate directly with the Redis Master over TLS, bypassing Sentinel. This is a valid configuration when Sentinel is not needed.
system-seed
Field
Description
Default value
MASTER_USER
System's master username
master
MASTER_PASSWORD
System's master password
Autogenerated value
MASTER_ACCESS_TOKEN
System's master access token
Autogenerated value
MASTER_DOMAIN
System's master domain name
master
ADMIN_USER
System's admin user of the tenant created by default
admin
ADMIN_PASSWORD
System's admin password of the tenant created by default
Autogenerated value
ADMIN_ACCESS_TOKEN
System's admin access token of the tenant created by default
Autogenerated value
TENANT_NAME
Tenant name under the root that Admin UI will be available with -admin suffix
<tenantName>
zync
Field
Description
Default value
DATABASE_URL
PostgreSQL database used by Zync. Only used when the database is managed externally
Format: postgresql://<zync-db-username>:<ZYNC_DATABASE_PASSWORD>@<zync-db-host>:<zync-db-port>/zync_production, where <zync-db-username> must be an already existing user in the external database with full permissions on the zync_production logical database, zync_production logical database must be an already existing logical database in the external database and the specified value of <ZYNC_DATABASE_PASSWORD> must be the same as the ZYNC_DATABASE_PASSWORD parameter in this secret. Otherwise it has a default value, which is postgresql://zync:<ZYNC_DATABASE_PASSWORD>@zync-database:5432/zync_production
ZYNC_DATABASE_PASSWORD
Database password associated to the user specified in the DATABASE_URL parameter
When the database is managed externally, this parameter is mandatory and must have the same value as the password part of the DATABASE_URL parameter in this secret. Otherwise the default value is an autogenerated value if not defined
SECRET_KEY_BASE
Zync's application key generator to encrypt communications
Autogenerated value
ZYNC_AUTHENTICATION_TOKEN
Authentication token used to authenticate System when calling Zync
Default: false - When set to true, the bucket name is always left in the request URI and never moved to the host as a sub-domain
N
N
AWS_ROLE_ARN
ARN of the Role which has a policy attached to authenticate using AWS STS
N
Y
AWS_WEB_IDENTITY_TOKEN_FILE
Path to mounted token file location e.g. /var/run/secrets/openshift/serviceaccount/token
N
Y
system-smtp
Field
Description
Default value
address
Address (hostname or IP) of the remote mail server to use. If set to a value different than "" System will use the mail server to send mails related to events that happen in the API management solution
""
port
Port of the remote mail server to use
""
domain
In case the mail server requires a HELO domain
""
authentication
In case the mail server requires authentication, set this setting to the authentication type here. plain to send the password in the clear, login to send password Base64 encoded, or cram_md5 to combine a Challenge/Response mechanism based on the HMAC-MD5 algorithm
""
username
In case the mail server requires authentication and the authentication type requires it
""
password
In case the mail server requires authentication and the authentication type requires it
""
openssl.verify.mode
When using TLS, you can set how OpenSSL checks the certificate. This is really useful if you need to validate a self-signed and/or a wildcard certificate. You can use the name of an OpenSSL verify constant: none or peer
""
from_address
from address value for the no-reply mail
""
Default APIManager components compute resources
When APIManager's spec.resourceRequirementsEnabled attribute is set to
true, default compute resources are set for the APIManager components.
The specific compute resources default values that are set for the
APIManager components are the following ones: