
| Field | json/yaml field | Type | Required | Default value | Description |
| --- | --- | --- | --- | --- | --- |
|  |  |  |  |  | List of image pull secrets to be used on the managed DeploymentConfigs ServiceAccounts. See the imagePullSecrets field in the K8s ServiceAccount documentation for details on image pull secrets. If not specified, threescale-registry-auth is used. Secret names that contain dockercfg- or token- anywhere in the name cannot be specified. If this attribute is updated, the user has to redeploy the corresponding DeploymentConfig pods to make the changes effective |
| ResourceRequirementsEnabled | resourceRequirementsEnabled | bool | No | true | When true, 3Scale API management solution is deployed with the optimal resource requirements and limits. Setting this to false removes those resource requirements. Warning: Only set it to false for development and evaluation environments. When set to true, default compute resources are set for the APIManager components. See Default APIManager components compute resources to see the default assigned values |


| Field | json/yaml field | Type | Required | Default value | Description |
| --- | --- | --- | --- | --- | --- |
|  |  |  |  | 8443 only when httpsCertificateSecretRef is provided | Controls on which port APIcast should start listening for HTTPS connections. Do not use 8080 as HTTPS port (see docs) |
| HTTPSVerifyDepth | httpsVerifyDepth | int | No | N/A | Defines the maximum length of the client certificate chain. (see docs) |
| HTTPSCertificateSecretRef | httpsCertificateSecretRef | LocalObjectReference | No | APIcast has a default certificate used when httpsPort is provided | References secret containing the X.509 certificate in the PEM format and the X.509 certificate secret key |
| AllProxy | allProxy | string | No | N/A | Specifies a HTTP(S) proxy to be used for connecting to services if a protocol-specific proxy is not specified. Authentication is not supported. Format is: `<scheme>://<host>:<port>` (see docs) |
| HTTPProxy | httpProxy | string | No | N/A | Specifies a HTTP(S) Proxy to be used for connecting to HTTP services. Authentication is not supported. Format is: `<scheme>://<host>:<port>` (see docs) |
| HTTPSProxy | httpsProxy | string | No | N/A | Specifies a HTTP(S) Proxy to be used for connecting to HTTPS services. Authentication is not supported. Format is: `<scheme>://<host>:<port>` (see docs) |
| NoProxy | noProxy | string | No | N/A | Specifies a comma-separated list of hostnames and domain names for which the requests should not be proxied. Setting to a single `*` character, which matches all hosts, effectively disables the proxy (see docs) |
| ServiceCacheSize | serviceCacheSize | int | No | N/A | Specifies the number of services that APICast can store in the internal cache (see docs) |

ApicastStagingSpec

| Field | json/yaml field | Type | Required | Default value | Description |
| --- | --- | --- | --- | --- | --- |
| Replicas | replicas | integer | No | 1 | Number of Pod replicas of the apicast-staging deployment |
|  |  |  |  | 8443 only when httpsCertificateSecretRef is provided | Controls on which port APIcast should start listening for HTTPS connections. Do not use 8080 as HTTPS port (see docs) |
| HTTPSVerifyDepth | httpsVerifyDepth | int | No | N/A | Defines the maximum length of the client certificate chain. (see docs) |
| HTTPSCertificateSecretRef | httpsCertificateSecretRef | LocalObjectReference | No | APIcast has a default certificate used when httpsPort is provided | References secret containing the X.509 certificate in the PEM format and the X.509 certificate secret key |
| AllProxy | allProxy | string | No | N/A | Specifies a HTTP(S) proxy to be used for connecting to services if a protocol-specific proxy is not specified. Authentication is not supported. Format is: `<scheme>://<host>:<port>` (see docs) |
| HTTPProxy | httpProxy | string | No | N/A | Specifies a HTTP(S) Proxy to be used for connecting to HTTP services. Authentication is not supported. Format is: `<scheme>://<host>:<port>` (see docs) |
| HTTPSProxy | httpsProxy | string | No | N/A | Specifies a HTTP(S) Proxy to be used for connecting to HTTPS services. Authentication is not supported. Format is: `<scheme>://<host>:<port>` (see docs) |
| NoProxy | noProxy | string | No | N/A | Specifies a comma-separated list of hostnames and domain names for which the requests should not be proxied. Setting to a single `*` character, which matches all hosts, effectively disables the proxy (see docs) |
| ServiceCacheSize | serviceCacheSize | int | No | N/A | Specifies the number of services that APICast can store in the internal cache (see docs) |

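
The HTTPS and proxy fields above carry several constraints that are easy to miss in review: no credentials in proxy URLs, a mandatory port, 8080 not used for HTTPS, and `noProxy: "*"` switching the proxy off. The following lint is an added example, not code from the operator; it takes one APIcast environment spec as a plain dict of the json/yaml fields listed above. The sample specs, host names and secret name are constructed, and treating "HTTP(S)" as the schemes `http` and `https` is an assumption.

```python
from urllib.parse import urlsplit

PROXY_FIELDS = ("allProxy", "httpProxy", "httpsProxy")


def lint_proxy_url(field, value):
    """Check one proxy value against the documented <scheme>://<host>:<port> format."""
    try:
        parts = urlsplit(value)
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return [f"{field}: not a parseable <scheme>://<host>:<port> value"]
    findings = []
    if parts.scheme not in ("http", "https"):  # assumption: "HTTP(S)" means these two
        findings.append(f"{field}: scheme should be http or https")
    if parts.username is not None or parts.password is not None:
        # Authentication is not supported, so credentials here gain nothing
        # and sit in clear text in the custom resource. The value is not echoed.
        findings.append(f"{field}: proxy authentication is not supported; remove credentials")
    if not parts.hostname or port is None:
        findings.append(f"{field}: host and port are both required")
    return findings


def lint_apicast(env, spec):
    """Lint one APIcast environment spec given as a dict of json/yaml fields."""
    findings = []
    proxies = [f for f in PROXY_FIELDS if spec.get(f)]
    for field in proxies:
        findings += lint_proxy_url(f"{env}.{field}", spec[field])
    if proxies and spec.get("noProxy", "").strip() == "*":
        findings.append(f"{env}.noProxy: '*' matches all hosts, so the proxy is never used")
    if spec.get("httpsPort") == 8080:
        findings.append(f"{env}.httpsPort: do not use 8080 as the HTTPS port")
    if "httpsPort" in spec and "httpsCertificateSecretRef" not in spec:
        findings.append(f"{env}.httpsPort: no httpsCertificateSecretRef, APIcast's default certificate is used")
    return findings


# Constructed specs; host names and the secret name are placeholders.
PRODUCTION = {
    "httpsPort": 8080,
    "httpProxy": "http://svc:pw@proxy.example.internal:3128",
    "noProxy": "*",
}
STAGING = {
    "httpsPort": 8443,
    "httpsCertificateSecretRef": {"name": "apicast-staging-tls"},
    "httpsProxy": "http://proxy.example.internal:3128",
    "noProxy": "backend-listener,system-master",
}

if __name__ == "__main__":
    for env, spec in (("production", PRODUCTION), ("staging", STAGING)):
        for finding in lint_apicast(env, spec):
            print(finding)
```
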
CustomPolicySpec

| json/yaml field | Type | Required | Default value | Description |
| --- | --- | --- | --- | --- |
| name | string | Yes | N/A | Name |
| version | string | Yes | N/A | Version |
| secretRef | LocalObjectReference | Yes | N/A | Secret reference with the policy content. See CustomPolicySecret for more information. |

CustomPolicySecret
Contains custom policy specific content. Two files, init.lua and apicast-policy.json, are required, but more can be added optionally.

| Field | json/yaml field | Type | Required | Default value | Description |
| --- | --- | --- | --- | --- | --- |
|  |  |  |  |  | Controls whether OpenTracing integration with APIcast is enabled. By default it is not enabled |
| TracingLibrary | tracingLibrary | string | No | jaeger | Controls which OpenTracing library is loaded. At the moment the supported values are: jaeger. If not set, jaeger will be used |
| TracingConfigSecretRef | tracingConfigSecretRef | LocalObjectReference | No | tracing library-specific default | Secret reference with the tracing library-specific configuration. Each supported tracing library provides a default configuration file which is used if tracingConfigSecretRef is not specified. See APIcastTracingConfigSecret for more information. |

APIcastTracingConfigSecret

| Field | Description |
| --- | --- |
| config | Tracing library-specific configuration |

NOTE: Once apicast has been deployed, the content of the secret should not be updated externally. If the content of the secret is updated externally, after apicast has been deployed, the container can automatically see the changes. However, apicast has the environment already loaded and it does not change the behavior.

If the custom environment content needs to be changed, there are two options:

- [recommended way] Create another secret with a different name and update the APIcast custom resource field `spec.apicast.<apicast-environment>.openTracing.tracingConfigSecretRef.name`. The operator will trigger a rolling update loading the new custom environment content.
- Update the existing secret content and redeploy apicast turning spec.replicas to 0 and then back to the previous value.

CustomEnvironmentSpec

| json/yaml field | Type | Required | Default value | Description |
| --- | --- | --- | --- | --- |
| secretRef | LocalObjectReference | Yes | N/A | Secret reference with the custom environment content. See CustomEnvironmentSecret for more information. |

CustomEnvironmentSecret
Generic (opaque) type secret holding one or more custom environments.
The operator will load in the APIcast container all the files (keys) found in the secret.

| Field | json/yaml field | Type | Required | Default value | Description |
| --- | --- | --- | --- | --- | --- |
|  |  |  |  |  | The minimum resources the volume should have. Resources will not take any effect when VolumeName is provided. This parameter is not updateable when the underlying PV is not resizable. |
| VolumeName | volumeName | string | No | nil | The binding reference to the existing PersistentVolume backing this claim |

Local object reference to the secret to be used where the AWS configuration is stored. See LocalObjectReference on how to specify the local object reference to the secret
The secret name specified in the configurationSecretRef field must be pre-created by the user before creating the APIManager custom resource. Otherwise the operator will complain about it. See the fileStorage S3 credentials secret specification to see what fields the secret should have and the values that should be set on it.
STSSpec

| yaml Field | Type | Required | Default value | Description |
| --- | --- | --- | --- | --- |
| enabled | bool | No | false | Enable Secure Token Service for short-term, limited-privilege security credentials |
| audience | string | No | openshift | The ID the token is intended for. This field does not have any effect when STS is not enabled. |

DeprecatedSystemS3Spec
DEPRECATED: Setting fields here has no effect. Use SystemS3Spec instead.
Note: Deploying databases internally with this section is meant for evaluation purposes. Check ExternalComponentsSpec for production ready recommended deployments.

| Field | json/yaml field | Type | Required | Default value | Description |
| --- | --- | --- | --- | --- | --- |
| MySQL | mysql | *SystemMySQLSpec | No | nil | Enable MySQL database as System's database. Only takes effect when the instance is not managed externally. See MySQLSpec specification |
| PostgreSQL | postgresql | *SystemPostgreSQLSpec | No | nil | Enable PostgreSQL database as System's database. Only takes effect when the instance is not managed externally. See PostgreSQLSpec |

MySQLSpec

| Field | json/yaml field | Type | Required | Default value | Description |
| --- | --- | --- | --- | --- | --- |
| Image | image | string | No | nil | Used to overwrite the desired container image for System's MySQL database |

| Field | json/yaml field | Type | Required | Default value | Description |
| --- | --- | --- | --- | --- | --- |
|  |  |  |  |  | The minimum resources the volume should have. Resources will not take any effect when VolumeName is provided. This parameter is not updateable when the underlying PV is not resizable. |
| VolumeName | volumeName | string | No | nil | The binding reference to the existing PersistentVolume backing this claim |

PostgreSQLSpec

| Field | json/yaml field | Type | Required | Default value | Description |
| --- | --- | --- | --- | --- | --- |
| Image | image | string | No | nil | Used to overwrite the desired container image for System's PostgreSQL database |

| Field | json/yaml field | Type | Required | Default value | Description |
| --- | --- | --- | --- | --- | --- |
|  |  |  |  |  | The minimum resources the volume should have. Resources will not take any effect when VolumeName is provided. This parameter is not updateable when the underlying PV is not resizable. |
| VolumeName | volumeName | string | No | nil | The binding reference to the existing PersistentVolume backing this claim |

SystemAppSpec

| Field | json/yaml field | Type | Required | Default value | Description |
| --- | --- | --- | --- | --- | --- |
| Replicas | replicas | integer | No | 1 | Number of Pod replicas of the system-app deployment |

| Field | json/yaml field | Type | Required | Default value | Description |
| --- | --- | --- | --- | --- | --- |
|  |  |  |  |  | The minimum resources the volume should have. Resources will not take any effect when VolumeName is provided. This parameter is not updateable when the underlying PV is not resizable. |
| VolumeName | volumeName | string | No | nil | The binding reference to the existing PersistentVolume backing this claim |

ZyncSpec

| Field | json/yaml field | Type | Required | Default value | Description |
| --- | --- | --- | --- | --- | --- |
| Image | image | string | No | nil | Used to overwrite the desired container image for Zync |
| PostgreSQLImage | postgreSQLImage | string | No | nil | Used to overwrite the desired PostgreSQL image for the PostgreSQL used by Zync. Does not take effect when the database is managed externally |
|  |  |  |  |  | DatabaseResources describes the compute resource requirements. Takes precedence over spec.resourceRequirementsEnabled with replace behavior. Does not take effect when the database is managed externally |

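
| Field | json/yaml field | Type | Required | Default value | Description |
| --- | --- | --- | --- | --- | --- |
|  |  |  |  |  | Enable to use external system database, backend redis, and system redis databases |
| ExternalZyncDatabaseEnabled | externalZyncDatabaseEnabled | bool | No | false | Enable to use external zync database. The value of this field only takes effect when spec.highAvailability.enabled is set to true |
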
When HighAvailability is enabled the following secrets have to be pre-created by the user:

- backend-redis with the REDIS_STORAGE_URL and REDIS_QUEUES_URL fields with values pointing to the desired external databases. The databases should be configured in high-availability mode
- system-database with the URL field with the value pointing to the desired external database. The database should be configured in high-availability mode
- system-redis with the URL field with the value pointing to the desired external database. The database should be configured in high-availability mode

Additionally, when HighAvailability is enabled, if the externalZyncDatabaseEnabled field is also enabled the user has to pre-create the following secret too:

- zync with the DATABASE_URL and DATABASE_PASSWORD fields with the values pointing to the desired external database settings. The database should be configured in high-availability mode

Used by the Operator/Kubernetes to control the state of the APIManager. An APIManager status field should never be modified by the user.

| Field | json/yaml field | Type | Info |
| --- | --- | --- | --- |
| Available | available | v1.Condition | Indicates whether the APIManager is in Available state. See ConditionSpec for a description on the meaning of Available |

ConditionSpec
The status object has an array of Conditions through which the Product has or has not passed.
Each element of the Condition array has the following fields:

- The lastTransitionTime field provides a timestamp for when the entity last transitioned from one status to another.
- The message field is a human-readable message indicating details about the transition.
- The reason field is a unique, one-word, CamelCase reason for the condition’s last transition.
- The status field is a string, with possible values True, False, and Unknown.
- The type field is a string indicating the type of the condition. The types are:
  - Available: An APIManager is in Available state when all of the following scenarios are true:
    - All expected DeploymentConfigs to be deployed exist and have the Available condition set to true
    - All 3scale default OpenShift routes exist and have the Admitted condition set to true. The default routes are:
      - Master route
      - Backend Listener route
      - Default tenant admin route, developer route, APIcast staging and production routes belonging to the default tenant

Additionally, if desired, several sensitive APIManager configuration options can be controlled by pre-creating some Kubernetes secrets before deploying the APIManager Custom Resource.

The available configurable secrets are:
backend-internal-api

| Field | Description | Default value |
| --- | --- | --- |
| username | Backend internal API username. Backend internal API is used by System | 3scale_api_user |
| password | Backend internal API password. Backend internal API is used by System | Autogenerated value |

backend-listener

| Field | Description | Default value |
| --- | --- | --- |
| service_endpoint | Backend listener service endpoint. Used by System and Apicast | http://backend-listener:3000 |
| route_endpoint | Backend listener route endpoint. Used by System | `https://backend-<tenantName>.<wildcardDomain>` |

backend-redis

| Field | Description | Default value |
| --- | --- | --- |
| REDIS_STORAGE_URL | Backend's redis storage database URL. | Mandatory when the instance is managed externally. Otherwise the default value is: redis://backend-redis:6379/0 |
| REDIS_STORAGE_SENTINEL_ROLE | Backend's redis storage sentinel role name. Used only when Redis sentinel is configured in the Redis database being used | "" |
| REDIS_STORAGE_SENTINEL_HOSTS | Backend's redis storage sentinel hosts name. Used only when Redis sentinel is configured in the Redis database being used | "" |
| REDIS_QUEUES_URL | Backend's redis queues database URL | Mandatory when the instance is managed externally. Otherwise the default value is: redis://backend-redis:6379/1 |
| REDIS_QUEUES_SENTINEL_ROLE | Backend's redis queues sentinel role name. Used only when Redis sentinel is configured in the Redis database being used | "" |
| REDIS_QUEUES_SENTINEL_HOSTS | Backend's redis queues sentinel hosts name. Used only when Redis sentinel is configured in the Redis database being used | "" |

system-app

| Field | Description | Default value |
| --- | --- | --- |
| SECRET_KEY_BASE | System application secret key base | Autogenerated value |
| USER_SESSION_TTL | System user's login session length (TTL) in seconds. The empty value means 2 weeks | "" |

system-database

| Field | Description | Default value |
| --- | --- | --- |
| URL | URL of the Porta database. Mandatory when the instance is managed externally. The format of the URL must be: `<DBScheme>://<AdminUser>:<AdminPassword>@<DatabaseHost>/<DatabaseName>`, where `<AdminUser>` must be an already existing user in the external database with full permissions on the specified `<DatabaseName>` logical database and `<DatabaseName>` must be an already existing logical database in the external database. When the database is managed internally, the `<AdminPassword>` part of the URL can be set instead of an autogenerated one. In order to do that (if desired) set URL as the value specified in the Default Value column with the `<AutoGeneratedValue>` placeholder replaced with the desired value. | A default is only set when database is managed internally. Otherwise it is a mandatory field. When managed internally: If MySQL is used as System's database (the default behavior): `mysql2://root:<AutogeneratedValue>@system-mysql/mysql`. If PostgreSQL is used (when .spec.system.database.postgresql is set): `postgresql://root:<AutoGeneratedValue>@system-postgresql/system`. |
| DB_USER | Non-administrative database username. Only used when the database is managed externally | mysql |
| DB_PASSWORD | Password of the non-administrative database user. Only used when the database is managed externally | Autogenerated value |
| ORACLE_SYSTEM_PASSWORD | Password of Oracle's SYSTEM administrative user. Required and only used when system's database provided in URL field is an external Oracle database | N/A |

system-events-hook

| Field | Description | Default value |
| --- | --- | --- |
| URL | The URL to System's event reports endpoint, used by Backend to report its events | http://system-master:3000/master/events/import |
| PASSWORD | Shared secret to import events from backend to system | Autogenerated value |

system-master-apicast

| Field | Description | Default value |
| --- | --- | --- |
| ACCESS_TOKEN | Read only access token that APIcast uses to download its configuration from System | Autogenerated value |
| BASE_URL | URL of the 3scale portal admin endpoint with authentication part | `http://<ACCESS_TOKEN>@system-master:3000` |
| PROXY_CONFIGS_ENDPOINT | URL of the available configs for all System's services |  |

| Field | Description | Default value |
| --- | --- | --- |
|  | reCAPTCHA site key (used in spam protection) for System | "" |
| PRIVATE_KEY | reCAPTCHA secret key (used in spam protection) for System | "" |

system-redis

| Field | Description | Default value |
| --- | --- | --- |
| URL | System's Redis database URL | Mandatory when instance is managed externally. Otherwise the default value is: redis://system-redis:6379/1 |
| NAMESPACE | Define the namespace to be used by System's Redis Database. The empty value means not namespaced | "" |
| SENTINEL_HOSTS | System's Redis sentinel hosts. Used only when Redis sentinel is configured | "" |
| SENTINEL_ROLE | System's Redis sentinel role name. Used only when Redis sentinel is configured | "" |

system-seed

| Field | Description | Default value |
| --- | --- | --- |
| MASTER_USER | System's master username | master |
| MASTER_PASSWORD | System's master password | Autogenerated value |
| MASTER_ACCESS_TOKEN | System's master access token | Autogenerated value |
| MASTER_DOMAIN | System's master domain name | master |
| ADMIN_USER | System's admin user of the tenant created by default | admin |
| ADMIN_PASSWORD | System's admin password of the tenant created by default | Autogenerated value |
| ADMIN_ACCESS_TOKEN | System's admin access token of the tenant created by default | Autogenerated value |
| TENANT_NAME | Tenant name under the root that Admin UI will be available with -admin suffix | `<tenantName>` |

zync

| Field | Description | Default value |
| --- | --- | --- |
| DATABASE_URL | PostgreSQL database used by Zync. Only used when the database is managed externally | Format: `postgresql://<zync-db-username>:<ZYNC_DATABASE_PASSWORD>@<zync-db-host>:<zync-db-port>/zync_production`, where `<zync-db-username>` must be an already existing user in the external database with full permissions on the zync_production logical database, zync_production logical database must be an already existing logical database in the external database and the specified value of `<ZYNC_DATABASE_PASSWORD>` must be the same as the ZYNC_DATABASE_PASSWORD parameter in this secret. Otherwise it has a default value, which is `postgresql://zync:<ZYNC_DATABASE_PASSWORD>@zync-database:5432/zync_production` |
| ZYNC_DATABASE_PASSWORD | Database password associated to the user specified in the DATABASE_URL parameter | When the database is managed externally, this parameter is mandatory and must have the same value as the password part of the DATABASE_URL parameter in this secret. Otherwise the default value is an autogenerated value if not defined |
| SECRET_KEY_BASE | Zync's application key generator to encrypt communications | Autogenerated value |
| ZYNC_AUTHENTICATION_TOKEN | Authentication token used to authenticate System when calling Zync | Autogenerated value |

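
A pre-flight check for the secrets that must be pre-created when HighAvailability is enabled, including the rule that the password inside the zync `DATABASE_URL` equals `ZYNC_DATABASE_PASSWORD`. This is an added example, not code from the operator. It assumes the secret data has already been read and base64-decoded into a dict, and it uses the key names from the zync secret table; all hosts and passwords in the sample are constructed.

```python
from urllib.parse import urlsplit

# Secret -> keys that must exist when HighAvailability is enabled (from the page).
HA_REQUIRED = {
    "backend-redis": ("REDIS_STORAGE_URL", "REDIS_QUEUES_URL"),
    "system-database": ("URL",),
    "system-redis": ("URL",),
}
# Key names as given in the zync secret table.
ZYNC_REQUIRED = ("DATABASE_URL", "ZYNC_DATABASE_PASSWORD")


def check_system_database(data):
    """URL must be <DBScheme>://<AdminUser>:<AdminPassword>@<DatabaseHost>/<DatabaseName>."""
    url = urlsplit(data["URL"])
    parts = (url.scheme, url.username, url.password, url.hostname, url.path.strip("/"))
    return [] if all(parts) else ["system-database: URL lacks scheme, user, password, host or database"]


def check_zync(data):
    """DATABASE_URL must target zync_production and carry ZYNC_DATABASE_PASSWORD."""
    findings = []
    url = urlsplit(data["DATABASE_URL"])
    if url.scheme != "postgresql" or url.path != "/zync_production":
        findings.append("zync: DATABASE_URL is not postgresql://.../zync_production")
    # Compare the literal text; neither value is echoed into the finding.
    if url.password != data["ZYNC_DATABASE_PASSWORD"]:
        findings.append("zync: DATABASE_URL password differs from ZYNC_DATABASE_PASSWORD")
    return findings


def preflight(secrets, external_zync=False):
    """secrets: {secret name: {key: decoded string}}. Returns a list of findings."""
    required = dict(HA_REQUIRED)
    if external_zync:
        required["zync"] = ZYNC_REQUIRED
    findings, complete = [], set()
    for name, keys in required.items():
        missing = [k for k in keys if not secrets.get(name, {}).get(k)]
        if name not in secrets:
            findings.append(f"{name}: secret not found")
        elif missing:
            findings.append(f"{name}: missing or empty key(s) {', '.join(missing)}")
        else:
            complete.add(name)
    if "system-database" in complete:
        findings += check_system_database(secrets["system-database"])
    if "zync" in complete:
        findings += check_zync(secrets["zync"])
    return findings


# Constructed sample data; hosts and passwords are placeholders.
GOOD = {
    "backend-redis": {"REDIS_STORAGE_URL": "redis://redis.example.internal:6379/0",
                      "REDIS_QUEUES_URL": "redis://redis.example.internal:6379/1"},
    "system-database": {"URL": "mysql2://admin:pw-a@db.example.internal/system"},
    "system-redis": {"URL": "redis://redis.example.internal:6379/2"},
    "zync": {"DATABASE_URL": "postgresql://zync:pw-z@pg.example.internal:5432/zync_production",
             "ZYNC_DATABASE_PASSWORD": "pw-z"},
}
```

Running `preflight(GOOD, external_zync=True)` returns an empty list; rotating only one of the two zync values, or dropping a secret, produces one finding per problem without printing any secret value.
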
fileStorage-S3-credentials-secret
The name of this secret can be any name as long as it does not collide with other existing secret names.

| Field | Description | Required for IAM | Required for STS |
| --- | --- | --- | --- |
| AWS_ACCESS_KEY_ID | AWS Access Key ID to use in S3 Storage for System's file storage | Y | N |
| AWS_SECRET_ACCESS_KEY | AWS Access Key Secret to use in S3 Storage for System's file storage | Y | N |
| AWS_BUCKET | S3 bucket to be used as System's FileStorage for assets | Y | Y |
| AWS_REGION | Region of the S3 bucket to be used as System's FileStorage for assets |  |  |
|  | Default: false - When set to true, the bucket name is always left in the request URI and never moved to the host as a sub-domain | N | N |
| AWS_ROLE_ARN | ARN of the Role which has a policy attached to authenticate using AWS STS | N | Y |
| AWS_WEB_IDENTITY_TOKEN_FILE | Path to mounted token file location e.g. /var/run/secrets/openshift/serviceaccount/token | N | Y |

system-smtp

| Field | Description | Default value |
| --- | --- | --- |
| address | Address (hostname or IP) of the remote mail server to use. If set to a value different than "" System will use the mail server to send mails related to events that happen in the API management solution | "" |
| port | Port of the remote mail server to use | "" |
| domain | In case the mail server requires a HELO domain | "" |
| authentication | In case the mail server requires authentication, set this setting to the authentication type here. plain to send the password in the clear, login to send password Base64 encoded, or cram_md5 to combine a Challenge/Response mechanism based on the HMAC-MD5 algorithm | "" |
| username | In case the mail server requires authentication and the authentication type requires it | "" |
| password | In case the mail server requires authentication and the authentication type requires it | "" |
| openssl.verify.mode | When using TLS, you can set how OpenSSL checks the certificate. This is really useful if you need to validate a self-signed and/or a wildcard certificate. You can use the name of an OpenSSL verify constant: none or peer | "" |
| from_address | from address value for the no-reply mail | "" |

Default APIManager components compute resources
When APIManager's spec.resourceRequirementsEnabled attribute is set to true, default compute resources are set for the APIManager components. The specific compute resources default values that are set for the APIManager components are the following ones: