apim-charts's People

Contributors

ab-sub, acheuk, ajbrink88, alisterz, apim-kiranvaddadi, as666499, ashish-es, burbanski, cuisimon, damandeeptoor, david-dc-chen, gavinwu, gazza7205, gerbenwelter, gvermeulen7205, hydak, jennarddy, kk632390, ksaladi, markgxchen, melil02, mohsinkhanbrcm, premchandervodela, rkarim2011, satishkoney-brcm, scottchc1, sm895441, uppoju, vinny604, volol01

apim-charts's Issues

Sticky session for Kubernetes

Which chart:
gateway

Is your feature request related to a problem? Please describe.
When using the gateway in a solution like Kubernetes, we have found the problem that if we have more than one Gateway, Policy Manager is not keeping the connection stable, as the load balancer starts to jump between the available gateways.

Describe the solution you'd like
A sticky session that will keep the gateway connected to the same gateway when using Policy Manager, or any other solution that keeps us connected to the Gateway with Policy Manager.

Describe alternatives you've considered
Create a second load balancer or tagging in Kubernetes

Use Cert Manager for Certificate Generation

Which chart:
Portal and Gateway

Is your feature request related to a problem? Please describe.
No

Describe the solution you'd like
A line that is something like "certManager: true" in the chart

If true, there can be a specific secret name in the tls section that uses the cert-manager output. Additionally, the service should generate all certs using cert-manager if certManager is true and useSignedCertificates is set to false for all self-signed. You could add additional capabilities to add things where the deployer creates their own issuer (cluster or namespace scoped) that the chart uses to create any certs. The internal vs external should continue to be separated based on that as well

Describe alternatives you've considered
Alternative is manual process like today

Additional context
None other than cert-manager is becoming a highly used option.

pssg certificate getting rotated

value: {{ .Values.tls.job.rotate | quote }}

Guys, maybe it is only me, but when I put the value none for tls.job.rotate, the certificate for pssg is still getting changed.

  1. Deploy portal.
  2. Create tenant and enroll gateway.
  3. Stop portal (stop all pods or removed the deployment; I have an external DB).
  4. Redeploy portal. The portal starts OK, but the enrolled gateways cannot sync.
  5. Check the error in the gateway, and it is noticed that it is the SSL cert for PSSG (this was changed during redeployment).

After we introduced the none value in the rotation of the cert:

  6. Stop portal (stop all pods or removed the deployment; I have an external DB).
  7. Change the value in the repo to Rotate = none.
  8. Redeploy portal. The portal starts OK, but the enrolled gateways still can't sync with the portal because another new cert was created.

To reassure myself that I was maybe going to get the none this time:

  9. Stop portal (stop all pods or removed the deployment; I have an external DB).
  10. Check the value in the repo for Rotate = none.
  11. Redeploy portal. The portal starts OK, but the enrolled gateways still can't sync with the portal because another new cert was created. I also checked that the value none was passed during deployment, and it was there, but the pssg cert changed.

If you have tested this, let me know.

Thank you

Error to Deploy Gateway on GCP

Hello!

I'm receiving the error below when I try to deploy the Gateway chart

logs apim-gateway-796f98fbd-q4x2r -f
Using MySQL database
SSG_DATABASE_WAIT_TIMEOUT set to 300 seconds.
SSG_JVM_HEAP will be 2g
SSG_CLUSTER_HOST will be my.localdomain
SSG_GC_ARGS will be -XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=10 -XX:GCLogFileSize=20M -Xloggc:/opt/SecureSpan/Gateway/node/default/var/logs/ssg_gc.log -XX:+PrintTenuringDistribution
Waiting for one of the databases to come up...
Liquibase 'status' Successful
Unexpected error running Liquibase: Error executing SQL CREATE TABLE ssg.resource_entry (goid BINARY(16) NOT NULL, version INT(10) NOT NULL, description VARCHAR(2048) NULL, uri VARCHAR(4096) NOT NULL, uri_hash VARCHAR(128) NOT NULL, type VARCHAR(32) NOT NULL, content_type VARCHAR(1024) NOT NULL, content MEDIUMTEXT NOT NULL, resource_key1 VARCHAR(4096) NULL, resource_key2 VARCHAR(4096) NULL, resource_key3 VARCHAR(4096) NULL, security_zone_goid BINARY(16) NULL): Row size too large. The maximum row size for the used table type, not counting BLOBs, is 65535. This includes storage overhead, check the manual. You have to change some columns to TEXT or BLOBs

ERROR - Failed to create or update the Gateway's database

I have MYSQL 8 on GCP with the flags below

image

It is a blank DB

Regards
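
The row-size arithmetic behind the error in this issue, as an added example that is not part of the original post or of the chart: it parses the failing CREATE TABLE statement and estimates the maximum row size for several character sets. It assumes the database default character set applies to every VARCHAR column (MySQL 8 defaults to utf8mb4), counts 12 bytes for the MEDIUMTEXT column, and ignores the NULL bitmap; the function names are this example's own.

```python
import re

# CREATE TABLE statement copied from the Liquibase error quoted in the issue.
DDL = (
    "CREATE TABLE ssg.resource_entry (goid BINARY(16) NOT NULL, "
    "version INT(10) NOT NULL, description VARCHAR(2048) NULL, "
    "uri VARCHAR(4096) NOT NULL, uri_hash VARCHAR(128) NOT NULL, "
    "type VARCHAR(32) NOT NULL, content_type VARCHAR(1024) NOT NULL, "
    "content MEDIUMTEXT NOT NULL, resource_key1 VARCHAR(4096) NULL, "
    "resource_key2 VARCHAR(4096) NULL, resource_key3 VARCHAR(4096) NULL, "
    "security_zone_goid BINARY(16) NULL)"
)
ROW_LIMIT = 65535  # limit stated in the MySQL error message
MAX_BYTES_PER_CHAR = {"latin1": 1, "utf8mb3": 3, "utf8mb4": 4}


def parse_columns(ddl):
    """Return (name, TYPE, length) for each column definition in the statement."""
    body = ddl[ddl.index("(") + 1 : ddl.rindex(")")]
    cols = []
    for definition in body.split(", "):
        m = re.match(r"(\w+) (\w+)(?:\((\d+)\))?", definition)
        cols.append((m.group(1), m.group(2).upper(), int(m.group(3) or 0)))
    return cols


def column_bytes(col_type, length, charset):
    """Worst-case bytes one column contributes to the row-size limit."""
    if col_type == "VARCHAR":
        data = length * MAX_BYTES_PER_CHAR[charset]
        return data + (2 if data > 255 else 1)  # plus the length prefix
    if col_type == "BINARY":
        return length
    if col_type == "INT":
        return 4  # INT(10) is a display width, storage is 4 bytes
    if col_type.endswith(("TEXT", "BLOB")):
        return 12  # assumption: stored off-row, only a small pointer counts
    raise ValueError(f"unhandled column type: {col_type}")


def row_size(ddl, charset):
    return sum(column_bytes(t, n, charset) for _, t, n in parse_columns(ddl))


def fits(ddl, charset):
    return row_size(ddl, charset) <= ROW_LIMIT


if __name__ == "__main__":
    for cs in MAX_BYTES_PER_CHAR:
        print(cs, row_size(DDL, cs), "fits" if fits(DDL, cs) else "too large")
```

Under these assumptions the table fits with a 3-byte character set and exceeds the limit with utf8mb4, so the database default character set is the setting to check.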

Portal chart does not work with kubernetes 1.19 due to v1beta1 in templates/ingress/ingress.yaml

Which chart:
portal

Describe the bug
Portal chart does not work with kubernetes 1.19 due to v1beta1 in templates/ingress/ingress.yaml

To Reproduce
kind create cluster --name layer7 --image kindest/node:v1.19.1
helm repo add layer7 https://caapim.github.io/apim-charts/
helm repo update
helm install my-portal --set-file "portal.registryCredentials=/home/mau/Downloads/docker-secret.yaml" layer7/portal

  1. See error
    W0421 12:01:17.561975 525573 warnings.go:70] networking.k8s.io/v1beta1 Ingress is deprecated in v1.19+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
    W0421 12:01:17.566282 525573 warnings.go:70] admissionregistration.k8s.io/v1beta1 ValidatingWebhookConfiguration is deprecated in v1.16+, unavailable in v1.22+; use admissionregistration.k8s.io/v1 ValidatingWebhookConfiguration
    Timeout

Expected behavior
It should succeed and I should have all the pods running, but none are pulled

Version of Helm and Kubernetes:
kubernetes 1.19.1

  • Output of helm version:
version.BuildInfo{Version:"v3.5.4", GitCommit:"1b5edb69df3d3a08df77c9902dc17af864ff05d1", GitTreeState:"clean", GoVersion:"go1.15.11"}
  • Output of kubectl version:
Client Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.0", GitCommit:"cb303e613a121a29364f75cc67d3d580833a7479", GitTreeState:"clean", BuildDate:"2021-04-16T18:16:59Z", GoVersion:"go1.16.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.1", GitCommit:"206bcadf021e76c27513500ca24182692aabd17e", GitTreeState:"clean", BuildDate:"2020-09-14T07:30:52Z", GoVersion:"go1.15", Compiler:"gc", Platform:"linux/amd64"}
WARNING: version difference between client (1.21) and server (1.19) exceeds the supported minor version skew of +/-1

Additional context
Add any other context about the problem here.

Add configuration of ssg.policy to the chart similar to system.properties configuration

Which chart: Gateway version 2.0.4
The name (and version) of the affected chart.

Is your feature request related to a problem? Please describe.
We are unable to edit the /opt/SecureSpan/Gateway/runtime/etc/ssg.policy which is required for us.
See the following knowledge base article
https://knowledge.broadcom.com/external/article/129740/can-not-get-json-data-from-message-targe.html

Describe the solution you'd like
A way to configure the /opt/SecureSpan/Gateway/runtime/etc/ssg.policy

Describe alternatives you've considered
I don't see any way unless my other feature request (#138) is implemented. However, I think that would be unnecessary if configuration is added to the charts, similar to what is done for the system.properties.

Possibility to inject files into an existing directory with files already present in the gateway container

Which chart: Gateway version 2.0.4
The name (and version) of the affected chart.

Is your feature request related to a problem? Please describe.
We need to inject some jar files (com.ibm.mq.allclient.jar, com.ibm.mq.traceControl.jar, fscontext.jar, jms.jar, providerutil.jar) in the gateway pod for the MQ Native queues. These libraries need to be placed in /opt/SecureSpan/Gateway/runtime/lib/ext/ where jms-1-1.jar already resides and need to be present before the gateway starts.

We are trying to load these files using an initContainer. However, we run into multiple issues.
The com.ibm.mq.allclient.jar is about 7MB. So we can't use configmaps since these are limited to 1MB.
We also can't use secrets since 4MB is the limit there for a file.

The init container also only seems to support emptydir as volume (based on the deployment.yaml).
Testing with the other smaller files using secrets or configmap does not work. The volume remains empty.

example initcontainer statement as we used for secrets :

initContainers:
  - name: gateway-init
    image: bintray.az.unix.corp:5000/base-images-docker-all/ubi8:latest
    imagePullPolicy: IfNotPresent
    command: ["/bin/sh"]
    args: ["-c", "sleep 10"]
    volumeMounts:
      - name: install-volume
        mountPath: /customizations
volumes:
  - name: install-volume
    secret:
      secretName: ssg-mq
      optional: false
      defaultMode: 0640

Using the emptyDir as volume we are able to get the files into the pod. However, this is not viable since we need to place them inside an already existing directory with an existing file. The existing file then disappears. We would need to use subPath in the volumeMounts, but since we start with emptyDir this is not possible. The files do not exist there yet when mounting, so they end up as directories.

Describe the solution you'd like
A way to inject files in any existing directory (or at least the /opt/SecureSpan/Gateway/runtime/lib/ext/ directory) which already contains files. A possible solution would be to support PersistentVolumeClaims and subPath in the volumeMounts in the initContainer and gateway container. We could then load files from there and mount them using the subPath statement.

Describe alternatives you've considered
Currently I am out of options here. I see no way to get these files in the proper location before the gateway starts.
This is preventing us from migrating our workloads from the virtual appliance gateways to container gateways.

Show a summary list of Pods

Which chart:
Portal

Is your feature request related to a problem? Please describe.
no

Describe the solution you'd like
In the README.md file, could you please have a simple table listing the pods required for the Portal to work?
We are working in a very secure environment and we need to allow only specific repositories and have to pull the images manually to then push them to an internal repository.
It would be great to have a ready list of such pods so that we can quickly verify that we have all the components required.

Describe alternatives you've considered
We have to grep the list from the latest chart and make sure that all required images are listed.

Additional context
Add any other context or screenshots about the feature request here.

why minio is set to 4 (0-3)?

- /usr/bin/docker-entrypoint.sh minio server http://minio-{0...3}{{ $address }}

I am trying to set up HA per AZ. I have three zones, while with this configuration it will try to check from 0 - 3, which, because I am putting affinity to zones (3 zones), one pod for minio will be pending and the pod running will be restarting because it can find the pod pending.

Now if I put my replicas to 3 on minio, it will create 3 pods as required but will still be trying to reach the missing minio, and then the pods start to restart.
