Configuration Reference for API7 Gateway Control Plane
The API7 Gateway Control Plane is the central management component that stores configurations and coordinates with Data Plane (DP) nodes. It is composed of two services, each with its own configuration file:
- Dashboard — serves the web UI and the Admin API. Configured via dashboard_conf/conf.yaml.
- DP Manager — handles configuration synchronization and telemetry exchange with DP nodes. Configured via dp_manager_conf/conf.yaml.
Both files are mounted into their respective containers (or pods) at deployment time. This page documents the most common fields used in these configuration files, not an exhaustive schema. For full deployment instructions, see Deploy with Docker Compose or Deploy on Kubernetes.
Dashboard Configuration (dashboard_conf/conf.yaml)
The Dashboard can expose both the web UI and the Admin API on any enabled listener; in production, use the TLS listener and disable the plain HTTP listener unless it is specifically needed. A typical configuration looks like:
```yaml
server:
  listen:
    disable: true                   # Disable the plain HTTP listener in production.
    host: "0.0.0.0"
    port: 7080
  tls:
    disable: false
    host: "0.0.0.0"
    port: 7443                      # Admin API and HTTPS UI listener.
    key_file: ""                    # Path to the TLS private key. Leave empty to use the built-in self-signed certificate.
    cert_file: ""                   # Path to the TLS certificate.
  status:
    disable: false
    host: "127.0.0.1"
    port: 7081                      # Health and readiness probes.
log:
  level: warn                       # One of: debug, info, warn, error.
  output: stderr                    # stderr, stdout, or an absolute file path.
database:
  dsn: "postgres://api7ee:changeme@192.168.31.10:5432/api7ee"
session_options_config:
  same_site: "lax"                  # SameSite cookie mode: lax, strict, or none.
  secure: false                     # Set to true when serving the UI over HTTPS only.
  max_age: 86400                    # Session lifetime in seconds.
prometheus:
  addr: "http://192.168.31.11:9090"
  whitelist:
    - "/api/v1/query_range"
    - "/api/v1/query"
    - "/api/v1/format_query"
    - "/api/v1/series"
    - "/api/v1/labels"
    - "/api/v1/labels/.*/values"
  # basic_auth:
  #   username: ""
  #   password: ""
  # tls:
  #   server_name: ""
  #   insecure_skip_verify: false
  #   enable_client_cert: false
  #   key_file: ""
  #   cert_file: ""
  #   ca_file: ""
consumer_proxy:
  enable: false
  cache_success_count: 512
  cache_success_ttl: 60
  cache_failure_count: 512
  cache_failure_ttl: 60
```
Field reference
| Field | Description |
|---|---|
| server.listen | Plain HTTP listener for the Dashboard UI. Set disable: true and rely on the TLS listener in production. |
| server.tls | HTTPS listener that serves both the UI and the Admin API. Provide key_file and cert_file to use your own certificate; otherwise the Dashboard generates a self-signed certificate at startup. |
| server.status | Endpoint used by orchestrators for liveness and readiness probes. |
| log.level | Log verbosity. Use info or debug while troubleshooting. |
| log.output | Destination of log messages. Set to an absolute path to write to a file. |
| database.dsn | PostgreSQL connection string. The Dashboard automatically creates and migrates its schema on first start. |
| session_options_config | Controls the session cookie issued to UI users. Set secure: true when the UI is only reachable over HTTPS. |
| prometheus.addr | URL of the Prometheus instance that the Dashboard queries to render analytics. |
| prometheus.whitelist | Regex list of Prometheus query API paths the Dashboard is allowed to call. |
| prometheus.basic_auth / prometheus.tls | Optional authentication and TLS settings used when contacting Prometheus. |
| consumer_proxy | Enables and tunes caching of consumer lookups proxied from DP nodes through the Control Plane. |
DP Manager Configuration (dp_manager_conf/conf.yaml)
The DP Manager terminates the mTLS connection from each Data Plane node, distributes configuration updates, and ingests telemetry. A typical configuration looks like:
```yaml
server:
  listen:
    host: "0.0.0.0"
    port: 7900
  tls:
    host: "0.0.0.0"
    port: 7943                      # mTLS endpoint that Data Plane nodes connect to.
  status:
    disable: false
    host: "127.0.0.1"
    port: 7901
log:
  level: warn
  output: stderr
database:
  dsn: "postgres://api7ee:changeme@192.168.31.10:5432/api7ee"
prometheus:
  addr: "http://192.168.31.11:9090"
  # basic_auth:
  #   username: ""
  #   password: ""
  # tls:
  #   server_name: ""
  #   insecure_skip_verify: false
  #   enable_client_cert: false
  #   key_file: ""
  #   cert_file: ""
  #   ca_file: ""
rate_limit:
  enable: false
  time_window: 1                    # Sliding window length in seconds.
  count: 1000                       # Maximum requests allowed per window per DP node.
```
Field reference
| Field | Description |
|---|---|
| server.listen | Plain HTTP listener used for internal traffic. |
| server.tls | TLS listener on port 7943 that Data Plane nodes connect to. The DP Manager presents its own certificate to each DP and validates the DP client certificate against the same trust chain. Certificates are managed by the Control Plane; issuance is automatic, but rotation is a manual operation — see Mutual TLS between CP and DP. |
| server.status | Endpoint used by orchestrators for liveness and readiness probes. |
| log.level, log.output | Same semantics as the Dashboard. |
| database.dsn | PostgreSQL connection string. Must point to the same database as the Dashboard. |
| prometheus | Prometheus connection used to push DP-side telemetry. The basic_auth and tls blocks have the same shape as in the Dashboard configuration. |
| rate_limit.enable | Enables a per-DP rate limit on configuration sync requests. Useful when many DP nodes share a single DP Manager. |
| rate_limit.time_window, rate_limit.count | Sliding window length and request budget when rate_limit.enable: true. |
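
A pre-deployment check for the settings that the Dashboard and DP Manager field references above mark as production-relevant. This is an added example, not API7 code: the `get` and `audit` helpers are hypothetical, and the inputs are assumed to be the two conf.yaml files already loaded into dicts by a YAML parser.

```python
from urllib.parse import urlsplit

def get(conf, path, default=None):
    """Walk a dotted path such as 'server.tls.key_file' through nested dicts."""
    for key in path.split("."):
        if not isinstance(conf, dict) or key not in conf:
            return default
        conf = conf[key]
    return conf

def audit(dashboard, dp_manager):
    """Return findings for the two parsed conf.yaml files (hypothetical helper)."""
    findings = []
    # Assumption: a missing key counts as the unsafe value; the page lists no defaults.
    http_off = get(dashboard, "server.listen.disable", False) is True
    if not http_off:
        findings.append("dashboard: plain HTTP listener is enabled")
    if get(dashboard, "server.tls.disable", False):
        findings.append("dashboard: TLS listener is disabled")
    elif not (get(dashboard, "server.tls.key_file") and get(dashboard, "server.tls.cert_file")):
        findings.append("dashboard: no key_file/cert_file, self-signed certificate in use")
    if http_off and not get(dashboard, "session_options_config.secure", False):
        findings.append("dashboard: UI is HTTPS-only but session cookie is not secure")
    for name, conf in (("dashboard", dashboard), ("dp_manager", dp_manager)):
        if urlsplit(get(conf, "database.dsn", "")).password == "changeme":
            findings.append(f"{name}: database.dsn still uses the sample password")
        if get(conf, "prometheus.tls.insecure_skip_verify", False):
            findings.append(f"{name}: prometheus.tls.insecure_skip_verify is true")
    # Plain string comparison: equivalent DSNs written differently are also reported.
    if get(dashboard, "database.dsn") != get(dp_manager, "database.dsn"):
        findings.append("dp_manager: database.dsn differs from the Dashboard's")
    return findings

# Constructed sample: values from the typical configurations on this page,
# as a YAML parser would return them (only the audited keys are kept).
DASHBOARD = {
    "server": {"listen": {"disable": True},
               "tls": {"disable": False, "key_file": "", "cert_file": ""}},
    "database": {"dsn": "postgres://api7ee:changeme@192.168.31.10:5432/api7ee"},
    "session_options_config": {"same_site": "lax", "secure": False},
    "prometheus": {"addr": "http://192.168.31.11:9090"},
}
DP_MANAGER = {
    "database": {"dsn": "postgres://api7ee:changeme@192.168.31.10:5432/api7ee"},
    "prometheus": {"addr": "http://192.168.31.11:9090"},
}

if __name__ == "__main__":
    print("\n".join(audit(DASHBOARD, DP_MANAGER)))
```

Run against the sample values from this page, it reports the self-signed certificate, the session cookie without secure, and the sample database password in both files.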