Environment Variables
API7 Gateway supports the use of environment variables for consumer credentials, SSL certificates, and certain plugins. There are a few environment variables reserved for special purposes, and others that can be created with custom names and referenced.
Reserved Environment Variables
API7 Gateway currently reserves the following environment variables:
| Variable Name | Description |
|---|---|
APISIX_DEPLOYMENT_ETCD_HOST | etcd host address. |
APISIX_WORKER_PROCESSES | Number of worker processes. |
To use these configurations, assign values to the environment variables before starting the gateway.
Custom Environment Variables
You can use custom environment variables in configuration files and for certain plugins.
Environment variables are configured directly on each data plane (gateway instance) and take effect immediately upon restart. Due to this configuration method, you cannot view the actual values from the control plane. Additionally, inconsistencies in environment variable configurations across different gateway instances within a gateway group can lead to unpredictable behavior and potential API failures.
Consumer Credentials
The following sensitive fields in consumer credentials can be stored in environment variables through the NGINX env directive:
keyin Key Authentication credentialpasswordin Basic Authentication credentialsecret,public keyin JWT Authentication credentialsecret keyin HMAC Authentication credential
The following example demonstrates how you can configure the key authentication credential to fetch a user authentication key from an environment variable.
Set Environment Variables
- Docker
- Kubernetes
Set the environment variable when deploying the gateway instance. Follow Deploy with Docker Compose, then add the environment variables to the generated script.
Docker example, add custom environment variables to the docker run command:
docker run -d -e API7_CONTROL_PLANE_ENDPOINTS='["https://your-host-or-ip:443"]' \
-e API7_GATEWAY_GROUP_SHORT_ID=default \
-e ALICE_AUTH_KEY=alice-key \
-e API7_CONTROL_PLANE_CERT="-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----" \
-e API7_CONTROL_PLANE_KEY="-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----" \
-e API7_CONTROL_PLANE_CA="-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----" \
-p 9080:9080 \
-p 9443:9443 \
api7/api7-ee-3-gateway:latest
Once deployed, gateway instance environment variables cannot be modified without restarting the instance.
Set the environment variable when deploying the gateway instance. Follow Deploy on Kubernetes, then add the environment variables to the generated script/YAML.
Script example, add custom environment variables to the helm upgrade command:
helm repo add api7 https://charts.api7.ai
helm repo update
# ... existing setup ...
helm upgrade --install -n test --create-namespace api7-ee-3-gateway api7/gateway \
--set "etcd.auth.tls.enabled=true" \
--set "etcd.auth.tls.existingSecret=api7-ee-3-gateway-tls" \
--set "etcd.auth.tls.certFilename=tls.crt" \
--set "etcd.auth.tls.certKeyFilename=tls.key" \
--set "etcd.auth.tls.verify=true" \
--set "gateway.tls.existingCASecret=api7-ee-3-gateway-tls" \
--set "gateway.tls.certCAFilename=ca.crt" \
--set "apisix.extraEnvVars[0].name=API7_GATEWAY_GROUP_SHORT_ID" \
--set "apisix.extraEnvVars[0].value=default" \
--set "apisix.extraEnvVars[1].name=ALICE_AUTH_KEY" \
--set "apisix.extraEnvVars[1].value=alice-key" \
--set "etcd.host[0]=https://your-host-or-ip:443" \
--set "apisix.replicaCount=1" \
--set "apisix.image.repository=api7/api7-ee-3-gateway" \
--set "apisix.image.tag=latest"
YAML example:
apiVersion: v1
kind: Secret
metadata:
namespace: test
name: api7-ee-3-gateway-tls
type: kubernetes.io/tls
# ...
---
apisix:
replicaCount: 1
image:
repository: api7/api7-ee-3-gateway
tag: latest
extraEnvVars:
- name: API7_GATEWAY_GROUP_SHORT_ID
value: "default"
- name: ALICE_AUTH_KEY
value: "alice-key"
etcd:
host:
- "https://your-host-or-ip:443"
auth:
tls:
enabled: true
existingSecret: api7-ee-3-gateway-tls
certFilename: tls.crt
certKeyFilename: tls.key
verify: true
gateway:
tls:
existingCASecret: api7-ee-3-gateway-tls
certCAFilename: ca.crt
Once deployed, gateway instance environment variables cannot be modified without restarting the instance.
Configure Consumer Credential with Environment Variable
- Select Consumers of your gateway group from the side navigation bar.
- Click + Add Consumer.
- In the dialog box, do the following:
- In the Name field, enter
Alice. - Click Add.
- In the Name field, enter
- Under the Credentials tab, click + Add Key Authentication Credential.
- In the dialog box, do the following:
- In the Name field, enter
primary-key. - In the Key field, choose Manually Input, then enter
$env://ALICE_AUTH_KEY. - Click Add.
- In the Name field, enter
- To validate, enable the
key-authplugin at the service level (see Consumers and Credentials), then send a request with the API key to verify authentication works.
SSL Certificates
The sensitive fields private key and certificate in SSL Certificates can be stored in environment variables through the NGINX env directive.
The following example demonstrates how you can configure the SSL certificate to fetch sensitive data from an environment variable.
Set Environment Variables
- Docker
- Kubernetes
Set the environment variable when deploying the gateway instance. Follow Deploy with Docker Compose, then add the environment variables to the generated script.
Docker example, add custom environment variables to the docker run command:
docker run -d -e API7_CONTROL_PLANE_ENDPOINTS='["https://your-host-or-ip:443"]' \
-e API7_GATEWAY_GROUP_SHORT_ID=default \
-e SSL_CERTIFICATE="-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----" \
-e SSL_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----" \
-e API7_CONTROL_PLANE_CERT="..." \
-e API7_CONTROL_PLANE_KEY="..." \
-e API7_CONTROL_PLANE_CA="..." \
-p 9080:9080 \
-p 9443:9443 \
api7/api7-ee-3-gateway:latest
Once deployed, gateway instance environment variables cannot be modified without restarting the instance.
Set the environment variable when deploying the gateway instance. Follow Deploy on Kubernetes, then incorporate environment variables as Kubernetes Secrets into the generated script or YAML file.
Script example:
# ... existing setup ...
kubectl apply -n demo -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
namespace: demo
name: env-secrets
type: Opaque
data:
SSL_CERTIFICATE: <base64-encoded-cert>
SSL_PRIVATE_KEY: <base64-encoded-key>
EOF
helm upgrade --install -n demo --create-namespace api7-ee-3-gateway api7/gateway \
--set "apisix.extraEnvVarsSecret=env-secrets" \
# ... other settings ...
YAML example:
apiVersion: v1
kind: Secret
metadata:
name: env-secrets
namespace: demo
type: Opaque
data:
SSL_CERTIFICATE: <base64-encoded-cert>
SSL_PRIVATE_KEY: <base64-encoded-key>
---
apisix:
replicaCount: 1
extraEnvVarsSecret: env-secrets
# ...
Once deployed, gateway instance environment variables cannot be modified without restarting the instance.
Configure SSL Certificate with Environment Variables
- Select SSL Certificates of your gateway group from the side navigation bar.
- Click + Add SSL Certificate.
- In the dialog box, do the following:
- In the Certificate field, enter
$env://SSL_CERTIFICATE. - In the Key field, enter
$env://SSL_PRIVATE_KEY. - Click Add.
- In the Certificate field, enter