Environment Variables
API7 Enterprise supports the use of environment variables in consumer credentials, SSL certificates, and certain plugins. A few environment variables are reserved for special purposes; others can be created with custom names and referenced.
Reserved Environment Variables
API7 Enterprise currently reserves the following environment variables:
Variable Name | Description |
---|---|
APISIX_DEPLOYMENT_ETCD_HOST | etcd host address. |
APISIX_WORKER_PROCESSES | Number of worker processes. |
To use these configurations, assign values to the environment variables before starting APISIX.
Custom Environment Variables
You can use custom environment variables in configuration files and for certain plugins.
Environment variables are configured directly on each data plane (gateway instance) and take effect immediately upon restart. Because of this configuration method, you cannot view the actual values from the control plane. Additionally, inconsistent environment variable configurations across gateway instances within a gateway group can lead to unpredictable behavior and potential API failures.
Consumer Credentials
The following sensitive fields in consumer credentials can be stored in environment variables, through the NGINX env directive:
- key in Key Authentication credential
- password in Basic Authentication credential
- secret, public key in JWT Authentication credential
- secret key in HMAC Authentication credential
The following example demonstrates how you can configure the key authentication credential to fetch the user authentication key from an environment variable.
Set Environment Variables
- Docker
- Kubernetes
For Docker, set the environment variable when deploying the gateway instance. Follow add gateway instance, then add the environment variables to the generated script.
Docker example, add custom environment variables to the docker run command:
docker run -d -e API7_CONTROL_PLANE_ENDPOINTS='["https://your-host-or-ip:443"]' \
-e API7_GATEWAY_GROUP_SHORT_ID=default \
-e ALICE_AUTH_KEY=alice-key \
-e API7_CONTROL_PLANE_CERT="-----BEGIN CERTIFICATE-----
<control-plane-certificate-body>
-----END CERTIFICATE-----" \
-e API7_CONTROL_PLANE_KEY="-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEIJ6hn4EQKXSh4U+2SFPJhBh3RxN/1trnsu2Zjp6hRB5A
-----END PRIVATE KEY-----" \
-e API7_CONTROL_PLANE_CA="-----BEGIN CERTIFICATE-----
MIIBdTCCASegAwIBAgIQVXqTFu/hH4caZptKdGp04zAFBgMrZXAwRDELMAkGA1UE
BhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExDTALBgNVBAoTBEFQSTcxETAPBgNV
BAMTCEFQSTcgSW5jMB4XDTI0MDkwNzA4MTc0NVoXDTM0MDkwNTA4MTc0NVowRDEL
MAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExDTALBgNVBAoTBEFQSTcx
ETAPBgNVBAMTCEFQSTcgSW5jMCowBQYDK2VwAyEAkTj447bpztG1dc0HVW74za+v
NEAhU7mySYSmUSwdRfCjLzAtMA4GA1UdDwEB/wQEAwIChDAPBgNVHRMBAf8EBTAD
AQH/MAoGA1UdDgQDBAEwMAUGAytlcANBAKxxBg/CEnOoxQnVd8ixHKJCgChZ2IZE
BLCHaQTEbmfy8RQ+po0cKOthWFDx8gsx2AjdkLO5PPaHPujIXyfz8QI=
-----END CERTIFICATE-----" \
-p 9080:9080 \
-p 9443:9443 \
api7/api7-ee-3-gateway:dev
Once deployed, gateway instance environment variables cannot be modified without restarting the instance.
For Kubernetes, set the environment variable when deploying the gateway instance. Follow add gateway instance, then add the environment variables to the generated script/YAML.
Script example, add custom environment variables to the helm upgrade command:
helm repo add api7 https://charts.api7.ai
helm repo update
cat > /tmp/tls.crt <<EOF
-----BEGIN CERTIFICATE-----
<gateway-certificate-body>
-----END CERTIFICATE-----
EOF
cat > /tmp/tls.key <<EOF
-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEIPq6J0PDW7N4p0lTpPpsbNhYXF6mTCQWcoDC0je5xHAO
-----END PRIVATE KEY-----
EOF
cat > /tmp/ca.crt <<EOF
-----BEGIN CERTIFICATE-----
MIIBdTCCASegAwIBAgIQVXqTFu/hH4caZptKdGp04zAFBgMrZXAwRDELMAkGA1UE
BhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExDTALBgNVBAoTBEFQSTcxETAPBgNV
BAMTCEFQSTcgSW5jMB4XDTI0MDkwNzA4MTc0NVoXDTM0MDkwNTA4MTc0NVowRDEL
MAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExDTALBgNVBAoTBEFQSTcx
ETAPBgNVBAMTCEFQSTcgSW5jMCowBQYDK2VwAyEAkTj447bpztG1dc0HVW74za+v
NEAhU7mySYSmUSwdRfCjLzAtMA4GA1UdDwEB/wQEAwIChDAPBgNVHRMBAf8EBTAD
AQH/MAoGA1UdDgQDBAEwMAUGAytlcANBAKxxBg/CEnOoxQnVd8ixHKJCgChZ2IZE
BLCHaQTEbmfy8RQ+po0cKOthWFDx8gsx2AjdkLO5PPaHPujIXyfz8QI=
-----END CERTIFICATE-----
EOF
kubectl create namespace test --dry-run=client -o yaml | kubectl apply -f -
kubectl create secret generic -n test api7-ee-3-gateway-tls --from-file=tls.crt=/tmp/tls.crt --from-file=tls.key=/tmp/tls.key --from-file=ca.crt=/tmp/ca.crt
helm upgrade --install -n test --create-namespace api7-ee-3-gateway api7/gateway \
--set "etcd.auth.tls.enabled=true" \
--set "etcd.auth.tls.existingSecret=api7-ee-3-gateway-tls" \
--set "etcd.auth.tls.certFilename=tls.crt" \
--set "etcd.auth.tls.certKeyFilename=tls.key" \
--set "etcd.auth.tls.verify=true" \
--set "gateway.tls.existingCASecret=api7-ee-3-gateway-tls" \
--set "gateway.tls.certCAFilename=ca.crt" \
--set "apisix.extraEnvVars[0].name=API7_GATEWAY_GROUP_SHORT_ID" \
--set "apisix.extraEnvVars[0].value=default" \
--set "apisix.extraEnvVars[1].name=ALICE_AUTH_KEY" \
--set "apisix.extraEnvVars[1].value=alice-key" \
--set "etcd.host[0]=https://your-host-or-ip:443" \
--set "apisix.replicaCount=1" \
--set "apisix.image.repository=api7/api7-ee-3-gateway" \
--set "apisix.image.tag=dev"
YAML example:
apiVersion: v1
data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJpRENDQVRxZ0F3SUJBZ0lDQkFBd0JRWURLMlZ3TUVReEN6QUpCZ05WQkFZVEFsVlRNUk13RVFZRFZRUUkKRXdwRFlXeHBabTl5Ym1saE1RMHdDd1lEVlFRS0V3UkJVRWszTVJFd0R3WURWUVFERXdoQlVFazNJRWx1WXpBZQpGdzB5TkRFd01qa3dNak0yTkRaYUZ3MHlOVEV4TWpnd01qTTJORFphTURBeERUQUxCZ05WQkFvVEJFRlFTVGN4Ckh6QWRCZ05WQkFNVEZtRndhVGRsWlRNdFlYQnBjMmw0TFdkaGRHVjNZWGt3S2pBRkJnTXJaWEFESVFBZTlJR3UKUFphOVcwS3RYcnVNRmpXMEdvUjdsc3oxNUVwQ1B3bnhnTU9ENWFOa01HSXdEZ1lEVlIwUEFRSC9CQVFEQWdlQQpNQk1HQTFVZEpRUU1NQW9HQ0NzR0FRVUZCd01DTUMwR0ExVWREZ1FtQkNRd09UbGlOVGcyTXkwNU1XSXlMVFF3Ck5HSXRZamsxTnkxa01UbGlaRE13TmpZek1HSXdEQVlEVlIwakJBVXdBNEFCTURBRkJnTXJaWEFEUVFEVVpsOTYKZTJOUUd6QXNwaUQ5Y0FlY2w5QmZTNFdTWFIwb1R3M1NBZytEN0lYVTVzT09meWlWVjR1SnRBeldIOVJaN3lNSwo5dkR1V2RlWEFhTlI4T01DCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1DNENBUUF3QlFZREsyVndCQ0lFSUdkTTBGT2VMNGk4T2dLTjNGd3JhL1NZQnNWWnZoWWVHVXlKd05YdnIwdXUKLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQ==
  ca.crt: <base64-encoded CA certificate>
kind: Secret
metadata:
  name: api7-ee-3-gateway-tls
  namespace: test
type: kubernetes.io/tls
---
apisix:
  replicaCount: 1
  image:
    repository: api7/api7-ee-3-gateway
    tag: dev
  extraEnvVars:
    - name: API7_GATEWAY_GROUP_SHORT_ID
      value: "default"
    - name: ALICE_AUTH_KEY
      value: "alice-key"
etcd:
  host:
    - "https://your-host-or-ip:443"
  auth:
    tls:
      enabled: true
      existingSecret: api7-ee-3-gateway-tls
      certFilename: tls.crt
      certKeyFilename: tls.key
      verify: true
gateway:
  tls:
    existingCASecret: api7-ee-3-gateway-tls
    certCAFilename: ca.crt
Once deployed, gateway instance environment variables cannot be modified without restarting the instance.
Configure Consumer Credential with Environment Variable
- Select Consumers of your gateway group from the side navigation bar.
- Click + Add Consumer.
- In the dialog box, do the following:
  - In the Name field, enter `Alice`.
  - Click Add.
- Under the Credentials tab, click + Add Key Authentication Credential.
- In the dialog box, do the following:
  - In the Name field, enter `primary-key`.
  - In the Key field, choose Manually Input, then enter `$env://ALICE_AUTH_KEY`.
  - Click Add.
- To validate, follow the instructions in enable key authentication for APIs to enable the Key Auth Plugin at the service level, then follow the validate key authentication instructions.
SSL Certificates
The sensitive fields private key and certificate in SSL Certificates can be stored in environment variables, through the NGINX env directive.
The following example demonstrates how you can configure the SSL certificate to fetch sensitive data from an environment variable.
Set Environment Variables
- Docker
- Kubernetes
For Docker, set the environment variable when deploying the gateway instance. Follow add gateway instance, then add the environment variables to the generated script.
Docker example, add custom environment variables to the docker run command:
docker run -d -e API7_CONTROL_PLANE_ENDPOINTS='["https://your-host-or-ip:443"]' \
-e API7_GATEWAY_GROUP_SHORT_ID=default \
-e SSL_CERTIFICATE="-----BEGIN CERTIFICATE-----
<ssl-certificate-body>
-----END CERTIFICATE-----" \
-e SSL_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEIJ6hn4EQKXSh4U+2SFPJhBh3RxN/1trnsu2Zjp6hRB5A
-----END PRIVATE KEY-----" \
-e API7_CONTROL_PLANE_CERT="-----BEGIN CERTIFICATE-----
<control-plane-certificate-body>
-----END CERTIFICATE-----" \
-e API7_CONTROL_PLANE_KEY="-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEIJ6hn4EQKXSh4U+2SFPJhBh3RxN/1trnsu2Zjp6hRB5A
-----END PRIVATE KEY-----" \
-e API7_CONTROL_PLANE_CA="-----BEGIN CERTIFICATE-----
MIIBdTCCASegAwIBAgIQVXqTFu/hH4caZptKdGp04zAFBgMrZXAwRDELMAkGA1UE
BhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExDTALBgNVBAoTBEFQSTcxETAPBgNV
BAMTCEFQSTcgSW5jMB4XDTI0MDkwNzA4MTc0NVoXDTM0MDkwNTA4MTc0NVowRDEL
MAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExDTALBgNVBAoTBEFQSTcx
ETAPBgNVBAMTCEFQSTcgSW5jMCowBQYDK2VwAyEAkTj447bpztG1dc0HVW74za+v
NEAhU7mySYSmUSwdRfCjLzAtMA4GA1UdDwEB/wQEAwIChDAPBgNVHRMBAf8EBTAD
AQH/MAoGA1UdDgQDBAEwMAUGAytlcANBAKxxBg/CEnOoxQnVd8ixHKJCgChZ2IZE
BLCHaQTEbmfy8RQ+po0cKOthWFDx8gsx2AjdkLO5PPaHPujIXyfz8QI=
-----END CERTIFICATE-----" \
-p 9080:9080 \
-p 9443:9443 \
api7/api7-ee-3-gateway:dev
Once deployed, gateway instance environment variables cannot be modified without restarting the instance.
For Kubernetes, set the environment variable when deploying the gateway instance. Follow add gateway instance, then incorporate environment variables as Kubernetes Secrets into the generated script or YAML file.
Script example:
helm repo add api7 https://charts.api7.ai
helm repo update
cat > /tmp/tls.crt <<EOF
-----BEGIN CERTIFICATE-----
<gateway-certificate-body>
-----END CERTIFICATE-----
EOF
cat > /tmp/tls.key <<EOF
-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEIA9uC9kLMs11oG50sFpUFrcbHvRu/BtwUGfKISzYiXV+
-----END PRIVATE KEY-----
EOF
cat > /tmp/ca.crt <<EOF
-----BEGIN CERTIFICATE-----
MIIBdTCCASegAwIBAgIQVXqTFu/hH4caZptKdGp04zAFBgMrZXAwRDELMAkGA1UE
BhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExDTALBgNVBAoTBEFQSTcxETAPBgNV
BAMTCEFQSTcgSW5jMB4XDTI0MDkwNzA4MTc0NVoXDTM0MDkwNTA4MTc0NVowRDEL
MAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExDTALBgNVBAoTBEFQSTcx
ETAPBgNVBAMTCEFQSTcgSW5jMCowBQYDK2VwAyEAkTj447bpztG1dc0HVW74za+v
NEAhU7mySYSmUSwdRfCjLzAtMA4GA1UdDwEB/wQEAwIChDAPBgNVHRMBAf8EBTAD
AQH/MAoGA1UdDgQDBAEwMAUGAytlcANBAKxxBg/CEnOoxQnVd8ixHKJCgChZ2IZE
BLCHaQTEbmfy8RQ+po0cKOthWFDx8gsx2AjdkLO5PPaHPujIXyfz8QI=
-----END CERTIFICATE-----
EOF
kubectl create namespace demo --dry-run=client -o yaml | kubectl apply -f -
kubectl create secret generic -n demo api7-ee-3-gateway-tls --from-file=tls.crt=/tmp/tls.crt --from-file=tls.key=/tmp/tls.key --from-file=ca.crt=/tmp/ca.crt
kubectl apply -n demo -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: env-secrets
type: Opaque
data:
  SSL_CERTIFICATE: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJpRENDQVRxZ0F3SUJBZ0lDQkFBd0JRWURLMlZ3TUVReEN6QUpCZ05WQkFZVEFsVlRNUk13RVFZRFZRUUkKRXdwRFlXeHBabTl5Ym1saE1RMHdDd1lEVlFRS0V3UkJVRWszTVJFd0R3WURWUVFERXdoQlVFazNJRWx1WXpBZQpGdzB5TkRFd01qa3dPVEUwTlRSYUZ3MHlOVEV4TWpnd09URTBOVFJhTURBeERUQUxCZ05WQkFvVEJFRlFTVGN4Ckh6QWRCZ05WQkFNVEZtRndhVGRsWlRNdFlYQnBjMmw0TFdkaGRHVjNZWGt3S2pBRkJnTXJaWEFESVFDcitTZ1gKVW5HT0NZbjRtb3RiRWRLbWpPUkhuMFRjVHBwc1VqVE5BRFdMbmFOa01HSXdEZ1lEVlIwUEFRSC9CQVFEQWdlQQpNQk1HQTFVZEpRUU1NQW9HQ0NzR0FRVUZCd01DTUMwR0ExVWREZ1FtQkNRNE5EZzBNVFkyT1MweVpqQTNMVFF6Ck9UTXRPR0poWWkwMU5tVTRNekEzWm1NNFpXSXdEQVlEVlIwakJBVXdBNEFCTURBRkJnTXJaWEFEUVFDbTFxcmsKMkJ2cDRJdGpiWS82bWJZQlEzbndJRTRjbWxISityb0RDNk9GUVdkMG8rSmNMYjljS1ZnM1J5Q21mWmZVYUZXRQpVRkFocjJ3ZnllNXl1WThKCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
  SSL_PRIVATE_KEY: TUM0Q0FRQXdCUVlESzJWd0JDSUVJQTl1QzlrTE1zMTFvRzUwc0ZwVUZyY2JIdlJ1L0J0d1VHZktJU3pZaVhWKw==
EOF
helm upgrade --install -n demo --create-namespace api7-ee-3-gateway api7/gateway \
--set "etcd.auth.tls.enabled=true" \
--set "etcd.auth.tls.existingSecret=api7-ee-3-gateway-tls" \
--set "etcd.auth.tls.certFilename=tls.crt" \
--set "etcd.auth.tls.certKeyFilename=tls.key" \
--set "etcd.auth.tls.verify=true" \
--set "gateway.tls.existingCASecret=api7-ee-3-gateway-tls" \
--set "gateway.tls.certCAFilename=ca.crt" \
--set "apisix.extraEnvVars[0].name=API7_GATEWAY_GROUP_SHORT_ID" \
--set "apisix.extraEnvVars[0].value=default" \
--set "apisix.extraEnvVarsSecret=env-secrets" \
--set "etcd.host[0]=https://your-host-or-ip:443" \
--set "apisix.replicaCount=1" \
--set "apisix.image.repository=api7/api7-ee-3-gateway" \
--set "apisix.image.tag=dev"
YAML example:
apiVersion: v1
data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJpRENDQVRxZ0F3SUJBZ0lDQkFBd0JRWURLMlZ3TUVReEN6QUpCZ05WQkFZVEFsVlRNUk13RVFZRFZRUUkKRXdwRFlXeHBabTl5Ym1saE1RMHdDd1lEVlFRS0V3UkJVRWszTVJFd0R3WURWUVFERXdoQlVFazNJRWx1WXpBZQpGdzB5TkRFd01qa3dNak0yTkRaYUZ3MHlOVEV4TWpnd01qTTJORFphTURBeERUQUxCZ05WQkFvVEJFRlFTVGN4Ckh6QWRCZ05WQkFNVEZtRndhVGRsWlRNdFlYQnBjMmw0TFdkaGRHVjNZWGt3S2pBRkJnTXJaWEFESVFBZTlJR3UKUFphOVcwS3RYcnVNRmpXMEdvUjdsc3oxNUVwQ1B3bnhnTU9ENWFOa01HSXdEZ1lEVlIwUEFRSC9CQVFEQWdlQQpNQk1HQTFVZEpRUU1NQW9HQ0NzR0FRVUZCd01DTUMwR0ExVWREZ1FtQkNRd09UbGlOVGcyTXkwNU1XSXlMVFF3Ck5HSXRZamsxTnkxa01UbGlaRE13TmpZek1HSXdEQVlEVlIwakJBVXdBNEFCTURBRkJnTXJaWEFEUVFEVVpsOTYKZTJOUUd6QXNwaUQ5Y0FlY2w5QmZTNFdTWFIwb1R3M1NBZytEN0lYVTVzT09meWlWVjR1SnRBeldIOVJaN3lNSwo5dkR1V2RlWEFhTlI4T01DCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1DNENBUUF3QlFZREsyVndCQ0lFSUdkTTBGT2VMNGk4T2dLTjNGd3JhL1NZQnNWWnZoWWVHVXlKd05YdnIwdXUKLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQ==
  ca.crt: <base64-encoded CA certificate>
kind: Secret
metadata:
  name: api7-ee-3-gateway-tls
  namespace: demo
type: kubernetes.io/tls
---
apiVersion: v1
kind: Secret
metadata:
  name: env-secrets
  namespace: demo
type: Opaque
data:
  SSL_CERTIFICATE: <base64-encoded certificate>
  SSL_PRIVATE_KEY: TUM0Q0FRQXdCUVlESzJWd0JDSUVJQTl1QzlrTE1zMTFvRzUwc0ZwVUZyY2JIdlJ1L0J0d1VHZktJU3pZaVhWKw==
---
apisix:
  replicaCount: 1
  image:
    repository: api7/api7-ee-3-gateway
    tag: dev
  extraEnvVars:
    - name: API7_GATEWAY_GROUP_SHORT_ID
      value: "default"
  extraEnvVarsSecret: env-secrets
etcd:
  host:
    - "https://your-host-or-ip:443"
  auth:
    tls:
      enabled: true
      existingSecret: api7-ee-3-gateway-tls
      certFilename: tls.crt
      certKeyFilename: tls.key
      verify: true
gateway:
  tls:
    existingCASecret: api7-ee-3-gateway-tls
    certCAFilename: ca.crt
Once deployed, gateway instance environment variables cannot be modified without restarting the instance.
Configure SSL Certificate with Environment Variables
- Select SSL Certificates of your gateway group from the side navigation bar.
- Click + Add SSL Certificate.
- In the dialog box, do the following:
  - In the Certificate field, enter `$env://SSL_CERTIFICATE`.
  - In the Key field, enter `$env://SSL_PRIVATE_KEY`.
  - Click Add.
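Because the control plane cannot show the actual values and every instance in a gateway group must carry the same ones, a per-instance check helps before adding `$env://` references. The following is an added example, not API7 code: the function names are hypothetical, and it assumes `printenv`, `sha256sum` and `awk` exist in the environment where the gateway runs.

```shell
#!/bin/sh
# Added example, not API7 code; function names are hypothetical.
# Assumes printenv, sha256sum and awk are available where it runs.

# List the variable names referenced as $env://NAME in text read from stdin.
env_refs() {
    grep -o '\$env://[A-Za-z_][A-Za-z0-9_]*' | sed 's|^\$env://||' | sort -u
}

# For each name print "NAME <16 hex chars of SHA-256>", "NAME EMPTY" or
# "NAME MISSING". Values are never printed. Returns 1 if any is unusable.
# The digest of a short, guessable key can be brute-forced, so handle the
# report as sensitive data.
env_fingerprints() {
    rc=0
    for name in "$@"; do
        if ! value=$(printenv "$name"); then
            printf '%s MISSING\n' "$name"; rc=1
        elif [ -z "$value" ]; then
            printf '%s EMPTY\n' "$name"; rc=1
        else
            digest=$(printf '%s' "$value" | sha256sum | cut -c1-16)
            printf '%s %s\n' "$name" "$digest"
        fi
    done
    return "$rc"
}

# Print the names whose lines differ between two saved reports.
fingerprint_drift() {
    awk 'NR == FNR { seen[$1] = $2; next }
         { if (!($1 in seen) || seen[$1] != $2) print $1; delete seen[$1] }
         END { for (n in seen) print n }' "$1" "$2" | sort -u
}

# Constructed demo: the names come from the references used on this page.
demo_names=$(printf '%s\n' '$env://ALICE_AUTH_KEY' '$env://SSL_CERTIFICATE' \
    '$env://SSL_PRIVATE_KEY' | env_refs)
# shellcheck disable=SC2086
env_fingerprints $demo_names || echo "some referenced variables are not usable"
```

Run `env_fingerprints` inside each gateway instance, save the output per instance, and compare the reports with `fingerprint_drift`; any name it prints is configured differently on the two instances.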