Pattern 6: All-in-One with WSO2 IS as Key Manager¶

This pattern deploys WSO2 API Manager as a single All-in-One node with WSO2 Identity Server 7.x acting as a third-party Key Manager. Token issuance and validation are delegated to WSO2 IS, which runs as a separate component in the same Kubernetes cluster.

How Pattern 6 Differs from Earlier Patterns¶

	Pattern 1	Pattern 5	Pattern 6
Control Plane	Embedded in All-in-One	Embedded in All-in-One	Embedded in All-in-One
Gateway	Embedded	Dedicated, independently scalable	Embedded
Key Manager	Embedded in All-in-One	Dedicated KM (WSO2 APIM KM)	WSO2 Identity Server 7.x
Custom images	Required (All-in-One)	Required (All-in-One); KM reuses ACP image	Required (APIM + IS)
High availability	Yes (2 pods)	Gateway: Yes; KM: Yes; AIO: Optional	Optional

Note

WSO2 IS 7.x in this pattern acts as a third-party Key Manager only. The following limitations apply:

Tenancy is not supported.
WSO2 IS 7.x cannot be configured as the Resident Key Manager — only as a third-party Key Manager.
Role creation in WSO2 IS 7.x requires WSO2 API Manager 4.4.0.5 update level or later.

Pattern 6 requires the following before deploying:

An external database — H2 is not supported for production. Set up an external database before deploying.
Two custom Docker images — one for WSO2 API Manager (with JDBC driver) and one for WSO2 Identity Server (with the APIM notification event handler JAR).
Database schema initialised — run the WSO2 schema scripts against both databases before the APIM pods start.

Quick Start¶

Step 1 — Install Required Tools¶

Ensure the following tools are installed on your machine:

Tool	Purpose	Install Guide
`kubectl`	Kubernetes CLI for managing cluster resources	Install
`helm` (v3)	Package manager for deploying WSO2 Helm charts	Install
`docker`	Required to build and push custom WSO2 images	Install

Verify all tools are installed and check their versions:
```
kubectl version --client
helm version
docker info
```
Version Compatibility

Ensure your tool versions are within the supported ranges listed in the Prerequisites page before proceeding.

Step 2 — Verify Your Cluster is Running¶

Ensure your Kubernetes cluster is up and running:
```
kubectl cluster-info
kubectl get nodes
```
All nodes should show a Ready status.

Step 3 — Add the WSO2 Helm Repository¶

Add the WSO2 Helm repository and update it:

helm repo add wso2 https://helm.wso2.com && helm repo update

Step 4 — Install a Routing Controller¶

WSO2 API Manager 4.7.0 uses Envoy Gateway by default for routing and it is the recommended option. NGINX Ingress Controller is also available for users who require it.

Envoy Gateway (Recommended)NGINX Ingress Controller (Deprecated)

Install Envoy Gateway:

helm install envoy-gateway oci://docker.io/envoyproxy/gateway-helm \
  --version v1.7.0 -n envoy-gateway-system \
  --set config.envoyGateway.extensionApis.enableBackend=true \
  --set envoyGateway.gateway.experimentalFeatures.enabled=true \
  --create-namespace

Create the apim namespace and apply the sample Gateway manifest:

kubectl create namespace apim
kubectl apply \
  -f https://raw.githubusercontent.com/wso2/helm-apim/4.7.x/resources/assets/sample-gateway.yaml \
  -n apim

Verify the gateway is ready:
```
kubectl get gateway -n apim
```

See Section 4 — Routing Controller for full Envoy Gateway values configuration.

Install the NGINX ingress controller into your cluster:

Local cluster (Minikube / Rancher Desktop)Managed cluster (AKS / GKE)

helm upgrade --install ingress-nginx ingress-nginx \
  --repo https://kubernetes.github.io/ingress-nginx \
  --namespace ingress-nginx --create-namespace

helm upgrade --install ingress-nginx ingress-nginx \
  --repo https://kubernetes.github.io/ingress-nginx \
  --namespace ingress-nginx --create-namespace \
  --set controller.service.externalTrafficPolicy=Local

Note

externalTrafficPolicy=Local is required on managed Kubernetes services. Without it, the cloud load balancer health probes fail and traffic never reaches the ingress controller.

Verify the controller is running:
```
kubectl get pods -n ingress-nginx
```
The NGINX pod should show 1/1 Running before proceeding.

Step 5 — Build and Push Custom Docker Images¶

Pattern 6 requires two custom Docker images — one for WSO2 API Manager and one for WSO2 Identity Server.

5.1 — Create the WSO2 API Manager Dockerfile

Choosing a base image

DockerHub (wso2/wso2am:4.7.0) — packages the GA release. Suitable for evaluation and development.
WSO2 Private Registry (registry.wso2.com/wso2-apim/am:4.7.0.0) — includes WSO2 Updates and is recommended for production. Requires an active WSO2 Subscription.

Create a directory for the custom images:

mkdir wso2am-custom && cd wso2am-custom

Create a Dockerfile.apim with the MySQL JDBC driver — adjust the URL for other databases:

FROM wso2/wso2am:4.7.0

ADD --chown=wso2carbon:wso2 \
  https://repo1.maven.org/maven2/mysql/mysql-connector-java/8.0.28/mysql-connector-java-8.0.28.jar \
  /home/wso2carbon/wso2am-4.7.0/repository/components/lib/

5.2 — Create the WSO2 Identity Server Dockerfile

WSO2 IS 7.x needs a custom image that includes the APIM notification event handler JAR. This JAR enables IS to notify APIM when tokens are revoked.

Choosing a base image

DockerHub (wso2/wso2is:7.2.0) — packages the GA release. Suitable for evaluation and development.
WSO2 Private Registry (registry.wso2.com/wso2-is/is:7.2.0.0) — includes WSO2 Updates and is recommended for production. Requires an active WSO2 Subscription.

Create a Dockerfile.is:

FROM wso2/wso2is:7.2.0

ADD --chown=wso2carbon:wso2 \
  https://maven.wso2.org/nexus/content/repositories/releases/org/wso2/km/ext/wso2is/wso2is.notification.event.handlers/2.1.3/wso2is.notification.event.handlers-2.1.3.jar \
  /home/wso2carbon/wso2is-7.2.0/repository/components/dropins/

5.3 — Build and Push Both Images

Build and push both images, replacing <REGISTRY> and <TAG> with your values:
```
docker buildx build --platform linux/amd64 -f Dockerfile.apim -t <REGISTRY>/wso2am-mysql:<TAG> .
docker buildx build --platform linux/amd64 -f Dockerfile.is -t <REGISTRY>/wso2is-km:<TAG> .

docker push <REGISTRY>/wso2am-mysql:<TAG>
docker push <REGISTRY>/wso2is-km:<TAG>
```
Matching your cluster architecture

The --platform flag ensures the image is built for the architecture your cluster nodes run on. Most managed clusters (AKS, GKE) and Linux servers use linux/amd64. If you are building on Apple Silicon (M1/M2/M3/M4) without this flag, the pod will fail to start with no match for platform in manifest.

To check your cluster node architecture:
```
kubectl get nodes -o jsonpath='{.items[*].status.nodeInfo.architecture}'
```

Get the image digests — you will need them when configuring values files:

docker inspect <REGISTRY>/wso2am-mysql:<TAG> \
  --format='{{index .RepoDigests 0}}'

docker inspect <REGISTRY>/wso2is-km:<TAG> \
  --format='{{index .RepoDigests 0}}'

Step 6 — Extract APIM Keystores¶

WSO2 IS uses a self-signed certificate for its HTTPS endpoints. APIM calls IS over the Kubernetes service name is-identity-server:9443, so APIM must trust that certificate before it starts. Extract the default APIM keystores now so you can import the IS certificate into the truststore after IS is running in Step 8.

Extract the default keystores from your APIM image:

mkdir -p keystores

docker run --rm -v "$(pwd)/keystores:/keystores" --entrypoint bash <REGISTRY>/wso2am-mysql:<TAG> -c \
  "cp /home/wso2carbon/wso2am-4.7.0/repository/resources/security/wso2carbon.jks \
      /home/wso2carbon/wso2am-4.7.0/repository/resources/security/client-truststore.jks \
      /keystores/"

You will import the IS certificate into client-truststore.jks and create the Kubernetes secret in Step 8 after IS is deployed.

Step 7 — Deploy WSO2 Identity Server¶

Download the default IS values file:

helm show values wso2/identity-server > values-is.yaml

Open values-is.yaml and update the following sections before deploying.

Custom image — point to the IS image you built in Step 5:
```
wso2:
  deployment:
    image:
      registry: "docker.io"
      repository: "<your-username>/wso2is-km"
      tag: "<TAG>"
      digest: "sha256:abcdef..."
```
APIM notification configuration — add the following block so IS can notify APIM when tokens are revoked. Replace <APIM_SERVICE_NAME> with the Kubernetes service name of the APIM pod (typically apim-wso2am-all-in-one-service if you use release name apim):
```
deploymentToml:
  extraConfigs: |
    oauth.authorize_all_scopes = true

    [[resource.access_control]]
    context="(.*)/scim2/Me"
    secure=true
    http_method="GET"
    cross_tenant=true

    [[event_listener]]
    id = "token_revocation"
    type = "org.wso2.carbon.identity.core.handler.AbstractIdentityHandler"
    name = "org.wso2.is.notification.ApimOauthEventInterceptor"
    order = 1
    [event_listener.properties]
    notification_endpoint = "https://<APIM_SERVICE_NAME>:9443/internal/data/v1/notify"
    username = "${admin.username}"
    password = "${admin.password}"
    'header.X-WSO2-KEY-MANAGER' = "WSO2-IS"
```
Use dotted key form for the oauth setting

The IS Helm chart's base deployment.toml already defines [oauth.token_cleanup] and [oauth.token_generation]. Redeclaring [oauth] as a section header in extraConfigs causes a TOML parser crash (StackOverflowError) at startup. Use oauth.authorize_all_scopes = true (dotted key form) instead of a [oauth] section block.

Note

The notification_endpoint must use the APIM pod's internal Kubernetes service name, not the ingress hostname — IS communicates with APIM from inside the cluster. With the default release name apim, the service name is apim-wso2am-all-in-one-am-service. Verify with kubectl get svc -n apim after deploying APIM.

Deploy WSO2 Identity Server:

helm install is wso2/identity-server \
  --namespace apim --create-namespace \
  -f values-is.yaml

Wait for the IS pod to be ready:
```
kubectl get pods -n apim -w
```
The IS pod should show 1/1 Running before deploying APIM. This may take several minutes on the first run.

Step 8 — Import IS Certificate and Create Keystore Secret¶

APIM calls IS over HTTPS using the Kubernetes service name is-identity-server:9443. Because IS uses a self-signed certificate, APIM fails with a PKIX path building failed error unless that certificate is imported into APIM's truststore before APIM starts.

Port-forward the IS service to your local machine:
```
kubectl port-forward -n apim svc/is-identity-server 9444:9443 &
```
Wait until you see Forwarding from 127.0.0.1:9444 -> 9443 before running the next command.
Extract the IS certificate:
```
openssl s_client -connect localhost:9444 -servername wso2is.km < /dev/null 2>/dev/null | openssl x509 > is-cert.pem
```
Then stop the port-forward:
```
kill %1
```
Warning

Run the port-forward and openssl as separate commands — do not chain them together. If you run them in the same line, openssl starts before the tunnel is ready and the extraction fails with Could not find certificate from <stdin>.

Verify the certificate was captured — the output should start with -----BEGIN CERTIFICATE-----:
```
cat is-cert.pem
```

Import the IS certificate into the APIM truststore you extracted in Step 6:

keytool -importcert -trustcacerts -alias wso2is -file is-cert.pem \
  -keystore keystores/client-truststore.jks -storepass wso2carbon -noprompt

Create the apim-keystore-secret Kubernetes secret with the updated truststore:

kubectl create secret generic apim-keystore-secret \
  --from-file=wso2carbon.jks=keystores/wso2carbon.jks \
  --from-file=client-truststore.jks=keystores/client-truststore.jks \
  -n apim

Generate the encryption key — you will need it in the next step:
```
openssl rand -hex 32
```
Encryption key is mandatory

WSO2 API Manager 4.7.0 requires a 256-bit encryption key before first startup. Store this key securely — you will need the same key if you redeploy.

openssl is not available on Windows by default. Windows users can generate the key using PowerShell's System.Security.Cryptography.RandomNumberGenerator class.

Create values-apim.yaml with the following content, replacing all placeholder values:

wso2:
  deployment:
    image:
      registry: "docker.io"
      repository: "<your-username>/wso2am-mysql"
      tag: "<TAG>"
      digest: "sha256:<digest>"
  apim:
    configurations:
      encryption:
        key: "<generated-64-char-hex-key>"
      security:
        jksSecretName: "apim-keystore-secret"
        truststore:
          password: "wso2carbon"

Replace: - Image fields with the values from Step 5 (docker inspect output) - <generated-64-char-hex-key> with the openssl rand -hex 32 output above

Note

jksSecretName tells the Helm chart to mount the keystore secret into the APIM pod. Without this setting, APIM uses its embedded default keystores and ignores apim-keystore-secret.

Adding an external database

The template above uses the embedded H2 database from the default values file, which is sufficient for evaluation. For production deployments, add a databases block to values-apim.yaml:

      databases:
        apim_db:
          url: "<JDBC_URL_FOR_APIM_DB>"
          username: "<DB_USERNAME>"
          password: "<DB_PASSWORD>"
        shared_db:
          url: "<JDBC_URL_FOR_SHARED_DB>"
          username: "<DB_USERNAME>"
          password: "<DB_PASSWORD>"

For JDBC URL formats per database type, see Setting Up Databases.

Step 9 — Deploy WSO2 API Manager¶

Deploy WSO2 API Manager using the default values file and the values-apim.yaml you created in Step 8:
```
helm install apim wso2/wso2am-all-in-one \
  --version 4.7.0-1 \
  --namespace apim \
  -f https://raw.githubusercontent.com/wso2/helm-apim/4.7.x/resources/am-pattern-0-all-in-one/default_values.yaml \
  -f values-apim.yaml \
  --set wso2.apim.configurations.encryption.key=$(openssl rand -hex 32)
```
Encryption key is mandatory

WSO2 API Manager 4.7.0 requires a 256-bit encryption key before first startup. The command above generates one automatically. For production or shared environments, generate the key separately, store it securely, and set it explicitly in your values-apim.yaml under wso2.apim.configurations.encryption.key.

openssl is not available on Windows by default. Windows users can generate the key using PowerShell's System.Security.Cryptography.RandomNumberGenerator class.
Wait for the APIM pod to be ready:
```
kubectl get pods -n apim -w
```
The APIM pod should show 1/1 Running before proceeding. This may take several minutes on the first run.

Step 10 — Configure DNS¶

Windows users

On Windows, the hosts file is at C:\Windows\System32\drivers\etc\hosts. Open Notepad (or another text editor) as Administrator to edit it.

MinikubeRancher DesktopManaged cluster (AKS / GKE)

Run the following command in a separate terminal and keep it running:
```
minikube tunnel
```
Note

minikube tunnel requires sudo privileges to expose ports 80 and 443. You will be prompted for your system password. Once entered, the tunnel will stay running silently — this is expected. Do not close this terminal. Open a new terminal for the next steps.
Get the external IP:
Envoy Gateway (Recommended)NGINX Ingress Controller (Deprecated)
kubectl get gateway -n apim
kubectl get ing -n apim
The ADDRESS column should now show 127.0.0.1.

Add the following entry to your /etc/hosts file:

127.0.0.1 am.wso2.com gw.wso2.com websocket.wso2.com websub.wso2.com wso2is.km

Get the external IP:
Envoy Gateway (Recommended)NGINX Ingress Controller (Deprecated)
kubectl get gateway -n apim
kubectl get ing -n apim
Add the following entry to your /etc/hosts file, replacing <EXTERNAL-IP> with the value from the output above:
```
<EXTERNAL-IP> am.wso2.com gw.wso2.com websocket.wso2.com websub.wso2.com wso2is.km
```

Get the external IP:
Envoy Gateway (Recommended)NGINX Ingress Controller (Deprecated)
kubectl get gateway -n apim
kubectl get ing -n apim
For quick testing, add the ADDRESS value to your /etc/hosts:
```
<EXTERNAL-IP> am.wso2.com gw.wso2.com websocket.wso2.com websub.wso2.com wso2is.km
```
For a production setup, create DNS records in your DNS provider mapping these hostnames to the external IP.

Note

These are the default hostnames. If you customised the hostnames in your values.yaml, use those values here instead:

Envoy Gateway: kubernetes.gatewayAPI.management.hostname, kubernetes.gatewayAPI.gateway.hostname, etc.
NGINX: ingress.controlPlane.hostname, ingress.gateway.hostname, etc.
wso2is.km is the default IS hostname (configure in values-is.yaml).

Step 11 — Register IS as Key Manager¶

Once both APIM and IS are running and DNS is configured, register IS as a Key Manager through the APIM Admin Portal.

Open the Admin Portal at https://am.wso2.com/admin and log in with admin / admin.
Navigate to Key Managers and click Add Key Manager.

Configure the Key Manager with the following settings:

Field	Value
Name	WSO2IS7
Display Name	WSO2 Identity Server 7
Key Manager Type	WSO2 Identity Server 7
Well-known URL	`https://is-identity-server:9443/oauth2/token/.well-known/openid-configuration`
Issuer	`https://is-identity-server:9443/oauth2/token`
Client Registration Endpoint	`https://is-identity-server:9443/api/identity/oauth2/dcr/v1.1/register`
Introspection Endpoint	`https://is-identity-server:9443/oauth2/introspect`
Token Endpoint	`https://is-identity-server:9443/oauth2/token`
Display Token Endpoint	`https://wso2is.km:9443/oauth2/token`
Revoke Endpoint	`https://is-identity-server:9443/oauth2/revoke`
Display Revoke Endpoint	`https://wso2is.km:9443/oauth2/revoke`
UserInfo Endpoint	`https://is-identity-server:9443/scim2/Me`
Authorize Endpoint	`https://wso2is.km:9443/oauth2/authorize`
Scope Management Endpoint	`https://is-identity-server:9443/api/identity/oauth2/v1.0/scopes`
Certificate Type	JWKS
JWKS URL	`https://is-identity-server:9443/oauth2/jwks`
Username (connector config)	admin
Password (connector config)	admin
WSO2 IS 7 API Resource Management Endpoint	`https://is-identity-server:9443/api/server/v1/api-resources`
WSO2 IS 7 Roles Endpoint	`https://is-identity-server:9443/scim2/v2/Roles`

Use the Kubernetes service name for operational endpoints

Operational endpoints (Well-known URL, Token Endpoint, Revoke Endpoint, etc.) must use is-identity-server:9443 — the Kubernetes cluster DNS name for the IS service. APIM calls these from inside the cluster and cannot resolve /etc/hosts entries that map wso2is.km to an external IP.

Display endpoints (Display Token Endpoint, Display Revoke Endpoint, Authorize Endpoint) use wso2is.km:9443 because they are opened by end users in a browser, where the external hostname resolves correctly.

Click Add to save.

Step 12 — Access the Portals¶

Once DNS is configured, open the following URLs in your browser:

Envoy Gateway (Recommended)NGINX Ingress Controller (Deprecated)

Portal	URL
Publisher	`https://<kubernetes.gatewayAPI.management.hostname>/publisher`
Developer Portal	`https://<kubernetes.gatewayAPI.management.hostname>/devportal`
Admin Portal	`https://<kubernetes.gatewayAPI.management.hostname>/admin`
Carbon Console	`https://<kubernetes.gatewayAPI.management.hostname>/carbon`
IS Management Console	`https://wso2is.km/console`

Portal	URL
Publisher	`https://<kubernetes.ingress.management.hostname>/publisher`
Developer Portal	`https://<kubernetes.ingress.management.hostname>/devportal`
Admin Portal	`https://<kubernetes.ingress.management.hostname>/admin`
Carbon Console	`https://<kubernetes.ingress.management.hostname>/carbon`
IS Management Console	`https://wso2is.km/console`

Replace the hostname placeholders with the actual values from your values.yaml. With default values, the management hostname resolves to am.wso2.com.

Chrome may block access

Chrome enforces HSTS preloading for *.wso2.com domains, which removes the option to bypass the self-signed certificate warning entirely. Use Firefox or Safari instead, and click through the certificate warning when prompted.

Default credentials: admin / admin

Complete Step 11 — register IS as Key Manager in the Admin Portal — if you have not done so already.

Customized Configurations¶

All configurations in this section are made by editing your values-apim.yaml or values-is.yaml files.

Note

Once all changes are in place, deploy using Deploy with Custom Values.

The Helm charts for WSO2 API Manager are available in the WSO2 Helm Chart Repository. For WSO2 Identity Server, refer to the WSO2 IS Kubernetes deployment documentation.

Resource Naming Convention

Kubernetes resources created by the Helm charts follow this naming pattern:

<RELEASE_NAME>-<CHART_NAME>-<RESOURCE_NAME>

1. Image and Registry¶

1.1 Private Registry Authentication

If your registry is private and requires authentication, enable imagePullSecrets in both values files:

wso2:
  deployment:
    image:
      imagePullSecrets:
        enabled: true
        username: ""
        password: ""

2. Database and Credentials¶

2.1 Configure Admin Credentials

The default admin credentials are admin/admin. Change these before deploying to any shared or production environment.

wso2:
  apim:
    configurations:
      adminUsername: ""
      adminPassword: ""

2.2 Update Keystore Passwords

If you are mounting custom keystores (see section 3.1), update the passwords here to match.

wso2:
  apim:
    configurations:
      security:
        keystores:
          primary:
            password: ""
            keyPassword: ""
          internal:
            password: ""
            keyPassword: ""
          tls:
            password: ""
            keyPassword: ""
        truststore:
          password: ""

Note

keyPassword must equal password for each keystore. WSO2 API Manager requires these to be identical due to a limitation in internal third-party components — setting them to different values will cause startup failures.

2.3 Component Configuration References

All-in-One Helm chart

3. Security¶

3.1 Mount Keystore and Truststore

In Step 8, you created apim-keystore-secret using the default WSO2 keystores with the IS certificate imported. Those are self-signed certificates suitable for evaluation only.

For production-level keystore setup, refer to Configuring Keystores in WSO2 API Manager. Then recreate the secret with your own certificates:

kubectl create secret generic apim-keystore-secret \
  --from-file=wso2carbon.jks \
  --from-file=client-truststore.jks \
  -n apim

For mutual certificate trust between APIM and IS, import each product's public certificate into the other's truststore. Refer to the Importing certificates to the truststore guide.

For more details on configuring keystores, see Configuring Keystores in WSO2 API Manager.

3.2 Configure the Internal Encryption Key

Mandatory in 4.7.0

The internal encryption key is required in WSO2 API Manager 4.7.0. You must set this before the first startup — changing it afterwards will cause decryption failures for any data already encrypted.

Generate a unique 256-bit key:
```
openssl rand -hex 32
```
Note

openssl is not available on Windows by default. Windows users can generate the key using PowerShell's System.Security.Cryptography.RandomNumberGenerator class.
Add the key to your values-apim.yaml:
```
wso2:
  apim:
    configurations:
      encryption:
        key: "<generated-64-char-hex-key>"
```
If you encrypt secrets using the cipher tool and secure vault (see Section 3.3), also encrypt the internal encryption key and set the encrypted value here instead of the plaintext key.

3.3 Encrypt Secrets

By default, database passwords and other sensitive values are stored as plain text in the values files. This is acceptable for local testing but a security risk in production.

Option 1: Cipher Tool

Use the cipher tool from the product pack to encrypt secrets:

sh ciphertool.sh -Dconfigure -Dsymmetric -Dkey.based.encryption

Option 2: apictl

You can also use apictl to encrypt secrets. For further guidance, refer to Encrypting Secrets with apictl.

Initialize apictl using the trust store:

apictl secret init

Example:

apictl secret init
Enter Key Store location: /home/wso2carbon/wso2am-4.7.0/repository/resources/security/wso2carbon.jks
Enter Key Store password: 
Enter Key alias: wso2carbon
Enter Key password: 

Key Store initialization completed

Encrypt each of the following values using apictl secret create:
- admin_password
- keystore_password
- keystore_key_password
- ssl_keystore_password
- ssl_key_password
- internal_keystore_password
- internal_keystore_key_password
- truststore_password
- apim_db_password
- shared_db_password
Example:
```
apictl secret create
Enter plain alias for secret: db_password
Enter plain text secret: 
Repeat plain text secret: 

db_password : eKALmLVA+HFVl7vxxxxxxxxxxxxxxxxxxxxxxxxxxxjakhHN
```
Replace the plain text values in your values files with the encrypted values.

Enable secure vault:

# -- Secure vault enabled
secureVaultEnabled: true

If you are using a cloud provider secret manager, store the secret encryption key there and reference it so the runtime can fetch and use it to decrypt secrets:

aws:
  secretsManager:
    secretIdentifiers:
      secretEncryptionKey:
        # -- Secret name in the cloud provider's secret manager
        secretName: ""
        # -- Secret key in the cloud provider's secret manager
        secretKey: ""

Note

Currently, AWS, Azure, and GCP Secrets Managers are supported.

3.4 Configure SSL

For WSO2 recommended SSL best practices when exposing services outside the cluster, refer to the WSO2 container guide.

4. Routing Controller¶

4.1 Configure Envoy Gateway (Default in 4.7.x)

Envoy Gateway is the default routing controller in WSO2 API Manager 4.7.0. It uses the Kubernetes Gateway API, which provides more flexibility than traditional Ingress resources.

Step 1: Create a TLS secret

kubectl create secret tls apim-tls-secret \
  --key <private-key-file> \
  --cert <certificate-file> \
  -n apim

Step 2: Install Envoy Gateway (if not already done in Step 4 of the Quick Start)

helm install envoy-gateway oci://docker.io/envoyproxy/gateway-helm \
  --version v1.7.0 -n envoy-gateway-system \
  --set config.envoyGateway.extensionApis.enableBackend=true \
  --set envoyGateway.gateway.experimentalFeatures.enabled=true \
  --create-namespace

Step 3: Apply the Gateway manifest

kubectl apply \
  -f https://raw.githubusercontent.com/wso2/helm-apim/4.7.x/resources/assets/sample-gateway.yaml \
  -n apim

Step 4: (Optional) Create a CA ConfigMap for backend TLS

If you want Envoy Gateway to verify backend TLS certificates, create a ConfigMap with your CA certificate:

kubectl create configmap wso2-ca-cert \
  --from-file=ca.crt=<path-to-ca-cert> \
  -n apim

Step 5: Configure Envoy Gateway in values.yaml

kubernetes:
  gatewayAPI:
    enabled: true
    gatewayName: "wso2-apim-gateway"
    defaultConfigMapCreation: false
    management:
      enabled: true
      hostname: "am.wso2.com"
    gateway:
      enabled: true
      hostname: "gw.wso2.com"
    websocket:
      enabled: true
      hostname: "websocket.wso2.com"
    websub:
      enabled: true
      hostname: "websub.wso2.com"
    backendTLSPolicy:
      enabled: true
      caCertificateConfigMap: "wso2-ca-cert"
      hostname: "<hostname used in the TLS certificate>"
    backendTrafficPolicy:
      enabled: true
      cookie:
        name: "WSO2_CP_STICKY_SESSION"
        ttl: "0s"

4.2 Configure NGINX Ingress Controller

Use this section if you are using NGINX Ingress Controller instead of Envoy Gateway.

Configure ingress annotations

You may need to customise these if you want to enable sticky sessions, change the backend protocol, or apply rate limiting.

ingressClass: "nginx"
ingress:
  tlsSecret: ""
  ratelimit:
    enabled: false
    zoneName: ""
    burstLimit: ""
  controlPlane:
    hostname: "am.wso2.com"
    annotations:
      nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
      nginx.ingress.kubernetes.io/affinity: "cookie"
      nginx.ingress.kubernetes.io/session-cookie-name: "route"
      nginx.ingress.kubernetes.io/session-cookie-hash: "sha1"

Refer to the NGINX ingress annotations documentation for the full list of supported options.

Configure TLS for Ingress

kubectl create secret tls my-tls-secret \
  --key <private-key-file> \
  --cert <certificate-file> \
  -n apim

Then set the secret name in your values.yaml under ingress.tlsSecret. Refer to the Kubernetes ingress TLS documentation for more details.

5. High Availability¶

5.1 Enable High Availability for APIM

To run two All-in-One pods in an active-active configuration, set:

wso2:
  deployment:
    highAvailability: true

5.2 Configure User Store Properties

userStore:
  type: "database_unique_id"
  properties:
    ReadGroups: true

Warning

If you do not need to set any custom properties, remove the properties block entirely. An empty properties block will cause the deployment to fail.

See Working with user store properties for the full list of options.

6. Deploy with Custom Values¶

Once your values files are configured, deploy both components:

helm install is wso2/identity-server \
  --namespace apim --create-namespace \
  -f values-is.yaml

helm install apim wso2/wso2am-all-in-one \
  --version 4.7.0-1 \
  --namespace apim \
  -f https://raw.githubusercontent.com/wso2/helm-apim/4.7.x/resources/am-pattern-0-all-in-one/default_values.yaml \
  -f values-apim.yaml \
  --set wso2.apim.configurations.encryption.key=$(openssl rand -hex 32)

Deployment Parameters

Release names: is, apim
<namespace> — Kubernetes namespace to deploy into (e.g. apim)
Helm chart paths: wso2/identity-server, wso2/wso2am-all-in-one (or local clones)