Pattern 0: API-M Deployment with All-in-One Setup¶

This deployment consists of a single API-M node with a single API-M runtime. You can use this pattern if you expect to receive low traffic to your deployment and do not need any high availability in your environment.

Info

For advanced details on the deployment pattern, please refer to the official documentation.

Contents¶

Pattern 0: API-M Deployment with All-in-One Setup
Contents
Prerequisites
Step 1 - Set Up Basic Configurations
Minimal Configuration
Configuration

Prerequisites¶

Before you begin, ensure you have the following prerequisites in place:

Step 1 - Set Up Basic Configurations¶

Info

The following tools and configurations are necessary for deploying WSO2 API-M in a Kubernetes environment.

Install the required tools:
Git
Helm
Kubernetes client
Ensure you have a running Kubernetes cluster.
Install the NGINX Ingress Controller.

Add the WSO2 Helm chart repository:

helm repo add wso2 https://helm.wso2.com && helm repo update

Minimal Configuration¶

If you want to quickly try out WSO2 API Manager on Kubernetes with minimal configuration, you can use the default values provided in the default_values.yaml file.

Quick Start Configuration

This minimal configuration includes:

H2 database (embedded)
Default keystore and truststore
Basic settings for testing purposes

Note: This configuration is ideal for development environments or quick evaluation but is not recommended for production use.

Deploy API Manager with minimal configuration using the following command:

helm install apim wso2/wso2am-all-in-one --version 4.5.0-3 -f https://raw.githubusercontent.com/wso2/helm-apim/main/docs/am-pattern-0-all-in-one/default_values.yaml

Once the service is up and running, make sure you have the NGINX Ingress Controller deployed by following the steps outlined in the Add Ingress Controller section.

Configuration¶

1. General Configuration of Helm Charts¶

The helm charts for the API Manager deployment are available in the WSO2 Helm Chart Repository. You can either use the charts from the repository or clone the repository and use the charts from the local copy.

Resource Naming Convention

The helm naming convention for APIM follows a simple pattern:

<RELEASE_NAME>-<CHART_NAME>-<RESOURCE_NAME>

1.1 Add Ingress Controller¶

The recommendation is to use NGINX Ingress Controller suitable for your cloud environment or local deployment. Some sample annotations that could be used with the ingress resources are as follows.

The ingress class should be set to nginx in the ingress resource if you are using the NGINX Ingress Controller.

Following are some of the recommended annotations to include in the helm charts for ingresses. These may vary depending on the requirements. Please refer to the documentation for more information about the annotations.

ingressClass: "nginx"
ingress:
  tlsSecret: ""
  ratelimit:
    enabled: false
    zoneName: ""
    burstLimit: ""
  controlPlane:
    hostname: "am.wso2.com"
    annotations:
      nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
      nginx.ingress.kubernetes.io/affinity: "cookie"
      nginx.ingress.kubernetes.io/session-cookie-name: "route"
      nginx.ingress.kubernetes.io/session-cookie-hash: "sha1"

- You need to create a kubernetes secret including the certificate and the private key and include the name of the secret in the helm charts. This will be used for TLS termination in load balancer level by the ingress controller. Please refer to the documentation for more information.

kubectl create secret tls my-tls-secret --key <private key filename> --cert <certificate filename>

1.2 Mount Keystore and Truststore¶

If you are not including the keystore and truststore into the docker image, you can mount them using a Kubernetes secret. Following steps shows how to mount the keystore and truststore using a Kubernetes secret.
Create a Kubernetes secret with the keystore and truststore files. The secret should contain the primary keystore file, secondary keystore file, internal keystore file, and the truststore file. Note that the secret should be created in the same namespace in which you will be setting up the deployment.
Make sure to use the same secret name when creating the secret and when configuring the helm chart.
If you are using a different keystore file name and alias, make sure to update the helm chart configurations accordingly. In addition to the primary, internal keystores and truststore files, you can also include the keystores for HTTPS transport as well.
Refer the following sample command to create the secret and use it in the APIM.

kubectl create secret generic apim-keystore-secret --from-file=wso2carbon.jks --from-file=client-truststore.jks --from-file=wso2internal.jks -n <namespace>

By default, this deployment uses the default keystores and truststores provided by the relevant WSO2 product. For advanced details with regards to managing custom Java keystores and truststores in a container based WSO2 product deployment please refer to the official WSO2 container guide.

1.3 Encrypting Secrets¶

If you need to use cipher tool to encrypt the passwords in the secret, first you need to encrypt the passwords using the cipher tool. The cipher tool can be found in the bin directory of the product pack. The following command can be used to encrypt the password.
```
sh cipher-tool.sh -Dconfigure
```
Also the apictl can be used to encrypt password as well. Reference can be found in following.
Then the encrypted values should be filled in the the relevant fields of values.yaml.
Since internal keystore password is required to resolve the encrypted value in runtime, we need to store the value in the cloud provider's secret manager. You can use the cloud provider's secret store to store the password of the internal keystore. The following section can be used to add the cloud provider's credentials to fetch the internal keystore password. Configuration for aws can be at as below.
```
internalKeystorePassword:
  # -- AWS Secrets Manager secret name
  secretName: ""
  # -- AWS Secrets Manager secret key
  secretKey: ""
```
Please note that currently AWS, Azure and GCP Secrets Managers are only supported for this.

1.4 Configure Docker Image and Databases¶

Add the following configurations to reflect the docker image created previously in the helm chart.
```
wso2:
  deployment:
    image:
      imagePullSecrets:
        enabled: false
        username: ""
        password: ""        
      registry: ""
      repository: ""
      digest: ""
```
If you are using a private Docker registry, you must enable imagePullSecrets.enabled and provide the username and password. - Provide the database configurations under the following section.
```
wso2:
  apim:
    configurations:
      databases:
        apim_db:
          url: ""
          username: ""
          password: ""
        shared_db:
          url: ""
          username: ""
          password: ""
```
- If you need to change the hostnames, update them under the Kubernetes ingress section. - Update the keystore passwords in the security section of the values.yaml file. - Review the descriptions of other configurations and modify them as needed to meet your requirements. A simple deployment can be achieved using the basic configurations provided in the values.yaml file. All configuration options for each Helm chart are documented in their respective component guides: - All-in-one - Universal Gateway - Update the admin credentials in the configuration directory.
```
  # -- Super admin username
  adminUsername: ""
  # -- Super admin password
  adminPassword: ""
```

1.5 Configure SSL in Service Exposure¶

SSL Configuration Best Practices

For WSO2 recommended best practices in configuring SSL when exposing internal services to outside of the Kubernetes cluster, refer to the official WSO2 container guide.

Proper SSL configuration is critical for securing API traffic and maintaining compliance with security standards.

2. All-in-One Configurations¶

This section covers the specific configurations relevant to the All-in-One deployment pattern.

2.1 Configure Multiple Gateways¶

If you need to distribute the Gateway load that comes in, you can configure multiple API Gateway environments in WSO2 API Manager

to publish to a single Developer Portal. See more... href="#__codelineno-11-1">gateway: # -- APIM Gateway environments environments: - name: "Default" type: "hybrid" gatewayType: "Regular" provider: "wso2" visibility: displayInApiConsole: true description: "This is a hybrid gateway that handles both production and sandbox token traffic." showAsTokenEndpointUrl: true serviceName: "apim-gw-wso2am-gateway-service" servicePort: 9443 wsHostname: "websocket.wso2.com" httpHostname: "gw.wso2.com" websubHostname: "websub.wso2.com" - name: "Default_apk" type: "hybrid" provider: "wso2" gatewayType: "APK" displayInApiConsole: true description: "This is a hybrid gateway that handles both production and sandbox token traffic." showAsTokenEndpointUrl: true serviceName: "apim-gw-wso2am-gateway-service" servicePort: 9443 wsHostname: "websocket.wso2.com" httpHostname: "default.gw.wso2.com:9095" websubHostname: "websub.wso2.com"

2.2 Configure User Store Properties¶

You can configure user store properties as described in this documentation:

    userStore:
    # -- User store type.
    type: "database_unique_id"
    # -- User store properties
    properties:
        ReadGroups: true

Configuration Note

If you do not want to configure any of these properties, you must remove the properties block from the YAML file to prevent deployment issues.

For a complete list of available user store properties and their descriptions, refer to the documentation.

2.4 Configure JWKS URL¶

By default, for the super tenant, the Resident Key Manager's JWKS URL is set to https://<HOSTNAME>:9443/oauth2/jwks. If you are using a virtual host like am.wso2.com that is not globally routable, this URL will be incorrect. You can configure the correct JWKS URL for the super tenant using the Helm chart as shown below:

wso2:
  apim:
    configurations:
      oauth_config:
        oauth2JWKSUrl: "https://localhost:9443/oauth2/jwks"

2.5 Deploy All-in-One¶

After configuring all the necessary parameters, you can deploy the All-in-One pattern using Helm:

Create a namespace for your deployment
Install the Helm chart with your custom configurations

# Create namespace for deployment
kubectl create namespace <namespace>

# Deploy API Manager using Helm
helm install <release-name> <helm-chart-path> \
  --version 4.5.0-3 \
  --namespace <namespace> \
  --dependency-update \
  -f values.yaml \
  --create-namespace

Deployment Parameters

<release-name>: Choose a name for your release (e.g., apim)
<namespace>: Specify the Kubernetes namespace (e.g., wso2)
<helm-chart-path>: Path to the Helm chart (e.g., ./all-in-one or use the repository URL)

3. Add a DNS record mapping the hostnames and the external IP¶

Obtain the external IP (EXTERNAL-IP) of the API Manager Ingress resources, by listing down the Kubernetes Ingresses.

kubectl get ing -n <NAMESPACE>

If the defined hostnames (in the previous step) are backed by a DNS service, add a DNS record mapping the hostnames and the external IP (EXTERNAL-IP) in the relevant DNS service.

If the defined hostnames are not backed by a DNS service, for the purpose of evaluation you may add an entry mapping the hostnames and the external IP in the /etc/hosts file at the client-side.

<EXTERNAL-IP> <kubernetes.ingress.management.hostname> <kubernetes.ingress.gateway.hostname> <kubernetes.ingress.websub.hostname> <kubernetes.ingress.websocket.hostname>

4. Access Management Consoles¶

API Manager Publisher: https://<kubernetes.ingress.management.hostname>/publisher
API Manager DevPortal: https://<kubernetes.ingress.management.hostname>/devportal
API Manager Carbon Console: https://<kubernetes.ingress.management.hostname>/carbon
Universal Gateway: https://<kubernetes.ingress.gateway.hostname>