环境变量

API7 企业版支持使用环境变量来配置消费者凭证、SSL 证书和某些插件。有一些保留用于特殊用途的环境变量，还有一些可以使用自定义名称创建并引用的环境变量。

保留的环境变量

API7 企业版目前保留了以下环境变量：

变量名称	描述
APISIX_DEPLOYMENT_ETCD_HOST	etcd 主机地址。
APISIX_WORKER_PROCESSES	工作进程（worker processes）的数量。

要使用这些配置，请在启动 APISIX 之前将值分配给环境变量。

自定义环境变量

你可以在配置文件和某些插件中使用自定义环境变量。

注意

环境变量直接配置在每个数据面（网关实例）上，并在重启后立即生效。由于这种配置方式，你无法从控制面查看其实际值。此外，同一个网关组内不同网关实例之间环境变量配置的不一致可能会导致不可预测的行为以及潜在的 API 故障。

消费者凭证

消费者凭证（Consumer Credentials）中的以下敏感字段可以通过 NGINX env 指令存储在环境变量中：

• 密钥身份验证（Key Authentication）凭证中的 key
• 基本身份验证（Basic Authentication）凭证中的 password
• JWT 身份验证（JWT Authentication）凭证中的 secret 和 public key
• HMAC 身份验证（HMAC Authentication）凭证中的 secret key

以下示例演示了如何配置密钥身份验证凭证以从环境变量中获取用户身份验证密钥。

设置环境变量

Docker

在部署网关实例时设置环境变量。请按照添加网关实例的说明，然后将环境变量添加到生成的脚本中。

Docker 示例，向 docker run 命令添加自定义环境变量：

docker run -d -e API7_CONTROL_PLANE_ENDPOINTS='["https://your-host-or-ip:443"]' \
-e API7_GATEWAY_GROUP_SHORT_ID=default \
-e ALICE_AUTH_KEY=alice-key \
-e API7_CONTROL_PLANE_CERT="-----BEGIN CERTIFICATE-----
MIIBiDCCATqgAwIBAgICBAAwBQYDK2VwMEQxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
EwpDYWxpZm9ybmlhMQ0wCwYDVQQKEwRBUEk3MREwDwYDVQQDEwhBUEk3IEluYzAe
Fw0yNDEwMjkwMzM4NTJaFw0yNTExMjgwMzM4NTJaMDAxDTALBgNVBAoTBEFQSTcx
HzAdBgNVBAMTFmFwaTdlZTMtYXBpc2l4LWdhdGV3YXkwKjAFBgMrZXADIQBpBV0D
YBeCedUrIWvyk2YHORcmzBeCiActHJk3u4ZkyKNkMGIwDgYDVR0PAQH/BAQDAgeA
MBMGA1UdJQQMMAoGCCsGAQUFBwMCMC0GA1UdDgQmBCQyOWEzZmVlZi1hNzM2LTQy
OTEtODlmZS0xOWI4MDFjODNjZWQwDAYDVR0jBAUwA4ABMDAFBgMrZXADQQA0aeIB
5Gy5cVYrRgM+PRduSumjDMyDFNbH01GNQ/5RTeyMaH3lAj64JLOO4sQe7gy3dDxx
b7N9mKGl8iMzSLwF
-----END CERTIFICATE-----" \
-e API7_CONTROL_PLANE_KEY="-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEIJ6hn4EQKXSh4U+2SFPJhBh3RxN/1trnsu2Zjp6hRB5A
-----END PRIVATE KEY-----" \
-e API7_CONTROL_PLANE_CA="-----BEGIN CERTIFICATE-----
MIIBdTCCASegAwIBAgIQVXqTFu/hH4caZptKdGp04zAFBgMrZXAwRDELMAkGA1UE
BhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExDTALBgNVBAoTBEFQSTcxETAPBgNV
BAMTCEFQSTcgSW5jMB4XDTI0MDkwNzA4MTc0NVoXDTM0MDkwNTA4MTc0NVowRDEL
MAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExDTALBgNVBAoTBEFQSTcx
ETAPBgNVBAMTCEFQSTcgSW5jMCowBQYDK2VwAyEAkTj447bpztG1dc0HVW74za+v
NEAhU7mySYSmUSwdRfCjLzAtMA4GA1UdDwEB/wQEAwIChDAPBgNVHRMBAf8EBTAD
AQH/MAoGA1UdDgQDBAEwMAUGAytlcANBAKxxBg/CEnOoxQnVd8ixHKJCgChZ2IZE
BLCHaQTEbmfy8RQ+po0cKOthWFDx8gsx2AjdkLO5PPaHPujIXyfz8QI=
-----END CERTIFICATE-----" \
-p 9080:9080 \
-p 9443:9443 \
api7/api7-ee-3-gateway:dev

备注

部署后，如果不重新启动网关实例，则无法修改其环境变量。

Kubernetes

在部署网关实例时设置环境变量。请按照添加网关实例的说明，然后将环境变量添加到生成的脚本/YAML 中。

脚本示例，向 helm upgrade 命令添加自定义环境变量：

helm repo add api7 https://charts.api7.ai
helm repo update
cat > /tmp/tls.crt <<EOF
-----BEGIN CERTIFICATE-----
MIIBiDCCATqgAwIBAgICBAAwBQYDK2VwMEQxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
EwpDYWxpZm9ybmlhMQ0wCwYDVQQKEwRBUEk3MREwDwYDVQQDEwhBUEk3IEluYzAe
Fw0yNDEwMjkwMjM2NDZaFw0yNTExMjgwMjM2NDZaMDAxDTALBgNVBAoTBEFQSTcx
HzAdBgNVBAMTFmFwaTdlZTMtYXBpc2l4LWdhdGV3YXkwKjAFBgMrZXADIQC/VNWu
FG+9OiY1/oq3FQerIY5EPIxf/IBOwtVjwBB2gqNkMGIwDgYDVR0PAQH/BAQDAgeA
MBMGA1UdJQQMMAoGCCsGAQUFBwMCMC0GA1UdDgQmBCQ3NDdjMTRiZS1jMjkxLTQ4
MzktYmY1OC1hOGI5NzEyMzFlNGUwDAYDVR0jBAUwA4ABMDAFBgMrZXADQQBmdE9t
Y33uJexnJ268Hk8RhMP/tO5ieogCwvlv2Hdv9r5FMZ+i/46k/aCOExoy+APGh95v
R0Hdari+JQeub7oB
-----END CERTIFICATE-----
EOF
cat > /tmp/tls.key <<EOF
-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEIPq6J0PDW7N4p0lTpPpsbNhYXF6mTCQWcoDC0je5xHAO
-----END PRIVATE KEY-----
EOF
cat > /tmp/ca.crt <<EOF
-----BEGIN CERTIFICATE-----
MIIBdTCCASegAwIBAgIQVXqTFu/hH4caZptKdGp04zAFBgMrZXAwRDELMAkGA1UE
BhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExDTALBgNVBAoTBEFQSTcxETAPBgNV
BAMTCEFQSTcgSW5jMB4XDTI0MDkwNzA4MTc0NVoXDTM0MDkwNTA4MTc0NVowRDEL
MAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExDTALBgNVBAoTBEFQSTcx
ETAPBgNVBAMTCEFQSTcgSW5jMCowBQYDK2VwAyEAkTj447bpztG1dc0HVW74za+v
NEAhU7mySYSmUSwdRfCjLzAtMA4GA1UdDwEB/wQEAwIChDAPBgNVHRMBAf8EBTAD
AQH/MAoGA1UdDgQDBAEwMAUGAytlcANBAKxxBg/CEnOoxQnVd8ixHKJCgChZ2IZE
BLCHaQTEbmfy8RQ+po0cKOthWFDx8gsx2AjdkLO5PPaHPujIXyfz8QI=
-----END CERTIFICATE-----
EOF
kubectl create namespace test --dry-run=client -o yaml | kubectl apply -f -
kubectl create secret generic -n test api7-ee-3-gateway-tls --from-file=tls.crt=/tmp/tls.crt --from-file=tls.key=/tmp/tls.key --from-file=ca.crt=/tmp/ca.crt
helm upgrade --install -n test --create-namespace api7-ee-3-gateway api7/gateway \
  --set "etcd.auth.tls.enabled=true" \
  --set "etcd.auth.tls.existingSecret=api7-ee-3-gateway-tls" \
  --set "etcd.auth.tls.certFilename=tls.crt" \
  --set "etcd.auth.tls.certKeyFilename=tls.key" \
  --set "etcd.auth.tls.verify=true" \
  --set "gateway.tls.existingCASecret=api7-ee-3-gateway-tls" \
  --set "gateway.tls.certCAFilename=ca.crt" \
  --set "apisix.extraEnvVars[0].name=API7_GATEWAY_GROUP_SHORT_ID" \
  --set "apisix.extraEnvVars[0].value=default" \
  --set "apisix.extraEnvVars[1].name=ALICE_AUTH_KEY" \
  --set "apisix.extraEnvVars[1].value=alice-key" \
  --set "etcd.host[0]=https://your-host-or-ip:443" \
  --set "apisix.replicaCount=1" \
  --set "apisix.image.repository=api7/api7-ee-3-gateway" \
  --set "apisix.image.tag=dev"

YAML 示例：

apiVersion: v1
data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJpRENDQVRxZ0F3SUJBZ0lDQkFBd0JRWURLMlZ3TUVReEN6QUpCZ05WQkFZVEFsVlRNUk13RVFZRFZRUUkKRXdwRFlXeHBabTl5Ym1saE1RMHdDd1lEVlFRS0V3UkJVRWszTVJFd0R3WURWUVFERXdoQlVFazNJRWx1WXpBZQpGdzB5TkRFd01qa3dNak0yTkRaYUZ3MHlOVEV4TWpnd01qTTJORFphTURBeERUQUxCZ05WQkFvVEJFRlFTVGN4Ckh6QWRCZ05WQkFNVEZtRndhVGRsWlRNdFlYQnBjMmw0TFdkaGRHVjNZWGt3S2pBRkJnTXJaWEFESVFBZTlJR3UKUFphOVcwS3RYcnVNRmpXMEdvUjdsc3oxNUVwQ1B3bnhnTU9ENWFOa01HSXdEZ1lEVlIwUEFRSC9CQVFEQWdlQQpNQk1HQTFVZEpRUU1NQW9HQ0NzR0FRVUZCd01DTUMwR0ExVWREZ1FtQkNRd09UbGlOVGcyTXkwNU1XSXlMVFF3Ck5HSXRZamsxTnkxa01UbGlaRE13TmpZek1HSXdEQVlEVlIwakJBVXdBNEFCTURBRkJnTXJaWEFEUVFEVVpsOTYKZTJOUUd6QXNwaUQ5Y0FlY2w5QmZTNFdTWFIwb1R3M1NBZytEN0lYVTVzT09meWlWVjR1SnRBeldIOVJaN3lNSwo5dkR1V2RlWEFhTlI4T01DCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1DNENBUUF3QlFZREsyVndCQ0lFSUdkTTBGT2VMNGk4T2dLTjNGd3JhL1NZQnNWWnZoWWVHVXlKd05YdnIwdXUKLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQ==
  ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJkVENDQVNlZ0F3SUJBZ0lRVlhxVEZ1L2hINGNhWnB0S2RHcDA0ekFGQmdNclpYQXdSREVMTUFrR0ExVUUKQmhNQ1ZWTXhFekFSQmdOVkJBZ1RDa05oYkdsbWIzSnVhV0V4RFRBTEJnTlZCQW9UQkVGUVNUY3hFVEFQQmdOVgpCQU1UQ0VGUVNUY2dTVzVqTUI0WERUSTBNRGt3TnpBNE1UYzBOVm9YRFRNME1Ea3dOVEE0TVRjME5Wb3dSREVMCk1Ba0dBMVVFQmhNQ1ZWTXhFekFSQmdOVkJBZ1RDa05oYkdsbWIzSnVhV0V4RFRBTEJnTlZCQW9UQkVGUVNUY3gKRVRBUEJnTlZCQU1UQ0VGUVNUY2dTVzVqTUNvd0JRWURLMlZ3QXlFQWtUajQ0N2JwenRHMWRjMEhWVzc0emErdgpORUFoVTdteVNZU21VU3dkUmZDakx6QXRNQTRHQTFVZER3RUIvd1FFQXdJQ2hEQVBCZ05WSFJNQkFmOEVCVEFECkFRSC9NQW9HQTFVZERnUURCQUV3TUFVR0F5dGxjQU5CQUt4eEJnL0NFbk9veFFuVmQ4aXhIS0pDZ0NoWjJJWkUKQkxDSGFRVEVibWZ5OFJRK3BvMGNLT3RoV0ZEeDhnc3gyQWpka0xPNVBQYUhQdWpJWHlmejhRST0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ==
kind: Secret
metadata:
  namespace: api7
  name: api7-ee-3-gateway-tls
type: kubernetes.io/tls
---
apisix:
  replicaCount: 1
  image:
    repository: api7/api7-ee-3-gateway
    tag: dev
  extraEnvVars:
  - name: API7_GATEWAY_GROUP_SHORT_ID
    value: "default"
  - name: ALICE_AUTH_KEY
    value: "alice-key"
etcd:
  host:
  - "https://your-host-or-ip:443"
  auth:
    tls:
      enabled: true
      existingSecret: api7-ee-3-gateway-tls
      certFilename: tls.crt
      certKeyFilename: tls.key
      verify: true
gateway:
  tls:
    existingCASecret: api7-ee-3-gateway-tls
    certCAFilename: ca.crt

备注

部署后，如果不重新启动网关实例，则无法修改其环境变量。

使用环境变量配置消费者凭证

1. 从侧边导航栏中选择你网关组的消费者（Consumers）。
2. 点击**+ 添加消费者（Add Consumer）**。
3. 在对话框中，执行以下操作：

• 在**名称（Name）**字段中，输入 Alice。
• 点击添加（Add）。

4. 在凭证（Credentials）选项卡下，点击+ 添加密钥身份验证凭证（Add Key Authentication Credential）。
5. 在对话框中，执行以下操作：

• 在**名称（Name）**字段中，输入 primary-key。
• 在密钥（Key）字段中，选择手动输入（Manually Input），然后输入 $env://ALICE_AUTH_KEY。
• 点击添加（Add）。

6. 要进行验证，请参阅为 API 启用密钥身份验证（Enable Key Authentication for APIs）以在服务级别启用 key-auth 插件，然后按照验证密钥身份验证（Validate Key Authentication）进行验证。

SSL 证书

SSL 证书中的敏感字段 private key（私钥）和 certificate（证书）可以通过 NGINX env 指令存储在环境变量中。

以下示例演示了如何配置 SSL 证书以从环境变量中获取敏感数据。

设置环境变量

Docker

在部署网关实例时设置环境变量。请按照添加网关实例的说明，然后将环境变量添加到生成的脚本中。

Docker 示例，向 docker run 命令添加自定义环境变量：

docker run -d -e API7_CONTROL_PLANE_ENDPOINTS='["https://your-host-or-ip:443"]' \
-e API7_GATEWAY_GROUP_SHORT_ID=default \
-e SSL_CERTIFICATE="-----BEGIN CERTIFICATE-----
MIIBiDCCATqgAwIBAgICBAAwBQYDK2VwMEQxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
EwpDYWxpZm9ybmlhMQ0wCwYDVQQKEwRBUEk3MREwDwYDVQQDEwhBUEk3IEluYzAe
Fw0yNDEwMjkwMzM4NTJaFw0yNTExMjgwMzM4NTJaMDAxDTALBgNVBAoTBEFQSTcx
HzAdBgNVBAMTFmFwaTdlZTMtYXBpc2l4LWdhdGV3YXkwKjAFBgMrZXADIQBpBV0D
YBeCedUrIWvyk2YHORcmzBeCiActHJk3u4ZkyKNkMGIwDgYDVR0PAQH/BAQDAgeA
MBMGA1UdJQQMMAoGCCsGAQUFBwMCMC0GA1UdDgQmBCQyOWEzZmVlZi1hNzM2LTQy
OTEtODlmZS0xOWI4MDFjODNjZWQwDAYDVR0jBAUwA4ABMDAFBgMrZXADQQA0aeIB
5Gy5cVYrRgM+PRduSumjDMyDFNbH01GNQ/5RTeyMaH3lAj64JLOO4sQe7gy3dDxx
b7N9mKGl8iMzSLwF
-----END CERTIFICATE-----" \
-e SSL_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEIJ6hn4EQKXSh4U+2SFPJhBh3RxN/1trnsu2Zjp6hRB5A
-----END PRIVATE KEY-----" \
-e API7_CONTROL_PLANE_CERT="-----BEGIN CERTIFICATE-----
MIIBiDCCATqgAwIBAgICBAAwBQYDK2VwMEQxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
EwpDYWxpZm9ybmlhMQ0wCwYDVQQKEwRBUEk3MREwDwYDVQQDEwhBUEk3IEluYzAe
Fw0yNDEwMjkwMzM4NTJaFw0yNTExMjgwMzM4NTJaMDAxDTALBgNVBAoTBEFQSTcx
HzAdBgNVBAMTFmFwaTdlZTMtYXBpc2l4LWdhdGV3YXkwKjAFBgMrZXADIQBpBV0D
YBeCedUrIWvyk2YHORcmzBeCiActHJk3u4ZkyKNkMGIwDgYDVR0PAQH/BAQDAgeA
MBMGA1UdJQQMMAoGCCsGAQUFBwMCMC0GA1UdDgQmBCQyOWEzZmVlZi1hNzM2LTQy
OTEtODlmZS0xOWI4MDFjODNjZWQwDAYDVR0jBAUwA4ABMDAFBgMrZXADQQA0aeIB
5Gy5cVYrRgM+PRduSumjDMyDFNbH01GNQ/5RTeyMaH3lAj64JLOO4sQe7gy3dDxx
b7N9mKGl8iMzSLwF
-----END CERTIFICATE-----" \
-e API7_CONTROL_PLANE_KEY="-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEIJ6hn4EQKXSh4U+2SFPJhBh3RxN/1trnsu2Zjp6hRB5A
-----END PRIVATE KEY-----" \
-e API7_CONTROL_PLANE_CA="-----BEGIN CERTIFICATE-----
MIIBdTCCASegAwIBAgIQVXqTFu/hH4caZptKdGp04zAFBgMrZXAwRDELMAkGA1UE
BhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExDTALBgNVBAoTBEFQSTcxETAPBgNV
BAMTCEFQSTcgSW5jMB4XDTI0MDkwNzA4MTc0NVoXDTM0MDkwNTA4MTc0NVowRDEL
MAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExDTALBgNVBAoTBEFQSTcx
ETAPBgNVBAMTCEFQSTcgSW5jMCowBQYDK2VwAyEAkTj447bpztG1dc0HVW74za+v
NEAhU7mySYSmUSwdRfCjLzAtMA4GA1UdDwEB/wQEAwIChDAPBgNVHRMBAf8EBTAD
AQH/MAoGA1UdDgQDBAEwMAUGAytlcANBAKxxBg/CEnOoxQnVd8ixHKJCgChZ2IZE
BLCHaQTEbmfy8RQ+po0cKOthWFDx8gsx2AjdkLO5PPaHPujIXyfz8QI=
-----END CERTIFICATE-----" \
-p 9080:9080 \
-p 9443:9443 \
api7/api7-ee-3-gateway:dev

备注

部署后，如果不重新启动网关实例，则无法修改其环境变量。

Kubernetes

在部署网关实例时设置环境变量。请按照添加网关实例的说明，然后将环境变量作为 Kubernetes Secrets 包含在生成的脚本或 YAML 文件中。

脚本示例：

helm repo add api7 https://charts.api7.ai
helm repo update
cat > /tmp/tls.crt <<EOF
-----BEGIN CERTIFICATE-----
MIIBiDCCATqgAwIBAgICBAAwBQYDK2VwMEQxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
EwpDYWxpZm9ybmlhMQ0wCwYDVQQKEwRBUEk3MREwDwYDVQQDEwhBUEk3IEluYzAe
Fw0yNDEwMjkwOTE3NThaFw0yNTExMjgwOTE3NThaMDAxDTALBgNVBAoTBEFQSTcx
HzAdBgNVBAMTFmFwaTdlZTMtYXBpc2l4LWdhdGV3YXkwKjAFBgMrZXADIQDT/g4a
WVWigZG2oWGlDLTtTKBtHVystWQxj6XhG1vANaNkMGIwDgYDVR0PAQH/BAQDAgeA
MBMGA1UdJQQMMAoGCCsGAQUFBwMCMC0GA1UdDgQmBCRhMDQ2NGY4YS1kM2FhLTRk
MTMtODk5MC0xYmE0MWM1NGYxMTgwDAYDVR0jBAUwA4ABMDAFBgMrZXADQQActMzf
rggeykNFWKlqqyyQoqK8c9fFmplSHY7zYbUEydmq0LNLnnZAp2LmesUDVh4cbJCK
9haqhJ7oCgKk5psG
-----END CERTIFICATE-----
EOF
cat > /tmp/tls.key <<EOF
-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEIA9uC9kLMs11oG50sFpUFrcbHvRu/BtwUGfKISzYiXV+
-----END PRIVATE KEY-----
EOF
cat > /tmp/ca.crt <<EOF
-----BEGIN CERTIFICATE-----
MIIBdTCCASegAwIBAgIQVXqTFu/hH4caZptKdGp04zAFBgMrZXAwRDELMAkGA1UE
BhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExDTALBgNVBAoTBEFQSTcxETAPBgNV
BAMTCEFQSTcgSW5jMB4XDTI0MDkwNzA4MTc0NVoXDTM0MDkwNTA4MTc0NVowRDEL
MAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExDTALBgNVBAoTBEFQSTcx
ETAPBgNVBAMTCEFQSTcgSW5jMCowBQYDK2VwAyEAkTj447bpztG1dc0HVW74za+v
NEAhU7mySYSmUSwdRfCjLzAtMA4GA1UdDwEB/wQEAwIChDAPBgNVHRMBAf8EBTAD
AQH/MAoGA1UdDgQDBAEwMAUGAytlcANBAKxxBg/CEnOoxQnVd8ixHKJCgChZ2IZE
BLCHaQTEbmfy8RQ+po0cKOthWFDx8gsx2AjdkLO5PPaHPujIXyfz8QI=
-----END CERTIFICATE-----
EOF
kubectl create namespace demo --dry-run=client -o yaml | kubectl apply -f -
kubectl create secret generic -n demo api7-ee-3-gateway-tls --from-file=tls.crt=/tmp/tls.crt --from-file=tls.key=/tmp/tls.key --from-file=ca.crt=/tmp/ca.crt
kubectl apply -n demo -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  namespace: api7
  name: env-secrets
  namespace: demo
type: Opaque
data:
  SSL_CERTIFICATE:  LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJpRENDQVRxZ0F3SUJBZ0lDQkFBd0JRWURLMlZ3TUVReEN6QUpCZ05WQkFZVEFsVlRNUk13RVFZRFZRUUkKRXdwRFlXeHBabTl5Ym1saE1RMHdDd1lEVlFRS0V3UkJVRWszTVJFd0R3WURWUVFERXdoQlVFazNJRWx1WXpBZQpGdzB5TkRFd01qa3dPVEUwTlRSYUZ3MHlOVEV4TWpnd09URTBOVFJhTURBeERUQUxCZ05WQkFvVEJFRlFTVGN4Ckh6QWRCZ05WQkFNVEZtRndhVGRsWlRNdFlYQnBjMmw0TFdkaGRHVjNZWGt3S2pBRkJnTXJaWEFESVFDcitTZ1gKVW5HT0NZbjRtb3RiRWRLbWpPUkhuMFRjVHBwc1VqVE5BRFdMbmFOa01HSXdEZ1lEVlIwUEFRSC9CQVFEQWdlQQpNQk1HQTFVZEpRUU1NQW9HQ0NzR0FRVUZCd01DTUMwR0ExVWREZ1FtQkNRNE5EZzBNVFkyT1MweVpqQTNMVFF6Ck9UTXRPR0poWWkwMU5tVTRNekEzWm1NNFpXSXdEQVlEVlIwakJBVXdBNEFCTURBRkJnTXJaWEFEUVFDbTFxcmsKMkJ2cDRJdGpiWS82bWJZQlEzbndJRTRjbWxISityb0RDNk9GUVdkMG8rSmNMYjljS1ZnM1J5Q21mWmZVYUZXRQpVRkFocjJ3ZnllNXl1WThKCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
  SSL_PRIVATE_KEY: 
  TUM0Q0FRQXdCUVlESzJWd0JDSUVJQTl1QzlrTE1zMTFvRzUwc0ZwVUZyY2JIdlJ1L0J0d1VHZktJU3pZaVhWKw==
EOF
helm upgrade --install -n demo --create-namespace api7-ee-3-gateway api7/gateway \
  --set "etcd.auth.tls.enabled=true" \
  --set "etcd.auth.tls.existingSecret=api7-ee-3-gateway-tls" \
  --set "etcd.auth.tls.certFilename=tls.crt" \
  --set "etcd.auth.tls.certKeyFilename=tls.key" \
  --set "etcd.auth.tls.verify=true" \
  --set "gateway.tls.existingCASecret=api7-ee-3-gateway-tls" \
  --set "gateway.tls.certCAFilename=ca.crt" \
  --set "apisix.extraEnvVars[0].name=API7_GATEWAY_GROUP_SHORT_ID" \
  --set "apisix.extraEnvVars[0].value=default" \
  --set "apisix.extraEnvVarsSecret=env-secrets" \
  --set "etcd.host[0]=https://your-host-or-ip:443" \
  --set "apisix.replicaCount=1" \
  --set "apisix.image.repository=api7/api7-ee-3-gateway" \
  --set "apisix.image.tag=dev"

YAML 示例：

apiVersion: v1
data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJpRENDQVRxZ0F3SUJBZ0lDQkFBd0JRWURLMlZ3TUVReEN6QUpCZ05WQkFZVEFsVlRNUk13RVFZRFZRUUkKRXdwRFlXeHBabTl5Ym1saE1RMHdDd1lEVlFRS0V3UkJVRWszTVJFd0R3WURWUVFERXdoQlVFazNJRWx1WXpBZQpGdzB5TkRFd01qa3dNak0yTkRaYUZ3MHlOVEV4TWpnd01qTTJORFphTURBeERUQUxCZ05WQkFvVEJFRlFTVGN4Ckh6QWRCZ05WQkFNVEZtRndhVGRsWlRNdFlYQnBjMmw0TFdkaGRHVjNZWGt3S2pBRkJnTXJaWEFESVFBZTlJR3UKUFphOVcwS3RYcnVNRmpXMEdvUjdsc3oxNUVwQ1B3bnhnTU9ENWFOa01HSXdEZ1lEVlIwUEFRSC9CQVFEQWdlQQpNQk1HQTFVZEpRUU1NQW9HQ0NzR0FRVUZCd01DTUMwR0ExVWREZ1FtQkNRd09UbGlOVGcyTXkwNU1XSXlMVFF3Ck5HSXRZamsxTnkxa01UbGlaRE13TmpZek1HSXdEQVlEVlIwakJBVXdBNEFCTURBRkJnTXJaWEFEUVFEVVpsOTYKZTJOUUd6QXNwaUQ5Y0FlY2w5QmZTNFdTWFIwb1R3M1NBZytEN0lYVTVzT09meWlWVjR1SnRBeldIOVJaN3lNSwo5dkR1V2RlWEFhTlI4T01DCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1DNENBUUF3QlFZREsyVndCQ0lFSUdkTTBGT2VMNGk4T2dLTjNGd3JhL1NZQnNWWnZoWWVHVXlKd05YdnIwdXUKLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQ==
  ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJkVENDQVNlZ0F3SUJBZ0lRVlhxVEZ1L2hINGNhWnB0S2RHcDA0ekFGQmdNclpYQXdSREVMTUFrR0ExVUUKQmhNQ1ZWTXhFekFSQmdOVkJBZ1RDa05oYkdsbWIzSnVhV0V4RFRBTEJnTlZCQW9UQkVGUVNUY3hFVEFQQmdOVgpCQU1UQ0VGUVNUY2dTVzVqTUI0WERUSTBNRGt3TnpBNE1UYzBOVm9YRFRNME1Ea3dOVEE0TVRjME5Wb3dSREVMCk1Ba0dBMVVFQmhNQ1ZWTXhFekFSQmdOVkJBZ1RDa05oYkdsbWIzSnVhV0V4RFRBTEJnTlZCQW9UQkVGUVNUY3gKRVRBUEJnTlZCQU1UQ0VGUVNUY2dTVzVqTUNvd0JRWURLMlZ3QXlFQWtUajQ0N2JwenRHMWRjMEhWVzc0emErdgpORUFoVTdteVNZU21VU3dkUmZDakx6QXRNQTRHQTFVZER3RUIvd1FFQXdJQ2hEQVBCZ05WSFJNQkFmOEVCVEFECkFRSC9NQW9HQTFVZERnUURCQUV3TUFVR0F5dGxjQU5CQUt4eEJnL0NFbk9veFFuVmQ4aXhIS0pDZ0NoWjJJWkUKQkxDSGFRVEVibWZ5OFJRK3BvMGNLT3RoV0ZEeDhnc3gyQWpka0xPNVBQYUhQdWpJWHlmejhRST0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ==
kind: Secret
metadata:
  namespace: api7
  name: api7-ee-3-gateway-tls
type: kubernetes.io/tls
---
apiVersion: v1
kind: Secret
metadata:
  namespace: api7
  name: env-secrets
  namespace: demo
type: Opaque
data:
  SSL_CERTIFICATE:  LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJpRENDQVRxZ0F3SUJBZ0lDQkFBd0JRWURLMlZ3TUVReEN6QUpCZ05WQkFZVEFsVlRNUk13RVFZRFZRUUkKRXdwRFlXeHBabTl5Ym1saE1RMHdDd1lEVlFRS0V3UkJVRWszTVJFd0R3WURWUVFERXdoQlVFazNJRWx1WXpBZQpGdzB5TkRFd01qa3dPVEUwTlRSYUZ3MHlOVEV4TWpnd09URTBOVFJhTURBeERUQUxCZ05WQkFvVEJFRlFTVGN4Ckh6QWRCZ05WQkFNVEZtRndhVGRsWlRNdFlYQnBjMmw0TFdkaGRHVjNZWGt3S2pBRkJnTXJaWEFESVFDcitTZ1gKVW5HT0NZbjRtb3RiRWRLbWpPUkhuMFRjVHBwc1VqVE5BRFdMbmFOa01HSXdEZ1lEVlIwUEFRSC9CQVFEQWdlQQpNQk1HQTFVZEpRUU1NQW9HQ0NzR0FRVUZCd01DTUMwR0ExVWREZ1FtQkNRNE5EZzBNVFkyT1MweVpqQTNMVFF6Ck9UTXRPR0poWWkwMU5tVTRNekEzWm1NNFpXSXdEQVlEVlIwakJBVXdBNEFCTURBRkJnTXJaWEFEUVFDbTFxcmsKMkJ2cDRJdGpiWS82bWJZQlEzbndJRTRjbWxISityb0RDNk9GUVdkMG8rSmNMYjljS1ZnM1J5Q21mWmZVYUZXRQpVRkFocjJ3ZnllNXl1WThKCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
  SSL_PRIVATE_KEY: 
  TUM0Q0FRQXdCUVlESzJWd0JDSUVJQTl1QzlrTE1zMTFvRzUwc0ZwVUZyY2JIdlJ1L0J0d1VHZktJU3pZaVhWKw==
---
apisix:
  replicaCount: 1
  image:
    repository: api7/api7-ee-3-gateway
    tag: dev
  extraEnvVars:
  - name: API7_GATEWAY_GROUP_SHORT_ID
    value: "default"
  extraEnvVarsSecret: env-secrets
etcd:
  host:
  - "https://your-host-or-ip:443"
  auth:
    tls:
      enabled: true
      existingSecret: api7-ee-3-gateway-tls
      certFilename: tls.crt
      certKeyFilename: tls.key
      verify: true
gateway:
  tls:
    existingCASecret: api7-ee-3-gateway-tls
    certCAFilename: ca.crt

备注

部署后，如果不重新启动网关实例，则无法修改其环境变量。

使用环境变量配置 SSL 证书

1. 从侧边导航栏中选择你网关组的SSL 证书（SSL Certificates）。
2. 点击**+ 添加 SSL 证书（Add SSL Certificate）**。
3. 在对话框中，执行以下操作：

• 在**证书（Certificate）**字段中，输入 $env://SSL_CERTIFICATE。
• 在**私钥（Key）**字段中，输入 $env://SSL_PRIVATE_KEY。
• 点击添加（Add）。