APISIX

API Gateway with TLS termination, per-service route generation, OIDC auth, rate limiting, CORS, IP whitelisting, proxy-rewrite, and WebSocket support. Each linked component gets a dedicated route file in the route/ directory.

Architecture

APISIX Gateway - API routing, TLS termination, plugin execution (:9080/:9443)
APISIX Controller - Syncs ApisixRoute/ApisixUpstream CRDs to APISIX config
APISIX Dashboard - Admin web UI for route management
etcd - Configuration store for gateway state
CRDs - ApisixRoute, ApisixUpstream, ApisixTls, ApisixConsumer per linked service

Attributes

| Attribute | Example | Description |
|---|---|---|
| namespace (REQ) | ingress-apisix | Kubernetes namespace for all generated manifests, services, and route CRDs |
| apisix_version | 3.9.1-debian-12-r3 | APISIX container image tag in helm-values-apix.yaml |
| external_traffic | Local | Service externalTrafficPolicy in kustomization.yaml. Local preserves the client source IP; Cluster distributes evenly. |

Configuration (Stack-Level)

| Config | Default | Effect |
|---|---|---|
| domain | stack-3.source-lab.io | Base domain for all route hosts: {subdomain}.{domain}. Also used for TLS certificate matching. |
| chart_version_apisix | 2.10.0 | Helm chart version for APISIX gateway |
| chart_version_apisix_controller | 1.0.5 | Helm chart version for APISIX Ingress Controller |
| chart_version_apisix_dashboard | 0.8.2 | Helm chart version for APISIX Dashboard |

Sub-Components

gateway - HTTP/API Gateway Route

Each gateway generates: ApisixConsumer (if api_key) + ApisixUpstream + ApisixRoute + ApisixTls in route/gateway.yaml. Upstream can include multiple weighted backends via gateway-external_source_code links.

| Attribute | Example | Impact |
|---|---|---|
| subdomain (REQ) | api | Host match: {subdomain}.{domain} |
| api_key | secret123 | Enables key-auth plugin + generates ApisixConsumer |

Common link attributes also apply: apisix_oidc_enable, apisix_oidc_param, apisix_timeout, websocket, rate_limiting, cors, cors_headers, whitelist, ip_whitelist, proxy_rewrite, headers (see Common Link Attributes below)

gateway-external_source_code link attributes:
weight (default 50) - Load balancing weight per backend in the upstream node list

ai_gateway - AI Model Gateway Route

Each ai_gateway generates: ApisixConsumer (if api_key) + ApisixUpstream + ApisixRoute in route/ai_gateway.yaml. External AI backends generate additional resources in route/ai_gateway_external.yaml.

| Attribute | Example | Impact |
|---|---|---|
| subdomain (REQ) | ai | Host match: {subdomain}.{domain} |
| api_key | secret123 | Enables key-auth plugin + generates ApisixConsumer |

Common link attributes also apply: apisix_oidc_enable, apisix_oidc_param, apisix_timeout, websocket, rate_limiting, cors, cors_headers, whitelist, ip_whitelist, proxy_rewrite, headers

| AI Backend Link Attribute | Example | Impact |
|---|---|---|
| path | /v1/* | URL path match on ApisixRoute. Default: /v1/* |
| deny_patterns | (multiline list) | ai-prompt-guard plugin: blocked prompt patterns |
| allow_patterns | (multiline list) | ai-prompt-guard plugin: allowed prompt patterns |
| prompt_decorator | (multiline) | ai-prompt-decorator plugin: system prompt prepend rules |
| ai_rate_limit | (multiline config) | ai-rate-limiting plugin: AI-specific rate limits |

Backend link types:
ai_gateway-vllm → vLLM router service ({name}-router-service.{ns}:80)
ai_gateway-model → vLLM model sub-component ({model}.{parent_ns}:80)
ai_gateway-external_ai → External AI provider ({ai_endpoint}:443). Attributes: ai_provider (default "openai"), ai_provider_api_key. Azure uses api-key header; others use Authorization: Bearer.

Common Link Attributes (applied on most outbound links)

These attributes are available on most outbound links (apisix-X). Each controls an APISIX plugin or upstream behavior in the generated route file.
Exceptions: rabbitmq has NO OIDC. bridge has NO apisix_timeout. kubecost only supports subdomain, OIDC, ip_whitelist. vllm uses component attributes instead (see below).

| Link Attribute | Example | Behavior |
|---|---|---|
| subdomain (REQ) | grafana | Route host match: {subdomain}.{domain}. Also used in ApisixTls SNI. |
| apisix_timeout | (multiline YAML) | ApisixUpstream timeout block (connect/send/read). Each line becomes a YAML key-value. |
| websocket | true | Enables enableWebsocket: true on ApisixRoute |
| apisix_oidc_enable | true | Enables openid-connect plugin on route. Requires apisix_oidc_param to be set. |
| apisix_oidc_param | (multiline YAML) | OIDC plugin config (client_id, client_secret, discovery, etc.). Only used when apisix_oidc_enable is true. |
| rate_limiting | true | Enables limit-count plugin (100 requests per 60 seconds) |
| cors | true | Enables cors plugin with allow_origins: "*". Override with cors_headers. |
| cors_headers | (multiline) | Custom CORS config lines. Replaces the default allow_origins: "*" when set. |
| whitelist | true | Enables ip-restriction plugin. Requires ip_whitelist to be set. |
| ip_whitelist | 10.0.0.0/8 192.168.1.0/24 | Space-separated IP/CIDR allow list. Only used when whitelist is true. |
| proxy_rewrite | true | Enables proxy-rewrite plugin. Uses headers for header injection. |
| headers | X-Custom: value | Space-separated key-value pairs for proxy-rewrite header injection. Only used when proxy_rewrite is true. |

Attribute Dependencies & Conditional Behavior

| Toggle | Requires | Behavior |
|---|---|---|
| apisix_oidc_enable = true | apisix_oidc_param | Adds openid-connect plugin block to ApisixRoute. Without apisix_oidc_param the plugin has no config. |
| whitelist = true | ip_whitelist | Adds ip-restriction plugin. Without ip_whitelist there are no IPs to allow. |
| proxy_rewrite = true | headers | Adds proxy-rewrite plugin. headers provides key-value pairs for header injection. |
| cors = true | cors_headers (optional) | If cors_headers is set: uses the custom CORS config. If empty: defaults to allow_origins: "*". |
| api_key set (gateway/ai_gateway) | (none) | Generates ApisixConsumer with key-auth plugin + adds key-auth to the route plugin chain. |
| Keycloak version detection | (auto) | If the Keycloak tag is v1.3_keycloak-x: upstream uses keycloak-keycloakx-http.{ns}:80. Otherwise: {name}.{ns}:80. |
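The two tables above describe a mapping from link toggles to plugin blocks, and the dependencies between them. The following is an added example, not the generator's own template code, that performs that mapping for one outbound link and reports toggles whose companion attribute is missing (the cases the dependency table calls out: whitelist without ip_whitelist, OIDC without apisix_oidc_param, proxy_rewrite without headers, cors falling back to "*"). The ApisixRoute v2 CRD layout and the plugin names are real; the exact plugin config keys chosen here (limit-count keyed on remote_addr with rejected_code 429, proxy-rewrite headers.set) and the assumption that headers pairs are written as `Name: value` are this example's choices and may differ from the generated files.

```python
"""Added example: common link attributes -> ApisixRoute plugin chain, with dependency checks."""
import ipaddress
import re
from typing import Any

# Defaults stated in the attribute table: limit-count allows 100 requests per
# 60 seconds, and cors falls back to allow_origins "*".
RATE_LIMIT_COUNT = 100
RATE_LIMIT_WINDOW = 60

_HEADER_PAIR = re.compile(r"([A-Za-z0-9-]+):\s*(\S+)")


def _flag(attrs: dict, name: str) -> bool:
    """Link toggles arrive as strings ('true'/'false'); anything else counts as off."""
    return str(attrs.get(name, "")).strip().lower() == "true"


def parse_ip_whitelist(value: str) -> list[str]:
    """Space-separated IP/CIDR list, e.g. '10.0.0.0/8 192.168.1.0/24'.
    Every entry is validated so a typo cannot silently change the allow list."""
    entries = []
    for token in value.split():
        ipaddress.ip_network(token, strict=False)  # raises ValueError on junk
        entries.append(token)
    return entries


def parse_headers(value: str) -> dict[str, str]:
    """'X-Custom: value X-Other: v2' -> {'X-Custom': 'value', 'X-Other': 'v2'}.
    Assumption: each pair is written 'Name: value' (the page says only space-separated pairs)."""
    return dict(_HEADER_PAIR.findall(value))


def parse_kv_lines(value: str) -> dict[str, str]:
    """Multiline 'key: value' text (apisix_oidc_param, cors_headers): one key per line."""
    out: dict[str, str] = {}
    for line in value.splitlines():
        if ":" in line:
            key, val = line.split(":", 1)
            out[key.strip()] = val.strip()
    return out


def build_plugins(attrs: dict) -> tuple[list[dict[str, Any]], list[str]]:
    """Map the common toggles to plugin entries; return (plugins, warnings) where
    warnings lists toggles enabled without their required companion attribute."""
    plugins: list[dict[str, Any]] = []
    warnings: list[str] = []

    if _flag(attrs, "apisix_oidc_enable"):
        cfg = parse_kv_lines(attrs.get("apisix_oidc_param", ""))
        if not cfg:
            warnings.append("apisix_oidc_enable=true but apisix_oidc_param is empty: openid-connect has no config")
        plugins.append({"name": "openid-connect", "enable": True, "config": cfg})

    if _flag(attrs, "rate_limiting"):
        plugins.append({"name": "limit-count", "enable": True, "config": {
            "count": RATE_LIMIT_COUNT, "time_window": RATE_LIMIT_WINDOW,
            "key": "remote_addr", "rejected_code": 429}})  # key/rejected_code: example's choice

    if _flag(attrs, "cors"):
        custom = parse_kv_lines(attrs.get("cors_headers", ""))
        if not custom:
            warnings.append("cors=true without cors_headers: allow_origins defaults to '*'")
        plugins.append({"name": "cors", "enable": True, "config": custom or {"allow_origins": "*"}})

    if _flag(attrs, "whitelist"):
        allowed = parse_ip_whitelist(attrs.get("ip_whitelist", ""))
        if not allowed:
            warnings.append("whitelist=true but ip_whitelist is empty: ip-restriction has no IPs to allow")
        plugins.append({"name": "ip-restriction", "enable": True, "config": {"whitelist": allowed}})

    if _flag(attrs, "proxy_rewrite"):
        headers = parse_headers(attrs.get("headers", ""))
        if not headers:
            warnings.append("proxy_rewrite=true but headers is empty: nothing to inject")
        plugins.append({"name": "proxy-rewrite", "enable": True, "config": {"headers": {"set": headers}}})

    return plugins, warnings


def build_route(name: str, component: str, namespace: str, domain: str,
                attrs: dict) -> tuple[dict[str, Any], list[str]]:
    """One ApisixRoute for an outbound link: host {subdomain}.{domain}, backend
    {component}:80 in the same namespace, and the plugin chain from the toggles."""
    plugins, warnings = build_plugins(attrs)
    route = {
        "apiVersion": "apisix.apache.org/v2",
        "kind": "ApisixRoute",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {"http": [{
            "name": name,
            "match": {"hosts": [f"{attrs['subdomain']}.{domain}"], "paths": ["/*"]},
            "backends": [{"serviceName": component, "servicePort": 80}],
            # The ApisixRoute v2 CRD field is spec.http[].websocket.
            "websocket": _flag(attrs, "websocket"),
            "plugins": plugins,
        }]},
    }
    return route, warnings
```

Running `build_route` over every link before rendering the route files turns the "requires" column into a pre-generation check: an empty warnings list means each enabled plugin has the data it needs, and a non-empty one names the link attribute to fill in.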

Outbound Links (APISIX → target)

Each outbound link generates a dedicated route/{service}.yaml. Default K8s resources: ApisixUpstream + ApisixRoute + ApisixTls. Upstream endpoint: {component}.{namespace}.svc.cluster.local:80. Attributes column shows what differs from the common set.

| Link Type | Target | Route File | Attributes & Special Behavior |
|---|---|---|---|
| Full common attribute set (subdomain, timeout, websocket, OIDC, rate_limiting, cors, whitelist, proxy_rewrite, headers) | | | |
| apisix-grafana | Grafana | route/grafana.yaml | All common attributes |
| apisix-keycloak | Keycloak | route/keycloak.yaml | All common. Auto-detects Keycloak-X: if the tag is v1.3_keycloak-x, uses keycloak-keycloakx-http.{ns}:80 |
| apisix-keycloak_operator | Keycloak Operator | route/keycloak_operator.yaml | All common attributes |
| apisix-dex | Dex | route/dex.yaml | All common attributes |
| apisix-postgresql | PostgreSQL | route/postgresql.yaml | All common attributes |
| apisix-opensearch | OpenSearch | route/opensearch.yaml | All common attributes |
| apisix-clickhouse | ClickHouse | route/clickhouse.yaml | All common attributes |
| apisix-backstage | Backstage | route/backstage.yaml | All common attributes |
| apisix-flowise | Flowise | route/flowise.yaml | All common attributes |
| apisix-langflow | Langflow | route/langflow.yaml | All common attributes |
| apisix-fastapi | FastAPI | route/fastapi.yaml | All common attributes |
| apisix-stack_agent | Stack Agent | route/stack_agent.yaml | All common attributes |
| Extra or different attributes from the common set | | | |
| apisix-prometheus | Prometheus | route/prometheus_ingress.yaml | All common + EXTRA: api_key (ApisixConsumer), token_path. Generates multiple Upstreams/Routes (Prometheus + Alertmanager sub-routes). |
| apisix-loki | Loki | route/loki.yaml | All common + EXTRA: api_key (ApisixConsumer), token_path. |
| apisix-minio | MinIO | route/minio.yaml | All common. DUAL routes: generates 2x Upstream + 2x Route + 2x TLS (console + API on separate subdomains). |
| apisix-open-webui | Open WebUI | route/open_webui.yaml | All common + EXTRA: pipelines_subdomain. DUAL routes: main UI + pipelines endpoint on separate subdomains. |
| apisix-vllm | vLLM | route/vllm.yaml | DIFFERENT: uses link attributes api_key, enable_auth, enable_cors, cors_headers. NO common attrs (no OIDC, no rate_limiting, no proxy_rewrite). ApisixConsumer if api_key set. No ApisixTls. |
| Reduced attribute set (missing some common attributes) | | | |
| apisix-rabbitmq | RabbitMQ | route/rabbitmq.yaml | NO OIDC (no apisix_oidc_enable/param). Has: subdomain, timeout, websocket, rate_limiting, cors, whitelist, proxy_rewrite, headers. |
| apisix-kubecost | Kubecost | route/kubecost.yaml | MINIMAL: only subdomain, apisix_oidc_enable, apisix_oidc_param, ip_whitelist. NO timeout, NO websocket, NO rate_limiting, NO cors, NO proxy_rewrite. |
| Multi-instance links (one route per linked instance) | | | |
| apisix-external_source_code | External Source Code | route/backend.yaml | All common. One ApisixUpstream + ApisixRoute + ApisixTls per linked instance. |
| apisix-python | Python app | route/python.yaml | All common. One route per linked instance. |
| apisix-image_base | Image Base | route/image_base.yaml | All common. One route per linked instance. |
| apisix-bridge | Kafka Bridge | route/bridge.yaml | Common except NO apisix_timeout. One route per linked instance. |

Sub-Component Link Types

gateway-external_source_code (gateway sub-component → backend)

Each gateway can link to multiple external_source_code backends. All backends are combined into a single ApisixUpstream with weighted load balancing in route/gateway.yaml.

| Link Attribute | Default | Impact |
|---|---|---|
| weight | 50 | Load balancing weight in the ApisixUpstream nodes list. Multiple backends get weighted distribution. |

ai_gateway-vllm (ai_gateway sub-component → vLLM)

Routes to vLLM router service. Upstream: {name}-router-service.{namespace}.svc.cluster.local:80. Generated in route/ai_gateway.yaml.

| Link Attribute | Default | Impact |
|---|---|---|
| subdomain (REQ) | - | Host match: {subdomain}.{domain} |
| path | /v1/* | URL path match on ApisixRoute |
| deny_patterns | - | ai-prompt-guard: blocked prompt patterns (multiline list) |
| allow_patterns | - | ai-prompt-guard: allowed prompt patterns (multiline list) |
| prompt_decorator | - | ai-prompt-decorator: system prompt prepend rules |
| ai_rate_limit | - | ai-rate-limiting: AI-specific rate limits |

ai_gateway-model (ai_gateway sub-component → vLLM model)

Routes to individual vLLM model. Upstream: {model}.{parent_namespace}.svc.cluster.local:80. Same link attributes as ai_gateway-vllm (subdomain, path, deny_patterns, allow_patterns, prompt_decorator, ai_rate_limit).

ai_gateway-external_ai (ai_gateway sub-component → external AI provider)

Routes to external AI providers (OpenAI, Azure, etc.). Upstream: HTTPS on port 443 with scheme: https and passHost: node. Generated in route/ai_gateway_external.yaml.

| Link Attribute | Default | Impact |
|---|---|---|
| ai_endpoint (REQ) | - | External AI endpoint (e.g. api.openai.com) |
| ai_provider | openai | Provider type. Azure (azure_openai): uses the api-key header. Others: use the Authorization: Bearer header. |
| ai_provider_api_key | - | API key for the external provider. Injected via proxy-rewrite headers. |
| subdomain, path | /v1/* | Same as internal backends |
| deny_patterns, allow_patterns, prompt_decorator, ai_rate_limit | - | Same AI plugins as internal backends |
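As an added example (not code from the generator), the following builds the two resources this link produces: an ApisixUpstream pointing at the provider over HTTPS on 443 with scheme https and passHost node, and an ApisixRoute that carries the ai-prompt-guard and ai-prompt-decorator plugins and injects the provider credential through a proxy-rewrite header, choosing `api-key` for azure_openai and `Authorization: Bearer` otherwise. The CRD fields (`externalNodes`, `upstreams`) and plugin names exist in APISIX and its ingress controller; the plugin config keys used (`deny_patterns`/`allow_patterns`, `prepend`, `headers.set`) are this example's choices, `ai_rate_limit` is left out because the page does not give its config shape, and the `redact` helper is an addition so the rendered route can be logged or diffed without exposing the key. The link values are constructed.

```python
"""Added example: ai_gateway-external_ai link -> ApisixUpstream + ApisixRoute with credential redaction."""
import copy
from typing import Any

API_VERSION = "apisix.apache.org/v2"
SECRET_HEADERS = {"authorization", "api-key"}  # header names whose values must never be logged


def external_ai_upstream(name: str, namespace: str, ai_endpoint: str) -> dict[str, Any]:
    """HTTPS upstream on 443; passHost node sends the provider's own hostname, not the route host."""
    return {
        "apiVersion": API_VERSION, "kind": "ApisixUpstream",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "scheme": "https",
            "passHost": "node",
            "externalNodes": [{"type": "Domain", "name": ai_endpoint, "port": 443}],
        },
    }


def provider_auth_headers(ai_provider: str, api_key: str) -> dict[str, str]:
    """Azure expects the key in 'api-key'; every other provider takes a bearer token."""
    if ai_provider == "azure_openai":
        return {"api-key": api_key}
    return {"Authorization": f"Bearer {api_key}"}


def _lines(value: str) -> list[str]:
    """Multiline attribute -> list of non-empty, stripped lines."""
    return [line.strip() for line in value.splitlines() if line.strip()]


def ai_plugins(link: dict[str, str]) -> list[dict[str, Any]]:
    """Plugin entries for the AI attributes that are actually set on the link."""
    plugins: list[dict[str, Any]] = []
    deny, allow = _lines(link.get("deny_patterns", "")), _lines(link.get("allow_patterns", ""))
    if deny or allow:
        cfg: dict[str, Any] = {}
        if deny:
            cfg["deny_patterns"] = deny
        if allow:
            cfg["allow_patterns"] = allow
        plugins.append({"name": "ai-prompt-guard", "enable": True, "config": cfg})
    if link.get("prompt_decorator"):
        plugins.append({"name": "ai-prompt-decorator", "enable": True, "config": {
            "prepend": [{"role": "system", "content": " ".join(_lines(link["prompt_decorator"]))}]}})
    return plugins


def external_ai_route(name: str, namespace: str, domain: str, link: dict[str, str]) -> dict[str, Any]:
    """ApisixRoute matching {subdomain}.{domain}{path}, referencing the upstream of the same name."""
    plugins = ai_plugins(link)
    auth = provider_auth_headers(link.get("ai_provider", "openai"), link["ai_provider_api_key"])
    plugins.append({"name": "proxy-rewrite", "enable": True, "config": {"headers": {"set": auth}}})
    return {
        "apiVersion": API_VERSION, "kind": "ApisixRoute",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {"http": [{
            "name": name,
            "match": {"hosts": [f"{link['subdomain']}.{domain}"], "paths": [link.get("path", "/v1/*")]},
            "upstreams": [{"name": name}],
            "plugins": plugins,
        }]},
    }


def redact(route: dict[str, Any]) -> dict[str, Any]:
    """Deep copy of a route with credential-bearing proxy-rewrite header values masked."""
    out = copy.deepcopy(route)
    for http in out["spec"]["http"]:
        for plugin in http.get("plugins", []):
            if plugin["name"] != "proxy-rewrite":
                continue
            headers = plugin["config"].get("headers", {}).get("set", {})
            for key in headers:
                if key.lower() in SECRET_HEADERS:
                    headers[key] = "***"
    return out


if __name__ == "__main__":
    # Constructed link values; the key is a placeholder, not a real credential.
    link = {"subdomain": "ai", "ai_endpoint": "api.openai.com", "ai_provider_api_key": "sk-placeholder",
            "deny_patterns": "ignore previous instructions\nreveal the system prompt",
            "prompt_decorator": "You are a support assistant."}
    print(external_ai_upstream("openai", "ingress-apisix", link["ai_endpoint"]))
    print(redact(external_ai_route("openai", "ingress-apisix", "stack-3.source-lab.io", link)))
```

Because the provider key ends up as a literal header value inside the ApisixRoute, anything that prints or commits the rendered route should go through `redact` first; the un-redacted object is what gets applied to the cluster.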

Inbound Links (source → APISIX)

| Link Type | Source | Generated Output |
|---|---|---|
| prometheus-apisix | Prometheus | Generates monitoring.yaml (PodMonitor on :9091), rbac.yaml, prometheus-global-rule.yaml, alerts/apisix-alerts.yaml |
| istio-apisix | Istio | Adds the istio-injection: enabled label to namespace.yaml + generates patch/istio-patch.yaml |

Generated Files

| File | Condition | Content |
|---|---|---|
| Helm Values (helm/) | | |
| helm-values-apix.yaml | Always | APISIX gateway config: image tag (apisix_version), LoadBalancer service (80/443), admin API, etcd |
| helm-values-controller.yaml | Always | APISIX Ingress Controller config |
| helm-values-dashboard.yaml | Always | APISIX Dashboard config |
| Deploy (k8s/deploy/base/) | | |
| namespace.yaml | Always | Namespace. Adds the istio-injection: enabled label if Istio is linked. |
| kustomization.yaml | Always | Kustomize: resources, patches, externalTrafficPolicy from external_traffic, stacktic labels |
| gatewayproxy.yaml | Always | Gateway proxy config (admin endpoint + admin key) |
| centralized-route.yaml | Always | Centralized routing configuration |
| standard-install.yaml | Always | Standard installation manifest |
| monitoring.yaml | Prometheus linked | PodMonitor CR scraping metrics on :9091 |
| rbac.yaml | Prometheus linked | RBAC roles for Prometheus scraping |
| prometheus-global-rule.yaml | Prometheus linked | PrometheusRule CR with global recording rules |
| alerts/apisix-alerts.yaml | Prometheus linked | PrometheusRule CR with APISIX alerting rules |
| secret/kong.env | Always (SOPS) | Gateway credentials |
| secret/postgresql.env | Always (SOPS) | PostgreSQL connection credentials for APISIX etcd |
| secret/registry.json | Always (SOPS) | Docker registry credentials (.dockerconfigjson) |
| Patches (k8s/deploy/base/patch/) | | |
| resource.yaml | Always | Resource limit/request patches |
| ingressclass-patch.yaml | Always | IngressClass configuration patch |
| istio-patch.yaml | Istio linked | Istio sidecar injection and mTLS config |
| CRDs (k8s/deploy/base/crd/) | | |
| crd/*.yaml (12 files) | Always | APISIX CRD definitions: ApisixRoute, ApisixUpstream, ApisixTls, ApisixConsumer, ApisixGlobalRule, ApisixPluginConfig, etc. + Gateway API CRDs |
| Routes (k8s/deploy/base/route/) - each removed by post_gen if the link is not present | | |
| route/grafana.yaml | apisix-grafana linked | ApisixUpstream + ApisixRoute + ApisixTls |
| route/prometheus_ingress.yaml | apisix-prometheus linked | ApisixUpstream + ApisixRoute + ApisixTls |
| route/loki.yaml | apisix-loki linked | ApisixUpstream + ApisixRoute + ApisixTls |
| route/kubecost.yaml | apisix-kubecost linked | ApisixUpstream + ApisixRoute + ApisixTls |
| route/keycloak.yaml | apisix-keycloak linked | ApisixUpstream + ApisixRoute + ApisixTls (version-aware endpoint) |
| route/keycloak_operator.yaml | apisix-keycloak_operator linked | ApisixUpstream + ApisixRoute + ApisixTls |
| route/dex.yaml | apisix-dex linked | ApisixUpstream + ApisixRoute + ApisixTls |
| route/postgresql.yaml | apisix-postgresql linked | ApisixUpstream + ApisixRoute + ApisixTls |
| route/opensearch.yaml | apisix-opensearch linked | ApisixUpstream + ApisixRoute + ApisixTls |
| route/clickhouse.yaml | apisix-clickhouse linked | ApisixUpstream + ApisixRoute + ApisixTls |
| route/rabbitmq.yaml | apisix-rabbitmq linked | ApisixUpstream + ApisixRoute + ApisixTls |
| route/minio.yaml | apisix-minio linked | ApisixUpstream + ApisixRoute + ApisixTls |
| route/backstage.yaml | apisix-backstage linked | ApisixUpstream + ApisixRoute + ApisixTls |
| route/flowise.yaml | apisix-flowise linked | ApisixUpstream + ApisixRoute + ApisixTls |
| route/langflow.yaml | apisix-langflow linked | ApisixUpstream + ApisixRoute + ApisixTls |
| route/open_webui.yaml | apisix-open-webui linked | ApisixUpstream + ApisixRoute + ApisixTls |
| route/vllm.yaml | apisix-vllm linked | ApisixUpstream + ApisixRoute + ApisixTls |
| route/fastapi.yaml | apisix-fastapi linked | ApisixUpstream + ApisixRoute + ApisixTls |
| route/stack_agent.yaml | apisix-stack_agent linked | ApisixUpstream + ApisixRoute + ApisixTls |
| route/backend.yaml | apisix-external_source_code linked | One ApisixUpstream + ApisixRoute + ApisixTls per linked instance |
| route/python.yaml | apisix-python linked | One ApisixUpstream + ApisixRoute + ApisixTls per linked instance |
| route/image_base.yaml | apisix-image_base linked | One ApisixUpstream + ApisixRoute + ApisixTls per linked instance |
| route/bridge.yaml | apisix-bridge linked | One ApisixUpstream + ApisixRoute + ApisixTls per linked instance |
| route/gateway.yaml | gateway sub-component exists | Per gateway: ApisixConsumer (if api_key) + ApisixUpstream (weighted backends) + ApisixRoute + ApisixTls |
| route/ai_gateway.yaml | ai_gateway sub-component exists | Per ai_gateway: ApisixConsumer (if api_key) + internal backend routes with AI plugins |
| route/ai_gateway_external.yaml | ai_gateway has external_ai links | External AI provider routes (HTTPS upstream, provider-specific auth headers) |
| route/kustomization.yaml | Always | Kustomize for the route directory (references all route files) |
| Documentation | | |
| doc/README.md | Always | Component documentation |
| doc/metrics/apisix.text | Always | Prometheus metrics reference |

Plugin Matrix (per route)

Each route can have any combination of these plugins, controlled by link attributes.

| Plugin | Trigger | Available On |
|---|---|---|
| key-auth | api_key attribute set | gateway, ai_gateway |
| openid-connect | apisix_oidc_enable + apisix_oidc_param | All routes |
| limit-count | rate_limiting = true | All routes |
| cors | cors = true | All routes |
| ip-restriction | whitelist = true + ip_whitelist | All routes |
| proxy-rewrite | proxy_rewrite = true + headers | All routes |
| ai-prompt-guard | deny_patterns or allow_patterns | ai_gateway only |
| ai-prompt-decorator | prompt_decorator | ai_gateway only |
| ai-rate-limiting | ai_rate_limit | ai_gateway only |

Ports

| Port | Service | Protocol |
|---|---|---|
| 80 | HTTP data plane (external LoadBalancer) | HTTP |
| 443 | HTTPS data plane (external LoadBalancer) | HTTPS |
| 9080 | HTTP data plane (container) | HTTP |
| 9443 | HTTPS data plane (container) | HTTPS |
| 9180 | Admin API (internal only) | HTTP |
| 9091 | Prometheus metrics | HTTP |

Endpoints

External route: https://{subdomain}.{domain}
Admin API: http://apisix-admin.{namespace}.svc.cluster.local:9180
Upstream pattern: {component}.{namespace}.svc.cluster.local:80
TLS secret: wildcard-tls-secret (cert-manager namespace)