diff --git a/.env.example b/.env.example
index e39f651..db6a745 100644
--- a/.env.example
+++ b/.env.example
@@ -1,6 +1,6 @@
-DASHBOARD_VERSION=v5.7.0-rc10
-GATEWAY_VERSION=v5.7.0-rc5
-MDCB_VERSION=v2.7.2-rc3
+DASHBOARD_VERSION=v5.7
+GATEWAY_VERSION=v5.7
+MDCB_VERSION=v2.7
 PUMP_VERSION=v1.11
 PORTAL_VERSION=v1.11
 TYK_HELM_CHART_PATH=tyk-helm
diff --git a/src/deployments/operator/main.sh b/src/deployments/operator/main.sh
index 9fcb87e..918f6f6 100644
--- a/src/deployments/operator/main.sh
+++ b/src/deployments/operator/main.sh
@@ -1,6 +1,10 @@
 logger "$INFO" "installing tyk-operator in $namespace namespace...";
 setVerbose;
-sed "s/replace_namespace/$namespace/g" "$operatorDeploymentPath/manifest.yaml" | \
- kubectl apply -n "$namespace" -f - > /dev/null;
+helm upgrade "$operatorReleaseName" tyk-helm/tyk-operator --version 1.1.0 \
+ --install \
+ --namespace "$namespace" \
+ "${operatorSecurityContextArgs[@]}" \
+ "${operatorSSLArgs[@]}" \
+ "${helmFlags[@]}" > /dev/null;
 unsetVerbose;
diff --git a/src/deployments/operator/manifest.yaml b/src/deployments/operator/manifest.yaml
deleted file mode 100644
index a04ec23..0000000
--- a/src/deployments/operator/manifest.yaml
+++ /dev/null
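Review bot: The `helm upgrade --install` line now relies on Helm to manage the operator's CRDs, but Helm only installs a chart's `crds/` directory on the first install and never updates them on upgrade — so once `--version 1.1.0` is bumped later, CRD schema changes (e.g. to `apidefinitions.tyk.tyk.io`, which the deleted manifest used to re-apply on every run via `kubectl apply`) will silently not land, assuming the tyk-operator chart ships its CRDs that way. Either apply them explicitly before this call, e.g. `helm show crds tyk-helm/tyk-operator --version 1.1.0 | kubectl apply -f -;`, or add a comment stating where CRD upgrades are handled. The command's exit status is also unchecked while its stdout is discarded, so unless the caller runs under `set -e` a failed upgrade is followed by `unsetVerbose` as if it succeeded; consider `"${helmFlags[@]}" > /dev/null || return 1;` (or `exit 1`, depending on whether this file is sourced). If the script uses `set -u`, note that expanding an empty `operatorSecurityContextArgs` or `operatorSSLArgs` array fails on bash older than 4.4.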
@@ -1,5774 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: tyk-operator-controller-manager - namespace: replace_namespace ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: tyk-operator-leader-election-role - namespace: replace_namespace -rules: - - apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: tyk-operator-manager-role -rules: - - apiGroups: - - "" - resources: - - configmaps - verbs: - - create - - delete - - deletecollection - - get - - list - - update - - watch - - apiGroups: - - "" - resources: - - secrets - verbs: - - create - - get - - list - - update - - watch - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create - - get - - list - - update - - apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - tyk.tyk.io - resources: - - apidefinitions - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch - - apiGroups: - - tyk.tyk.io - resources: - - apidefinitions/status - verbs: - - get - - patch - - update - - apiGroups: - - tyk.tyk.io - resources: - - apidescriptions - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - tyk.tyk.io - resources: - - apidescriptions/finalizers - verbs: - - update - - apiGroups: - - tyk.tyk.io - resources: - - apidescriptions/status - verbs: - - get - - patch - - update - - apiGroups: - - tyk.tyk.io - resources: - - operatorcontexts - verbs: - - create - - delete - - get - - list - - patch - - 
update - - watch - - apiGroups: - - tyk.tyk.io - resources: - - operatorcontexts/finalizers - verbs: - - update - - apiGroups: - - tyk.tyk.io - resources: - - operatorcontexts/status - verbs: - - get - - patch - - update - - apiGroups: - - tyk.tyk.io - resources: - - portalapicatalogues - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - tyk.tyk.io - resources: - - portalapicatalogues/finalizers - verbs: - - update - - apiGroups: - - tyk.tyk.io - resources: - - portalapicatalogues/status - verbs: - - get - - patch - - update - - apiGroups: - - tyk.tyk.io - resources: - - portalconfigs - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - tyk.tyk.io - resources: - - portalconfigs/finalizers - verbs: - - update - - apiGroups: - - tyk.tyk.io - resources: - - portalconfigs/status - verbs: - - get - - patch - - update - - apiGroups: - - tyk.tyk.io - resources: - - securitypolicies - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - tyk.tyk.io - resources: - - securitypolicies/status - verbs: - - get - - patch - - update - - apiGroups: - - tyk.tyk.io - resources: - - subgraphs - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch - - apiGroups: - - tyk.tyk.io - resources: - - subgraphs/finalizers - verbs: - - update - - apiGroups: - - tyk.tyk.io - resources: - - subgraphs/status - verbs: - - get - - patch - - update - - apiGroups: - - tyk.tyk.io - resources: - - supergraphs - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch - - apiGroups: - - tyk.tyk.io - resources: - - supergraphs/finalizers - verbs: - - update - - apiGroups: - - tyk.tyk.io - resources: - - supergraphs/status - verbs: - - get - - patch - - update - - apiGroups: - - tyk.tyk.io - resources: - - tykoasapidefinitions - verbs: - - create - - delete - - deletecollection - - get - - 
list - - patch - - update - - watch - - apiGroups: - - tyk.tyk.io - resources: - - tykoasapidefinitions/finalizers - verbs: - - update - - apiGroups: - - tyk.tyk.io - resources: - - tykoasapidefinitions/status - verbs: - - get - - patch - - update - - apiGroups: - - tyk.tyk.io - resources: - - tykstreamsapidefinitions - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - tyk.tyk.io - resources: - - tykstreamsapidefinitions/finalizers - verbs: - - update - - apiGroups: - - tyk.tyk.io - resources: - - tykstreamsapidefinitions/status - verbs: - - get - - patch - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: tyk-operator-metrics-reader -rules: - - nonResourceURLs: - - /metrics - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: tyk-operator-proxy-role -rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: tyk-operator - name: tyk-operator-tykstreamsapidefinition-editor-role -rules: - - apiGroups: - - tyk.tyk.io - resources: - - tykstreamsapidefinitions - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - tyk.tyk.io - resources: - - tykstreamsapidefinitions/status - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: tyk-operator - name: tyk-operator-tykstreamsapidefinition-viewer-role -rules: - - apiGroups: - - tyk.tyk.io - resources: - - tykstreamsapidefinitions - verbs: - - get - - list - - watch - - apiGroups: - - tyk.tyk.io - resources: - - tykstreamsapidefinitions/status - 
verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: tyk-operator-leader-election-rolebinding - namespace: replace_namespace -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: tyk-operator-leader-election-role -subjects: - - kind: ServiceAccount - name: tyk-operator-controller-manager - namespace: replace_namespace ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: tyk-operator-manager-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: tyk-operator-manager-role -subjects: - - kind: ServiceAccount - name: tyk-operator-controller-manager - namespace: replace_namespace ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: tyk-operator-proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: tyk-operator-proxy-role -subjects: - - kind: ServiceAccount - name: tyk-operator-controller-manager - namespace: replace_namespace ---- -apiVersion: v1 -data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 127.0.0.1:8080 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: 91ad8c6e.tyk.io -kind: ConfigMap -metadata: - name: tyk-operator-manager-config - namespace: replace_namespace ---- -apiVersion: v1 -kind: Service -metadata: - labels: - control-plane: tyk-operator-controller-manager - name: tyk-operator-controller-manager-metrics-service - namespace: replace_namespace -spec: - ports: - - name: https - port: 8443 - targetPort: https - selector: - control-plane: tyk-operator-controller-manager ---- -apiVersion: v1 -kind: Service -metadata: - name: tyk-operator-webhook-service - namespace: replace_namespace -spec: - ports: - - port: 443 - targetPort: 9443 - selector: - control-plane: 
tyk-operator-controller-manager ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - control-plane: tyk-operator-controller-manager - name: tyk-operator-controller-manager - namespace: replace_namespace -spec: - progressDeadlineSeconds: 600 - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - control-plane: tyk-operator-controller-manager - strategy: - rollingUpdate: - maxSurge: 25% - maxUnavailable: 25% - type: RollingUpdate - template: - metadata: - labels: - control-plane: tyk-operator-controller-manager - spec: - containers: - - command: - - /manager - env: - - name: TYK_HTTPS_INGRESS_PORT - value: "8443" - - name: TYK_HTTP_INGRESS_PORT - value: "8080" - envFrom: - - secretRef: - name: tyk-operator-conf - image: komalsukhani/tyk-operator:streams - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 8081 - scheme: HTTP - initialDelaySeconds: 15 - periodSeconds: 20 - successThreshold: 1 - timeoutSeconds: 1 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - readinessProbe: - failureThreshold: 3 - httpGet: - path: /readyz - port: 8081 - scheme: HTTP - initialDelaySeconds: 5 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - - mountPath: /controller_manager_config.yaml - name: manager-config - subPath: controller_manager_config.yaml - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0 - imagePullPolicy: IfNotPresent - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - dnsPolicy: ClusterFirst 
- restartPolicy: Always - schedulerName: default-scheduler - securityContext: - runAsNonRoot: true - serviceAccount: tyk-operator-controller-manager - serviceAccountName: tyk-operator-controller-manager - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert - - configMap: - defaultMode: 420 - name: tyk-operator-manager-config - name: manager-config ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: tyk-operator-serving-cert - namespace: replace_namespace -spec: - dnsNames: - - tyk-operator-webhook-service.replace_namespace.svc - - tyk-operator-webhook-service.replace_namespace.svc.cluster.local - issuerRef: - kind: Issuer - name: tyk-operator-selfsigned-issuer - secretName: webhook-server-cert ---- -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: tyk-operator-selfsigned-issuer - namespace: replace_namespace -spec: - selfSigned: {} ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - annotations: - cert-manager.io/inject-ca-from: replace_namespace/tyk-operator-serving-cert - name: tyk-operator-mutating-webhook-configuration -webhooks: - - admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: tyk-operator-webhook-service - namespace: replace_namespace - path: /mutate-tyk-tyk-io-v1alpha1-apidefinition - failurePolicy: Fail - name: mapidefinition.kb.io - rules: - - apiGroups: - - tyk.tyk.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - apidefinitions - sideEffects: None ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - annotations: - cert-manager.io/inject-ca-from: replace_namespace/tyk-operator-serving-cert - name: tyk-operator-validating-webhook-configuration -webhooks: - - admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: tyk-operator-webhook-service - namespace: 
replace_namespace - path: /validate-tyk-tyk-io-v1alpha1-apidefinition - failurePolicy: Fail - name: vapidefinition.kb.io - rules: - - apiGroups: - - tyk.tyk.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - apidefinitions - sideEffects: None ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) - controller-gen.kubebuilder.io/version: v0.14.0 - name: apidefinitions.tyk.tyk.io -spec: - group: tyk.tyk.io - names: - categories: - - tyk - kind: ApiDefinition - listKind: ApiDefinitionList - plural: apidefinitions - shortNames: - - tykapis - singular: apidefinition - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.domain - name: Domain - type: string - - jsonPath: .spec.proxy.listen_path - name: ListenPath - type: string - - jsonPath: .spec.proxy.target_url - name: Proxy.TargetURL - type: string - - jsonPath: .spec.active - name: Enabled - type: boolean - - jsonPath: .status.latestTransaction.status - name: SyncStatus - type: string - - jsonPath: .status.ingressTemplate - name: IngressTemplate - type: boolean - name: v1alpha1 - schema: - openAPIV3Schema: - description: ApiDefinition is the Schema for the apidefinitions API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: APIDefinitionSpec represents the configuration for a single - proxied API and it's versions. - properties: - CORS: - properties: - allow_credentials: - description: AllowCredentials if true will allow cookies - type: boolean - allowed_headers: - description: AllowedHeaders are headers that are allowed within - a request. - items: - type: string - type: array - allowed_methods: - description: AllowedMethods is a list of methods to allow access - via. - items: - description: HttpMethod represents HTTP request method - enum: - - GET - - POST - - PUT - - PATCH - - DELETE - - OPTIONS - - HEAD - - CONNECT - - TRACE - type: string - type: array - allowed_origins: - description: AllowedOrigins is a list of origin domains to allow - access from. - items: - type: string - type: array - debug: - description: Debug if true, this option produces log files for - the CORS middleware - type: boolean - enable: - description: Enable when set to true it enables the cors middleware - for the api - type: boolean - exposed_headers: - description: ExposedHeaders is a list of headers that are exposed - back in the response. - items: - type: string - type: array - max_age: - description: MaxAge is the maximum age of credentials - type: integer - options_passthrough: - description: |- - OptionsPassthrough allow CORS OPTIONS preflight request to be proxied - directly to upstream, without authentication and rest of checks. This means - that pre-flight requests generated by web-clients such as SwaggerUI or the - Tyk Portal documentation system will be able to test the API using trial - keys. If your service handles CORS natively, then enable this option. 
- type: boolean - type: object - active: - description: Active specifies if the api is enabled or not - type: boolean - allowed_ips: - description: |- - AllowedIPs is a list of IP address that are whitelisted.When this is - provided all IP address that is not on this list will be blocked and a 403 http - status will be returned. The IP address can be IPv4 or IPv6.IP in - CIDR notation is also supported. - items: - type: string - type: array - analytics_plugin: - description: |- - AnalyticsPlugin is used to configure analytics plugin which enables editing or removal of all parts of analytics - records, raw request and responses recorded by Tyk at the gateway level - nullable: true - properties: - enable: - type: boolean - func_name: - type: string - plugin_path: - type: string - required: - - enable - type: object - api_id: - description: |- - Only set this field if you are referring - to an existing API def. - The Operator will use this APIID to link the CR with the API in Tyk - Note: The values in the CR will become the new source of truth, overriding the existing API Definition - type: string - auth: - properties: - auth_header_name: - type: string - cookie_name: - type: string - param_name: - type: string - signature: - properties: - algorithm: - type: string - allowed_clock_skew: - format: int64 - type: integer - error_code: - type: integer - error_message: - type: string - header: - type: string - secret: - type: string - required: - - algorithm - - allowed_clock_skew - - error_code - - error_message - - header - - secret - type: object - use_certificate: - type: boolean - use_cookie: - type: boolean - use_param: - type: boolean - validate_signature: - type: boolean - required: - - auth_header_name - type: object - auth_configs: - additionalProperties: - properties: - auth_header_name: - type: string - cookie_name: - type: string - param_name: - type: string - signature: - properties: - algorithm: - type: string - allowed_clock_skew: - format: int64 - type: 
integer - error_code: - type: integer - error_message: - type: string - header: - type: string - secret: - type: string - required: - - algorithm - - allowed_clock_skew - - error_code - - error_message - - header - - secret - type: object - use_certificate: - type: boolean - use_cookie: - type: boolean - use_param: - type: boolean - validate_signature: - type: boolean - required: - - auth_header_name - type: object - type: object - base_identity_provided_by: - description: BaseIdentityProvidedBy sets Base Identity Provider for - situation when multiple authentication mechanisms are used - enum: - - auth_token - - hmac_key - - basic_auth_user - - jwt_claim - - oidc_user - - oauth_key - type: string - blacklisted_ips: - description: |- - BlacklistedIPs is a list of IP address that will be blacklisted.This means if - origin IP matches any IP in this list a 403 http status code will be - returned. The IP address can be IPv4 or IPv6. IP in CIDR notation is also - supported. - items: - type: string - type: array - cache_options: - properties: - cache_all_safe_requests: - description: |- - CacheAllSafeRequests caches responses to (GET, HEAD, OPTIONS) requests - overrides per-path cache settings in versions, applies across versions - type: boolean - cache_by_headers: - description: CacheByHeaders allows header values to be used as - part of the cache key - items: - type: string - type: array - cache_control_ttl_header: - description: CacheControlTTLHeader is the response header which - tells Tyk how long it is safe to cache the response for - type: string - cache_response_codes: - description: CacheOnlyResponseCodes is an array of response codes - which are safe to cache. e.g. 404 - items: - type: integer - type: array - cache_timeout: - description: CacheTimeout is the TTL for a cached object in seconds - format: int64 - type: integer - enable_cache: - description: |- - EnableCache turns global cache middleware on or off. 
- It is still possible to enable caching on a per-path basis by explicitly setting the endpoint cache middleware. - see `spec.version_data.versions.{VERSION}.extended_paths.cache[]` - type: boolean - enable_upstream_cache_control: - description: EnableUpstreamCacheControl instructs Tyk Cache to - respect upstream cache control headers - type: boolean - required: - - cache_timeout - type: object - certificate_secret_names: - description: |- - CertificateSecretNames represents the names of the secrets that the controller should look for in the current - namespace which contain the certificates. - items: - type: string - type: array - certificates: - description: Certificates is a list of Tyk Certificate IDs. e.g. orgid+fingerprint. - Use CertificateSecretNames if using cert-manager - items: - type: string - type: array - client_certificate_refs: - items: - type: string - type: array - client_certificates: - items: - type: string - type: array - config_data: - description: |- - ConfigData can be used to pass custom attributes (a JSON object) into your middleware, such - as a virtual endpoint or header transform. - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - contextRef: - description: |- - Context specify namespace/name of the OperatorContext object used for - reconciling this APIDefinition - properties: - name: - description: k8s resource name - type: string - namespace: - description: |- - The k8s namespace of the resource being targeted. When omitted this will be - set to the namespace of the object that is being reconciled. 
- type: string - required: - - name - type: object - custom_middleware: - properties: - auth_check: - properties: - name: - type: string - path: - type: string - raw_body_only: - type: boolean - require_session: - type: boolean - required: - - name - - path - type: object - driver: - type: string - id_extractor: - properties: - extract_from: - type: string - extract_with: - type: string - extractor_config: - properties: - header_name: - type: string - param_name: - type: string - regex_expression: - type: string - regex_match_index: - type: integer - type: object - required: - - extract_from - - extract_with - - extractor_config - type: object - post: - items: - properties: - name: - type: string - path: - type: string - raw_body_only: - type: boolean - require_session: - type: boolean - required: - - name - - path - type: object - type: array - post_key_auth: - items: - properties: - name: - type: string - path: - type: string - raw_body_only: - type: boolean - require_session: - type: boolean - required: - - name - - path - type: object - type: array - pre: - items: - properties: - name: - type: string - path: - type: string - raw_body_only: - type: boolean - require_session: - type: boolean - required: - - name - - path - type: object - type: array - response: - items: - properties: - name: - type: string - path: - type: string - raw_body_only: - type: boolean - require_session: - type: boolean - required: - - name - - path - type: object - type: array - required: - - driver - type: object - custom_middleware_bundle: - type: string - definition: - description: VersionDefinition is a struct that holds the version - information for the API - nullable: true - properties: - default: - type: string - enabled: - type: boolean - fallback_to_default: - type: boolean - key: - type: string - location: - type: string - name: - type: string - strip_path: - type: boolean - strip_versioning_data: - type: boolean - url_versioning_pattern: - type: string - versions: - 
additionalProperties: - type: string - type: object - required: - - default - - enabled - - fallback_to_default - - key - - location - - name - - strip_path - - strip_versioning_data - - url_versioning_pattern - - versions - type: object - detailed_tracing: - nullable: true - type: boolean - disable_quota: - description: DisableQuota allows you to disable quota middleware in - a given API Definition. - type: boolean - disable_rate_limit: - description: DisableRateLimit allows you to disable rate limits in - a given API Definition. - type: boolean - do_not_track: - description: DoNotTrack disables endpoint tracking for this API - type: boolean - domain: - description: Domain represents a custom host header that the gateway - will listen on for this API - type: string - enable_context_vars: - description: |- - EnableContextVars extracts request context variables from the start of the middleware chain. - Set this to true to make them available to your transforms. - Context Variables are available in the url rewriter, modify headers and body transforms. - type: boolean - enable_coprocess_auth: - type: boolean - enable_detailed_recording: - description: |- - EnableDetailedRecording instructs Tyk store the inbound request and outbound response data in HTTP Wire format - as part of the Analytics data - type: boolean - enable_ip_blacklisting: - description: EnableIPBlacklisting activates the ip blacklisting middleware. - type: boolean - enable_ip_whitelisting: - description: EnableIPWhiteListing activates the ip whitelisting middleware. - type: boolean - enable_jwt: - description: EnableJWT set JWT as the access method for this API. - type: boolean - enable_proxy_protocol: - type: boolean - event_handlers: - properties: - events: - additionalProperties: - items: - properties: - handler_meta: - description: |- - MapStringInterfaceType represents a generic struct used as a map[string]interface{}. 
Since an arbitrary - JSON fields defined as map[string]interface{} is not feasible to use as a Kubernetes CRD, unstructured.Unstructured - type is used. - type: object - x-kubernetes-preserve-unknown-fields: true - handler_name: - type: string - required: - - handler_meta - - handler_name - type: object - type: array - type: object - required: - - events - type: object - global_rate_limit: - description: |- - GlobalRateLimit is an API Level Global Rate Limit, which assesses all traffic coming into the API from all - sources and ensures that the overall rate limit is not exceeded. - properties: - per: - description: Per represents a time window in seconds - type: integer - rate: - description: Rate represents the number of requests allowed within - a specified time window (Per) - type: integer - required: - - per - - rate - type: object - graphql: - description: GraphQLConfig is the root config object for a GraphQL - API. - properties: - enabled: - description: Enabled indicates if GraphQL proxy should be enabled. - type: boolean - engine: - description: Engine holds the configuration for engine v2 and - upwards. - properties: - data_sources: - items: - properties: - config: - description: |- - MapStringInterfaceType represents a generic struct used as a map[string]interface{}. Since an arbitrary - JSON fields defined as map[string]interface{} is not feasible to use as a Kubernetes CRD, unstructured.Unstructured - type is used. 
- type: object - x-kubernetes-preserve-unknown-fields: true - internal: - type: boolean - kind: - enum: - - REST - - GraphQL - - Kafka - type: string - name: - type: string - root_fields: - items: - properties: - fields: - items: - type: string - type: array - type: - type: string - required: - - fields - - type - type: object - type: array - required: - - config - - internal - - kind - - name - - root_fields - type: object - nullable: true - type: array - field_configs: - items: - properties: - disable_default_mapping: - type: boolean - field_name: - type: string - path: - items: - type: string - type: array - type_name: - type: string - required: - - disable_default_mapping - - field_name - - path - - type_name - type: object - nullable: true - type: array - global_headers: - description: GlobalHeaders for managing headers for UDG and - all associated data sources - items: - properties: - key: - description: Key is the name of the request header - type: string - value: - description: Value holds the value of the request header - type: string - required: - - key - - value - type: object - nullable: true - type: array - required: - - data_sources - - field_configs - type: object - execution_mode: - description: GraphQLExecutionMode is the mode to define how an - api behaves. - enum: - - "" - - proxyOnly - - executionEngine - - supergraph - - subgraph - type: string - graph_ref: - type: string - introspection: - description: Introspection holds the configuration for GraphQL - Introspection - properties: - disabled: - type: boolean - type: object - last_schema_update: - description: LastSchemaUpdate contains the date and time of the - last triggered schema update to the upstream. - format: date-time - type: string - playground: - description: GraphQLPlayground is the Playground specific configuration. - properties: - enabled: - description: Enabled indicates if the playground should be - enabled. 
- type: boolean - path: - description: Path sets the path on which the playground will - be hosted if enabled. - type: string - required: - - enabled - - path - type: object - proxy: - description: Proxy holds the configuration for a proxy only api. - properties: - auth_headers: - additionalProperties: - type: string - nullable: true - type: object - features: - nullable: true - properties: - use_immutable_headers: - type: boolean - type: object - request_headers: - additionalProperties: - type: string - nullable: true - type: object - request_headers_rewrite: - additionalProperties: - properties: - remove: - type: boolean - value: - type: string - required: - - remove - - value - type: object - nullable: true - type: object - subscription_type: - description: SubscriptionType is the subscription protocol - to use for graphql subscriptions - enum: - - "" - - graphql-ws - - graphql-transport-ws - - sse - type: string - use_response_extensions: - properties: - on_error_forwarding: - type: boolean - required: - - on_error_forwarding - type: object - type: object - schema: - description: Schema is the GraphQL Schema exposed by the GraphQL - API/Upstream/Engine. - type: string - subgraph: - description: Subgraph holds the configuration for a GraphQL federation - subgraph. - properties: - sdl: - type: string - required: - - sdl - type: object - supergraph: - description: Supergraph holds the configuration for a GraphQL - federation supergraph. 
- properties: - disable_query_batching: - type: boolean - global_headers: - additionalProperties: - type: string - type: object - merged_sdl: - type: string - subgraphs: - items: - properties: - api_id: - description: UUID v4 string (!not the same as _id of - APIDefinition) - type: string - headers: - additionalProperties: - type: string - nullable: true - type: object - name: - type: string - sdl: - description: the schema definition language of the subgraph - type: string - url: - description: The internal URL of the subgraph - type: string - required: - - api_id - - headers - - name - - sdl - - url - type: object - type: array - updated_at: - description: UpdatedAt contains the date and time of the last - update of a supergraph API. - format: date-time - type: string - type: object - type_field_configurations: - description: TypeFieldConfigurations is a rule set of data source - and mapping of a schema field. - items: - properties: - data_source: - properties: - data_source_config: - description: |- - Config is the DataSource specific configuration object - Each Planner needs to make sure to parse their Config Object correctly - properties: - body: - type: string - default_type_name: - type: string - headers: - items: - type: string - type: array - method: - description: HttpMethod represents HTTP request - method - enum: - - GET - - POST - - PUT - - PATCH - - DELETE - - OPTIONS - - HEAD - - CONNECT - - TRACE - type: string - status_code_type_name_mappings: - items: - properties: - status_code: - type: integer - type_name: - type: string - required: - - status_code - type: object - type: array - url: - type: string - required: - - method - - url - type: object - kind: - description: |- - Kind defines the unique identifier of the DataSource - Kind needs to match to the Planner "DataSourceName" name - enum: - - GraphQLDataSource - - HTTPJSONDataSource - type: string - required: - - kind - type: object - field_name: - type: string - mapping: - properties: - 
disabled: - type: boolean - path: - type: string - required: - - disabled - - path - type: object - type_name: - type: string - required: - - data_source - - field_name - - mapping - - type_name - type: object - type: array - version: - description: Version defines the version of the GraphQL config - and engine to be used. - enum: - - "1" - - "2" - type: string - required: - - enabled - - execution_mode - type: object - id: - description: For server use only, do not use - type: string - internal: - description: Internal tells Tyk Gateway that this is a virtual API. - It can only be routed to from other APIs. - type: boolean - jwt_client_base_field: - description: |- - JWTClientIDBaseField is the name of the field on JWT claim to use for client - id. This field is mutually exclusive to jwt_identity_base_field, meaning you - can only set/use one and jwt_identity_base_field takes precedence when both - are set. - type: string - jwt_default_policies: - description: |- - JWTDefaultPolicies is a list of policies that will be used when base policy - can't be extracted from the JWT token. When this list is provided the first - element will be used as the base policy while the rest of elements will be applied. - items: - type: string - type: array - jwt_expires_at_validation_skew: - description: "JWTExpiresAtValidationSkew adds validation for expired - at JWT claim.\nGiven\n\tnow = current unix time\n\tskew = jwt_expires_at_validation_skew\n\texp - = expired at\nIf exp > (now - skew) then validation will fail with - \"token has expired\"" - format: int64 - type: integer - jwt_identity_base_field: - description: |- - JWTIdentityBaseField Identifies the user or identity to be used in the - Claims of the JWT. This will fallback to sub if not found. This field forms - the basis of a new “virtual” token that gets used after validation. It means - policy attributes are carried forward through Tyk for attribution purposes. 
- type: string - jwt_issued_at_validation_skew: - description: "JWTIssuedAtValidationSkew adds validation for issued - at JWT claim.\nGiven\n\tnow = current unix time\n\tskew = jwt_issued_at_validation_skew\n\tiat - = the issued at jwt claim\nIf iat > (now + skew) then validation - will fail with \"token used before issued\"" - format: int64 - type: integer - jwt_not_before_validation_skew: - description: "JWTNotBeforeValidationSkew adds validation for not - before JWT claim.\nGiven\n\tnow = current unix time\n\tskew = jwt_not_before_validation_skew\n\tnbf - = the not before jwt claim\nIf nbf > (now + skew) then validation - will fail with \"token is not valid yet\"" - format: int64 - type: integer - jwt_policy_field_name: - description: JWTPolicyFieldName The policy ID to apply to the virtual - token generated for a JWT - type: string - jwt_scope_claim_name: - description: |- - JWTScopeClaimName overides the key used for scope values in the JWT claims. - By default the value is "scope" - type: string - jwt_scope_to_policy_mapping: - additionalProperties: - type: string - description: |- - JWTScopeToPolicyMapping this is a mapping of scope value to policy id. If - this is set then a scope value found in this map will make the mappend - policy to be applied. - type: object - jwt_signing_method: - description: JWTSigningMethod algorithm used to sign jwt token - enum: - - "" - - rsa - - hmac - - ecdsa - type: string - jwt_skip_kid: - description: |- - JWTSkipKid when true we ingore using kid as the identity for a JWT token and - instead use jwt_identity_base_field if it was set or fallback to sub JWT - claim. - type: boolean - jwt_source: - description: |- - JWTSource Must either be a base64 encoded valid RSA/HMAC key or a url to a - resource serving JWK, this key will then be used to validate inbound JWT and - throttle them according to the centralised JWT options and fields set in the - configuration. 
- type: string - listen_port: - type: integer - name: - type: string - oauth_meta: - properties: - allowed_access_types: - description: AllowedAccessTypes are an array of allowable access - types. - items: - enum: - - authorization_code - - refresh_token - - password - - client_credentials - type: string - type: array - allowed_authorize_types: - description: |- - AllowedAuthorizeTypes is an array of allowable `response_type` parameters `token` or authorization code `code`. - Choose token for client_credentials or implicit grant types. - items: - enum: - - code - - token - type: string - type: array - auth_login_redirect: - description: Login form to handle user login. - type: string - required: - - allowed_access_types - - allowed_authorize_types - type: object - org_id: - description: OrgID is overwritten - no point setting this - type: string - pinned_public_keys: - additionalProperties: - type: string - description: |- - PinnedPublicKeys allows you to whitelist public keys used to generate certificates, so you will be protected in - case an upstream certificate is compromised. Please use PinnedPublicKeysRefs if using cert-manager. - type: object - pinned_public_keys_refs: - additionalProperties: - type: string - description: |- - PinnedPublicKeysRefs allows you to specify public keys using k8s secret. - It takes domain name as a key and secret name as a value. - type: object - protocol: - description: APIProtocol is the network transport protocol supported - by the gateway - enum: - - "" - - h2c - - tcp - - tls - - http - - https - type: string - proxy: - description: Proxy - properties: - check_host_against_uptime_tests: - description: |- - CheckHostAgainstUptimeTests will check the hostname of the outbound request against the downtime list generated - by the uptime test host checker. If the host is found, then it is skipped or removed from the load balancer. - This is only valid if uptime tests for the api are enabled. 
- type: boolean - disable_strip_slash: - description: |- - DisableStripSlash disables the stripping of the slash suffix from a URL. - when `true` a request to http://foo.bar/baz/ will be retained. - when `false` a request to http://foo.bar/baz/ will be matched to http://foo.bar/baz - type: boolean - enable_load_balancing: - description: |- - EnableLoadBalancing enables Tyk's round-robin loadbalancer. Tyk will ignore the TargetURL field, and rely on - the hosts in the Targets list - type: boolean - listen_path: - description: |- - ListenPath represents the path to listen on. e.g. `/api` or `/` or `/httpbin`. - Any requests coming into the host, on the port that Tyk is configured to run on, that match this path will - have the rules defined in the API Definition applied. Versioning assumes that different versions of an API - will live on the same URL structure. If you are using URL-based versioning (e.g. /v1/function, /v2/function) - then it is recommended to set up a separate non-versioned definition for each version as they are essentially - separate APIs. - type: string - preserve_host_header: - description: |- - If PreserveHostHeader is set to true then the host header in the outbound request is retained to be the - inbound hostname of the proxy. - type: boolean - service_discovery: - description: 'TODO: Untested. Is there a use-case for SD inside - a K8s environment?' 
- properties: - cache_timeout: - format: int64 - type: integer - data_path: - type: string - endpoint_returns_list: - type: boolean - parent_data_path: - type: string - port_data_path: - type: string - query_endpoint: - type: string - target_path: - type: string - use_discovery_service: - type: boolean - use_nested_query: - type: boolean - use_target_list: - type: boolean - required: - - cache_timeout - - data_path - - endpoint_returns_list - - parent_data_path - - port_data_path - - query_endpoint - - target_path - - use_discovery_service - - use_nested_query - - use_target_list - type: object - strip_listen_path: - description: |- - StripListenPath removes the inbound listen path in the outgoing request. - e.g. http://acme.com/httpbin/get where `httpbin` is the listen path. The `httpbin` listen path which is used - to identify the API loaded in Tyk is removed, and the outbound request would be http://httpbin.org/get - type: boolean - target_internal: - properties: - path: - description: "Path path on target , this does not include - query parameters.\n\texample /myendpoint" - type: string - query: - description: "Query url query string to add to target\n\texample - check_limits=true" - type: string - target: - description: |- - API a namespaced/name to the api definition resource that you are - targetting - properties: - name: - description: k8s resource name - type: string - namespace: - description: |- - The k8s namespace of the resource being targeted. When omitted this will be - set to the namespace of the object that is being reconciled. - type: string - required: - - name - type: object - type: object - target_list: - description: |- - Targets defines a list of upstream host targets. Tyk will then round-robin load balance between these targets. - EnableLoadBalancing must be set to true in order to take advantage of this feature. 
- items: - type: string - type: array - target_url: - description: TargetURL defines the target URL that the request - should be proxied to. - type: string - transport: - description: Transport section exposes advanced transport level - configurations such as minimum TLS version. - properties: - proxy_url: - description: ProxyURL specifies custom forward proxy & port. - e.g. `http(s)://proxy.url:1234` - type: string - ssl_ciphers: - description: |- - SSLCipherSuites is an array of acceptable cipher suites. A list of allowed cipher suites can be found in the - Go Crypto TLS package constants documentation https://golang.org/pkg/crypto/tls/#pkg-constants - items: - type: string - type: array - ssl_force_common_name_check: - description: SSLForceCommonNameCheck forces hostname validation - against the certificate Common Name - type: boolean - ssl_insecure_skip_verify: - description: |- - SSLInsecureSkipVerify controls whether it is possible to use self-signed certificates when connecting to the - upstream. This is applied to `TykMakeHttpRequest` & `TykMakeBatchRequest` in virtual endpoint middleware. - type: boolean - ssl_min_version: - description: |- - SSLMinVersion defines the minimum TLS version the gateway will use to establish a connection to the upstream. - 1.0: 769; 1.1: 770; 1.2: 771; 1.3: 772. 
- enum: - - 769 - - 770 - - 771 - - 772 - type: integer - type: object - required: - - target_url - type: object - response_processors: - items: - properties: - name: - type: string - required: - - name - type: object - type: array - session_lifetime: - description: "SessionLifetime this is duration in seconds before the - session key expires\nin redis.\n\n\nExample:\nIf you want the session - keys to be alive only 24 hours you can set this\nvalue to 86400 - that we can break down to\n\t60 * 60 * 24 = Total seconds in a day" - format: int64 - type: integer - strip_auth_data: - description: StripAuthData ensures that any security tokens used for - accessing APIs are stripped and not leaked to the upstream - type: boolean - tag_headers: - items: - type: string - type: array - tags: - description: |- - Tags are named gateway nodes which tell gateway clusters whether to load an API or not. - for example, to load the API in an ARA gateway, you might want to include an `edge` tag. - items: - type: string - type: array - upstream_certificate_refs: - additionalProperties: - type: string - description: |- - UpstreamCertificateRefs is a map of domains and secret names that is used internally - to obtain certificates from secrets in order to establish mTLS support for upstreams - type: object - upstream_certificates: - additionalProperties: - type: string - description: |- - UpstreamCertificates is a map of domains and certificate IDs that is used by the Tyk - Gateway to provide mTLS support for upstreams - type: object - use_basic_auth: - description: UseBasicAuth enables basic authentication - type: boolean - use_go_plugin_auth: - description: Enable Go Plugin Auth. Needs to be combined with "use_keyless:false" - type: boolean - use_keyless: - description: |- - UseKeylessAccess will switch off all key checking. Some analytics will still be recorded, but rate-limiting, - quotas and security policies will not be possible (there is no session to attach requests to). 
- type: boolean - use_mutual_tls_auth: - description: UseMutualTLSAuth enables mututal TLS authentication - type: boolean - use_oauth2: - description: UseOAuth2 enables oauth2 authorization - type: boolean - use_standard_auth: - description: UseStandardAuth enables simple bearer token authentication - type: boolean - version_data: - properties: - default_version: - type: string - not_versioned: - type: boolean - versions: - additionalProperties: - properties: - expires: - type: string - extended_paths: - properties: - advance_cache_config: - items: - properties: - cache_key_regex: - type: string - cache_response_codes: - items: - type: integer - type: array - method: - description: HttpMethod represents HTTP request - method - enum: - - GET - - POST - - PUT - - PATCH - - DELETE - - OPTIONS - - HEAD - - CONNECT - - TRACE - type: string - path: - type: string - timeout: - format: int64 - type: integer - required: - - cache_key_regex - - cache_response_codes - - method - - path - type: object - type: array - black_list: - items: - properties: - ignore_case: - type: boolean - method_actions: - additionalProperties: - properties: - action: - type: string - code: - type: integer - data: - type: string - headers: - additionalProperties: - type: string - type: object - required: - - action - - code - - data - - headers - type: object - type: object - path: - type: string - required: - - ignore_case - - method_actions - - path - type: object - type: array - cache: - description: List of paths which cache middleware should - be enabled on - items: - type: string - type: array - circuit_breakers: - items: - properties: - disable_half_open_state: - type: boolean - method: - description: HttpMethod represents HTTP request - method - enum: - - GET - - POST - - PUT - - PATCH - - DELETE - - OPTIONS - - HEAD - - CONNECT - - TRACE - type: string - path: - type: string - return_to_service_after: - description: ReturnToServiceAfter represents the - time in seconds to return back to 
the service - type: integer - samples: - description: Samples defines the number of requests - to base the ThresholdPercent on - format: int64 - type: integer - threshold_percent: - description: ThresholdPercent is the percentage - of requests that fail before breaker is tripped - pattern: ^0\\.\\d+|1\\.0$ - type: string - required: - - method - - path - - return_to_service_after - - samples - - threshold_percent - type: object - type: array - do_not_track_endpoints: - items: - properties: - method: - description: HttpMethod represents HTTP request - method - enum: - - GET - - POST - - PUT - - PATCH - - DELETE - - OPTIONS - - HEAD - - CONNECT - - TRACE - type: string - path: - type: string - required: - - method - - path - type: object - type: array - hard_timeouts: - items: - properties: - method: - description: HttpMethod represents HTTP request - method - enum: - - GET - - POST - - PUT - - PATCH - - DELETE - - OPTIONS - - HEAD - - CONNECT - - TRACE - type: string - path: - type: string - timeout: - type: integer - required: - - method - - path - - timeout - type: object - type: array - ignored: - items: - properties: - ignore_case: - type: boolean - method_actions: - additionalProperties: - properties: - action: - type: string - code: - type: integer - data: - type: string - headers: - additionalProperties: - type: string - type: object - required: - - action - - code - - data - - headers - type: object - type: object - path: - type: string - required: - - ignore_case - - method_actions - - path - type: object - type: array - internal: - items: - properties: - method: - description: HttpMethod represents HTTP request - method - enum: - - GET - - POST - - PUT - - PATCH - - DELETE - - OPTIONS - - HEAD - - CONNECT - - TRACE - type: string - path: - type: string - required: - - method - - path - type: object - type: array - method_transforms: - items: - properties: - method: - description: HttpMethod represents HTTP request - method - enum: - - GET - - POST - - PUT 
- - PATCH - - DELETE - - OPTIONS - - HEAD - - CONNECT - - TRACE - type: string - path: - type: string - to_method: - description: HttpMethod represents HTTP request - method - enum: - - GET - - POST - - PUT - - PATCH - - DELETE - - OPTIONS - - HEAD - - CONNECT - - TRACE - type: string - required: - - method - - path - - to_method - type: object - type: array - size_limits: - items: - properties: - method: - description: HttpMethod represents HTTP request - method - enum: - - GET - - POST - - PUT - - PATCH - - DELETE - - OPTIONS - - HEAD - - CONNECT - - TRACE - type: string - path: - type: string - size_limit: - format: int64 - type: integer - required: - - method - - path - - size_limit - type: object - type: array - track_endpoints: - items: - properties: - method: - description: HttpMethod represents HTTP request - method - enum: - - GET - - POST - - PUT - - PATCH - - DELETE - - OPTIONS - - HEAD - - CONNECT - - TRACE - type: string - path: - type: string - required: - - method - - path - type: object - type: array - transform: - items: - properties: - method: - description: HttpMethod represents HTTP request - method - enum: - - GET - - POST - - PUT - - PATCH - - DELETE - - OPTIONS - - HEAD - - CONNECT - - TRACE - type: string - path: - type: string - template_data: - properties: - enable_session: - type: boolean - input_type: - type: string - template_mode: - type: string - template_source: - type: string - required: - - enable_session - - input_type - - template_mode - - template_source - type: object - required: - - method - - path - - template_data - type: object - type: array - transform_headers: - items: - properties: - act_on: - type: boolean - add_headers: - additionalProperties: - type: string - type: object - delete_headers: - items: - type: string - type: array - method: - description: HttpMethod represents HTTP request - method - enum: - - GET - - POST - - PUT - - PATCH - - DELETE - - OPTIONS - - HEAD - - CONNECT - - TRACE - type: string - path: - 
type: string - required: - - act_on - - add_headers - - delete_headers - - method - - path - type: object - type: array - transform_jq: - items: - properties: - filter: - type: string - method: - description: HttpMethod represents HTTP request - method - enum: - - GET - - POST - - PUT - - PATCH - - DELETE - - OPTIONS - - HEAD - - CONNECT - - TRACE - type: string - path: - type: string - required: - - filter - - method - - path - type: object - type: array - transform_jq_response: - items: - properties: - filter: - type: string - method: - description: HttpMethod represents HTTP request - method - enum: - - GET - - POST - - PUT - - PATCH - - DELETE - - OPTIONS - - HEAD - - CONNECT - - TRACE - type: string - path: - type: string - required: - - filter - - method - - path - type: object - type: array - transform_response: - items: - properties: - method: - description: HttpMethod represents HTTP request - method - enum: - - GET - - POST - - PUT - - PATCH - - DELETE - - OPTIONS - - HEAD - - CONNECT - - TRACE - type: string - path: - type: string - template_data: - properties: - enable_session: - type: boolean - input_type: - type: string - template_mode: - type: string - template_source: - type: string - required: - - enable_session - - input_type - - template_mode - - template_source - type: object - required: - - method - - path - - template_data - type: object - type: array - transform_response_headers: - items: - properties: - act_on: - type: boolean - add_headers: - additionalProperties: - type: string - type: object - delete_headers: - items: - type: string - type: array - method: - description: HttpMethod represents HTTP request - method - enum: - - GET - - POST - - PUT - - PATCH - - DELETE - - OPTIONS - - HEAD - - CONNECT - - TRACE - type: string - path: - type: string - required: - - act_on - - add_headers - - delete_headers - - method - - path - type: object - type: array - url_rewrites: - items: - properties: - match_pattern: - description: MatchPattern is a 
regular expression - pattern to match the path - type: string - method: - description: HttpMethod represents HTTP request - method - enum: - - GET - - POST - - PUT - - PATCH - - DELETE - - OPTIONS - - HEAD - - CONNECT - - TRACE - type: string - path: - description: Path represents the endpoint listen - path - type: string - rewrite_to: - description: RewriteTo is the target path on the - upstream, or target URL we wish to rewrite to - type: string - rewrite_to_internal: - description: |- - RewriteToInternal serves as rewrite_to but used when rewriting to target - internal api's - When rewrite_to and rewrite_to_internal are both provided then - rewrite_to will take rewrite_to_internal - properties: - path: - description: "Path path on target , this does - not include query parameters.\n\texample - /myendpoint" - type: string - query: - description: "Query url query string to add - to target\n\texample check_limits=true" - type: string - target: - description: |- - API a namespaced/name to the api definition resource that you are - targetting - properties: - name: - description: k8s resource name - type: string - namespace: - description: |- - The k8s namespace of the resource being targeted. When omitted this will be - set to the namespace of the object that is being reconciled. 
- type: string - required: - - name - type: object - type: object - triggers: - items: - properties: - "on": - type: string - options: - properties: - header_matches: - additionalProperties: - properties: - match_rx: - type: string - reverse: - type: boolean - required: - - match_rx - type: object - type: object - path_part_matches: - additionalProperties: - properties: - match_rx: - type: string - reverse: - type: boolean - required: - - match_rx - type: object - type: object - payload_matches: - properties: - match_rx: - type: string - reverse: - type: boolean - required: - - match_rx - type: object - query_val_matches: - additionalProperties: - properties: - match_rx: - type: string - reverse: - type: boolean - required: - - match_rx - type: object - type: object - request_context_matches: - additionalProperties: - properties: - match_rx: - type: string - reverse: - type: boolean - required: - - match_rx - type: object - type: object - session_meta_matches: - additionalProperties: - properties: - match_rx: - type: string - reverse: - type: boolean - required: - - match_rx - type: object - type: object - type: object - rewrite_to: - type: string - rewrite_to_internal: - description: |- - RewriteToInternal defines options that constructs a url that refers to an api that - is loaded into the gateway. - properties: - path: - description: "Path path on target , - this does not include query parameters.\n\texample - /myendpoint" - type: string - query: - description: "Query url query string - to add to target\n\texample check_limits=true" - type: string - target: - description: |- - API a namespaced/name to the api definition resource that you are - targetting - properties: - name: - description: k8s resource name - type: string - namespace: - description: |- - The k8s namespace of the resource being targeted. When omitted this will be - set to the namespace of the object that is being reconciled. 
- type: string - required: - - name - type: object - type: object - required: - - "on" - - options - type: object - type: array - required: - - match_pattern - - method - - path - type: object - type: array - validate_json: - items: - properties: - disabled: - type: boolean - error_response_code: - description: Allows override of default 422 Unprocessable - Entity response code for validation errors. - type: integer - method: - description: HttpMethod represents HTTP request - method - enum: - - GET - - POST - - PUT - - PATCH - - DELETE - - OPTIONS - - HEAD - - CONNECT - - TRACE - type: string - path: - type: string - schema: - description: |- - Schema represents schema field that verifies user requests against a specified - JSON schema and check that the data sent to your API by a consumer is in the right format. - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - error_response_code - - method - - path - - schema - type: object - type: array - virtual: - items: - properties: - function_source_type: - type: string - function_source_uri: - type: string - method: - description: HttpMethod represents HTTP request - method - enum: - - GET - - POST - - PUT - - PATCH - - DELETE - - OPTIONS - - HEAD - - CONNECT - - TRACE - type: string - path: - type: string - proxy_on_error: - type: boolean - response_function_name: - type: string - use_session: - type: boolean - required: - - function_source_type - - function_source_uri - - method - - path - - proxy_on_error - - response_function_name - - use_session - type: object - type: array - white_list: - items: - properties: - ignore_case: - type: boolean - method_actions: - additionalProperties: - properties: - action: - type: string - code: - type: integer - data: - type: string - headers: - additionalProperties: - type: string - type: object - required: - - action - - code - - data - - headers - type: object - type: object - path: - type: string - required: - - ignore_case - - method_actions - - path - 
type: object - type: array - type: object - global_headers: - additionalProperties: - type: string - type: object - global_headers_remove: - items: - type: string - type: array - global_response_headers: - additionalProperties: - type: string - type: object - global_response_headers_remove: - items: - type: string - type: array - global_size_limit: - format: int64 - type: integer - ignore_endpoint_case: - type: boolean - name: - type: string - override_target: - type: string - paths: - properties: - black_list: - items: - type: string - type: array - ignored: - items: - type: string - type: array - white_list: - items: - type: string - type: array - type: object - use_extended_paths: - type: boolean - required: - - name - type: object - type: object - required: - - default_version - - not_versioned - type: object - required: - - name - - protocol - - proxy - type: object - status: - description: ApiDefinitionStatus defines the observed state of ApiDefinition - properties: - api_id: - type: string - ingressTemplate: - description: IngressTemplate shows whether this CR is used as Ingress - Template or not. - type: boolean - latestCRDSpecHash: - description: |- - LatestCRDSpecHash stores the hash of ApiDefinition CRD created on K8s. This information is updated after - creating or updating the ApiDefinition. It is useful for Operator to understand running update - operation or not. If there is a change in latestCRDSpecHash as well as latestTykSpecHash, Operator - runs update logic and updates resources on Tyk Gateway or Tyk Dashboard. - type: string - latestTransaction: - description: LatestTransaction provides status information about the - last reconciliation. - properties: - error: - description: Error corresponds to the error happened on Tyk API - level, if any. - type: string - status: - description: Status corresponds to the status of the last transaction. - type: string - time: - description: Time corresponds to the time of last transaction. 
- format: date-time - type: string - type: object - latestTykSpecHash: - description: |- - LatestTykSpecHash stores the hash of ApiDefinition created on Tyk. This information is updated after - creating or updating the ApiDefinition. It is useful for Operator to understand running update - operation or not. If there is a change in latestTykSpecHash as well as latestCRDSpecHash, Operator - runs update logic and updates resources on Tyk Gateway or Tyk Dashboard. - type: string - linked_by_apis: - description: |- - LinkedByAPIs is a list of ApiDefinition namespaced/name that links to this - resource - items: - properties: - name: - description: k8s resource name - type: string - namespace: - description: |- - The k8s namespace of the resource being targeted. When omitted this will be - set to the namespace of the object that is being reconciled. - type: string - required: - - name - type: object - type: array - linked_by_policies: - description: LinkedByPolicies is a list policies that references this - api definition - items: - properties: - name: - description: k8s resource name - type: string - namespace: - description: |- - The k8s namespace of the resource being targeted. When omitted this will be - set to the namespace of the object that is being reconciled. - type: string - required: - - name - type: object - type: array - linked_to_apis: - description: |- - LinkedToAPIs is a list of ApiDefinition namespaced/name that this resource - links to. - items: - properties: - name: - description: k8s resource name - type: string - namespace: - description: |- - The k8s namespace of the resource being targeted. When omitted this will be - set to the namespace of the object that is being reconciled. - type: string - required: - - name - type: object - type: array - linked_to_subgraph: - description: |- - LinkedToSubgraph corresponds to the name of the Subgraph CR if the ApiDefinition is GraphQL Federation Subgraph. 
- ApiDefinition CR can only be linked to Subgraph CRs that are created in the same namespace as ApiDefinition CR. - type: string - orgId: - description: OrgID corresponds to the Organization ID that this API - belongs to. - type: string - required: - - api_id - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.14.0 - name: apidescriptions.tyk.tyk.io -spec: - group: tyk.tyk.io - names: - categories: - - tyk - kind: APIDescription - listKind: APIDescriptionList - plural: apidescriptions - singular: apidescription - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: APIDescription is the Schema for the apidescriptions API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: APIDescriptionSpec defines the desired state of APIDescription - properties: - auth_type: - description: AuthType displays as a badge next to the name of the - API - enum: - - keyless - - jwt - - oauth - - authToken - type: string - config: - description: |- - Config allows you to optionally override various fields in the PortalConfig. 
- TODO: This is an advanced capability which has not been fully tested with Tyk Operator as yet. - properties: - catalogue_login_only: - description: CatalogueLoginOnly limits access to catalogues for - login users only. - type: boolean - dcr_options: - description: DCROptions dynamic client registration options. - properties: - access_token: - description: AccessToken represents an optional bearer token - to authenticate with against the registration endpoint - type: string - grant_types: - description: |- - GrantTypes is an array of OAuth 2.0 grant type strings that the client can use at - the token endpoint. - items: - enum: - - client_credentials - - authorization_code - - refresh_token - type: string - type: array - idp_host: - description: |- - IDPHost is the fully qualified hostname of the Identity Provider. - e.g. https://mysubdomain.eu.auth0.com - type: string - provider: - description: |- - Provider is an optional enum of the provider which allows Tyk to register clients outside the standard DCR spec - and perform provider specific logic. - If your provider is not in this list, please omit. Upon failure, submit a support ticket so that we may extend - support for your provider. - enum: - - gluu - - keycloak - - okta - type: string - registration_endpoint: - description: RegistrationEndpoint is the registration_endpoint - as presented in the /.well-known/openid-configuration document. - type: string - response_types: - description: |- - ResponseTypes is an array of OAuth 2.0 response type strings that the client can - use at the authorization endpoint. - items: - enum: - - code - - token - type: string - type: array - token_endpoint_auth_method: - description: |- - TokenEndpointAuthMethod is an indicator of the requested authentication method for the token endpoint. - "none": The client is a public client and does not have a client secret. 
- "client_secret_post": The client uses the HTTP POST parameters - "client_secret_basic": The client uses HTTP Basic authentication - enum: - - client_secret_basic - - client_secret_post - - client_secret_jwt - - private_key_jwt - - none - type: string - required: - - grant_types - - idp_host - - registration_endpoint - - token_endpoint_auth_method - type: object - disable_auto_login: - type: boolean - disable_login: - description: |- - DisableLogin disables login on developer portal.If you do not want - developers to be able to login, set this value to true. You can use this - configuration option in the portal templates to display or hide the login - form as well as disabling the actual login method. - type: boolean - disable_signup: - description: |- - DisableSignup stop developer sign-up to the portal.This will stop developers - from being able to signup, they will need to be created manually, or - assigned keys via the key management API. - type: boolean - email: - type: string - enable_dcr: - description: EnableDCR activates dynamic client registration. - type: boolean - enable_multi_selection: - description: |- - EnableMultiSelection enables subscribing to multiple APIs with single - key.User will be able subscript any combination of exposed catalogues of the - same authentication type - type: boolean - id: - description: Set by the server. DO NOT set this field it is read - only. 
- type: string - key_request_fields: - description: KeyRequestFields is a slice of fields which are asked - of the portal developer when requesting an api key - items: - type: string - type: array - mail_options: - properties: - email_copy: - properties: - key_email: - properties: - body: - type: string - enabled: - type: boolean - hide_token_data: - type: boolean - sign_off: - type: string - subject: - type: string - required: - - body - - enabled - - hide_token_data - - sign_off - - subject - type: object - reset_password_email: - properties: - body: - type: string - enabled: - type: boolean - hide_token_data: - type: boolean - sign_off: - type: string - subject: - type: string - required: - - body - - enabled - - hide_token_data - - sign_off - - subject - type: object - welcome_email: - properties: - body: - type: string - enabled: - type: boolean - hide_token_data: - type: boolean - sign_off: - type: string - subject: - type: string - required: - - body - - enabled - - hide_token_data - - sign_off - - subject - type: object - required: - - key_email - - reset_password_email - - welcome_email - type: object - mail_from_email: - type: string - mail_from_name: - type: string - required: - - email_copy - - mail_from_email - - mail_from_name - type: object - oauth_usage_limit: - description: OAuthUsageLimit is the maximum permitted number of - OAuth clients - type: integer - org_id: - description: OrgID is the organization ID - type: string - override: - description: |- - Override overides global settings. These Catalogue settings are currently - being overwritten by the Global Catalogue settings. Toggle the checkbox - below to override them for this Catalogue. - type: boolean - redirect_on_key_request: - description: |- - RedirectOnKeyRequest redirects key requests. 
WHen set to true it will - redirect key requests to the url specified in RedirectTo field - type: boolean - redirect_to: - description: RedirectTo is a url used to redirect key requests - type: string - require_key_approval: - description: |- - RequireKeyApproval requires reviewing of all key requests before approving - them. By default developers will auto-enroll into an API and be given an API - key. If you wish to review key requests before giving developers access to - the API, enable this option and you will manually need to approve them in - the 'Key requests' section of the dashboard. - type: boolean - secure_key_approval: - description: |- - SecureKeyApproval enables Secure key approval.By default, API keys when - approved are sent in an email to the Developer. By enabling this option, the - Developer will instead receive a link where they can go to generate the API - key securely - type: boolean - signup_fields: - description: SignUpFields is a slice of fields which are asked - of the portal developer when they register for an account - items: - type: string - type: array - type: object - contextRef: - properties: - name: - description: k8s resource name - type: string - namespace: - description: |- - The k8s namespace of the resource being targeted. When omitted this will be - set to the namespace of the object that is being reconciled. - type: string - required: - - name - type: object - docs: - properties: - doc_type: - enum: - - swagger - - swagger_custom_url - - graphql - type: string - documentation: - type: string - required: - - doc_type - type: object - documentation: - description: Do not set Documentation. Use `docs` instead. - type: string - fields: - additionalProperties: - type: string - description: |- - Fields is a generic map of key:value pairs. - You may wish to use this to tag a catalogue as type:internal or type:public - Then apply logic at the template layer to dynamically display catalogue apis to different user types. 
- type: object - is_keyless: - description: IsKeyless toggles visibility of the `Request an API Key - button`. Use this when AuthType is keyless, jwt or oauth. - type: boolean - long_description: - description: |- - LongDescription can be markdown. It allows you to describe the capabilities of the API and is displayed just - below the name and AuthType in the catalogue listing page. - type: string - name: - description: Name is the title of the API that you wish to be published - to the catalogue - type: string - policy_id: - description: |- - PolicyID explicitly sets the policy_id to be published. We do not recommend that this value is set directly. - Rather, use `policyRef` instead. - type: string - policyRef: - properties: - name: - description: k8s resource name - type: string - namespace: - description: |- - The k8s namespace of the resource being targeted. When omitted this will be - set to the namespace of the object that is being reconciled. - type: string - required: - - name - type: object - short_description: - description: 'TODO: I don''t think this is exposed to the default - portal templates.' 
- type: string - show: - description: Show toggles visibility of the API in the portal catalogue - type: boolean - version: - default: v2 - description: Version should always be v2 - enum: - - v2 - type: string - type: object - status: - description: APIDescriptionStatus defines the observed state of APIDescription - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.14.0 - name: operatorcontexts.tyk.tyk.io -spec: - group: tyk.tyk.io - names: - categories: - - tyk - kind: OperatorContext - listKind: OperatorContextList - plural: operatorcontexts - singular: operatorcontext - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: OperatorContext is the Schema for the operatorcontexts API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: OperatorContextSpec defines the desired state of OperatorContext - properties: - env: - description: |- - Env is the values of the admin api endpoint that the operator will use to - reconcile resources - properties: - auth: - type: string - ingress: - properties: - httpPort: - type: integer - httpsPort: - type: integer - type: object - insecureSkipVerify: - type: boolean - mode: - description: |- - OperatorContextMode is the mode to which the admin api binding is done values are - ce for community edition and pro for dashboard - enum: - - ce - - pro - type: string - org: - type: string - url: - type: string - user_group_owners: - items: - type: string - type: array - user_owners: - items: - type: string - type: array - type: object - secretRef: - description: Reference to k8s secret resource that we load environment - from. - properties: - name: - description: k8s resource name - type: string - namespace: - description: |- - The k8s namespace of the resource being targeted. When omitted this will be - set to the namespace of the object that is being reconciled. - type: string - required: - - name - type: object - type: object - status: - description: OperatorContextStatus defines the observed state of OperatorContext - properties: - linked_api_definitions: - items: - properties: - name: - description: k8s resource name - type: string - namespace: - description: |- - The k8s namespace of the resource being targeted. When omitted this will be - set to the namespace of the object that is being reconciled. - type: string - required: - - name - type: object - type: array - linked_api_descriptions: - items: - properties: - name: - description: k8s resource name - type: string - namespace: - description: |- - The k8s namespace of the resource being targeted. 
When omitted this will be - set to the namespace of the object that is being reconciled. - type: string - required: - - name - type: object - type: array - linked_portal_catalogues: - items: - properties: - name: - description: k8s resource name - type: string - namespace: - description: |- - The k8s namespace of the resource being targeted. When omitted this will be - set to the namespace of the object that is being reconciled. - type: string - required: - - name - type: object - type: array - linked_portal_configs: - items: - properties: - name: - description: k8s resource name - type: string - namespace: - description: |- - The k8s namespace of the resource being targeted. When omitted this will be - set to the namespace of the object that is being reconciled. - type: string - required: - - name - type: object - type: array - linked_security_policies: - items: - properties: - name: - description: k8s resource name - type: string - namespace: - description: |- - The k8s namespace of the resource being targeted. When omitted this will be - set to the namespace of the object that is being reconciled. - type: string - required: - - name - type: object - type: array - linked_tyk_oas_api_definition: - items: - properties: - name: - description: k8s resource name - type: string - namespace: - description: |- - The k8s namespace of the resource being targeted. When omitted this will be - set to the namespace of the object that is being reconciled. 
- type: string - required: - - name - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.14.0 - name: portalapicatalogues.tyk.tyk.io -spec: - group: tyk.tyk.io - names: - categories: - - tyk - kind: PortalAPICatalogue - listKind: PortalAPICatalogueList - plural: portalapicatalogues - shortNames: - - tykcatalogues - singular: portalapicatalogue - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.id - name: ID - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: PortalAPICatalogue is the Schema for the portalapicatalogues - API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: PortalAPICatalogueSpec defines the desired state of PortalAPICatalogue - properties: - apis: - description: APIDescriptionList is a list of PortalCatalogueDescription - published on this PortalAPICatalogue - items: - properties: - apiDescriptionRef: - properties: - name: - description: k8s resource name - type: string - namespace: - description: |- - The k8s namespace of the resource being targeted. 
When omitted this will be - set to the namespace of the object that is being reconciled. - type: string - required: - - name - type: object - auth_type: - description: AuthType displays as a badge next to the name of - the API - enum: - - keyless - - jwt - - oauth - - authToken - type: string - config: - description: |- - Config allows you to optionally override various fields in the PortalConfig. - TODO: This is an advanced capability which has not been fully tested with Tyk Operator as yet. - properties: - catalogue_login_only: - description: CatalogueLoginOnly limits access to catalogues - for login users only. - type: boolean - dcr_options: - description: DCROptions dynamic client registration options. - properties: - access_token: - description: AccessToken represents an optional bearer - token to authenticate with against the registration - endpoint - type: string - grant_types: - description: |- - GrantTypes is an array of OAuth 2.0 grant type strings that the client can use at - the token endpoint. - items: - enum: - - client_credentials - - authorization_code - - refresh_token - type: string - type: array - idp_host: - description: |- - IDPHost is the fully qualified hostname of the Identity Provider. - e.g. https://mysubdomain.eu.auth0.com - type: string - provider: - description: |- - Provider is an optional enum of the provider which allows Tyk to register clients outside the standard DCR spec - and perform provider specific logic. - If your provider is not in this list, please omit. Upon failure, submit a support ticket so that we may extend - support for your provider. - enum: - - gluu - - keycloak - - okta - type: string - registration_endpoint: - description: RegistrationEndpoint is the registration_endpoint - as presented in the /.well-known/openid-configuration - document. - type: string - response_types: - description: |- - ResponseTypes is an array of OAuth 2.0 response type strings that the client can - use at the authorization endpoint. 
- items: - enum: - - code - - token - type: string - type: array - token_endpoint_auth_method: - description: |- - TokenEndpointAuthMethod is an indicator of the requested authentication method for the token endpoint. - "none": The client is a public client and does not have a client secret. - "client_secret_post": The client uses the HTTP POST parameters - "client_secret_basic": The client uses HTTP Basic authentication - enum: - - client_secret_basic - - client_secret_post - - client_secret_jwt - - private_key_jwt - - none - type: string - required: - - grant_types - - idp_host - - registration_endpoint - - token_endpoint_auth_method - type: object - disable_auto_login: - type: boolean - disable_login: - description: |- - DisableLogin disables login on developer portal.If you do not want - developers to be able to login, set this value to true. You can use this - configuration option in the portal templates to display or hide the login - form as well as disabling the actual login method. - type: boolean - disable_signup: - description: |- - DisableSignup stop developer sign-up to the portal.This will stop developers - from being able to signup, they will need to be created manually, or - assigned keys via the key management API. - type: boolean - email: - type: string - enable_dcr: - description: EnableDCR activates dynamic client registration. - type: boolean - enable_multi_selection: - description: |- - EnableMultiSelection enables subscribing to multiple APIs with single - key.User will be able subscript any combination of exposed catalogues of the - same authentication type - type: boolean - id: - description: Set by the server. DO NOT set this field it - is read only. 
- type: string - key_request_fields: - description: KeyRequestFields is a slice of fields which - are asked of the portal developer when requesting an api - key - items: - type: string - type: array - mail_options: - properties: - email_copy: - properties: - key_email: - properties: - body: - type: string - enabled: - type: boolean - hide_token_data: - type: boolean - sign_off: - type: string - subject: - type: string - required: - - body - - enabled - - hide_token_data - - sign_off - - subject - type: object - reset_password_email: - properties: - body: - type: string - enabled: - type: boolean - hide_token_data: - type: boolean - sign_off: - type: string - subject: - type: string - required: - - body - - enabled - - hide_token_data - - sign_off - - subject - type: object - welcome_email: - properties: - body: - type: string - enabled: - type: boolean - hide_token_data: - type: boolean - sign_off: - type: string - subject: - type: string - required: - - body - - enabled - - hide_token_data - - sign_off - - subject - type: object - required: - - key_email - - reset_password_email - - welcome_email - type: object - mail_from_email: - type: string - mail_from_name: - type: string - required: - - email_copy - - mail_from_email - - mail_from_name - type: object - oauth_usage_limit: - description: OAuthUsageLimit is the maximum permitted number - of OAuth clients - type: integer - org_id: - description: OrgID is the organization ID - type: string - override: - description: |- - Override overides global settings. These Catalogue settings are currently - being overwritten by the Global Catalogue settings. Toggle the checkbox - below to override them for this Catalogue. - type: boolean - redirect_on_key_request: - description: |- - RedirectOnKeyRequest redirects key requests. 
WHen set to true it will - redirect key requests to the url specified in RedirectTo field - type: boolean - redirect_to: - description: RedirectTo is a url used to redirect key requests - type: string - require_key_approval: - description: |- - RequireKeyApproval requires reviewing of all key requests before approving - them. By default developers will auto-enroll into an API and be given an API - key. If you wish to review key requests before giving developers access to - the API, enable this option and you will manually need to approve them in - the 'Key requests' section of the dashboard. - type: boolean - secure_key_approval: - description: |- - SecureKeyApproval enables Secure key approval.By default, API keys when - approved are sent in an email to the Developer. By enabling this option, the - Developer will instead receive a link where they can go to generate the API - key securely - type: boolean - signup_fields: - description: SignUpFields is a slice of fields which are - asked of the portal developer when they register for an - account - items: - type: string - type: array - type: object - docs: - properties: - doc_type: - enum: - - swagger - - swagger_custom_url - - graphql - type: string - documentation: - type: string - required: - - doc_type - type: object - documentation: - description: Do not set Documentation. Use `docs` instead. - type: string - fields: - additionalProperties: - type: string - description: |- - Fields is a generic map of key:value pairs. - You may wish to use this to tag a catalogue as type:internal or type:public - Then apply logic at the template layer to dynamically display catalogue apis to different user types. - type: object - is_keyless: - description: IsKeyless toggles visibility of the `Request an - API Key button`. Use this when AuthType is keyless, jwt or - oauth. - type: boolean - long_description: - description: |- - LongDescription can be markdown. 
It allows you to describe the capabilities of the API and is displayed just - below the name and AuthType in the catalogue listing page. - type: string - name: - description: Name is the title of the API that you wish to be - published to the catalogue - type: string - policy_id: - description: |- - PolicyID explicitly sets the policy_id to be published. We do not recommend that this value is set directly. - Rather, use `policyRef` instead. - type: string - policyRef: - properties: - name: - description: k8s resource name - type: string - namespace: - description: |- - The k8s namespace of the resource being targeted. When omitted this will be - set to the namespace of the object that is being reconciled. - type: string - required: - - name - type: object - short_description: - description: 'TODO: I don''t think this is exposed to the default - portal templates.' - type: string - show: - description: Show toggles visibility of the API in the portal - catalogue - type: boolean - version: - default: v2 - description: Version should always be v2 - enum: - - v2 - type: string - type: object - type: array - contextRef: - description: |- - Context is reference to OperatorContext resource. Set this if you want to - target a specific OperatorContext. When omitted default OperatorContext is - used. - properties: - name: - description: k8s resource name - type: string - namespace: - description: |- - The k8s namespace of the resource being targeted. When omitted this will be - set to the namespace of the object that is being reconciled. 
- type: string - required: - - name - type: object - email: - description: |- - Email is Catalogue owner email address.Catalogue owner will be notified at - this email address when an API subscription request is submitted or granted - type: string - org_id: - description: OrgID is the organization ID - type: string - type: object - status: - description: PortalAPICatalogueStatus defines the observed state of PortalAPICatalogue - properties: - id: - description: ID is the mongo ID of the PortalAPICatalogue object created - by the dashboard. - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.14.0 - name: portalconfigs.tyk.tyk.io -spec: - group: tyk.tyk.io - names: - categories: - - tyk - kind: PortalConfig - listKind: PortalConfigList - plural: portalconfigs - singular: portalconfig - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: PortalConfig is the Schema for the portalconfigs API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: PortalConfigSpec defines the desired state of PortalConfig - properties: - catalogue_login_only: - description: CatalogueLoginOnly limits access to catalogues for login - users only. - type: boolean - contextRef: - properties: - name: - description: k8s resource name - type: string - namespace: - description: |- - The k8s namespace of the resource being targeted. When omitted this will be - set to the namespace of the object that is being reconciled. - type: string - required: - - name - type: object - dcr_options: - description: DCROptions dynamic client registration options. - properties: - access_token: - description: AccessToken represents an optional bearer token to - authenticate with against the registration endpoint - type: string - grant_types: - description: |- - GrantTypes is an array of OAuth 2.0 grant type strings that the client can use at - the token endpoint. - items: - enum: - - client_credentials - - authorization_code - - refresh_token - type: string - type: array - idp_host: - description: |- - IDPHost is the fully qualified hostname of the Identity Provider. - e.g. https://mysubdomain.eu.auth0.com - type: string - provider: - description: |- - Provider is an optional enum of the provider which allows Tyk to register clients outside the standard DCR spec - and perform provider specific logic. - If your provider is not in this list, please omit. Upon failure, submit a support ticket so that we may extend - support for your provider. - enum: - - gluu - - keycloak - - okta - type: string - registration_endpoint: - description: RegistrationEndpoint is the registration_endpoint - as presented in the /.well-known/openid-configuration document. 
- type: string - response_types: - description: |- - ResponseTypes is an array of OAuth 2.0 response type strings that the client can - use at the authorization endpoint. - items: - enum: - - code - - token - type: string - type: array - token_endpoint_auth_method: - description: |- - TokenEndpointAuthMethod is an indicator of the requested authentication method for the token endpoint. - "none": The client is a public client and does not have a client secret. - "client_secret_post": The client uses the HTTP POST parameters - "client_secret_basic": The client uses HTTP Basic authentication - enum: - - client_secret_basic - - client_secret_post - - client_secret_jwt - - private_key_jwt - - none - type: string - required: - - grant_types - - idp_host - - registration_endpoint - - token_endpoint_auth_method - type: object - disable_auto_login: - type: boolean - disable_login: - description: |- - DisableLogin disables login on developer portal.If you do not want - developers to be able to login, set this value to true. You can use this - configuration option in the portal templates to display or hide the login - form as well as disabling the actual login method. - type: boolean - disable_signup: - description: |- - DisableSignup stop developer sign-up to the portal.This will stop developers - from being able to signup, they will need to be created manually, or - assigned keys via the key management API. - type: boolean - email: - type: string - enable_dcr: - description: EnableDCR activates dynamic client registration. - type: boolean - enable_multi_selection: - description: |- - EnableMultiSelection enables subscribing to multiple APIs with single - key.User will be able subscript any combination of exposed catalogues of the - same authentication type - type: boolean - id: - description: Set by the server. DO NOT set this field it is read only. 
- type: string - key_request_fields: - description: KeyRequestFields is a slice of fields which are asked - of the portal developer when requesting an api key - items: - type: string - type: array - mail_options: - properties: - email_copy: - properties: - key_email: - properties: - body: - type: string - enabled: - type: boolean - hide_token_data: - type: boolean - sign_off: - type: string - subject: - type: string - required: - - body - - enabled - - hide_token_data - - sign_off - - subject - type: object - reset_password_email: - properties: - body: - type: string - enabled: - type: boolean - hide_token_data: - type: boolean - sign_off: - type: string - subject: - type: string - required: - - body - - enabled - - hide_token_data - - sign_off - - subject - type: object - welcome_email: - properties: - body: - type: string - enabled: - type: boolean - hide_token_data: - type: boolean - sign_off: - type: string - subject: - type: string - required: - - body - - enabled - - hide_token_data - - sign_off - - subject - type: object - required: - - key_email - - reset_password_email - - welcome_email - type: object - mail_from_email: - type: string - mail_from_name: - type: string - required: - - email_copy - - mail_from_email - - mail_from_name - type: object - oauth_usage_limit: - description: OAuthUsageLimit is the maximum permitted number of OAuth - clients - type: integer - org_id: - description: OrgID is the organization ID - type: string - override: - description: |- - Override overides global settings. These Catalogue settings are currently - being overwritten by the Global Catalogue settings. Toggle the checkbox - below to override them for this Catalogue. - type: boolean - redirect_on_key_request: - description: |- - RedirectOnKeyRequest redirects key requests. 
WHen set to true it will - redirect key requests to the url specified in RedirectTo field - type: boolean - redirect_to: - description: RedirectTo is a url used to redirect key requests - type: string - require_key_approval: - description: |- - RequireKeyApproval requires reviewing of all key requests before approving - them. By default developers will auto-enroll into an API and be given an API - key. If you wish to review key requests before giving developers access to - the API, enable this option and you will manually need to approve them in - the 'Key requests' section of the dashboard. - type: boolean - secure_key_approval: - description: |- - SecureKeyApproval enables Secure key approval.By default, API keys when - approved are sent in an email to the Developer. By enabling this option, the - Developer will instead receive a link where they can go to generate the API - key securely - type: boolean - signup_fields: - description: SignUpFields is a slice of fields which are asked of - the portal developer when they register for an account - items: - type: string - type: array - type: object - status: - description: PortalConfigStatus defines the observed state of PortalConfig - properties: - id: - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) - controller-gen.kubebuilder.io/version: v0.14.0 - name: securitypolicies.tyk.tyk.io -spec: - group: tyk.tyk.io - names: - categories: - - tyk - kind: SecurityPolicy - listKind: SecurityPolicyList - plural: securitypolicies - shortNames: - - tykpolicies - singular: securitypolicy - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: SecurityPolicy is the Schema for the securitypolicies API - properties: - apiVersion: - description: |- - APIVersion 
defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecurityPolicySpec defines the desired state of SecurityPolicy - properties: - _id: - description: |- - MID ("_id") is generated by Tyk once the resource is created. - Do NOT fill this in. - type: string - access_rights: - additionalProperties: - description: AccessDefinition defines which versions of an API a - key has access to - properties: - allowance_scope: - type: string - allowed_types: - description: |- - Field access of GraphQL APIs can be restricted by setting up an allowed types list in a policy - or directly on a key. - items: - description: GraphQLType represents a GraphQL Type for Tyk. 
- properties: - fields: - items: - type: string - type: array - name: - type: string - required: - - fields - - name - type: object - type: array - allowed_urls: - items: - description: AccessSpec defines what URLS a user has access - to and what methods are enabled - properties: - methods: - items: - type: string - type: array - url: - type: string - required: - - methods - - url - type: object - type: array - api_id: - description: 'TODO: APIID should not really be needed, as is - auto-set from the APIDefinition Resource' - type: string - api_name: - description: 'TODO: APIName should not really be needed, as - is auto-set from the APIDefinition Resource' - type: string - disable_introspection: - description: DisableIntrospection disables GraphQL introspection - if it is set to True. - type: boolean - endpoints: - description: Endpoints is a collection of Endpoint. - items: - description: Endpoint holds the configuration for endpoint - rate limiting. - properties: - methods: - description: EndpointMethods is a collection of EndpointMethod. - items: - description: EndpointMethod holds the configuration - on endpoint method level. - properties: - limit: - description: RateLimit holds rate limit configuration. - properties: - per: - description: Per is the interval at which rate - limit is enforced. - pattern: ^(?:[-+]?(?:[0-9]+))?(?:\\.[0-9]*)?(?:[eE][\\+\\-]?(?:[0-9]+))?$ - type: string - rate: - description: Rate is the allowed number of requests - per interval. - pattern: ^(?:[-+]?(?:[0-9]+))?(?:\\.[0-9]*)?(?:[eE][\\+\\-]?(?:[0-9]+))?$ - type: string - smoothing: - description: Smoothing contains rate limit smoothing - settings. - properties: - delay: - description: Delay is the minimum time between - rate limit changes (in seconds). - format: int64 - type: integer - enabled: - description: Enabled indicates if rate limit - smoothing is active. - type: boolean - step: - description: Step is the increment/decrement - for adjusting the rate limit. 
- format: int64 - type: integer - threshold: - description: Threshold is the request rate - above which smoothing is applied. - format: int64 - type: integer - trigger: - description: Trigger is the step factor - determining when smoothing events trigger. - pattern: ^(?:[-+]?(?:[0-9]+))?(?:\\.[0-9]*)?(?:[eE][\\+\\-]?(?:[0-9]+))?$ - type: string - required: - - enabled - type: object - required: - - per - - rate - type: object - name: - type: string - type: object - type: array - path: - type: string - type: object - type: array - field_access_rights: - description: FieldAccessRights is array of depth limit settings - per GraphQL APIs. - items: - description: FieldAccessDefinition represent a struct for - depth limit settings per API. - properties: - field_name: - description: FieldName represents the name of the Query - or Mutation which the limit applies to. - type: string - limits: - description: Limit specifies the numerical value of the - limit. - properties: - max_query_depth: - description: MaxQueryDepth represents the numerical - value of the limit. - format: int64 - type: integer - required: - - max_query_depth - type: object - type_name: - description: |- - TypeName points to a type on which depth limit is set. - It can be either Query (most common case) or Mutation - type: string - type: object - type: array - kind: - default: ApiDefinition - description: |- - Kind represents the kind of the linked API Definition resource. - It can be either "ApiDefinition" or "TykOasApiDefinition" (case sensitive way). - By default, Kind is set to "ApiDefinition". 
- enum: - - ApiDefinition - - TykOasApiDefinition - - TykStreamsApiDefinition - type: string - limit: - description: APILimit stores quota and rate limit on ACL level - (per API) - properties: - max_query_depth: - type: integer - per: - format: int64 - type: integer - quota_max: - format: int64 - type: integer - quota_renewal_rate: - format: int64 - type: integer - rate: - format: int64 - type: integer - smoothing: - description: Smoothing contains rate limit smoothing settings. - properties: - delay: - description: Delay is the minimum time between rate - limit changes (in seconds). - format: int64 - type: integer - enabled: - description: Enabled indicates if rate limit smoothing - is active. - type: boolean - step: - description: Step is the increment/decrement for adjusting - the rate limit. - format: int64 - type: integer - threshold: - description: Threshold is the request rate above which - smoothing is applied. - format: int64 - type: integer - trigger: - description: Trigger is the step factor determining - when smoothing events trigger. - pattern: ^(?:[-+]?(?:[0-9]+))?(?:\\.[0-9]*)?(?:[eE][\\+\\-]?(?:[0-9]+))?$ - type: string - required: - - enabled - type: object - throttle_interval: - format: int64 - type: integer - throttle_retry_limit: - type: integer - required: - - per - - quota_max - - quota_renewal_rate - - rate - - throttle_interval - - throttle_retry_limit - type: object - name: - description: Name of the ApiDefinition resource to target - type: string - namespace: - description: Namespace of the ApiDefinition resource to target - type: string - restricted_types: - description: |- - Field access of GraphQL APIs can be restricted by setting up an allowed types list in a policy - or directly on a key. - items: - description: GraphQLType represents a GraphQL Type for Tyk. 
- properties: - fields: - items: - type: string - type: array - name: - type: string - required: - - fields - - name - type: object - type: array - versions: - items: - type: string - type: array - required: - - name - - namespace - type: object - type: object - access_rights_array: - items: - description: AccessDefinition defines which versions of an API a - key has access to - properties: - allowance_scope: - type: string - allowed_types: - description: |- - Field access of GraphQL APIs can be restricted by setting up an allowed types list in a policy - or directly on a key. - items: - description: GraphQLType represents a GraphQL Type for Tyk. - properties: - fields: - items: - type: string - type: array - name: - type: string - required: - - fields - - name - type: object - type: array - allowed_urls: - items: - description: AccessSpec defines what URLS a user has access - to and what methods are enabled - properties: - methods: - items: - type: string - type: array - url: - type: string - required: - - methods - - url - type: object - type: array - api_id: - description: 'TODO: APIID should not really be needed, as is - auto-set from the APIDefinition Resource' - type: string - api_name: - description: 'TODO: APIName should not really be needed, as - is auto-set from the APIDefinition Resource' - type: string - disable_introspection: - description: DisableIntrospection disables GraphQL introspection - if it is set to True. - type: boolean - endpoints: - description: Endpoints is a collection of Endpoint. - items: - description: Endpoint holds the configuration for endpoint - rate limiting. - properties: - methods: - description: EndpointMethods is a collection of EndpointMethod. - items: - description: EndpointMethod holds the configuration - on endpoint method level. - properties: - limit: - description: RateLimit holds rate limit configuration. - properties: - per: - description: Per is the interval at which rate - limit is enforced. 
- pattern: ^(?:[-+]?(?:[0-9]+))?(?:\\.[0-9]*)?(?:[eE][\\+\\-]?(?:[0-9]+))?$ - type: string - rate: - description: Rate is the allowed number of requests - per interval. - pattern: ^(?:[-+]?(?:[0-9]+))?(?:\\.[0-9]*)?(?:[eE][\\+\\-]?(?:[0-9]+))?$ - type: string - smoothing: - description: Smoothing contains rate limit smoothing - settings. - properties: - delay: - description: Delay is the minimum time between - rate limit changes (in seconds). - format: int64 - type: integer - enabled: - description: Enabled indicates if rate limit - smoothing is active. - type: boolean - step: - description: Step is the increment/decrement - for adjusting the rate limit. - format: int64 - type: integer - threshold: - description: Threshold is the request rate - above which smoothing is applied. - format: int64 - type: integer - trigger: - description: Trigger is the step factor - determining when smoothing events trigger. - pattern: ^(?:[-+]?(?:[0-9]+))?(?:\\.[0-9]*)?(?:[eE][\\+\\-]?(?:[0-9]+))?$ - type: string - required: - - enabled - type: object - required: - - per - - rate - type: object - name: - type: string - type: object - type: array - path: - type: string - type: object - type: array - field_access_rights: - description: FieldAccessRights is array of depth limit settings - per GraphQL APIs. - items: - description: FieldAccessDefinition represent a struct for - depth limit settings per API. - properties: - field_name: - description: FieldName represents the name of the Query - or Mutation which the limit applies to. - type: string - limits: - description: Limit specifies the numerical value of the - limit. - properties: - max_query_depth: - description: MaxQueryDepth represents the numerical - value of the limit. - format: int64 - type: integer - required: - - max_query_depth - type: object - type_name: - description: |- - TypeName points to a type on which depth limit is set. 
- It can be either Query (most common case) or Mutation - type: string - type: object - type: array - kind: - default: ApiDefinition - description: |- - Kind represents the kind of the linked API Definition resource. - It can be either "ApiDefinition" or "TykOasApiDefinition" (case sensitive way). - By default, Kind is set to "ApiDefinition". - enum: - - ApiDefinition - - TykOasApiDefinition - - TykStreamsApiDefinition - type: string - limit: - description: APILimit stores quota and rate limit on ACL level - (per API) - properties: - max_query_depth: - type: integer - per: - format: int64 - type: integer - quota_max: - format: int64 - type: integer - quota_renewal_rate: - format: int64 - type: integer - rate: - format: int64 - type: integer - smoothing: - description: Smoothing contains rate limit smoothing settings. - properties: - delay: - description: Delay is the minimum time between rate - limit changes (in seconds). - format: int64 - type: integer - enabled: - description: Enabled indicates if rate limit smoothing - is active. - type: boolean - step: - description: Step is the increment/decrement for adjusting - the rate limit. - format: int64 - type: integer - threshold: - description: Threshold is the request rate above which - smoothing is applied. - format: int64 - type: integer - trigger: - description: Trigger is the step factor determining - when smoothing events trigger. 
- pattern: ^(?:[-+]?(?:[0-9]+))?(?:\\.[0-9]*)?(?:[eE][\\+\\-]?(?:[0-9]+))?$ - type: string - required: - - enabled - type: object - throttle_interval: - format: int64 - type: integer - throttle_retry_limit: - type: integer - required: - - per - - quota_max - - quota_renewal_rate - - rate - - throttle_interval - - throttle_retry_limit - type: object - name: - description: Name of the ApiDefinition resource to target - type: string - namespace: - description: Namespace of the ApiDefinition resource to target - type: string - restricted_types: - description: |- - Field access of GraphQL APIs can be restricted by setting up an allowed types list in a policy - or directly on a key. - items: - description: GraphQLType represents a GraphQL Type for Tyk. - properties: - fields: - items: - type: string - type: array - name: - type: string - required: - - fields - - name - type: object - type: array - versions: - items: - type: string - type: array - required: - - name - - namespace - type: object - type: array - active: - description: Active must be set to `true` for Tyk to load the security - policy into memory. - type: boolean - contextRef: - description: |- - Context specify namespace/name of the OperatorContext object used for - reconciling this APIDefinition - properties: - name: - description: k8s resource name - type: string - namespace: - description: |- - The k8s namespace of the resource being targeted. When omitted this will be - set to the namespace of the object that is being reconciled. - type: string - required: - - name - type: object - enable_http_signature_validation: - type: boolean - hmac_enabled: - type: boolean - id: - description: |- - If you are linking an existing Policy ID to a new YAML CRD, then - fill in this ID field with the "_id" field. - See policies.md readme for more info - type: string - is_inactive: - description: IsInactive applies to the key itself. Allows enabling - or disabling the policy without deleting it. 
- type: boolean - key_expires_in: - description: KeyExpiresIn is the number of seconds till key expiry. - For 1 hour is 3600. Default never expire or 0 - format: int64 - type: integer - max_query_depth: - description: Max depth of a GraphQL query - type: integer - meta_data: - additionalProperties: - type: string - description: LastUpdated string `json:"last_updated"` - type: object - name: - description: Name represents the name of the security policy as displayed - in the Dashboard - type: string - org_id: - description: OrgID is overwritten - no point setting this - type: string - partitions: - properties: - acl: - type: boolean - complexity: - type: boolean - per_api: - type: boolean - quota: - type: boolean - rate_limit: - type: boolean - type: object - per: - description: |- - To be used in conjunction with "Rate". Per seconds. 1 minute=60. 1 hour=3600 - omit or "-1" for unlimited - format: int64 - type: integer - quota_max: - description: Value of Quota allowed, omit or "-1" for unlimited - format: int64 - type: integer - quota_renewal_rate: - description: Value reset length, in seconds, omit or "-1" for unlimited - format: int64 - type: integer - rate: - description: Rate limit per X seconds (x="Per"), omit or "-1" for - unlimited - format: int64 - type: integer - state: - description: |- - State can be active, draft or deny - active: All keys are active and new keys can be created. - draft: All keys are active but no new keys can be created. - deny: All keys are deactivated and no keys can be created. - enum: - - active - - draft - - deny - type: string - tags: - description: Custom tags to apply to the key, get transfered to the - analytics - items: - type: string - type: array - throttle_interval: - description: If rate limited, how many seconds to retry a request - for. omit or "-1" for unlimited - format: int64 - type: integer - throttle_retry_limit: - description: Number of retries before returning error. 
omit or "-1" - for unlimited - type: integer - required: - - active - - name - - state - type: object - status: - description: SecurityPolicyStatus defines the observed state of SecurityPolicy - properties: - latestCRDSpecHash: - type: string - latestTykSpecHash: - type: string - linked_apis: - items: - properties: - kind: - description: |- - LinkedApiKind represents the Kubernetes kind of the API Definition resource that - is being target by current resource. - enum: - - ApiDefinition - - TykOasApiDefinition - - TykStreamsApiDefinition - type: string - name: - description: k8s resource name - type: string - namespace: - description: |- - The k8s namespace of the resource being targeted. When omitted this will be - set to the namespace of the object that is being reconciled. - type: string - required: - - name - type: object - type: array - pol_id: - type: string - required: - - pol_id - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.14.0 - name: subgraphs.tyk.tyk.io -spec: - group: tyk.tyk.io - names: - categories: - - tyk - kind: SubGraph - listKind: SubGraphList - plural: subgraphs - singular: subgraph - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: SubGraph is the Schema for the subgraphs API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. 
- Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SubGraphSpec defines the desired state of SubGraph - properties: - schema: - type: string - sdl: - type: string - required: - - schema - - sdl - type: object - status: - description: SubGraphStatus defines the observed state of SubGraph - properties: - linked_by_api: - description: |- - LinkedByAPI specifies the ID of the ApiDefinition CR that is linked to this particular SubGraph CR. - Please note that SubGraph CR can only be linked to one ApiDefinition CR that is created in the same - namespace as SubGraph CR. - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.14.0 - name: supergraphs.tyk.tyk.io -spec: - group: tyk.tyk.io - names: - categories: - - tyk - kind: SuperGraph - listKind: SuperGraphList - plural: supergraphs - singular: supergraph - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: SuperGraph is the Schema for the supergraphs API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SuperGraphSpec defines the desired state of SuperGraph - properties: - merged_sdl: - type: string - schema: - type: string - subgraph_refs: - items: - properties: - name: - description: k8s resource name - type: string - namespace: - description: |- - The k8s namespace of the resource being targeted. When omitted this will be - set to the namespace of the object that is being reconciled. - type: string - required: - - name - type: object - type: array - required: - - subgraph_refs - type: object - status: - description: SuperGraphStatus defines the observed state of SuperGraph - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.14.0 - name: tykoasapidefinitions.tyk.tyk.io -spec: - group: tyk.tyk.io - names: - categories: - - tyk - kind: TykOasApiDefinition - listKind: TykOasApiDefinitionList - plural: tykoasapidefinitions - shortNames: - - tykoas - singular: tykoasapidefinition - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.domain.name - name: Domain - type: string - - jsonPath: .status.listenPath - name: ListenPath - type: string - - jsonPath: .status.targetURL - name: Proxy.TargetURL - type: string - - jsonPath: .status.enabled - name: Enabled - type: boolean - - jsonPath: .status.latestTransaction.status - name: SyncStatus - type: string - - jsonPath: .status.ingressTemplate - name: IngressTemplate - type: boolean - - jsonPath: .spec.categories - name: Categories - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: TykOasApiDefinition is the Schema for the tykoasapidefinitions - API - properties: - apiVersion: - description: |- - APIVersion defines the 
versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: TykOasApiDefinitionSpec defines the desired state of TykOasApiDefinition - properties: - categories: - description: |- - Categories serve as identifiers for the API definitions, - subsequently enabling the filtering of API listings based on these categories. - items: - type: string - type: array - certificatePinning: - description: |- - CertificatePinning contains the configuration related to certificate pinning. - It is possible to set Kubernetes secrets containing certificates. - - - It is used to set `upstream.certificatePinning` in Tyk OAS API Definition. - properties: - domainToPublicKeysMapping: - description: |- - DomainToPublicKeysMapping maintains the mapping of domain to pinned public keys. - - - Tyk classic API definition: `pinned_public_keys` - items: - description: PinnedPublicKey contains a mapping from the domain - name into a list of public keys. - properties: - domain: - description: Domain contains the domain name. - type: string - publicKeyRefs: - description: |- - PublicKeyRefs holds a list of Kubernetes secret names that reside in the same namespace - as current TykOasApiDefinition resource. The secret needs to be a type of TLS secret - where the pinned public key is stored in `tls.crt` field. - Each secret must contain a public key associated with the specified domain name. 
- - - **NOTE** - If you want to continue using secrets that are already created on Tyk Dashboard, - specify their IDs in `publicKeys` field of TykOasApiDefinition CR. And then, - Tyk Operator will merge this array which is specified through `publicKeys` field - with new Tyk Secrets which will be created based on Kubernetes secrets - defined in `publicKeyRefs`. - items: - type: string - type: array - publicKeys: - description: |- - PublicKeys contains a list of the public keys IDs pinned to the domain name. - - - It only accepts Tyk IDs of the public keys. If you have Kubernetes secrets - containing public keys of the domain, please use `publicKeysRefs` field - instead of this one. As this one only works with already existing - public keys on Tyk Dashboard. - items: - type: string - type: array - required: - - domain - type: object - type: array - enabled: - description: |- - Enabled is a boolean flag, if set to `true`, it enables certificate pinning for the API. - - - Tyk classic API definition: `certificate_pinning_disabled` - type: boolean - required: - - enabled - type: object - clientCertificate: - description: |- - ClientCertificate is used to configure client certificates settings needed - for MTLS connection between Tyk and client. - It is used to set `server.clientCertificate` field of Tyk OAS API - properties: - allowlist: - description: Allowlist stores list of k8s secret names storing - client certificates - items: - type: string - type: array - enabled: - description: Enabled activates mTLS for the API. - type: boolean - type: object - contextRef: - description: |- - Context specify namespace/name of the OperatorContext object used for - reconciling this APIDefinition - properties: - name: - description: k8s resource name - type: string - namespace: - description: |- - The k8s namespace of the resource being targeted. When omitted this will be - set to the namespace of the object that is being reconciled. 
- type: string - required: - - name - type: object - customDomain: - description: |- - CustomDomain is the domain to bind this API to. This enforces domain matching for client requests. - - - Tyk classic API definition: `domain` - properties: - certificates: - description: |- - Certificates defines a field for specifying certificate IDs - that the Tyk can utilise to dynamically load certificates for your custom domain. - - - Tyk classic API definition: `certificates` - items: - type: string - type: array - certificatesRef: - description: |- - CertificatesRef defines a field for specifying certificates - through Kubernetes secrets. Secrets need to be installed within - the namespace of the TykOasApiDefinition resource. - items: - type: string - type: array - enabled: - description: Enabled allow/disallow the usage of the domain. - type: boolean - name: - description: Name is the name of the domain. - type: string - required: - - enabled - - name - type: object - mutualTLS: - description: MutualTLS represents the configuration for an Upstream - mTLS. - properties: - domainToCertificateMapping: - description: DomainToCertificateMapping contains the configuration - for an upstream server domain. - items: - description: CertificateMapping represents the mapping of a - domain to its certificate. - properties: - certificateID: - description: Certificate references to Tyk cert ID - type: string - certificateRef: - description: CertificateRef references the secret containing - the domain's SSL Certificate. - type: string - domain: - description: Domain refers to the domain name of an upstream - server. - type: string - required: - - domain - type: object - type: array - enabled: - description: Enabled indicates if MTLS should be enabled or not. 
- type: boolean - required: - - enabled - type: object - tykOAS: - description: TykOAS provides storage information about Tyk OAS - properties: - configmapRef: - description: ConfigmapRef provides information of configmap in - which Tyk OAS is stored - properties: - keyName: - description: KeyName is the key of configmap in which Tyk - OAS doc is stored - type: string - name: - description: Name is the name of configmap - type: string - namespace: - description: |- - Namespace is the namespace of configmap. - If Namespace is not provided, we assume that the ConfigMap is in the same - namespace as TykOasApiDefinition resource. - type: string - required: - - keyName - - name - type: object - required: - - configmapRef - type: object - versioning: - description: Versioning provides versioning information about this - OAS API - properties: - default: - description: Default contains the default version name if a request - is issued without a version. - type: string - enabled: - description: Enabled is a boolean flag, if set to true it will - enable versioning of the API. - type: boolean - fallbackToDefault: - description: |- - FallbackToDefault specifies that the default version of the OAS API should be used if - the requested version does not exist." - type: boolean - key: - description: Key contains the name of the key to check for versioning - information. - type: string - location: - description: |- - Location contains versioning location information. It can be one of the following: - header, url-param, url. - enum: - - header - - url-param - - url - type: string - name: - description: Name contains the name of the version. - type: string - stripVersioningData: - description: StripVersioningData if enabled, specifies that the - API responses will be stripped of versioning data. - type: boolean - urlVersioningPattern: - description: |- - UrlVersioningPattern configure with a regex that matches the versioning identifier format in your URLs. 
- This is essential when using stripVersioningData and fallbackToDefault with location=url." - type: string - versions: - description: Versions contains a list of versions that map to - individual API IDs. - items: - description: TykOASVersion represents each OAS API Definition - used as a version. - properties: - name: - description: Name contains the name of the referenced TykOasApiDefinition. - type: string - tykOasApiDefinitionRef: - description: TykOasApiDefinitionRef references a TykOasApiDefinition - Name and Namespace. - properties: - name: - description: k8s resource name - type: string - namespace: - description: |- - The k8s namespace of the resource being targeted. When omitted this will be - set to the namespace of the object that is being reconciled. - type: string - required: - - name - type: object - required: - - name - - tykOasApiDefinitionRef - type: object - type: array - required: - - enabled - type: object - required: - - tykOAS - type: object - status: - description: TykOasApiDefinitionStatus defines the observed state of TykOasApiDefinition - properties: - certificatePinning: - description: |- - PinnedPublicKeys shows Tyk IDs of the all pinned public keys for each domain - specified in this particular TykOasApiDefinition. - items: - description: |- - PublicKeyStatus corresponds to the pinned public key details to be displayed in the status - of the TykOasApiDefinition CR. - properties: - domain: - type: string - publicKeys: - items: - type: string - type: array - required: - - domain - - publicKeys - type: object - type: array - domain: - description: |- - DomainStatus shows Tyk IDs of the certificates used for a particular domain - specified in this particular TykOasApiDefinition. - properties: - certificates: - description: Certificates corresponds to Tyk IDs of the certificates - that are uploaded to Tyk. - items: - type: string - type: array - enabled: - type: boolean - name: - description: Name corresponds to the name of the domain. 
- type: string - type: object - enabled: - description: Enabled represents if API is enabled or not - type: boolean - id: - description: ID is the unique identifier of the API within Tyk. - type: string - ingressTemplate: - description: IngressTemplate shows whether this CR is used as Ingress - Template or not. - type: boolean - latestCRDSpecHash: - description: |- - LatestCRDSpecHash stores the hash of TykOasApiDefinition CR created on K8s. This information is updated after - creating or updating the TykOasApiDefinition. It is useful for Operator to understand the need for - running update operation or not. If there is a change in latestCRDSpecHash as well as latestTykSpecHash, - Operator runs update logic and updates resources on Tyk Gateway or Tyk Dashboard. - type: string - latestConfigMapHash: - description: LatestConfigMapHash stores the hash of ConfigMap that - is being used by TykOasApiDefinition. - type: string - latestTransaction: - description: LatestTransaction provides status information about the - last reconciliation. - properties: - error: - description: Error corresponds to the error happened on Tyk API - level, if any. - type: string - status: - description: Status corresponds to the status of the last transaction. - type: string - time: - description: Time corresponds to the time of last transaction. - format: date-time - type: string - type: object - latestTykSpecHash: - description: |- - LatestTykSpecHash stores the hash of OAS API Definition created on Tyk. This information is updated after - creating or updating the TykOasApiDefinition. It is useful for Operator to understand the need for - running update operation or not. If there is a change in latestTykSpecHash as well as latestCRDSpecHash, - Operator runs update logic and updates resources on Tyk Gateway or Tyk Dashboard. - type: string - linkedByPolicies: - description: LinkedByPolicies is a list policies that references this - OAS API Definition. 
- items: - properties: - name: - description: k8s resource name - type: string - namespace: - description: |- - The k8s namespace of the resource being targeted. When omitted this will be - set to the namespace of the object that is being reconciled. - type: string - required: - - name - type: object - type: array - listenPath: - description: ListenPath is the base path on Tyk to which requests - for this API will be sent. - type: string - name: - description: Name is the name of the OAS API within Tyk. - type: string - targetURL: - description: TargetURL is the upstream address to which requests will - be proxied. - type: string - versioningStatus: - description: VersioningStatus shows the status of a Versioned TykOasAPIDefinition. - properties: - baseAPIVersionContextRef: - description: |- - BaseAPIVersionContextRef specifies the namespace and name of the - Base API a versioned API is linked to. - properties: - name: - description: k8s resource name - type: string - namespace: - description: |- - The k8s namespace of the resource being targeted. When omitted this will be - set to the namespace of the object that is being reconciled. - type: string - required: - - name - type: object - isDefaultVersion: - description: IsDefaultVersion specifies if the OAS API is the - default Version. - type: boolean - isVersionedAPI: - description: IsVersionedAPI indicates if the API is versioned. 
- type: boolean - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.14.0 - name: tykstreamsapidefinitions.tyk.tyk.io -spec: - group: tyk.tyk.io - names: - categories: - - tyk - kind: TykStreamsApiDefinition - listKind: TykStreamsApiDefinitionList - plural: tykstreamsapidefinitions - shortNames: - - tykstreams - singular: tykstreamsapidefinition - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.domain - name: Domain - type: string - - jsonPath: .status.listenPath - name: ListenPath - type: string - - jsonPath: .status.enabled - name: Enabled - type: boolean - - jsonPath: .status.latestTransaction.status - name: SyncStatus - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: TykStreamsApiDefinition is the Schema for the tykstreamsapidefinitions - API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: TykStreamsApiDefinitionSpec defines the desired state of - TykStreamsApiDefinition - properties: - contextRef: - description: |- - Context specify namespace/name of the OperatorContext object used for - reconciling this APIDefinition - properties: - name: - description: k8s resource name - type: string - namespace: - description: |- - The k8s namespace of the resource being targeted. When omitted this will be - set to the namespace of the object that is being reconciled. - type: string - required: - - name - type: object - tykStreams: - description: TykStreams provides storage information about Tyk Streams - properties: - configmapRef: - description: ConfigmapRef provides information of configmap in - which Tyk Streams is stored - properties: - keyName: - description: KeyName is the key of configmap in which Tyk - OAS doc is stored - type: string - name: - description: Name is the name of configmap - type: string - namespace: - description: |- - Namespace is the namespace of configmap. - If Namespace is not provided, we assume that the ConfigMap is in the same - namespace as TykOasApiDefinition resource. - type: string - required: - - keyName - - name - type: object - required: - - configmapRef - type: object - required: - - tykStreams - type: object - status: - description: TykStreamsApiDefinitionStatus defines the observed state - of TykStreamsApiDefinition - properties: - domain: - description: Domain is the custom domain name for an API. - type: string - enabled: - description: Enabled represents if API is enabled or not - type: boolean - id: - description: ID is the unique identifier of the API within Tyk. - type: string - latestCRDSpecHash: - description: LatestCRDSpecHash is the hash of the TykStreamsApiDefinition - CR created on Kubernetes. 
- type: string - latestConfigMapHash: - description: LatestConfigMapHash is the hash of the ConfigMap used - by TykStreamsApiDefinition. - type: string - latestTransaction: - description: LatestTransaction provides status information about the - last reconciliation. - properties: - error: - description: Error corresponds to the error happened on Tyk API - level, if any. - type: string - status: - description: Status corresponds to the status of the last transaction. - type: string - time: - description: Time corresponds to the time of last transaction. - format: date-time - type: string - type: object - latestTykSpecHash: - description: LatestTykSpecHash is the hash of the API Definition created - on Tyk. - type: string - linkedByPolicies: - description: LinkedByPolicies is a list policies that references this - OAS API Definition. - items: - properties: - name: - description: k8s resource name - type: string - namespace: - description: |- - The k8s namespace of the resource being targeted. When omitted this will be - set to the namespace of the object that is being reconciled. - type: string - required: - - name - type: object - type: array - listenPath: - description: ListenPath is the Base path on Tyk for API requests. - type: string - name: - description: Name is the name of the API within Tyk. - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {}
diff --git a/src/main/tyk-cp.sh b/src/main/tyk-cp.sh
index 4728d2f..86392f6 100644
--- a/src/main/tyk-cp.sh
+++ b/src/main/tyk-cp.sh
@@ -1,7 +1,7 @@
 source src/main/storage/main.sh;
 tykReleaseName="tyk-cp";
-tykReleaseVersion="2.1.0";
+tykReleaseVersion="2.2.0";
 args=( --set "global.license.dashboard=$LICENSE" \
diff --git a/src/main/tyk-dp.sh b/src/main/tyk-dp.sh
index 559864e..5fe7b01 100644
--- a/src/main/tyk-dp.sh
+++ b/src/main/tyk-dp.sh
@@ -21,7 +21,7 @@ else
 tykReleaseName="tyk-dp-$TYK_WORKER_SHARDING_TAGS";
 fi
-tykReleaseVersion="2.1.0";
+tykReleaseVersion="2.2.0";
 logger "$DEBUG" "tykReleaseName=$tykReleaseName";
diff --git a/src/main/tyk-gateway.sh b/src/main/tyk-gateway.sh
index 405f66f..5569212 100644
--- a/src/main/tyk-gateway.sh
+++ b/src/main/tyk-gateway.sh
@@ -5,7 +5,7 @@ args=(--set "tyk-gateway.gateway.image.repository=tykio/tyk-gateway" \
 --set "tyk-pump.pump.image.repository=tykio/tyk-pump-docker-pub");
 tykReleaseName="tyk-oss";
-tykReleaseVersion="2.1.0";
+tykReleaseVersion="2.2.0";
 addService "gateway-svc-$tykReleaseName-tyk-gateway";
 checkTykRelease;
diff --git a/src/main/tyk-stack.sh b/src/main/tyk-stack.sh
index 433d089..75d6cc8 100644
--- a/src/main/tyk-stack.sh
+++ b/src/main/tyk-stack.sh
@@ -1,7 +1,7 @@
 source src/main/storage/main.sh;
 tykReleaseName="tyk-stack";
-tykReleaseVersion="2.1.0";
+tykReleaseVersion="2.2.0";
 args=( --set "global.license.dashboard=$LICENSE" \