From f4da90fe405d60a968a588026330ca15ff23dd95 Mon Sep 17 00:00:00 2001
From: GitHub Actions
Date: Thu, 3 Oct 2024 14:27:51 +0000
Subject: [PATCH 1/9] add CRDs for version v0.18.8-rc-test
---
components/tyk-operator/Chart.yaml | 5 +
components/tyk-operator/README.md | 43 +
components/tyk-operator/crds/crds.yaml | 4875 +++++++++++++++++
components/tyk-operator/templates/NOTES.txt | 1 +
.../tyk-operator/templates/_helpers.tpl | 62 +
components/tyk-operator/templates/all.yaml | 643 +++
components/tyk-operator/values.yaml | 61 +
tyk-operator-crds/crd-v0.18.8-rc-test.yaml | 4875 +++++++++++++++++
8 files changed, 10565 insertions(+)
create mode 100644 components/tyk-operator/Chart.yaml
create mode 100644 components/tyk-operator/README.md
create mode 100644 components/tyk-operator/crds/crds.yaml
create mode 100644 components/tyk-operator/templates/NOTES.txt
create mode 100644 components/tyk-operator/templates/_helpers.tpl
create mode 100644 components/tyk-operator/templates/all.yaml
create mode 100644 components/tyk-operator/values.yaml
create mode 100644 tyk-operator-crds/crd-v0.18.8-rc-test.yaml
diff --git a/components/tyk-operator/Chart.yaml b/components/tyk-operator/Chart.yaml
new file mode 100644
index 00000000..e2390903
--- /dev/null
+++ b/components/tyk-operator/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v2
+name: tyk-operator
+description: A Helm chart to install the tyk-operator
+type: application
+version: 0.18.0 # version of the chart
diff --git a/components/tyk-operator/README.md b/components/tyk-operator/README.md
new file mode 100644
index 00000000..de4c07eb
--- /dev/null
+++ b/components/tyk-operator/README.md
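Review bot: Chart.yaml pins `version: 0.18.0` but declares no `appVersion`, so the chart carries no record of the operator release its bundled CRDs were generated for, even though the patch subject names v0.18.8-rc-test and the README in this same commit tells users that the CRD version must match the operator image. Adding `appVersion: "v0.18.8-rc-test"` beside `version` (quoted, so a future numeric-looking tag is not retyped by the parser) keeps that correspondence visible in `helm show chart` and gives the templates a `.Chart.AppVersion` to fall back on for the image tag if they choose to. The chart version also appears to trail the operator series it packages (0.18.0 against a 0.18.8 release candidate); that may be deliberate for a pre-release chart, but it is worth confirming so the two version lines do not drift further apart across the remaining patches in this series.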
@@ -0,0 +1,43 @@
+## Tyk Operator
+
+Tyk Operator brings Full Lifecycle API Management capabilities to Kubernetes. Configure Ingress, APIs, Security Policies, Authentication, Authorization, Mediation and more - all using GitOps best practices with Custom Resources and Kubernetes-native primitives.
+
+### Usage
+
+```bash
+helm repo add tyk-charts https://helm.tyk.io/public/helm/charts/
+helm repo update
+```
+
+### Prerequisites
+
+Before installing the Operator make sure you follow this guide and complete all
+steps from it, otherwise the Operator won't function properly: https://github.com/TykTechnologies/tyk-operator/blob/master/docs/installation/installation.md#tyk-operator-installation
+
+**_NOTE_:** cert-manager is required as described [here](https://tyk.io/docs/tyk-stack/tyk-operator/installing-tyk-operator/#step-2-installing-cert-manager).
+If you haven't installed `cert-manager` yet, you can install it as follows:
+```
+kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.8.0/cert-manager.yaml
+```
+
+### Installation
+If you have fully functioning & bootstrapped Tyk Installation and cert-manager,
+you can install Tyk Operator as follows:
+
+```bash
+helm install tyk-operator tyk-charts/tyk-operator
+```
+
+By default it will install latest stable release of operator.
+
+You can install any other version by
+1. Setting `image.tag` in values.yml or with `--set {image.tag}={VERSION_TAG}` while doing the helm install.
+2. Installing CRDs of corresponding version. This is important as operator might not work otherwise. You can do so by running below command.
+```
+kubectl apply -f https://github.com/TykTechnologies/tyk-charts/releases/download/operator-release-{VERSION_TAG}/crds.yaml
+```
+
+Replace `VERSION_TAG` with operator version tag.
+
+
+> **_NOTE_:** If you want to install `latest` release of operator, replace `VERSION_TAG` with `master` while installing CRDs.
diff --git a/components/tyk-operator/crds/crds.yaml b/components/tyk-operator/crds/crds.yaml
new file mode 100644
index 00000000..f14532b9
--- /dev/null
+++ b/components/tyk-operator/crds/crds.yaml
@@ -0,0 +1,4875 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + controller-gen.kubebuilder.io/version: v0.14.0 + name: apidefinitions.tyk.tyk.io +spec: + group: tyk.tyk.io + names: + categories: + - tyk + kind: ApiDefinition + listKind: ApiDefinitionList + plural: apidefinitions + shortNames: + - tykapis + singular: apidefinition + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.domain + name: Domain + type: string + - jsonPath: .spec.proxy.listen_path + name: ListenPath + type: string + - jsonPath: .spec.proxy.target_url + name: Proxy.TargetURL + type: string + - jsonPath: .spec.active + name: Enabled + type: boolean + - jsonPath: .status.latestTransaction.status + name: SyncStatus + type: string + - jsonPath: .status.ingressTemplate + name: IngressTemplate + type: boolean + name: v1alpha1 + schema: + openAPIV3Schema: + description: ApiDefinition is the Schema for the apidefinitions API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: APIDefinitionSpec represents the configuration for a single + proxied API and it's versions. 
+ properties: + CORS: + properties: + allow_credentials: + description: AllowCredentials if true will allow cookies + type: boolean + allowed_headers: + description: AllowedHeaders are headers that are allowed within + a request. + items: + type: string + type: array + allowed_methods: + description: AllowedMethods is a list of methods to allow access + via. + items: + description: HttpMethod represents HTTP request method + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + - HEAD + - CONNECT + - TRACE + type: string + type: array + allowed_origins: + description: AllowedOrigins is a list of origin domains to allow + access from. + items: + type: string + type: array + debug: + description: Debug if true, this option produces log files for + the CORS middleware + type: boolean + enable: + description: Enable when set to true it enables the cors middleware + for the api + type: boolean + exposed_headers: + description: ExposedHeaders is a list of headers that are exposed + back in the response. + items: + type: string + type: array + max_age: + description: MaxAge is the maximum age of credentials + type: integer + options_passthrough: + description: |- + OptionsPassthrough allow CORS OPTIONS preflight request to be proxied + directly to upstream, without authentication and rest of checks. This means + that pre-flight requests generated by web-clients such as SwaggerUI or the + Tyk Portal documentation system will be able to test the API using trial + keys. If your service handles CORS natively, then enable this option. + type: boolean + type: object + active: + description: Active specifies if the api is enabled or not + type: boolean + allowed_ips: + description: |- + AllowedIPs is a list of IP address that are whitelisted.When this is + provided all IP address that is not on this list will be blocked and a 403 http + status will be returned. The IP address can be IPv4 or IPv6.IP in + CIDR notation is also supported. 
+ items: + type: string + type: array + analytics_plugin: + description: |- + AnalyticsPlugin is used to configure analytics plugin which enables editing or removal of all parts of analytics + records, raw request and responses recorded by Tyk at the gateway level + nullable: true + properties: + enable: + type: boolean + func_name: + type: string + plugin_path: + type: string + required: + - enable + type: object + api_id: + description: |- + Only set this field if you are referring + to an existing API def. + The Operator will use this APIID to link the CR with the API in Tyk + Note: The values in the CR will become the new source of truth, overriding the existing API Definition + type: string + auth: + properties: + auth_header_name: + type: string + cookie_name: + type: string + param_name: + type: string + signature: + properties: + algorithm: + type: string + allowed_clock_skew: + format: int64 + type: integer + error_code: + type: integer + error_message: + type: string + header: + type: string + secret: + type: string + required: + - algorithm + - allowed_clock_skew + - error_code + - error_message + - header + - secret + type: object + use_certificate: + type: boolean + use_cookie: + type: boolean + use_param: + type: boolean + validate_signature: + type: boolean + required: + - auth_header_name + type: object + auth_configs: + additionalProperties: + properties: + auth_header_name: + type: string + cookie_name: + type: string + param_name: + type: string + signature: + properties: + algorithm: + type: string + allowed_clock_skew: + format: int64 + type: integer + error_code: + type: integer + error_message: + type: string + header: + type: string + secret: + type: string + required: + - algorithm + - allowed_clock_skew + - error_code + - error_message + - header + - secret + type: object + use_certificate: + type: boolean + use_cookie: + type: boolean + use_param: + type: boolean + validate_signature: + type: boolean + required: + - auth_header_name + 
type: object + type: object + base_identity_provided_by: + description: BaseIdentityProvidedBy sets Base Identity Provider for + situation when multiple authentication mechanisms are used + enum: + - auth_token + - hmac_key + - basic_auth_user + - jwt_claim + - oidc_user + - oauth_key + type: string + blacklisted_ips: + description: |- + BlacklistedIPs is a list of IP address that will be blacklisted.This means if + origin IP matches any IP in this list a 403 http status code will be + returned. The IP address can be IPv4 or IPv6. IP in CIDR notation is also + supported. + items: + type: string + type: array + cache_options: + properties: + cache_all_safe_requests: + description: |- + CacheAllSafeRequests caches responses to (GET, HEAD, OPTIONS) requests + overrides per-path cache settings in versions, applies across versions + type: boolean + cache_by_headers: + description: CacheByHeaders allows header values to be used as + part of the cache key + items: + type: string + type: array + cache_control_ttl_header: + description: CacheControlTTLHeader is the response header which + tells Tyk how long it is safe to cache the response for + type: string + cache_response_codes: + description: CacheOnlyResponseCodes is an array of response codes + which are safe to cache. e.g. 404 + items: + type: integer + type: array + cache_timeout: + description: CacheTimeout is the TTL for a cached object in seconds + format: int64 + type: integer + enable_cache: + description: |- + EnableCache turns global cache middleware on or off. + It is still possible to enable caching on a per-path basis by explicitly setting the endpoint cache middleware. 
+ see `spec.version_data.versions.{VERSION}.extended_paths.cache[]` + type: boolean + enable_upstream_cache_control: + description: EnableUpstreamCacheControl instructs Tyk Cache to + respect upstream cache control headers + type: boolean + required: + - cache_timeout + type: object + certificate_secret_names: + description: |- + CertificateSecretNames represents the names of the secrets that the controller should look for in the current + namespace which contain the certificates. + items: + type: string + type: array + certificates: + description: Certificates is a list of Tyk Certificate IDs. e.g. orgid+fingerprint. + Use CertificateSecretNames if using cert-manager + items: + type: string + type: array + client_certificate_refs: + items: + type: string + type: array + client_certificates: + items: + type: string + type: array + config_data: + description: |- + ConfigData can be used to pass custom attributes (a JSON object) into your middleware, such + as a virtual endpoint or header transform. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + contextRef: + description: |- + Context specify namespace/name of the OperatorContext object used for + reconciling this APIDefinition + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. 
+ type: string + required: + - name + type: object + custom_middleware: + properties: + auth_check: + properties: + name: + type: string + path: + type: string + raw_body_only: + type: boolean + require_session: + type: boolean + required: + - name + - path + type: object + driver: + type: string + id_extractor: + properties: + extract_from: + type: string + extract_with: + type: string + extractor_config: + properties: + header_name: + type: string + param_name: + type: string + regex_expression: + type: string + regex_match_index: + type: integer + type: object + required: + - extract_from + - extract_with + - extractor_config + type: object + post: + items: + properties: + name: + type: string + path: + type: string + raw_body_only: + type: boolean + require_session: + type: boolean + required: + - name + - path + type: object + type: array + post_key_auth: + items: + properties: + name: + type: string + path: + type: string + raw_body_only: + type: boolean + require_session: + type: boolean + required: + - name + - path + type: object + type: array + pre: + items: + properties: + name: + type: string + path: + type: string + raw_body_only: + type: boolean + require_session: + type: boolean + required: + - name + - path + type: object + type: array + response: + items: + properties: + name: + type: string + path: + type: string + raw_body_only: + type: boolean + require_session: + type: boolean + required: + - name + - path + type: object + type: array + required: + - driver + type: object + custom_middleware_bundle: + type: string + definition: + properties: + key: + type: string + location: + type: string + strip_path: + type: boolean + required: + - key + - location + - strip_path + type: object + detailed_tracing: + nullable: true + type: boolean + disable_quota: + description: DisableQuota allows you to disable quota middleware in + a given API Definition. 
+ type: boolean + disable_rate_limit: + description: DisableRateLimit allows you to disable rate limits in + a given API Definition. + type: boolean + do_not_track: + description: DoNotTrack disables endpoint tracking for this API + type: boolean + domain: + description: Domain represents a custom host header that the gateway + will listen on for this API + type: string + enable_context_vars: + description: |- + EnableContextVars extracts request context variables from the start of the middleware chain. + Set this to true to make them available to your transforms. + Context Variables are available in the url rewriter, modify headers and body transforms. + type: boolean + enable_coprocess_auth: + type: boolean + enable_detailed_recording: + description: |- + EnableDetailedRecording instructs Tyk store the inbound request and outbound response data in HTTP Wire format + as part of the Analytics data + type: boolean + enable_ip_blacklisting: + description: EnableIPBlacklisting activates the ip blacklisting middleware. + type: boolean + enable_ip_whitelisting: + description: EnableIPWhiteListing activates the ip whitelisting middleware. + type: boolean + enable_jwt: + description: EnableJWT set JWT as the access method for this API. + type: boolean + enable_proxy_protocol: + type: boolean + event_handlers: + properties: + events: + additionalProperties: + items: + properties: + handler_meta: + description: |- + MapStringInterfaceType represents a generic struct used as a map[string]interface{}. Since an arbitrary + JSON fields defined as map[string]interface{} is not feasible to use as a Kubernetes CRD, unstructured.Unstructured + type is used. 
+ type: object + x-kubernetes-preserve-unknown-fields: true + handler_name: + type: string + required: + - handler_meta + - handler_name + type: object + type: array + type: object + required: + - events + type: object + global_rate_limit: + description: |- + GlobalRateLimit is an API Level Global Rate Limit, which assesses all traffic coming into the API from all + sources and ensures that the overall rate limit is not exceeded. + properties: + per: + description: Per represents a time window in seconds + type: integer + rate: + description: Rate represents the number of requests allowed within + a specified time window (Per) + type: integer + required: + - per + - rate + type: object + graphql: + description: GraphQLConfig is the root config object for a GraphQL + API. + properties: + enabled: + description: Enabled indicates if GraphQL proxy should be enabled. + type: boolean + engine: + description: Engine holds the configuration for engine v2 and + upwards. + properties: + data_sources: + items: + properties: + config: + description: |- + MapStringInterfaceType represents a generic struct used as a map[string]interface{}. Since an arbitrary + JSON fields defined as map[string]interface{} is not feasible to use as a Kubernetes CRD, unstructured.Unstructured + type is used. 
+ type: object + x-kubernetes-preserve-unknown-fields: true + internal: + type: boolean + kind: + enum: + - REST + - GraphQL + - Kafka + type: string + name: + type: string + root_fields: + items: + properties: + fields: + items: + type: string + type: array + type: + type: string + required: + - fields + - type + type: object + type: array + required: + - config + - internal + - kind + - name + - root_fields + type: object + nullable: true + type: array + field_configs: + items: + properties: + disable_default_mapping: + type: boolean + field_name: + type: string + path: + items: + type: string + type: array + type_name: + type: string + required: + - disable_default_mapping + - field_name + - path + - type_name + type: object + nullable: true + type: array + global_headers: + description: GlobalHeaders for managing headers for UDG and + all associated data sources + items: + properties: + key: + description: Key is the name of the request header + type: string + value: + description: Value holds the value of the request header + type: string + required: + - key + - value + type: object + nullable: true + type: array + required: + - data_sources + - field_configs + type: object + execution_mode: + description: GraphQLExecutionMode is the mode to define how an + api behaves. + enum: + - "" + - proxyOnly + - executionEngine + - supergraph + - subgraph + type: string + graph_ref: + type: string + introspection: + description: Introspection holds the configuration for GraphQL + Introspection + properties: + disabled: + type: boolean + type: object + last_schema_update: + description: LastSchemaUpdate contains the date and time of the + last triggered schema update to the upstream. + format: date-time + type: string + playground: + description: GraphQLPlayground is the Playground specific configuration. + properties: + enabled: + description: Enabled indicates if the playground should be + enabled. 
+ type: boolean + path: + description: Path sets the path on which the playground will + be hosted if enabled. + type: string + required: + - enabled + - path + type: object + proxy: + description: Proxy holds the configuration for a proxy only api. + properties: + auth_headers: + additionalProperties: + type: string + nullable: true + type: object + features: + nullable: true + properties: + use_immutable_headers: + type: boolean + type: object + request_headers: + additionalProperties: + type: string + nullable: true + type: object + request_headers_rewrite: + additionalProperties: + properties: + remove: + type: boolean + value: + type: string + required: + - remove + - value + type: object + nullable: true + type: object + subscription_type: + description: SubscriptionType is the subscription protocol + to use for graphql subscriptions + enum: + - "" + - graphql-ws + - graphql-transport-ws + - sse + type: string + use_response_extensions: + properties: + on_error_forwarding: + type: boolean + required: + - on_error_forwarding + type: object + type: object + schema: + description: Schema is the GraphQL Schema exposed by the GraphQL + API/Upstream/Engine. + type: string + subgraph: + description: Subgraph holds the configuration for a GraphQL federation + subgraph. + properties: + sdl: + type: string + required: + - sdl + type: object + supergraph: + description: Supergraph holds the configuration for a GraphQL + federation supergraph. 
+ properties: + disable_query_batching: + type: boolean + global_headers: + additionalProperties: + type: string + type: object + merged_sdl: + type: string + subgraphs: + items: + properties: + api_id: + description: UUID v4 string (!not the same as _id of + APIDefinition) + type: string + headers: + additionalProperties: + type: string + nullable: true + type: object + name: + type: string + sdl: + description: the schema definition language of the subgraph + type: string + url: + description: The internal URL of the subgraph + type: string + required: + - api_id + - headers + - name + - sdl + - url + type: object + type: array + updated_at: + description: UpdatedAt contains the date and time of the last + update of a supergraph API. + format: date-time + type: string + type: object + type_field_configurations: + description: TypeFieldConfigurations is a rule set of data source + and mapping of a schema field. + items: + properties: + data_source: + properties: + data_source_config: + description: |- + Config is the DataSource specific configuration object + Each Planner needs to make sure to parse their Config Object correctly + properties: + body: + type: string + default_type_name: + type: string + headers: + items: + type: string + type: array + method: + description: HttpMethod represents HTTP request + method + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + - HEAD + - CONNECT + - TRACE + type: string + status_code_type_name_mappings: + items: + properties: + status_code: + type: integer + type_name: + type: string + required: + - status_code + type: object + type: array + url: + type: string + required: + - method + - url + type: object + kind: + description: |- + Kind defines the unique identifier of the DataSource + Kind needs to match to the Planner "DataSourceName" name + enum: + - GraphQLDataSource + - HTTPJSONDataSource + type: string + required: + - kind + type: object + field_name: + type: string + mapping: + properties: + 
disabled: + type: boolean + path: + type: string + required: + - disabled + - path + type: object + type_name: + type: string + required: + - data_source + - field_name + - mapping + - type_name + type: object + type: array + version: + description: Version defines the version of the GraphQL config + and engine to be used. + enum: + - "1" + - "2" + type: string + required: + - enabled + - execution_mode + type: object + id: + description: For server use only, do not use + type: string + internal: + description: Internal tells Tyk Gateway that this is a virtual API. + It can only be routed to from other APIs. + type: boolean + jwt_client_base_field: + description: |- + JWTClientIDBaseField is the name of the field on JWT claim to use for client + id. This field is mutually exclusive to jwt_identity_base_field, meaning you + can only set/use one and jwt_identity_base_field takes precedence when both + are set. + type: string + jwt_default_policies: + description: |- + JWTDefaultPolicies is a list of policies that will be used when base policy + can't be extracted from the JWT token. When this list is provided the first + element will be used as the base policy while the rest of elements will be applied. + items: + type: string + type: array + jwt_expires_at_validation_skew: + description: "JWTExpiresAtValidationSkew adds validation for expired + at JWT claim.\nGiven\n\tnow = current unix time\n\tskew = jwt_expires_at_validation_skew\n\texp + = expired at\nIf exp > (now - skew) then validation will fail with + \"token has expired\"" + format: int64 + type: integer + jwt_identity_base_field: + description: |- + JWTIdentityBaseField Identifies the user or identity to be used in the + Claims of the JWT. This will fallback to sub if not found. This field forms + the basis of a new “virtual” token that gets used after validation. It means + policy attributes are carried forward through Tyk for attribution purposes. 
+ type: string + jwt_issued_at_validation_skew: + description: "JWTIssuedAtValidationSkew adds validation for issued + at JWT claim.\nGiven\n\tnow = current unix time\n\tskew = jwt_issued_at_validation_skew\n\tiat + = the issued at jwt claim\nIf iat > (now + skew) then validation + will fail with \"token used before issued\"" + format: int64 + type: integer + jwt_not_before_validation_skew: + description: "JWTNotBeforeValidationSkew adds validation for not + before JWT claim.\nGiven\n\tnow = current unix time\n\tskew = jwt_not_before_validation_skew\n\tnbf + = the not before jwt claim\nIf nbf > (now + skew) then validation + will fail with \"token is not valid yet\"" + format: int64 + type: integer + jwt_policy_field_name: + description: JWTPolicyFieldName The policy ID to apply to the virtual + token generated for a JWT + type: string + jwt_scope_claim_name: + description: |- + JWTScopeClaimName overides the key used for scope values in the JWT claims. + By default the value is "scope" + type: string + jwt_scope_to_policy_mapping: + additionalProperties: + type: string + description: |- + JWTScopeToPolicyMapping this is a mapping of scope value to policy id. If + this is set then a scope value found in this map will make the mappend + policy to be applied. + type: object + jwt_signing_method: + description: JWTSigningMethod algorithm used to sign jwt token + enum: + - "" + - rsa + - hmac + - ecdsa + type: string + jwt_skip_kid: + description: |- + JWTSkipKid when true we ingore using kid as the identity for a JWT token and + instead use jwt_identity_base_field if it was set or fallback to sub JWT + claim. + type: boolean + jwt_source: + description: |- + JWTSource Must either be a base64 encoded valid RSA/HMAC key or a url to a + resource serving JWK, this key will then be used to validate inbound JWT and + throttle them according to the centralised JWT options and fields set in the + configuration. 
+ type: string + listen_port: + type: integer + name: + type: string + oauth_meta: + properties: + allowed_access_types: + description: AllowedAccessTypes are an array of allowable access + types. + items: + enum: + - authorization_code + - refresh_token + - password + - client_credentials + type: string + type: array + allowed_authorize_types: + description: |- + AllowedAuthorizeTypes is an array of allowable `response_type` parameters `token` or authorization code `code`. + Choose token for client_credentials or implicit grant types. + items: + enum: + - code + - token + type: string + type: array + auth_login_redirect: + description: Login form to handle user login. + type: string + required: + - allowed_access_types + - allowed_authorize_types + type: object + org_id: + description: OrgID is overwritten - no point setting this + type: string + pinned_public_keys: + additionalProperties: + type: string + description: |- + PinnedPublicKeys allows you to whitelist public keys used to generate certificates, so you will be protected in + case an upstream certificate is compromised. Please use PinnedPublicKeysRefs if using cert-manager. + type: object + pinned_public_keys_refs: + additionalProperties: + type: string + description: |- + PinnedPublicKeysRefs allows you to specify public keys using k8s secret. + It takes domain name as a key and secret name as a value. + type: object + protocol: + description: APIProtocol is the network transport protocol supported + by the gateway + enum: + - "" + - h2c + - tcp + - tls + - http + - https + type: string + proxy: + description: Proxy + properties: + check_host_against_uptime_tests: + description: |- + CheckHostAgainstUptimeTests will check the hostname of the outbound request against the downtime list generated + by the uptime test host checker. If the host is found, then it is skipped or removed from the load balancer. + This is only valid if uptime tests for the api are enabled. 
+ type: boolean + disable_strip_slash: + description: |- + DisableStripSlash disables the stripping of the slash suffix from a URL. + when `true` a request to http://foo.bar/baz/ will be retained. + when `false` a request to http://foo.bar/baz/ will be matched to http://foo.bar/baz + type: boolean + enable_load_balancing: + description: |- + EnableLoadBalancing enables Tyk's round-robin loadbalancer. Tyk will ignore the TargetURL field, and rely on + the hosts in the Targets list + type: boolean + listen_path: + description: |- + ListenPath represents the path to listen on. e.g. `/api` or `/` or `/httpbin`. + Any requests coming into the host, on the port that Tyk is configured to run on, that match this path will + have the rules defined in the API Definition applied. Versioning assumes that different versions of an API + will live on the same URL structure. If you are using URL-based versioning (e.g. /v1/function, /v2/function) + then it is recommended to set up a separate non-versioned definition for each version as they are essentially + separate APIs. + type: string + preserve_host_header: + description: |- + If PreserveHostHeader is set to true then the host header in the outbound request is retained to be the + inbound hostname of the proxy. + type: boolean + service_discovery: + description: 'TODO: Untested. Is there a use-case for SD inside + a K8s environment?' 
+ properties: + cache_timeout: + format: int64 + type: integer + data_path: + type: string + endpoint_returns_list: + type: boolean + parent_data_path: + type: string + port_data_path: + type: string + query_endpoint: + type: string + target_path: + type: string + use_discovery_service: + type: boolean + use_nested_query: + type: boolean + use_target_list: + type: boolean + required: + - cache_timeout + - data_path + - endpoint_returns_list + - parent_data_path + - port_data_path + - query_endpoint + - target_path + - use_discovery_service + - use_nested_query + - use_target_list + type: object + strip_listen_path: + description: |- + StripListenPath removes the inbound listen path in the outgoing request. + e.g. http://acme.com/httpbin/get where `httpbin` is the listen path. The `httpbin` listen path which is used + to identify the API loaded in Tyk is removed, and the outbound request would be http://httpbin.org/get + type: boolean + target_internal: + properties: + path: + description: "Path path on target , this does not include + query parameters.\n\texample /myendpoint" + type: string + query: + description: "Query url query string to add to target\n\texample + check_limits=true" + type: string + target: + description: |- + API a namespaced/name to the api definition resource that you are + targetting + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. + type: string + required: + - name + type: object + type: object + target_list: + description: |- + Targets defines a list of upstream host targets. Tyk will then round-robin load balance between these targets. + EnableLoadBalancing must be set to true in order to take advantage of this feature. 
+ items: + type: string + type: array + target_url: + description: TargetURL defines the target URL that the request + should be proxied to. + type: string + transport: + description: Transport section exposes advanced transport level + configurations such as minimum TLS version. + properties: + proxy_url: + description: ProxyURL specifies custom forward proxy & port. + e.g. `http(s)://proxy.url:1234` + type: string + ssl_ciphers: + description: |- + SSLCipherSuites is an array of acceptable cipher suites. A list of allowed cipher suites can be found in the + Go Crypto TLS package constants documentation https://golang.org/pkg/crypto/tls/#pkg-constants + items: + type: string + type: array + ssl_force_common_name_check: + description: SSLForceCommonNameCheck forces hostname validation + against the certificate Common Name + type: boolean + ssl_insecure_skip_verify: + description: |- + SSLInsecureSkipVerify controls whether it is possible to use self-signed certificates when connecting to the + upstream. This is applied to `TykMakeHttpRequest` & `TykMakeBatchRequest` in virtual endpoint middleware. + type: boolean + ssl_min_version: + description: |- + SSLMinVersion defines the minimum TLS version the gateway will use to establish a connection to the upstream. + 1.0: 769; 1.1: 770; 1.2: 771; 1.3: 772. 
+ enum: + - 769 + - 770 + - 771 + - 772 + type: integer + type: object + required: + - target_url + type: object + response_processors: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + session_lifetime: + description: "SessionLifetime this is duration in seconds before the + session key expires\nin redis.\n\n\nExample:\nIf you want the session + keys to be alive only 24 hours you can set this\nvalue to 86400 + that we can break down to\n\t60 * 60 * 24 = Total seconds in a day" + format: int64 + type: integer + strip_auth_data: + description: StripAuthData ensures that any security tokens used for + accessing APIs are stripped and not leaked to the upstream + type: boolean + tag_headers: + items: + type: string + type: array + tags: + description: |- + Tags are named gateway nodes which tell gateway clusters whether to load an API or not. + for example, to load the API in an ARA gateway, you might want to include an `edge` tag. + items: + type: string + type: array + upstream_certificate_refs: + additionalProperties: + type: string + description: |- + UpstreamCertificateRefs is a map of domains and secret names that is used internally + to obtain certificates from secrets in order to establish mTLS support for upstreams + type: object + upstream_certificates: + additionalProperties: + type: string + description: |- + UpstreamCertificates is a map of domains and certificate IDs that is used by the Tyk + Gateway to provide mTLS support for upstreams + type: object + use_basic_auth: + description: UseBasicAuth enables basic authentication + type: boolean + use_go_plugin_auth: + description: Enable Go Plugin Auth. Needs to be combined with "use_keyless:false" + type: boolean + use_keyless: + description: |- + UseKeylessAccess will switch off all key checking. Some analytics will still be recorded, but rate-limiting, + quotas and security policies will not be possible (there is no session to attach requests to). 
+ type: boolean + use_mutual_tls_auth: + description: UseMutualTLSAuth enables mututal TLS authentication + type: boolean + use_oauth2: + description: UseOAuth2 enables oauth2 authorization + type: boolean + use_standard_auth: + description: UseStandardAuth enables simple bearer token authentication + type: boolean + version_data: + properties: + default_version: + type: string + not_versioned: + type: boolean + versions: + additionalProperties: + properties: + expires: + type: string + extended_paths: + properties: + advance_cache_config: + items: + properties: + cache_key_regex: + type: string + cache_response_codes: + items: + type: integer + type: array + method: + description: HttpMethod represents HTTP request + method + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + - HEAD + - CONNECT + - TRACE + type: string + path: + type: string + timeout: + format: int64 + type: integer + required: + - cache_key_regex + - cache_response_codes + - method + - path + type: object + type: array + black_list: + items: + properties: + ignore_case: + type: boolean + method_actions: + additionalProperties: + properties: + action: + type: string + code: + type: integer + data: + type: string + headers: + additionalProperties: + type: string + type: object + required: + - action + - code + - data + - headers + type: object + type: object + path: + type: string + required: + - ignore_case + - method_actions + - path + type: object + type: array + cache: + description: List of paths which cache middleware should + be enabled on + items: + type: string + type: array + circuit_breakers: + items: + properties: + disable_half_open_state: + type: boolean + method: + description: HttpMethod represents HTTP request + method + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + - HEAD + - CONNECT + - TRACE + type: string + path: + type: string + return_to_service_after: + description: ReturnToServiceAfter represents the + time in seconds to return back to 
the service + type: integer + samples: + description: Samples defines the number of requests + to base the ThresholdPercent on + format: int64 + type: integer + threshold_percent: + description: ThresholdPercent is the percentage + of requests that fail before breaker is tripped + pattern: ^0\\.\\d+|1\\.0$ + type: string + required: + - method + - path + - return_to_service_after + - samples + - threshold_percent + type: object + type: array + do_not_track_endpoints: + items: + properties: + method: + description: HttpMethod represents HTTP request + method + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + - HEAD + - CONNECT + - TRACE + type: string + path: + type: string + required: + - method + - path + type: object + type: array + hard_timeouts: + items: + properties: + method: + description: HttpMethod represents HTTP request + method + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + - HEAD + - CONNECT + - TRACE + type: string + path: + type: string + timeout: + type: integer + required: + - method + - path + - timeout + type: object + type: array + ignored: + items: + properties: + ignore_case: + type: boolean + method_actions: + additionalProperties: + properties: + action: + type: string + code: + type: integer + data: + type: string + headers: + additionalProperties: + type: string + type: object + required: + - action + - code + - data + - headers + type: object + type: object + path: + type: string + required: + - ignore_case + - method_actions + - path + type: object + type: array + internal: + items: + properties: + method: + description: HttpMethod represents HTTP request + method + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + - HEAD + - CONNECT + - TRACE + type: string + path: + type: string + required: + - method + - path + type: object + type: array + method_transforms: + items: + properties: + method: + description: HttpMethod represents HTTP request + method + enum: + - GET + - POST + - PUT 
+ - PATCH + - DELETE + - OPTIONS + - HEAD + - CONNECT + - TRACE + type: string + path: + type: string + to_method: + description: HttpMethod represents HTTP request + method + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + - HEAD + - CONNECT + - TRACE + type: string + required: + - method + - path + - to_method + type: object + type: array + size_limits: + items: + properties: + method: + description: HttpMethod represents HTTP request + method + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + - HEAD + - CONNECT + - TRACE + type: string + path: + type: string + size_limit: + format: int64 + type: integer + required: + - method + - path + - size_limit + type: object + type: array + track_endpoints: + items: + properties: + method: + description: HttpMethod represents HTTP request + method + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + - HEAD + - CONNECT + - TRACE + type: string + path: + type: string + required: + - method + - path + type: object + type: array + transform: + items: + properties: + method: + description: HttpMethod represents HTTP request + method + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + - HEAD + - CONNECT + - TRACE + type: string + path: + type: string + template_data: + properties: + enable_session: + type: boolean + input_type: + type: string + template_mode: + type: string + template_source: + type: string + required: + - enable_session + - input_type + - template_mode + - template_source + type: object + required: + - method + - path + - template_data + type: object + type: array + transform_headers: + items: + properties: + act_on: + type: boolean + add_headers: + additionalProperties: + type: string + type: object + delete_headers: + items: + type: string + type: array + method: + description: HttpMethod represents HTTP request + method + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + - HEAD + - CONNECT + - TRACE + type: string + path: + 
type: string + required: + - act_on + - add_headers + - delete_headers + - method + - path + type: object + type: array + transform_jq: + items: + properties: + filter: + type: string + method: + description: HttpMethod represents HTTP request + method + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + - HEAD + - CONNECT + - TRACE + type: string + path: + type: string + required: + - filter + - method + - path + type: object + type: array + transform_jq_response: + items: + properties: + filter: + type: string + method: + description: HttpMethod represents HTTP request + method + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + - HEAD + - CONNECT + - TRACE + type: string + path: + type: string + required: + - filter + - method + - path + type: object + type: array + transform_response: + items: + properties: + method: + description: HttpMethod represents HTTP request + method + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + - HEAD + - CONNECT + - TRACE + type: string + path: + type: string + template_data: + properties: + enable_session: + type: boolean + input_type: + type: string + template_mode: + type: string + template_source: + type: string + required: + - enable_session + - input_type + - template_mode + - template_source + type: object + required: + - method + - path + - template_data + type: object + type: array + transform_response_headers: + items: + properties: + act_on: + type: boolean + add_headers: + additionalProperties: + type: string + type: object + delete_headers: + items: + type: string + type: array + method: + description: HttpMethod represents HTTP request + method + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + - HEAD + - CONNECT + - TRACE + type: string + path: + type: string + required: + - act_on + - add_headers + - delete_headers + - method + - path + type: object + type: array + url_rewrites: + items: + properties: + match_pattern: + description: MatchPattern is a 
regular expression + pattern to match the path + type: string + method: + description: HttpMethod represents HTTP request + method + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + - HEAD + - CONNECT + - TRACE + type: string + path: + description: Path represents the endpoint listen + path + type: string + rewrite_to: + description: RewriteTo is the target path on the + upstream, or target URL we wish to rewrite to + type: string + rewrite_to_internal: + description: |- + RewriteToInternal serves as rewrite_to but used when rewriting to target + internal api's + When rewrite_to and rewrite_to_internal are both provided then + rewrite_to will take rewrite_to_internal + properties: + path: + description: "Path path on target , this does + not include query parameters.\n\texample + /myendpoint" + type: string + query: + description: "Query url query string to add + to target\n\texample check_limits=true" + type: string + target: + description: |- + API a namespaced/name to the api definition resource that you are + targetting + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. 
+ type: string + required: + - name + type: object + type: object + triggers: + items: + properties: + "on": + type: string + options: + properties: + header_matches: + additionalProperties: + properties: + match_rx: + type: string + reverse: + type: boolean + required: + - match_rx + type: object + type: object + path_part_matches: + additionalProperties: + properties: + match_rx: + type: string + reverse: + type: boolean + required: + - match_rx + type: object + type: object + payload_matches: + properties: + match_rx: + type: string + reverse: + type: boolean + required: + - match_rx + type: object + query_val_matches: + additionalProperties: + properties: + match_rx: + type: string + reverse: + type: boolean + required: + - match_rx + type: object + type: object + request_context_matches: + additionalProperties: + properties: + match_rx: + type: string + reverse: + type: boolean + required: + - match_rx + type: object + type: object + session_meta_matches: + additionalProperties: + properties: + match_rx: + type: string + reverse: + type: boolean + required: + - match_rx + type: object + type: object + type: object + rewrite_to: + type: string + rewrite_to_internal: + description: |- + RewriteToInternal defines options that constructs a url that refers to an api that + is loaded into the gateway. + properties: + path: + description: "Path path on target , + this does not include query parameters.\n\texample + /myendpoint" + type: string + query: + description: "Query url query string + to add to target\n\texample check_limits=true" + type: string + target: + description: |- + API a namespaced/name to the api definition resource that you are + targetting + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. 
+ type: string + required: + - name + type: object + type: object + required: + - "on" + - options + type: object + type: array + required: + - match_pattern + - method + - path + type: object + type: array + validate_json: + items: + properties: + disabled: + type: boolean + error_response_code: + description: Allows override of default 422 Unprocessable + Entity response code for validation errors. + type: integer + method: + description: HttpMethod represents HTTP request + method + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + - HEAD + - CONNECT + - TRACE + type: string + path: + type: string + schema: + description: |- + Schema represents schema field that verifies user requests against a specified + JSON schema and check that the data sent to your API by a consumer is in the right format. + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - error_response_code + - method + - path + - schema + type: object + type: array + virtual: + items: + properties: + function_source_type: + type: string + function_source_uri: + type: string + method: + description: HttpMethod represents HTTP request + method + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + - HEAD + - CONNECT + - TRACE + type: string + path: + type: string + proxy_on_error: + type: boolean + response_function_name: + type: string + use_session: + type: boolean + required: + - function_source_type + - function_source_uri + - method + - path + - proxy_on_error + - response_function_name + - use_session + type: object + type: array + white_list: + items: + properties: + ignore_case: + type: boolean + method_actions: + additionalProperties: + properties: + action: + type: string + code: + type: integer + data: + type: string + headers: + additionalProperties: + type: string + type: object + required: + - action + - code + - data + - headers + type: object + type: object + path: + type: string + required: + - ignore_case + - method_actions + - path + 
type: object + type: array + type: object + global_headers: + additionalProperties: + type: string + type: object + global_headers_remove: + items: + type: string + type: array + global_response_headers: + additionalProperties: + type: string + type: object + global_response_headers_remove: + items: + type: string + type: array + global_size_limit: + format: int64 + type: integer + ignore_endpoint_case: + type: boolean + name: + type: string + override_target: + type: string + paths: + properties: + black_list: + items: + type: string + type: array + ignored: + items: + type: string + type: array + white_list: + items: + type: string + type: array + type: object + use_extended_paths: + type: boolean + required: + - name + type: object + type: object + required: + - default_version + - not_versioned + type: object + required: + - name + - protocol + - proxy + type: object + status: + description: ApiDefinitionStatus defines the observed state of ApiDefinition + properties: + api_id: + type: string + ingressTemplate: + description: IngressTemplate shows whether this CR is used as Ingress + Template or not. + type: boolean + latestCRDSpecHash: + description: |- + LatestCRDSpecHash stores the hash of ApiDefinition CRD created on K8s. This information is updated after + creating or updating the ApiDefinition. It is useful for Operator to understand running update + operation or not. If there is a change in latestCRDSpecHash as well as latestTykSpecHash, Operator + runs update logic and updates resources on Tyk Gateway or Tyk Dashboard. + type: string + latestTransaction: + description: LatestTransaction provides status information about the + last reconciliation. + properties: + error: + description: Error corresponds to the error happened on Tyk API + level, if any. + type: string + status: + description: Status corresponds to the status of the last transaction. + type: string + time: + description: Time corresponds to the time of last transaction. 
+ format: date-time + type: string + type: object + latestTykSpecHash: + description: |- + LatestTykSpecHash stores the hash of ApiDefinition created on Tyk. This information is updated after + creating or updating the ApiDefinition. It is useful for Operator to understand running update + operation or not. If there is a change in latestTykSpecHash as well as latestCRDSpecHash, Operator + runs update logic and updates resources on Tyk Gateway or Tyk Dashboard. + type: string + linked_by_apis: + description: |- + LinkedByAPIs is a list of ApiDefinition namespaced/name that links to this + resource + items: + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. + type: string + required: + - name + type: object + type: array + linked_by_policies: + description: LinkedByPolicies is a list policies that references this + api definition + items: + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. + type: string + required: + - name + type: object + type: array + linked_to_apis: + description: |- + LinkedToAPIs is a list of ApiDefinition namespaced/name that this resource + links to. + items: + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. + type: string + required: + - name + type: object + type: array + linked_to_subgraph: + description: |- + LinkedToSubgraph corresponds to the name of the Subgraph CR if the ApiDefinition is GraphQL Federation Subgraph. 
+ ApiDefinition CR can only be linked to Subgraph CRs that are created in the same namespace as ApiDefinition CR. + type: string + orgId: + description: OrgID corresponds to the Organization ID that this API + belongs to. + type: string + required: + - api_id + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: apidescriptions.tyk.tyk.io +spec: + group: tyk.tyk.io + names: + categories: + - tyk + kind: APIDescription + listKind: APIDescriptionList + plural: apidescriptions + singular: apidescription + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: APIDescription is the Schema for the apidescriptions API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: APIDescriptionSpec defines the desired state of APIDescription + properties: + auth_type: + description: AuthType displays as a badge next to the name of the + API + enum: + - keyless + - jwt + - oauth + - authToken + type: string + config: + description: |- + Config allows you to optionally override various fields in the PortalConfig. 
+ TODO: This is an advanced capability which has not been fully tested with Tyk Operator as yet. + properties: + catalogue_login_only: + description: CatalogueLoginOnly limits access to catalogues for + login users only. + type: boolean + dcr_options: + description: DCROptions dynamic client registration options. + properties: + access_token: + description: AccessToken represents an optional bearer token + to authenticate with against the registration endpoint + type: string + grant_types: + description: |- + GrantTypes is an array of OAuth 2.0 grant type strings that the client can use at + the token endpoint. + items: + enum: + - client_credentials + - authorization_code + - refresh_token + type: string + type: array + idp_host: + description: |- + IDPHost is the fully qualified hostname of the Identity Provider. + e.g. https://mysubdomain.eu.auth0.com + type: string + provider: + description: |- + Provider is an optional enum of the provider which allows Tyk to register clients outside the standard DCR spec + and perform provider specific logic. + If your provider is not in this list, please omit. Upon failure, submit a support ticket so that we may extend + support for your provider. + enum: + - gluu + - keycloak + - okta + type: string + registration_endpoint: + description: RegistrationEndpoint is the registration_endpoint + as presented in the /.well-known/openid-configuration document. + type: string + response_types: + description: |- + ResponseTypes is an array of OAuth 2.0 response type strings that the client can + use at the authorization endpoint. + items: + enum: + - code + - token + type: string + type: array + token_endpoint_auth_method: + description: |- + TokenEndpointAuthMethod is an indicator of the requested authentication method for the token endpoint. + "none": The client is a public client and does not have a client secret. 
+ "client_secret_post": The client uses the HTTP POST parameters + "client_secret_basic": The client uses HTTP Basic authentication + enum: + - client_secret_basic + - client_secret_post + - client_secret_jwt + - private_key_jwt + - none + type: string + required: + - grant_types + - idp_host + - registration_endpoint + - token_endpoint_auth_method + type: object + disable_auto_login: + type: boolean + disable_login: + description: |- + DisableLogin disables login on developer portal.If you do not want + developers to be able to login, set this value to true. You can use this + configuration option in the portal templates to display or hide the login + form as well as disabling the actual login method. + type: boolean + disable_signup: + description: |- + DisableSignup stop developer sign-up to the portal.This will stop developers + from being able to signup, they will need to be created manually, or + assigned keys via the key management API. + type: boolean + email: + type: string + enable_dcr: + description: EnableDCR activates dynamic client registration. + type: boolean + enable_multi_selection: + description: |- + EnableMultiSelection enables subscribing to multiple APIs with single + key.User will be able subscript any combination of exposed catalogues of the + same authentication type + type: boolean + id: + description: Set by the server. DO NOT set this field it is read + only. 
+ type: string + key_request_fields: + description: KeyRequestFields is a slice of fields which are asked + of the portal developer when requesting an api key + items: + type: string + type: array + mail_options: + properties: + email_copy: + properties: + key_email: + properties: + body: + type: string + enabled: + type: boolean + hide_token_data: + type: boolean + sign_off: + type: string + subject: + type: string + required: + - body + - enabled + - hide_token_data + - sign_off + - subject + type: object + reset_password_email: + properties: + body: + type: string + enabled: + type: boolean + hide_token_data: + type: boolean + sign_off: + type: string + subject: + type: string + required: + - body + - enabled + - hide_token_data + - sign_off + - subject + type: object + welcome_email: + properties: + body: + type: string + enabled: + type: boolean + hide_token_data: + type: boolean + sign_off: + type: string + subject: + type: string + required: + - body + - enabled + - hide_token_data + - sign_off + - subject + type: object + required: + - key_email + - reset_password_email + - welcome_email + type: object + mail_from_email: + type: string + mail_from_name: + type: string + required: + - email_copy + - mail_from_email + - mail_from_name + type: object + oauth_usage_limit: + description: OAuthUsageLimit is the maximum permitted number of + OAuth clients + type: integer + org_id: + description: OrgID is the organization ID + type: string + override: + description: |- + Override overides global settings. These Catalogue settings are currently + being overwritten by the Global Catalogue settings. Toggle the checkbox + below to override them for this Catalogue. + type: boolean + redirect_on_key_request: + description: |- + RedirectOnKeyRequest redirects key requests. 
WHen set to true it will + redirect key requests to the url specified in RedirectTo field + type: boolean + redirect_to: + description: RedirectTo is a url used to redirect key requests + type: string + require_key_approval: + description: |- + RequireKeyApproval requires reviewing of all key requests before approving + them. By default developers will auto-enroll into an API and be given an API + key. If you wish to review key requests before giving developers access to + the API, enable this option and you will manually need to approve them in + the 'Key requests' section of the dashboard. + type: boolean + secure_key_approval: + description: |- + SecureKeyApproval enables Secure key approval.By default, API keys when + approved are sent in an email to the Developer. By enabling this option, the + Developer will instead receive a link where they can go to generate the API + key securely + type: boolean + signup_fields: + description: SignUpFields is a slice of fields which are asked + of the portal developer when they register for an account + items: + type: string + type: array + type: object + contextRef: + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. + type: string + required: + - name + type: object + docs: + properties: + doc_type: + enum: + - swagger + - swagger_custom_url + - graphql + type: string + documentation: + type: string + required: + - doc_type + type: object + documentation: + description: Do not set Documentation. Use `docs` instead. + type: string + fields: + additionalProperties: + type: string + description: |- + Fields is a generic map of key:value pairs. + You may wish to use this to tag a catalogue as type:internal or type:public + Then apply logic at the template layer to dynamically display catalogue apis to different user types. 
+ type: object + is_keyless: + description: IsKeyless toggles visibility of the `Request an API Key + button`. Use this when AuthType is keyless, jwt or oauth. + type: boolean + long_description: + description: |- + LongDescription can be markdown. It allows you to describe the capabilities of the API and is displayed just + below the name and AuthType in the catalogue listing page. + type: string + name: + description: Name is the title of the API that you wish to be published + to the catalogue + type: string + policy_id: + description: |- + PolicyID explicitly sets the policy_id to be published. We do not recommend that this value is set directly. + Rather, use `policyRef` instead. + type: string + policyRef: + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. + type: string + required: + - name + type: object + short_description: + description: 'TODO: I don''t think this is exposed to the default + portal templates.' 
+ type: string + show: + description: Show toggles visibility of the API in the portal catalogue + type: boolean + version: + default: v2 + description: Version should always be v2 + enum: + - v2 + type: string + type: object + status: + description: APIDescriptionStatus defines the observed state of APIDescription + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: operatorcontexts.tyk.tyk.io +spec: + group: tyk.tyk.io + names: + categories: + - tyk + kind: OperatorContext + listKind: OperatorContextList + plural: operatorcontexts + singular: operatorcontext + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: OperatorContext is the Schema for the operatorcontexts API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: OperatorContextSpec defines the desired state of OperatorContext + properties: + env: + description: |- + Env is the values of the admin api endpoint that the operator will use to + reconcile resources + properties: + auth: + type: string + ingress: + properties: + httpPort: + type: integer + httpsPort: + type: integer + type: object + insecureSkipVerify: + type: boolean + mode: + description: |- + OperatorContextMode is the mode to which the admin api binding is done values are + ce for community edition and pro for dashboard + enum: + - ce + - pro + type: string + org: + type: string + url: + type: string + user_group_owners: + items: + type: string + type: array + user_owners: + items: + type: string + type: array + type: object + secretRef: + description: Reference to k8s secret resource that we load environment + from. + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. + type: string + required: + - name + type: object + type: object + status: + description: OperatorContextStatus defines the observed state of OperatorContext + properties: + linked_api_definitions: + items: + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. + type: string + required: + - name + type: object + type: array + linked_api_descriptions: + items: + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. 
When omitted this will be + set to the namespace of the object that is being reconciled. + type: string + required: + - name + type: object + type: array + linked_portal_catalogues: + items: + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. + type: string + required: + - name + type: object + type: array + linked_portal_configs: + items: + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. + type: string + required: + - name + type: object + type: array + linked_security_policies: + items: + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. + type: string + required: + - name + type: object + type: array + linked_tyk_oas_api_definition: + items: + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. 
+ type: string + required: + - name + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: portalapicatalogues.tyk.tyk.io +spec: + group: tyk.tyk.io + names: + categories: + - tyk + kind: PortalAPICatalogue + listKind: PortalAPICatalogueList + plural: portalapicatalogues + shortNames: + - tykcatalogues + singular: portalapicatalogue + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.id + name: ID + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: PortalAPICatalogue is the Schema for the portalapicatalogues + API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: PortalAPICatalogueSpec defines the desired state of PortalAPICatalogue + properties: + apis: + description: APIDescriptionList is a list of PortalCatalogueDescription + published on this PortalAPICatalogue + items: + properties: + apiDescriptionRef: + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. 
When omitted this will be + set to the namespace of the object that is being reconciled. + type: string + required: + - name + type: object + auth_type: + description: AuthType displays as a badge next to the name of + the API + enum: + - keyless + - jwt + - oauth + - authToken + type: string + config: + description: |- + Config allows you to optionally override various fields in the PortalConfig. + TODO: This is an advanced capability which has not been fully tested with Tyk Operator as yet. + properties: + catalogue_login_only: + description: CatalogueLoginOnly limits access to catalogues + for login users only. + type: boolean + dcr_options: + description: DCROptions dynamic client registration options. + properties: + access_token: + description: AccessToken represents an optional bearer + token to authenticate with against the registration + endpoint + type: string + grant_types: + description: |- + GrantTypes is an array of OAuth 2.0 grant type strings that the client can use at + the token endpoint. + items: + enum: + - client_credentials + - authorization_code + - refresh_token + type: string + type: array + idp_host: + description: |- + IDPHost is the fully qualified hostname of the Identity Provider. + e.g. https://mysubdomain.eu.auth0.com + type: string + provider: + description: |- + Provider is an optional enum of the provider which allows Tyk to register clients outside the standard DCR spec + and perform provider specific logic. + If your provider is not in this list, please omit. Upon failure, submit a support ticket so that we may extend + support for your provider. + enum: + - gluu + - keycloak + - okta + type: string + registration_endpoint: + description: RegistrationEndpoint is the registration_endpoint + as presented in the /.well-known/openid-configuration + document. + type: string + response_types: + description: |- + ResponseTypes is an array of OAuth 2.0 response type strings that the client can + use at the authorization endpoint. 
+ items: + enum: + - code + - token + type: string + type: array + token_endpoint_auth_method: + description: |- + TokenEndpointAuthMethod is an indicator of the requested authentication method for the token endpoint. + "none": The client is a public client and does not have a client secret. + "client_secret_post": The client uses the HTTP POST parameters + "client_secret_basic": The client uses HTTP Basic authentication + enum: + - client_secret_basic + - client_secret_post + - client_secret_jwt + - private_key_jwt + - none + type: string + required: + - grant_types + - idp_host + - registration_endpoint + - token_endpoint_auth_method + type: object + disable_auto_login: + type: boolean + disable_login: + description: |- + DisableLogin disables login on developer portal.If you do not want + developers to be able to login, set this value to true. You can use this + configuration option in the portal templates to display or hide the login + form as well as disabling the actual login method. + type: boolean + disable_signup: + description: |- + DisableSignup stop developer sign-up to the portal.This will stop developers + from being able to signup, they will need to be created manually, or + assigned keys via the key management API. + type: boolean + email: + type: string + enable_dcr: + description: EnableDCR activates dynamic client registration. + type: boolean + enable_multi_selection: + description: |- + EnableMultiSelection enables subscribing to multiple APIs with single + key.User will be able subscript any combination of exposed catalogues of the + same authentication type + type: boolean + id: + description: Set by the server. DO NOT set this field it + is read only. 
+ type: string + key_request_fields: + description: KeyRequestFields is a slice of fields which + are asked of the portal developer when requesting an api + key + items: + type: string + type: array + mail_options: + properties: + email_copy: + properties: + key_email: + properties: + body: + type: string + enabled: + type: boolean + hide_token_data: + type: boolean + sign_off: + type: string + subject: + type: string + required: + - body + - enabled + - hide_token_data + - sign_off + - subject + type: object + reset_password_email: + properties: + body: + type: string + enabled: + type: boolean + hide_token_data: + type: boolean + sign_off: + type: string + subject: + type: string + required: + - body + - enabled + - hide_token_data + - sign_off + - subject + type: object + welcome_email: + properties: + body: + type: string + enabled: + type: boolean + hide_token_data: + type: boolean + sign_off: + type: string + subject: + type: string + required: + - body + - enabled + - hide_token_data + - sign_off + - subject + type: object + required: + - key_email + - reset_password_email + - welcome_email + type: object + mail_from_email: + type: string + mail_from_name: + type: string + required: + - email_copy + - mail_from_email + - mail_from_name + type: object + oauth_usage_limit: + description: OAuthUsageLimit is the maximum permitted number + of OAuth clients + type: integer + org_id: + description: OrgID is the organization ID + type: string + override: + description: |- + Override overides global settings. These Catalogue settings are currently + being overwritten by the Global Catalogue settings. Toggle the checkbox + below to override them for this Catalogue. + type: boolean + redirect_on_key_request: + description: |- + RedirectOnKeyRequest redirects key requests. 
WHen set to true it will + redirect key requests to the url specified in RedirectTo field + type: boolean + redirect_to: + description: RedirectTo is a url used to redirect key requests + type: string + require_key_approval: + description: |- + RequireKeyApproval requires reviewing of all key requests before approving + them. By default developers will auto-enroll into an API and be given an API + key. If you wish to review key requests before giving developers access to + the API, enable this option and you will manually need to approve them in + the 'Key requests' section of the dashboard. + type: boolean + secure_key_approval: + description: |- + SecureKeyApproval enables Secure key approval.By default, API keys when + approved are sent in an email to the Developer. By enabling this option, the + Developer will instead receive a link where they can go to generate the API + key securely + type: boolean + signup_fields: + description: SignUpFields is a slice of fields which are + asked of the portal developer when they register for an + account + items: + type: string + type: array + type: object + docs: + properties: + doc_type: + enum: + - swagger + - swagger_custom_url + - graphql + type: string + documentation: + type: string + required: + - doc_type + type: object + documentation: + description: Do not set Documentation. Use `docs` instead. + type: string + fields: + additionalProperties: + type: string + description: |- + Fields is a generic map of key:value pairs. + You may wish to use this to tag a catalogue as type:internal or type:public + Then apply logic at the template layer to dynamically display catalogue apis to different user types. + type: object + is_keyless: + description: IsKeyless toggles visibility of the `Request an + API Key button`. Use this when AuthType is keyless, jwt or + oauth. + type: boolean + long_description: + description: |- + LongDescription can be markdown. 
It allows you to describe the capabilities of the API and is displayed just + below the name and AuthType in the catalogue listing page. + type: string + name: + description: Name is the title of the API that you wish to be + published to the catalogue + type: string + policy_id: + description: |- + PolicyID explicitly sets the policy_id to be published. We do not recommend that this value is set directly. + Rather, use `policyRef` instead. + type: string + policyRef: + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. + type: string + required: + - name + type: object + short_description: + description: 'TODO: I don''t think this is exposed to the default + portal templates.' + type: string + show: + description: Show toggles visibility of the API in the portal + catalogue + type: boolean + version: + default: v2 + description: Version should always be v2 + enum: + - v2 + type: string + type: object + type: array + contextRef: + description: |- + Context is reference to OperatorContext resource. Set this if you want to + target a specific OperatorContext. When omitted default OperatorContext is + used. + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. 
+ type: string + required: + - name + type: object + email: + description: |- + Email is Catalogue owner email address.Catalogue owner will be notified at + this email address when an API subscription request is submitted or granted + type: string + org_id: + description: OrgID is the organization ID + type: string + type: object + status: + description: PortalAPICatalogueStatus defines the observed state of PortalAPICatalogue + properties: + id: + description: ID is the mongo ID of the PortalAPICatalogue object created + by the dashboard. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: portalconfigs.tyk.tyk.io +spec: + group: tyk.tyk.io + names: + categories: + - tyk + kind: PortalConfig + listKind: PortalConfigList + plural: portalconfigs + singular: portalconfig + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: PortalConfig is the Schema for the portalconfigs API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: PortalConfigSpec defines the desired state of PortalConfig + properties: + catalogue_login_only: + description: CatalogueLoginOnly limits access to catalogues for login + users only. + type: boolean + contextRef: + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. + type: string + required: + - name + type: object + dcr_options: + description: DCROptions dynamic client registration options. + properties: + access_token: + description: AccessToken represents an optional bearer token to + authenticate with against the registration endpoint + type: string + grant_types: + description: |- + GrantTypes is an array of OAuth 2.0 grant type strings that the client can use at + the token endpoint. + items: + enum: + - client_credentials + - authorization_code + - refresh_token + type: string + type: array + idp_host: + description: |- + IDPHost is the fully qualified hostname of the Identity Provider. + e.g. https://mysubdomain.eu.auth0.com + type: string + provider: + description: |- + Provider is an optional enum of the provider which allows Tyk to register clients outside the standard DCR spec + and perform provider specific logic. + If your provider is not in this list, please omit. Upon failure, submit a support ticket so that we may extend + support for your provider. + enum: + - gluu + - keycloak + - okta + type: string + registration_endpoint: + description: RegistrationEndpoint is the registration_endpoint + as presented in the /.well-known/openid-configuration document. 
+ type: string + response_types: + description: |- + ResponseTypes is an array of OAuth 2.0 response type strings that the client can + use at the authorization endpoint. + items: + enum: + - code + - token + type: string + type: array + token_endpoint_auth_method: + description: |- + TokenEndpointAuthMethod is an indicator of the requested authentication method for the token endpoint. + "none": The client is a public client and does not have a client secret. + "client_secret_post": The client uses the HTTP POST parameters + "client_secret_basic": The client uses HTTP Basic authentication + enum: + - client_secret_basic + - client_secret_post + - client_secret_jwt + - private_key_jwt + - none + type: string + required: + - grant_types + - idp_host + - registration_endpoint + - token_endpoint_auth_method + type: object + disable_auto_login: + type: boolean + disable_login: + description: |- + DisableLogin disables login on developer portal.If you do not want + developers to be able to login, set this value to true. You can use this + configuration option in the portal templates to display or hide the login + form as well as disabling the actual login method. + type: boolean + disable_signup: + description: |- + DisableSignup stop developer sign-up to the portal.This will stop developers + from being able to signup, they will need to be created manually, or + assigned keys via the key management API. + type: boolean + email: + type: string + enable_dcr: + description: EnableDCR activates dynamic client registration. + type: boolean + enable_multi_selection: + description: |- + EnableMultiSelection enables subscribing to multiple APIs with single + key.User will be able subscript any combination of exposed catalogues of the + same authentication type + type: boolean + id: + description: Set by the server. DO NOT set this field it is read only. 
+ type: string + key_request_fields: + description: KeyRequestFields is a slice of fields which are asked + of the portal developer when requesting an api key + items: + type: string + type: array + mail_options: + properties: + email_copy: + properties: + key_email: + properties: + body: + type: string + enabled: + type: boolean + hide_token_data: + type: boolean + sign_off: + type: string + subject: + type: string + required: + - body + - enabled + - hide_token_data + - sign_off + - subject + type: object + reset_password_email: + properties: + body: + type: string + enabled: + type: boolean + hide_token_data: + type: boolean + sign_off: + type: string + subject: + type: string + required: + - body + - enabled + - hide_token_data + - sign_off + - subject + type: object + welcome_email: + properties: + body: + type: string + enabled: + type: boolean + hide_token_data: + type: boolean + sign_off: + type: string + subject: + type: string + required: + - body + - enabled + - hide_token_data + - sign_off + - subject + type: object + required: + - key_email + - reset_password_email + - welcome_email + type: object + mail_from_email: + type: string + mail_from_name: + type: string + required: + - email_copy + - mail_from_email + - mail_from_name + type: object + oauth_usage_limit: + description: OAuthUsageLimit is the maximum permitted number of OAuth + clients + type: integer + org_id: + description: OrgID is the organization ID + type: string + override: + description: |- + Override overides global settings. These Catalogue settings are currently + being overwritten by the Global Catalogue settings. Toggle the checkbox + below to override them for this Catalogue. + type: boolean + redirect_on_key_request: + description: |- + RedirectOnKeyRequest redirects key requests. 
WHen set to true it will + redirect key requests to the url specified in RedirectTo field + type: boolean + redirect_to: + description: RedirectTo is a url used to redirect key requests + type: string + require_key_approval: + description: |- + RequireKeyApproval requires reviewing of all key requests before approving + them. By default developers will auto-enroll into an API and be given an API + key. If you wish to review key requests before giving developers access to + the API, enable this option and you will manually need to approve them in + the 'Key requests' section of the dashboard. + type: boolean + secure_key_approval: + description: |- + SecureKeyApproval enables Secure key approval.By default, API keys when + approved are sent in an email to the Developer. By enabling this option, the + Developer will instead receive a link where they can go to generate the API + key securely + type: boolean + signup_fields: + description: SignUpFields is a slice of fields which are asked of + the portal developer when they register for an account + items: + type: string + type: array + type: object + status: + description: PortalConfigStatus defines the observed state of PortalConfig + properties: + id: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + controller-gen.kubebuilder.io/version: v0.14.0 + name: securitypolicies.tyk.tyk.io +spec: + group: tyk.tyk.io + names: + categories: + - tyk + kind: SecurityPolicy + listKind: SecurityPolicyList + plural: securitypolicies + shortNames: + - tykpolicies + singular: securitypolicy + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: SecurityPolicy is the Schema for the securitypolicies API + properties: + apiVersion: + description: |- + APIVersion 
defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: SecurityPolicySpec defines the desired state of SecurityPolicy + properties: + _id: + description: |- + MID ("_id") is generated by Tyk once the resource is created. + Do NOT fill this in. + type: string + access_rights: + additionalProperties: + description: AccessDefinition defines which versions of an API a + key has access to + properties: + allowance_scope: + type: string + allowed_types: + description: |- + Field access of GraphQL APIs can be restricted by setting up an allowed types list in a policy + or directly on a key. + items: + description: GraphQLType represents a GraphQL Type for Tyk. 
+ properties: + fields: + items: + type: string + type: array + name: + type: string + required: + - fields + - name + type: object + type: array + allowed_urls: + items: + description: AccessSpec defines what URLS a user has access + to and what methods are enabled + properties: + methods: + items: + type: string + type: array + url: + type: string + required: + - methods + - url + type: object + type: array + api_id: + description: 'TODO: APIID should not really be needed, as is + auto-set from the APIDefinition Resource' + type: string + api_name: + description: 'TODO: APIName should not really be needed, as + is auto-set from the APIDefinition Resource' + type: string + disable_introspection: + description: DisableIntrospection disables GraphQL introspection + if it is set to True. + type: boolean + endpoints: + description: Endpoints is a collection of Endpoint. + items: + description: Endpoint holds the configuration for endpoint + rate limiting. + properties: + methods: + description: EndpointMethods is a collection of EndpointMethod. + items: + description: EndpointMethod holds the configuration + on endpoint method level. + properties: + limit: + description: RateLimit holds rate limit configuration. + properties: + per: + description: Per is the interval at which rate + limit is enforced. + pattern: ^(?:[-+]?(?:[0-9]+))?(?:\\.[0-9]*)?(?:[eE][\\+\\-]?(?:[0-9]+))?$ + type: string + rate: + description: Rate is the allowed number of requests + per interval. + pattern: ^(?:[-+]?(?:[0-9]+))?(?:\\.[0-9]*)?(?:[eE][\\+\\-]?(?:[0-9]+))?$ + type: string + smoothing: + description: Smoothing contains rate limit smoothing + settings. + properties: + delay: + description: Delay is the minimum time between + rate limit changes (in seconds). + format: int64 + type: integer + enabled: + description: Enabled indicates if rate limit + smoothing is active. + type: boolean + step: + description: Step is the increment/decrement + for adjusting the rate limit. 
+ format: int64 + type: integer + threshold: + description: Threshold is the request rate + above which smoothing is applied. + format: int64 + type: integer + trigger: + description: Trigger is the step factor + determining when smoothing events trigger. + pattern: ^(?:[-+]?(?:[0-9]+))?(?:\\.[0-9]*)?(?:[eE][\\+\\-]?(?:[0-9]+))?$ + type: string + required: + - enabled + type: object + required: + - per + - rate + type: object + name: + type: string + type: object + type: array + path: + type: string + type: object + type: array + field_access_rights: + description: FieldAccessRights is array of depth limit settings + per GraphQL APIs. + items: + description: FieldAccessDefinition represent a struct for + depth limit settings per API. + properties: + field_name: + description: FieldName represents the name of the Query + or Mutation which the limit applies to. + type: string + limits: + description: Limit specifies the numerical value of the + limit. + properties: + max_query_depth: + description: MaxQueryDepth represents the numerical + value of the limit. + format: int64 + type: integer + required: + - max_query_depth + type: object + type_name: + description: |- + TypeName points to a type on which depth limit is set. + It can be either Query (most common case) or Mutation + type: string + type: object + type: array + kind: + default: ApiDefinition + description: |- + Kind represents the kind of the linked API Definition resource. + It can be either "ApiDefinition" or "TykOasApiDefinition" (case sensitive way). + By default, Kind is set to "ApiDefinition". 
+ enum: + - ApiDefinition + - TykOasApiDefinition + type: string + limit: + description: APILimit stores quota and rate limit on ACL level + (per API) + properties: + max_query_depth: + type: integer + per: + format: int64 + type: integer + quota_max: + format: int64 + type: integer + quota_renewal_rate: + format: int64 + type: integer + rate: + format: int64 + type: integer + smoothing: + description: Smoothing contains rate limit smoothing settings. + properties: + delay: + description: Delay is the minimum time between rate + limit changes (in seconds). + format: int64 + type: integer + enabled: + description: Enabled indicates if rate limit smoothing + is active. + type: boolean + step: + description: Step is the increment/decrement for adjusting + the rate limit. + format: int64 + type: integer + threshold: + description: Threshold is the request rate above which + smoothing is applied. + format: int64 + type: integer + trigger: + description: Trigger is the step factor determining + when smoothing events trigger. + pattern: ^(?:[-+]?(?:[0-9]+))?(?:\\.[0-9]*)?(?:[eE][\\+\\-]?(?:[0-9]+))?$ + type: string + required: + - enabled + type: object + throttle_interval: + format: int64 + type: integer + throttle_retry_limit: + type: integer + required: + - per + - quota_max + - quota_renewal_rate + - rate + - throttle_interval + - throttle_retry_limit + type: object + name: + description: Name of the ApiDefinition resource to target + type: string + namespace: + description: Namespace of the ApiDefinition resource to target + type: string + restricted_types: + description: |- + Field access of GraphQL APIs can be restricted by setting up an allowed types list in a policy + or directly on a key. + items: + description: GraphQLType represents a GraphQL Type for Tyk. 
+ properties: + fields: + items: + type: string + type: array + name: + type: string + required: + - fields + - name + type: object + type: array + versions: + items: + type: string + type: array + required: + - name + - namespace + type: object + type: object + access_rights_array: + items: + description: AccessDefinition defines which versions of an API a + key has access to + properties: + allowance_scope: + type: string + allowed_types: + description: |- + Field access of GraphQL APIs can be restricted by setting up an allowed types list in a policy + or directly on a key. + items: + description: GraphQLType represents a GraphQL Type for Tyk. + properties: + fields: + items: + type: string + type: array + name: + type: string + required: + - fields + - name + type: object + type: array + allowed_urls: + items: + description: AccessSpec defines what URLS a user has access + to and what methods are enabled + properties: + methods: + items: + type: string + type: array + url: + type: string + required: + - methods + - url + type: object + type: array + api_id: + description: 'TODO: APIID should not really be needed, as is + auto-set from the APIDefinition Resource' + type: string + api_name: + description: 'TODO: APIName should not really be needed, as + is auto-set from the APIDefinition Resource' + type: string + disable_introspection: + description: DisableIntrospection disables GraphQL introspection + if it is set to True. + type: boolean + endpoints: + description: Endpoints is a collection of Endpoint. + items: + description: Endpoint holds the configuration for endpoint + rate limiting. + properties: + methods: + description: EndpointMethods is a collection of EndpointMethod. + items: + description: EndpointMethod holds the configuration + on endpoint method level. + properties: + limit: + description: RateLimit holds rate limit configuration. + properties: + per: + description: Per is the interval at which rate + limit is enforced. 
+ pattern: ^(?:[-+]?(?:[0-9]+))?(?:\\.[0-9]*)?(?:[eE][\\+\\-]?(?:[0-9]+))?$ + type: string + rate: + description: Rate is the allowed number of requests + per interval. + pattern: ^(?:[-+]?(?:[0-9]+))?(?:\\.[0-9]*)?(?:[eE][\\+\\-]?(?:[0-9]+))?$ + type: string + smoothing: + description: Smoothing contains rate limit smoothing + settings. + properties: + delay: + description: Delay is the minimum time between + rate limit changes (in seconds). + format: int64 + type: integer + enabled: + description: Enabled indicates if rate limit + smoothing is active. + type: boolean + step: + description: Step is the increment/decrement + for adjusting the rate limit. + format: int64 + type: integer + threshold: + description: Threshold is the request rate + above which smoothing is applied. + format: int64 + type: integer + trigger: + description: Trigger is the step factor + determining when smoothing events trigger. + pattern: ^(?:[-+]?(?:[0-9]+))?(?:\\.[0-9]*)?(?:[eE][\\+\\-]?(?:[0-9]+))?$ + type: string + required: + - enabled + type: object + required: + - per + - rate + type: object + name: + type: string + type: object + type: array + path: + type: string + type: object + type: array + field_access_rights: + description: FieldAccessRights is array of depth limit settings + per GraphQL APIs. + items: + description: FieldAccessDefinition represent a struct for + depth limit settings per API. + properties: + field_name: + description: FieldName represents the name of the Query + or Mutation which the limit applies to. + type: string + limits: + description: Limit specifies the numerical value of the + limit. + properties: + max_query_depth: + description: MaxQueryDepth represents the numerical + value of the limit. + format: int64 + type: integer + required: + - max_query_depth + type: object + type_name: + description: |- + TypeName points to a type on which depth limit is set. 
+ It can be either Query (most common case) or Mutation + type: string + type: object + type: array + kind: + default: ApiDefinition + description: |- + Kind represents the kind of the linked API Definition resource. + It can be either "ApiDefinition" or "TykOasApiDefinition" (case sensitive way). + By default, Kind is set to "ApiDefinition". + enum: + - ApiDefinition + - TykOasApiDefinition + type: string + limit: + description: APILimit stores quota and rate limit on ACL level + (per API) + properties: + max_query_depth: + type: integer + per: + format: int64 + type: integer + quota_max: + format: int64 + type: integer + quota_renewal_rate: + format: int64 + type: integer + rate: + format: int64 + type: integer + smoothing: + description: Smoothing contains rate limit smoothing settings. + properties: + delay: + description: Delay is the minimum time between rate + limit changes (in seconds). + format: int64 + type: integer + enabled: + description: Enabled indicates if rate limit smoothing + is active. + type: boolean + step: + description: Step is the increment/decrement for adjusting + the rate limit. + format: int64 + type: integer + threshold: + description: Threshold is the request rate above which + smoothing is applied. + format: int64 + type: integer + trigger: + description: Trigger is the step factor determining + when smoothing events trigger. 
+ pattern: ^(?:[-+]?(?:[0-9]+))?(?:\\.[0-9]*)?(?:[eE][\\+\\-]?(?:[0-9]+))?$ + type: string + required: + - enabled + type: object + throttle_interval: + format: int64 + type: integer + throttle_retry_limit: + type: integer + required: + - per + - quota_max + - quota_renewal_rate + - rate + - throttle_interval + - throttle_retry_limit + type: object + name: + description: Name of the ApiDefinition resource to target + type: string + namespace: + description: Namespace of the ApiDefinition resource to target + type: string + restricted_types: + description: |- + Field access of GraphQL APIs can be restricted by setting up an allowed types list in a policy + or directly on a key. + items: + description: GraphQLType represents a GraphQL Type for Tyk. + properties: + fields: + items: + type: string + type: array + name: + type: string + required: + - fields + - name + type: object + type: array + versions: + items: + type: string + type: array + required: + - name + - namespace + type: object + type: array + active: + description: Active must be set to `true` for Tyk to load the security + policy into memory. + type: boolean + contextRef: + description: |- + Context specify namespace/name of the OperatorContext object used for + reconciling this APIDefinition + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. + type: string + required: + - name + type: object + enable_http_signature_validation: + type: boolean + hmac_enabled: + type: boolean + id: + description: |- + If you are linking an existing Policy ID to a new YAML CRD, then + fill in this ID field with the "_id" field. + See policies.md readme for more info + type: string + is_inactive: + description: IsInactive applies to the key itself. Allows enabling + or disabling the policy without deleting it. 
+ type: boolean + key_expires_in: + description: KeyExpiresIn is the number of seconds till key expiry. + For 1 hour is 3600. Default never expire or 0 + format: int64 + type: integer + max_query_depth: + description: Max depth of a GraphQL query + type: integer + meta_data: + additionalProperties: + type: string + description: LastUpdated string `json:"last_updated"` + type: object + name: + description: Name represents the name of the security policy as displayed + in the Dashboard + type: string + org_id: + description: OrgID is overwritten - no point setting this + type: string + partitions: + properties: + acl: + type: boolean + complexity: + type: boolean + per_api: + type: boolean + quota: + type: boolean + rate_limit: + type: boolean + type: object + per: + description: |- + To be used in conjunction with "Rate". Per seconds. 1 minute=60. 1 hour=3600 + omit or "-1" for unlimited + format: int64 + type: integer + quota_max: + description: Value of Quota allowed, omit or "-1" for unlimited + format: int64 + type: integer + quota_renewal_rate: + description: Value reset length, in seconds, omit or "-1" for unlimited + format: int64 + type: integer + rate: + description: Rate limit per X seconds (x="Per"), omit or "-1" for + unlimited + format: int64 + type: integer + state: + description: |- + State can be active, draft or deny + active: All keys are active and new keys can be created. + draft: All keys are active but no new keys can be created. + deny: All keys are deactivated and no keys can be created. + enum: + - active + - draft + - deny + type: string + tags: + description: Custom tags to apply to the key, get transfered to the + analytics + items: + type: string + type: array + throttle_interval: + description: If rate limited, how many seconds to retry a request + for. omit or "-1" for unlimited + format: int64 + type: integer + throttle_retry_limit: + description: Number of retries before returning error. 
omit or "-1" + for unlimited + type: integer + required: + - active + - name + - state + type: object + status: + description: SecurityPolicyStatus defines the observed state of SecurityPolicy + properties: + latestCRDSpecHash: + type: string + latestTykSpecHash: + type: string + linked_apis: + items: + properties: + kind: + description: |- + LinkedApiKind represents the Kubernetes kind of the API Definition resource that + is being target by current resource. + enum: + - ApiDefinition + - TykOasApiDefinition + type: string + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. + type: string + required: + - name + type: object + type: array + pol_id: + type: string + required: + - pol_id + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: subgraphs.tyk.tyk.io +spec: + group: tyk.tyk.io + names: + categories: + - tyk + kind: SubGraph + listKind: SubGraphList + plural: subgraphs + singular: subgraph + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: SubGraph is the Schema for the subgraphs API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: SubGraphSpec defines the desired state of SubGraph + properties: + schema: + type: string + sdl: + type: string + required: + - schema + - sdl + type: object + status: + description: SubGraphStatus defines the observed state of SubGraph + properties: + linked_by_api: + description: |- + LinkedByAPI specifies the ID of the ApiDefinition CR that is linked to this particular SubGraph CR. + Please note that SubGraph CR can only be linked to one ApiDefinition CR that is created in the same + namespace as SubGraph CR. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: supergraphs.tyk.tyk.io +spec: + group: tyk.tyk.io + names: + categories: + - tyk + kind: SuperGraph + listKind: SuperGraphList + plural: supergraphs + singular: supergraph + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: SuperGraph is the Schema for the supergraphs API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: SuperGraphSpec defines the desired state of SuperGraph + properties: + merged_sdl: + type: string + schema: + type: string + subgraph_refs: + items: + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. + type: string + required: + - name + type: object + type: array + required: + - subgraph_refs + type: object + status: + description: SuperGraphStatus defines the observed state of SuperGraph + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: tykoasapidefinitions.tyk.tyk.io +spec: + group: tyk.tyk.io + names: + categories: + - tyk + kind: TykOasApiDefinition + listKind: TykOasApiDefinitionList + plural: tykoasapidefinitions + shortNames: + - tykoas + singular: tykoasapidefinition + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.domain.name + name: Domain + type: string + - jsonPath: .status.listenPath + name: ListenPath + type: string + - jsonPath: .status.targetURL + name: Proxy.TargetURL + type: string + - jsonPath: .status.enabled + name: Enabled + type: boolean + - jsonPath: .status.latestTransaction.status + name: SyncStatus + type: string + - jsonPath: .status.ingressTemplate + name: IngressTemplate + type: boolean + - jsonPath: .spec.categories + name: Categories + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: TykOasApiDefinition is the Schema for the tykoasapidefinitions + API + properties: + apiVersion: + description: |- + APIVersion defines the 
versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: TykOasApiDefinitionSpec defines the desired state of TykOasApiDefinition + properties: + categories: + description: |- + Categories serve as identifiers for the API definitions, + subsequently enabling the filtering of API listings based on these categories. + items: + type: string + type: array + certificatePinning: + description: |- + CertificatePinning contains the configuration related to certificate pinning. + It is possible to set Kubernetes secrets containing certificates. + + + It is used to set `upstream.certificatePinning` in Tyk OAS API Definition. + properties: + domainToPublicKeysMapping: + description: |- + DomainToPublicKeysMapping maintains the mapping of domain to pinned public keys. + + + Tyk classic API definition: `pinned_public_keys` + items: + description: PinnedPublicKey contains a mapping from the domain + name into a list of public keys. + properties: + domain: + description: Domain contains the domain name. + type: string + publicKeyRefs: + description: |- + PublicKeyRefs holds a list of Kubernetes secret names that reside in the same namespace + as current TykOasApiDefinition resource. The secret needs to be a type of TLS secret + where the pinned public key is stored in `tls.crt` field. + Each secret must contain a public key associated with the specified domain name. 
+ + + **NOTE** + If you want to continue using secrets that are already created on Tyk Dashboard, + specify their IDs in `publicKeys` field of TykOasApiDefinition CR. And then, + Tyk Operator will merge this array which is specified through `publicKeys` field + with new Tyk Secrets which will be created based on Kubernetes secrets + defined in `publicKeyRefs`. + items: + type: string + type: array + publicKeys: + description: |- + PublicKeys contains a list of the public keys IDs pinned to the domain name. + + + It only accepts Tyk IDs of the public keys. If you have Kubernetes secrets + containing public keys of the domain, please use `publicKeysRefs` field + instead of this one. As this one only works with already existing + public keys on Tyk Dashboard. + items: + type: string + type: array + required: + - domain + type: object + type: array + enabled: + description: |- + Enabled is a boolean flag, if set to `true`, it enables certificate pinning for the API. + + + Tyk classic API definition: `certificate_pinning_disabled` + type: boolean + required: + - enabled + type: object + clientCertificate: + description: |- + ClientCertificate is used to configure client certificates settings needed + for MTLS connection between Tyk and client. + It is used to set `server.clientCertificate` field of Tyk OAS API + properties: + allowlist: + description: Allowlist stores list of k8s secret names storing + client certificates + items: + type: string + type: array + enabled: + description: Enabled activates mTLS for the API. + type: boolean + type: object + contextRef: + description: |- + Context specify namespace/name of the OperatorContext object used for + reconciling this APIDefinition + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. 
+ type: string + required: + - name + type: object + customDomain: + description: |- + CustomDomain is the domain to bind this API to. This enforces domain matching for client requests. + + + Tyk classic API definition: `domain` + properties: + certificates: + description: |- + Certificates defines a field for specifying certificate IDs + that the Tyk can utilise to dynamically load certificates for your custom domain. + + + Tyk classic API definition: `certificates` + items: + type: string + type: array + certificatesRef: + description: |- + CertificatesRef defines a field for specifying certificates + through Kubernetes secrets. Secrets need to be installed within + the namespace of the TykOasApiDefinition resource. + items: + type: string + type: array + enabled: + description: Enabled allow/disallow the usage of the domain. + type: boolean + name: + description: Name is the name of the domain. + type: string + required: + - enabled + - name + type: object + mutualTLS: + description: MutualTLS represents the configuration for an Upstream + mTLS. + properties: + domainToCertificateMapping: + description: DomainToCertificateMapping contains the configuration + for an upstream server domain. + items: + description: CertificateMapping represents the mapping of a + domain to its certificate. + properties: + certificateID: + description: Certificate references to Tyk cert ID + type: string + certificateRef: + description: CertificateRef references the secret containing + the domain's SSL Certificate. + type: string + domain: + description: Domain refers to the domain name of an upstream + server. + type: string + required: + - domain + type: object + type: array + enabled: + description: Enabled indicates if MTLS should be enabled or not. 
+ type: boolean + required: + - enabled + type: object + tykOAS: + description: TykOAS provides storage information about Tyk OAS + properties: + configmapRef: + description: ConfigmapRef provides information of configmap in + which Tyk OAS is stored + properties: + keyName: + description: KeyName is the key of configmap in which Tyk + OAS doc is stored + type: string + name: + description: Name is the name of configmap + type: string + namespace: + description: |- + Namespace is the namespace of configmap. + If Namespace is not provided, we assume that the ConfigMap is in the same + namespace as TykOasApiDefinition resource. + type: string + required: + - keyName + - name + type: object + required: + - configmapRef + type: object + versioning: + description: Versioning provides versioning information about this + OAS API + properties: + default: + description: Default contains the default version name if a request + is issued without a version. + type: string + enabled: + description: Enabled is a boolean flag, if set to true it will + enable versioning of the API. + type: boolean + fallbackToDefault: + description: |- + FallbackToDefault specifies that the default version of the OAS API should be used if + the requested version does not exist." + type: boolean + key: + description: Key contains the name of the key to check for versioning + information. + type: string + location: + description: |- + Location contains versioning location information. It can be one of the following: + header, url-param, url. + enum: + - header + - url-param + - url + type: string + name: + description: Name contains the name of the version. + type: string + stripVersioningData: + description: StripVersioningData if enabled, specifies that the + API responses will be stripped of versioning data. + type: boolean + urlVersioningPattern: + description: |- + UrlVersioningPattern configure with a regex that matches the versioning identifier format in your URLs. 
+ This is essential when using stripVersioningData and fallbackToDefault with location=url." + type: string + versions: + description: Versions contains a list of versions that map to + individual API IDs. + items: + description: TykOASVersion represents each OAS API Definition + used as a version. + properties: + name: + description: Name contains the name of the referenced TykOasApiDefinition. + type: string + tykOasApiDefinitionRef: + description: TykOasApiDefinitionRef references a TykOasApiDefinition + Name and Namespace. + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. + type: string + required: + - name + type: object + required: + - name + - tykOasApiDefinitionRef + type: object + type: array + required: + - enabled + type: object + required: + - tykOAS + type: object + status: + description: TykOasApiDefinitionStatus defines the observed state of TykOasApiDefinition + properties: + certificatePinning: + description: |- + PinnedPublicKeys shows Tyk IDs of the all pinned public keys for each domain + specified in this particular TykOasApiDefinition. + items: + description: |- + PublicKeyStatus corresponds to the pinned public key details to be displayed in the status + of the TykOasApiDefinition CR. + properties: + domain: + type: string + publicKeys: + items: + type: string + type: array + required: + - domain + - publicKeys + type: object + type: array + domain: + description: |- + DomainStatus shows Tyk IDs of the certificates used for a particular domain + specified in this particular TykOasApiDefinition. + properties: + certificates: + description: Certificates corresponds to Tyk IDs of the certificates + that are uploaded to Tyk. + items: + type: string + type: array + enabled: + type: boolean + name: + description: Name corresponds to the name of the domain. 
+ type: string + type: object + enabled: + description: Enabled represents if API is enabled or not + type: boolean + id: + description: ID is the unique identifier of the API within Tyk. + type: string + ingressTemplate: + description: IngressTemplate shows whether this CR is used as Ingress + Template or not. + type: boolean + latestCRDSpecHash: + description: |- + LatestCRDSpecHash stores the hash of TykOasApiDefinition CR created on K8s. This information is updated after + creating or updating the TykOasApiDefinition. It is useful for Operator to understand the need for + running update operation or not. If there is a change in latestCRDSpecHash as well as latestTykSpecHash, + Operator runs update logic and updates resources on Tyk Gateway or Tyk Dashboard. + type: string + latestConfigMapHash: + description: LatestConfigMapHash stores the hash of ConfigMap that + is being used by TykOasApiDefinition. + type: string + latestTransaction: + description: LatestTransaction provides status information about the + last reconciliation. + properties: + error: + description: Error corresponds to the error happened on Tyk API + level, if any. + type: string + status: + description: Status corresponds to the status of the last transaction. + type: string + time: + description: Time corresponds to the time of last transaction. + format: date-time + type: string + type: object + latestTykSpecHash: + description: |- + LatestTykSpecHash stores the hash of OAS API Definition created on Tyk. This information is updated after + creating or updating the TykOasApiDefinition. It is useful for Operator to understand the need for + running update operation or not. If there is a change in latestTykSpecHash as well as latestCRDSpecHash, + Operator runs update logic and updates resources on Tyk Gateway or Tyk Dashboard. + type: string + linkedByPolicies: + description: LinkedByPolicies is a list policies that references this + OAS API Definition. 
+ items: + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. + type: string + required: + - name + type: object + type: array + listenPath: + description: ListenPath is the base path on Tyk to which requests + for this API will be sent. + type: string + name: + description: Name is the name of the OAS API within Tyk. + type: string + targetURL: + description: TargetURL is the upstream address to which requests will + be proxied. + type: string + versioningStatus: + description: VersioningStatus shows the status of a Versioned TykOasAPIDefinition. + properties: + baseAPIVersionContextRef: + description: |- + BaseAPIVersionContextRef specifies the namespace and name of the + Base API a versioned API is linked to. + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. + type: string + required: + - name + type: object + isDefaultVersion: + description: IsDefaultVersion specifies if the OAS API is the + default Version. + type: boolean + isVersionedAPI: + description: IsVersionedAPI indicates if the API is versioned. + type: boolean + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/components/tyk-operator/templates/NOTES.txt b/components/tyk-operator/templates/NOTES.txt new file mode 100644 index 00000000..5698a228 --- /dev/null +++ b/components/tyk-operator/templates/NOTES.txt @@ -0,0 +1 @@ +You have deployed the tyk-operator! See https://github.com/TykTechnologies/tyk-operator for more information. 
diff --git a/components/tyk-operator/templates/_helpers.tpl b/components/tyk-operator/templates/_helpers.tpl
new file mode 100644
index 00000000..7c009a1e
--- /dev/null
+++ b/components/tyk-operator/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "tyk-operator-helm.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "tyk-operator-helm.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "tyk-operator-helm.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "tyk-operator-helm.labels" -}}
+helm.sh/chart: {{ include "tyk-operator-helm.chart" . }}
+{{ include "tyk-operator-helm.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "tyk-operator-helm.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "tyk-operator-helm.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "tyk-operator-helm.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "tyk-operator-helm.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
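Review bot: `tyk-operator-helm.serviceAccountName` silently falls back to the namespace's shared `default` ServiceAccount when `serviceAccount.create` is false and no name is supplied; the manager ClusterRole in all.yaml grants cluster-wide create/get/list/update/watch on secrets and configmaps, so if that role were bound to `default`, every other pod running under that account would inherit the operator's privileges. In the else branch, `{{- required "serviceAccount.name must be set when serviceAccount.create is false" .Values.serviceAccount.name }}` would fail the render instead of widening the blast radius, or at minimum the helper's comment should state that the fallback is the namespace `default` account. Separately, the ServiceAccount in all.yaml is named `{{ include "tyk-operator-helm.fullname" . }}-controller-manager`, which is not what this helper returns, so the helper appears either unused or inconsistent with the account actually created; the Deployment that would reference it is outside this chunk.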
diff --git a/components/tyk-operator/templates/all.yaml b/components/tyk-operator/templates/all.yaml
new file mode 100644
index 00000000..a91dffae
--- /dev/null
+++ b/components/tyk-operator/templates/all.yaml
@@ -0,0 +1,643 @@
+
+apiVersion: v1
+{{ with .Values.imagePullSecrets }}
+imagePullSecrets:
+ {{- toYaml . | nindent 2 }}
+{{ end }}
+kind: ServiceAccount
+metadata:
+ name: {{ include "tyk-operator-helm.fullname" . }}-controller-manager
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "tyk-operator-helm.fullname" . }}-leader-election-role
+ namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "tyk-operator-helm.fullname" . }}-manager-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - get
+ - list
+ - update
+ - watch
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - create
+ - get
+ - list
+ - update
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - tyk.tyk.io
+ resources:
+ - apidefinitions
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - tyk.tyk.io
+ resources:
+ - apidefinitions/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - tyk.tyk.io
+ resources:
+ - apidescriptions
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - tyk.tyk.io
+ resources:
+ - apidescriptions/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - tyk.tyk.io
+ resources:
+ - apidescriptions/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - tyk.tyk.io
+ resources:
+ - operatorcontexts
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - tyk.tyk.io
+ resources:
+ - operatorcontexts/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - tyk.tyk.io
+ resources:
+ - operatorcontexts/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - tyk.tyk.io
+ resources:
+ - portalapicatalogues
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - tyk.tyk.io
+ resources:
+ - portalapicatalogues/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - tyk.tyk.io
+ resources:
+ - portalapicatalogues/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - tyk.tyk.io
+ resources:
+ - portalconfigs
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - tyk.tyk.io
+ resources:
+ - portalconfigs/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - tyk.tyk.io
+ resources:
+ - portalconfigs/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - tyk.tyk.io
+ resources:
+ - securitypolicies
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - tyk.tyk.io
+ resources:
+ - securitypolicies/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - tyk.tyk.io
+ resources:
+ - subgraphs
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - tyk.tyk.io
+ resources:
+ - subgraphs/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - tyk.tyk.io
+ resources:
+ - subgraphs/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - tyk.tyk.io
+ resources:
+ - supergraphs
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - tyk.tyk.io
+ resources:
+ - supergraphs/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - tyk.tyk.io
+ resources:
+ - supergraphs/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - tyk.tyk.io
+ resources:
+ - tykoasapidefinitions
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - tyk.tyk.io
+ resources:
+ - tykoasapidefinitions/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - tyk.tyk.io
+ resources:
+ - tykoasapidefinitions/status
+ verbs:
+ - get
+ - patch
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "tyk-operator-helm.fullname" . }}-metrics-reader
+rules:
+- nonResourceURLs:
+ - /metrics
+ verbs:
+ - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "tyk-operator-helm.fullname" . }}-proxy-role
+rules:
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "tyk-operator-helm.fullname" . }}-leader-election-rolebinding
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "tyk-operator-helm.fullname" . }}-leader-election-role
+subjects:
+- kind: ServiceAccount
+ name: {{ include "tyk-operator-helm.fullname" . }}-controller-manager
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "tyk-operator-helm.fullname" . }}-manager-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "tyk-operator-helm.fullname" . }}-manager-role
+subjects:
+- kind: ServiceAccount
+ name: {{ include "tyk-operator-helm.fullname" . }}-controller-manager
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "tyk-operator-helm.fullname" . }}-proxy-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "tyk-operator-helm.fullname" . }}-proxy-role
+subjects:
+- kind: ServiceAccount
+ name: {{ include "tyk-operator-helm.fullname" . }}-controller-manager
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: v1
+data:
+ controller_manager_config.yaml: |
+ apiVersion: controller-runtime.sigs.k8s.io/v1alpha1
+ kind: ControllerManagerConfig
+ health:
+ healthProbeBindAddress: :{{ .Values.healthProbePort }}
+ metrics:
+ bindAddress: 127.0.0.1:{{ .Values.metricsPort }}
+ webhook:
+ port: {{ .Values.webhookPort }}
+ leaderElection:
+ leaderElect: true
+ resourceName: 91ad8c6e.tyk.io
+kind: ConfigMap
+metadata:
+ name: {{ include "tyk-operator-helm.fullname" . }}-manager-config
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ control-plane: tyk-operator-controller-manager
+ name: {{ include "tyk-operator-helm.fullname" . }}-controller-manager-metrics-service
+ namespace: {{ .Release.Namespace }}
+spec:
+ ports:
+ - name: https
+ port: {{ .Values.rbac.port }}
+ targetPort: https
+ selector:
+ control-plane: tyk-operator-controller-manager
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "tyk-operator-helm.fullname" . }}-webhook-service
+ namespace: {{ .Release.Namespace }}
+spec:
+ ports:
+ - port: 443
+ targetPort: {{ .Values.webhookPort }}
+ selector:
+ control-plane: tyk-operator-controller-manager
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ control-plane: tyk-operator-controller-manager
+ name: {{ include "tyk-operator-helm.fullname" . }}-controller-manager
+ namespace: {{ .Release.Namespace }}
+spec:
+ replicas: {{default 1 .Values.replicaCount }}
+ selector:
+ matchLabels:
+ control-plane: tyk-operator-controller-manager
+ template:
+ metadata:
+{{- with .Values.podAnnotations }}
+ annotations:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+ labels:
+ control-plane: tyk-operator-controller-manager
+ spec:
+ containers:
+ - command:
+ - /manager
+{{- with .Values.envVars }}
+ env:
+{{- toYaml . | nindent 10 }}
+{{- end }}
+{{- with .Values.envFrom }}
+ envFrom:
+{{- toYaml . | nindent 10 }}
+{{- end }}
+ image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: {{ .Values.healthProbePort }}
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ name: manager
+ ports:
+ - containerPort: {{ .Values.webhookPort }}
+ name: webhook-server
+ protocol: TCP
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: {{ .Values.healthProbePort }}
+ initialDelaySeconds: 5
+ periodSeconds: 10
+{{- with .Values.resources }}
+ resources:
+{{- toYaml . | nindent 10 }}
+{{- end }}
+{{- with .Values.securityContext }}
+ securityContext:
+{{- toYaml . | nindent 10 }}
+{{- end }}
+ volumeMounts:
+ - mountPath: /tmp/k8s-webhook-server/serving-certs
+ name: cert
+ readOnly: true
+ {{ if .Values.extraVolumeMounts }}
+ {{ toYaml .Values.extraVolumeMounts | nindent 8}}
+ {{ end }}
+ - mountPath: /controller_manager_config.yaml
+ name: manager-config
+ subPath: controller_manager_config.yaml
+ - args:
+ - --secure-listen-address=0.0.0.0:{{ .Values.rbac.port }}
+ - --upstream=http://127.0.0.1:{{ .Values.metricsPort }}/
+ - --logtostderr=true
+ - --v=10
+ image: {{ .Values.rbac.image.repository }}:{{ .Values.rbac.image.tag }}
+ imagePullPolicy: {{ .Values.rbac.image.pullPolicy }}
+ name: kube-rbac-proxy
+ ports:
+ - containerPort: {{ .Values.rbac.port }}
+ name: https
+{{- with .Values.rbac.resources }}
+ resources:
+{{- toYaml . | nindent 10 }}
+{{- end }}
+ hostNetwork: {{ .Values.hostNetwork | default false }}
+{{- if .Values.nodeSelector }}
+ nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+ securityContext:
+ runAsNonRoot: true
+ serviceAccountName: {{ include "tyk-operator-helm.fullname" . }}-controller-manager
+ terminationGracePeriodSeconds: 10
+ volumes:
+ - name: cert
+ secret:
+ defaultMode: 420
+ secretName: webhook-server-cert
+ {{ if .Values.extraVolumes }}
+ {{ toYaml .Values.extraVolumes | nindent 6 }}
+ {{ end }}
+ - configMap:
+ name: {{ include "tyk-operator-helm.fullname" . }}-manager-config
+ name: manager-config
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ include "tyk-operator-helm.fullname" . }}-serving-cert
+ namespace: {{ .Release.Namespace }}
+spec:
+ dnsNames:
+ - {{ include "tyk-operator-helm.fullname" . }}-webhook-service.{{ .Release.Namespace }}.svc
+ - {{ include "tyk-operator-helm.fullname" . }}-webhook-service.{{ .Release.Namespace }}.svc.cluster.local
+ issuerRef:
+ kind: Issuer
+ name: {{ include "tyk-operator-helm.fullname" . }}-selfsigned-issuer
+ secretName: webhook-server-cert
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: {{ include "tyk-operator-helm.fullname" . }}-selfsigned-issuer
+ namespace: {{ .Release.Namespace }}
+spec:
+ selfSigned: {}
+---
+{{ if .Values.serviceMonitor }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ labels:
+ control-plane: tyk-operator-controller-manager
+ name: {{ include "tyk-operator-helm.fullname" . }}-controller-manager-metrics-monitor
+ namespace: {{ .Release.Namespace }}
+spec:
+ endpoints:
+ - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+ path: /metrics
+ port: https
+ scheme: https
+ tlsConfig:
+ insecureSkipVerify: true
+ selector:
+ matchLabels:
+ control-plane: tyk-operator-controller-manager
+{{ end }}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ annotations:
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "tyk-operator-helm.fullname" . }}-serving-cert
+ name: {{ include "tyk-operator-helm.fullname" . }}-mutating-webhook-configuration
+webhooks:
+- admissionReviewVersions:
+ - v1
+ - v1beta1
+ clientConfig:
+ service:
+ name: {{ include "tyk-operator-helm.fullname" . }}-webhook-service
+ namespace: {{ .Release.Namespace }}
+ path: /mutate-tyk-tyk-io-v1alpha1-apidefinition
+ failurePolicy: Fail
+ name: mapidefinition.kb.io
+ rules:
+ - apiGroups:
+ - tyk.tyk.io
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - apidefinitions
+ sideEffects: None
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ annotations:
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "tyk-operator-helm.fullname" . }}-serving-cert
+ name: {{ include "tyk-operator-helm.fullname" . }}-validating-webhook-configuration
+webhooks:
+- admissionReviewVersions:
+ - v1
+ - v1beta1
+ clientConfig:
+ service:
+ name: {{ include "tyk-operator-helm.fullname" . }}-webhook-service
+ namespace: {{ .Release.Namespace }}
+ path: /validate-tyk-tyk-io-v1alpha1-apidefinition
+ failurePolicy: Fail
+ name: vapidefinition.kb.io
+ rules:
+ - apiGroups:
+ - tyk.tyk.io
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - apidefinitions
+ sideEffects: None
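Review bot: The manager container's `securityContext` block is guarded by `{{- with .Values.securityContext }}`, but the values.yaml added in this same patch (the `@@ -0,0 +1,61 @@` hunk below) ships that setting as `podSecurityContext: allowPrivilegeEscalation: false`, so with default values the block never renders and the operator container runs without the privilege-escalation restriction the chart appears to intend; `podSecurityContext` is referenced nowhere in this template, and `annotations: {}` in values.yaml is likewise unused. Since `allowPrivilegeEscalation` is a container-level field, the cleaner fix is to rename the values key to `securityContext:` so it matches this guard, with a comment `# securityContext is applied to the manager container` above it in values.yaml. The kube-rbac-proxy sidecar is started with `--v=10`, which is the most verbose klog level and is unusual for a production sidecar; the value is hard-coded here, so consider `--v=0` or exposing it through `.Values.rbac` so operators can raise it only when debugging. The ServiceMonitor endpoint sets `tlsConfig.insecureSkipVerify: true`; that is consistent with the proxy's self-signed serving cert but deserves a one-line comment next to it stating why, so it is not read as an oversight.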
diff --git a/components/tyk-operator/values.yaml b/components/tyk-operator/values.yaml
new file mode 100644
index 00000000..2f04a7fc
--- /dev/null
+++ b/components/tyk-operator/values.yaml
@@ -0,0 +1,61 @@
+replicaCount: 1
+# loads environment variables to the operator.
+envFrom:
+ - secretRef:
+ name: tyk-operator-conf
+envVars:
+ - name: TYK_HTTPS_INGRESS_PORT
+ value: "8443"
+ - name: TYK_HTTP_INGRESS_PORT
+ value: "8080"
+image:
+ repository: tykio/tyk-operator
+ pullPolicy: IfNotPresent
+ tag: "v0.18.0"
+# specify imagePullSecrets for ServiceAccount
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+# extraVolumes is a list of volumes to be added to the pod
+# extraVolumes:
+# - name: ca-certs
+# secret:
+# secretName: ca-certs
+# - name: ca-certs
+# configMap:
+# name: custom-ca-configmap
+extraVolumes: []
+# extraVolumeMounts is a list of volume mounts to be added to the pod
+# extraVolumeMounts:
+# - name: ca-certs
+# mountPath: /etc/ssl/certs/your-cert.pem
+# subPath: your-cert.pem
+# readOnly: false
+extraVolumeMounts: []
+# healthProbePort identifies the port the Controller Manager will listen on. Used by liveness and readiness probes
+healthProbePort: 8081
+# metricsPort identifies the port on which Tyk Operator metrics are served
+metricsPort: 8080
+# webhookPort identifies the port on which webhooks are handled
+webhookPort: 9443
+annotations: {}
+podAnnotations: {}
+podSecurityContext:
+ allowPrivilegeEscalation: false
+resources: {}
+nodeSelector: {}
+hostNetwork: false
+# rbac specifies necessary resources for kube-rbac-proxy container
+rbac:
+ resources: {}
+ # specify custom/internal repo name for kube-rbac-proxy container
+ image:
+ repository: gcr.io/kubebuilder/kube-rbac-proxy
+ pullPolicy: IfNotPresent
+ tag: "v0.15.0"
+ port: 8443
+# serviceMonitor decides deploying ServiceMonitor if Prometheus Operator scrapes /metrics.
+# By default it is set to false and set it to true to enable deploying Service Monitor.
+# Tyk Operator publishes a collection of performance metrics for each controller.
+# These metrics can be scraped by Prometheus Operator, by deploying ServiceMonitor resource.
+serviceMonitor: false
diff --git a/tyk-operator-crds/crd-v0.18.8-rc-test.yaml b/tyk-operator-crds/crd-v0.18.8-rc-test.yaml
new file mode 100644
index 00000000..f14532b9
--- /dev/null
+++ b/tyk-operator-crds/crd-v0.18.8-rc-test.yaml
@@ -0,0 +1,4875 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + controller-gen.kubebuilder.io/version: v0.14.0 + name: apidefinitions.tyk.tyk.io +spec: + group: tyk.tyk.io + names: + categories: + - tyk + kind: ApiDefinition + listKind: ApiDefinitionList + plural: apidefinitions + shortNames: + - tykapis + singular: apidefinition + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.domain + name: Domain + type: string + - jsonPath: .spec.proxy.listen_path + name: ListenPath + type: string + - jsonPath: .spec.proxy.target_url + name: Proxy.TargetURL + type: string + - jsonPath: .spec.active + name: Enabled + type: boolean + - jsonPath: .status.latestTransaction.status + name: SyncStatus + type: string + - jsonPath: .status.ingressTemplate + name: IngressTemplate + type: boolean + name: v1alpha1 + schema: + openAPIV3Schema: + description: ApiDefinition is the Schema for the apidefinitions API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: APIDefinitionSpec represents the configuration for a single + proxied API and it's versions. 
+ properties: + CORS: + properties: + allow_credentials: + description: AllowCredentials if true will allow cookies + type: boolean + allowed_headers: + description: AllowedHeaders are headers that are allowed within + a request. + items: + type: string + type: array + allowed_methods: + description: AllowedMethods is a list of methods to allow access + via. + items: + description: HttpMethod represents HTTP request method + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + - HEAD + - CONNECT + - TRACE + type: string + type: array + allowed_origins: + description: AllowedOrigins is a list of origin domains to allow + access from. + items: + type: string + type: array + debug: + description: Debug if true, this option produces log files for + the CORS middleware + type: boolean + enable: + description: Enable when set to true it enables the cors middleware + for the api + type: boolean + exposed_headers: + description: ExposedHeaders is a list of headers that are exposed + back in the response. + items: + type: string + type: array + max_age: + description: MaxAge is the maximum age of credentials + type: integer + options_passthrough: + description: |- + OptionsPassthrough allow CORS OPTIONS preflight request to be proxied + directly to upstream, without authentication and rest of checks. This means + that pre-flight requests generated by web-clients such as SwaggerUI or the + Tyk Portal documentation system will be able to test the API using trial + keys. If your service handles CORS natively, then enable this option. + type: boolean + type: object + active: + description: Active specifies if the api is enabled or not + type: boolean + allowed_ips: + description: |- + AllowedIPs is a list of IP address that are whitelisted.When this is + provided all IP address that is not on this list will be blocked and a 403 http + status will be returned. The IP address can be IPv4 or IPv6.IP in + CIDR notation is also supported. 
+ items: + type: string + type: array + analytics_plugin: + description: |- + AnalyticsPlugin is used to configure analytics plugin which enables editing or removal of all parts of analytics + records, raw request and responses recorded by Tyk at the gateway level + nullable: true + properties: + enable: + type: boolean + func_name: + type: string + plugin_path: + type: string + required: + - enable + type: object + api_id: + description: |- + Only set this field if you are referring + to an existing API def. + The Operator will use this APIID to link the CR with the API in Tyk + Note: The values in the CR will become the new source of truth, overriding the existing API Definition + type: string + auth: + properties: + auth_header_name: + type: string + cookie_name: + type: string + param_name: + type: string + signature: + properties: + algorithm: + type: string + allowed_clock_skew: + format: int64 + type: integer + error_code: + type: integer + error_message: + type: string + header: + type: string + secret: + type: string + required: + - algorithm + - allowed_clock_skew + - error_code + - error_message + - header + - secret + type: object + use_certificate: + type: boolean + use_cookie: + type: boolean + use_param: + type: boolean + validate_signature: + type: boolean + required: + - auth_header_name + type: object + auth_configs: + additionalProperties: + properties: + auth_header_name: + type: string + cookie_name: + type: string + param_name: + type: string + signature: + properties: + algorithm: + type: string + allowed_clock_skew: + format: int64 + type: integer + error_code: + type: integer + error_message: + type: string + header: + type: string + secret: + type: string + required: + - algorithm + - allowed_clock_skew + - error_code + - error_message + - header + - secret + type: object + use_certificate: + type: boolean + use_cookie: + type: boolean + use_param: + type: boolean + validate_signature: + type: boolean + required: + - auth_header_name + 
type: object + type: object + base_identity_provided_by: + description: BaseIdentityProvidedBy sets Base Identity Provider for + situation when multiple authentication mechanisms are used + enum: + - auth_token + - hmac_key + - basic_auth_user + - jwt_claim + - oidc_user + - oauth_key + type: string + blacklisted_ips: + description: |- + BlacklistedIPs is a list of IP address that will be blacklisted.This means if + origin IP matches any IP in this list a 403 http status code will be + returned. The IP address can be IPv4 or IPv6. IP in CIDR notation is also + supported. + items: + type: string + type: array + cache_options: + properties: + cache_all_safe_requests: + description: |- + CacheAllSafeRequests caches responses to (GET, HEAD, OPTIONS) requests + overrides per-path cache settings in versions, applies across versions + type: boolean + cache_by_headers: + description: CacheByHeaders allows header values to be used as + part of the cache key + items: + type: string + type: array + cache_control_ttl_header: + description: CacheControlTTLHeader is the response header which + tells Tyk how long it is safe to cache the response for + type: string + cache_response_codes: + description: CacheOnlyResponseCodes is an array of response codes + which are safe to cache. e.g. 404 + items: + type: integer + type: array + cache_timeout: + description: CacheTimeout is the TTL for a cached object in seconds + format: int64 + type: integer + enable_cache: + description: |- + EnableCache turns global cache middleware on or off. + It is still possible to enable caching on a per-path basis by explicitly setting the endpoint cache middleware. 
+ see `spec.version_data.versions.{VERSION}.extended_paths.cache[]` + type: boolean + enable_upstream_cache_control: + description: EnableUpstreamCacheControl instructs Tyk Cache to + respect upstream cache control headers + type: boolean + required: + - cache_timeout + type: object + certificate_secret_names: + description: |- + CertificateSecretNames represents the names of the secrets that the controller should look for in the current + namespace which contain the certificates. + items: + type: string + type: array + certificates: + description: Certificates is a list of Tyk Certificate IDs. e.g. orgid+fingerprint. + Use CertificateSecretNames if using cert-manager + items: + type: string + type: array + client_certificate_refs: + items: + type: string + type: array + client_certificates: + items: + type: string + type: array + config_data: + description: |- + ConfigData can be used to pass custom attributes (a JSON object) into your middleware, such + as a virtual endpoint or header transform. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + contextRef: + description: |- + Context specify namespace/name of the OperatorContext object used for + reconciling this APIDefinition + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. 
+ type: string + required: + - name + type: object + custom_middleware: + properties: + auth_check: + properties: + name: + type: string + path: + type: string + raw_body_only: + type: boolean + require_session: + type: boolean + required: + - name + - path + type: object + driver: + type: string + id_extractor: + properties: + extract_from: + type: string + extract_with: + type: string + extractor_config: + properties: + header_name: + type: string + param_name: + type: string + regex_expression: + type: string + regex_match_index: + type: integer + type: object + required: + - extract_from + - extract_with + - extractor_config + type: object + post: + items: + properties: + name: + type: string + path: + type: string + raw_body_only: + type: boolean + require_session: + type: boolean + required: + - name + - path + type: object + type: array + post_key_auth: + items: + properties: + name: + type: string + path: + type: string + raw_body_only: + type: boolean + require_session: + type: boolean + required: + - name + - path + type: object + type: array + pre: + items: + properties: + name: + type: string + path: + type: string + raw_body_only: + type: boolean + require_session: + type: boolean + required: + - name + - path + type: object + type: array + response: + items: + properties: + name: + type: string + path: + type: string + raw_body_only: + type: boolean + require_session: + type: boolean + required: + - name + - path + type: object + type: array + required: + - driver + type: object + custom_middleware_bundle: + type: string + definition: + properties: + key: + type: string + location: + type: string + strip_path: + type: boolean + required: + - key + - location + - strip_path + type: object + detailed_tracing: + nullable: true + type: boolean + disable_quota: + description: DisableQuota allows you to disable quota middleware in + a given API Definition. 
+ type: boolean + disable_rate_limit: + description: DisableRateLimit allows you to disable rate limits in + a given API Definition. + type: boolean + do_not_track: + description: DoNotTrack disables endpoint tracking for this API + type: boolean + domain: + description: Domain represents a custom host header that the gateway + will listen on for this API + type: string + enable_context_vars: + description: |- + EnableContextVars extracts request context variables from the start of the middleware chain. + Set this to true to make them available to your transforms. + Context Variables are available in the url rewriter, modify headers and body transforms. + type: boolean + enable_coprocess_auth: + type: boolean + enable_detailed_recording: + description: |- + EnableDetailedRecording instructs Tyk store the inbound request and outbound response data in HTTP Wire format + as part of the Analytics data + type: boolean + enable_ip_blacklisting: + description: EnableIPBlacklisting activates the ip blacklisting middleware. + type: boolean + enable_ip_whitelisting: + description: EnableIPWhiteListing activates the ip whitelisting middleware. + type: boolean + enable_jwt: + description: EnableJWT set JWT as the access method for this API. + type: boolean + enable_proxy_protocol: + type: boolean + event_handlers: + properties: + events: + additionalProperties: + items: + properties: + handler_meta: + description: |- + MapStringInterfaceType represents a generic struct used as a map[string]interface{}. Since an arbitrary + JSON fields defined as map[string]interface{} is not feasible to use as a Kubernetes CRD, unstructured.Unstructured + type is used. 
+ type: object + x-kubernetes-preserve-unknown-fields: true + handler_name: + type: string + required: + - handler_meta + - handler_name + type: object + type: array + type: object + required: + - events + type: object + global_rate_limit: + description: |- + GlobalRateLimit is an API Level Global Rate Limit, which assesses all traffic coming into the API from all + sources and ensures that the overall rate limit is not exceeded. + properties: + per: + description: Per represents a time window in seconds + type: integer + rate: + description: Rate represents the number of requests allowed within + a specified time window (Per) + type: integer + required: + - per + - rate + type: object + graphql: + description: GraphQLConfig is the root config object for a GraphQL + API. + properties: + enabled: + description: Enabled indicates if GraphQL proxy should be enabled. + type: boolean + engine: + description: Engine holds the configuration for engine v2 and + upwards. + properties: + data_sources: + items: + properties: + config: + description: |- + MapStringInterfaceType represents a generic struct used as a map[string]interface{}. Since an arbitrary + JSON fields defined as map[string]interface{} is not feasible to use as a Kubernetes CRD, unstructured.Unstructured + type is used. 
+ type: object + x-kubernetes-preserve-unknown-fields: true + internal: + type: boolean + kind: + enum: + - REST + - GraphQL + - Kafka + type: string + name: + type: string + root_fields: + items: + properties: + fields: + items: + type: string + type: array + type: + type: string + required: + - fields + - type + type: object + type: array + required: + - config + - internal + - kind + - name + - root_fields + type: object + nullable: true + type: array + field_configs: + items: + properties: + disable_default_mapping: + type: boolean + field_name: + type: string + path: + items: + type: string + type: array + type_name: + type: string + required: + - disable_default_mapping + - field_name + - path + - type_name + type: object + nullable: true + type: array + global_headers: + description: GlobalHeaders for managing headers for UDG and + all associated data sources + items: + properties: + key: + description: Key is the name of the request header + type: string + value: + description: Value holds the value of the request header + type: string + required: + - key + - value + type: object + nullable: true + type: array + required: + - data_sources + - field_configs + type: object + execution_mode: + description: GraphQLExecutionMode is the mode to define how an + api behaves. + enum: + - "" + - proxyOnly + - executionEngine + - supergraph + - subgraph + type: string + graph_ref: + type: string + introspection: + description: Introspection holds the configuration for GraphQL + Introspection + properties: + disabled: + type: boolean + type: object + last_schema_update: + description: LastSchemaUpdate contains the date and time of the + last triggered schema update to the upstream. + format: date-time + type: string + playground: + description: GraphQLPlayground is the Playground specific configuration. + properties: + enabled: + description: Enabled indicates if the playground should be + enabled. 
+ type: boolean + path: + description: Path sets the path on which the playground will + be hosted if enabled. + type: string + required: + - enabled + - path + type: object + proxy: + description: Proxy holds the configuration for a proxy only api. + properties: + auth_headers: + additionalProperties: + type: string + nullable: true + type: object + features: + nullable: true + properties: + use_immutable_headers: + type: boolean + type: object + request_headers: + additionalProperties: + type: string + nullable: true + type: object + request_headers_rewrite: + additionalProperties: + properties: + remove: + type: boolean + value: + type: string + required: + - remove + - value + type: object + nullable: true + type: object + subscription_type: + description: SubscriptionType is the subscription protocol + to use for graphql subscriptions + enum: + - "" + - graphql-ws + - graphql-transport-ws + - sse + type: string + use_response_extensions: + properties: + on_error_forwarding: + type: boolean + required: + - on_error_forwarding + type: object + type: object + schema: + description: Schema is the GraphQL Schema exposed by the GraphQL + API/Upstream/Engine. + type: string + subgraph: + description: Subgraph holds the configuration for a GraphQL federation + subgraph. + properties: + sdl: + type: string + required: + - sdl + type: object + supergraph: + description: Supergraph holds the configuration for a GraphQL + federation supergraph. 
+ properties: + disable_query_batching: + type: boolean + global_headers: + additionalProperties: + type: string + type: object + merged_sdl: + type: string + subgraphs: + items: + properties: + api_id: + description: UUID v4 string (!not the same as _id of + APIDefinition) + type: string + headers: + additionalProperties: + type: string + nullable: true + type: object + name: + type: string + sdl: + description: the schema definition language of the subgraph + type: string + url: + description: The internal URL of the subgraph + type: string + required: + - api_id + - headers + - name + - sdl + - url + type: object + type: array + updated_at: + description: UpdatedAt contains the date and time of the last + update of a supergraph API. + format: date-time + type: string + type: object + type_field_configurations: + description: TypeFieldConfigurations is a rule set of data source + and mapping of a schema field. + items: + properties: + data_source: + properties: + data_source_config: + description: |- + Config is the DataSource specific configuration object + Each Planner needs to make sure to parse their Config Object correctly + properties: + body: + type: string + default_type_name: + type: string + headers: + items: + type: string + type: array + method: + description: HttpMethod represents HTTP request + method + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + - HEAD + - CONNECT + - TRACE + type: string + status_code_type_name_mappings: + items: + properties: + status_code: + type: integer + type_name: + type: string + required: + - status_code + type: object + type: array + url: + type: string + required: + - method + - url + type: object + kind: + description: |- + Kind defines the unique identifier of the DataSource + Kind needs to match to the Planner "DataSourceName" name + enum: + - GraphQLDataSource + - HTTPJSONDataSource + type: string + required: + - kind + type: object + field_name: + type: string + mapping: + properties: + 
disabled: + type: boolean + path: + type: string + required: + - disabled + - path + type: object + type_name: + type: string + required: + - data_source + - field_name + - mapping + - type_name + type: object + type: array + version: + description: Version defines the version of the GraphQL config + and engine to be used. + enum: + - "1" + - "2" + type: string + required: + - enabled + - execution_mode + type: object + id: + description: For server use only, do not use + type: string + internal: + description: Internal tells Tyk Gateway that this is a virtual API. + It can only be routed to from other APIs. + type: boolean + jwt_client_base_field: + description: |- + JWTClientIDBaseField is the name of the field on JWT claim to use for client + id. This field is mutually exclusive to jwt_identity_base_field, meaning you + can only set/use one and jwt_identity_base_field takes precedence when both + are set. + type: string + jwt_default_policies: + description: |- + JWTDefaultPolicies is a list of policies that will be used when base policy + can't be extracted from the JWT token. When this list is provided the first + element will be used as the base policy while the rest of elements will be applied. + items: + type: string + type: array + jwt_expires_at_validation_skew: + description: "JWTExpiresAtValidationSkew adds validation for expired + at JWT claim.\nGiven\n\tnow = current unix time\n\tskew = jwt_expires_at_validation_skew\n\texp + = expired at\nIf exp > (now - skew) then validation will fail with + \"token has expired\"" + format: int64 + type: integer + jwt_identity_base_field: + description: |- + JWTIdentityBaseField Identifies the user or identity to be used in the + Claims of the JWT. This will fallback to sub if not found. This field forms + the basis of a new “virtual” token that gets used after validation. It means + policy attributes are carried forward through Tyk for attribution purposes. 
+ type: string + jwt_issued_at_validation_skew: + description: "JWTIssuedAtValidationSkew adds validation for issued + at JWT claim.\nGiven\n\tnow = current unix time\n\tskew = jwt_issued_at_validation_skew\n\tiat + = the issued at jwt claim\nIf iat > (now + skew) then validation + will fail with \"token used before issued\"" + format: int64 + type: integer + jwt_not_before_validation_skew: + description: "JWTNotBeforeValidationSkew adds validation for not + before JWT claim.\nGiven\n\tnow = current unix time\n\tskew = jwt_not_before_validation_skew\n\tnbf + = the not before jwt claim\nIf nbf > (now + skew) then validation + will fail with \"token is not valid yet\"" + format: int64 + type: integer + jwt_policy_field_name: + description: JWTPolicyFieldName The policy ID to apply to the virtual + token generated for a JWT + type: string + jwt_scope_claim_name: + description: |- + JWTScopeClaimName overides the key used for scope values in the JWT claims. + By default the value is "scope" + type: string + jwt_scope_to_policy_mapping: + additionalProperties: + type: string + description: |- + JWTScopeToPolicyMapping this is a mapping of scope value to policy id. If + this is set then a scope value found in this map will make the mappend + policy to be applied. + type: object + jwt_signing_method: + description: JWTSigningMethod algorithm used to sign jwt token + enum: + - "" + - rsa + - hmac + - ecdsa + type: string + jwt_skip_kid: + description: |- + JWTSkipKid when true we ingore using kid as the identity for a JWT token and + instead use jwt_identity_base_field if it was set or fallback to sub JWT + claim. + type: boolean + jwt_source: + description: |- + JWTSource Must either be a base64 encoded valid RSA/HMAC key or a url to a + resource serving JWK, this key will then be used to validate inbound JWT and + throttle them according to the centralised JWT options and fields set in the + configuration. 
+ type: string + listen_port: + type: integer + name: + type: string + oauth_meta: + properties: + allowed_access_types: + description: AllowedAccessTypes are an array of allowable access + types. + items: + enum: + - authorization_code + - refresh_token + - password + - client_credentials + type: string + type: array + allowed_authorize_types: + description: |- + AllowedAuthorizeTypes is an array of allowable `response_type` parameters `token` or authorization code `code`. + Choose token for client_credentials or implicit grant types. + items: + enum: + - code + - token + type: string + type: array + auth_login_redirect: + description: Login form to handle user login. + type: string + required: + - allowed_access_types + - allowed_authorize_types + type: object + org_id: + description: OrgID is overwritten - no point setting this + type: string + pinned_public_keys: + additionalProperties: + type: string + description: |- + PinnedPublicKeys allows you to whitelist public keys used to generate certificates, so you will be protected in + case an upstream certificate is compromised. Please use PinnedPublicKeysRefs if using cert-manager. + type: object + pinned_public_keys_refs: + additionalProperties: + type: string + description: |- + PinnedPublicKeysRefs allows you to specify public keys using k8s secret. + It takes domain name as a key and secret name as a value. + type: object + protocol: + description: APIProtocol is the network transport protocol supported + by the gateway + enum: + - "" + - h2c + - tcp + - tls + - http + - https + type: string + proxy: + description: Proxy + properties: + check_host_against_uptime_tests: + description: |- + CheckHostAgainstUptimeTests will check the hostname of the outbound request against the downtime list generated + by the uptime test host checker. If the host is found, then it is skipped or removed from the load balancer. + This is only valid if uptime tests for the api are enabled. 
+ type: boolean + disable_strip_slash: + description: |- + DisableStripSlash disables the stripping of the slash suffix from a URL. + when `true` a request to http://foo.bar/baz/ will be retained. + when `false` a request to http://foo.bar/baz/ will be matched to http://foo.bar/baz + type: boolean + enable_load_balancing: + description: |- + EnableLoadBalancing enables Tyk's round-robin loadbalancer. Tyk will ignore the TargetURL field, and rely on + the hosts in the Targets list + type: boolean + listen_path: + description: |- + ListenPath represents the path to listen on. e.g. `/api` or `/` or `/httpbin`. + Any requests coming into the host, on the port that Tyk is configured to run on, that match this path will + have the rules defined in the API Definition applied. Versioning assumes that different versions of an API + will live on the same URL structure. If you are using URL-based versioning (e.g. /v1/function, /v2/function) + then it is recommended to set up a separate non-versioned definition for each version as they are essentially + separate APIs. + type: string + preserve_host_header: + description: |- + If PreserveHostHeader is set to true then the host header in the outbound request is retained to be the + inbound hostname of the proxy. + type: boolean + service_discovery: + description: 'TODO: Untested. Is there a use-case for SD inside + a K8s environment?' 
+ properties: + cache_timeout: + format: int64 + type: integer + data_path: + type: string + endpoint_returns_list: + type: boolean + parent_data_path: + type: string + port_data_path: + type: string + query_endpoint: + type: string + target_path: + type: string + use_discovery_service: + type: boolean + use_nested_query: + type: boolean + use_target_list: + type: boolean + required: + - cache_timeout + - data_path + - endpoint_returns_list + - parent_data_path + - port_data_path + - query_endpoint + - target_path + - use_discovery_service + - use_nested_query + - use_target_list + type: object + strip_listen_path: + description: |- + StripListenPath removes the inbound listen path in the outgoing request. + e.g. http://acme.com/httpbin/get where `httpbin` is the listen path. The `httpbin` listen path which is used + to identify the API loaded in Tyk is removed, and the outbound request would be http://httpbin.org/get + type: boolean + target_internal: + properties: + path: + description: "Path path on target , this does not include + query parameters.\n\texample /myendpoint" + type: string + query: + description: "Query url query string to add to target\n\texample + check_limits=true" + type: string + target: + description: |- + API a namespaced/name to the api definition resource that you are + targetting + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. + type: string + required: + - name + type: object + type: object + target_list: + description: |- + Targets defines a list of upstream host targets. Tyk will then round-robin load balance between these targets. + EnableLoadBalancing must be set to true in order to take advantage of this feature. 
+ items: + type: string + type: array + target_url: + description: TargetURL defines the target URL that the request + should be proxied to. + type: string + transport: + description: Transport section exposes advanced transport level + configurations such as minimum TLS version. + properties: + proxy_url: + description: ProxyURL specifies custom forward proxy & port. + e.g. `http(s)://proxy.url:1234` + type: string + ssl_ciphers: + description: |- + SSLCipherSuites is an array of acceptable cipher suites. A list of allowed cipher suites can be found in the + Go Crypto TLS package constants documentation https://golang.org/pkg/crypto/tls/#pkg-constants + items: + type: string + type: array + ssl_force_common_name_check: + description: SSLForceCommonNameCheck forces hostname validation + against the certificate Common Name + type: boolean + ssl_insecure_skip_verify: + description: |- + SSLInsecureSkipVerify controls whether it is possible to use self-signed certificates when connecting to the + upstream. This is applied to `TykMakeHttpRequest` & `TykMakeBatchRequest` in virtual endpoint middleware. + type: boolean + ssl_min_version: + description: |- + SSLMinVersion defines the minimum TLS version the gateway will use to establish a connection to the upstream. + 1.0: 769; 1.1: 770; 1.2: 771; 1.3: 772. 
+ enum: + - 769 + - 770 + - 771 + - 772 + type: integer + type: object + required: + - target_url + type: object + response_processors: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + session_lifetime: + description: "SessionLifetime this is duration in seconds before the + session key expires\nin redis.\n\n\nExample:\nIf you want the session + keys to be alive only 24 hours you can set this\nvalue to 86400 + that we can break down to\n\t60 * 60 * 24 = Total seconds in a day" + format: int64 + type: integer + strip_auth_data: + description: StripAuthData ensures that any security tokens used for + accessing APIs are stripped and not leaked to the upstream + type: boolean + tag_headers: + items: + type: string + type: array + tags: + description: |- + Tags are named gateway nodes which tell gateway clusters whether to load an API or not. + for example, to load the API in an ARA gateway, you might want to include an `edge` tag. + items: + type: string + type: array + upstream_certificate_refs: + additionalProperties: + type: string + description: |- + UpstreamCertificateRefs is a map of domains and secret names that is used internally + to obtain certificates from secrets in order to establish mTLS support for upstreams + type: object + upstream_certificates: + additionalProperties: + type: string + description: |- + UpstreamCertificates is a map of domains and certificate IDs that is used by the Tyk + Gateway to provide mTLS support for upstreams + type: object + use_basic_auth: + description: UseBasicAuth enables basic authentication + type: boolean + use_go_plugin_auth: + description: Enable Go Plugin Auth. Needs to be combined with "use_keyless:false" + type: boolean + use_keyless: + description: |- + UseKeylessAccess will switch off all key checking. Some analytics will still be recorded, but rate-limiting, + quotas and security policies will not be possible (there is no session to attach requests to). 
+ type: boolean + use_mutual_tls_auth: + description: UseMutualTLSAuth enables mututal TLS authentication + type: boolean + use_oauth2: + description: UseOAuth2 enables oauth2 authorization + type: boolean + use_standard_auth: + description: UseStandardAuth enables simple bearer token authentication + type: boolean + version_data: + properties: + default_version: + type: string + not_versioned: + type: boolean + versions: + additionalProperties: + properties: + expires: + type: string + extended_paths: + properties: + advance_cache_config: + items: + properties: + cache_key_regex: + type: string + cache_response_codes: + items: + type: integer + type: array + method: + description: HttpMethod represents HTTP request + method + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + - HEAD + - CONNECT + - TRACE + type: string + path: + type: string + timeout: + format: int64 + type: integer + required: + - cache_key_regex + - cache_response_codes + - method + - path + type: object + type: array + black_list: + items: + properties: + ignore_case: + type: boolean + method_actions: + additionalProperties: + properties: + action: + type: string + code: + type: integer + data: + type: string + headers: + additionalProperties: + type: string + type: object + required: + - action + - code + - data + - headers + type: object + type: object + path: + type: string + required: + - ignore_case + - method_actions + - path + type: object + type: array + cache: + description: List of paths which cache middleware should + be enabled on + items: + type: string + type: array + circuit_breakers: + items: + properties: + disable_half_open_state: + type: boolean + method: + description: HttpMethod represents HTTP request + method + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + - HEAD + - CONNECT + - TRACE + type: string + path: + type: string + return_to_service_after: + description: ReturnToServiceAfter represents the + time in seconds to return back to 
the service + type: integer + samples: + description: Samples defines the number of requests + to base the ThresholdPercent on + format: int64 + type: integer + threshold_percent: + description: ThresholdPercent is the percentage + of requests that fail before breaker is tripped + pattern: ^0\\.\\d+|1\\.0$ + type: string + required: + - method + - path + - return_to_service_after + - samples + - threshold_percent + type: object + type: array + do_not_track_endpoints: + items: + properties: + method: + description: HttpMethod represents HTTP request + method + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + - HEAD + - CONNECT + - TRACE + type: string + path: + type: string + required: + - method + - path + type: object + type: array + hard_timeouts: + items: + properties: + method: + description: HttpMethod represents HTTP request + method + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + - HEAD + - CONNECT + - TRACE + type: string + path: + type: string + timeout: + type: integer + required: + - method + - path + - timeout + type: object + type: array + ignored: + items: + properties: + ignore_case: + type: boolean + method_actions: + additionalProperties: + properties: + action: + type: string + code: + type: integer + data: + type: string + headers: + additionalProperties: + type: string + type: object + required: + - action + - code + - data + - headers + type: object + type: object + path: + type: string + required: + - ignore_case + - method_actions + - path + type: object + type: array + internal: + items: + properties: + method: + description: HttpMethod represents HTTP request + method + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + - HEAD + - CONNECT + - TRACE + type: string + path: + type: string + required: + - method + - path + type: object + type: array + method_transforms: + items: + properties: + method: + description: HttpMethod represents HTTP request + method + enum: + - GET + - POST + - PUT 
+ - PATCH + - DELETE + - OPTIONS + - HEAD + - CONNECT + - TRACE + type: string + path: + type: string + to_method: + description: HttpMethod represents HTTP request + method + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + - HEAD + - CONNECT + - TRACE + type: string + required: + - method + - path + - to_method + type: object + type: array + size_limits: + items: + properties: + method: + description: HttpMethod represents HTTP request + method + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + - HEAD + - CONNECT + - TRACE + type: string + path: + type: string + size_limit: + format: int64 + type: integer + required: + - method + - path + - size_limit + type: object + type: array + track_endpoints: + items: + properties: + method: + description: HttpMethod represents HTTP request + method + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + - HEAD + - CONNECT + - TRACE + type: string + path: + type: string + required: + - method + - path + type: object + type: array + transform: + items: + properties: + method: + description: HttpMethod represents HTTP request + method + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + - HEAD + - CONNECT + - TRACE + type: string + path: + type: string + template_data: + properties: + enable_session: + type: boolean + input_type: + type: string + template_mode: + type: string + template_source: + type: string + required: + - enable_session + - input_type + - template_mode + - template_source + type: object + required: + - method + - path + - template_data + type: object + type: array + transform_headers: + items: + properties: + act_on: + type: boolean + add_headers: + additionalProperties: + type: string + type: object + delete_headers: + items: + type: string + type: array + method: + description: HttpMethod represents HTTP request + method + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + - HEAD + - CONNECT + - TRACE + type: string + path: + 
type: string + required: + - act_on + - add_headers + - delete_headers + - method + - path + type: object + type: array + transform_jq: + items: + properties: + filter: + type: string + method: + description: HttpMethod represents HTTP request + method + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + - HEAD + - CONNECT + - TRACE + type: string + path: + type: string + required: + - filter + - method + - path + type: object + type: array + transform_jq_response: + items: + properties: + filter: + type: string + method: + description: HttpMethod represents HTTP request + method + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + - HEAD + - CONNECT + - TRACE + type: string + path: + type: string + required: + - filter + - method + - path + type: object + type: array + transform_response: + items: + properties: + method: + description: HttpMethod represents HTTP request + method + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + - HEAD + - CONNECT + - TRACE + type: string + path: + type: string + template_data: + properties: + enable_session: + type: boolean + input_type: + type: string + template_mode: + type: string + template_source: + type: string + required: + - enable_session + - input_type + - template_mode + - template_source + type: object + required: + - method + - path + - template_data + type: object + type: array + transform_response_headers: + items: + properties: + act_on: + type: boolean + add_headers: + additionalProperties: + type: string + type: object + delete_headers: + items: + type: string + type: array + method: + description: HttpMethod represents HTTP request + method + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + - HEAD + - CONNECT + - TRACE + type: string + path: + type: string + required: + - act_on + - add_headers + - delete_headers + - method + - path + type: object + type: array + url_rewrites: + items: + properties: + match_pattern: + description: MatchPattern is a 
regular expression + pattern to match the path + type: string + method: + description: HttpMethod represents HTTP request + method + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + - HEAD + - CONNECT + - TRACE + type: string + path: + description: Path represents the endpoint listen + path + type: string + rewrite_to: + description: RewriteTo is the target path on the + upstream, or target URL we wish to rewrite to + type: string + rewrite_to_internal: + description: |- + RewriteToInternal serves as rewrite_to but used when rewriting to target + internal api's + When rewrite_to and rewrite_to_internal are both provided then + rewrite_to will take rewrite_to_internal + properties: + path: + description: "Path path on target , this does + not include query parameters.\n\texample + /myendpoint" + type: string + query: + description: "Query url query string to add + to target\n\texample check_limits=true" + type: string + target: + description: |- + API a namespaced/name to the api definition resource that you are + targetting + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. 
+ type: string + required: + - name + type: object + type: object + triggers: + items: + properties: + "on": + type: string + options: + properties: + header_matches: + additionalProperties: + properties: + match_rx: + type: string + reverse: + type: boolean + required: + - match_rx + type: object + type: object + path_part_matches: + additionalProperties: + properties: + match_rx: + type: string + reverse: + type: boolean + required: + - match_rx + type: object + type: object + payload_matches: + properties: + match_rx: + type: string + reverse: + type: boolean + required: + - match_rx + type: object + query_val_matches: + additionalProperties: + properties: + match_rx: + type: string + reverse: + type: boolean + required: + - match_rx + type: object + type: object + request_context_matches: + additionalProperties: + properties: + match_rx: + type: string + reverse: + type: boolean + required: + - match_rx + type: object + type: object + session_meta_matches: + additionalProperties: + properties: + match_rx: + type: string + reverse: + type: boolean + required: + - match_rx + type: object + type: object + type: object + rewrite_to: + type: string + rewrite_to_internal: + description: |- + RewriteToInternal defines options that constructs a url that refers to an api that + is loaded into the gateway. + properties: + path: + description: "Path path on target , + this does not include query parameters.\n\texample + /myendpoint" + type: string + query: + description: "Query url query string + to add to target\n\texample check_limits=true" + type: string + target: + description: |- + API a namespaced/name to the api definition resource that you are + targetting + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. 
+ type: string + required: + - name + type: object + type: object + required: + - "on" + - options + type: object + type: array + required: + - match_pattern + - method + - path + type: object + type: array + validate_json: + items: + properties: + disabled: + type: boolean + error_response_code: + description: Allows override of default 422 Unprocessable + Entity response code for validation errors. + type: integer + method: + description: HttpMethod represents HTTP request + method + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + - HEAD + - CONNECT + - TRACE + type: string + path: + type: string + schema: + description: |- + Schema represents schema field that verifies user requests against a specified + JSON schema and check that the data sent to your API by a consumer is in the right format. + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - error_response_code + - method + - path + - schema + type: object + type: array + virtual: + items: + properties: + function_source_type: + type: string + function_source_uri: + type: string + method: + description: HttpMethod represents HTTP request + method + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + - HEAD + - CONNECT + - TRACE + type: string + path: + type: string + proxy_on_error: + type: boolean + response_function_name: + type: string + use_session: + type: boolean + required: + - function_source_type + - function_source_uri + - method + - path + - proxy_on_error + - response_function_name + - use_session + type: object + type: array + white_list: + items: + properties: + ignore_case: + type: boolean + method_actions: + additionalProperties: + properties: + action: + type: string + code: + type: integer + data: + type: string + headers: + additionalProperties: + type: string + type: object + required: + - action + - code + - data + - headers + type: object + type: object + path: + type: string + required: + - ignore_case + - method_actions + - path + 
type: object + type: array + type: object + global_headers: + additionalProperties: + type: string + type: object + global_headers_remove: + items: + type: string + type: array + global_response_headers: + additionalProperties: + type: string + type: object + global_response_headers_remove: + items: + type: string + type: array + global_size_limit: + format: int64 + type: integer + ignore_endpoint_case: + type: boolean + name: + type: string + override_target: + type: string + paths: + properties: + black_list: + items: + type: string + type: array + ignored: + items: + type: string + type: array + white_list: + items: + type: string + type: array + type: object + use_extended_paths: + type: boolean + required: + - name + type: object + type: object + required: + - default_version + - not_versioned + type: object + required: + - name + - protocol + - proxy + type: object + status: + description: ApiDefinitionStatus defines the observed state of ApiDefinition + properties: + api_id: + type: string + ingressTemplate: + description: IngressTemplate shows whether this CR is used as Ingress + Template or not. + type: boolean + latestCRDSpecHash: + description: |- + LatestCRDSpecHash stores the hash of ApiDefinition CRD created on K8s. This information is updated after + creating or updating the ApiDefinition. It is useful for Operator to understand running update + operation or not. If there is a change in latestCRDSpecHash as well as latestTykSpecHash, Operator + runs update logic and updates resources on Tyk Gateway or Tyk Dashboard. + type: string + latestTransaction: + description: LatestTransaction provides status information about the + last reconciliation. + properties: + error: + description: Error corresponds to the error happened on Tyk API + level, if any. + type: string + status: + description: Status corresponds to the status of the last transaction. + type: string + time: + description: Time corresponds to the time of last transaction. 
+ format: date-time + type: string + type: object + latestTykSpecHash: + description: |- + LatestTykSpecHash stores the hash of ApiDefinition created on Tyk. This information is updated after + creating or updating the ApiDefinition. It is useful for Operator to understand running update + operation or not. If there is a change in latestTykSpecHash as well as latestCRDSpecHash, Operator + runs update logic and updates resources on Tyk Gateway or Tyk Dashboard. + type: string + linked_by_apis: + description: |- + LinkedByAPIs is a list of ApiDefinition namespaced/name that links to this + resource + items: + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. + type: string + required: + - name + type: object + type: array + linked_by_policies: + description: LinkedByPolicies is a list policies that references this + api definition + items: + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. + type: string + required: + - name + type: object + type: array + linked_to_apis: + description: |- + LinkedToAPIs is a list of ApiDefinition namespaced/name that this resource + links to. + items: + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. + type: string + required: + - name + type: object + type: array + linked_to_subgraph: + description: |- + LinkedToSubgraph corresponds to the name of the Subgraph CR if the ApiDefinition is GraphQL Federation Subgraph. 
+ ApiDefinition CR can only be linked to Subgraph CRs that are created in the same namespace as ApiDefinition CR. + type: string + orgId: + description: OrgID corresponds to the Organization ID that this API + belongs to. + type: string + required: + - api_id + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: apidescriptions.tyk.tyk.io +spec: + group: tyk.tyk.io + names: + categories: + - tyk + kind: APIDescription + listKind: APIDescriptionList + plural: apidescriptions + singular: apidescription + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: APIDescription is the Schema for the apidescriptions API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: APIDescriptionSpec defines the desired state of APIDescription + properties: + auth_type: + description: AuthType displays as a badge next to the name of the + API + enum: + - keyless + - jwt + - oauth + - authToken + type: string + config: + description: |- + Config allows you to optionally override various fields in the PortalConfig. 
+ TODO: This is an advanced capability which has not been fully tested with Tyk Operator as yet. + properties: + catalogue_login_only: + description: CatalogueLoginOnly limits access to catalogues for + login users only. + type: boolean + dcr_options: + description: DCROptions dynamic client registration options. + properties: + access_token: + description: AccessToken represents an optional bearer token + to authenticate with against the registration endpoint + type: string + grant_types: + description: |- + GrantTypes is an array of OAuth 2.0 grant type strings that the client can use at + the token endpoint. + items: + enum: + - client_credentials + - authorization_code + - refresh_token + type: string + type: array + idp_host: + description: |- + IDPHost is the fully qualified hostname of the Identity Provider. + e.g. https://mysubdomain.eu.auth0.com + type: string + provider: + description: |- + Provider is an optional enum of the provider which allows Tyk to register clients outside the standard DCR spec + and perform provider specific logic. + If your provider is not in this list, please omit. Upon failure, submit a support ticket so that we may extend + support for your provider. + enum: + - gluu + - keycloak + - okta + type: string + registration_endpoint: + description: RegistrationEndpoint is the registration_endpoint + as presented in the /.well-known/openid-configuration document. + type: string + response_types: + description: |- + ResponseTypes is an array of OAuth 2.0 response type strings that the client can + use at the authorization endpoint. + items: + enum: + - code + - token + type: string + type: array + token_endpoint_auth_method: + description: |- + TokenEndpointAuthMethod is an indicator of the requested authentication method for the token endpoint. + "none": The client is a public client and does not have a client secret. 
+ "client_secret_post": The client uses the HTTP POST parameters + "client_secret_basic": The client uses HTTP Basic authentication + enum: + - client_secret_basic + - client_secret_post + - client_secret_jwt + - private_key_jwt + - none + type: string + required: + - grant_types + - idp_host + - registration_endpoint + - token_endpoint_auth_method + type: object + disable_auto_login: + type: boolean + disable_login: + description: |- + DisableLogin disables login on developer portal.If you do not want + developers to be able to login, set this value to true. You can use this + configuration option in the portal templates to display or hide the login + form as well as disabling the actual login method. + type: boolean + disable_signup: + description: |- + DisableSignup stop developer sign-up to the portal.This will stop developers + from being able to signup, they will need to be created manually, or + assigned keys via the key management API. + type: boolean + email: + type: string + enable_dcr: + description: EnableDCR activates dynamic client registration. + type: boolean + enable_multi_selection: + description: |- + EnableMultiSelection enables subscribing to multiple APIs with single + key.User will be able subscript any combination of exposed catalogues of the + same authentication type + type: boolean + id: + description: Set by the server. DO NOT set this field it is read + only. 
+ type: string + key_request_fields: + description: KeyRequestFields is a slice of fields which are asked + of the portal developer when requesting an api key + items: + type: string + type: array + mail_options: + properties: + email_copy: + properties: + key_email: + properties: + body: + type: string + enabled: + type: boolean + hide_token_data: + type: boolean + sign_off: + type: string + subject: + type: string + required: + - body + - enabled + - hide_token_data + - sign_off + - subject + type: object + reset_password_email: + properties: + body: + type: string + enabled: + type: boolean + hide_token_data: + type: boolean + sign_off: + type: string + subject: + type: string + required: + - body + - enabled + - hide_token_data + - sign_off + - subject + type: object + welcome_email: + properties: + body: + type: string + enabled: + type: boolean + hide_token_data: + type: boolean + sign_off: + type: string + subject: + type: string + required: + - body + - enabled + - hide_token_data + - sign_off + - subject + type: object + required: + - key_email + - reset_password_email + - welcome_email + type: object + mail_from_email: + type: string + mail_from_name: + type: string + required: + - email_copy + - mail_from_email + - mail_from_name + type: object + oauth_usage_limit: + description: OAuthUsageLimit is the maximum permitted number of + OAuth clients + type: integer + org_id: + description: OrgID is the organization ID + type: string + override: + description: |- + Override overides global settings. These Catalogue settings are currently + being overwritten by the Global Catalogue settings. Toggle the checkbox + below to override them for this Catalogue. + type: boolean + redirect_on_key_request: + description: |- + RedirectOnKeyRequest redirects key requests. 
WHen set to true it will + redirect key requests to the url specified in RedirectTo field + type: boolean + redirect_to: + description: RedirectTo is a url used to redirect key requests + type: string + require_key_approval: + description: |- + RequireKeyApproval requires reviewing of all key requests before approving + them. By default developers will auto-enroll into an API and be given an API + key. If you wish to review key requests before giving developers access to + the API, enable this option and you will manually need to approve them in + the 'Key requests' section of the dashboard. + type: boolean + secure_key_approval: + description: |- + SecureKeyApproval enables Secure key approval.By default, API keys when + approved are sent in an email to the Developer. By enabling this option, the + Developer will instead receive a link where they can go to generate the API + key securely + type: boolean + signup_fields: + description: SignUpFields is a slice of fields which are asked + of the portal developer when they register for an account + items: + type: string + type: array + type: object + contextRef: + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. + type: string + required: + - name + type: object + docs: + properties: + doc_type: + enum: + - swagger + - swagger_custom_url + - graphql + type: string + documentation: + type: string + required: + - doc_type + type: object + documentation: + description: Do not set Documentation. Use `docs` instead. + type: string + fields: + additionalProperties: + type: string + description: |- + Fields is a generic map of key:value pairs. + You may wish to use this to tag a catalogue as type:internal or type:public + Then apply logic at the template layer to dynamically display catalogue apis to different user types. 
+ type: object + is_keyless: + description: IsKeyless toggles visibility of the `Request an API Key + button`. Use this when AuthType is keyless, jwt or oauth. + type: boolean + long_description: + description: |- + LongDescription can be markdown. It allows you to describe the capabilities of the API and is displayed just + below the name and AuthType in the catalogue listing page. + type: string + name: + description: Name is the title of the API that you wish to be published + to the catalogue + type: string + policy_id: + description: |- + PolicyID explicitly sets the policy_id to be published. We do not recommend that this value is set directly. + Rather, use `policyRef` instead. + type: string + policyRef: + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. + type: string + required: + - name + type: object + short_description: + description: 'TODO: I don''t think this is exposed to the default + portal templates.' 
+ type: string + show: + description: Show toggles visibility of the API in the portal catalogue + type: boolean + version: + default: v2 + description: Version should always be v2 + enum: + - v2 + type: string + type: object + status: + description: APIDescriptionStatus defines the observed state of APIDescription + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: operatorcontexts.tyk.tyk.io +spec: + group: tyk.tyk.io + names: + categories: + - tyk + kind: OperatorContext + listKind: OperatorContextList + plural: operatorcontexts + singular: operatorcontext + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: OperatorContext is the Schema for the operatorcontexts API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: OperatorContextSpec defines the desired state of OperatorContext + properties: + env: + description: |- + Env is the values of the admin api endpoint that the operator will use to + reconcile resources + properties: + auth: + type: string + ingress: + properties: + httpPort: + type: integer + httpsPort: + type: integer + type: object + insecureSkipVerify: + type: boolean + mode: + description: |- + OperatorContextMode is the mode to which the admin api binding is done values are + ce for community edition and pro for dashboard + enum: + - ce + - pro + type: string + org: + type: string + url: + type: string + user_group_owners: + items: + type: string + type: array + user_owners: + items: + type: string + type: array + type: object + secretRef: + description: Reference to k8s secret resource that we load environment + from. + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. + type: string + required: + - name + type: object + type: object + status: + description: OperatorContextStatus defines the observed state of OperatorContext + properties: + linked_api_definitions: + items: + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. + type: string + required: + - name + type: object + type: array + linked_api_descriptions: + items: + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. 
When omitted this will be + set to the namespace of the object that is being reconciled. + type: string + required: + - name + type: object + type: array + linked_portal_catalogues: + items: + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. + type: string + required: + - name + type: object + type: array + linked_portal_configs: + items: + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. + type: string + required: + - name + type: object + type: array + linked_security_policies: + items: + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. + type: string + required: + - name + type: object + type: array + linked_tyk_oas_api_definition: + items: + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. 
+ type: string + required: + - name + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: portalapicatalogues.tyk.tyk.io +spec: + group: tyk.tyk.io + names: + categories: + - tyk + kind: PortalAPICatalogue + listKind: PortalAPICatalogueList + plural: portalapicatalogues + shortNames: + - tykcatalogues + singular: portalapicatalogue + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.id + name: ID + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: PortalAPICatalogue is the Schema for the portalapicatalogues + API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: PortalAPICatalogueSpec defines the desired state of PortalAPICatalogue + properties: + apis: + description: APIDescriptionList is a list of PortalCatalogueDescription + published on this PortalAPICatalogue + items: + properties: + apiDescriptionRef: + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. 
When omitted this will be + set to the namespace of the object that is being reconciled. + type: string + required: + - name + type: object + auth_type: + description: AuthType displays as a badge next to the name of + the API + enum: + - keyless + - jwt + - oauth + - authToken + type: string + config: + description: |- + Config allows you to optionally override various fields in the PortalConfig. + TODO: This is an advanced capability which has not been fully tested with Tyk Operator as yet. + properties: + catalogue_login_only: + description: CatalogueLoginOnly limits access to catalogues + for login users only. + type: boolean + dcr_options: + description: DCROptions dynamic client registration options. + properties: + access_token: + description: AccessToken represents an optional bearer + token to authenticate with against the registration + endpoint + type: string + grant_types: + description: |- + GrantTypes is an array of OAuth 2.0 grant type strings that the client can use at + the token endpoint. + items: + enum: + - client_credentials + - authorization_code + - refresh_token + type: string + type: array + idp_host: + description: |- + IDPHost is the fully qualified hostname of the Identity Provider. + e.g. https://mysubdomain.eu.auth0.com + type: string + provider: + description: |- + Provider is an optional enum of the provider which allows Tyk to register clients outside the standard DCR spec + and perform provider specific logic. + If your provider is not in this list, please omit. Upon failure, submit a support ticket so that we may extend + support for your provider. + enum: + - gluu + - keycloak + - okta + type: string + registration_endpoint: + description: RegistrationEndpoint is the registration_endpoint + as presented in the /.well-known/openid-configuration + document. + type: string + response_types: + description: |- + ResponseTypes is an array of OAuth 2.0 response type strings that the client can + use at the authorization endpoint. 
+ items: + enum: + - code + - token + type: string + type: array + token_endpoint_auth_method: + description: |- + TokenEndpointAuthMethod is an indicator of the requested authentication method for the token endpoint. + "none": The client is a public client and does not have a client secret. + "client_secret_post": The client uses the HTTP POST parameters + "client_secret_basic": The client uses HTTP Basic authentication + enum: + - client_secret_basic + - client_secret_post + - client_secret_jwt + - private_key_jwt + - none + type: string + required: + - grant_types + - idp_host + - registration_endpoint + - token_endpoint_auth_method + type: object + disable_auto_login: + type: boolean + disable_login: + description: |- + DisableLogin disables login on developer portal.If you do not want + developers to be able to login, set this value to true. You can use this + configuration option in the portal templates to display or hide the login + form as well as disabling the actual login method. + type: boolean + disable_signup: + description: |- + DisableSignup stop developer sign-up to the portal.This will stop developers + from being able to signup, they will need to be created manually, or + assigned keys via the key management API. + type: boolean + email: + type: string + enable_dcr: + description: EnableDCR activates dynamic client registration. + type: boolean + enable_multi_selection: + description: |- + EnableMultiSelection enables subscribing to multiple APIs with single + key.User will be able subscript any combination of exposed catalogues of the + same authentication type + type: boolean + id: + description: Set by the server. DO NOT set this field it + is read only. 
+ type: string + key_request_fields: + description: KeyRequestFields is a slice of fields which + are asked of the portal developer when requesting an api + key + items: + type: string + type: array + mail_options: + properties: + email_copy: + properties: + key_email: + properties: + body: + type: string + enabled: + type: boolean + hide_token_data: + type: boolean + sign_off: + type: string + subject: + type: string + required: + - body + - enabled + - hide_token_data + - sign_off + - subject + type: object + reset_password_email: + properties: + body: + type: string + enabled: + type: boolean + hide_token_data: + type: boolean + sign_off: + type: string + subject: + type: string + required: + - body + - enabled + - hide_token_data + - sign_off + - subject + type: object + welcome_email: + properties: + body: + type: string + enabled: + type: boolean + hide_token_data: + type: boolean + sign_off: + type: string + subject: + type: string + required: + - body + - enabled + - hide_token_data + - sign_off + - subject + type: object + required: + - key_email + - reset_password_email + - welcome_email + type: object + mail_from_email: + type: string + mail_from_name: + type: string + required: + - email_copy + - mail_from_email + - mail_from_name + type: object + oauth_usage_limit: + description: OAuthUsageLimit is the maximum permitted number + of OAuth clients + type: integer + org_id: + description: OrgID is the organization ID + type: string + override: + description: |- + Override overides global settings. These Catalogue settings are currently + being overwritten by the Global Catalogue settings. Toggle the checkbox + below to override them for this Catalogue. + type: boolean + redirect_on_key_request: + description: |- + RedirectOnKeyRequest redirects key requests. 
WHen set to true it will + redirect key requests to the url specified in RedirectTo field + type: boolean + redirect_to: + description: RedirectTo is a url used to redirect key requests + type: string + require_key_approval: + description: |- + RequireKeyApproval requires reviewing of all key requests before approving + them. By default developers will auto-enroll into an API and be given an API + key. If you wish to review key requests before giving developers access to + the API, enable this option and you will manually need to approve them in + the 'Key requests' section of the dashboard. + type: boolean + secure_key_approval: + description: |- + SecureKeyApproval enables Secure key approval.By default, API keys when + approved are sent in an email to the Developer. By enabling this option, the + Developer will instead receive a link where they can go to generate the API + key securely + type: boolean + signup_fields: + description: SignUpFields is a slice of fields which are + asked of the portal developer when they register for an + account + items: + type: string + type: array + type: object + docs: + properties: + doc_type: + enum: + - swagger + - swagger_custom_url + - graphql + type: string + documentation: + type: string + required: + - doc_type + type: object + documentation: + description: Do not set Documentation. Use `docs` instead. + type: string + fields: + additionalProperties: + type: string + description: |- + Fields is a generic map of key:value pairs. + You may wish to use this to tag a catalogue as type:internal or type:public + Then apply logic at the template layer to dynamically display catalogue apis to different user types. + type: object + is_keyless: + description: IsKeyless toggles visibility of the `Request an + API Key button`. Use this when AuthType is keyless, jwt or + oauth. + type: boolean + long_description: + description: |- + LongDescription can be markdown. 
It allows you to describe the capabilities of the API and is displayed just + below the name and AuthType in the catalogue listing page. + type: string + name: + description: Name is the title of the API that you wish to be + published to the catalogue + type: string + policy_id: + description: |- + PolicyID explicitly sets the policy_id to be published. We do not recommend that this value is set directly. + Rather, use `policyRef` instead. + type: string + policyRef: + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. + type: string + required: + - name + type: object + short_description: + description: 'TODO: I don''t think this is exposed to the default + portal templates.' + type: string + show: + description: Show toggles visibility of the API in the portal + catalogue + type: boolean + version: + default: v2 + description: Version should always be v2 + enum: + - v2 + type: string + type: object + type: array + contextRef: + description: |- + Context is reference to OperatorContext resource. Set this if you want to + target a specific OperatorContext. When omitted default OperatorContext is + used. + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. 
+ type: string + required: + - name + type: object + email: + description: |- + Email is Catalogue owner email address.Catalogue owner will be notified at + this email address when an API subscription request is submitted or granted + type: string + org_id: + description: OrgID is the organization ID + type: string + type: object + status: + description: PortalAPICatalogueStatus defines the observed state of PortalAPICatalogue + properties: + id: + description: ID is the mongo ID of the PortalAPICatalogue object created + by the dashboard. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: portalconfigs.tyk.tyk.io +spec: + group: tyk.tyk.io + names: + categories: + - tyk + kind: PortalConfig + listKind: PortalConfigList + plural: portalconfigs + singular: portalconfig + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: PortalConfig is the Schema for the portalconfigs API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: PortalConfigSpec defines the desired state of PortalConfig + properties: + catalogue_login_only: + description: CatalogueLoginOnly limits access to catalogues for login + users only. + type: boolean + contextRef: + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. + type: string + required: + - name + type: object + dcr_options: + description: DCROptions dynamic client registration options. + properties: + access_token: + description: AccessToken represents an optional bearer token to + authenticate with against the registration endpoint + type: string + grant_types: + description: |- + GrantTypes is an array of OAuth 2.0 grant type strings that the client can use at + the token endpoint. + items: + enum: + - client_credentials + - authorization_code + - refresh_token + type: string + type: array + idp_host: + description: |- + IDPHost is the fully qualified hostname of the Identity Provider. + e.g. https://mysubdomain.eu.auth0.com + type: string + provider: + description: |- + Provider is an optional enum of the provider which allows Tyk to register clients outside the standard DCR spec + and perform provider specific logic. + If your provider is not in this list, please omit. Upon failure, submit a support ticket so that we may extend + support for your provider. + enum: + - gluu + - keycloak + - okta + type: string + registration_endpoint: + description: RegistrationEndpoint is the registration_endpoint + as presented in the /.well-known/openid-configuration document. 
+ type: string + response_types: + description: |- + ResponseTypes is an array of OAuth 2.0 response type strings that the client can + use at the authorization endpoint. + items: + enum: + - code + - token + type: string + type: array + token_endpoint_auth_method: + description: |- + TokenEndpointAuthMethod is an indicator of the requested authentication method for the token endpoint. + "none": The client is a public client and does not have a client secret. + "client_secret_post": The client uses the HTTP POST parameters + "client_secret_basic": The client uses HTTP Basic authentication + enum: + - client_secret_basic + - client_secret_post + - client_secret_jwt + - private_key_jwt + - none + type: string + required: + - grant_types + - idp_host + - registration_endpoint + - token_endpoint_auth_method + type: object + disable_auto_login: + type: boolean + disable_login: + description: |- + DisableLogin disables login on developer portal.If you do not want + developers to be able to login, set this value to true. You can use this + configuration option in the portal templates to display or hide the login + form as well as disabling the actual login method. + type: boolean + disable_signup: + description: |- + DisableSignup stop developer sign-up to the portal.This will stop developers + from being able to signup, they will need to be created manually, or + assigned keys via the key management API. + type: boolean + email: + type: string + enable_dcr: + description: EnableDCR activates dynamic client registration. + type: boolean + enable_multi_selection: + description: |- + EnableMultiSelection enables subscribing to multiple APIs with single + key.User will be able subscript any combination of exposed catalogues of the + same authentication type + type: boolean + id: + description: Set by the server. DO NOT set this field it is read only. 
+ type: string + key_request_fields: + description: KeyRequestFields is a slice of fields which are asked + of the portal developer when requesting an api key + items: + type: string + type: array + mail_options: + properties: + email_copy: + properties: + key_email: + properties: + body: + type: string + enabled: + type: boolean + hide_token_data: + type: boolean + sign_off: + type: string + subject: + type: string + required: + - body + - enabled + - hide_token_data + - sign_off + - subject + type: object + reset_password_email: + properties: + body: + type: string + enabled: + type: boolean + hide_token_data: + type: boolean + sign_off: + type: string + subject: + type: string + required: + - body + - enabled + - hide_token_data + - sign_off + - subject + type: object + welcome_email: + properties: + body: + type: string + enabled: + type: boolean + hide_token_data: + type: boolean + sign_off: + type: string + subject: + type: string + required: + - body + - enabled + - hide_token_data + - sign_off + - subject + type: object + required: + - key_email + - reset_password_email + - welcome_email + type: object + mail_from_email: + type: string + mail_from_name: + type: string + required: + - email_copy + - mail_from_email + - mail_from_name + type: object + oauth_usage_limit: + description: OAuthUsageLimit is the maximum permitted number of OAuth + clients + type: integer + org_id: + description: OrgID is the organization ID + type: string + override: + description: |- + Override overides global settings. These Catalogue settings are currently + being overwritten by the Global Catalogue settings. Toggle the checkbox + below to override them for this Catalogue. + type: boolean + redirect_on_key_request: + description: |- + RedirectOnKeyRequest redirects key requests. 
WHen set to true it will + redirect key requests to the url specified in RedirectTo field + type: boolean + redirect_to: + description: RedirectTo is a url used to redirect key requests + type: string + require_key_approval: + description: |- + RequireKeyApproval requires reviewing of all key requests before approving + them. By default developers will auto-enroll into an API and be given an API + key. If you wish to review key requests before giving developers access to + the API, enable this option and you will manually need to approve them in + the 'Key requests' section of the dashboard. + type: boolean + secure_key_approval: + description: |- + SecureKeyApproval enables Secure key approval.By default, API keys when + approved are sent in an email to the Developer. By enabling this option, the + Developer will instead receive a link where they can go to generate the API + key securely + type: boolean + signup_fields: + description: SignUpFields is a slice of fields which are asked of + the portal developer when they register for an account + items: + type: string + type: array + type: object + status: + description: PortalConfigStatus defines the observed state of PortalConfig + properties: + id: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + controller-gen.kubebuilder.io/version: v0.14.0 + name: securitypolicies.tyk.tyk.io +spec: + group: tyk.tyk.io + names: + categories: + - tyk + kind: SecurityPolicy + listKind: SecurityPolicyList + plural: securitypolicies + shortNames: + - tykpolicies + singular: securitypolicy + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: SecurityPolicy is the Schema for the securitypolicies API + properties: + apiVersion: + description: |- + APIVersion 
defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: SecurityPolicySpec defines the desired state of SecurityPolicy + properties: + _id: + description: |- + MID ("_id") is generated by Tyk once the resource is created. + Do NOT fill this in. + type: string + access_rights: + additionalProperties: + description: AccessDefinition defines which versions of an API a + key has access to + properties: + allowance_scope: + type: string + allowed_types: + description: |- + Field access of GraphQL APIs can be restricted by setting up an allowed types list in a policy + or directly on a key. + items: + description: GraphQLType represents a GraphQL Type for Tyk. 
+ properties: + fields: + items: + type: string + type: array + name: + type: string + required: + - fields + - name + type: object + type: array + allowed_urls: + items: + description: AccessSpec defines what URLS a user has access + to and what methods are enabled + properties: + methods: + items: + type: string + type: array + url: + type: string + required: + - methods + - url + type: object + type: array + api_id: + description: 'TODO: APIID should not really be needed, as is + auto-set from the APIDefinition Resource' + type: string + api_name: + description: 'TODO: APIName should not really be needed, as + is auto-set from the APIDefinition Resource' + type: string + disable_introspection: + description: DisableIntrospection disables GraphQL introspection + if it is set to True. + type: boolean + endpoints: + description: Endpoints is a collection of Endpoint. + items: + description: Endpoint holds the configuration for endpoint + rate limiting. + properties: + methods: + description: EndpointMethods is a collection of EndpointMethod. + items: + description: EndpointMethod holds the configuration + on endpoint method level. + properties: + limit: + description: RateLimit holds rate limit configuration. + properties: + per: + description: Per is the interval at which rate + limit is enforced. + pattern: ^(?:[-+]?(?:[0-9]+))?(?:\\.[0-9]*)?(?:[eE][\\+\\-]?(?:[0-9]+))?$ + type: string + rate: + description: Rate is the allowed number of requests + per interval. + pattern: ^(?:[-+]?(?:[0-9]+))?(?:\\.[0-9]*)?(?:[eE][\\+\\-]?(?:[0-9]+))?$ + type: string + smoothing: + description: Smoothing contains rate limit smoothing + settings. + properties: + delay: + description: Delay is the minimum time between + rate limit changes (in seconds). + format: int64 + type: integer + enabled: + description: Enabled indicates if rate limit + smoothing is active. + type: boolean + step: + description: Step is the increment/decrement + for adjusting the rate limit. 
+ format: int64 + type: integer + threshold: + description: Threshold is the request rate + above which smoothing is applied. + format: int64 + type: integer + trigger: + description: Trigger is the step factor + determining when smoothing events trigger. + pattern: ^(?:[-+]?(?:[0-9]+))?(?:\\.[0-9]*)?(?:[eE][\\+\\-]?(?:[0-9]+))?$ + type: string + required: + - enabled + type: object + required: + - per + - rate + type: object + name: + type: string + type: object + type: array + path: + type: string + type: object + type: array + field_access_rights: + description: FieldAccessRights is array of depth limit settings + per GraphQL APIs. + items: + description: FieldAccessDefinition represent a struct for + depth limit settings per API. + properties: + field_name: + description: FieldName represents the name of the Query + or Mutation which the limit applies to. + type: string + limits: + description: Limit specifies the numerical value of the + limit. + properties: + max_query_depth: + description: MaxQueryDepth represents the numerical + value of the limit. + format: int64 + type: integer + required: + - max_query_depth + type: object + type_name: + description: |- + TypeName points to a type on which depth limit is set. + It can be either Query (most common case) or Mutation + type: string + type: object + type: array + kind: + default: ApiDefinition + description: |- + Kind represents the kind of the linked API Definition resource. + It can be either "ApiDefinition" or "TykOasApiDefinition" (case sensitive way). + By default, Kind is set to "ApiDefinition". 
+ enum: + - ApiDefinition + - TykOasApiDefinition + type: string + limit: + description: APILimit stores quota and rate limit on ACL level + (per API) + properties: + max_query_depth: + type: integer + per: + format: int64 + type: integer + quota_max: + format: int64 + type: integer + quota_renewal_rate: + format: int64 + type: integer + rate: + format: int64 + type: integer + smoothing: + description: Smoothing contains rate limit smoothing settings. + properties: + delay: + description: Delay is the minimum time between rate + limit changes (in seconds). + format: int64 + type: integer + enabled: + description: Enabled indicates if rate limit smoothing + is active. + type: boolean + step: + description: Step is the increment/decrement for adjusting + the rate limit. + format: int64 + type: integer + threshold: + description: Threshold is the request rate above which + smoothing is applied. + format: int64 + type: integer + trigger: + description: Trigger is the step factor determining + when smoothing events trigger. + pattern: ^(?:[-+]?(?:[0-9]+))?(?:\\.[0-9]*)?(?:[eE][\\+\\-]?(?:[0-9]+))?$ + type: string + required: + - enabled + type: object + throttle_interval: + format: int64 + type: integer + throttle_retry_limit: + type: integer + required: + - per + - quota_max + - quota_renewal_rate + - rate + - throttle_interval + - throttle_retry_limit + type: object + name: + description: Name of the ApiDefinition resource to target + type: string + namespace: + description: Namespace of the ApiDefinition resource to target + type: string + restricted_types: + description: |- + Field access of GraphQL APIs can be restricted by setting up an allowed types list in a policy + or directly on a key. + items: + description: GraphQLType represents a GraphQL Type for Tyk. 
+ properties: + fields: + items: + type: string + type: array + name: + type: string + required: + - fields + - name + type: object + type: array + versions: + items: + type: string + type: array + required: + - name + - namespace + type: object + type: object + access_rights_array: + items: + description: AccessDefinition defines which versions of an API a + key has access to + properties: + allowance_scope: + type: string + allowed_types: + description: |- + Field access of GraphQL APIs can be restricted by setting up an allowed types list in a policy + or directly on a key. + items: + description: GraphQLType represents a GraphQL Type for Tyk. + properties: + fields: + items: + type: string + type: array + name: + type: string + required: + - fields + - name + type: object + type: array + allowed_urls: + items: + description: AccessSpec defines what URLS a user has access + to and what methods are enabled + properties: + methods: + items: + type: string + type: array + url: + type: string + required: + - methods + - url + type: object + type: array + api_id: + description: 'TODO: APIID should not really be needed, as is + auto-set from the APIDefinition Resource' + type: string + api_name: + description: 'TODO: APIName should not really be needed, as + is auto-set from the APIDefinition Resource' + type: string + disable_introspection: + description: DisableIntrospection disables GraphQL introspection + if it is set to True. + type: boolean + endpoints: + description: Endpoints is a collection of Endpoint. + items: + description: Endpoint holds the configuration for endpoint + rate limiting. + properties: + methods: + description: EndpointMethods is a collection of EndpointMethod. + items: + description: EndpointMethod holds the configuration + on endpoint method level. + properties: + limit: + description: RateLimit holds rate limit configuration. + properties: + per: + description: Per is the interval at which rate + limit is enforced. 
+ pattern: ^(?:[-+]?(?:[0-9]+))?(?:\\.[0-9]*)?(?:[eE][\\+\\-]?(?:[0-9]+))?$ + type: string + rate: + description: Rate is the allowed number of requests + per interval. + pattern: ^(?:[-+]?(?:[0-9]+))?(?:\\.[0-9]*)?(?:[eE][\\+\\-]?(?:[0-9]+))?$ + type: string + smoothing: + description: Smoothing contains rate limit smoothing + settings. + properties: + delay: + description: Delay is the minimum time between + rate limit changes (in seconds). + format: int64 + type: integer + enabled: + description: Enabled indicates if rate limit + smoothing is active. + type: boolean + step: + description: Step is the increment/decrement + for adjusting the rate limit. + format: int64 + type: integer + threshold: + description: Threshold is the request rate + above which smoothing is applied. + format: int64 + type: integer + trigger: + description: Trigger is the step factor + determining when smoothing events trigger. + pattern: ^(?:[-+]?(?:[0-9]+))?(?:\\.[0-9]*)?(?:[eE][\\+\\-]?(?:[0-9]+))?$ + type: string + required: + - enabled + type: object + required: + - per + - rate + type: object + name: + type: string + type: object + type: array + path: + type: string + type: object + type: array + field_access_rights: + description: FieldAccessRights is array of depth limit settings + per GraphQL APIs. + items: + description: FieldAccessDefinition represent a struct for + depth limit settings per API. + properties: + field_name: + description: FieldName represents the name of the Query + or Mutation which the limit applies to. + type: string + limits: + description: Limit specifies the numerical value of the + limit. + properties: + max_query_depth: + description: MaxQueryDepth represents the numerical + value of the limit. + format: int64 + type: integer + required: + - max_query_depth + type: object + type_name: + description: |- + TypeName points to a type on which depth limit is set. 
+ It can be either Query (most common case) or Mutation + type: string + type: object + type: array + kind: + default: ApiDefinition + description: |- + Kind represents the kind of the linked API Definition resource. + It can be either "ApiDefinition" or "TykOasApiDefinition" (case sensitive way). + By default, Kind is set to "ApiDefinition". + enum: + - ApiDefinition + - TykOasApiDefinition + type: string + limit: + description: APILimit stores quota and rate limit on ACL level + (per API) + properties: + max_query_depth: + type: integer + per: + format: int64 + type: integer + quota_max: + format: int64 + type: integer + quota_renewal_rate: + format: int64 + type: integer + rate: + format: int64 + type: integer + smoothing: + description: Smoothing contains rate limit smoothing settings. + properties: + delay: + description: Delay is the minimum time between rate + limit changes (in seconds). + format: int64 + type: integer + enabled: + description: Enabled indicates if rate limit smoothing + is active. + type: boolean + step: + description: Step is the increment/decrement for adjusting + the rate limit. + format: int64 + type: integer + threshold: + description: Threshold is the request rate above which + smoothing is applied. + format: int64 + type: integer + trigger: + description: Trigger is the step factor determining + when smoothing events trigger. 
+ pattern: ^(?:[-+]?(?:[0-9]+))?(?:\\.[0-9]*)?(?:[eE][\\+\\-]?(?:[0-9]+))?$ + type: string + required: + - enabled + type: object + throttle_interval: + format: int64 + type: integer + throttle_retry_limit: + type: integer + required: + - per + - quota_max + - quota_renewal_rate + - rate + - throttle_interval + - throttle_retry_limit + type: object + name: + description: Name of the ApiDefinition resource to target + type: string + namespace: + description: Namespace of the ApiDefinition resource to target + type: string + restricted_types: + description: |- + Field access of GraphQL APIs can be restricted by setting up an allowed types list in a policy + or directly on a key. + items: + description: GraphQLType represents a GraphQL Type for Tyk. + properties: + fields: + items: + type: string + type: array + name: + type: string + required: + - fields + - name + type: object + type: array + versions: + items: + type: string + type: array + required: + - name + - namespace + type: object + type: array + active: + description: Active must be set to `true` for Tyk to load the security + policy into memory. + type: boolean + contextRef: + description: |- + Context specify namespace/name of the OperatorContext object used for + reconciling this APIDefinition + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. + type: string + required: + - name + type: object + enable_http_signature_validation: + type: boolean + hmac_enabled: + type: boolean + id: + description: |- + If you are linking an existing Policy ID to a new YAML CRD, then + fill in this ID field with the "_id" field. + See policies.md readme for more info + type: string + is_inactive: + description: IsInactive applies to the key itself. Allows enabling + or disabling the policy without deleting it. 
+ type: boolean + key_expires_in: + description: KeyExpiresIn is the number of seconds till key expiry. + For 1 hour is 3600. Default never expire or 0 + format: int64 + type: integer + max_query_depth: + description: Max depth of a GraphQL query + type: integer + meta_data: + additionalProperties: + type: string + description: LastUpdated string `json:"last_updated"` + type: object + name: + description: Name represents the name of the security policy as displayed + in the Dashboard + type: string + org_id: + description: OrgID is overwritten - no point setting this + type: string + partitions: + properties: + acl: + type: boolean + complexity: + type: boolean + per_api: + type: boolean + quota: + type: boolean + rate_limit: + type: boolean + type: object + per: + description: |- + To be used in conjunction with "Rate". Per seconds. 1 minute=60. 1 hour=3600 + omit or "-1" for unlimited + format: int64 + type: integer + quota_max: + description: Value of Quota allowed, omit or "-1" for unlimited + format: int64 + type: integer + quota_renewal_rate: + description: Value reset length, in seconds, omit or "-1" for unlimited + format: int64 + type: integer + rate: + description: Rate limit per X seconds (x="Per"), omit or "-1" for + unlimited + format: int64 + type: integer + state: + description: |- + State can be active, draft or deny + active: All keys are active and new keys can be created. + draft: All keys are active but no new keys can be created. + deny: All keys are deactivated and no keys can be created. + enum: + - active + - draft + - deny + type: string + tags: + description: Custom tags to apply to the key, get transfered to the + analytics + items: + type: string + type: array + throttle_interval: + description: If rate limited, how many seconds to retry a request + for. omit or "-1" for unlimited + format: int64 + type: integer + throttle_retry_limit: + description: Number of retries before returning error. 
omit or "-1" + for unlimited + type: integer + required: + - active + - name + - state + type: object + status: + description: SecurityPolicyStatus defines the observed state of SecurityPolicy + properties: + latestCRDSpecHash: + type: string + latestTykSpecHash: + type: string + linked_apis: + items: + properties: + kind: + description: |- + LinkedApiKind represents the Kubernetes kind of the API Definition resource that + is being target by current resource. + enum: + - ApiDefinition + - TykOasApiDefinition + type: string + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. + type: string + required: + - name + type: object + type: array + pol_id: + type: string + required: + - pol_id + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: subgraphs.tyk.tyk.io +spec: + group: tyk.tyk.io + names: + categories: + - tyk + kind: SubGraph + listKind: SubGraphList + plural: subgraphs + singular: subgraph + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: SubGraph is the Schema for the subgraphs API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: SubGraphSpec defines the desired state of SubGraph + properties: + schema: + type: string + sdl: + type: string + required: + - schema + - sdl + type: object + status: + description: SubGraphStatus defines the observed state of SubGraph + properties: + linked_by_api: + description: |- + LinkedByAPI specifies the ID of the ApiDefinition CR that is linked to this particular SubGraph CR. + Please note that SubGraph CR can only be linked to one ApiDefinition CR that is created in the same + namespace as SubGraph CR. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: supergraphs.tyk.tyk.io +spec: + group: tyk.tyk.io + names: + categories: + - tyk + kind: SuperGraph + listKind: SuperGraphList + plural: supergraphs + singular: supergraph + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: SuperGraph is the Schema for the supergraphs API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: SuperGraphSpec defines the desired state of SuperGraph + properties: + merged_sdl: + type: string + schema: + type: string + subgraph_refs: + items: + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. + type: string + required: + - name + type: object + type: array + required: + - subgraph_refs + type: object + status: + description: SuperGraphStatus defines the observed state of SuperGraph + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: tykoasapidefinitions.tyk.tyk.io +spec: + group: tyk.tyk.io + names: + categories: + - tyk + kind: TykOasApiDefinition + listKind: TykOasApiDefinitionList + plural: tykoasapidefinitions + shortNames: + - tykoas + singular: tykoasapidefinition + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.domain.name + name: Domain + type: string + - jsonPath: .status.listenPath + name: ListenPath + type: string + - jsonPath: .status.targetURL + name: Proxy.TargetURL + type: string + - jsonPath: .status.enabled + name: Enabled + type: boolean + - jsonPath: .status.latestTransaction.status + name: SyncStatus + type: string + - jsonPath: .status.ingressTemplate + name: IngressTemplate + type: boolean + - jsonPath: .spec.categories + name: Categories + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: TykOasApiDefinition is the Schema for the tykoasapidefinitions + API + properties: + apiVersion: + description: |- + APIVersion defines the 
versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: TykOasApiDefinitionSpec defines the desired state of TykOasApiDefinition + properties: + categories: + description: |- + Categories serve as identifiers for the API definitions, + subsequently enabling the filtering of API listings based on these categories. + items: + type: string + type: array + certificatePinning: + description: |- + CertificatePinning contains the configuration related to certificate pinning. + It is possible to set Kubernetes secrets containing certificates. + + + It is used to set `upstream.certificatePinning` in Tyk OAS API Definition. + properties: + domainToPublicKeysMapping: + description: |- + DomainToPublicKeysMapping maintains the mapping of domain to pinned public keys. + + + Tyk classic API definition: `pinned_public_keys` + items: + description: PinnedPublicKey contains a mapping from the domain + name into a list of public keys. + properties: + domain: + description: Domain contains the domain name. + type: string + publicKeyRefs: + description: |- + PublicKeyRefs holds a list of Kubernetes secret names that reside in the same namespace + as current TykOasApiDefinition resource. The secret needs to be a type of TLS secret + where the pinned public key is stored in `tls.crt` field. + Each secret must contain a public key associated with the specified domain name. 
+ + + **NOTE** + If you want to continue using secrets that are already created on Tyk Dashboard, + specify their IDs in `publicKeys` field of TykOasApiDefinition CR. And then, + Tyk Operator will merge this array which is specified through `publicKeys` field + with new Tyk Secrets which will be created based on Kubernetes secrets + defined in `publicKeyRefs`. + items: + type: string + type: array + publicKeys: + description: |- + PublicKeys contains a list of the public keys IDs pinned to the domain name. + + + It only accepts Tyk IDs of the public keys. If you have Kubernetes secrets + containing public keys of the domain, please use `publicKeysRefs` field + instead of this one. As this one only works with already existing + public keys on Tyk Dashboard. + items: + type: string + type: array + required: + - domain + type: object + type: array + enabled: + description: |- + Enabled is a boolean flag, if set to `true`, it enables certificate pinning for the API. + + + Tyk classic API definition: `certificate_pinning_disabled` + type: boolean + required: + - enabled + type: object + clientCertificate: + description: |- + ClientCertificate is used to configure client certificates settings needed + for MTLS connection between Tyk and client. + It is used to set `server.clientCertificate` field of Tyk OAS API + properties: + allowlist: + description: Allowlist stores list of k8s secret names storing + client certificates + items: + type: string + type: array + enabled: + description: Enabled activates mTLS for the API. + type: boolean + type: object + contextRef: + description: |- + Context specify namespace/name of the OperatorContext object used for + reconciling this APIDefinition + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. 
+ type: string + required: + - name + type: object + customDomain: + description: |- + CustomDomain is the domain to bind this API to. This enforces domain matching for client requests. + + + Tyk classic API definition: `domain` + properties: + certificates: + description: |- + Certificates defines a field for specifying certificate IDs + that the Tyk can utilise to dynamically load certificates for your custom domain. + + + Tyk classic API definition: `certificates` + items: + type: string + type: array + certificatesRef: + description: |- + CertificatesRef defines a field for specifying certificates + through Kubernetes secrets. Secrets need to be installed within + the namespace of the TykOasApiDefinition resource. + items: + type: string + type: array + enabled: + description: Enabled allow/disallow the usage of the domain. + type: boolean + name: + description: Name is the name of the domain. + type: string + required: + - enabled + - name + type: object + mutualTLS: + description: MutualTLS represents the configuration for an Upstream + mTLS. + properties: + domainToCertificateMapping: + description: DomainToCertificateMapping contains the configuration + for an upstream server domain. + items: + description: CertificateMapping represents the mapping of a + domain to its certificate. + properties: + certificateID: + description: Certificate references to Tyk cert ID + type: string + certificateRef: + description: CertificateRef references the secret containing + the domain's SSL Certificate. + type: string + domain: + description: Domain refers to the domain name of an upstream + server. + type: string + required: + - domain + type: object + type: array + enabled: + description: Enabled indicates if MTLS should be enabled or not. 
+ type: boolean + required: + - enabled + type: object + tykOAS: + description: TykOAS provides storage information about Tyk OAS + properties: + configmapRef: + description: ConfigmapRef provides information of configmap in + which Tyk OAS is stored + properties: + keyName: + description: KeyName is the key of configmap in which Tyk + OAS doc is stored + type: string + name: + description: Name is the name of configmap + type: string + namespace: + description: |- + Namespace is the namespace of configmap. + If Namespace is not provided, we assume that the ConfigMap is in the same + namespace as TykOasApiDefinition resource. + type: string + required: + - keyName + - name + type: object + required: + - configmapRef + type: object + versioning: + description: Versioning provides versioning information about this + OAS API + properties: + default: + description: Default contains the default version name if a request + is issued without a version. + type: string + enabled: + description: Enabled is a boolean flag, if set to true it will + enable versioning of the API. + type: boolean + fallbackToDefault: + description: |- + FallbackToDefault specifies that the default version of the OAS API should be used if + the requested version does not exist." + type: boolean + key: + description: Key contains the name of the key to check for versioning + information. + type: string + location: + description: |- + Location contains versioning location information. It can be one of the following: + header, url-param, url. + enum: + - header + - url-param + - url + type: string + name: + description: Name contains the name of the version. + type: string + stripVersioningData: + description: StripVersioningData if enabled, specifies that the + API responses will be stripped of versioning data. + type: boolean + urlVersioningPattern: + description: |- + UrlVersioningPattern configure with a regex that matches the versioning identifier format in your URLs. 
+ This is essential when using stripVersioningData and fallbackToDefault with location=url." + type: string + versions: + description: Versions contains a list of versions that map to + individual API IDs. + items: + description: TykOASVersion represents each OAS API Definition + used as a version. + properties: + name: + description: Name contains the name of the referenced TykOasApiDefinition. + type: string + tykOasApiDefinitionRef: + description: TykOasApiDefinitionRef references a TykOasApiDefinition + Name and Namespace. + properties: + name: + description: k8s resource name + type: string + namespace: + description: |- + The k8s namespace of the resource being targeted. When omitted this will be + set to the namespace of the object that is being reconciled. + type: string + required: + - name + type: object + required: + - name + - tykOasApiDefinitionRef + type: object + type: array + required: + - enabled + type: object + required: + - tykOAS + type: object + status: + description: TykOasApiDefinitionStatus defines the observed state of TykOasApiDefinition + properties: + certificatePinning: + description: |- + PinnedPublicKeys shows Tyk IDs of the all pinned public keys for each domain + specified in this particular TykOasApiDefinition. + items: + description: |- + PublicKeyStatus corresponds to the pinned public key details to be displayed in the status + of the TykOasApiDefinition CR. + properties: + domain: + type: string + publicKeys: + items: + type: string + type: array + required: + - domain + - publicKeys + type: object + type: array + domain: + description: |- + DomainStatus shows Tyk IDs of the certificates used for a particular domain + specified in this particular TykOasApiDefinition. + properties: + certificates: + description: Certificates corresponds to Tyk IDs of the certificates + that are uploaded to Tyk. + items: + type: string + type: array + enabled: + type: boolean + name: + description: Name corresponds to the name of the domain. 
+ type: string + type: object + enabled: + description: Enabled represents if API is enabled or not + type: boolean + id: + description: ID is the unique identifier of the API within Tyk. + type: string + ingressTemplate: + description: IngressTemplate shows whether this CR is used as Ingress + Template or not. + type: boolean + latestCRDSpecHash: + description: |- + LatestCRDSpecHash stores the hash of TykOasApiDefinition CR created on K8s. This information is updated after + creating or updating the TykOasApiDefinition. It is useful for Operator to understand the need for + running update operation or not. If there is a change in latestCRDSpecHash as well as latestTykSpecHash, + Operator runs update logic and updates resources on Tyk Gateway or Tyk Dashboard. + type: string + latestConfigMapHash: + description: LatestConfigMapHash stores the hash of ConfigMap that + is being used by TykOasApiDefinition. + type: string + latestTransaction: + description: LatestTransaction provides status information about the + last reconciliation. + properties: + error: + description: Error corresponds to the error happened on Tyk API + level, if any. + type: string + status: + description: Status corresponds to the status of the last transaction. + type: string + time: + description: Time corresponds to the time of last transaction. + format: date-time + type: string + type: object + latestTykSpecHash: + description: |- + LatestTykSpecHash stores the hash of OAS API Definition created on Tyk. This information is updated after + creating or updating the TykOasApiDefinition. It is useful for Operator to understand the need for + running update operation or not. If there is a change in latestTykSpecHash as well as latestCRDSpecHash, + Operator runs update logic and updates resources on Tyk Gateway or Tyk Dashboard. + type: string + linkedByPolicies: + description: LinkedByPolicies is a list policies that references this + OAS API Definition. 
+ items:
+ properties:
+ name:
+ description: k8s resource name
+ type: string
+ namespace:
+ description: |-
+ The k8s namespace of the resource being targeted. When omitted this will be
+ set to the namespace of the object that is being reconciled.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ listenPath:
+ description: ListenPath is the base path on Tyk to which requests
+ for this API will be sent.
+ type: string
+ name:
+ description: Name is the name of the OAS API within Tyk.
+ type: string
+ targetURL:
+ description: TargetURL is the upstream address to which requests will
+ be proxied.
+ type: string
+ versioningStatus:
+ description: VersioningStatus shows the status of a Versioned TykOasAPIDefinition.
+ properties:
+ baseAPIVersionContextRef:
+ description: |-
+ BaseAPIVersionContextRef specifies the namespace and name of the
+ Base API a versioned API is linked to.
+ properties:
+ name:
+ description: k8s resource name
+ type: string
+ namespace:
+ description: |-
+ The k8s namespace of the resource being targeted. When omitted this will be
+ set to the namespace of the object that is being reconciled.
+ type: string
+ required:
+ - name
+ type: object
+ isDefaultVersion:
+ description: IsDefaultVersion specifies if the OAS API is the
+ default Version.
+ type: boolean
+ isVersionedAPI:
+ description: IsVersionedAPI indicates if the API is versioned.
+ type: boolean
+ type: object
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
From a5261449fda88ee1145611a08018989178996a4c Mon Sep 17 00:00:00 2001
From: Komal Sukhani
Date: Thu, 3 Oct 2024 20:22:13 +0530
Subject: [PATCH 2/9] Set operator license key
---
.../tyk-bootstrap/templates/bootstrap-post-install.yaml | 9 +++++++++
components/tyk-bootstrap/values.yaml | 8 ++++++++
2 files changed, 17 insertions(+)
diff --git a/components/tyk-bootstrap/templates/bootstrap-post-install.yaml b/components/tyk-bootstrap/templates/bootstrap-post-install.yaml
index cc18a6a6..f5647202 100644
--- a/components/tyk-bootstrap/templates/bootstrap-post-install.yaml
+++ b/components/tyk-bootstrap/templates/bootstrap-post-install.yaml
@@ -98,6 +98,15 @@ spec:
 value: {{ .Values.bootstrap.dashboard | quote }}
 - name: TYK_K8SBOOTSTRAP_OPERATORKUBERNETESSECRETNAME
 value: {{ .Values.bootstrap.operatorSecret }}
+ - name: TYK_K8SBOOTSTRAP_OPERATORLICENSEKEY
+ {{ if .Values.global.secrets.useSecretName }}
+ valueFrom:
+ secretKeyRef:
+ key: OperatorLicense
+ name: {{ .Values.global.secrets.useSecretName }}
+ {{ else }}
+ value: {{ .Values.global.license.operator | quote }}
+ {{ end }}
 - name: TYK_K8SBOOTSTRAP_BOOTSTRAPPORTAL
 value: {{ .Values.bootstrap.portal | quote }}
 {{- if .Values.bootstrap.org.hybrid.enabled }}
diff --git a/components/tyk-bootstrap/values.yaml b/components/tyk-bootstrap/values.yaml
index 18151def..33b824a8 100644
--- a/components/tyk-bootstrap/values.yaml
+++ b/components/tyk-bootstrap/values.yaml
@@ -12,6 +12,11 @@ global:
 license:
 # The license key needed for the Tyk Dashboard.
 dashboard: ""
+ # The license key needed for Tyk Operator.
+ #
+ # NOTE: If you do not want to store license as a plain text in the file, you can use a Kubernetes secret
+ # that stores the operator license. Please see `.global.secrets.useSecretName`.
+ operator: ""
 adminUser:
 # If you don't want to store plaintext secrets for admin user in the Helm value file and would
 # rather provide the k8s Secret externally please populate the value below
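Review bot: The new `secretKeyRef` for `TYK_K8SBOOTSTRAP_OPERATORLICENSEKEY` carries no `optional: true`, and the entry is not gated on the operator component, so an existing `useSecretName` Secret that predates this change and holds only `APISecret`/`AdminSecret`/`DashLicense` will leave the post-install Job pod in CreateContainerConfigError after an upgrade. Either mark the reference optional (`optional: true` under `secretKeyRef`) so a missing `OperatorLicense` key renders as an unset variable, or state in the chart's upgrade notes that the key is now mandatory in that Secret; how the bootstrap job treats an empty license is not visible here, so the safer choice depends on that. As a point of style, the new `{{ if … }}`/`{{ else }}`/`{{ end }}` actions are not whitespace-trimmed, unlike the adjacent `{{- if .Values.bootstrap.org.hybrid.enabled }}`, so each leaves an indented blank line inside the env entry; `{{- if .Values.global.secrets.useSecretName }}`, `{{- else }}` and `{{- end }}` keep the rendered manifest consistent with the rest of the template. The env list this entry belongs to starts outside the hunk.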
@@ -48,7 +53,10 @@ global:
 # If you don't want to store plaintext secrets in the Helm value file and would
 # rather provide the k8s Secret externally please populate the value below
 # You can set following fields in the secret
+ # APISecret - Sets node secret in both dashboard and tyk config
 # AdminSecret - Admin user secret key
+ # DashLicense - Tyk Dashboard license key
+ # OperatorLicense - Tyk Operator license key
 useSecretName: ""

 devPortal: tyk-dev-portal-conf
From 528c5fa362f3cc4ea29db1b9b503072758566d87 Mon Sep 17 00:00:00 2001
From: Komal Sukhani
Date: Thu, 3 Oct 2024 20:24:50 +0530
Subject: [PATCH 3/9] Update values of tyk-oss,tyk-stack and tyk-control-plane
---
tyk-control-plane/values.yaml | 6 ++++++
tyk-oss/values.yaml | 10 +++++++++-
tyk-stack/values.yaml | 6 ++++++
3 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/tyk-control-plane/values.yaml b/tyk-control-plane/values.yaml
index f32feb1b..d2e3b412 100644
--- a/tyk-control-plane/values.yaml
+++ b/tyk-control-plane/values.yaml
@@ -5,6 +5,11 @@ global:
 # NOTE: If you do not want to store license as a plain text in the file, you can use a Kubernetes secret
 # that stores the dashboard license. Please see `.global.secrets.useSecretName`.
 dashboard: ""
+ # The license key needed by Tyk Operator to work.
+ #
+ # NOTE: If you do not want to store license as a plain text in the file, you can use a Kubernetes secret
+ # that stores the operator license. Please see `.global.secrets.useSecretName`.
+ operator: ""

 # adminUser specifies credentials for Tyk Dashboard and Dev Portal admin user while bootstrapping.
 # Dashboard and Dev Portal admin information.
@@ -79,6 +84,7 @@ global:
 # APISecret - Sets node secret in both dashboard and tyk config
 # AdminSecret - Admin user secret key
 # DashLicense - Tyk Dashboard license key
+ # OperatorLicense - Tyk Operator license key
 useSecretName: ""

 redis:
diff --git a/tyk-oss/values.yaml b/tyk-oss/values.yaml
index 04621d98..2bbc0b93 100644
--- a/tyk-oss/values.yaml
+++ b/tyk-oss/values.yaml
@@ -20,6 +20,13 @@ global:
 # Tyk Operator needs cert-manager to be installed beforehand. Make sure that cert-manager is installed.
 # For further details, please refer to https://tyk.io/docs/tyk-stack/tyk-operator/installing-tyk-operator/
 operator: false
+
+ license:
+ # The license key needed by Tyk Operator to work.
+ #
+ # NOTE: If you do not want to store license as a plain text in the file, you can use a Kubernetes secret
+ # that stores the operator license. Please see `.global.secrets.useSecretName`.
+ operator: ""

 servicePorts:
 # The port at which the gateway service can be found at
@@ -40,6 +47,7 @@ global:
 # rather provide the k8s Secret externally.
 # You can set following fields in the secret
 # - APISecret - Sets node_secret and secret in tyk.conf
+ # - OperatorLicense - Tyk Operator license key
 useSecretName: ""

 redis:
@@ -487,7 +495,7 @@ tyk-operator:
 # image pull policy
 pullPolicy: IfNotPresent
 # image tag for Tyk Operator
- tag: "v0.18.0"
+ tag: "v1.0.0"
 # number for replicas for Tyk Operator deployment.
 replicaCount: 1
 # imagePullSecrets specify imagePullSecrets for ServiceAccount
diff --git a/tyk-stack/values.yaml b/tyk-stack/values.yaml
index a1afd3e4..b40824a2 100644
--- a/tyk-stack/values.yaml
+++ b/tyk-stack/values.yaml
@@ -9,6 +9,11 @@ global:
 # NOTE: If you do not want to store license as a plain text in the file, you can use a Kubernetes secret
 # that stores the dashboard license. Please see `.global.secrets.useSecretName`.
 dashboard: ""
+ # The license key needed by Tyk Operator to work.
+ #
+ # NOTE: If you do not want to store license as a plain text in the file, you can use a Kubernetes secret
+ # that stores the operator license. Please see `.global.secrets.useSecretName`.
+ operator: ""

 # adminUser specifies credentials for Tyk Dashboard and Dev Portal admin user while bootstrapping.
 # Dashboard and Dev Portal admin information.
@@ -80,6 +85,7 @@ global:
 # APISecret - Sets node secret in both dashboard and tyk config
 # AdminSecret - Admin user secret key
 # DashLicense - Tyk Dashboard license key
+ # OperatorLicense - Tyk Operator license key
 useSecretName: ""

 redis:
From f4bc5c57b7312c02342005cdd39574050f306531 Mon Sep 17 00:00:00 2001
From: Komal Sukhani
Date: Thu, 3 Oct 2024 20:30:58 +0530
Subject: [PATCH 4/9] Rename file
---
tyk-operator-crds/{crd-v0.18.8-rc-test.yaml => crd-v1.0.0.yaml} | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename tyk-operator-crds/{crd-v0.18.8-rc-test.yaml => crd-v1.0.0.yaml} (100%)
diff --git a/tyk-operator-crds/crd-v0.18.8-rc-test.yaml b/tyk-operator-crds/crd-v1.0.0.yaml
similarity index 100%
rename from tyk-operator-crds/crd-v0.18.8-rc-test.yaml
rename to tyk-operator-crds/crd-v1.0.0.yaml
From 613787f8d570c16a1201b59e3ca1c3a391260424 Mon Sep 17 00:00:00 2001
From: Komal Sukhani
Date: Thu, 3 Oct 2024 20:31:21 +0530
Subject: [PATCH 5/9] Update values and chart of umbrella charts
---
components/tyk-operator/Chart.yaml | 2 +-
tyk-control-plane/Chart.yaml | 4 ++--
tyk-control-plane/values.yaml | 2 +-
tyk-oss/Chart.yaml | 4 ++--
tyk-stack/Chart.yaml | 4 ++--
tyk-stack/values.yaml | 2 +-
6 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/components/tyk-operator/Chart.yaml b/components/tyk-operator/Chart.yaml
index e2390903..85439636 100644
--- a/components/tyk-operator/Chart.yaml
+++ b/components/tyk-operator/Chart.yaml
@@ -2,4 +2,4 @@ apiVersion: v2
 name: tyk-operator
 description: A Helm chart to install the tyk-operator
 type: application
-version: 0.18.0 # version of the chart
+version: 1.0.0 # version of the chart
diff --git a/tyk-control-plane/Chart.yaml b/tyk-control-plane/Chart.yaml
index 3f6a9cdb..d3bd0e32 100644
--- a/tyk-control-plane/Chart.yaml
+++ b/tyk-control-plane/Chart.yaml
@@ -47,8 +47,8 @@ dependencies:
 repository: file://../components/tyk-dev-portal
 condition: global.components.devPortal
 - name: tyk-operator
- version: 0.18.0
- repository: https://helm.tyk.io/public/helm/charts/
+ version: 1.0.0
+ repository: file://../components/tyk-operator
 condition: global.components.operator
 annotations:
 artifacthub.io/category: networking
diff --git a/tyk-control-plane/values.yaml b/tyk-control-plane/values.yaml
index d2e3b412..e47af25d 100644
--- a/tyk-control-plane/values.yaml
+++ b/tyk-control-plane/values.yaml
@@ -584,7 +584,7 @@ tyk-operator:
 # image pull policy
 pullPolicy: IfNotPresent
 # image tag for Tyk Operator
- tag: "v0.18.0"
+ tag: "v1.0.0"
 # number for replicas for Tyk Operator deployment.
 replicaCount: 1
 # imagePullSecrets specify imagePullSecrets for ServiceAccount
diff --git a/tyk-oss/Chart.yaml b/tyk-oss/Chart.yaml
index cc2162d0..a7cbeb46 100644
--- a/tyk-oss/Chart.yaml
+++ b/tyk-oss/Chart.yaml
@@ -43,8 +43,8 @@ dependencies:
 repository: file://../components/tyk-pump
 condition: global.components.pump
 - name: tyk-operator
- version: 0.18.0
- repository: https://helm.tyk.io/public/helm/charts/
+ version: 1.0.0
+ repository: file://../components/tyk-operator
 condition: global.components.operator
 annotations:
 artifacthub.io/category: networking
diff --git a/tyk-stack/Chart.yaml b/tyk-stack/Chart.yaml
index f44d289e..6e6a93e3 100644
--- a/tyk-stack/Chart.yaml
+++ b/tyk-stack/Chart.yaml
@@ -42,8 +42,8 @@ dependencies:
 repository: file://../components/tyk-dev-portal
 condition: global.components.devPortal
 - name: tyk-operator
- version: 0.18.0
- repository: https://helm.tyk.io/public/helm/charts/
+ version: 1.0.0
+ repository: file://../components/tyk-operator
 condition: global.components.operator
 annotations:
 artifacthub.io/category: networking
diff --git a/tyk-stack/values.yaml b/tyk-stack/values.yaml
index b40824a2..4c102134 100644
--- a/tyk-stack/values.yaml
+++ b/tyk-stack/values.yaml
@@ -582,7 +582,7 @@ tyk-operator:
 # image pull policy
 pullPolicy: IfNotPresent
 # image tag for Tyk Operator
- tag: "v0.18.0"
+ tag: "v1.0.0"
 # number for replicas for Tyk Operator deployment.
 replicaCount: 1
 # imagePullSecrets specify imagePullSecrets for ServiceAccount
From a010f0061097520ddc82279ac711be8db13a56ec Mon Sep 17 00:00:00 2001
From: Komal Sukhani
Date: Thu, 3 Oct 2024 20:36:41 +0530
Subject: [PATCH 6/9] Upgrade tyk-bootstrap version
---
components/tyk-bootstrap/values.yaml | 6 +++---
tyk-control-plane/values.yaml | 6 +++---
tyk-stack/values.yaml | 6 +++---
3 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/components/tyk-bootstrap/values.yaml b/components/tyk-bootstrap/values.yaml
index 33b824a8..d4b2fd98 100644
--- a/components/tyk-bootstrap/values.yaml
+++ b/components/tyk-bootstrap/values.yaml
@@ -89,7 +89,7 @@ bootstrap:
 # repository specifies image repository of pre-install job.
 repository: tykio/tyk-k8s-bootstrap-pre-install
 # tag specifies image tag of pre-install job.
- tag: v2.1.2
+ tag: v2.1.3

 # extraEnvs is used to set extra environment variables to pre-install job.
 # - name: TYK_K8SBOOTSTRAP_TYK_DASHBOARDLICENSE
@@ -103,7 +103,7 @@ bootstrap:
 # repository specifies image repository of post-install job.
 repository: tykio/tyk-k8s-bootstrap-post
 # tag specifies image tag of post-install job.
- tag: v2.1.2
+ tag: v2.1.3

 # extraEnvs is used to set extra environment variables to post-install job.
 # - name: TYK_K8SBOOTSTRAP_TYK_ADMIN_FIRSTNAME
@@ -117,7 +117,7 @@ bootstrap:
 # repository specifies image repository of pre-delete job.
 repository: tykio/tyk-k8s-bootstrap-pre-delete
 # tag specifies image tag of pre-delete job.
- tag: v2.1.2
+ tag: v2.1.3

 # extraEnvs is used to set extra environment variables to pre-delete job.
 # - name: TYK_K8SBOOTSTRAP_OPERATORKUBERNETESSECRETNAME
diff --git a/tyk-control-plane/values.yaml b/tyk-control-plane/values.yaml
index e47af25d..de2924aa 100644
--- a/tyk-control-plane/values.yaml
+++ b/tyk-control-plane/values.yaml
@@ -860,7 +860,7 @@ tyk-bootstrap:
 # repository specifies image repository of pre-install job.
 repository: tykio/tyk-k8s-bootstrap-pre-install
 # tag specifies image tag of pre-install job.
- tag: v2.1.2
+ tag: v2.1.3

 # extraEnvs is used to set extra environment variables to pre-install job.
 # - name: TYK_K8SBOOTSTRAP_TYK_DASHBOARDLICENSE
@@ -874,7 +874,7 @@ tyk-bootstrap:
 # repository specifies image repository of post-install job.
 repository: tykio/tyk-k8s-bootstrap-post
 # tag specifies image tag of post-install job.
- tag: v2.1.2
+ tag: v2.1.3

 # extraEnvs is used to set extra environment variables to post-install job.
 # - name: TYK_K8SBOOTSTRAP_TYK_ADMIN_FIRSTNAME
@@ -888,7 +888,7 @@ tyk-bootstrap:
 # repository specifies image repository of pre-delete job.
 repository: tykio/tyk-k8s-bootstrap-pre-delete
 # tag specifies image tag of pre-delete job.
- tag: v2.1.2
+ tag: v2.1.3

 # extraEnvs is used to set extra environment variables to pre-delete job.
 # - name: TYK_K8SBOOTSTRAP_OPERATORKUBERNETESSECRETNAME
diff --git a/tyk-stack/values.yaml b/tyk-stack/values.yaml
index 4c102134..9246f7b0 100644
--- a/tyk-stack/values.yaml
+++ b/tyk-stack/values.yaml
@@ -861,7 +861,7 @@ tyk-bootstrap:
 # repository specifies image repository of pre-install job.
 repository: tykio/tyk-k8s-bootstrap-pre-install
 # tag specifies image tag of pre-install job.
- tag: v2.1.2
+ tag: v2.1.3

 # extraEnvs is used to set extra environment variables to pre-install job.
 # - name: TYK_K8SBOOTSTRAP_TYK_DASHBOARDLICENSE
@@ -875,7 +875,7 @@ tyk-bootstrap:
 # repository specifies image repository of post-install job.
 repository: tykio/tyk-k8s-bootstrap-post
 # tag specifies image tag of post-install job.
- tag: v2.1.2
+ tag: v2.1.3

 # extraEnvs is used to set extra environment variables to post-install job.
 # - name: TYK_K8SBOOTSTRAP_TYK_ADMIN_FIRSTNAME
@@ -889,7 +889,7 @@ tyk-bootstrap:
 # repository specifies image repository of pre-delete job.
 repository: tykio/tyk-k8s-bootstrap-pre-delete
 # tag specifies image tag of pre-delete job.
- tag: v2.1.2
+ tag: v2.1.3

 # extraEnvs is used to set extra environment variables to pre-delete job.
 # - name: TYK_K8SBOOTSTRAP_OPERATORKUBERNETESSECRETNAME
From 339fc7ff1b18e000fc594fd4f8a2754d8dbd64ef Mon Sep 17 00:00:00 2001
From: Komal Sukhani
Date: Thu, 3 Oct 2024 20:39:01 +0530
Subject: [PATCH 7/9] Upgrade tyk-bootstrap version
---
components/tyk-bootstrap/values.yaml | 6 +++---
tyk-control-plane/values.yaml | 6 +++---
tyk-stack/values.yaml | 6 +++---
3 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/components/tyk-bootstrap/values.yaml b/components/tyk-bootstrap/values.yaml
index d4b2fd98..175c1dfe 100644
--- a/components/tyk-bootstrap/values.yaml
+++ b/components/tyk-bootstrap/values.yaml
@@ -89,7 +89,7 @@ bootstrap:
 # repository specifies image repository of pre-install job.
 repository: tykio/tyk-k8s-bootstrap-pre-install
 # tag specifies image tag of pre-install job.
- tag: v2.1.3
+ tag: v2.2.0

 # extraEnvs is used to set extra environment variables to pre-install job.
 # - name: TYK_K8SBOOTSTRAP_TYK_DASHBOARDLICENSE
@@ -103,7 +103,7 @@ bootstrap:
 # repository specifies image repository of post-install job.
 repository: tykio/tyk-k8s-bootstrap-post
 # tag specifies image tag of post-install job.
- tag: v2.1.3
+ tag: v2.2.0

 # extraEnvs is used to set extra environment variables to post-install job.
 # - name: TYK_K8SBOOTSTRAP_TYK_ADMIN_FIRSTNAME
@@ -117,7 +117,7 @@ bootstrap:
 # repository specifies image repository of pre-delete job.
 repository: tykio/tyk-k8s-bootstrap-pre-delete
 # tag specifies image tag of pre-delete job.
- tag: v2.1.3
+ tag: v2.2.0

 # extraEnvs is used to set extra environment variables to pre-delete job.
 # - name: TYK_K8SBOOTSTRAP_OPERATORKUBERNETESSECRETNAME
diff --git a/tyk-control-plane/values.yaml b/tyk-control-plane/values.yaml
index de2924aa..57c19714 100644
--- a/tyk-control-plane/values.yaml
+++ b/tyk-control-plane/values.yaml
@@ -860,7 +860,7 @@ tyk-bootstrap:
 # repository specifies image repository of pre-install job.
 repository: tykio/tyk-k8s-bootstrap-pre-install
 # tag specifies image tag of pre-install job.
- tag: v2.1.3
+ tag: v2.2.0

 # extraEnvs is used to set extra environment variables to pre-install job.
 # - name: TYK_K8SBOOTSTRAP_TYK_DASHBOARDLICENSE
@@ -874,7 +874,7 @@ tyk-bootstrap:
 # repository specifies image repository of post-install job.
 repository: tykio/tyk-k8s-bootstrap-post
 # tag specifies image tag of post-install job.
- tag: v2.1.3
+ tag: v2.2.0

 # extraEnvs is used to set extra environment variables to post-install job.
 # - name: TYK_K8SBOOTSTRAP_TYK_ADMIN_FIRSTNAME
@@ -888,7 +888,7 @@ tyk-bootstrap:
 # repository specifies image repository of pre-delete job.
 repository: tykio/tyk-k8s-bootstrap-pre-delete
 # tag specifies image tag of pre-delete job.
- tag: v2.1.3
+ tag: v2.2.0

 # extraEnvs is used to set extra environment variables to pre-delete job.
 # - name: TYK_K8SBOOTSTRAP_OPERATORKUBERNETESSECRETNAME
diff --git a/tyk-stack/values.yaml b/tyk-stack/values.yaml
index 9246f7b0..ac48fc7e 100644
--- a/tyk-stack/values.yaml
+++ b/tyk-stack/values.yaml
@@ -861,7 +861,7 @@ tyk-bootstrap:
 # repository specifies image repository of pre-install job.
 repository: tykio/tyk-k8s-bootstrap-pre-install
 # tag specifies image tag of pre-install job.
- tag: v2.1.3
+ tag: v2.2.0

 # extraEnvs is used to set extra environment variables to pre-install job.
 # - name: TYK_K8SBOOTSTRAP_TYK_DASHBOARDLICENSE
@@ -875,7 +875,7 @@ tyk-bootstrap:
 # repository specifies image repository of post-install job.
 repository: tykio/tyk-k8s-bootstrap-post
 # tag specifies image tag of post-install job.
- tag: v2.1.3
+ tag: v2.2.0

 # extraEnvs is used to set extra environment variables to post-install job.
 # - name: TYK_K8SBOOTSTRAP_TYK_ADMIN_FIRSTNAME
@@ -889,7 +889,7 @@ tyk-bootstrap:
 # repository specifies image repository of pre-delete job.
 repository: tykio/tyk-k8s-bootstrap-pre-delete
 # tag specifies image tag of pre-delete job.
- tag: v2.1.3
+ tag: v2.2.0

 # extraEnvs is used to set extra environment variables to pre-delete job.
 # - name: TYK_K8SBOOTSTRAP_OPERATORKUBERNETESSECRETNAME
From 6f2d02c371a321f7bc1590767d8c2e7d795b5352 Mon Sep 17 00:00:00 2001
From: Komal Sukhani
Date: Thu, 3 Oct 2024 20:51:10 +0530
Subject: [PATCH 8/9] Update chart lock
---
tyk-control-plane/Chart.lock | 8 ++++----
tyk-oss/Chart.lock | 8 ++++----
tyk-stack/Chart.lock | 8 ++++----
3 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/tyk-control-plane/Chart.lock b/tyk-control-plane/Chart.lock
index 65388f4a..26ff2148 100644
--- a/tyk-control-plane/Chart.lock
+++ b/tyk-control-plane/Chart.lock
@@ -18,7 +18,7 @@ dependencies:
 repository: file://../components/tyk-dev-portal
 version: 2.0.0
 - name: tyk-operator
- repository: https://helm.tyk.io/public/helm/charts/
- version: 0.18.0
-digest: sha256:463bf619200e80a9ea78a2f6b80d72668bcc59e2839c2281714163268a0b7cf5
-generated: "2024-09-26T17:44:45.219606+05:30"
+ repository: file://../components/tyk-operator
+ version: 1.0.0
+digest: sha256:0d87bb259e47763367395aaa34a2dd72ff4d30cbb543a3b18a148c8bb22ad653
+generated: "2024-10-03T20:51:01.210599+05:30"
diff --git a/tyk-oss/Chart.lock b/tyk-oss/Chart.lock
index e13b4a81..b9d05664 100644
--- a/tyk-oss/Chart.lock
+++ b/tyk-oss/Chart.lock
@@ -6,7 +6,7 @@ dependencies:
 repository: file://../components/tyk-pump
 version: 2.0.0
 - name: tyk-operator
- repository: https://helm.tyk.io/public/helm/charts/
- version: 0.18.0
-digest: sha256:f287be5f4c717f2ca596352573240bf399accb6cf79ec0be6f92e05be5607bcd
-generated: "2024-09-26T17:44:07.772684+05:30"
+ repository: file://../components/tyk-operator
+ version: 1.0.0
+digest: sha256:5ff57c1b170a8ac540880a2807f1a9e0bf8d7b2f234e13fd7b81a6d305a7e0d5
+generated: "2024-10-03T20:50:45.037773+05:30"
diff --git a/tyk-stack/Chart.lock b/tyk-stack/Chart.lock
index f0f75ac7..6801bdc7 100644
--- a/tyk-stack/Chart.lock
+++ b/tyk-stack/Chart.lock
@@ -15,7 +15,7 @@ dependencies:
 repository: file://../components/tyk-dev-portal
 version: 2.0.0
 - name: tyk-operator
- repository: https://helm.tyk.io/public/helm/charts/
- version: 0.18.0
-digest: sha256:7eb69b5a572c2d3962cedca1f3e8f6331b7561ab711fde64e52cf51f9a97080d
-generated: "2024-09-26T17:44:17.228125+05:30"
+ repository: file://../components/tyk-operator
+ version: 1.0.0
+digest: sha256:7524937e3bd8f242753f8adc7e6a9dfaeb52353e2b1ebd1f9e126c054911d585
+generated: "2024-10-03T20:50:53.672858+05:30"
From edb106790a0e800659d79933f855584398fdc8e2 Mon Sep 17 00:00:00 2001
From: Komal Sukhani
Date: Thu, 3 Oct 2024 20:55:38 +0530
Subject: [PATCH 9/9] Fix lint error
---
tyk-oss/values.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tyk-oss/values.yaml b/tyk-oss/values.yaml
index 2bbc0b93..f17c331d 100644
--- a/tyk-oss/values.yaml
+++ b/tyk-oss/values.yaml
@@ -20,7 +20,7 @@ global:
 # Tyk Operator needs cert-manager to be installed beforehand. Make sure that cert-manager is installed.
 # For further details, please refer to https://tyk.io/docs/tyk-stack/tyk-operator/installing-tyk-operator/
 operator: false
-
+
 license:
 # The license key needed by Tyk Operator to work.
 #