v0.18.0

Added

• introspection option to enable/disable GraphQL introspection
• graphql.proxy.auth_headers
• graphql.proxy.subscription_type
• graphql.proxy.request_headers
• graphql.proxy.use_response_extensions
• graphql.proxy.request_headers_rewrite
• graphql.proxy.features

v0.17.1

Tyk Operator v0.17.1 has been released

• Addressed security vulnerabilities:
  • CVE-2023-45288
  • CVE-2024-24786
• Resolved issue regarding missing OrgID field in ApiDefinition template CRs generated by the Ingress Controller.
• Webhook and RBAC port configurations in Tyk Operator Helm chart.
• Sample updates:
  • Patched GraphQL engine version in GraphQL proxy examples.
  • Updated ClusterIssuer samples.

For a complete list of changes, please refer to the full changelog.

v0.17.0

Updated:

• Updated Kubernetes versions used in CI for testing to ["v1.25.0", "v1.26.0", "v1.27.0", "v1.28.0", "v1.29.0"]

Fixed:

• Fix creating duplicated APIDefinitions on Tyk in case of cluster failures. If network errors happen while updating the
  APIDefinition, Tyk Operator retries the reconciliation based on the underlying error type #679

v0.16.0

Overview/Highlights

Tyk Operator v0.16.0 added support for analytics plugin, UDG global header, and detailed tracing setting in ApiDefinition. See ApiDefinition CRD for the latest documentation.

Upgrading to v0.16.0

While upgrading Tyk Operator release via Helm, please make sure that the latest CRDs are also applied on the cluster, as follows:
kubectl apply -f https://raw.githubusercontent.com/TykTechnologies/tyk-operator/v0.16.0/helm/crds/crds.yaml

What’s Changed?

Added

• Added imagePullSecrets configuration for ServiceAccount in Tyk Operator Helm chart
• Added tyk to categories field of CRDs. So, from now on, all CRs related to Tyk Operator is grouped into tyk category and can be displayed via kubectl get tyk.
• Added to ApiDefinition CRD: support of analytics plugin at spec.analytics_plugin. See Example CRD with Analytics Plugin for details.
• Added to ApiDefinition CRD: support for UDG Global Header at spec.graphql.engine.global_headers object in ApiDefinition CRD.
• Added to ApiDefinition CRD: support for detail tracing configuration at spec.detailed_tracing field in ApiDefinition CRD. Enable it for the API if you want to get detail span for each middleware involved in request processing.

Updated

• Updated Go version to 1.21

Fixed

• Fixed CVE-2023-39325 (NVD)
• Fixed a bug that prevents Tyk Operator to work with SecurityPolicy in OSS Mode. Now, SecurityPolicy controller will not modify spec.MID (_id) field in SecurityPolicy.

Compatibility Notes

Please see our version compatibility matrix

v0.15.1

What’s Changed?

Fixed

• Fixed 2 CVEs: GO-2023-1988, CVE-2023-3978

• Fixed typo in environment package

• Fixed linter issues that were raised after updating the package.

Compatibility Notes
Tested on Tyk 5.0 and Kubernetes v1.26.3, v1.25.2, v1.24.6, v1.23.12, v1.22.15, v1.21.14, v1.20.15

v0.15.0

Overview/Highlights

Tyk Operator v0.15.0 helps you understand API reconciliation status with a new 'latestTransaction' status subresource in APIDefinition CRD. We have added support for validate_json disabled field, additional volume options, and improved monitoring via ServiceMonitor for Prometheus. Fixes include allowing null value for subgraphs' headers and reconciliation issues.

Upgrading to v0.15.0

While upgrading Tyk Operator release via Helm, please make sure that the latest CRDs are also applied on the cluster, as follows:
kubectl apply -f https://raw.githubusercontent.com/TykTechnologies/tyk-operator/v0.15.0/helm/crds/crds.yaml

What’s Changed?

Added

• Added ‘latestTransaction’ status subresource in APIDefinition CRD which holds information about API reconciliation status. You can use this status field to understand reconciliation status like whether the latest transaction is successful, transaction time, and in case of failure, the error description.
• Support for validate_json disabled field in APIDefinition CRD.
• Added extraVolume and extraVolumeMounts options to the helm chart. It can be used to mount CA certs.
• Added serviceMonitor option to the helm chart. Enabling this would expose /metrics endpoint via serviceMonitor object for Prometheus.

Fixed

• Allow subgraphs' header field to take null values to prevent errors when using an output from snapshot tool. While exporting GraphQL ApiDefinitions in older versions of Tyk via snapshot tool, spec.graphql.supergraph.subgraphs[].headers field is encoded as null because in Tyk v4.0, this field is not introduced and recognised as null value.
• Fix TLS secret reconciliation failure if certificate was already uploaded on Tyk.
• Fix reconciliation errors “the object has been modified; please apply your changes to the latest version and try again” that was created inside the reconciliation loop

Compatibility Notes

Tested on Tyk 5.0 and Kubernetes v1.26.3, v1.25.2, v1.24.6, v1.23.12, v1.22.15, v1.21.14, v1.20.15

v0.14.2

Update CRDs

ApiDefinition CRD is updated - it includes new fields in Status. Please update CRDs before upgrading to v0.14.2

kubectl apply -f https://raw.githubusercontent.com/TykTechnologies/tyk-operator/v0.14.2/helm/crds/crds.yaml

Highlights

• Added support for multiple auth
• Performance improvements - Reduce number of PUT calls Tyk Operator made to Dashboard in reconciliation by detecting changes in Custom Resource or changes that has happened in Dashboard. It means Tyk Operator can ignore changes Dashboard automatically apply to APIs or Policies Definitions due to backward compatibility reason.
• Empty value (e.g. empty string or false boolean value) was omitted from APIDefinition and SecurityPolicies live manifests. This makes ArgoCD thinks that the the manifest has been out of sync. This issue is fixed in APIDefinition and SecurityPolicies CR with all bool and string fields.

Change Log

Added

• Added possibility to set base identity provider for multiple chained authentication by @bogumillaska in #621

Changed

• Update golangci-lint version to 1.50.1 by @buraksekili in #620
• [TT-8658] Changed optional fields of CRD to pointers by @komalsukhani in #627
• [TT-8822] Improve hash comparision in Reconciliation by @buraksekili in #625
• Update CHANGELOG according to latest hash comparison improvements by @buraksekili in #629

Fixed

• [TT-8935] Fix snapshot panic by @komalsukhani in #628

New Contributors

• @bogumillaska made their first contribution in #621 🎉

Full Changelog: v0.14.1...v0.14.2

v0.14.1

What's new?

Change Log

Fixed

• Fix Operator removes spec.contextRef from security policy definitions (#605)
• Fix panic caused while uploading certificate (#607)

Updated

• Bump http://github.com/Masterminds/goutils from 1.1.0 to 1.1.1 (#556)
• Bump http://github.com/prometheus/client_golang from 1.11.0 to 1.11.1 (#567)
• Bump http://golang.org/x/text from 0.3.7 to 0.3.8 (#572)
• Upgrade go version to 1.19 (#616)

Tested with

Tyk Gateway and Dashboard v3.2, v4.0, v4.3, v5.0
Kubernetes version v1.20.15, v1.21.14, v1.22.15, v1.23.12, v1.24.6, v1.25.2, v1.26.3

v0.14.0

What's new?

Highlights

Snapshot tool usability enhancements

1. We have released the Tyk Operator docker image so you can run snapshot tool directly now,

e.g. docker run -it --rm --env-file=.env -v "$(pwd)":/dist tykio/tyk-operator:{tag} [FLAGS]

2. Allow use of --category flag with --separate flag, so you can export API definitions from one category and Policies into separate files.

For details, please refer to updated snapshot documentation here.

Improve performance and fix errors during reconciliation

1. Reduce number of external API calls to Tyk Gateway / Dashboard by calling Update API only if the hashes of an existing resource and updated resource is different during reconciliation.
2. Adds an additional check in delete method of ApiDefinition to handle unexpected status responses (500) from older version of Tyk Gateway while deleting non-existent APIs.
3. Adds an additional check in update method of ApiDefinition to handle update of a non-existent API. If ApiDefinition does not exist in Tyk, Operator will create it; otherwise, Operator will update it.

Notes on updating to v0.14.0

We have updated the control-plane labels from controller-manager to tyk-operator-controller-manager. It is to avoid selector issues if you are running multiple controllers that was built with kubebuilder. In case of helm upgrade failure, please delete and install tyk-operator again.

Change Log

Updated

• Update github workflow to test each PR against Tyk v4.0 as well (#546) @zalbiraw
• Allow Snapshot tool to filter by category regardless of the flags set (#565) @zalbiraw @buraksekili @singhpr
• Documentation of snapshot tool, in order to explain how to use Snapshot with Docker. (#581) @buraksekili @caroltyk
• Remove hardcoded TLS keys from integration tests to prevent possible CI failures (#580) (#589) @buraksekili

Added

• Added hostNetwork Support(#537) @rdcwaldrop1 @singhpr @buraksekili
• Added venom tests for operator regression test set (#562) @singhpr @komalsukhani
• Added a new test case to cover whether reconciliation covers creation of (#575) @buraksekili
• Added venom test for QA-1053-mock-response-plugin (#578) @singhpr
• Added Contribution Guideline (#576) @buraksekili

Fixed

• Remove ORGID from SecurityPolicy CRs while using Snapshot tool (#577) @zalbiraw @singhpr
• Prevent reading Kubernetes config while using operator snapshot as a CLI command (this means you don't need to have a running Kubernetes cluster when running operator snapshot). (#569) @buraksekili @letzya
• Fixed reconciliation failures when ApiDefinition does not exist on Tyk storage. (#561) (#566) @buraksekili @singhpr
• Fixed BDD tests dependency of curl. Instead of running curl within a container, implemented a port-forward mechanism to send raw HTTP requests to pods. (#570) @buraksekili
• Fixed extra Update calls to Tyk GW / Dashboard. If no changes are made to ApiDefinition resource, Operator won't send a request to Tyk GW / Dashboard. (#571) @buraksekili
• Updated control-plane labels from controller-manager to tyk-operator-controller-manager to avoid selector issues (#583) @zalbiraw @singhpr

Tested with

Tyk Gateway and Dashboard v3.2, v4.0, v4.3, v5.0
Kubernetes version v1.19.16, v1.20.15, v1.21.14, v1.22.15, v1.23.12, v1.24.6, v1.25.2

v0.13.0

What's new?

Highlights

• Support security policies for OSS users. You can use the SecurityPolicy CRD to protect your APIs now. Note this feature requires Tyk Gateway v4.1 or later.
• Support policy settings for GraphQL. It includes query depth limiting in both global and API level, field based permissions (allowed_types or restricted_types), and enable/disable of introspection. Note allowed_types and disable_introspection requires Tyk v4.3 or later.
• Support Basic Auth authentication
• Ignore 404 when deleting an API. Tyk operator finalizer prevent APIs from being deleted in the cluster if the API cannot be found on Tyk. The fix assumes API is deleted from Tyk if 404 is returned from Dashboard. Note the fix does not apply to older version of Gateway because a different error code is returned. A separate fix will be raised for that in next release.

Added

• Added integration tests using Venom framework by @komalsukhani @singhpr (#520)
• Added new mock endpoint sample by @rewsmith (#533)
• Added Security Policies for Tyk OSS by @buraksekili (#536)
• Added Basic Authentication support by @andrei-tyk @bogumillaska @buraksekili (#545)
• Added Security policy settings for GraphQL by @buraksekili @singhpr (#550)
• Add nodeSelector support by @zalbiraw (#552)
• Move all operations regarding API configuration to a function by @buraksekili (#557)
• Add an ad-hoc Tyk API call to verify non-existent Policies in delete method by @buraksekili (#558)
• Add version compatibility notes by @caroltyk (#560)

Fixed

• Ignore 404 when deleting an API, fixes #469 by @patriziobruno (#541)
• Fix Security Policy Migration by @buraksekili (#540)
• Fix Attempting to remove an ApiDefinition fails if previously associated to a SecurityPolicy by @komalsukhani (#547)
• Fix Security Policy Tests by @komalsukhani @buraksekili (#553)

Tested with

• Tyk Gateway and Dashboard v3.2, v4.3
• Kubernetes version v1.19.16, v1.20.15, v1.21.14, v1.22.15, v1.23.12, v1.24.6, v1.25.2