This repository has been archived by the owner on Oct 11, 2024. It is now read-only.

Releases: TykTechnologies/tyk-operator

v0.6.1

22 Apr 23:03

Changelog

a2992de Configurable ingress port (#291)
562bd49 Change tag to latest (#294)
d29e13e Update installation.md (#283)
bc85a27 defect: mismatch b64 url encoding vs b64 raw url encoding (#295)
940555c making installation a little clearer
feda181 properly check for SecurityPolicy resource (#287)
2ed0ef3 svg example in the readme (#288)
66321ce version to: v0.6.1

Docker images

  • docker pull tykio/tyk-operator:latest
  • docker pull tykio/tyk-operator:v0
  • docker pull tykio/tyk-operator:v0.6
  • docker pull tykio/tyk-operator:v0.6.1

v0.6.0

09 Apr 10:25

Breaking change

In this release we changed the encoding of API_ID: before it was base64 with padding,
now we use base64 without padding.

To ensure that the new API IDs and policies are applied properly, it may be necessary to delete your existing APIs, upgrade the operator and reapply your APIs.

Some API keys may stop working if padding was previously applied, and now padding has been removed.

New features

Looping PR#132

In tyk you target APIs with the tyk://<API_ID>/<path> scheme.
This requires prior knowledge of the API_ID. Since the operator treats APIs as objects and manages them, including assigning the API_ID, we introduce a typed API to refer to other APIs.

The operator automatically generates the correct url before sending it to the gateway.

Full sample file

URL Rewriting

A rewrite_to_internal field is used to target other api resources.

Usage

url_rewrites:
  - path: "/{id}"
    match_pattern: "/basic/(.*)"
    method: GET
    rewrite_to_internal:
      target:
        name: proxy-api
        namespace: default
      path: proxy/$1

This API is targeting an ApiDefinition resource proxy-api in the default namespace. The operator will take care of transforming this into something like this:

url_rewrites:
- match_pattern: /basic/(.*)
  method: GET
  path: /{id}
  rewrite_to: tyk://ZGVmYXVsdC9wcm94eS1hcGk/proxy/$1

As a user you don't have to worry about the API_ID of the resource you want to target, or about the case where someone tries to delete a resource you are targeting.

URL Rewriting triggers

A rewrite_to_internal field is used to target other API resources in triggers.
For example:

triggers:
  - "on": "all"
    options:
      header_matches:
        "Authorization":
          match_rx: "^Basic"
    rewrite_to_internal:
      target:
        name: basic-auth-internal
        namespace: default
      path: "basic/$2"

The operator transforms that into something like this:

triggers:
- "on": all
  options:
    header_matches:
      Authorization:
        match_rx: ^Basic
  rewrite_to: tyk://ZGVmYXVsdC9iYXNpYy1hdXRoLWludGVybmFs/basic/$2

Proxy to internal apis

A target_internal field on the proxy object is used to target other API resources. This field's properties are the same as the ones described for rewrite_to_internal.
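
How a typed target becomes the tyk:// URL, and why the v0.6.0 padding change can alter an API_ID, as an added example (not the operator's own code). It assumes the API_ID is the URL-safe base64 of namespace/name, which is what the sample IDs above decode to; all function names are illustrative.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// encodeAPIID returns the unpadded URL-safe base64 of "namespace/name",
// the form that appears in the tyk:// URLs above.
func encodeAPIID(namespace, name string) string {
	return base64.RawURLEncoding.EncodeToString([]byte(namespace + "/" + name))
}

// legacyAPIID returns the padded form described for releases before v0.6.0
// (assumption: same URL-safe alphabet, only the padding differs).
func legacyAPIID(namespace, name string) string {
	return base64.URLEncoding.EncodeToString([]byte(namespace + "/" + name))
}

// idChangesOnUpgrade reports whether dropping the padding gives this resource
// a different API_ID, i.e. one that no longer matches what was stored before.
func idChangesOnUpgrade(namespace, name string) bool {
	return legacyAPIID(namespace, name) != encodeAPIID(namespace, name)
}

// decodeAPIID accepts either form and returns the namespace and name.
func decodeAPIID(id string) (string, string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(id, "="))
	if err != nil {
		return "", "", fmt.Errorf("decode API_ID %q: %w", id, err)
	}
	parts := strings.SplitN(string(raw), "/", 2)
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", "", errors.New("API_ID does not decode to namespace/name")
	}
	return parts[0], parts[1], nil
}

// internalURL builds the tyk://<API_ID>/<path> value sent to the gateway.
func internalURL(namespace, name, path string) string {
	return "tyk://" + encodeAPIID(namespace, name) + "/" + strings.TrimPrefix(path, "/")
}

func main() {
	// Targets taken from the two YAML samples above.
	for _, t := range [][3]string{
		{"default", "proxy-api", "proxy/$1"},
		{"default", "basic-auth-internal", "basic/$2"},
	} {
		fmt.Printf("%-55s id changes on upgrade: %v\n",
			internalURL(t[0], t[1], t[2]), idChangesOnUpgrade(t[0], t[1]))
	}
}
```

Only names whose namespace/name length is not a multiple of three bytes carried padding, so only those IDs differ between the two encodings.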

Oauth2 client credentials

Usage

  oauth_meta:
    allowed_access_types:
      - client_credentials
    allowed_authorize_types:
      - token

Full sample file

Enhancements

  • Use official tyk-helm-charts for development and ci PR#260
  • Reduce permission of secret controller PR#376
  • Add support for podAnnotations PR#262

Bug fixes

  • Apply TYK_TLS_INSECURE_SKIP_VERIFY env var PR#267

v0.6.0 received 17 commits from 3 contributors
commit window started Mon Feb 22 2021 and ended Fri Apr 9 2021

Changelog

bfaddd6 Support podAnnotations (#262)
22eb533 Tyk helm chart (#269)
15d3179 Update README.md
b372f13 Update README.md
3d4af7b Update api_definitions.md
28ef546 Update installation.md
3e348c0 Update installation.md
75a6b04 Update policies.md
7373bf2 add support for internal looping API (#132)
2630f2f apply TYK_TLS_INSECURE_SKIP_VERIFY (#267)
ce4834e docs(installation): update, and clarify some points (#270)
cb2dd6d include k8s v1.20 in matrix tests (#280)
446e1e9 reducing permissions of secret controller (#276)
5ed8f4e simplify initialising client with TYK_TLS_INSECURE_SKIP_VERIFY (#278)
ea99cb5 support oauth2 client credentials for api protection (#271)
dace533 update looping documentation (#281)
22fa950 version to: v0.6.0

Docker images

  • docker pull tykio/tyk-operator:latest
  • docker pull tykio/tyk-operator:v0
  • docker pull tykio/tyk-operator:v0.6
  • docker pull tykio/tyk-operator:v0.6.0

v0.5.0

22 Feb 12:50

New features

Support JWT authentication

Massive shout out to the community for this one. Finally we have support for
JWT authentication.

Something notable with this change is how we refer to policies in jwt_default_policies and jwt_scope_to_policy_mapping: we use the {namespace}/{name} format, such as default/jwt to refer to a SecurityPolicy resource named jwt that is in the default namespace.

Check out these sample files on how to set up JWT authentication: https://github.com/TykTechnologies/tyk-operator/tree/master/config/samples/jwt-auth

Support session_lifetime

Now you can use the operator to configure the expiration duration of session keys.
We introduced session_lifetime on the ApiDefinition resource for this.

Support IP whitelisting and IP blacklisting

Bug fixes

Handle float64 field values

k8s CRDs don't support float64 values; however, tyk gateway expects float64 values.
For example, when configuring a circuit breaker, threshold_percent is a float64 value
that can be 0 <= threshold_percent <= 1.

Essentially threshold_percent is a percentage where 1.0==100%, 0.5==50%. We needed a way for the operator to accept this value and send it to the gateway as a float64.

PR #252 introduces two types, Float64 and Percent, which allow you to
describe float64 values as strings that will be JSON-encoded as floating point numbers.

With this change the operator now fully supports configuring CircuitBreakers.
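
The string-in, float-out idea described above, with the 0 <= threshold_percent <= 1 range enforced, as an added example (a sketch written for this page, not the types from PR #252). The circuitBreaker struct and toGatewayJSON helper are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"math"
	"strconv"
)

// Percent carries a fraction in [0, 1] as a string, so it can live in a
// resource schema that has no float64 type.
type Percent string

// Float parses the string and rejects anything outside 0 <= x <= 1.
func (p Percent) Float() (float64, error) {
	f, err := strconv.ParseFloat(string(p), 64)
	if err != nil {
		return 0, fmt.Errorf("percent %q is not a number: %w", string(p), err)
	}
	if math.IsNaN(f) || f < 0 || f > 1 {
		return 0, fmt.Errorf("percent %q is outside 0 <= x <= 1", string(p))
	}
	return f, nil
}

// MarshalJSON emits a JSON number, which is what the gateway expects.
func (p Percent) MarshalJSON() ([]byte, error) {
	f, err := p.Float()
	if err != nil {
		return nil, err
	}
	return json.Marshal(f)
}

// UnmarshalJSON accepts the string form ("0.5") and a plain number (0.5).
func (p *Percent) UnmarshalJSON(b []byte) error {
	var s string
	if err := json.Unmarshal(b, &s); err != nil {
		var f float64
		if err := json.Unmarshal(b, &f); err != nil {
			return fmt.Errorf("percent must be a string or a number: %w", err)
		}
		s = strconv.FormatFloat(f, 'f', -1, 64)
	}
	if _, err := Percent(s).Float(); err != nil {
		return err
	}
	*p = Percent(s)
	return nil
}

// circuitBreaker is a hypothetical one-field stand-in for the real settings.
type circuitBreaker struct {
	ThresholdPercent Percent `json:"threshold_percent"`
}

// toGatewayJSON re-encodes the resource form into the gateway form.
func toGatewayJSON(resourceJSON string) (string, error) {
	var cb circuitBreaker
	if err := json.Unmarshal([]byte(resourceJSON), &cb); err != nil {
		return "", err
	}
	out, err := json.Marshal(cb)
	return string(out), err
}

func main() {
	// Constructed inputs: a valid string value, then an out-of-range one.
	for _, in := range []string{`{"threshold_percent":"0.5"}`, `{"threshold_percent":"1.5"}`} {
		out, err := toGatewayJSON(in)
		fmt.Println(in, "->", out, err)
	}
}
```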

And lots of improvements to our docs and development environment.


v0.5.0 received 20 commits from 4 contributors
commit window started Wed Jan 6 2021 and ended Tue Feb 16 2021

Changelog

653af8e Add templates - GitHub issues and PRs (#207)
7046458 Cleanup JWT support (#248)
6c9c724 Create LICENSE.md (#256)
c96e787 Ensure dev make rules works for kind and minikube (#253)
2108ee5 Fixing Ingress docs
9e4102f Rename LICENSE.md to LICENSE
d7f1b66 Rename README to README.md
5d27f5d Rename README.md to README
e47993f Update README.md
5e9dc56 Update README.md
a1a3409 Update api_definitions.md
332caf5 add prerequisite for pro deployments (#259)
c54b147 add session_lifetime (#255)
b1623c3 configurable deployment resources (#242)
8875768 feat: add JWT authentication (#245)
bab6818 feat: support ip whitelisting and blacklisting (#238)
8e62cb7 handle float64 field (#252)
a7ee9a0 ingress documentation tweaks
210765f jwt helm (#246)
7134bff support method transform middleware (#240)
8af2bb4 version to: v0.5.0

Docker images

  • docker pull tykio/tyk-operator:latest
  • docker pull tykio/tyk-operator:v0
  • docker pull tykio/tyk-operator:v0.5
  • docker pull tykio/tyk-operator:v0.5.0

v0.4.1

06 Jan 11:54

A lot of effort went into polishing our Ingress story, mainly fixing a bunch of defects.

Notable Highlights

Support for wildcard hostname in ingress

PR #233

Yes, that is right: now you can declare your ingress resource to match a wildcard hostname
and the operator will take care of the rest.

Now you can confidently ship this ingress resource:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: httpbin-ingress-wildcard-host
  annotations:
    kubernetes.io/ingress.class: tyk
    tyk.io/template: myapideftemplate
spec:
  rules:
    - host: "*.foo.com" # wildcard
      http:
        paths:
          - path: /httpbin
            pathType: Prefix
            backend:
              service:
                name: httpbin
                port:
                  number: 8000

And

  • curl http://bar.foo.com/httpbin/get will match because both the wildcard and the prefix will match
  • curl http://baz.bar.foo.com/httpbin/get will not match, wildcard only covers a single DNS label
  • curl http://foo.com/httpbin/get will not match because this doesn't have wildcard subdomain
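
The three cases above as a matcher, as an added example (not the operator's or the gateway's code). It follows the single-label wildcard rule stated in the list and the element-wise meaning of pathType: Prefix from the Kubernetes Ingress specification; the function names are illustrative.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// normalizeHost lower-cases a Host header value and strips any port and
// trailing dot so that comparisons are done on the bare DNS name.
func normalizeHost(h string) string {
	if hostOnly, _, err := net.SplitHostPort(h); err == nil {
		h = hostOnly
	}
	return strings.ToLower(strings.TrimSuffix(h, "."))
}

// hostMatches applies the rule from the list above: "*.foo.com" matches a
// host with exactly one extra leading DNS label, never zero and never two.
func hostMatches(ruleHost, requestHost string) bool {
	rule := normalizeHost(ruleHost)
	host := normalizeHost(requestHost)
	if !strings.HasPrefix(rule, "*.") {
		return rule == host
	}
	// Keep the leading dot so that "notfoo.com" cannot match "*.foo.com".
	suffix := rule[1:]
	if !strings.HasSuffix(host, suffix) {
		return false
	}
	label := strings.TrimSuffix(host, suffix)
	return label != "" && !strings.Contains(label, ".")
}

// pathPrefixMatches compares whole path elements: "/httpbin" covers
// "/httpbin" and "/httpbin/get" but not "/httpbinx".
func pathPrefixMatches(prefix, path string) bool {
	prefix = strings.TrimSuffix(prefix, "/")
	return path == prefix || strings.HasPrefix(path, prefix+"/")
}

// ruleMatches requires both the host and the path prefix to match.
func ruleMatches(ruleHost, rulePrefix, requestHost, requestPath string) bool {
	return hostMatches(ruleHost, requestHost) && pathPrefixMatches(rulePrefix, requestPath)
}

func main() {
	// Hosts from the list above, plus two constructed edge cases.
	hosts := []string{"bar.foo.com", "baz.bar.foo.com", "foo.com", "notfoo.com", "BAR.foo.com:8080"}
	for _, h := range hosts {
		fmt.Printf("%-18s %v\n", h, ruleMatches("*.foo.com", "/httpbin", h, "/httpbin/get"))
	}
}
```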

Support creating ingress resource without specifying api definition template

PR #235

There was a hard requirement that every ingress must have a tyk.io/template annotation. This
has been lifted. Now you can omit this, and the operator will create APIs
using a default keyless template for you.

Connect api definition templates to ingress resources referencing it

PR #219 #228

Now we need to link to api definition template when creating an ingress resource.
This raises a few questions.

  • What happens when I update the template?

ANSWER: All ingresses referencing this will be updated and will recreate the new API definition resources with the updated template.

  • What happens when I delete a template which is still referenced by an ingress resource?

ANSWER: This operation will block; you can't. An API definition template will only be deleted if there is no ingress referencing it.

Support custom ingress class

PR #219

Before this, we were only listening to the tyk ingress class annotation. Now this
value can be customized by setting the environment variable WATCH_INGRESS_CLASS before
starting the controller.

This will make it possible to do WATCH_INGRESS_CLASS=nginx and use this
annotation, which the operator will pick up.

kubernetes.io/ingress.class: nginx

Or you can take this further by using different ingress classes based on different
environments, e.g. tyk-dev, tyk-staging and just tyk for production.


This comes with a small improvement on how we run tests, especially our bdd tests.

The bdd tests need to make direct API calls to the running gateway in the cluster
to validate that reconciliations were correctly applied. This is an issue because
we don't expose the tyk service to the outside world, meaning we can't just make direct
calls to it.

Our previous approach was to do port forwarding:

$ kubectl port-forward -n tykpro-control-plane svc/gw 8000:8000
Forwarding from 127.0.0.1:8000 -> 8000
Forwarding from [::1]:8000 -> 8000

Then we made calls to localhost:8000 to talk to the gateway. This approach worked;
however, it was error prone and flaky, and it took a bit longer to set up, tear down and make calls.

We have now moved to a new approach where we leverage kubectl exec and curl
to talk to the gateway.

So now, when we set up our test suite, we first get the name of the pod running tyk:

$ kubectl get pods -l name=tyk -n tykpro-control-plane -o jsonpath='{.items..metadata.name}'
tyk-569d56d499-s5qww

We cache this value since we use it throughout the test suite lifetime.

A call made directly to the pod then looks like

kubectl exec tyk-569d56d499-vbm4c -c tyk -n tykpro-control-plane -- curl -s -i -A "Go-http-client/1.1" -H "Accept:" -X GET -H "Authorization: foobarbaz" http://localhost:8000/httpbin/headers

Changelog

23faba3 #210 sample wildcard host ingress (#233)
7d2fa45 Ci/hash keys (#224)
fb9dceb Fix regression (#232)
b2d382c Update README.md
f30f277 Update README.md
c6cf5dd Use controllerutil in security policy reconciler (#215)
83f32f0 block template deletion when there are ingresses depending on it. (#228)
93fb6d9 deterministic api control (#234)
757d72d document ingress limitations (#211)
258764d fix deletion of orphan apis (#230)
2b12941 ingress class docs (#227)
1c81065 istio ingress bookinfo example (#236)
d97b51c sync apidef templates changes with the ingress controller (#219)
712a1c0 use default template for ingress (#235)
f54cfb5 version to: v0.4.1

Docker images

  • docker pull tykio/tyk-operator:latest
  • docker pull tykio/tyk-operator:v0
  • docker pull tykio/tyk-operator:v0.4
  • docker pull tykio/tyk-operator:v0.4.1

v0.4.0

18 Dec 15:05

New features

TLS certificates management.

You can now load, rotate and delete TLS certificates inside tyk cert manager. This is good
news for our community edition users, as it works for both the pro and ce editions.

This feature adds the field certificate_secret_names (technically this was
already there, we are just adding an implementation for it), which is a list of secret
names to use for certificates.

This feature leverages cert manager.

Let's say you issue your own certificate, and this is your issuer resource:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned-issuer
spec:
  selfSigned: {}

Then you can issue a certificate that will be managed by tyk with:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: httpbin-cert
spec:
  secretName: httpbin-cert-tls
  dnsNames:
    - httpbin
  privateKey:
    rotationPolicy: Always
  issuerRef:
    name: selfsigned-issuer

Note that secretName is very important here, because we use it to retrieve
the certificate when doing reconciliation.

You can now use the certificates inside your APIDefinition to support https
like this:

apiVersion: tyk.tyk.io/v1alpha1
kind: ApiDefinition
metadata:
  name: httpbin
spec:
  name: httpbin
  use_keyless: true
  protocol: https
  listen_port: 8443
  certificate_secret_names:
    - httpbin-cert-tls
  active: true
  proxy:
    target_url: http://httpbin.org
    listen_path: /httpbin
    strip_listen_path: true

The controller will ensure httpbin-cert-tls is properly loaded into the APIDefinition
resource.

Ingress support

This is probably one of the biggest highlights of this release. The operator
can now manage ingress inside a k8s cluster. We follow the same pattern as the rest of
the k8s ecosystem, but we have decided to avoid excess use of annotations, which
has resulted in a clean and concise API for ingress with tyk.

This introduces the concept of templates. So basically an APIDefinition can now
be labeled as a template, by setting a label template: "true" inside the resource
metadata.

Something like this

apiVersion: tyk.tyk.io/v1alpha1
kind: ApiDefinition
metadata:
  name: myapideftemplate
  labels:
    template: "true"
spec:
  name: foo
  protocol: http
  use_keyless: true
  active: true
  proxy:
    target_url: http://example.com
    strip_listen_path: true

What happens here is that this resource will be created inside k8s; however, it will not be reconciled.
The idea is that it will be used as a template to drive other APIDefinition resources.

We can now leverage this template in our Ingress resource to expose k8s services by adding a tyk.io/template annotation that points to the name of the APIDefinition template to use.

Your ingress will look like

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: httpbin-ingress
  annotations:
    kubernetes.io/ingress.class: tyk 
    tyk.io/template: myapideftemplate 
spec:
  rules:
    - host: foo
      http:
        paths:
          - path: / 
            pathType: Prefix
            backend:
              service:
                name: httpbin
                port:
                  number: 800

For every path we will create an APIDefinition resource using the
myapideftemplate template; path will replace proxy.listen_path and host
will replace domain. Stay tuned: we will be adding more flexibility in upcoming releases.

Stabilization

Idempotent security policy

Lots of tests were added to ensure our policy management is consistent. So we are confident
that you can now properly manage your SecurityPolicy resources with the operator.

Release pipeline

  • now we can do make release VERSION=MAJOR.MINOR.PATCH to deploy releases
  • Robust github release workflow
  • matrix tests for K8s version compatibility v16, 17, 18 & 19. We ensure tests are passing for all these k8s versions and all our supported environments.

And lots of bugfixes


stats

v0.4.0 received 19 commits from 3 contributors
commit window started Fri Nov 27 2020 and ended Fri Dec 18 2020

Changelog

34a63d6 105 tls certificates (#189)
d3123a7 Bumping helm chart version
a151c68 Chart.yaml (#194)
de19e36 Delete release_latest.yaml
64a2246 Delete test_action.yaml
ea28e5d Idempotent security policy (#200)
857722a Ignore refs to accommodate manual runs (#193)
ee4a152 Ingress Support (#201)
c6b09e7 Matrix tests for K8s version compatibility v16, 17, 18 & 19
7d7c21f Rel 1 (#195)
bdec8a4 Update helm chart & docker push tag when a version is pushed (#192)
3ced25c Update k3s.yml
24b6c18 Use Default webhooks to set default values (#184)
ec34ecf enabling strip_auth_data and detailed recording in the api definition object (#206)
efede3c ensuring everything is run on ci (#188)
8cc6fe2 make scrape - improved development workflow (#187)

Docker images

  • docker pull tykio/tyk-operator:latest
  • docker pull tykio/tyk-operator:v0
  • docker pull tykio/tyk-operator:v0.4
  • docker pull tykio/tyk-operator:v0.4.0

v0.3.0

27 Nov 11:52

Changelog

9ef5b22 Added IDE Integration section with VS Code support (#178)
6607a48 Update dev workflow with kind (#181)
b468600 remove kustomize pacthes for coversion webhook (#174)
aee6723 fixing flakey tests (#175)
b53b2ad replace sed with a go script (#173)
fec92ea validating webhooks for apidefinition resource (#172)

Docker images

  • docker pull tykio/tyk-operator:latest
  • docker pull tykio/tyk-operator:v0
  • docker pull tykio/tyk-operator:v0.3
  • docker pull tykio/tyk-operator:v0.3.0

v0.2.0

17 Nov 11:33

Changelog

217904e Bug/flakey bdd (#157)
57b936e Feat/helm (#156)
2828377 Feat/helm crds (#163)
90ea946 Resilent deploy_tyk_pro script (#120)
4da0268 Update installation.md
f7e7db2 ability to restrict watched resources by namespace (#164)
d55ac3d add CORS (#160)
6f5a4fe bumping helm version
b4851b1 faster build times using cross-build image rather than docker building (#167)
201d92d fixing goreleaser extra_files internal to pkg

Docker images

  • docker pull tykio/tyk-operator:latest
  • docker pull tykio/tyk-operator:v0
  • docker pull tykio/tyk-operator:v0.2
  • docker pull tykio/tyk-operator:v0.2.0

v0.1.0

05 Nov 18:38

Changelog

ddbf332 #149 scenarios for gRPC plugin support (#150)
36036b3 Add Dashboard API Policies (#15)
5079801 Add ability to reference existing APIs as well as declare new APIs (#102)
65ca534 Add custom plugin example (#48)
0b04c3b CRUD api definitions
d8c57bc Comment out organization controller (#129)
ccf1d41 Speed up tests for CI (#76)
7fb9e8b Default Rate limit (#56)
977d7c9 Docs updates for SecPolicies and other general (#53)
1b2082c Feat/68 ci cd (#72)
30bf4b7 Feat/admin license secret (#80)
f5e62bd Feat/api graphql proxy (#96)
84a44a9 Feat/api id override (#16)
5acd415 Feat/api udg (#97)
bf30b13 Feat/apidef generate ingress resource (#43)
ace4c65 Feat/bootstrap org test (#77)
2b8fe87 Feat/docs links examples (#118)
2b71376 Feat/docs links examples (#119)
b9ce927 Feat/env vars operator (#121)
eeaa53c Feat/envtest (#82)
3af93e7 Feat/fix oss gw (#136)
a15ef08 Feat/global response headers (#51)
22e8509 Feat/policies api improvements (#26)
53e4f6a Feat/policies api improvements (#27)
c3afa87 Feat/release (#85)
80263b8 Feat/release (#86)
0a2a35e Feat/release (#87)
35b38be Feat/security policy 2 (#24)
e67c04b Feat/security policy 2 (#25)
ec71f62 Feat/tags (#154)
c6bcc63 Feat/tags (#155)
0407825 Feat/transform (#35)
97b8678 Feat/universal client (#17)
ab3b411 Feat/v1alpha1 (#46)
de14475 Feat/webhook fix (#123)
24359a2 Feat/webhooks (#70)
fbd06ed Fix event recorder
aa54a5e Fix nonexisting apis (#101)
3271137 Fixes webhook manifests generation (#94)
feaa4ce Fixing links between READMEs (#115)
986bf24 Friendly ids (#31)
fb95b88 Idempotent Policy IDs (#103)
c7ef4a6 Policies stuff (#38)
5379af0 Policy CRUD with updated ID mapping logic (#47)
7b0bbc3 Small changes (#106)
841e1eb Store ids (#84)
1d9ff57 Update api_access.md (#111)
09d7e59 Update api_definitions.md
92f7a99 Update api_definitions.md
a6f985d Update api_definitions.md (#107)
401d395 Update api_definitions.md (#110)
b2fda76 Update api_definitions.md (#61)
bbddc11 Update api_definitions.md (#65)
911e732 Update docs, restructuring the pages to clean up the landing pages for CRDS by moving specific stuff into its own pages (#113)
c7350f5 ability to talk to the dashboard API
96d9776 adding TCP api def example (#37)
7bbdf33 adding TCP api def example (#39)
b943005 adding better dev docs
edc1490 adding feature file for certificates (#146)
4a2d845 adding files for docker build
e214903 adding hiring and installation disclaimer (#137)
ae7eb4d adding redis helper yaml
db1156f adds readme instructions
afe74f3 adds test
4cb1412 api definition object
e61aaa7 basics of the CRD and controller setup
0d13afb beginning admission webhook + shortname
ff41181 boilerplate for orgs (#73)
e9c7e3c broken validation example (#57)
57e224f changing apache2 to mpl2 (#30)
29db560 cleanup
395858b completing the tests for XML->JSON transform (#147)
c96c33b configuring API Definition types
d140588 containsString and removeString finalizer helper
d9e6788 context variables and gateway tags (#127)
e5cb570 create update delete api definitions
e6d5df0 default not versioned
b586842 disable archives
da57c13 disabling a lot of the goreleaser stuff
c793671 disabling a lot of the goreleaser stuff
9e6c2a4 documenting enforced timeout and circuitbreaker support (#58)
1c349b9 documenting request & response body transforms (#54)
94d767a enabling CRUD for APIDef operator
4fab55a enabling endpoint caching middleware (#32)
505df3b enhancing documentation for the api_definition cr (#60)
9b3823b feat: add coprocess auth (#139)
7a3c6aa few tweaks APIDef CRD
67c1057 improving documentation for the api definition custom resource. (#99)
3743443 initial commit
c06dbce installation documentation (#122)
7d630bd jq wrangling (#75)
af0ee4a login to docker when push to master (#83)
a4dd631 making some fields optional
e0fbae8 map to slice
9b3f6af move explanations to bottom
e510725 move explanations to bottom
a801ad6 moving api def tests to the api_test file
9a5059e newline
3bddf24 really simple api definition
5f94c00 refactor / cleanup the apidef reconciler (#29)
19308ed registering a finalizer for api definition
b9cd4b4 removing hardcoded dash / gateway configs from main (#28)
42e8fd4 rollback from v1 to v1beta1 (#125)
f5daeb5 routing & endpoint tracking (#130)
07be37a sample global header middlewares (#34)
1d478ca scenario to delete an Api (#145)
9c0a326 securitypolicy controller (#40)
707ec52 setting secret & node_secret as k8s secret
2bc832b some more TODOs (#23)
56e1fc6 starting webhook
8ffcb12 starting webhook work
72f0dde starting work on fleshing out a minmum viable security policy (#22)
d5ffba4 streamlining the reconciler. also, we are not using state (#36)
7c8a6aa supporting url rewrite and creating HttpMethod type (#135)
8f8add5 tidying dependencies
52e9e4d trim whitespace from env vars
6b62caf update path of tyk.yaml file to point to correct directory (#88)
917adda updating stuff
b1feabd usage demo (#20)
76dd962 validation on secrets

Docker images

  • docker pull tykio/tyk-operator:latest
  • docker pull tykio/tyk-operator:v0
  • docker pull tykio/tyk-operator:v0.1
  • docker pull tykio/tyk-operator:v0.1.0