/
api.go
1298 lines (1046 loc) · 48.5 KB
/
api.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
/*
Licensed under the Mozilla Public License (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
https://www.mozilla.org/en-US/MPL/2.0/
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// +kubebuilder:object:generate=true
package model
import (
"encoding/base64"
"encoding/json"
"fmt"
"net/url"
"strings"
"time"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
"k8s.io/apimachinery/pkg/types"
)
// MapStringInterfaceType represents a generic struct used as a map[string]interface{}. Since an arbitrary
// JSON fields defined as map[string]interface{} is not feasible to use as a Kubernetes CRD, unstructured.Unstructured
// type is used.
type MapStringInterfaceType struct {
// +kubebuilder:pruning:PreserveUnknownFields
unstructured.Unstructured `json:",inline"`
}
// ApiDefinitionSpec defines the desired state of ApiDefinition
type (
AuthProviderCode string
SessionProviderCode string
StorageEngineCode string
TykEvent string
TykEventHandlerName string
EndpointMethodAction string
TemplateMode string
MiddlewareDriver string
IdExtractorSource string
IdExtractorType string
AuthTypeEnum string
RoutingTriggerOnType string
)
// HttpMethod represents HTTP request method
// +kubebuilder:validation:Enum=GET;POST;PUT;PATCH;DELETE;OPTIONS;HEAD;CONNECT;TRACE
type HttpMethod string
// GraphQLExecutionMode is the mode to define how an api behaves.
// +kubebuilder:validation:Enum="";proxyOnly;executionEngine;supergraph;subgraph
type GraphQLExecutionMode string
const (
SuperGraphExecutionMode GraphQLExecutionMode = "supergraph"
SubGraphExecutionMode GraphQLExecutionMode = "subgraph"
)
// APIProtocol is the network transport protocol supported by the gateway
// +kubebuilder:validation:Enum="";h2c;tcp;tls;http;https;
type APIProtocol string
type NotificationsManager struct {
SharedSecret string `json:"shared_secret"`
OAuthKeyChangeURL string `json:"oauth_on_keychange_url"`
}
type EndpointMethodMeta struct {
Action EndpointMethodAction `json:"action"`
Code int `json:"code"`
Data string `json:"data"`
Headers map[string]string `json:"headers"`
}
type EndPointMeta struct {
Path string `json:"path"`
IgnoreCase bool `json:"ignore_case"`
MethodActions map[string]EndpointMethodMeta `json:"method_actions"`
}
type CacheMeta struct {
Method HttpMethod `json:"method"`
Path string `json:"path"`
CacheKeyRegex string `json:"cache_key_regex"`
CacheOnlyResponseCodes []int `json:"cache_response_codes"`
}
type RequestInputType string
type TemplateData struct {
Input RequestInputType `json:"input_type"`
Mode TemplateMode `json:"template_mode"`
EnableSession bool `json:"enable_session"`
TemplateSource string `json:"template_source"`
// FromDashboard bool `json:"from_dashboard"`
}
type TemplateMeta struct {
TemplateData TemplateData `json:"template_data"`
Path string `json:"path"`
Method HttpMethod `json:"method"`
}
type TransformJQMeta struct {
Filter string `json:"filter"`
Path string `json:"path"`
Method HttpMethod `json:"method"`
}
type HeaderInjectionMeta struct {
DeleteHeaders []string `json:"delete_headers"`
AddHeaders map[string]string `json:"add_headers"`
Path string `json:"path"`
Method HttpMethod `json:"method"`
ActOnResponse bool `json:"act_on"`
}
type HardTimeoutMeta struct {
Path string `json:"path"`
Method HttpMethod `json:"method"`
TimeOut int `json:"timeout"`
}
type TrackEndpointMeta struct {
Path string `json:"path"`
Method HttpMethod `json:"method"`
}
type InternalMeta struct {
Path string `json:"path"`
Method HttpMethod `json:"method"`
}
type RequestSizeMeta struct {
Path string `json:"path"`
Method HttpMethod `json:"method"`
SizeLimit int64 `json:"size_limit"`
}
type CircuitBreakerMeta struct {
Path string `json:"path"`
Method HttpMethod `json:"method"`
// ThresholdPercent is the percentage of requests that fail before breaker is tripped
ThresholdPercent Percent `json:"threshold_percent"`
// Samples defines the number of requests to base the ThresholdPercent on
Samples int64 `json:"samples"`
// ReturnToServiceAfter represents the time in seconds to return back to the service
ReturnToServiceAfter int `json:"return_to_service_after"`
DisableHalfOpenState *bool `json:"disable_half_open_state,omitempty"`
}
type StringRegexMap struct {
MatchPattern string `json:"match_rx"`
Reverse *bool `json:"reverse,omitempty"`
}
type RoutingTriggerOptions struct {
HeaderMatches map[string]StringRegexMap `json:"header_matches,omitempty"`
QueryValMatches map[string]StringRegexMap `json:"query_val_matches,omitempty"`
PathPartMatches map[string]StringRegexMap `json:"path_part_matches,omitempty"`
SessionMetaMatches map[string]StringRegexMap `json:"session_meta_matches,omitempty"`
RequestContextMatches map[string]StringRegexMap `json:"request_context_matches,omitempty"`
PayloadMatches *StringRegexMap `json:"payload_matches,omitempty"`
}
type RoutingTrigger struct {
On RoutingTriggerOnType `json:"on"`
Options RoutingTriggerOptions `json:"options"`
RewriteTo *string `json:"rewrite_to,omitempty"`
RewriteToInternal *RewriteToInternal `json:"rewrite_to_internal,omitempty"`
}
func (r *RoutingTrigger) collectLoopingTarget(fn func(Target)) {
if r.RewriteToInternal != nil {
x := r.RewriteToInternal.Target
rewriteToInternal := r.RewriteToInternal.String()
r.RewriteTo = &rewriteToInternal
r.RewriteToInternal = nil
fn(x)
}
}
type URLRewriteMeta struct {
// Path represents the endpoint listen path
Path string `json:"path"`
Method HttpMethod `json:"method"`
// MatchPattern is a regular expression pattern to match the path
MatchPattern string `json:"match_pattern"`
// RewriteTo is the target path on the upstream, or target URL we wish to rewrite to
RewriteTo *string `json:"rewrite_to,omitempty"`
// RewriteToInternal serves as rewrite_to but used when rewriting to target
// internal api's
// When rewrite_to and rewrite_to_internal are both provided then
// rewrite_to will take rewrite_to_internal
RewriteToInternal *RewriteToInternal `json:"rewrite_to_internal,omitempty"`
Triggers []RoutingTrigger `json:"triggers,omitempty"`
}
func (u *URLRewriteMeta) collectLoopingTarget(fn func(Target)) {
if u.RewriteToInternal != nil {
x := u.RewriteToInternal.Target
if u.RewriteTo == nil {
u.RewriteTo = new(string)
}
*u.RewriteTo = u.RewriteToInternal.String()
u.RewriteToInternal = nil
fn(x)
}
for i := 0; i < len(u.Triggers); i++ {
u.Triggers[i].collectLoopingTarget(fn)
}
}
// TargetInternal defines options that constructs a url that refers to an api that
// is loaded into the gateway.
type TargetInternal struct {
// API a namespaced/name to the api definition resource that you are
// targetting
Target Target `json:"target,omitempty"`
// Path path on target , this does not include query parameters.
// example /myendpoint
Path *string `json:"path,omitempty"`
// Query url query string to add to target
// example check_limits=true
Query *string `json:"query,omitempty"`
}
func (i TargetInternal) String() string {
host := i.Target.String()
host = base64.RawURLEncoding.EncodeToString([]byte(host))
path := ""
query := ""
if i.Path != nil {
path = *i.Path
}
if i.Query != nil {
query = *i.Query
}
u := url.URL{
Scheme: "tyk",
Host: host,
RawPath: path,
RawQuery: query,
}
return u.String()
}
// RewriteToInternal defines options that constructs a url that refers to an api that
// is loaded into the gateway.
type RewriteToInternal struct {
// API a namespaced/name to the api definition resource that you are
// targetting
Target Target `json:"target,omitempty"`
// Path path on target , this does not include query parameters.
// example /myendpoint
Path *string `json:"path,omitempty"`
// Query url query string to add to target
// example check_limits=true
Query *string `json:"query,omitempty"`
}
func (i RewriteToInternal) String() string {
host := i.Target.String()
host = base64.RawURLEncoding.EncodeToString([]byte(host))
path := ""
query := ""
if i.Path != nil {
path = *i.Path
}
if i.Query != nil {
query = *i.Query
}
u := url.URL{
Scheme: "tyk",
Host: host,
Path: path,
RawQuery: query,
}
return u.String()
}
type Target struct {
// k8s resource name
Name string `json:"name"`
// The k8s namespace of the resource being targetted. When omitted this will be
// set to the namespace of the object that is being reconciled.
Namespace *string `json:"namespace,omitempty"`
}
func (t *Target) Parse(v string) {
if strings.Contains(v, "/") {
if p := strings.Split(v, "/"); len(p) == 2 {
if t.Namespace == nil {
t.Namespace = new(string)
}
*t.Namespace = p[0]
t.Name = p[1]
}
}
}
func (t Target) String() string {
return t.NS("").String()
}
// Equal returns true if t and o are equal
func (t Target) Equal(o Target) bool {
namespaceMatches := false
if t.Namespace == nil {
if o.Namespace == nil {
namespaceMatches = true
} else if *o.Namespace == "" {
namespaceMatches = true
}
} else {
if *t.Namespace == "" && o.Namespace == nil {
namespaceMatches = true
} else if o.Namespace != nil {
namespaceMatches = *t.Namespace == *o.Namespace
}
}
return namespaceMatches && t.Name == o.Name
}
func (t Target) NS(defaultNS string) types.NamespacedName {
if t.Namespace != nil && *t.Namespace != "" {
defaultNS = *t.Namespace
}
return types.NamespacedName{Namespace: defaultNS, Name: t.Name}
}
func (t Target) NamespaceMatches(ns string) bool {
if t.Namespace == nil && ns == "" {
return true
}
if t.Namespace != nil && *t.Namespace == ns {
return true
}
return false
}
type VirtualMeta struct {
ResponseFunctionName string `json:"response_function_name"`
FunctionSourceType string `json:"function_source_type"`
FunctionSourceURI string `json:"function_source_uri"`
Path string `json:"path"`
Method HttpMethod `json:"method"`
UseSession bool `json:"use_session"`
ProxyOnError bool `json:"proxy_on_error"`
}
type MethodTransformMeta struct {
Path string `json:"path"`
Method HttpMethod `json:"method"`
ToMethod HttpMethod `json:"to_method"`
}
type ValidatePathMeta struct {
Disabled *bool `json:"disabled,omitempty"`
// Allows override of default 422 Unprocessable Entity response code for validation errors.
ErrorResponseCode int `json:"error_response_code"`
Path string `json:"path"`
Method HttpMethod `json:"method"`
// Schema represents schema field that verifies user requests against a specified
// JSON schema and check that the data sent to your API by a consumer is in the right format.
Schema *MapStringInterfaceType `json:"schema"`
}
type ExtendedPathsSet struct {
Ignored []EndPointMeta `json:"ignored,omitempty"`
WhiteList []EndPointMeta `json:"white_list,omitempty"`
BlackList []EndPointMeta `json:"black_list,omitempty"`
// List of paths which cache middleware should be enabled on
Cached []string `json:"cache,omitempty"`
Transform []TemplateMeta `json:"transform,omitempty"`
TransformResponse []TemplateMeta `json:"transform_response,omitempty"`
TransformJQ []TransformJQMeta `json:"transform_jq,omitempty"`
TransformJQResponse []TransformJQMeta `json:"transform_jq_response,omitempty"`
TransformHeader []HeaderInjectionMeta `json:"transform_headers,omitempty"`
TransformResponseHeader []HeaderInjectionMeta `json:"transform_response_headers,omitempty"`
AdvanceCacheConfig []CacheMeta `json:"advance_cache_config,omitempty"`
HardTimeouts []HardTimeoutMeta `json:"hard_timeouts,omitempty"`
CircuitBreaker []CircuitBreakerMeta `json:"circuit_breakers,omitempty"`
URLRewrite []URLRewriteMeta `json:"url_rewrites,omitempty"`
Virtual []VirtualMeta `json:"virtual,omitempty"`
SizeLimit []RequestSizeMeta `json:"size_limits,omitempty"`
MethodTransforms []MethodTransformMeta `json:"method_transforms,omitempty"`
TrackEndpoints []TrackEndpointMeta `json:"track_endpoints,omitempty"`
DoNotTrackEndpoints []TrackEndpointMeta `json:"do_not_track_endpoints,omitempty"`
ValidateJSON []ValidatePathMeta `json:"validate_json,omitempty"`
Internal []InternalMeta `json:"internal,omitempty"`
}
func (e *ExtendedPathsSet) collectLoopingTarget(fn func(Target)) {
if e == nil {
return
}
for i := 0; i < len(e.URLRewrite); i++ {
e.URLRewrite[i].collectLoopingTarget(fn)
}
}
type VersionInfo struct {
Name string `json:"name"`
Expires *string `json:"expires,omitempty"`
Paths *VersionInfoPaths `json:"paths,omitempty"`
UseExtendedPaths *bool `json:"use_extended_paths,omitempty"`
ExtendedPaths *ExtendedPathsSet `json:"extended_paths,omitempty"`
GlobalHeaders map[string]string `json:"global_headers,omitempty"`
GlobalHeadersRemove []string `json:"global_headers_remove,omitempty"`
GlobalResponseHeaders map[string]string `json:"global_response_headers,omitempty"`
GlobalResponseHeadersRemove []string `json:"global_response_headers_remove,omitempty"`
IgnoreEndpointCase *bool `json:"ignore_endpoint_case,omitempty"`
GlobalSizeLimit int64 `json:"global_size_limit,omitempty"`
OverrideTarget *string `json:"override_target,omitempty"`
}
func (v *VersionInfo) collectLoopingTarget(fn func(Target)) {
v.ExtendedPaths.collectLoopingTarget(fn)
}
type VersionInfoPaths struct {
Ignored []string `json:"ignored,omitempty"`
WhiteList []string `json:"white_list,omitempty"`
BlackList []string `json:"black_list,omitempty"`
}
type AuthProviderMeta struct {
Name AuthProviderCode `json:"name"`
StorageEngine StorageEngineCode `json:"storage_engine"`
// Meta map[string]interface{} `json:"meta"`
}
type SessionProviderMeta struct {
Name SessionProviderCode `json:"name"`
StorageEngine StorageEngineCode `json:"storage_engine"`
// Meta map[string]interface{} `json:"meta"`
}
type EventHandlerTriggerConfig struct {
Handler TykEventHandlerName `json:"handler_name"`
// HandlerMeta map[string]interface{} `json:"handler_meta"`
}
type EventHandlerMetaConfig struct {
Events map[TykEvent][]EventHandlerTriggerConfig `json:"events"`
}
type MiddlewareDefinition struct {
Name string `json:"name"`
Path string `json:"path"`
RequireSession *bool `json:"require_session,omitempty"`
RawBodyOnly *bool `json:"raw_body_only,omitempty"`
}
type IdExtractorConfig struct {
HeaderName *string `json:"header_name,omitempty"`
FormParamName *string `json:"param_name,omitempty"`
RegexExpression *string `json:"regex_expression,omitempty"`
RegexMatchIndex int `json:"regex_match_index,omitempty"`
}
type MiddlewareIdExtractor struct {
ExtractFrom IdExtractorSource `json:"extract_from"`
ExtractWith IdExtractorType `json:"extract_with"`
ExtractorConfig IdExtractorConfig `json:"extractor_config"`
}
type MiddlewareSection struct {
Pre []MiddlewareDefinition `json:"pre,omitempty"`
Post []MiddlewareDefinition `json:"post,omitempty"`
PostKeyAuth []MiddlewareDefinition `json:"post_key_auth,omitempty"`
AuthCheck MiddlewareDefinition `json:"auth_check,omitempty"`
Response []MiddlewareDefinition `json:"response,omitempty"`
Driver MiddlewareDriver `json:"driver"`
IdExtractor MiddlewareIdExtractor `json:"id_extractor,omitempty"`
}
type CacheOptions struct {
// EnableCache turns global cache middleware on or off.
// It is still possible to enable caching on a per-path basis by explicitly setting the endpoint cache middleware.
// see `spec.version_data.versions.{VERSION}.extended_paths.cache[]`
EnableCache *bool `json:"enable_cache,omitempty"`
// CacheTimeout is the TTL for a cached object in seconds
CacheTimeout int64 `json:"cache_timeout"`
// CacheAllSafeRequests caches responses to (GET, HEAD, OPTIONS) requests
// overrides per-path cache settings in versions, applies across versions
CacheAllSafeRequests *bool `json:"cache_all_safe_requests,omitempty"`
// CacheOnlyResponseCodes is an array of response codes which are safe to cache. e.g. 404
CacheOnlyResponseCodes []int `json:"cache_response_codes,omitempty"`
// EnableUpstreamCacheControl instructs Tyk Cache to respect upstream cache control headers
EnableUpstreamCacheControl *bool `json:"enable_upstream_cache_control,omitempty"`
// CacheControlTTLHeader is the response header which tells Tyk how long it is safe to cache the response for
CacheControlTTLHeader *string `json:"cache_control_ttl_header,omitempty"`
// CacheByHeaders allows header values to be used as part of the cache key
CacheByHeaders []string `json:"cache_by_headers,omitempty"`
}
type ResponseProcessor struct {
Name string `json:"name"`
// Options interface{} `json:"options"`
}
type HostCheckObject struct {
CheckURL string `json:"url"`
Protocol string `json:"protocol"`
Timeout time.Duration `json:"timeout"`
EnableProxyProtocol bool `json:"enable_proxy_protocol"`
Commands []CheckCommand `json:"commands"`
Method HttpMethod `json:"method"`
Headers map[string]string `json:"headers"`
Body string `json:"body"`
}
type CheckCommand struct {
Name string `json:"name"`
Message string `json:"message"`
}
type ServiceDiscoveryConfiguration struct {
UseDiscoveryService bool `json:"use_discovery_service"`
QueryEndpoint string `json:"query_endpoint"`
UseNestedQuery bool `json:"use_nested_query"`
ParentDataPath string `json:"parent_data_path"`
DataPath string `json:"data_path"`
PortDataPath string `json:"port_data_path"`
TargetPath string `json:"target_path"`
UseTargetList bool `json:"use_target_list"`
CacheTimeout int64 `json:"cache_timeout"`
EndpointReturnsList bool `json:"endpoint_returns_list"`
}
type OIDProviderConfig struct {
Issuer string `json:"issuer"`
ClientIDs map[string]string `json:"client_ids"`
}
type OpenIDOptions struct {
Providers []OIDProviderConfig `json:"providers"`
SegregateByClient bool `json:"segregate_by_client"`
}
// APIDefinitionSpec represents the configuration for a single proxied API and it's versions.
type APIDefinitionSpec struct {
// For server use only, do not use
ID *string `json:"id,omitempty" hash:"ignore"`
// Only set this field if you are referring
// to an existing API def.
// The Operator will use this APIID to link the CR with the API in Tyk
// Note: The values in the CR will become the new source of truth, overriding the existing API Definition
APIID *string `json:"api_id,omitempty"`
Name string `json:"name"`
// OrgID is overwritten - no point setting this
OrgID *string `json:"org_id,omitempty"`
// Active specifies if the api is enabled or not
Active *bool `json:"active,omitempty"`
// Proxy
Proxy Proxy `json:"proxy"`
// +optional
ListenPort int `json:"listen_port"`
Protocol APIProtocol `json:"protocol"`
EnableProxyProtocol *bool `json:"enable_proxy_protocol,omitempty"`
// Domain represents a custom host header that the gateway will listen on for this API
Domain *string `json:"domain,omitempty"`
// DoNotTrack disables endpoint tracking for this API
DoNotTrack *bool `json:"do_not_track,omitempty"`
// UseKeylessAccess will switch off all key checking. Some analytics will still be recorded, but rate-limiting,
// quotas and security policies will not be possible (there is no session to attach requests to).
UseKeylessAccess *bool `json:"use_keyless,omitempty"`
// UseOAuth2 enables oauth2 authorization
UseOauth2 *bool `json:"use_oauth2,omitempty"`
//+optional
Oauth2Meta *OAuth2Meta `json:"oauth_meta,omitempty"`
// UseOpenID bool `json:"use_openid"`
// OpenIDOptions OpenIDOptions `json:"openid_options"`
// StripAuthData ensures that any security tokens used for accessing APIs are stripped and not leaked to the upstream
StripAuthData *bool `json:"strip_auth_data,omitempty"`
Auth AuthConfig `json:"auth,omitempty"`
// +optional
AuthConfigs map[string]AuthConfig `json:"auth_configs,omitempty"`
// UseStandardAuth enables simple bearer token authentication
UseStandardAuth *bool `json:"use_standard_auth,omitempty"`
// UseBasicAuth enables basic authentication
UseBasicAuth *bool `json:"use_basic_auth,omitempty"`
// BasicAuth BasicAuthMeta `json:"basic_auth"`
// UseMutualTLSAuth enables mututal TLS authentication
UseMutualTLSAuth *bool `json:"use_mutual_tls_auth,omitempty"`
ClientCertificates []string `json:"client_certificates,omitempty"`
ClientCertificateRefs []string `json:"client_certificate_refs,omitempty"`
// PinnedPublicKeys allows you to whitelist public keys used to generate certificates, so you will be protected in
// case an upstream certificate is compromised. Please use PinnedPublicKeysRefs if using cert-manager.
PinnedPublicKeys map[string]string `json:"pinned_public_keys,omitempty"`
// PinnedPublicKeysRefs allows you to specify public keys using k8s secret.
// It takes domain name as a key and secret name as a value.
PinnedPublicKeysRefs map[string]string `json:"pinned_public_keys_refs,omitempty"`
// UpstreamCertificates is a map of domains and certificate IDs that is used by the Tyk
// Gateway to provide mTLS support for upstreams
UpstreamCertificates map[string]string `json:"upstream_certificates,omitempty"`
// UpstreamCertificateRefs is a map of domains and secret names that is used internally
// to obtain certificates from secrets in order to establish mTLS support for upstreams
UpstreamCertificateRefs map[string]string `json:"upstream_certificate_refs,omitempty"`
// EnableJWT set JWT as the access method for this API.
EnableJWT *bool `json:"enable_jwt,omitempty"`
// Enable Go Plugin Auth. Needs to be combined with "use_keyless:false"
UseGoPluginAuth *bool `json:"use_go_plugin_auth,omitempty"`
EnableCoProcessAuth *bool `json:"enable_coprocess_auth,omitempty"`
// JWTSigningMethod algorithm used to sign jwt token
// +kubebuilder:validation:Enum="";rsa;hmac;ecdsa
JWTSigningMethod *string `json:"jwt_signing_method,omitempty"`
// JWTSource Must either be a base64 encoded valid RSA/HMAC key or a url to a
// resource serving JWK, this key will then be used to validate inbound JWT and
// throttle them according to the centralised JWT options and fields set in the
// configuration.
JWTSource *string `json:"jwt_source,omitempty"`
// JWTIdentityBaseField Identifies the user or identity to be used in the
// Claims of the JWT. This will fallback to sub if not found. This field forms
// the basis of a new “virtual” token that gets used after validation. It means
// policy attributes are carried forward through Tyk for attribution purposes.
JWTIdentityBaseField *string `json:"jwt_identity_base_field,omitempty"`
// JWTClientIDBaseField is the name of the field on JWT claim to use for client
// id. This field is mutually exclusive to jwt_identity_base_field, meaning you
// can only set/use one and jwt_identity_base_field takes precedence when both
// are set.
JWTClientIDBaseField *string `json:"jwt_client_base_field,omitempty"`
// JWTPolicyFieldName The policy ID to apply to the virtual token generated for a JWT
JWTPolicyFieldName *string `json:"jwt_policy_field_name,omitempty"`
// JWTDefaultPolicies is a list of policies that will be used when base policy
// can't be extracted from the JWT token. When this list is provided the first
// element will be used as the base policy while the rest of elements will be applied.
JWTDefaultPolicies []string `json:"jwt_default_policies,omitempty"`
// JWTIssuedAtValidationSkew adds validation for issued at JWT claim.
// Given
// now = current unix time
// skew = jwt_issued_at_validation_skew
// iat = the issued at jwt claim
// If iat > (now + skew) then validation will fail with "token used before issued"
JWTIssuedAtValidationSkew uint64 `json:"jwt_issued_at_validation_skew,omitempty"`
// JWTExpiresAtValidationSkew adds validation for expired at JWT claim.
// Given
// now = current unix time
// skew = jwt_expires_at_validation_skew
// exp = expired at
// If exp > (now - skew) then validation will fail with "token has expired"
JWTExpiresAtValidationSkew uint64 `json:"jwt_expires_at_validation_skew,omitempty"`
// JWTNotBeforeValidationSkew adds validation for not before JWT claim.
// Given
// now = current unix time
// skew = jwt_not_before_validation_skew
// nbf = the not before jwt claim
// If nbf > (now + skew) then validation will fail with "token is not valid yet"
JWTNotBeforeValidationSkew uint64 `json:"jwt_not_before_validation_skew,omitempty"`
// JWTSkipKid when true we ingore using kid as the identity for a JWT token and
// instead use jwt_identity_base_field if it was set or fallback to sub JWT
// claim.
JWTSkipKid *bool `json:"jwt_skip_kid,omitempty"`
// JWTScopeToPolicyMapping this is a mapping of scope value to policy id. If
// this is set then a scope value found in this map will make the mappend
// policy to be applied.
JWTScopeToPolicyMapping map[string]string `json:"jwt_scope_to_policy_mapping,omitempty"`
// JWTScopeClaimName overides the key used for scope values in the JWT claims.
// By default the value is "scope"
JWTScopeClaimName *string `json:"jwt_scope_claim_name,omitempty"`
// NotificationsDetails NotificationsManager `json:"notifications"`
// EnableSignatureChecking bool `json:"enable_signature_checking"`
// HmacAllowedClockSkew json.Number `json:"hmac_allowed_clock_skew"` // TODO: convert to float64
// HmacAllowedAlgorithms []string `json:"hmac_allowed_algorithms"`
// RequestSigning RequestSigningMeta `json:"request_signing"`
// BaseIdentityProvidedBy sets Base Identity Provider for situation when multiple authentication mechanisms are used
// +kubebuilder:validation:Enum=auth_token;hmac_key;basic_auth_user;jwt_claim;oidc_user;oauth_key
BaseIdentityProvidedBy AuthTypeEnum `json:"base_identity_provided_by,omitempty"`
VersionDefinition VersionDefinition `json:"definition,omitempty"`
VersionData VersionData `json:"version_data,omitempty"`
// UptimeTests UptimeTests `json:"uptime_tests"`
// DisableRateLimit allows you to disable rate limits in a given API Definition.
DisableRateLimit *bool `json:"disable_rate_limit,omitempty"`
// DisableQuota allows you to disable quota middleware in a given API Definition.
DisableQuota *bool `json:"disable_quota,omitempty"`
// GlobalRateLimit is an API Level Global Rate Limit, which assesses all traffic coming into the API from all
// sources and ensures that the overall rate limit is not exceeded.
GlobalRateLimit GlobalRateLimit `json:"global_rate_limit,omitempty"`
CustomMiddleware MiddlewareSection `json:"custom_middleware,omitempty"`
CustomMiddlewareBundle *string `json:"custom_middleware_bundle,omitempty"`
CacheOptions CacheOptions `json:"cache_options,omitempty"`
// SessionLifetime this is duration in seconds before the session key expires
// in redis.
//
// Example:
// If you want the session keys to be alive only 24 hours you can set this
// value to 86400 that we can break down to
// 60 * 60 * 24 = Total seconds in a day
//+optional
SessionLifetime int64 `json:"session_lifetime,omitempty"`
// Internal tells Tyk Gateway that this is a virtual API. It can only be routed to from other APIs.
Internal *bool `json:"internal,omitempty"`
//AuthProvider AuthProviderMeta `json:"auth_provider"`
//SessionProvider SessionProviderMeta `json:"session_provider"`
////EventHandlers EventHandlerMetaConfig `json:"event_handlers"`
//EnableBatchRequestSupport bool `json:"enable_batch_request_support"`
// EnableIPWhiteListing activates the ip whitelisting middleware.
EnableIPWhiteListing *bool `json:"enable_ip_whitelisting,omitempty"`
// AllowedIPs is a list of IP address that are whitelisted.When this is
// provided all IP address that is not on this list will be blocked and a 403 http
// status will be returned. The IP address can be IPv4 or IPv6.IP in
// CIDR notation is also supported.
AllowedIPs []string `json:"allowed_ips,omitempty"`
// EnableIPBlacklisting activates the ip blacklisting middleware.
EnableIPBlacklisting *bool `json:"enable_ip_blacklisting,omitempty"`
// BlacklistedIPs is a list of IP address that will be blacklisted.This means if
// origin IP matches any IP in this list a 403 http status code will be
// returned. The IP address can be IPv4 or IPv6. IP in CIDR notation is also
// supported.
BlacklistedIPs []string `json:"blacklisted_ips,omitempty"`
// DontSetQuotasOnCreate bool `json:"dont_set_quota_on_create"`
// must have an expireAt TTL index set (http://docs.mongodb.org/manual/tutorial/expire-data/)
// ExpireAnalyticsAfter int64 `json:"expire_analytics_after"`
ResponseProcessors []ResponseProcessor `json:"response_processors,omitempty"`
CORS CORS `json:"CORS,omitempty"`
// Certificates is a list of Tyk Certificate IDs. e.g. orgid+fingerprint. Use CertificateSecretNames if using cert-manager
Certificates []string `json:"certificates,omitempty"`
// CertificateSecretNames represents the names of the secrets that the controller should look for in the current
// namespace which contain the certificates.
CertificateSecretNames []string `json:"certificate_secret_names,omitempty"`
// Tags are named gateway nodes which tell gateway clusters whether to load an API or not.
// for example, to load the API in an ARA gateway, you might want to include an `edge` tag.
Tags []string `json:"tags,omitempty"`
// EnableContextVars extracts request context variables from the start of the middleware chain.
// Set this to true to make them available to your transforms.
// Context Variables are available in the url rewriter, modify headers and body transforms.
EnableContextVars *bool `json:"enable_context_vars,omitempty"`
// ConfigData can be used to pass custom attributes (a JSON object) into your middleware, such
// as a virtual endpoint or header transform.
// +optional
// +nullable
ConfigData *MapStringInterfaceType `json:"config_data"`
TagHeaders []string `json:"tag_headers,omitempty"`
// EnableDetailedRecording instructs Tyk store the inbound request and outbound response data in HTTP Wire format
// as part of the Analytics data
EnableDetailedRecording *bool `json:"enable_detailed_recording,omitempty"`
GraphQL *GraphQLConfig `json:"graphql,omitempty"`
// AnalyticsPlugin is used to configure analytics plugin which enables editing or removal of all parts of analytics
// records, raw request and responses recorded by Tyk at the gateway level
// +optional
// +nullable
AnalyticsPlugin *AnalyticsPluginConfig `json:"analytics_plugin,omitempty"`
// +optional
// +nullable
DetailedTracing *bool `json:"detailed_tracing,omitempty"`
}
type AnalyticsPluginConfig struct {
Enabled bool `json:"enable"`
PluginPath string `json:"plugin_path,omitempty"`
FuncName string `json:"func_name,omitempty"`
}
func (a *APIDefinitionSpec) CollectLoopingTarget() (targets []Target) {
fn := func(t Target) {
targets = append(targets, t)
}
a.Proxy.collectLoopingTarget(fn)
a.VersionData.collectLoopingTarget(fn)
return
}
// Proxy outlines the API proxying functionality.
type Proxy struct {
// If PreserveHostHeader is set to true then the host header in the outbound request is retained to be the
// inbound hostname of the proxy.
PreserveHostHeader *bool `json:"preserve_host_header,omitempty"`
// ListenPath represents the path to listen on. e.g. `/api` or `/` or `/httpbin`.
// Any requests coming into the host, on the port that Tyk is configured to run on, that match this path will
// have the rules defined in the API Definition applied. Versioning assumes that different versions of an API
// will live on the same URL structure. If you are using URL-based versioning (e.g. /v1/function, /v2/function)
// then it is recommended to set up a separate non-versioned definition for each version as they are essentially
// separate APIs.
ListenPath *string `json:"listen_path,omitempty"`
// TargetURL defines the target URL that the request should be proxied to.
TargetURL string `json:"target_url"`
TargetInternal *TargetInternal `json:"target_internal,omitempty"`
// DisableStripSlash disables the stripping of the slash suffix from a URL.
// when `true` a request to http://foo.bar/baz/ will be retained.
// when `false` a request to http://foo.bar/baz/ will be matched to http://foo.bar/baz
DisableStripSlash *bool `json:"disable_strip_slash,omitempty"`
// StripListenPath removes the inbound listen path in the outgoing request.
// e.g. http://acme.com/httpbin/get where `httpbin` is the listen path. The `httpbin` listen path which is used
// to identify the API loaded in Tyk is removed, and the outbound request would be http://httpbin.org/get
StripListenPath *bool `json:"strip_listen_path,omitempty"`
// EnableLoadBalancing enables Tyk's round-robin loadbalancer. Tyk will ignore the TargetURL field, and rely on
// the hosts in the Targets list
EnableLoadBalancing *bool `json:"enable_load_balancing,omitempty"`
// Targets defines a list of upstream host targets. Tyk will then round-robin load balance between these targets.
// EnableLoadBalancing must be set to true in order to take advantage of this feature.
Targets []string `json:"target_list,omitempty"`
// CheckHostAgainstUptimeTests will check the hostname of the outbound request against the downtime list generated
// by the uptime test host checker. If the host is found, then it is skipped or removed from the load balancer.
// This is only valid if uptime tests for the api are enabled.
CheckHostAgainstUptimeTests *bool `json:"check_host_against_uptime_tests,omitempty"`
// Transport section exposes advanced transport level configurations such as minimum TLS version.
Transport ProxyTransport `json:"transport,omitempty"`
// TODO: Untested. Is there a use-case for SD inside a K8s environment?
ServiceDiscovery ServiceDiscoveryConfiguration `json:"service_discovery,omitempty"`
}
func (p *Proxy) collectLoopingTarget(fn func(Target)) {
if p.TargetInternal != nil {
x := p.TargetInternal.Target
p.TargetURL = p.TargetInternal.String()
p.TargetInternal = nil
fn(x)
}
}
type ProxyTransport struct {
// SSLInsecureSkipVerify controls whether it is possible to use self-signed certificates when connecting to the
// upstream. This is applied to `TykMakeHttpRequest` & `TykMakeBatchRequest` in virtual endpoint middleware.
SSLInsecureSkipVerify *bool `json:"ssl_insecure_skip_verify,omitempty"`
// SSLCipherSuites is an array of acceptable cipher suites. A list of allowed cipher suites can be found in the
// Go Crypto TLS package constants documentation https://golang.org/pkg/crypto/tls/#pkg-constants
SSLCipherSuites []string `json:"ssl_ciphers,omitempty"`
// SSLMinVersion defines the minimum TLS version the gateway will use to establish a connection to the upstream.
// 1.0: 769; 1.1: 770; 1.2: 771; 1.3: 772.
// +kubebuilder:validation:Enum=769;770;771;772
SSLMinVersion uint16 `json:"ssl_min_version,omitempty"`
// SSLForceCommonNameCheck forces hostname validation against the certificate Common Name
SSLForceCommonNameCheck *bool `json:"ssl_force_common_name_check,omitempty"`
// ProxyURL specifies custom forward proxy & port. e.g. `http(s)://proxy.url:1234`
ProxyURL *string `json:"proxy_url,omitempty"`
}
// CORS cors settings
type CORS struct {
// Enable when set to true it enables the cors middleware for the api
Enable *bool `json:"enable,omitempty"`
// AllowedOrigins is a list of origin domains to allow access from.
AllowedOrigins []string `json:"allowed_origins,omitempty"`
// AllowedMethods is a list of methods to allow access via.
AllowedMethods []HttpMethod `json:"allowed_methods,omitempty"`
// AllowedHeaders are headers that are allowed within a request.
AllowedHeaders []string `json:"allowed_headers,omitempty"`
// ExposedHeaders is a list of headers that are exposed back in the response.
ExposedHeaders []string `json:"exposed_headers,omitempty"`
// AllowCredentials if true will allow cookies
AllowCredentials *bool `json:"allow_credentials,omitempty"`
// MaxAge is the maximum age of credentials
MaxAge int `json:"max_age,omitempty"`
// OptionsPassthrough allow CORS OPTIONS preflight request to be proxied
// directly to upstream, without authentication and rest of checks. This means
// that pre-flight requests generated by web-clients such as SwaggerUI or the
// Tyk Portal documentation system will be able to test the API using trial
// keys. If your service handles CORS natively, then enable this option.
OptionsPassthrough *bool `json:"options_passthrough,omitempty"`
// Debug if true, this option produces log files for the CORS middleware
Debug *bool `json:"debug,omitempty"`
}
type UptimeTests struct {
CheckList []HostCheckObject `json:"check_list"`
Config UptimeTestConfig `json:"config"`
}
type UptimeTestConfig struct {
ExpireUptimeAnalyticsAfter int64 `json:"expire_utime_after"` // must have an expireAt TTL index set (http://docs.mongodb.org/manual/tutorial/expire-data/)
ServiceDiscovery ServiceDiscoveryConfiguration `json:"service_discovery"`
RecheckWait int `json:"recheck_wait"`
}
type VersionData struct {
NotVersioned bool `json:"not_versioned"`
DefaultVersion string `json:"default_version"`