This is a resource used to define values for communicating with admin api of tyk ce/pro deployment.
OperatorContext can be referenced on all custom resources by contextRef property.
When a custom resource is applied with contextRef set then all the operations
conducted by the operator will use the OperatorContext supplied by the contextRef
to perform reconciliation.
Note: If namespace is not specified in contextRef, default namespace will be used.
Annotated OperatorContext for a community edition deployment looks like this
apiVersion: tyk.tyk.io/v1alpha1
kind: OperatorContext
metadata:
name: community-edition
spec:
env:
# The mode of the admin api
# ce - community edition (open source gateway)
# pro - dashboard (requires a license)
mode: ce
# The authorization token this will be set in x-tyk-authorization header on the
# client while talking to the admin api
auth: foo
# Org ID to use
org: myorg
# The url to the tyk open source gateway deployment admin api
url: http://tyk.tykce-control-plane.svc.cluster.local:8001
# Set this to true if you want to skip tls certificate and host name verification
# this should only be used in testing
insecureSkipVerify: true
# For ingress the operator creates and manages ApiDefinition resources, use this to configure
# which ports the ApiDefinition resources managed by the ingress controller binds to.
# Use this to override default ingress http and https port
ingress:
httpPort: 8000
httpsPort: 8443
# The list of users who are authorized to update/delete the API.
# The user pointed by auth needs to be in this list, if not empty.
user_owners:
- a1b2c3d4e5f6
# The list of groups of users who are authorized to update/delete the API.
# The user pointed by auth needs to be a member of one of the groups in this list, if not empty.
user_group_owners:
- 1a2b3c4d5e6fWhilst it is possible to set .spec.env.auth directly in the OperatorContext object, better security can be achieved by replacing sensitive data with values contained within a referenced secret.
Create a k8s secret tyk-operator-conf with our sensitive info for auth and org
kubectl create secret -n tyk-operator-system generic tyk-operator-conf \
--from-literal "TYK_AUTH=foo" \
--from-literal "TYK_ORG=myorg" \
--from-literal "TYK_USER_OWNERS=a1b2c3d4e5f6,f6a1e5b2d4c3"We can now reference our secret in the OperatorContext resource with .spec.secretRef
apiVersion: tyk.tyk.io/v1alpha1
kind: OperatorContext
metadata:
name: community-edition
spec:
secretRef:
namespace: tyk-operator-system
name: tyk-operator-conf
env:
mode: ce
url: http://tyk.tykce-control-plane.svc.cluster.local:8001
insecureSkipVerify: true
ingress:
httpPort: 8000
httpsPort: 8443
user_owners:
- a1b2c3d4f5e6f7
user_group_owners:
- 1a2b3c4d5f6e7fMappings between .spec.env properties and secret .spec.data keys
| secret key | .spec.env |
|---|---|
| TYK_MODE | mode |
| TYK_URL | url |
| TYK_AUTH | auth |
| TYK_ORG | org |
| TYK_TLS_INSECURE_SKIP_VERIFY | insecureSkipVerify |
| TYK_USER_OWNERS (comma separated list) | user_owners |
| TYK_USER_GROUP_OWNERS (comma separated list) | user_group_owners |
We can refer to the OperatorContext we created above to ApiDefinition resource using contextRef property like
apiVersion: tyk.tyk.io/v1alpha1
kind: ApiDefinition
metadata:
name: httpbin-with-context
spec:
contextRef:
name: community-edition
namespace: default
name: httpbin-with-context
use_keyless: true
protocol: http
active: true
proxy:
target_url: http://httpbin.org
listen_path: /httpbin-with-context
strip_listen_path: trueThen httpbin-with-context api will be created on the gateway defined in the community-edition OperatorContext resource.
The operator will not start without a valid context.
With our helm charts we have
envFrom:
- secretRef:
name: tyk-operator-conf
That loads the default env from secret tyk-operator-conf . This might not be desired if you are already using operator context for resources.
One work around is to set dummy values that way the operator will start, and provide valid context when applying resources that will be used by the operator for reconciliation.
You can update your values.yaml to include
envFrom:
envVars:
- name: TYK_AUTH
value: "xxx"
- name: TYK_ORG
value: "xxx"
- name: TYK_MODE
value: "pro"
- name: TYK_URL
value: "xxx"
- name: TYK_USER_OWNERS
value: "xxx,yyy"
- name: TYK_USER_GROUP_OWNERS
value: "xxx,yyy"This workaround will not be required in v0.8.0 release