apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
    controller-gen.kubebuilder.io/version: v0.4.1
  name: apidefinitions.tyk.tyk.io
spec:
  group: tyk.tyk.io
  names:
    kind: ApiDefinition
    listKind: ApiDefinitionList
    plural: apidefinitions
    shortNames:
    - tykapis
    singular: apidefinition
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .spec.domain
      name: Domain
      type: string
    - jsonPath: .spec.proxy.listen_path
      name: ListenPath
      type: string
    - jsonPath: .spec.proxy.target_url
      name: Proxy.TargetURL
      type: string
    - jsonPath: .spec.active
      name: Enabled
      type: boolean
    name: v1alpha1
    schema:
      openAPIV3Schema:
        description: ApiDefinition is the Schema for the apidefinitions API
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: APIDefinition represents the configuration for a single proxied API and its versions.
            properties:
              CORS:
                properties:
                  allow_credentials:
                    description: AllowCredentials if true will allow cookies
                    type: boolean
                  allowed_headers:
                    description: AllowedHeaders are headers that are allowed within a request.
                    items:
                      type: string
                    type: array
                  allowed_methods:
                    description: AllowedMethods is a list of methods to allow access via.
                    items:
                      description: Method represents HTTP request method
                      enum:
                      - GET
                      - POST
                      - PUT
                      - PATCH
                      - DELETE
                      - OPTIONS
                      - HEAD
                      - CONNECT
                      - TRACE
                      type: string
                    type: array
                  allowed_origins:
                    description: AllowedOrigins is a list of origin domains to allow access from.
                    items:
                      type: string
                    type: array
                  debug:
                    description: Debug if true, this option produces log files for the CORS middleware
                    type: boolean
                  enable:
                    description: Enable when set to true it enables the cors middleware for the api
                    type: boolean
                  exposed_headers:
                    description: ExposedHeaders is a list of headers that are exposed back in the response.
                    items:
                      type: string
                    type: array
                  max_age:
                    description: MaxAge is the maximum age of credentials
                    type: integer
                  options_passthrough:
                    description: OptionsPassthrough allow CORS OPTIONS preflight request to be proxied directly to upstream, without authentication and rest of checks. This means that pre-flight requests generated by web-clients such as SwaggerUI or the Tyk Portal documentation system will be able to test the API using trial keys. If your service handles CORS natively, then enable this option.
                    type: boolean
                type: object
              active:
                description: Active specifies if the api is enabled or not
                type: boolean
              allowed_ips:
                description: AllowedIPs is a list of IP address that are whitelisted. When this is provided all IP address that is not on this list will be blocked and a 403 http status will be returned. The IP address can be IPv4 or IPv6. IP in CIDR notation is also supported.
                items:
                  type: string
                type: array
              api_id:
                description: 'Only set this field if you are referring to an existing API def. The Operator will use this APIID to link the CR with the API in Tyk Note: The values in the CR will become the new source of truth, overriding the existing API Definition'
                type: string
              auth:
                properties:
                  auth_header_name:
                    type: string
                  cookie_name:
                    type: string
                  param_name:
                    type: string
                  signature:
                    properties:
                      algorithm:
                        type: string
                      allowed_clock_skew:
                        format: int64
                        type: integer
                      error_code:
                        type: integer
                      error_message:
                        type: string
                      header:
                        type: string
                      secret:
                        type: string
                    required:
                    - algorithm
                    - allowed_clock_skew
                    - error_code
                    - error_message
                    - header
                    - secret
                    type: object
                  use_certificate:
                    type: boolean
                  use_cookie:
                    type: boolean
                  use_param:
                    type: boolean
                  validate_signature:
                    type: boolean
                required:
                - auth_header_name
                type: object
              auth_configs:
                additionalProperties:
                  properties:
                    auth_header_name:
                      type: string
                    cookie_name:
                      type: string
                    param_name:
                      type: string
                    signature:
                      properties:
                        algorithm:
                          type: string
                        allowed_clock_skew:
                          format: int64
                          type: integer
                        error_code:
                          type: integer
                        error_message:
                          type: string
                        header:
                          type: string
                        secret:
                          type: string
                      required:
                      - algorithm
                      - allowed_clock_skew
                      - error_code
                      - error_message
                      - header
                      - secret
                      type: object
                    use_certificate:
                      type: boolean
                    use_cookie:
                      type: boolean
                    use_param:
                      type: boolean
                    validate_signature:
                      type: boolean
                  required:
                  - auth_header_name
                  type: object
                type: object
              blacklisted_ips:
                description: BlacklistedIPs is a list of IP address that will be blacklisted. This means if origin IP matches any IP in this list a 403 http status code will be returned. The IP address can be IPv4 or IPv6. IP in CIDR notation is also supported.
                items:
                  type: string
                type: array
              cache_options:
                properties:
                  cache_all_safe_requests:
                    description: CacheAllSafeRequests caches responses to (GET, HEAD, OPTIONS) requests overrides per-path cache settings in versions, applies across versions
                    type: boolean
                  cache_by_headers:
                    description: CacheByHeaders allows header values to be used as part of the cache key
                    items:
                      type: string
                    type: array
                  cache_control_ttl_header:
                    description: CacheControlTTLHeader is the response header which tells Tyk how long it is safe to cache the response for
                    type: string
                  cache_response_codes:
                    description: CacheOnlyResponseCodes is an array of response codes which are safe to cache. e.g. 404
                    items:
                      type: integer
                    type: array
                  cache_timeout:
                    description: CacheTimeout is the TTL for a cached object in seconds
                    format: int64
                    type: integer
                  enable_cache:
                    description: EnableCache turns global cache middleware on or off. It is still possible to enable caching on a per-path basis by explicitly setting the endpoint cache middleware. see `spec.version_data.versions.{VERSION}.extended_paths.cache[]`
                    type: boolean
                  enable_upstream_cache_control:
                    description: EnableUpstreamCacheControl instructs Tyk Cache to respect upstream cache control headers
                    type: boolean
                required:
                - cache_timeout
                type: object
              certificate_secret_names:
                description: CertificateSecretNames represents the names of the secrets that the controller should look for in the current namespace which contain the certificates.
                items:
                  type: string
                type: array
              certificates:
                description: Certificates is a list of Tyk Certificate IDs. e.g. orgid+fingerprint. Use CertificateSecretNames if using cert-manager
                items:
                  type: string
                type: array
              config_data:
                description: ConfigData can be used to pass custom attributes (a JSON object) into your middleware, such as a virtual endpoint or header transform.
                nullable: true
                type: object
                x-kubernetes-preserve-unknown-fields: true
              contextRef:
                description: Context specify namespace/name of the OperatorContext object used for reconciling this APIDefinition
                properties:
                  name:
                    description: k8s resource name
                    type: string
                  namespace:
                    description: The k8s namespace of the resource being targeted. When omitted this will be set to the namespace of the object that is being reconciled.
                    type: string
                required:
                - name
                type: object
              custom_middleware:
                properties:
                  auth_check:
                    properties:
                      name:
                        type: string
                      path:
                        type: string
                      raw_body_only:
                        type: boolean
                      require_session:
                        type: boolean
                    required:
                    - name
                    - path
                    type: object
                  driver:
                    type: string
                  id_extractor:
                    properties:
                      extract_from:
                        type: string
                      extract_with:
                        type: string
                      extractor_config:
                        properties:
                          header_name:
                            type: string
                          param_name:
                            type: string
                          regex_expression:
                            type: string
                          regex_match_index:
                            type: integer
                        type: object
                    required:
                    - extract_from
                    - extract_with
                    - extractor_config
                    type: object
                  post:
                    items:
                      properties:
                        name:
                          type: string
                        path:
                          type: string
                        raw_body_only:
                          type: boolean
                        require_session:
                          type: boolean
                      required:
                      - name
                      - path
                      type: object
                    type: array
                  post_key_auth:
                    items:
                      properties:
                        name:
                          type: string
                        path:
                          type: string
                        raw_body_only:
                          type: boolean
                        require_session:
                          type: boolean
                      required:
                      - name
                      - path
                      type: object
                    type: array
                  pre:
                    items:
                      properties:
                        name:
                          type: string
                        path:
                          type: string
                        raw_body_only:
                          type: boolean
                        require_session:
                          type: boolean
                      required:
                      - name
                      - path
                      type: object
                    type: array
                  response:
                    items:
                      properties:
                        name:
                          type: string
                        path:
                          type: string
                        raw_body_only:
                          type: boolean
                        require_session:
                          type: boolean
                      required:
                      - name
                      - path
                      type: object
                    type: array
                required:
                - driver
                type: object
              custom_middleware_bundle:
                type: string
              definition:
                properties:
                  key:
                    type: string
                  location:
                    type: string
                  strip_path:
                    type: boolean
                required:
                - key
                - location
                - strip_path
                type: object
              do_not_track:
                description: DoNotTrack disables endpoint tracking for this API
                type: boolean
              domain:
                description: Domain represents a custom host header that the gateway will listen on for this API
                type: string
              enable_context_vars:
                description: EnableContextVars extracts request context variables from the start of the middleware chain. Set this to true to make them available to your transforms. Context Variables are available in the url rewriter, modify headers and body transforms.
                type: boolean
              enable_coprocess_auth:
                type: boolean
              enable_detailed_recording:
                description: EnableDetailedRecording instructs Tyk to store the inbound request and outbound response data in HTTP Wire format as part of the Analytics data
                type: boolean
              enable_ip_blacklisting:
                description: EnableIPBlacklisting activates the ip blacklisting middleware.
                type: boolean
              enable_ip_whitelisting:
                description: EnableIPWhiteListing activates the ip whitelisting middleware.
                type: boolean
              enable_jwt:
                description: EnableJWT set JWT as the access method for this API.
                type: boolean
              enable_proxy_protocol:
                type: boolean
              graphql:
                properties:
                  enabled:
                    description: Enabled indicates if GraphQL proxy should be enabled.
                    type: boolean
                  execution_mode:
                    description: ExecutionMode is the mode to define how an api behaves.
                    enum:
                    - proxyOnly
                    - executionEngine
                    type: string
                  playground:
                    description: GraphQLPlayground is the Playground specific configuration.
                    properties:
                      enabled:
                        description: Enabled indicates if the playground should be enabled.
                        type: boolean
                      path:
                        description: Path sets the path on which the playground will be hosted if enabled.
                        type: string
                    required:
                    - enabled
                    - path
                    type: object
                  proxy:
                    description: Proxy holds the configuration for a proxy only api.
                    properties:
                      auth_headers:
                        additionalProperties:
                          type: string
                        nullable: true
                        type: object
                    required:
                    - auth_headers
                    type: object
                  schema:
                    description: Schema is the GraphQL Schema exposed by the GraphQL API/Upstream/Engine.
                    type: string
                  type_field_configurations:
                    description: TypeFieldConfigurations is a rule set of data source and mapping of a schema field.
                    items:
                      properties:
                        data_source:
                          properties:
                            data_source_config:
                              description: Config is the DataSource specific configuration object. Each Planner needs to make sure to parse their Config Object correctly
                              properties:
                                body:
                                  type: string
                                default_type_name:
                                  type: string
                                headers:
                                  items:
                                    type: string
                                  type: array
                                method:
                                  description: Method represents HTTP request method
                                  enum:
                                  - GET
                                  - POST
                                  - PUT
                                  - PATCH
                                  - DELETE
                                  - OPTIONS
                                  - HEAD
                                  - CONNECT
                                  - TRACE
                                  type: string
                                status_code_type_name_mappings:
                                  items:
                                    properties:
                                      status_code:
                                        type: integer
                                      type_name:
                                        type: string
                                    required:
                                    - status_code
                                    type: object
                                  type: array
                                url:
                                  type: string
                              required:
                              - method
                              - url
                              type: object
                            kind:
                              description: Kind defines the unique identifier of the DataSource. Kind needs to match the Planner "DataSourceName" name
                              enum:
                              - GraphQLDataSource
                              - HTTPJSONDataSource
                              type: string
                          required:
                          - kind
                          type: object
                        field_name:
                          type: string
                        mapping:
                          properties:
                            disabled:
                              type: boolean
                            path:
                              type: string
                          required:
                          - disabled
                          - path
                          type: object
                        type_name:
                          type: string
                      required:
                      - data_source
                      - field_name
                      - mapping
                      - type_name
                      type: object
                    type: array
                required:
                - enabled
                - execution_mode
                - schema
                type: object
              id:
                description: For server use only, do not use
                type: string
              internal:
                description: Internal tells Tyk Gateway that this is a virtual API. It can only be routed to from other APIs.
                type: boolean
              jwt_client_base_field:
                description: JWTClientIDBaseField is the name of the field on JWT claim to use for client id. This field is mutually exclusive to jwt_identity_base_field, meaning you can only set/use one and jwt_identity_base_field takes precedence when both are set.
                type: string
              jwt_default_policies:
                description: JWTDefaultPolicies is a list of policies that will be used when base policy can't be extracted from the JWT token. When this list is provided the first element will be used as the base policy while the rest of elements will be applied.
                items:
                  type: string
                type: array
              jwt_expires_at_validation_skew:
                description: "JWTExpiresAtValidationSkew adds validation for expired at JWT claim. Given \tnow = current unix time \tskew = jwt_expires_at_validation_skew \texp = expired at If exp > (now - skew) then validation will fail with \"token has expired\""
                format: int64
                type: integer
              jwt_identity_base_field:
                description: JWTIdentityBaseField Identifies the user or identity to be used in the Claims of the JWT. This will fallback to sub if not found. This field forms the basis of a new “virtual” token that gets used after validation. It means policy attributes are carried forward through Tyk for attribution purposes.
                type: string
              jwt_issued_at_validation_skew:
                description: "JWTIssuedAtValidationSkew adds validation for issued at JWT claim. Given \tnow = current unix time \tskew = jwt_issued_at_validation_skew \tiat = the issued at jwt claim If iat > (now + skew) then validation will fail with \"token used before issued\""
                format: int64
                type: integer
              jwt_not_before_validation_skew:
                description: "JWTNotBeforeValidationSkew adds validation for not before JWT claim. Given \tnow = current unix time \tskew = jwt_not_before_validation_skew \tnbf = the not before jwt claim If nbf > (now + skew) then validation will fail with \"token is not valid yet\""
                format: int64
                type: integer
              jwt_policy_field_name:
                description: JWTPolicyFieldName The policy ID to apply to the virtual token generated for a JWT
                type: string
              jwt_scope_claim_name:
                description: JWTScopeClaimName overrides the key used for scope values in the JWT claims. By default the value is "scope"
                type: string
              jwt_scope_to_policy_mapping:
                additionalProperties:
                  type: string
                description: JWTScopeToPolicyMapping this is a mapping of scope value to policy id. If this is set then a scope value found in this map will make the mapped policy to be applied.
                type: object
              jwt_signing_method:
                description: JWTSigningMethod algorithm used to sign jwt token
                enum:
                - rsa
                - hmac
                - ecdsa
                type: string
              jwt_skip_kid:
                description: JWTSkipKid when true we ignore using kid as the identity for a JWT token and instead use jwt_identity_base_field if it was set or fallback to sub JWT claim.
                type: boolean
              jwt_source:
                description: JWTSource Must either be a base64 encoded valid RSA/HMAC key or a url to a resource serving JWK, this key will then be used to validate inbound JWT and throttle them according to the centralised JWT options and fields set in the configuration.
                type: string
              listen_port:
                type: integer
              name:
                type: string
              oauth_meta:
                properties:
                  allowed_access_types:
                    description: AllowedAccessTypes are an array of allowable access types.
                    items:
                      enum:
                      - authorization_code
                      - refresh_token
                      - password
                      - client_credentials
                      type: string
                    type: array
                  allowed_authorize_types:
                    description: AllowedAuthorizeTypes is an array of allowable `response_type` parameters `token` or authorization code `code`. Choose token for client_credentials or implicit grant types.
                    items:
                      enum:
                      - code
                      - token
                      type: string
                    type: array
                  auth_login_redirect:
                    description: Login form to handle user login.
                    type: string
                required:
                - allowed_access_types
                - allowed_authorize_types
                type: object
              org_id:
                description: OrgID is overwritten - no point setting this
                type: string
              pinned_public_keys:
                additionalProperties:
                  type: string
                description: PinnedPublicKeys allows you to whitelist public keys used to generate certificates, so you will be protected in case an upstream certificate is compromised. Please use PinnedPublicKeysRefs if using cert-manager.
                type: object
              pinned_public_keys_refs:
                additionalProperties:
                  type: string
                description: PinnedPublicKeysRefs allows you to specify public keys using k8s secret. It takes domain name as a key and secret name as a value.
                type: object
              protocol:
                description: APIProtocol is the network transport protocol supported by the gateway
                enum:
                - h2c
                - tcp
                - tls
                - http
                - https
                type: string
              proxy:
                description: Proxy
                properties:
                  check_host_against_uptime_tests:
                    description: CheckHostAgainstUptimeTests will check the hostname of the outbound request against the downtime list generated by the uptime test host checker. If the host is found, then it is skipped or removed from the load balancer. This is only valid if uptime tests for the api are enabled.
                    type: boolean
                  disable_strip_slash:
                    description: DisableStripSlash disables the stripping of the slash suffix from a URL. when `true` a request to http://foo.bar/baz/ will be retained. when `false` a request to http://foo.bar/baz/ will be matched to http://foo.bar/baz
                    type: boolean
                  enable_load_balancing:
                    description: EnableLoadBalancing enables Tyk's round-robin loadbalancer. Tyk will ignore the TargetURL field, and rely on the hosts in the Targets list
                    type: boolean
                  listen_path:
                    description: ListenPath represents the path to listen on. e.g. `/api` or `/` or `/httpbin`. Any requests coming into the host, on the port that Tyk is configured to run on, that match this path will have the rules defined in the API Definition applied. Versioning assumes that different versions of an API will live on the same URL structure. If you are using URL-based versioning (e.g. /v1/function, /v2/function) then it is recommended to set up a separate non-versioned definition for each version as they are essentially separate APIs.
                    type: string
                  preserve_host_header:
                    description: If PreserveHostHeader is set to true then the host header in the outbound request is retained to be the inbound hostname of the proxy.
                    type: boolean
                  service_discovery:
                    description: 'TODO: Untested. Is there a use-case for SD inside a K8s environment?'
                    properties:
                      cache_timeout:
                        format: int64
                        type: integer
                      data_path:
                        type: string
                      endpoint_returns_list:
                        type: boolean
                      parent_data_path:
                        type: string
                      port_data_path:
                        type: string
                      query_endpoint:
                        type: string
                      target_path:
                        type: string
                      use_discovery_service:
                        type: boolean
                      use_nested_query:
                        type: boolean
                      use_target_list:
                        type: boolean
                    required:
                    - cache_timeout
                    - data_path
                    - endpoint_returns_list
                    - parent_data_path
                    - port_data_path
                    - query_endpoint
                    - target_path
                    - use_discovery_service
                    - use_nested_query
                    - use_target_list
                    type: object
                  strip_listen_path:
                    description: StripListenPath removes the inbound listen path in the outgoing request. e.g. http://acme.com/httpbin/get where `httpbin` is the listen path. The `httpbin` listen path which is used to identify the API loaded in Tyk is removed, and the outbound request would be http://httpbin.org/get
                    type: boolean
                  target_internal:
                    properties:
                      path:
                        description: "Path path on target , this does not include query parameters. \texample /myendpoint"
                        type: string
                      query:
                        description: "Query url query string to add to target \texample check_limits=true"
                        type: string
                      target:
                        description: API a namespaced/name to the api definition resource that you are targeting
                        properties:
                          name:
                            description: k8s resource name
                            type: string
                          namespace:
                            description: The k8s namespace of the resource being targeted. When omitted this will be set to the namespace of the object that is being reconciled.
                            type: string
                        required:
                        - name
                        type: object
                    type: object
                  target_list:
                    description: Targets defines a list of upstream host targets. Tyk will then round-robin load balance between these targets. EnableLoadBalancing must be set to true in order to take advantage of this feature.
                    items:
                      type: string
                    type: array
                  target_url:
                    description: TargetURL defines the target URL that the request should be proxied to.
                    type: string
                  transport:
                    description: Transport section exposes advanced transport level configurations such as minimum TLS version.
                    properties:
                      proxy_url:
                        description: ProxyURL specifies custom forward proxy & port. e.g. `http(s)://proxy.url:1234`
                        type: string
                      ssl_ciphers:
                        description: SSLCipherSuites is an array of acceptable cipher suites. A list of allowed cipher suites can be found in the Go Crypto TLS package constants documentation https://golang.org/pkg/crypto/tls/#pkg-constants
                        items:
                          type: string
                        type: array
                      ssl_force_common_name_check:
                        description: SSLForceCommonNameCheck forces hostname validation against the certificate Common Name
                        type: boolean
                      ssl_insecure_skip_verify:
                        description: SSLInsecureSkipVerify controls whether it is possible to use self-signed certificates when connecting to the upstream. This is applied to `TykMakeHttpRequest` & `TykMakeBatchRequest` in virtual endpoint middleware.
                        type: boolean
                      ssl_min_version:
                        description: 'SSLMinVersion defines the minimum TLS version the gateway will use to establish a connection to the upstream. 1.0: 769; 1.1: 770; 1.2: 771; 1.3: 772.'
                        enum:
                        - 769
                        - 770
                        - 771
                        - 772
                        type: integer
                    type: object
                required:
                - target_url
                type: object
              response_processors:
                items:
                  properties:
                    name:
                      type: string
                  required:
                  - name
                  type: object
                type: array
              session_lifetime:
                description: "SessionLifetime this is duration in seconds before the session key expires in redis. \n Example: If you want the session keys to be alive only 24 hours you can set this value to 86400 that we can break down to \t60 * 60 * 24 = Total seconds in a day"
                format: int64
                type: integer
              strip_auth_data:
                description: StripAuthData ensures that any security tokens used for accessing APIs are stripped and not leaked to the upstream
                type: boolean
              tags:
                description: Tags are named gateway nodes which tell gateway clusters whether to load an API or not. for example, to load the API in an ARA gateway, you might want to include an `edge` tag.
                items:
                  type: string
                type: array
              upstream_certificate_refs:
                additionalProperties:
                  type: string
                description: UpstreamCertificateRefs is a map of domains and secret names that is used internally to obtain certificates from secrets in order to establish mTLS support for upstreams
                type: object
              upstream_certificates:
                additionalProperties:
                  type: string
                description: UpstreamCertificates is a map of domains and certificate IDs that is used by the Tyk Gateway to provide mTLS support for upstreams
                type: object
              use_keyless:
                description: UseKeylessAccess will switch off all key checking. Some analytics will still be recorded, but rate-limiting, quotas and security policies will not be possible (there is no session to attach requests to).
                type: boolean
              use_oauth2:
                description: UseOAuth2 enables oauth2 authorization
                type: boolean
              use_standard_auth:
                description: UseStandardAuth enables simple bearer token authentication
                type: boolean
              version_data:
                properties:
                  default_version:
                    type: string
                  not_versioned:
                    type: boolean
                  versions:
                    additionalProperties:
                      properties:
                        expires:
                          type: string
                        extended_paths:
                          properties:
                            advance_cache_config:
                              items:
                                properties:
                                  cache_key_regex:
                                    type: string
                                  cache_response_codes:
                                    items:
                                      type: integer
                                    type: array
                                  method:
                                    description: Method represents HTTP request method
                                    enum:
                                    - GET
                                    - POST
                                    - PUT
                                    - PATCH
                                    - DELETE
                                    - OPTIONS
                                    - HEAD
                                    - CONNECT
                                    - TRACE
                                    type: string
                                  path:
                                    type: string
                                required:
                                - cache_key_regex
                                - cache_response_codes
                                - method
                                - path
                                type: object
                              type: array
                            black_list:
                              items:
                                properties:
                                  ignore_case:
                                    type: boolean
                                  method_actions:
                                    additionalProperties:
                                      properties:
                                        action:
                                          type: string
                                        code:
                                          type: integer
                                        data:
                                          type: string
                                        headers:
                                          additionalProperties:
                                            type: string
                                          type: object
                                      required:
                                      - action
                                      - code
                                      - data
                                      - headers
                                      type: object
                                    type: object
                                  path:
                                    type: string
                                required:
                                - ignore_case
                                - method_actions
                                - path
                                type: object
                              type: array
                            cache:
                              description: List of paths which cache middleware should be enabled on
                              items:
                                type: string
                              type: array
                            circuit_breakers:
                              items:
                                properties:
                                  disable_half_open_state:
                                    type: boolean
                                  method:
                                    description: Method represents HTTP request method
                                    enum:
                                    - GET
                                    - POST
                                    - PUT
                                    - PATCH
                                    - DELETE
                                    - OPTIONS
                                    - HEAD
                                    - CONNECT
                                    - TRACE
                                    type: string
                                  path:
                                    type: string
                                  return_to_service_after:
                                    description: ReturnToServiceAfter represents the time in seconds to return back to the service
                                    type: integer
                                  samples:
                                    description: Samples defines the number of requests to base the ThresholdPercent on
                                    format: int64
                                    type: integer
                                  threshold_percent:
                                    description: ThresholdPercent is the percentage of requests that fail before breaker is tripped
                                    pattern: ^0\.\d+|1\.0$
                                    type: string
                                required:
                                - method
                                - path
                                - return_to_service_after
                                - samples
                                - threshold_percent
                                type: object
                              type: array
                            do_not_track_endpoints:
                              items:
                                properties:
                                  method:
                                    description: Method represents HTTP request method
                                    enum:
                                    - GET
                                    - POST
                                    - PUT
                                    - PATCH
                                    - DELETE
                                    - OPTIONS
                                    - HEAD
                                    - CONNECT
                                    - TRACE
                                    type: string
                                  path:
                                    type: string
                                required:
                                - method
                                - path
                                type: object
                              type: array
                            hard_timeouts:
                              items:
                                properties:
                                  method:
                                    description: Method represents HTTP request method
                                    enum:
                                    - GET
                                    - POST
                                    - PUT
                                    - PATCH
                                    - DELETE
                                    - OPTIONS
                                    - HEAD
                                    - CONNECT
                                    - TRACE
                                    type: string
                                  path:
                                    type: string
                                  timeout:
                                    type: integer
                                required:
                                - method
                                - path
                                - timeout
                                type: object
                              type: array
                            ignored:
                              items:
                                properties:
                                  ignore_case:
                                    type: boolean
                                  method_actions:
                                    additionalProperties:
                                      properties:
                                        action:
                                          type: string
                                        code:
                                          type: integer
                                        data:
                                          type: string
                                        headers:
                                          additionalProperties:
                                            type: string
                                          type: object
                                      required:
                                      - action
                                      - code
                                      - data
                                      - headers
                                      type: object
                                    type: object
                                  path:
                                    type: string
                                required:
                                - ignore_case
                                - method_actions
                                - path
                                type: object
                              type: array
                            internal:
                              items:
                                properties:
                                  method:
                                    description: Method represents HTTP request method
                                    enum:
                                    - GET
                                    - POST
                                    - PUT
                                    - PATCH
                                    - DELETE
                                    - OPTIONS
                                    - HEAD
                                    - CONNECT
                                    - TRACE
                                    type: string
                                  path:
                                    type: string
                                required:
                                - method
                                - path
                                type: object
                              type: array
                            method_transforms:
                              items:
                                properties:
                                  method:
                                    description: Method represents HTTP request method
                                    enum:
                                    - GET
                                    - POST
                                    - PUT
                                    - PATCH
                                    - DELETE
                                    - OPTIONS
                                    - HEAD
                                    - CONNECT
                                    - TRACE
                                    type: string
                                  path:
                                    type: string
                                  to_method:
                                    description: Method represents HTTP request method
                                    enum:
                                    - GET
                                    - POST
                                    - PUT
                                    - PATCH
                                    - DELETE
                                    - OPTIONS
                                    - HEAD
                                    - CONNECT
                                    - TRACE
                                    type: string
                                required:
                                - method
                                - path
                                - to_method
                                type: object
                              type: array
                            size_limits:
                              items:
                                properties:
                                  method:
                                    description: Method represents HTTP request method
                                    enum:
                                    - GET
                                    - POST
                                    - PUT
                                    - PATCH
                                    - DELETE
                                    - OPTIONS
                                    - HEAD
                                    - CONNECT
                                    - TRACE
                                    type: string
                                  path:
                                    type: string
                                  size_limit:
                                    format: int64
                                    type: integer
                                required:
                                - method
                                - path
                                - size_limit
                                type: object
                              type: array
                            track_endpoints:
                              items:
                                properties:
                                  method:
                                    description: Method represents HTTP request method
                                    enum:
                                    - GET
                                    - POST
                                    - PUT
                                    - PATCH
                                    - DELETE
                                    - OPTIONS
                                    - HEAD
                                    - CONNECT
                                    - TRACE
                                    type: string
                                  path:
                                    type: string
                                required:
                                - method
                                - path
                                type: object
                              type: array
                            transform:
                              items:
                                properties:
                                  method:
                                    description: Method represents HTTP request method
                                    enum:
                                    - GET
                                    - POST
                                    - PUT
                                    - PATCH
                                    - DELETE
                                    - OPTIONS
                                    - HEAD
                                    - CONNECT
                                    - TRACE
                                    type: string
                                  path:
                                    type: string
                                  template_data:
                                    properties:
                                      enable_session:
                                        type: boolean
                                      input_type:
                                        type: string
                                      template_mode:
                                        type: string
                                      template_source:
                                        type: string
                                    required:
                                    - enable_session
                                    - input_type
                                    - template_mode
                                    - template_source
                                    type: object
                                required:
                                - method
                                - path
                                - template_data
                                type: object
                              type: array
                            transform_headers:
                              items:
                                properties:
                                  act_on:
                                    type: boolean
                                  add_headers:
                                    additionalProperties:
                                      type: string
                                    type: object
                                  delete_headers:
                                    items:
                                      type: string
                                    type: array
                                  method:
                                    description: Method represents HTTP request method
                                    enum:
                                    - GET
                                    - POST
                                    - PUT
                                    - PATCH
                                    - DELETE
                                    - OPTIONS
                                    - HEAD
                                    - CONNECT
                                    - TRACE
                                    type: string
                                  path:
                                    type: string
                                required:
                                - act_on
                                - add_headers
                                - delete_headers
                                - method
                                - path
                                type: object
                              type: array
                            transform_jq:
                              items:
                                properties:
                                  filter:
                                    type: string
                                  method:
                                    description: Method represents HTTP request method
                                    enum:
                                    - GET
                                    - POST
                                    - PUT
                                    - PATCH
                                    - DELETE
                                    - OPTIONS
                                    - HEAD
                                    - CONNECT
                                    - TRACE
                                    type: string
                                  path:
                                    type: string
                                required:
                                - filter
                                - method
                                - path
                                type: object
                              type: array
                            transform_jq_response:
                              items:
                                properties:
                                  filter:
                                    type: string
                                  method:
                                    description: Method represents HTTP request method
                                    enum:
                                    - GET
                                    - POST
                                    - PUT
                                    - PATCH
                                    - DELETE
                                    - OPTIONS
                                    - HEAD
                                    - CONNECT
                                    - TRACE
                                    type: string
                                  path:
                                    type: string
                                required:
                                - filter
                                - method
                                - path
                                type: object
                              type: array
                            transform_response:
                              items:
                                properties:
                                  method:
                                    description: Method represents HTTP request method
                                    enum:
                                    - GET
                                    - POST
                                    - PUT
                                    - PATCH
                                    - DELETE
                                    - OPTIONS
                                    - HEAD
                                    - CONNECT
                                    - TRACE
                                    type: string
                                  path:
                                    type: string
                                  template_data:
                                    properties:
                                      enable_session:
                                        type: boolean
                                      input_type:
                                        type: string
                                      template_mode:
                                        type: string
                                      template_source:
                                        type: string
                                    required:
                                    - enable_session
                                    - input_type
                                    - template_mode
                                    - template_source
                                    type: object
                                required:
                                - method
                                - path
                                - template_data
                                type: object
                              type: array
                            transform_response_headers:
                              items:
                                properties:
                                  act_on:
                                    type: boolean
                                  add_headers:
                                    additionalProperties:
                                      type: string
                                    type: object
                                  delete_headers:
                                    items:
                                      type: string
                                    type: array
                                  method:
                                    description: Method represents HTTP request method
                                    enum:
                                    - GET
                                    - POST
                                    - PUT
                                    - PATCH
                                    - DELETE
                                    - OPTIONS
                                    - HEAD
                                    - CONNECT
                                    - TRACE
                                    type: string
                                  path:
                                    type: string
                                required:
                                - act_on
                                - add_headers
                                - delete_headers
                                - method
                                - path
                                type: object
                              type: array
                            url_rewrites:
                              items:
                                properties:
                                  match_pattern:
                                    description: MatchPattern is a regular expression pattern to match the path
                                    type: string
                                  method:
                                    description: Method represents HTTP request method
                                    enum:
                                    - GET
                                    - POST
                                    - PUT
                                    - PATCH
                                    - DELETE
                                    - OPTIONS
                                    - HEAD
                                    - CONNECT
                                    - TRACE
                                    type: string
                                  path:
                                    description: Path represents the endpoint listen path
                                    type: string
                                  rewrite_to:
                                    description: RewriteTo is the target path on the upstream, or target URL we wish to rewrite to
                                    type: string
                                  rewrite_to_internal:
                                    description: RewriteToInternal serves as rewrite_to but used when rewriting to target internal APIs. When rewrite_to and rewrite_to_internal are both provided then rewrite_to will take rewrite_to_internal
                                    properties:
                                      path:
                                        description: "Path path on target , this does not include query parameters. \texample /myendpoint"
                                        type: string
                                      query:
                                        description: "Query url query string to add to target \texample check_limits=true"
                                        type: string
                                      target:
                                        description: API a namespaced/name to the api definition resource that you are targeting
                                        properties:
                                          name:
                                            description: k8s resource name
                                            type: string
                                          namespace:
                                            description: The k8s namespace of the resource being targeted. When omitted this will be set to the namespace of the object that is being reconciled.
                                            type: string
                                        required:
                                        - name
                                        type: object
                                    type: object
                                  triggers:
                                    items:
                                      properties:
                                        "on":
                                          type: string
                                        options:
                                          properties:
                                            header_matches:
                                              additionalProperties:
                                                properties:
                                                  match_rx:
                                                    type: string
                                                  reverse:
                                                    type: boolean
                                                required:
                                                - match_rx
                                                type: object
                                              type: object
                                            path_part_matches:
                                              additionalProperties:
                                                properties:
                                                  match_rx:
                                                    type: string
                                                  reverse:
                                                    type: boolean
                                                required:
                                                - match_rx
                                                type: object
                                              type: object
                                            payload_matches:
                                              properties:
                                                match_rx:
                                                  type: string
                                                reverse:
                                                  type: boolean
                                              required:
                                              - match_rx
                                              type: object
                                            query_val_matches:
                                              additionalProperties:
                                                properties:
                                                  match_rx:
                                                    type: string
                                                  reverse:
                                                    type: boolean
                                                required:
                                                - match_rx
                                                type: object
                                              type: object
                                            request_context_matches:
                                              additionalProperties:
                                                properties:
                                                  match_rx:
                                                    type: string
                                                  reverse:
                                                    type: boolean
                                                required:
                                                - match_rx
                                                type: object
                                              type: object
                                            session_meta_matches:
                                              additionalProperties:
                                                properties:
                                                  match_rx:
                                                    type: string
                                                  reverse:
                                                    type: boolean
                                                required:
                                                - match_rx
                                                type: object
                                              type: object
                                          type: object
                                        rewrite_to:
                                          type: string
                                        rewrite_to_internal:
                                          description: RewriteToInternal defines options that constructs a url that refers to an api that is loaded into the gateway.
                                          properties:
                                            path:
                                              description: "Path path on target , this does not include query parameters. \texample /myendpoint"
                                              type: string
                                            query:
                                              description: "Query url query string to add to target \texample check_limits=true"
                                              type: string
                                            target:
                                              description: API a namespaced/name to the api definition resource that you are targeting
                                              properties:
                                                name:
                                                  description: k8s resource name
                                                  type: string
                                                namespace:
                                                  description: The k8s namespace of the resource being targeted. When omitted this will be set to the namespace of the object that is being reconciled.
                                                  type: string
                                              required:
                                              - name
                                              type: object
                                          type: object
                                      required:
                                      - "on"
                                      - options
                                      type: object
                                    type: array
                                required:
                                - match_pattern
                                - method
                                - path
                                type: object
                              type: array
                            validate_json:
                              items:
                                properties:
                                  error_response_code:
                                    description: Allows override of default 422 Unprocessable Entity response code for validation errors.
                                    type: integer
                                  method:
                                    description: Method represents HTTP request method
                                    enum:
                                    - GET
                                    - POST
                                    - PUT
                                    - PATCH
                                    - DELETE
                                    - OPTIONS
                                    - HEAD
                                    - CONNECT
                                    - TRACE
                                    type: string
                                  path:
                                    type: string
                                  schema:
                                    description: Schema represents schema field that verifies user requests against a specified JSON schema and checks that the data sent to your API by a consumer is in the right format.
                                    type: object
                                    x-kubernetes-preserve-unknown-fields: true
                                required:
                                - error_response_code
                                - method
                                - path
                                - schema
                                type: object
                              type: array
                            virtual:
                              items:
                                properties:
                                  function_source_type:
                                    type: string
                                  function_source_uri:
                                    type: string
                                  method:
                                    description: Method represents HTTP request method
                                    enum:
                                    - GET
                                    - POST
                                    - PUT
                                    - PATCH
                                    - DELETE
                                    - OPTIONS
                                    - HEAD
                                    - CONNECT
                                    - TRACE
                                    type: string
                                  path:
                                    type: string
                                  proxy_on_error:
                                    type: boolean
                                  response_function_name:
                                    type: string
                                  use_session:
                                    type: boolean
                                required:
                                - function_source_type
                                - function_source_uri
                                - method
                                - path
                                - proxy_on_error
                                - response_function_name
                                - use_session
                                type: object
                              type: array
                            white_list:
                              items:
                                properties:
                                  ignore_case:
                                    type: boolean
                                  method_actions:
                                    additionalProperties:
                                      properties:
                                        action:
                                          type: string
                                        code:
                                          type: integer
                                        data:
                                          type: string
                                        headers:
                                          additionalProperties:
                                            type: string
                                          type: object
                                      required:
                                      - action
                                      - code
                                      - data
                                      - headers
                                      type: object
                                    type: object
                                  path:
                                    type: string
                                required:
                                - ignore_case
                                - method_actions
                                - path
                                type: object
                              type: array
                          type: object
                        global_headers:
                          additionalProperties:
                            type: string
                          type: object
                        global_headers_remove:
                          items:
                            type: string
                          type: array
                        global_response_headers:
                          additionalProperties:
                            type: string
                          type: object
                        global_response_headers_remove:
                          items:
                            type: string
                          type: array
                        global_size_limit:
                          format: int64
                          type: integer
                        ignore_endpoint_case:
                          type: boolean
                        name:
                          type: string
                        override_target:
                          type: string
                        paths:
                          properties:
                            black_list:
                              items:
                                type: string
                              type: array
                            ignored:
                              items:
                                type: string
                              type: array
                            white_list:
                              items:
                                type: string
                              type: array
                          type: object
                        use_extended_paths:
                          type: boolean
                      required:
                      - name
                      type: object
                    type: object
                required:
                - default_version
                - not_versioned
                type: object
            required:
            - name
            - protocol
            - proxy
            type: object
          status:
            description: ApiDefinitionStatus defines the observed state of ApiDefinition
            properties:
              api_id:
                type: string
              linked_by_apis:
                description: LinkedByAPIs is a list of ApiDefinition namespaced/name that links to
this resource items: properties: name: description: k8s resource name type: string namespace: description: The k8s namespace of the resource being targeted. When omitted, this will be set to the namespace of the object that is being reconciled. type: string required: - name type: object type: array linked_by_policies: description: LinkedByPolicies is a list of policies that reference this api definition items: properties: name: description: k8s resource name type: string namespace: description: The k8s namespace of the resource being targeted. When omitted, this will be set to the namespace of the object that is being reconciled. type: string required: - name type: object type: array linked_to_apis: description: LinkedToAPIs is a list of ApiDefinition namespaced/name that this resource links to. items: properties: name: description: k8s resource name type: string namespace: description: The k8s namespace of the resource being targeted. When omitted, this will be set to the namespace of the object that is being reconciled. type: string required: - name type: object type: array required: - api_id type: object type: object served: true storage: true subresources: status: {} status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.1 creationTimestamp: null name: apidescriptions.tyk.tyk.io spec: group: tyk.tyk.io names: kind: APIDescription listKind: APIDescriptionList plural: apidescriptions singular: apidescription scope: Namespaced versions: - name: v1alpha1 schema: openAPIV3Schema: description: APIDescription is the Schema for the apidescriptions API properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: APIDescriptionSpec defines the desired state of APIDescription properties: auth_type: description: AuthType displays as a badge next to the name of the API enum: - keyless - jwt - oauth - authToken type: string config: description: 'Config allows you to optionally override various fields in the PortalConfig. TODO: This is an advanced capability which has not been fully tested with Tyk Operator as yet.' properties: catalogue_login_only: description: CatalogueLoginOnly limits access to catalogues for login users only. type: boolean dcr_options: description: DCROptions dynamic client registration options. properties: access_token: description: AccessToken represents an optional bearer token to authenticate with against the registration endpoint type: string grant_types: description: GrantTypes is an array of OAuth 2.0 grant type strings that the client can use at the token endpoint. items: enum: - client_credentials - authorization_code - refresh_token type: string type: array idp_host: description: IDPHost is the fully qualified hostname of the Identity Provider. e.g. https://mysubdomain.eu.auth0.com type: string provider: description: Provider is an optional enum of the provider which allows Tyk to register clients outside the standard DCR spec and perform provider specific logic. If your provider is not in this list, please omit. Upon failure, submit a support ticket so that we may extend support for your provider. 
enum: - gluu - keycloak - okta type: string registration_endpoint: description: RegistrationEndpoint is the registration_endpoint as presented in the /.well-known/openid-configuration document. type: string response_types: description: ResponseTypes is an array of OAuth 2.0 response type strings that the client can use at the authorization endpoint. items: enum: - code - token type: string type: array token_endpoint_auth_method: description: 'TokenEndpointAuthMethod is an indicator of the requested authentication method for the token endpoint. "none": The client is a public client and does not have a client secret. "client_secret_post": The client uses the HTTP POST parameters. "client_secret_basic": The client uses HTTP Basic authentication.' enum: - client_secret_basic - client_secret_post - client_secret_jwt - private_key_jwt - none type: string required: - grant_types - idp_host - registration_endpoint - token_endpoint_auth_method type: object disable_auto_login: type: boolean disable_login: description: DisableLogin disables login on the developer portal. If you do not want developers to be able to log in, set this value to true. You can use this configuration option in the portal templates to display or hide the login form as well as disabling the actual login method. type: boolean disable_signup: description: DisableSignup stops developer sign-up to the portal. This will stop developers from being able to sign up; they will need to be created manually, or assigned keys via the key management API. type: boolean email: type: string enable_dcr: description: EnableDCR activates dynamic client registration. type: boolean enable_multi_selection: description: EnableMultiSelection enables subscribing to multiple APIs with a single key. The user will be able to subscribe to any combination of exposed catalogues of the same authentication type type: boolean id: description: Set by the server. DO NOT set this field; it is read only.
type: string key_request_fields: description: KeyRequestFields is a slice of fields which are asked of the portal developer when requesting an api key items: type: string type: array mail_options: properties: email_copy: properties: key_email: properties: body: type: string enabled: type: boolean hide_token_data: type: boolean sign_off: type: string subject: type: string required: - body - enabled - hide_token_data - sign_off - subject type: object reset_password_email: properties: body: type: string enabled: type: boolean hide_token_data: type: boolean sign_off: type: string subject: type: string required: - body - enabled - hide_token_data - sign_off - subject type: object welcome_email: properties: body: type: string enabled: type: boolean hide_token_data: type: boolean sign_off: type: string subject: type: string required: - body - enabled - hide_token_data - sign_off - subject type: object required: - key_email - reset_password_email - welcome_email type: object mail_from_email: type: string mail_from_name: type: string required: - email_copy - mail_from_email - mail_from_name type: object oauth_usage_limit: description: OAuthUsageLimit is the maximum permitted number of OAuth clients type: integer org_id: description: OrgID is the organization ID type: string override: description: Override overrides global settings. These Catalogue settings are currently being overwritten by the Global Catalogue settings. Toggle the checkbox below to override them for this Catalogue. type: boolean redirect_on_key_request: description: RedirectOnKeyRequest redirects key requests. When set to true it will redirect key requests to the URL specified in the RedirectTo field type: boolean redirect_to: description: RedirectTo is a URL used to redirect key requests type: string require_key_approval: description: RequireKeyApproval requires reviewing of all key requests before approving them. By default developers will auto-enroll into an API and be given an API key.
If you wish to review key requests before giving developers access to the API, enable this option and you will need to approve them manually in the 'Key requests' section of the dashboard. type: boolean secure_key_approval: description: SecureKeyApproval enables secure key approval. By default, API keys, when approved, are sent in an email to the developer. By enabling this option, the developer will instead receive a link where they can go to generate the API key securely type: boolean signup_fields: description: SignUpFields is a slice of fields which are asked of the portal developer when they register for an account items: type: string type: array type: object contextRef: properties: name: description: k8s resource name type: string namespace: description: The k8s namespace of the resource being targeted. When omitted, this will be set to the namespace of the object that is being reconciled. type: string required: - name type: object docs: properties: doc_type: enum: - swagger - swagger_custom_url - graphql type: string documentation: type: string required: - doc_type type: object documentation: description: Do not set Documentation. Use `docs` instead. type: string fields: additionalProperties: type: string description: Fields is a generic map of key:value pairs. You may wish to use this to tag a catalogue as type:internal or type:public, then apply logic at the template layer to dynamically display catalogue apis to different user types. type: object is_keyless: description: IsKeyless toggles visibility of the `Request an API Key` button. Use this when AuthType is keyless, jwt or oauth. type: boolean long_description: description: LongDescription can be markdown. It allows you to describe the capabilities of the API and is displayed just below the name and AuthType in the catalogue listing page.
type: string name: description: Name is the title of the API that you wish to be published to the catalogue type: string policy_id: description: PolicyID explicitly sets the policy_id to be published. We do not recommend that this value is set directly. Rather, use `policyRef` instead. type: string policyRef: properties: name: description: k8s resource name type: string namespace: description: The k8s namespace of the resource being targeted. When omitted, this will be set to the namespace of the object that is being reconciled. type: string required: - name type: object short_description: description: 'TODO: I don''t think this is exposed to the default portal templates.' type: string show: description: Show toggles visibility of the API in the portal catalogue type: boolean version: default: v2 description: Version should always be v2 enum: - v2 type: string type: object status: description: APIDescriptionStatus defines the observed state of APIDescription type: object type: object served: true storage: true subresources: status: {} status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.1 creationTimestamp: null name: operatorcontexts.tyk.tyk.io spec: group: tyk.tyk.io names: kind: OperatorContext listKind: OperatorContextList plural: operatorcontexts singular: operatorcontext scope: Namespaced versions: - name: v1alpha1 schema: openAPIV3Schema: description: OperatorContext is the Schema for the operatorcontexts API properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: OperatorContextSpec defines the desired state of OperatorContext properties: env: description: Env holds the values of the admin API endpoint that the operator will use to reconcile resources properties: auth: type: string ingress: properties: httpPort: type: integer httpsPort: type: integer type: object insecureSkipVerify: type: boolean mode: description: OperatorContextMode is the mode in which the admin API binding is done; values are ce for community edition and pro for dashboard enum: - ce - pro type: string org: type: string url: type: string type: object secretRef: description: Reference to the k8s secret resource that we load the environment from. properties: name: description: k8s resource name type: string namespace: description: The k8s namespace of the resource being targeted. When omitted, this will be set to the namespace of the object that is being reconciled. type: string required: - name type: object type: object status: description: OperatorContextStatus defines the observed state of OperatorContext properties: linked_api_definitions: items: properties: name: description: k8s resource name type: string namespace: description: The k8s namespace of the resource being targeted. When omitted, this will be set to the namespace of the object that is being reconciled. type: string required: - name type: object type: array linked_api_descriptions: items: properties: name: description: k8s resource name type: string namespace: description: The k8s namespace of the resource being targeted.
When omitted, this will be set to the namespace of the object that is being reconciled. type: string required: - name type: object type: array linked_portal_catalogues: items: properties: name: description: k8s resource name type: string namespace: description: The k8s namespace of the resource being targeted. When omitted, this will be set to the namespace of the object that is being reconciled. type: string required: - name type: object type: array linked_portal_configs: items: properties: name: description: k8s resource name type: string namespace: description: The k8s namespace of the resource being targeted. When omitted, this will be set to the namespace of the object that is being reconciled. type: string required: - name type: object type: array linked_security_policies: items: properties: name: description: k8s resource name type: string namespace: description: The k8s namespace of the resource being targeted. When omitted, this will be set to the namespace of the object that is being reconciled. type: string required: - name type: object type: array type: object type: object served: true storage: true subresources: status: {} status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.1 creationTimestamp: null name: portalapicatalogues.tyk.tyk.io spec: group: tyk.tyk.io names: kind: PortalAPICatalogue listKind: PortalAPICatalogueList plural: portalapicatalogues shortNames: - tykcatalogues singular: portalapicatalogue scope: Namespaced versions: - additionalPrinterColumns: - jsonPath: .status.id name: ID type: string name: v1alpha1 schema: openAPIV3Schema: description: PortalAPICatalogue is the Schema for the portalapicatalogues API properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: PortalAPICatalogueSpec defines the desired state of PortalAPICatalogue properties: apis: description: APIDescriptionList is a list of PortalCatalogueDescription published on this PortalAPICatalogue items: properties: apiDescriptionRef: properties: name: description: k8s resource name type: string namespace: description: The k8s namespace of the resource being targeted. When omitted, this will be set to the namespace of the object that is being reconciled. type: string required: - name type: object auth_type: description: AuthType displays as a badge next to the name of the API enum: - keyless - jwt - oauth - authToken type: string config: description: 'Config allows you to optionally override various fields in the PortalConfig. TODO: This is an advanced capability which has not been fully tested with Tyk Operator as yet.' properties: catalogue_login_only: description: CatalogueLoginOnly limits access to catalogues for login users only. type: boolean dcr_options: description: DCROptions dynamic client registration options. properties: access_token: description: AccessToken represents an optional bearer token to authenticate with against the registration endpoint type: string grant_types: description: GrantTypes is an array of OAuth 2.0 grant type strings that the client can use at the token endpoint.
items: enum: - client_credentials - authorization_code - refresh_token type: string type: array idp_host: description: IDPHost is the fully qualified hostname of the Identity Provider. e.g. https://mysubdomain.eu.auth0.com type: string provider: description: Provider is an optional enum of the provider which allows Tyk to register clients outside the standard DCR spec and perform provider specific logic. If your provider is not in this list, please omit. Upon failure, submit a support ticket so that we may extend support for your provider. enum: - gluu - keycloak - okta type: string registration_endpoint: description: RegistrationEndpoint is the registration_endpoint as presented in the /.well-known/openid-configuration document. type: string response_types: description: ResponseTypes is an array of OAuth 2.0 response type strings that the client can use at the authorization endpoint. items: enum: - code - token type: string type: array token_endpoint_auth_method: description: 'TokenEndpointAuthMethod is an indicator of the requested authentication method for the token endpoint. "none": The client is a public client and does not have a client secret. "client_secret_post": The client uses the HTTP POST parameters. "client_secret_basic": The client uses HTTP Basic authentication.' enum: - client_secret_basic - client_secret_post - client_secret_jwt - private_key_jwt - none type: string required: - grant_types - idp_host - registration_endpoint - token_endpoint_auth_method type: object disable_auto_login: type: boolean disable_login: description: DisableLogin disables login on the developer portal. If you do not want developers to be able to log in, set this value to true. You can use this configuration option in the portal templates to display or hide the login form as well as disabling the actual login method.
type: boolean disable_signup: description: DisableSignup stops developer sign-up to the portal. This will stop developers from being able to sign up; they will need to be created manually, or assigned keys via the key management API. type: boolean email: type: string enable_dcr: description: EnableDCR activates dynamic client registration. type: boolean enable_multi_selection: description: EnableMultiSelection enables subscribing to multiple APIs with a single key. The user will be able to subscribe to any combination of exposed catalogues of the same authentication type type: boolean id: description: Set by the server. DO NOT set this field; it is read only. type: string key_request_fields: description: KeyRequestFields is a slice of fields which are asked of the portal developer when requesting an api key items: type: string type: array mail_options: properties: email_copy: properties: key_email: properties: body: type: string enabled: type: boolean hide_token_data: type: boolean sign_off: type: string subject: type: string required: - body - enabled - hide_token_data - sign_off - subject type: object reset_password_email: properties: body: type: string enabled: type: boolean hide_token_data: type: boolean sign_off: type: string subject: type: string required: - body - enabled - hide_token_data - sign_off - subject type: object welcome_email: properties: body: type: string enabled: type: boolean hide_token_data: type: boolean sign_off: type: string subject: type: string required: - body - enabled - hide_token_data - sign_off - subject type: object required: - key_email - reset_password_email - welcome_email type: object mail_from_email: type: string mail_from_name: type: string required: - email_copy - mail_from_email - mail_from_name type: object oauth_usage_limit: description: OAuthUsageLimit is the maximum permitted number of OAuth clients type: integer org_id: description: OrgID is the organization ID type: string override: description: Override overrides global settings.
These Catalogue settings are currently being overwritten by the Global Catalogue settings. Toggle the checkbox below to override them for this Catalogue. type: boolean redirect_on_key_request: description: RedirectOnKeyRequest redirects key requests. When set to true it will redirect key requests to the URL specified in the RedirectTo field type: boolean redirect_to: description: RedirectTo is a URL used to redirect key requests type: string require_key_approval: description: RequireKeyApproval requires reviewing of all key requests before approving them. By default developers will auto-enroll into an API and be given an API key. If you wish to review key requests before giving developers access to the API, enable this option and you will need to approve them manually in the 'Key requests' section of the dashboard. type: boolean secure_key_approval: description: SecureKeyApproval enables secure key approval. By default, API keys, when approved, are sent in an email to the developer. By enabling this option, the developer will instead receive a link where they can go to generate the API key securely type: boolean signup_fields: description: SignUpFields is a slice of fields which are asked of the portal developer when they register for an account items: type: string type: array type: object docs: properties: doc_type: enum: - swagger - swagger_custom_url - graphql type: string documentation: type: string required: - doc_type type: object documentation: description: Do not set Documentation. Use `docs` instead. type: string fields: additionalProperties: type: string description: Fields is a generic map of key:value pairs. You may wish to use this to tag a catalogue as type:internal or type:public, then apply logic at the template layer to dynamically display catalogue apis to different user types. type: object is_keyless: description: IsKeyless toggles visibility of the `Request an API Key` button. Use this when AuthType is keyless, jwt or oauth.
type: boolean long_description: description: LongDescription can be markdown. It allows you to describe the capabilities of the API and is displayed just below the name and AuthType in the catalogue listing page. type: string name: description: Name is the title of the API that you wish to be published to the catalogue type: string policy_id: description: PolicyID explicitly sets the policy_id to be published. We do not recommend that this value is set directly. Rather, use `policyRef` instead. type: string policyRef: properties: name: description: k8s resource name type: string namespace: description: The k8s namespace of the resource being targeted. When omitted, this will be set to the namespace of the object that is being reconciled. type: string required: - name type: object short_description: description: 'TODO: I don''t think this is exposed to the default portal templates.' type: string show: description: Show toggles visibility of the API in the portal catalogue type: boolean version: default: v2 description: Version should always be v2 enum: - v2 type: string type: object type: array contextRef: description: Context is a reference to an OperatorContext resource. Set this if you want to target a specific OperatorContext. When omitted, the default OperatorContext is used. properties: name: description: k8s resource name type: string namespace: description: The k8s namespace of the resource being targeted. When omitted, this will be set to the namespace of the object that is being reconciled.
type: string required: - name type: object email: description: Email is the catalogue owner's email address. The catalogue owner will be notified at this email address when an API subscription request is submitted or granted type: string org_id: description: OrgID is the organization ID type: string type: object status: description: PortalAPICatalogueStatus defines the observed state of PortalAPICatalogue properties: id: description: ID is the mongo ID of the PortalAPICatalogue object created by the dashboard. type: string type: object type: object served: true storage: true subresources: status: {} status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.1 creationTimestamp: null name: portalconfigs.tyk.tyk.io spec: group: tyk.tyk.io names: kind: PortalConfig listKind: PortalConfigList plural: portalconfigs singular: portalconfig scope: Namespaced versions: - name: v1alpha1 schema: openAPIV3Schema: description: PortalConfig is the Schema for the portalconfigs API properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: PortalConfigSpec defines the desired state of PortalConfig properties: catalogue_login_only: description: CatalogueLoginOnly limits access to catalogues for login users only. type: boolean contextRef: properties: name: description: k8s resource name type: string namespace: description: The k8s namespace of the resource being targeted. When omitted, this will be set to the namespace of the object that is being reconciled. type: string required: - name type: object dcr_options: description: DCROptions dynamic client registration options. properties: access_token: description: AccessToken represents an optional bearer token to authenticate with against the registration endpoint type: string grant_types: description: GrantTypes is an array of OAuth 2.0 grant type strings that the client can use at the token endpoint. items: enum: - client_credentials - authorization_code - refresh_token type: string type: array idp_host: description: IDPHost is the fully qualified hostname of the Identity Provider. e.g. https://mysubdomain.eu.auth0.com type: string provider: description: Provider is an optional enum of the provider which allows Tyk to register clients outside the standard DCR spec and perform provider specific logic. If your provider is not in this list, please omit. Upon failure, submit a support ticket so that we may extend support for your provider. enum: - gluu - keycloak - okta type: string registration_endpoint: description: RegistrationEndpoint is the registration_endpoint as presented in the /.well-known/openid-configuration document. type: string response_types: description: ResponseTypes is an array of OAuth 2.0 response type strings that the client can use at the authorization endpoint.
items: enum: - code - token type: string type: array token_endpoint_auth_method: description: 'TokenEndpointAuthMethod is an indicator of the requested authentication method for the token endpoint. "none": The client is a public client and does not have a client secret. "client_secret_post": The client uses the HTTP POST parameters. "client_secret_basic": The client uses HTTP Basic authentication.' enum: - client_secret_basic - client_secret_post - client_secret_jwt - private_key_jwt - none type: string required: - grant_types - idp_host - registration_endpoint - token_endpoint_auth_method type: object disable_auto_login: type: boolean disable_login: description: DisableLogin disables login on the developer portal. If you do not want developers to be able to log in, set this value to true. You can use this configuration option in the portal templates to display or hide the login form as well as disabling the actual login method. type: boolean disable_signup: description: DisableSignup stops developer sign-up to the portal. This will stop developers from being able to sign up; they will need to be created manually, or assigned keys via the key management API. type: boolean email: type: string enable_dcr: description: EnableDCR activates dynamic client registration. type: boolean enable_multi_selection: description: EnableMultiSelection enables subscribing to multiple APIs with a single key. The user will be able to subscribe to any combination of exposed catalogues of the same authentication type type: boolean id: description: Set by the server. DO NOT set this field; it is read only.
type: string key_request_fields: description: KeyRequestFields is a slice of fields which are asked of the portal developer when requesting an api key items: type: string type: array mail_options: properties: email_copy: properties: key_email: properties: body: type: string enabled: type: boolean hide_token_data: type: boolean sign_off: type: string subject: type: string required: - body - enabled - hide_token_data - sign_off - subject type: object reset_password_email: properties: body: type: string enabled: type: boolean hide_token_data: type: boolean sign_off: type: string subject: type: string required: - body - enabled - hide_token_data - sign_off - subject type: object welcome_email: properties: body: type: string enabled: type: boolean hide_token_data: type: boolean sign_off: type: string subject: type: string required: - body - enabled - hide_token_data - sign_off - subject type: object required: - key_email - reset_password_email - welcome_email type: object mail_from_email: type: string mail_from_name: type: string required: - email_copy - mail_from_email - mail_from_name type: object oauth_usage_limit: description: OAuthUsageLimit is the maximum permitted number of OAuth clients type: integer org_id: description: OrgID is the organization ID type: string override: description: Override overides global settings. These Catalogue settings are currently being overwritten by the Global Catalogue settings. Toggle the checkbox below to override them for this Catalogue. type: boolean redirect_on_key_request: description: RedirectOnKeyRequest redirects key requests. WHen set to true it will redirect key requests to the url specified in RedirectTo field type: boolean redirect_to: description: RedirectTo is a url used to redirect key requests type: string require_key_approval: description: RequireKeyApproval requires reviewing of all key requests before approving them. By default developers will auto-enroll into an API and be given an API key. 
If you wish to review key requests before giving developers access to the API, enable this option and you will manually need to approve them in the 'Key requests' section of the dashboard. type: boolean secure_key_approval: description: SecureKeyApproval enables Secure key approval.By default, API keys when approved are sent in an email to the Developer. By enabling this option, the Developer will instead receive a link where they can go to generate the API key securely type: boolean signup_fields: description: SignUpFields is a slice of fields which are asked of the portal developer when they register for an account items: type: string type: array type: object status: description: PortalConfigStatus defines the observed state of PortalConfig properties: id: type: string type: object type: object served: true storage: true subresources: status: {} status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) controller-gen.kubebuilder.io/version: v0.4.1 name: securitypolicies.tyk.tyk.io spec: group: tyk.tyk.io names: kind: SecurityPolicy listKind: SecurityPolicyList plural: securitypolicies shortNames: - tykpolicies singular: securitypolicy scope: Namespaced versions: - name: v1alpha1 schema: openAPIV3Schema: description: SecurityPolicy is the Schema for the securitypolicies API properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. 
Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: SecurityPolicySpec defines the desired state of SecurityPolicy properties: _id: description: MID ("_id") is generated by Tyk once the resource is created. Do NOT fill this in. type: string access_rights: additionalProperties: description: from tyk/session.go AccessDefinition defines which versions of an API a key has access to properties: allowance_scope: description: RestrictedTypes []graphql.Type `json:"restricted_types"` Limit APILimit `json:"limit,omitempty"` type: string allowed_urls: items: description: AccessSpecs define what URLS a user has access to an what methods are enabled properties: methods: items: type: string type: array url: type: string required: - methods - url type: object type: array api_id: description: 'TODO: APIID should not really be needed, as is auto-set from the APIDefnition Resource' type: string api_name: description: 'TODO: APIName should not really be needed, as is auto-set from the APIDefnition Resource' type: string name: description: Name of the ApiDefinition resource to target type: string namespace: description: Namespace of the ApiDefinition resource to target type: string versions: items: type: string type: array required: - name - namespace type: object type: object access_rights_array: items: description: from tyk/session.go AccessDefinition defines which versions of an API a key has access to properties: allowance_scope: description: RestrictedTypes []graphql.Type `json:"restricted_types"` Limit APILimit `json:"limit,omitempty"` type: string allowed_urls: items: description: AccessSpecs define what URLS a user has access to an what methods are enabled properties: methods: items: type: string type: array url: type: string required: - methods - url type: object type: array api_id: description: 'TODO: APIID should not really be 
needed, as is auto-set from the APIDefnition Resource' type: string api_name: description: 'TODO: APIName should not really be needed, as is auto-set from the APIDefnition Resource' type: string name: description: Name of the ApiDefinition resource to target type: string namespace: description: Namespace of the ApiDefinition resource to target type: string versions: items: type: string type: array required: - name - namespace type: object type: array active: description: Active must be set to `true` for Tyk to load the security policy into memory. type: boolean contextRef: description: Reference to k8s secret resource that we load environment from. properties: name: description: k8s resource name type: string namespace: description: The k8s namespace of the resource being targetted. When omitted this will be set to the namespace of the object that is being reconciled. type: string required: - name type: object enable_http_signature_validation: type: boolean hmac_enabled: type: boolean id: description: If you are linking an existing Policy ID to a new YAML CRD, then fill in this ID field with the "_id" field. See policies.md readme for more info type: string is_inactive: description: IsInactive applies to the key itself. Allows enabling or disabling the policy without deleting it. type: boolean key_expires_in: description: KeyExpiresIn is the number of seconds till key expiry. For 1 hour is 3600. 
Default never expire or 0 format: int64 type: integer max_query_depth: description: Max depth of a GraphQL query type: integer meta_data: additionalProperties: type: string description: LastUpdated string `json:"last_updated"` type: object name: description: Name represents the name of the security policy as displayed in the Dashboard type: string org_id: description: OrgID is overwritten - no point setting this type: string partitions: properties: acl: type: boolean complexity: type: boolean per_api: type: boolean quota: type: boolean rate_limit: type: boolean type: object per: description: To be used in conjunction with "Rate". Per seconds. 1 minute=60. 1 hour=3600 omit or "-1" for unlimited format: int64 type: integer quota_max: description: Value of Quota allowed, omit or "-1" for unlimited format: int64 type: integer quota_renewal_rate: description: Value reset length, in seconds, omit or "-1" for unlimited format: int64 type: integer rate: description: Rate limit per X seconds (x="Per"), omit or "-1" for unlimited format: int64 type: integer state: description: 'State can be active, draft or deny active: All keys are active and new keys can be created. draft: All keys are active but no new keys can be created. deny: All keys are deactivated and no keys can be created.' enum: - active - draft - deny type: string tags: description: Custom tags to apply to the key, get transfered to the analytics items: type: string type: array throttle_interval: description: If rate limited, how many seconds to retry a request for. omit or "-1" for unlimited format: int64 type: integer throttle_retry_limit: description: Number of retries before returning error. 
omit or "-1" for unlimited type: integer required: - active - name - state type: object status: description: SecurityPolicyStatus defines the observed state of SecurityPolicy properties: pol_id: type: string required: - pol_id type: object type: object served: true storage: true subresources: status: {} status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: []