Merge branch 'main' into fix/TT-9524/remove_duplicate_fields

components/tyk-bootstrap/templates/bootstrap-post-install.yaml

@@ -81,6 +81,8 @@ spec:
               {{- else }}
               value: "dashboard-svc-tyk-dashboard"
               {{- end }}
+            - name: TYK_DASHBOARD_INSECURE_SKIP_VERIFY
+              value: {{ default "false" .Values.bootstrap.dashboard.sslInsecureSkipVerify | quote }}
             - name: TYK_DB_LISTENPORT
               value: "{{ .Values.global.servicePorts.dashboard }}"
             - name: TYK_DB_LICENSEKEY

components/tyk-bootstrap/values.yaml

@@ -67,6 +67,8 @@ bootstrap:
     enabled: true
     # Name of the deployment that we want to bootstrap
     deploymentName: dashboard-tyk-dashboard
+    # Skip validating the SSL certificates. Usually needed when using self-signed certs.
+    sslInsecureSkipVerify: false
     # Specify if dashboard has custom service name.
     serviceName: ""
   portal:

components/tyk-dashboard/templates/deployment-dashboard.yaml

@@ -82,8 +82,6 @@ spec:
             value: "{{ .Values.dashboard.homeDir }}"
           - name: "TYK_DB_USESHARDEDANALYTICS"
             value: "{{ .Values.dashboard.useShardedAnalytics }}"
-          - name: "TYK_DB_ENABLEAGGREGATELOOKUPS"
-            value: "{{ .Values.dashboard.enableAggregateLookups }}"
           - name: "TYK_DB_ENABLEANALYTICSCACHE"
             value: "{{ .Values.dashboard.enableAnalyticsCache }}"
           - name: "TYK_DB_ALLOWEXPLICITPOLICYID"
@@ -154,6 +152,12 @@ spec:
 
           - name: TYK_DB_HTTPSERVEROPTIONS_USESSL
             value: "{{ .Values.global.tls.dashboard }}"
+          - name: TYK_DB_HTTPSERVEROPTIONS_MINVERSION
+            value: "771"
+          - name: TYK_DB_HTTPSERVEROPTIONS_CERTIFICATES
+            value: '{{ .Values.dashboard.tls.certificates | toJson }}'
+          - name: TYK_DB_HTTPSERVEROPTIONS_SSLINSECURESKIPVERIFY
+            value: {{ default "false" .Values.dashboard.tls.insecureSkipVerify | quote }}
 
           - name: TYK_DB_HOSTCONFIG_HOSTNAME
             value: "{{ .Values.dashboard.hostName }}"
@@ -194,16 +198,22 @@ spec:
                 key: {{ include "tyk-dashboard.mongo_url_secret_key" . }}
           - name: TYK_DB_MONGOUSESSL
             value: "{{ default "false" .Values.global.mongo.useSSL }}"
+          - name: "TYK_DB_ENABLEAGGREGATELOOKUPS"
+            value: "{{ .Values.dashboard.enableAggregateLookups }}"
           {{ end }}
           {{- if .Values.dashboard.extraEnvs }}
-          {{- include "tyk-dashboard.tplvalues.render" ( dict "value" .Values.dashboard.extraEnvs "context" $ ) | nindent 10 }}
+          {{- include "tyk-dashboard.tplvalues.render" (dict "value" .Values.dashboard.extraEnvs "context" $) | nindent 10 }}
           {{- end }}
         resources:
 {{ toYaml .Values.dashboard.resources | indent 12 }}
         command: ["/opt/tyk-dashboard/tyk-analytics"]
         ports:
         - containerPort: {{ .Values.global.servicePorts.dashboard }}
         volumeMounts:
+          {{ if .Values.global.tls.dashboard }}
+          - name: {{ .Values.dashboard.tls.secretName }}
+            mountPath: {{ .Values.dashboard.tls.certificatesMountPath }}
+          {{ end }}
           {{- if .Values.dashboard.extraVolumeMounts }}
           {{- include "tyk-dashboard.tplvalues.render" (dict "value" .Values.dashboard.extraVolumeMounts "context" $) | nindent 10 }}
           {{- end }}
@@ -230,6 +240,11 @@ spec:
       {{- toYaml .Values.dashboard.securityContext | nindent 10 }}
       {{- end }}
       volumes:
+        {{ if .Values.global.tls.dashboard }}
+        - name: {{ .Values.dashboard.tls.secretName }}
+          secret:
+            secretName: {{ .Values.dashboard.tls.secretName }}
+        {{ end }}
         {{- if .Values.dashboard.extraVolumes }}
         {{- include "tyk-dashboard.tplvalues.render" (dict "value" .Values.dashboard.extraVolumes "context" $) | nindent 8 }}
         {{- end }}

components/tyk-dashboard/values.yaml

@@ -64,6 +64,10 @@ global:
     # variables in extraEnvs object array to define your SSL cert and key files.
     dashboard: false
 
+    # When true, it will install the certificate present in the templates folder, set to false when using
+    # a custom TLS certificate to avoid overwriting yours
+    useDefaultTykCertificate: true
+
   # Choose the storageType for Tyk. [ "mongo", "postgres" ]
   storageType: mongo
 
@@ -229,3 +233,15 @@ dashboard:
 
   # The hostname to bind the Dashboard to.
   hostName: tyk-dashboard.local
+
+  tls:
+    # The name of the secret which should contain the TLS certificate you want to use with the dashboard deployment
+    secretName: tyk-default-tls-secret
+    # This options allows you to skip verifying the TLS certificate. This is typically enabled when using self-signed certs.
+    insecureSkipVerify: false
+
+    certificatesMountPath: "/etc/certs/tyk-dashboard"
+    certificates:
+      - domain_name: "*"
+        cert_file: "/etc/certs/tyk-dashboard/tls.crt"
+        key_file: "/etc/certs/tyk-dashboard/tls.key"

components/tyk-enterprise-portal/templates/_helpers.tpl

@@ -49,3 +49,11 @@ Selector labels
 app.kubernetes.io/name: {{ include "tyk-enterprise-portal.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
+
+{{- define "tyk-enterprise-portal.tplvalues.render" -}}
+    {{- if typeIs "string" .value }}
+        {{- tpl .value .context }}
+    {{- else }}
+        {{- tpl (.value | toYaml) .context }}
+    {{- end }}
+{{- end -}}

components/tyk-enterprise-portal/templates/statefulset-enterprise-portal.yaml

@@ -209,6 +209,9 @@ spec:
             mountPath: /opt/portal/db
             subPath: db
           {{- end }}
+          {{- if .Values.extraVolumeMounts }}
+          {{- include "tyk-enterprise-portal.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 10 }}
+          {{- end }}
         livenessProbe:
           httpGet:
             scheme: "HTTP{{ if .Values.global.tls.enterprisePortal }}S{{ end }}"
@@ -228,12 +231,15 @@ spec:
           timeoutSeconds: 3
           failureThreshold: 3
 
-      {{- if and (eq .Values.kind "Deployment") .Values.storage.persistence.mountExistingPVC }}
       volumes:
+      {{- if and (eq .Values.kind "Deployment") .Values.storage.persistence.mountExistingPVC }}
       - name: enterprise-portal-pvc-{{ include "tyk-enterprise-portal.fullname" . }}
         persistentVolumeClaim:
           claimName: {{ .Values.storage.persistence.mountExistingPVC }}
       {{- end }}
+      {{- if .Values.extraVolumes }}
+      {{- include "tyk-enterprise-portal.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 6 }}
+      {{- end }}
 
       {{- if .Values.securityContext }}
       securityContext:

components/tyk-gateway/README.md

@@ -71,5 +71,5 @@ automatically enable TLS using the certificate provided under tyk-gateway/certs/
 If you want to use your own key/cert pair, you must follow the following steps:
 1. Create a tls secret using your cert and key pair.
 2. Set `global.tls.gateway`  to true.
-3. Set `gateway.tls.useDefaultTykCertificate` to false.
+3. Set `global.tls.useDefaultTykCertificate` to false.
 4. Set `gateway.tls.secretName` to the name of the newly created secret.

components/tyk-gateway/templates/deployment-gw-repset.yaml

@@ -220,7 +220,9 @@ spec:
           - name: TYK_GW_HTTPSERVEROPTIONS_MINVERSION
             value: "771"
           - name: TYK_GW_HTTPSERVEROPTIONS_CERTIFICATES
-            value: '[{"domain_name": "*", "cert_file": "/etc/certs/tls.crt", "key_file": "/etc/certs/tls.key"}]'
+            value: '{{ .Values.gateway.tls.certificates | toJson }}'
+          - name: TYK_GW_HTTPSERVEROPTIONS_SSLINSECURESKIPVERIFY
+            value: {{ default "false" .Values.gateway.tls.insecureSkipVerify | quote }}
           - name: TYK_GW_ALLOWINSECURECONFIGS
             value: "true"
           - name: TYK_GW_COPROCESSOPTIONS_ENABLECOPROCESS
@@ -264,7 +266,7 @@ spec:
         volumeMounts:
           {{ if .Values.global.tls.gateway }}
           - name: {{ .Values.gateway.tls.secretName }}
-            mountPath: /etc/certs
+            mountPath: {{ .Values.gateway.tls.certificatesMountPath }}
           {{ end }}
           - name: tyk-scratch
             mountPath: /mnt/tyk-gateway

components/tyk-gateway/templates/secret-certs.yaml

@@ -1,4 +1,4 @@
-{{ if and .Values.gateway.tls.useDefaultTykCertificate .Values.global.tls.gateway }}
+{{ if and .Values.global.tls.useDefaultTykCertificate .Values.global.tls.gateway }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -9,4 +9,4 @@ data:
     {{ .Files.Get "certs/tlsCert.pem" | b64enc }}
   tls.key: |-
     {{ .Files.Get "certs/tlsKey.pem" | b64enc }}
-{{ end }}
+{{ end }}

components/tyk-gateway/values.yaml

@@ -28,6 +28,10 @@ global:
     # - TYK_DB_SERVEROPTIONS_CERTIFICATE_KEYFILE
     # variables in extraEnvs object array to define your SSL cert and key files.
     dashboard: false
+
+    # When true, it will install the certificate present in the templates folder, set to false when using
+    # a custom TLS certificate to avoid overwriting yours
+    useDefaultTykCertificate: true
   components:
     dashboard: false
   secrets:
@@ -119,11 +123,16 @@ gateway:
   hostName: tyk-gw.local
 
   tls:
-    # When true, it will install the certificate present in the templates folder, set to false when using
-    # a custom TLS certificate to avoid overwriting yours
-    useDefaultTykCertificate: true
     # The name of the secret which should contain the TLS certificate you want to use with the gateway deployment
     secretName: tyk-default-tls-secret
+    # This options allows you to skip verifying the TLS certificate. This is typically enabled when using self-signed certs.
+    insecureSkipVerify: false
+
+    certificatesMountPath: "/etc/certs/tyk-gateway"
+    certificates:
+    - domain_name: "*"
+      cert_file: "/etc/certs/tyk-gateway/tls.crt"
+      key_file: "/etc/certs/tyk-gateway/tls.key"
 
   # kind is type of k8s object to be created for gateway.
   kind: Deployment

tyk-mdcb-data-plane/README.md

@@ -180,13 +180,14 @@ automatically enable TLS using the certificate provided under tyk-gateway/certs/
 
 *Configure TLS secret*
 
-If you want to use your own key/cert pair, please follow the following steps:
-1. Create a TLS secret using your cert and key pair.
-2. Set `global.tls.gateway` to true.
-3. Set `tyk-gateway.gateway.tls.useDefaultTykCertificate` to false.
-4. Set `tyk-gateway.gateway.tls.secretName` to the name of the newly created secret.
 
-*Add Custom Certificates*
+If you want to use your own key/cert pair, you must follow the following steps:
+1. Create a tls secret using your cert and key pair.
+2. Set `global.tls.gateway`  to true.
+3. Set `global.tls.useDefaultTykCertificate` to false.
+4. Set `gateway.tls.secretName` to the name of the newly created secret.
+
+5. *Add Custom Certificates*
 
 To add your custom Certificate Authority(CA) to your containers, you can mount your CA certificate directly into /etc/ssl/certs folder.
 

tyk-mdcb-data-plane/values.yaml

@@ -44,6 +44,10 @@ global:
     # When true, sets the gateway protocol to HTTPS.
     gateway: false
 
+    # When true, it will install the certificate present in the templates folder, set to false when using
+    # a custom TLS certificate to avoid overwriting yours
+    useDefaultTykCertificate: true
+
   secrets:
     # APISecret sets node_secret and secret in tyk.conf
     APISecret: CHANGEME
@@ -131,11 +135,16 @@ tyk-gateway:
     hostName: tyk-gw.local
 
     tls:
-      # When true, it will install the certificate present in the templates folder, set to false when using
-      # a custom TLS certificate to avoid overwriting yours
-      useDefaultTykCertificate: true
       # The name of the secret which should contain the TLS certificate you want to use with the gateway deployment
       secretName: tyk-default-tls-secret
+      # This options allows you to skip verifying the TLS certificate. This is typically enabled when using self-signed certs.
+      insecureSkipVerify: false
+
+      certificatesMountPath: "/etc/certs/tyk-gateway"
+      certificates:
+        - domain_name: "*"
+          cert_file: "/etc/certs/tyk-gateway/tls.crt"
+          key_file: "/etc/certs/tyk-gateway/tls.key"
 
     # kind is type of k8s object to be created for gateway.
     kind: Deployment

tyk-oss/README.md

@@ -181,6 +181,12 @@ To add your custom Certificate Authority(CA) to your containers, you can mount y
 
 Default service port of gateway is 8080. You can change this at `global.servicePorts.gateway`.
 
+If you want to use your own key/cert pair, you must follow the following steps:
+1. Create a tls secret using your cert and key pair.
+2. Set `.Values.global.tls.gateway`  to true.
+3. Set `.Values.global.tls.useDefaultTykCertificate` to false.
+4. Set `.Values.tyk-gateway.tls.secretName` to the name of the newly created secret.
+
 *Ingress*
 
 An Ingress resource is created if `tyk-gateway.gateway.ingress.enabled` is set to true.