"Attempted administrative access with invalid or missing key!\"}\n"

Hello,
I apply the following apidefinition.

apiVersion: tyk.tyk.io/v1alpha1

kind: ApiDefinition

metadata:

  name: genel

  labels:

    template: "true"

spec:

  name: basit1

  protocol: http

  use_keyless: true

  active: true

  proxy:

    target_url: http://httpbin.default.svc.cluster.local

    strip_listen_path: true

  version_data:

    default_version: Default

    not_versioned: true

    versions:

      Default:

        name: Default

        paths:

          black_list: []

          ignored: []

          white_list: []

There is no any problem displays.
Then I apply the following ingress .

apiVersion: v1

kind: Service

metadata:

  name: httpbin

  labels:

    app: httpbin

spec:

  ports:

    - name: http

      port: 80

      targetPort: 80

  selector:

    app: httpbin

---

apiVersion: apps/v1

kind: Deployment

metadata:

  name: httpbin

spec:

  replicas: 1

  selector:

    matchLabels:

      app: httpbin

      version: v1

  template:

    metadata:

      labels:

        app: httpbin

        version: v1

    spec:

      containers:

        - image: docker.io/kennethreitz/httpbin

          imagePullPolicy: IfNotPresent

          name: httpbin

          ports:

            - containerPort: 80

---

apiVersion: networking.k8s.io/v1

kind: Ingress

metadata:

  name: httpbin-ingress

  annotations:

    kubernetes.io/ingress.class: tyk

    tyk.io/template: genel

spec:

  rules:

    - host: tyk-eks-dev-9892616921.eu-central-1.elb.amazonaws.com

      http:

        paths:

          - path: /httpbin # host + path routing: http://httpbin.ahmet/httpbin

            pathType: Prefix

            backend:

              service:

                name: httpbin

                port:

                  number: 80

When I apply the ingress above, “k apply -f appandingress.yaml” the following error is displayed.

{"level":"info","ts":1632725267.2816408,"logger":"controllers.ApiDefinition","msg":"Forbidden","ApiDefinition":"default/default-httpbin-ingress-6ca0a8e8a","body":"{\"status\":\"error\",\"message\":\"Attempted administrative access with invalid or missing key!\"}\n"}
{"level":"error","ts":1632725267.2816477,"logger":"controllers.ApiDefinition","msg":"Failed to create api definition","ApiDefinition":"default/default-httpbin-ingress-6ca0a8e8a","error":"Failed api call","stacktrace":"github.com/TykTechnologies/tyk-operator/controllers.(*ApiDefinitionReconciler).Reconcile.func1\n\t/workspace/controllers/apidefinition_controller.go:148\nsigs.k8s.io/controller-runtime/pkg/controller/controllerutil.mutate\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/controller/controllerutil/controllerutil.go:341\nsigs.k8s.io/controller-runtime/pkg/controller/controllerutil.CreateOrUpdate\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/controller/controllerutil/controllerutil.go:213\ngithub.com/TykTechnologies/tyk-operator/controllers.(*ApiDefinitionReconciler).Reconcile\n\t/workspace/controllers/apidefinition_controller.go:90\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:298\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:253\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:214"}
{"level":"error","ts":1632725267.2817264,"logger":"controller-runtime.manager.controller.apidefinition","msg":"Reconciler error","reconciler group":"tyk.tyk.io","reconciler kind":"ApiDefinition","name":"default-httpbin-ingress-6ca0a8e8a","namespace":"default","error":"Failed api call","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:253\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:214"}

Am I missing something?

Reagrds

Hello @tirelibirefe, hope you are doing great !!!

The error message "msg":"Forbidden","ApiDefinition":"default/default-httpbin-ingress-6ca0a8e8a","body":"{\"status\":\"error\",\"message\":\"Attempted administrative access with invalid or missing key!\"}\n"} says that you don’t have the necessary right privileges to access/refer the apis definition via the gateway.

The above error log message can be due to the wrong secret value passed to the parameter “TYK_AUTH” while creating the secret “tyk-operator-conf” as a pre-requisite before installing the operator.

Make sure the value of TYK_AUTH from tyk-operator-conf secret matches with the APISecret value from secrets-tyk-*** secret resource.

*** - can be pro or ce depending on your gateway installation .

Hope this helps !!!

It looks like the password is correct:

image1152×82 9.16 KB

kubectl get secret/tyk-operator-conf -n tyk-operator-system -o json | jq '.data' 
{
  "TYK_AUTH": "dHlrMTIz",
  "TYK_MODE": "b3Nz",
  "TYK_ORG": "a3U=",
  "TYK_TLS_INSECURE_SKIP_VERIFY": "dHJ1ZQ==",
  "TYK_URL": "aHR0cDovL2dhdGV3YXktc3ZjLXR5ay1jZS10eWstaGVhZGxlc3MudHlrLnN2Yy5jbHVzdGVyLmxvY2FsOjQ0Mw=="     
}

also

tyk123 >>> dHlrMTIz

Hello @tirelibirefe, yes your password is correct here but I spotted that your value of “TYK_MODE” from tyk-operator-conf is b3Nz >>> oss which is not correct. The value of TYK_MODE should be either ce or pro depending on your installation.

ce - Tyk Open Source mode

pro - Tyk Pro mode

In this case, since you are using a OSS gateway the value of TYK_MODE should be corrected to ce >>> Y2U= . Once you correct the secret value, restart the operator pod to pick up the changes from the secret and hopefully this should fix the issue.

thank you @Cherry it fixed the problem. I am very appreciated.

Now my second problem:
same app, same service, same tyk…

here is my ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: httpbin-ingress
  annotations:
    kubernetes.io/ingress.class: tyk
    tyk.io/template: httpbin
spec:
  rules:
    - host: tyk-eks-dev-5559379f91189a4c.elb.eu-central-1.amazonaws.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: httpbin
                port:
                  number: 80
          - path: /httpbin
            pathType: Prefix
            backend:
              service:
                name: httpbin
                port:
                  number: 80

No response.

image906×365 13 KB

image1113×197 16.7 KB

I’m still missing something…