Trying to play a round with API policies but nothing changed

I am trying to learn more about the security that tyk-oss provides, so I created a file named policies.json and am using this command to replace the one in the pod:

kubectl cp ./policies.json gateway-tyk-oss-tyk-gateway-8b59755-f5cfm:/mnt/tyk-gateway/policies/ -n tyk 

the policies.json content:

{
	"default": {
		"rate": 4,
		"per": 60,
		"quota_max": 100,
		"quota_renewal_rate": 60,
		"access_rights": {
			"1": {
				"api_name": "Keyless-HttpBin",
				"api_id": "1",
				"versions": [
					"Default"
				]
			}
		},
		"org_id": "default",
		"hmac_enabled": false
	}
}

The API I am deploying using Postman:

{
  "name": "Keyless-HttpBin",
  "api_id": "1",
  "org_id": "default",
  "use_keyless": true,
  "auth": {
    "auth_header_name": ""
  },
  "version_data": {
    "not_versioned": true,
    "versions": {
      "Default": {
        "name": "Default",
        "expires": "3000-01-02 15:04",
        "use_extended_paths": true,
        "extended_paths": {
          "ignored": [],
          "white_list": [],
          "black_list": []
        }
      }
    }
  },
  "proxy": {
    "listen_path": "/httpbin/",
    "target_url": "https://httpbin.org",
    "strip_listen_path": true
  },
  "active": true,
  "policies": {
    "policy_source": "file",
    "policy_path": "/mnt/tyk-gateway/policies/policies.json"
  }
}

When I test it, there is no limit and no policy change is applied; for example, I can make 1000 requests, not 4 per 60s.

In the Gateway logs - do you see that this policy was picked up? You can restart the Gateway to see the startup logs.

Also - I can see you're in k8s, is there a reason you're not using Tyk Operator to manage the Policies and API definitions? It's the native way to manage API configs in k8s.

I really haven't tried the Tyk Operator. Is there any good guidance for it? And how do I connect it with the tyk-oss gateway?

I checked the Tyk gateway logs and the policies are loaded correctly, but they are not working as expected.

The reason you're not seeing rate limiting being applied is because you have the API set to unauthenticated:

"use_keyless": true,

The API needs to be protected by auth, so that Tyk can use the auth method to generate an identity on clients in order to apply a rate limit to each identity.

Does that make sense?

And you can read about Tyk Operator here.
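The answer above describes the symptom that bites here: the Gateway logs say the policy loaded, but a keyless API gives Tyk no per-client identity, so nothing in the policy is enforced. The following is an added example, not code from the thread or from Tyk: a small pre-flight check that cross-references a file-based policies.json against the API definitions its access_rights name and flags that case, along with a few neighbouring mismatches (unknown api_id, unknown version, org_id disagreement). The sample input is the thread's own API definition and policies.json trimmed to the relevant fields. `protect_api()` shows the change that made rate limiting take effect; the `use_standard_auth` field and the `Authorization` header name are assumptions about Tyk's auth-token mode, not settings shown in the thread, so check them against the Tyk docs for your version.

```python
"""Added example: lint a file-based Tyk policies.json against the API
definitions it grants access to, flagging policies that can never be
enforced (most importantly: the target API is keyless)."""
import copy
import json

# Constructed sample input, trimmed from the thread's API definition and
# policies.json to the fields the check looks at.
API_DEF_JSON = """
{
  "name": "Keyless-HttpBin",
  "api_id": "1",
  "org_id": "default",
  "use_keyless": true,
  "auth": {"auth_header_name": ""},
  "version_data": {"not_versioned": true,
                   "versions": {"Default": {"name": "Default"}}},
  "proxy": {"listen_path": "/httpbin/", "target_url": "https://httpbin.org"},
  "active": true
}
"""

POLICIES_JSON = """
{
  "default": {
    "rate": 4, "per": 60, "quota_max": 100, "quota_renewal_rate": 60,
    "access_rights": {
      "1": {"api_name": "Keyless-HttpBin", "api_id": "1",
            "versions": ["Default"]}
    },
    "org_id": "default", "hmac_enabled": false
  }
}
"""


def lint_policies(api_defs, policies):
    """Return (policy_id, message) findings for problems that would make a
    policy silently do nothing against the APIs it names."""
    by_id = {a["api_id"]: a for a in api_defs}
    findings = []
    for pid, pol in policies.items():
        if pol.get("rate", 0) <= 0 or pol.get("per", 0) <= 0:
            findings.append((pid, "rate and per must both be positive"))
        for key, right in pol.get("access_rights", {}).items():
            api_id = right.get("api_id", key)
            api = by_id.get(api_id)
            if api is None:
                findings.append((pid, f"access_rights names unknown api_id {api_id!r}"))
                continue
            if key != api_id:
                findings.append((pid, f"access_rights key {key!r} != api_id {api_id!r}"))
            known = set(api.get("version_data", {}).get("versions", {}))
            missing = sorted(set(right.get("versions", [])) - known)
            if missing:
                findings.append((pid, f"api {api_id}: unknown versions {missing}"))
            # The thread's actual problem: no auth means no client identity,
            # so the policy's rate/quota has nothing to attach to.
            if api.get("use_keyless"):
                findings.append((pid, f"api {api_id} is keyless: no client identity, "
                                      "so rate/quota in this policy will not be enforced"))
            if api.get("org_id") != pol.get("org_id"):
                findings.append((pid, f"org_id mismatch: policy {pol.get('org_id')!r}, "
                                      f"api {api.get('org_id')!r}"))
    return findings


def protect_api(api, header="Authorization"):
    """Return a copy of the API definition switched from keyless to token auth.
    use_standard_auth and the Authorization header name are assumptions about
    Tyk's auth-token fields, not settings shown in the thread."""
    fixed = copy.deepcopy(api)
    fixed["use_keyless"] = False
    fixed["use_standard_auth"] = True
    fixed.setdefault("auth", {})["auth_header_name"] = header
    return fixed


def findings_for_sample():
    """Lint the thread's keyless API exactly as posted."""
    return lint_policies([json.loads(API_DEF_JSON)], json.loads(POLICIES_JSON))


def findings_after_fix():
    """Lint the same API after protect_api() has been applied."""
    api = protect_api(json.loads(API_DEF_JSON))
    return lint_policies([api], json.loads(POLICIES_JSON))


if __name__ == "__main__":
    for pid, msg in findings_for_sample():
        print(f"[{pid}] {msg}")
    print("after fix:", findings_after_fix())
```

Run it as a script to see the single "keyless" finding for the posted API and an empty list once the API requires a token; in practice you would feed it the output of the Gateway's API list and your policies file before applying either.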

OK, it worked, but now I have two questions.
First:
Why are the policies that are applied the ones in the Tyk key and not the ones in the policies file? For example, here the rate limit is 3 and in the policies file it is 4, but it gave priority to the one in the key.

{
  "quota_max": 0,
  "rate": 3,
  "per": 60,
  "org_id": "1",
  "access_rights": {
      "1": {
          "api_name": "keyless-httpbin",
          "api_id": "1",
          "versions": [
              "Default"
          ],
          "allowed_urls": [],
          "limit": null,
          "allowance_scope": ""
      }
    }
}

Second question:
When I try to get the keys using tyk/keys, I get an error:

{
    "status": "error",
    "message": "Hashed key listing is disabled in config (enable_hashed_keys_listing)"
}

but I am applying an extra env to the deployment process using

helm upgrade tyk-oss tyk-helm/tyk-oss -n tyk --devel \
  --install --wait \
  --set "global.redis.addrs[0]=tyk-redis-master.tyk.svc:6379" \
  --set global.redis.pass=$REDIS_PASSWORD \
  --set global.secrets.APISecret="$APISecret" \
  --set "tyk-gateway.extraEnvs[0].name=TYK_GW_ENABLEHASHEDKEYSLISTING" \
  --set "tyk-gateway.extraEnvs[0].value=true"

@sedky sorry to interrupt. I solved the first problem but couldn't solve the second. Any suggestions?

Have you enabled key hashing through the gateway config?

"hash_keys": true,
"enable_hashed_keys_listing": true,

How do I do that with a Helm deployment?
I don't use any local file like values.yaml.

Their corresponding environment variables are listed in the documentation linked. You only have to include them in the extraEnvs field if using Helm.

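The last reply says to put both settings into tyk-gateway.extraEnvs. Two details trip people up when doing that purely with `--set` flags, as in the helm command earlier in the thread: each entry needs its own index (the second variable goes to `extraEnvs[1]`; a second `extraEnvs[0]` would overwrite the first), and a container env value must be a string, so `--set-string` is the safer choice for `true` (plain `--set` parses it as a YAML boolean). The following added shell helper, not from the thread or the Tyk Helm chart, renders the flags for any number of gateway variables. `TYK_GW_ENABLEHASHEDKEYSLISTING` is the name used in the thread; `TYK_GW_HASHKEYS` for `hash_keys` is assumed from Tyk's `TYK_GW_<field without underscores>` naming convention, so confirm it in the linked documentation.

```shell
#!/usr/bin/env bash
# Added example: render helm --set-string flags that add gateway settings to
# tyk-gateway.extraEnvs with consecutive indexes.
set -eu

# Each argument is NAME=VALUE. Emits one flag per line, two flags per variable:
#   --set-string tyk-gateway.extraEnvs[N].name=NAME
#   --set-string tyk-gateway.extraEnvs[N].value=VALUE
tyk_gateway_env_sets() {
  i=0
  for kv in "$@"; do
    name=${kv%%=*}
    value=${kv#*=}
    # --set-string keeps "true" a string; a Kubernetes env value must be a
    # string, while plain --set would turn true into a YAML boolean.
    printf -- '--set-string\ntyk-gateway.extraEnvs[%d].name=%s\n' "$i" "$name"
    printf -- '--set-string\ntyk-gateway.extraEnvs[%d].value=%s\n' "$i" "$value"
    i=$((i + 1))
  done
}

# Usage with the thread's helm command (set -f stops the shell from trying to
# glob-expand the [0] / [1] in the rendered flags). TYK_GW_HASHKEYS is the
# assumed variable name for hash_keys; check it against the Tyk docs.
#   set -f
#   helm upgrade tyk-oss tyk-helm/tyk-oss -n tyk --devel --install --wait \
#     --set "global.redis.addrs[0]=tyk-redis-master.tyk.svc:6379" \
#     --set global.redis.pass="$REDIS_PASSWORD" \
#     --set global.secrets.APISecret="$APISecret" \
#     $(tyk_gateway_env_sets TYK_GW_HASHKEYS=true TYK_GW_ENABLEHASHEDKEYSLISTING=true)
#   set +f
```

After the upgrade, confirm the variables actually reached the container (for example with `kubectl -n tyk exec <gateway-pod> -- env | grep TYK_GW_`) before retrying the /tyk/keys call; if they are absent, the chart ignored or overwrote the entries and the Gateway is still running with the defaults.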