Tyk operator v1.20 does not support hmac related params

Branch/Environment/Version

  • Branch/Version: main
  • Environment: hybrid, MDCB
    tyk dashboard version: 5.10.2
    gateway version: 5.10.2

Describe the bug

We use GitOps to create Tyk APIs via the Operator. Below is our YAML configuration:

apiVersion: tyk.tyk.io/v1alpha1
kind: ApiDefinition
metadata:
  labels:
    app: hmac-test
    team: test
  name: hmac-test-hcre
  namespace: test1
spec:
  name: "hmac-test-hcre"
  protocol: http
  active: true
  tags: 
    - myidc
  enable_context_vars: true
  domain: a.com
  proxy:
    target_url: https://httpbin.org
    listen_path: /test1
    strip_listen_path: true
  definition:
    location: url
    strip_versioning_data: true
  enable_detailed_recording: true
  use_basic_auth: false
  use_keyless: false
  use_oauth2: false
  enable_signature_checking: true
  hmac_allowed_clock_skew: -1
  hmac_allowed_algorithms:
    - hmac-sha256
  auth_configs:
    hmac:
      auth_header_name: x-test-1
      signature:
        allowed_clock_skew: -1
  version_data:
    default_version: Default
    not_versioned: false
    versions:
      Default:
        name: Default
        expires: ""
        paths: {}
        use_extended_paths: false
        ignore_endpoint_case: false
        override_target: "https://httpbin.org/anything"
      v1:
        name: v1
        expires: ""
        paths: {}
        use_extended_paths: true
        ignore_endpoint_case: false
        override_target: "http://service-a.example.local:8000"
      v2:
        name: v2
        expires: ""
        paths: {}
        use_extended_paths: true
        ignore_endpoint_case: false
        override_target: "http://service-b.example.local:3030"
      v3:
        name: v3
        expires: ""
        paths: {}
        use_extended_paths: true
        ignore_endpoint_case: false
        override_target: "http://service-c.example.local:3030"
      v4:
        name: v4
        expires: ""
        paths: {}
        use_extended_paths: true
        ignore_endpoint_case: false
        override_target: "http://service-d.example.local:3030"
      v5:
        name: v5
        expires: ""
        paths: {}
        use_extended_paths: true
        ignore_endpoint_case: false
        override_target: "http://service-e.example.local:3030"
      v6:
        name: v6
        expires: ""
        paths: {}
        use_extended_paths: true
        ignore_endpoint_case: false
        override_target: "http://service-f.example.local:8000"
      v7:
        name: v7
        expires: ""
        paths: {}
        use_extended_paths: true
        ignore_endpoint_case: false
        override_target: "https://external-api.example.com"

Expected behavior

When we apply the above YAML, the API is created successfully. However, when we check the API in the Tyk Dashboard, we find that the HMAC authentication configuration is missing.

Investigation

After reviewing the CRD schema at crd-v1.2.0.yaml, I noticed that the auth_configs.hmac field is not supported in the current CRD definition.

Questions

  1. Are there plans to update the CRD to support HMAC authentication configuration?
  2. Is there an alternative approach to configure HMAC authentication through the Operator?

Note: Using the Tyk Dashboard API to create APIs is not compatible with our business workflow, so please exclude that option from any suggestions.
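A CI-side check for the gap described under Investigation: it walks a manifest's spec against a CRD openAPIV3Schema and lists the fields the schema does not declare, so an authentication setting that will not reach the gateway is caught before the API is published. This is an added example, not code from the post or from Tyk; the schema fragment is constructed for illustration (it is not the content of crd-v1.2.0.yaml) and `undeclared_fields` is a hypothetical helper.

```python
# Constructed schema fragment, NOT copied from crd-v1.2.0.yaml. It models what
# the post reports: auth_configs exists, but no "hmac" entry is declared.
CONSTRUCTED_SPEC_SCHEMA = {
    "type": "object",
    "properties": {
        "enable_signature_checking": {"type": "boolean"},
        "hmac_allowed_clock_skew": {"type": "number"},
        "hmac_allowed_algorithms": {"type": "array", "items": {"type": "string"}},
        "auth_configs": {"type": "object", "properties": {
            "authToken": {"type": "object", "properties": {  # assumed sample entry
                "auth_header_name": {"type": "string"}}}}},
    },
}

# HMAC-related subset of the manifest posted above.
SPEC = {
    "enable_signature_checking": True,
    "hmac_allowed_clock_skew": -1,
    "hmac_allowed_algorithms": ["hmac-sha256"],
    "auth_configs": {"hmac": {"auth_header_name": "x-test-1",
                              "signature": {"allowed_clock_skew": -1}}},
}


def undeclared_fields(value, schema, path="spec"):
    """Return dotted paths present in value but not declared by schema."""
    if schema.get("x-kubernetes-preserve-unknown-fields"):
        return []  # the schema keeps unknown fields below this node
    missing = []
    if isinstance(value, dict):
        props = schema.get("properties", {})
        extra = schema.get("additionalProperties")
        for key, child in value.items():
            child_path = f"{path}.{key}"
            if key in props:
                missing += undeclared_fields(child, props[key], child_path)
            elif isinstance(extra, dict):  # map type: every key shares one schema
                missing += undeclared_fields(child, extra, child_path)
            elif extra is not True:
                missing.append(child_path)
    elif isinstance(value, list) and isinstance(schema.get("items"), dict):
        for i, item in enumerate(value):
            missing += undeclared_fields(item, schema["items"], f"{path}[{i}]")
    return missing


if __name__ == "__main__":
    for field in undeclared_fields(SPEC, CONSTRUCTED_SPEC_SCHEMA):
        print("not declared in CRD schema:", field)
```

To run it against a real cluster, load the manifest and the schema under the CRD's `spec.versions[].schema.openAPIV3Schema.properties.spec` in place of the two constructed dictionaries.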

Hi,

Thanks for posting this question.

Currently, HMAC authentication is not yet implemented for Classic APIs as per our docs.

  1. Are there plans to update the CRD to support HMAC authentication configuration?

Yes, there is currently an existing feature request that aims to update the Operator to fully support HMAC authentication in Classic APIs.

  2. Is there an alternative approach to configure HMAC authentication through the Operator?

You can opt to use Tyk OAS APIs instead - making use of the TykOasApiDefinition instead of ApiDefinition.
See more details on how to create and secure an OAS API in Operator at: Create and Secure an API with Tyk Operator - Tyk Documentation

Best,
Andres

Hi, thanks for the reply. May I know the timeline of this feature?

Hi,

Thanks for your interest in this feature.
To clarify my earlier response and to manage expectations, while there has been interest noted around HMAC support in Classic APIs, our current roadmap for the Operator is focused on advancing Tyk OAS. Because of this focus, we don’t have a timeline to share for extending Classic API features in Operator.
If your requirements can be expressed in OAS, that’s where you’ll see ongoing improvements and new functionality, and we’d be glad to help explore how your use case could be supported there.

Best,
Andres