Tyk-oss in Kubernetes: tls: failed to verify certificate: x509

Hi,

For a POC I have deployed the Tyk Gateway in Kubernetes using the helm-charts.
I am able to create a new API in the Tyk-Gateway by sending the request within IntelliJ IDE.
I have set the following environment variables in a configuration file (yaml) which I use with helm to apply the new configuration:

    extraEnvs:
      - name: TYK_GW_HTTPSERVEROPTIONS_SSLINSECURESKIPVERIFY
        value: "true"
      - name: TYK_LOGLEVEL
        value: "debug"

and in the tls section:

    tls:
      # This options allows you to skip verifying the TLS certificate. This is typically enabled when using self-signed certs.
      insecureSkipVerify: true

I can see in the shell (on the GW side) that the variables are correctly loaded and when checking the log, that the log level is debug. So I expect that ssl_insecure_skip_verify is also enabled.

When sending a request to the Tyk-GW which must be forwarded to a service (using https) I got the error message: “http: proxy error: tls: failed to verify certificate: x509: certificate signed by unknown authority”

This means that the SSL Verification remains enabled. How can I disable it?
Why is setting TYK_GW_HTTPSERVEROPTIONS_SSLINSECURESKIPVERIFY here not the solution?

Thank you in advance!

What section is this in? The API definition or the gateway config?

You can disable it via 2 scopes.

  1. The API definition scope from the proxy field proxy.transport.ssl_insecure_skip_verify
  2. The global scope from gateway field proxy_ssl_insecure_skip_verify

Because the call to skip the SSL certificates is within the proxy.

@Olu , thank you very much for your answer.

This is how I have defined it in the gateway section:

tyk-gateway:
  ## Default values for tyk-gateway chart.
  ## This is a YAML-formatted file.
  ## Declare variables to be passed into your templates.
  ## See Tyk Helm documentation for installation details:
  ## https://tyk.io/docs/tyk-oss/ce-helm-chart/
  ## Registry for all Tyk images - https://hub.docker.com/u/tykio
  gateway:
    # The hostname to bind the Gateway to.
    hostName: tyk-gw.local

    extraEnvs:
      - name: TYK_GW_HTTPSERVEROPTIONS_SSLINSECURESKIPVERIFY
        value: "true"
      - name: TYK_LOGLEVEL
        value: "debug"

    tls:
     
      # This options allows you to skip verifying the TLS certificate. This is typically enabled when using self-signed certs.
      insecureSkipVerify: true

Is there something not correct in the configuration?

Well, yes. TYK_GW_PROXYSSLINSECURESKIPVERIFY is the correct environment variable
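
The "http: proxy error: ..." text in the question is what Go's standard reverse proxy logs when its outbound client rejects the upstream certificate (Tyk Gateway is written in Go). The following added example, plain Go standard library and not Tyk's code or anything posted in this thread, shows that only the TLS settings of the upstream-facing transport decide the outcome, and that trusting the upstream's certificate also clears the error without turning verification off. `proxyStatus` and `demo` are hypothetical names, and the upstream is a constructed test server.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// proxyStatus sends one request through a reverse proxy whose outbound
// (upstream-facing) transport uses upstreamTLS, and returns the status
// code seen by the caller of the proxy (-1 if the proxy is unreachable).
func proxyStatus(upstreamURL string, upstreamTLS *tls.Config) int {
	target, _ := url.Parse(upstreamURL)
	rp := httputil.NewSingleHostReverseProxy(target)
	rp.Transport = &http.Transport{TLSClientConfig: upstreamTLS}
	front := httptest.NewServer(rp) // plain-HTTP listener standing in for a gateway
	defer front.Close()
	resp, err := http.Get(front.URL)
	if err != nil {
		return -1
	}
	defer resp.Body.Close()
	return resp.StatusCode
}

// demo returns the status for: default verification, skip-verify, trusted cert.
func demo() (int, int, int) {
	// Constructed upstream: HTTPS with a certificate that no system CA signed.
	up := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	defer up.Close()
	pool := x509.NewCertPool()
	pool.AddCert(up.Certificate()) // trust exactly this upstream certificate
	strict := proxyStatus(up.URL, &tls.Config{})                       // x509 error, 502
	skip := proxyStatus(up.URL, &tls.Config{InsecureSkipVerify: true}) // accepts any cert
	pinned := proxyStatus(up.URL, &tls.Config{RootCAs: pool})          // verified, 200
	return strict, skip, pinned
}

func main() {
	fmt.Println(demo())
}
```

In the strict case the proxy answers 502 and logs the x509 error on stderr. The skip-verify case succeeds only because the proxy would accept any certificate presented on that connection.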