[TT-12309] Remove hardcoded environment variables (#379)

* TT-13751: add forbid security env to dashboard * Remove hardcoded env variables * Max pump env variables configurable * Fix field references * Fix conflict * Fix lint errors --------- Co-authored-by: olalekan odukoya <[email protected]>
TykTechnologies · Feb 23, 2025 · 860ec8c · 860ec8c
1 parent dffcc26
commit 860ec8c
Show file tree

Hide file tree

Showing 8 changed files with 138 additions and 13 deletions.
diff --git a/components/tyk-gateway/templates/deployment-gw-repset.yaml b/components/tyk-gateway/templates/deployment-gw-repset.yaml
@@ -211,10 +211,11 @@ spec:
                 name: {{ if .Values.global.secrets.useSecretName }} {{ .Values.global.secrets.useSecretName }} {{ else }} secrets-{{ include "tyk-gateway.fullname" . }} {{ end}}
                 key: APISecret
 
-          - name: TYK_GW_POLICIES_ALLOWEXPLICITPOLICYID
-            value: "true"
+
           - name: TYK_GW_HTTPSERVEROPTIONS_USESSL
             value: "{{ .Values.global.tls.gateway }}"
+          - name: TYK_GW_POLICIES_ALLOWEXPLICITPOLICYID
+            value: "true"
           - name: TYK_GW_TEMPLATEPATH
             value: "/opt/tyk-gateway/templates"
           - name: TYK_GW_TYKJSPATH
@@ -229,6 +230,7 @@ spec:
             value: "1000"
           - name: TYK_GW_ENABLENONTRANSACTIONALRATELIMITER
             value: "true"
+
           - name: TYK_GW_POLICIES_POLICYSOURCE
         {{- if .Values.global.remoteControlPlane.enabled }}
             value: "rpc"
@@ -301,26 +303,29 @@ spec:
             value: {{ .Values.global.hashKeys | quote }}
           - name: TYK_GW_HASHKEYFUNCTION
             value: "{{ .Values.gateway.hashKeyFunction }}"
+
           - name: TYK_GW_HTTPSERVEROPTIONS_ENABLEWEBSOCKETS
             value: "true"
           - name: TYK_GW_HTTPSERVEROPTIONS_MINVERSION
             value: "771"
+
           - name: TYK_GW_HTTPSERVEROPTIONS_CERTIFICATES
             value: '{{ .Values.gateway.tls.certificates | toJson }}'
           - name: TYK_GW_HTTPSERVEROPTIONS_SSLINSECURESKIPVERIFY
-            value: {{ default "false" .Values.gateway.tls.insecureSkipVerify | quote }}
+            value: {{ .Values.gateway.tls.insecureSkipVerify | quote }}
           - name: TYK_GW_ALLOWINSECURECONFIGS
-            value: "true"
+            value: {{ .Values.gateway.allowInsecureConfigs | quote }}
           - name: TYK_GW_COPROCESSOPTIONS_ENABLECOPROCESS
             value: "true"
           - name: TYK_GW_GLOBALSESSIONLIFETIME
-            value: "100"
+            value: {{ .Values.gateway.globalSessionLifetime | quote }}
           - name: TYK_GW_MAXIDLECONNSPERHOST
-            value: "500"
+            value: {{ .Values.gateway.maxIdleConnectionsPerHost | quote }}
           - name: TYK_GW_ENABLECUSTOMDOMAINS
-            value: "true"
+            value: {{ .Values.gateway.enableCustomDomains | quote }}
           - name: TYK_GW_PIDFILELOCATION
             value: "/mnt/tyk-gateway/tyk.pid"
+
         {{- if .Values.gateway.sharding.enabled }}
           - name: TYK_GW_DBAPPCONFOPTIONS_NODEISSEGMENTED
             value: "{{ .Values.gateway.sharding.enabled }}"

diff --git a/components/tyk-gateway/values.yaml b/components/tyk-gateway/values.yaml
@@ -599,7 +599,19 @@ gateway:
   # - if enabled, `/app` only responds to `/app`, `/app/` and `/app/*` but not `/apple`
   # Regular expressions and parameterized routes will be left alone regardless of this setting.
   enableStrictRoutes: true
-
   # serviceAccountName field indicates the name of the Service Account that is going to be used by the Pods.
   # If a service account is to be used for Tyk Gateway, it should be manually created
   serviceAccountName: ""
+  # allowInsecureConfigs can be set to disable Dashboard message signature verification. 
+  # When set to true, public_key_path can be ignored.
+  # It is used to set TYK_GW_ALLOWINSECURECONFIGS
+  allowInsecureConfigs: true
+  # globalSessionLifetime sets session lifetime in seconds.
+  # It is used to set TYK_GW_GLOBALSESSIONLIFETIME
+  globalSessionLifetime: 100
+  # enableCustomDomains allows use of custom domains.
+  # It is used to set TYK_GW_ENABLECUSTOMDOMAINS
+  enableCustomDomains: true
+  # maxIdleConnectionsPerHost represents maximum idle connections, per API, per upstream, between Tyk and Upstream.
+  # It is used to set TYK_GW_MAXIDLECONNSPERHOST
+  maxIdleConnectionsPerHost: 500
diff --git a/components/tyk-pump/templates/deployment-pmp.yaml b/components/tyk-pump/templates/deployment-pmp.yaml
@@ -345,18 +345,18 @@ spec:
                name: {{ include "tyk-pump.redis_secret_name" . }}
                key: {{ include "tyk-pump.redis_secret_key" . }}
           - name: TYK_PMP_ANALYTICSSTORAGECONFIG_REDISUSESSL
-            value: "{{ default "false" .Values.global.redis.useSSL }}"
+            value: "{{ .Values.global.redis.useSSL }}"
 
           - name: TYK_PMP_OMITCONFIGFILE
-            value: "true"
+            value: {{ .Values.pump.omitConfigFile | quote}}
           - name: TYK_PMP_ANALYTICSSTORAGETYPE
             value: "redis"
           - name: TYK_PMP_ANALYTICSSTORAGECONFIG_MAXIDLE
-            value: "2000"
+            value: {{ .Values.pump.maxIdleConnections | quote }}
           - name: TYK_PMP_ANALYTICSSTORAGECONFIG_MAXACTIVE
-            value: "4000"
+            value: {{ .Values.pump.maxActiveConnections | quote }}
           - name: TYK_PMP_PURGEDELAY
-            value: "2"
+            value: {{ .Values.pump.purgeDelay | quote }}
         {{- if .Values.pump.healthCheckService.enabled }}
           - name: TYK_PMP_HEALTHCHECKENDPOINTNAME
             value: "{{ .Values.pump.healthCheckService.path }}"

diff --git a/components/tyk-pump/values.yaml b/components/tyk-pump/values.yaml
@@ -251,6 +251,19 @@ pump:
   # containerPort represents the port where Tyk Pump serve the metrics, for instance metrics for Prometheus.
   # The default port is 9090.
   containerPort: 9090
+  # omitConfigFile defines if tyk-pump should ignore all the values in configuration file.
+  # It is used to set TYK_PMP_OMITCONFIGFILE
+  omitConfigFile: true
+  # purgeDelay configures number of seconds the Pump waits between checking for analytics data and purge it from Redis.
+  # It is used to set TYK_PMP_PURGEDELAY
+  purgeDelay: 2
+  # maxIdleConnections configures maximum number of idle connections in the pool
+  # It is used to set TYK_PMP_ANALYTICSSTORAGECONFIG_MAXIDLE
+  maxIdleConnections: 2000
+  # maxActiveConnections configures Maximum number of connections allocated by the pool at a given time. 
+  # When zero, there is no limit on the number of connections in the pool.
+  # It is used to set TYK_PMP_ANALYTICSSTORAGECONFIG_MAXACTIVE
+  maxActiveConnections: 4000
 
   # backend defines the pumps to be created by default, as an array of string.
   # Supported backends are:

diff --git a/tyk-control-plane/values.yaml b/tyk-control-plane/values.yaml
@@ -638,6 +638,20 @@ tyk-gateway:
       # format is used to set the log format. It is used to set TYK_GW_LOGFORMAT
       format: "default"
 
+    # allowInsecureConfigs can be set to disable Dashboard message signature verification.
+    # When set to true, public_key_path can be ignored.
+    # It is used to set TYK_GW_ALLOWINSECURECONFIGS
+    allowInsecureConfigs: true
+    # globalSessionLifetime sets session lifetime in seconds.
+    # It is used to set TYK_GW_GLOBALSESSIONLIFETIME
+    globalSessionLifetime: 100
+    # enableCustomDomains allows use of custom domains.
+    # It is used to set TYK_GW_ENABLECUSTOMDOMAINS
+    enableCustomDomains: true
+    # maxIdleConnectionsPerHost represents maximum idle connections, per API, per upstream, between Tyk and Upstream.
+    # It is used to set TYK_GW_MAXIDLECONNSPERHOST
+    maxIdleConnectionsPerHost: 500
+
 tyk-operator:
   nameOverride: ""
   fullnameOverride: ""
@@ -806,6 +820,19 @@ tyk-pump:
     # containerPort represents the port where Tyk Pump serve the metrics, for instance metrics for Prometheus.
     # The default port is 9090.
     containerPort: 9090
+    # omitConfigFile defines if tyk-pump should ignore all the values in configuration file.
+    # It is used to set TYK_PMP_OMITCONFIGFILE
+    omitConfigFile: true
+    # purgeDelay configures number of seconds the Pump waits between checking for analytics data and purge it from Redis.
+    # It is used to set TYK_PMP_PURGEDELAY
+    purgeDelay: 2
+    # maxIdleConnections configures maximum number of idle connections in the pool
+    # It is used to set TYK_PMP_ANALYTICSSTORAGECONFIG_MAXIDLE
+    maxIdleConnections: 2000
+    # maxActiveConnections configures Maximum number of connections allocated by the pool at a given time.
+    # When zero, there is no limit on the number of connections in the pool.
+    # It is used to set TYK_PMP_ANALYTICSSTORAGECONFIG_MAXACTIVE
+    maxActiveConnections: 4000
 
     # backend defines the pumps to be created by default, as an array of string.
     # Supported backends are:

diff --git a/tyk-data-plane/values.yaml b/tyk-data-plane/values.yaml
@@ -593,6 +593,20 @@ tyk-gateway:
       # format is used to set the log format. It is used to set TYK_GW_LOGFORMAT
       format: "default"
 
+    # allowInsecureConfigs can be set to disable Dashboard message signature verification.
+    # When set to true, public_key_path can be ignored.
+    # It is used to set TYK_GW_ALLOWINSECURECONFIGS
+    allowInsecureConfigs: true
+    # globalSessionLifetime sets session lifetime in seconds.
+    # It is used to set TYK_GW_GLOBALSESSIONLIFETIME
+    globalSessionLifetime: 100
+    # enableCustomDomains allows use of custom domains.
+    # It is used to set TYK_GW_ENABLECUSTOMDOMAINS
+    enableCustomDomains: true
+    # maxIdleConnectionsPerHost represents maximum idle connections, per API, per upstream, between Tyk and Upstream.
+    # It is used to set TYK_GW_MAXIDLECONNSPERHOST
+    maxIdleConnectionsPerHost: 500
+
 tyk-pump:
   ## Default values for tyk-pump chart.
   ## This is a YAML-formatted file.
@@ -687,6 +701,19 @@ tyk-pump:
     # containerPort represents the port where Tyk Pump serve the metrics, for instance metrics for Prometheus.
     # The default port is 9090.
     containerPort: 9090
+    # omitConfigFile defines if tyk-pump should ignore all the values in configuration file.
+    # It is used to set TYK_PMP_OMITCONFIGFILE
+    omitConfigFile: true
+    # purgeDelay configures number of seconds the Pump waits between checking for analytics data and purge it from Redis.
+    # It is used to set TYK_PMP_PURGEDELAY
+    purgeDelay: 2
+    # maxIdleConnections configures maximum number of idle connections in the pool
+    # It is used to set TYK_PMP_ANALYTICSSTORAGECONFIG_MAXIDLE
+    maxIdleConnections: 2000
+    # maxActiveConnections configures Maximum number of connections allocated by the pool at a given time.
+    # When zero, there is no limit on the number of connections in the pool.
+    # It is used to set TYK_PMP_ANALYTICSSTORAGECONFIG_MAXACTIVE
+    maxActiveConnections: 4000
 
     # backend defines the pumps to be created by default, as an array of string.
     # Supported backends are:

diff --git a/tyk-oss/values.yaml b/tyk-oss/values.yaml
@@ -559,6 +559,20 @@ tyk-gateway:
       # format is used to set the log format. It is used to set TYK_GW_LOGFORMAT
       format: "default"
 
+    # allowInsecureConfigs can be set to disable Dashboard message signature verification.
+    # When set to true, public_key_path can be ignored.
+    # It is used to set TYK_GW_ALLOWINSECURECONFIGS
+    allowInsecureConfigs: true
+    # globalSessionLifetime sets session lifetime in seconds.
+    # It is used to set TYK_GW_GLOBALSESSIONLIFETIME
+    globalSessionLifetime: 100
+    # enableCustomDomains allows use of custom domains.
+    # It is used to set TYK_GW_ENABLECUSTOMDOMAINS
+    enableCustomDomains: true
+    # maxIdleConnectionsPerHost represents maximum idle connections, per API, per upstream, between Tyk and Upstream.
+    # It is used to set TYK_GW_MAXIDLECONNSPERHOST
+    maxIdleConnectionsPerHost: 500
+
 tyk-operator:
   nameOverride: ""
   fullnameOverride: ""

diff --git a/tyk-stack/values.yaml b/tyk-stack/values.yaml
@@ -653,6 +653,20 @@ tyk-gateway:
       # format is used to set the log format. It is used to set TYK_GW_LOGFORMAT
       format: "default"
 
+    # allowInsecureConfigs can be set to disable Dashboard message signature verification.
+    # When set to true, public_key_path can be ignored.
+    # It is used to set TYK_GW_ALLOWINSECURECONFIGS
+    allowInsecureConfigs: true
+    # globalSessionLifetime sets session lifetime in seconds.
+    # It is used to set TYK_GW_GLOBALSESSIONLIFETIME
+    globalSessionLifetime: 100
+    # enableCustomDomains allows use of custom domains.
+    # It is used to set TYK_GW_ENABLECUSTOMDOMAINS
+    enableCustomDomains: true
+    # maxIdleConnectionsPerHost represents maximum idle connections, per API, per upstream, between Tyk and Upstream.
+    # It is used to set TYK_GW_MAXIDLECONNSPERHOST
+    maxIdleConnectionsPerHost: 500
+
 tyk-operator:
   nameOverride: ""
   fullnameOverride: ""
@@ -824,6 +838,19 @@ tyk-pump:
     # containerPort represents the port where Tyk Pump serve the metrics, for instance metrics for Prometheus.
     # The default port is 9090.
     containerPort: 9090
+    # omitConfigFile defines if tyk-pump should ignore all the values in configuration file.
+    # It is used to set TYK_PMP_OMITCONFIGFILE
+    omitConfigFile: true
+    # purgeDelay configures number of seconds the Pump waits between checking for analytics data and purge it from Redis.
+    # It is used to set TYK_PMP_PURGEDELAY
+    purgeDelay: 2
+    # maxIdleConnections configures maximum number of idle connections in the pool
+    # It is used to set TYK_PMP_ANALYTICSSTORAGECONFIG_MAXIDLE
+    maxIdleConnections: 2000
+    # maxActiveConnections configures Maximum number of connections allocated by the pool at a given time.
+    # When zero, there is no limit on the number of connections in the pool.
+    # It is used to set TYK_PMP_ANALYTICSSTORAGECONFIG_MAXACTIVE
+    maxActiveConnections: 4000
 
     # backend defines the pumps to be created by default, as an array of string.
     # Supported backends are: