[TT-12648 DX-1578] Docs Operator Migration (API Definition and policy feature list)

tyk-docs/content/advanced-configuration/manage-multiple-environments/with-tyk-multi-cloud.md

@@ -41,4 +41,26 @@ Scroll down to the **Segment Tags** options:
 
 Set the tag name you want to apply, and click **Add**.
 
-When you save the API, the tags will become immediately active. If any Gateways are configured to only load tagged API Definitions then this configuration will only be loaded by the relevant Gateway.
+When you save the API, the tags will become immediately active. If any Gateways are configured to only load tagged API Definitions then this configuration will only be loaded by the relevant Gateway.
+
+## Tag an API for a shard using Tyk Operator
+
+Add the tag names to the tags mapping field within an API Definition as shown in the example below:
+
+```yaml {linenos=table,hl_lines=["8-9"],linenostart=1}
+apiVersion: tyk.tyk.io/v1alpha1
+kind: ApiDefinition
+metadata:
+  name: httpbin
+spec:
+  name: httpbin
+  use_keyless: true
+  tags:
+    - edge
+  protocol: http
+  active: true
+  proxy:
+    target_url: http://httpbin.org
+    listen_path: /httpbin
+    strip_listen_path: true
+```

tyk-docs/content/basic-config-and-security/control-limit-traffic/rate-limiting.md

@@ -81,6 +81,28 @@ Check out the following video to see this being done.
 
 Using the `global_rate_limit` field in the API definition you can specify the API-level rate limit in the following format: `{"rate": 10, "per": 60}`.
 
+An equivalent example using Tyk Operator is given below:
+
+```yaml {linenos=table,hl_lines=["14-17"],linenostart=1}
+apiVersion: tyk.tyk.io/v1alpha1
+kind: ApiDefinition
+metadata:
+  name: httpbin-global-rate-limit
+spec:
+  name: httpbin-global-rate-limit
+  use_keyless: true
+  protocol: http
+  active: true
+  proxy:
+    target_url: http://httpbin.org
+    listen_path: /httpbin
+    strip_listen_path: true
+  # setting a global rate-limit for the API of 10 requests per 60 seconds
+  global_rate_limit:
+    rate: 10
+    per: 60
+```
+
 ## Configuring the rate limiter on the session object
 
 All actions on the session object must be done via the Gateway API.

tyk-docs/content/basic-config-and-security/security/authentication-authorization/basic-auth.md

@@ -71,6 +71,10 @@ To enable Basic Authentication, the API Definition file needs to be set up to al
 
 As you can see in the above example, enabling Basic Authentication is as simple as setting a flag for the feature in your API Definition object. Since Basic Authentication is a standard, Tyk will always look for the credentials as part of the `Authorization` header.
 
+### Enable basic authentication using Tyk Operator
+
+Please consult the Tyk Operator supporting documentation for an example of how to [enable basic authentication]({{< ref "product-stack/tyk-operator/advanced-configurations/client-authentication#basic-authentication" >}}) with Tyk Operator.
+
 ## Create a Basic Authentication user
 
 When using Basic Authentication, the API key used to access the API is not generated by the Tyk system, instead you need to create at least one Basic Authentication user in the Tyk Gateway. Tyk will compare the Basic Authentication key provided in the request against the list of users you have created.

tyk-docs/content/basic-config-and-security/security/authentication-authorization/bearer-tokens.md

@@ -99,3 +99,7 @@ If you are migrating from platforms like Mashery, which use request signing, you
 ### Custom tokens
 
 It is possible to provide Tyk with your own custom tokens, this can be achieved using the Tyk Gateway REST API. This is very useful if you have your own identity provider and don't want Tyk to create and manage tokens for you, and instead just mirror those tokens within Tyk to off-load access control, quotas and rate limiting from your own application.
+
+## Enabling bearer tokens with Tyk Operator
+
+Please consult the Tyk Operator supporting documentation for an example of how to [enable a bearer tokens]({{< ref "product-stack/tyk-operator/advanced-configurations/client-authentication#auth-token-bearer-token" >}}) with Tyk Operator.

tyk-docs/content/basic-config-and-security/security/authentication-authorization/json-web-tokens.md

@@ -237,3 +237,7 @@ Several scopes in JWT claim will lead to have several policies applied to a key.
 
 ### JWT Diagram in Tyk API Gateway
 {{< img src="/img/diagrams/[email protected]" alt="JSON Web Tokens Flow" >}}
+
+### JWT authentication with Tyk Operator
+
+Please consult the Tyk Operator supporting documentation for an example of how to [configure JWT authentication]({{< ref "product-stack/tyk-operator/advanced-configurations/client-authentication#jwt" >}}) with Tyk Operator.

tyk-docs/content/basic-config-and-security/security/authentication-authorization/multiple-auth.md

@@ -53,4 +53,8 @@ To enable this mode you must set the `base_identity_provided_by` field in your A
 
 The provider set here will then be the one that provides the session object that determines rate limits, ACL rules and quotas.
 
-Tyk will chain the auth mechanisms as they appear in the code and will default to auth token if none are specified. You can explicitly set auth token support by setting `use_standard_auth` to true.
+Tyk will chain the auth mechanisms as they appear in the code and will default to auth token if none are specified. You can explicitly set auth token support by setting `use_standard_auth` to true.
+
+## Enable Multi (Chained) Authentication with Tyk Operator
+
+Please consult the Tyk Operator supporting documentation for an example of how to enable [multi chained authentication]({{< ref "product-stack/tyk-operator/advanced-configurations/client-authentication#multiple-chained-auth" >}}) with Tyk Operator.

tyk-docs/content/basic-config-and-security/security/authentication-authorization/open-keyless.md

@@ -11,10 +11,14 @@ weight: 5
 
 Tyk keyless access represents completely open access for your API and causes Tyk to bypass any session-based middleware (middleware that requires access to token-related metadata). Most middleware will work with keyless access (header transformation, mocks, virtual endpoints, etc.).
 
+## Use Case
+
 Open access is very useful for situations where analytics is the key reason for tracking usage, using the Tyk node as a reverse logging proxy, since it adds extremely low latency to proxied requests. It can offer a great way to monitor how an API is being used by existing users without having to use a key store.
 
 Keyless access will allow all requests through. All access control, versioning, quotas and rate limiting will not be possible as individual sessions are not identified.
 
+## Example
+
 To implement keyless access, simply set the flag in your API Definition:
 
 ```{.copyWrapper}
@@ -35,4 +39,6 @@ This will stop checking keys that are proxied by Tyk.
 Keyless APIs cannot be selected for [Access Rights]({{< ref "getting-started/create-security-policy" >}}) in a security policy.
 {{< /note >}}
 
+## Tyk Operator Example
 
+Please consult the Tyk Operator supporting documentation for an example of how to configure an API within Tyk Operator for [Open Access]({{< ref "product-stack/tyk-operator/advanced-configurations/client-authentication#keyless-open" >}}).

tyk-docs/content/basic-config-and-security/security/mutual-tls/client-mtls.md

@@ -86,13 +86,15 @@ $ curl -k \
 
 Static mTLS simply means to allow client certs at the API level.
 
-to set it up, in the API authentication settings, choose mTLS and one other authentication type.  If you don't want to use additional authentication type, i.e. only client cert alone, then select "keyless" as the other.
+To set it up, in the API authentication settings, choose mTLS and one other authentication type.  If you don't want to use additional authentication type, i.e. only client cert alone, then select "keyless" as the other.
 
 The base Identity can be anything as the client cert is the only thing configured.
 
 Here's what it should look like:
 {{< img src="/img/2.10/client_mtls_multiple_auth.png" alt="enable_cert" >}}
 
+Please consult the Tyk Operator supporting documentation for an example of how to [configure static mTLS]({{< ref "product-stack/tyk-operator/advanced-configurations/client-authentication#client-mtls" >}}) with Tyk Operator.
+
 ## FAQ
 
 #### Why am I getting "Unauthorized! Header Not Found" Error?

tyk-docs/content/basic-config-and-security/security/mutual-tls/upstream-mtls.md

@@ -15,21 +15,134 @@ If your upstream API is protected with mutual TLS you can configure Tyk to send
 - Specified client certificates will be used not only for internal Tyk calls but also for HTTP calls inside your JSVM middleware. 
 
 
-### How To Set Up
+## How To Set Up
 
-**Via API Definition**
+### Via API Definition
 
 Inside your API definition you should set the `upstream_certificates` field to the following format:
 `{"example.com": "<cert-id>"}`. Defining on a global level looks the same, but should be specified via the `security.certificates.upstream` field in your Gateway configuration file.
 
-**Via Dashboard**
+
+### Via Dashboard
 
 To do the same via the Tyk Dashboard, go to the **API Designer** > **Advanced Options** panel > **Upstream certificates** section.
 
 {{< img src="/img/2.10/attach_upstream_cert.png" alt="upstream_cert" >}}
 
-
-### Domain
+### Via Tyk Operator
+
+Tyk Operator supports configuring upstream mTLS using one of the following fields within the ApiDefinition object:
+
+- **upstream_certificate_refs**: Configure using certificates stored within Kubernetes secret objects.
+- **upstream_certificates**: Configure using certificates stored within Tyk Dashboard's certificate store.
+
+#### upstream_certificate_refs
+
+The `upstream_certificate_refs` field can be used to configure certificates for different domains. References can be held to multiple secrets which are used for the domain mentioned in the key. Currently "*" is used as a wildcard for all the domains
+
+The example listed below shows that the certificate in the secret, *my-test-tls*, is used for all domains.
+
+```yaml
+# First apply this manifest using the command
+# "kubectl apply -f config/samples/httpbin_upstream_cert.yaml"
+#
+# The operator will try to create the ApiDefinition and will succeed but will log an error that a certificate is missing
+# in the cluster for an upstream
+#
+# Generate your public-private key pair , for test you can use the following command to obtain one fast:
+# "openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out tls.crt -keyout tls.key"
+#
+# Run the following command to obtain the values that must be put inside the yaml that contians the secret resource:
+# "kubectl create secret tls my-test-tls --key="tls.key" --cert="tls.crt" -n default -o yaml --dry-run=client"
+#
+# Apply your TLS certificate using the following command: (we already have an example one in our repo)
+# "kubectl apply -f config/sample/simple_tls_secret.yaml"
+#
+# NOTE: the upstream_certificate_refs can hold references to multiple secrets which are used for the domain
+# mentioned in the key (currently "*" is used as a wildcard for all the domains)
+apiVersion: tyk.tyk.io/v1alpha1
+kind: ApiDefinition
+metadata:
+  name: httpbin
+spec:
+  name: httpbin
+  use_keyless: true
+  upstream_certificate_refs:
+    "*": my-test-tls
+  protocol: http
+  active: true
+  proxy:
+    target_url: http://httpbin.org
+    listen_path: /httpbin
+    strip_listen_path: true
+  version_data:
+    default_version: Default
+    not_versioned: true
+    versions:
+      Default:
+        name: Default
+```
+
+A secret can be created and output in yaml format using the following command:
+
+```bash
+kubectl create secret tls my-test-tls --key="keyfile.key" --cert="certfile.crt" -n default -o yaml --dry-run=client
+kubectl apply -f path/to/your/tls_secret.yaml
+```
+
+#### upstream_certificates
+
+The `upstream_certificates` field allows certificates uploaded to the certificate store in Tyk Dashboard to be referenced in the Api Definition:
+
+```yaml
+# Skip the concatenation and .pem file creation if you already have a certificate in the correct format
+
+# First generate your public-private key pair , for test use you can use the following command to obtain one fast:
+# "openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out tls.crt -keyout tls.key"
+
+# Concatenate the above files to obtain a .pem file which we will upload using the dashboard UI
+# "cat tls.crt tls.key > cert.pem"
+
+# Upload it to the tyk certificate store using the dashboard
+
+# Fill in the manifest with the certificate id (the long hash) that you see is given to it in the dashboard
+# (in place of "INSERT UPLOADED CERTIFICATE NAME FROM DASHBOARD HERE")
+# Optional: Change the domain from "*" to something more specific if you need to use different
+# upstream certificates for different domains
+
+# Then apply this manifest using the command
+# "kubectl apply -f config/samples/httpbin_upstream_cert_manual.yaml"
+
+# The operator will try create the ApiDefinition and will succeed and it will have the requested domain upstream certificate
+# in the cluster for an upstream
+
+# NOTE: the upstream_certificate can hold multiple domain-certificateName pairs
+# (currently "*" is used as a wildcard for all the domains)
+
+apiVersion: tyk.tyk.io/v1alpha1
+kind: ApiDefinition
+metadata:
+  name: httpbin
+spec:
+  name: httpbin
+  use_keyless: true
+  upstream_certificates:
+    "*": #INSERT UPLOADED CERTIFICATE NAME FROM DASHBOARD HERE#
+  protocol: http
+  active: true
+  proxy:
+    target_url: http://httpbin.org
+    listen_path: /httpbin
+    strip_listen_path: true
+  version_data:
+    default_version: Default
+    not_versioned: true
+    versions:
+      Default:
+        name: Default
+```
+
+## Domain
 
 Do **NOT** include the protocol or Tyk will not match your certificates to the correct domain.   
 
@@ -44,7 +157,7 @@ Do **NOT** include the protocol or Tyk will not match your certificates to the c
  ✅ `api.production.myupstream.com:8443`
 
 
-### Wild Cards
+## Wild Cards
 
 You may use wild cards in combination with text to match the domain, but it only works one level deep.
 
@@ -57,5 +170,3 @@ Example, if your domain is `api.production.myupstream.com`
 #### Default Upstream Cert
 
 To set a default client certificate, use `*` instead of domain name: `{"*": "<cert-id>"}`
-
-

tyk-docs/content/context-variables.md

@@ -90,4 +90,25 @@ URL Rewriter and Header Transform middleware cannot iterate through list indices
 
 {{< img src="/img/2.10/context_variables.png" alt="Context Variables" >}}
 
-If not using a Tyk Dashboard, add the field `enable_context_vars` to your API definition file at root level and set it to `true`.
+If not using a Tyk Dashboard, add the field `enable_context_vars` to your API definition file at root level and set it to `true`.
+
+If you are using Tyk Operator, set the field `spec.enable_context_vars` to `true`.
+
+The example API Definition below enabled context variable:
+
+```yaml {linenos=true, linenostart=1, hl_lines=["10-10"]}
+apiVersion: tyk.tyk.io/v1alpha1
+kind: ApiDefinition
+metadata:
+  name: httpbin
+spec:
+  name: httpbin
+  use_keyless: true
+  protocol: http
+  active: true
+  enable_context_vars: true
+  proxy:
+    target_url: http://httpbin.org
+    listen_path: /httpbin
+    strip_listen_path: true
+```