Secure an OAS API with Tyk Operator
Last updated: 4 minutes read.
In this guide, we’ll walk you through adding authentication to an existing API managed by Tyk Operator TykOasApiDefinition
custom resource. We’ll assume you’ve completed the previous tutorial on creating an OAS API with Tyk Operator.
By the end of this tutorial, your API will require an API key for access, enhancing its security.
Prerequisites
- Completed previous tutorial on creating an OAS API with Tyk Operator.
- A Kubernetes cluster with kubectl configured to interact with it.
- Tyk Operator v1.0+ installed in your Kubernetes cluster.
- Basic knowledge of Kubernetes resources like ConfigMaps, Secrets, and custom resources.
- Basic knowledge of configuring Authentication with Tyk OAS.
Overview
In this tutorial, you’ll:
- Update your Tyk OAS API Definition to include API key authentication.
- Update the ConfigMap containing your API definition.
- Verify the changes to ensure your API is updated at Tyk.
- Test the API Endpoint to ensure your API now requires an API key.
Step 1: Update your Tyk OAS API Definition
First, you’ll modify your existing Tyk OAS API Definition to include the API key authentication configuration.
In the previous tutorial, you stored your OAS definition in a file named oas-api-definition.json
and created a ConfigMap named tyk-oas-api-config
in the tyk
namespace.
Modify your Tyk OAS API Definition oas-api-definition.json
as follow.
|
|
In this example, we added the following sections to configure key authentication for this API.
components.securitySchemes
defines the authentication method (in this case,apiKey
in the header).security
: Applies the authentication globally to all endpoints.x-tyk-api-gateway.server.authentication
: Tyk-specific extension to enable the authentication scheme.
You can configure your API for any Tyk supported authentication method by following Authentication with Tyk OAS documentation.
Save your updated API definition in the same file, oas-api-definition.json
.
Step 2: Update the ConfigMap with the new Tyk OAS API Definition
Update the existing ConfigMap that contains your Tyk OAS API Definition with the following command:
kubectl create configmap tyk-oas-api-config --from-file=oas-api-definition.json -n tyk --dry-run=client -o yaml | kubectl replace -f -
This command updates the existing ConfigMap named tyk-oas-api-config
in the tyk
namespace (replace tyk
with your actual namespace if different) with the new Tyk OAS API Definition stored in oas-api-definition.json
.
Since a TykOasApiDefinition
resource has been created with reference to this ConfigMap in the previous tutorial:
apiVersion: tyk.tyk.io/v1alpha1
kind: TykOasApiDefinition
metadata:
name: petstore
spec:
tykOAS:
configmapRef:
name: tyk-oas-api-config # Metadata name of the ConfigMap resource that stores the OAS API Definition
namespace: tyk # Metadata namespace of the ConfigMap resource
keyName: oas-api-definition.json # Key for retrieving OAS API Definition from the ConfigMap
Any changes in the ConfigMap would be detected by Tyk Operator. Tyk Operator will then automatically reconcile the changes and update the API configuration at Tyk.
Step 3: Verify the changes
Verify that the TykOasApiDefinition
has been updated successfully:
kubectl get tykoasapidefinition petstore -o yaml
Look for the latestTransaction
field in status
:
status:
latestTransaction:
status: Successful
time: "2024-09-16T11:48:20Z"
The Successful status shows that Tyk Operator has reconciled the API with Tyk successfully. The last update time is shown in the time
field.
Step 4: Test the API Endpoint
Now, test your API endpoint to confirm that it requires an API key.
For example, if your API endpoint is /store/inventory"
, you can use curl
or any API client to test it:
curl -v "TYK_GATEWAY_URL/petstore/store/inventory"
Replace TYK_GATEWAY_URL with a URL of Tyk Gateway.
Request should fail with a 401 Unauthorized
response now as an API key is required for access. Your API has been secured by Tyk Gateway.
Conclusion
You have now secured your Tyk OAS APIs with authentication and authorization by modifying the Tyk OAS stored in the ConfigMap.
If you plan to secure your API using Client mTLS, also review Manage TLS certificates documentation to see how to let Tyk Operator manage the TLS certificates stored in Kubernetes.
Next, you can protect access to your APIs by applying Security Policy.