Comments (10)
Hi @jakub-bochenski, I've highlighted the PR to my colleague who looks after that repo - they will take a look and pick it up there.
from tyk.
@jakub-bochenski When the same environment variable is set in multiple places in a Kubernetes deployment, the last entry will take precedence and override any previous settings.
So in the case of TYK_GW_HASHKEYFUNCTION, if it is already set as part of the base Tyk Gateway chart values, and you also specify it in extraEnvs, the extraEnvs value will override the base chart value.
The order of precedence works like this:
- Default value in Gateway chart values.yaml
- Value overridden in umbrella chart (e.g. tyk-single-dc values.yaml)
- extraEnvs value in Gateway or umbrella chart
So the extraEnvs value is always the last one applied and will override anything set in the base chart or umbrella chart values.
The only exception is if you explicitly set a valueFrom entry in extraEnvs that references a secret or configMap, that would take precedence over a plain value.
But in summary - yes, extraEnvs would override a value like TYK_GW_HASHKEYFUNCTION that is already set in the base Gateway chart. The extraEnvs value would win.
It's always about the balance between security and performance. Key hashing is an operation which is performed on each API call. So yes, if you need to add it to public reports, you may consider using sha256 hashing instead, or "hash" Tyk hashes before showing them in reports.
Thanks for confirming this.
> tyk hashes before showing them in reports.
Actually, I think even more important is that keys are not stored in Redis, and instead only hashes are there for security reasons.
If the Redis DB is compromised, then the attacker could recreate all the keys if murmur is used.
The whole point of hashing, in any way, is to be used for DB lookups, so you can turn any kind of content into some predictable hash value, which you can use as a DB identifier. So it depends on your security requirements, and whether you are ready to sacrifice some speed for less security. For example the FIPS security framework (required for gov agencies) puts some strict guidelines on crypto and hashing algorithms, and will force your company to use algorithms like SHA256. But when using the SHA256 key hashing algorithm, as mentioned above, it will be stored in Redis as sha256 keys, which is a crypto algorithm.
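As an added illustration (not Tyk's own code; the option names murmur32 and sha256 are the hash_key_function values from Tyk's key-hashing docs, while the store, the sample keys and the report masking are constructed here), the lookup-by-hash pattern the two comments above describe, showing how far the stored identifier differs between the two algorithms and how a stored hash can be masked one more time before it appears in a report:

```python
import hashlib

def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32: fast, 32-bit output, not preimage resistant."""
    m, c1, c2 = 0xFFFFFFFF, 0xCC9E2D51, 0x1B873593
    h, n = seed & m, len(data)
    for i in range(0, n - n % 4, 4):                 # 4-byte blocks
        k = int.from_bytes(data[i:i + 4], "little")
        k = (k * c1) & m
        k = ((k << 15) | (k >> 17)) & m
        h ^= (k * c2) & m
        h = ((h << 13) | (h >> 19)) & m
        h = (h * 5 + 0xE6546B64) & m
    tail, k = data[n - n % 4:], 0
    for b in reversed(tail):                         # up to 3 trailing bytes
        k = (k << 8) | b
    if tail:
        k = (k * c1) & m
        k = ((k << 15) | (k >> 17)) & m
        h ^= (k * c2) & m
    h ^= n                                           # finalisation mix
    h = ((h ^ (h >> 16)) * 0x85EBCA6B) & m
    h = ((h ^ (h >> 13)) * 0xC2B2AE35) & m
    return h ^ (h >> 16)

def hash_key(key: str, algo: str) -> str:
    """Identifier kept in Redis instead of the raw key (constructed helper)."""
    if algo == "murmur32":                           # 8 hex chars, 2^32 space
        return f"{murmur3_32(key.encode()):08x}"
    if algo == "sha256":                             # 64 hex chars, cryptographic
        return hashlib.sha256(key.encode()).hexdigest()
    raise ValueError(f"unsupported hash_key_function {algo!r}")

def lookup(store: dict, presented_key: str, algo: str):
    """Per-request path: hash the presented key and index the store by it."""
    return store.get(hash_key(presented_key, algo))

def report_id(stored_hash: str) -> str:
    """One-way mask applied to a stored hash before it leaves in a report."""
    return hashlib.sha256(stored_hash.encode()).hexdigest()[:16]

# constructed sample: the same two keys provisioned under each algorithm
SAMPLE_KEYS = {"5e9d9544a1dcd65001000001": "org-a", "hello": "org-b"}
STORE = {algo: {hash_key(k, algo): org for k, org in SAMPLE_KEYS.items()}
         for algo in ("murmur32", "sha256")}
```

With murmur32 the stored identifier is only 32 bits wide, so a copy of the Redis keyspace gives an attacker a non-cryptographic digest of every key; with sha256 it is a full cryptographic digest, at the cost of a heavier hash on every API call.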
Hi @jakub-bochenski,
As @buger has explained, you can use SHA256 with Tyk for cryptographic hashing of keys, for info please see the docs here: https://tyk.io/docs/basic-config-and-security/security/key-hashing/#custom-key-hash-algorithms
I'll close this issue as resolved, but if you have further questions please don't hesitate to reply and I can reopen it, or you could open a new issue.
Thanks for supporting Tyk!
@andyo-tyk well I can't if I use the official Helm Chart
Can you act on this PR? TykTechnologies/tyk-charts#110
@jakub-bochenski in the meantime, while it gets reviewed, you can unblock yourself just by setting this env var like this:
gateway:
  extraEnvs:
    - name: MY_CUSTOM_ENV
      value: "foo"
This example assumes the tyk-single-dc umbrella chart. But the key here is the MY_CUSTOM_ENV env option.
Nice idea
So if an ENV entry is specified multiple times in k8s config, the last value is the effective one? I didn't know that.
@buger I don't think overriding envs like that is a good idea.
This causes unexpected errors during deployment: "The order in patch list … doesn't match $setElementOrder list".
e.g. https://stackoverflow.com/q/60727150/1237617