TykTechnologies / tyk-operator

Tyk Operator for Kubernetes
https://tyk.io
Mozilla Public License 2.0

[TT-5237] Creating a new security policy which is reconciled by the operator has mismatched IDs #434

Closed jdieterich-brav closed 2 years ago

jdieterich-brav commented 2 years ago

Expected Behavior

When we create a new security policy and deploy it to our k8s cluster, the operator will pick this up, and push it up to the dashboard. From here we can use the policy to generate keys for it, add APIs etc.

Current Behavior

The security policy is picked up by the operator and pushed to the dashboard. However, when we then try to generate a key, for example, we get an error message that the policy isn't found, and the ID associated with it. However, this ID doesn't match the ID that is presented in the dashboard. When we inspect the security policy in our cluster, the pol_id value is set to the ID that is displayed on the dashboard, whereas _id is set to the ID it can't find on key generation. It looks like this ID is <namespace>/<apiName> encoded in base64.

Possible Solution

When the operator pushes the security policy, it gets the ID back from the dashboard and then updates _id to match that value.

Steps to Reproduce

  1. Have a k8s cluster with the operator and hybrid gateway deployed
  2. Create a security policy in the cluster
  3. Try to generate a key for the policy

Context

We are looking to add security policies in a gitops way, by adding them to a repo, which then reconciles them to the cluster through the use of flux. We would like to then be able to use these policies without having to change any config on the dashboard.

Your Environment

komalsukhani commented 2 years ago

I am not able to reproduce this. Can you please share Security Policy yaml file?

jdieterich-brav commented 2 years ago

apiVersion: tyk.tyk.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: tenants
  namespace: flux-system
spec:
  id: 62500c5fb6e263000139f791   # dashboard-assigned policy ID; not present in the initial version of this file
  name: tenants
  active: true
  state: active
  access_rights_array:
    - name: internal-developer-platform-internal-developer-platform-a86b6fab5   # ApiDefinition name as generated by the operator
      namespace: internal-developer-platform
      versions:
        - Default

This is the file; however, the initial policy didn't have the ID, that was added later.

asoorm commented 2 years ago

Quick question - are you using the Ingress Controller? e.g. was the API Definition created via Ingress?

https://github.com/TykTechnologies/tyk-operator-internal/issues/18

Is this issue related?

jdieterich-brav commented 2 years ago

Yes, we are using the ingress controller, and we did come across that issue; however, we ended up finding a solution for it, where we found the way the name was generated and inserted that.

I'd say this issue isn't closely related to the one we're currently seeing though, because it's the policy ID which is causing us issues.

George-Grasham commented 2 years ago

Is there any known workaround for this at the moment, or an ETA on a fix? We're running into the same problem: for any policy created via the operator, we cannot assign keys to it, with the same error:

Tyk: Failed to create key - policy not found: "cmVzdC1zYW1wbGUvcmVzdC1zYW1wbGUtc2FtcGxlLXBvbGljeQ"

where the policy id shown in the dashboard is different.

Also, our API Definitions aren't created via an ingress; they're made via an ApiDefinition object.
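The thread's diagnosis is that the ID the gateway cannot find is base64 of `<namespace>/<name>`, while the dashboard shows a 24-hex-character ObjectId-style ID (for example 62500c5fb6e263000139f791 in the manifest above). The following helper, added here as an illustration and not part of the tyk-operator code base, decodes the quoted error line above back to a namespace/name pair and tells the two ID styles apart, which is the check an operator user would want before opening a ticket. It assumes the base64 derivation the reporter observed; the unpadded URL-safe alphabet is an assumption too, since the quoted sample contains no characters that would distinguish standard from URL-safe base64. The error line and dashboard ID are constructed from values on this page.

```python
import base64
import binascii
import re
from typing import Optional, Tuple

# Constructed sample: the error line quoted in the thread above.
SAMPLE_ERROR = (
    'Tyk: Failed to create key - policy not found: '
    '"cmVzdC1zYW1wbGUvcmVzdC1zYW1wbGUtc2FtcGxlLXBvbGljeQ"'
)

# Constructed sample: the dashboard-assigned ID from the manifest in this thread.
SAMPLE_DASHBOARD_ID = "62500c5fb6e263000139f791"

_ERR_RE = re.compile(r'policy not found:\s*"([A-Za-z0-9+/_=-]+)"')
_HEX24_RE = re.compile(r"^[0-9a-f]{24}$")
# Kubernetes object names are DNS-label-like; anything else is not an operator-derived ID.
_K8S_NAME_RE = re.compile(r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$")


def extract_policy_id(error_line: str) -> Optional[str]:
    """Pull the quoted policy ID out of a 'policy not found' error line."""
    match = _ERR_RE.search(error_line)
    return match.group(1) if match else None


def decode_operator_id(policy_id: str) -> Optional[Tuple[str, str]]:
    """Read policy_id as base64('namespace/name'), tolerating missing padding and
    both base64 alphabets. Returns (namespace, name), or None if it does not fit."""
    s = policy_id.replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)  # re-add padding the operator-style ID drops
    try:
        raw = base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if raw.count("/") != 1:
        return None
    namespace, name = raw.split("/")
    if not (_K8S_NAME_RE.match(namespace) and _K8S_NAME_RE.match(name)):
        return None
    return namespace, name


def encode_operator_id(namespace: str, name: str) -> str:
    """Build the ID style the thread describes: unpadded base64 of 'namespace/name'
    (assumption: URL-safe alphabet)."""
    data = f"{namespace}/{name}".encode("utf-8")
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def classify_policy_id(policy_id: str) -> str:
    """'dashboard' for a 24-hex ObjectId-style ID, 'operator' for base64(namespace/name)."""
    if _HEX24_RE.match(policy_id):
        return "dashboard"
    if decode_operator_id(policy_id) is not None:
        return "operator"
    return "unknown"


def diagnose(error_line: str, dashboard_id: Optional[str] = None) -> dict:
    """Explain a 'policy not found' error: which ID style the gateway looked up,
    which SecurityPolicy object it maps to, and whether it differs from the
    dashboard's ID for that policy."""
    policy_id = extract_policy_id(error_line)
    result = {"policy_id": policy_id, "kind": None, "namespace": None,
              "name": None, "mismatch": False}
    if policy_id is None:
        return result
    result["kind"] = classify_policy_id(policy_id)
    decoded = decode_operator_id(policy_id)
    if decoded is not None:
        result["namespace"], result["name"] = decoded
    if dashboard_id is not None and policy_id != dashboard_id:
        result["mismatch"] = True
    return result


if __name__ == "__main__":
    print(diagnose(SAMPLE_ERROR, SAMPLE_DASHBOARD_ID))
```

Running the block on the quoted error decodes the ID to namespace `rest-sample` and SecurityPolicy name `rest-sample-sample-policy`, i.e. the object the operator reconciled, and flags that it differs from the dashboard's 24-hex ID, which is exactly the mismatch the reporter describes.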

asoorm commented 2 years ago

@George-Grasham please confirm you have allow explicit policy id set to true in the Tyk configs?

https://github.com/TykTechnologies/tyk-operator/blob/master/docs/installation/installation.md#prerequisites

[Screenshot: 2022-06-15 at 09:00:57]

George-Grasham commented 2 years ago

We are using Tyk Cloud, so I'm not sure we can set this config. We're using hybrid gateways, so I can change the config there but not on the control plane (which I imagine is the one we actually need to change).

Thanks for your help 👍

sedkis commented 2 years ago

@George-Grasham you can reach out to support and they can change your control plane config :)

caroltyk commented 2 years ago

This issue is resolved, thanks all.