You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The documentation includes a "TODO" note regarding the host_config.generate_secure_paths flag in the tyk_analytics.conf file. This should be clarified or completed to avoid confusion for users.
The note mentions that Subject.CommonName is deprecated and its support will be removed in Tyk V5. Ensure this is clearly communicated and alternatives are provided to users.
`Subject.CommonName` is deprecated and its support will be removed in Tyk V5.
{{< /note >}}
The example for certificate pinning using Kubernetes secrets could benefit from additional clarity, especially regarding the tls.crt field and its expected content.
{{< /warning >}}
The example below illustrates a scenario where the public key from the Kubernetes secret object, *httpbin-secret*, is used for all domains, denoted by the wildcard character '*'. In this example the *tls.crt* field of the secret is set to the actual public key of *httpbin.org*. Subsequently, if you any URL other than https://httpbin.org is targetted (e.g. https://github.com/) a *public key pinning error* will be raised for that particular domain. This is because the public key of *httpbin.org* has been configured for all domains.
```yaml# ApiDefinition object 'pinned_public_keys_refs' field uses the following format:# spec:# pinned_public_keys_refs:# "domain.org": <secret_name> # the name of the Kubernetes Secret Object that holds the public key for the 'domain.org'.## In this way, you can refer to Kubernetes Secret Objects through 'pinned_public_keys_refs' field.## In this example, we have an HTTPS upstream target as `https://httpbin.org`. The public key of httpbin.org is obtained# with the following command:# $ openssl s_client -connect httpbin.org:443 -servername httpbin.org 2>/dev/null | openssl x509 -pubkey -noout## Note: Please set tls.crt field of your secret to actual public key of httpbin.org.## We are creating a secret called 'httpbin-secret'. In the 'tls.crt' field of the secret, we are specifying the public key of the# httpbin.org obtained through above `openssl` command, in the decoded manner.#apiVersion: v1kind: Secretmetadata:
name: httpbin-secrettype: kubernetes.io/tlsdata:
tls.crt: <PUBLIC_KEY> # Use tls.crt field for the public key.tls.key: ""
Replace or resolve the TODO placeholder to provide clear instructions for users
Ensure that the TODO placeholder for setting the host_config.generate_secure_paths flag is replaced with the correct instructions or removed if not applicable, as leaving it unresolved could confuse users.
-TODO:
Finally, set the [host_config.generate_secure_paths]({{< ref "tyk-dashboard/configuration#host_configgenerate_secure_paths" >}}) flag to `true` in your `tyk_analytics.conf`
Suggestion importance[1-10]: 9
Why: Resolving the TODO placeholder is crucial for providing clear and actionable instructions to users. Leaving it unresolved could lead to confusion and incomplete configurations.
9
Clarify the deprecation of Subject.CommonName to help users prepare for its removal
Add a warning or clarification about the deprecation of Subject.CommonName to ensure users are aware of its upcoming removal and can plan accordingly.
-`Subject.CommonName` is deprecated and its support will be removed in Tyk V5.+`Subject.CommonName` is deprecated and its support will be removed in Tyk V5. Please ensure to update your configurations to use `DNSNames` instead to avoid future compatibility issues.
Suggestion importance[1-10]: 8
Why: Adding clarification about the deprecation helps users plan for future changes and ensures compatibility with upcoming versions, which is important for smooth transitions.
8
Fix a typo in the documentation to improve clarity and professionalism
Correct the typo in "ceritficate" to "certificate" in the section about dynamically setting SSL certificates for custom domains to maintain professionalism and clarity.
-If you include certificateID or certificate path to an API definition `certificates` field, Gateway will dynamically load this ceritficate for your custom domain, so you will not need to restart the process.+If you include certificateID or certificate path to an API definition `certificates` field, Gateway will dynamically load this certificate for your custom domain, so you will not need to restart the process.
Suggestion importance[1-10]: 7
Why: Correcting the typo enhances the professionalism and readability of the documentation, ensuring users clearly understand the instructions.
7
Security
Emphasize the security risks of disabling SSL verification in production environments
Clarify the statement about disabling SSL verification in production environments to emphasize the security risks and discourage its use unless absolutely necessary.
-Alternatively, you can disable the verification of SSL certs in the component configurations below. **You shouln't do this in production!**+Alternatively, you can disable the verification of SSL certs in the component configurations below. **This is highly discouraged in production environments due to significant security risks and should only be used for testing purposes.**
Suggestion importance[1-10]: 8
Why: The suggestion improves the documentation by strongly discouraging insecure practices in production environments, which is critical for maintaining security.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
User description
For internal users - Please add a Jira DX PR ticket to the subject!
Preview Link
https://deploy-preview-5879--tyk-docs.netlify.app/docs/nightly/api-management/certificates/
Description
Screenshots (if appropriate)
Checklist
master.PR Type
Documentation
Description
Introduced a new consolidated documentation page
certificates.mdfor TLS/SSL and certificate management.Removed redundant and outdated documentation files related to TLS/SSL and certificate pinning.
Updated navigation and aliases to reflect the new structure and remove deprecated paths.
Added a new FAQ entry for adding custom certificates to Docker images.
Changes walkthrough 📝
certificates.md
New consolidated TLS/SSL and certificate management documentationtyk-docs/content/api-management/certificates.md
and Dashboard.
cipher suites.
page.
troubleshooting-debugging.md
Added FAQ for custom certificates in Docker imagestyk-docs/content/api-management/troubleshooting-debugging.md
images.
tls-and-ssl.md
Removed outdated TLS and SSL documentationtyk-docs/content/basic-config-and-security/security/tls-and-ssl.md
certificates.md.add-custom-certificates-to-docker-images.md
Removed redundant FAQ for custom certificatestyk-docs/content/frequently-asked-questions/add-custom-certificates-to-docker-images.md
certificate-pinning.md
Removed outdated certificate pinning documentationtyk-docs/content/security/certificate-pinning.md
certificates.md.alias.json
Updated aliases for new documentation structuretyk-docs/data/alias.json
certificates.md.menu.yaml
Updated navigation for new documentation structuretyk-docs/data/menu.yaml
certificates.mdpage.