[TT-15398] added basic configuration for ExternalServiceConfig

[andrei-tyk]

User description

TT-15398

Summary	Foundation for external proxy service
Type	Story
Status	In Dev
Points	N/A
Labels	-

---

Description

This PR introduces foundational support for external service configuration in Tyk Gateway, enabling centralized proxy and mTLS configuration for all external service communications. Additionally, it includes improvements to API versioning validation and OAS utility functions.

Key Changes:

External Service Configuration (TT-15398):

• Added ExternalServiceConfig to main gateway configuration with support for:
  • Global and service-specific HTTP proxy configuration
  • mTLS client certificate support for secure external communications
  • Environment variable proxy configuration support
  • NO_PROXY support for bypassing proxy for specific hosts
• Created ExternalHTTPClientFactory for creating configured HTTP clients for different service types:
  • OAuth/JWK endpoints
  • Analytics services
  • Webhook deliveries
  • Storage backends
  • Health check endpoints
  • Service discovery
• Comprehensive unit tests covering all proxy and mTLS scenarios

API Versioning Improvements:

• Enhanced validation for API versioning parameters, particularly for new_version_name requirement
• Added VersionQueryParameters utility for handling version-related HTTP parameters
• Improved error handling and validation logic for version creation workflows
• Added proper HTTP 422 status code for version validation errors

OAS and Utility Enhancements:

• Added server utilities for OAS processing
• Enhanced duration parsing capabilities
• Various improvements to OAS handling and test coverage

Related Issue

Tyk: TT-15398 - Foundation for External Proxy Service

Motivation and Context

This change is required to provide a unified way to configure external service communications across Tyk Gateway. Currently, different parts of the system handle external communications inconsistently, with no centralized way to configure proxy settings or mTLS for external service calls.

Problems solved:

• Lack of proxy support for external service communications
• No centralized mTLS configuration for external services
• Inconsistent HTTP client configuration across different service types
• Missing validation for API versioning parameters that could lead to runtime errors

How This Has Been Tested

External Service Configuration:

• Unit tests covering all proxy configuration scenarios (HTTP/HTTPS proxy, environment variables, NO_PROXY)
• mTLS configuration tests with client certificates and CA validation
• Service-specific configuration override tests
• HTTP client factory tests for all service types

API Versioning:

• Unit tests for validation logic with various parameter combinations
• Error case testing for missing required parameters
• Integration tests for version parameter processing

Test Coverage:

• config/external_service_test.go: 331 lines of comprehensive configuration tests
• gateway/external_http_client_test.go: 535 lines of HTTP client factory tests
• lib/apidef/version_test.go: 188 lines of versioning validation tests
• Various other test enhancements across modified files

Screenshots (if appropriate)

N/A - Infrastructure changes only

Types of changes

• New feature (non-breaking change which adds functionality)
• Refactoring or add test (improvements in base code or adds test coverage to functionality)

Checklist

• I ensured that the documentation is up to date
• I explained why this PR updates go.mod in detail with reasoning why it's required
• I would like a code coverage CI quality gate exception and have explained why

Note: This PR does not modify go.mod dependencies. All changes use existing standard library and internal packages only.

---

PR Type

Enhancement, Tests

---

Description

• Introduced ExternalServiceConfig for external proxy and mTLS configuration

• Added ExternalHTTPClientFactory for service-specific HTTP clients

• Updated JSON schema to support new external service config structure

• Comprehensive unit tests for configuration and HTTP client logic

---

Diagram Walkthrough

flowchart LR
  configGo["config.go: Add ExternalServiceConfig to main config"]
  externalServiceGo["external_service.go: Define proxy & mTLS structs"]
  externalServiceTestGo["external_service_test.go: Unit tests for config"]
  schemaJson["schema.json: Update JSON schema for new config"]
  extHttpClientGo["external_http_client.go: HTTP client factory for services"]
  extHttpClientTestGo["external_http_client_test.go: Tests for HTTP client factory"]

  configGo -- "references" --> externalServiceGo
  configGo -- "validated by" --> schemaJson
  externalServiceGo -- "tested by" --> externalServiceTestGo
  extHttpClientGo -- "uses" --> externalServiceGo
  extHttpClientGo -- "tested by" --> extHttpClientTestGo

Loading

File Walkthrough

	Relevant files
Enhancement	config.go Add ExternalServices config field for proxy/mTLS                  config/config.go Added ExternalServices field to main Config struct Integrates external service proxy and mTLS configuration +3/-0      external_service.go Define structs for external service proxy/mTLS config        config/external_service.go Introduced ExternalServiceConfig, ProxyConfig, ServiceConfig, and MTLSConfig structs Defined service type constants for external services Structured for extensible proxy and mTLS support +60/-0    external_http_client.go Add HTTP client factory for external services                        gateway/external_http_client.go Implemented ExternalHTTPClientFactory for service-specific HTTP clients Handles proxy and mTLS configuration hierarchy Provides specialized client creators (JWK, webhook, analytics, etc.) +246/-0  schema.json Update JSON schema for external service config                      cli/linter/schema.json Updated JSON schema to support external_services config Added definitions for ServiceConfig, ProxyConfig, and MTLSConfig Ensured schema validation for new config fields +87/-0
Tests	external_service_test.go Unit tests for external service config structs                      config/external_service_test.go Added comprehensive unit tests for new config structs Tested JSON marshaling/unmarshaling and zero/partial values Validated service type constants and mTLS config logic +331/-0  external_http_client_test.go Unit tests for external HTTP client factory                            gateway/external_http_client_test.go Added extensive tests for HTTP client factory logic Covered proxy, mTLS, NO_PROXY, and service config merging Tested specialized client creation and error handling +535/-0

---

[buger]

I'm a bot and I 👍 this PR title. 🤖

[buger]

This PR is too huge for one to review 💔

Additions	1175 🙅‍♀️
Expected	⬇️ 800

Consider breaking it down into multiple small PRs.

Check out this guide to learn more about PR best-practices.

[github-actions]

PR Reviewer Guide 🔍

(Review updated until commit 42c142a)

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 4 🔵🔵🔵🔵⚪

🧪 PR contains tests

🔒 Security concerns Insecure TLS Configuration: The InsecureSkipVerify option in the mTLS configuration disables server certificate verification, which can expose clients to man-in-the-middle attacks if enabled in production. This should be used with caution, and ideally, there should be clear documentation and/or runtime warnings when this option is set to true.

⚡ Recommended focus areas for review Proxy and mTLS Configuration Logic The new HTTP client factory introduces logic for merging service-specific and global proxy/mTLS settings, and for handling environment-based proxy configuration. The reviewer should validate that the merging and fallback logic is robust and does not result in unexpected proxy or TLS settings, especially in edge cases where partial configurations are provided. func (f *ExternalHTTPClientFactory) CreateClient(serviceType string) (*http.Client, error) { serviceConfig := f.getServiceConfig(serviceType) transport := &http.Transport{ // Set reasonable defaults MaxIdleConns: 100, MaxIdleConnsPerHost: 10, IdleConnTimeout: 30 * time.Second, } // Configure proxy proxyFunc, err := f.getProxyFunction(serviceConfig) if err != nil { return nil, fmt.Errorf("failed to configure proxy: %w", err) } transport.Proxy = proxyFunc // Configure TLS tlsConfig, err := f.getTLSConfig(serviceConfig) if err != nil { return nil, fmt.Errorf("failed to configure TLS: %w", err) } transport.TLSClientConfig = tlsConfig return &http.Client{ Transport: transport, Timeout: 30 * time.Second, }, nil } // getServiceConfig returns the merged configuration for a specific service type. func (f *ExternalHTTPClientFactory) getServiceConfig(serviceType string) config.ServiceConfig { var serviceConfig config.ServiceConfig // Get service-specific configuration switch serviceType { case config.ServiceTypeOAuth: serviceConfig = f.config.OAuth case config.ServiceTypeAnalytics: serviceConfig = f.config.Analytics case config.ServiceTypeStorage: serviceConfig = f.config.Storage case config.ServiceTypeWebhook: serviceConfig = f.config.Webhooks case config.ServiceTypeHealth: serviceConfig = f.config.Health case config.ServiceTypeDiscovery: serviceConfig = f.config.Discovery default: // Use empty service config, will fall back to global settings serviceConfig = config.ServiceConfig{} } // Merge with global proxy configuration if service-specific is not set if serviceConfig.Proxy.HTTPProxy == "" && serviceConfig.Proxy.HTTPSProxy == "" && !serviceConfig.Proxy.UseEnvironment { if f.config.Proxy.HTTPProxy != "" || f.config.Proxy.HTTPSProxy != "" || f.config.Proxy.UseEnvironment { serviceConfig.Proxy = f.config.Proxy } } return serviceConfig } InsecureSkipVerify Handling The code allows disabling server certificate verification via the insecure_skip_verify flag in mTLS config. This is a potential security risk if enabled in production. The reviewer should ensure that this behavior is clearly documented and that there are safeguards or warnings in place for production deployments. func (f *ExternalHTTPClientFactory) getTLSConfig(serviceConfig config.ServiceConfig) (*tls.Config, error) { tlsConfig := &tls.Config{ InsecureSkipVerify: serviceConfig.MTLS.InsecureSkipVerify, } // Configure mTLS if enabled if serviceConfig.MTLS.Enabled { // Load client certificate if serviceConfig.MTLS.CertFile != "" && serviceConfig.MTLS.KeyFile != "" { cert, err := tls.LoadX509KeyPair(serviceConfig.MTLS.CertFile, serviceConfig.MTLS.KeyFile) if err != nil { return nil, fmt.Errorf("failed to load client certificate: %w", err) } tlsConfig.Certificates = []tls.Certificate{cert} } // Load CA certificate if serviceConfig.MTLS.CAFile != "" { caCert, err := ioutil.ReadFile(serviceConfig.MTLS.CAFile) if err != nil { return nil, fmt.Errorf("failed to read CA certificate: %w", err) } caCertPool := x509.NewCertPool() if !caCertPool.AppendCertsFromPEM(caCert) { return nil, fmt.Errorf("failed to parse CA certificate") } tlsConfig.RootCAs = caCertPool } } return tlsConfig, nil }

[github-actions]

PR Code Suggestions ✨

No code suggestions found for the PR.

[github-actions]

API Changes

--- prev.txt	2025-08-12 19:18:34.419550397 +0000
+++ current.txt	2025-08-12 19:18:25.002526828 +0000
@@ -5571,6 +5571,16 @@
 
 	DefaultOTelResourceName = "tyk-gateway"
 )
+const (
+	ServiceTypeOAuth     = "oauth"
+	ServiceTypeAnalytics = "analytics"
+	ServiceTypeStorage   = "storage"
+	ServiceTypeWebhook   = "webhook"
+	ServiceTypeHealth    = "health"
+	ServiceTypeDiscovery = "discovery"
+)
+    Service type constants for identifying different external service types
+
 const GracefulShutdownDefaultDuration = 30
 
 VARIABLES
@@ -5817,6 +5827,9 @@
 	// Global Certificate configuration
 	Security SecurityConfig `json:"security"`
 
+	// External service configuration for proxy and mTLS support
+	ExternalServices ExternalServiceConfig `json:"external_services"`
+
 	// Gateway HTTP server configuration
 	HttpServerOptions HttpServerOptionsConfig `json:"http_server_options"`
 
@@ -6388,6 +6401,20 @@
 }
     EventMessage is a standard form to send event data to handlers
 
+type ExternalServiceConfig struct {
+	// Global proxy configuration that applies to all external services
+	Proxy ProxyConfig `json:"proxy"`
+	// Service-specific configurations that can override global settings
+	OAuth     ServiceConfig `json:"oauth"`
+	Analytics ServiceConfig `json:"analytics"`
+	Storage   ServiceConfig `json:"storage"`
+	Webhooks  ServiceConfig `json:"webhooks"`
+	Health    ServiceConfig `json:"health"`
+	Discovery ServiceConfig `json:"discovery"`
+}
+    ExternalServiceConfig defines configuration for external service
+    interactions including proxy settings and mTLS client certificate support.
+
 type HealthCheckConfig struct {
 	// Setting this value to `true` will enable the health-check endpoint on /Tyk/health.
 	EnableHealthChecks bool `json:"enable_health_checks"`
@@ -6542,6 +6569,20 @@
 	CacheSessionEviction int `json:"cached_session_eviction"`
 }
 
+type MTLSConfig struct {
+	// Enabled controls whether mTLS is enabled for this service
+	Enabled bool `json:"enabled"`
+	// CertFile path to the client certificate file
+	CertFile string `json:"cert_file"`
+	// KeyFile path to the client private key file
+	KeyFile string `json:"key_file"`
+	// CAFile path to the CA certificate file for server verification
+	CAFile string `json:"ca_file"`
+	// InsecureSkipVerify disables server certificate verification (not recommended for production)
+	InsecureSkipVerify bool `json:"insecure_skip_verify"`
+}
+    MTLSConfig defines mTLS client certificate configuration.
+
 type MonitorConfig struct {
 	// Set this to `true` to have monitors enabled in your configuration for the node.
 	EnableTriggerMonitors bool               `json:"enable_trigger_monitors"`
@@ -6667,6 +6708,20 @@
 func (p Private) GetOAuthTokensPurgeInterval() time.Duration
     GetOAuthTokensPurgeInterval returns purge interval for lapsed OAuth tokens.
 
+type ProxyConfig struct {
+	// UseEnvironment enables reading proxy configuration from environment variables
+	// (HTTP_PROXY, HTTPS_PROXY, NO_PROXY)
+	UseEnvironment bool `json:"use_environment"`
+	// HTTPProxy sets the HTTP proxy URL (e.g., http://proxy:8080)
+	HTTPProxy string `json:"http_proxy"`
+	// HTTPSProxy sets the HTTPS proxy URL (e.g., https://proxy:8080)
+	HTTPSProxy string `json:"https_proxy"`
+	// NoProxy defines addresses that should bypass the proxy (comma-separated)
+	NoProxy string `json:"no_proxy"`
+}
+    ProxyConfig defines HTTP proxy configuration for external service
+    connections.
+
 type RateLimit struct {
 	// EnableFixedWindow enables fixed window rate limiting.
 	EnableFixedWindowRateLimiter bool `json:"enable_fixed_window_rate_limiter"`
@@ -6760,6 +6815,15 @@
 	Certificates CertificatesConfig `json:"certificates"`
 }
 
+type ServiceConfig struct {
+	// Proxy configuration for this specific service type
+	Proxy ProxyConfig `json:"proxy"`
+	// MTLS configuration for secure external communications
+	MTLS MTLSConfig `json:"mtls"`
+}
+    ServiceConfig defines service-specific configuration that can override
+    global settings.
+
 type ServiceDiscoveryConf struct {
 	// Service discovery cache timeout
 	DefaultCacheTimeout int `json:"default_cache_timeout"`
@@ -9482,6 +9546,37 @@
 	SetUser(string, *user.SessionState, int64) error
 }
 
+type ExternalHTTPClientFactory struct {
+	// Has unexported fields.
+}
+    ExternalHTTPClientFactory creates HTTP clients for external service
+    interactions with support for proxy configuration and mTLS client
+    certificates.
+
+func NewExternalHTTPClientFactory(gw *Gateway) *ExternalHTTPClientFactory
+    NewExternalHTTPClientFactory creates a new HTTP client factory.
+
+func (f *ExternalHTTPClientFactory) CreateAnalyticsClient() (*http.Client, error)
+    CreateAnalyticsClient creates an HTTP client for analytics requests.
+
+func (f *ExternalHTTPClientFactory) CreateClient(serviceType string) (*http.Client, error)
+    CreateClient creates an HTTP client configured for the specified service
+    type. It applies proxy settings and mTLS configuration based on the service
+    configuration hierarchy: 1. Service-specific configuration 2. Global
+    configuration 3. Environment variables (for proxy) 4. Default settings
+
+func (f *ExternalHTTPClientFactory) CreateIntrospectionClient() (*http.Client, error)
+    CreateIntrospectionClient creates an HTTP client for OAuth introspection
+    requests.
+
+func (f *ExternalHTTPClientFactory) CreateJWKClient(insecureSkipVerify bool) (*http.Client, error)
+    CreateJWKClient creates an HTTP client specifically configured for JWK
+    endpoint requests. This method preserves existing SSL skip verify behavior
+    while adding proxy support.
+
+func (f *ExternalHTTPClientFactory) CreateWebhookClient() (*http.Client, error)
+    CreateWebhookClient creates an HTTP client for webhook requests.
+
 type ExternalOAuthMiddleware struct {
 	*BaseMiddleware
 }

[github-actions]

🚀 Performance Snapshot

Effort	Perf Risk	Hot Paths	Benchmarks	TL;DR
Low	🟢	✅	❔	Minimal performance impact with good connection pooling defaults

## Performance Impact Analysis

This PR introduces external service configuration for proxy and mTLS settings with minimal performance impact. The main overhead comes from proxy determination logic that runs per request and mTLS handshakes when enabled. However, the implementation uses connection pooling with reasonable defaults (MaxIdleConns: 100, MaxIdleConnsPerHost: 10) and performs expensive operations like certificate loading only during initialization.

## Critical Areas

The proxy determination logic in getProxyFunction adds a small overhead to each request, especially when NO_PROXY checking is involved. When mTLS is enabled, there will be additional TLS handshake overhead for new connections, but this is mitigated by connection pooling. Certificate loading during initialization could slightly increase startup time but doesn't affect request handling.

## Optimization Recommendations

Consider caching the results of proxy determination for frequently accessed hosts to reduce per-request overhead. For large NO_PROXY lists, a more efficient matching algorithm could be implemented. The default timeout of 30 seconds seems reasonable, but consider making it configurable per service type for fine-tuning in production environments.

## Summary

• The PR adds minimal runtime overhead with most expensive operations happening during initialization
• Connection pooling with good defaults helps mitigate connection establishment costs
• Proxy determination logic runs per-request but is relatively lightweight
• mTLS adds overhead only during connection establishment, mitigated by connection pooling
• No significant performance concerns identified in the implementation

---

Tip: Mention me again using /performance <request>.
Powered by Probe AI
Performance Impact Reviewer Prompt

[github-actions]

🛡️ Security Snapshot

Effort	Risk Level	Tests	Compliance	TL;DR
Medium	🟡	✅	✔️	Introduces external service config with proxy/mTLS support; InsecureSkipVerify option requires caution

## Security Impact Analysis

This PR introduces a new ExternalServiceConfig system that centralizes proxy and mTLS configuration for external service communications. The implementation properly handles certificate loading, validation, and proxy configuration. However, it exposes the InsecureSkipVerify option which, while documented as "not recommended for production," could lead to certificate validation bypassing if misconfigured.

The code demonstrates good security practices with proper error handling for certificate loading failures and clear separation between global and service-specific configurations. The implementation of NO_PROXY support enhances security by allowing selective proxy bypassing.

## Identified Vulnerabilities

Medium Risk:

• The InsecureSkipVerify option in MTLSConfig allows disabling TLS certificate verification, which could expose the system to man-in-the-middle attacks if enabled in production environments.

Low Risk:

• No explicit logging of TLS configuration errors beyond returning errors to callers, which might make troubleshooting certificate issues in production more difficult.
• No runtime warnings when InsecureSkipVerify is enabled, which could lead to it being left enabled unintentionally.

## Security Recommendations

1. Consider adding runtime warnings (logs) when InsecureSkipVerify is enabled to alert operators of the potential security risk.

2. Add more detailed documentation about the security implications of enabling InsecureSkipVerify in the configuration examples or documentation.

3. Consider implementing a development/production mode flag that prevents InsecureSkipVerify from being enabled in production environments.

4. Add more comprehensive logging for certificate loading and validation failures to aid in troubleshooting.

5. Consider implementing certificate pinning as an additional security measure for critical external services.

## OWASP Compliance

The implementation generally aligns with OWASP best practices:

• A3:2017-Sensitive Data Exposure: Properly handles certificates and private keys.
• A5:2017-Broken Access Control: Provides proper mTLS support for service authentication.
• A6:2017-Security Misconfiguration: The InsecureSkipVerify option could lead to security misconfiguration if not properly documented and controlled.

The code could be improved regarding:

• A10:2017-Insufficient Logging & Monitoring: More detailed logging for TLS configuration and certificate validation would improve security monitoring.

## Summary

• The PR introduces a well-structured system for external service communication security.
• The implementation of mTLS support enhances security for external service communications.
• The InsecureSkipVerify option presents a moderate security risk if misused.
• Additional runtime warnings and documentation would improve security awareness.
• Overall, the changes represent a security improvement with appropriate cautions.

---

Tip: Mention me again using /security <request>.
Powered by Probe AI
Security Impact Reviewer Prompt

[github-actions]

🛡️ Security Snapshot

Effort	Risk Level	Tests	Compliance	TL;DR
Medium	🟡	✅	✔️	New external service configuration introduces InsecureSkipVerify option that requires careful usage

## Security Impact Analysis

The PR introduces a new ExternalServiceConfig structure for configuring HTTP clients used for external service communications. From a security perspective, the key components are:

1. Proxy Configuration - Allows configuring HTTP/HTTPS proxies for external communications, which can enhance security by routing traffic through controlled channels.

2. mTLS Support - Adds proper mutual TLS authentication for external services, which is a security enhancement that allows for stronger authentication.

3. InsecureSkipVerify Option - Includes an option to disable TLS certificate verification, which presents a security risk if misused.

4. Certificate Authority Configuration - Allows specifying custom CA certificates for validating server certificates, which is a security best practice.

The implementation follows secure coding practices with proper error handling, input validation, and comprehensive test coverage.

## Identified Vulnerabilities

Medium Risk:

• InsecureSkipVerify Option: The MTLSConfig struct includes an InsecureSkipVerify option that disables certificate validation when set to true. This could expose the system to man-in-the-middle attacks if enabled in production environments. The code comment indicates it should only be used for testing or trusted environments, but there's no runtime enforcement of this recommendation.

Low Risk:

• Environment Variable Dependency: The proxy configuration can use environment variables (HTTP_PROXY, HTTPS_PROXY, NO_PROXY), which could potentially be manipulated in some deployment scenarios. However, this is a standard practice and the implementation follows established patterns.

• Certificate and Key File Paths: The implementation reads certificate and key files from paths specified in the configuration. If these paths are not properly secured, it could lead to unauthorized access to sensitive cryptographic material.

## Security Recommendations

1. Add Warnings for InsecureSkipVerify: Consider adding runtime warnings when InsecureSkipVerify is enabled in production environments. This could help prevent accidental misuse.

2. Implement Certificate Pinning: For highly sensitive external services, consider adding certificate pinning capabilities to provide an additional layer of security beyond CA validation.

3. Add Secure Default TLS Versions: Consider setting secure default minimum TLS versions (e.g., TLS 1.2+) for external connections to prevent fallback to insecure protocol versions.

4. Add Logging for Security Events: Implement detailed logging for security-related events such as certificate validation failures or proxy connection issues to aid in troubleshooting and security monitoring.

5. Consider Adding Certificate Rotation Support: For long-running services, consider adding support for certificate rotation without requiring a gateway restart.

## OWASP Compliance

The implementation generally aligns with OWASP security best practices:

• A2:2017 Broken Authentication: The mTLS implementation provides strong authentication for external services, which is a positive security control.

• A3:2017 Sensitive Data Exposure: The code properly handles sensitive data like certificates and keys, loading them from files rather than embedding them in configuration.

• A6:2017 Security Misconfiguration: The InsecureSkipVerify option could lead to security misconfiguration if misused. The code includes a warning comment, but additional runtime safeguards would be beneficial.

• A9:2017 Using Components with Known Vulnerabilities: The implementation uses standard Go libraries for TLS and HTTP client functionality, which are generally well-maintained and secure.

## Summary

• The PR introduces a well-structured and flexible configuration system for external service communications with good security controls.
• The inclusion of mTLS support enhances security for external service communications.
• The InsecureSkipVerify option presents a potential security risk if misused in production environments.
• The implementation includes comprehensive test coverage for both normal and error cases.
• Additional runtime warnings or safeguards for insecure options would further improve security.

---

Tip: Mention me again using /security <request>.
Powered by Probe AI
Security Impact Reviewer Prompt

[github-actions]

📦 Impact Review Snapshot

Effort	Downstream Updates	Compatibility	Docs	TL;DR
Low	⚠️	🟢	⚠️	Configuration changes for external services require updates to tyk-charts but are backward compatible

## Impact Assessment

The PR introduces a new ExternalServiceConfig structure in the gateway configuration that centralizes proxy and mTLS settings for external service communications. This primarily affects tyk-charts which needs to expose these new configuration options. The changes don't modify API definitions or schemas, so tyk-operator is unaffected. No RPC protocol changes impact tyk-sink. The portal is unaffected as these changes focus on gateway outbound connections.

## Required Updates

• tyk-charts: Update values.yaml and templates to expose the new ExternalServices configuration section
• tyk-charts: Add documentation for the new proxy and mTLS configuration options
• Documentation: Update configuration documentation to describe the new external service options

## Compatibility Concerns

The changes are backward compatible as they add new optional configuration without modifying existing behavior. Default values ensure existing deployments continue to work without changes. The InsecureSkipVerify option should be documented with appropriate security warnings.

## Summary & Recommendations

• Update tyk-charts to expose the new ExternalServices configuration section
• Add documentation for the new configuration options, especially highlighting security implications of InsecureSkipVerify
• Consider adding examples of common proxy and mTLS configurations for different environments

---

Tip: Mention me again using /dependency <request>.
Powered by Probe AI
Tyk Gateway Dependency Impact Reviewer

[github-actions]

📦 Impact Review Snapshot

Effort	Downstream Updates	Compatibility	Docs	TL;DR
Low	⚠️	🟢	📖	New external service config requires tyk-charts updates

## Impact Assessment

The PR introduces a new ExternalServiceConfig structure in the Tyk Gateway configuration, enabling centralized proxy and mTLS configuration for external service communications. This change primarily affects tyk-charts which would need to expose these new configuration options. The changes don't modify API definitions, policy structures, or RPC protocols, so tyk-operator, portal, and tyk-sink are unlikely to be directly affected.

## Required Updates

tyk-charts:

• Update values.yaml to include the new external_services configuration section
• Update templates that generate the Tyk Gateway configuration to include these new options
• Add documentation for the new configuration options in the chart's README

No updates required for tyk-operator, portal, or tyk-sink as the changes don't affect their integration points.

## Compatibility Concerns

The changes are additive and don't modify existing behavior, so backward compatibility is maintained. The new configuration is optional, and services will continue to work with direct connections if no proxy or mTLS is configured.

The InsecureSkipVerify option in the mTLS configuration should be documented with appropriate security warnings, as it disables certificate verification which could expose the system to man-in-the-middle attacks if enabled in production.

## Summary & Recommendations

• Create a corresponding PR in tyk-charts to expose the new external service configuration options
• Add documentation for the new configuration options, particularly highlighting security considerations for the InsecureSkipVerify option
• Consider adding examples in the documentation showing how to configure proxy and mTLS for different service types

---

Tip: Mention me again using /dependency <request>.
Powered by Probe AI
Tyk Gateway Dependency Impact Reviewer

[github-actions]

🚦 Connectivity Review Snapshot

Effort	Tests	Security	Perf	TL;DR
Medium	✅	🔒 ⚠️	🟢	Adds centralized proxy and mTLS configuration for external service communications without modifying existing Redis/RPC connections

## Connectivity Assessment

• Redis Connections: No direct changes to Redis connectivity; this PR establishes a foundation for potentially configuring Redis connections via the new external service framework in the future.
• RPC Connections: No modifications to existing RPC connectivity; the new framework could be extended to support RPC configuration.
• Synchronization Mechanisms: Introduces a centralized configuration approach for external HTTP clients that could be leveraged for Redis/RPC in future PRs.

## Test Coverage Validation

• Redis Tests: N/A - Redis connections are not directly affected by this PR.
• RPC Tests: N/A - RPC connections are not directly affected by this PR.
• Failure Scenario Tests: The PR includes comprehensive tests for proxy configuration, mTLS setup, and error handling in the new external HTTP client factory.

## Security & Performance Impact

• Authentication Changes: Adds support for mTLS client certificates which enhances security for external service communications.
• Performance Considerations: HTTP client configuration includes sensible defaults for connection pooling (MaxIdleConns: 100, MaxIdleConnsPerHost: 10).
• Error Handling: Proper error handling for certificate loading and proxy configuration with clear error messages.

## Summary & Recommendations

• The InsecureSkipVerify option in MTLSConfig should include stronger warnings in documentation about security implications.
• Consider adding a mechanism to validate proxy URLs at configuration load time rather than only when clients are created.
• In future PRs, consider extending this framework to standardize Redis and RPC connection configuration.
• No suggestions to provide – change LGTM.

---

Tip: Mention me again using /connectivity <request>.
Powered by Probe AI
Connectivity Issues Reviewer Prompt for Tyk Gateway

[github-actions]

🚀 Performance Snapshot

Effort	Perf Risk	Hot Paths	Benchmarks	TL;DR
Low	🟢	✅	❔	Minimal performance impact with good connection pooling practices

## Performance Impact Analysis

The new external service configuration introduces minimal performance overhead. The HTTP client factory creates clients with proper connection pooling (MaxIdleConns: 100, MaxIdleConnsPerHost: 10) and reasonable timeouts. Client creation happens infrequently, typically at startup or on-demand, not in hot request paths. The proxy resolution logic adds negligible overhead per request.

## Critical Areas

Certificate loading from disk occurs during client initialization, not per-request. The proxy function execution adds a small overhead to each external request for determining which proxy to use, but the implementation efficiently handles NO_PROXY rules with minimal string operations. The configuration merging logic (service-specific vs. global) is straightforward and has negligible impact.

## Optimization Recommendations

Consider adding metrics to track external service request latencies to monitor any potential proxy-related slowdowns. The shouldBypassProxy function could potentially be optimized further by pre-compiling patterns or using a more efficient matching algorithm for large NO_PROXY lists. Consider adding connection timeout parameters to the configuration for fine-tuning in high-latency environments.

## Summary

• The PR introduces a well-designed external service configuration with minimal performance impact
• HTTP client creation is properly optimized with connection pooling and reasonable defaults
• Certificate loading happens at initialization time, not in request hot paths
• Proxy resolution adds negligible overhead per external request
• No suggestions to provide – change LGTM.

---

Tip: Mention me again using /performance <request>.
Powered by Probe AI
Performance Impact Reviewer Prompt

[github-actions]

🚦 Connectivity Review Snapshot

Effort	Tests	Security	Perf	TL;DR
Medium	✅	🔒 InsecureSkipVerify	🟢	Adds foundation for external service proxy/mTLS config without modifying existing Redis/RPC connections

## Connectivity Assessment

• Redis Connections: No direct changes to Redis connectivity. The PR adds ExternalServiceConfig but doesn't yet integrate it with Redis connections, which still use the existing ConnectionHandler.
• RPC Connections: No modifications to RPC client connectivity. The foundation is laid for future integration, but current RPC connections remain unchanged.
• Synchronization Mechanisms: No changes to Redis pub/sub or notification mechanisms. The PR focuses on HTTP client configuration for external services.

## Test Coverage Validation

• Redis Tests: No new Redis-specific tests as Redis connectivity is not modified.
• RPC Tests: No new RPC-specific tests as RPC connectivity is not modified.
• Failure Scenario Tests: Comprehensive tests for proxy configuration including environment variables, NO_PROXY handling, and service-specific overrides. Good coverage for mTLS client certificate loading and validation.

## Security & Performance Impact

• Authentication Changes: Adds mTLS client certificate support for external service authentication, which is a security enhancement when properly configured.
• Performance Considerations: HTTP connection pooling is properly configured with reasonable defaults (MaxIdleConns: 100, MaxIdleConnsPerHost: 10, IdleConnTimeout: 30s).
• Error Handling: Proper error propagation for certificate loading failures, but consider adding more detailed logging for certificate validation issues in production.

## Summary & Recommendations

• The PR provides a solid foundation for external service connectivity without disrupting existing Redis/RPC connections.
• Consider documenting the InsecureSkipVerify option with explicit warnings about security implications in production.
• Future work should integrate this client factory with Redis and RPC connections for a unified approach to all external communications.
• No suggestions to provide – change LGTM.

---

Tip: Mention me again using /connectivity <request>.
Powered by Probe AI
Connectivity Issues Reviewer Prompt for Tyk Gateway

[github-actions]

🚀 Performance Snapshot

Effort	Perf Risk	Hot Paths	Benchmarks	TL;DR
Low	🟢	✅	❔	Minimal performance impact with good connection pooling defaults

## Performance Impact Analysis

This PR introduces external service configuration for proxy and mTLS settings with minimal performance impact. The main overhead comes from proxy determination logic that runs per request and mTLS handshakes when enabled. However, the implementation uses connection pooling with reasonable defaults (MaxIdleConns: 100, MaxIdleConnsPerHost: 10) and performs expensive operations like certificate loading only during initialization.

## Critical Areas

The proxy determination logic in getProxyFunction adds a small overhead to each request, especially when NO_PROXY checking is involved. When mTLS is enabled, there will be additional TLS handshake overhead for new connections, but this is mitigated by connection pooling. Certificate loading during initialization could slightly increase startup time but doesn't affect request handling.

## Optimization Recommendations

Consider caching the results of proxy determination for frequently accessed hosts to reduce per-request overhead. For large NO_PROXY lists, a more efficient matching algorithm could be implemented. The default timeout of 30 seconds seems reasonable, but consider making it configurable per service type for fine-tuning in production environments.

## Summary

• The PR adds minimal runtime overhead with most expensive operations happening during initialization
• Connection pooling with good defaults helps mitigate connection establishment costs
• Proxy determination logic runs per-request but is relatively lightweight
• mTLS adds overhead only during connection establishment, mitigated by connection pooling
• No significant performance concerns identified in the implementation

---

Tip: Mention me again using /performance <request>.
Powered by Probe AI
Performance Impact Reviewer Prompt

[github-actions]

📦 Impact Review Snapshot

Effort	Downstream Updates	Compatibility	Docs	TL;DR
Low	⚠️	🟢	⚠️	Configuration changes for external services require updates to tyk-charts but are backward compatible

## Impact Assessment

The PR introduces a new ExternalServiceConfig structure in the gateway configuration that centralizes proxy and mTLS settings for external service communications. This primarily affects tyk-charts which needs to expose these new configuration options. The changes don't modify API definitions or schemas, so tyk-operator is unaffected. No RPC protocol changes impact tyk-sink. The portal is unaffected as these changes focus on gateway outbound connections.

## Required Updates

• tyk-charts: Update values.yaml and templates to expose the new ExternalServices configuration section
• tyk-charts: Add documentation for the new proxy and mTLS configuration options
• Documentation: Update tyk.conf.example to include the new ExternalServices section with example configuration
• Documentation: Add documentation for the new configuration options, particularly highlighting security considerations for InsecureSkipVerify

## Compatibility Concerns

The changes are backward compatible as they add new optional configuration without modifying existing behavior. Default values ensure existing deployments continue to work without changes. The InsecureSkipVerify option should be documented with appropriate security warnings to prevent misuse in production environments.

## Summary & Recommendations

• Create a corresponding PR in tyk-charts to expose the new external service configuration options
• Update tyk.conf.example to include an example of the new ExternalServices configuration
• Add documentation for the new configuration options, especially highlighting security implications of InsecureSkipVerify
• Consider adding examples of common proxy and mTLS configurations for different environments

---

Tip: Mention me again using /dependency <request>.
Powered by Probe AI
Tyk Gateway Dependency Impact Reviewer

[github-actions]

🚦 Connectivity Review Snapshot

Effort	Tests	Security	Perf	TL;DR
Medium	✅	🔒 ⚠️	🟢	Adds centralized proxy and mTLS configuration for external service communications without modifying existing Redis/RPC connections

## Connectivity Assessment

• Redis Connections: No direct changes to Redis connectivity; this PR establishes a foundation for potentially configuring Redis connections via the new external service framework in the future.
• RPC Connections: No modifications to existing RPC connectivity; the new framework could be extended to support RPC configuration.
• Synchronization Mechanisms: Introduces a centralized configuration approach for external HTTP clients that could be leveraged for Redis/RPC in future PRs.

## Test Coverage Validation

• Redis Tests: N/A - Redis connections are not directly affected by this PR.
• RPC Tests: N/A - RPC connections are not directly affected by this PR.
• Failure Scenario Tests: The PR includes comprehensive tests for proxy configuration, mTLS setup, and error handling in the new external HTTP client factory.

## Security & Performance Impact

• Authentication Changes: Adds support for mTLS client certificates which enhances security for external service communications.
• Performance Considerations: HTTP client configuration includes sensible defaults for connection pooling (MaxIdleConns: 100, MaxIdleConnsPerHost: 10).
• Error Handling: Proper error handling for certificate loading and proxy configuration with clear error messages.

## Summary & Recommendations

• The InsecureSkipVerify option in MTLSConfig should include stronger warnings in documentation about security implications.
• Consider adding a mechanism to validate proxy URLs at configuration load time rather than only when clients are created.
• In future PRs, consider extending this framework to standardize Redis and RPC connection configuration.
• No suggestions to provide – change LGTM.

---

Tip: Mention me again using /connectivity <request>.
Powered by Probe AI
Connectivity Issues Reviewer Prompt for Tyk Gateway

[github-actions]

🛡️ Security Snapshot

Effort	Risk Level	Tests	Compliance	TL;DR
Medium	🟡	✅	✔️	New external service config introduces InsecureSkipVerify option that requires careful usage

## Security Impact Analysis

This PR introduces a new ExternalServiceConfig structure for configuring HTTP clients used for external service communications. From a security perspective, the key components are:

1. Proxy Configuration - Allows configuring HTTP/HTTPS proxies for external communications, which can enhance security by routing traffic through controlled channels.

2. mTLS Support - Adds proper mutual TLS authentication for external services, which is a security enhancement that allows for stronger authentication.

3. InsecureSkipVerify Option - Includes an option to disable TLS certificate verification, which presents a security risk if misused.

4. Certificate Authority Configuration - Allows specifying custom CA certificates for validating server certificates, which is a security best practice.

The implementation follows secure coding practices with proper error handling, input validation, and comprehensive test coverage.

## Identified Vulnerabilities

Medium Risk:

• InsecureSkipVerify Option: The MTLSConfig struct includes an InsecureSkipVerify option that disables certificate validation when set to true. This could expose the system to man-in-the-middle attacks if enabled in production environments. The code comment indicates it should only be used for testing or trusted environments, but there's no runtime enforcement of this recommendation.

Low Risk:

• Environment Variable Dependency: The proxy configuration can use environment variables (HTTP_PROXY, HTTPS_PROXY, NO_PROXY), which could potentially be manipulated in some deployment scenarios. However, this is a standard practice and the implementation follows established patterns.

• Certificate and Key File Paths: The implementation reads certificate and key files from paths specified in the configuration. If these paths are not properly secured, it could lead to unauthorized access to sensitive cryptographic material.

## Security Recommendations

1. Add Warnings for InsecureSkipVerify: Consider adding runtime warnings when InsecureSkipVerify is enabled in production environments. This could help prevent accidental misuse.

2. Implement Certificate Pinning: For highly sensitive external services, consider adding certificate pinning capabilities to provide an additional layer of security beyond CA validation.

3. Add Secure Default TLS Versions: Consider setting secure default minimum TLS versions (e.g., TLS 1.2+) for external connections to prevent fallback to insecure protocol versions.

4. Add Logging for Security Events: Implement detailed logging for security-related events such as certificate validation failures or proxy connection issues to aid in troubleshooting and security monitoring.

5. Consider Adding Certificate Rotation Support: For long-running services, consider adding support for certificate rotation without requiring a gateway restart.

## OWASP Compliance

The implementation generally aligns with OWASP security best practices:

• A2:2017 Broken Authentication: The mTLS implementation provides strong authentication for external services, which is a positive security control.

• A3:2017 Sensitive Data Exposure: The code properly handles sensitive data like certificates and keys, loading them from files rather than embedding them in configuration.

• A6:2017 Security Misconfiguration: The InsecureSkipVerify option could lead to security misconfiguration if misused. The code includes a warning comment, but additional runtime safeguards would be beneficial.

• A9:2017 Using Components with Known Vulnerabilities: The implementation uses standard Go libraries for TLS and HTTP client functionality, which are generally well-maintained and secure.

## Summary

• The PR introduces a well-structured and flexible configuration system for external service communications with good security controls.
• The inclusion of mTLS support enhances security for external service communications.
• The InsecureSkipVerify option presents a potential security risk if misused in production environments.
• The implementation includes comprehensive test coverage for both normal and error cases.
• Additional runtime warnings or safeguards for insecure options would further improve security.

---

Tip: Mention me again using /security <request>.
Powered by Probe AI
Security Impact Reviewer Prompt

[github-actions]

Persistent review updated to latest commit 42c142a

[github-actions]

PR Code Suggestions ✨

No code suggestions found for the PR.

[github-actions]

🚀 Performance Snapshot

Effort	Perf Risk	Hot Paths	Benchmarks	TL;DR
Low	🟢	✅	❔	Minimal performance impact with good connection pooling defaults

The PR introduces a well-designed external service configuration system with minimal performance impact. The implementation uses proper connection pooling (MaxIdleConns: 100, MaxIdleConnsPerHost: 10) and performs expensive operations like certificate loading only during initialization, not in request hot paths.

Performance Analysis

The ExternalHTTPClientFactory creates HTTP clients with appropriate connection pooling settings, which is crucial for performance when making external requests. The factory follows a hierarchical configuration approach (service-specific → global → environment → defaults) that adds negligible overhead during client creation.

The proxy determination logic in getProxyFunction and shouldBypassProxy adds a small per-request overhead, especially when NO_PROXY checking is involved. However, this overhead is minimal compared to the actual network I/O time for external requests.

When mTLS is enabled, there will be additional TLS handshake overhead for new connections, but this is mitigated by connection pooling which allows connections to be reused. Certificate loading happens during client initialization rather than per request, which is the correct approach.

The default timeout of 30 seconds is reasonable for most external service communications, and the connection pool settings strike a good balance between resource usage and performance.

Overall, this PR follows best practices for HTTP client management and should have minimal performance impact on the gateway's operation.

---

Tip: Mention me again using /performance <request>.
Powered by Probe AI
Performance Impact Reviewer Prompt

[github-actions]

🛡️ Security Snapshot

Effort	Risk Level	Tests	Compliance	TL;DR
Medium	🟡	✅	✔️	New external service config introduces InsecureSkipVerify option that requires careful usage

## Security Impact Analysis

This PR introduces a new ExternalServiceConfig structure for configuring HTTP clients used for external service communications. From a security perspective, the key components are:

1. Proxy Configuration - Allows configuring HTTP/HTTPS proxies for external communications, which can enhance security by routing traffic through controlled channels.

2. mTLS Support - Adds proper mutual TLS authentication for external services, which is a security enhancement that allows for stronger authentication.

3. InsecureSkipVerify Option - Includes an option to disable TLS certificate verification, which presents a security risk if misused.

4. Certificate Authority Configuration - Allows specifying custom CA certificates for validating server certificates, which is a security best practice.

The implementation follows secure coding practices with proper error handling, input validation, and comprehensive test coverage.

## Identified Vulnerabilities

Medium Risk:

• InsecureSkipVerify Option: The MTLSConfig struct includes an InsecureSkipVerify option that disables certificate validation when set to true. This could expose the system to man-in-the-middle attacks if enabled in production environments. The code comment indicates it should only be used for testing or trusted environments, but there's no runtime enforcement of this recommendation.

Low Risk:

• Environment Variable Dependency: The proxy configuration can use environment variables (HTTP_PROXY, HTTPS_PROXY, NO_PROXY), which could potentially be manipulated in some deployment scenarios. However, this is a standard practice and the implementation follows established patterns.

• Certificate and Key File Paths: The implementation reads certificate and key files from paths specified in the configuration. If these paths are not properly secured, it could lead to unauthorized access to sensitive cryptographic material.

## Security Recommendations

1. Add Warnings for InsecureSkipVerify: Consider adding runtime warnings when InsecureSkipVerify is enabled in production environments. This could help prevent accidental misuse.

2. Implement Certificate Pinning: For highly sensitive external services, consider adding certificate pinning capabilities to provide an additional layer of security beyond CA validation.

3. Add Secure Default TLS Versions: Consider setting secure default minimum TLS versions (e.g., TLS 1.2+) for external connections to prevent fallback to insecure protocol versions.

4. Add Logging for Security Events: Implement detailed logging for security-related events such as certificate validation failures or proxy connection issues to aid in troubleshooting and security monitoring.

5. Consider Adding Certificate Rotation Support: For long-running services, consider adding support for certificate rotation without requiring a gateway restart.

## OWASP Compliance

The implementation generally aligns with OWASP security best practices:

• A2:2017 Broken Authentication: The mTLS implementation provides strong authentication for external services, which is a positive security control.

• A3:2017 Sensitive Data Exposure: The code properly handles sensitive data like certificates and keys, loading them from files rather than embedding them in configuration.

• A6:2017 Security Misconfiguration: The InsecureSkipVerify option could lead to security misconfiguration if misused. The code includes a warning comment, but additional runtime safeguards would be beneficial.

• A9:2017 Using Components with Known Vulnerabilities: The implementation uses standard Go libraries for TLS and HTTP client functionality, which are generally well-maintained and secure.

## Summary

• The PR introduces a well-structured and flexible configuration system for external service communications with good security controls.
• The inclusion of mTLS support enhances security for external service communications.
• The InsecureSkipVerify option presents a potential security risk if misused in production environments.
• The implementation includes comprehensive test coverage for both normal and error cases.
• Additional runtime warnings or safeguards for insecure options would further improve security.

---

Tip: Mention me again using /security <request>.
Powered by Probe AI
Security Impact Reviewer Prompt

[github-actions]

External Service Configuration PR Analysis

This PR introduces a well-structured foundation for configuring external service communications in Tyk Gateway, providing centralized proxy and mTLS configuration capabilities.

Key Components

Configuration Structure

• Adds ExternalServiceConfig to the main gateway configuration with:
  • Global proxy settings that apply to all services
  • Service-specific configurations that can override global settings
  • Support for environment variable-based proxy configuration
  • NO_PROXY support for bypassing proxies for specific hosts
  • mTLS client certificate support for secure communications

HTTP Client Factory

• Implements ExternalHTTPClientFactory that creates properly configured HTTP clients
• Follows a clear configuration hierarchy: service-specific → global → environment → defaults
• Provides specialized client creation methods for different service types (OAuth/JWK, analytics, webhooks, etc.)
• Sets sensible connection pooling defaults (MaxIdleConns: 100, MaxIdleConnsPerHost: 10)

Schema Updates

• Updates JSON schema to include the new configuration structures
• Properly documents all configuration options
• Maintains backward compatibility with existing configurations

Implementation Quality

• Well-structured code with clear separation of concerns
• Comprehensive test coverage for all configuration scenarios
• Good error handling for certificate loading and proxy configuration
• Proper documentation of security considerations (e.g., InsecureSkipVerify)

Security Considerations

The InsecureSkipVerify option in mTLS configuration could pose a security risk if misused in production environments. The code includes a comment warning that this is not recommended for production, but additional runtime warnings might be beneficial.

Overall Assessment

This PR provides a solid foundation for external service communications that can be leveraged by different parts of the Tyk Gateway. The implementation follows good software engineering practices with proper abstraction, configuration hierarchy, and comprehensive test coverage. The changes are additive and backward compatible, making it a safe enhancement to the codebase.

---

Tip: Mention me again using /connectivity <request>.
Powered by Probe AI
Connectivity Issues Reviewer Prompt for Tyk Gateway

[github-actions]

📦 Impact Review Snapshot

Effort	Downstream Updates	Compatibility	Docs	TL;DR
Low	⚠️	🟢	⚠️	Configuration changes for external services require updates to tyk-charts but are backward compatible

## Impact Assessment

The PR introduces a new ExternalServiceConfig structure in the gateway configuration that centralizes proxy and mTLS settings for external service communications. This primarily affects tyk-charts which needs to expose these new configuration options. The changes don't modify API definitions or schemas, so tyk-operator is unaffected. No RPC protocol changes impact tyk-sink. The portal is unaffected as these changes focus on gateway outbound connections.

## Required Updates

• tyk-charts: Update values.yaml and templates to expose the new ExternalServices configuration section
• tyk-charts: Add documentation for the new proxy and mTLS configuration options
• Documentation: Update tyk.conf.example to include the new ExternalServices section with example configuration
• Documentation: Add documentation for the new configuration options, particularly highlighting security considerations for InsecureSkipVerify

## Compatibility Concerns

The changes are backward compatible as they add new optional configuration without modifying existing behavior. Default values ensure existing deployments continue to work without changes. The InsecureSkipVerify option should be documented with appropriate security warnings to prevent misuse in production environments.

## Summary & Recommendations

• Create a corresponding PR in tyk-charts to expose the new external service configuration options
• Update tyk.conf.example to include an example of the new ExternalServices configuration
• Add documentation for the new configuration options, especially highlighting security implications of InsecureSkipVerify
• Consider adding examples of common proxy and mTLS configurations for different environments

---

Tip: Mention me again using /dependency <request>.
Powered by Probe AI
Tyk Gateway Dependency Impact Reviewer

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
83.2% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud