Emma Kriskinans

[Video] Tyk Kubernetes ingress controller: an explainer

Tyk Founder & CEO Martin Buhr wants to tell you all about Tyk’s new Kubernetes ingress controller, and we weren’t about to stop him. In this 5 minute video he outlines what is an ingress controller, and how you can use Tyk’s to secure and push your service to the outside world.

Prefer text? A full transcript of the video is below, and you can read Martin’s accompanying ‘How to use the Tyk ingress controller’ blog for more info.

Already know that you want to get started? Take a look at our Tyk helm chart, which installs it for you.

Hi, I’m Martin from Tyk. If you haven’t heard about us, Tyk is an open source API gateway and API management platform that is fast, easy-to-use, and has a friendly and intuitive user interface. In this video I’d like to tell you about our new Kubernetes ingress controller. We think it’s pretty cool and I want to tell you [about it].

I’m going to assume you already know what Kubernetes is and what an ingress controller does, but if you don’t, here’s the cliffnotes. Kubernetes is an ever growing cloud, conquering container orchestration system that large and small companies alike use to deliver their APIs and services to users.

One of the first things folks want to do when they start on the journey is look for a way to get traffic from the outside of their cluster into their services. For that, we would use something called an ingress. And ingresses are controlled by an ingress controller. So far, so simple.

The interesting thing is there’s a lot of choice out there when it comes to how you bring traffic from the outside, in. For a lot of people, their requirements are as simple as just making sure the connections are encrypted, but for most there’s a bunch of extra things you want to be looking for such as authentication, rate-limiting, and of course encryption. And that’s where Tyk comes in.

As I mentioned earlier, Tyk is a platform that is designed to securely manage and secure traffic from the outside of your network to the inside, whether using Kubernetes, a standard AWS account, or your own server in a data centre somewhere. Tyk will work anywhere.

What we’ve done here though is make Tyk work especially well with the workflows and practices that come with using Kubernetes. In particular, Kubernetes ingress. With the Tyk ingress controller, you simply specify your ingress using a standard specification, then add an annotation to tell the Tyk controller to do something with this ingress. When you push the ingress to Kubernetes, as if by magic, your service will be available to the outside world.

What’s interesting here is that when you create this ingress, Tyk automatically generates a route for your service and its API list, and it also set some defaults such as not adding any rate limiting and adding a request ID so you can trust track requests as they pass through your cluster.

However, you probably want to secure the service, so first off, you’ll want to add an SSL certificate to encrypt the connection, and then you’ll want to make sure that only authorised users can actually use your services and only use them within certain boundaries.

Let’s start with the first problem: adding an SSL certificate. To get the SSL certificate into Kubernetes, you create something called a secret, and then you reference that secret in a special TLS section in your ingress specification. When you push your ingress type will automatically make a copy of that certificate and load it up for you. Easy as pie.

Now, for the second requirement, protecting the service with an access token, we can do it two ways. First off, we could just go into the dashboard, select the token security option in the API, and save the service. That service will now be protected and you don’t need to do anything else.

However, if you go and delete that ingress or it changes, then those settings might get overwritten or lost, which isn’t great for making sure your infrastructure is easy to use, tear down and recreate. One of the main use cases for Kubernetes is to keep as much of your infrastructure as code as possible. With the Tyk ingress controller, you can also set any variable and the API definition. That’s the options that make up how a service is handled by the gateway, using special annotations in the Kubernetes specification.

Now to make our ingress work as if it’s protected by an authentication token, all we need to do is set the correct values in the definition to ‘true’. In this case, it’s a field called ‘use default off’ and ‘use keyless off’. We will set the first to ‘true’ and the second to ‘false’ using the special Tyk boolean adaptation modifiers. When this definition is pushed into the cluster, Tyk will set these options for you in the generated API definition and make it live, and then hey, presto. Bingo. You’ve got yourself a token authenticated service that you can set up and tear down using your Kubernetes files.

There’s a few more cool things you can do with this ingress, which you can see in our documentation or on our website, or in some of our other videos about this topic. Thanks for watching and happy hacking.

Need more information? Mosey on over to Martin’s accompanying post for this video: How to use the Tyk ingress controller.

You can also contribute to the development of our controller here. Want to take it for a spin, take a look at our Tyk helm chart, which installs it for you.