> ## Documentation Index
> Fetch the complete documentation index at: https://tyk.io/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# How to install Tyk in Air-Gapped Deployments

> How to deploy Tyk in air-gapped or network-restricted environments using private container registries and local package mirrors

## Overview

In some environments, direct access to public container registries and package repositories is restricted. This guide provides instructions for deploying Tyk in such air-gapped or network-restricted environments.

There are two main deployment scenarios covered:

* **Kubernetes (Helm)** — Mirroring container images and packaging Helm charts for offline installation.
* **Bare Metal / VMs (Linux packages)** — Creating a local mirror of Tyk's PackageCloud repositories for `apt` or `yum` based installations.

## Kubernetes: Image Mirroring and Helm Chart Packaging

### Step 1: Identify Required Container Images

Use `helm template` on an internet-connected machine to extract all container images referenced by the Tyk chart you plan to deploy.

First, add the Tyk Helm repository:

```bash theme={null}
helm repo add tyk-helm https://helm.tyk.io/public/helm/charts/
helm repo update
```

Then render the chart templates and extract the image references. The example below uses `tyk-stack` (Tyk Self-Managed). Replace it with the chart that matches your deployment (e.g. `tyk-oss`, `tyk-data-plane`, `tyk-control-plane`):

```bash theme={null}
helm template tyk tyk-helm/tyk-stack | yq e '..|.image? | select(.)' - | sort -u
```

<Note>
  Enable optional components with `--set` flags so their images are included in the output. For example, add `--set global.components.devPortal=true` for the Developer Portal or `--set global.components.operator=true` for the Tyk Operator.
</Note>

Typical output includes images such as:

```text theme={null}
busybox:1.32
curlimages/curl:8.8.0
tykio/portal:v1.16.0
tykio/tyk-dashboard:v5.8.9
tykio/tyk-gateway-ee:v5.8.9
tykio/tyk-k8s-bootstrap-post:v2.2.0
tykio/tyk-k8s-bootstrap-pre-delete:v2.2.0
tykio/tyk-k8s-bootstrap-pre-install:v2.2.0
tykio/tyk-operator:v1.2.0
tykio/tyk-pump-docker-pub:v1.12.0
zalbiraw/alpine-curl-jq
```

### Step 2: Pull, Re-tag, and Push Images to Your Private Registry

On an internet-connected machine, pull each image, re-tag it for your private registry, and push it:

```bash theme={null}
PRIVATE_REGISTRY="my-private-registry.com"

# Example for the Gateway image
docker pull docker.tyk.io/tyk-gateway/tyk-gateway:v5.8
docker tag  docker.tyk.io/tyk-gateway/tyk-gateway:v5.8 ${PRIVATE_REGISTRY}/tyk-gateway/tyk-gateway:v5.8
docker push ${PRIVATE_REGISTRY}/tyk-gateway/tyk-gateway:v5.8
```

Alternatively, you can use `docker save` and `docker load` to transfer images via archive files if your air-gapped environment does not have a private registry:

```bash theme={null}
# Save all images to a tar archive on the connected machine
docker save -o tyk-images.tar \
  docker.tyk.io/tyk-gateway/tyk-gateway:v5.8 \
  tykio/tyk-dashboard:v5.8 \
  docker.tyk.io/tyk-pump/tyk-pump:v1.13

# Transfer tyk-images.tar to the air-gapped environment, then load
docker load -i tyk-images.tar
```

### Step 3: Package Helm Charts for Offline Use

On the internet-connected machine, pull and package the chart as a `.tgz` archive:

```bash theme={null}
# Pull the chart archive
helm pull tyk-helm/tyk-stack --version <chart-version>

# This creates a file like tyk-stack-<chart-version>.tgz in the current directory
```

Transfer the `.tgz` file to the air-gapped environment. You can then install directly from the archive:

```bash theme={null}
helm install tyk ./tyk-stack-<chart-version>.tgz -f values.yaml
```

### Step 4: Configure Helm Charts to Use the Private Registry

Set `global.imageRegistry` in your `values.yaml` to point all image pulls at your private registry:

```yaml theme={null}
global:
  imageRegistry: "my-private-registry.com/"
```

This prefix is prepended to every image repository defined in the chart, so all components (Gateway, Dashboard, Pump, bootstrap jobs, etc.) will pull from your private registry.

If your private registry requires authentication, create an image pull secret and reference it:

```bash theme={null}
kubectl create secret docker-registry tyk-registry-secret \
  --docker-server=my-private-registry.com \
  --docker-username=<user> \
  --docker-password=<password> \
  -n tyk
```

Then in your `values.yaml`:

```yaml theme={null}
global:
  imageRegistry: "my-private-registry.com/"
  imagePullSecrets:
    - name: tyk-registry-secret
```

### Alternative: Container Runtime (CRI) Mirror Configuration

Instead of changing Helm values, you can configure your container runtime (Docker, containerd, CRI-O) to transparently redirect pull requests from public registries to your private registry. This is done at the Kubernetes node level and avoids any changes to your Helm configuration.

Refer to your container runtime's documentation for mirror configuration instructions.

## Bare Metal / VMs: Linux Package Mirror

For installations on bare metal servers or VMs that use Linux packages (`deb` or `rpm`), you can create a local mirror of the Tyk repositories hosted on [PackageCloud](https://packagecloud.io/tyk/).

### Required Tyk Packages

A standard Tyk Self-Managed deployment requires these packages:

| Package         | Description          |
| :-------------- | :------------------- |
| `tyk-gateway`   | API Gateway          |
| `tyk-dashboard` | Management Dashboard |
| `tyk-pump`      | Analytics Pump       |

Optional packages depending on your deployment:

| Package               | Description                                            |
| :-------------------- | :----------------------------------------------------- |
| `tyk-identity-broker` | SSO / Identity Broker                                  |
| `tyk-sync`            | Git-based API definition sync                          |
| `tyk-mdcb`            | Multi Data Center Bridge (from `tyk-mdcb-stable` repo) |

### Option A: Mirroring Repositories

Use a tool like `debmirror` (Debian/Ubuntu) or `reposync` (RHEL/CentOS) to create a local mirror of the Tyk repositories from PackageCloud. This allows you to maintain an up-to-date mirror that can be easily accessed by multiple machines in the air-gapped environment.

### Option B: Direct Package Download

If mirroring the full repository is not practical, you can download individual `.deb` or `.rpm` packages directly from PackageCloud and transfer them manually.

<Tabs>
  <Tab title="Debian / Ubuntu">
    ```bash theme={null}
    # On the connected machine, download the .deb files
    # Visit https://packagecloud.io/tyk/tyk-gateway to find package URLs, or use:
    apt-get download tyk-gateway tyk-dashboard tyk-pump

    # Transfer the .deb files, then install on the air-gapped machine
    sudo dpkg -i tyk-gateway_*.deb tyk-dashboard_*.deb tyk-pump_*.deb
    ```
  </Tab>

  <Tab title="RHEL / CentOS">
    ```bash theme={null}
    # On the connected machine, download the .rpm files
    yumdownloader tyk-gateway tyk-dashboard tyk-pump

    # Transfer the .rpm files, then install on the air-gapped machine
    sudo rpm -ivh tyk-gateway-*.rpm tyk-dashboard-*.rpm tyk-pump-*.rpm
    ```
  </Tab>
</Tabs>