Overview

In some environments, direct access to public container registries and package repositories is restricted. This guide provides instructions for deploying Tyk in such air-gapped or network-restricted environments. There are two main deployment scenarios covered:
  • Kubernetes (Helm) — Mirroring container images and packaging Helm charts for offline installation.
  • Bare Metal / VMs (Linux packages) — Creating a local mirror of Tyk’s PackageCloud repositories for apt or yum based installations.

Kubernetes: Image Mirroring and Helm Chart Packaging

Step 1: Identify Required Container Images

Use helm template on an internet-connected machine to extract all container images referenced by the Tyk chart you plan to deploy. First, add the Tyk Helm repository:
helm repo add tyk-helm https://helm.tyk.io/public/helm/charts/
helm repo update
Then render the chart templates and extract the image references. The example below uses tyk-stack (Tyk Self-Managed). Replace it with the chart that matches your deployment (e.g. tyk-oss, tyk-data-plane, tyk-control-plane):
helm template tyk tyk-helm/tyk-stack | yq e '..|.image? | select(.)' - | sort -u
Enable optional components with --set flags so their images are included in the output. For example, add --set global.components.devPortal=true for the Developer Portal or --set global.components.operator=true for the Tyk Operator.
Typical output includes images such as:
busybox:1.32
curlimages/curl:8.8.0
tykio/portal:v1.16.0
tykio/tyk-dashboard:v5.8.9
tykio/tyk-gateway-ee:v5.8.9
tykio/tyk-k8s-bootstrap-post:v2.2.0
tykio/tyk-k8s-bootstrap-pre-delete:v2.2.0
tykio/tyk-k8s-bootstrap-pre-install:v2.2.0
tykio/tyk-operator:v1.2.0
tykio/tyk-pump-docker-pub:v1.12.0
zalbiraw/alpine-curl-jq

Step 2: Pull, Re-tag, and Push Images to Your Private Registry

On an internet-connected machine, pull each image, re-tag it for your private registry, and push it:
PRIVATE_REGISTRY="my-private-registry.com"

# Example for the Gateway image
docker pull docker.tyk.io/tyk-gateway/tyk-gateway:v5.8
docker tag  docker.tyk.io/tyk-gateway/tyk-gateway:v5.8 ${PRIVATE_REGISTRY}/tyk-gateway/tyk-gateway:v5.8
docker push ${PRIVATE_REGISTRY}/tyk-gateway/tyk-gateway:v5.8
Alternatively, you can use docker save and docker load to transfer images via archive files if your air-gapped environment does not have a private registry:
# Save all images to a tar archive on the connected machine
docker save -o tyk-images.tar \
  docker.tyk.io/tyk-gateway/tyk-gateway:v5.8 \
  tykio/tyk-dashboard:v5.8 \
  docker.tyk.io/tyk-pump/tyk-pump:v1.13

# Transfer tyk-images.tar to the air-gapped environment, then load
docker load -i tyk-images.tar
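The image list from Step 1 can drive the pull, re-tag and push loop directly. The following is an added example, not Tyk's own tooling: it maps each reference to its name in the private registry and flags references that carry no tag or digest (such as zalbiraw/alpine-curl-jq in the sample output), which would otherwise mirror whatever :latest points to at pull time. The function names and the host-stripping rule are assumptions made here, and the chart's image repositories must match the paths you push.

```shell
#!/bin/sh
# Added example (not Tyk tooling): plan the mirror from the Step 1 image list.
PRIVATE_REGISTRY="my-private-registry.com"   # placeholder host used on this page

# Succeeds only if the reference carries an explicit tag or a digest.
has_tag_or_digest() {
  case "$1" in *@sha256:*) return 0 ;; esac
  last=${1##*/}                      # last path component, e.g. "curl:8.8.0"
  case "$last" in *:*) return 0 ;; *) return 1 ;; esac
}

# Drop a leading registry host. Assumption: as in Docker references, the first
# component is a host only if it contains "." or ":" or is "localhost".
strip_host() {
  case "$1" in */*) ;; *) printf '%s\n' "$1"; return 0 ;; esac
  first=${1%%/*}
  case "$first" in
    *.*|*:*|localhost) printf '%s\n' "${1#*/}" ;;
    *)                 printf '%s\n' "$1" ;;
  esac
}

# Target name in the private registry, matching the page's re-tag pattern.
mirror_target() {
  printf '%s/%s\n' "$PRIVATE_REGISTRY" "$(strip_host "$1")"
}

# Read one image per line; print the commands to run, or flag the image.
plan_mirror() {
  while IFS= read -r ref; do
    [ -n "$ref" ] || continue
    if ! has_tag_or_digest "$ref"; then
      printf 'UNPINNED %s (implies :latest; choose a tag or digest first)\n' "$ref"
      continue
    fi
    dst=$(mirror_target "$ref")
    printf 'docker pull %s && docker tag %s %s && docker push %s\n' \
      "$ref" "$ref" "$dst" "$dst"
  done
}

# Constructed input: a few lines from the page's sample output plus its
# Step 2 gateway reference.
IMAGES='busybox:1.32
tykio/tyk-dashboard:v5.8.9
docker.tyk.io/tyk-gateway/tyk-gateway:v5.8
zalbiraw/alpine-curl-jq'

printf '%s\n' "$IMAGES" | plan_mirror
```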

Step 3: Package Helm Charts for Offline Use

On the internet-connected machine, pull and package the chart as a .tgz archive:
# Pull the chart archive
helm pull tyk-helm/tyk-stack --version <chart-version>

# This creates a file like tyk-stack-<chart-version>.tgz in the current directory
Transfer the .tgz file to the air-gapped environment. You can then install directly from the archive:
helm install tyk ./tyk-stack-<chart-version>.tgz -f values.yaml
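Both tyk-images.tar from Step 2 and the chart .tgz cross the air gap as plain files, so it is worth checking on arrival that they are the files that left the connected machine. The following is an added example, not part of the Tyk documentation: it records SHA-256 hashes before transfer and refuses to proceed if any file is missing or altered. MANIFEST.sha256, the function names and the 0.0.0 chart version are placeholders chosen here.

```shell
#!/bin/sh
# Added example (not from the Tyk docs). MANIFEST.sha256 is a file name chosen
# here; carry it separately from the archives (or sign it) so that a modified
# archive cannot be accompanied by a modified manifest.

# write_manifest DIR FILE...  (connected machine): hash every artifact.
write_manifest() {
  dir=$1; shift
  ( cd "$dir" && sha256sum -- "$@" > MANIFEST.sha256 )
}

# verify_manifest DIR  (air-gapped machine): non-zero if any listed file is
# missing or its hash differs.
verify_manifest() {
  ( cd "$1" && sha256sum -c MANIFEST.sha256 ) >/dev/null 2>&1
}

# load_if_verified DIR: release the artifacts for loading only after a clean check.
load_if_verified() {
  if verify_manifest "$1"; then
    printf 'hashes match: proceed with docker load / helm install from %s\n' "$1"
  else
    printf 'REFUSED: checksum mismatch or missing file in %s\n' "$1" >&2
    return 1
  fi
}

# Demonstration on constructed stand-in files (not real archives).
demo() {
  d=$(mktemp -d)
  printf 'constructed image archive\n' > "$d/tyk-images.tar"
  printf 'constructed chart archive\n' > "$d/tyk-stack-0.0.0.tgz"  # placeholder version
  write_manifest "$d" tyk-images.tar tyk-stack-0.0.0.tgz
  load_if_verified "$d"                       # passes
  printf 'altered in transit\n' >> "$d/tyk-images.tar"
  load_if_verified "$d" || true               # refused
  rm -rf "$d"
}
demo
```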

Step 4: Configure Helm Charts to Use the Private Registry

Set global.imageRegistry in your values.yaml to point all image pulls at your private registry:
global:
  imageRegistry: "my-private-registry.com/"
This prefix is prepended to every image repository defined in the chart, so all components (Gateway, Dashboard, Pump, bootstrap jobs, etc.) will pull from your private registry. If your private registry requires authentication, create an image pull secret and reference it:
kubectl create secret docker-registry tyk-registry-secret \
  --docker-server=my-private-registry.com \
  --docker-username=<user> \
  --docker-password=<password> \
  -n tyk
Then in your values.yaml:
global:
  imageRegistry: "my-private-registry.com/"
  imagePullSecrets:
    - name: tyk-registry-secret

Alternative: Container Runtime (CRI) Mirror Configuration

Instead of changing Helm values, you can configure your container runtime (Docker, containerd, CRI-O) to transparently redirect pull requests from public registries to your private registry. This is done at the Kubernetes node level and avoids any changes to your Helm configuration. Refer to your container runtime’s documentation for mirror configuration instructions.

Bare Metal / VMs: Linux Package Mirror

For installations on bare metal servers or VMs that use Linux packages (deb or rpm), you can create a local mirror of the Tyk repositories hosted on PackageCloud.

Required Tyk Packages

A standard Tyk Self-Managed deployment requires these packages:
| Package | Description |
| --- | --- |
| tyk-gateway | API Gateway |
| tyk-dashboard | Management Dashboard |
| tyk-pump | Analytics Pump |
Optional packages depending on your deployment:
| Package | Description |
| --- | --- |
| tyk-identity-broker | SSO / Identity Broker |
| tyk-sync | Git-based API definition sync |
| tyk-mdcb | Multi Data Center Bridge (from tyk-mdcb-stable repo) |

Option A: Mirroring Repositories

Use a tool like debmirror (Debian/Ubuntu) or reposync (RHEL/CentOS) to create a local mirror of the Tyk repositories from PackageCloud. This allows you to maintain an up-to-date mirror that can be easily accessed by multiple machines in the air-gapped environment.

Option B: Direct Package Download

If mirroring the full repository is not practical, you can download individual .deb or .rpm packages directly from PackageCloud and transfer them manually.
# On the connected machine, download the .deb files.
# Visit https://packagecloud.io/tyk/tyk-gateway to find package URLs, or, with the
# Tyk PackageCloud apt repositories configured on this machine, use:
apt-get download tyk-gateway tyk-dashboard tyk-pump

# Transfer the .deb files, then install on the air-gapped machine
sudo dpkg -i tyk-gateway_*.deb tyk-dashboard_*.deb tyk-pump_*.deb