Deploy Tyk Self Managed using Helm Chart

Tyk is working to provide a new set of Helm charts, and will progressively roll them out at tyk-charts. It will provide component charts for all Tyk components, as well as umbrella charts as reference configurations for open source and Tyk Self Managed users. Please check the latest status in our GitHub repository.

To deploy Tyk Self Managed (for a single data center) using the new Helm chart, use the tyk-stack chart.

What components are deployed with Tyk Stack Chart?

tyk-stack provides the default deployment of Tyk Self Managed on a Kubernetes cluster. It will deploy all required Tyk components with the settings provided in the values.yaml file.

It includes:

  • Tyk Gateway, an Open Source Enterprise API Gateway (supporting REST, GraphQL, TCP and gRPC protocols).
  • Tyk Pump, an analytics purger that moves the data generated by your Tyk nodes to any back-end. Furthermore, it has all the required modifications to easily connect to Tyk Cloud or Multi Data Center (MDCB) control plane.
  • Tyk Dashboard, a license based component that provides a graphical management interface and analytics platform for Tyk.
  • Tyk Enterprise Developer Portal, a full-fledged CMS-like system for API providers to publish, monetise and drive the adoption of APIs.

By default, this chart installs the following components as sub-charts on a Kubernetes cluster using the Helm package manager.

| Component | Enabled by Default? | Flag |
| --- | --- | --- |
| Tyk Gateway | true | n/a |
| Tyk Dashboard | true | n/a |
| Tyk Pump | true | global.components.pump |
| Tyk Enterprise Developer Portal | false | global.components.devPortal |

To enable or disable each component, change the corresponding enabled flag.

You can also set the version of each component through image.tag. The list of available version tags is on Docker Hub.


Prerequisites

Note

If you want to enable Tyk Enterprise Developer Portal, please use PostgreSQL. MongoDB is not supported in Developer Portal.


Quick Start Guides

The following guides provide instructions to install Redis, PostgreSQL/MongoDB, and the Tyk stack with default configurations. They are intended for quick start only. For production, you should install and configure Redis and MongoDB / PostgreSQL separately.

The following quick start guide explains how to use the Tyk Stack Helm chart to configure a Dashboard that includes:

  • Redis for key storage
  • PostgreSQL for app config
  • Tyk Pump to send analytics to PostgreSQL. It also opens a metrics endpoint where Prometheus (if available) can scrape from.

At the end of this quickstart, Tyk Dashboard should be accessible through service dashboard-svc-tyk-tyk-dashboard at port 3000. You can log in to the Dashboard using the admin email and password to start managing APIs. Tyk Gateway will be accessible through service gateway-svc-tyk-tyk-gateway.tyk.svc at port 8080.

1. Setup required credentials

First, you need to provide the Tyk license, admin email and password, and API keys. We recommend storing them in Kubernetes secrets.

NAMESPACE=tyk

# Replace every "changeit" value before running.
API_SECRET=changeit
ADMIN_KEY=changeit
TYK_LICENSE=changeit
ADMIN_EMAIL=admin@example.com   # placeholder address
ADMIN_PASSWORD=changeit

helm repo add tyk-helm https://helm.tyk.io/public/helm/charts/
helm repo update

kubectl create namespace "$NAMESPACE"

# Quote the values so special characters in a secret are passed through unchanged.
kubectl create secret generic my-secrets -n "$NAMESPACE" \
    --from-literal=APISecret="$API_SECRET" \
    --from-literal=AdminSecret="$ADMIN_KEY" \
    --from-literal=DashLicense="$TYK_LICENSE"

kubectl create secret generic admin-secrets -n "$NAMESPACE" \
    --from-literal=adminUserFirstName=Admin \
    --from-literal=adminUserLastName=User \
    --from-literal=adminUserEmail="$ADMIN_EMAIL" \
    --from-literal=adminUserPassword="$ADMIN_PASSWORD"

2. Install Redis (if you don’t already have Redis installed)

If you do not already have Redis installed, you may use these charts provided by Bitnami.

helm upgrade tyk-redis oci://registry-1.docker.io/bitnamicharts/redis -n $NAMESPACE --install --set image.tag=6.2.13

Follow the notes from the installation output to get the connection details and password. The DNS name of your Redis as set by Bitnami is tyk-redis-master.tyk.svc:6379 (Tyk needs the name including the port).

The Bitnami chart also creates a secret tyk-redis which stores the connection password in redis-password. We will make use of this secret in installation later.

3. Install PostgreSQL (if you don’t already have PostgreSQL installed)

If you do not already have PostgreSQL installed, you may use these charts provided by Bitnami.

helm upgrade tyk-postgres oci://registry-1.docker.io/bitnamicharts/postgresql --set "auth.database=tyk_analytics" -n $NAMESPACE --install

Follow the notes from the installation output to get connection details.

We require the PostgreSQL connection string for Tyk installation. This can be stored in a secret and will be used in installation later.

POSTGRESQLURL=host=tyk-postgres-postgresql.$NAMESPACE.svc\ port=5432\ user=postgres\ password=$(kubectl get secret --namespace $NAMESPACE tyk-postgres-postgresql -o jsonpath="{.data.postgres-password}" | base64 -d)\ database=tyk_analytics\ sslmode=disable

kubectl create secret generic postgres-secrets  -n $NAMESPACE --from-literal=postgresUrl="$POSTGRESQLURL"

Note

Ensure that you are installing PostgreSQL versions that are supported by Tyk. Please consult the list of supported versions that are compatible with Tyk.

4. Install Tyk

helm repo add tyk-helm https://helm.tyk.io/public/helm/charts/

helm repo update

helm upgrade tyk tyk-helm/tyk-stack -n $NAMESPACE \
  --install \
  --set global.adminUser.useSecretName=admin-secrets \
  --set global.secrets.useSecretName=my-secrets \
  --set global.redis.addrs="{tyk-redis-master.$NAMESPACE.svc:6379}" \
  --set global.redis.passSecret.name=tyk-redis \
  --set global.redis.passSecret.keyName=redis-password \
  --set global.postgres.connectionStringSecret.name=postgres-secrets \
  --set global.postgres.connectionStringSecret.keyName=postgresUrl

5. Done! Now Tyk Dashboard should be accessible through service dashboard-svc-tyk-tyk-dashboard at port 3000. You can log in to the Dashboard using the admin email and password to start managing APIs. Tyk Gateway will be accessible through service gateway-svc-tyk-tyk-gateway.tyk.svc at port 8080.

Keep reading to learn about other configuration options included in the Helm Chart.

The following quick start guide explains how to use the Tyk Stack Helm chart to configure a Dashboard that includes:

  • Redis for key storage
  • MongoDB for app config
  • Tyk Pump to send analytics to MongoDB. It also opens a metrics endpoint where Prometheus (if available) can scrape from.

At the end of this quickstart, Tyk Dashboard should be accessible through service dashboard-svc-tyk-tyk-dashboard at port 3000. You can log in to the Dashboard using the admin email and password to start managing APIs. Tyk Gateway will be accessible through service gateway-svc-tyk-tyk-gateway.tyk.svc at port 8080.

1. Setup required credentials

First, you need to provide the Tyk license, admin email and password, and API keys. We recommend storing them in Kubernetes secrets.

NAMESPACE=tyk

# Replace every "changeit" value before running.
API_SECRET=changeit
ADMIN_KEY=changeit
TYK_LICENSE=changeit
ADMIN_EMAIL=admin@example.com   # placeholder address
ADMIN_PASSWORD=changeit

helm repo add tyk-helm https://helm.tyk.io/public/helm/charts/
helm repo update

kubectl create namespace "$NAMESPACE"

# Quote the values so special characters in a secret are passed through unchanged.
kubectl create secret generic my-secrets -n "$NAMESPACE" \
    --from-literal=APISecret="$API_SECRET" \
    --from-literal=AdminSecret="$ADMIN_KEY" \
    --from-literal=DashLicense="$TYK_LICENSE"

kubectl create secret generic admin-secrets -n "$NAMESPACE" \
    --from-literal=adminUserFirstName=Admin \
    --from-literal=adminUserLastName=User \
    --from-literal=adminUserEmail="$ADMIN_EMAIL" \
    --from-literal=adminUserPassword="$ADMIN_PASSWORD"

2. Install Redis (if you don’t have a Redis instance)

If you do not already have Redis installed, you may use these charts provided by Bitnami.

helm upgrade tyk-redis oci://registry-1.docker.io/bitnamicharts/redis -n $NAMESPACE --install --set image.tag=6.2.13

Follow the notes from the installation output to get the connection details and password. The DNS name of your Redis as set by Bitnami is tyk-redis-master.tyk.svc:6379 (Tyk needs the name including the port).

The Bitnami chart also creates a secret tyk-redis which stores the connection password in redis-password. We will make use of this secret in installation later.

3. Install MongoDB (if you don’t have a MongoDB instance)

If you do not already have MongoDB installed, you may use these charts provided by Bitnami.

helm upgrade tyk-mongo oci://registry-1.docker.io/bitnamicharts/mongodb -n $NAMESPACE --install

We require the MongoDB connection string for Tyk installation. You can store it in a secret and provide the secret in installation later.

MONGOURL=mongodb://root:$(kubectl get secret --namespace $NAMESPACE tyk-mongo-mongodb -o jsonpath="{.data.mongodb-root-password}" | base64 -d)@tyk-mongo-mongodb.$NAMESPACE.svc:27017/tyk_analytics?authSource=admin

kubectl create secret generic mongourl-secrets --from-literal=mongoUrl="$MONGOURL" -n "$NAMESPACE"

Note

Ensure that you are installing MongoDB versions that are supported by Tyk. Please consult the list of supported versions that are compatible with Tyk.

4. Install Tyk

helm repo add tyk-helm https://helm.tyk.io/public/helm/charts/

helm repo update

helm upgrade tyk tyk-helm/tyk-stack -n $NAMESPACE \
  --install \
  --set global.adminUser.useSecretName=admin-secrets \
  --set global.secrets.useSecretName=my-secrets \
  --set global.redis.addrs="{tyk-redis-master.$NAMESPACE.svc:6379}" \
  --set global.redis.passSecret.name=tyk-redis \
  --set global.redis.passSecret.keyName=redis-password \
  --set global.mongo.driver=mongo-go \
  --set global.mongo.connectionURLSecret.name=mongourl-secrets \
  --set global.mongo.connectionURLSecret.keyName=mongoUrl \
  --set global.storageType=mongo \
  --set tyk-pump.pump.backend='{prometheus,mongo}' 

5. Done! Now Tyk Dashboard should be accessible through service dashboard-svc-tyk-tyk-dashboard at port 3000. You can log in to the Dashboard using the admin email and password to start managing APIs. Tyk Gateway will be accessible through service gateway-svc-tyk-tyk-gateway.tyk.svc at port 8080.

Keep reading to learn about other configuration options included in the Helm Chart.


Tyk Charts Installations

Installing The Chart

To install the chart from Helm repository in namespace tyk with the release name tyk-stack:

helm repo add tyk-helm https://helm.tyk.io/public/helm/charts/
helm repo update
helm show values tyk-helm/tyk-stack > values.yaml

For further documentation relating to helm command usage, please refer to the helm repo.

At a minimum, modify values.yaml for the following settings:

  1. Set Redis connection details
  2. Set Mongo or PostgreSQL connection details
  3. Dashboard License

If you would like to use the Enterprise Developer Portal, an additional license is required:

  1. Enterprise Developer Portal License

Then just run:

helm install tyk-stack tyk-helm/tyk-stack -n tyk --create-namespace -f values.yaml

Uninstalling The Chart

helm uninstall tyk-stack -n tyk

This removes all the Kubernetes components associated with the chart and deletes the release.

Upgrading Chart

helm upgrade tyk-stack tyk-helm/tyk-stack -n tyk -f values.yaml

Note: Migrating from tyk-pro chart

If you were using the tyk-pro chart for an existing release, you cannot upgrade directly. Please modify values.yaml based on your requirements and install using the new tyk-stack chart.


Configuration

To get all configurable options with detailed comments:

helm show values tyk-helm/tyk-stack > values.yaml

You can update any value in your local values.yaml file and use -f [filename] flag to override default values during installation. Alternatively, you can use --set flag to set it in Tyk installation. See Using Helm for examples.

Set Redis Connection Details (Required)

Tyk uses Redis for distributed rate-limiting and token storage. Set global.redis.addrs and global.redis.pass to the Redis connection string and password respectively.

If you do not already have Redis installed, you may use these charts provided by Bitnami:

helm repo add bitnami https://charts.bitnami.com/bitnami
helm install tyk-redis bitnami/redis -n tyk --create-namespace --set image.tag=6.2.13

Follow the notes from the installation output to get the connection details and password. The DNS name of your Redis as set by Bitnami is tyk-redis-master.tyk.svc:6379 (Tyk needs the name including the port).

Set Mongo or PostgreSQL Connection Details (Required)

If you have already installed MongoDB or PostgreSQL, you can set the connection details in global.mongo and global.postgres section of values file respectively.

If not, you can use these rather excellent charts provided by Bitnami to install MongoDB or PostgreSQL:

Mongo Installation

helm install tyk-mongo bitnami/mongodb --version {HELM_CHART_VERSION} --set "replicaSet.enabled=true" -n tyk

PostgreSQL Installation

helm install tyk-postgres bitnami/postgresql --set "auth.database=tyk_analytics" -n tyk

Follow the notes from the installation output to get connection details.

NOTE: Please make sure you are installing MongoDB or PostgreSQL versions that are supported by Tyk. Please refer to Tyk docs to get list of supported versions.

Protect Confidential Fields with Kubernetes Secrets

In the values.yaml file, some fields are considered confidential, such as APISecret, connection strings, etc. Declaring values for such fields as plain text might not be desired for all use cases. Instead, for certain fields, Kubernetes secrets can be referenced, and the chart will define container environment variables using Secret data.

This section describes how to use Kubernetes secrets to declare confidential fields.

Tyk Dashboard Admin

If Tyk Dashboard bootstrapping is enabled, Tyk Dashboard admin user will be created according to the global.adminUser field.

All admin credentials can also be set through Kubernetes secret.

Note: Once global.adminUser.useSecretName is declared, it takes precedence over global.adminUser.firstName, global.adminUser.lastName, global.adminUser.email and global.adminUser.password.

Warning: If global.adminUser.useSecretName is in use, please add all keys mentioned below to the secret.

Admin First Name

Set it as plain text in global.adminUser.firstName, or store it under the adminUserFirstName key of a Kubernetes secret and reference that secret via global.adminUser.useSecretName.

Admin Last Name

Set it as plain text in global.adminUser.lastName, or store it under the adminUserLastName key of a Kubernetes secret and reference that secret via global.adminUser.useSecretName.

Admin Email

Set it as plain text in global.adminUser.email, or store it under the adminUserEmail key of a Kubernetes secret and reference that secret via global.adminUser.useSecretName.

Admin Password

Set it as plain text in global.adminUser.password, or store it under the adminUserPassword key of a Kubernetes secret and reference that secret via global.adminUser.useSecretName.

APISecret

The global.secrets.APISecret field configures a header value used in every interaction with Tyk Gateway API.

Set it as plain text in global.secrets.APISecret, or store it under the APISecret key of a Kubernetes secret and reference that secret via global.secrets.useSecretName.

global:
    secrets:
        APISecret: CHANGEME
        useSecretName: "mysecret" # where mysecret includes `APISecret` key with the desired value.

AdminSecret

The global.secrets.AdminSecret field sets a secret for Admin API.

Set it as plain text in global.secrets.AdminSecret, or store it under the AdminSecret key of a Kubernetes secret and reference that secret via global.secrets.useSecretName.

global:
    secrets:
        useSecretName: "mysecret" # where mysecret includes `AdminSecret` key with the desired value.

Note: Once global.secrets.useSecretName is declared, it takes precedence over global.secrets.APISecret and global.secrets.AdminSecret.

Dashboard License

To reference the Tyk Dashboard license through a Kubernetes secret, use global.secrets.useSecretName, where the secret should contain a key called DashLicense.

Tyk Enterprise Developer Portal License

To reference the Tyk Enterprise Developer Portal license through a Kubernetes secret, use tyk-dev-portal.useSecretName, where the secret should contain a key called DevPortalLicense.

Tyk Enterprise Developer Portal Admin Password

To reference the Tyk Enterprise Developer Portal’s admin password through a Kubernetes secret, use global.adminUser.useSecretName, where the secret should contain a key called adminUserPassword.

Tyk Enterprise Developer Portal Storage Connection String

To reference the Tyk Enterprise Developer Portal connection string for the selected database through a Kubernetes secret, use tyk-dev-portal.useSecretName, where the secret should contain a key called DevPortalStorageConnectionString.

Warning: If tyk-dev-portal.useSecretName is in use, please add all keys mentioned to the secret.

Tyk Enterprise Developer Portal AWS S3 Access Key ID

To reference the Tyk Enterprise Developer Portal AWS S3 Access Key ID through a Kubernetes secret, use tyk-dev-portal.useSecretName, where the secret should contain a key called DevPortalAwsAccessKeyId.

Warning: If tyk-dev-portal.useSecretName is in use, please add all keys mentioned to the secret.

Tyk Enterprise Developer Portal AWS S3 Secret Access Key

To reference the Tyk Enterprise Developer Portal AWS S3 Secret Access Key through a Kubernetes secret, use tyk-dev-portal.useSecretName, where the secret should contain a key called DevPortalAwsSecretAccessKey.

Warning: If tyk-dev-portal.useSecretName is in use, please add all keys mentioned to the secret.

Redis Password

The Redis password can also be provided via a secret. Store the Redis password in a Kubernetes secret and refer to this secret via the global.redis.passSecret.name and global.redis.passSecret.keyName fields, as follows:

global:
  redis:
    passSecret:
      name: "yourSecret"
      keyName: "redisPassKey"

MongoDB or Postgres connection strings

Storage connection strings can also be provided via a secret. Store the connection string in a Kubernetes secret and refer to it via global.mongo.connectionURLSecret.name and global.mongo.connectionURLSecret.keyName for MongoDB, or via global.postgres.connectionStringSecret.name and global.postgres.connectionStringSecret.keyName for PostgreSQL, as follows:

  • MongoDB:

global:
  mongo:
    connectionURLSecret:
      name: "yourSecret"
      keyName: "mongoUrlKey"

  • Postgres:

global:
  postgres:
    connectionStringSecret:
      name: "yourSecret"
      keyName: "postgresUrlKey"
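
A pre-install check for the "add all keys" warnings in this section, as an added example that is not part of the Tyk chart or its documentation: it lists the key names stored in a Secret (never the values) and reports every key this page requires that is missing. The function and variable names are hypothetical; the key names and the admin-secrets / my-secrets secret names are the ones used on this page.

```shell
#!/bin/sh
# Added example, not Tyk code. Key names are the ones this page lists for
# each useSecretName setting.
ADMIN_USER_KEYS="adminUserFirstName adminUserLastName adminUserEmail adminUserPassword"
GLOBAL_SECRET_KEYS="APISecret AdminSecret DashLicense"
DEV_PORTAL_KEYS="DevPortalLicense DevPortalStorageConnectionString DevPortalAwsAccessKeyId DevPortalAwsSecretAccessKey"

# missing_keys REQUIRED_KEY...
# Reads the key names present in a Secret from stdin (one per line) and prints
# each required key that is absent. Returns 0 only when nothing is missing.
missing_keys() (
    present=$(cat)
    status=0
    for key in "$@"; do
        # -x matches the whole line and -F treats the key literally, so
        # "APISecret" is not satisfied by a line such as "APISecretOld".
        if ! printf '%s\n' "$present" | grep -qxF -- "$key"; then
            printf '%s\n' "$key"
            status=1
        fi
    done
    exit "$status"
)

# secret_key_names NAMESPACE SECRET
# Prints only the key names of the Secret; the values are never printed.
secret_key_names() {
    kubectl get secret "$2" -n "$1" \
        -o go-template='{{range $k, $v := .data}}{{$k}}{{"\n"}}{{end}}'
}

# check_secret NAMESPACE SECRET REQUIRED_KEY...
# Live check against the cluster. A Secret that does not exist yields an
# empty key list, so every required key is reported as missing.
check_secret() (
    ns=$1; name=$2; shift 2
    if missing=$(secret_key_names "$ns" "$name" | missing_keys "$@"); then
        printf '%s: all required keys present\n' "$name"
    else
        printf '%s: missing keys: %s\n' "$name" \
            "$(printf '%s' "$missing" | tr '\n' ' ')" >&2
        exit 1
    fi
)

# Usage with the quick start's secrets, before running helm upgrade/install:
#   check_secret tyk admin-secrets $ADMIN_USER_KEYS
#   check_secret tyk my-secrets    $GLOBAL_SECRET_KEYS
```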

Gateway Configurations

Configure the following inside the tyk-gateway section.

Update Tyk Gateway Version

Set the gateway version at tyk-gateway.gateway.image.tag. You can find the list of available version tags on Docker Hub. Please check the Tyk release notes carefully when upgrading or downgrading.

Enabling TLS

Enable TLS

We have provided an easy way to enable TLS via the global.tls.gateway flag. Setting this value to true will automatically enable TLS using the certificate provided under tyk-gateway/certs/.

Configure TLS secret

If you want to use your own key/cert pair, please follow the following steps:

  1. Create a TLS secret using your cert and key pair.
  2. Set global.tls.gateway to true.
  3. Set tyk-gateway.gateway.tls.useDefaultTykCertificate to false.
  4. Set tyk-gateway.gateway.tls.secretName to the name of the newly created secret.
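
The four steps above as one re-runnable shell function, as an added example that is not from the Tyk chart documentation. The function name, the secret name gateway-tls and the certificate file names are assumptions; the release name tyk, the repository alias tyk-helm and the namespace tyk follow the quick start.

```shell
#!/bin/sh
# Added example, not Tyk code.

# enable_gateway_tls NAMESPACE RELEASE SECRET CERT_FILE KEY_FILE
enable_gateway_tls() (
    ns=$1; release=$2; secret=$3; cert=$4; key=$5

    # Stop before touching the cluster if either file cannot be read.
    for f in "$cert" "$key"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; exit 1; }
    done

    # Step 1: create the TLS secret, or update it when the certificate is
    # renewed. Rendering with --dry-run=client and piping to "apply" keeps
    # the command re-runnable; a plain "kubectl create" fails once the
    # secret already exists.
    kubectl create secret tls "$secret" -n "$ns" \
        --cert="$cert" --key="$key" \
        --dry-run=client -o yaml | kubectl apply -f - || exit 1

    # Steps 2-4: turn gateway TLS on, switch off the chart's default
    # certificate, and point the gateway at the secret created above.
    # --reuse-values keeps the settings of the existing release.
    helm upgrade "$release" tyk-helm/tyk-stack -n "$ns" --reuse-values \
        --set global.tls.gateway=true \
        --set tyk-gateway.gateway.tls.useDefaultTykCertificate=false \
        --set tyk-gateway.gateway.tls.secretName="$secret"
)

# Usage (paths are placeholders):
#   enable_gateway_tls tyk tyk gateway-tls ./tls.crt ./tls.key
```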

Add Custom Certificates

To add your custom Certificate Authority (CA) to your containers, you can mount your CA certificate directly into the /etc/ssl/certs folder.

   extraVolumes: 
     - name: self-signed-ca
       secret:
         secretName: self-signed-ca-secret
   extraVolumeMounts: 
     - name: self-signed-ca
       mountPath: "/etc/ssl/certs/myCA.pem"
       subPath: myCA.pem

Enabling gateway autoscaling

You can enable autoscaling of the gateway with --set tyk-gateway.gateway.autoscaling.enabled=true. By default, this enables a Horizontal Pod Autoscaler resource with a target average CPU utilisation of 60%, scaling between 1 and 3 instances. To customize those values, modify the section below in values.yaml:

tyk-gateway:
  gateway:
    autoscaling:
      enabled: true
      minReplicas: 3
      maxReplicas: 30

Built-in rules include tyk-gateway.gateway.autoscaling.averageCpuUtilization for CPU utilization (set by default at 60%) and tyk-gateway.gateway.autoscaling.averageMemoryUtilization for memory (disabled by default). In addition to that you can define rules for custom metrics using tyk-gateway.gateway.autoscaling.autoscalingTemplate list:

tyk-gateway:
  gateway:
    autoscaling:
      autoscalingTemplate:
        - type: Pods
          pods:
            metric:
              name: nginx_ingress_controller_nginx_process_requests_total
            target:
              type: AverageValue
              averageValue: 10000m

Accessing Gateway

Service port

Default service port of gateway is 8080. You can change this at global.servicePorts.gateway.

Ingress

An Ingress resource is created if tyk-gateway.gateway.ingress.enabled is set to true.

    ingress:
      # if enabled, creates an ingress resource for the gateway
      enabled: true

      # specify ingress controller class name
      className: ""

      # annotations for ingress
      annotations: {}

      # ingress rules
      hosts:
        - host: tyk-gw.local
          paths:
            - path: /
              pathType: ImplementationSpecific

      # tls configuration for ingress
      #  - secretName: chart-example-tls
      #    hosts:
      #      - chart-example.local
      tls: []

Control Port

Setting tyk-gateway.gateway.control.enabled to true allows you to run the Gateway API on a separate port and protect it behind a firewall if needed.

Sharding

Configure the gateways to load only APIs with specific tags by enabling tyk-gateway.gateway.sharding.enabled and setting tags to a comma-separated list of matching tags.

    # Sharding gateway allows you to selectively load APIs to specific gateways.
    # If enabled make sure you have at least one gateway that is not sharded.
    # Also be sure to match API segmentation tags with the tags selected below.
    sharding:
      enabled: true
      tags: "edge,dc1,product"

Deploy additional gateway groups

The tyk-stack chart manages one Gateway Deployment in the same namespace as Tyk Dashboard. You can deploy additional gateways using the tyk-gateway component chart. Combined with gateway sharding, this is useful for:

  • Deploying Gateways in different networks,
  • Deploying Gateways with different resources and autoscaling parameters,
  • Allowing different teams to manage their own Gateway instances in their own namespace.

Here is an example configuration for tyk-gateway values.yaml.

global:
  redis:
    addrs:
      - tyk-redis-master.tyk-stack.svc:6379       # New Gateway groups should connect to the same Redis
    pass: "xxxxxxx"

gateway:
  # If this option is set to true, it will enable polling the Tyk Dashboard service for API definitions
  useDashboardAppConfig:
    enabled: true
    # Set it to the URL to your Dashboard instance (or a load balanced instance)
    # The URL needs to be formatted as: http://dashboard_host:port
    # It is used to set TYK_GW_DBAPPCONFOPTIONS_CONNECTIONSTRING
    dashboardConnectionString: "http://dashboard-svc-tyk-tyk-dashboard.tyk-stack.svc:3000"

    # This option is required if Policy source is set to Tyk Dashboard (`service`).
    # Set this to the URL of your Tyk Dashboard installation.
    # The URL needs to be formatted as: http://dashboard_host:port.
    # It is used to set TYK_GW_POLICIES_POLICYCONNECTIONSTRING
    policyConnectionString: "http://dashboard-svc-tyk-tyk-dashboard.tyk-stack.svc:3000"

  ...

  # Sharding gateway allows you to selectively load APIs to specific gateways.
  # If enabled make sure you have at least one gateway that is not sharded.
  # Also be sure to match API segmentation tags with the tags selected below.
  sharding:
    enabled: true
    tags: "gw-dmz"

  ...

  # analyticsEnabled property is used to enable/disable analytics.
  # If set to empty or nil, analytics will be enabled/disabled based on `global.components.pump`.
  analyticsEnabled: "true"

  # used to decide whether to send the results back directly to Tyk without a hybrid pump
  # if you want to send analytics to control plane instead of pump, change analyticsConfigType to "rpc"
  analyticsConfigType: ""

Run the following command to deploy additional Gateways in namespace another-namespace.

helm install another-gateway tyk-helm/tyk-gateway --namespace another-namespace -f values.yaml

OpenTelemetry

To enable OpenTelemetry for the Gateway, set the gateway.opentelemetry.enabled flag to true. It is disabled by default.

You can also configure connection settings for its exporter. By default, the grpc exporter is enabled on the localhost:4317 endpoint.

To enable TLS settings for the exporter, you can set gateway.opentelemetry.tls.enabled to true.

Pump Configurations

To enable Pump, set global.components.pump to true, and configure the following inside the tyk-pump section.

| Pump | Configuration |
| --- | --- |
| Prometheus Pump (Default) | Add the value prometheus to the tyk-pump.pump.backend entry, and add connection details for Prometheus under tyk-pump.pump.prometheusPump. |
| Mongo Pump | Add mongo to tyk-pump.pump.backend, and add connection details for mongo under global.mongo. |
| Mongo Selective Pump | Add mongo-selective to tyk-pump.pump.backend, and add connection details for mongo under global.mongo. |
| Mongo Aggregate Pump | Add mongo-aggregate to tyk-pump.pump.backend, and add connection details for mongo under global.mongo. |
| Postgres Pump | Add postgres to tyk-pump.pump.backend, and add connection details for postgres under global.postgres. |
| Postgres Aggregate Pump | Add postgres-aggregate to tyk-pump.pump.backend, and add connection details for postgres under global.postgres. |
| Uptime Pump | Set tyk-pump.pump.uptimePumpBackend to mongo or postgres or "" |
| Other Pumps | Add the required environment variables in tyk-pump.pump.extraEnvs |

Note

For additional information on Tyk Pump configurations, refer to the Setup Dashboard Analytics documentation.

To explore the list of supported backends for Tyk Pump, please visit Pump Backends.

Prometheus Pump

Add prometheus to tyk-pump.pump.backend, and add connection details for Prometheus under tyk-pump.pump.prometheusPump.

We also support monitoring using Prometheus Operator. All you have to do is set tyk-pump.pump.prometheusPump.prometheusOperator.enabled to true.

This will create a PodMonitor resource for your Pump instance.

    # prometheusPump configures Tyk Pump to expose Prometheus metrics.
    # Please add "prometheus" to .Values.pump.backend in order to enable Prometheus Pump.
    prometheusPump:
      # host represents the host without port, where Tyk Pump serve the metrics for Prometheus.
      host: ""
      # port represents the port where Tyk Pump serve the metrics for Prometheus.
      port: 9090
      # path represents the path to the Prometheus collection. For example /metrics.
      path: /metrics
      # customMetrics allows defining custom Prometheus metrics for Tyk Pump.
      # It accepts a string that represents a JSON object. For instance,
      #
      # customMetrics: '[{"name":"tyk_http_requests_total","description":"Total of API requests","metric_type":"counter","labels":["response_code","api_name","method","api_key","alias","path"]},          {              "name":"tyk_http_latency",              "description":"Latency of API requests",              "metric_type":"histogram",              "labels":["type","response_code","api_name","method","api_key","alias","path"]          }]'
      customMetrics: ""
      # If you are using prometheus Operator, set the fields in the section below.
      prometheusOperator:
        # enabled determines whether the Prometheus Operator is in use or not. By default,
        # it is disabled.
        # Tyk Pump can be monitored with PodMonitor Custom Resource of Prometheus Operator.
        # If enabled, PodMonitor resource is created based on .Values.pump.prometheusPump.prometheusOperator.podMonitorSelector
        # for Tyk Pump.
        enabled: false
        # podMonitorSelector represents a podMonitorSelector of your Prometheus resource. So that
        # your Prometheus resource can select PodMonitor objects based on selector defined here.
        # Please set this field to the podMonitorSelector field of your monitoring.coreos.com/v1
        # Prometheus resource's spec.
        #
        # You can check the podMonitorSelector via:
        #   kubectl describe prometheuses.monitoring.coreos.com <PROMETHEUS_POD>
        podMonitorSelector:
          release: prometheus-stack

Mongo pump

If you are using the MongoDB pumps in the tyk-oss installation you will require MongoDB installed for that as well.

To install Mongo you can use these rather excellent charts provided by Bitnami:

helm install tyk-mongo bitnami/mongodb --version {HELM_CHART_VERSION} --set "replicaSet.enabled=true" -n tyk

(follow notes from the installation output to get connection details and update them in values.yaml file)

NOTE: Here is the list of supported MongoDB versions. Please make sure you are installing a Mongo Helm chart that matches these versions.

Important Note regarding MongoDB: This helm chart enables the PodDisruptionBudget for MongoDB with an arbiter replica-count of 1. If you intend to perform system maintenance on the node where the MongoDB pod is running and this maintenance requires the node to be drained, this action will be prevented due to the replica count being 1. Increase the replica count in the helm chart deployment to a minimum of 2 to remedy this issue.

 # Set mongo connection details if you want to configure mongo pump.     
 mongo:
    # The mongoURL value will allow you to set your MongoDB address.
    # Default value: mongodb://mongo.{{ .Release.Namespace }}.svc.cluster.local:27017/tyk_analytics
    # mongoURL: mongodb://mongo.tyk.svc.cluster.local:27017/tyk_analytics
    # If your MongoDB has a password you can add the username and password to the url
    # mongoURL: mongodb://root:<password>@<mongo-host>:27017/tyk_analytics?authSource=admin
    mongoURL: <MongoDB address>

    # Enables SSL for MongoDB connection. MongoDB instance will have to support that.
    # Default value: false
    # useSSL: false

SQL pump

If you are using the SQL pumps in the tyk-oss installation you will require PostgreSQL installed for that as well.

To install PostgreSQL you can use these rather excellent charts provided by Bitnami:

helm install tyk-postgres bitnami/postgresql --set "auth.database=tyk_analytics" -n tyk

(follow notes from the installation output to get connection details and update them in values.yaml file)

  # Postgres connection string parameters.
  postgres:
    # host corresponds to the host name of postgres
    host: tyk-postgres-postgresql.tyk.svc
    # port corresponds to the port of postgres
    port: 5432
    # user corresponds to the user of postgres
    user: postgres
    # password corresponds to the password of the given postgres user in selected database
    password:
    # database corresponds to the database to be used in postgres
    database: tyk_analytics
    # sslmode corresponds to if postgres runs in sslmode (https)
    sslmode: disable
    # Connection string can also be set using a secret. Provide the name of the secret and key below.
    # connectionStringSecret:
    #   name: ""
    #   keyName: ""

Uptime Pump

Uptime Pump can be configured by setting pump.uptimePumpBackend in the values.yaml file. It supports the following values:

  1. mongo: Used to set mongo pump for uptime analytics. Mongo Pump should be enabled.
  2. postgres: Used to set postgres pump for uptime analytics. Postgres Pump should be enabled.
  3. empty: Used to disable uptime analytics.

    # uptimePumpBackend configures uptime Tyk Pump. ["", "mongo", "postgres"].
    # Set it to "" for disabling uptime Tyk Pump. By default, uptime pump is disabled.
    uptimePumpBackend: ""

Other Pumps

To set up other backends for pump, refer to this document and add the required environment variables in pump.extraEnvs.

Tyk Dashboard

Tyk Dashboard License (Required)

Tyk Dashboard License is required. It can be set in global.license.dashboard or supplied through the Kubernetes secret named in global.secrets.useSecretName. The secret should contain a key called DashLicense.

global:
  license:
    # The license key needed by Tyk Dashboard to work.
    #
    # NOTE: If you do not want to store license as a plain text in the file, you can use a Kubernetes secret
    # that stores the dashboard license. Please see `.global.secrets.useSecretName`.
    dashboard: ""

Tyk Bootstrap

To enable bootstrapping, set global.components.bootstrap to true. This runs tyk-k8s-bootstrap to bootstrap tyk-stack and to create Kubernetes secrets that can be used by Tyk Operator and Tyk Enterprise Developer Portal.

Bootstrapped Environments

If Tyk is already bootstrapped, the application will bypass the creation of the Tyk Organization and Admin User, proceeding directly with the creation of Kubernetes Secrets.

Given that the Kubernetes Secrets require values for TYK_AUTH and TYK_ORG, it is essential to provide these values through the respective environment variables, called TYK_K8SBOOTSTRAP_TYK_ADMIN_AUTH for TYK_AUTH and TYK_K8SBOOTSTRAP_TYK_ORG_ID for TYK_ORG.

Ensure that these environment variables are set appropriately on the postInstall hook for bootstrapped environments.

Tyk Enterprise Developer Portal Configurations

To enable Tyk Enterprise Developer Portal, set global.components.devPortal to true, and configure the settings below inside the tyk-dev-portal section.

Tyk Enterprise Developer Portal License (Required)

Tyk Enterprise Developer Portal License is required. It can be set in tyk-dev-portal.license or supplied through the Kubernetes secret named in global.secrets.useSecretName. The secret should contain a key called DevPortalLicense.

tyk-dev-portal:
  # Tyk Developer Portal license.
  license: ""

Tyk Enterprise Developer Portal Database

By default, Tyk Enterprise Developer Portal uses sqlite3 to store portal metadata. If you want to use another SQL database, please modify the section below.

tyk-dev-portal:
  database:
    # This selects the SQL dialect to be used
    # The supported values are mysql, postgres and sqlite3
    dialect: "sqlite3"
    connectionString: "db/portal.db"
    enableLogs: false
    maxRetries: 3
    retryDelay: 5000

Storage Settings

Tyk Enterprise Developer Portal supports different storage options for storing the portal’s CMS assets such as images, theme files and Open API Specification files. Please see the Enterprise Developer Portal Storage settings page for all the available options.

If you use the file system as storage, please set tyk-dev-portal.storage.type to fs, and configure tyk-dev-portal.storage.persistence to mount an existing persistent volume to Tyk Enterprise Developer Portal.

If you use AWS S3 as storage, please set tyk-dev-portal.storage.type to s3, and configure the tyk-dev-portal.storage.s3 section with credentials to access the AWS S3 bucket.

If you use the database as storage, please set tyk-dev-portal.storage.type to db, and configure the tyk-dev-portal.database section with the database connection details.

tyk-dev-portal:
  # Sensitive configuration of Portal could be set using k8s secret
  # You can set following fields:
  # - DevPortalLicense - Sets LicenseKey for Developer Portal
  # - DevPortalStorageConnectionString - Sets connectionString for Developer Portal
  # - DevPortalAwsAccessKeyId - Sets AWS S3 Access Key ID
  # - DevPortalAwsSecretAccessKey - Sets AWS S3 Secret Access Key
  useSecretName: ""
  # The hostname to bind the Developer Portal to.
  hostName: tyk-dev-portal.org
  # Developer Portal license.
  license: ""
  # Developer portal can be deployed as StatefulSet or as Deployment
  kind: StatefulSet
  storage:
    # User can set the storage type for portal.
    # Supported types: fs, s3, db
    type: "db"
    # Configuration values for using s3 as storage for Tyk Developer Portal
    # In case you want to provide the key ID and access key via secrets please
    # refer to the existing secret inside the helm chart or the
    # .Values.useSecretName field
    s3:
      awsAccessKeyid: your-access-key
      awsSecretAccessKey: your-secret-key
      region: sa-east-1
      endpoint: https://s3.sa-east-1.amazonaws.com
      bucket: your-portal-bucket
      acl: private
      presign_urls: true
    persistence:
      mountExistingPVC: ""
      storageClass: ""
      accessModes:
        - ReadWriteOnce
      size: 8Gi
      annotations: {}
      labels: {}
      selector: {}
  database:
    # This selects the SQL dialect to be used
    # The supported values are mysql, postgres and sqlite3
    dialect: "sqlite3"
    connectionString: "db/portal.db"
    enableLogs: false
    maxRetries: 3
    retryDelay: 5000
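
An added example (not part of the chart or its documentation) that keeps the Dashboard license, the Developer Portal license and the S3 credentials out of values.yaml by using the secret key names listed above. The Secret names are hypothetical and the values are placeholders; the Secret referenced by global.secrets.useSecretName may need further keys that this section does not list, so check the chart's values.yaml before relying on it.

```yaml
# File 1: Kubernetes Secrets, created separately and kept out of version control.
# Secret names are hypothetical; every value is a placeholder.
apiVersion: v1
kind: Secret
metadata:
  name: tyk-dashboard-secrets
  namespace: tyk
type: Opaque
stringData:
  DashLicense: "<dashboard license>"
---
apiVersion: v1
kind: Secret
metadata:
  name: tyk-portal-secrets
  namespace: tyk
type: Opaque
stringData:
  DevPortalLicense: "<portal license>"
  DevPortalAwsAccessKeyId: "<AWS access key ID>"
  DevPortalAwsSecretAccessKey: "<AWS secret access key>"
---
# File 2: values.yaml override that refers to the Secrets by name only.
global:
  components:
    devPortal: true
  license:
    dashboard: ""          # left empty: read from DashLicense in the Secret
  secrets:
    useSecretName: "tyk-dashboard-secrets"
tyk-dev-portal:
  useSecretName: "tyk-portal-secrets"
  license: ""              # left empty: read from DevPortalLicense
  storage:
    type: "s3"
    s3:
      # awsAccessKeyid and awsSecretAccessKey are not set here; the assumption
      # is that the chart takes them from the Secret when useSecretName is set.
      region: sa-east-1
      endpoint: https://s3.sa-east-1.amazonaws.com
      bucket: your-portal-bucket
      acl: private
      presign_urls: true
```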

Other Configurations

Other Enterprise Developer Portal configurations can be set by using environment variables with extraEnvs fields, e.g.:

tyk-dev-portal:
  extraEnvs:
  - name: PORTAL_LOG_LEVEL
    value: debug