The Complete Kubernetes Tyk Demo

Last updated: 8 minutes read.

The tyk-k8s-demo repository allows you to start up an entire Tyk Stack with all its dependencies as well as other tools that can integrate with Tyk. The repository will spin up everything in Kubernetes using helm and bash magic to get you started.


Minimize the amount of effort needed to start up the Tyk infrastructure and show examples of how Tyk can be setup in k8s using different deployment architectures as well as different integrations.

Getting Started


You will need the following tools to be able to run this library.

Tested on Linux/Unix based systems on AMD64 and ARM architectures

Initial setup

Create .env file and update the appropriate fields with your licenses. If you require a trial license, you can obtain one here. If you are looking to use the tyk-gateway deployment only you will not require any licensing as that is the open-source deployment.

git clone
cd tyk-k8s-demo
cp .env.example .env

Depending on the deployments you would like install set values of the LICENSE, MDCB_LICENSE and PORTAL_LICENSE inside the .env file.


If you are deploying this on Minikube, you will need to enable the ingress addon. You can do so by running the following commands:

minikube start
minikube addons enable ingress

Quick Start

./ --deployments portal,operator-httpbin tyk-stack

This quick start command will stard up the entire Tyk stack along with the Tyk Enterprise Portal, Tyk Operator and httpbin CRD example.

Possible deployments

  • tyk-stack: Tyk single region self-managed deployment
  • tyk-cp: Tyk self-managed multi region control plane (Will be available in Q1 2024 with new Tyk Charts. Please use the v2 tag if you would like to deploy this)
  • tyk-dp: Tyk self-managed data plane, this can connect to Tyk Cloud or a Tyk Control Plane
  • tyk-gateway: Tyk oss self-managed single region

Dependencies Options

Redis Options

  • redis: Bitnami Redis deployment
  • redis-cluster: Bitnami Redis Cluster deployment
  • redis-sentinel: Bitnami Redis Sentinel deployment

Storage Options

Supplementary Deployments

Please see this page for Tyk deployments compatibility charts.

  • cert-manager: Deploys cert-manager.
  • datadog: Deploys Datadog agent and starts up Tyk Pump to push analytics data from the Tyk platform to Datadog. It will also create a Datadog dashboard for you to view the analytics.
  • Elasticsearch
    • elasticsearch: deploys Elasticsearch and starts up Tyk Pump to push analytics data from the Tyk platform to Elasticsearch.
    • elasticsearch-kibana: deploys an Elasticsearch and Kibana deployment. A Kibana dashboard will be created for you to view the analytics.
  • Jaeger: deploys the Jaeger operator, a Jaeger instance and the OpenTelemetry collector. Configures the Tyk deployment to send telemetry data to Jaeger through the OpenTelemetry collector.
  • k6
    • k6: deploys a Grafana K6 Operator.
    • k6-slo-traffic: deploys a k6 CRD to generate a load of traffic to seed analytics data.
  • keycloak
    • keycloak: deploys the Keycloak Operator and a Keycloak instance.
    • keycloak-dcr: starts up a Keycloak Dynamic Client Registration example.
    • keycloak-jwt: starts up a Keycloak JWT Authentication example with Tyk.
    • keycloak-sso: starts up a Keycloak SSO example with the Tyk dashboard.
  • Tyk Operator
  • Tyk Operator
  • portal: deploys the Tyk Enterprise Developer Portal as well as its dependency PostgreSQL.
  • Prometheus
    • Prometheus: deploys Prometheus and starts up Tyk Pump to push analytics data from the Tyk platform to Prometheus.
    • prometheus-grafana: deploys the Prometheus and Grafana deployments. Creates a Grafana dashboard for you to view the analytics.
  • vault: deploys Vault Operator and a Vault instance.

If you are running a POC and would like an example of how to integrate a specific tool, you are welcome to submit a feature request


./ \
  --storage postgres \
  --deployments prometheus-grafana,k6-slo-traffic \

The deployment will take 10 minutes, as the installation is sequential and the dependencies require a bit of time before they are started up. Once the installation is complete, the script will print out a list of all the services that were started and how those can be accessed. The k6 job will start running after the script is finished and will run in the background for 15 minutes to generate traffic over that period of time. To visualize the live traffic, you can use the credentials provided by the script to access Grafana or the Tyk Dashboard.


Start Tyk deployment

Create and start up the deployments

./ [flags] [command]

Available Commands:

-v, --verbose         bool     set log level to debug
--dry-run         bool     set the execution mode to dry run. This will dump the kubectl and helm commands rather than execute them
-n, --namespace       string   namespace the tyk stack will be installed in, defaults to 'tyk'
-f, --flavor          enum     k8s environment flavor. This option can be set 'openshift' and defaults to 'vanilla'
-e, --expose          enum     set this option to 'port-forward' to expose the services as port-forwards or to 'load-balancer' to expose the services as load balancers or 'ingress' which exposes services as a k8s ingress object
-r, --redis           enum     the redis mode that tyk stack will use. This option can be set 'redis', 'redis-sentinel' and defaults to 'redis-cluster'
-s, --storage         enum     database the tyk stack will use. This option can be set 'mongo' and defaults to 'postgres'
-d, --deployments     string   comma separated list of deployments to launch
-c, --cloud           enum     stand up k8s infrastructure in 'aws', 'gcp' or 'azure'. This will require Terraform and the CLIs associate with the cloud of choice
-l, --ssl             bool     enable ssl on deployments

Stop Tyk deployment

Shutdown deployment

  ./ [flags]

  -v, --verbose         bool     set log level to debug
  -n, --namespace       string   namespace the tyk stack will be installed in, defaults to 'tyk'
  -p, --ports           bool     disconnect port connections only
  -c, --cloud           enum     tear down k8s cluster stood up


You can get the library to create demo clusters for you on AWS, GCP, or Azure. That can be set using the --cloud flag and requires the respective cloud CLI to be installed and authorized on your system. You will also need to specify the CLUSTER_LOCATION, CLUSTER_MACHINE_TYPE, CLUSTER_NODE_COUNT and GCP_PROJECT (for GCP only) parameters in the .env file.

You can find examples of .env files here:

For more information about cloud CLIs:


This library can also act as a guide to help you get set up with Tyk. If you just want to know how to set up a specific tool with Tyk, you can run the library with the --dry-run and --verbose flags. This will output all the commands that the library will run to stand up any installation. This can be helpful for debugging as well as figuring out what configuration options are required to set these tools up.

Furthermore, you can also add any Tyk environment variables to your .env file and those variables will be mapped to their respective Tyk deployments.




The script has defaults for minimal settings in a .env file and it will give errors if something is missing. You can also add or change any Tyk environments variables in the .env file and they will be mapped to the respective extraEnvs section in the helm charts.

Variable Default Comments
DASHBOARD_VERSION v5.2 Dashboard version
GATEWAY_VERSION v5.2 Gateway version
MDCB_VERSION v2.3 MDCB version
PUMP_VERSION v1.8 Pump version
PORTAL_VERSION v1.8 Portal version
TYK_HELM_CHART_PATH tyk-helm Path to charts, can be a local directory or a helm repo
TYK_USERNAME [email protected] Default password for all the services deployed
TYK_PASSWORD topsecretpassword Default password for all the services deployed
LICENSE Dashboard license
PORTAL_LICENSE Portal license
TYK_WORKER_ORGID Org ID of dashboard user
TYK_WORKER_AUTHTOKEN Auth token of dashboard user
TYK_WORKER_USESSL true Set to true when the MDCB is serving on a TLS connection
TYK_WORKER_SHARDING_ENABLED false Set to true to enable API Sharding
TYK_WORKER_SHARDING_TAGS API Gateway segmentation tags
TYK_WORKER_GW_PORT 8081 Set the gateway service port to use
TYK_WORKER_OPERATOR_CONNECTIONSTRING Set the dashboard URL for the operator to be able manage APIs and Policies
DATADOG_APPKEY Datadog Application key. This is used to create a dashboard and create a pipeline for the Tyk logs
DATADOG_SITE Datadog site. Change to if using the european site
GCP_PROJECT The GCP project for terraform authentication on GCP
CLUSTER_LOCATION Cluster location that will be created on AKS, EKS, or GKE
CLUSTER_MACHINE_TYPE Machine type for the cluster that will be created on AKS, EKS, or GKE
CLUSTER_NODE_COUNT Number of nodes for the cluster that will be created on AKS, EKS, or GKE
INGRESS_CLASSNAME nginx The ingress classname to be used to associate the k8s ingress objects with the ingress controller/load balancer