Skip to main content

Availability

EditionDeployment Type
EnterpriseSelf-Managed, Hybrid
This guide focuses on the Enterprise Edition of Tyk AI Studio. For the Community Edition, please refer to the Tyk AI Studio GitHub repository. The Community Edition uses different Docker images (tykio/tyk-ai-studio and tykio/tyk-microgateway) and does not require a license key.
This guide explains how to deploy Tyk AI Studio (control plane), an Edge Gateway (data plane), and PostgreSQL on Kubernetes using Helm. AI Studio manages configuration centrally and the Edge Gateway processes AI requests, receiving configuration via gRPC.

Prerequisites

  • Kubernetes 1.16+
  • Helm 3.0+
  • kubectl configured with access to your cluster
  • A Tyk AI License key (contact support@tyk.io or your account manager to obtain)
  • For production with TLS: cert-manager installed in your cluster
Running on Podman, containerd, or another container runtime? See Container Runtimes.

Generate Secrets

Before installing, generate three secret keys to secure communication and encrypt data: 
# Secret key for encryption (used for secrets management and SSO)
openssl rand -hex 16
# Example output: a35b3f7b0fb4dd3a048ba4fc6e9fe0a8

# Encryption key for Edge Gateway communication (must be exactly 32 hex chars)
openssl rand -hex 16
# Example output: 822d3d1e0e2d849263e45fc7bb842364

# gRPC auth token (for hub-spoke communication)
openssl rand -hex 16
# Example output: 9f2c4a6b8d0e1f3a5c7d9e1b3a5c7d9e
Save these values — you will substitute them into the values file below.

Option 1: Testing / Quickstart

For local development or test clusters. Uses NodePort services, internal PostgreSQL, and no ingress.

1. Add the Helm Chart

cd /path/to/tyk-ai-studio/helm
helm dependency update .

2. Create values-testing.yaml

Replace the placeholder secrets with your generated values. The grpcAuthToken / edgeAuthToken and microgatewayEncryptionKey / encryptionKey pairs must match.
Expandable
midsommar:
  image:
    repository: tykio/tyk-ai-studio-ent
    tag: v2.0.0
  service:
    type: NodePort
    ports:
      - name: http
        port: 8080
        targetPort: 8080
        nodePort: 32580
      - name: gateway
        port: 9090
        targetPort: 9090
        nodePort: 32590
      - name: grpc
        port: 50051
        targetPort: 50051

config:
  allowRegistrations: "true"
  siteUrl: "http://localhost:32580"                       # Update post-install if not localhost
  fromEmail: "noreply@localhost"
  devMode: "true"                                       # Required for login over plain HTTP
  databaseType: "postgres"
  tykAiSecretKey: "CHANGE-ME-first-secret"
  tykAiLicense: "your-license-key"
  ociCacheDir: "./data/cache/plugins"
  ociRequireSignature: "false"
  gatewayMode: "control"
  grpcPort: "50051"
  grpcHost: "0.0.0.0"
  grpcTlsInsecure: "true"
  grpcAuthToken: "CHANGE-ME-third-secret"
  microgatewayEncryptionKey: "CHANGE-ME-second-secret"
  # proxyUrl auto-resolves to the Edge Gateway k8s service — no need to set it

database:
  internal: true
  user: "tyk"
  password: "your-db-password"
  name: "tyk_ai_studio"

postgres:
  persistence:
    enabled: true
    size: 1Gi

microgateway:
  enabled: true
  image:
    repository: tykio/tyk-microgateway-ent
    tag: v2.0.0
  service:
    type: NodePort
    port: 8080
    nodePort: 32591
  config:
    edgeId: "edge-1"
    edgeNamespace: "default"
  secrets:
    edgeAuthToken: "CHANGE-ME-third-secret"             # Must match config.grpcAuthToken
    encryptionKey: "CHANGE-ME-second-secret"             # Must match config.microgatewayEncryptionKey
    tykAiLicense: "your-license-key"

3. Install

helm install midsommar . -f values-testing.yaml

4. Set External Gateway URL

The Edge Gateway’s internal service URL is used for routing by default, but the portal needs to display the correct external URL for tools and datasources. After install, patch the config with your cluster’s node IP: 
# Get the node IP and set the gateway URL
NODE_IP=$(kubectl get nodes -o jsonpath='{.items[0].status.addresses[?(@.type=="InternalIP")].address}')
GATEWAY_URL="http://${NODE_IP}:32591"

# Patch the configmap with correct URLs and restart AI Studio
STUDIO_URL="http://${NODE_IP}:32580"
kubectl patch configmap midsommar-config -p \
  "{\"data\":{\"SITE_URL\":\"${STUDIO_URL}\",\"TOOL_DISPLAY_URL\":\"${GATEWAY_URL}\",\"DATASOURCE_DISPLAY_URL\":\"${GATEWAY_URL}\"}}"
kubectl rollout restart deployment midsommar
Tip: If you know your cluster’s external IP or hostname upfront, you can skip this step by setting config.toolDisplayUrl and config.datasourceDisplayUrl in your values file instead.

5. Verify

# Check all pods are running
kubectl get pods

# Check AI Studio health (via NodePort)
curl -s http://${NODE_IP}:32580/health

# Check Edge Gateway health (via NodePort)
curl -s http://${NODE_IP}:32591/health

Access Points

PortURLPurpose
32580http://<node-ip>:32580AI Studio UI + REST API
32590http://<node-ip>:32590Embedded AI Gateway
32591http://<node-ip>:32591Edge Gateway

Option 2: Production with TLS

For production deployments with Ingress, TLS via cert-manager, and an external database.

1. Create values-production.yaml

Replace all placeholder values with your actual configuration.
Expandable
midsommar:
  image:
    repository: tykio/tyk-ai-studio-ent
    tag: v2.0.0
  ingress:
    enabled: true
    certificateEnabled: true
    className: nginx
    certManager:
      issuer: letsencrypt-prod
    hosts:
      - host: studio.yourdomain.com
        paths:
          - path: /
            pathType: Prefix
            port: 8080
    tls:
      - secretName: studio-tls-secret
        hosts:
          - studio.yourdomain.com
  service:
    ports:
      - name: http
        port: 8080
        targetPort: 8080
      - name: gateway
        port: 9090
        targetPort: 9090
      - name: grpc
        port: 50051
        targetPort: 50051

config:
  allowRegistrations: "true"
  siteUrl: "https://studio.yourdomain.com"
  fromEmail: "noreply@yourdomain.com"
  devMode: "false"
  databaseType: "postgres"
  tykAiSecretKey: "CHANGE-ME-first-secret"
  tykAiLicense: "your-license-key"
  ociCacheDir: "./data/cache/plugins"
  ociRequireSignature: "false"
  gatewayMode: "control"
  grpcPort: "50051"
  grpcHost: "0.0.0.0"
  grpcTlsInsecure: "true"                               # Set to "false" with TLS certs
  grpcAuthToken: "CHANGE-ME-third-secret"
  microgatewayEncryptionKey: "CHANGE-ME-second-secret"
  # proxyUrl, toolDisplayUrl, datasourceDisplayUrl auto-resolve from Edge Gateway ingress config

database:
  internal: false
  url: "postgres://user:password@your-db-host:5432/tyk_ai_studio?sslmode=require"

microgateway:
  enabled: true
  image:
    repository: tykio/tyk-microgateway-ent
    tag: v2.0.0
  ingress:
    enabled: true
    certificateEnabled: true
    className: nginx
    certManager:
      issuer: letsencrypt-prod
    hosts:
      - host: gateway.yourdomain.com
        paths:
          - path: /
            pathType: Prefix
    tls:
      - secretName: gateway-tls-secret
        hosts:
          - gateway.yourdomain.com
  config:
    edgeId: "edge-1"
    edgeNamespace: "default"
    allowInsecure: "false"
    tlsEnabled: "false"                                  # gRPC client TLS to AI Studio
  secrets:
    edgeAuthToken: "CHANGE-ME-third-secret"
    encryptionKey: "CHANGE-ME-second-secret"
    tykAiLicense: "your-license-key"

2. Install

helm dependency update .
helm install midsommar . -f values-production.yaml

3. Verify

kubectl get pods
kubectl get ingress
curl -s https://studio.yourdomain.com/health
curl -s https://gateway.yourdomain.com/health

After Deployment

First User Registration

After deployment, you need to create your first admin user:
  1. Access the application: Navigate to your configured SITE_URL (e.g., https://studio.yourdomain.com)
  2. Register with admin email: Use the EXACT email address you set in the ADMIN_EMAIL environment variable in your configuration.
  3. Complete registration: The first user who registers with the admin email will automatically become the administrator.
Important: The first user registration must use the same email address specified in the ADMIN_EMAIL environment variable. This user will have full administrative privileges.

Add Your API Keys

AI Studio pre-populates OpenAI and Anthropic LLM configurations on first startup with placeholder secrets (OPENAI_KEY and ANTHROPIC_KEY). To start using them:
  1. Open AI Studio at the siteUrl you configured and log in with your admin account
  2. Navigate to Governance → Secrets in the sidebar
  3. Click on OPENAI_KEY and edit it to add your OpenAI API key
  4. Click on ANTHROPIC_KEY and edit it to add your Anthropic API key

Push Configuration to the Edge Gateway

  1. Navigate to AI Portal → Edge Gateways in the sidebar
  2. Verify your edge gateway (edge-1) shows as Connected
  3. Click Push Configuration to sync the latest settings to the Edge Gateway
Once the sync status shows Synced, the Edge Gateway is ready to proxy LLM requests. For further setup (additional LLMs, users, applications), see the Initial Configuration guide.

Shared Secrets Reference

These values must match between AI Studio and Edge Gateway configuration:
AI Studio ConfigEdge Gateway ConfigPurpose
config.grpcAuthTokenmicrogateway.secrets.edgeAuthTokenAuthenticates the gRPC connection
config.microgatewayEncryptionKeymicrogateway.secrets.encryptionKeyEncrypts synced configuration data
config.tykAiLicensemicrogateway.secrets.tykAiLicenseEnterprise license

Port Reference

PortComponentPurpose
8080AI StudioAdmin UI + REST API
9090AI StudioEmbedded AI Gateway
50051AI StudiogRPC control server (internal)
8080Edge GatewayEdge AI Gateway
5432PostgreSQLDatabase

Advanced Configuration

Message Queue (NATS)

For distributed deployments with message persistence, add NATS configuration to your values file: 
config:
  queueType: "nats"
  natsUrl: "nats://nats-server:4222"
  natsStorageType: "file"
  natsRetentionPolicy: "interest"
  natsMaxAge: "4h"
  natsTlsEnabled: true
  natsCredentialsFile: "/etc/nats/user.creds"

Optional Components

Reranker Service

Improves RAG result relevance: 
reranker:
  enabled: true
  image:
    repository: tykio/reranker_cpu
    tag: latest
  resources:
    requests:
      cpu: 500m
      memory: 1Gi

Transformer Server

Handles embedding generation: 
transformer-server:
  enabled: true
  image:
    repository: tykio/transformer_server_cpu
    tag: latest
  resources:
    requests:
      cpu: 500m
      memory: 1Gi

Scaling Edge Gateways

To deploy multiple edge gateways for different regions, override edgeId and edgeNamespace per instance. You can either deploy separate Helm releases or create additional Kubernetes Deployments with unique values: 
microgateway:
  config:
    edgeId: "edge-eu-west-1"
    edgeNamespace: "eu-west"
Each edge instance registers independently with AI Studio and receives only the configuration assigned to its namespace.

Database Options

Internal PostgreSQL (testing/small deployments): 
database:
  internal: true
  user: "tyk"
  password: "secure-password"
  name: "tyk_ai_studio"

postgres:
  persistence:
    enabled: true
    size: 10Gi
    storageClass: "standard"
External Database (production): 
database:
  internal: false
  url: "postgres://user:password@your-db-host:5432/tyk_ai_studio?sslmode=require"

Maintenance

Upgrading

helm upgrade midsommar . -f your-values.yaml

Uninstalling

helm uninstall midsommar

Viewing Logs

# AI Studio logs
kubectl logs -l app.kubernetes.io/name=midsommar

# Edge Gateway logs
kubectl logs -l app=microgateway

# Database logs (internal postgres)
kubectl logs -l app=postgres

Troubleshooting

kubectl get pods
kubectl get ingress
kubectl describe pod <pod-name>
  • Database connection failures: Check credentials and network access
  • Ingress not working: Verify DNS records and TLS configuration
  • Login fails on HTTP: Set devMode: "true" — session cookies require this when not using HTTPS
  • Marketplace page is empty: Set ociCacheDir: "./data/cache/plugins" in your config values — the marketplace service will not start without it
  • Plugin signature verification: Docker images use distroless bases without cosign. Set ociRequireSignature: "false" to disable signature verification
  • Verify the Edge Gateway pod logs:
kubectl logs -l app=microgateway
  • Check that CONTROL_ENDPOINT resolves to the AI Studio service (default: midsommar:50051)
  • Verify edgeAuthToken matches grpcAuthToken exactly
  • Verify encryptionKey matches microgatewayEncryptionKey exactly
  • Check that GATEWAY_MODE=control is set in AI Studio config