Installing Tyk Operator

Follow this guide to install and configure Tyk Operator using Helm to manage API resources on one Tyk Gateway or Dashboard. Since Tyk Operator is a cluster-scoped resource, it should be deployed once for a cluster only. For advanced usage where you need to connect to multiple Tyk installations or Organizations, see Managing Multiple Organizations with Operator Context.

Prerequisites

• Kubernetes v1.19+
• Helm 3+
• Kubernetes Cluster Admin rights for installing CustomResourceDefinitions
• cert-manager v1.8+. Check cert-manager installation guide if you do not have it.
• Tyk Gateway or Tyk Dashboard v3+. Check Required Tyk configurations for necessary configurations.
• Tyk Operator license key. Starting from Tyk Operator v1.0, a valid license key is required.

Configuring Tyk

We assume you have already installed Tyk. If you don’t have it, check out Tyk Cloud or Tyk Self Managed page. Tyk Helm Chart is the preferred (and easiest) way to install Tyk on Kubernetes.

In order for policy ID matching to work correctly, Dashboard must have allow_explicit_policy_id and enable_duplicate_slugs set to true and Gateway must have policies.allow_explicit_policy_id set to true.

Tyk Operator needs a user credential to connect with Tyk Dashboard. The Operator user should have write access to the resources it is going to manage, e.g. APIs, Certificates, Policies, and Portal. It is the recommended practice to turn off write access for other users for the above resources. See Using Tyk Operator to enable GitOps with Tyk about maintaining a single source of truth for your API configurations.

Installing cert-manager

Tyk Operator uses cert-manager to provision certificates for the webhook server. If you don’t have cert-manager installed, you can follow this command to install it:

$ kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.8.0/cert-manager.yaml

Since Tyk Operator supports Kubernetes v1.19+, the minimum cert-manager version you can use is v1.8. If you run into the cert-manager related errors, please ensure that the desired version of Kubernetes version works with the chosen version of cert-manager by checking supported releases page and cert-manager documentation.

Please wait for the cert-manager to become available before continuing with the next step.

Installation steps

Option 1: Installing Tyk Operator via Tyk’s Umbrella Helm Charts

If you are using Tyk Stack, Tyk Control Plane, or Tyk Open Source Chart, you can install Tyk Operator alongside other Tyk components by setting value global.components.operator to true.

Starting from Tyk Operator v1.0, a license key is required to use the Tyk Operator. You can provide it while installing Tyk Stack, Tyk Control Plane or Tyk OSS helm chart by setting global.license.operator field. You can also set license key via a Kubernetes secret using global.secrets.useSecretName field. The secret should contain a key called OperatorLicense

Option 2: Installing Tyk Operator via stand-alone Helm Chart

If you prefer to install Tyk Operator separately, follow this section to install Tyk Operator using Helm.

Step 1: Configure Tyk Operator via environment variable or tyk-operator-conf secret

Tyk Operator configurations can be set using envVars field of helm chart. See the table below for a list of expected environment variable names and example values.

envVars:
  - name: TYK_OPERATOR_LICENSEKEY
    value: "{YOUR_LICENSE_KEY}"
  - name: TYK_MODE
    value: "pro"
  - name: TYK_URL
    value: "http://dashboard-svc-tyk-tyk-dashboard.tyk.svc:3000"
  - name: TYK_AUTH
    value: "2d095c2155774fe36d77e5cbe3ac963b"
  - name: TYK_ORG
    value: "5e9d9544a1dcd60001d0ed20"

It can also be set via a Kubernetes secret. The default K8s secret name is tyk-operator-conf. If you want to use another name, configure it through Helm Chart envFrom value.

The Kubernetes secret or envVars field should set the following keys:

Connection to Tyk Gateway or Dashboard

If you install Tyk using Helm Chart, tyk-operator-conf will have been created with the following keys: TYK_OPERATOR_LICENSEKEY, TYK_AUTH, TYK_MODE, TYK_ORG, and TYK_URL by default. If you didn’t use Helm Chart for installation, please prepare tyk-operator-conf secret yourself using the commands below:

$ kubectl create namespace tyk-operator-system

$ kubectl create secret -n tyk-operator-system generic tyk-operator-conf \
  --from-literal "TYK_OPERATOR_LICENSEKEY=${TYK_OPERATOR_LICENSEKEY}" \
  --from-literal "TYK_AUTH=${TYK_AUTH}" \
  --from-literal "TYK_ORG=${TYK_ORG}" \
  --from-literal "TYK_MODE=${TYK_MODE}" \
  --from-literal "TYK_URL=${TYK_URL}"

Watching Namespaces

Tyk Operator is installed with cluster permissions. However, you can optionally control which namespaces it watches by setting the WATCH_NAMESPACE through tyk-operator-conf secret or the environment variable to a comma separated list of k8s namespaces. For example:

• WATCH_NAMESPACE="" will watch for resources across the entire cluster.
• WATCH_NAMESPACE="foo" will watch for resources in the foo namespace.
• WATCH_NAMESPACE="foo,bar" will watch for resources in the foo and bar namespace.

Watching custom ingress class

You can configure Tyk Operator as Ingress Controller so that Ingress resources can be managed by Tyk as APIs. By default, Tyk Operator looks for the value tyk in Ingress resources kubernetes.io/ingress.class annotation and will ignore all other ingress classes. If you want to override this default behavior, you may do so by setting WATCH_INGRESS_CLASS through tyk-operator-conf or the environment variable.

Step 2: Installing Tyk Operator and Custom Resource Definitions (CRDs)

You can install CRDs and Tyk Operator using the stand-alone Helm Chart by running the following command:

$ helm repo add tyk-helm https://helm.tyk.io/public/helm/charts/
$ helm repo update

$ helm install tyk-operator tyk-helm/tyk-operator -n tyk-operator-system

This process will deploy Tyk Operator and its required Custom Resource Definitions (CRDs) into your Kubernetes cluster in tyk-operator-system namespace.

Helm configurations

Upgrading Tyk Operator

Upgrading from v0.x to v1.0+

Starting from Tyk Operator v1.0, a valid license key is required for the Tyk Operator to function. If Tyk Operator is upgraded from v0.x versions to one of v1.0+ versions, Tyk Operator needs a valid license key that needs to be provided during upgrade process. This section describes how to set Tyk Operator license key to make sure Tyk Operator continues functioning.

To provide the license key for Tyk Operator, Kubernetes secret used to configure Tyk Operator (typically named tyk-operator-conf as described above) requires an additional field called TYK_OPERATOR_LICENSEKEY. Populate this field with your Tyk Operator license key.

To configure the license key:

1. Locate the Kubernetes Secret used to configure Tyk Operator (typically named tyk-operator-conf).
2. Add a new field called TYK_OPERATOR_LICENSEKEY to this Secret.
3. Set the value of TYK_OPERATOR_LICENSEKEY to your Tyk Operator license key.

After updating the Kubernetes secret with this field, proceed with the standard upgrade process outlined below.

Upgrading Tyk Operator and CRDs

You can upgrade Tyk Operator through Helm Chart by running the following command:

$ helm upgrade -n tyk-operator-system tyk-operator tyk-helm/tyk-operator --wait

Helm does not upgrade or delete CRDs when performing an upgrade. Because of this restriction, an additional step is required when upgrading Tyk Operator with Helm.

$ kubectl apply -f https://raw.githubusercontent.com/TykTechnologies/tyk-charts/refs/heads/main/tyk-operator-crds/crd-$TYK_OPERATOR_VERSION.yaml

Uninstalling Tyk Operator

To uninstall Tyk Operator, you need to run the following command:

$ helm delete tyk-operator -n tyk-operator-system