Overview

Tyk is an open-source API management platform that controls, secures, and monitors API traffic. This template deploys a Tyk API Gateway workload on Control Plane alongside Redis and Redis Sentinel, which serve as the backing store for tokens, analytics, rate limits, and gateway state.
This template does not create a GVC. You must deploy it into an existing GVC.

What Gets Created

  • Standard Workload — Tyk API Gateway (RELEASE_NAME-tyk-api-gateway): the gateway process, autoscaling between minScale and maxScale replicas. API definitions and policies are mounted from Control Plane secrets at startup.
  • Secret — Gateway admin secret (RELEASE_NAME-tyk-gateway-secret): a dictionary secret containing the admin API key used for management operations.
  • Identity & Policy — An identity (RELEASE_NAME-tyk-identity) bound to the gateway workload with reveal access to the gateway secret, Redis auth secrets, and optionally the API definitions and policy secrets.
  • Redis and Redis Sentinel — The Redis template (v3.1.1) is deployed as a dependency, creating a Redis workload, a Sentinel workload, and their associated secrets, identities, and policies.

Prerequisites

Tyk loads API definitions and policies from files at startup. You must create the corresponding Control Plane secrets before deploying the template.

1. Create the API Definitions Secret

Each key in the dictionary is a filename (e.g. app1.json) containing a Tyk API definition object. Create the secret using cpln apply:
kind: secret
name: my-tyk-apis
description: my-tyk-apis
tags: {}
type: dictionary
data:
  app1.json: >-
    { "api_id": "app1", "name": "app1", "org_id": "default", "use_keyless":
    true, "use_jwt": false, "disable_rate_limit": true, "definition": {
    "location": "header", "key": "version" }, "version_data": { "not_versioned":
    true, "versions": { "Default": { "name": "Default", "use_extended_paths":
    true } } }, "proxy": { "listen_path": "/app1", "target_url":
    "http://app1.example-gvc.cpln.local:80", "strip_listen_path": true },
    "active": true}
Set apiSecretName in your values to the name of this secret. To omit API definitions entirely, leave apiSecretName empty.

2. Create the Policies Secret

The policies secret is a single opaque secret containing a JSON object where each key is a policy ID:
kind: secret
name: my-tyk-policies
description: my-tyk-policies
tags: {}
type: opaque
data:
  encoding: plain
  payload: |-
    {
      "app1-rate-limit": {
        "org_id": "default",
        "active": true,
        "rate": 20,
        "per": 100,
        "quota_max": 0,
        "quota_renewal_rate": 0,
        "quota_remaining": 0,
        "access_rights": {
          "app1": {
            "api_id": "app1",
            "api_name": "app1",
            "versions": ["Default"]
          }
        }
      }
    }
Set policySecretName in your values to the name of this secret. To omit policies entirely, leave policySecretName empty.
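Both secrets are plain JSON that the gateway trusts at startup, so it pays to lint them together before running cpln apply. The script below is an added example, not part of the template or of Tyk: it checks each API definition for required fields and for the security-relevant flags used above (use_keyless, disable_rate_limit), and checks that every policy's access_rights points at an api_id and version the gateway will actually load. The API files and policies payload are constructed sample input in the same shape as the secrets above.

```python
import json
# Constructed sample input (not a real deployment): one dictionary-secret entry
# (filename -> API definition) and one opaque policies payload, as described above.
API_FILES = {"app1.json": json.dumps({
    "api_id": "app1", "name": "app1", "org_id": "default", "active": True,
    "use_keyless": True, "disable_rate_limit": True,
    "version_data": {"not_versioned": True, "versions": {"Default": {"name": "Default"}}},
    "proxy": {"listen_path": "/app1", "target_url": "http://app1.example-gvc.cpln.local:80"},
})}
POLICIES_JSON = json.dumps({
    "app1-rate-limit": {"org_id": "default", "active": True, "rate": 20, "per": 100,
                        "access_rights": {"app1": {"api_id": "app1", "versions": ["Default"]}}},
    "stale-policy": {"org_id": "default", "active": True, "rate": 5, "per": 60,
                     "access_rights": {"app2": {"api_id": "app2", "versions": ["v2"]}}},
})

def lint_api_definition(filename, text):
    """Parse one API definition file; return (definition, review findings)."""
    api, findings = json.loads(text), []
    for field in ("api_id", "org_id", "proxy", "version_data"):
        if field not in api:
            findings.append(f"{filename}: missing required field '{field}'")
    if api.get("use_keyless"):  # anyone who can reach listen_path can call the upstream
        findings.append(f"{filename}: use_keyless=true on {api.get('proxy', {}).get('listen_path')}")
    if api.get("disable_rate_limit"):
        findings.append(f"{filename}: disable_rate_limit=true, rate limiting is off")
    return api, findings

def lint_policies(text, apis):
    """Check each policy's access_rights against the loaded API definitions."""
    findings = []
    for pid, pol in json.loads(text).items():
        for right in pol.get("access_rights", {}).values():
            api = apis.get(right.get("api_id"))
            if api is None:  # grants access to an API the gateway will not load
                findings.append(f"policy {pid}: unknown api_id '{right.get('api_id')}'")
                continue
            for ver in right.get("versions", []):
                if ver not in api.get("version_data", {}).get("versions", {}):
                    findings.append(f"policy {pid}: version '{ver}' not on '{api['api_id']}'")
    return findings

def lint_bundle(api_files, policies_json):
    """Lint every API file, then the policies that reference them."""
    apis, findings = {}, []
    for filename, text in api_files.items():
        api, found = lint_api_definition(filename, text)
        apis[api.get("api_id", filename)] = api
        findings.extend(found)
    return findings + lint_policies(policies_json, apis)
```

Run it over the real secret values before applying them; an empty findings list means every policy resolves to a loaded API and no definition is open or unthrottled by accident.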

Installation

To install, follow the instructions for your preferred method:

Configuration

The default values.yaml for this template:
image: tykio/tyk-gateway:v5.10.0

listenPort: 8080 # REQUIRED - The port exposed on the Tyk workload

apiSecretName: my-tyk-apis # REQUIRED - The name of the pre-configured Control Plane secret that contains your API definitions
policySecretName: my-tyk-policies # REQUIRED - The name of the pre-configured Control Plane secret that contains your policies
# Note: if you wish to omit one of these secrets, leave the value empty and it will be omitted from the workload's configuration

adminSecret: mysecret # REQUIRED - The value you set to be the admin API key for management of Tyk

resources:
  cpu: 50m
  memory: 128Mi

autoscaling:
  maxScale: 3
  metric: cpu
  minScale: 1
  scaleToZeroDelay: 300
  target: 100

multiZone: false # OPTIONAL - Deploys replicas across multiple zones (confirm availability in your location)

externalAccess: true # OPTIONAL - Set to true to expose the workload to the internet; set to false for internal-only access
internalAccess: # OPTIONAL - Sets the internal firewall scope
  type: none # options: none, same-gvc, same-org, workload-list
  workloads:  # Note: can only be used if type is same-gvc or workload-list
    #- //gvc/GVC_NAME/workload/WORKLOAD_NAME

redis:
  redis:
    resources:
      cpu: 200m
      memory: 256Mi
      minCpu: 80m
      minMemory: 128Mi
    replicas: 2
    auth:
      password:
        enabled: true
        value: myRedisPassword
    firewall:
      internal_inboundAllowType: same-gvc
    persistence:
      enabled: true
  sentinel:
    resources:
      cpu: 200m
      memory: 256Mi
      minCpu: 80m
      minMemory: 128Mi
    replicas: 3
    auth:
      password:
        enabled: true
        value: mySentinelPassword
    firewall:
      internal_inboundAllowType: same-gvc
    persistence:
      enabled: true

API Definitions & Policies

  • apiSecretName — Name of the pre-existing Control Plane secret containing API definitions. Each key in the dictionary is a JSON filename mounted at /opt/tyk-gateway/apps. Must be created before deploying.
  • policySecretName — Name of the pre-existing Control Plane opaque secret containing the policies JSON, mounted at /opt/tyk-gateway/policies/policies.json. Must be created before deploying.
Leave either value empty to omit that mount from the gateway workload.

Admin Secret

  • adminSecret — The admin API key used for gateway management operations (e.g. creating keys, reloading APIs). Change before deploying to production. Stored in a dictionary secret and injected into the gateway at startup.

Resources & Autoscaling

  • resources.cpu / resources.memory — CPU and memory allocated to the Tyk Gateway workload.
  • autoscaling.minScale / autoscaling.maxScale — Minimum and maximum number of gateway replicas.
  • autoscaling.metric — Scaling metric (cpu by default).
  • autoscaling.target — Target metric value that triggers a scale-up.
  • autoscaling.scaleToZeroDelay — Seconds of inactivity before scaling to zero (only applies when minScale is 0).
  • multiZone — When true, spreads replicas across availability zones within the location.

Access

  • externalAccess — Set to true to expose the gateway publicly. Set to false for internal-only access.
  • internalAccess.type — Controls which workloads can connect to the gateway internally:
    Type           Description
    none           No internal access allowed
    same-gvc       Allow access from all workloads in the same GVC
    same-org       Allow access from all workloads in the same organization
    workload-list  Allow access only from specific workloads listed in workloads
  • internalAccess.workloads — List of specific workload links, used when type is workload-list.

Redis

The Redis subchart is configured under the redis key. See the Redis template for full configuration details. Key options:
  • redis.redis.replicas — Number of Redis replicas.
  • redis.redis.auth.password.enabled / redis.redis.auth.password.value — Redis password authentication. Change before deploying to production.
  • redis.redis.persistence.enabled — Persist Redis data to a volume set.
  • redis.sentinel.replicas — Number of Sentinel replicas (3 recommended for production).
  • redis.sentinel.auth.password.enabled / redis.sentinel.auth.password.value — Sentinel password authentication. Change before deploying to production.
  • redis.sentinel.persistence.enabled — Persist Sentinel state to a volume set.

Connecting to the Gateway

Access the gateway from within the same GVC at:
RELEASE_NAME-tyk-api-gateway.GVC_NAME.cpln.local:8080
When externalAccess is true, the gateway is also reachable via its public Control Plane endpoint. The Tyk management API is available on the same port under the /tyk/ path. Requests require the x-tyk-authorization header set to the value of adminSecret.

Ports

  Port  Protocol  Description
  8080  HTTP      API traffic and management API (/tyk/)

External References