Introduction

We assume you have already installed Tyk. If you don’t have it, check out Tyk Cloud or Tyk Self Managed page. Tyk Helm Chart is the preferred (and easiest) way to install Tyk on Kubernetes. In order for policy ID matching to work correctly, Dashboard must have allow_explicit_policy_id and enable_duplicate_slugs set to true and Gateway must have policies.allow_explicit_policy_id set to true. Tyk Operator needs a user credential to connect with Tyk Dashboard. The Operator user should have write access to the resources it is going to manage, e.g. APIs, Certificates, Policies, and Portal. It is the recommended practice to turn off write access for other users for the above resources. See Using Tyk Operator to enable GitOps with Tyk about maintaining a single source of truth for your API configurations.

Install cert-manager

Tyk Operator uses cert-manager to provision certificates for the webhook server. If you don’t have cert-manager installed, you can follow this command to install it: Alternatively, you have the option to manually handle TLS certificates by disabling the cert-manager requirement. For more details, please refer to this configuration. 
$ kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.8.0/cert-manager.yaml
Since Tyk Operator supports Kubernetes v1.19+, the minimum cert-manager version you can use is v1.8. If you run into the cert-manager related errors, please ensure that the desired version of Kubernetes version works with the chosen version of cert-manager by checking supported releases page and cert-manager documentation. Please wait for the cert-manager to become available before continuing with the next step.

Option 1: Install Tyk Operator via Tyk’s Umbrella Helm Charts

If you are using Tyk Stack, Tyk Control Plane, or Tyk Open Source Chart, you can install Tyk Operator alongside other Tyk components by setting value global.components.operator to true. Starting from Tyk Operator v1.0, a license key is required to use the Tyk Operator. You can provide it while installing Tyk Stack, Tyk Control Plane or Tyk OSS helm chart by setting global.license.operator field. You can also set license key via a Kubernetes secret using global.secrets.useSecretName field. The secret should contain a key called OperatorLicense Note: If you are using global.secrets.useSecretName, you must configure the operator license in the referenced Kubernetes secret. global.license.operator will not be used in this case.

Option 2: Install Tyk Operator via stand-alone Helm Chart

If you prefer to install Tyk Operator separately, follow this section to install Tyk Operator using Helm.

Configure Tyk Operator via environment variable or tyk-operator-conf secret

Tyk Operator configurations can be set using envVars field of helm chart. See the table below for a list of expected environment variable names and example values. 
envVars:
  - name: TYK_OPERATOR_LICENSEKEY
    value: "{YOUR_LICENSE_KEY}"
  - name: TYK_MODE
    value: "pro"
  - name: TYK_URL
    value: "http://dashboard-svc-tyk-tyk-dashboard.tyk.svc:3000"
  - name: TYK_AUTH
    value: "2d095c2155774fe36d77e5cbe3ac963b"
  - name: TYK_ORG
    value: "5e9d9544a1dcd60001d0ed20"
It can also be set via a Kubernetes secret. The default K8s secret name is tyk-operator-conf. If you want to use another name, configure it through Helm Chart envFrom value. The Kubernetes secret or envVars field should set the following keys:
KeyMandatoryExample ValueDescription
TYK_OPERATOR_LICENSEKEYYes<JWT_ENCODED_LICENSE_KEY>Tyk Operator license key
TYK_MODEYespro“ce” for Tyk Open Source mode, “pro” for Tyk licensed mode.
TYK_URLYeshttp://dashboard-svc-tyk-tyk-dashboard.tyk.svc:3000Management URL of Tyk Gateway (Open Source) or Tyk Dashboard
TYK_AUTHYes2d095c2155774fe36d77e5cbe3ac963bOperator user API key.
TYK_ORGYes5e9d9544a1dcd60001d0ed20Operator user ORG ID.
TYK_TLS_INSECURE_SKIP_VERIFYNotrueSet to “true” if the Tyk URL is HTTPS and has a self-signed certificate. If it isn’t set, the default value is false.
WATCH_NAMESPACENofoo,barComma separated list of namespaces for Operator to operate on. The default is to operate on all namespaces if not specified.
WATCH_INGRESS_CLASSNocustomclassDefine the ingress class Tyk Operator should watch. Default is tyk
TYK_HTTPS_INGRESS_PORTNo8443Define the ListenPort for HTTPS ingress. Default is 8443.
TYK_HTTP_INGRESS_PORTNo8080Define the ListenPort for HTTP ingress. Default is 8080.
Connect to Tyk Gateway or Dashboard If you install Tyk using Helm Chart, tyk-operator-conf will have been created with the following keys: TYK_OPERATOR_LICENSEKEY, TYK_AUTH, TYK_MODE, TYK_ORG, and TYK_URL by default. If you didn’t use Helm Chart for installation, please prepare tyk-operator-conf secret yourself using the commands below: 
$ kubectl create namespace tyk-operator-system

$ kubectl create secret -n tyk-operator-system generic tyk-operator-conf \
  --from-literal "TYK_OPERATOR_LICENSEKEY=${TYK_OPERATOR_LICENSEKEY}" \
  --from-literal "TYK_AUTH=${TYK_AUTH}" \
  --from-literal "TYK_ORG=${TYK_ORG}" \
  --from-literal "TYK_MODE=${TYK_MODE}" \
  --from-literal "TYK_URL=${TYK_URL}"
User API key and Organization ID can be found under “Add / Edit User” page within Tyk Dashboard. TYK_AUTH corresponds to Tyk Dashboard API Access Credentials. TYK_ORG corresponds to Organization ID.
If the credentials embedded in the tyk-operator-conf are ever changed or updated, the tyk-operator-controller-manager pod must be restarted to pick up these changes.
Watch Namespaces Tyk Operator is installed with cluster permissions. However, you can optionally control which namespaces it watches by setting the WATCH_NAMESPACE through tyk-operator-conf secret or the environment variable to a comma separated list of k8s namespaces. For example:
  • WATCH_NAMESPACE="" will watch for resources across the entire cluster.
  • WATCH_NAMESPACE="foo" will watch for resources in the foo namespace.
  • WATCH_NAMESPACE="foo,bar" will watch for resources in the foo and bar namespace.
Watch custom ingress class You can configure Tyk Operator as Ingress Controller so that Ingress resources can be managed by Tyk as APIs. By default, Tyk Operator looks for the value tyk in Ingress resources kubernetes.io/ingress.class annotation and will ignore all other ingress classes. If you want to override this default behavior, you may do so by setting WATCH_INGRESS_CLASS through tyk-operator-conf or the environment variable.

Install Tyk Operator and Custom Resource Definitions (CRDs)

You can install CRDs and Tyk Operator using the stand-alone Helm Chart by running the following command: 
$ helm repo add tyk-helm https://helm.tyk.io/public/helm/charts/
$ helm repo update

$ helm install tyk-operator tyk-helm/tyk-operator -n tyk-operator-system
This process will deploy Tyk Operator and its required Custom Resource Definitions (CRDs) into your Kubernetes cluster in tyk-operator-system namespace. Helm configurations
Starting from Tyk Operator v1.2.0, webhookPort is deprecated in favor of webhooks.port.
KeyTypeDefault
envFrom[0].secretRef.namestring"tyk-operator-conf"
envVars[0].namestring"TYK_OPERATOR_LICENSEKEY"
envVars[0].valuestring"{OPERATOR_LICENSEKEY}"
envVars[1].namestring"TYK_HTTPS_INGRESS_PORT"
envVars[1].valuestring"8443"
envVars[2].namestring"TYK_HTTP_INGRESS_PORT"
envVars[2].valuestring"8080"
extraVolumeMountslist[]
extraVolumeslist[]
fullnameOverridestring""
healthProbePortint8081
hostNetworkboolfalse
image.pullPolicystring"IfNotPresent"
image.repositorystring"tykio/tyk-operator"
image.tagstring"v1.0.0"
imagePullSecretslist[]
metricsPortint8080
nameOverridestring""
nodeSelectorobject{}
podAnnotationsobject{}
podSecurityContext.allowPrivilegeEscalationboolfalse
rbac.portint8443
rbac.resourcesobject{}
replicaCountint1
resourcesobject{}
serviceMonitorboolfalse
webhookPortint9443
webhooks.enabledbooltrue
webhooks.portint9443
webhooks.annotationsobject{}
webhooks.tls.useCertManagerbooltrue
webhooks.tls.secretNamestringwebhook-server-cert
webhooks.tls.certificatesMountPathstring/tmp/k8s-webhook-server/serving-certs

Upgrading Tyk Operator

Upgrading from v0.x to v1.0+

Starting from Tyk Operator v1.0, a valid license key is required for the Tyk Operator to function. If Tyk Operator is upgraded from v0.x versions to one of v1.0+ versions, Tyk Operator needs a valid license key that needs to be provided during upgrade process. This section describes how to set Tyk Operator license key to make sure Tyk Operator continues functioning. To provide the license key for Tyk Operator, Kubernetes secret used to configure Tyk Operator (typically named tyk-operator-conf as described above) requires an additional field called TYK_OPERATOR_LICENSEKEY. Populate this field with your Tyk Operator license key. To configure the license key:
  1. Locate the Kubernetes Secret used to configure Tyk Operator (typically named tyk-operator-conf).
  2. Add a new field called TYK_OPERATOR_LICENSEKEY to this Secret.
  3. Set the value of TYK_OPERATOR_LICENSEKEY to your Tyk Operator license key.
After updating the Kubernetes secret with this field, proceed with the standard upgrade process outlined below.

Upgrading Tyk Operator and CRDs

You can upgrade Tyk Operator through Helm Chart by running the following command: 
$ helm upgrade -n tyk-operator-system tyk-operator tyk-helm/tyk-operator --wait
Helm does not upgrade or delete CRDs when performing an upgrade. Because of this restriction, an additional step is required when upgrading Tyk Operator with Helm. 
$ kubectl apply -f https://raw.githubusercontent.com/TykTechnologies/tyk-charts/refs/heads/main/tyk-operator-crds/crd-$TYK_OPERATOR_VERSION.yaml
Replace TYKOPERATORVERSIONwiththeimagetagcorrespondingtotheTykOperatorversiontowhichtheCustomResourceDefinitions(CRDs)belong.Forexample,toinstallCRDscompatiblewithTykOperatorv1.0.0,setTYK_OPERATOR_VERSION with the image tag corresponding to the Tyk Operator version to which the Custom Resource Definitions (CRDs) belong. For example, to install CRDs compatible with Tyk Operator v1.0.0, set TYK_OPERATOR_VERSION to v1.0.0.

Uninstalling Tyk Operator

To uninstall Tyk Operator, you need to run the following command: 
$ helm delete tyk-operator -n tyk-operator-system

Webhook Configuration

Starting from Operator v1.2.0 release, Kubernetes Webhooks can now be configured using the Helm chart by specifying the necessary settings in the values.yaml file of the operator. Since webhooks are enabled by default, there will be no impact to existing users. 
webhooks:
  enabled: true
  port: 9443
  annotations: {}
  tls:
    useCertManager: true
    secretName: webhook-server-cert
    certificatesMountPath: "/tmp/k8s-webhook-server/serving-certs"
  • enabled: Enables or disables webhooks.
  • port: Specifies the port for webhook communication.
  • annotations: Allows adding custom annotations.
  • tls.useCertManager: If true, Cert-Manager will handle TLS certificates.
  • tls.secretName: The name of the Kubernetes Secret storing the TLS certificate.
  • tls.certificatesMountPath: Path where the webhook server mounts its certificates.