Automations Tools
Tyk Operator - API Management in Kubernetes
Introduction
Using Tyk Operator within Kubernetes allows you to manage API lifecycles declaratively. This section provides instructions for setting up and configuring the Tyk Operator to automate API creation, updates, and security in Kubernetes clusters, ensuring your APIs align with Kubernetes management practices.What is Tyk Operator?
If you’re using Kubernetes, or if you’re building an API that operates within a Kubernetes environment, the Tyk Operator is a powerful tool for automating the API lifecycle. Tyk Operator is a native Kubernetes operator, allowing you to define and manage APIs as code. This means you can deploy, update, and secure APIs using the same declarative configuration approach Kubernetes uses for other application components.
Key Concepts
GitOps With Tyk
With Tyk Operator, you can configure your APIs using Kubernetes native manifest files. You can use the manifest files in a GitOps workflow as the single source of truth for API deployment.If you use Tyk Operator to manage your APIs, you should set up RBAC such that human users cannot have the “write” permission on the API definition endpoints using Tyk Dashboard.
What is GitOps?
“GitOps” refers to the operating model of using Git as the “single source of truth” to drive continuous delivery for infrastructure and software through automated CI/CD workflow.Tyk Operator in your GitOps workflow
You can install Argo CD, Flux CD or the GitOps tool of your choice in a cluster, and connect it to the Git repository where you version control your API manifests. The tool can synchronise changes from Git to your cluster. The API manifest updates in cluster would be detected by Tyk Operator, which has a Kubernetes controller to automatically reconcile the API configurations on your Tyk Gateway or Tyk Dashboard. Kubernetes-Native Developer Experience API Developers enjoy a smoother Continuous Integration process as they can develop, test, and deploy the microservices. API configurations together use familiar development toolings and pipeline. Reliability With declarative API configurations, you have a single source of truth to recover after any system failures, reducing the meantime to recovery from hours to minutes.Single Source of Truth for API Configurations
Tyk Operator will reconcile any divergence between the Kubernetes desired state and the actual state in Tyk Gateway or Tyk Dashboard. Therefore, you should maintain the API definition manifests in Kubernetes as the single source of truth for your system. If you update your API configurations using Tyk Dashboard, those changes would be reverted by Tyk Operator eventually. To learn more about Gitops with Tyk, refer the following blog posts:- GitOps-enabled API management in Kubernetes
- A practical guide using Tyk Operator, ArgoCD, and Kustomize
Custom Resources in Tyk
In Kubernetes, a Custom Resource (CR) is an extension of the Kubernetes API that allows you to introduce custom objects in your cluster. Custom Resources enable you to define and manage custom configurations and settings specific to your applications, making Kubernetes highly extensible. These custom objects are defined using Custom Resource Definitions (CRDs), which specify the schema and structure of the resource. Tyk Operator manages multiple custom resources to help users create and maintain their API configurations: TykOasApiDefinition: Available from Tyk Operator v1.0. It represents a Tyk OAS API configuration. Tyk OAS API is based on the OpenAPI specification (OAS) and is the recommended format for standard HTTP APIs. ApiDefinition: Available on all versions of Tyk Operator. It represents a Tyk Classic API configuration. Tyk Classic API is the traditional format used for defining all APIs in Tyk, and now the recommended format for non-HTTP APIs such as TCP, GraphQL, and Universal Data Graph (UDG). Tyk Operator supports the major features of Tyk Classic API and the feature support details can be tracked here. TykStreamsApiDefinition: Available from Tyk Operator v1.1. It represents an Async API configuration which is based on Tyk OAS API Definition. Tyk Operator supports all Tyk Streams features as they become available on the Gateway. SecurityPolicy: Available on all versions of Tyk Operator. It represents a Tyk Security Policy configuration. Security Policies in Tyk provide a way to define and enforce security controls, including authentication, authorization, and rate limiting for APIs managed in Tyk. Tyk Operator supports essential features of Security Policies, allowing users to centrally manage access control and security enforcement for all APIs across clusters. These custom resources enable users to leverage Kubernetes’ declarative configuration management to define, modify, and version their APIs, seamlessly integrating with other Kubernetes-based workflows and tools.Custom Resources for API and Policy Configuration
The following custom resources can be used to configure APIs and policies at Tyk Gateway or Tyk Dashboard.| Kind | Group | Version | Description |
|---|---|---|---|
| TykOasApiDefinition | tyk.tyk.io | v1alpha1 | Defines configuration of Tyk OAS API Definition object |
| ApiDefinition | tyk.tyk.io | v1alpha1 | Defines configuration of Tyk Classic API Definition object |
| TykStreamsApiDefinition | tyk.tyk.io | v1alpha1 | Defines configuration of Tyk Streams |
| SecurityPolicy | tyk.tyk.io | v1alpha1 | Defines configuration of security policies. Operator supports linking ApiDefinition custom resources in SecurityPolicy’s access list so that API IDs do not need to be hardcoded in the resource manifest. |
| SubGraph | tyk.tyk.io | v1alpha1 | Defines a GraphQL federation subgraph. |
| SuperGraph | tyk.tyk.io | v1alpha1 | Defines a GraphQL federation supergraph. |
| OperatorContext | tyk.tyk.io | v1alpha1 | Manages the context in which the Tyk Operator operates, affecting its overall behavior and environment. See Operator Context for details. |
Tyk Classic Developer Portal
The following custom resources can be used to configure Tyk Classic Developer Portal.| Kind | Group | Version | Description |
|---|---|---|---|
| APIDescription | tyk.tyk.io | v1alpha1 | Configures Portal Documentation. |
| PortalAPICatalogue | tyk.tyk.io | v1alpha1 | Configures Portal API Catalogue. |
| PortalConfig | tyk.tyk.io | v1alpha1 | Configures Portal Configuration. |
Reconciliation With Tyk Operator
Controllers & Operators
In Kubernetes, controllers watch one or more Kubernetes resources, which can be built-in types like Deployments or custom resources like ApiDefinition - in this case, we refer to Controller as Operator. The purpose of a controller is to match the desired state by using Kubernetes APIs and external APIs.A Kubernetes operator is an application-specific controller that extends the functionality of the Kubernetes API to create, configure, and manage instances of complex applications on behalf of a Kubernetes user.
Desired State vs Observed State
Let’s start with the Desired State. It is defined through Kubernetes Manifests, most likely YAML or JSON, to describe what you want your system to be in. Controllers will watch the resources and try to match the actual state (the observed state) with the desired state for Kubernetes Objects. For example, you may want to create a Deployment that is intended to run three replicas. So, you can define this desired state in the manifests, and Controllers will perform necessary operations to make it happen. How about Observed State? Although the details of the observed state may change controller by controller, usually controllers update the status field of Kubernetes objects to store the observed state. For example, in Tyk Operator, we update the status to include api_id, so that Tyk Operator can understand that the object was successfully created on Tyk.Reconciliation
Reconciliation is a special design paradigm used in Kubernetes controllers. Tyk Operator also uses the same paradigm, which is responsible for keeping our Kubernetes objects in sync with the underlying external APIs - which is Tyk in our case. When would reconciliation happen?Before diving into Tyk Operator reconciliation, let’s briefly mention some technical details about how and when reconciliation happens. Reconciliation only happens when certain events happen on your cluster or objects. Therefore, Reconciliation will NOT be triggered when there is an update or modification on Tyk’s side. It only watches certain Kubernetes events and is triggered based on them. Usually, the reconciliation happens when you modify a Kubernetes object or when the cache used by the controller expires - side note, controllers, in general, use cached objects to reduce the load in the Kube API server. Typically, caches expire in ~10 hours or so but the expiration time might change based on Operator configurations. So, in order to trigger Reconciliation, you can either
- modify an object, which will trigger reconciliation over this modified object or,
- restart Tyk Operator pod, which will trigger reconciliation over each of the objects watched by Tyk Operator.
Tyk Operator will compare desired state of the Kubernetes object with the observed state in Tyk. If there is a drift, Tyk Operator will update the actual state on Tyk with the desired state. In the reconciliation, Tyk Operator mainly controls three operations; DELETE, CREATE, and UPDATE.
- CREATE - an object is created in Kubernetes but not exists in Tyk
- UPDATE - an object is in different in Kubernetes and Tyk (we compare that by hash)
- DELETE - an object is deleted in Kubernetes but exists in Tyk
If human operators or any other system delete or modify API Definition from Tyk Gateway or Dashboard, Tyk Operator will restore the desired state back to Tyk during reconciliation. This is called Drift Detection. It can protect your systems from unauthorized or accidental modifications. It is a best practice to limit user access rights on production environment to read-only in order to prevent accidental updates through API Manager directly.
CRD Versioning
Tyk follows standard practices for naming and versioning custom resources as outlined by the Kubernetes Custom Resource Definition versioning guidelines. Although we are currently on thev1alpha1 version, no breaking changes will be introduced to existing Custom Resources without a version bump. This means that any significant changes or updates that could impact existing resources will result in a new version (e.g., v1beta1 or v1) and Operator will continue supporting all CRD versions for a reasonable time before deprecating an older version. This ensures a smooth transition and compatibility, allowing you to upgrade without disrupting your current configurations and workflows.
For more details on Kubernetes CRD versioning practices, refer to the Kubernetes Custom Resource Definition Versioning documentation.
Operator User
Tyk Operator is a Kubernetes Controller that manages Tyk Custom Resources (CRs) such as API Definitions and Security Policies. Developers define these resources as Custom Resource (CRs), and Tyk Operator ensures that the desired state is reconciled with the Tyk Gateway or Dashboard. This involves creating, updating, or deleting API configurations until the target state matches the desired state. For the Tyk Dashboard, Tyk Operator functions as a system user, bound by Organization and RBAC rules. During start up, Tyk Operator looks for these keys fromtyk-operator-conf secret or from the environment variables (listed in the table below).
| Key or Environment Variable | Description |
|---|---|
TYK_MODE | ”ce” for OSS or “pro” for licensed users |
TYK_URL | URL of Tyk Gateway or Dashboard API |
TYK_ORG | Organization ID of Operator user |
TYK_AUTH | API key of Operator user |
Multi-tenancy in Tyk
Tyk Dashboard is multi-tenant capable, which means you can use a single Tyk Dashboard instance to host separate organizations for each team or department. Each organization is a completely isolated unit with its own:- API Definitions
- API Keys
- Users
- Developers
- Domain
- Tyk Classic Portal
Define OperatorContext for Multi-Tenant API Management
TheOperatorContext in Tyk Operator allows you to create isolated management environments by defining specific access parameters for different teams or departments within a shared Tyk Operator instance. It helps you specify:
- The Tyk Dashboard with which the Operator interacts
- The organization under which API management occurs
- The user identity utilized for requests
- The environment in which the Operator operates
OperatorContext configurations, you can define unique access and management contexts for different teams. These contexts can then be referenced directly in your ApiDefinition, TykOasApiDefinition, TykStreamsApiDefinition or SecurityPolicy custom resource definitions (CRDs) using the contextRef field, enabling precise control over API configurations.
Example Scenarios Using OperatorContext
-
No OperatorContext Defined
- If no
OperatorContextis defined, Tyk Operator defaults to using credentials from thetyk-operator-confsecret or from environment variables. This means all API management actions are performed under the system’s default user credentials, with no specific contextual isolation.
- If no
-
OperatorContext Defined but Not Referenced
- When an
OperatorContextis defined but not referenced in an API configuration, Tyk Operator continues to use the default credentials fromtyk-operator-conf. The specifiedOperatorContextis ignored, resulting in API operations being managed under default credentials.
- When an
-
OperatorContext Defined and Referenced
- If a specific
OperatorContextis both defined and referenced in an API or policy, Tyk Operator utilizes the credentials and parameters from the referencedOperatorContextto perform API operations. This allows each API or policy to be managed with isolated configurations, enabling team-based or department-specific API management within the same Kubernetes cluster.
- If a specific
OperatorContext offers flexibility for multi-tenancy, helping organizations manage and isolate API configurations based on their specific team or departmental needs.
TLS Certificates
Tyk Operator is designed to offer a seamless Kubernetes-native experience by managing TLS certificates stored within Kubernetes for your API needs. Traditionally, to use a certificate (e.g., as a client certificate, domain certificate, or certificate for accessing an upstream service), you would need to manually upload the certificate to Tyk and then reference it using a ‘Certificate ID’ in your API definitions. This process can become cumbersome, especially in a Kubernetes environment where certificates are often managed as secrets and may rotate frequently. To address this challenge, Tyk Operator allows you to directly reference certificates stored as Kubernetes secrets within your custom resource definitions (CRDs). This reduces operational overhead, minimizes the risk of API downtime due to certificate mismatches, and provides a more intuitive experience for API developers.Benefits of Managing Certificates with Tyk Operator
- Reduced operational overhead: Automates the process of updating certificates when they rotate.
- Minimized risk of API downtime: Ensures that APIs continue to function smoothly, even when certificates are updated.
- Improved developer experience: Removes the need for API developers to manage certificate IDs manually.
Examples
| Certificate Type | Supported in ApiDefinition | Supported in TykOasApiDefinition | Supported in TykStreamsApiDefinition |
|---|---|---|---|
| Client certifates | ✅ Client mTLS | ✅ Client mTLS | Certificate ID can be set in the API Definition but configuring certificates from Secrets in CRD is not supported. |
| Custom domain certificates | ✅ TLS and SSL | ✅ TLS and SSL | Certificate ID can be set in the API Definition but configuring certificates from Secrets in CRD is not supported. |
| Public keys pinning | ✅ Certificate pinning | ✅ Certificate pinning | Certificate ID can be set in the API Definition but configuring certificates from Secrets in CRD is not supported. |
| Upstream mTLS | ✅ Upstream mTLS via Operator | ✅ Upstream mTLS via Operator | Certificate ID can be set in the API Definition but configuring certificates from Secrets in CRD is not supported. |
Install and Configure Tyk Operator
We assume you have already installed Tyk. If you don’t have it, check out Tyk Cloud or Tyk Self Managed page. Tyk Helm Chart is the preferred (and easiest) way to install Tyk on Kubernetes. In order for policy ID matching to work correctly, Dashboard must haveallow_explicit_policy_id and
enable_duplicate_slugs set to true and Gateway must have policies.allow_explicit_policy_id set to true.
Tyk Operator needs a user credential to connect with
Tyk Dashboard. The Operator user should have write access to the resources it is going to manage, e.g. APIs, Certificates,
Policies, and Portal. It is the recommended practice to turn off write access for other users for the above resources. See
Using Tyk Operator to enable GitOps with Tyk about
maintaining a single source of truth for your API configurations.
Install cert-manager
Tyk Operator uses cert-manager to provision certificates for the webhook server. If you don’t have cert-manager installed, you can follow this command to install it: Alternatively, you have the option to manually handle TLS certificates by disabling thecert-manager requirement. For more details, please refer to this configuration.
Option 1: Install Tyk Operator via Tyk’s Umbrella Helm Charts
If you are using Tyk Stack, Tyk Control Plane, or Tyk Open Source Chart, you can install Tyk Operator alongside other Tyk components by setting valueglobal.components.operator to true.
Starting from Tyk Operator v1.0, a license key is required to use the Tyk Operator. You can provide it while installing
Tyk Stack, Tyk Control Plane or Tyk OSS helm chart by setting global.license.operator field. You can also set license
key via a Kubernetes secret using global.secrets.useSecretName field. The secret should contain a key called
OperatorLicense
Note: If you are using global.secrets.useSecretName, you must configure the operator license in the referenced Kubernetes secret. global.license.operator will not be used in this case.
Option 2: Install Tyk Operator via stand-alone Helm Chart
If you prefer to install Tyk Operator separately, follow this section to install Tyk Operator using Helm.Configure Tyk Operator via environment variable or tyk-operator-conf secret
Tyk Operator configurations can be set usingenvVars field of helm chart. See the table below for a list of expected
environment variable names and example values.
tyk-operator-conf. If you want to use
another name, configure it through Helm Chart envFrom value.
The Kubernetes secret or envVars field should set the following keys:
| Key | Mandatory | Example Value | Description |
|---|---|---|---|
| TYK_OPERATOR_LICENSEKEY | Yes | <JWT_ENCODED_LICENSE_KEY> | Tyk Operator license key |
| TYK_MODE | Yes | pro | “ce” for Tyk Open Source mode, “pro” for Tyk licensed mode. |
| TYK_URL | Yes | http://dashboard-svc-tyk-tyk-dashboard.tyk.svc:3000 | Management URL of Tyk Gateway (Open Source) or Tyk Dashboard |
| TYK_AUTH | Yes | 2d095c2155774fe36d77e5cbe3ac963b | Operator user API key. |
| TYK_ORG | Yes | 5e9d9544a1dcd60001d0ed20 | Operator user ORG ID. |
| TYK_TLS_INSECURE_SKIP_VERIFY | No | true | Set to “true” if the Tyk URL is HTTPS and has a self-signed certificate. If it isn’t set, the default value is false. |
| WATCH_NAMESPACE | No | foo,bar | Comma separated list of namespaces for Operator to operate on. The default is to operate on all namespaces if not specified. |
| WATCH_INGRESS_CLASS | No | customclass | Define the ingress class Tyk Operator should watch. Default is tyk |
| TYK_HTTPS_INGRESS_PORT | No | 8443 | Define the ListenPort for HTTPS ingress. Default is 8443. |
| TYK_HTTP_INGRESS_PORT | No | 8080 | Define the ListenPort for HTTP ingress. Default is 8080. |
tyk-operator-conf will have been created with the following keys:
TYK_OPERATOR_LICENSEKEY, TYK_AUTH, TYK_MODE, TYK_ORG, and TYK_URL by default. If you didn’t use Helm Chart for
installation, please prepare tyk-operator-conf secret yourself using the commands below:
User API key and Organization ID can be found under “Add / Edit User” page within Tyk Dashboard.
TYK_AUTH corresponds
to Tyk Dashboard API Access Credentials. TYK_ORG corresponds to Organization ID.If the credentials embedded in the
tyk-operator-conf are ever changed or updated, the tyk-operator-controller-manager
pod must be restarted to pick up these changes.WATCH_NAMESPACE through tyk-operator-conf secret or the environment variable to a comma separated list
of k8s namespaces. For example:
WATCH_NAMESPACE=""will watch for resources across the entire cluster.WATCH_NAMESPACE="foo"will watch for resources in thefoonamespace.WATCH_NAMESPACE="foo,bar"will watch for resources in thefooandbarnamespace.
tyk in Ingress resources kubernetes.io/ingress.class annotation
and will ignore all other ingress classes. If you want to override this default behavior, you may do so by setting
WATCH_INGRESS_CLASS through tyk-operator-conf or the environment variable.
Install Tyk Operator and Custom Resource Definitions (CRDs)
You can install CRDs and Tyk Operator using the stand-alone Helm Chart by running the following command:tyk-operator-system namespace.
Helm configurations
Starting from Tyk Operator v1.2.0,
webhookPort is deprecated in favor of webhooks.port.| Key | Type | Default |
|---|---|---|
| envFrom[0].secretRef.name | string | "tyk-operator-conf" |
| envVars[0].name | string | "TYK_OPERATOR_LICENSEKEY" |
| envVars[0].value | string | "{OPERATOR_LICENSEKEY}" |
| envVars[1].name | string | "TYK_HTTPS_INGRESS_PORT" |
| envVars[1].value | string | "8443" |
| envVars[2].name | string | "TYK_HTTP_INGRESS_PORT" |
| envVars[2].value | string | "8080" |
| extraVolumeMounts | list | [] |
| extraVolumes | list | [] |
| fullnameOverride | string | "" |
| healthProbePort | int | 8081 |
| hostNetwork | bool | false |
| image.pullPolicy | string | "IfNotPresent" |
| image.repository | string | "tykio/tyk-operator" |
| image.tag | string | "v1.0.0" |
| imagePullSecrets | list | [] |
| metricsPort | int | 8080 |
| nameOverride | string | "" |
| nodeSelector | object | {} |
| podAnnotations | object | {} |
| podSecurityContext.allowPrivilegeEscalation | bool | false |
| rbac.port | int | 8443 |
| rbac.resources | object | {} |
| replicaCount | int | 1 |
| resources | object | {} |
| serviceMonitor | bool | false |
| webhookPort | int | 9443 |
| webhooks.enabled | bool | true |
| webhooks.port | int | 9443 |
| webhooks.annotations | object | {} |
| webhooks.tls.useCertManager | bool | true |
| webhooks.tls.secretName | string | webhook-server-cert |
| webhooks.tls.certificatesMountPath | string | /tmp/k8s-webhook-server/serving-certs |
Upgrading Tyk Operator
Upgrading from v0.x to v1.0+
Starting from Tyk Operator v1.0, a valid license key is required for the Tyk Operator to function. If Tyk Operator is upgraded from v0.x versions to one of v1.0+ versions, Tyk Operator needs a valid license key that needs to be provided during upgrade process. This section describes how to set Tyk Operator license key to make sure Tyk Operator continues functioning. To provide the license key for Tyk Operator, Kubernetes secret used to configure Tyk Operator (typically named tyk-operator-conf as described above) requires an additional field calledTYK_OPERATOR_LICENSEKEY. Populate this field
with your Tyk Operator license key.
To configure the license key:
- Locate the Kubernetes Secret used to configure Tyk Operator (typically named
tyk-operator-conf). - Add a new field called
TYK_OPERATOR_LICENSEKEYto this Secret. - Set the value of
TYK_OPERATOR_LICENSEKEYto your Tyk Operator license key.
Upgrading Tyk Operator and CRDs
You can upgrade Tyk Operator through Helm Chart by running the following command:Replace TYK_OPERATOR_VERSION to v1.0.0.
Uninstalling Tyk Operator
To uninstall Tyk Operator, you need to run the following command:Webhook Configuration
Starting from Operator v1.2.0 release, Kubernetes Webhooks can now be configured using the Helm chart by specifying the necessary settings in the values.yaml file of the operator. Since webhooks are enabled by default, there will be no impact to existing users.enabled: Enables or disables webhooks.port: Specifies the port for webhook communication.annotations: Allows adding custom annotations.tls.useCertManager: If true, Cert-Manager will handle TLS certificates.tls.secretName: The name of the Kubernetes Secret storing the TLS certificate.tls.certificatesMountPath: Path where the webhook server mounts its certificates.
Set Up Tyk OAS API
Setting up OpenAPI Specification (OAS) APIs with Tyk involves preparing an OAS-compliant API definition and configuring it within your Kubernetes cluster using Tyk Operator. This process allows you to streamline API management by storing the OAS definition in a Kubernetes ConfigMap and linking it to Tyk Gateway through a TykOasApiDefinition resource.Create your Tyk OAS API
Prepare the Tyk OAS API Definition
First, you need to have a complete Tyk OAS API definition file ready. This file will contain all the necessary configuration details for your API in OpenAPI Specification (OAS) format. Here is an example of what the Tyk OAS API definition might look like. Note that Tyk extensionx-tyk-api-gateway section should be present.
oas-api-definition.json) locally.
TipsYou can create and configure your API easily using Tyk Dashboard in a developer environment, and then obtain the Tyk OAS API definition following these instructions:
- Open the Tyk Dashboard
- Navigate to the API you want to manage with the Tyk Operator
- Click on the “Actions” menu button and select “View API Definition.”
- This will display the raw Tyk OAS API definition of your API, which you can then copy and save locally.
Create a ConfigMap for the Tyk OAS API Definition
You need to create a ConfigMap in Kubernetes to store your Tyk OAS API definition. The Tyk Operator will reference this ConfigMap to retrieve the API configuration. To create the ConfigMap, run the following command:tyk-oas-api-config in the tyk namespace (replace tyk with your actual namespace if different).
NotesThere is inherent size limit to a ConfigMap. The data stored in a ConfigMap cannot exceed 1 MiB. In case your OpenAPI document exceeds this size limit, it is recommended to split your API into smaller sub-APIs for easy management. For details, please consult Best Practices for Describing Large APIs from the OpenAPI initiative.
NotesIf you prefer to create ConfigMap with a manifest using
kubectl apply command, you may get an error that the annotation metadata cannot exceed 256KB. It is because by using kubectl apply, kubectl automatically saves the whole configuration in the annotation kubectl.kubernetes.io/last-applied-configuration for tracking changes. Your Tyk OAS API Definition may easily exceed the size limit of annotations (256KB). Therefore, kubectl create is used here to get around the problem.Create a TykOasApiDefinition Custom Resource
Now, create aTykOasApiDefinition resource to tell the Tyk Operator to use the Tyk OAS API definition stored in the ConfigMap.
Create a manifest file named tyk-oas-api-definition.yaml with the following content:
Apply the TykOasApiDefinition Manifest
Usekubectl to apply the TykOasApiDefinition manifest to your cluster:
TykOasApiDefinition resource in your cluster. The Tyk Operator will watch for this resource and configures Tyk Gateway or Tyk Dashboard with a new API using the provided Tyk OAS API definition.
Verify the Tyk OAS API Creation
To verify that the API has been successfully created, check the status of the TykOasApiDefinition resource:Test the Tyk OAS API
After the Tyk OAS API has been successfully created, you can test it by sending a request to the API endpoint defined in your OAS file. For example, if your API endpoint is/store/inventory", you can use curl or any API client to test it:
Manage and Update the Tyk OAS API
To make any changes to your API configuration, update the OAS file in your ConfigMap and then re-apply the ConfigMap usingkubectl replace:
Notes
kubectl replace without --save-config option is used here instead of kubectl apply because we do not want to save the Tyk OAS API definition in its annotation. If you want to enable --save-config option or use kubectl apply, the Tyk OAS API definition size would be further limited to at most 262144 bytes.Tyk OAS API Example
This example shows the minimum resources and fields required to define a Tyk OAS API using Tyk Operator."41-44"],linenos=true}
ConfigMap is created that contains the Tyk OAS API Definition with the data field with key test_oas.json. This is linked to from a TykOasApiDefinition resource via spec.tykOAS.configmapRef.
To apply it, simply save the manifest into a file (e.g., tyk-oas-api.yaml) and use kubectl apply -f tyk-oas-api.yaml to create the required resources in your Kubernetes cluster. This command will create the necessary ConfigMap and TykOasApiDefinition resources in the default namespace.
Secure your Tyk OAS API
Update your Tyk OAS API Definition
First, you’ll modify your existing Tyk OAS API Definition to include the API key authentication configuration. When creating the Tyk OAS API, you stored your OAS definition in a file namedoas-api-definition.json and created a ConfigMap named tyk-oas-api-config in the tyk namespace.
Modify your Tyk OAS API Definition oas-api-definition.json as follow.
components.securitySchemesdefines the authentication method (in this case,apiKeyin the header).security: Applies the authentication globally to all endpoints.x-tyk-api-gateway.server.authentication: Tyk-specific extension to enable the authentication scheme.
oas-api-definition.json.
Update the ConfigMap with the new Tyk OAS API Definition
Update the existing ConfigMap that contains your Tyk OAS API Definition with the following command:tyk-oas-api-config in the tyk namespace (replace tyk with your actual namespace if different) with the new Tyk OAS API Definition stored in oas-api-definition.json.
Since a TykOasApiDefinition resource has been created with reference to this ConfigMap in the previous tutorial:
Verify the changes
Verify that theTykOasApiDefinition has been updated successfully:
latestTransaction field in status:
time field.
Test the API Endpoint
Now, test your API endpoint to confirm that it requires an API key. For example, if your API endpoint is/store/inventory", you can use curl or any API client to test it:
401 Unauthorized response now as an API key is required for access. Your API has been secured by Tyk Gateway.
Set Up Tyk Classic API
Create a Tyk Classic API
First, specify the details of your API using the ApiDefinition CRD, then deploy it to create the corresponding Kubernetes resource. Tyk Operator will take control of the CRD and create the actual API in the Tyk data plane.Create an ApiDefinition resource in YAML format
Create a file calledhttpbin.yaml, then add the following:
Deploy the ApiDefinition resource
We are going to create an ApiDefinition from the httpbin.yaml file, by running the following command:Understanding the ApiDefinition CRD
We have an ApiDefinition calledhttpbin, as specified in spec.name field, which listens to path /httpbin and proxies requests to http://httpbin.org, as specified under spec.proxy field. Now, any requests coming to the /httpbin endpoint will be proxied to the target URL that we defined in spec.proxy.target_url, which is http://httpbin.org in our example.
You can visit the ApiDefinition CRD page to see all the latest API Definitions fields and features we support.
Configure Kubernetes service as an upstream target
Tyk Gateway deployed in your Kubernetes cluster can easily access other Kubernetes services as an upstream proxy target. In the ApiDefinition manifest, set theproxy.target_url as a Kubernetes Service following DNS for Services and Pods guideline, so that the requests will be proxied to your service.
In general, Kubernetes Services have a <service-name>.<namespace-name>.svc.cluster.local DNS entry once they are created.
For example, if you have a service called httpbin in default namespace, you can contact httpbin service with httpbin.default.svc DNS record in the cluster, instead of IP addresses.
Please visit the official Kubernetes documentation for more details.
Suppose you want to create a Deployment of httpbin service using ci/upstreams/httpbin.yaml file. You are going to expose the application through port 8000 as described under the Service specification.
You can create Service and Deployment by either applying the manifest defined in our repository:
1/1 and STATUS Running state.
Once the pod is ready, you can update your httpbin API’s target_url field to proxy your requests to the Service that you created above.
You can check all services in the <ns> namespace as follows:
httpbin as follows:
spec.proxy.target_url field.
It is set to http://httpbin.default.svc:8000 by following the convention described above (<service_name>.<namespace>.svc:<service_port>).
Now, if you send your request to the /httpbin endpoint of the Tyk Gateway, the request will be proxied to the httpbin Service:
httpbin.default.svc:8000.
Secure your Classic API
Update your API to Require a Key
You might already have realized that ourhttpbin API is keyless. If you check the APIDefinition’s specification, the use_keyless field is set to true.
Tyk keyless access represents completely open access for your API and causes Tyk to bypass any session-based middleware (middleware that requires access to token-related metadata). Keyless access will enable all requests through.
You can disable keyless access by setting use_keyless to false.
- Update your
httpbin.yamlfile
- Apply the changes
use_keyless to false, the default authentication mode is Authentication token.
Now, to access httpbin API, you need to include a key to the header. Otherwise, you will get a HTTP 401 Unauthorized response.
Tyk Operator supported authentication types are listed in the API Definition features section.
Create an API key
You need to generate a key to access thehttpbin API now. Follow this guide to see how to create an API key for your installation.
You can obtain the API name and API ID of our example httpbin API by following command:
name and status.api_id field.
In our example, it is as follows:
- : httpbin
- : ZGVmYXVsdC9odHRwYmlu
httpbin API.
HTTP 401 Unauthorized response.
Set Up Tyk Classic API Authentication
Client to Gateway Authentication in Tyk ensures secure communication between clients and the Tyk Gateway. Tyk supports various authentication methods to authenticate and authorize clients before they can access your APIs. These methods include API keys, Static Bearer Tokens, JWT, mTLS, Basic Authentication, and more. This document provides example manifests for each authentication method supported by Tyk.Keyless (Open)
This configuration allows keyless (open) access to the API without any authentication.Auth Token (Bearer Token)
This setup requires a bearer token for access. In the below example, the authentication token is set by default to theAuthorization header of the request. You can customize this behavior by configuring the following fields:
use_cookie: Set to true to use a cookie value for the token.cookie_name: Specify the name of the cookie if use_cookie is enabled.use_param: Set to true to allow the token to be passed as a query parameter.param_name: Specify the parameter name if use_param is enabled.use_certificate: Enable client certificate. This allows you to create dynamic keys based on certificates.validate_signature: Enable signature validation.
JWT
This configuration uses JWT tokens for authentication. Users can configure JWT authentication by defining the following fields:jwt_signing_method: Specify the method used to sign the JWT. Refer to JWT Signing Method for supported methods.jwt_source: Specify the public key used for verifying the JWT.jwt_identity_base_field: Define the identity source, typically set tosub(subject), which uniquely identifies the user or entity.jwt_policy_field_name: Specify the claim within the JWT payload that indicates the policy ID to apply.jwt_default_policies(Optional): Define default policies to apply if no policy claim is found in the JWT payload.
sub claim as the identity source, uses the pol claim for policy ID, and assigns a default policy (jwt-policy SecurityPolicy in default namespace) if no policy is specified in the token.
- JWT with default policy
- JWT with explicit policy
Basic Authentication
This configuration uses Basic Authentication, requiring a username and password for access.Custom Plugin Auth (go)
This configuration uses a Golang plugin for custom authentication. The following example shows how to create an API definition with a Golang custom plugin forhttpbin-go-auth.
For an example of Golang authentication middleware, see Performing custom authentication with a Golang plugin.
Custom Plugin Auth (gRPC)
This configuration uses a gRPC plugin for custom authentication. The following example shows how to create an API definition with a gRPC custom plugin forhttpbin-grpc-auth.
For a detailed walkthrough on setting up Tyk with gRPC authentication plugins, refer to Extending Tyk with gRPC Authentication Plugins.
Multiple (Chained) Auth
This setup allows for multiple authentication methods to be chained together, requiring clients to pass through each specified authentication provider. To enable multiple (chained) auth, you should setbase_identity_provided_by field to one of the supported chained enums. Consult the Multi (Chained) Authentication section for the supported auths.
In this example, we are creating an API definition with basic authentication and mTLS with basic authentication as base identity for httpbin-multiple-authentications.
IP Allowlist
To enable IP Allowlist, set the following fields:enable_ip_whitelisting: Enables IPs allowlist. When set totrue, only requests coming from the explicit list of IP addresses defined in (allowed_ips) are allowed through.allowed_ips: A list of strings that defines the IP addresses (in CIDR notation) that are allowed access via Tyk.
IP Blocklist
To enable IP Blocklist, set the following fields:enable_ip_blacklisting: Enables IPs blocklist. If set totrue, requests coming from the explicit list of IP addresses (blacklisted_ips) are not allowed through.blacklisted_ips: A list of strings that defines the IP addresses (in CIDR notation) that are blocked access via Tyk. This list is explicit and wildcards are currently not supported.
403).
Set Up Manifest for GraphQL
In the example below we can see that the configuration is contained within thegraphql configuration object. A GraphQL schema is specified within the schema field and the execution mode is set to proxyOnly. The GraphQL public playground is enabled with the path set to /playground.
Set Up Manifest for HTTP
HTTP Proxy
This example creates a basic API definition that routes requests to listen path/httpbin to target URL http://httpbin.org.
Traffic routing can be configured under spec.proxy:
target_urldefines the upstream address (or target URL) to which requests should be proxied.listen_pathis the base path on Tyk to which requests for this API should be sent. Tyk listens out for any requests coming into the host at this path, on the port that Tyk is configured to run on and processes these accordingly. For example,/api/or/or/httpbin/.strip_listen_pathremoves the inbound listen path (as accessed by the client) when generating the outbound request for the upstream service. For example, consider the scenario where the Tyk base address ishttp://acme.com/, the listen path isexample/and the upstream URL ishttp://httpbin.org/: If the client application sends a request tohttp://acme.com/example/getthen the request will be proxied tohttp://httpbin.org/example/get
HTTP Host-based Proxy
spec.domain is the domain to bind this API to. This enforces domain matching for client requests.
In this example, requests to httpbin.tyk.io will be proxied to upstream URL http://httpbin.org
HTTPS Proxy
This example creates a API definition that routes requests to a http://httpbin.org via port 8443.Set Up Manifest for TCP
This example creates a API definition that proxies request from TCP port6380 to tcp://localhost:6379.
Set Up Manifest for UDG
UDG v2 (Tyk 3.2 and above)
If you are on Tyk 3.2 and above, you can use the following manifest to create an UDG API. This example configures a Universal Data Graph from a GraphQL datasource and a REST Datasource.UDG v1 (Tyk 3.1 or before)
If you are on Tyk 3.1, you can use the following manifest to create an UDG API. This example creates a Universal Data Graph with GraphQL datasource and HTTP JSON datasource.Set Up Tyk Streams API
Tyk Streams integrates natively with Tyk OpenAPI Specification (OAS), allowing you to manage APIs as code and automate processes in Kubernetes using Tyk Operator. Setting up Tyk Streams API is similar to configuring a standard Tyk OAS API. You can store the Tyk Streams OAS definition in a Kubernetes ConfigMap and connect it to Tyk Gateway through aTykStreamsApiDefinition resource.
Create your Tyk Streams API
Prepare the Tyk Streams API Definition
To create a Tyk Streams API, start by preparing a complete Tyk Streams API definition in the OpenAPI Specification (OAS) format. This file must include:- The
x-tyk-api-gatewayextension for Tyk-specific settings. - The
x-tyk-streamingextension for Tyk Streams configuration.
Create a TykStreamsApiDefinition Custom Resource
Once your Tyk Streams API definition is ready, use a Kubernetes ConfigMap to store the definition and link it to aTykStreamsApiDefinition custom resource.
Example manifest:
Apply the TykStreamsApiDefinition Manifest
Use thekubectl command to apply the TykStreamsApiDefinition manifest to your Kubernetes cluster:
TykStreamsApiDefinition resource. The Tyk Operator watches this resource and configures the Tyk Gateway or Tyk Dashboard with the new API.
Verify the Tyk Streams API Creation
Check the status of theTykStreamsApiDefinition resource to ensure that the API has been successfully created:
Manage and Update the Tyk Streams API
To update your API configuration, modify the linkedConfigMap. The Tyk Operator will automatically detect changes and update the API in the Tyk Gateway.
Secure your Tyk Streams API
To secure your Tyk Streams API, configure security fields in the OAS definition just as you would for a standard Tyk OAS API. For more details, refer to the Secure your Tyk OAS API guide.Add a Security Policy to your API
To further protect access to your APIs, you will want to add a security policy. Below, we take you through how to define the security policy but you can also find Security Policy Example below.Define the Security Policy manifest
To create a security policy, you must define a Kubernetes manifest using theSecurityPolicy CRD. The following example illustrates how to configure a default policy for trial users for a Tyk Classic API named httpbin, a Tyk OAS API named petstore, and a Tyk Streams API named http-to-kafka.
trial-policy.yaml
In this example, we have defined a security policy as described below:
Define Security Policy status and metadata
-
name: A descriptive name for the security policy. -
active: Marks the policy as active (true or false). -
state: The current state of the policy. It can have one of three values:active: Keys connected to this policy are enabled and new keys can be created.draft: Keys connected to this policy are disabled; no new keys can be created.deny: Policy is not published to Gateway; no keys can be created.
-
tags: A list of tags to categorize or label the security policy, e.g. -
meta_data: Key-value pairs for additional metadata related to the policy, e.g.
access_rights_array: Defines the list of APIs that the security policy applies to and the versions of those APIs.name: The Kubernetes metadata name of the API resource to which the policy grants access.namespace: The Kubernetes namespace where the API resource is deployed.kind: Tyk OAS APIs (TykOasApiDefinition), Tyk Streams (TykStreamsApiDefinition) and Tyk Classic APIs (ApiDefinition) can be referenced here. The API format can be specified bykindfield. If omitted,ApiDefinitionis assumed.versions: Specifies the API versions the policy will cover. If the API is not versioned, include the default version here. The default version of a Classic API is “Default”. The default version of a Tyk OAS API is "".
ApiDefinition resource named httpbin in the default namespace, a TykOasApiDefinition resource named petstore in the default namespace, and a TykStreamsApiDefinition resource named http-to-kafka in the default namespace. Note that with Tyk Operator, you do not need to specify API ID as in the raw Policy definition. Tyk Operator will automatically retrieve the API ID of referenced API Definition resources for you.
Define Rate Limits, Usage Quota, and Throttling
rate: The maximum number of requests allowed per time period (Set to-1to disable).per: The time period (in seconds) for the rate limit (Set to-1to disable).throttle_interval: The interval (in seconds) between each request retry (Set to-1to disable).throttle_retry_limit: The maximum number of retry attempts allowed (Set to-1to disable).quota_max: The maximum number of requests allowed over a quota period (Set to-1to disable).quota_renewal_rate: The time, in seconds, after which the quota is renewed.
httpbin API at a rate limit of maximum 120 times per 60 seconds ("rate": 120, "per": 60), with a usage quota of 1000 every hour ("quota_max": 1000, "quota_renewal_rate": 3600), without any request throttling (throttle_interval: -1, throttle_retry_limit: -1).
Apply the Security Policy manifest
Once you have defined your security policy manifest, apply it to your Kubernetes cluster using thekubectl apply command:
Verify the Security Policy
After applying the manifest, you can verify that the security policy has been created successfully by running:status field, you can see that this security policy has been linked to httpbin, petstore, and http-to-kafka APIs.
Security policy example
Key-level per-API rate limits and quota
By configuring per-API limits, you can set specific rate limits, quotas, and throttling rules for each API in the access rights array. When these per-API settings are enabled, the API inherits the global limit settings unless specific limits and quotas are set in thelimit field for that API.
The following manifest defines a security policy with per-API rate limits and quotas for two APIs: httpbin and petstore.
httpbin API:
- The rate limit allows a maximum of 10 requests per 60 seconds.
- The quota allows a maximum of 100 requests per hour (3600 seconds).
- There is no throttling or retry limit (throttle_interval and throttle_retry_limit are set to -1).
petstore API:
- The rate limit allows a maximum of 5 requests per 60 seconds.
- The quota allows a maximum of 100 requests per hour (3600 seconds).
- There is no throttling or retry limit (throttle_interval and throttle_retry_limit are set to -1).
- All global limits (rate, quota, and throttling) are disabled (-1), so they do not apply.
Key-level per-endpoint rate limits
By configuring key-level per-endpoint limits, you can restrict the request rate for specific API clients to a specific endpoint of an API. The following manifest defines a security policy with per-endpoint rate limits for two APIs:httpbin and petstore.
Path based permissions
You can secure your APIs by specifying allowed URLs (methods and paths) for each API within a security policy. This is done using theallowed_urls field under access_rights_array.
The following manifest defines a security policy that allows access only to specific URLs and HTTP methods for two APIs: httpbin(a Tyk Classic API) and petstore (a Tyk OAS API).
-
Allowed access:
curl -H "Authorization: Bearer $KEY_AUTH" http://tyk-gw.org/petstore/pet/10returns a200 OKresponse.curl -H "Authorization: Bearer $KEY_AUTH" http://tyk-gw.org/httpbin/getreturns a200 OKresponse.
-
Restricted access:
curl -H "Authorization: Bearer $KEY_AUTH" http://tyk-gw.org/petstore/petreturns a403 Forbiddenresponse with the message:
curl -H "Authorization: Bearer $KEY_AUTH" http://tyk-gw.org/httpbin/anythingreturns a403 Forbiddenresponse with the message:
Partitioned policies
Partitioned policies allow you to selectively enforce different segments of a security policy, such as quota, rate limiting, access control lists (ACL), and GraphQL complexity rules. This provides flexibility in applying different security controls as needed. To configure a partitioned policy, set the segments you want to enable in thepartitions field:
quota: Set to true to enforce quota rules (limits the number of requests allowed over a period).rate_limit: Set to true to enforce rate limiting rules (limits the number of requests per second or minute).acl: Set to true to enforce access control rules (controls which APIs or paths can be accessed).complexity: Set to true to enforce GraphQL complexity rules (limits the complexity of GraphQL queries to prevent resource exhaustion).
Migrate Existing APIs to Tyk Operator
If you have existing APIs and Policies running on your Tyk platform, and you want to start using Tyk Operator to manage them, you probably would not want to re-create the APIs and Policies on the platform using Operator CRDs. It is because you will lose keys, policies, and analytics linked to the APIs. You can instead link existing APIs and Policies to a CRD by specifying the API ID or Policy ID in the CRD spec. This way, Operator will update the existing API or Policy according to the CRD spec. Any keys, policies and analytics linked to the API will continue to operate the same. This is great for idempotency.Export existing configurations to CRDs
Instead of creating the API and Policy CRDs from scratch, you can try exporting them from Dashboard using a snapshot tool. You can find the detail usage guide here. This is great if you want to have a quick start. However, this is still a PoC feature so we recommend you to double check the output files before applying them to your cluster.Migration of existing API
If there are existing APIs that you want to link to a CRD, it’s very easy to do so. You need to simply add theapi_id from your API Definition to the YAML of your ApiDefinition type. Then, the Operator will take care of the rest.
Example:
- From the existing API Definition, grab the following field:
- Simply add this value to your YAML, in the
spec.api_idfield:
- Then apply your changes:
The source of truth for the API definition is now the CRD, meaning it will override any differences in your existing API definition.
Migration of existing Policy
If you have existing pre-Operator policies, you can easily link them to a CRD, which will allow you to modify them through the YAML moving forward. Simply set the id field in the SecurityPolicy YAML to the _id field in the existing Policy’s JSON. This will allow the Operator to make the link. Note that the YAML becomes the source of truth and will overwrite any changes between it and the existing Policy. Example:-
Find out your existing Policy ID, e.g.
5f8f3933f56e1a5ffe2cd58c -
Stick the policy ID
5f8f3933f56e1a5ffe2cd58cinto the YAML’sspec.idfield like below
spec.access_rights_array field of the YAML must refer to the ApiDefinition object that the policy identified by the id will affect.
To find available ApiDefinition objects:
- And then apply this file:
id field as above, allowing keys to continue to work as before the delete event.
Idempotency
Because of the ability to declaratively define theapi_id, this gives us the ability to preserve Keys that are tied to APIs or policies which are tied to APIs.
Imagine any use case where you have keys tied to policies, and policies tied to APIs.
Now imagine that these resources are unintentionally destroyed. Our database goes down, or our cluster, or something else.
Well, using the Tyk Operator, we can easily re-generate all our resources in a non-destructive fashion. That’s because the operator intelligently constructs the unique ID using the unique namespaced name of our CRD resources. For that reason.
Alternatively, if you don’t explicitly state it, it will be hard-coded for you by Base64 encoding the namespaced name of the CRD.
For example:
- we have keys tied to policies tied to APIs in production.
- Our production DB gets destroyed, all our Policies and APIs are wiped
- The Tyk Operator can resync all the changes from our CRDs into a new environment, by explicitly defining the Policy IDs and API IDs as before.
- This allows keys to continue to work normally as Tyk resources are generated idempotently through the Operator.
Publish Your API to Dev Portal
For Tyk Self Managed or Tyk Cloud, you can set up a Developer Portal to expose a facade of your APIs and then allow third-party developers to register and use your APIs. You can make use of Tyk Operator CRDs to publish the APIs as part of your CI/CD workflow. If you have followed this Getting Started guide to create the httpbin example API, you can publish it to your Tyk Classic Developer Portal in a few steps.Currently Operator only supports publishing Tyk Classic API to the Tyk Classic Portal.
Publish an API with Tyk Operator
- Creating a security policy
httpbin API that was previously created.
- Creating an API description
apidesc.yaml, then add the following;
- Apply the changes
- Creating a PortalAPICatalog resource
api_portal.yaml, then add the following:
apis.
- Apply the changes
doc_type: swaggerdocumentation: Base64 encoded swagger doc
doc_type: swagger_custom_urldocumentation: The URL to the swagger documentation, for example “https://httpbin.org/spec.json”
doc_type: graphql
Control Kubernetes Ingress Resources
In Kubernetes, the Ingress resource defines routing rules for external HTTP/S traffic to services within a cluster, based on domains or paths. An Ingress Controller, like NGINX or HAProxy, interprets these rules and configures the network infrastructure to route traffic, handling SSL termination and load balancing. The Tyk Operator builds upon the idea of Kubernetes Ingress by allowing you to reuse existing Ingress definitions while adding advanced API management features like authentication, rate limiting, and monitoring. This approach provides seamless ingress traffic management with powerful API gateway capabilities in a unified solution.How Tyk Operator Works as an Ingress Controller
When you use Tyk Operator as an Ingress Controller, each “path” defined in your existing Ingress resource is treated as an “API” within Tyk. Using this Ingress spec as example:"13-13", "15-24"],linenos=true}
-
Path Mapping: Tyk Operator will automatically create APIs in Tyk for each path for a specific rule defined in Ingress resource. Just as with traditional Ingress, incoming requests are routed to the correct backend service within the cluster based on the host and paths defined in the Ingress rules.
In the given example, Tyk Operator is designated as the Ingress Controller for this Ingress resource. Tyk Operator reads this Ingress definition and automatically creates a corresponding API in the Tyk Gateway. The API will have:
- A custom domain set to
myingress.do.poc.tyk.technology, as defined by thehostfield in the Ingress rule. - The TLS certificate from secret
httpbin-ingress-tlsuploaded to Tyk and certificates field set to the resulting certificate ID. - A listen path set to
/httpbin, which is defined by thepathfield in the Ingress rule. - An upstream URL set to
http://httpbin.default.svc:8000, which corresponds to the backend service defined in the Ingress (httpbinservice running on port8000).
- A custom domain set to
-
API Management Through Tyk: At the same time, Tyk allows you to apply API management features by referencing a configuration template. This template is defined using either an
ApiDefinitionorTykOasApiDefinitionresource. These resources provide a reference configuration that includes details on how the API should be managed, such as security policies, traffic controls, and transformations. In the given example, there are two important annotations in the Ingress metadata:These annotations specify that Tyk Operator should use a resource namedmyapideftemplatein the same namespace as the reference for API configuration. Thetyk.io/template-kindannotation indicates that this reference is of typeApiDefinition. Alternatively, it could be aTykOasApiDefinition, depending on the user’s choice. Tyk Operator detects these annotations and looks for the specified resource in the same namespace. For each path defined in the Ingress, Tyk Operator creates a corresponding API in Tyk by copying the specification frommyapideftemplateresource (such as authentication type, rate limiting, etc.) and then updates only the relevant fields like custom domain, certificates, listen path, and upstream URL based on the Ingress spec. Note thatApiDefinitionorTykOasApiDefinitioncreated for use as a template for Ingress resources should have a special label set so that Tyk Operator would not manage it as ordinary APIs. Here is the required label forApiDefinitionandTykOasApiDefinitionrespectively: Label forApiDefinitionindicating it is a resource template.Label forTykOasApiDefinitionindicating it is a resource template.Note that use ofTykStreamsApiDefinitionas resource template is not supported. -
Automated Resource Handling: Tyk Operator handles the automatic discovery and management of existing Ingress resources, eliminating the need for manual migration of all Ingress rules into API definitions. You can simply define an API configuration template as a
TykOasApiDefinitionresource orApiDefinitionresource and then let Tyk Operator creates all the APIs from your existing Ingress rules using the referenced resource as template, streamlining the transition process. Additionally, the Tyk Operator also handles any changes to the Ingress resources it manages. If an Ingress resource is updated — whether through the addition, removal, or modification of paths in the Ingress rules — Tyk Operator automatically reconfigures the corresponding Tyk APIs to ensure they remain in sync with the updated Ingress configuration. This dynamic updating capability ensures that your API management remains consistent and up-to-date with the latest changes in your Kubernetes environment.
Configuration Examples
To configure Tyk Operator to handle Ingress resources, specify ingress class astyk in the Ingress resource. You can also optionally create a ApiDefinition or TykOasApiDefinition resource template that provides default API configurations. This allows Tyk Operator to read the Ingress resource and create API Definition resources based on ingress path and referenced template.
The following sections shows some example of Tyk ApiDefinition or TykOasApiTemplate template and Ingress specification.
HTTP host based and/or path based routing
HTTPS with cert-manager integration
ApiDefinition Template
TykOasApiDefinition Template
Ingress Class
The value of thekubernetes.io/ingress.class annotation identifies the IngressClass that will process Ingress objects.
Tyk Operator by default looks for the value tyk and will ignore all other ingress classes. If you wish to override this default behavior,
you may do so by setting the environment variable WATCH_INGRESS_CLASS in the operator manager deployment. See Installing Tyk Operator for further information.
API name
Tyk Ingress Controller will create APIs in Tyk for each path defined for a specific rule in Ingress resource. Each API created inside Tyk will follow a special naming convention as follows:default-httpbin-ingress-78acd160d inside Tyk’s Gateway.
ApiDefinition’s name comes from:
default: The namespace of this Ingress resource,httpbin-ingress: The name of this Ingress resource,78acd160d: Short hash (first 9 characters) of Host ("") and Path (/httpbin). The hash algorithm is SHA256.
Ingress Path Types
Each path in an Ingress must have its own particular path type. Kubernetes offers three types of path types:ImplementationSpecific, Exact, and Prefix. Currently, not all path types are supported. The below table shows the unsupported path types for Sample HTTP Ingress Resource based on the examples in the Kubernetes Ingress documentation.
| Kind | Path(s) | Request path(s) | Expected to match? | Works as Expected |
|---|---|---|---|---|
| Exact | /foo | /foo/ | No | No. |
| Prefix | /foo/ | /foo, /foo/ | Yes | No, /foo/ matches, /foo does not match. |
| Prefix | /aaa/bb | /aaa/bbb | No | No, the request forwarded to service. |
| Prefix | /aaa/bbb/ | /aaa/bbb | Yes, ignores trailing slash | No, /aaa/bbb does not match. |
| Prefix | /aaa/bbb | /aaa/bbbxyz | No, does not match string prefix | No, the request forwarded to service. |
proxy.strip_listen_path is set to true on API Definition, Tyk strips the listen-path (for example, the listen-path for the Ingress under Sample HTTP Ingress Resource is /httpbin) with an empty string.
The following table shows an example of path matching if the listen-path is set to /httpbin or /httpbin/.
| Kind | Path(s) | Request path(s) | Matches? |
|---|---|---|---|
| Exact | /httpbin | /httpbin, /httpbin/ | Yes. The request forwarded as / to your service. |
| Prefix | /httpbin | /httpbin, /httpbin/ | Yes. The request forwarded as / to your service. |
| ImplementationSpecific | /httpbin | /httpbin, /httpbin/ | Yes. The request forwarded as / to your service. |
| Exact | /httpbin | /httpbinget, /httpbin/get | Yes. The request forwarded as /get to your service. |
| Prefix | /httpbin | /httpbinget, /httpbin/get | Yes. The request forwarded as /get to your service. |
| ImplementationSpecific | /httpbin | /httpbinget, /httpbin/get | Yes. The request forwarded as /get to your service. |
| Exact | /httpbin/ | /httpbin/, /httpbin/get | Yes. The request forwarded as /get to your service. |
| Prefix | /httpbin/ | /httpbin/, /httpbin/get | Yes. The request forwarded as /get to your service. |
| ImplementationSpecific | /httpbin/ | /httpbin/, /httpbin/get | Yes. The request forwarded as /get to your service. |
| Exact | /httpbin/ | /httpbin | No. Ingress cannot find referenced service. |
| Prefix | /httpbin/ | /httpbin | No. Ingress cannot find referenced service. |
| ImplementationSpecific | /httpbin/ | /httpbin | No. Ingress cannot find referenced service. |
GraphQL Federation with Tyk Operator
Tyk, with release v4.0 offers GraphQL federation that allows you to divide GraphQL implementation across multiple back-end services, while still exposing them all as a single graph for the consumers. Tyk Operator supports GraphQL Federation subgraph and supergraph with following Custom Resources.Custom Resources
GraphQL Federation uses concepts of Subgraph and Supergraph. Subgraph is a representation of a back-end service and defines a distinct GraphQL schema. It can be queried directly as a separate service or it can be federated into a larger schema of a supergraph. Supergraph is a composition of several subgraphs that allows the execution of a query across multiple services in the backend. Tyk Operator uses Custom Resources called SubGraph and SuperGraph, that allows users to model the relationship between Subgraphs and Supergraphs.SubGraph
schema and sdl values for your subgraph.
To create a Subgraph API in Tyk, you can reference the subgraph’s metadata name through graphql.graph_ref field, as follows:
- ApiDefinition and SubGraph must be in the same namespace,
graphql.execution_modemust be set tosubgraph,graphql.graph_refmust be set to the metdata name of the SubGraph resource that you would like to refer.
SuperGraph
subgraph_refs and schema values for your supergraph. subgraph_refs is an array of SubGraph Custom Resource(CR) references which expects the name and namespace of the referenced subgraph. If namespace is not specified, Operator will check SubGraphs in the current namespace.
Tyk Operator will update your SuperGraph ApiDefinition when one of the subgraphs that you reference in subgraph_refs changes.
To create a SuperGraph API in Tyk, you can reference the supergraph’s metadata name through graphql.graph_ref field, as follows:
- ApiDefinition and SuperGraph must be in the same namespace,
graphql.execution_modemust be set tosupergraph,graphql.graph_refmust be set to the metdata name of the SuperGraph resource that you would like to refer.
Propagating Subgraph Changes to Supergraph
Tyk Operator will automatically propagate changes in SubGraph CRD to the corresponding Subgraph ApiDefinition. Also, if the SubGraph is referenced by a SuperGraph, the corresponding SuperGraph CR and corresponding supergraph ApiDefinition will be updated too. Therefore, once you make an update on SubGraph CR, you do not need to update your supergraph. It will be updated by Tyk Operator. With this approach, multiple teams can work on SubGraph CRDs and Tyk Operator will update the relevant SuperGraph ApiDefinition.Example
Let’s assume that a developer responsible for the Users SubGraph would like to deleteusername field from the Users SubGraph.
Also, the Supergraph called Social Media already uses the Users Subgraph.
To achieve this, the developer should update the Users SubGraph CRD. Once the SubGraph CRD is updated, Tyk Operator will:
- Update Users SubGraph CRD,
- Update Social Media Supergraph ApiDefinition since it is referencing the Users SubGraph CRD.
Deleting SubGraph
-
SubGraph without any reference
If the subgraph is not referenced in any ApiDefinition CRD or SuperGraph CRD, it is easy to delete SubGraph CRDs as follows:
-
SubGraph referenced in ApiDefinition
If you have a subgraph which is referenced in any ApiDefinition, Tyk Operator will not delete the SubGraph.
In order to delete this subgraph, the corresponding ApiDefinition CR must be updated, such that it has no reference to the
subgraph in
graph_reffield. -
SubGraph referenced in SuperGraph
Although the subgraph is not referenced in any ApiDefinition, if it is referenced in the SuperGraph, Tyk Operator will
not delete the subgraph again.
In order to delete this subgraph, SuperGraph CR should not have reference to corresponding subgraph in the
subgraph_ref.
Deleting SuperGraph
-
SuperGraph without any reference
If the supergraph is not referenced in any ApiDefinition CRD, it can be deleted as follows:
- SuperGraph referenced in ApiDefinition If a supergraph is referenced in any ApiDefinition, the Tyk Operator will not delete the SuperGraph CRD. In order to delete this supergraph, the ApiDefinition that has a reference to the supergraph must de-reference the supergraph or be deleted.
Users Subgraph
Posts Subgraph
Supergraph
Custom Plugins with Tyk Operator
Using Tyk Classic APIs, developers can implement API-level custom plugins that can be optionally setup to execute for each of the following hooks in the API request lifecycle: Pre (Request), Authentication, Post (Request), Post Authentication, Response and Analytics. Subsequently, users can execute, or “hook”, their plugin into these phases of the API request lifecycle based on their specific use case. This document explains how to configure the following plugin types with different drivers (plugin languages):- Pre (Request)
- Authentication
- Post-Auth (Request)
- Post (Request)
- Response
How It Works
In Tyk Classic APIs, the custom_middleware section of the Tyk Classic API Definition is where you configure plugins that will run at different points during the lifecycle of an API request. The table below illustrates the Tyk Classic API configuration parameters that correspond to each phase of the API request lifecycle:| Phase | Description | Config Value |
|---|---|---|
| Pre | Occurs before main request processing. | pre |
| Auth | Custom authentication can be handled during this phase. | auth_check |
| Post Auth | Occurs after key authentication | post_key_auth |
| Post | Occurs after the main request processing but before the response is sent. | post |
| Response | Occurs after the main request processing but before the response is sent. | response |
custom_middleware section of the API definition above we can see that there are Golang custom authentication
(auth_check), post authentication (post_key_auth), post, pre and response plugins configured.
It can be seen that each plugin is configured with the specific function name and associated source file path of the
file that contains the function. Furthermore, each lifecycle phase can have a list of plugins configured, allowing for
complex processing workflows. For example, you might develop one plugin for logging and another for modifying the
request in the pre request phase.
The driver configuration parameter describes the plugin implementation language. Please refer to the supported
languages section for list of supported plugin driver names.
Each plugin can have additional settings, such as:
raw_body_only: When true, indicates that only the raw body should be processed.require_session: When true, indicates that session metadata will be available to the plugin. This is applicable only for post, post authentication and response plugins.
Unsupported
Per-Endpoint Plugins
At the endpoint-level, Tyk provides the facility to attach a custom Golang plugin at the end of the request processing chain (immediately before the API-level post-plugin is executed). Please note that per-endpoint level plugins are not currently supported by Tyk Operator.Examples
Configure Custom Plugins (JavaScript) With Tyk Operator
In this example we will create a JavaScript plugin that will inject a request header Hello with a value of World. This will be configured as a pre request hook.-
Implement Plugin
The first step is to create the plugin source code.
Copy the source code above and save it to the following file on the Gateway file system at
/opt/tyk-gateway/middleware/example-javascript-middleware.js -
Create API Definition Resource
The example API Definition resource listed below listens on path /httpbin and forwards requests to upstream
http://httpbin.org.
At lines 14-18 we can see the custom_middleware section contains the configuration for our plugin:
-
The
driverconfiguration parameter is set toottoat line 15, since our plugin is a Javascript plugin. For other valid values please refer to the plugins driver page. -
A plugin hook configuration block is specified at line 16, containing the
nameandpathfor our plugin. The plugin configuration block identifies the “hook” or phase in the API request lifecycle when Tyk Gateway will execute the plugin. In the example above the configuration block is for aprerequest plugin that will be executed before any middleware. Valid values are the same as the Tyk Classic API Definition equivalent, i.e.pre,auth_check,post,post-authandresponse. We can see that the following fields are set within thepreplugin hook configuration object:- The
namefield represents the name of the function that implements the plugin in your source code. For Javascript plugins this must match the name of the middleware object that was created. In the example above we created the middleware object,exampleJavaScriptMiddlewarePreHook, by callingvar exampleJavaScriptMiddlewarePreHook = new TykJS.TykMiddleware.NewMiddleware({});. - The
pathfield contains the path to the source filemiddleware/example-javascript-middleware.js, relative to the base installation folder, i.e/opt/tyk-gateway.
- The
-
The
-
Test Plugin
We can test that our plugin injects a Hello header with a corresponding value of World by using the curl command:
The header
"Hello: World"should be injected by the custom plugin.
Configure Custom Plugins (Python) using plugin bundles via Tyk Operator
Tyk Operator also supports configuring custom plugins using plugin bundles, where the source code and associated configuration is packaged into a zip file and uploaded to a remote webserver. Tyk Gateway will then download, extract, cache and execute the plugin bundles for each of the configured phases of the API request lifecycle. For a detailed guide, check out our blog post How to Deploy Python Plugins in Tyk Running on Kubernetes, which walks you through all the steps required to create Python plugin bundles, load them into the Tyk Gateway, and configure an API Definition to use them with the Tyk Operator.Multi-Organization Management With Tyk Operator
If you want to set up multi-tenant API management with Tyk, follow these steps to define an OperatorContext for connecting and authenticating with a Tyk Dashboard and reference it in your API definitions for specific configurations.Defining OperatorContext
An OperatorContext specifies the parameters for connecting and authenticating with a Tyk Dashboard. Below is an example of how to define anOperatorContext:
.spec.secretRef.
In this example, API access key auth and organization ID org are not specified in the manifest. They are provided through a Kubernetes secret named tyk-operator-conf in alpha namespace. The secret contains keys TYK_AUTH and TYK_ORG which correspond to the auth and org fields respectively.
secretRef. The table shows mappings between .spec.env properties and secret .spec.data keys. If a value is configured in both the secret and OperatorContext spec.env field, the value from secret will take precedence.
| Secret key | .spec.env |
|---|---|
| TYK_MODE | mode |
| TYK_URL | url |
| TYK_AUTH | auth |
| TYK_ORG | org |
| TYK_TLS_INSECURE_SKIP_VERIFY | insecureSkipVerify |
| TYK_USER_OWNERS (comma separated list) | user_owners |
| TYK_USER_GROUP_OWNERS (comma separated list) | user_group_owners |
Using contextRef in API Definitions
Once anOperatorContext is defined, you can reference it in your API Definition objects using contextRef. Below is an example:
ApiDefinition object references the team-alpha context, ensuring that the configuration is applied within the alpha organization.
Internal Looping With Tyk Operator
The concept of internal looping allows you to use URL Rewriting to redirect your URL to another API endpoint or to another API in the Gateway. In Tyk, looping is generally targeted using thetyk://<API_ID>/<path> scheme, which requires prior knowledge of the API_ID. Tyk Operator simplifies the management and transformation of API traffic within Kubernetes environments by abstracting APIs as objects, managing them and dynamically assigning API_IDs by its Kubernetes metedata name and namespace.
Configuring looping to internal ApiDefinition resources
Looping can be configured within Tyk Operator for URL Rewrites, URL Rewrite Triggers and Proxy to internal APIs by configuring therewrite_to_internal in url_rewrite, rewrite_to_internal in triggers, and proxy.target_internal fields respectively with these properties:
-
Path: The
pathproperty specifies the endpoint on the target API where the request should be directed. This is the portion of the URL that follows the domain and is crucial for ensuring that the request reaches the correct resource. For example, setting a value of"/myendpoint"means that the request will be forwarded to the/myendpointpath on the target API. -
Query: The
queryproperty allows you to append additional query parameters to the target URL. These parameters can be used to modify the behavior of the target API or to pass along specific request information. For instance, settingquery: "check_limits=true"will include this query string in the redirected request, potentially triggering special handling by the target API. -
Target: The
targetproperty identifies the API resource to which the request should be routed. It consists of two components:nameandnamespace. Thenameis the identifier of the target API, while thenamespacespecifies the Kubernetes namespace where the API resource resides. Together, these elements ensure that Tyk Operator accurately locates and routes the request to the intended API. For example,name: "proxy-api"andnamespace: "default"direct the request to theproxy-apiresource in thedefaultnamespace.
tyk://<API_ID>/<path>. This mechanism is essential for routing traffic within a microservices architecture or when managing APIs across different namespaces in Kubernetes. Using this object you can effectively manage and optimize API traffic within your Tyk Gateway.
URL Rewrites
URL rewriting in Tyk enables the alteration of incoming API request paths to align with the expected endpoint format of your backend services. Assume that we wish to redirect incomingGET /basic/ requests to an API defined by an ApiDefinition object named proxy-api in the default namespace. We want the /basic/ prefix to be stripped from the request path and the redirected path should be of the format /proxy/$1, where the context variable $1 is substituted with the remainder of the path request. For example GET /basic/456 should become GET /proxy/456.
In this case we can use a rewrite_to_internal object to instruct Tyk Operator to automatically generate the API rewrite URL on our behalf for the API identified by name proxy-api in the default namespace:
/basic/456 would be matched by the match_pattern rule /basic/(.*) for GET requests specified in the method field. The 456 part of the URL will be captured and replaces {id} in the path field. Tyk Operator will use the rewrite_to_internal configuration to generate the URL rewrite for the API named proxy-api in the default namespace, and update the rewrite_to field accordingly:
rewrite_to field has been generated with the value tyk://ZGVmYXVsdC9wcm94eS1hcGk/proxy/$1 where ZGVmYXVsdC9wcm94eS1hcGk represents the API ID for the proxy-api API resource in the default namespace. Notice also that path proxy/$1 is appended to the base URL tyk://ZGVmYXVsdC9wcm94eS1hcGk and contains the context variable $1. This will be substituted with the value of {id} in the path configuration parameter.
URL Rewrite Triggers
Triggers are configurations that specify actions based on certain conditions present in HTTP headers, query parameters, path parameters etc. Triggers are essential for executing specific actions when particular criteria are met, such as rewriting URLs. They are useful for automating actions based on real-time data received in requests. For example, you might use triggers to:- Redirect users to different APIs in the Gateway based on their authentication status.
- Enforce business rules by redirecting requests to different APIs in the Gateway based on certain parameters.
basic-auth-internal within the default namespace. Subsequently, we can use a rewrite_to_internal object as follows:
Authorization header containing Basic in the header value.
A rewrite_to_internal configuration object is used to instruct Tyk Operator to generate a redirect to the API identified by the basic-auth-internal API resource in the default namespace. The redirect path will be prefixed with basic. For example, a basic authentication request to path / will be redirected to /basic/.
Tyk Operator will automatically generate a URL Rewrite (rewrite_to) to redirect the request to the API identified by basic-auth-internal within the default namespace as follows:
rewrite_to field has been generated with the value tyk://ZGVmYXVsdC9iYXNpYy1hdXRoLWludGVybmFs/proxy/$1 where ZGVmYXVsdC9iYXNpYy1hdXRoLWludGVybmFs represents the API ID for the proxy-api API resource in the default namespace. Notice also that path basic/$2 is appended to the base URL tyk://ZGVmYXVsdC9iYXNpYy1hdXRoLWludGVybmFs and contains the context variable $2. This will be substituted with the remainder of the request path.
Proxy to Internal APIs
Internal looping can also be used for proxying to internal APIs. Assume that we wish to redirect all incoming requests on listen path/users to an API defined by an ApiDefinition object named users-internal-api in the default namespace.
In this case we can use a proxy.target_internal field to instruct Tyk Operator to automatically generate the target URL on our behalf for the API identified by name users-internal-api in the default namespace:
target_internal field references other API resources. This field shares the same properties as those described for rewrite_to_internal, ensuring consistent configuration.
Tyk Operator will automatically generate the target URL to redirect the request to the API identified by users-internal-api within the default namespace as follows:
Example
Assume a business has legacy customers who authenticate with a service using Basic Authentication. The business also wants to support API Keys, enabling both client types to access the same ingress. To facilitate this, Tyk must be configured for dynamic authentication, accommodating both Basic Authentication and Auth Token methods. This setup requires configuring four API Definitions within Tyk:- Entry Point API
- BasicAuth Internal API
- AuthToken Internal API
- Proxy Internal API
There are no actual HTTP redirects in this scenario, meaning that there is no performance penalty in performing any of these Internal Redirects.
Entry Point API
The Entry Point API is the first point of entry for a client request. It inspects the header to determine if the incoming client request requires authentication using Basic Authentication or Auth Token. Consequently, it then redirects the request to the BasicAuth Internal or AuthToken Internal API depending upon the header included in the client request. The API definition resource for the Entry Point API is listed below. It is configured to listen for requests on the/entry path and forward requests upstream to http://example.com
We can see that there is a URL Rewrite rule (url_rewrites) with two triggers configured to match Basic Authentication and Auth Token requests:
- Basic Authentication trigger: Activated for incoming client requests that include an Authorization header containing a value starting with Basic. In this case a
rewrite_to_internalconfiguration object is used to instruct Tyk Operator to redirect the request to the BasicAuthInternal API, identified by namebasic-auth-internalin thedefaultnamespace. The request URL is rewritten, modifying the path to/basic/<path>. - Auth Token trigger: Activated for incoming client requests that include an Authorization header containing a value starting with Bearer. In this case a
rewrite_to_internalconfiguration object is used to instruct Tyk Operator to redirect the request to the AuthTokenInternal API, identified by nameauth-token-internalin thedefaultnamespace. The request URL is rewritten, modifying the path to/token/<path>.
BasicAuth Internal API
The BasicAuth Internal API listens to requests on path/basic and forwards them upstream to http://example.com.
The API is configured with a URL rewrite rule in url_rewrites to redirect incoming GET /basic/ requests to the API in the Gateway represented by name proxy-api in the default namespace. The /basic/ prefix will be stripped from the request URL and the URL will be rewritten with the format /proxy/$1. The context variable $1 is substituted with the remainder of the path request. For example GET /basic/456 will become GET /proxy/456.
Furthermore, a header transform rule is configured within transform_headers to add the header x-transform-api with value basic-auth, to the request.
AuthToken Internal API
The AuthToken Internal API listens to requests on path/token and forwards them upstream to http://example.com.
The API is configured with a URL rewrite rule in url_rewrites to redirect incoming GET /token/ requests to the API in the Gateway represented by name proxy-api in the default namespace. The /token/ prefix will be stripped from the request URL and the URL will be rewritten to the format /proxy/$1. The context variable $1 is substituted with the remainder of the path request. For example GET /token/456 will become GET /proxy/456.
Furthermore, a header transform rule is configured within transform_headers to add the header x-transform-api with value token-auth, to the request.
Proxy Internal API
The Proxy Internal API is keyless and responsible for listening to requests on path/proxy and forwarding upstream to http://httpbin.org. The listen path is stripped from the request before it is sent upstream.
This API receives requests forwarded from the internal AuthToken Internal and BasicAuth Internal APIs. Requests will contain the header x-transform-api with value token-auth or basic-auth, depending upon which internal API the request originated from.
Manage API MetaData
API Name
Tyk OAS API and Tyk Streams API
API name can be set throughx-tyk-api-gateway.info.name field in Tyk OAS API Definition object.
Tyk Classic API
To set the name of an API in theApiDefinition, use the spec.name string field. This name is displayed on the Tyk Dashboard and should concisely describe what the API represents.
Example:
API Status
API Active Status
An active API will be loaded to the Gateway, while an inactive API will not, resulting in a 404 response when called.Tyk OAS API and Tyk Streams API
API active state can be set throughx-tyk-api-gateway.info.state.active field in Tyk OAS API Definition object.
Tyk Classic API
The active status of an API can be set by modifying thespec.active configuration parameter. When set to true, this enables the API so that Tyk will listen for and process requests made to the listenPath.
API Accessibility
An API can be configured as internal so that external requests are not processed.Tyk OAS API and Tyk Streams API
API accessibility can be set throughx-tyk-api-gateway.info.state.internal field in Tyk OAS API Definition object.
Tyk Classic API
API accessibility can be set through thespec.internal configuration parameter as shown in the example below.
API ID
Creating a new API
If you’re creating a new API using Tyk Operator, you don’t need to specify the ID. The API ID will be generated in a deterministic way.Tyk OAS API and Tyk Streams API
The generated ID is stored instatus.id field. Run the following command to inspect generated API ID of a Tyk OAS API.
ZGVmYXVsdC9wZXRzdG9yZQ.
Tyk Classic API
The generated ID is stored instatus.api_id field. Run the following command to inspect generated API ID of a Tyk Classic API.
ZGVmYXVsdC90ZXN0.
Updating an existing API
Tyk OAS API and Tyk Streams API
If you already have API configurations created in the Tyk Dashboard and want to start using Tyk Operator to manage these APIs, you can include the existing API ID in the manifest under thex-tyk-api-gateway.info.id field in Tyk OAS API Definition object.
Tyk Classic API
If you already have API configurations created in the Tyk Dashboard and want to start using Tyk Operator to manage these APIs, you can include the existing API ID in the manifest under thespec.api_id field. This way, when you apply the manifest, Tyk Operator will not create a new API in the Dashboard. Instead, it will update the original API with the Kubernetes spec.
Example
12345 will be updated according to the provided spec instead of creating a new API.
API Categories
API categories are configured differently for Tyk OAS APIs and Tyk Classic APIs. Please see below for examples.Tyk OAS API
API categories can be specified throughcategories field in TykOasApiDefinition CRD.
Here’s an example:
Tyk Streams API
As of Tyk Operator v1.1, API categories is not supported inTykStreamsApiDefinition CRD.
Tyk Classic API
For a Tyk Classic API, you can specify the category name using thename field with a # qualifier. This will categorize the API in the Tyk Dashboard. See How API categories work to learn about limitations on API names.
Example
API Versioning
API versioning are configured differently for Tyk OAS APIs and Tyk Classic APIs. Please see below for examples.Configuring API Version in Tyk OAS API Definition
In the Tyk OAS API Definition, versioning can be configured viax-tyk-api-gateway.versioning object of the Base API, where the child API’s IDs are specified. In the Kubernetes environment with Tyk Operator, where we reference API resources through its Kubernetes name and namespace, this is not desired. Therefore, we add support for versioning configurations through the field versioning in TykOasApiDefinition custom resource definition (CRD).
Here’s an example:
linenostart=1, hl_lines=["12-24"]}
order-api (v1) and order-api-v2 (v2).
versioning is configured at order-api (v1), the Base API, and it has similiar structure as Tyk OAS API Definition:
versioning: This object configures API versioning for theorder-api.enabled: Set to true to enable versioning.name: an identifier for this version of the API (v1).default: Specifies the default version (v1), which will be used if no version is specified in the request.location: Specifies where the version key is expected (in this case, in the header). It can be set toheaderorurl-param.key: Specifies the versioning identifier key (x-api-version) to identify the version. In this example, the version is determined by an HTTP header namedx-api-version.fallbackToDefault: When set to true, if an unspecified or invalid version is requested, the default version (v1) will be used.stripVersioningData: When true, removes versioning identifier (like headers or query parameters) from the upstream request to avoid exposing internal versioning details.urlVersioningPattern: Specifies a regex that matches the format that you use for the versioning identifier (name) if you are using stripVersioningData and fallBackToDefault with location=url with Tyk 5.5.0 or laterversions: Defines the list of API versions available:name: an identifier for this version of the API (v2).tykOasApiDefinitionRef: Refers to a separate TykOasApiDefinition resource that represent a new API version.name: Kubernetes metadata name of the resource (order-api-v2).namespace: Kubernetes metadata namespace of the resource (default).
x-tyk-api-gateway.versioning object), which typically requires referencing specific API IDs. Instead, the Operator allows you to manage versioning declaratively in the TykOasApiDefinition CRD, using the versioning field to specify versions and their Kubernetes references (names and namespaces).
When using the CRD for versioning configuration, you don’t have to worry about knowing or managing the unique API IDs within Tyk. The Tyk Operator handles the actual API definition configuration behind the scenes, reducing the complexity of version management.
In case if there is original versioning information in the base API Definition, the versioning information will be kept and be merged with what is specified in CRD. If there are conflicts between the Tyk OAS API Definition and CRD, we will make use of CRD values as the final configuration.
Tyk Operator would also protect you from accidentally deleting a version of an API that is being referenced by another API, maintaining your API integrity.
Configuring API Version in Tyk Streams API Definition
As of Tyk Operator v1.1, API versioning is not supported inTykStreamsApiDefinition CRD. This can be configured natively in the Tyk Streams API Definition.
Configuring API Version in Tyk Classic API Definition
For Tyk Classic API, versioning can be configured viaApiDefinition custom resource definition (CRD). See Tyk Classic versioning for a comprehensive example of configuring API versioning for Tyk Classic API with Tyk Operator.
API Ownership
Please consult the API Ownership documentation for the fundamental concepts of API Ownership in Tyk and Operator Context documentation for an overview of the use of OperatorContext to manage resources for different teams effectively. The guide includes practical examples for managing API ownership via OperatorContext. Key topics include defining user owners and user group owners in OperatorContext for connecting and authenticating with a Tyk Dashboard, and usingcontextRef in TykOasApiDefinition or ApiDefinition objects to ensure configurations are applied within specific organizations. The provided YAML examples illustrate how to set up these configurations.
How API Ownership works in Tyk Operator
In Tyk Dashboard, API Ownership ensures that only designated ‘users’ who own an API can modify it. This security model is crucial for maintaining control over API configurations, especially in a multi-tenant environment where multiple teams or departments may have different responsibilities and permissions. Tyk Operator is designed to interact with Tyk Dashboard as a system user. For the Tyk Dashboard, Tyk Operator is just another user that must adhere to the same access controls and permissions as any other user. This means:- Tyk Operator needs the correct access rights to modify any APIs.
- It must be capable of managing APIs according to the ownership rules set in Tyk Dashboard.
OperatorContext comes into play. Users can define different OperatorContext objects that act as different agents to connect to Tyk Dashboard. Each OperatorContext can specify different access parameters, including the user access key and organization it belongs to. Within OperatorContext, users can specify the IDs of owner users or owner user groups. All APIs managed through that OperatorContext will be owned by the specified users and user groups, ensuring compliance with Tyk Dashboard’s API ownership model.
OperatorContext
Here’s howOperatorContext allows Tyk Operator to manage APIs under different ownerships:
Tyk OAS API and Tyk Streams API
Once anOperatorContext is defined, you can reference it in your Tyk OAS or Tyk Streams API Definition objects using contextRef. Below is an example with TykOasApiDefinition:
TykOasApiDefinition object references the team-alpha context, ensuring that it is managed under the ownership of the specified users and user groups.
Tyk Classic API
Similarly, if you are using Tyk Classic API, you can reference it in your API Definition objects usingcontextRef. Below is an example:
ApiDefinition object references the team-alpha context, ensuring that it is managed under the ownership of the specified users and user groups.
Troubleshooting and FAQ
Can I use Tyk Operator with non-Kubernetes Tyk installations?
While Tyk Operator is designed to work within a Kubernetes environment, you can still use it to manage non-Kubernetes Tyk installations. You’ll need to:- Run Tyk Operator in a Kubernetes cluster.
- Configure Tyk Operator to point to your external Tyk installation, e.g. via
tyk-operator-conf, environment variable, or OperatorContext:
Tyk Operator changes not applied
From Tyk Operator v0.15.0, we introduce a new status subresource in APIDefinition CRD, called latestTransaction which holds information about reconciliation status.The Status subresource in Kubernetes is a specialized endpoint that allows developers and operators to retrieve the real-time status of a specific Kubernetes resource. By querying this subresource, users can efficiently access essential information about a resource’s current state, conditions, and other relevant details without fetching the entire resource, simplifying monitoring and aiding in prompt decision-making and issue resolution.The new status subresource latestTransaction consists of a couple of fields that show the latest result of the reconciliation:
.status.latestTransaction.status: shows the status of the latest reconciliation, either Successful or Failed;.status.latestTransaction.time: shows the time of the latest reconciliation;.status.latestTransaction.error: shows the message of an error if observed in the latest transaction.
Example: Find out why an APIDefinition resource cannot be deleted
Consider the scenario when APIDefinition and SecurityPolicy are connected. Usually, APIDefinition cannot be deleted directly since it is protected by SecurityPolicy. The proper approach to remove an APIDefinition is to first remove the reference to the SecurityPolicy (either by deleting the SecurityPolicy CR or updating SecurityPolicy CR’s specification), and then remove the APIDefinition itself. However, if we directly delete this APIDefinition, Tyk Operator won’t delete the APIDefinition unless the link between SecurityPolicy and APIDefinition is removed. It is to protect the referential integrity between your resources.kubectl describe or kubectl get:
.status.latestTransaction field. As .status.latestTransaction.error implies, the error is related to SecurityPolicy dependency.
Can I use Tyk Operator with multiple Tyk installations?
Yes, you can use Tyk Operator to manage multiple Tyk installations. You’ll need to create separateOperatorContext resources for each installation:
What Features Are Supported By Tyk Operator?
APIDefinition CRD
Tyk stores API configurations as JSON objects called API Definitions. If you are using Tyk Dashboard to manage Tyk, then these are stored in either Postgres or MongoDB, as specified in the database settings. On the other hand, if you are using Tyk OSS, these configurations are stored as files in the /apps directory of the Gateway which is located at the default path /opt/tyk-gateway. An API definition includes various settings and middleware that control how incoming requests are processed.API Types
Tyk supports various API types, including HTTP, HTTPS, TCP, TLS, and GraphQL. It also includes Universal Data Graph versions for unified data access and federation, allowing seamless querying across multiple services.| Type | Support | Supported From | Comments |
|---|---|---|---|
| HTTP | ✅ | v0.1 | Standard HTTP proxy for API requests. |
| HTTPS | ✅ | v0.4 | Secure HTTP proxy using SSL/TLS encryption. |
| TCP | ✅ | v0.1 | Handles raw TCP traffic, useful for non-HTTP APIs. |
| TLS | ✅ | v0.1 | Handles encrypted TLS traffic for secure communication. |
| GraphQL - Proxy | ✅ | v0.1 | Proxy for GraphQL APIs, routing queries to the appropriate service. |
| Universal Data Graph v1 | ✅ | v0.1 | Supports Universal Data Graph v1 for unified data access. |
| Universal Data Graph v2 | ✅ | v0.12 | Supports the newer Universal Data Graph v2 for more advanced data handling. |
| GraphQL - Federation | ✅ | v0.12 | Supports GraphQL Federation for querying multiple services as one API. |
Management of APIs
Tyk offers flexible API management features such as setting active/inactive status, categorizing and naming APIs, versioning, and defining ownership within teams or organizations for streamlined administration.| Type | Support | Supported From | Comments |
|---|---|---|---|
| API Name | ✅ | v0.1 | Assign and manage names for your APIs. |
| API Status (inactive/active) | ✅ | v0.2 | Toggle API status between active and inactive. |
| API Categories | ✅ | v0.1 | Categorize APIs for easier management. |
| API ID | ✅ | v0.1 | Assign unique IDs to APIs for tracking and management. |
| API Ownership | ✅ | v0.12 | Define ownership of APIs within teams or organizations. |
| API Versioning | ✅ | v0.1 | Enable version control for APIs. |
Traffic Routing
Tyk enables traffic routing through path-based or host-based proxies and allows redirection to specific target URLs, providing control over how requests are directed to backend services.| Type | Supported | Supported From | Comments |
|---|---|---|---|
| Path-Based Proxy | ✅ | v0.1 | Route traffic based on URL path. |
| Host-Based Proxy | ✅ | v0.1 | Route traffic based on the request host. |
| Target URL | ✅ | v0.1 | Redirect traffic to a specific target URL. |
Client to Gateway Authentication and Authorization
Tyk provides multiple authentication options for client-to-gateway interactions, including keyless access, JWT, client mTLS, IP allow/block lists, and custom authentication plugins for enhanced security.| Type | Supported | Supported From | Comments |
|---|---|---|---|
| Keyless | ✅ | v0.1 | No authentication required, open access. |
| Auth Token | ✅ | v0.1 | Requires an authentication token (Bearer token). |
| JWT | ✅️ | v0.5 | Uses JSON Web Tokens for secure authentication. |
| OpenID Connect | ❌ | - | Recommended to use JWT for OIDC authentication. |
| OAuth2 | ❌ | - | OAuth2 not supported, JWT is recommended. |
| Client mTLS | ✅ | v0.11 | Supports static client mutual TLS authentication. |
| HMAC | ❌ | - | HMAC authentication is not implemented. |
| Basic Authentication | ✅ | v0.12 | Only supports enabling with default metadata. |
| Custom Authentication Plugin (Go) | ✅ | v0.11 | Custom authentication plugin written in Go. |
| Custom Authentication Plugin (gRPC) | ✅ | v0.1 | Custom authentication plugin using gRPC. |
| Multiple Authentication | ✅ | v0.14 | Chain multiple authentication methods. |
| IP Allowlist | ✅ | v0.5 | Allows access only from specific IP addresses. |
| IP Blocklist | ✅ | v0.5 | Blocks access from specific IP addresses. |
Gateway to Upstream Authentication
Tyk supports secure upstream connections through mutual TLS, certificate pinning, and public key verification to ensure data integrity between the gateway and backend services. For full details, please see the Upstream Authentication section.| Type | Supported | Supported From | |
|---|---|---|---|
| Mutual TLS for upstream connectioons | ✅ | v0.9 | Mutual TLS authentication for upstream connections. |
| Public Key Certificate Pinning | ✅ | v0.9 | Ensures that the upstream certificate matches a known key. |
| Upstream Request Signing using HMAC | ✅ | v1.2.0 | Attach an encrypted signature to requests to verify the gateway as the sender. |
API-level (Global) Features
Tyk offers global features for APIs, such as detailed traffic logging, CORS management, rate limiting, header transformations, and analytics plugins, with support for tagging, load balancing, and dynamic variables.| Feature | Supported | Supported From | Comments |
|---|---|---|---|
| Detailed recording (in Log Browser) | ✅ | v0.4.0 | Records detailed API traffic logs for analysis. |
| Config Data | ✅ | v0.8.2 | Stores additional configuration data for APIs. |
| Context Variables | ✅ | v0.1 | Enables dynamic context-based variables in APIs. |
| Cross Origin Resource Sharing (CORS) | ✅ | v0.2 | Manages CORS settings for cross-domain requests. |
| Service Discovery | ⚠️ | - | Service discovery is untested in this version. |
| Segment Tags | ✅ | v0.1 | Tags APIs for segmentation across environments. |
| Internal API (not exposed by Gateway) | ✅ | v0.6.0 | Internal APIs are not exposed via the Gateway. |
| Global (API-level) Header Transform | ✅ | v0.1.0 | Transforms request and response headers at the API level. |
| Global (API-level) Rate Limit | ✅ | v0.10 | Sets rate limits globally for APIs. |
| Custom Plugins | ✅ | v0.1 | Supports the use of custom plugins for API processing. |
| Analytics Plugin | ✅ | v0.16.0 | Integrates analytics plugins for API monitoring. |
| Batch Requests | ❌ | - | Batch requests are not supported. |
| Custom Analytics Tags (Tag Headers) | ✅ | v0.10.0 | Custom tags for API analytics data. |
| Expire Analytics After | ❌ | - | Not supported in this version. |
| Do not track Analytics (per API) | ✅ | v0.1.0 | Disable analytics tracking on specific APIs. |
| Webhooks | ❌ | - | Webhook support is not available. |
| Looping | ✅ | v0.6 | Enables internal looping of API requests. |
| Round Robin Load Balancing | ✅ | - | Supports round-robin load balancing across upstream servers. |
Endpoint-level Features
For specific API endpoints, Tyk includes features like caching, circuit breaking, request validation, URL rewriting, and response transformations, allowing for precise control over request processing and response handling at an endpoint level.| Endpoint Middleware | Supported | Supported From | Comments |
|---|---|---|---|
| Allow list | ✅️ | v0.8.2 | Allows requests only from approved sources. |
| Block list | ✅️ | v0.8.2 | Blocks requests from disapproved sources. |
| Cache | ✅ | v0.1 | Caches responses to reduce latency. |
| Advance Cache | ✅ | v0.1 | Provides advanced caching capabilities. |
| Circuit Breaker | ✅ | v0.5 | Prevents service overload by breaking circuits. |
| Track Endpoint | ✅ | v0.1 | Tracks API endpoint usage for analysis. |
| Do Not Track Endpoint | ✅ | v0.1 | Disables tracking for specific endpoints. |
| Enforced Timeouts | ✅ | v0.1 | Ensures timeouts for long-running requests. |
| Ignore Authentication | ✅ | v0.8.2 | Bypasses authentication for selected endpoints. |
| Internal Endpoint | ✅ | v0.1 | Restricts access to internal services. |
| URL Rewrite | ✅️ | v0.1 | Modifies request URLs before processing. |
| Validate Request | ✅ | v0.8.2 | Validates incoming requests before forwarding. |
| Rate Limit | ❌ | - | Rate limiting is not supported per endpoint. |
| Request Size Limit | ✅️ | v0.1 | Limits the size of requests to prevent overload. |
| Request Method Transform | ✅ | v0.5 | Modifies HTTP methods for incoming requests. |
| Request Header Transform | ✅ | v0.1 | Transforms request headers. |
| Request Body Transform | ✅ | v0.1 | Transforms request bodies for processing. |
| Request Body JQ Transform | ⚠️ | v0.1 | Requires JQ support on the Gateway Docker image. |
| Response Header Transform | ✅ | v0.1 | Transforms response headers. |
| Response Body Transform | ✅ | v0.1 | Transforms response bodies. |
| Response Body JQ Transform | ⚠️ | v0.1 | Requires JQ support on the Gateway Docker image. |
| Mock Response | ✅ | v0.1 | Simulates API responses for testing. |
| Virtual Endpoint | ✅ | v0.1 | Allows creation of dynamic virtual endpoints. |
| Per-Endpoint Plugin | ❌ | - | Plugin support per endpoint is not available. |
| Persist Graphql | ❌ | - | Not supported in this version. |
TykOasAPIDefinition CRD
The TykOasApiDefinition Custom Resource Definition (CRD) manages Tyk OAS API Definition objects within a Kubernetes environment. This CRD enables the integration and management of Tyk API definitions using Kubernetes-native tools, simplifying the process of deploying and managing OAS APIs on the Tyk Dashboard.TykOasApiDefinition Features
TykOasApiDefinition can support all features of the Tyk OAS API definition. You just need to provide the Tyk OAS API definition via a ConfigMap. In addition to managing the CRUD (Create, Read, Update, Delete) of Tyk OAS API resources, the Tyk Operator helps you better manage resources through object linking to Ingress, Security Policies, and certificates stored as Kubernetes secrets. See below for a list of Operator features and examples:
| Features | Support | Supported From | Comments | Example |
|---|---|---|---|---|
| API Category | ✅ | v1.0 | - | Manage API Categories |
| API Version | ✅ | v1.0 | - | Manage API versioning |
| API Ownership via OperatorContext | ✅ | v1.0 | - | API Ownership |
| Client Certificates | ✅ | v1.0 | - | Manage TLS certificate |
| Custom Domain Certificates | ✅ | v1.0 | - | Manage TLS certificate |
| Public keys pinning | ✅ | v1.0 | - | Manage TLS certificate |
| Upstream mTLS | ✅ | v1.0 | - | Manage TLS certificate |
| Kubernetes Ingress | ✅ | v1.0 | - | Kubernetes Ingress Controller |
| Link with SecurityPolicy | ✅ | v1.0 | - | Protect an API |
TykStreamsApiDefinition CRD
The TykStreamsApiDefinition Custom Resource Definition (CRD) manages Async API configuration within a Kubernetes environment.TykStreamsApiDefinition Features
TykStreamsApiDefinition can support all features of Tyk Streams. You just need to provide the Tyk Streams API definition via a ConfigMap. In addition to managing the CRUD (Create, Read, Update, Delete) of Tyk Streams API resources, the Tyk Operator helps you better manage resources through object linking to Security Policies. See below for a list of Operator features and examples:
| Features | Support | Supported From | Comments | Example |
|---|---|---|---|---|
| API Ownership via OperatorContext | ✅ | v1.0 | - | API Ownership |
| Link with SecurityPolicy | ✅ | v1.0 | - | Protect an API |
Version Compatability
Ensuring compatibility between different versions is crucial for maintaining stable and efficient operations. This document provides a comprehensive compatibility matrix for Tyk Operator with various versions of Tyk and Kubernetes. By understanding these compatibility details, you can make informed decisions about which versions to deploy in your environment, ensuring that you leverage the latest features and maintain backward compatibility where necessary.Compatibility with Tyk
Tyk Operator can work with all version of Tyk beyond Tyk 3.x+. Since Tyk is backward compatible, you can safely use the latest version of Tyk Operator to work with any version of Tyk. However, if you’re using a feature that was not yet available on an earlier version of Tyk, e.g. Defining a Subgraph with Tyk 3.x, you’ll see error in Tyk Operator controller manager logs. See Release notes to check for each Tyk Operator release, which version of Tyk it is tested against.| Tyk Version | 3.2 | 4.0 | 4.1 | 4.2 | 4.3 | 5.0 | 5.2 | 5.3 | 5.4 | 5.5 | 5.6 | 5.7 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Tyk Operator v0.13 | Y | Y | ||||||||||
| Tyk Operator v0.14 | Y | Y | Y | Y | ||||||||
| Tyk Operator v0.14.1 | Y | Y | Y | Y | ||||||||
| Tyk Operator v0.15.0 | Y | Y | Y | Y | ||||||||
| Tyk Operator v0.15.1 | Y | Y | Y | Y | ||||||||
| Tyk Operator v0.16.0 | Y | Y | Y | Y | Y | |||||||
| Tyk Operator v0.17.0 | Y | Y | Y | Y | Y | Y | ||||||
| Tyk Operator v0.17.1 | Y | Y | Y | Y | Y | |||||||
| Tyk Operator v0.18.0 | Y | Y | Y | Y | Y | Y | ||||||
| Tyk Operator v1.0.0 | Y | Y | Y | Y | Y | Y | ||||||
| Tyk Operator v1.1.0 | Y | Y | Y | Y | Y | Y | Y |
Compatibility with Kubernetes Version
See Release notes to check for each Tyk Operator release, which version of Kubernetes it is tested against.| Kubernetes Version | 1.19 | 1.20 | 1.21 | 1.22 | 1.23 | 1.24 | 1.25 | 1.26 | 1.27 | 1.28 | 1.29 | 1.30 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Tyk Operator v0.13 | Y | Y | Y | Y | Y | Y | Y | |||||
| Tyk Operator v0.14 | Y | Y | Y | Y | Y | Y | Y | |||||
| Tyk Operator v0.14.1 | Y | Y | Y | Y | Y | Y | Y | |||||
| Tyk Operator v0.15.0 | Y | Y | Y | Y | Y | Y | Y | |||||
| Tyk Operator v0.15.1 | Y | Y | Y | Y | Y | Y | Y | |||||
| Tyk Operator v0.16.0 | Y | Y | Y | Y | Y | Y | Y | |||||
| Tyk Operator v0.17.0 | Y | Y | Y | Y | Y | |||||||
| Tyk Operator v0.17.1 | Y | Y | Y | Y | Y | |||||||
| Tyk Operator v0.18.0 | Y | Y | Y | Y | Y | |||||||
| Tyk Operator v1.0.0 | Y | Y | Y | Y | Y | Y | ||||||
| Tyk Operator v1.1.0 | Y | Y | Y | Y | Y | Y |
Security Policy CRD
The SecurityPolicy custom resource defines configuration of Tyk Security Policy object. Here are the supported features:| Features | Support | Supported From | Example |
|---|---|---|---|
| API Access | ✅ | v0.1 | API Access |
| Rate Limit, Throttling, Quotas | ✅ | v0.1 | Rate Limit, Throttling, Quotas |
| Meta Data & Tags | ✅ | v0.1 | Tags and Meta-data |
| Path and Method based permissions | ✅ | v0.1 | Path based permission |
| Partitions | ✅ | v0.1 | Partitioned policies |
| Per API limit | ✅ | v1.0 | Per API Limit |
| Per-Endpoint limit | ✅ | v1.0 | Per Endpoint Limit |