diff --git a/.gitignore b/.gitignore index 13cac165..fd03c672 100644 --- a/.gitignore +++ b/.gitignore @@ -6,3 +6,5 @@ tyk-stack/charts/* tyk-data-plane/charts/* +tyk-control-plane/charts/* + diff --git a/README.md b/README.md index 4fee8cc0..95d049c4 100644 --- a/README.md +++ b/README.md @@ -4,12 +4,12 @@ This is a repository for new Tyk helm charts. We will roll out new component cha ## Umbrella Charts Helm umbrella chart (chart of charts) is an easy and really flexible way of installing multiple components as a single one. We have following umbrella charts that help you to install group of related tyk components based on your deployment need. -| Umbrella Charts | Description | Status | -|------------------------------------|---------------------------------------------------------------|-------------| -| [tyk-oss](./tyk-oss) | Tyk Open Source | Stable | -| [tyk-stack](./tyk-stack) | Tyk Self Managed | Stable | -| tyk-control-plane | Tyk Self Managed (MDCB) Control Plane | Coming Soon | -| [tyk-data-plane](./tyk-data-plane) | Tyk Self Managed (MDCB) Data Plane
Tyk Hybrid Data Plane | Stable | +| Umbrella Charts | Description | Status | +|------------------------------------------|---------------------------------------------------------------|--------| +| [tyk-oss](./tyk-oss) | Tyk Open Source | Stable | +| [tyk-stack](./tyk-stack) | Tyk Self Managed | Stable | +| [tyk-control-plane](./tyk-control-plane) | Tyk Self Managed (MDCB) Control Plane | Beta | +| [tyk-data-plane](./tyk-data-plane) | Tyk Self Managed (MDCB) Data Plane
Tyk Hybrid Data Plane | Stable | ## Component Charts * [tyk-gateway](./components/tyk-gateway) diff --git a/components/tyk-mdcb/README.md b/components/tyk-mdcb/README.md index 36f9b0d0..182f223d 100644 --- a/components/tyk-mdcb/README.md +++ b/components/tyk-mdcb/README.md @@ -103,18 +103,24 @@ Follow the notes from the installation output to get connection details. >NOTE: Please make sure you are installing MongoDB or PostgreSQL versions that are supported by Tyk. Please refer to Tyk docs to get list of supported versions. -### MDCB Configuration +### Tyk MDCB Configuration -#### License -Tyk MDCB requires a license to be set at `.Values.mdcb.license`. This field is required and must be set. +#### Tyk MDCB License -#### Listen Port +Tyk MDCB requires a license to be set at `.Values.mdcb.license`. This field is mandatory and must be configured. + +To enhance security and avoid storing plaintext values for the MDCB license directly in the Helm value file, +an alternative approach is available. You can store the license in a Kubernetes Secret and reference it externally. +Set the license in the Kubernetes Secret and provide the secret's name through `.Values.mdcb.useSecretName`. +The Secret must contain a key named `MDCBLicense`. + +#### Tyk MDCB Listen Port The `.Values.mdcb.listenPort` field represents a RPC port which worker Tyk Gateways will connect to. Setting `.Values.mdcb.listenPort` field opens a port on MDCB container and MDCB service targets this port. It is used to set `TYK_MDCB_LISTENPORT` -#### Health Check Port +#### Tyk MDCB Health Check Port The health check port for Tyk MDCB can be configurable via `.Values.mdcb.probes.healthCheckPort` field. This port lets MDCB allow standard health checks. It also defines the path for liveness and readiness probes. diff --git a/components/tyk-mdcb/templates/_helpers.tpl b/components/tyk-mdcb/templates/_helpers.tpl index 7cd3b316..b50afd86 100644 --- a/components/tyk-mdcb/templates/_helpers.tpl 
+++ b/components/tyk-mdcb/templates/_helpers.tpl @@ -141,6 +141,20 @@ mongoURL {{- end -}} {{- end -}} +{{/* +HTTP Protocol that is used by Tyk MDCB. At the moment, TLS is not supported. +*/}} +{{- define "mdcb.proto" -}} +http +{{- end -}} + +{{/* +HTTP Protocol that is used by Tyk MDCB. At the moment, TLS is not supported. +*/}} +{{- define "mdcb.svcPort" -}} +{{ .Values.mdcb.service.port }} +{{- end -}} + {{- define "mdcb.tplvalues.render" -}} {{- if typeIs "string" .value }} {{- tpl .value .context }} diff --git a/tyk-control-plane/.helmignore b/tyk-control-plane/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/tyk-control-plane/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/tyk-control-plane/Chart.lock b/tyk-control-plane/Chart.lock new file mode 100644 index 00000000..51ec353f --- /dev/null +++ b/tyk-control-plane/Chart.lock @@ -0,0 +1,21 @@ +dependencies: +- name: tyk-gateway + repository: file://../components/tyk-gateway + version: 1.2.0 +- name: tyk-pump + repository: file://../components/tyk-pump + version: 1.2.0 +- name: tyk-dashboard + repository: file://../components/tyk-dashboard + version: 1.0.0 +- name: tyk-bootstrap + repository: file://../components/tyk-bootstrap + version: 1.0.0 +- name: tyk-mdcb + repository: file://../components/tyk-mdcb + version: 1.0.0-beta1 +- name: tyk-dev-portal + repository: file://../components/tyk-dev-portal + version: 1.0.0 +digest: sha256:5245e9050edc9be75cb9e6201daa0fa8622a6b7f6912e2582c825023b03e4ba2 +generated: "2024-01-17T15:44:19.948207+03:00" 
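Review bot: The comment block above `mdcb.svcPort` is a verbatim copy of the one above `mdcb.proto` ("HTTP Protocol that is used by Tyk MDCB. At the moment, TLS is not supported."), so the new port helper is documented as if it were the protocol. Replace it with `{{/* Service port of the Tyk MDCB Service, read from .Values.mdcb.service.port. */}}`. Because `mdcb.proto` returns a fixed `http`, any URL assembled from these two helpers is plaintext; if the MDCB chart later gains a TLS switch, that condition belongs in `mdcb.proto` so every caller changes together (the callers are outside this hunk, so this is inferred). The two unchanged `{{- end -}}` context lines at the top of the hunk close definitions that start outside it.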
diff --git a/tyk-control-plane/Chart.yaml b/tyk-control-plane/Chart.yaml
new file mode 100644
index 00000000..7ac2793f
--- /dev/null
+++ b/tyk-control-plane/Chart.yaml
@@ -0,0 +1,55 @@
+apiVersion: v2
+name: tyk-control-plane
+version: 1.0.0-beta1
+description: |
+ A Helm chart for deploying Tyk Control Plane on a cluster.
+ It will deploy all required Tyk components with the settings provided in the values.yaml file.
+ It includes:
+ Tyk Gateway, an open source Enterprise API Gateway (supporting REST, GraphQL, TCP and gRPC protocols).
+ Tyk Pump, an analytics purger that moves the data generated by your Tyk nodes to any back-end.
+ Tyk Dashboard, a license based component that provides GUI management interface and analytics platform for Tyk.
+ Tyk Developer Enterprise Portal, a full-fledged CMS-like system for API providers to publish, monetise and drive the adoption of APIs.
+ Tyk MDCB, a license based component that performs management and synchronisation of distributed clusters of Tyk API Gateways.
+icon: https://tyk.io/wp-content/uploads/2023/11/Tyk-helm-icon-02.png
+type: application
+home: https://tyk.io/
+sources:
+ - https://github.com/TykTechnologies/tyk-charts/tree/main/tyk-control-plane
+keywords:
+ - api gateway
+ - reverse proxy
+ - api management
+ - tyk
+ - tyk stack
+ - tyk self managed
+ - apis
+ - api developer portal
+ - mdcb
+dependencies:
+ - name: tyk-gateway
+ version: 1.2.0
+ repository: file://../components/tyk-gateway
+ - name: tyk-pump
+ version: 1.2.0
+ repository: file://../components/tyk-pump
+ condition: global.components.pump
+ - name: tyk-dashboard
+ version: 1.0.0
+ repository: file://../components/tyk-dashboard
+ - name: tyk-bootstrap
+ version: 1.0.0
+ repository: file://../components/tyk-bootstrap
+ - name: tyk-mdcb
+ version: 1.0.0-beta1
+ repository: file://../components/tyk-mdcb
+ - name: tyk-dev-portal
+ version: 1.0.0
+ repository: file://../components/tyk-dev-portal
+ condition: global.components.devPortal
+annotations:
+ artifacthub.io/category: networking
+ artifacthub.io/links: |
+ - name: docs
+ url: https://tyk.io/docs/
+ - name: support
+ url: https://community.tyk.io/
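Review bot: `tyk-bootstrap` is declared without a `condition:`, so unlike `tyk-pump` and `tyk-dev-portal` it is always rendered with the release, yet the component table added to `tyk-control-plane/README.md` in this same commit lists only Gateway, Dashboard, MDCB, Pump and Developer Portal. Either add a `condition:` keyed on the values flag that toggles dashboard bootstrapping (the README's "If Tyk Dashboard bootstrapping is enabled" wording suggests such a flag exists, but it is not visible here) or add a `| Tyk Bootstrap | true | n/a |` row to that table so operators know a bootstrap job creating the admin user runs by default. Minor: `description: |` keeps a trailing newline in the chart description; `|-` would drop it.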
diff --git a/tyk-control-plane/README.md b/tyk-control-plane/README.md
new file mode 100644
index 00000000..b890c1c1
--- /dev/null
+++ b/tyk-control-plane/README.md
@@ -0,0 +1,777 @@ +## Tyk Control Plane + +`tyk-control-plane` provides the default deployment of Tyk Control Plane on a Kubernetes cluster. +It will deploy all required Tyk components with the settings provided in the `values.yaml` file. + +It includes: +- Tyk Gateway, an Open Source Enterprise API Gateway (supporting REST, GraphQL, TCP and gRPC protocols). +- Tyk Dashboard, a license based component that provides a graphical management interface and analytics platform for Tyk. +- Tyk MDCB, a license based component that performs management and synchronisation of distributed clusters of Tyk API Gateways. +- Tyk Pump, an analytics purger that moves the data generated by your Tyk nodes to any back-end. Furthermore, it has all the required modifications to easily connect to Tyk Cloud or Multi Data Center (MDCB) control plane. +- Tyk Enterprise Developer Portal, a full-fledged CMS-like system for API providers to publish, monetise and drive the adoption of APIs. + +## Introduction + +By default, this chart installs following components as subcharts on a [Kubernetes](https://kubernetes.io/) cluster using the [Helm](https://helm.sh/) package manager. + +| Component | Enabled by Default | Flag | +|---------------------------------|--------------------|-----------------------------| +| Tyk Gateway | true | n/a | +| Tyk Dashboard | true | n/a | +| Tyk MDCB | true | n/a | +| Tyk Pump | false | global.components.pump | +| Tyk Enterprise Developer Portal | false | global.components.devPortal | + +To enable or disable each component, change the corresponding enabled flag. + +Also, you can set the version of each component through `image.tag`. You could find the list of version tags available from [Docker hub](https://hub.docker.com/u/tykio). + +## Prerequisites + +* [Kubernetes 1.19+](https://kubernetes.io/docs/setup/) +* [Helm 3+](https://helm.sh/docs/intro/install/) +* [Redis](https://redis.io) should already be installed or accessible by the gateway. 
+* [MongoDB](https://www.mongodb.com) or [PostgreSQL](https://www.postgresql.org) should already be installed or accessible by the gateway. + +## Installing the Chart + +To install the chart from Git repository in namespace `tyk` with the release name `tyk-control-plane`: +```bash +helm repo add tyk-helm https://helm.tyk.io/public/helm/charts/ +helm repo update +helm show values tyk-helm/tyk-control-plane --devel > values.yaml +``` + +At a minimum, modify `values.yaml `for the following settings: +1. [Set Redis connection details](#set-redis-connection-details-required) +2. [Set Mongo or PostgresSQL connection details](#set-mongo-or-postgressql-connection-details-required) +3. [Tyk Dashboard License](#tyk-dashboard-license-required) +4. [Tyk MDCB License](#tyk-mdcb-license-required) + +If you would like to use Enterprise Developer Portal, additional license is required: + +5. [Enterprise Developer Portal License](#tyk-developer-enterprise-portal-license-required) + +Then just run: +```bash +helm install tyk-control-plane tyk-helm/tyk-control-plane -n tyk --create-namespace -f values.yaml --devel +``` + +## Uninstalling the Chart + +```bash +helm uninstall tyk-control-plane -n tyk +``` +This removes all the Kubernetes components associated with the chart and deletes the release. + +## Upgrading Chart + +```bash +helm upgrade tyk-control-plane tyk-helm/tyk-control-plane -n tyk -f values.yaml --devel +``` + +_Note: Upgrading from tyk-pro chart_ + +If you were using `tyk-pro` chart for existing release, you cannot upgrade directly. Please modify the values.yaml base on your requirements and install using the new `tyk-control-plane` chart. + +## Configuration + +To get all configurable options with detailed comments: + +```bash +helm show values tyk-helm/tyk-control-plane --devel > values.yaml +``` + +You can update any value in your local `values.yaml` file and use `-f [filename]` flag to override default values during installation. 
+Alternatively, you can use `--set` flag to set it in Tyk installation. See [Using Helm](https://helm.sh/docs/intro/using_helm/) for examples. + +### Set Redis connection details (Required) + +Tyk uses Redis for distributed rate-limiting and token storage. You may set `global.redis.addr` and `global.redis.pass` with redis connection +string and password respectively. + +If you do not already have Redis installed, you may use these charts provided by Bitnami + +```bash +helm repo add bitnami https://charts.bitnami.com/bitnami +helm install tyk-redis bitnami/redis -n tyk --create-namespace --set image.tag=6.2.13 +``` + +Follow the notes from the installation output to get connection details and password. The DNS name of your Redis as set by Bitnami is +`tyk-redis-master.tyk.svc:6379` (Tyk needs the name including the port) + +### Set MongoDB or PostgresSQL connection details (Required) +If you have already installed Mongo/PostgresSQL, you can set the connection details in `global.mongo` and `global.postgres` section of values file respectively. + +If not, you can use these rather excellent charts provided by Bitnami to install mongo/postgres: + +#### Mongo Installation + +```bash +helm install tyk-mongo bitnami/mongodb --version {HELM_CHART_VERSION} --set "replicaSet.enabled=true" -n tyk +``` + +(follow notes from the installation output to get connection details and update them in `values.yaml` file) + +> [!NOTE] +[Here is](https://tyk.io/docs/planning-for-production/database-settings/) list of supported MongoDB versions. +Please make sure you are installing mongo helm chart that matches these version. + +> [!NOTE] +> Important Note regarding MongoDB: +> This helm chart enables the PodDisruptionBudget for MongoDB with an arbiter replica-count of 1. +> If you intend to perform system maintenance on the node where the MongoDB pod is running and this maintenance requires +> for the node to be drained, this action will be prevented due the replica count being 1. 
+> Increase the replica count in the helm chart deployment to a minimum of 2 to remedy this issue. + +```yaml +global: + # Set mongo connection details if you want to configure mongo pump. + mongo: + # The mongoURL value will allow you to set your MongoDB address. + # Default value: mongodb://mongo.{{ .Release.Namespace }}.svc:27017/tyk_analytics + # mongoURL: mongodb://mongo.tyk.svc:27017/tyk_analytics + # If your MongoDB has a password you can add the username and password to the url + # mongoURL: mongodb://root:pass@tyk-mongo-mongodb.tyk.svc:27017/tyk_analytics?authSource=admin + mongoURL: + + # mongo-go driver is supported for Tyk 5.0.2+. + # We recommend using the mongo-go driver if you are using MongoDB 4.4.x+. + # For MongoDB versions prior to 4.4, please use the mgo driver. + driver: mgo + + # Enables SSL for MongoDB connection. MongoDB instance will have to support that. + # Default value: false + # useSSL: false +``` + +#### PostgresSQL Installation +```bash +helm install tyk-postgres bitnami/postgresql --set "auth.database=tyk_analytics" -n tyk +``` + +Follow the notes from the installation output to get connection details. + +>NOTE: Please make sure you are installing Mongo/Postgres versions that are supported by Tyk. Please refer to Tyk docs to get list of [supported versions](https://tyk.io/docs/tyk-dashboard/database-options/). + +```yaml +global: + # Postgres connection string parameters. + postgres: + # host corresponds to the host name of postgres + host: tyk-postgres-postgresql.tyk.svc + # port corresponds to the port of postgres + port: 5432 + # user corresponds to the user of postgres + user: postgres + # password corresponds to the password of the given postgres user in selected database + password: + # database corresponds to the database to be used in postgres + database: tyk_analytics + # sslmode corresponds to if postgres runs in sslmode (https) + sslmode: disable + # Connection string can also be set using a secret. 
Provide the name of the secret and key below. + # connectionStringSecret: + # name: "" + # keyName: "" +``` + + +### Protect Confidential Fields with Kubernetes Secrets + +In the `values.yaml` file, some fields are considered confidential, such as `APISecret`, connection strings, etc. +Declaring values for such fields as plain text might not be desired for all use cases. Instead, for certain fields, +Kubernetes secrets can be referenced, and the chart will +[define container environment variables using Secret data](https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#define-container-environment-variables-using-secret-data). + +This section describes how to use Kubernetes secrets to declare confidential fields. + +#### Tyk Dashboard Admin + +If Tyk Dashboard bootstrapping is enabled, Tyk Dashboard admin user will be created according to the `global.adminUser` field. + +All admin credentials can also be set through Kubernetes secret. + +> [!NOTE] +> Once `global.adminUser.useSecretName` is declared, it takes precedence over `global.adminUser.firstName`, +> `global.adminUser.lastName`, `global.adminUser.email` and `global.adminUser.password`. + +> [!WARNING] +> If `global.adminUser.useSecretName` is in use, please add all keys mentioned below to the secret. + +##### Admin First Name + +It can be configured via `global.adminUser.firstName` as a plain text or Kubernetes secret which includes `adminUserFirstName` key +in it. Then, this secret must be referenced via `global.adminUser.useSecretName`. + + +##### Admin Last Name + +It can be configured via `global.adminUser.lastName` as a plain text or Kubernetes secret which includes `adminUserLastName` key +in it. Then, this secret must be referenced via `global.adminUser.useSecretName`. + +##### Admin Email + +It can be configured via `global.adminUser.email` as a plain text or Kubernetes secret which includes `adminUserEmail` key +in it. 
Then, this secret must be referenced via `global.adminUser.useSecretName`. + + +##### Admin Password + +It can be configured via `global.adminUser.password` as a plain text or Kubernetes secret which includes `adminUserPassword` key +in it. Then, this secret must be referenced via `global.adminUser.useSecretName`. + +#### APISecret + +The `global.secrets.APISecret` field configures a [header value](https://tyk.io/docs/tyk-oss-gateway/configuration/#secret) used in every interaction with Tyk Gateway API. + +It can be configured via `global.secrets.APISecret` as a plain text or Kubernetes secret which includes `APISecret` key +in it. Then, this secret must be referenced via `global.secrets.useSecretName`. + +```yaml +global: + secrets: + APISecret: CHANGEME + useSecretName: "mysecret" # where mysecret includes `APISecret` key with the desired value. +``` + +#### AdminSecret + +The `global.secrets.AdminSecret` field sets a [secret](https://tyk.io/docs/tyk-dashboard/configuration/#admin_secret) for Admin API. + +It can be configured via `global.secrets.AdminSecret` as a plain text or Kubernetes secret which includes `AdminSecret` +key in it. Then, this secret must be referenced via `global.secrets.useSecretName`. + +```yaml +global: + secrets: + useSecretName: "mysecret" # where mysecret includes `useSecretName` key with the desired value. +``` + +> [!NOTE] +> Once `global.secrets.useSecretName` is declared, it takes precedence over `global.secrets.APISecret` and `global.secrets.AdminSecret`. + +#### Dashboard License + +In order to refer Tyk Dashboard license through Kubernetes secret, please use `global.secrets.useSecretName`, where +the secret should contain a key called `DashLicense`. + +#### Tyk Developer Enterprise Portal License + +In order to refer Tyk Enterprise Developer Portal license through Kubernetes secret, please use +`tyk-dev-portal.useSecretName`, where the secret should contain a key called `DevPortalLicense`. 
+ +#### Tyk Developer Enterprise Portal Admin Password + +In order to refer Tyk Enterprise Developer Portal's admin password through Kubernetes secret, +please use `global.adminUser.useSecretName`, where the secret should contain a key called `adminUserPassword`. + +#### Tyk Developer Enterprise Portal Storage Connection String + +In order to refer Tyk Enterprise Developer Portal connection string to the selected database through Kubernetes secret, +please use `tyk-dev-portal.useSecretName`, where the secret should contain a key called +`DevPortalStorageConnectionString`. + +> [!WARNING] +> If `tyk-dev-portal.useSecretName` is in use, please add all keys mentioned to the secret. + +#### Tyk Enterprise Developer Portal AWS S3 Access Key ID + +In order to refer Tyk Enterprise Developer Portal AWS S3 Access Key ID through Kubernetes secret, +please use `tyk-dev-portal.useSecretName`, where the secret should contain a key called +`DevPortalAwsAccessKeyId`. + +> [!WARNING] +> If `tyk-dev-portal.useSecretName` is in use, please add all keys mentioned to the secret. + +#### Tyk Enterprise Developer Portal AWS S3 Secret Access Key + +In order to refer Tyk Enterprise Developer Portal connection string to the selected database through Kubernetes secret, +please use `tyk-dev-portal.useSecretName`, where the secret should contain a key called +`DevPortalAwsSecretAccessKey`. + +> [!WARNING] +> If `tyk-dev-portal.useSecretName` is in use, please add all keys mentioned to the secret. + +#### Redis Password + +Redis password can also be provided via a secret. Store Redis password in Kubernetes secret and refer to this secret +via `global.redis.passSecret.name` and `global.redis.passSecret.keyName` field, as follows: + +```yaml +global: + redis: + passSecret: + name: "yourSecret" + keyName: "redisPassKey" +``` + +#### MongoDB or Postgres connection strings + +Storage connection strings can also be provided via a secret. 
Store the connection string in Kubernetes secret and +refer to this secret via `global.{mongo,postgres}.connectionURLSecret.name` and `global.{mongo,postgres}.connectionURLSecret.keyName` field, +as follows: + +- MongoDB: +```yaml +global: + mongo: + connectionURLSecret: + name: "yourSecret" + keyName: "redisPassKey" +``` + +- Postgres: +```yaml +global: + postgres: + connectionURLSecret: + name: "yourSecret" + keyName: "redisPassKey" +``` + +### Gateway Configurations + +Configure below inside `tyk-gateway` section. + +#### Enabling TLS + +*Enable TLS* + +We have provided an easy way to enable TLS via the `global.tls.gateway` flag. Setting this value to true will +automatically enable TLS using the certificate provided under tyk-gateway/certs/. + +*Configure TLS secret* + +If you want to use your own key/cert pair, please follow the following steps: +1. Create a TLS secret using your cert and key pair. +2. Set `global.tls.gateway` to true. +3. Set `tyk-gateway.gateway.tls.useDefaultTykCertificate` to false. +4. Set `tyk-gateway.gateway.tls.secretName` to the name of the newly created secret. + +*Add Custom Certificates* + +To add your custom Certificate Authority(CA) to your containers, you can mount your CA certificate directly into /etc/ssl/certs folder. + +```yaml + extraVolumes: + - name: self-signed-ca + secret: + secretName: self-signed-ca-secret + extraVolumeMounts: + - name: self-signed-ca + mountPath: "/etc/ssl/certs/myCA.pem" + subPath: myCA.pem +``` + +#### Enable gateway autoscaling +You can enable autoscaling of the gateway by `--set tyk-gateway.gateway.autoscaling.enabled=true`. By default, it will enable `Horizontal Pod Autoscaler` resource with target average CPU utilisation at 60%, scaling between 1 and 3 instances. 
To customize those values you can modify below section of `values.yaml`: + +```yaml +tyk-gateway: + gateway: + autoscaling: + enabled: true + minReplicas: 3 + maxReplicas: 30 +``` + +Built-in rules include `tyk-gateway.gateway.autoscaling.averageCpuUtilization` for CPU utilization (set by default at 60%) and `tyk-gateway.gateway.autoscaling.averageMemoryUtilization` for memory (disabled by default). In addition to that you can define rules for custom metrics using `tyk-gateway.gateway.autoscaling.autoscalingTemplate` list: + +```yaml +tyk-gateway: + gateway: + autoscaling: + autoscalingTemplate: + - type: Pods + pods: + metric: + name: nginx_ingress_controller_nginx_process_requests_total + target: + type: AverageValue + averageValue: 10000m +``` + +#### Accessing Gateway + +*Service port* + +Default service port of gateway is 8080. You can change this at `global.servicePorts.gateway`. + +*Ingress* + +An Ingress resource is created if `tyk-gateway.gateway.ingress.enabled` is set to true. + +```yaml + ingress: + # if enabled, creates an ingress resource for the gateway + enabled: true + + # specify ingress controller class name + className: "" + + # annotations for ingress + annotations: {} + + # ingress rules + hosts: + - host: tyk-gw.local + paths: + - path: / + pathType: ImplementationSpecific + + # tls configuration for ingress + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + tls: [] +``` + +*Control Port* + +Set `tyk-gateway.gateway.control.enabled` to true will allow you to run the [Gateway API]({{}}) on a separate port and protect it behind a firewall if needed. + +#### Sharding + +Configure the gateways to load APIs with specific tags only by enabling `tyk-gateway.gateway.sharding.enabled`, and set `tags` to comma separated lists of matching tags. + +```yaml + # Sharding gateway allows you to selectively load APIs to specific gateways. + # If enabled make sure you have at least one gateway that is not sharded. 
+ # Also be sure to match API segmentation tags with the tags selected below. + sharding: + enabled: true + tags: "edge,dc1,product" +``` + +#### Deploy additional gateway groups + +`tyk-control-plane` chart manages one Gateway Deployment in the same namespace as Tyk Dashboard. +You can flexibly deploy additional gateways using `tyk-data-plane` umbrella chart. +With gateway sharding, it is useful for: +- Deploy Gateways in different networks, +- Deploy Gateways with different resources and autoscaling parameters, +- Allow different teams to manage their own Gateway instances in their own namespace. + +Here is an example configuration for `tyk-data-plane` `values.yaml`. +```yaml +global: + redis: + addrs: + - tyk-redis-master.tyk.svc:6379 # New Gateway groups should connect to the same Redis + pass: "xxxxxxx" + +tyk-gateway: + gateway: + # If this option is set to true, it will enable polling the Tyk Dashboard service for API definitions + useDashboardAppConfig: + enabled: true + # Set it to the URL to your Dashboard instance (or a load balanced instance) + # The URL needs to be formatted as: http://dashboard_host:port + # It is used to set TYK_GW_DBAPPCONFOPTIONS_CONNECTIONSTRING + dashboardConnectionString: "http://dashboard-svc-tyk-control-plane-tyk-dashboard.tyk.svc:3000" + + # This option is required if Policy source is set to Tyk Dashboard (`service`). + # Set this to the URL of your Tyk Dashboard installation. + # The URL needs to be formatted as: http://dashboard_host:port. + # It is used to set TYK_GW_POLICIES_POLICYCONNECTIONSTRING + policyConnectionString: "http://dashboard-svc-tyk-control-plane-tyk-dashboard.tyk.svc:3000" + + ... + + # Sharding gateway allows you to selectively load APIs to specific gateways. + # If enabled make sure you have at least one gateway that is not sharded. + # Also be sure to match API segmentation tags with the tags selected below. + sharding: + enabled: true + tags: "gw-dmz" + + ... 
+ + # analyticsEnabled property is used to enable/disable analytics. + # If set to empty or nil, analytics will be enabled/disabled based on `global.components.pump`. + analyticsEnabled: "true" + + # used to decide whether to send the results back directly to Tyk without a hybrid pump + # if you want to send analytics to control plane instead of pump, change analyticsConfigType to "rpc" + analyticsConfigType: "" +``` + +Run the following command to deploy additional Gateways in namespace `another-namespace`. +```bash +helm install worker-gateway tyk-helm/tyk-data-plane --namespace another-namespace -f values.yaml +``` + +#### OpenTelemetry +To enable OpenTelemetry for Gateway set `gateway.opentelemetry.enabled` flag to true. It is disabled by default. + +You can also configure connection settings for it's exporter. By default `grpc` exporter is enabled on `localhost:4317` endpoint. + +To enable TLS settings for the exporter, you can set `gateway.opentelemetry.tls.enabled` to true. + +### Pump Configurations + +To enable Pump, set `global.components.pump` to true, and configure below inside `tyk-pump` section. + + + +| Pump | Configuration | +|---------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------| +| Prometheus Pump (Default) | Add the value `prometheus` to the `tyk-pump.pump.backend` entry, and add connection details for Prometheus under `tyk-pump.pump.prometheusPump`. | +| Mongo Pump | Add `mongo` to `tyk-pump.pump.backend`, and add connection details for mongo under `global.mongo`. | +| Mongo Selective Pump | Add `mongo-selective` to `tyk-pump.pump.backend`, and add connection details for mongo under `global.mongo`. | +| Mongo Aggregate Pump | Add `mongo-aggregate` to `tyk-pump.pump.backend`, and add connection details for mongo under `global.mongo`. 
| +| Postgres Pump | Add `postgres` to `tyk-pump.pump.backend`, and add connection details for postgres under `global.postgres`. | +| Postgres Aggregate Pump | Add `postgres-aggregate` to `tyk-pump.pump.backend`, and add connection details for postgres under `global.postgres`. | +| Uptime Pump | Set `tyk-pump.pump.uptimePumpBackend` to `mongo` or `postgres` or `""` | +| Other Pumps | Add the required environment variables in `tyk-pump.pump.extraEnvs` | + +> [!NOTE] +> For additional information on Tyk Pump configurations, refer to the +[Setup Dashboard Analytics](https://tyk.io/docs/tyk-pump/tyk-pump-configuration/tyk-pump-dashboard-config/) documentation. + +> To explore the list of supported backends for Tyk Pump, please visit https://tyk.io/docs/tyk-stack/tyk-pump/other-data-stores/. + +#### Prometheus Pump +Add `prometheus` to `tyk-pump.pump.backend`, and add connection details for Prometheus under `tyk-pump.pump.prometheusPump`. + +We also support monitoring using Prometheus Operator. All you have to do is set `tyk-pump.pump.prometheusPump.prometheusOperator.enabled` to true. + +This will create a _PodMonitor_ resource for your Pump instance. + +```yaml + # prometheusPump configures Tyk Pump to expose Prometheus metrics. + # Please add "prometheus" to .Values.pump.backend in order to enable Prometheus Pump. + prometheusPump: + # host represents the host without port, where Tyk Pump serve the metrics for Prometheus. + host: "" + # port represents the port where Tyk Pump serve the metrics for Prometheus. + port: 9090 + # path represents the path to the Prometheus collection. For example /metrics. + path: /metrics + # customMetrics allows defining custom Prometheus metrics for Tyk Pump. + # It accepts a string that represents a JSON object. 
For instance, + # + # customMetrics: '[{"name":"tyk_http_requests_total","description":"Total of API requests","metric_type":"counter","labels":["response_code","api_name","method","api_key","alias","path"]}, { "name":"tyk_http_latency", "description":"Latency of API requests", "metric_type":"histogram", "labels":["type","response_code","api_name","method","api_key","alias","path"] }]' + customMetrics: "" + # If you are using prometheus Operator, set the fields in the section below. + prometheusOperator: + # enabled determines whether the Prometheus Operator is in use or not. By default, + # it is disabled. + # Tyk Pump can be monitored with PodMonitor Custom Resource of Prometheus Operator. + # If enabled, PodMonitor resource is created based on .Values.pump.prometheusPump.prometheusOperator.podMonitorSelector + # for Tyk Pump. + enabled: false + # podMonitorSelector represents a podMonitorSelector of your Prometheus resource. So that + # your Prometheus resource can select PodMonitor objects based on selector defined here. + # Please set this field to the podMonitorSelector field of your monitoring.coreos.com/v1 + # Prometheus resource's spec. + # + # You can check the podMonitorSelector via: + # kubectl describe prometheuses.monitoring.coreos.com + podMonitorSelector: + release: prometheus-stack +``` + +#### Mongo pump +If you are using the MongoDB pumps in the tyk-control-plane installation you will require MongoDB installed for that as well. + +To install MongoDB you can use these rather excellent charts provided by Bitnami, +as described in [Set MongoDB or PostgresSQL connection details (Required)](#set-mongodb-or-postgressql-connection-details--required-) section. + +After installing MongoDB, add `mongo` to `tyk-pump.pump.backend` field. + +#### SQL pump +If you are using the SQL pumps in the tyk-control-plane installation you will require PostgreSQL installed for that as well. 
+ +To install PostgreSQL you can use these rather excellent charts provided by Bitnami, +as described in [Set MongoDB or PostgresSQL connection details (Required)](#set-mongodb-or-postgressql-connection-details--required-) section. + +After installing PostgreSQL, add `postgres` to `tyk-pump.pump.backend` field. + +#### Uptime Pump +Uptime Pump can be configured by setting `pump.uptimePumpBackend` in values.yaml file. It supports following values +1. mongo: Used to set mongo pump for uptime analytics. Mongo Pump should be enabled. +2. postgres: Used to set postgres pump for uptime analytics. Postgres Pump should be enabled. +3. empty: Used to disable uptime analytics. + +```yaml + # uptimePumpBackend configures uptime Tyk Pump. ["", "mongo", "postgres"]. + # Set it to "" for disabling uptime Tyk Pump. By default, uptime pump is disabled. + uptimePumpBackend: "" +``` + +#### Other Pumps +To set up other backends for pump, refer to this [document](https://github.com/TykTechnologies/tyk-pump/blob/master/README.md#pumps--back-ends-supported) and add the required environment variables in `pump.extraEnvs` + +### Tyk Dashboard Configurations + +#### Tyk Dashboard License (Required) + +Tyk Dashboard License is required. It can be set up in `global.license.dashboard` or through secret `global.secrets.useSecretName`. The secret should contain a key called DashLicense. + +```yaml +global: + license: + # The license key needed by Tyk Dashboard to work. + # + # NOTE: If you do not want to store license as a plain text in the file, you can use a Kubernetes secret + # that stores the dashboard license. Please see `.global.secrets.useSecretName`. + dashboard: "" +``` + +#### Enabling Dashboard TLS + +Assuming that TLS certificates for the Tyk Dashboard are available in the Kubernetes Secret `tyk-dashboard-tls`, +follow these steps to enable TLS: + +1. Set `global.tls.dashboard` to `true`. +2. 
Set `tyk-dashboard.dashboard.tls.secretName` to the name of the Kubernetes secret containing TLS certificates for the Tyk Dashboard, in this case, `tyk-dashboard-tls`. +3. Define certificate configurations in `tyk-dashboard.dashboard.tls.certificates`, which generates `TYK_DB_HTTPSERVEROPTIONS_CERTIFICATES` for the Tyk Dashboard. + +> Optional Steps, if needed: +> +> - Modify the secret mount path on the Tyk Dashboard Pod via `tyk-dashboard.dashboard.tls.certificatesMountPath`. +> - If necessary, either enable `insecureSkipVerify` via `tyk-dashboard.dashboard.tls.certificates`, or mount CA information through `tyk-dashboard.dashboard.extraVolumes` and `tyk-dashboard.dashboard.extraVolumeMounts`. +> - If the `tyk-bootstrap` chart is used to bootstrap the Tyk Dashboard, ensure that it has certificates to send requests to the Tyk Dashboard or enable `insecureSkipVerify` in the `tyk-bootstrap` chart. +> - If the Tyk Gateway connects to the Tyk Dashboard, confirm that the Tyk Gateway has appropriate certificates for connecting to the Tyk Dashboard + +### Tyk MDCB Configurations + +#### Tyk MDCB License (Required) + +Tyk MDCB requires a license to be set at `tyk-mdcb.mdcb.license`. This field is mandatory and must be configured. + +To enhance security and avoid storing plaintext values for the MDCB license directly in the Helm value file, +an alternative approach is available. You can store the license in a Kubernetes Secret and reference it externally. +Set the license in the Kubernetes Secret and provide the secret's name through `tyk-mdcb.mdcb.useSecretName`. +The Secret must contain a key named `MDCBLicense`. + +#### Tyk MDCB Listen Port + +The `tyk-mdcb.mdcb.listenPort` field represents a RPC port which worker Tyk Gateways will connect to. +Setting `tyk-mdcb.mdcb.listenPort` field opens a port on MDCB container and MDCB service targets this port. 
+It is used to set `TYK_MDCB_LISTENPORT` + +#### Tyk MDCB Health Check Port +The health check port for Tyk MDCB can be configurable via `tyk-mdcb.mdcb.probes.healthCheckPort` field. +This port lets MDCB allow standard health checks. + +It also defines the path for liveness and readiness probes. +It is used to set TYK_MDCB_HEALTHCHECKPORT + + +### Tyk Bootstrap + +To enable bootstrapping, set `global.components.bootstrap` to `true`. +It would run [tyk-k8s-bootstrap](https://github.com/TykTechnologies/tyk-k8s-bootstrap) to bootstrap `tyk-control-plane` +and to create Kubernetes secrets that can be utilized in Tyk Operator and Tyk Enterprise Developer Portal. + +#### Bootstrapped Environments + +If Tyk is already bootstrapped, the application will bypass the creation of the Tyk Organization and Admin User, proceeding directly with the creation of Kubernetes Secrets. + +Given that the Kubernetes Secrets require values for `TYK_AUTH` and `TYK_ORG`, it is essential to provide these values through the respective environment variables, called `TYK_K8SBOOTSTRAP_TYK_ADMIN_AUTH` for `TYK_AUTH` and `TYK_K8SBOOTSTRAP_TYK_ORG_ID` for `TYK_ORG`. + +Ensure that these environment variables are set appropriately to `postInstall` hook for bootstrapped environments. + +### Tyk Developer Enterprise Portal Configurations + +To enable Tyk Enterprise Developer Portal, set `global.components.devPortal` to true, and configure below inside `tyk-dev-portal` section. + +#### Tyk Developer Enterprise Portal License (Required) + +Tyk Enterprise Developer Portal License is required. It can be set up in `tyk-dev-portal.license` or through secret `global.secrets.useSecretName`. The secret should contain a key called `DevPortalLicense`. + +```yaml +tyk-dev-portal: + # Tyk Developer Portal license. + license: "" +``` + +#### Tyk Enterprise Developer Portal Database + +By default, Tyk Enterprise Developer Portal use `sqlite3` to store portal metadata. 
If you want to use other SQL Database, please modify the section below. + +```yaml +tyk-dev-portal: + database: + # This selects the SQL dialect to be used + # The supported values are mysql, postgres and sqlite3 + dialect: "sqlite3" + connectionString: "db/portal.db" + enableLogs: false + maxRetries: 3 + retryDelay: 5000 +``` + +#### Storage Settings + +Tyk Enterprise Developer Portal supports different storage options for storing the portal's CMS assets such as images, theme files and Open API Specification files. Please see the [Enterprise Developer Portal Storage settings](https://tyk.io/docs/tyk-stack/tyk-developer-portal/enterprise-developer-portal/install-tyk-enterprise-portal/configuration#portal-settings) page for all the available options. + +If you use the file system as storage, please set `tyk-dev-portal.storage.type` to `fs`, and configure `tyk-dev-portal.storage.persistence` to mount an existing persistent volume to Tyk Enterprise Developer Portal. + +If you use [AWS S3](https://aws.amazon.com/s3/) as storage, please set `tyk-dev-portal.storage.type` to `s3`, and configure `tyk-dev-portal.storage.s3` section with credentials to access AWS S3 bucket. + +If you use database as storage, please set `tyk-dev-portal.storage.type` to `db`, and configure `tyk-dev-portal.database` section with database connection details. + +```yaml +tyk-dev-portal: + # Sensitive configuration of Portal could be set using k8s secret + # You can set following fields: + # - DevPortalLicense - Sets LicenseKey for Developer Portal + # - DevPortalStorageConnectionString - Sets connectionString for Developer Portal + # - DevPortalAwsAccessKeyId - Sets AWS S3 Access Key ID + # - DevPortalAwsSecretAccessKey - Sets AWS S3 Secret Access Key + useSecretName: "" + # The hostname to bind the Developer Portal to. + hostName: tyk-dev-portal.org + # Developer Portal license. 
+ license: "" + # Developer portal can be deployed as StatefulSet or as Deployment + kind: StatefulSet + storage: + # User can set the storage type for portal. + # Supported types: fs, s3, db + type: "db" + # Configuration values for using s3 as storage for Tyk Developer Portal + # In case you want to provide the key ID and access key via secrets please + # refer to the existing secret inside the helm chart or the + # .Values.useSecretName field + s3: + awsAccessKeyid: your-access-key + awsSecretAccessKey: your-secret-key + region: sa-east-1 + endpoint: https://s3.sa-east-1.amazonaws.com + bucket: your-portal-bucket + acl: private + presign_urls: true + persistence: + mountExistingPVC: "" + storageClass: "" + accessModes: + - ReadWriteOnce + size: 8Gi + annotations: {} + labels: {} + selector: {} + database: + # This selects the SQL dialect to be used + # The supported values are mysql, postgres and sqlite3 + dialect: "sqlite3" + connectionString: "db/portal.db" + enableLogs: false + maxRetries: 3 + retryDelay: 5000 +``` + +#### Other Configurations + +Other [Enterprise Developer Portal configurations](https://tyk.io/docs/tyk-stack/tyk-developer-portal/enterprise-developer-portal/install-tyk-enterprise-portal/configuration) can be set by using environment variables with `extraEnvs` fields, e.g.: + +```yaml +tyk-dev-portal: + extraEnvs: + - name: PORTAL_LOG_LEVEL + value: debug +``` diff --git a/tyk-control-plane/templates/NOTES.txt b/tyk-control-plane/templates/NOTES.txt new file mode 100644 index 00000000..375e3cee --- /dev/null +++ b/tyk-control-plane/templates/NOTES.txt 
@@ -0,0 +1,89 @@
+Thank you for installing Tyk Control Plane Chart. Your release is named {{ .Release.Name }}.
+
+NOTE:
+{{- $tykApiPort := include "tyk-control-plane.gwServicePort" . -}}
+{{- if index .Values "tyk-dashboard" "dashboard" "tykApiHost" }}
+ Tyk Dashboard connects to Tyk Gateway at {{ index .Values "tyk-dashboard" "dashboard" "tykApiHost" }} over port {{ $tykApiPort }} for key management functions.
+{{- else }}
+ Tyk Dashboard connects to Tyk Gateway at {{ (include "tyk-dashboard.gw_proto" (index .Subcharts "tyk-dashboard")) }}://{{ (include "tyk-dashboard.gateway_host" (index .Subcharts "tyk-dashboard")) }} over port {{ $tykApiPort }} for key management functions.
+{{- end }}
+ Please double check if Tyk Gateway runs on this address. If not, Tyk Gateway host and Tyk Gateway port can be overridden
+ through .tyk-dashboard.dashboard.tykApiHost and .global.servicePorts.gateway fields respectively in values.yaml.
+
+{{ if index .Values "tyk-gateway" "gateway" "control" "enabled" }}
+{{- $gwSvcName := printf "gateway-control-svc-%v" (include "tyk-gateway.fullname" (index .Subcharts "tyk-gateway")) -}}
+To quickly test everything is ok, you can port-forward Tyk Gateway pod:
+ kubectl port-forward --namespace {{ .Release.Namespace }} service/{{ $gwSvcName }} {{ index .Values "tyk-gateway" "gateway" "control" "port" }}:{{ index .Values "tyk-gateway" "gateway" "control" "containerPort" }}
+ curl localhost:{{ index .Values "tyk-gateway" "gateway" "control" "port" }}/hello
+{{- else }}
+{{- $gwSvcName := printf "gateway-svc-%v" (include "tyk-gateway.fullname" (index .Subcharts "tyk-gateway")) -}}
+To quickly test everything is ok, you can port-forward Tyk Gateway pod:
+ kubectl port-forward --namespace {{ .Release.Namespace }} service/{{ $gwSvcName }} {{ index .Values "global" "servicePorts" "gateway" }}:{{ index .Values "global" "servicePorts" "gateway" }}
+ curl localhost:{{ index .Values "global" "servicePorts" "gateway" }}/hello
+{{- end }}
+
+{{ if 
.Values.global.components.bootstrap -}}
+=== Tyk Dashboard Login Details ===
+{{- if not .Values.global.adminUser.useSecretName }}
+ export TYK_DASHBOARD_ADMINEMAIL={{ .Values.global.adminUser.email }}
+ export TYK_DASHBOARD_ADMINPASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} tyk-dashboard-login-details -o jsonpath="{.data.adminUserPassword}" | base64 --decode)
+{{- else }}
+ export TYK_DASHBOARD_ADMINEMAIL=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ .Values.global.adminUser.useSecretName }} -o jsonpath="{.data.adminUserEmail}" | base64 --decode)
+ export TYK_DASHBOARD_ADMINPASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ .Values.global.adminUser.useSecretName }} -o jsonpath="{.data.adminUserPassword}" | base64 --decode)
+{{- end }}
+{{- end }}
+
+=== Tyk Control Plane Details ===
+Before a worker gateway that is deployed in data plane can connect to MDCB, it is important to set remote control plane options.
+If the worker gateway will be deployed via Helm, tyk-data-plane chart helps to facilitate this process.
+
+1- First obtain required connection details from Tyk MDCB:
+
+{{- $tykMDCBSvc := printf "mdcb-svc-%s" (include "tyk-mdcb.fullname" (index .Subcharts "tyk-mdcb")) -}}
+{{- $tykMDCBSvcProto := (include "mdcb.proto" (index .Subcharts "tyk-mdcb")) -}}
+{{- $tykMDCBSvcPort := (include "mdcb.svcPort" (index .Subcharts "tyk-mdcb")) }}
+ export MDCB_CONNECTIONSTRING="{{ $tykMDCBSvcProto }}://{{ $tykMDCBSvc }}.{{ .Release.Namespace }}.svc:{{ $tykMDCBSvcPort }}"
+ export GROUP_ID=your_group_id # You can use any name for your group.
+
+{{- $operatorSecret := index .Values "tyk-bootstrap" "bootstrap" "operatorSecret" }}
+{{- $edpSecret := .Values.global.secrets.devPortal }}
+{{- if and .Values.global.components.bootstrap (or $operatorSecret $edpSecret) -}}
+{{ if $operatorSecret }}
+ export USER_API_KEY=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ $operatorSecret }} -o jsonpath="{.data.TYK_AUTH}" | base64 --decode)
+ export ORG_ID=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ $operatorSecret }} -o jsonpath="{.data.TYK_ORG}" | base64 --decode)
+{{ else if $edpSecret }}
+ export USER_API_KEY=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ $edpSecret}} -o jsonpath="{.data.TYK_AUTH}" | base64 --decode)
+ export ORG_ID=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ $edpSecret }} -o jsonpath="{.data.TYK_ORG}" | base64 --decode)
+{{- end }}
+{{ else }}
+ export USER_API_KEY=USER_API_KEY # Set the API key of a user used to authenticate and authorise the Gateway’s access through MDCB.
+ export ORG_ID=YOUR_ORGANISATION_ID # Set your organisation id
+
+NOTE: You can find your organisation id and user api key through Tyk Dashboard, under your user account details.
+{{ end }}
+2- Create a Kubernetes Secret based on credentials.
+ kubectl create secret --namespace {{ .Release.Namespace }} generic tyk-data-plane-details \
+ --from-literal "orgId=$ORG_ID" \
+ --from-literal "userApiKey=$USER_API_KEY" \
+ --from-literal "groupID=$GROUP_ID
+
+3- Refer this Kubernetes secret (tyk-data-plane-details) while installing worker gateways through `global.remoteControlPlane.useSecretName`
+in tyk-data-plane chart.
+
+For more detail about tyk-data-plane chart, please refer to the https://github.com/TykTechnologies/tyk-charts/tree/main/tyk-data-plane
+
+{{- if index .Values "tyk-dashboard" "dashboard" "ingress" "enabled" }}
+{{- $tlsEnabled := index .Values "tyk-dashboard" "dashboard" "ingress" "tls" }}
+=== Tyk Dashboard Ingress ===
+{{- range $host := index .Values "tyk-dashboard" "dashboard" "ingress" "hosts" }}
+ {{- range .paths }}
+ http{{ if $tlsEnabled }}s{{ end }}://{{ $host.host }}{{ .path }}
+ {{- end }}
+{{- end }}
+{{- end }}
+
+===================================================
+ Manage Ingress resources and APIs on Kubernetes
+===================================================
+You might want to install Tyk Operator next to manage Ingress resources or manage your APIs.
+Please check Tyk Operator documentation at https://tyk.io/docs/tyk-operator/
diff --git a/tyk-control-plane/templates/_helpers.tpl b/tyk-control-plane/templates/_helpers.tpl
new file mode 100644
index 00000000..b24a55a9
--- /dev/null
+++ b/tyk-control-plane/templates/_helpers.tpl
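Review bot: The `kubectl create secret` snippet in step 2 is missing the closing quote on its last argument, `--from-literal "groupID=$GROUP_ID`, so a user who pastes it gets an unterminated-string prompt instead of the secret; it should read `--from-literal "groupID=$GROUP_ID"`. In the `else if $edpSecret` branch, `{{ $edpSecret}}` lacks the space before `}}` that every other action in this file has; `{{ $edpSecret }}` keeps it consistent. The secret name `tyk-dashboard-login-details` and the `TYK_AUTH`/`TYK_ORG` keys are hard-coded here; if they are produced by the tyk-bootstrap subchart, a short comment such as `{{/* secret names/keys below must match what tyk-bootstrap creates */}}` would keep the two in step when either is renamed.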
@@ -0,0 +1,43 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "tyk-control-plane.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "tyk-control-plane.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "tyk-control-plane.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{- define "tyk-control-plane.gw_proto" -}}
+{{- if .Values.global.tls.gateway -}}
+https
+{{- else -}}
+http
+{{- end -}}
+{{- end -}}
+
+{{- define "tyk-control-plane.gwServicePort" -}}
+{{ .Values.global.servicePorts.gateway }}
+{{- end -}}
diff --git a/tyk-control-plane/values.yaml b/tyk-control-plane/values.yaml
new file mode 100644
index 00000000..9e79fa77
--- /dev/null
+++ b/tyk-control-plane/values.yaml
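Review bot: `tyk-control-plane.gw_proto` and `tyk-control-plane.gwServicePort` are the only helpers in this file without the `{{/* ... */}}` header comment that the first three carry; add `{{/* Gateway URL scheme: https when .Values.global.tls.gateway is true, otherwise http. */}}` above gw_proto and `{{/* Port of the gateway service, taken from .Values.global.servicePorts.gateway. */}}` above gwServicePort. The two names also mix snake_case and camelCase, so picking one convention now avoids a rename later. NOTES.txt in this commit calls gwServicePort but derives the scheme from the subchart's `tyk-dashboard.gw_proto`, so gw_proto appears unused by the visible templates; if it is reserved for later use, the header comment is the place to say so.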
@@ -0,0 +1,1285 @@ +global: + license: + # The license key needed by Tyk Dashboard to work. + # + # NOTE: If you do not want to store license as a plain text in the file, you can use a Kubernetes secret + # that stores the dashboard license. Please see `.global.secrets.useSecretName`. + dashboard: "" + + # adminUser specifies credentials for Tyk Dashboard admin user while bootstrapping Tyk Dashboard. + # Dashboard admin information. + adminUser: + # If you don't want to store plaintext secrets for admin user in the Helm value file and would + # rather provide the k8s Secret externally please populate the value below. + # You can set following fields in the secret: + # - adminUserFirstName - sets .global.adminUser.firstName + # - adminUserLastName - sets .global.adminUser.lastName + # - adminUserEmail- sets .global.adminUser.email + # - adminUserPassword - sets .global.adminUser.password + useSecretName: "" + + # firstName corresponds to the first name of the admin user that will be created during the bootstrapping process. + # It is used to set TYK_K8SBOOTSTRAP_TYK_ADMIN_FIRSTNAME + firstName: admin + + # lastName corresponds to the last name of the admin user that will be created during the bootstrapping process. + # It is used to set TYK_K8SBOOTSTRAP_TYK_ADMIN_LASTNAME + lastName: user + + # email corresponds to the email of the admin user that will be created during the bootstrapping process. + # It is used to set TYK_K8SBOOTSTRAP_TYK_ADMIN_EMAILADDRESS + email: default@example.com + # Set a password or a random one will be assigned. 
+ password: "123456" + + components: + # Determines whether the bootstrap jobs should be run + # Those jobs verify the presence of the dashboard license and perform various operations to + # make apps such as tyk-dashboard, tyk-portal and tyk-operator ready to use from the get go + # If this is set to false, only the hook that checks for dashboard license will be run + bootstrap: true + # Determines whether the pump component should be installed. + pump: false + # Determines whether Tyk Developer Portal component should be installed. + # If you want to bootstrap Tyk Developer Portal, set `tyk-bootstrap.bootstrap.devPortal` to true + devPortal: false + + servicePorts: + # The port at which the dashboard service can be found at + dashboard: 3000 + # The port at which the gateway service can be found at + gateway: 8080 + + tls: + # If set to true the Dashboard will use SSL connection. + dashboard: false + # When true, sets the gateway protocol to HTTPS. + gateway: false + + # When true, it will install the certificate present in the templates folder, set to false when using + # a custom TLS certificate to avoid overwriting yours + useDefaultTykCertificate: true + + secrets: + # APISecret sets node_secret and secret in tyk.conf + # tyk_analytics.conf tyk_api_config.secret + # tyk_analytics.conf shared_node_secret + APISecret: CHANGEME + # tyk_analytics.conf admin_secret + # tib.conf TykAPISettings.GatewayConfig.AdminSecret + # tib.conf TykAPISettings.DashboardConfig.AdminSecret + AdminSecret: "12345" + # If you don't want to store plaintext secrets in the Helm value file and would + # rather provide the k8s Secret externally please populate the value below + # You can set following fields in the secret + # APISecret - Sets node secret in both dashboard and tyk config + # AdminSecret - Admin user secret key + # DashLicense - Tyk Dashboard license key + useSecretName: "" + # devPortal secret is used to bootstrap the Portal which should include Tyk Dashboard credentials. 
+ # You can set to empty to skip portal bootstrapping. + # It should include the followings: + # - TYK_ORG: Tyk Dashboard Organisation ID + # - TYK_AUTH: Tyk Dashboard API Access Credentials + devPortal: tyk-dev-portal-conf + + redis: + # The addrs value will allow you to set your Redis addresses. + # + # If you are using Redis (e.g. Bitnami Redis at bitnami/redis) then enter single + # endpoint. If using sentinel connection mode for Redis, please update the port number (typically 26379). + # + # If using a Redis Cluster (e.g. bitnami/redis-cluster), you can list + # the endpoints of the redis instances or use the cluster configuration endpoint. + # + # Default value: redis.{{ .Release.Namespace }}.svc:6379 + # addrs: + # Example using tyk simple redis chart + # - redis.tyk.svc:6379 + # Example using bitnami/redis + # - tyk-redis-master.tyk.svc:6379 + # Example using bitnami/redis with sentinel + # - tyk-redis.tyk.svc:26379 + # Example using bitnami/redis-cluster + # - tyk-redis-redis-cluster.tyk.svc:6379 + + # Redis password + # If you're using Bitnami Redis chart please input your password in the field below + # pass: "" + + # Enables sentinel connection mode for Redis. If enabled, provide both + # mandatory values for sentinelPass and masterName. + # enableSentinel: false + + # Redis sentinel password, only required while enableSentinel is true. + # For bitnami/redis the same password as Redis above + # sentinelPass: "" + + # Redis sentinel master name, only required while enableSentinel is true. + # For bitnami/redis typically redis-master + # masterName: "" + + # Redis password can also be provided via a secret. Provide the name of the secret and key below. + # passSecret: + # name: "" + # keyName: "" + + # Enables SSL for Redis connection. Redis instance will have to support that. + # Default value: false + useSSL: false + + # The enableCluster value will allow you to indicate to Tyk whether you are + # running a Redis cluster or not. 
+ # Default value: false + # enableCluster: true + + # By default, the database index is 0. Setting the database index is not + # supported with redis cluster. As such, if you have enableCluster: true, + # then this value should be omitted or explicitly set to 0. + storage: + database: 0 + + # Please check https://tyk.io/docs/planning-for-production/database-settings/mongodb/#supported-versions + # for the list of supported MongoDB versions. + mongo: + # The mongoURL value will allow you to set your MongoDB address. + # Default value: mongodb://mongo.{{ .Release.Namespace }}.svc:27017/tyk_analytics + # mongoURL: mongodb://mongo.tyk.svc:27017/tyk_analytics + + # If your MongoDB has a password you can add the username and password to the url + # mongoURL: mongodb://root:pass@tyk-mongo-mongodb.tyk.svc:27017/tyk_analytics?authSource=admin + + # mongo-go driver is supported for Tyk 5.0.2+. + # We recommend using the mongo-go driver if you are using MongoDB 4.4.x+. + # For MongoDB versions prior to 4.4, please use the mgo driver. + driver: mgo + + # Connection URL can also be set using a secret. Provide the name of the secret and key below. + # connectionURLSecret: + # name: "" + # keyName: "" + + # Enables SSL for MongoDB connection. MongoDB instance will have to support that. + # Default value: false + useSSL: false + + # Postgres connection string parameters. + postgres: + # host corresponds to the host name of postgres + host: tyk-postgres-postgresql.tyk.svc + # port corresponds to the port of postgres + port: 5432 + # user corresponds to the user of postgres + user: postgres + # password corresponds to the password of the given postgres user in selected database + password: + # database corresponds to the database to be used in postgres + database: tyk_analytics + # sslmode corresponds to if postgres runs in sslmode (https) + sslmode: disable + + # Connection string can also be set using a secret. Provide the name of the secret and key below. 
+ # connectionStringSecret: + # name: "" + # keyName: "" + + # Choose the storageType for Tyk. [ "mongo", "postgres" ] + storageType: &globalStorageType postgres + +tyk-gateway: + # nameOverride overrides the Chart name. It is truncated to 63 characters. + # Default value: tyk-gateway.name + nameOverride: "" + + # fullnameOverride overrides App name. It is truncated to 63 characters. + # Default value: tyk-gateway.fullname + fullnameOverride: "" + + gateway: + # The hostname to bind the Gateway to. + hostName: &gwHostName tyk-gw.local + + # If this option is set to true, it will enable polling the Dashboard service for API definitions + useDashboardAppConfig: + enabled: true + # Set it to the URL to your Dashboard instance (or a load balanced instance) if and only if + # Tyk Dashboard runs with custom service name, for instance; using `fullnameOverride` in `tyk-dashboard` section. + # The URL needs to be formatted as: http://dashboard_host:port + # It is used to set TYK_GW_DBAPPCONFOPTIONS_CONNECTIONSTRING + dashboardConnectionString: "" + + # This option is required if Policy source is set to Tyk Dashboard (`service`) if and only if + # Tyk Dashboard runs with custom service name, for instance; using `fullnameOverride` in `tyk-dashboard` section. + # Set this to the URL of your Tyk Dashboard installation. + # The URL needs to be formatted as: http://dashboard_host:port. + # It is used to set TYK_GW_POLICIES_POLICYCONNECTIONSTRING + policyConnectionString: "" + + tls: + # The name of the secret which should contain the TLS certificate you want to use with the gateway deployment + secretName: tyk-default-tls-secret + # This options allows you to skip verifying the TLS certificate. This is typically enabled when using self-signed certs. + insecureSkipVerify: false + + # certificatesMountPath corresponds to the mount path of the secret. 
+ certificatesMountPath: "/etc/certs/tyk-gateway" + # certificates is an array of strings, used to set TYK_GW_HTTPSERVEROPTIONS_CERTIFICATES + certificates: + - domain_name: "*" + cert_file: "/etc/certs/tyk-gateway/tls.crt" + key_file: "/etc/certs/tyk-gateway/tls.key" + + # kind is type of k8s object to be created for gateway. + kind: Deployment + + # replicaCount specifies number of replicas to be created if kind is Deployment. + replicaCount: 1 + + # autoscaling configuration if kind IS NOT DaemonSet + autoscaling: {} + # enabled: true + # minReplicas: 1 + # maxReplicas: 3 + # averageCpuUtilization: 60 + # averageMemoryUtilization: null + # autoscalingTemplate: + # Custom or additional autoscaling metrics + # ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-custom-metrics + # - type: Pods + # pods: + # metric: + # name: nginx_ingress_controller_nginx_process_requests_total + # target: + # type: AverageValue + # averageValue: 10000m + + # analyticsEnabled property is used to enable/disable analytics. + # If set to empty or nil, analytics will be enabled/disabled based on `global.components.pump`. + analyticsEnabled: "" + + image: + # image repository for Tyk Gateway + repository: tykio/tyk-gateway + + # image tag for Tyk Gateway + tag: v5.2.3 + + # image pull policy for Tyk Gateway + pullPolicy: IfNotPresent + + # image pull secrets to use when pulling images from repository + imagePullSecrets: [] + + # The port which will be exposed on the container for tyk-gateway + containerPort: 8080 + + service: + # type of service + type: ClusterIP + + # external traffic policy of the service. 
Set it only if you are using LoadBalancer service type + externalTrafficPolicy: Local + + # annotations for service + annotations: {} + + control: + # If enabled, exposes control port of the gateway + enabled: false + + # control port of gateway + containerPort: 9696 + + # port number for control port service + port: 9696 + + # service type for control port service + type: ClusterIP + + # annotations for control port service + annotations: {} + + # Creates an ingress object in k8s. Will require an ingress-controller and + # annotation to that ingress controller. + ingress: + # if enabled, creates an ingress resource for the gateway + enabled: false + + # specify ingress controller class name + className: "" + + # annotations for ingress + annotations: {} + + # ingress rules + hosts: + - host: chart-example.local + paths: + - path: / + pathType: ImplementationSpecific + + # tls configuration for ingress + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + tls: [] + + + # We usually recommend not to specify default resources and to leave this + # as a conscious choice for the user. This also increases chances charts + # run on environments with little resources, such as Minikube. If you do + # want to specify resources, uncomment the following lines, adjust them + # as necessary, and remove the curly braces after 'resources:'. 
+ # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + resources: {} + + # securityContext values for gateway pod + securityContext: + runAsUser: 1000 + fsGroup: 2000 + + # containerSecurityContext values for gateway container + containerSecurityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + capabilities: + drop: + - all + + # node labels for gateway pod assignment + nodeSelector: {} + + # tolerations for gateway pod assignment + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + + # affinity for gateway pod assignment + affinity: {} + + # used to decide whether to send the results back directly to Tyk without a hybrid pump + # if you want to send analytics to control plane instead of pump, change analyticsConfigType to "rpc" + # TODO: Consider updating analytics config type to RPC + # Ref: https://github.com/TykTechnologies/tyk-charts/pull/211#discussion_r1458662620 + analyticsConfigType: "" + + # opentelemetry is used to configure opentelemetry for Tyk Gateway + opentelemetry: + # Used to enable/disable opentelemetry + enabled: false + # exporter is used to define the type of the exporter to sending data in OTLP protocol + # Valid values are "grpc" or "http" + exporter: grpc + # endpoint defines OpenTelemetry collector endpoint to connect to. + endpoint: localhost:4317 + # A map of headers that will be sent with HTTP requests to the collector. + # It should be set to map of string to string + headers: {} + # Timeout for establishing a connection to the collector + connectionTimeout: 1 + # Name of the resource that will be used to identify the resource. + resourceName: tyk + # Type of the span processor to use. Valid values are “simple” or “batch”. + spanProcessorType: batch + # Type of the context propagator to use. Valid values are "tracecontext" and "b3". + contextPropagation: tracecontext + # TLS configuration for the exporter. 
+ tls: + # Flag that can be used to enable TLS + enabled: false + # Flag that can be used to skip TLS verification if TLS is enabled + insecureSkipVerify: true + # Maximum TLS version that is supported. + maxVersion: 1.3 + # Minimum TLS version that is supported + minVersion: 1.2 + # Path to the cert file + certFileName: "" + # Path to the key file + keyFileName: "" + # Path to CA file + caFileName: "" + # Existing secret that stores TLS and CA Certificate + certificateSecretName: "" + # Mount path on which certificate secret should be mounted + secretMountPath: "" + sampling: + # Refers to the policy used by OpenTelemetry to determine whether a particular trace should be sampled or not. + type: "AlwaysOn" + # Parameter for the TraceIDRatioBased sampler type and represents the percentage of traces to be sampled. + rate: 0.5 + # Rule that ensures that if we decide to record data for a particular operation, we’ll also record data for + # all the subsequent work that operation causes + parentBased: false + + # extraEnvs is used to set gateway env variables + # - name: TYK_GW_HTTPSERVEROPTIONS_SSLINSECURESKIPVERIFY + # value: "true" + extraEnvs: [] + + # extraVolumes is a list of volumes to be added to the pod + # extraVolumes: + # - name: ca-certs + # secret: + # defaultMode: 420 + # secretName: ca-certs + extraVolumes: [] + + # extraVolumeMounts is a list of volume mounts to be added to the pod + # extraVolumeMounts: + # - name: ca-certs + # mountPath: /etc/ssl/certs/ca-certs.crt + # readOnly: true + extraVolumeMounts: [] + +tyk-pump: + ## Default values for tyk-pump chart. + ## This is a YAML-formatted file. + ## Declare variables to be passed into your templates. + ## See Tyk Helm documentation for installation details: + ## https://tyk.io/docs/tyk-oss/ce-helm-chart/ + ## Registry for all Tyk images - https://hub.docker.com/u/tykio + + # Overrides chart name. It is truncated to 63 characters. 
+ # Default value: tyk-pump.name
+ nameOverride: ""
+
+ # Overrides app name. IT is truncated to 63 characters.
+ # Default value: tyk-pump.fullname
+ fullnameOverride: ""
+
+ # If pump is enabled the Gateway will create and collect analytics data to send
+ # to a data store of your choice. These can be set up in the pump config. The
+ # possible pump configs can be found here:
+ # https://github.com/TykTechnologies/tyk-pump#configuration
+ pump:
+ # number for replicas for pump deployment
+ replicaCount: 1
+
+ # podAnnotations is annotations to be added to Tyk Pump pod.
+ # It takes key-value pairs.
+ # There are no required annotation field for Tyk Pump.
+ #
+ # podAnnotations:
+ # yourkey: value
+ # image: yourhub
+ podAnnotations: {}
+
+ image:
+ # image repository for Tyk pump
+ repository: docker.tyk.io/tyk-pump/tyk-pump
+
+ # tag for Tyk pump
+ tag: v1.8.3
+
+ # image pull policy
+ pullPolicy: IfNotPresent
+
+ # image pull secrets to use when pulling images from repository
+ imagePullSecrets: []
+
+ service:
+ # Tyk Pump svc is disabled by default. Set it to true to enable it.
+ enabled: false
+
+ # type specifies type of the service.
+ type: ClusterIP
+
+ # port specifies the port exposed by the service.
+ port: 9090
+
+ # externalTrafficPolicy denotes if this Service desires to route external traffic to node-local or
+ # cluster-wide endpoints, while using LoadBalancer type of service.
+ externalTrafficPolicy: Local
+
+ # annotations specifies annotations to be added Tyk Pump service.
+ annotations: {}
+
+ # containerPort represents the port where Tyk Pump serve the metrics, for instance metrics for Prometheus.
+ # The default port is 9090.
+ containerPort: 9090
+
+ # backend defines the pumps to be created by default, as an array of string.
+ # Supported backends are:
+ # - "mongo": Enables Mongo Aggregate and Mongo Selective Pump
+ # - "mongo-aggregate": Enables ONLY Mongo Aggregate
+ # - "mongo-selective": Enables ONLY Mongo Selective
+ # - "postgres": Enables Postgres Aggregate and SQL Pump
+ # - "postgres-aggregate": Enables ONLY SQL Aggregate
+ # - "postgres-pump": Enables ONLY SQL Pump
+ # - "prometheus": Enables Prometheus Pump. See pump.prometheusPump for Prometheus Pump configurations.
+ # - "hybrid": Enables Hybrid Pump
+ # If you would like to use other backends such as ElasticSearch, please
+ # configure the backend via environment variables.
+ backend:
+ - "prometheus"
+ - *globalStorageType
+
+ # uptimePumpBackend configures uptime Tyk Pump. ["", "mongo", "postgres"].
+ # Set it to "" for disabling uptime Tyk Pump. By default, uptime pump is disabled.
+ uptimePumpBackend: ""
+
+ # prometheusPump configures Tyk Pump to expose Prometheus metrics.
+ # Please add "prometheus" to .Values.pump.backend in order to enable Prometheus Pump.
+ # The container port where Tyk Pump serves the metrics to Prometheus can be configured
+ # via .pump.containerPort field.
+ prometheusPump:
+ # host represents the host without port, where Tyk Pump serve the metrics for Prometheus.
+ host: ""
+ # path represents the path to the Prometheus collection. For example /metrics.
+ path: /metrics
+ # customMetrics allows defining custom Prometheus metrics for Tyk Pump.
+ # It accepts a string that represents a JSON object. For instance,
+ #
+ # customMetrics: '[{"name":"tyk_http_requests_total","description":"Total of API requests","metric_type":"counter","labels":["response_code","api_name","method","api_key","alias","path"]}, { "name":"tyk_http_latency", "description":"Latency of API requests", "metric_type":"histogram", "labels":["type","response_code","api_name","method","api_key","alias","path"] }]'
+ customMetrics: ""
+ # If you are using prometheus Operator, set the fields in the section below.
+ prometheusOperator:
+ # enabled determines whether the Prometheus Operator is in use or not. By default,
+ # it is disabled.
+ # Tyk Pump can be monitored with PodMonitor Custom Resource of Prometheus Operator.
+ # If enabled, PodMonitor resource is created based on .Values.pump.prometheusPump.prometheusOperator.podMonitorSelector
+ # for Tyk Pump.
+ enabled: false
+ # podMonitorSelector represents a podMonitorSelector of your Prometheus resource. So that
+ # your Prometheus resource can select PodMonitor objects based on selector defined here.
+ # Please set this field to the podMonitorSelector field of your monitoring.coreos.com/v1
+ # Prometheus resource's spec.
+ #
+ # You can check the podMonitorSelector via:
+ # kubectl describe prometheuses.monitoring.coreos.com
+ podMonitorSelector:
+ release: prometheus-stack
+
+ # We usually recommend not to specify default resources and to leave this
+ # as a conscious choice for the user. This also increases chances charts
+ # run on environments with little resources, such as Minikube. If you do
+ # want to specify resources, uncomment the following lines, adjust them
+ # as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+ resources: {}
+
+ # securityContext values for pump pod
+ securityContext:
+ runAsUser: 1000
+ fsGroup: 2000
+
+ # containerSecurityContext values for pump container
+ containerSecurityContext:
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ privileged: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - all
+
+ # node labels for pump pod assignment
+ nodeSelector: {}
+
+ # tolerations for pump pod assignment
+ tolerations: []
+
+ # affinity for pump pod assignment
+ affinity: {}
+
+ # extraEnvs is used to set environment variables in pump container
+ # - name: TYK_PMP_PURGEDELAY
+ # value: 30
+ extraEnvs: []
+
+ # extraVolumes is a list of volumes to be added to the pod
+ # extraVolumes:
+ # - name: ca-certs
+ # secret:
+ # defaultMode: 420
+ # secretName: ca-certs
+ extraVolumes: []
+
+ # extraVolumeMounts is a list of volume mounts to be added to the pod
+ # extraVolumeMounts:
+ # - name: ca-certs
+ # mountPath: /etc/ssl/certs/ca-certs.crt
+ # readOnly: true
+ extraVolumeMounts: []
+
+tyk-bootstrap:
+ fullnameOverride: ""
+ nameOverride: ""
+
+ bootstrap:
+ # Trigger to control if we want to bootstrap the Developer Portal component using tyk-bootstrap
+ devPortal: false
+
+ # Trigger to control if we want to bootstrap the dashboard component using tyk-bootstrap
+ dashboard: true
+
+ # Trigger to control if we want to bootstrap the dashboard component using tyk-bootstrap
+ portal: true
+
+ # Skip validating the SSL certificates. Usually needed when using self-signed certs.
+ sslInsecureSkipVerify: false
+
+ # Trigger to control if we want to create the tyk-operator secret
+ operatorSecret: tyk-operator-conf
+
+ # jobs field includes configurations for Helm Hooks.
+ jobs:
+ # preInstall configures pre-install Helm hook
+ preInstall:
+ # image specifies image repository of bootstrap images
+ image:
+ # repository specifies image repository of pre-install job.
+ repository: tykio/tyk-k8s-bootstrap-pre-install
+ # tag specifies image tag of pre-install job.
+ tag: v2.0.1
+
+ # extraEnvs is used to set extra environment variables to pre-install job.
+ # - name: TYK_K8SBOOTSTRAP_TYK_DASHBOARDLICENSE
+ # value: "yourlicense"
+ extraEnvs: []
+
+ # postInstall configures post-install Helm hook
+ postInstall:
+ # image specifies image repository of bootstrap images
+ image:
+ # repository specifies image repository of post-install job.
+ repository: tykio/tyk-k8s-bootstrap-post
+ # tag specifies image tag of post-install job.
+ tag: v2.0.1
+
+ # extraEnvs is used to set extra environment variables to post-install job.
+ # - name: TYK_K8SBOOTSTRAP_TYK_ADMIN_FIRSTNAME
+ # value: "burak"
+ extraEnvs: []
+
+ # preDelete configures pre-delete Helm hook
+ preDelete:
+ # image specifies image repository of bootstrap images
+ image:
+ # repository specifies image repository of pre-delete job.
+ repository: tykio/tyk-k8s-bootstrap-pre-delete
+ # tag specifies image tag of pre-delete job.
+ tag: v2.0.1
+
+ # extraEnvs is used to set extra environment variables to pre-delete job.
+ # - name: TYK_K8SBOOTSTRAP_OPERATORKUBERNETESSECRETNAME
+ # value: "tyk-operator-conf"
+ extraEnvs: []
+
+ org:
+ # The name for your organization inside Tyk
+ name: Default Org
+ # The hostname to bind the Portal to.
+ cname: tyk-portal.local
+
+ # podAnnotations specifies annotations to be added Tyk Bootstrap job pods.
+ # It takes key-value pairs.
+ # There are no required annotations for Tyk Bootstrap.
+ #
+ # podAnnotations:
+ # postInstallPodAnnotations:
+ # key: value
+ # post: install
+ # preDeletePodAnnotations:
+ # key: value
+ # post: install
+ podAnnotations:
+ # preInstallPodAnnotations specifies annotations to be added to Tyk Bootstrap pre-install hook's job pods.
+ preInstallPodAnnotations: {}
+ # postInstallPodAnnotations specifies annotations to be added to Tyk Bootstrap post-install hook's job pods.
+ postInstallPodAnnotations: {}
+ # preDeletePodAnnotations specifies annotations to be added to Tyk Bootstrap pre-delete hook's job pods.
+ preDeletePodAnnotations: {}
+
+tyk-dashboard:
+ # nameOverride overrides the Chart name. It is truncated to 63 characters.
+ nameOverride: ""
+
+ # fullnameOverride overrides App name. It is truncated to 63 characters.
+ fullnameOverride: ""
+
+ dashboard:
+ # This is the URL of your Tyk Gateway node, which is used to set TYK_DB_TYKAPI_HOST.
+ # The Dashboard controls Tyk using the Gateway API and only requires visibility to one node. In a sharded environment,
+ # the Gateway node specified here must not be sharded.
+ # - If you are using tyk-stack chart, it is automatically set to the gateway service URL.
+ # HOWEVER, if Tyk Gateway runs with custom service name, please override with the correct URL using this field.
+ # - If you are using tyk-dashboard chart, you need to set the correct Gateway URL here too.
+ # The URL needs to be formatted as: http://gateway_host
+ tykApiHost: ""
+ # enableOwnership specifies if API Ownership for Self-Managed installations is enabled or not.
+ # It is used to set TYK_DB_ENABLEOWNERSHIP
+ enableOwnership: true
+ # defaultPageSize specifies the page size that the dashboard should use.
+ # It is used to set TYK_DB_PAGESIZE
+ defaultPageSize: 10
+ # notifyOnChange specifies whether the Tyk Dashboard will notify all Tyk Gateway nodes to hot-reload when an API definition is changed.
+ # It is used to set TYK_DB_NOTIFYONCHANGE
+ notifyOnChange: true
+ # hashKeys specifies that if your Tyk Gateway is using hashed keys, set this value to true so it matches.
+ # The Dashboard will now operate in a mode that is compatible with key hashing.
+ # It is used to set TYK_DB_HASHKEYS
+ hashKeys: true
+ # enableDuplicateSlugs configures the dashboard whether validate against other listen paths.
+ # Setting this option to true will cause the dashboard to NOT validate against other listen paths.
+ # It is used to set TYK_DB_ENABLEDUPLICATESLUGS
+ enableDuplicateSlugs: true
+ # showOrgId determines whether the Org ID will be shown in the Users -> Username detail page.
+ # This can be useful for quickly identifying your Org ID.
+ # It is used to set TYK_DB_SHOWORGID
+ showOrgId: true
+ hostConfig:
+ # Enable this option to have the Dashboard only allow access on a specific domain and 404 on any other host access
+ # It is used to set TYK_DB_HOSTCONFIG_ENABLEHOSTNAMES
+ enableHostNames: true
+ # By default, for developer portal, Tyk will add orgID prefix. Set to true if you have single tenant application or each portal on separate domain.
+ # It is used to set TYK_DB_HOSTCONFIG_DISABLEORGSLUGPREFIX
+ disableOrgSlugPrefix: true
+ # Set this value to whatever hostname your Tyk Gateway is running on.
+ # It is used to set TYK_DB_HOSTCONFIG_GATEWAYHOSTNAME
+ overrideHostname: *gwHostName
+ # The path to the home directory of Tyk Dashboard, this must be set in order for Portal templates and other files to be loadable.
+ # It is used to set TYK_DB_HOMEDIR
+ homeDir: "/opt/tyk-dashboard"
+ # If using the mongo-pump-selective pump, where data is written to org-id-specific collections in MongoDB,
+ # then enabling this option will switch querying for analytics over to the independent collection entries.
+ # It is used to set TYK_DB_USESHARDEDANALYTICS
+ useShardedAnalytics: false
+ # If using the new Aggregate Pump, Tyk Analytics can make use of the newer, faster Analytics lookup,
+ # to ensure that this can be made backwards compatible.This option must be set to true,
+ # in conjunction with the aggregate_lookup_cutoff value.
+ # It is used to set TYK_DB_ENABLEAGGREGATELOOKUPS
+ enableAggregateLookups: true
+ # enableAnalyticsCache enables the caching of analytics data queries.
+ # When this field is set to true, the Tyk Dashboard will cache the results of analytics queries in Redis,
+ # which can significantly improve performance by reducing the load on the underlying MongoDB or PostgreSQL database
+ # that stores this data.
+ # It is used to set TYK_DB_ENABLEANALYTICSCACHE
+ enableAnalyticsCache: true
+ # Set this value to true if you are planning to use Tyk Sync or Tyk Operator
+ # It is used to set TYK_DB_ALLOWEXPLICITPOLICYID
+ allowExplicitPolicyId: true
+ # oAuth redirect URI separator
+ # It is used to set TYK_DB_OAUTHREDIRECTURISEPARATOR
+ oauthRedirectUriSeparator: ";"
+ # keyRequestFields enables administrators to collect necessary information for API key issuance, enforce policies,
+ # and provide the flexibility to customize the key request process according to evolving business needs.
+ # It is used to set TYK_DB_KEYREQUESTFIELDS
+ keyRequestFields: "appName;appType"
+ # Dashboard session lifetime
+ # It is used to set TYK_DB_DASHBOARDSESSIONLIFETIME
+ dashboardSessionLifetime: 43200
+ # When enabled, if dashboard already have user with given email found, it will be used for the login process
+ # It is used to set TYK_DB_SSOENABLEUSERLOOKUP
+ ssoEnableUserLookup: true
+ # notificationsListenPort specifies the port that the Tyk Dashboard listens on for webhook notifications sent from Tyk Gateways.
+ # It is used to set TYK_DB_NOTIFICATIONSLISTENPORT
+ notificationsListenPort: 5000
+ # To delete a key by its hash, set this option to true
+ # It is used to set TYK_DB_ENABLEDELETEKEYBYHASH
+ enableDeleteKeyByHash: true
+ # To update a key by its hash, set this option to true.
+ # It is used to set TYK_DB_ENABLEUPDATEKEYBYHASH
+ enableUpdateKeyByHash: true
+ # To retrieve a list of all key hash listings, set this option to true.
+ # It is used to set TYK_DB_ENABLEHASHEDKEYSLISTING
+ enableHashedKeysListing: true
+ # Enable support for users with the same email for multiple organisations
+ # It is used to set TYK_DB_ENABLEMULTIORGUSERS
+ enableMultiOrgUsers: true
+
+ # replicaCount specifies number of replicas to be created if kind is Deployment.
+ replicaCount: 1
+
+ # podAnnotations is annotations to be added to Tyk Dashboard pod.
+ # It takes key-value pairs.
+ # There are no required annotation field for Tyk Dashboard.
+ #
+ # podAnnotations:
+ # yourkey: value
+ # image: yourhub
+ podAnnotations: {}
+
+ image:
+ # image repository for Tyk Dashboard.
+ repository: tykio/tyk-dashboard
+
+ # tag for Tyk Dashboard
+ tag: v5.2.3
+
+ # image pull policy
+ pullPolicy: Always
+
+ # image pull secrets to use when pulling images from repository
+ imagePullSecrets: []
+
+ service:
+ type: ClusterIP
+ externalTrafficPolicy: Local
+ annotations: {}
+
+ # We usually recommend not to specify default resources and to leave this
+ # as a conscious choice for the user. This also increases chances charts
+ # run on environments with little resources, such as Minikube. If you do
+ # want to specify resources, uncomment the following lines, adjust them
+ # as necessary, and remove the curly braces after 'resources:'.
+ # resources:
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+ resources: {}
+
+ # securityContext holds pod-level security attributes for Tyk Dashboard pod.
+ securityContext:
+ runAsUser: 1000
+ fsGroup: 2000
+
+ # containerSecurityContext holds container-level security attributes for Tyk Dashboard container.
+ containerSecurityContext:
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ privileged: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - all
+
+ # nodeSelector is a selector which must be true for Tyk Dashboard pod to fit on a specific node.
+ nodeSelector: {}
+ # tolerations specifies tolerations to be applied on Tyk Dashboard pods.
+ tolerations: []
+ # affinity specifies affinity and anti-affinity constraints.
+ affinity: {}
+
+ # extraEnvs is used to set extra environment variables to Tyk Dashboard pod.
+ # - name: TYK_DB_PAGESIZE
+ # value: "10"
+ extraEnvs: []
+
+ # extraVolumes is a list of volumes to be added to the pod
+ # extraVolumes:
+ # - name: ca-certs
+ # secret:
+ # defaultMode: 420
+ # secretName: ca-certs
+ extraVolumes: []
+
+ # extraVolumeMounts is a list of volume mounts to be added to the pod
+ # extraVolumeMounts:
+ # - name: ca-certs
+ # mountPath: /etc/ssl/certs/ca-certs.crt
+ # readOnly: true
+ extraVolumeMounts: []
+
+ # The hostname to bind the Dashboard to.
+ hostName: tyk-dashboard.local
+
+ tls:
+ # The name of the secret which should contain the TLS certificate you want to use with the dashboard deployment
+ secretName: tyk-default-tls-secret
+ # This options allows you to skip verifying the TLS certificate. This is typically enabled when using self-signed certs.
+ insecureSkipVerify: false
+
+ # certificatesMountPath corresponds to the mount path of the secret.
+ certificatesMountPath: "/etc/certs/tyk-dashboard"
+ # certificates is an array of strings, used to set TYK_DB_HTTPSERVEROPTIONS_CERTIFICATES
+ certificates:
+ - domain_name: "*"
+ cert_file: "/etc/certs/tyk-dashboard/tls.crt"
+ key_file: "/etc/certs/tyk-dashboard/tls.key"
+
+ # ingress specifies Ingress rules for Tyk Dashboard Service.
+ # Ingress is disabled by default.
+ ingress:
+ enabled: false
+ # specify your ingress controller class name below
+ className: ""
+ annotations: {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ hosts:
+ - host: chart-example.local
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ tls: []
+
+ portal:
+ ingress:
+ enabled: false
+ # specify your ingress controller class name below
+ className: ""
+ annotations: {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ hosts:
+ - host: chart-example.local
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ tls: []
+
+tyk-mdcb:
+ mdcb:
+ # nameOverride overrides the Chart name. It is truncated to 63 characters.
+ nameOverride: ""
+ # fullnameOverride overrides App name. It is truncated to 63 characters.
+ fullnameOverride: ""
+
+ # useSecretName can be used if you don't want to store plaintext values for MDCB license in
+ # the Helm value file and would rather provide the k8s Secret externally.
+ # You should set following fields in the secret
+ # - MDCBLicense - Sets MDCB license key
+ useSecretName: ""
+
+ # Tyk MDCB license
+ # It is used to set TYK_MDCB_LICENSE
+ license: ""
+
+ # The rpc port which worker gateways will connect to.
+ # This opens a port on MDCB container and MDCB service targets this port.
+ # It is used to set TYK_MDCB_LISTENPORT
+ listenPort: 9090
+
+ # Set to true if you are using a hashed configuration installation of Tyk, otherwise set to false.
+ # It is used to set TYK_MDCB_HASHKEYS
+ hashKeys: true
+
+ # Allows usage of self-signed certificates when connecting to an encrypted Redis database.
+ # It is used to set TYK_MDCB_STORAGE_REDISSSLINSECURESKIPVERIFY
+ redisSSLInsecureSkipVerify: false
+
+ # When it is set to true, instead of sending analytics directly to MongoDB,
+ # MDCB can send analytics to Redis. This will allow tyk-pump to pull
+ # analytics from Redis and send to your own data sinks.
+ # It is used to set TYK_MDCB_FORWARDANALYTICSTOPUMP
+ forwardAnalyticsToPump: true
+
+ probes:
+ # This port lets MDCB allow standard health checks.
+ # It also defines the path for liveness and readiness probes.
+ # It is used to set TYK_MDCB_HEALTHCHECKPORT
+ healthCheckPort: 8181
+ # liveness includes details about liveness probe used in MDCB Deployment.
+ liveness:
+ # path represents the http path to be used in liveness probe in MDBC deployment.
+ path: "/health"
+ # initialDelaySeconds specifies duration in seconds used in liveness probe as initial delay.
+ initialDelaySeconds: 5
+ # The periodSeconds specifies the duration in seconds to perform a liveness probe.
+ periodSeconds: 2
+ # timeoutSeconds represents the number of seconds after which the probe times out.
+ timeoutSeconds: 3
+ # failureThreshold represents the consecutive number of failures in a row for Kubernetes to consider that the overall check has failed.
+ failureThreshold: 2
+ # readiness includes details about readiness probe used in MDCB Deployment.
+ readiness:
+ # path represents the http path to be used in readiness probe in MDBC deployment.
+ path: "/health"
+ # initialDelaySeconds specifies the seconds used in readiness probe as initial delay.
+ initialDelaySeconds: 1
+ # The periodSeconds specifies the duration in seconds to perform a readiness probe.
+ periodSeconds: 10
+ # timeoutSeconds represents the number of seconds after which the probe times out.
+ timeoutSeconds: 3
+ # failureThreshold represents the consecutive number of failures in a row for Kubernetes to consider that the overall check has failed.
+ failureThreshold: 3
+
+ # replicaCount specifies number of replicas to be created.
+ replicaCount: 1
+
+ image:
+ # image repository for Tyk MDCB
+ repository: tykio/tyk-mdcb-docker
+ # image tag for Tyk MDCB
+ tag: v2.4.2
+ # image pull policy
+ pullPolicy: IfNotPresent
+
+ # image pull secrets to use when pulling images from repository
+ imagePullSecrets: []
+
+ # podAnnotations specifies annotations to be added in MDCB Pod
+ podAnnotations: {}
+ # podLabels specifies labels to be added in MDCB Pod
+ podLabels: {}
+
+ serviceAccount:
+ # Specifies whether a service account should be created
+ enabled: false
+ # Automatically mount a ServiceAccount's API credentials?
+ automount: true
+ # Annotations to add to the service account
+ annotations: {}
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: ""
+
+
+ # securityContext holds pod-level security attributes for Tyk MDCB pod.
+ podSecurityContext: {}
+ # fsGroup: 2000
+
+ # containerSecurityContext holds container-level security attributes for Tyk MDCB container.
+ containerSecurityContext: {}
+ # capabilities:
+ # drop:
+ # - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+ # runAsUser: 1000
+
+ service:
+ # type corresponds to the service type of Tyk MDCB Service.
+ type: ClusterIP
+ # The port at which the MDCB service can be found
+ port: 9090
+ # externalTrafficPolicy corresponds to the external traffic policy if the service type is load balancer
+ externalTrafficPolicy: Local
+ # annotations corresponds to the annotations which will be added into Tyk Dashboard Service.
+ annotations: {}
+
+ # ingress specifies Ingress rules for Tyk MDCB Service.
+ # Ingress is disabled by default.
+ ingress:
+ # enabled specifies whether ingress is enabled or not.
+ # Set it to true to enable Ingress for Tyk MDCB Service.
+ enabled: false
+ # className specifies your ingress controller class name below
+ className: ""
+ # annotations specifies annotations to be added on Ingress resource.
+ annotations: {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ # hosts corresponds to the rules to be added on Ingress rules.
+ hosts:
+ - host: chart-example.local
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ # tls corresponds to the tls configuration if Ingress rules use TLS
+ tls: []
+ # - secretName: chart-example-tls
+ # hosts:
+ # - chart-example.local
+
+ resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+ # autoscaling configuration
+ autoscaling:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 100
+ targetCPUUtilizationPercentage: 80
+ # targetMemoryUtilizationPercentage: 80
+
+ extraEnvs: []
+
+ # Additional volumes on the output MDCB Deployment definition.
+ extraVolumes: []
+ # - name: foo
+ # secret:
+ # secretName: mysecret
+ # optional: false
+
+ # Additional volumeMounts on the output MDCB Deployment definition.
+ extraVolumeMounts: []
+ # - name: foo
+ # mountPath: "/etc/foo"
+ # readOnly: true
+
+ # node labels for MDCB pod assignment
+ nodeSelector: {}
+
+ # tolerations for MDCB pod assignment
+ tolerations: []
+
+ # affinity for MDCB pod assignment
+ affinity: {}
+
+
+tyk-dev-portal:
+ # Sensitive configuration of Portal could be set using k8s secret
+ # You can set following fields:
+ # - DevPortalLicense - Sets LicenseKey for Developer Portal
+ # - DevPortalDatabaseConnectionString - Sets database connectionString for Developer Portal
+ # - DevPortalAwsAccessKeyId - Sets AWS S3 Access Key ID
+ # - DevPortalAwsSecretAccessKey - Sets AWS S3 Secret Access Key
+ useSecretName: ""
+ # The hostname to bind the Developer Portal to.
+ hostName: tyk-dev-portal.local
+ # Developer Portal license.
+ license: ""
+ # Developer portal can be deployed as StatefulSet or as Deployment
+ kind: StatefulSet
+ storage:
+ # User can set the storage type for portal.
+ # Supported types: fs, s3, db
+ type: "db"
+ # Configuration values for using s3 as storage for Tyk Developer Portal
+ # In case you want to provide the key ID and access key via secrets please
+ # refer to the existing secret inside the helm chart or the
+ # .Values.useSecretName field
+ s3:
+ awsAccessKeyid: your-access-key
+ awsSecretAccessKey: your-secret-key
+ region: sa-east-1
+ endpoint: https://s3.sa-east-1.amazonaws.com
+ bucket: your-portal-bucket
+ acl: private
+ presign_urls: true
+ persistence:
+ mountExistingPVC: ""
+ storageClass: ""
+ accessModes:
+ - ReadWriteOnce
+ size: 8Gi
+ annotations: {}
+ labels: {}
+ selector: {}
+ database:
+ # This selects the SQL dialect to be used
+ # The supported values are mysql, postgres and sqlite3
+ dialect: "sqlite3"
+ connectionString: "db/portal.db"
+ enableLogs: false
+ maxRetries: 3
+ retryDelay: 5000
+
+ # replicaCount specifies number of replicas to be created if kind is Deployment.
+ replicaCount: 1
+
+ # containerPort specifies the container port for Tyk Developer Portal container.
+ # Also, it is used to set PORTAL_HOST_PORT
+ containerPort: 3001
+ image:
+ # image repository for Tyk Developer Portal.
+ repository: tykio/portal
+
+ # Developer portal < v1.2 is not supported
+ tag: v1.8.0
+ # image pull policy
+ pullPolicy: Always
+
+ # image pull secrets to use when pulling images from repository
+ imagePullSecrets: []
+
+ service:
+ # type corresponds to the service type of Tyk Developer Portal Service.
+ type: ClusterIP
+ # The port at which Tyk Developer Portal service can be found
+ port: 3001
+ # externalTrafficPolicy corresponds to the external traffic policy if the service type is load balancer
+ externalTrafficPolicy: Local
+ # annotations corresponds to the annotations which will be added into Tyk Dashboard Service.
+ annotations: {}
+
+ # ingress specifies Ingress rules for Tyk Developer Portal Service.
+ # Ingress is disabled by default.
+ ingress:
+ # enabled specifies whether ingress is enabled or not.
+ # Set it to true to enable Ingress for Tyk Dashboard Service.
+ enabled: false
+ # specify your ingress controller class name below
+ className: ""
+
+ # annotations specifies annotations to be added on Ingress resource.
+ annotations: {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+
+ # hosts corresponds to the rules to be added on Ingress rules.
+ hosts:
+ - host: chart-example.local
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+
+ # tls corresponds to the tls configuration if Ingress rules use TLS
+ tls: []
+
+ resources: {}
+ # We usually recommend not to specify default resources and to leave this
+ # as a conscious choice for the user. This also increases chances charts
+ # run on environments with little resources, such as Minikube. If you do
+ # want to specify resources, uncomment the following lines, adjust them
+ # as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+ # securityContext holds pod-level security attributes for Tyk Developer Portal pod.
+ securityContext:
+ runAsUser: 1000
+ fsGroup: 2000
+ # containerSecurityContext holds container-level security attributes for Tyk Developer Portal pod.
+ containerSecurityContext:
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ privileged: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - all
+ # nodeSelector is a selector which must be true for Tyk Developer Portal pod to fit on a specific node.
+ nodeSelector: {}
+ # tolerations specifies tolerations to be applied on Tyk Developer Portal pods.
+ tolerations: []
+ # affinity specifies affinity and anti-affinity constraints.
+ affinity: {}
+ # extraEnvs is used to set extra environment variables to Tyk Developer Portal pod.
+ # - name: PORTAL_REFRESHINTERVAL
+ # value: "10"
+ extraEnvs: []
+ # extraVolumes is a list of volumes to be added to the pod
+ # extraVolumes:
+ # - name: ca-certs
+ # secret:
+ # defaultMode: 420
+ # secretName: ca-certs
+ extraVolumes: []
+ # extraVolumeMounts is a list of volume mounts to be added to the pod
+ # extraVolumeMounts:
+ # - name: ca-certs
+ # mountPath: /etc/ssl/certs/ca-certs.crt
+ # readOnly: true
+ extraVolumeMounts: []
+
+ # livenessProve includes details about liveness probe used in Tyk Developer Portal
+ livenessProbe:
+ # initialDelaySeconds specifies the seconds used in liveness probe as initial delay.
+ initialDelaySeconds: 60
+
+ # readinessProbe includes details about readiness probe used in Tyk Developer Portal
+ readinessProbe:
+ # initialDelaySeconds specifies the seconds used in readiness probe as initial delay.
+ initialDelaySeconds: 60