Tyk - Deployment and configuration
---
# cert-manager Helm values (used by the `helm upgrade ... cert-manager` command further down).
ingressShim:
  # Issuer applied to Ingresses that carry `kubernetes.io/tls-acme: "true"` but no
  # explicit issuer annotation.
  # NOTE(review): this is spelled "letsencript-staging", while the Tyk Ingresses
  # annotate `certmanager.k8s.io/cluster-issuer: letsencrypt`. Confirm a
  # ClusterIssuer with exactly this name exists; otherwise un-annotated
  # Ingresses will never get a certificate.
  defaultIssuerName: letsencript-staging
  defaultIssuerKind: ClusterIssuer
  defaultACMEChallengeType: dns01
  defaultACMEDNS01ChallengeProvider: route53
extraArgs:
  # Presumably so DNS-01 challenge records are checked against public resolvers
  # rather than the cluster DNS before cert-manager asks the CA to validate.
  - "--dns01-recursive-nameservers=8.8.8.8:53,8.8.4.4:53"
podAnnotations:
  # Placeholder: the kube2iam-style IAM role that grants cert-manager write
  # access to Route53 for the DNS-01 challenge. Scope it to the hosted zone(s)
  # it actually manages rather than to all of Route53.
  iam.amazonaws.com/role: "change:this:to:use:a:real:aws:iam:role"
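---
apiVersion: v1
kind: ConfigMap
metadata:
  name: tyk-dashboard
  # The tyk-dashboard Deployment lives in `tyk` and mounts this ConfigMap by
  # name. Every other resource sets the namespace explicitly, so set it here too
  # instead of relying on the kubectl context: a ConfigMap created in `default`
  # leaves the pod waiting on a FailedMount.
  namespace: tyk
  labels:
    app: tyk
    component: dashboard
data:
  # Tyk Dashboard configuration. The `[[...]]` placeholders are substituted
  # before apply. TYK_TOKEN, LICENSE_TOKEN, TYK_DEV_PORTAL_ADMIN_TOKEN and
  # NODE_TOKEN are credentials: anyone with read access to ConfigMaps in the
  # namespace can read them, so render this file into a Secret and mount that
  # instead once the values are real.
  # Other points worth knowing when reading the JSON below:
  # - `http_server_options.use_ssl` is false: TLS terminates at the Ingress and
  #   the hop from the ingress controller to this pod is plain HTTP.
  # - `security.audit_log_path` points into /tmp on the container filesystem,
  #   so the audit trail disappears on every pod restart unless it is shipped
  #   or backed by a volume.
  # - `secure_cookies` and `hash_keys` are on; master keys are disabled.
  tyk.conf: |-
    {
      "listen_port": 8080,
      "tyk_api_config": {
        "Host": "http://tyk-gateway.tyk.svc.cluster.local",
        "Port": "8080",
        "Secret": "[[TYK_TOKEN]]"
      },
      "mongo_url": "mongodb://mongodb-mongodb-replicaset-0.mongodb-mongodb-replicaset.tyk.svc.cluster.local:27017,mongodb-mongodb-replicaset-1.mongodb-mongodb-replicaset.tyk.svc.cluster.local:27017,mongodb-mongodb-replicaset-2.mongodb-mongodb-replicaset.tyk.svc.cluster.local:27017/tyk_analytics?replicaSet=rs0",
      "license_key": "[[LICENSE_TOKEN]]",
      "page_size": 10,
      "admin_secret": "[[TYK_DEV_PORTAL_ADMIN_TOKEN]]",
      "shared_node_secret": "[[NODE_TOKEN]]",
      "force_api_defaults": false,
      "notify_on_change": false,
      "redis_host": "redis-master.tyk.svc.cluster.local",
      "redis_port": 6379,
      "enable_cluster": false,
      "redis_database": 0,
      "hash_keys": true,
      "email_backend": {
        "enable_email_notifications": false,
        "code": "",
        "settings": null,
        "default_from_email": "",
        "default_from_name": ""
      },
      "hide_listen_path": false,
      "use_sentry": false,
      "enable_master_keys": false,
      "enable_duplicate_slugs": true,
      "show_org_id": true,
      "host_config": {
        "enable_host_names": true,
        "disable_org_slug_prefix": true,
        "hostname": "developer-admin.my-domain.com",
        "override_hostname": "api.my-domain.com",
        "portal_domains": {},
        "portal_root_path": "",
        "generate_secure_paths": true,
        "secure_cookies": true
      },
      "http_server_options": {
        "use_ssl": false,
        "certificates": [],
        "min_version": 0
      },
      "ui": {
        "login_page": {},
        "nav": {
          "dont_show_admin_sockets": true,
          "hide_licenses_section": true
        },
        "uptime": {},
        "portal_section": null,
        "designer": {},
        "dont_allow_license_management": true,
        "dont_allow_license_management_view": true
      },
      "home_dir": "/opt/tyk-dashboard",
      "identity_broker": {
        "enabled": false
      },
      "security": {
        "login_failure_username_limit": 3,
        "login_failure_ip_limit": 15,
        "login_failure_expiration": 900,
        "login_disallow_forward_proxy": false,
        "audit_log_path": "/tmp/logs/audit.log",
        "allow_admin_reset_password": false
      },
      "disable_parallel_sessions": true,
      "tagging_options": {
        "tag_all_apis_by_org": false
      },
      "use_sharded_analytics": true,
      "enable_aggregate_lookups": false
    }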
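---
# `extensions/v1beta1` Deployments were removed in Kubernetes 1.16. `apps/v1`
# has been served since 1.9 and accepts every field used here (its one extra
# requirement, `spec.selector`, is already present), so this applies unchanged
# on old clusters and keeps working on new ones.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: tyk
    component: dashboard
  name: tyk-dashboard
  namespace: tyk
spec:
  minReadySeconds: 30
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 3
  selector:
    matchLabels:
      app: tyk
      component: dashboard
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: "50%"
      maxUnavailable: "50%"
  template:
    metadata:
      labels:
        app: tyk
        component: dashboard
    spec:
      containers:
        - name: tyk
          image: tykio/tyk-dashboard:v1.7.5
          imagePullPolicy: IfNotPresent
          # Config is read from the ConfigMap mounted at /etc/tyk-dashboard.
          command:
            - /opt/tyk-dashboard/tyk-analytics
            - --conf=/etc/tyk-dashboard/tyk.conf
          ports:
            - containerPort: 8080
              protocol: TCP
          # Liveness only checks that the port accepts a TCP connection; readiness
          # needs an HTTP success from `/` before the pod is added to the Service.
          livenessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 5
            timeoutSeconds: 1
            successThreshold: 1
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /
              port: 8080
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 5
            timeoutSeconds: 1
            successThreshold: 1
            failureThreshold: 3
          # NOTE(review): no `resources` and no `securityContext` are set, so the
          # container is unbounded on CPU/memory and runs with the image's default
          # user. Requests/limits and `runAsNonRoot`/`readOnlyRootFilesystem` are
          # worth adding once the image's requirements are confirmed.
          volumeMounts:
            - mountPath: /etc/tyk-dashboard
              name: dashboard-configuration
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
      volumes:
        - name: dashboard-configuration
          configMap:
            name: tyk-dashboard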
---
# NOTE(review): `extensions/v1beta1` Ingress is gone on Kubernetes >= 1.22;
# moving to `networking.k8s.io/v1` changes the backend schema
# (`service.name` / `service.port.name`), so it is kept as-is here.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tyk-dashboard
  namespace: tyk
  labels:
    app: tyk
    component: dashboard
  annotations:
    # The certificate is requested from the `letsencrypt` ClusterIssuer
    # (pre-0.11 cert-manager annotation group). This is not the same name as
    # the `ingressShim.defaultIssuerName` in the cert-manager values.
    certmanager.k8s.io/cluster-issuer: letsencrypt
    kubernetes.io/ingress.class: nginx-public
    kubernetes.io/tls-acme: "true"
spec:
  # Both the admin and the developer-portal hostnames hit the same Service on
  # its `http` port; which UI is served per host is decided by the dashboard's
  # `host_config`. TLS terminates here, so the hop to the pod is plain HTTP.
  rules:
    - host: developer-admin.my-domain.com
      http:
        paths:
          - path: /
            backend:
              serviceName: tyk-dashboard
              servicePort: http
    - host: developer.my-domain.com
      http:
        paths:
          - path: /
            backend:
              serviceName: tyk-dashboard
              servicePort: http
  tls:
    - secretName: tyk-dashboard-developer-portal-tls
      hosts:
        - developer-admin.my-domain.com
        - developer.my-domain.com
---
# Cluster-internal Service in front of the dashboard pods; the Ingress above
# targets the named `http` port.
apiVersion: v1
kind: Service
metadata:
  name: tyk-dashboard
  namespace: tyk
  labels:
    app: tyk
    component: dashboard
spec:
  type: ClusterIP
  selector:
    app: tyk
    component: dashboard
  ports:
    - name: http
      protocol: TCP
      port: 8080
      targetPort: 8080
---
# ExternalDNS Helm values (used by the `helm upgrade ... external-dns` command further down).
publishInternalServices: true
provider: aws
aws:
  # Placeholder: AWS region of the Route53 hosted zone.
  region: "xxx"
# `sync` allows ExternalDNS to delete records, not just create/update them. It
# only removes records whose TXT registry entry carries `txtOwnerId`, but
# `upsert-only` is the safer policy if the zone holds records that must never
# be removed automatically.
policy: sync
# Verbose logging; lower it once the setup is verified.
logLevel: debug
# Only records under this zone are ever touched.
domainFilters:
  - "my-domain.com"
txtOwnerId: "k8s-test"
rbac:
  create: true
podAnnotations:
  # Placeholder: kube2iam-style IAM role granting Route53 change permissions,
  # ideally limited to the filtered hosted zone.
  iam.amazonaws.com/role: "change:this:to:use:a:real:aws:iam:role"
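---
apiVersion: v1
kind: ConfigMap
metadata:
  name: tyk-gateway
  # The tyk-gateway Deployment lives in `tyk` and mounts this ConfigMap by
  # name. Every other resource sets the namespace explicitly, so set it here too
  # instead of relying on the kubectl context: a ConfigMap created in `default`
  # leaves the pod waiting on a FailedMount.
  namespace: tyk
  labels:
    app: tyk
    component: gateway
data:
  # Tyk Gateway configuration. The `[[...]]` placeholders are substituted before
  # apply. TYK_TOKEN and NODE_TOKEN are credentials (the gateway's own API
  # secret and the node secret shared with the dashboard): anyone with read
  # access to ConfigMaps in the namespace can read them, so render this file
  # into a Secret and mount that instead once the values are real.
  # Other points worth knowing when reading the JSON below:
  # - `storage.password` is empty, matching `usePassword=false` on the Redis
  #   release: anything in the cluster that can reach `redis-master.tyk` can
  #   read and change the gateway's key/session store. A NetworkPolicy limiting
  #   access to the tyk pods, or enabling Redis auth and setting the password
  #   here, closes that.
  # - `allow_insecure_configs` is true. NOTE(review): this relaxes a gateway
  #   safety check; confirm against the Tyk gateway configuration reference
  #   that it is needed outside development.
  # - `hash_keys` is on, master keys are disabled, `health_check` is enabled.
  tyk.conf: |
    {
      "listen_port": 8080,
      "secret": "[[TYK_TOKEN]]",
      "node_secret": "[[NODE_TOKEN]]",
      "template_path": "/opt/tyk-gateway/templates",
      "tyk_js_path": "/opt/tyk-gateway/js/tyk.js",
      "middleware_path": "/opt/tyk-gateway/middleware",
      "use_db_app_configs": true,
      "db_app_conf_options": {
        "connection_string": "http://tyk-dashboard.tyk.svc.cluster.local:8080",
        "node_is_segmented": true,
        "tags": []
      },
      "app_path": "/opt/tyk-gateway/apps/",
      "storage": {
        "type": "redis",
        "enable_cluster": false,
        "hosts": {
          "redis-master.tyk.svc.cluster.local": "6379"
        },
        "username": "",
        "password": "",
        "database": 0,
        "optimisation_max_idle": 2000,
        "optimisation_max_active": 4000
      },
      "enable_analytics": true,
      "analytics_config": {
        "type": "mongo",
        "csv_dir": "/tmp",
        "mongo_url": "mongodb://mongodb-mongodb-replicaset-0.mongodb-mongodb-replicaset.tyk.svc.cluster.local:27017,mongodb-mongodb-replicaset-1.mongodb-mongodb-replicaset.tyk.svc.cluster.local:27017,mongodb-mongodb-replicaset-2.mongodb-mongodb-replicaset.tyk.svc.cluster.local:27017/tyk_analytics?replicaSet=rs0",
        "mongo_db_name": "",
        "mongo_collection": "",
        "purge_delay": -1,
        "ignored_ips": []
      },
      "health_check": {
        "enable_health_checks": true,
        "health_check_value_timeouts": 60
      },
      "optimisations_use_async_session_write": true,
      "enable_non_transactional_rate_limiter": true,
      "enable_sentinel_rate_limiter": false,
      "allow_master_keys": false,
      "policies": {
        "policy_source": "service",
        "policy_connection_string": "http://tyk-dashboard.tyk.svc.cluster.local:8080",
        "policy_record_name": "tyk_policies"
      },
      "hash_keys": true,
      "close_connections": true,
      "http_server_options": {
        "enable_websockets": true
      },
      "allow_insecure_configs": true,
      "coprocess_options": {
        "enable_coprocess": false,
        "coprocess_grpc_server": ""
      },
      "enable_bundle_downloader": true,
      "bundle_base_url": "",
      "global_session_lifetime": 100,
      "force_global_session_lifetime": false,
      "max_idle_connections_per_host": 500
    }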
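---
# `extensions/v1beta1` Deployments were removed in Kubernetes 1.16. `apps/v1`
# has been served since 1.9 and accepts every field used here (its one extra
# requirement, `spec.selector`, is already present), so this applies unchanged
# on old clusters and keeps working on new ones.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: tyk
    component: gateway
  name: tyk-gateway
  namespace: tyk
spec:
  minReadySeconds: 30
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 3
  selector:
    matchLabels:
      app: tyk
      component: gateway
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: "50%"
      maxUnavailable: "50%"
  template:
    metadata:
      labels:
        app: tyk
        component: gateway
    spec:
      containers:
        - name: tyk
          image: tykio/tyk-gateway:v2.7.6
          imagePullPolicy: IfNotPresent
          # Config is read from the ConfigMap mounted at /etc/tyk-gateway.
          command:
            - /opt/tyk-gateway/tyk
            - --conf=/etc/tyk-gateway/tyk.conf
          ports:
            - containerPort: 8080
              protocol: TCP
          # Liveness only checks that the port accepts a TCP connection; readiness
          # needs an HTTP success from `/hello` before the pod is added to the Service.
          livenessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 5
            timeoutSeconds: 1
            successThreshold: 1
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /hello
              port: 8080
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 5
            timeoutSeconds: 1
            successThreshold: 1
            failureThreshold: 3
          # NOTE(review): no `resources` and no `securityContext` are set, so the
          # container is unbounded on CPU/memory and runs with the image's default
          # user. Requests/limits and `runAsNonRoot`/`readOnlyRootFilesystem` are
          # worth adding once the image's requirements are confirmed.
          volumeMounts:
            - mountPath: /etc/tyk-gateway
              name: gateway-configuration
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
      volumes:
        - name: gateway-configuration
          configMap:
            name: tyk-gateway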
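---
# NOTE(review): `extensions/v1beta1` Ingress is gone on Kubernetes >= 1.22;
# moving to `networking.k8s.io/v1` changes the backend schema
# (`service.name` / `service.port.name`), so it is kept as-is here.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tyk-gateway
  namespace: tyk
  labels:
    app: tyk
    component: gateway
  annotations:
    # The certificate is requested from the `letsencrypt` ClusterIssuer
    # (pre-0.11 cert-manager annotation group).
    certmanager.k8s.io/cluster-issuer: letsencrypt
    kubernetes.io/ingress.class: nginx-public
    kubernetes.io/tls-acme: "true"
  # `metadata.generation` was dropped from the original: it is a server-managed,
  # read-only field that had been copied out of a live object and does not
  # belong in a manifest.
spec:
  # Public API hostname; TLS terminates here and the hop to the gateway pod is
  # plain HTTP on the Service's `http` port.
  rules:
    - host: api.my-domain.com
      http:
        paths:
          - path: /
            backend:
              serviceName: tyk-gateway
              servicePort: http
  tls:
    - secretName: tyk-gateway-api-tyk-tls
      hosts:
        - api.my-domain.com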
---
# Cluster-internal Service in front of the gateway pods; the Ingress above
# targets the named `http` port, and the dashboard reaches it via
# `tyk-gateway.tyk.svc.cluster.local:8080`.
apiVersion: v1
kind: Service
metadata:
  name: tyk-gateway
  namespace: tyk
  labels:
    app: tyk
    component: gateway
spec:
  type: ClusterIP
  selector:
    app: tyk
    component: gateway
  ports:
    - name: http
      protocol: TCP
      port: 8080
      targetPort: 8080
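# Helm releases backing the Tyk manifests. Run from the directory holding the
# values files (nginx-ingress.yaml, external-dns.yaml, cert-manager.yaml).
# NOTE(review): chart names are given bare; confirm they resolve against the
# intended repository (e.g. stable/) or local chart directory.

# redis
# `usePassword=false` means any pod that can reach redis-master.tyk can read and
# change the gateway's key/session store; the gateway config has an empty
# `storage.password` to match. If auth is enabled here, set it there as well.
helm upgrade --install --namespace tyk \
  --version 6.3.1 redis redis \
  --set usePassword=false,cluster.enabled=true,cluster.slaveCount=2,metrics.enabled=true

# mongo
# `--set` paths use `.` as the separator; the original `persistentVolume:size`
# would have set a key literally named "persistentVolume:size" and left the
# volume at the chart default.
helm upgrade --install --namespace tyk \
  --version 3.9.2 mongodb mongodb-replicaset \
  --set replicas=3,metrics.enabled=true,persistentVolume.size=10Gi

# Nginx ingress
# A whole values file is passed with `--values`; `--set-file` expects
# `key=path` and rejects a bare filename.
helm upgrade --install --namespace ingress \
  --version 1.4.0 nginx-ingress nginx-ingress \
  --values nginx-ingress.yaml

# ExternalDNS
helm upgrade --install --namespace kube-system \
  --version 1.7.3 external-dns external-dns \
  --values external-dns.yaml

# Cert-manager
# NOTE(review): the v0.6 cert-manager install docs apply the CRD manifest
# separately before the chart; confirm that step is done first.
helm upgrade --install --namespace cert-manager \
  --version v0.6.6 cert-manager cert-manager \
  --values cert-manager.yaml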
---
# nginx-ingress Helm values (used by the `helm upgrade ... nginx-ingress` command above).
# Allow preservation of the source IP address (required for rate limiting).
# Read more about this here https://github.com/kubernetes-incubator/external-dns/issues/456#issuecomment-404229331
controller:
  # Class matched by the `kubernetes.io/ingress.class: nginx-public` annotation
  # on the Tyk Ingresses.
  ingressClass: nginx-public
  # server-port 8282 to avoid clash with Kube2IAM running on 8181 (Nginx ingress default)
  # annotations-prefix to be less tightly bound to the nginx default annotations => "nginx.ingress.kubernetes.io"
  extraArgs:
    default-server-port: 8282
    annotations-prefix: "ingress.kubernetes.io"
  # Required for ExternalDNS to pick up the load balancer address from the
  # Ingress status:
  # https://github.com/kubernetes/ingress-nginx/issues/2085
  # https://github.com/kubernetes-incubator/external-dns/issues/456#issuecomment-404229331
  publishService:
    enabled: true
  replicaCount: 3
  service:
    annotations:
      # Enable PROXY protocol so the real client IP reaches nginx through the ELB
      # (paired with `use-proxy-protocol` in `config` below).
      service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
      # Ensure the ELB idle timeout is less than nginx keep-alive timeout. By default,
      # NGINX keep-alive is set to 75s. If using WebSockets, the value will need to be
      # increased to '3600' to avoid any potential issues.
      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60"
    # Limit access to this LB. Placeholder: replace with the CIDR ranges that
    # may reach the ELB; anything not listed is dropped at the ELB security group.
    loadBalancerSourceRanges:
      - "xxxx"
  stats:
    enabled: true
  metrics:
    enabled: true
  config:
    use-proxy-protocol: "true"
    use-gzip: "true"
    use-geoip: "true"
    # Keep health-check requests out of the access log.
    skip-access-log-urls: "/healthz"
# Backend that serves the default 404/5xx pages when no Ingress rule matches.
defaultBackend:
  replicaCount: 3