Merging to release-5.7: New IA - Migration to Tyk (#5823) #5886

Merged

Conversation

buger
Member

@buger buger commented Jan 13, 2025

User description

New IA - Migration to Tyk (#5823)


PR Type

Documentation


Description

  • Introduced a comprehensive guide for Tyk Open Source installation.

  • Consolidated and streamlined menu structure for better navigation.

  • Updated references and links to align with new documentation structure.

  • Enhanced Redis and database configuration instructions for clarity.


Changes walkthrough 📝

Relevant files
Documentation
6 files
tyk-open-source.md
Added comprehensive guide for Tyk Open Source installation
+1146/-0
menu.yaml
Restructured menu for improved navigation                               
+21/-651
dashboard.md
Updated database compatibility and migration references   
+23/-23 
alias.json
Added and updated aliases for new documentation structure
+118/-1 
security-best-practices.md
Updated links to align with new structure                               
+7/-7     
tyk-oss-chart.md
Enhanced Redis and database configuration instructions     
+5/-5     
Additional files
101 files
CONTRIBUTING-TECHNICAL-GUIDE.md +6/-6     
dashboard-login-ldap-tib.md +1/-1     
manage-multiple-environments.md +1/-1     
with-tyk-multi-cloud.md +1/-1     
transform-traffic.md +2/-2     
endpoint-designer.md +1/-1     
response-body.md +1/-1     
response-headers.md +1/-1     
automations.md +4/-3     
client-authentication.md +1/-1     
deploy-apis-overview.md +1/-1     
troubleshooting-debugging.md +5/-5     
upstream-authentication.md +3/-3     
apim.md +4/-4     
open-source.md +0/-33   
installation.md +0/-66   
optimise-cache.md +1/-1     
event-data.md +1/-1     
organisations.md +1/-1     
gateway.md +1/-1     
.placeholder [link]   
quick-start.md +0/-174 
.placeholder [link]   
.placeholder [link]   
quick-start.md +0/-59   
.placeholder [link]   
.placeholder [link]   
.placeholder [link]   
.placeholder [link]   
.placeholder [link]   
.placeholder [link]   
consul.md +0/-81   
vault.md +0/-111 
.placeholder [link]   
.placeholder [link]   
.placeholder [link]   
tyk-helm-tyk-stack-mongodb.md +0/-137 
tyk-helm-tyk-stack-postgresql.md +0/-112 
.placeholder [link]   
.placeholder [link]   
.placeholder [link]   
.placeholder [link]   
.placeholder [link]   
.placeholder [link]   
.placeholder [link]   
overview.md +0/-22   
faq.md +1/-1     
archived.md +2/-2     
cloud.md +2/-2     
gateway.md +9/-9     
helm-chart.md +5/-5     
mdcb.md +1/-1     
pump.md +3/-3     
upgrading.md +7/-7     
create-api.md +2/-2     
installation.md +3/-3     
gitops-with-tyk.md +0/-37   
quick-start.md +0/-38   
tyk-demo.md +0/-84   
tyk-k8s-demo.md +0/-243 
using-tyk-dashboard.md +1/-1     
creating-gql-api.md +1/-1     
grpc-proxy.md +1/-1     
plan-your-api-integration.md +6/-6     
planning-for-production.md +0/-227 
benchmarks.md +0/-37   
database-settings.md +0/-24   
mongodb-sizing.md +0/-79   
mongodb.md +0/-58   
postgresql.md +0/-104 
ensure-high-availability.md +0/-14   
circuit-breakers.md +0/-109 
enforced-timeouts.md +0/-54   
health-check.md +0/-258 
load-balancing.md +0/-84   
service-discovery.md +0/-157 
examples.md +0/-138 
uptime-tests.md +0/-161 
monitoring.md +0/-61   
tyk-components.md +0/-109 
redis-sizing.md +0/-29   
redis.md +0/-103 
plugins.md +1/-1     
deploy-plugins.md +1/-1     
golang.md +1/-2     
custom-auth-python-tutorial.md +1/-1     
quickstart.md +1/-1     
overview.md +5/-5     
tyk-control-plane-chart.md +4/-4     
tyk-data-plane-chart.md +5/-5     
tyk-stack-chart.md +5/-5     
data-storage-configuration.md +1/-1     
install-tyk-enterprise-portal.md +1/-1     
install-portal-using-docker.md +1/-1     
install-portal-using-helm.md +1/-1     
install-portal-using-rpm.md +1/-1     
create-api-product-and-plan.md +1/-1     
with-tyk-self-managed-as-provider.md +1/-1     
otel_jaeger_k8s.md +1/-1     
circuit-breaker-tyk-classic.md +0/-119 
Additional files not shown

💡 PR-Agent usage: Comment /help "your question" on any pull request to receive relevant information

(cherry picked from commit 8d08348)
@buger buger enabled auto-merge (squash) January 13, 2025 12:27
Contributor

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

🎫 Ticket compliance analysis ✅

5823 - Fully compliant

Fully compliant requirements:

  • Introduce a comprehensive guide for Tyk Open Source installation.
  • Consolidate and streamline menu structure for better navigation.
  • Update references and links to align with the new documentation structure.
  • Enhance Redis and database configuration instructions for clarity.

Not compliant requirements:

⏱️ Estimated effort to review: 4 🔵🔵🔵🔵⚪
🧪 No relevant tests
🔒 No security concerns identified
⚡ Recommended focus areas for review

Possible Inconsistency

Ensure that all installation steps and configurations are accurate and consistent across different platforms (e.g., Docker, Kubernetes, Ansible).

---
title: "Install Tyk Open Source"
description: "This page serves as a comprehensive guide to migrating workloads to Tyk"
tags: ["installation", "migration", "open source"]
aliases:
  - /apim/open-source/installation
  - /deployment-and-operations/tyk-open-source-api-gateway/quick-start
  - /tyk-oss/ce-centos
  - /tyk-oss/ce-debian-ubuntu
  - /tyk-oss/ce-kubernetes-ingress
  - /tyk-oss/ce-redhat
  - /tyk-oss/ce-redhat-rhel-centos
  - /tyk-oss/ce-ubuntu
  - /tyk-oss/ce-helm-chart-new
  - /tyk-oss/ce-ansible
  - /tyk-oss/ce-docker
  - /tyk-oss/ce-github
  - /tyk-oss/ce-helm-chart
  - /tyk-oss/ce-kubernetes
  - /tyk-configuration-reference/redis-cluster-sentinel
  - /tyk-stack/tyk-gateway/configuration/redis-sentinel
  - /apim/open-source
  - /tyk-stack/tyk-gateway/configuration/redis-cluster
  - /apim/open-source/getting-started
---

## What is Tyk Open Source

Open source is at the heart of what we do. Anything that is API Gateway-related, lives in the Gateway, or is critical for the Gateway to work is open and freely available via our [GitHub](https://github.com/TykTechnologies/tyk).

The Tyk Gateway is fully open-source. It's all the same Gateway that's used by you (the community!), by our enterprise products, as well as our SaaS.

Our commitment to open source also delivers a host of benefits for our users: sign up for free with Tyk, receive securely packaged open source packages, getting started guides, access to our community and all of the latest open source information.

{{< note success >}}
**Note**
Tyk OSS, Tyk Open Source, Tyk Gateway, Tyk CE
{{< /note >}}

{{< img src="/img/diagrams/oss-flow.png" alt="OSS-Guide" >}}

### What Does Tyk Open Source Include?

The Tyk Team has created and maintains the following components, which are fully Open Source and available under Mozilla Public License 2.0 (MPL). Star the Tyk components you use by clicking the appropriate button:

* [Tyk Gateway]({{< ref "tyk-oss-gateway" >}}) - Fully fledged API Gateway (Start here!) - {{< github_star_button "TykTechnologies" "tyk" "true" >}}
* [Tyk Pump]({{< ref "tyk-pump" >}}) - Send API analytics data to your chosen backend - {{< github_star_button "TykTechnologies" "tyk-pump" "true" >}}
* [Tyk Identity Broker]({{< ref "tyk-identity-broker" >}}) - Connect your third-party IdP systems - {{< github_star_button "TykTechnologies" "tyk-identity-broker" "true" >}}
* [Tyk Helm Chart]({{< ref "/product-stack/tyk-charts/overview" >}}) - Deploy Tyk in K8S - {{< github_star_button "TykTechnologies" "tyk-charts" "true" >}}

You can find additional FAQs regarding the MPL license [here](https://www.mozilla.org/en-US/MPL/2.0/FAQ/).

## Quick Start Tyk Gateway

New to Tyk Gateway? On this page you'll get started with the basics: install Tyk and test it live in less than 2 minutes.

We recommend [Tyk Gateway docker compose](https://github.com/TykTechnologies/tyk-gateway-docker) as the quickest way to get started. If you want to deploy it on a specific platform, check our [installation options]({{< ref "#installation-options-for-tyk-gateway" >}}) page.

**Step 1 - Clone the docker-compose repository**

```bash
git clone https://github.com/TykTechnologies/tyk-gateway-docker
```

**Step 2 - Change to the new directory**

```bash
cd tyk-gateway-docker
```

**Step 3 - Deploy Tyk Gateway and Redis**

```bash
docker-compose up
```

You can also run this in detached mode using the _-d_ flag:

```bash
docker-compose up -d
```


Congratulations, you’re done!!!

### Test Installation

Your Tyk Gateway is now configured and ready to use. Confirm this by checking against the ‘hello’ endpoint:

```curl
curl localhost:8080/hello
```

The output should be similar to that shown below:

```json
{"status": "pass", "version": "v5.1", "description": "Tyk GW"}
```

## Installation Options for Tyk Gateway

The backbone of all our products is our open source Gateway. You can install our Open Source / Community Edition on the following platforms:

{{< grid >}}

{{< badge read="10 mins" href="tyk-open-source#install-tyk-gateway-with-docker" image="/img/docker.png" alt="Docker install">}}
Install with Docker.
{{< /badge >}}

{{< badge read="10 mins" href="tyk-open-source#install-tyk-gateway-with-kubernetes" image="/img/k8s.png" alt="Kubernetes Install">}}
Install with K8s.
{{< /badge >}}

{{< badge read="10 mins" href="tyk-open-source#install-tyk-gateway-with-ansible" image="/img/ansible.png" alt="Ansible install">}}
Install with Ansible.
{{< /badge >}}

{{< badge read="10 mins" href="tyk-open-source#install-tyk-gateway-on-red-hat-rhel--centos" image="/img/redhat-logo2.png" alt="Redhat / CentOS install">}}
Install on RHEL / CentOS.
{{< /badge >}}

{{< badge read="10 mins" href="tyk-open-source#install-tyk-gateway-with-ubuntu" image="/img/debian-nd-753.png" alt="Debian / Ubuntu install">}}
Install on Debian / Ubuntu.
{{< /badge >}}

{{< badge read="10 mins" href="https://github.com/TykTechnologies/tyk" image="/img/GitHub-Mark-64px.png" alt="Tyk Gateway GitHub Repo">}}
Visit our Gateway GitHub Repo.
{{< /badge >}}

{{< /grid >}}

### Install Tyk Gateway with Docker

We will show you two methods of installing our Community Edition Gateway on Docker.
The quickest way to get started is using docker-compose. Visit our Dockerhub to view the official images.

#### Prerequisites

The following are required for a Tyk OSS installation:

* Redis - Required for all Tyk installations.
  Simple Redis installation instructions are included below.
* MongoDB - Required only if you chose to use the Tyk Pump with your Tyk OSS installation. Same goes with any [other pump data stores]({{< ref "tyk-stack/tyk-pump/other-data-stores.md" >}}) you choose to use.

#### Steps for Installation

1. Create a network

```bash
docker network create tyk
```

2. Deploy Redis into the network, with the `6379` port open

```bash
docker run -itd --rm --name tyk-redis --network tyk -p 127.0.0.1:6379:6379 redis:4.0-alpine
```

3. Next, let's download a JSON `tyk.conf` configuration file

```bash
wget https://raw.githubusercontent.com/TykTechnologies/tyk-gateway-docker/master/tyk.standalone.conf
```

4. Run the Gateway, mounting the conf file into the container

```bash
docker run \
  --name tyk_gateway \
  --network tyk \
  -p 8080:8080 \
  -v $(pwd)/tyk.standalone.conf:/opt/tyk-gateway/tyk.conf \
  -v $(pwd)/apps:/opt/tyk-gateway/apps \
  docker.tyk.io/tyk-gateway/tyk-gateway:latest
```

#### Test Installation

Your Tyk Gateway is now configured and ready to use. Confirm this by making a network request to the 'hello' endpoint:

```curl
curl localhost:8080/hello
```

Output should be similar to that shown below:

```json
{"status":"pass","version":"v3.2.1","description":"Tyk GW"}
```

### Install Tyk Gateway with Kubernetes

The main way to install the Open Source Tyk Gateway in a Kubernetes cluster is via Helm charts.
We are actively working to add flexibility and more user flows to our chart. Please reach out
to our teams on support or the community forum if you have questions, requests or suggestions for improvements.

Get started with our [Quick Start guide]({{<ref "#quick-start-with-helm-chart">}}) or go to [Tyk Open Source helm chart]({{<ref "product-stack/tyk-charts/tyk-oss-chart">}}) for detailed installation instructions and configuration options.

#### Quick Start with Helm Chart

At the end of this quickstart Tyk Gateway should be accessible through service `gateway-svc-tyk-oss-tyk-gateway` at port `8080`.
The following guides provide instructions to install Redis and Tyk Open Source with default configurations. It is intended for quick start only. For production, you should install and configure Redis separately.

##### Prerequisites

1. Kubernetes 1.19+
2. Helm 3+

##### Steps for Installation

1. Install Redis and Tyk

```bash
NAMESPACE=tyk-oss
APISecret=foo
REDIS_BITNAMI_CHART_VERSION=19.0.2

helm repo add tyk-helm https://helm.tyk.io/public/helm/charts/
helm repo update

helm upgrade tyk-redis oci://registry-1.docker.io/bitnamicharts/redis -n $NAMESPACE --install --version $REDIS_BITNAMI_CHART_VERSION

helm upgrade tyk-oss tyk-helm/tyk-oss -n $NAMESPACE --create-namespace \
  --install \
  --set global.secrets.APISecret="$APISecret" \
  --set global.redis.addrs="{tyk-redis-master.$NAMESPACE.svc.cluster.local:6379}" \
  --set global.redis.passSecret.name=tyk-redis \
  --set global.redis.passSecret.keyName=redis-password
```

2. Done!

Now Tyk Gateway should be accessible through service `gateway-svc-tyk-oss-tyk-gateway` at port `8080`.

You are now ready to [create an API]({{<ref "/getting-started/create-api">}}).

For the complete installation guide and configuration options, please see [Tyk OSS Helm Chart]({{<ref "/product-stack/tyk-charts/tyk-oss-chart">}}).

#### Configure Legacy Tyk Headless Helm Chart

{{< warning success >}}
Warning

tyk-headless chart is deprecated. Please use our Tyk Chart for Tyk Open Source at [tyk-oss]({{<ref "#quick-start-with-helm-chart">}}) instead.

We recommend all users migrate to the tyk-oss Chart. Please review the [Configuration]({{<ref "#quick-start-with-helm-chart">}}) section of the new helm chart and cross-check with your existing configurations while planning for migration.
{{< /warning >}}

This is the preferred (and easiest) way to install the Tyk OSS Gateway on Kubernetes.
It will install Tyk gateway in your Kubernetes cluster where you can add and manage APIs directly or via the Tyk Operator.

##### Prerequisites

The following are required for a Tyk OSS installation:

1. Redis - required for all the Tyk installations and must be installed in the cluster or reachable from inside K8s.
   You can find instructions for a simple Redis installation below.
2. MongoDB/SQL - Required only if you chose to use the MongoDB/SQL Tyk pump with your Tyk OSS installation. Same goes with any
   [other pump]({{< ref "tyk-stack/tyk-pump/other-data-stores" >}}) you choose to use.
3. Helm - Tyk Helm supports the Helm 3+ version.

##### Steps for Installation

As well as our official OSS Helm repo, you can also find it in ArtifactHub.

tyk-headless: This chart deploys the open source Tyk Gateway. Tyk Gateway is a fully open source Enterprise API Gateway, supporting REST, GraphQL, TCP and gRPC protocols. Tyk Gateway is provided ‘Batteries-included’, with no feature lockout. It enables organizations and businesses around the world to protect, secure, and process APIs as well as review and audit the consumed APIs.


If you are interested in contributing to our charts, suggesting changes, creating PRs or any other way,
please use GitHub Tyk-helm-chart repo

1. Add Tyk official Helm repo

```bash
helm repo add tyk-helm https://helm.tyk.io/public/helm/charts/
helm repo update
```

2. Create namespace for Tyk deployment

```bash
kubectl create namespace tyk
```

3. Getting values.yaml

Before we proceed with installation of the chart you may need to set some custom values.
To see what options are configurable on a chart and save those options to a custom `values.yaml` file run:

```bash
helm show values tyk-helm/tyk-headless > values.yaml
```

Some of the necessary configuration parameters will be explained in the next steps.

4. Installing Redis

* Recommended: via Bitnami chart

For Redis you can use this rather excellent chart provided by Bitnami.
Copy the following commands to add it:

```bash
helm repo add bitnami https://charts.bitnami.com/bitnami
helm install tyk-redis bitnami/redis -n tyk --version 19.0.2
```

{{< note success >}}
Note

Please make sure you are installing Redis versions that are supported by Tyk. Please refer to Tyk docs to get list of [supported versions]({{< ref "#supported-versions" >}}).
{{< /note >}}

Follow the notes from the installation output to get connection details and password.

```console
  Redis(TM) can be accessed on the following DNS names from within your cluster:

    tyk-redis-master.tyk.svc.cluster.local for read/write operations (port 6379)
    tyk-redis-replicas.tyk.svc.cluster.local for read-only operations (port 6379)

  export REDIS_PASSWORD=$(kubectl get secret --namespace tyk tyk-redis -o jsonpath="{.data.redis-password}" | base64 --decode)
```

The DNS name of your Redis as set by Bitnami is `tyk-redis-master.tyk.svc.cluster.local:6379`.
You can update them in your local `values.yaml` file under `redis.addrs` and `redis.pass`.
Alternatively, you can use `--set` flag to set it in Tyk installation. For example `--set redis.pass=$REDIS_PASSWORD`

* Evaluation only: via simple-redis chart

{{< warning success >}}
Warning

Another option for Redis, to get started quickly, is to use our simple-redis chart.
Please note that these provided charts must never be used in production or for anything
but a quick start evaluation only. Use Bitnami redis or Official Redis Helm chart in any other case.
We provide this chart, so you can quickly deploy Tyk gateway, but it is not meant for long term storage of data.

{{< /warning >}}

```bash
helm install redis tyk-helm/simple-redis -n tyk
```

5. Installing Tyk Open Source Gateway

```bash
helm install tyk-ce tyk-helm/tyk-headless -f values.yaml -n tyk
```

Please note that by default, Gateway runs as a Deployment with ReplicaCount set to 1. You should not update this part because multiple instances of OSS gateways won't sync the API Definition.

##### Installation Video

See our short video on how to install the Tyk Open Source Gateway.
Please note that this video shows the use of GH repo, since it was recorded before the official repo was available. However,
it's very similar to the above commands.

{{< youtube mkyl38sBAF0 >}}

##### Pump Installation

By default pump installation is disabled. You can enable it by setting `pump.enabled` to `true` in `values.yaml` file.
Alternatively, you can use `--set pump.enabled=true` while doing helm install.

**Quick Pump configuration (Supported from tyk helm v0.10.0)**

*1. Mongo Pump*

To configure mongo pump, make the following changes in `values.yaml` file:

1. Set `backend` to `mongo`.
2. Set connection string in `mongo.mongoURL`.

*2. Postgres Pump*

To configure postgres pump, make the following changes in `values.yaml` file:

1. Set `backend` to `postgres`.
2. Set connection string parameters in `postgres` section.

##### Optional - Using TLS

You can turn on the TLS option under the gateway section in your local `values.yaml` file which will make your Gateway
listen on port 443 and load up a dummy certificate.
You can set your own default certificate by replacing the file in the `certs/` folder.

##### Optional - Mounting Files

To mount files to any of the Tyk stack components, add the following to the mounts array in the section of that component.

For example:

```yaml
- name: aws-mongo-ssl-cert
  filename: rds-combined-ca-bundle.pem
  mountPath: /etc/certs
```

##### Optional - Tyk Ingress

To set up an ingress for your Tyk Gateways see our Tyk Operator GitHub repository.

### Install Tyk Gateway with Ansible

#### Prerequisites

1. Ansible is required to run the following commands.
2. Ensure port `8080` is open: this is used in this guide for Gateway traffic (the API traffic to be proxied).

#### Steps for Installation

1. Clone the tyk-ansible repository

```bash
$ git clone https://github.com/TykTechnologies/tyk-ansible
```

2. `cd` into the directory

```bash
$ cd tyk-ansible
```

3. Run initialisation script to initialise environment

```bash
$ sh scripts/init.sh
```

4. Modify `hosts.yml` file to update ssh variables to your server(s). You can learn more about the hosts file here

5. Run ansible-playbook to install `tyk-ce`

```bash
$ ansible-playbook playbook.yaml -t tyk-ce -t redis
```

You can choose to not install Redis by removing the `-t redis`. However Redis is a requirement and needs to be installed for the gateway to run.

#### Supported Distributions

| Distribution | Version | Supported |
| --- | --- | --- |
| Amazon Linux | 2 | |
| CentOS | 8 | |
| CentOS | 7 | |
| Debian | 10 | |
| Debian | 9 | |
| RHEL | 8 | |
| RHEL | 7 | |
| Ubuntu | 21 | |
| Ubuntu | 20 | |
| Ubuntu | 18 | |
| Ubuntu | 16 | |

#### Variables

* `vars/tyk.yaml`

| Variable | Default | Comments |
| --- | --- | --- |
| secrets.APISecret | `352d20ee67be67f6340b4c0605b044b7` | API secret |
| secrets.AdminSecret | `12345` | Admin secret |
| redis.host | | Redis server host if different than the hosts url |
| redis.port | `6379` | Redis server listening port |
| redis.pass | | Redis server password |
| redis.enableCluster | `false` | Enable if redis is running in cluster mode |
| redis.storage.database | `0` | Redis server database |
| redis.tls | `false` | Enable if redis connection is secured with SSL |
| gateway.service.host | | Gateway server host if different than the hosts url |
| gateway.service.port | `8080` | Gateway server listening port |
| gateway.service.proto | `http` | Gateway server protocol |
| gateway.service.tls | `false` | Set to true to enable SSL connections |
| gateway.sharding.enabled | `false` | Set to true to enable filtering (sharding) of APIs |
| gateway.sharding.tags | | The tags to use when filtering (sharding) Tyk Gateway nodes. Tags are processed as OR operations. If you include a non-filter tag (e.g. an identifier such as `node-id-1`), this will become available to your Dashboard analytics |

* `vars/redis.yaml`

| Variable | Default | Comments |
| --- | --- | --- |
| redis_bind_interface | `0.0.0.0` | Binding address of Redis |

Read more about Redis configuration here.

### Install Tyk Gateway with Ubuntu

The Tyk Gateway can be installed following different installation methods including Ansible and Shell. Please select by clicking the tab with the installation path most suitable for you.

#### Install Tyk Gateway On Ubuntu Through Shell

##### Supported Distributions

| Distribution | Version | Supported |
| --- | --- | --- |
| Debian | 11 | |
| Ubuntu | 20 | |
| Ubuntu | 18 | |
| Ubuntu | 16 | |

##### Prerequisites

1. Ensure port `8080` is open: this is used in this guide for Gateway traffic (the API traffic to be proxied).

##### Steps for Installation

1. Install Redis

```bash
$ sudo apt-get install -y redis-server
```

2. First import the public key as required by Ubuntu APT

```bash
$ sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv EA312927
```

3. Run Installation Scripts via our PackageCloud Repositories

From https://packagecloud.io/tyk/tyk-gateway you have the following options:

4. Configure The Gateway

You can set up the core settings for the Tyk Gateway with a single setup script, however for more involved deployments, you will want to provide your own configuration file.

{{< note success >}}
Note

You need to replace <hostname> for --redishost=<hostname> with your own value to run this script.
{{< /note >}}

```bash
$ sudo /opt/tyk-gateway/install/setup.sh --listenport=8080 --redishost=<hostname> --redisport=6379 --domain=""
```

What you've done here is told the setup script that:

* `--listenport=8080`: Listen on port `8080` for API traffic.
* `--redishost=<hostname>`: The hostname for Redis.
* `--redisport=6379`: Use port `6379` for Redis.
* `--domain=""`: Do not filter domains for the Gateway, see the note on domains below for more about this.

In this example, you don't want Tyk to listen on a single domain. It is recommended to leave the Tyk Gateway domain unbounded for flexibility and ease of deployment.

5. Starting Tyk

The Tyk Gateway can be started now that it is configured. Use this command to start the Tyk Gateway:

```bash
$ sudo service tyk-gateway start
```

#### Install Tyk Gateway On Ubuntu Through Ansible

##### Supported Distributions

| Distribution | Version | Supported |
| --- | --- | --- |
| Debian | 11 | |
| Ubuntu | 20 | |
| Ubuntu | 18 | |
| Ubuntu | 16 | |

##### Prerequisites

Before you begin the installation process, make sure you have the following:

* Git - required for getting the installation files.
* Ansible is required to run the following commands.
* Ensure port `8080` is open: this is used in this guide for Gateway traffic (the API traffic to be proxied).

##### Steps for Installation

1. Clone the tyk-ansible repository

```bash
$ git clone https://github.com/TykTechnologies/tyk-ansible
```

2. `cd` into the directory

```bash
$ cd tyk-ansible
```

3. Run initialisation script to initialise environment

```bash
$ sh scripts/init.sh
```

4. Modify `hosts.yml` file to update ssh variables to your server(s). You can learn more about the hosts file here

5. Run ansible-playbook to install `tyk-gateway-ce`

```bash
$ ansible-playbook playbook.yaml -t tyk-gateway-ce -t redis
```

{{< note success >}}
Note

Installation flavors can be specified by using the `-t {tag}` at the end of the `ansible-playbook` command. In this case we are using:

* `tyk-gateway-ce`: Tyk Gateway with CE config
* `redis`: Redis database as Tyk Gateway dependency
{{< /note >}}

##### Variables

* `vars/tyk.yaml`

| Variable | Default | Comments |
| --- | --- | --- |
| secrets.APISecret | `352d20ee67be67f6340b4c0605b044b7` | API secret |
| secrets.AdminSecret | `12345` | Admin secret |
| redis.host | | Redis server host if different than the hosts url |
| redis.port | `6379` | Redis server listening port |
| redis.pass | | Redis server password |
| redis.enableCluster | `false` | Enable if redis is running in cluster mode |
| redis.storage.database | `0` | Redis server database |
| redis.tls | `false` | Enable if redis connection is secured with SSL |
| gateway.service.host | | Gateway server host if different than the hosts url |
| gateway.service.port | `8080` | Gateway server listening port |
| gateway.service.proto | `http` | Gateway server protocol |
| gateway.service.tls | `false` | Set to true to enable SSL connections |
| gateway.sharding.enabled | `false` | Set to true to enable filtering (sharding) of APIs |
| gateway.sharding.tags | | The tags to use when filtering (sharding) Tyk Gateway nodes. Tags are processed as OR operations. If you include a non-filter tag (e.g. an identifier such as `node-id-1`), this will become available to your Dashboard analytics |

* `vars/redis.yaml`

| Variable | Default | Comments |
| --- | --- | --- |
| redis_bind_interface | `0.0.0.0` | Binding address of Redis |

Read more about Redis configuration here.

### Install Tyk Gateway on Red Hat (RHEL / CentOS)

The Tyk Gateway can be installed following different installation methods including Shell and Ansible. Please select by clicking the tab with the installation path most suitable for you.

#### Install Tyk Gateway Through Shell

##### Supported Distributions

| Distribution | Version | Supported |
| --- | --- | --- |
| CentOS | 8 | |
| CentOS | 7 | |
| RHEL | 8 | |
| RHEL | 7 | |

##### Prerequisites

Before you begin the installation process, make sure you have the following:

* Ensure port `8080` is open for Gateway traffic (the API traffic to be proxied).
* The Tyk Gateway has a dependency on Redis. Follow the steps provided by Red Hat to make the installation of Redis, conducting a search for the correct version and distribution.

##### Steps for Installation

1. Create Tyk Gateway Repository Configuration

Create a file named `/etc/yum.repos.d/tyk_tyk-gateway.repo` that contains the repository configuration settings for YUM repositories `tyk_tyk-gateway` and `tyk_tyk-gateway-source` used to download packages from the specified URLs. This includes GPG key verification and SSL settings, on a Linux system.

Make sure to replace `el` and `8` in the config below with your Linux distribution and version:

```ini
[tyk_tyk-gateway]
name=tyk_tyk-gateway
baseurl=https://packagecloud.io/tyk/tyk-gateway/el/8/$basearch
repo_gpgcheck=1
gpgcheck=0
enabled=1
gpgkey=https://packagecloud.io/tyk/tyk-gateway/gpgkey
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300

[tyk_tyk-gateway-source]
name=tyk_tyk-gateway-source
baseurl=https://packagecloud.io/tyk/tyk-gateway/el/8/SRPMS
repo_gpgcheck=1
gpgcheck=0
enabled=1
gpgkey=https://packagecloud.io/tyk/tyk-gateway/gpgkey
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300
```

Update your local yum cache by running:

```bash
sudo yum -q makecache -y --disablerepo='*' --enablerepo='tyk_tyk-gateway'
```

2. Install Tyk Gateway

Install the Tyk Gateway using yum:

```bash
sudo yum install -y tyk-gateway
```

{{< note success >}}
Note

You may be asked to accept the GPG key for our two repos and when the package installs, hit yes to continue.
{{< /note >}}

3. Start Redis

If Redis is not running then start it using the following command:

```bash
sudo service redis start
```

4. Configuring The Gateway

You can set up the core settings for the Tyk Gateway with a single setup script, however for more complex deployments you will want to provide your own configuration file.

{{< note success >}}
Note

Replace <hostname> in --redishost=<hostname> with your own value to run this script.
{{< /note >}}

```bash
sudo /opt/tyk-gateway/install/setup.sh --listenport=8080 --redishost=<hostname> --redisport=6379 --domain=""
```

What you've done here is told the setup script that:

* `--listenport=8080`: Listen on port `8080` for API traffic.
* `--redishost=<hostname>`: The hostname for Redis.
* `--redisport=6379`: Use port `6379` for Redis.
* `--domain=""`: Do not filter domains for the Gateway, see the note on domains below for more about this.

In this example, you don't want Tyk to listen on a single domain. It is recommended to leave the Tyk Gateway domain unbounded for flexibility and ease of deployment.

5. Start the Tyk Gateway

The Tyk Gateway can be started now that it is configured. Use this command to start the Tyk Gateway:

```bash
sudo service tyk-gateway start
```

#### Install Tyk Gateway Through Ansible

##### Supported Distributions

| Distribution | Version | Supported |
| --- | --- | --- |
| CentOS | 8 | |
| CentOS | 7 | |
| RHEL | 8 | |
| RHEL | 7 | |

##### Prerequisites

Before you begin the installation process, make sure you have the following:

1. Git - required for getting the installation files.
2. Ansible - required for running the commands below.
3. Ensure port `8080` is open: this is used in this guide for Gateway traffic (the API traffic to be proxied).

##### Steps for Installation

1. Clone the tyk-ansible repository

```bash
$ git clone https://github.com/TykTechnologies/tyk-ansible
```

2. `cd` into the directory

```bash
$ cd tyk-ansible
```

3. Run the initialisation script to initialise your environment

```bash
$ sh scripts/init.sh
```

4. Modify the `hosts.yml` file to update ssh variables to your server(s). You can learn more about the hosts file here

5. Run ansible-playbook to install `tyk-gateway-ce`

```bash
$ ansible-playbook playbook.yaml -t tyk-gateway-ce -t redis
```

{{< note success >}}
Note

Installation flavors can be specified by using the `-t {tag}` at the end of the `ansible-playbook` command. In this case we are using:

* `tyk-gateway-ce`: Tyk Gateway with CE config
* `redis`: Redis database as Tyk Gateway dependency
{{< /note >}}

##### Variables

* `vars/tyk.yaml`

| Variable | Default | Comments |
| --- | --- | --- |
| secrets.APISecret | `352d20ee67be67f6340b4c0605b044b7` | API secret |
| secrets.AdminSecret | `12345` | Admin secret |
| redis.host | | Redis server host if different than the hosts url |
| redis.port | `6379` | Redis server listening port |
| redis.pass | | Redis server password |
| redis.enableCluster | `false` | Enable if redis is running in cluster mode |
| redis.storage.database | `0` | Redis server database |
| redis.tls | `false` | Enable if redis connection is secured with SSL |
| gateway.service.host | | Gateway server host if different than the hosts url |
| gateway.service.port | `8080` | Gateway server listening port |
| gateway.service.proto | `http` | Gateway server protocol |
| gateway.service.tls | `false` | Set to true to enable SSL connections |
| gateway.sharding.enabled | `false` | Set to true to enable filtering (sharding) of APIs |
| gateway.sharding.tags | | The tags to use when filtering (sharding) Tyk Gateway nodes. Tags are processed as OR operations. If you include a non-filter tag (e.g. an identifier such as `node-id-1`), this will become available to your Dashboard analytics |

* `vars/redis.yaml`

| Variable | Default | Comments |
| --- | --- | --- |
| redis_bind_interface | `0.0.0.0` | Binding address of Redis |

Read more about Redis configuration here.

Install Tyk Gateway on Killercoda

Killercoda gives you instant access to a real Linux or Kubernetes command-line environment via your browser.
You can try this Killercoda Tyk scenario to walk through the installation of our Open Source Gateway using Docker Compose (the exact same flow shown above).

Configuration Options for Redis

Configure Redis Cluster

Our Gateway, Dashboard and Pump all support integration with Redis Cluster. Redis Cluster allows data to be automatically sharded across multiple Redis Nodes. To set up Redis Cluster correctly, we recommend you read the Redis Cluster Tutorial. You must use the same settings across the Gateway, Dashboard and Pump.

{{< note success >}}
Note

Redis Cluster operates differently from a Redis setup where one instance serves as the primary and others as replicas.
{{< /note >}}

Supported Versions

  • Tyk 5.3 supports Redis 6.2.x, 7.0.x, and 7.2.x
  • Tyk 5.2.x and earlier supports Redis 6.0.x and Redis 6.2.x only.

Redis Cluster and Tyk Gateway

To configure the Tyk Gateway to work with your Redis Cluster, set enable_cluster to true and list your servers under addrs in your tyk.conf file.

{{< note success >}}
Note

addrs is new in v2.9.3, and replaces hosts which is now deprecated.
{{< /note >}}

If you are using TLS for Redis connections, set use_ssl to true.

"storage": {
  "type": "redis",
  "enable_cluster": true,
  "addrs": [
    "server1:6379",
    "server2:6380",
    "server3:6381"
  ],
  "username": "",
  "password": "",
  "database": 0,
  "optimisation_max_idle": 2000,
  "optimisation_max_active": 4000,
  "use_ssl": false
},

Redis Cluster and Tyk Dashboard

{{< note success >}}
Note

redis_addrs is new in v1.9.3 for the Dashboard, and replaces hosts which is now deprecated.
{{< /note >}}

To configure the Tyk Dashboard to work with your Redis Cluster, add the Redis address information to your tyk_analytics.conf file:

"redis_addrs": [
    "server1:6379",
    "server2:6380",
    "server3:6381"
  ],
"redis_use_ssl": true,
"enable_cluster": true

Redis Cluster and Tyk Pump

To configure the Tyk Pump to work with your Redis Cluster, set enable_cluster to true and list your servers under addrs in your pump.conf file.

{{< note success >}}
Note

addrs is new in v2.9.3, and replaces hosts which is now deprecated.
{{< /note >}}

"analytics_storage_config": {
  "type": "redis",
  "enable_cluster": true,
  "addrs": [
    "server1:6379",
    "server2:6380",
    "server3:6381"
  ],
  "username": "",
  "password": "",
  "database": 0,
  "optimisation_max_idle": 100,
  "use_ssl": false
},

Redis Cluster with Docker

For Redis clustered mode to work with Tyk using Docker and Amazon ElastiCache, follow these two steps:

  1. Make sure cluster mode is enabled

Set the environment variable TYK_GW_STORAGE_ENABLECLUSTER to true.

  2. Add all cluster endpoints to the config

Add all the Redis Cluster endpoints into Tyk, not just the primary. If Tyk can't see the whole cluster, then it will not work.

For ElastiCache Redis, you can bypass having to list all your nodes and instead just use the configuration endpoint. This allows read and write operations, and the endpoint will determine the correct node to target.

If this does not work, you can still list out the hosts using an environment variable. To do so, set the environment variable:

TYK_GW_STORAGE_ADDRS="redis_primary1:port,redis_replica1:port,redis_primary2:port,redis_replica2:port,redis_primary3:port,redis_replica3:port"

It is important that Tyk can connect to all primary and replica instances.

It is recommended to ensure that the connection pool is big enough. To do so, set the following environment variables:

TYK_GW_STORAGE_MAXIDLE=6000
TYK_GW_STORAGE_MAXACTIVE=10000

{{< note success >}}
Note

These are suggested settings, please verify them by load testing.
{{< /note >}}

Redis Cluster with TLS

If you are using TLS for Redis connections, set use_ssl to true for Gateway and Pump, and redis_use_ssl to true for the Dashboard.
Redis supports SSL/TLS encryption from version 6 as an optional feature, enhancing the security of data in transit. Similarly, Amazon ElastiCache offers encryption in transit and at rest. To configure TLS or mTLS connections between an application and Redis, consider the following settings in Tyk's configuration files:

  • storage.use_ssl: Set this to true to enable TLS encryption for the connection.

  • storage.ssl_secure_skip_verify: A flag that, when set to true, instructs the application not to verify the Redis server's TLS certificate. This is not recommended for production due to the risk of man-in-the-middle attacks.

From Tyk 5.3, additional options are available for more granular control:

  • storage.ca_file: Path to the Certificate Authority (CA) file for verifying the Redis server's certificate.

  • storage.cert_file and storage.key_file: Paths to your application's certificate and private key files, necessary for mTLS where both parties verify each other's identity.

  • storage.max_version and storage.min_version: Define the acceptable range of TLS versions, enhancing security by restricting connections to secure TLS protocols (1.2 or 1.3).

Setting up an Insecure TLS Connection

  • Enable TLS: By setting "use_ssl": true, you encrypt the connection.
  • Skip Certificate Verification: Setting "ssl_secure_skip_verify": true bypasses the server's certificate verification, suitable only for non-production environments.

Setting up a Secure TLS Connection

  • Ensure use_ssl is set to true.
  • Set ssl_secure_skip_verify to false to enforce certificate verification against the CA specified in ca_file.
  • Specify the path to the CA file in ca_file for server certificate verification.
  • Adjust min_version and max_version to secure TLS versions, ideally 1.2 and 1.3.

Setting up a Mutual TLS (mTLS) Connection

  • Follow the steps for a secure TLS connection.
  • Provide paths for cert_file and key_file for your application's TLS certificate and private key, enabling Redis server to verify your application's identity.

Example Gateway Configuration

"storage": {
  "type": "redis",
  "addrs": [
    "server1:6379",
    "server2:6380",
    "server3:6381"
  ],
  "use_ssl": true,
  "ssl_secure_skip_verify": false,
  "ca_file": "/path/to/ca.crt",
  "cert_file": "/path/to/client.crt",
  "key_file": "/path/to/client.key",
  "max_version": "1.3",
  "min_version": "1.2",
  "enable_cluster": true,
  "optimisation_max_idle": 2000,
  "optimisation_max_active": 4000
}

Troubleshooting Redis Cluster

If you find that Tyk components fail to initialise when using Redis clustering, for example the application does not start and the last log file entry shows a message such as Using clustered mode, try setting the environment variable REDIGOCLUSTER_SHARDCOUNT to 128 on all hosts which connect to the Redis Cluster i.e. Gateway, Dashboard, Pump, MDCB. E.g.

REDIGOCLUSTER_SHARDCOUNT=128

If setting to 128 does not resolve the issue, try 256 instead.

Configure Redis Sentinel

From v2.9.3 Redis Sentinel is supported.

Similar to Redis Cluster, our Gateway, Dashboard and Pump all support integration with Redis Sentinel.

To configure Tyk to work with Redis Sentinel, list your servers under addrs and set the master name in your Gateway, Dashboard, Pump and MDCB config. Unlike Redis Cluster, enable_cluster should not be set. Indicative config snippets as follows:

Supported Versions

  • Tyk 5.3 supports Redis 6.2.x, 7.0.x, and 7.2.x
  • Tyk 5.2.x and earlier supports Redis 6.0.x and Redis 6.2.x only.

Redis Sentinel and Gateway

"storage": {
  "type": "redis",
  "addrs": [
    "server1:26379",
    "server2:26379",
    "server3:26379"
  ],
  "master_name": "mymaster",
  "username": "",
  "password": "",
  "database": 0,
  "optimisation_max_idle": 2000,
  "optimisation_max_active": 4000,
  "use_ssl": false
},

Redis Sentinel and Dashboard

"redis_addrs": [
  "server1:26379",
  "server2:26379",
  "server3:26379"
],
"redis_master_name": "mymaster"

Redis Sentinel and Pump

"analytics_storage_config": {
  "type": "redis",
  "addrs": [
    "server1:26379",
    "server2:26379",
    "server3:26379"
  ],
  "master_name": "mymaster",
  "username": "",
  "password": "",
  "database": 0,
  "optimisation_max_idle": 100,
  "use_ssl": false
},

{{< warning success >}}
Warning

When using Bitnami charts to install Redis Sentinel in k8s, a Redis service is exposed, which means that standard Redis config is required instead of the above setup, i.e. a single server in addrs and master_name is not required.

{{< /warning >}}

Support for Redis Sentinel AUTH

To support the use of Redis Sentinel AUTH (introduced in Redis 5.0.1) we have added the following global config settings in Tyk v3.0.2:

  • In the Tyk Gateway config file - sentinel_password
  • In the Tyk Dashboard config file - redis_sentinel_password
  • In the Tyk Pump config file - sentinel_password
  • In the Tyk Identity Broker config file - SentinelPassword
  • In the Tyk Sync config file - sentinel_password

These settings allow you to support Sentinel password-only authentication in Redis version 5.0.1 and above.

See the Redis and Sentinel authentication section of the Redis Sentinel docs for more details.

Configure Redis TLS Encryption

Redis supports SSL/TLS encryption from version 6 as an optional feature, enhancing the security of data in transit. To configure TLS or mTLS connections between an application and Redis, consider the following settings in Tyk's configuration files:

  • storage.use_ssl: Set this to true to enable TLS encryption for the connection.

  • storage.ssl_secure_skip_verify: A flag that, when set to true, instructs the application not to verify the Redis server's TLS certificate. This is not recommended for production due to the risk of man-in-the-middle attacks.

From Tyk 5.3, additional options are available for more granular control:

  • storage.ca_file: Path to the Certificate Authority (CA) file for verifying the Redis server's certificate.

  • storage.cert_file and storage.key_file: Paths to your application's certificate and private key files, necessary for mTLS where both parties verify each other's identity.

  • storage.max_version and storage.min_version: Define the acceptable range of TLS versions, enhancing security by restricting connections to secure TLS protocols (1.2 or 1.3).

Setting up an Insecure TLS Connection

  • Enable TLS: By setting "use_ssl": true, you encrypt the connection.
  • Skip Certificate Verification: Setting "ssl_secure_skip_verify": true bypasses the server's certificate verification, suitable only for non-production environments.

Setting up a Secure TLS Connection

  • Ensure use_ssl is set to true.
  • Set ssl_secure_skip_verify to false to enforce certificate verification against the CA specified in ca_file.
  • Specify the path to the CA file in ca_file for server certificate verification.
  • Adjust min_version and max_version to secure TLS versions, ideally 1.2 and 1.3.

Setting up a Mutual TLS (mTLS) Connection

  • Follow the steps for a secure TLS connection.
  • Provide paths for cert_file and key_file for your application's TLS certificate and private key, enabling Redis server to verify your application's identity.

Example Gateway Configuration

"storage": {
  "type": "redis",
  "addrs": [
    "server1:6379",
    "server2:6380",
    "server3:6381"
  ],
  "use_ssl": true,
  "ssl_secure_skip_verify": false,
  "ca_file": "/path/to/ca.crt",
  "cert_file": "/path/to/client.crt",
  "key_file": "/path/to/client.key",
  "max_version": "1.3",
  "min_version": "1.2",
  "optimisation_max_idle": 2000,
  "optimisation_max_active": 4000
}

</details>

<details><summary><a href='https://github.com/TykTechnologies/tyk-docs/pull/5886/files#diff-a6789c66bfa0660f7fdbe4796002ab4777677bae59a0276689c840100ff0b0b2R48-R2815'><strong>Navigation Structure</strong></a>

Validate that the updated menu structure aligns with the intended streamlined navigation and does not break existing links or references.</summary>

```yaml
  path: /apim
  category: Page
  show: True
- title: "Self Managed"
  category: Directory
  show: True
  menu:
    - title: "Deployment lifecycle"
      category: Directory
      show: True
```

</details>
Database Compatibility

Verify that the updated database compatibility notes and migration instructions are clear and accurate.

Version compatibility with other components in the Tyk stack. This takes the form of a compatibility matrix and is only required for Gateway and Portal.
3rd party dependencies and tools -->

With MongoDB 4.4 reaching [EOL](https://www.mongodb.com/legal/support-policy/lifecycles) in February 2024, we can no longer guarantee full compatibility with this version of the database. If you are [using MongoDB]({{< ref "tyk-self-managed#mongodb" >}}) we recommend that you upgrade to a version that we have tested with, as indicated [below](#3rdPartyTools-v5.3.6).


With PostgreSQL v11 reaching [EOL](https://www.postgresql.org/support/versioning/) in November 2023, we can no longer guarantee full compatibility with this version of the database. If you are [using PostgreSQL]({{< ref "tyk-self-managed#postgresql" >}}) we recommend that you upgrade to a version that we have tested with, as indicated [below](#3rdPartyTools-v5.3.6).


##### Compatibility Matrix For Tyk Components
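
The Redis TLS, Cluster and Sentinel settings quoted from tyk-open-source.md earlier in this comment can be checked mechanically before a config ships. The following is an added example, not code from the PR or from Tyk: the function name, finding codes and both sample configs are constructed, and it treats a missing `ca_file` or a TLS version outside 1.2/1.3 as findings because the quoted "secure TLS connection" steps ask for them.

```python
import json

# Constructed sample tyk.conf contents (not taken from a real deployment).
SAMPLE_WEAK = """
{"storage": {"type": "redis", "enable_cluster": true,
             "hosts": {"server1": "6379"},
             "master_name": "mymaster",
             "use_ssl": true, "ssl_secure_skip_verify": true,
             "cert_file": "/path/to/client.crt",
             "min_version": "1.0", "max_version": "1.3"}}
"""
SAMPLE_HARDENED = """
{"storage": {"type": "redis", "enable_cluster": true,
             "addrs": ["server1:6379", "server2:6380", "server3:6381"],
             "use_ssl": true, "ssl_secure_skip_verify": false,
             "ca_file": "/path/to/ca.crt",
             "cert_file": "/path/to/client.crt",
             "key_file": "/path/to/client.key",
             "min_version": "1.2", "max_version": "1.3"}}
"""

# The quoted docs name 1.2 and 1.3 as the secure TLS versions.
SECURE_TLS = ("1.2", "1.3")


def audit_redis_storage(conf_text):
    """Return a sorted list of finding codes for the "storage" block."""
    storage = json.loads(conf_text).get("storage", {})
    findings = set()

    if not storage.get("use_ssl", False):
        # Plaintext connection: the other TLS keys are not evaluated.
        findings.add("tls-disabled")
    else:
        if storage.get("ssl_secure_skip_verify", False):
            # Encrypted but unauthenticated: server certificate is not checked.
            findings.add("cert-verification-skipped")
        elif not storage.get("ca_file"):
            # Assumption: the docs' secure setup always names a CA file.
            findings.add("ca-file-not-set")
        for key in ("min_version", "max_version"):
            if storage.get(key) not in SECURE_TLS:
                findings.add(f"{key}-not-1.2-or-1.3")
        # mTLS needs both halves of the client identity.
        if bool(storage.get("cert_file")) != bool(storage.get("key_file")):
            findings.add("mtls-cert-key-incomplete")

    if "hosts" in storage:
        findings.add("deprecated-hosts-key")  # replaced by addrs
    if not storage.get("addrs"):
        findings.add("no-addrs")
    # Sentinel (master_name) and enable_cluster should not be combined.
    if storage.get("master_name") and storage.get("enable_cluster"):
        findings.add("sentinel-with-enable-cluster")
    return sorted(findings)


if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_redis_storage(text))
```
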


netlify bot commented Jan 13, 2025

PS. Pls add /docs/nightly to the end of url

| Name | Link |
|---|---|
| 🔨 Latest commit | 28055cd |
| 🔍 Latest deploy log | https://app.netlify.com/sites/tyk-docs/deploys/678506989c40c5000846bae8 |
| 😎 Deploy Preview | https://deploy-preview-5886--tyk-docs.netlify.app |

To edit notification comments on pull requests, go to your Netlify site configuration.


@buger buger merged commit f0f873b into release-5.7 Jan 13, 2025
9 checks passed
@buger buger deleted the merge/release-5.7/8d08348a410196d9b790780b90e71400125f170c branch January 13, 2025 12:29

PR Code Suggestions ✨

Explore these optional code suggestions:

Category | Suggestion | Score
General
Replace placeholder reference with the correct link to avoid broken links in the documentation

Replace the placeholder {{< ref "#" >}} in the Quick Start guide link with the
actual URL or reference to avoid broken links in the documentation.

tyk-docs/content/getting-started/create-api.md [35]

-To embark on your API journey with Tyk Cloud, we recommend going to our [Quick Start guide]({{< ref "#" >}}).
+To embark on your API journey with Tyk Cloud, we recommend going to our [Quick Start guide]({{< ref "getting-started/quick-start" >}}).
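Review bot: the `+` line points the link at `{{< ref "getting-started/quick-start" >}}`, but nothing in this suggestion shows that a page exists at that path in the restructured content tree. Hugo's `ref` shortcode by default fails the build when its target cannot be resolved, so confirm the path (or add an alias for it) before applying this, or link to wherever the Quick Start guide actually landed in the new structure.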
Suggestion importance[1-10]: 9

Why: The suggestion addresses a critical issue of a placeholder link that could lead to broken navigation. The improved_code provides a valid replacement, enhancing the documentation's usability.

9
Confirm Redis Cluster settings to prevent misconfigurations in caching setup

Verify that the Redis Cluster configuration aligns with the documented setup to
avoid potential misconfigurations or runtime issues.

tyk-docs/content/basic-config-and-security/reduce-latency/caching/optimise-cache.md [48]

-The configuration of the separate Redis Cache is the same (and uses the same underlying driver) as the regular configuration, so [Redis Cluster]({{< ref "tyk-open-source#configure-redis-cluster" >}}) is fully supported. If you set `enable_cluster` to `false`, you only need to set one entry in `addrs`.
+The configuration of the separate Redis Cache is the same (and uses the same underlying driver) as the regular configuration, so [Redis Cluster]({{< ref "tyk-open-source#configure-redis-cluster" >}}) is fully supported. Ensure that the `enable_cluster` setting is correctly configured, and if set to `false`, only one entry in `addrs` is required.
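Review bot: the `+` line trades a concrete instruction for a vaguer one. The original states that with `enable_cluster` set to `false` you only need one entry in `addrs`; "Ensure that the `enable_cluster` setting is correctly configured" does not say what correct means. Keep the original sentence, and if more guidance is wanted, add what the `true` case requires (all cluster nodes listed in `addrs`) instead of a general reminder.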
Suggestion importance[1-10]: 6

Why: The suggestion highlights the need to confirm Redis Cluster settings, which is a reasonable addition to avoid misconfigurations. It aligns with the existing code and enhances the documentation's reliability.

6
Possible issue
Verify the key-value store setup to prevent runtime errors when dynamically accessing sensitive data

Ensure that the referenced key-value store configuration is correctly implemented
and tested to avoid runtime errors when accessing sensitive data dynamically.

tyk-docs/content/api-management/upstream-authentication.md [61]

-Tyk's [Request Header Transform]({{< ref "transform-traffic/request-headers" >}}) middleware can be configured to add this header to the request prior to it being proxied to the upstream. To enhance security by restricting visibility of the access token, the key/token can be stored in a [key-value store]({{< ref "tyk-self-managed#from-api-definitions" >}}), with only the reference included in the middleware configuration.
+Tyk's [Request Header Transform]({{< ref "transform-traffic/request-headers" >}}) middleware can be configured to add this header to the request prior to it being proxied to the upstream. To enhance security by restricting visibility of the access token, ensure the key/token is correctly stored and accessible in a [key-value store]({{< ref "tyk-self-managed#from-api-definitions" >}}), with only the reference included in the middleware configuration.
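Review bot: "correctly stored and accessible" on the `+` line sits awkwardly next to "restricting visibility of the access token" in the same sentence, because it does not say accessible to whom. If the intent is that the Gateway must be able to resolve the reference at request time, say that explicitly, for example "stored in a key-value store that the Gateway can read"; otherwise the original wording is clearer.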
Suggestion importance[1-10]: 7

Why: The suggestion emphasizes the importance of verifying the key-value store setup to prevent runtime errors, which is a valid and useful enhancement. It aligns with the existing code and improves clarity on ensuring secure and functional configurations.

7
Security
Test third-party secret storage integration to ensure sensitive data is securely managed

Ensure that the third-party secret storage integration is tested to avoid exposing
sensitive data due to misconfiguration.

tyk-docs/content/api-management/security-best-practices.md [337]

-Prevent sensitive data, such as usernames, passwords, license keys and other secrets, from being stored as plain text in application configuration files. Use [key value secret storage]({{< ref "tyk-self-managed#manage-multi-environment-and-distributed-setups" >}}) to dynamically load sensitive data from a secure secret manager.
+Prevent sensitive data, such as usernames, passwords, license keys, and other secrets, from being stored as plain text in application configuration files. Ensure proper configuration and testing of [key value secret storage]({{< ref "tyk-self-managed#manage-multi-environment-and-distributed-setups" >}}) to dynamically load sensitive data securely from a secret manager.
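Review bot: the `+` line drops the recommendation itself. The original tells the reader to "Use key value secret storage"; the replacement only asks them to "Ensure proper configuration and testing of" it, which assumes they already use it. Keep the imperative "Use ..." and, if testing matters, add it as a second sentence that names what to test (for example that secrets resolve at startup and do not appear in the rendered config).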
Suggestion importance[1-10]: 7

Why: The suggestion stresses the importance of testing third-party secret storage integration, which is a valuable addition to ensure sensitive data is securely managed. It aligns with the existing code and enhances security practices.

7
Provide clearer instructions for securing the Gateway's API with a shared secret

Clarify the steps for securing the Gateway's command and control API to ensure users
understand how to implement the shared secret effectively.

tyk-docs/content/basic-config-and-security/security/gateway.md [12]

-The Tyk Gateway is the main component that will be internet-facing in your installation since it manages the traffic through to your services. The Gateway has a command and control API that must be secured, using a [shared secret]({{< ref "tyk-self-managed#change-all-the-shared-secrets" >}}).
+The Tyk Gateway is the main component that will be internet-facing in your installation since it manages the traffic through to your services. The Gateway has a command and control API that must be secured by implementing a robust [shared secret]({{< ref "tyk-self-managed#change-all-the-shared-secrets" >}}) configuration. Ensure the shared secret is unique and stored securely.
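Review bot: "robust" on the `+` line is not defined, so the added text gives no step a reader can follow. The link target is `#change-all-the-shared-secrets`, so the sentence could say that directly: change the shared secret from its default value, make it unique per environment, and keep it out of plain-text config. That is more useful than "robust ... configuration" and matches the section being linked.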
Suggestion importance[1-10]: 6

Why: The suggestion adds clarity on securing the Gateway's API by emphasizing the importance of a robust and unique shared secret. This improves the documentation's guidance on security practices, though it is not addressing a critical issue.

6
