TykTechnologies
tyk-k8s-bootstrap
Go

Bootstraps tyk-stack Helm Chart in Kubernetes.

Last updated May 21, 2026
27
Stars
1
Forks
2
Issues
0
Stars/day
Attention Score
36
Language breakdown
Go 90.0%
Shell 5.2%
Makefile 3.3%
Dockerfile 1.6%
Files click to expand
README

Tyk-K8S-Bootstrap

Tyk K8s Bootstrap comes with three applications to bootstrap tyk-stack and to create Kubernetes secrets that can be utilized in Tyk Operator and tyk-dev-portal chart.

What it does?

tyk-k8s-bootstrap offers three applications functioning as Chart Hooks in Helm charts.

  • bootstrap-pre-install is a binary functioning as a pre-install hook, validating the Tyk Dashboard License key.
  • bootstrap-post-install is a binary functioning as a post-install hook, bootstrapping the Tyk Dashboard by
setting up an organization and an admin user. Additionally, it generates Kubernetes secrets utilized by Tyk Operator and Tyk Enterprise Portal
  • bootstrap-pre-delete is a binary functioning as a pre-delete hook, responsible for system cleanup.

Environment Variables

| Environment Variable | Description | |------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | TYKK8SBOOTSTRAPLOG | sets the level of the logrus logger. The default is info | | TYKK8SBOOTSTRAPINSECURESKIPVERIFY | enables InsecureSkipVerify options in HTTP requests sent to Tyk -
might be useful for Tyk Dashboard with self-signed certs | | TYKK8SBOOTSTRAPBOOTSTRAPDASHBOARD | controls bootstrapping Tyk Dashboard or not. | | TYKK8SBOOTSTRAPBOOTSTRAPPORTAL | controls bootstrapping Tyk Classic Portal or not. | | TYKK8SBOOTSTRAPOPERATORKUBERNETESSECRETNAME | corresponds to the Kubernetes secret name that will be created for Tyk Operator.
Set it to an empty to string to disable bootstrapping Kubernetes secret for Tyk Operator. | | TYKK8SBOOTSTRAPDEVPORTALKUBERNETESSECRETNAME | corresponds to the Kubernetes secret name that will be created for Tyk Developer Enterprise Portal.
Set it to an empty to string to disable bootstrapping Kubernetes secret for Tyk Developer Enterprise Portal. | | TYKK8SBOOTSTRAPK8S_DASHBOARDSVCURL | corresponds to the URL of Tyk Dashboard. | | TYKK8SBOOTSTRAPK8S_DASHBOARDSVCPROTO | corresponds to Tyk Dashboard Service Protocol (either http or https). By default, it is http. | | TYKK8SBOOTSTRAPK8S_RELEASENAMESPACE | corresponds to the namespace where Tyk is deployed via Helm Chart. | | TYKK8SBOOTSTRAPK8S_DASHBOARDDEPLOYMENTNAME | corresponds to the name of the Tyk Dashboard Deployment, which is being used to restart
Dashboard pod after bootstrapping. | | TYKK8SBOOTSTRAPTYKADMINSECRET | corresponds to the secret that will be used in Admin APIs. | | TYKK8SBOOTSTRAPTYKADMINFIRSTNAME | corresponds to the first name of the admin being created. | | TYKK8SBOOTSTRAPTYKADMINLASTNAME | corresponds to the last name of the admin being created. | | TYKK8SBOOTSTRAPTYKADMINEMAILADDRESS | corresponds to the email address of the admin being created. | | TYKK8SBOOTSTRAPTYKADMINPASSWORD | corresponds to the password of the admin being created. | | TYKK8SBOOTSTRAPTYKADMINAUTH | corresponds to Tyk Dashboard API Access Credentials of the admin user, and it will be used in Authorization
header of the HTTP requests that will be sent to Tyk for bootstrapping. | | TYKK8SBOOTSTRAPTYKORGNAME | corresponds to the name for your organization that is going to be bootstrapped in Tyk. | | TYKK8SBOOTSTRAPTYKORGCNAME | corresponds to the Organisation CNAME which is going to bind the Portal to. | | TYKK8SBOOTSTRAPTYKORGID | corresponds to the organisation ID that is being created. | | TYKK8SBOOTSTRAPTYKORGHYBRID_ENABLED | specifies if the Hybrid organisation for MDCB Control Plane is enabled or not | | TYKK8SBOOTSTRAPTYKORGHYBRIDKEYEVENT | corresponds to keyevent of the event options (optional). | | TYKK8SBOOTSTRAPTYKORGHYBRIDHASHEDKEYEVENT | corresponds to hashedkey_event of the event options (optional). | | TYKK8SBOOTSTRAPTYK_DASHBOARDLICENSE | corresponds to the license key of Tyk Dashboard. |

Bootstrapped Environments

If Tyk is already bootstrapped, the application will bypass the creation of the Tyk Organization and Admin User, proceeding directly with the creation of Kubernetes Secrets.

Given that the Kubernetes Secrets require values for TYKAUTH and TYKORG, it is essential to provide these values through the respective environment variables, called TYKK8SBOOTSTRAPTYKADMINAUTH for TYK_AUTH and TYKK8SBOOTSTRAPTYKORGID for TYK_ORG.

Ensure that these environment variables are set appropriately.

[!WARNING]
If these values are not provided, TYKAUTH and TYKORG values in Kubernetes secrets will be empty string. You may
need to update the secret later to populate these values.

Required RBAC roles for the app to work inside the Kubernetes cluster

Given that the applications operate as Chart Hooks to execute specific actions, such as creating Kubernetes Secrets, validating component health statuses, and performing system cleanup during the deletion of the Helm Release, they require specific RBAC rules for each operation.

The required roles can be found here: bootstrap-role.yaml

Useful testing tips and commands:

Load images to Kind Cluster

After making your changes to applications, running the following command loads your local changes into KinD cluster with tykio/tyk-k8s-boostrap{pre-post}-{delete-install}:testing image.

$ ./hack/load_images.sh

KinD with a local image repository

If you want to create a k8s kind cluster that also has a local repository where you can push the images generated by the Makefile just run the "local_registry.sh" script. After, the commands below help you with building and pushing the containers to the local repository.

(rm bin/bootstrapapp-post || true) && make build-bootstrap-post && docker build -t localhost:5001/bootstrap-tyk-post:$bsVers -f ./.container/image/bootstrap-post/Dockerfile ./bin && docker push localhost:5001/bootstrap-tyk-post:$bsVers
(rm bin/bootstrapapp-pre-delete || true) && make build-bootstrap-pre-delete && docker build -t localhost:5001/bootstrap-tyk-pre-delete:$bsVers -f ./.container/image/bootstrap-pre-delete/Dockerfile ./bin & docker push localhost:5001/bootstrap-tyk-pre-delete:$bsVers

The "hack" folder comes with a job (job.yaml) that can be applied directly together with the role.yaml (which contains the ServiceAccount and ClusterRoleBinding) into a namespace running an empty tyk stack for debugging/development purposes.

🔗 More in this category

© 2026 GitRepoTrend · TykTechnologies/tyk-k8s-bootstrap · Updated daily from GitHub