How to deploy custom middleware (Python or Go) to tyk-gateway when the gateway is running in Kubernetes

I am testing Tyk (community edition) for our environment. The whole setup is running in EKS and is deployed with Tyk’s Helm charts.

We have a requirement to build a custom plugin (could be Go or Python). I have created a bundle.zip but I am not sure how to deploy this to the gateway deployment. I wanted to check if there is support for S3 or GitHub in place?

Have you seen our Publishing the Plugin docs about setting up your Python plugin?

The whole documentation follows through on configuring the gateway and API definition. Let us know if it helps.

We do have S3 support through the use of our mserv bundle server

I have added the following to the deployment, but I still do not see anything in the logs related to bundles being downloaded. Log level is debug.

        - name: TYK_GW_ENABLEBUNDLEDOWNLOADER
          value: 'true'
        - name: TYK_GW_BUNDLEBASEURL
          value: https://<web server>/
        - name: TYK_GW_BUNDLEINSECURESKIPVERIFY
          value: 'true'
        - name: TYK_GW_COPROCESSOPTIONS_ENABLECOPROCESS
          value: 'true'
        - name: TYK_GW_COPROCESSOPTIONS_PYTHONPATHPREFIX
          value: /opt/tyk-gateway

What about the API definition?

https://tyk.io/docs/plugins/supported-languages/rich-plugins/python/custom-auth-python-tutorial/#configure-an-api-definition

Yes. I have added that to the API definition as well.

apiVersion: tyk.tyk.io/v1alpha1
kind: ApiDefinition
metadata:
  name: example-apikey
  namespace: dst
spec:
  name: example-apikey
  protocol: http
  use_keyless: false
  active: true
  custom_middleware_bundle: “bundle.zip”
  proxy:
    target_url: https://bar/
    listen_path: "/apikey"
    strip_listen_path: true
    preserve_host_header: false
  auth:
    auth_header_name: 'Authorization'
  auth_configs:
    authToken:
      auth_header_name: 'Authorization'
      use_param: true
      param_name: apikey
  base_identity_provided_by: auth_token
  use_standard_auth: true
  internal: true

I got partial reason and now I am getting the logs for bundle download.

  1. You have to delete and recreate the whole ApiDefinition resource in Kubernetes. This does not make sense and is a big issue if you need to redeploy the API definition every time.
  2. After redeploying the API definition, I can see the gateway is trying to download the bundle but getting 403. The ‘bundle.zip’ is a public object in S3. Not sure why it's getting 403. I am able to download the object without any auth from different pods.
Attempting to download plugin bundle: https://<bucket-name>.s3.<region>.amazonaws.com/%E2%80%9Cbundle.zip%E2%80%9D

Looks like the issue is due to the “%E2%80%9C” and “%E2%80%9D” that's getting appended.

Did you mean partial result?

That’s weird. Typically an API update or a hot reload should simply do it. Can you try that and let us know?

This may be the string in your bundle.zip. The double quotes seem different
custom_middleware_bundle: “bundle.zip”

when compared with
listen_path: "/apikey"

When you URL decode it the value comes out as “bundle.zip”
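The quote mismatch discussed above can be caught before a manifest is applied. The following is an added example, not part of the original thread and not Tyk code: it scans manifest text for typographic quotes and shows the percent-encoded URL they produce. The manifest excerpt, the `bundles.example.com` base URL and the way the URL is joined are constructed assumptions.

```python
import re
from urllib.parse import quote

# Typographic quotes that editors and chat tools substitute for ' and "
SMART_QUOTES = "\u2018\u2019\u201c\u201d"

# Constructed sample: the relevant lines of an ApiDefinition manifest
MANIFEST = '''\
spec:
  name: example-apikey
  custom_middleware_bundle: \u201cbundle.zip\u201d
  proxy:
    listen_path: "/apikey"
'''

def plain_value(raw):
    """Approximate YAML scalar handling: only ASCII ' and " delimit a quoted
    string; anything else, curly quotes included, stays part of the value."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
        return raw[1:-1]
    return raw

def find_smart_quotes(manifest_text):
    """Return (line_no, key, value) for every value containing a smart quote."""
    hits = []
    for no, line in enumerate(manifest_text.splitlines(), start=1):
        m = re.match(r"\s*(?:-\s+)?([\w.-]+):\s+(\S.*)$", line)
        if m and any(ch in m.group(2) for ch in SMART_QUOTES):
            hits.append((no, m.group(1), plain_value(m.group(2))))
    return hits

def bundle_url(base_url, bundle_name):
    """Percent-encode the bundle name as an HTTP client would (assumed join)."""
    return base_url.rstrip("/") + "/" + quote(bundle_name)

if __name__ == "__main__":
    base = "https://bundles.example.com/"  # constructed placeholder
    for no, key, value in find_smart_quotes(MANIFEST):
        print(f"line {no}: {key} contains typographic quotes: {value!r}")
        print("  requested as:", bundle_url(base, value))
        print("  after fixing:", bundle_url(base, value.strip(SMART_QUOTES)))
```
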

Does the tyk-operator do a hot reload of gateway once the API is recreated?

It's me again. I am trying to figure out how to deploy mserv as a proxy server on Kubernetes and use it to download bundles from S3. Are there any such examples?

I seem to have missed this.

Yes, it should reload during creation and update, as seen from the klient.Universal.HotReload function in the API definition controller.

I don’t know that we have