Tyk Operator Ingress - Not Accessible Outside Cluster

We are attempting to use Tyk Operator to manage our APIs and as an ingress controller but can’t get it to function correctly. We’ve deployed Tyk OSS Gateway and Tyk Operator according to the instructions on Kubernetes (tyk.io) and the Tyk Operator GitHub repo.

I assume we are doing something wrong, as we can see Tyk Operator interacting with the OSS Cluster and managing the APIs; however, external ingress is not working. This is being run on Rancher Desktop (macOS Monterey) for testing.

Below are the YAML definitions we are using (note httpbin.test → 127.0.0.1 in the machine's hosts file). Whenever we navigate to http://httpbin.test/get (for example) from the host machine, we get connection refused. We also see nothing in the log files indicating the request hit the Gateway (as expected with a connection refused).

Any advice on where to look next would be greatly appreciated!

apiVersion: tyk.tyk.io/v1alpha1
kind: ApiDefinition
metadata:
  name: httpbintemplate
  labels: 
    template: "true"
spec:
  name: httpbintemplate
  protocol: http
  use_keyless: true
  active: true
  proxy:
    target_url: http://example.com # <--- This doesn't matter as it will be overridden
    strip_listen_path: true
  version_data:
    default_version: Default
    not_versioned: true
    versions:
      Default:
        name: Default
        paths:
          black_list: []
          ignored: []
          white_list: []
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: httpbin-ingress
  annotations:
    kubernetes.io/ingress.class: tyk # <----------------- REFERENCES TYK INGRESS CONTROLLER
    tyk.io/template: httpbintemplate # <---------------- REFERENCE TO APIDEFINITION IN SAME NAMESPACE
spec:
 rules:
  - host: httpbin.test
    http:
     paths:
      - backend:
         service:
          name: httpbin
          port:
            number: 8000
        pathType: Prefix
        path: /
        
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  labels:
    app: httpbin
    service: httpbin
spec:
  ports:
  - name: http
    port: 8000
    targetPort: 80
  selector:
    app: httpbin
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
      version: v1
  template:
    metadata:
      labels:
        app: httpbin
        version: v1
    spec:
      containers:
      - image: docker.io/kennethreitz/httpbin
        imagePullPolicy: IfNotPresent
        name: httpbin
        ports:
        - containerPort: 80

And confirming httpbin.test → 127.0.0.1:

ping httpbin.test
PING httpbin.test (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.084 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.134 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.216 ms

--- httpbin.test ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.084/0.145/0.216/0.054 ms

Have you port-forwarded the gateway service, and is it listening on port 80?
You need to make sure when you request http://httpbin.test/get it reaches the gateway.

Right, I can do that and it does work (have verified that previously). However I was under the impression that Tyk Operator provides an Ingress Controller so that port forwarding wasn’t required?

@viper51s the idea is that you will create a service type load balancer for the tyk gateway. You then point all ingress traffic to that tyk gateway.

The ingress controller inside tyk operator reads the ingress spec that you provide and configures the gateway appropriately.

Ingress support is only really for legacy / compatibility reasons. I personally would only use ingress if you need interoperability with cert-manager / you have other tooling that depends on and works with ingress resources.

IMO our ApiDefinition CRDs should be the canonical way of using tyk.

Hope that helps?

Excellent, thank you Ahmet & Komal_Sukhani. I added the following service:

apiVersion: v1
kind: Service
metadata:
  name: tyk-lb-service
spec:
  selector:
    app: gateway-tyk-ce-tyk-headless
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8080
  type: LoadBalancer

And it’s now working for me. Appreciate the feedback and direction!

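An added example, not part of the original thread and not Tyk's own code: a small audit over `kubectl ... -o json` output that reports which Services expose the gateway pods outside the cluster and which tyk-class Ingress hosts use a template with `use_keyless: true`, since those hosts accept unauthenticated requests once a LoadBalancer is in place. The sample data is constructed from the manifests posted above; the function names and the gateway pod label are assumptions.

```python
import json

# Constructed sample shaped like `kubectl get svc,ingress,apidefinitions -o json`,
# trimmed to the fields read below; names and ports are the ones posted in the thread.
SAMPLE = json.loads("""{"items": [
 {"kind": "Service", "metadata": {"name": "httpbin"},
  "spec": {"selector": {"app": "httpbin"}, "ports": [{"port": 8000, "targetPort": 80}]}},
 {"kind": "Service", "metadata": {"name": "tyk-lb-service"},
  "spec": {"type": "LoadBalancer", "selector": {"app": "gateway-tyk-ce-tyk-headless"},
           "ports": [{"port": 80, "targetPort": 8080}]}},
 {"kind": "ApiDefinition", "metadata": {"name": "httpbintemplate"},
  "spec": {"use_keyless": true}},
 {"kind": "Ingress", "metadata": {"name": "httpbin-ingress", "annotations": {
     "kubernetes.io/ingress.class": "tyk", "tyk.io/template": "httpbintemplate"}},
  "spec": {"rules": [{"host": "httpbin.test"}]}}
]}""")

# Assumption: the gateway pods carry this label (it is the selector used in the thread's fix).
GATEWAY_POD_LABELS = {"app": "gateway-tyk-ce-tyk-headless"}

def external_gateway_ports(items, pod_labels=GATEWAY_POD_LABELS):
    """Return (service, port, targetPort) for Services exposing the gateway off-cluster."""
    found = []
    for o in items:
        spec = o.get("spec", {})
        if o["kind"] != "Service" or spec.get("type", "ClusterIP") not in ("LoadBalancer", "NodePort"):
            continue  # ClusterIP Services are only reachable from inside the cluster
        sel = spec.get("selector") or {}
        if sel and all(pod_labels.get(k) == v for k, v in sel.items()):
            found += [(o["metadata"]["name"], p["port"], p.get("targetPort", p["port"]))
                      for p in spec.get("ports", [])]
    return found

def keyless_ingress_hosts(items):
    """Return hosts of tyk-class Ingresses whose template ApiDefinition is keyless."""
    keyless = {o["metadata"]["name"] for o in items
               if o["kind"] == "ApiDefinition" and o.get("spec", {}).get("use_keyless")}
    hosts = []
    for o in items:
        ann = o["metadata"].get("annotations", {})
        if (o["kind"] == "Ingress" and ann.get("kubernetes.io/ingress.class") == "tyk"
                and ann.get("tyk.io/template") in keyless):
            hosts += [r["host"] for r in o.get("spec", {}).get("rules", []) if "host" in r]
    return hosts

if __name__ == "__main__":
    items = SAMPLE["items"]
    print("external gateway listeners:", external_gateway_ports(items))
    print("keyless hosts reachable through them:", keyless_ingress_hosts(items))
```

An empty first result corresponds to the original symptom (nothing listening for outside traffic); a non-empty first result together with a non-empty second one means those hosts are served without any key check.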