Workload Identity Federation (WIF) lets your Apigee workloads use credentials from an external provider to get Google security tokens for Apigee APIs. This page describes how to configure WIF for Apigee hybrid using a sidecar container. This method is an alternative to using Kubernetes Projected Service Account Tokens, as described in Enabling Workload Identity Federation on AKS and EKS . Use the sidecar method if you must use an external or custom Identity Provider (IDP) to fetch authentication tokens.
With this method, you run a sidecar container alongside each Apigee hybrid component on a non-GKE platform. The sidecar fetches security tokens from your preferred identity provider (IDP) and mounts them where the component can use them for service account authentication through Workload Identity Federation.
Before you begin
This procedure assumes you have already configured Workload Identity Federation for your Google Cloud project, including creating an Identity Pool and Provider, and granting appropriate IAM permissions to your Kubernetes service accounts. For details, see Enabling Workload Identity Federation on AKS and EKS .
Configure Apigee hybrid
To enable Workload Identity Federation with sidecar authentication, configure the sidecar in your overrides.yaml file. Specify the sidecar container and any volumes that share data between the sidecar and the Apigee hybrid component. If you use Vault, add the annotations required for the sidecar to fetch tokens from your IDP.
You only need to configure the gcp.federatedWorkloadIdentity.sidecarSpec section in your overrides.yaml file once for all components. When you apply the configuration, the Helm charts insert the appropriate component name for each component everywhere the charts encounter the value APIGEE_COMPONENT.
Add the following configuration to your overrides.yaml file. Select the example that matches your use case: Kubernetes secrets, service account JSON key files, or Vault.
Secrets or files
```yaml
gcp:
  federatedWorkloadIdentity:
    enabled: true
    type: "sidecar"
    sidecarSpec:
      volumes:
        - name: source-creds
          secret:
            secretName: apigee-hybrid-APIGEE_COMPONENT
      container:
        - name: apigee-fwi-sidecar
          env: APIGEE_COMPONENT
          image: your-custom-sidecar-image
          volumeMounts:
            - name: shared-mount
              mountPath: /shared
            - name: source-creds
              mountPath: /source-creds
              readOnly: true
```
Vault
```yaml
gcp:
  federatedWorkloadIdentity:
    enabled: true
    type: "sidecar"
    sidecarSpec:
      annotations:
        vault.hashicorp.com/agent-inject: 'true'
        vault.hashicorp.com/agent-pre-populate-only: 'false'
        vault.hashicorp.com/log-level: 'trace'
        vault.hashicorp.com/ca-cert: VAULT_CA_CERT_PATH
        vault.hashicorp.com/namespace: 'VAULT_NAMESPACE'
        vault.hashicorp.com/agent-service-account-token-volume-name: VAULT_TOKEN   # for example: 'vault-token'
        vault.hashicorp.com/secret-volume-path: VAULT_SECRET_VOLUME_PATH           # for example: '/var/vault-data'
        vault.hashicorp.com/service: VAULT_SERVICE_URL:8200                        # for example: '127.0.0.1:8200' or 'https://dev-hcvault.nam.nsroot.net:8200'
      volumes:
        - name: source-creds
          secret:
            secretName: apigee-hybrid-APIGEE_COMPONENT
      container:
        - name: apigee-fwi-sidecar
          env: APIGEE_COMPONENT
          image: your-custom-sidecar-image
          volumeMounts:
            - name: shared-mount
              mountPath: /shared
            - name: source-creds
              mountPath: /source-creds
              readOnly: true
```
If your sidecar needs secrets injected via Vault annotations, you can add them to each component that needs the sidecar. For example:
```yaml
mart:
  annotations:
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/role: "VAULT_ROLE"
    vault.hashicorp.com/agent-inject-secret-token: "VAULT_SECRET_PATH"
    vault.hashicorp.com/agent-inject-template-token: |
      {{- with secret "VAULT_SECRET_PATH" -}}
      {{ .Data.data.token }}
      {{- end -}}
runtime:
  annotations:
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/role: "VAULT_ROLE"
    vault.hashicorp.com/agent-inject-secret-token: "VAULT_SECRET_PATH"
    vault.hashicorp.com/agent-inject-template-token: |
      {{- with secret "VAULT_SECRET_PATH" -}}
      {{ .Data.data.token }}
      {{- end -}}
# ... other components ...
```
Where:

- gcp.federatedWorkloadIdentity.enabled: Must be true.
- gcp.federatedWorkloadIdentity.type: Must be "sidecar". This tells Apigee hybrid to use the sidecar method for Workload Identity Federation.
- gcp.federatedWorkloadIdentity.sidecarSpec.container: A Kubernetes container specification for your custom sidecar. You must specify your custom image that can fetch tokens from your IdP.
- gcp.federatedWorkloadIdentity.sidecarSpec.volumes: A list of additional volumes to mount in hybrid pods. This includes the volume where the token is mounted, which the sidecar and the Apigee component share.
- gcp.federatedWorkloadIdentity.sidecarSpec.annotations: (Vault only) A map of annotations to apply to hybrid pods. The log-level of trace in the example is useful while you debug the injector; lower it for production, because the Vault agent's trace output is verbose and is written to container logs.
- [component].annotations: (Vault only, optional) A map of annotations to apply to individual hybrid components if needed by your configuration.
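The page leaves the contents of your-custom-sidecar-image to you. The following Python is an added example, not code from the Apigee documentation or from the Apigee Helm charts, of the loop such a sidecar runs: it reads the IdP credential from the source-creds mount, trades it for a Google access token at the Google STS token-exchange endpoint (the exchange that Workload Identity Federation performs), and publishes the result into the shared mount with an atomic rename so the Apigee component never reads a half-written file. The file names /source-creds/token and /shared/token and the environment variables PROJECT_NUMBER, POOL_ID and PROVIDER_ID are assumptions; the page names only the mount points.

```python
"""Token-refresh loop for a custom apigee-fwi-sidecar image.

Added example, not code from the Apigee documentation or charts. Assumptions:
the IdP issues a JWT that lands at /source-creds/token, the sidecar trades it
for a Google access token at the Google STS token-exchange endpoint, and the
Apigee component reads the result from /shared/token. PROJECT_NUMBER, POOL_ID
and PROVIDER_ID are hypothetical environment variables naming your pool provider.
"""
import json
import os
import tempfile
import time
import urllib.parse
import urllib.request

STS_URL = "https://sts.googleapis.com/v1/token"
GRANT_TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
TYPE_ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"
TYPE_JWT = "urn:ietf:params:oauth:token-type:jwt"
SCOPE_CLOUD = "https://www.googleapis.com/auth/cloud-platform"


def wif_audience(project_number: str, pool_id: str, provider_id: str) -> str:
    """Audience string Google STS expects for a workload identity pool provider."""
    return (f"//iam.googleapis.com/projects/{project_number}/locations/global/"
            f"workloadIdentityPools/{pool_id}/providers/{provider_id}")


def build_exchange_request(subject_token: str, audience: str) -> dict:
    """Form fields of the RFC 8693 token-exchange call (IdP JWT in, Google access token out)."""
    return {
        "grant_type": GRANT_TOKEN_EXCHANGE,
        "audience": audience,
        "scope": SCOPE_CLOUD,
        "requested_token_type": TYPE_ACCESS_TOKEN,
        "subject_token_type": TYPE_JWT,
        "subject_token": subject_token,
    }


def parse_exchange_response(body: bytes, now: float) -> tuple:
    """Return (access_token, absolute_expiry); fail closed on anything unexpected."""
    data = json.loads(body)
    if data.get("token_type") != "Bearer" or "access_token" not in data:
        raise ValueError(f"unexpected STS response fields: {sorted(data)}")
    return data["access_token"], now + float(data["expires_in"])


def write_token_atomic(path: str, token: str) -> None:
    """Publish the token so the consumer never reads a half-written file:
    temp file in the same directory, mode 0600, then an atomic rename."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".token-")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(token)
        os.chmod(tmp, 0o600)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def refresh_delay(expiry: float, now: float, margin: float = 300.0, floor: float = 30.0) -> float:
    """Refresh `margin` seconds before expiry, but never spin faster than `floor`."""
    return max(floor, expiry - now - margin)


def exchange_once(source_path: str, shared_path: str, audience: str,
                  opener=urllib.request.urlopen) -> float:
    """One refresh: read the IdP token, exchange it, publish the result. Returns expiry."""
    with open(source_path) as f:
        subject_token = f.read().strip()
    req = urllib.request.Request(
        STS_URL,
        data=urllib.parse.urlencode(build_exchange_request(subject_token, audience)).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    now = time.time()
    with opener(req, timeout=10) as resp:
        token, expiry = parse_exchange_response(resp.read(), now)
    write_token_atomic(shared_path, token)
    return expiry


def main() -> None:
    audience = wif_audience(os.environ["PROJECT_NUMBER"], os.environ["POOL_ID"],
                            os.environ["PROVIDER_ID"])
    while True:
        try:
            expiry = exchange_once("/source-creds/token", "/shared/token", audience)
            time.sleep(refresh_delay(expiry, time.time()))
        except Exception as exc:  # leave the last good token in place and retry
            print(f"token refresh failed: {exc}", flush=True)
            time.sleep(30)


if __name__ == "__main__":
    main()
```

The federated access token that STS returns is usable directly only where you granted IAM roles to the pool identity itself. If you bound the pool to a Google service account instead, add a second call to the IAM Credentials generateAccessToken API with the federated token as bearer and publish that token. On a refresh failure the loop deliberately keeps the previous token on disk rather than deleting it, so a transient IdP outage does not take the component down before the old token expires.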
After updating your overrides.yaml file, apply the changes to your cluster. Run the following commands to update each hybrid component. Make sure you are in the apigee-charts/ directory.

- Upgrade the Apigee Operator/Controller:

```shell
helm upgrade operator apigee-operator/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  -f OVERRIDES_FILE
```

- Upgrade the Apigee datastore:

```shell
helm upgrade datastore apigee-datastore/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  -f OVERRIDES_FILE
```

- Upgrade Apigee telemetry:

```shell
helm upgrade telemetry apigee-telemetry/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  -f OVERRIDES_FILE
```

- Upgrade Apigee Redis:

```shell
helm upgrade redis apigee-redis/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  -f OVERRIDES_FILE
```

- Upgrade Apigee ingress manager:

```shell
helm upgrade ingress-manager apigee-ingress-manager/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  -f OVERRIDES_FILE
```

- Upgrade the Apigee organization:

```shell
helm upgrade ORG_NAME apigee-org/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  -f OVERRIDES_FILE
```

- Upgrade the environment. You must install one environment at a time. Specify the environment with --set env=ENV_NAME:

```shell
helm upgrade ENV_RELEASE_NAME apigee-env/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --set env=ENV_NAME \
  -f OVERRIDES_FILE
```

- Upgrade the environment groups (virtualhosts). You must upgrade one environment group (virtualhost) at a time. Specify the environment group with --set envgroup=ENV_GROUP_NAME. Repeat the following command for each environment group mentioned in the overrides.yaml file:

```shell
helm upgrade ENV_GROUP_RELEASE_NAME apigee-virtualhost/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --set envgroup=ENV_GROUP_NAME \
  -f OVERRIDES_FILE
```
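Once the upgrades finish, confirm that the charts actually injected the sidecar and that the shared volume is mounted on both sides; a pod whose Apigee container does not mount the same volume the sidecar writes to will fail authentication only later, when its previous credentials expire. The following Python is an added check (not part of the Apigee documentation or charts) that reads the JSON printed by kubectl get pods -n APIGEE_NAMESPACE -o json and reports misconfigured pods. The container name apigee-fwi-sidecar and the volume name shared-mount come from the overrides.yaml example above; the sample pod list is constructed for illustration.

```python
"""Post-rollout check for the WIF sidecar in Apigee hybrid pods.

Added example, not Apigee code. Feed it `kubectl get pods -n APIGEE_NAMESPACE -o json`
on stdin; with no stdin it runs against the constructed SAMPLE below.
"""
import json
import sys

SIDECAR = "apigee-fwi-sidecar"
SHARED_VOLUME = "shared-mount"


def _mounts(container: dict) -> set:
    return {m["name"] for m in container.get("volumeMounts", [])}


def check_pod(pod: dict, sidecar: str = SIDECAR, volume: str = SHARED_VOLUME) -> list:
    """Return the problems found in one pod; an empty list means it is wired correctly."""
    by_name = {c["name"]: c for c in pod["spec"].get("containers", [])}
    if sidecar not in by_name:
        return [f"no container named {sidecar}"]
    problems = []
    if volume not in _mounts(by_name[sidecar]):
        problems.append(f"{sidecar} does not mount {volume}")
    consumers = [n for n, c in by_name.items() if n != sidecar and volume in _mounts(c)]
    if not consumers:
        problems.append(f"no other container mounts {volume}")
    # A crash-looping sidecar means the token in the shared volume is stale or absent.
    for cs in pod.get("status", {}).get("containerStatuses", []):
        if cs["name"] == sidecar and not cs.get("ready", False):
            problems.append(f"{sidecar} is not ready (restarts={cs.get('restartCount', 0)})")
    return problems


def audit(pod_list: dict, **kw) -> dict:
    """Map pod name -> problems, listing only pods that have at least one problem."""
    findings = {}
    for pod in pod_list.get("items", []):
        problems = check_pod(pod, **kw)
        if problems:
            findings[pod["metadata"]["name"]] = problems
    return findings


# Constructed sample: one correctly wired runtime pod and one MART pod without the sidecar.
SAMPLE = {"items": [
    {"metadata": {"name": "apigee-runtime-0"},
     "spec": {"containers": [
         {"name": "apigee-runtime",
          "volumeMounts": [{"name": "shared-mount", "mountPath": "/shared"}]},
         {"name": "apigee-fwi-sidecar",
          "volumeMounts": [{"name": "shared-mount", "mountPath": "/shared"},
                           {"name": "source-creds", "mountPath": "/source-creds", "readOnly": True}]}]},
     "status": {"containerStatuses": [{"name": "apigee-fwi-sidecar", "ready": True, "restartCount": 0}]}},
    {"metadata": {"name": "apigee-mart-0"},
     "spec": {"containers": [{"name": "apigee-mart", "volumeMounts": []}]},
     "status": {}},
]}


if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    findings = audit(data)
    for name, problems in findings.items():
        print(f"{name}: {'; '.join(problems)}")
    sys.exit(1 if findings else 0)
```

Run it as kubectl get pods -n APIGEE_NAMESPACE -o json | python3 check_sidecar.py after the last helm upgrade; a non-zero exit means at least one pod needs attention. If you use the Vault variant, the injected vault-agent container shows up in the same pod list, and a sidecar that is not ready usually points at a Vault role or path annotation rather than at the Apigee configuration.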