This topic explains how to enable non-SNI clients, HTTP clients, and a combination of both for use with Apigee hybrid.
This configuration works for both Apigee ingress gateway and Anthos Service Mesh.
How to configure a non-SNI client
This section explains how to enable support for non-SNI (Server Name Indication) clients in Apigee hybrid. A non-SNI client connects on port 443 without sending a server name in the TLS handshake, so the ingress must be able to serve it with a single default certificate. Non-SNI support is required if you want to integrate hybrid runtime instances with Google Cloud Load Balancing, or for clients that do not support SNI.

- Create an ApigeeRoute custom resource (an instance of the ApigeeRoute CRD). Be sure that enableNonSniClient is set to true:

    apiVersion: apigee.cloud.google.com/v1alpha1
    kind: ApigeeRoute
    metadata:
      name: ROUTE_NAME
      namespace: apigee
    spec:
      hostnames:
      - "*"
      ports:
      - number: 443
        protocol: HTTPS
        tls:
          credentialName: CREDENTIAL_NAME
          mode: SIMPLE
          # optional
          minProtocolVersion: TLS_AUTO
      selector:
        app: APP_NAME
      enableNonSniClient: true

  Where:
  - ROUTE_NAME is the name you give to the resource.
  - CREDENTIAL_NAME is the name of a Kubernetes Secret deployed to the cluster that contains the TLS credentials for your virtualhost. You can find the credential name with the following kubectl command:

        kubectl -n apigee get ApigeeRoutes -o=yaml | grep credentialName

  - APP_NAME identifies the type of ingress gateway:
    - apigee-ingressgateway for Apigee ingress gateway.
    - istio-ingressgateway for Anthos Service Mesh.
  - hostnames must be set to the wildcard "*".
- Open your overrides file and make the change described in the next step.
- For each environment group, add the ApigeeRoute name to the additionalGateways property. For example:

    virtualhosts:
    - name: default
      sslCertPath: ./certs/fullchain.pem
      sslKeyPath: ./certs/privkey.pem
      additionalGateways: ["ROUTE_NAME"]

- Save the ApigeeRoute file, for example as ApigeeRoute.yaml, and apply it to the cluster:

    kubectl apply -f ApigeeRoute.yaml -n apigee

- Apply the change to virtualhosts:

    $APIGEECTL_HOME/apigeectl apply -f overrides.yaml --settings virtualhosts --env $ENVIRONMENT
Usage notes
- What happens if the cluster has more than one org?
  Because the ingress is at the cluster level for a given port (443), and there can be only one key/cert pair for the ApigeeRoute resource, all orgs must share the same key/cert pair. That certificate therefore has to be valid for every hostname served through the route, otherwise clients that verify the server name will reject the connection.
- What happens if the cluster has more than one environment group? Does it work if the virtual hosts share the same key/cert pair?
  Yes. All hostnames across all environment groups must use the same key/cert pair.
- Why create an ApigeeRoute instead of an Istio Gateway?
  ApigeeRoutes can be validated by Apigee through a validation webhook; the Istio Gateway CRD cannot be. Technically a Gateway also works, but the ApigeeRoute validation prevents potential configuration mistakes.
Enable HTTP clients
This section explains how to enable support for HTTP clients for use with Apigee hybrid. Note that traffic on port 80 is cleartext HTTP: nothing protects API keys, tokens or payloads between the client and the ingress, so only expose it where that is acceptable.

- Create an ApigeeRoute custom resource (an instance of the ApigeeRoute CRD). For example:

    apiVersion: apigee.cloud.google.com/v1alpha1
    kind: ApigeeRoute
    metadata:
      name: route_name
      namespace: apigee
    spec:
      hostnames:
      - "*"
      ports:
      - number: 80
        protocol: HTTP
      selector:
        app: istio-ingressgateway
      enableNonSniClient: true

  Where:
  - route_name is the name you give to the resource.
  - hostnames must be set to the wildcard "*".
  - selector.app is istio-ingressgateway for Anthos Service Mesh; use apigee-ingressgateway for Apigee ingress gateway, as in the previous section.
- Open your overrides file and make the change described in the next step.
- For each environment group, add the ApigeeRoute name to the additionalGateways property. For example:

    virtualhosts:
    - name: default
      sslCertPath: ./certs/fullchain.pem
      sslKeyPath: ./certs/privkey.pem
      additionalGateways: ["route_name"]

- Save the ApigeeRoute file, for example as ApigeeRoute.yaml, and apply it to the cluster:

    kubectl apply -f ApigeeRoute.yaml -n apigee

- Apply the change to virtualhosts:

    $APIGEECTL_HOME/apigeectl apply -f overrides.yaml --settings virtualhosts --env $ENVIRONMENT
Enable support for both non-SNI and HTTP clients
This section explains how to enable both non-SNI (port 443) and HTTP (port 80) clients for use with Apigee hybrid. A single ApigeeRoute can list both ports; the cleartext caveat for port 80 and the single key/cert pair constraint for port 443 from the previous sections both apply.

- Create an ApigeeRoute custom resource (an instance of the ApigeeRoute CRD). For example:

    apiVersion: apigee.cloud.google.com/v1alpha1
    kind: ApigeeRoute
    metadata:
      name: route_name
      namespace: apigee
    spec:
      hostnames:
      - "*"
      ports:
      - number: 443
        protocol: HTTPS
        tls:
          credentialName: credential_name
          mode: SIMPLE
          # optional
          minProtocolVersion: TLS_AUTO
      - number: 80
        protocol: HTTP
      selector:
        app: istio-ingressgateway
      enableNonSniClient: true

  Where:
  - route_name is the name you give to the resource.
  - hostnames must be set to the wildcard "*".
  - credential_name is the name of a Kubernetes Secret deployed to the cluster that contains the TLS credentials for your virtualhost. You can find the credential name with the following kubectl command:

        kubectl -n apigee get ApigeeRoutes -o=yaml | grep credentialName

  - selector.app is istio-ingressgateway for Anthos Service Mesh; use apigee-ingressgateway for Apigee ingress gateway.
- Open your overrides file and make the change described in the next step.
- For each environment group, add the ApigeeRoute name to the additionalGateways property. For example:

    virtualhosts:
    - name: default
      sslCertPath: ./certs/fullchain.pem
      sslKeyPath: ./certs/privkey.pem
      additionalGateways: ["route_name"]

- Save the ApigeeRoute file, for example as ApigeeRoute.yaml, and apply it to the cluster:

    kubectl apply -f ApigeeRoute.yaml -n apigee

- Apply the change to virtualhosts:

    $APIGEECTL_HOME/apigeectl apply -f overrides.yaml --settings virtualhosts --env $ENVIRONMENT
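The three procedures above (non-SNI on 443, HTTP on 80, and both) differ only in the ports block of the ApigeeRoute, and the usage notes add one constraint the manifests cannot express: every virtualhost that references the route must use the same key/cert pair. The following Python script is an added example, not code from this page or from Apigee: it builds the manifest for any of the three modes, checks it against the constraints stated on this page (wildcard hostnames, enableNonSniClient, a known ingress selector, a TLS block on 443 and plain HTTP on 80), and checks an overrides virtualhosts list for the shared key/cert requirement. The function names, the MODES table and the sample virtualhosts are this example's own choices; only the manifest field names come from the page.

```python
import json

INGRESS_APPS = ("apigee-ingressgateway", "istio-ingressgateway")

# Ports each client mode opens, following the three sections above.
MODES = {"nonsni": (443,), "http": (80,), "both": (443, 80)}


def apigee_route(name, mode, gateway_app, credential_name=None,
                 min_protocol_version="TLS_AUTO"):
    """Return an ApigeeRoute manifest (as a dict) for one of the modes."""
    if mode not in MODES:
        raise ValueError("mode must be one of: %s" % ", ".join(MODES))
    ports = []
    for number in MODES[mode]:
        if number == 443:
            if not credential_name:
                raise ValueError("port 443 needs a TLS Secret name (credentialName)")
            ports.append({"number": 443, "protocol": "HTTPS",
                          "tls": {"credentialName": credential_name,
                                  "mode": "SIMPLE",
                                  "minProtocolVersion": min_protocol_version}})
        else:
            ports.append({"number": 80, "protocol": "HTTP"})
    return {
        "apiVersion": "apigee.cloud.google.com/v1alpha1",
        "kind": "ApigeeRoute",
        "metadata": {"name": name, "namespace": "apigee"},
        "spec": {"hostnames": ["*"], "ports": ports,
                 "selector": {"app": gateway_app},
                 "enableNonSniClient": True},
    }


def validate_route(route):
    """Return the list of constraints from this page that the manifest breaks
    (an empty list means it passes): wildcard hostname, enableNonSniClient set,
    a known ingress selector, a TLS block on 443 and plain HTTP on 80."""
    problems = []
    spec = route.get("spec", {})
    if route.get("kind") != "ApigeeRoute":
        problems.append("kind must be ApigeeRoute")
    if route.get("metadata", {}).get("namespace") != "apigee":
        problems.append("metadata.namespace must be apigee")
    if spec.get("hostnames") != ["*"]:
        problems.append('hostnames must be exactly ["*"]')
    if spec.get("enableNonSniClient") is not True:
        problems.append("enableNonSniClient must be true")
    if spec.get("selector", {}).get("app") not in INGRESS_APPS:
        problems.append("selector.app must be one of: %s" % ", ".join(INGRESS_APPS))
    for port in spec.get("ports", []):
        number, proto = port.get("number"), port.get("protocol")
        if number == 443:
            if proto != "HTTPS":
                problems.append("port 443 must use protocol HTTPS")
            if not port.get("tls", {}).get("credentialName"):
                problems.append("port 443 needs tls.credentialName")
        elif number == 80:
            if proto != "HTTP":
                problems.append("port 80 must use protocol HTTP")
        else:
            problems.append("unexpected port %r" % number)
    return problems


def check_shared_cert(virtualhosts, route_name):
    """Usage-note check: every virtualhost that lists route_name under
    additionalGateways must use one sslCertPath/sslKeyPath pair, because the
    ingress on port 443 can present only a single key/cert pair."""
    pairs = {(vh["sslCertPath"], vh["sslKeyPath"]) for vh in virtualhosts
             if route_name in vh.get("additionalGateways", [])}
    return len(pairs) <= 1


# Constructed sample overrides (not from the page): two environment groups
# share the route, but the second one points at a different cert, which
# the usage notes say is not allowed.
SAMPLE_VIRTUALHOSTS = [
    {"name": "default", "sslCertPath": "./certs/fullchain.pem",
     "sslKeyPath": "./certs/privkey.pem", "additionalGateways": ["nonsni-route"]},
    {"name": "partners", "sslCertPath": "./certs/partners.pem",
     "sslKeyPath": "./certs/partners-key.pem", "additionalGateways": ["nonsni-route"]},
]

if __name__ == "__main__":
    route = apigee_route("nonsni-route", "both", "apigee-ingressgateway", "my-tls-secret")
    # JSON is valid YAML, so this output can be saved and passed to kubectl apply.
    print(json.dumps(route, indent=2))
    print("problems:", validate_route(route))
    print("shared cert pair:", check_shared_cert(SAMPLE_VIRTUALHOSTS, "nonsni-route"))
```

Run the script to print a manifest for the combined mode and a report on the sample overrides; swap the mode string to "nonsni" or "http" to generate the manifests of the first two sections. Running validate_route before kubectl apply catches the mistakes the page warns about (a non-wildcard hostname, a missing credentialName, a wrong selector) without waiting for the validation webhook, and check_shared_cert flags the multi-environment-group case that the webhook cannot see because it lives in the overrides file.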

