The Apigee Hybrid management plane must be able to reach theMART servicein the runtime plane. For this reason, you must expose the MART
endpoint to requests coming from outside of the cluster.
The MART endpoint is a secure TLS connection. Hybrid uses anIstio
ingress gateway serviceto expose traffic to this endpoint.
This topic explains the steps to take to expose the MART endpoint.
Adding the MART service account
MART requires a GCP service account for authentication.
In the GCP setup step,Add service accounts, you
created a service account with no role for MART.
Locate the key file you downloaded for that service account.
The file should have a.jsonextension.
Add the key file path to themart.serviceAccountPathproperty:
...
mart:
sslCertPath:
sslKeyPath:
hostAlias:serviceAccountPath: "path to a file"...
Add themart.sslCertPath,mart.sslKeyPath, andmart.hostAliasproperties. The following table describes these properties:
Property
Value
mart.sslCertPath mart.sslKeyPath
The MART certificate/key pair must be authorized by a certificate authority (CA).
If you have not previously created an authorized cert/key pair, then you must do
so now and enter the certificate and key filenames for the corresponding property
values. If you need help generating the authorized cert/key pair, seeObtain TLS credentials: An example.
mart.hostAlias.
(Required) A qualified DNS name for the MART server endpoint. For example,foo-mart.mydomain.com.
For example, where the host alias is a qualified domain name:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eThis documentation version (1.2) is end-of-life, and users should upgrade to a newer version for continued support and functionality.\u003c/p\u003e\n"],["\u003cp\u003eThe Apigee Hybrid MART endpoint must be exposed to external requests for the management plane to function correctly, utilizing a secure TLS connection.\u003c/p\u003e\n"],["\u003cp\u003eSetting up MART requires providing a trusted TLS key/certificate pair, obtained from a Certificate Authority, along with a qualified domain name.\u003c/p\u003e\n"],["\u003cp\u003eA dedicated GCP service account is needed for MART authentication, and the path to the service account key file must be specified in the \u003ccode\u003emart.serviceAccountPath\u003c/code\u003e property.\u003c/p\u003e\n"],["\u003cp\u003eYou must specify the paths to the TLS certificate and key files and the host alias for MART, using \u003ccode\u003emart.sslCertPath\u003c/code\u003e, \u003ccode\u003emart.sslKeyPath\u003c/code\u003e, and \u003ccode\u003emart.hostAlias\u003c/code\u003e in the overrides file, ensuring the certificate's Common Name matches the host alias.\u003c/p\u003e\n"]]],[],null,["# MART configuration\n\n| You are currently viewing version 1.2 of the Apigee hybrid documentation. **This version is end of life.** You should upgrade to a newer version. For more information, see [Supported versions](/apigee/docs/hybrid/supported-platforms#supported-versions).\n\nThe Apigee Hybrid management plane must be able to reach the\n[MART service](/apigee/docs/hybrid/v1.2/what-is-hybrid#management-api-mart)\nin the runtime plane. For this reason, you must expose the MART\nendpoint to requests coming from outside of the cluster.\nThe MART endpoint is a secure TLS connection. Hybrid uses an\n[Istio\ningress gateway service](https://istio.io/docs/tasks/traffic-management/ingress/) to expose traffic to this endpoint.\n| The MART setup requires you to provide a trusted TLS key/certificate pair and a qualified domain name. Self-signed certificates are not permitted. For an example showing how to obtain a certificate signed by a CA, see [Obtain\n| TLS credentials](/apigee/docs/hybrid/v1.2/lets-encrypt).\n\n\nThis topic explains the steps to take to expose the MART endpoint.\n\nAdding the MART service account\n-------------------------------\n\n\nMART requires a GCP service account for authentication.\n\n1. In the GCP setup step, [Add service accounts](/apigee/docs/hybrid/v1.2/precog-serviceaccounts), you created a service account with no role for MART. Locate the key file you downloaded for that service account. The file should have a `.json` extension.\n2. Add the key file path to the `mart.serviceAccountPath` property: \n\n ```\n ...\n mart:\n sslCertPath:\n sslKeyPath:\n hostAlias:\n serviceAccountPath: \"path to a file\"\n ...\n ```\n\n\n For example: \n\n ```\n ...\n mart:\n sslCertPath:\n sslKeyPath:\n hostAlias:\n serviceAccountPath: \"your_keypath/mart-service-account.json\n ...\n ```\n\nAdding TLS credentials and the host alias\n-----------------------------------------\n\n1. Open your overrides file.\n2. Add the `mart.sslCertPath`, `mart.sslKeyPath`, and `mart.hostAlias` properties. The following table describes these properties:\n\n\n For example, where the host alias is a qualified domain name: \n\n ```\n ...\n\n mart:\n sslCertPath: \u003cvar translate=\"no\"\u003epath-to-file\u003c/var\u003e/mart-server.crt\n sslKeyPath: \u003cvar translate=\"no\"\u003epath-to-file\u003c/var\u003e/mart-server.key\n hostAlias: foo-mart.mydomain.com\n serviceAccountPath: \"your_keypath/mart-service-account.json\n\n ...\n ```\n3. Save your changes."]]
