Step 2: Install cert-manager and ASM

This step explains how to download and install cert-manager and Anthos Service Mesh (ASM), required for Apigee hybrid to operate.

Install cert-manager

Use one of the following two commands to install cert-manager v0.14.2 from GitHub. To find your Kubernetes version, use the kubectl version command.

  • If you have Kubernetes 1.15 or newer:
    kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.14.2/cert-manager.yaml
  • If you have a Kubernetes version older than 1.15:
    kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.14.2/cert-manager-legacy.yaml

You should see a response that the cert-manager namespace and several cert-manager resources have been created.

Install ASM

Apigee hybrid uses the Istio distribution provided with Anthos Service Mesh (ASM). Follow these steps to install ASM in your cluster.

Supported ASM versions

For new installations of hybrid, install ASM 1.6.x into your cluster. If you are upgrading from hybrid version 1.2.x, install ASM version 1.5.x into your cluster.

Perform ASM setup and configuration steps

To complete the ASM installation, you must first follow ASM-specific setup and configuration steps in the ASM documentation. Then, you must return here to complete the hybrid-specific configuration before applying the configuration to the cluster.

  1. Follow the ASM setup and configuration steps:
  2. When you have completed the ASM setup and config steps, go to the next section to complete the hybrid configuration and ASM installation steps.

Perform final hybrid configuration and install ASM

Finally, add hybrid-specific configurations to the istio-operator.yaml file and install ASM.

  1. Ensure that you're in the ASM installation's root directory. For example: 1.6.11-asm.1.
  2. Open the ./asm/cluster/istio-operator.yaml file in an editor.
  3. Add the following lines, indented under spec.meshConfig:

    Text to copy

        # This disables Istio from configuring workloads for mTLS if TLSSettings are not specified. 1.4 defaulted to false.
        enableAutoMtls: false
        accessLogFile: "/dev/stdout"
        accessLogEncoding: 1
        # This is Apigee's custom access log format. Changes should not be made to this
        # unless first working with the Data and AX teams as they parse these logs for
        # SLOs.
        accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)%
          %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'

    Example showing placement

    Line breaks inserted for readability

    apiVersion: install.istio.io/v1alpha1
    kind: IstioOperator
    metadata:
      clusterName: "hybrid-example/us-central1/example-cluster" # {"$ref":"#/definitions/io.k8s.cli.substitutions.cluster-name"}
    spec:
      profile: asm
      hub: gcr.io/gke-release/asm # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.hub"}
      tag: 1.5.7-asm.0 # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.tag"}
      meshConfig:
        # This disables Istio from configuring workloads for mTLS if TLSSettings are not specified.
        # 1.4 defaulted to false.
        enableAutoMtls: false
        accessLogFile: "/dev/stdout"
        accessLogEncoding: 1
        # This is Apigee's custom access log format. Changes should not be made to this
        # unless first working with the Data and AX teams as they parse these logs for
        # SLOs.
        accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE
          _ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:
          METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RE
          SPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIV
          ED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response
          _flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_serv
          ice_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%
          ","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_
          path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol
          ":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_S
          ERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
        defaultConfig:
          proxyMetadata:
            GCP_METADATA: "hybrid-example|123456789123|example-cluster|us-central1" # {"$ref":"#/definitions/io.k8s.cli.substitutions.gke-metadata"}
    
  4. Add (or update) the spec:components stanza in the istio-operator.yaml file below the meshConfig: section and immediately above values:, where reserved_static_ip is the IP address you reserved for your runtime ingress gateway in Project and Org Setup - Step 5: Configure Cloud DNS.

    Text to copy

    ingressGateways:
        - name: istio-ingressgateway
          enabled: true
          k8s:
            service:
              type: LoadBalancer
              loadBalancerIP: reserved_static_ip
              ports:
              - name: status-port
                port: 15020
                targetPort: 15020
              - name: http2
                port: 80
                targetPort: 80
              - name: https
                port: 443
              - name: prometheus
                port: 15030
                targetPort: 15030
              - name: tcp
                port: 31400
                targetPort: 31400
              - name: tls
                port: 15443
                targetPort: 15443

    Example showing placement

    Line breaks inserted for readability

    apiVersion: install.istio.io/v1alpha1
    kind: IstioOperator
    metadata:
      clusterName: "hybrid-example/us-central1/example-cluster" # {"$ref":"#/definitions/io.k8s.cli.substitutions.cluster-name"}
    spec:
      profile: asm
      hub: gcr.io/gke-release/asm # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.hub"}
      tag: 1.5.7-asm.0 # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.tag"}
      meshConfig:
        # This disables Istio from configuring workloads for mTLS if TLSSettings are not specified.
        # 1.4 defaulted to false.
        enableAutoMtls: false
        accessLogFile: "/dev/stdout"
        accessLogEncoding: 1
        # This is Apigee's custom access log format. Changes should not be made to this
        # unless first working with the Data and AX teams as they parse these logs for
        # SLOs.
        accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE
          _ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:
          METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RE
          SPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIV
          ED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response
          _flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_serv
          ice_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%
          ","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_
          path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol
          ":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_S
          ERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
        defaultConfig:
          proxyMetadata:
            GCP_METADATA: "hybrid-example|123456789123|example-cluster|us-central1" # {"$ref":"#/definitions/io.k8s.cli.substitutions.gke-metadata"}
      components:
        pilot:
          k8s:
            hpaSpec:
              maxReplicas: 2
        ingressGateways:
          - name: istio-ingressgateway
            enabled: true
            k8s:
              service:
                type: LoadBalancer
                loadBalancerIP: 123.234.56.78
                ports:
                  - name: status-port
                    port: 15020
                    targetPort: 15020
                  - name: http2
                    port: 80
                    targetPort: 80
                  - name: https
                    port: 443
                  - name: prometheus
                    port: 15030
                    targetPort: 15030
                  - name: tcp
                    port: 31400
                    targetPort: 31400
                  - name: tls
                    port: 15443
                    targetPort: 15443
              hpaSpec:
                maxReplicas: 2
      values:
        .
        .
        .
    
  5. Return now to the ASM documentation you used previously, and complete ASM installation (install or apply the istio-operator.yaml file to the cluster). When given a choice, choose PERMISSIVE mTLS.
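The following is an added example, not part of the Apigee documentation: a check that the accessLogFormat value added in step 3 is still intact before the file is applied, because the placement example shows the string with line breaks inserted for readability and YAML folds each such break into a space. The field table is transcribed from this page; the function names and the constructed INTACT and WRAPPED inputs are assumptions of the example.

```python
import json

# Field -> Envoy command operator, transcribed in order from the accessLogFormat on this page.
APIGEE_FIELDS = {
    "start_time": "%START_TIME%", "remote_address": "%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%",
    "user_agent": "%REQ(USER-AGENT)%", "host": "%REQ(:AUTHORITY)%",
    "request": "%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%",
    "request_time": "%DURATION%", "status": "%RESPONSE_CODE%",
    "status_details": "%RESPONSE_CODE_DETAILS%", "bytes_received": "%BYTES_RECEIVED%",
    "bytes_sent": "%BYTES_SENT%", "upstream_address": "%UPSTREAM_HOST%",
    "upstream_response_flags": "%RESPONSE_FLAGS%",
    "upstream_response_time": "%RESPONSE_DURATION%",
    "upstream_service_time": "%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%",
    "upstream_cluster": "%UPSTREAM_CLUSTER%", "x_forwarded_for": "%REQ(X-FORWARDED-FOR)%",
    "request_method": "%REQ(:METHOD)%", "request_path": "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%",
    "request_protocol": "%PROTOCOL%", "tls_protocol": "%DOWNSTREAM_TLS_VERSION%",
    "request_id": "%REQ(X-REQUEST-ID)%", "sni_host": "%REQUESTED_SERVER_NAME%",
    "apigee_dynamic_data": "%DYNAMIC_METADATA(envoy.lua)%",
}

def fold_quoted_scalar(text):
    """YAML line folding: a single line break plus surrounding indentation becomes one space."""
    return " ".join(line.strip() for line in text.splitlines())

def check_access_log_format(value):
    """Return problems in an accessLogFormat value as YAML would load it ([] means intact)."""
    try:
        fields = json.loads(fold_quoted_scalar(value))
        if not isinstance(fields, dict):
            raise ValueError("top level is not a JSON object")
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    problems = [f"missing field: {key}" for key in APIGEE_FIELDS if key not in fields]
    for key, operator in fields.items():
        if key not in APIGEE_FIELDS:
            problems.append(f"unexpected field: {key!r}")
        elif operator != APIGEE_FIELDS[key]:
            problems.append(f"changed operator in {key}: {operator!r}")
    return problems

# Constructed inputs: the format on one line, and the same text broken mid-token
# in two of the places where the placement example breaks it.
INTACT = json.dumps(APIGEE_FIELDS, separators=(",", ":"))
WRAPPED = INTACT.replace("REMOTE_ADDRESS", "REMOTE\n      _ADDRESS").replace(
    "response_flags", "response\n      _flags")

if __name__ == "__main__":
    print(check_access_log_format(INTACT))
    print(*check_access_log_format(WRAPPED), sep="\n")
```

The line break in the "Text to copy" block falls where the format already has a space, so that version folds back to the intact string; the mid-token breaks in the placement example do not.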

Summary

You now have cert-manager and ASM installed, and you are ready to install the Apigee hybrid command line tool on your local machine.
