APIM Operator: Before you begin

This page applies to Apigee, but not to Apigee hybrid.

This page describes the steps you must complete before you can install and configure the Apigee APIM Operator for Kubernetes (Preview). To learn more about the benefits of using the APIM Operator, see Apigee APIM Operator for Kubernetes overview.

Required roles

To get the permissions that you need to set up the resources required to install and use the APIM Operator, ask your administrator to grant you the following IAM roles on the organization:

For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Required setup tasks

Before you install the APIM Operator, make sure to complete the following tasks to set up the resources you need to use the feature:

  1. Provision an Apigee instance using version 1-14-0-apigee-4 or later.

    You can view instance versions on the Instance details page of the Apigee UI in the Google Cloud console. Go to the Instances page in the Google Cloud console to select an instance and view its details.

    You can use APIM Operator with a Subscription or Pay-as-you-go Apigee organization. For more details about provisioning paid Apigee instances, see Before you begin.

  2. Install the Google Cloud CLI.

    After the Google Cloud CLI is installed, run the gcloud components update command to get the latest gcloud components.

  3. Install and configure the kubectl command-line tool.
  4. Install Helm (version v3.14.3 or later).
  5. Create a GKE cluster with Workload Identity Federation for GKE and GKE Gateway enabled.

    Workload Identity Federation for GKE is enabled by default when using Autopilot mode to create and manage your clusters. For more information, see Autopilot overview.

    For the steps required to create a new cluster with Workload Identity Federation for GKE and GKE Gateway enabled using Autopilot, see Deploying Gateways.

  6. Deploy a GKE Gateway to your cluster.

    You can choose to configure and deploy an internal Gateway or an external Gateway to use with APIM Operator. If you choose to deploy an internal Gateway, a proxy-only subnet and shared VPC are required. For the purposes of this guide, we recommend that you deploy an external Gateway. For more information, see GKE Gateway controller requirements.

    To deploy the GKE Gateway, use the steps outlined in Deploy an external Gateway. When you create the Gateway, use the following YAML configuration:

    # gateway.yaml
    kind: Gateway
    apiVersion: gateway.networking.k8s.io/v1beta1
    metadata:
      name: global-ext-lb1
      namespace: default
    spec:
      gatewayClassName: gke-l7-global-external-managed
      listeners:
      - name: http
        protocol: HTTP
        port: 80
        allowedRoutes:
          kinds:
          - kind: HTTPRoute
          namespaces:
            # All: HTTPRoutes in any namespace can attach to this listener
            from: All

  7. Deploy the HTTPRoute resource to your cluster to map traffic from the Gateway to your backend service.

    For more information on the HTTPRoute resource, see Deploy the HTTPRoute (for internal Gateways) or Create an HTTPRoute (for external Gateways).

    For the purposes of this guide, we recommend that you deploy an external Gateway and HTTPRoute, following the steps in Create an HTTPRoute. When you create the HTTPRoute, use the following YAML configuration:

    # httproute.yaml
    kind: HTTPRoute
    apiVersion: gateway.networking.k8s.io/v1beta1
    metadata:
      name: http-bin-route
      namespace: http
    spec:
      parentRefs:
      - kind: Gateway
        name: global-ext-lb1
        namespace: default
      hostnames:
      - apigee-apim-operator-test.apigee.net
      rules:
      - matches:
        - path:
            value: /
        backendRefs:
        - name: httpbin
          kind: Service
          port: 80
          namespace: http

  8. Verify the GKE Gateway setup to confirm that it is working as expected:
    1. Get the Gateway details using the following command:
      kubectl get gateway GATEWAY_NAME

      Where GATEWAY_NAME is the name of the GKE Gateway you created.

      For example:

      kubectl get gateway global-ext-lb1

      The output should appear similar to the following:

      NAME             CLASS                            ADDRESS        PROGRAMMED   AGE
      global-ext-lb1   gke-l7-global-external-managed   34.54.193.72   True         11d
      

      Confirm that an IP address is assigned to the Gateway and that the value of PROGRAMMED is True.

    2. Describe the Gateway to confirm the route is attached:
      kubectl describe gateway GATEWAY_NAME

      For example:

      kubectl describe gateway global-ext-lb1

      The output should look similar to the following:

      ...
        Listeners:
          Attached Routes:  1
          Conditions:
            Last Transition Time:  2024-10-03T03:10:17Z
      ...

      Confirm that the value of Attached Routes is 1, indicating that the route is attached.

    3. Send a request to the Gateway:
      curl http://GATEWAY_IP_ADDRESS/get -k \
          -H "Host: HOST_NAME"

      Where:

      • GATEWAY_IP_ADDRESS is the IP address of the Gateway. You can retrieve the Gateway IP address using the following command, where GATEWAY_NAME is the name of the Gateway:
        kubectl get gateways.gateway.networking.k8s.io GATEWAY_NAME -o=jsonpath="{.status.addresses[0].value}"
      • HOST_NAME is the hostname defined in the Gateway's HTTPRoute. You can retrieve the HOST_NAME using the following command:
        kubectl get HTTPRoute HTTPROUTE_NAME -n NAMESPACE

      For example:

      curl http://34.54.193.72/get -k \
      -H "Host: apigee-apim-operator-test.apigee.net"

      The response should appear similar to the following:

        {
          "args": {},
          "headers": {
            "Accept": "*/*",
            "Host": "apigee-apim-operator-test.apigee.net",
            "User-Agent": "curl/8.7.1",
            "X-Cloud-Trace-Context": "2bb8a80e29e80662ff9cb89971c447d9/13083106619927322701"
          },
          "origin": "67.164.1.10,34.54.193.72",
          "url": "http://apigee-apim-operator-test.apigee.net/get"
        }
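
The `Attached Routes: 1` check in step 8 depends on the listener's `allowedRoutes` in `gateway.yaml`: the Gateway is in the `default` namespace and the HTTPRoute is in `http`, so the route attaches only if the listener admits that namespace. The following Python is an added example, not code from this page or from the APIM Operator; it models only the Gateway API namespace and kind rules (no hostname or sectionName matching), and the function names and the `gateway-access` label are hypothetical.

```python
import copy

# Constructed input: this page's gateway.yaml and httproute.yaml as dicts.
GATEWAY = {"metadata": {"name": "global-ext-lb1", "namespace": "default"},
           "spec": {"listeners": [{"name": "http", "protocol": "HTTP", "port": 80,
                                   "allowedRoutes": {"kinds": [{"kind": "HTTPRoute"}],
                                                     "namespaces": {"from": "All"}}}]}}
ROUTE = {"kind": "HTTPRoute",
         "metadata": {"name": "http-bin-route", "namespace": "http"},
         "spec": {"parentRefs": [{"kind": "Gateway", "name": "global-ext-lb1",
                                  "namespace": "default"}]}}

def namespace_allowed(listener, gw_ns, route_ns, ns_labels):
    """Apply allowedRoutes.namespaces: All admits every namespace, Same only the Gateway's."""
    policy = listener.get("allowedRoutes", {}).get("namespaces", {})
    mode = policy.get("from", "Same")  # Gateway API default when unset
    if mode == "Selector":  # matchLabels only; absent or empty is treated as no match
        want = policy.get("selector", {}).get("matchLabels")
        return bool(want) and all(ns_labels.get(k) == v for k, v in want.items())
    return mode == "All" or (mode == "Same" and route_ns == gw_ns)

def attached_listeners(gateway, route, ns_labels=None):
    """Listener names the route attaches to; [] corresponds to Attached Routes: 0."""
    gw, rt = gateway["metadata"], route["metadata"]
    # A parentRef without a namespace points at the route's own namespace.
    if not any(ref.get("kind", "Gateway") == "Gateway" and ref["name"] == gw["name"]
               and ref.get("namespace", rt["namespace"]) == gw["namespace"]
               for ref in route["spec"]["parentRefs"]):
        return []
    attached = []
    for listener in gateway["spec"]["listeners"]:
        kinds = [k["kind"] for k in listener.get("allowedRoutes", {}).get("kinds", [])]
        if (not kinds or route["kind"] in kinds) and namespace_allowed(
                listener, gw["namespace"], rt["namespace"], ns_labels or {}):
            attached.append(listener["name"])
    return attached

def compare_policies(gateway, route, ns_labels, selector_labels):
    """Listeners the route attaches to under each allowedRoutes.namespaces mode."""
    results = {}
    for policy in ({"from": "All"}, {"from": "Same"},
                   {"from": "Selector", "selector": {"matchLabels": selector_labels}}):
        gw = copy.deepcopy(gateway)  # leave the caller's manifest untouched
        for listener in gw["spec"]["listeners"]:
            listener.setdefault("allowedRoutes", {})["namespaces"] = policy
        results[policy["from"]] = attached_listeners(gw, route, ns_labels)
    return results

if __name__ == "__main__":  # route namespace "http" carries no labels in this run
    print(compare_policies(GATEWAY, ROUTE, {}, {"gateway-access": "true"}))
```

With `from: Same` the page's route would not attach and step 8 would report `Attached Routes: 0`; `from: Selector` admits the `http` namespace only once it carries the selected label.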

What's next

Learn how to Install the APIM Operator.