APIM Operator: Before you begin

This page applies to Apigee, but not to Apigee hybrid.

View Apigee Edge documentation.

This page describes the steps you must complete before you can install and configure the Apigee APIM Operator for Kubernetes (Preview). To learn more about the benefits of using the APIM Operator, see Apigee APIM Operator for Kubernetes overview.

Required roles

To get the permissions that you need to set up the resources required to install and use the APIM Operator, ask your administrator to grant you the following IAM roles on the organization:

Create and manage the Google Kubernetes Engine (GKE) cluster: Container Admin (roles/container.admin)
Create and manage service accounts: Service Account Admin (roles/iam.serviceAccountAdmin)
Create and manage service extensions: Service Extensions Admin (roles/networkservices.serviceExtensionsAdmin)
Create and manage network endpoint groups (NEGs): Compute Instance Admin (roles/compute.instanceAdmin)
Create and manage backend services: Compute Load Balancer Admin (roles/compute.loadBalancerAdmin)
Create and manage Apigee resources: Apigee Admin (roles/apigee.admin)

For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Required set up tasks

Before you install the APIM Operator, make sure to complete the following tasks to set up the resources you need to use the feature:

Provision an Apigee instance using version 1-14-0-apigee-4 or later.
You can view instance versions in the Instance details page of the Apigee UI in Google Cloud console.Go to the Instances page in the Google Cloud console to select an instance and view its details:
Go to Instances

You can use APIM Operator with a Subscription or Pay-as-you-go Apigee organization. For more details about provisioning paid Apigee instances, see Before you begin.
Install the Google Cloud CLI.

After the Google Cloud CLI is installed, run the gcloud components update command to get the latest gcloud components.
Install and configure the kubectl command-line tool.
Install Helm (version v3.14.3 or later).
Create a GKE cluster with Workload Identity Federation for GKE and GKE Gateway enabled.

Workload Identity Federation for GKE is enabled by default when using Autopilot mode to create and manage your clusters. For more information, see Autopilot overview.

For the steps required to create a new cluster with Workload Identity Federation for GKE and GKE Gateway enabled using Autopilot, see Deploying Gateways.

Note: If you are using Standard mode to create and manage your clusters, you must manually enable Workload Identity Federation for GKE and GKE Gateway. For more information, see Workload Identity and Deploying Gateways.
Deploy a GKE Gateway to your cluster.
You can choose to configure and deploy an internal Gateway or an external Gateway to use with APIM Operator. If you choose to deploy an internal Gateway, a proxy-only subnet and shared VPC are required. For the purposes of this guide, we recommend that you deploy an external Gateway. For more information, see GKE Gateway controller requirements.
Note: If you plan to deploy more than one GKE Gateway in the same region, both Gateways must be of the same type (internal or external). You can't deploy an internal Gateway and an external Gateway in the same region. The example configurations in this guide use an external Gateway.

To deploy the GKE Gateway, use the steps outlined in Deploy an external Gateway. When you create the Gateway, use the following yaml configuration:
```
# gateway.yaml
  kind: Gateway
  apiVersion: gateway.networking.k8s.io/v1beta1
  metadata:
    name: global-ext-lb1
    namespace: default
  spec:
    gatewayClassName: gke-l7-global-external-managed
    listeners:
    - name: http
      protocol: HTTP
      allowedRoutes:
        kinds:
        - kind: HTTPRoute
        namespaces:
          from: All
  port: 80
```

Deploy the HTTPRoute resource to your cluster to map traffic from the Gateway to your backend service.

For more information on the HTTPRoute resource, see Deploy the HTTPRoute (for internal Gateways) or Create an HTTPRoute (for external Gateways).

For the purposes of this guide, we recommend that you deploy an external Gateway and HTTPRoute, following the steps in Create an HTTPRoute. When you create the HTTPRoute, use the following yaml configuration:

# httproute.yaml
kind: HTTPRoute
apiVersion: gateway.networking.k8s.io/v1beta1
metadata:
  name: http-bin-route
  namespace: http
spec:
  parentRefs:
  - kind: Gateway
    name: global-ext-lb1
    namespace: default
  hostnames:
  - apigee-apim-operator-test.apigee.net
  rules:
  - matches:
    - path:
        value: /
    backendRefs:
    - name: httpbin
      kind: Service
      port: 80
      namespace: http

Verify the GKE Gateway setup to confirm that it is working as expected:

Get the Gateway details using the following command:
```
kubectl get gateway GATEWAY_NAME
```
Where GATEWAY_NAME is the name of the GKE Gateway you created.

For example:
```
kubectl get gateway global-ext-lb1
```
The output should appear similar to the following:
```
NAME             CLASS                            ADDRESS        PROGRAMMED   AGE
global-ext-lb1   gke-l7-global-external-managed   34.54.193.72   True         11d
```
Confirm that an IP address is assigned to the Gateway and that the value of PROGRAMMED is True.

Describe the Gateway to confirm the route is attached:

kubectl describe gateway GATEWAY_NAME

For example:

kubectl describe gateway global-ext-lb1

The output should look similar to the following:

...
  Listeners:
    Attached Routes:  1
    Conditions:
      Last Transition Time:  2024-10-03T03:10:17Z
...

Confirm that the value of Attached Routes is 1, indicating that the route is attached.

Send a request to the Gateway:

curl http://GATEWAY_IP_ADDRESS/get -k \
    -H "Host: HOST_NAME"

Where:

GATEWAY_IP_ADDRESS is the IP address of the Gateway. You can retrieve the Gateway IP address using the following command, where GATEWAY_NAME is the name of the Gateway:
```
kubectl get gateways.gateway.networking.k8s.io GATEWAY_NAME -o=jsonpath="{.status.addresses[0].value}"
```
HOST_NAME is the hostname defined in the Gateway's HTTPRoute. You can retrieve the HOST_NAME using the following command:
```
kubectl get HTTPRoute HTTPROUTE_NAME -n NAMESPACE
```

For example:

curl http://34.54.193.72/get -k \
-H "Host: apigee-apim-operator-test.apigee.net"

The response should appear similar to the following:

  {
    "args": {},
    "headers": {
      "Accept": "*/*",
      "Host": "apigee-apim-operator-test.apigee.net",
      "User-Agent": "curl/8.7.1",
      "X-Cloud-Trace-Context": "2bb8a80e29e80662ff9cb89971c447d9/13083106619927322701"
    },
    "origin": "67.164.1.10,34.54.193.72",
    "url": "http://apigee-apim-operator-test.apigee.net/get"
  }

What's next

Learn how to Install the APIM Operator.