This page applies to Apigee, but not to Apigee hybrid.
This page describes the steps you must complete before you can install and configure the Apigee APIM Operator for Kubernetes (Preview). To learn more about the benefits of using the APIM Operator, see Apigee APIM Operator for Kubernetes overview.
Required roles
To get the permissions that you need to set up the resources required to install and use the APIM Operator, ask your administrator to grant you the following IAM roles on the organization:
- Create and manage the Google Kubernetes Engine (GKE) cluster: Container Admin (roles/container.admin)
- Create and manage service accounts: Service Account Admin (roles/iam.serviceAccountAdmin)
- Create and manage service extensions: Service Extensions Admin (roles/networkservices.serviceExtensionsAdmin)
- Create and manage network endpoint groups (NEGs): Compute Instance Admin (roles/compute.instanceAdmin)
- Create and manage backend services: Compute Load Balancer Admin (roles/compute.loadBalancerAdmin)
- Create and manage Apigee resources: Apigee Admin (roles/apigee.admin)
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Required setup tasks
Before you install the APIM Operator, make sure to complete the following tasks to set up the resources you need to use the feature:
- Provision an Apigee instance using version 1-14-0-apigee-4 or later.
  You can view instance versions in the Instance details page of the Apigee UI in Google Cloud console. Go to the Instances page in the Google Cloud console to select an instance and view its details.
  You can use APIM Operator with a Subscription or Pay-as-you-go Apigee organization. For more details about provisioning paid Apigee instances, see Before you begin.
- Install the Google Cloud CLI.
  After the Google Cloud CLI is installed, run the gcloud components update command to get the latest gcloud components.
- Install and configure the kubectl command-line tool.
- Install Helm (version v3.14.3 or later).
- Create a GKE cluster with Workload Identity Federation for GKE and GKE Gateway enabled.
  Workload Identity Federation for GKE is enabled by default when using Autopilot mode to create and manage your clusters. For more information, see Autopilot overview.
  For the steps required to create a new cluster with Workload Identity Federation for GKE and GKE Gateway enabled using Autopilot, see Deploying Gateways.
- Deploy a GKE Gateway to your cluster.
  You can choose to configure and deploy an internal Gateway or an external Gateway to use with APIM Operator. If you choose to deploy an internal Gateway, a proxy-only subnet and shared VPC are required. For the purposes of this guide, we recommend that you deploy an external Gateway. For more information, see GKE Gateway controller requirements.
  To deploy the GKE Gateway, use the steps outlined in Deploy an external Gateway. When you create the Gateway, use the following yaml configuration:

      # gateway.yaml
      kind: Gateway
      apiVersion: gateway.networking.k8s.io/v1beta1
      metadata:
        name: global-ext-lb1
        namespace: default
      spec:
        gatewayClassName: gke-l7-global-external-managed
        listeners:
        - name: http
          protocol: HTTP
          allowedRoutes:
            kinds:
            - kind: HTTPRoute
            namespaces:
              from: All
          port: 80
- Deploy the HTTPRoute resource to your cluster to map traffic from the Gateway to your backend service.
  For more information on the HTTPRoute resource, see Deploy the HTTPRoute (for internal Gateways) or Create an HTTPRoute (for external Gateways).
  For the purposes of this guide, we recommend that you deploy an external Gateway and HTTPRoute, following the steps in Create an HTTPRoute. When you create the HTTPRoute, use the following yaml configuration:

      # httproute.yaml
      kind: HTTPRoute
      apiVersion: gateway.networking.k8s.io/v1beta1
      metadata:
        name: http-bin-route
        namespace: http
      spec:
        parentRefs:
        - kind: Gateway
          name: global-ext-lb1
          namespace: default
        hostnames:
        - apigee-apim-operator-test.apigee.net
        rules:
        - matches:
          - path:
              value: /
          backendRefs:
          - name: httpbin
            kind: Service
            port: 80
            namespace: http
- Verify the GKE Gateway setup to confirm that it is working as expected:
  - Get the Gateway details using the following command:

        kubectl get gateway GATEWAY_NAME

    Where GATEWAY_NAME is the name of the GKE Gateway you created.
    For example:

        kubectl get gateway global-ext-lb1

    The output should appear similar to the following:

        NAME             CLASS                            ADDRESS        PROGRAMMED   AGE
        global-ext-lb1   gke-l7-global-external-managed   34.54.193.72   True         11d

    Confirm that an IP address is assigned to the Gateway and that the value of PROGRAMMED is True.
  - Describe the Gateway to confirm the route is attached:

        kubectl describe gateway GATEWAY_NAME

    For example:

        kubectl describe gateway global-ext-lb1

    The output should look similar to the following:

        ...
        Listeners:
          Attached Routes:  1
          Conditions:
            Last Transition Time:  2024-10-03T03:10:17Z
        ...

    Confirm that the value of Attached Routes is 1, indicating that the route is attached.
  - Send a request to the Gateway:

        curl http://GATEWAY_IP_ADDRESS/get -k \
          -H "Host: HOST_NAME"

    Where:
    - GATEWAY_IP_ADDRESS is the IP address of the Gateway. You can retrieve the Gateway IP address using the following command, where GATEWAY_NAME is the name of the Gateway:

          kubectl get gateways.gateway.networking.k8s.io GATEWAY_NAME -o=jsonpath="{.status.addresses[0].value}"

    - HOST_NAME is the hostname defined in the Gateway's HTTPRoute. You can retrieve the HOST_NAME using the following command:

          kubectl get HTTPRoute HTTPROUTE_NAME -n NAMESPACE

    For example:

        curl http://34.54.193.72/get -k \
          -H "Host: apigee-apim-operator-test.apigee.net"

    The response should appear similar to the following:

        {
          "args": {},
          "headers": {
            "Accept": "*/*",
            "Host": "apigee-apim-operator-test.apigee.net",
            "User-Agent": "curl/8.7.1",
            "X-Cloud-Trace-Context": "2bb8a80e29e80662ff9cb89971c447d9/13083106619927322701"
          },
          "origin": "67.164.1.10,34.54.193.72",
          "url": "http://apigee-apim-operator-test.apigee.net/get"
        }
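The readiness checks from the verification steps above, applied to the Gateway object as JSON (the output of kubectl get gateway GATEWAY_NAME -o json), shown as an added example that is not part of the original page. It also reports two properties of the gateway.yaml used in this guide that are worth reviewing before the same Gateway is reused outside a test setup: the listener serves cleartext HTTP, and allowedRoutes accepts routes from all namespaces. The sample object is constructed from the values shown on this page, and the function name check_gateway is hypothetical.

```python
import json

# Constructed sample of `kubectl get gateway global-ext-lb1 -o json`, trimmed to
# the fields the checks read. Values mirror the example output on this page.
SAMPLE_GATEWAY = json.loads("""
{
  "metadata": {"name": "global-ext-lb1", "namespace": "default"},
  "spec": {
    "listeners": [
      {"name": "http", "protocol": "HTTP", "port": 80,
       "allowedRoutes": {"kinds": [{"kind": "HTTPRoute"}],
                         "namespaces": {"from": "All"}}}
    ]
  },
  "status": {
    "addresses": [{"type": "IPAddress", "value": "34.54.193.72"}],
    "conditions": [{"type": "Programmed", "status": "True"}],
    "listeners": [{"name": "http", "attachedRoutes": 1}]
  }
}
""")


def check_gateway(gw):
    """Return (readiness_problems, exposure_notes) for a Gateway object."""
    problems, notes = [], []
    status = gw.get("status", {})
    if not status.get("addresses"):
        problems.append("no IP address assigned")
    programmed = any(c.get("type") == "Programmed" and c.get("status") == "True"
                     for c in status.get("conditions", []))
    if not programmed:
        problems.append("PROGRAMMED is not True")
    # status.listeners[].attachedRoutes is what `kubectl describe` prints
    attached = {l["name"]: l.get("attachedRoutes", 0)
                for l in status.get("listeners", [])}
    for listener in gw.get("spec", {}).get("listeners", []):
        name = listener["name"]
        if attached.get(name, 0) < 1:
            problems.append(f"listener {name}: no attached routes")
        if listener.get("protocol") == "HTTP":
            notes.append(f"listener {name}: cleartext HTTP on port {listener.get('port')}")
        # Gateway API defaults to "Same" when allowedRoutes.namespaces is omitted
        scope = listener.get("allowedRoutes", {}).get("namespaces", {}).get("from", "Same")
        if scope == "All":
            notes.append(f"listener {name}: routes from any namespace may attach")
    return problems, notes


if __name__ == "__main__":
    print(check_gateway(SAMPLE_GATEWAY))
```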
What's next
Learn how to Install the APIM Operator.