Obtain TLS credentials: An example

This topic is intended as an example only. It explains how to obtain a TLS certificate from the certificate authority (CA) Let's Encrypt. These steps are provided primarily as an example to follow if you do not have another ready way to obtain a certificate/key pair that is authorized by a CA. The example shows how to generate certificates using the Let's Encrypt CA, the Certbot client, and Google Cloud Platform Cloud DNS.

Where you can use these credentials

You must provide TLS credentials for two Istio ingress gateways that are exposed outside the cluster:

Gateway TLS requirement
MART ingress gateway Requires an authorized TLS certificate/key pair.
Runtime ingress gateway You can use a self-signed certificate/key pair or authorized TLS credentials.
See also External connections.

Requirements

  • You will need a domain name obtained through a domain name registrar. You can register a domain name through Google Domains or another domain registrar of your choice.

Configure Cloud DNS

To obtain authorized TLS credentials, you must have a qualified domain name. The following steps explain how to Google Cloud DNS to obtain a domain name and manage your domain servers.
  1. Open the Google Cloud console and log in with the account you created in Step 1: Create a Google Cloud account.
  2. Select the project that you created in Step 2: Create a GCP project.
  3. Enable the DNS API. See Enabling APIs.
  4. Create two static IP addresses:
    • If you are on GKE, follow the instructions in Reserving a static external IP address to create two static IP addresses. You can give the addresses any name you wish, for example: apigee-hybrid-mart and apigee-hybrid-runtime. When you finish, you will have two IP numbers to use in the cluster configuration in the next step. For example: 35.225.131.189 and 34.66.75.196
    • If you are on Anthos GKE, follow instructions in the Anthos GKE documentation to create two static IP addresses.
  5. Create a managed public zone. For instructions, see Create a managed public zone.
  6. Get the External IP you reserved for the apigee-hybrid-mart.
  7. Create record set for the MART endpoint. Enter the External IP you obtained in the previous step and add a prefix to the domain name, such as mart. For instructions, see Create a new record.

  8. Get the External IP that you reserved for apigee-hybrid-runtime.
  9. Create record set for the Istio ingress endpoint. This is the address for making API calls to the hybrid gateway. Enter the External IP you obtained in the previous step and add a prefix to the domain name, such as apitest. For instructions, see Create a new record.

  10. Copy the DNS record data, as shown in the following example:

  11. Return to your domain page at Google Domains.
  12. Select your domain.
  13. Select DNS.
  14. In the Name Servers section, click Edit.
  15. Enter the domain name servers that you copied from the Network Services Cloud DNS page:

Now, your Google Cloud DNS will manage the DNS records for your domain.

Install Certbot on a VM

Now that you have Cloud DNS set up to manage your domain servers, you will install the Certbot client with the dns_google plugin on a Cloud VM. The client enables you to get authorized certificates for your domain from a Let's Encrypt endpoint.

  1. Open the Google Cloud console and log in with the account you created in Step 1: Create a Google Cloud account.
  2. Select the project that you created in Step 2: Create a GCP project.
  3. Select IAM & admin > Service accounts.

    The Service accounts view displays a list of the project’s service accounts.

  4. To create a new service account, click +Create Service Account at the top of the view.

    The Service account details view displays.

  5. In the Service account name field, enter the name of the service account.

    You can optionally add a description in the Service account description field. Descriptions are helpful at reminding you what a particular service account is used for.

  6. Click Create.

    GCP creates a new service account and displays the Service account permissions view. Use this view to assign a role to your new service account.

  7. Click the Select a role drop-down list.
  8. Select the Project Owner role.
  9. Click Continue.
  10. Click Done.
  11. In the GCP console, select Compute Engine > VM Instances.
  12. Create a VM instance named certmanager.
  13. Under the Boot Disk section, choose CentOS7 and 20 GB for the SSD persistent drive.
  14. Set the Service Account to the one you created above.
  15. Install Certbot and the dns_google plugin on the machine and run the Certbot client:
      sudo su -
      yum -y install yum-utils
      yum install certbot -y
      yum install certbot-dns-google -y
      certbot certonly --dns-google -d *.your_domain_name,*.your_domain_name --server https://acme-v02.api.letsencrypt.org/directory
      

    For example:

    sudo su -
    yum -y install yum-utils
    yum install certbot -y
    yum install certbot-dns-google -y
    certbot certonly --dns-google -d *.apigee-hybrid-docs.net,*.apigee-hybrid-docs.net --server https://acme-v02.api.letsencrypt.org/directory
    
  16. You can now find your authorized certificate and private key files in this directory: cd /etc/letsencrypt/live/your_domain_name/

    For example:

    cd /etc/letsencrypt/live/apigee-hybrid-docs.net
    ls
      cert.pem  chain.pem  fullchain.pem  privkey.pem  README

  17. Copy the files fullchain.pem and privkey.pem to your local machine.
  18. Update your overrides file to point to the certificate and private key. For the hostAlias, use the DNS name that you created previously.

    For example:

    envs:
      - name: test
        sslCertPath: "$HOME/hybrid/apigee-hybrid-setup/tls/fullchain.pem"
        sslKeyPath: "$HOME/hybrid/apigee-hybrid-setup/tls/privkey.pem"
        hostAlias: "apitest.apigee-hybrid-docs.net"
    mart:
      nodeSelector:
        key: cloud.google.com/gke-nodepool
        value: apigee-runtime
      sslCertPath: "$HOME/hybrid/apigee-hybrid-setup/tls/fullchain.pem"
      sslKeyPath: "$HOME/hybrid/apigee-hybrid-setup/tls/privkey.pem"
      replicaCountMin: 1
      replicaCountMax: 1
      hostAlias: "mart.apigee-hybrid-docs.net"
  19. Apply the changes:

    If you changed the mart configuration, apply the changes:

    apigeectl apply -f your_overrides_file -c mart

    If you changed the envs configuration, apply the changes:

    apigeectl apply -f your_overrides_file -c runtime
  20. Test the configuration

    Deploy and test a proxy, as explained in Create and deploy a new API proxy.