This topic explains how to enable non-SNI clients, HTTP clients, and a combination of both for use with Apigee hybrid.
How to configure a non-SNI client
This section explains how to enable support for non-SNI (Server Name Indication) clients in Apigee hybrid. Non-SNI client support uses port 443 and is required if you want to integrate hybrid runtime instances with Google Cloud Load Balancing or to serve clients that do not support SNI.
- Create an ApigeeRoute custom resource definition (CRD). Be sure that enableNonSniClient is set to true:
  apiVersion: apigee.cloud.google.com/v1alpha1
  kind: ApigeeRoute
  metadata:
    name: route_name
    namespace: apigee
  spec:
    hostnames:
    - "*"
    ports:
    - number: 443
      protocol: HTTPS
      tls:
        credentialName: credential_name
        mode: SIMPLE
        #optional
        minProtocolVersion: TLS_AUTO
    selector:
      app: apigee-ingressgateway
    enableNonSniClient: true
  Where:
  - route_name is the name you give to the CRD.
  - credential_name is the name of a Kubernetes Secret deployed to the cluster that contains TLS credentials for your virtualhost. You can find the credential name with the following kubectl command:
    kubectl -n apigee get ApigeeRoutes -o=yaml | grep credentialName
  - hostnames must be set to the wildcard "*".
 
- Open your overrides file and make the change described in the next step.
- For each environment group, add the ApigeeRoute name to the additionalGateways property. For example:
  virtualhosts:
    - name: default
      sslCertPath: ./certs/fullchain.pem
      sslKeyPath: ./certs/privkey.pem
      additionalGateways: ["route_name"]
- Save the CRD file. For example: ApigeeRoute.yaml
- Apply the CRD to the cluster:
  kubectl apply -f ApigeeRoute.yaml -n apigee 
- Apply the change to virtualhosts:
  $APIGEECTL_HOME/apigeectl apply -f overrides.yaml --settings virtualhosts --env $ENVIRONMENT
Usage notes
- What happens if the cluster has more than one org?
  Since the ingress is at the cluster level for a given port (443), and there can only be one key/cert pair for the ApigeeRoute CRD, all orgs must share the same key/cert pair. 
- What happens if the cluster has more than one environment group? Will it work if the virtual hosts share the same key/cert pair?
  All hostnames across all environment groups must use the same key/cert pair. 
- Why are we creating an ApigeeRoute instead of Gateway?
  ApigeeRoutes can be validated by Apigee; a Gateway (the Istio CRD) cannot be. Technically, a Gateway can also work, but using an ApigeeRoute lets us prevent potential configuration mistakes through a validation webhook.
Enable HTTP clients
This section explains support for HTTP clients for use with Apigee hybrid.
- Create an ApigeeRoute custom resource definition (CRD). For example:
  apiVersion: apigee.cloud.google.com/v1alpha1
  kind: ApigeeRoute
  metadata:
    name: route_name
    namespace: apigee
  spec:
    hostnames:
    - "*"
    ports:
    - number: 80
      protocol: HTTP
    selector:
      app: istio-ingressgateway
    enableNonSniClient: true
  Where:
  - route_name is the name you give to the CRD.
  - hostnames must be set to the wildcard "*".
 
- Open your overrides file and make the change described in the next step.
- For each environment group, add the ApigeeRoute name to the additionalGateways property. For example:
  virtualhosts:
    - name: default
      sslCertPath: ./certs/fullchain.pem
      sslKeyPath: ./certs/privkey.pem
      additionalGateways: ["route_name"]
- Save the CRD file. For example: ApigeeRoute.yaml
- Apply the CRD to the cluster:
  kubectl apply -f ApigeeRoute.yaml -n apigee 
- Apply the change to virtualhosts:
  $APIGEECTL_HOME/apigeectl apply -f overrides.yaml --settings virtualhosts --env $ENVIRONMENT
Enable support for both non-SNI and HTTP clients
This section explains how to enable both non-SNI (port 443) and HTTP (port 80) clients for use with Apigee hybrid.
- Create an ApigeeRoute custom resource definition (CRD). For example:
  apiVersion: apigee.cloud.google.com/v1alpha1
  kind: ApigeeRoute
  metadata:
    name: route_name
    namespace: apigee
  spec:
    hostnames:
    - "*"
    ports:
    - number: 443
      protocol: HTTPS
      tls:
        credentialName: credential_name
        mode: SIMPLE
        #optional
        minProtocolVersion: TLS_AUTO
    - number: 80
      protocol: HTTP
    selector:
      app: istio-ingressgateway
    enableNonSniClient: true
  Where:
  - route_name is the name you give to the CRD.
  - hostnames must be set to the wildcard "*".
  - credential_name is the name of a Kubernetes Secret deployed to the cluster that contains TLS credentials for your virtualhost. You can find the credential name with the following kubectl command:
    kubectl -n apigee get ApigeeRoutes -o=yaml | grep credentialName
 
- Open your overrides file and make the change described in the next step.
- For each environment group, add the ApigeeRoute name to the additionalGateways property. For example:
  virtualhosts:
    - name: default
      sslCertPath: ./certs/fullchain.pem
      sslKeyPath: ./certs/privkey.pem
      additionalGateways: ["route_name"]
- Save the CRD file. For example: ApigeeRoute.yaml
- Apply the CRD to the cluster:
  kubectl apply -f ApigeeRoute.yaml -n apigee 
- Apply the change to virtualhosts:
  $APIGEECTL_HOME/apigeectl apply -f overrides.yaml --settings virtualhosts --env $ENVIRONMENT
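
A pre-apply check for the three procedures above, as an added example that is not part of the Apigee documentation or tooling: it audits an ApigeeRoute manifest and the overrides virtualhosts against the rules this page states (wildcard hostnames, enableNonSniClient, a credentialName on the HTTPS port, the route listed in every environment group's additionalGateways) and reports any plaintext port 80 listener as a warning. The function name audit_route, the route name non-sni-route, the secret name example-tls-secret and the second environment group are assumptions made for illustration; the inputs are dictionaries such as yaml.safe_load (PyYAML) returns for ApigeeRoute.yaml and overrides.yaml.

```python
def audit_route(route, overrides):
    """Return (errors, warnings) for one ApigeeRoute dict and one overrides dict."""
    errors, warnings = [], []
    name = route.get("metadata", {}).get("name", "")
    spec = route.get("spec", {})

    # The page requires the wildcard hostname and the non-SNI flag on these routes.
    if spec.get("hostnames") != ["*"]:
        errors.append('spec.hostnames must be ["*"]')
    if spec.get("enableNonSniClient") is not True:
        errors.append("spec.enableNonSniClient must be true")

    for port in spec.get("ports", []):
        proto, number = port.get("protocol"), port.get("number")
        if proto == "HTTPS":
            # Without a credentialName the listener has no key/cert pair to serve.
            if not port.get("tls", {}).get("credentialName"):
                errors.append(f"port {number}: HTTPS without tls.credentialName")
        elif proto == "HTTP":
            # Plaintext listener: anything sent to it crosses the network unencrypted.
            warnings.append(f"port {number}: plaintext HTTP listener exposed")
        else:
            errors.append(f"port {number}: unexpected protocol {proto!r}")

    # Every environment group's virtualhost must reference the route by name.
    for vh in overrides.get("virtualhosts", []):
        if name not in vh.get("additionalGateways", []):
            errors.append(f"virtualhost {vh.get('name')!r}: {name!r} missing from additionalGateways")
    return errors, warnings

# Constructed sample: the combined 443 + 80 route from this page, as parsed YAML.
SAMPLE_ROUTE = {
    "kind": "ApigeeRoute",
    "metadata": {"name": "non-sni-route", "namespace": "apigee"},
    "spec": {
        "hostnames": ["*"],
        "ports": [
            {"number": 443, "protocol": "HTTPS",
             "tls": {"credentialName": "example-tls-secret", "mode": "SIMPLE"}},
            {"number": 80, "protocol": "HTTP"},
        ],
        "selector": {"app": "istio-ingressgateway"},
        "enableNonSniClient": True,
    },
}
SAMPLE_OVERRIDES = {"virtualhosts": [
    {"name": "default", "additionalGateways": ["non-sni-route"]},
    {"name": "internal"},  # constructed second group that omits the route
]}

if __name__ == "__main__":
    errs, warns = audit_route(SAMPLE_ROUTE, SAMPLE_OVERRIDES)
    print("\n".join(["ERROR: " + e for e in errs] + ["WARN: " + w for w in warns]))
```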