Specify configuration overrides
The Apigee hybrid installer uses defaults for many settings; however, a few settings do not have defaults. You must provide values for these settings, as explained below.
Before you begin
We recommend that you review the following scenarios to decide whether you want to configure your cluster for them. These configurations are optional.
- If you plan to install hybrid in multiple regions, read Multi-region deployment before continuing.
- Apigee hybrid provides default passwords for the Cassandra users; however, we recommend that you change the default user passwords. For details, see Configure TLS for Cassandra.
- If you want to configure storage and heap settings for Cassandra, see Configure storage and heap settings.
- For production installations, configure persistent solid-state disk (SSD) storage for Cassandra. Local SSDs are not supported for Apigee hybrid. For details, see Add SSD storage for production deployments.
Configure the cluster
By convention, configuration overrides are written to a file named overrides.yaml in the $HYBRID_FILES/overrides directory.
- Create a new file named overrides.yaml in the $HYBRID_FILES/overrides directory. For example: vi $HYBRID_FILES/overrides/overrides.yaml. The overrides.yaml file provides the configuration for your unique Apigee hybrid installation. The overrides file in this step provides a basic configuration for a small-footprint hybrid runtime installation, suitable for a first installation.
- In overrides.yaml, add the required property values shown below. A detailed description of each property follows the templates. If you are installing Apigee hybrid on GKE and plan to use Workload Identity to authenticate the hybrid components, select the GKE - Workload Identity tab to configure your overrides.yaml file. For all other installations, select the Non-prod or Prod tab, depending on the choice you made in Step 4: Create service accounts and credentials.
For installations in production environments, review the storage requirements for the Cassandra database in Configure Cassandra for production.
GKE - Workload Identity
Make sure the overrides.yaml file has the following structure and syntax. The UPPER_CASE placeholder values are the property values that you must provide; they are described in the table below. If you are installing Apigee hybrid on GKE, you also have the option of authenticating to and making requests to Google APIs with Workload Identity. For an overview of Workload Identity, see the GKE Workload Identity documentation.
To use Workload Identity for Apigee hybrid on GKE, use this template, and then follow the steps in Step 8: Install the hybrid runtime to create Kubernetes service accounts and associate them with the Google service accounts you created in Step 4: Create service accounts and credentials.
```yaml
gcp:
  region: ANALYTICS_REGION
  projectID: GCP_PROJECT_ID
  workloadIdentityEnabled: true

k8sCluster:
  name: CLUSTER_NAME
  region: CLUSTER_LOCATION # Must be the closest Google Cloud region to your cluster.

org: ORG_NAME

instanceID: "UNIQUE_INSTANCE_IDENTIFIER"

ao:
  image:
    url: "gcr.io/apigee-release/hybrid/apigee-operators"
    tag: "1.11.2-hotfix.2" # Required for Apigee hybrid v1.11.2

runtime:
  image:
    url: "gcr.io/apigee-release/hybrid/apigee-runtime"
    tag: "1.11.2-hotfix.2" # Required for Apigee hybrid v1.11.2

cassandra:
  hostNetwork: false # false for all GKE installations.
    # See Multi-region deployment: Prerequisites
  replicaCount: 3 # Use 1 for demo installations and multiples of 3 for production.
    # See Configure Cassandra for production for guidelines.
  backup:
    enabled: true # Set to true for initial installation.
    # This triggers apigeectl to create the apigee-cassandra-backup Kubernetes service account.
    # See Cassandra backup overview for instructions on using cassandra.backup.

virtualhosts:
  - name: ENVIRONMENT_GROUP_NAME
    selector:
      app: apigee-ingressgateway
      ingress_name: INGRESS_NAME
    sslCertPath: ./certs/CERT_NAME.pem
    sslKeyPath: ./certs/KEY_NAME.key

ingressGateways:
  - name: INGRESS_NAME # maximum 17 characters.
    replicaCountMin: 2
    replicaCountMax: 10
    svcAnnotations: # optional. If you are on AKS, see Known issue #260772383
      SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE
    svcLoadBalancerIP: SVC_LOAD_BALANCER_IP # optional

envs:
  - name: ENVIRONMENT_NAME

logger:
  enabled: false # Set to false for all GKE installations.
```
Non-prod
Make sure the overrides.yaml file has the following structure and syntax. The UPPER_CASE placeholder values are the property values that you must provide; they are described in the table below. The Google Cloud project region and the Kubernetes cluster region differ between platforms. Select the platform on which you are installing Apigee hybrid.
```yaml
gcp:
  region: ANALYTICS_REGION
  projectID: GCP_PROJECT_ID

k8sCluster:
  name: CLUSTER_NAME
  region: CLUSTER_LOCATION # Must be the closest Google Cloud region to your cluster.

org: ORG_NAME

instanceID: "UNIQUE_INSTANCE_IDENTIFIER"

ao:
  image:
    url: "gcr.io/apigee-release/hybrid/apigee-operators"
    tag: "1.11.2-hotfix.2" # Required for Apigee hybrid v1.11.2

runtime:
  image:
    url: "gcr.io/apigee-release/hybrid/apigee-runtime"
    tag: "1.11.2-hotfix.2" # Required for Apigee hybrid v1.11.2

cassandra:
  replicaCount: 1 # Use 1 for non-prod or "demo" installations and multiples of 3 for production.
    # See Configure Cassandra for production for guidelines.
  hostNetwork: false # Set to false for single region installations and multi-region installations
    # with connectivity between pods in different clusters, for example GKE installations.
    # Set to true for multi-region installations with no communication between
    # pods in different clusters, for example GKE On-prem, GKE on AWS, Anthos on bare metal,
    # AKS, EKS, and OpenShift installations.
    # See Multi-region deployment: Prerequisites

virtualhosts:
  - name: ENVIRONMENT_GROUP_NAME
    selector:
      app: apigee-ingressgateway
      ingress_name: INGRESS_NAME
    sslCertPath: ./certs/CERT_NAME.pem
    sslKeyPath: ./certs/KEY_NAME.key

ingressGateways:
  - name: INGRESS_NAME # maximum 17 characters.
    replicaCountMin: 2
    replicaCountMax: 10
    svcAnnotations: # optional. If you are on AKS, see Known issue #260772383
      SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE
    svcLoadBalancerIP: SVC_LOAD_BALANCER_IP # optional

envs:
  - name: ENVIRONMENT_NAME
    serviceAccountPaths:
      synchronizer: NON_PROD_SERVICE_ACCOUNT_FILEPATH # For example: "./service-accounts/GCP_PROJECT_ID-apigee-non-prod.json"
      udca: NON_PROD_SERVICE_ACCOUNT_FILEPATH
      runtime: NON_PROD_SERVICE_ACCOUNT_FILEPATH

mart:
  serviceAccountPath: NON_PROD_SERVICE_ACCOUNT_FILEPATH

connectAgent:
  serviceAccountPath: NON_PROD_SERVICE_ACCOUNT_FILEPATH

metrics:
  serviceAccountPath: NON_PROD_SERVICE_ACCOUNT_FILEPATH

udca:
  serviceAccountPath: NON_PROD_SERVICE_ACCOUNT_FILEPATH

watcher:
  serviceAccountPath: NON_PROD_SERVICE_ACCOUNT_FILEPATH

logger:
  enabled: false # Set to false to disable logger for GKE installations.
    # Set to true for all platforms other than GKE.
    # See apigee-logger in Service accounts and roles used by hybrid components.
  serviceAccountPath: NON_PROD_SERVICE_ACCOUNT_FILEPATH
```
Prod
Make sure the overrides.yaml file has the following structure and syntax. The UPPER_CASE placeholder values are the property values that you must provide; they are described in the table below. The Google Cloud project region and the Kubernetes cluster region differ between platforms. Select the platform on which you are installing Apigee hybrid.
```yaml
gcp:
  region: ANALYTICS_REGION
  projectID: GCP_PROJECT_ID

k8sCluster:
  name: CLUSTER_NAME
  region: CLUSTER_LOCATION # Must be the closest Google Cloud region to your cluster.

org: ORG_NAME

instanceID: "UNIQUE_INSTANCE_IDENTIFIER"

ao:
  image:
    url: "gcr.io/apigee-release/hybrid/apigee-operators"
    tag: "1.11.2-hotfix.2" # Required for Apigee hybrid v1.11.2

runtime:
  image:
    url: "gcr.io/apigee-release/hybrid/apigee-runtime"
    tag: "1.11.2-hotfix.2" # Required for Apigee hybrid v1.11.2

cassandra:
  hostNetwork: false # Set to false for single region installations and multi-region installations
    # with connectivity between pods in different clusters, for example GKE installations.
    # Set to true for multi-region installations with no communication between
    # pods in different clusters, for example GKE On-prem, GKE on AWS, Anthos on bare metal,
    # AKS, EKS, and OpenShift installations.
    # See Multi-region deployment: Prerequisites
  replicaCount: 3 # Use multiples of 3 for production.
    # See Configure Cassandra for production for guidelines.
  storage:
    capacity: 500Gi
  resources:
    requests:
      cpu: 7
      memory: 15Gi
  maxHeapSize: 8192M
  heapNewSize: 1200M
    # Minimum storage requirements for a production environment.
    # See Configure Cassandra for production.

virtualhosts:
  - name: ENVIRONMENT_GROUP_NAME
    selector:
      app: apigee-ingressgateway
      ingress_name: INGRESS_NAME
    sslCertPath: ./certs/CERT_NAME.pem
    sslKeyPath: ./certs/KEY_NAME.key

ingressGateways:
  - name: INGRESS_NAME # maximum 17 characters.
    replicaCountMin: 2
    replicaCountMax: 10
    svcAnnotations: # optional. If you are on AKS, see Known issue #260772383
      SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE

envs:
  - name: ENVIRONMENT_NAME
    serviceAccountPaths:
      synchronizer: SYNCHRONIZER_SERVICE_ACCOUNT_FILEPATH # For example: "./service-accounts/GCP_PROJECT_ID-apigee-synchronizer.json"
      udca: UDCA_SERVICE_ACCOUNT_FILEPATH # For example: "./service-accounts/GCP_PROJECT_ID-apigee-udca.json"
      runtime: RUNTIME_SERVICE_ACCOUNT_FILEPATH # For example: "./service-accounts/GCP_PROJECT_ID-apigee-runtime.json"

mart:
  serviceAccountPath: MART_SERVICE_ACCOUNT_FILEPATH # For example: "./service-accounts/GCP_PROJECT_ID-apigee-mart.json"

connectAgent:
  serviceAccountPath: MART_SERVICE_ACCOUNT_FILEPATH # Use the same service account for mart and connectAgent

metrics:
  serviceAccountPath: METRICS_SERVICE_ACCOUNT_FILEPATH # For example: "./service-accounts/GCP_PROJECT_ID-apigee-metrics.json"

udca:
  serviceAccountPath: UDCA_SERVICE_ACCOUNT_FILEPATH # For example: "./service-accounts/GCP_PROJECT_ID-apigee-udca.json"

watcher:
  serviceAccountPath: WATCHER_SERVICE_ACCOUNT_FILEPATH # For example: "./service-accounts/GCP_PROJECT_ID-apigee-watcher.json"

logger:
  enabled: false # Set to false to disable logger for GKE installations.
    # Set to true for all platforms other than GKE.
    # See apigee-logger in Service accounts and roles used by hybrid components.
  serviceAccountPath: LOGGER_SERVICE_ACCOUNT_FILEPATH # For example: "./service-accounts/GCP_PROJECT_ID-apigee-logger.json"
```
Example
The following example shows a completed overrides file with example property values added:
```yaml
gcp:
  region: us-central1
  projectID: hybrid-example

k8sCluster:
  name: apigee-hybrid
  region: us-central1

org: hybrid-example

instanceID: "my_hybrid_example"

ao:
  image:
    url: "gcr.io/apigee-release/hybrid/apigee-operators"
    tag: "1.11.2-hotfix.2" # Required for Apigee hybrid v1.11.2

runtime:
  image:
    url: "gcr.io/apigee-release/hybrid/apigee-runtime"
    tag: "1.11.2-hotfix.2" # Required for Apigee hybrid v1.11.2

cassandra:
  hostNetwork: false
  replicaCount: 3

virtualhosts:
  - name: example-env-group
    selector:
      app: apigee-ingressgateway
      ingress_name: my-ingress-1
    sslCertPath: ./certs/keystore.pem
    sslKeyPath: ./certs/keystore.key

ingressGateways:
  - name: my-ingress-1
    replicaCountMin: 2
    replicaCountMax: 10

envs:
  - name: test
    serviceAccountPaths:
      synchronizer: ./service-accounts/my-hybrid-project-apigee-non-prod.json # for production environments, my-hybrid-project-apigee-synchronizer.json
      udca: ./service-accounts/my-hybrid-project-apigee-non-prod.json # for production environments, my-hybrid-project-apigee-udca.json
      runtime: ./service-accounts/my-hybrid-project-apigee-non-prod.json # for production environments, my-hybrid-project-apigee-runtime.json

mart:
  serviceAccountPath: ./service-accounts/my-hybrid-project-apigee-non-prod.json # for production environments, my-hybrid-project-apigee-mart.json

connectAgent:
  serviceAccountPath: ./service-accounts/my-hybrid-project-apigee-non-prod.json # for production environments, example-hybrid-apigee-mart.json

metrics:
  serviceAccountPath: ./service-accounts/my-hybrid-project-apigee-non-prod.json # for production environments, my-hybrid-project-apigee-metrics.json

udca:
  serviceAccountPath: ./service-accounts/my-hybrid-project-apigee-non-prod.json # for production environments, my-hybrid-project-apigee-udca.json

watcher:
  serviceAccountPath: ./service-accounts/my-hybrid-project-apigee-non-prod.json # for production environments, my-hybrid-project-apigee-watcher.json

logger:
  enabled: false # Set to "false" for GKE. Set to "true" for all other Kubernetes platforms.
  serviceAccountPath: ./service-accounts/my-hybrid-project-apigee-non-prod.json # for production environments, LOGGER_SERVICE_ACCOUNT_NAME.json
```
- When you are finished, save the file.
The following table describes each of the property values that you must provide in the overrides file. For more information, see the Configuration property reference.
Variable | Description |
---|---|
ANALYTICS_REGION | In GKE, you must set this value to the region in which the cluster is running. On all other platforms, select the closest analytics region to your cluster that has Analytics support (see the table in Part 1, Step 2: Create an organization). This is the value you assigned earlier to the environment variable |
GCP_PROJECT_ID | Identifies the Google Cloud project to which apigee-logger and apigee-metrics push their data. This is the value assigned to the environment variable PROJECT_ID. |
CLUSTER_NAME | The name of your Kubernetes cluster. This is the value assigned to the environment variable CLUSTER_NAME. |
CLUSTER_LOCATION | The region in which the cluster is running. This is the region in which you created the cluster in Step 1: Create a cluster. This is the value you assigned earlier to the environment variable |
ORG_NAME | The ID of your Apigee hybrid organization. This is the value assigned to the environment variable ORG_NAME. |
UNIQUE_INSTANCE_IDENTIFIER | A unique string to identify this instance. It can be any combination of letters and numbers up to 63 characters in length. You can create multiple organizations in the same cluster, but for all organizations in the same Kubernetes cluster, |
ENVIRONMENT_GROUP_NAME | The name of the environment group to which your environments are assigned. This is the group you created in Project and org setup - Step 3: Create an environment group. This is the value assigned to the environment variable ENV_GROUP. |
CERT_NAME, KEY_NAME | Enter the names of the self-signed TLS key and certificate files you generated earlier in Step 5: Create TLS certificates. These files must be located in the base_directory/hybrid-files/certs directory. For example: sslCertPath: ./certs/keystore.pem and sslKeyPath: ./certs/keystore.key |
INGRESS_NAME | The name of the deployed Apigee ingress gateway. This can be any name that meets the requirements listed for it in the Configuration property reference (the templates above note a maximum of 17 characters). |
SVC_ANNOTATIONS_KEY:SVC_ANNOTATIONS_VALUE | (Optional) A key-value pair that provides annotations for the default ingress service. Your cloud platform uses annotations to help configure the hybrid installation, for example to set the load balancer type to internal or external. Annotations vary by platform; see your platform's documentation for required and recommended annotations. Comment out or delete this section if you are not using it. |
SVC_LOAD_BALANCER_IP | (Optional) The IP address you reserved for your load balancer. On platforms that support specifying the load balancer IP address, the load balancer is created with this IP address. On platforms that do not allow you to specify the load balancer IP, this property is ignored. Comment out or delete this section if you are not using it. |
ENVIRONMENT_NAME | Use the same name you used when you created the environment in the UI, as described in Project and org setup - Step 3: Create an environment group. |
*_SERVICE_ACCOUNT_FILEPATH | The path and filename of the service account JSON file in the service-accounts/ directory. The name must include the path to the service account file. The path can be a full path or a path relative to the hybrid-files/ directory. If you use a relative path, apigeectl, the command that applies this configuration, must be invoked from the hybrid-files/ directory. For non-production environments, the single service account has a default name. For production environments, the name is the one you used in Hybrid runtime setup - Step 4: Create service accounts and credentials. The default names of the production service accounts are: |
Summary
The configuration file tells Kubernetes how to deploy the hybrid components to the cluster. Next, you will enable Synchronizer access so that the Apigee runtime and management planes can communicate.
(Next) Step 7: Enable Synchronizer access