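Step 6: Configure the cluster

Specify configuration overrides

The Apigee Hybrid installer uses defaults for many settings; however, a few settings have no defaults. You must provide values for these settings, as explained below.

Before you begin

We recommend that you review the following scenarios to determine whether you want to configure your cluster for them. These configurations are optional.

Configure the cluster

By convention, configuration overrides are written to a file named overrides.yaml in the $HYBRID_FILES/overrides directory.

  1. Create a new file named overrides.yaml in the $HYBRID_FILES/overrides directory. For example: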
    vi $HYBRID_FILES/overrides/overrides.yaml

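    overrides.yaml provides the configuration for a unique Apigee Hybrid installation. The overrides file in this step provides a basic configuration for a small-footprint Hybrid runtime installation, suitable for a first installation.

  2. In overrides.yaml, add the required property values, shown below. A detailed description of each property is also provided below.

    If you are installing Apigee Hybrid on GKE and plan to use Workload Identity to authenticate Hybrid components, select the GKE - Workload Identity tab to configure your overrides.yaml file.

    For all other installations, select the tab for either Non-prod or Prod environments, depending on your choice in Step 4: Create service accounts and credentials.

    For installations in production environments, review the storage requirements for the Cassandra database in Configure Cassandra for production.

    GKE - Workload Identity

    Make sure the overrides.yaml file has the following structure and syntax. Values in red, bold italics are property values that you must provide. They are described in the table below.

    If you are installing Apigee Hybrid on GKE, you can also choose to use Workload Identity to authenticate and make requests to Google APIs. For an overview of Workload Identity, see:

    To use Workload Identity for Apigee Hybrid on GKE, use this template and then follow the steps in Step 8: Install the Hybrid runtime to create the Kubernetes service accounts and associate them with the Google service accounts you created in Step 4: Create service accounts and credentials.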

    gcp:
      region: ANALYTICS_REGION
      projectID: GCP_PROJECT_ID
      workloadIdentityEnabled: true
    
    k8sCluster:
      name: CLUSTER_NAME
      region: CLUSTER_LOCATION # Must be the closest Google Cloud region to your cluster.
    org: ORG_NAME
    
    instanceID: "UNIQUE_INSTANCE_IDENTIFIER"
      
    ao:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-operators"
        tag: "1.11.2-hotfix.2" # Required for Apigee hybrid v1.11.2
    
    runtime:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.11.2-hotfix.2" # Required for Apigee hybrid v1.11.2 
    
    cassandra:
      hostNetwork: false
        # false for all GKE installations.
        # See Multi-region deployment: Prerequisites
      replicaCount: 3
        # Use 1 for demo installations and multiples of 3 for production.
        # See Configure Cassandra for production for guidelines.
      backup:
        enabled: true
        # Set to true for initial installation.
        # This triggers apigeectl to create the apigee-cassandra-backup Kubernetes service account.
        # See Cassandra backup overview for instructions on using cassandra.backup.
    
    virtualhosts:
    - name: ENVIRONMENT_GROUP_NAME
      selector:
        app: apigee-ingressgateway
        ingress_name: INGRESS_NAME
      sslCertPath: ./certs/CERT_NAME.pem
      sslKeyPath: ./certs/KEY_NAME.key
    
    ingressGateways:
    - name: INGRESS_NAME # maximum 17 characters.
      replicaCountMin: 2
      replicaCountMax: 10
      svcAnnotations:  # optional. If you are on AKS, see Known issue #260772383
        SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE
      svcLoadBalancerIP: SVC_LOAD_BALANCER_IP  # optional
    
    envs:
    - name: ENVIRONMENT_NAME
    
    logger:
      enabled: false # Set to false for all GKE installations.
    
    

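    Non-prod

    Make sure the overrides.yaml file has the following structure and syntax. Values in red, bold italics are property values that you must provide. They are described in the table below.

    The Google Cloud project region and the Kubernetes cluster region differ between platforms. Select the platform where you are installing Apigee Hybrid.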

    gcp:
      region: ANALYTICS_REGION
      projectID: GCP_PROJECT_ID
    
    k8sCluster:
      name: CLUSTER_NAME
      region: CLUSTER_LOCATION # Must be the closest Google Cloud region to your cluster.
    org: ORG_NAME
    
    instanceID: "UNIQUE_INSTANCE_IDENTIFIER"
      
    ao:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-operators"
        tag: "1.11.2-hotfix.2" # Required for Apigee hybrid v1.11.2
    
    runtime:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.11.2-hotfix.2" # Required for Apigee hybrid v1.11.2 
    
    cassandra:
      replicaCount: 1
        # Use 1 for non-prod or "demo" installations and multiples of 3 for production.
        # See Configure Cassandra for production for guidelines.
      hostNetwork: false
        # Set to false for single region installations and multi-region installations
        # with connectivity between pods in different clusters, for example GKE installations.
        # Set to true  for multi-region installations with no communication between
        # pods in different clusters, for example GKE On-prem, GKE on AWS, Anthos on bare metal,
        # AKS, EKS, and OpenShift installations.
        # See Multi-region deployment: Prerequisites
    
    virtualhosts:
    - name: ENVIRONMENT_GROUP_NAME
      selector:
        app: apigee-ingressgateway
        ingress_name: INGRESS_NAME
      sslCertPath: ./certs/CERT_NAME.pem
      sslKeyPath: ./certs/KEY_NAME.key
    
    ingressGateways:
    - name: INGRESS_NAME # maximum 17 characters.
      replicaCountMin: 2
      replicaCountMax: 10
      svcAnnotations:  # optional. If you are on AKS, see Known issue #260772383
        SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE
      svcLoadBalancerIP: SVC_LOAD_BALANCER_IP  # optional
    
    envs:
    - name: ENVIRONMENT_NAME
      serviceAccountPaths:
        synchronizer: NON_PROD_SERVICE_ACCOUNT_FILEPATH
          # For example: "./service-accounts/GCP_PROJECT_ID-apigee-non-prod.json"
        udca: NON_PROD_SERVICE_ACCOUNT_FILEPATH
        runtime: NON_PROD_SERVICE_ACCOUNT_FILEPATH
    
    
    mart:
      serviceAccountPath: NON_PROD_SERVICE_ACCOUNT_FILEPATH
    
    connectAgent:
      serviceAccountPath: NON_PROD_SERVICE_ACCOUNT_FILEPATH
    
    metrics:
      serviceAccountPath: NON_PROD_SERVICE_ACCOUNT_FILEPATH
    
    udca:
      serviceAccountPath: NON_PROD_SERVICE_ACCOUNT_FILEPATH
    
    watcher:
      serviceAccountPath: NON_PROD_SERVICE_ACCOUNT_FILEPATH
    
    logger:
      enabled: false
            # Set to false to disable logger for GKE installations.
            # Set to true for all platforms other than GKE.
            # See apigee-logger in Service accounts and roles used by hybrid components.
      serviceAccountPath: NON_PROD_SERVICE_ACCOUNT_FILEPATH
    
    

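    Prod

    Make sure the overrides.yaml file has the following structure and syntax. Values in red, bold italics are property values that you must provide. They are described in the table below.

    The Google Cloud project region and the Kubernetes cluster region differ between platforms. Select the platform where you are installing Apigee Hybrid.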

    gcp:
      region: ANALYTICS_REGION
      projectID: GCP_PROJECT_ID
    
    k8sCluster:
      name: CLUSTER_NAME
      region: CLUSTER_LOCATION # Must be the closest Google Cloud region to your cluster.
    org: ORG_NAME
    
    instanceID: "UNIQUE_INSTANCE_IDENTIFIER"
      
    ao:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-operators"
        tag: "1.11.2-hotfix.2" # Required for Apigee hybrid v1.11.2
    
    runtime:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.11.2-hotfix.2" # Required for Apigee hybrid v1.11.2 
    
    cassandra:
      hostNetwork: false
        # Set to false for single region installations and multi-region installations
        # with connectivity between pods in different clusters, for example GKE installations.
        # Set to true  for multi-region installations with no communication between
        # pods in different clusters, for example GKE On-prem, GKE on AWS, Anthos on bare metal,
        # AKS, EKS, and OpenShift installations.
        # See Multi-region deployment: Prerequisites
      replicaCount: 3
        # Use multiples of 3 for production.
        # See Configure Cassandra for production for guidelines.
      storage:
        capacity: 500Gi
      resources:
        requests:
          cpu: 7
          memory: 15Gi
      maxHeapSize: 8192M
      heapNewSize: 1200M
        # Minimum storage requirements for a production environment.
        # See Configure Cassandra for production.
    
    virtualhosts:
    - name: ENVIRONMENT_GROUP_NAME
      selector:
        app: apigee-ingressgateway
        ingress_name: INGRESS_NAME
      sslCertPath: ./certs/CERT_NAME.pem
      sslKeyPath: ./certs/KEY_NAME.key
    
    ingressGateways:
    - name: INGRESS_NAME # maximum 17 characters.
      replicaCountMin: 2
      replicaCountMax: 10
      svcAnnotations:  # optional. If you are on AKS, see Known issue #260772383
        SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE
    
    envs:
    - name: ENVIRONMENT_NAME
      serviceAccountPaths:
        synchronizer: SYNCHRONIZER_SERVICE_ACCOUNT_FILEPATH
          # For example: "./service-accounts/GCP_PROJECT_ID-apigee-synchronizer.json"
        udca: UDCA_SERVICE_ACCOUNT_FILEPATH
          # For example: "./service-accounts/GCP_PROJECT_ID-apigee-udca.json"
        runtime: RUNTIME_SERVICE_ACCOUNT_FILEPATH
          # For example: "./service-accounts/GCP_PROJECT_ID-apigee-runtime.json"
    
    mart:
      serviceAccountPath: MART_SERVICE_ACCOUNT_FILEPATH
            # For example: "./service-accounts/GCP_PROJECT_ID-apigee-mart.json"
    
    connectAgent:
      serviceAccountPath: MART_SERVICE_ACCOUNT_FILEPATH
            # Use the same service account for mart and connectAgent
    
    metrics:
      serviceAccountPath: METRICS_SERVICE_ACCOUNT_FILEPATH
            # For example: "./service-accounts/GCP_PROJECT_ID-apigee-metrics.json"
    
    udca:
      serviceAccountPath: UDCA_SERVICE_ACCOUNT_FILEPATH
            # For example: "./service-accounts/GCP_PROJECT_ID-apigee-udca.json"
    
    watcher:
      serviceAccountPath: WATCHER_SERVICE_ACCOUNT_FILEPATH
            # For example: "./service-accounts/GCP_PROJECT_ID-apigee-watcher.json"
    
    logger:
      enabled: false
            # Set to false to disable logger for GKE installations.
            # Set to true for all platforms other than GKE.
            # See apigee-logger in Service accounts and roles used by hybrid components.
      serviceAccountPath: LOGGER_SERVICE_ACCOUNT_FILEPATH
            # For example: "./service-accounts/GCP_PROJECT_ID-apigee-logger.json"
    

    Example

    The following example shows a completed overrides file with example property values added:

    gcp:
      region: us-central1
      projectID: hybrid-example
    
    k8sCluster:
      name: apigee-hybrid
      region: us-central1
    
    org: hybrid-example
    
    instanceID: "my_hybrid_example"
      
    ao:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-operators"
        tag: "1.11.2-hotfix.2" # Required for Apigee hybrid v1.11.2
    
    runtime:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.11.2-hotfix.2" # Required for Apigee hybrid v1.11.2 
    
    cassandra:
      hostNetwork: false
      replicaCount: 3
    
    virtualhosts:
    - name: example-env-group
      selector:
        app: apigee-ingressgateway
        ingress_name: my-ingress-1
      sslCertPath: ./certs/keystore.pem
      sslKeyPath: ./certs/keystore.key
    
    ingressGateways:
    - name: my-ingress-1
      replicaCountMin: 2
      replicaCountMax: 10
    
    envs:
    - name: test
      serviceAccountPaths:
        synchronizer: ./service-accounts/my-hybrid-project-apigee-non-prod.json
          # for production environments, my-hybrid-project-apigee-synchronizer.json
        udca: ./service-accounts/my-hybrid-project-apigee-non-prod.json
          # for production environments, my-hybrid-project-apigee-udca.json
        runtime: ./service-accounts/my-hybrid-project-apigee-non-prod.json
          # for production environments, my-hybrid-project-apigee-runtime.json
    
    mart:
      serviceAccountPath: ./service-accounts/my-hybrid-project-apigee-non-prod.json
        # for production environments, my-hybrid-project-apigee-mart.json
    
    connectAgent:
      serviceAccountPath: ./service-accounts/my-hybrid-project-apigee-non-prod.json
        # for production environments, example-hybrid-apigee-mart.json
    
    metrics:
      serviceAccountPath: ./service-accounts/my-hybrid-project-apigee-non-prod.json
        # for production environments, my-hybrid-project-apigee-metrics.json
    
    udca:
      serviceAccountPath: ./service-accounts/my-hybrid-project-apigee-non-prod.json
        # for production environments, my-hybrid-project-apigee-udca.json
    
    watcher:
      serviceAccountPath: ./service-accounts/my-hybrid-project-apigee-non-prod.json
        # for production environments, my-hybrid-project-apigee-watcher.json
    
    logger:
      enabled: false # Set to "false" for GKE. Set to "true" for all other Kubernetes platforms.
      serviceAccountPath: ./service-accounts/my-hybrid-project-apigee-non-prod.json
        # for production environments, LOGGER_SERVICE_ACCOUNT_NAME.json
    
  3. When you are finished, save the file.
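
The constraints this page states for the overrides file (placeholders that must be replaced, the instanceID length limit, the INGRESS_NAME naming rules, the same INGRESS_NAME used by virtualhosts and ingressGateways, and Cassandra replica counts for production) can be checked once the file is saved. The following Python check is an added example, not part of the Apigee documentation or tooling; it assumes the file has already been parsed into a mapping (for example with PyYAML's yaml.safe_load), and check_overrides, unreplaced and SAMPLE are hypothetical names, with SAMPLE constructed from this page's example values plus deliberate defects.

```python
import re

INGRESS_NAME = re.compile(r"[a-z0-9]([a-z0-9.-]*[a-z0-9])?")  # INGRESS_NAME rules
PLACEHOLDER = re.compile(r"\b[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+\b")  # e.g. ORG_NAME, CERT_NAME


def unreplaced(node, path=""):
    """Yield locations whose string value still contains a template placeholder."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from unreplaced(value, f"{path}.{key}" if path else str(key))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from unreplaced(value, f"{path}[{i}]")
    elif isinstance(node, str) and PLACEHOLDER.search(node):
        yield path


def check_overrides(cfg, production=False):
    """Return a list of problems in a parsed overrides.yaml mapping (empty if none)."""
    problems = [f"{loc}: placeholder not replaced" for loc in unreplaced(cfg)]
    instance_id = str(cfg.get("instanceID", ""))
    if not 0 < len(instance_id) <= 63:
        problems.append("instanceID: must be 1 to 63 characters")
    gateways = set()
    for gw in cfg.get("ingressGateways", []):
        name = str(gw.get("name", ""))
        gateways.add(name)
        if len(name) > 17 or not INGRESS_NAME.fullmatch(name):
            problems.append(f"ingressGateways {name!r}: breaks the naming rules")
    for vh in cfg.get("virtualhosts", []):
        ref = (vh.get("selector") or {}).get("ingress_name")
        if ref not in gateways:
            problems.append(f"virtualhosts {vh.get('name')!r}: unknown ingress_name {ref!r}")
    replicas = (cfg.get("cassandra") or {}).get("replicaCount")
    if production and (not isinstance(replicas, int) or replicas < 3 or replicas % 3):
        problems.append("cassandra.replicaCount: production needs a multiple of 3")
    return problems


# Constructed sample based on this page's example values, with defects added.
SAMPLE = {
    "org": "ORG_NAME",
    "instanceID": "my_hybrid_example",
    "cassandra": {"replicaCount": 1},
    "ingressGateways": [{"name": "My-Ingress-Gateway-1"}],
    "virtualhosts": [{"name": "example-env-group",
                      "selector": {"ingress_name": "my-ingress-1"}}],
}
```

Calling check_overrides(SAMPLE, production=True) reports the unreplaced ORG_NAME, the invalid gateway name, the virtual host that points at an undefined gateway, and the replica count.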

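The following table describes each of the property values that you must provide in the overrides file. For more information, see Configuration property reference.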

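Variable Description
ANALYTICS_REGION In GKE, you must set this value to the region where the cluster is running. On all other platforms, select the analytics region closest to your cluster that has Analytics support (see the table in Part 1, Step 2: Create an organization).

This is the value you assigned to the environment variable ANALYTICS_REGION previously.

GCP_PROJECT_ID Identifies the Google Cloud project where apigee-logger and apigee-metrics push their data. This is the value assigned to the environment variable PROJECT_ID.
CLUSTER_NAME Your Kubernetes cluster name. This is the value assigned to the environment variable CLUSTER_NAME.
CLUSTER_LOCATION The region where your cluster is running. This is the region where you created the cluster in Step 1: Create a cluster.

This is the value you assigned to the environment variable CLUSTER_LOCATION previously.

ORG_NAME The ID of your Apigee Hybrid organization. This is the value assigned to the environment variable ORG_NAME.
UNIQUE_INSTANCE_IDENTIFIER

A unique string to identify this instance. The ID can be any combination of letters and numbers, up to 63 characters in length.

You can create multiple organizations in the same cluster, but the instanceID must be the same for all organizations in the same Kubernetes cluster.

ENVIRONMENT_GROUP_NAME The name of the environment group that your environments are assigned to. This is the group you created in Project and org setup - Step 3: Create an environment group. This is the value assigned to the environment variable ENV_GROUP.
CERT_NAME
KEY_NAME
Enter the names of the self-signed TLS key and certificate files that you generated previously in Step 5: Create TLS certificates. These files must be located in the base_directory/hybrid-files/certs directory. For example:
sslCertPath: ./certs/keystore.pem
sslKeyPath: ./certs/keystore.key
INGRESS_NAME The name of the Apigee ingress gateway for your deployment. This can be any name that meets the following requirements:
  • Has a maximum length of 17 characters
  • Contains only lowercase alphanumeric characters, "-", or "."
  • Starts with an alphanumeric character
  • Ends with an alphanumeric character

See ingressGateways[].name in the Configuration property reference.

SVC_ANNOTATIONS_KEY SVC_ANNOTATIONS_VALUE (Optional) A key-value pair that provides annotations for your default ingress service. Your cloud platform uses annotations to help configure your Hybrid installation, for example to set the load balancer type to internal or external.

Annotations vary between platforms. Refer to your platform documentation for required and suggested annotations.

If you are not using this section, comment it out or delete it.

SVC_LOAD_BALANCER_IP (Optional) An IP address that you have reserved for your load balancer. On platforms that support specifying the load balancer IP address, the load balancer is created with this IP address. On platforms that do not allow you to specify the load balancer IP, this property is ignored.

If you are not using this section, comment it out or delete it.

ENVIRONMENT_NAME Use the same name that you used when you created an environment in the UI, as explained in Project and org setup - Step 3: Create an environment group.
*_SERVICE_ACCOUNT_FILEPATH The path and filename of the service account JSON files in your service-accounts/ directory. The names must include the path to the service account file. This can be the full path or a path relative to your hybrid-files/ directory. If you use a relative path, you must call apigeectl, the command that applies this configuration, from the hybrid-files/ directory.

For non-prod environments, the name of the single service account is GCP_PROJECT_ID-non-prod.json by default.

For production environments, the name is that of the service account key file that you generated with the create-service-account tool in Hybrid runtime setup - Step 4: Create service accounts and credentials.

You can see the list of service account files in your service-accounts/ directory.

The default names of the production environment service accounts are:

  • Cassandra: GCP_PROJECT_ID-apigee-cassandra.json
  • Logger: GCP_PROJECT_ID-apigee-logger.json
  • MART: GCP_PROJECT_ID-apigee-mart.json
  • Connect Agent: GCP_PROJECT_ID-apigee-mart.json
  • Metrics: GCP_PROJECT_ID-apigee-metrics.json
  • Apigee runtime: GCP_PROJECT_ID-
  • Synchronizer: GCP_PROJECT_ID-apigee-synchronizer.json
  • UDCA: GCP_PROJECT_ID-apigee-udca.json
  • Watcher: GCP_PROJECT_ID-apigee-watcher.json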
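
Because relative paths in the overrides file resolve against hybrid-files/, it is worth confirming before you apply the configuration that every referenced key file is found from that directory. The following Python check is an added example, not Apigee tooling: credential_refs, audit_credentials and demo are hypothetical names, the files created in demo are constructed, and the file-permission test is an added hardening check that this page does not state as a requirement.

```python
import os
import stat
import tempfile

COMPONENTS = ("mart", "connectAgent", "metrics", "udca", "watcher", "logger")


def credential_refs(cfg):
    """Map each location in a parsed overrides mapping to the key file it names."""
    refs = {}
    for env in cfg.get("envs", []):
        for comp, path in (env.get("serviceAccountPaths") or {}).items():
            refs[f"envs[{env.get('name')}].{comp}"] = path
    for comp in COMPONENTS:
        path = (cfg.get(comp) or {}).get("serviceAccountPath")
        if path:
            refs[comp] = path
    for vh in cfg.get("virtualhosts", []):
        if vh.get("sslKeyPath"):
            refs[f"virtualhosts[{vh.get('name')}].sslKeyPath"] = vh["sslKeyPath"]
    return refs


def audit_credentials(cfg, hybrid_files_dir):
    """Resolve paths as a run from hybrid-files/ would; report missing or exposed files."""
    findings = []
    for location, path in credential_refs(cfg).items():
        full = path if os.path.isabs(path) else os.path.join(hybrid_files_dir, path)
        if not os.path.isfile(full):
            findings.append(f"{location}: {path} not found")
        elif stat.S_IMODE(os.stat(full).st_mode) & 0o077:  # added hardening check
            findings.append(f"{location}: {path} is accessible to group/other")
    return findings


def demo():
    """Constructed case: one key file too open, one correct, one TLS key missing."""
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, "service-accounts"))
        for name, mode in (("open.json", 0o644), ("tight.json", 0o600)):
            key_file = os.path.join(base, "service-accounts", name)
            with open(key_file, "w") as handle:
                handle.write("{}")  # placeholder content, not a real key
            os.chmod(key_file, mode)
        cfg = {"mart": {"serviceAccountPath": "./service-accounts/open.json"},
               "watcher": {"serviceAccountPath": "./service-accounts/tight.json"},
               "virtualhosts": [{"name": "example-env-group",
                                 "sslKeyPath": "./certs/keystore.key"}]}
        return audit_credentials(cfg, base)
```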

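Summary

The configuration file tells Kubernetes how to deploy the Hybrid components to the cluster. Next, you will enable Synchronizer access so that the Apigee runtime and the management plane can communicate.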
