Specify configuration overrides
The Apigee hybrid installer uses defaults for many settings. However, some settings have no default, and you must supply values for them as described below.
Before you begin
We recommend that you review the following scenarios to decide whether you need to configure your cluster for them. These configurations are optional.
- If you plan to install hybrid in multiple regions, read Multi-region deployment before you continue.
- Apigee hybrid ships with default passwords for the Cassandra users. Apigee recommends that you change the default user passwords. For details, see Configure TLS for Cassandra.
- To configure storage and heap settings for Cassandra, see Configure storage and heap settings.
- As described in Part 1: Project and org setup - Step 1: Enable APIs, configure persistent solid-state drive (SSD) storage for Cassandra in production installations. Apigee does not support local SSD for Apigee hybrid. For details, see Add SSD storage for production deployments.
Configure the cluster
By convention, configuration overrides are written to a file named overrides.yaml, which is usually stored in the $APIGEE_HELM_CHARTS_HOME directory.
- In the $APIGEE_HELM_CHARTS_HOME directory, create a new file named overrides.yaml. The overrides.yaml file provides the configuration for your unique Apigee hybrid installation. The overrides file in this step provides a basic configuration for a small-footprint hybrid runtime installation, suitable for a first installation.
- In overrides.yaml, add the required property values as shown below. A detailed description of each property follows. Select the Production or Non-production tab (non-production covers demo, evaluation, or proof-of-concept installations), depending on the choice you made in Step 4: Create service accounts.
For production installations, review the storage requirements for the Cassandra database in Configure Cassandra for production.
If you are installing Apigee hybrid on GKE and plan to use Workload Identity to authenticate the hybrid components, select the Production: Workload Identity or Non-production: Workload Identity tab to configure your overrides.yaml file.
Production
Make sure the overrides.yaml file has the following structure and syntax. The UPPER_CASE placeholders are property values that you must provide; they are described in the table below. The Google Cloud project region and the Kubernetes cluster region differ between platforms, so select the platform on which you are installing Apigee hybrid.

```yaml
instanceID: "UNIQUE_INSTANCE_IDENTIFIER"
namespace: APIGEE_NAMESPACE # Usually "apigee"

gcp:
  projectID: PROJECT_ID
  region: ANALYTICS_REGION

k8sCluster:
  name: CLUSTER_NAME
  region: CLUSTER_LOCATION # Must be the closest Google Cloud region to your cluster.

org: ORG_NAME

# Required if using Data residency:
contractProvider: https://CONTROL_PLANE_LOCATION-apigee.googleapis.com

ao:
  image:
    url: "gcr.io/apigee-release/hybrid/apigee-operators"
    tag: "1.12.1-hotfix.1" # Required for Apigee hybrid v1.12.1

envs:
- name: ENVIRONMENT_NAME
  serviceAccountPaths:
    # Provide the path relative to the chart directory.
    synchronizer: SYNCHRONIZER_SERVICE_ACCOUNT_FILEPATH
      # For example: "PROJECT_ID-apigee-synchronizer.json"
    runtime: RUNTIME_SERVICE_ACCOUNT_FILEPATH
      # For example: "PROJECT_ID-apigee-runtime.json"
    udca: UDCA_SERVICE_ACCOUNT_FILEPATH
      # For example: "PROJECT_ID-apigee-udca.json"

cassandra:
  hostNetwork: false
    # Set to false for single region installations and multi-region installations
    # with connectivity between pods in different clusters, for example GKE installations.
    # Set to true for multi-region installations with no communication between
    # pods in different clusters, for example GKE On-prem, GKE on AWS, Anthos on bare metal,
    # AKS, EKS, and OpenShift installations.
    # See Multi-region deployment: Prerequisites
  replicaCount: 3
    # Use multiples of 3 for production.
    # See Configure Cassandra for production for guidelines.
  storage:
    capacity: 500Gi
  resources:
    requests:
      cpu: 7
      memory: 15Gi
  maxHeapSize: 8192M
  heapNewSize: 1200M
    # Minimum storage requirements for a production environment.
    # See Configure Cassandra for production.

ingressGateways:
- name: INGRESS_NAME # maximum 17 characters. See Known issue 243167389.
  replicaCountMin: 2
  replicaCountMax: 10
  svcAnnotations: # optional. If you are on AKS, see Known issue #260772383
    SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE

virtualhosts:
- name: ENVIRONMENT_GROUP_NAME
  selector:
    app: apigee-ingressgateway
    ingress_name: INGRESS_NAME
  sslCertPath: PATH_TO_CERT_FILE
  sslKeyPath: PATH_TO_KEY_FILE

mart:
  serviceAccountPath: MART_SERVICE_ACCOUNT_FILEPATH
    # Provide the path relative to the chart directory.
    # For example: "PROJECT_ID-apigee-mart.json"

connectAgent:
  serviceAccountPath: MART_SERVICE_ACCOUNT_FILEPATH
    # Use the same service account for mart and connectAgent
    # Provide the path relative to the chart directory.
    # For example: "PROJECT_ID-apigee-mart.json"

logger:
  enabled: true # enabled by default
    # See apigee-logger in Service accounts and roles used by hybrid components.
  serviceAccountPath: LOGGER_SERVICE_ACCOUNT_FILEPATH
    # Provide the path relative to the chart directory.
    # For example: "PROJECT_ID-apigee-logger.json"

metrics:
  serviceAccountPath: METRICS_SERVICE_ACCOUNT_FILEPATH
    # Provide the path relative to the chart directory.
    # For example: "PROJECT_ID-apigee-metrics.json"

udca:
  serviceAccountPath: UDCA_SERVICE_ACCOUNT_FILEPATH
    # Provide the path relative to the chart directory.
    # For example: "PROJECT_ID-apigee-udca.json"

watcher:
  serviceAccountPath: WATCHER_SERVICE_ACCOUNT_FILEPATH
    # Provide the path relative to the chart directory.
    # For example: "PROJECT_ID-apigee-watcher.json"
```
Non-production
Make sure the overrides.yaml file has the following structure and syntax. The UPPER_CASE placeholders are property values that you must provide; they are described in the table below. The Google Cloud project region and the Kubernetes cluster region differ between platforms, so select the platform on which you are installing Apigee hybrid.

```yaml
instanceID: "UNIQUE_INSTANCE_IDENTIFIER"
namespace: APIGEE_NAMESPACE # Usually "apigee"

gcp:
  projectID: PROJECT_ID
  region: ANALYTICS_REGION

k8sCluster:
  name: CLUSTER_NAME
  region: CLUSTER_LOCATION # Must be the closest Google Cloud region to your cluster.

org: ORG_NAME

# Required if using Data residency:
contractProvider: https://CONTROL_PLANE_LOCATION-apigee.googleapis.com

ao:
  image:
    url: "gcr.io/apigee-release/hybrid/apigee-operators"
    tag: "1.12.1-hotfix.1" # Required for Apigee hybrid v1.12.1

envs:
- name: ENVIRONMENT_NAME
  serviceAccountPaths:
    # Provide the path relative to the chart directory.
    synchronizer: NON_PROD_SERVICE_ACCOUNT_FILEPATH
      # For example: "PROJECT_ID-apigee-non-prod.json"
    runtime: NON_PROD_SERVICE_ACCOUNT_FILEPATH
      # For example: "PROJECT_ID-apigee-non-prod.json"
    udca: NON_PROD_SERVICE_ACCOUNT_FILEPATH
      # For example: "PROJECT_ID-apigee-non-prod.json"

cassandra:
  hostNetwork: false
    # Set to false for single region installations and multi-region installations
    # with connectivity between pods in different clusters, for example GKE installations.
    # Set to true for multi-region installations with no communication between
    # pods in different clusters, for example GKE On-prem, GKE on AWS, Anthos on bare metal,
    # AKS, EKS, and OpenShift installations.
    # See Multi-region deployment: Prerequisites
  replicaCount: 1
    # Use 1 for non-prod or "demo" installations and multiples of 3 for production.
    # See Configure Cassandra for production for guidelines.

ingressGateways:
- name: INGRESS_NAME # maximum 17 characters. See Known issue 243167389.
  replicaCountMin: 2
  replicaCountMax: 10
  svcAnnotations: # optional. If you are on AKS, see Known issue #260772383
    SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE

virtualhosts:
- name: ENVIRONMENT_GROUP_NAME
  selector:
    app: apigee-ingressgateway
    ingress_name: INGRESS_NAME
  sslCertPath: PATH_TO_CERT_FILE
  sslKeyPath: PATH_TO_KEY_FILE

mart:
  serviceAccountPath: NON_PROD_SERVICE_ACCOUNT_FILEPATH
    # Provide the path relative to the chart directory.
    # For example: "PROJECT_ID-apigee-non-prod.json"

connectAgent:
  serviceAccountPath: NON_PROD_SERVICE_ACCOUNT_FILEPATH
    # Provide the path relative to the chart directory.
    # Use the same service account for mart and connectAgent
    # For example: "PROJECT_ID-apigee-non-prod.json"

logger:
  enabled: true # enabled by default
    # See apigee-logger in Service accounts and roles used by hybrid components.
  serviceAccountPath: NON_PROD_SERVICE_ACCOUNT_FILEPATH
    # Provide the path relative to the chart directory.
    # For example: "PROJECT_ID-apigee-non-prod.json"

metrics:
  serviceAccountPath: NON_PROD_SERVICE_ACCOUNT_FILEPATH
    # Provide the path relative to the chart directory.
    # For example: "PROJECT_ID-apigee-non-prod.json"

udca:
  serviceAccountPath: NON_PROD_SERVICE_ACCOUNT_FILEPATH
    # Provide the path relative to the chart directory.
    # For example: "PROJECT_ID-apigee-non-prod.json"

watcher:
  serviceAccountPath: NON_PROD_SERVICE_ACCOUNT_FILEPATH
    # Provide the path relative to the chart directory.
    # For example: "PROJECT_ID-apigee-non-prod.json"
```
Production: Workload Identity
This template is for production installations on GKE that use Workload Identity. Make sure the overrides.yaml file has the following structure and syntax. The UPPER_CASE placeholders are property values that you must provide; they are described in the table below. If you are installing Apigee hybrid on GKE, you can optionally use Workload Identity to authenticate to Google APIs and GKE and make requests. With Workload Identity the hybrid components run as Google service accounts identified by e-mail address, so you do not copy service account key files (JSON) into the chart directories. For an overview, see the GKE Workload Identity documentation.
To use Workload Identity for Apigee hybrid on GKE, use this template and then follow the steps in Step 11: Install Apigee hybrid using Helm charts to create the Kubernetes service accounts and associate them with the Google service accounts you created in Step 4: Create service accounts.

```yaml
instanceID: "UNIQUE_INSTANCE_IDENTIFIER"
namespace: APIGEE_NAMESPACE # Usually "apigee"

gcp:
  projectID: PROJECT_ID
  region: ANALYTICS_REGION
  workloadIdentity:
    enabled: true

k8sCluster:
  name: CLUSTER_NAME
  region: CLUSTER_LOCATION # Must be the closest Google Cloud region to your cluster.

org: ORG_NAME

# Required if using Data residency:
contractProvider: https://CONTROL_PLANE_LOCATION-apigee.googleapis.com

ao:
  image:
    url: "gcr.io/apigee-release/hybrid/apigee-operators"
    tag: "1.12.1-hotfix.1" # Required for Apigee hybrid v1.12.1

envs:
- name: ENVIRONMENT_NAME
  gsa:
    synchronizer: "SYNCHRONIZER_SERVICE_ACCOUNT_EMAIL"
      # For example: "apigee-synchronizer@PROJECT_ID.iam.gserviceaccount.com"
    runtime: "RUNTIME_SERVICE_ACCOUNT_EMAIL"
      # For example: "apigee-runtime@PROJECT_ID.iam.gserviceaccount.com"
    udca: "UDCA_SERVICE_ACCOUNT_EMAIL"
      # For example: "apigee-udca@PROJECT_ID.iam.gserviceaccount.com"

cassandra:
  hostNetwork: false
    # Set to false for single region installations and multi-region installations
    # with connectivity between pods in different clusters, for example GKE installations.
    # Set to true for multi-region installations with no communication between
    # pods in different clusters, for example GKE On-prem, GKE on AWS, Anthos on bare metal,
    # AKS, EKS, and OpenShift installations.
    # See Multi-region deployment: Prerequisites
  replicaCount: 3
    # Use multiples of 3 for production.
    # See Configure Cassandra for production for guidelines.
  storage:
    capacity: 500Gi
  resources:
    requests:
      cpu: 7
      memory: 15Gi
  maxHeapSize: 8192M
  heapNewSize: 1200M
    # Minimum storage requirements for a production environment.
    # See Configure Cassandra for production.
  backup:
    enabled: true
    # Set to true for initial installation.
    # This triggers the chart to create the apigee-cassandra-backup Kubernetes service account when you install it.
    # See Cassandra backup overview for instructions on using cassandra.backup.

ingressGateways:
- name: INGRESS_NAME # maximum 17 characters. See Known issue 243167389.
  replicaCountMin: 2
  replicaCountMax: 10
  svcAnnotations: # optional. If you are on AKS, see Known issue #260772383
    SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE

virtualhosts:
- name: ENVIRONMENT_GROUP_NAME
  selector:
    app: apigee-ingressgateway
    ingress_name: INGRESS_NAME
  sslCertPath: PATH_TO_CERT_FILE
  sslKeyPath: PATH_TO_KEY_FILE

mart:
  gsa: "MART_SERVICE_ACCOUNT_EMAIL"
    # For example: "apigee-mart@PROJECT_ID.iam.gserviceaccount.com"

connectAgent:
  gsa: "MART_SERVICE_ACCOUNT_EMAIL"
    # Use the same service account for mart and connectAgent
    # For example: "apigee-mart@PROJECT_ID.iam.gserviceaccount.com"

logger:
  enabled: true # enabled by default
    # See apigee-logger in Service accounts and roles used by hybrid components.
  gsa: "LOGGER_SERVICE_ACCOUNT_EMAIL"
    # For example: "apigee-logger@PROJECT_ID.iam.gserviceaccount.com"

metrics:
  gsa: "METRICS_SERVICE_ACCOUNT_EMAIL"
    # For example: "apigee-metrics@PROJECT_ID.iam.gserviceaccount.com"

udca:
  gsa: "UDCA_SERVICE_ACCOUNT_EMAIL"
    # For example: "apigee-udca@PROJECT_ID.iam.gserviceaccount.com"

watcher:
  gsa: "WATCHER_SERVICE_ACCOUNT_EMAIL"
    # For example: "apigee-watcher@PROJECT_ID.iam.gserviceaccount.com"
```
Non-production: Workload Identity
This template is for non-production installations on GKE that use Workload Identity. Make sure the overrides.yaml file has the following structure and syntax. The UPPER_CASE placeholders are property values that you must provide; they are described in the table below. If you are installing Apigee hybrid on GKE, you can optionally use Workload Identity to authenticate to Google APIs and GKE and make requests. With Workload Identity the hybrid components run as a Google service account identified by e-mail address, so you do not copy service account key files (JSON) into the chart directories. For an overview, see the GKE Workload Identity documentation.
To use Workload Identity for Apigee hybrid on GKE, use this template and then follow the steps in Step 11: Install Apigee hybrid using Helm charts to create the Kubernetes service accounts and associate them with the Google service account you created in Step 4: Create service accounts.

```yaml
instanceID: "UNIQUE_INSTANCE_IDENTIFIER"
namespace: APIGEE_NAMESPACE # Usually "apigee"

gcp:
  projectID: PROJECT_ID
  region: ANALYTICS_REGION
  workloadIdentity:
    enabled: true
    gsa: "NON_PROD_SERVICE_ACCOUNT_EMAIL"
      # For example: "apigee-non-prod@PROJECT_ID.iam.gserviceaccount.com"

k8sCluster:
  name: CLUSTER_NAME
  region: CLUSTER_LOCATION # Must be the closest Google Cloud region to your cluster.

org: ORG_NAME

# Required if using Data residency:
contractProvider: https://CONTROL_PLANE_LOCATION-apigee.googleapis.com

cassandra:
  hostNetwork: false # false for all GKE installations.
    # See Multi-region deployment: Prerequisites
  replicaCount: 1
    # Use 1 for non-prod or "demo" installations and multiples of 3 for production.
    # See Configure Cassandra for production for guidelines.
  backup:
    enabled: true
    # Set to true for initial installation.
    # This triggers the chart to create the apigee-cassandra-backup Kubernetes service account when you install it.
    # See Cassandra backup overview for instructions on using cassandra.backup.

virtualhosts:
- name: ENVIRONMENT_GROUP_NAME
  selector:
    app: apigee-ingressgateway
    ingress_name: INGRESS_NAME
  sslCertPath: PATH_TO_CERT_FILE
  sslKeyPath: PATH_TO_KEY_FILE

ingressGateways:
- name: INGRESS_NAME # maximum 17 characters.
  replicaCountMin: 2
  replicaCountMax: 10
  svcAnnotations: # optional. If you are on AKS, see Known issue #260772383
    SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE
  svcLoadBalancerIP: SVC_LOAD_BALANCER_IP # optional

ao:
  image:
    url: "gcr.io/apigee-release/hybrid/apigee-operators"
    tag: "1.12.1-hotfix.1" # Required for Apigee hybrid v1.12.1

envs:
- name: ENVIRONMENT_NAME

logger:
  enabled: false # Set to false for all GKE installations.
```
Example
The following example shows a completed overrides file with sample property values added:

```yaml
instanceID: "my_hybrid_example"
namespace: apigee

gcp:
  projectID: hybrid-example
  region: us-central1

k8sCluster:
  name: apigee-hybrid
  region: us-central1

org: hybrid-example

contractProvider: https://us-apigee.googleapis.com

ao:
  image:
    url: "gcr.io/apigee-release/hybrid/apigee-operators"
    tag: "1.12.1-hotfix.1"

envs:
- name: test
  serviceAccountPaths:
    synchronizer: my-hybrid-project-apigee-synchronizer.json
    runtime: my-hybrid-project-apigee-runtime.json
    udca: my-hybrid-project-apigee-udca.json

cassandra:
  hostNetwork: false
  replicaCount: 3

ingressGateways:
- name: my-ingress-1
  replicaCountMin: 2
  replicaCountMax: 10

virtualhosts:
- name: example-env-group
  selector:
    app: apigee-ingressgateway
    ingress_name: my-ingress-1
  sslCertPath: certs/keystore.pem
  sslKeyPath: certs/keystore.key

logger:
  enabled: true # Set to "false" for GKE. Set to "true" for all other Kubernetes platforms.
  serviceAccountPath: my-hybrid-project-apigee-logger.json

mart:
  serviceAccountPath: my-hybrid-project-apigee-mart.json

connectAgent:
  serviceAccountPath: my-hybrid-project-apigee-mart.json

metrics:
  serviceAccountPath: my-hybrid-project-apigee-metrics.json

udca:
  serviceAccountPath: my-hybrid-project-apigee-udca.json

watcher:
  serviceAccountPath: my-hybrid-project-apigee-watcher.json
```
- When you are done, save the file.
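The templates above leave a number of constraints implicit: the ingress gateway name limit, the fact that every virtualhost must select a defined ingress gateway, the Cassandra replica count for production, the rule that mart and connectAgent share one service account, and the fact that the production templates give every component its own identity while the non-production templates share one. The following pre-flight checker is an added example written for this page; it is not Apigee documentation or Apigee Helm chart code. It checks a parsed overrides mapping before you run Helm, verifying that each service account key file exists in its chart directory (or, with Workload Identity, that each GSA e-mail belongs to the configured project) and that a production install is not silently running every component as one shared account. The chart-directory mapping, the regular expressions and the sample configuration are this script's own assumptions, as the comments note.

```python
"""Offline pre-flight checks for an Apigee hybrid overrides.yaml (added example, not
Apigee documentation or Apigee Helm chart code). Assumptions not stated on the page:
the CHART_DIR mapping and the regexes are this script's own. Run it from
$APIGEE_HELM_CHARTS_HOME so the relative key-file paths resolve against the charts."""
import os
import re
from typing import Callable

# Chart directory each component's serviceAccountPath is resolved against (assumption).
CHART_DIR = {"envs": "apigee-env", "mart": "apigee-org", "connectAgent": "apigee-org",
             "udca": "apigee-org", "watcher": "apigee-org",
             "logger": "apigee-telemetry", "metrics": "apigee-telemetry"}
REQUIRED = ("instanceID", "namespace", "gcp", "k8sCluster", "org", "envs",
            "cassandra", "ingressGateways", "virtualhosts")
INSTANCE_ID_RE = re.compile(r"^[A-Za-z0-9]{1,63}$")
INGRESS_NAME_RE = re.compile(r"^[a-z0-9]([-.a-z0-9]{0,15}[a-z0-9])?$")  # at most 17 chars
GSA_RE = re.compile(r"^[a-z][-a-z0-9]{5,29}@([a-z][-a-z0-9]{4,28}[a-z0-9])\.iam\.gserviceaccount\.com$")
ENV_COMPONENTS = ("synchronizer", "runtime", "udca")
ORG_COMPONENTS = ("mart", "connectAgent", "logger", "metrics", "udca", "watcher")


def check_overrides(cfg: dict, production: bool,
                    file_exists: Callable[[str], bool] = os.path.exists) -> list:
    """Return the list of problems found; an empty list means every check passed."""
    problems = [f"missing required key: {k}" for k in REQUIRED if k not in cfg]
    iid = str(cfg.get("instanceID", ""))
    if not INSTANCE_ID_RE.match(iid):
        problems.append(f"instanceID {iid!r} must be 1-63 letters and digits")
    gcp = cfg.get("gcp", {})
    project, wi = gcp.get("projectID", ""), gcp.get("workloadIdentity", {})
    default_gsa = wi.get("gsa")  # non-prod Workload Identity: one GSA for every component
    wi = bool(wi.get("enabled"))

    gateways = {g.get("name") for g in cfg.get("ingressGateways", [])}
    for name in gateways:
        if not INGRESS_NAME_RE.match(str(name)):
            problems.append(f"ingressGateways name {name!r}: max 17 chars, lowercase alphanumerics, '-' or '.'")
    for vh in cfg.get("virtualhosts", []):
        ref = vh.get("selector", {}).get("ingress_name")
        if ref not in gateways:
            problems.append(f"virtualhost {vh.get('name')!r} selects unknown ingress_name {ref!r}")
        for key in ("sslCertPath", "sslKeyPath"):  # must live under apigee-virtualhosts/
            if not file_exists(f"apigee-virtualhosts/{vh.get(key, '')}"):
                problems.append(f"virtualhost {vh.get('name')!r}: {key} {vh.get(key)!r} not found")

    replicas = int(cfg.get("cassandra", {}).get("replicaCount", 0))
    if production and (replicas < 3 or replicas % 3):
        problems.append(f"cassandra.replicaCount {replicas} must be a multiple of 3 in production")

    # Which identity (key file or GSA e-mail) each component will run as.
    identities = {}
    for env in cfg.get("envs", []):
        block = env.get("gsa") or {c: default_gsa for c in ENV_COMPONENTS} if wi else env.get("serviceAccountPaths", {})
        for comp, val in block.items():
            identities[f"envs[{env.get('name')}].{comp}"] = val
    for comp in ORG_COMPONENTS:
        blk = cfg.get(comp, {})
        if comp == "logger" and not blk.get("enabled", True):
            continue  # logger disabled (GKE): no identity needed
        identities[comp] = blk.get("gsa", default_gsa) if wi else blk.get("serviceAccountPath")

    for where, val in identities.items():
        if wi:
            m = GSA_RE.match(str(val))
            if not m or m.group(1) != project:
                problems.append(f"{where}: {val!r} is not a service account e-mail in project {project!r}")
        elif not file_exists(f"{CHART_DIR[where.split('[')[0].split('.')[0]]}/{val}"):
            problems.append(f"{where}: key file {val!r} not found in chart directory")
    if identities.get("mart") != identities.get("connectAgent"):
        problems.append("mart and connectAgent must use the same service account")
    if production and len(set(identities.values())) == 1:
        problems.append("production: every component shares one service account; use per-component accounts")
    return problems


# Constructed sample mirroring the page's completed production example (illustrative values).
SAMPLE_PROD = {
    "instanceID": "myhybridexample", "namespace": "apigee", "org": "hybrid-example",
    "gcp": {"projectID": "hybrid-example", "region": "us-central1"},
    "k8sCluster": {"name": "apigee-hybrid", "region": "us-central1"},
    "envs": [{"name": "test", "serviceAccountPaths": {
        c: f"hybrid-example-apigee-{c}.json" for c in ENV_COMPONENTS}}],
    "cassandra": {"hostNetwork": False, "replicaCount": 3, "storage": {"capacity": "500Gi"}},
    "ingressGateways": [{"name": "my-ingress-1", "replicaCountMin": 2, "replicaCountMax": 10}],
    "virtualhosts": [{"name": "example-env-group",
                      "selector": {"app": "apigee-ingressgateway", "ingress_name": "my-ingress-1"},
                      "sslCertPath": "certs/keystore.pem", "sslKeyPath": "certs/keystore.key"}],
    **{c: {"serviceAccountPath": f"hybrid-example-apigee-{'mart' if c == 'connectAgent' else c}.json"}
       for c in ORG_COMPONENTS},
}
# Constructed stand-in for os.path.exists: the key files copied into the chart directories.
SAMPLE_FILES = {"apigee-virtualhosts/certs/keystore.pem", "apigee-virtualhosts/certs/keystore.key"}
SAMPLE_FILES |= {f"{CHART_DIR[c]}/hybrid-example-apigee-{c}.json" for c in ORG_COMPONENTS if c != "connectAgent"}
SAMPLE_FILES |= {f"apigee-env/hybrid-example-apigee-{c}.json" for c in ENV_COMPONENTS}
```

To check a real file, parse it with PyYAML (`yaml.safe_load(open("overrides.yaml"))`) and pass the result to `check_overrides` with the default `file_exists`, running from `$APIGEE_HELM_CHARTS_HOME`. The "every component shares one service account" finding is deliberately raised only for production: the non-production templates share the single `apigee-non-prod` account by design, while a production install that does the same has collapsed the per-component least-privilege split that Step 4 set up.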
The following table describes each of the property values that you must provide in the overrides file. For more information, see the Configuration property reference.

Variable | Description
---|---
UNIQUE_INSTANCE_IDENTIFIER | A unique string that identifies this instance. It can be any combination of letters and numbers, up to 63 characters. You can create multiple organizations in the same cluster, but the instanceID must be the same for all organizations in the same Kubernetes cluster.
APIGEE_NAMESPACE | The Kubernetes namespace for the Apigee hybrid components. The default value is `apigee`.
ANALYTICS_REGION | On GKE, you must set this to the region in which the cluster is running. On all other platforms, select the closest analytics region to your cluster that supports Analytics (see the table in Part 1, Step 2: Create an organization). This is the value you assigned earlier to the corresponding environment variable.
PROJECT_ID | Identifies the Google Cloud project to which apigee-logger and apigee-metrics push their data. This is the value assigned to the environment variable PROJECT_ID.
CLUSTER_NAME | The name of your Kubernetes cluster. This is the value assigned to the environment variable CLUSTER_NAME.
CLUSTER_LOCATION | The region in which the cluster runs. This is the region in which you created the cluster in Step 1: Create a cluster, and the value you assigned earlier to the corresponding environment variable.
ORG_NAME | The ID of your Apigee hybrid organization. This is the value assigned to the environment variable ORG_NAME.
CONTROL_PLANE_LOCATION | Required if you use data residency with your Apigee hybrid installation. This is the location where customer core content, such as proxy bundles, is stored. For the list, see Available Apigee API control plane regions. This is the value assigned to the CONTROL_PLANE_LOCATION environment variable in Step 2: Create an organization.
ENVIRONMENT_GROUP_NAME | The name of the environment group to which your environments are assigned. This is the group you created in Project and org setup - Step 3: Create an environment group, and the value assigned to the environment variable ENV_GROUP.
PATH_TO_CERT_FILE, PATH_TO_KEY_FILE | The path and filename of the self-signed TLS key and certificate files you generated earlier in Step 5: Create TLS certificates. These files must be in the APIGEE_HELM_CHARTS_HOME/apigee-virtualhosts/certs directory. For example: `sslCertPath: certs/keystore.crt` and `sslKeyPath: certs/keystore.key`.
INGRESS_NAME | The name of the Apigee ingress gateway for the deployment. It can be any name that meets the following requirements: it has a maximum length of 17 characters; it contains only lowercase alphanumeric characters, '-' or '.'; it starts with an alphanumeric character; and it ends with an alphanumeric character. See ingressGateways in the Configuration property reference.
SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE | (Optional) A key-value pair that provides annotations for the default ingress service. Your cloud platform uses annotations to help configure the hybrid installation, for example to set the load balancer type to internal or external. Annotations vary by platform; see your platform documentation for required and recommended annotations. Comment out or delete this section if you do not use it.
SVC_LOAD_BALANCER_IP | (Optional) An IP address that you have reserved for the load balancer. On platforms that support specifying the load balancer IP address, the load balancer is created with this IP address. On platforms that do not allow you to specify the load balancer IP, this property is ignored. Comment out or delete this section if you do not use it.
ENVIRONMENT_NAME | Use the name you used when you created the environment in the UI, as described in Project and org setup - Step 3: Create an environment group.
*_SERVICE_ACCOUNT_FILEPATH | The path and filename of the service account JSON key file in the corresponding chart directory. Provide the filename and the path relative to the chart directory, for example `PROJECT_ID-apigee-synchronizer.json`. For non-production environments, the single service account is named `apigee-non-prod` by default, so the file is `PROJECT_ID-apigee-non-prod.json`. For production environments, the name is the one you gave each account when you created it in Step 4: Create service accounts. You can find the service account files in each corresponding chart directory. The default chart directories for the service accounts are apigee-env (synchronizer, runtime and udca under `envs`), apigee-org (mart, connectAgent, udca and watcher) and apigee-telemetry (logger and metrics). These files are long-lived credentials; keep them out of source control.
*_SERVICE_ACCOUNT_EMAIL | The e-mail address of the Google service account (GSA) that you must provide when you use Workload Identity on GKE. These are the service accounts you created in Step 4: Create service accounts. You can find the e-mail addresses with the following command: `gcloud iam service-accounts list --project ${PROJECT_ID} --filter "apigee"`
Summary
The configuration file tells Kubernetes how to deploy the hybrid components to the cluster. Next, you will enable synchronizer access so that the Apigee runtime and management planes can communicate.