This section describes using Apigee Connect for communication between the hybrid management plane and the MART service in the runtime plane.
Introduction
Apigee Connect allows the Apigee hybrid management plane to connect securely to the MART service in the runtime plane without requiring you to expose the MART endpoint on the internet. If you use Apigee Connect, you do not need to configure the MART ingress gateway with a host alias and an authorized DNS certificate.
Configuring Apigee Connect
Configure Apigee Connect in your overrides with the connectAgent configuration property.
Service account
Apigee Connect uses the apigee-mart service account. This service account requires the Apigee Connect Agent role (roles/apigeeconnect.Agent). See Service accounts and roles used by hybrid components.
Use the connectAgent.serviceAccountPath or connectAgent.serviceAccountRef configuration property to specify the apigee-mart service account key. Alternatively, you can store the service account key in HashiCorp Vault.
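One way to confirm the role binding described above and spot over-broad grants on the same account. This is an added example, not part of the Apigee documentation; it assumes the role is bound at the project level, and the project ID, email addresses and sample policy are constructed.

```python
import json

REQUIRED_ROLE = "roles/apigeeconnect.Agent"      # role named on this page
BASIC_ROLES = {"roles/owner", "roles/editor"}    # broad project-wide roles
# Constructed service account email; the project ID is a placeholder.
SA_EMAIL = "apigee-mart@example-project.iam.gserviceaccount.com"

# Constructed sample in the shape printed by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/apigeeconnect.Agent",
     "members": ["serviceAccount:apigee-mart@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["user:admin@example.com",
                 "serviceAccount:apigee-mart@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/logging.logWriter",
     "members": ["serviceAccount:other-sa@example-project.iam.gserviceaccount.com"]}
  ]
}
""")


def audit_connect_agent_sa(policy, sa_email):
    """Summarize the project roles bound to the Apigee Connect service account."""
    member = f"serviceAccount:{sa_email}"
    granted, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        # A binding with a condition only applies when the condition holds.
        (conditional if "condition" in binding else granted).add(binding["role"])
    return {
        "has_required_role": REQUIRED_ROLE in granted,
        "required_role_is_conditional": REQUIRED_ROLE in conditional,
        "basic_roles": sorted(BASIC_ROLES & (granted | conditional)),
        "other_roles": sorted((granted | conditional) - BASIC_ROLES - {REQUIRED_ROLE}),
    }


if __name__ == "__main__":
    print(json.dumps(audit_connect_agent_sa(SAMPLE_POLICY, SA_EMAIL), indent=2))
```

A non-empty basic_roles list means a leaked apigee-mart key would grant far more than the Connect Agent role.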
API
Apigee Connect requires the Apigee Connect API in the Google Cloud API Library. For instructions on enabling APIs in the Google Cloud console, see Step 3: Enable APIs.
Applying Apigee Connect configuration
Apply changes to the Apigee Connect configuration with the apigee-org chart, using the following command:
helm upgrade ORG_NAME apigee-org/ \
  --namespace apigee \
  --atomic \
  -f OVERRIDES_FILE.yaml
Image
Apigee Connect uses the gcr.io/apigee-release/hybrid/apigee-connect-agent:1.3.6 image. If you want to use a private image repository, see Use a private image repository with Apigee hybrid.
Checking Apigee Connect logs
Check the Apigee Connect Agent log.
kubectl logs -n namespace apigee-connect-agent-pod-name
The Apigee Connect Agent reports the following log categories:
Audit logs category | Operations |
---|---|
DATA_READ | ConnectionService.ListConnections |
DATA_WRITE | Tether.Egress |
You can set the level of logging with the connectAgent.logLevel configuration property.