Step 3: Configure the GKE on-prem user cluster

Specify configuration overrides

The Apigee hybrid installer uses defaults for many settings; however, there are a few settings that do not have defaults. You must provide values for these settings, as explained next.

  1. Be sure you are in the hybrid-base-directory/hybrid-files directory.
  2. Copy the overrides-small.yaml file from the $APIGEECTL_HOME/examples directory to your overrides directory:
    cp $APIGEECTL_HOME/examples/overrides-small.yaml ./overrides/overrides.yaml

    This example file provides a basic configuration for a small-footprint hybrid runtime installation, a configuration that is suitable for a your first installation.

  3. cd into the overrides directory:
  4. cd overrides
  5. Open overrides.yaml and add the required property values, shown below. A detailed description of each property is also provided below:

    Syntax

    The overrides.yaml file has the following structure and syntax. Values in red, bold italics are property values that you must provide. They are also described in the table below.

    gcp:
      region: gcp-region
      projectID: gcp-project-id
    
    k8sCluster:
      name: cluster-name
      region: cluster-region
    
    org: org-name
    
    virtualhosts:
      - name: virtual-host-name
        hostAliases:
          - "host-alias-1"
          - "host-alias-2"
          - "host-alias-n"
        sslCertPath: ./certs/test-cert-name.pem
        sslKeyPath: ./certs/test-key-name.key
        routingRules:
          - paths:
            - /path1
            - /path2
            - /pathn
            env: environment-name
    
    envs:
      - name: environment-name          # The same name of the env you created in the UI
        serviceAccountPaths:
          synchronizer: ./service-accounts/synchronizer-service-account-name.json
          udca: ./service-accounts/udca-service-account-name.json
    
    mart:
      hostAlias: mart-host-alias
      serviceAccountPath: ./service-accounts/mart-service-account-name.json
      sslCertPath: ./certs/mart-cert-name.pem
      sslKeyPath: ./certs/mart-key-name.key
    
    cassandra:
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
    
    ingress:
      runtime:
        loadBalancerIP: virtual_IP_runtime
      mart:
        loadBalancerIP: virtual_IP_mart
    
    
    metrics:
      serviceAccountPath: ./service-accounts/metrics-service-account-name.json
    
    logger:
      enabled: false

    Example

    The following example shows a completed overrides file with example property values added:

    gcp:
      region: us-central1
      projectID: my-gcp-project
    
    k8sCluster:
      name: apigee-hybrid
      region: us-central1
    
    org: hybrid-org
    
    virtualhosts:
      - name: default
        hostAliases:
          - "*.acme.com"
        sslCertPath: ./certs/keystore.pem
        sslKeyPath: ./certs/keystore.key
        routingRules:
          - paths:
            - /foo
            - /bar
            env: test
    
    envs:
      - name: test
        serviceAccountPaths:
          synchronizer: ./service-accounts/hybrid-project-apigee-synchronizer.json
          udca: ./service-accounts/hybrid-project-apigee-udca.json
    
    mart:
      hostAlias: "mart.apigee-hybrid-docs.net"
      serviceAccountPath: ./service-accounts/hybrid-project-apigee-mart.json
      sslCertPath: ./certs/fullchain.pem
      sslKeyPath: ./certs/privkey.key
    
    cassandra:
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
    
    ingress:
      runtime:
        loadBalancerIP: 21.0.124.13
      mart:
        loadBalancerIP: 21.0.124.14
    
    metrics:
      serviceAccountPath: ./service-accounts/hybrid-project-apigee-metrics.json
    
    logger:
      enabled: false
  6. When your finished, save the file.

The following table describes each of the property values that you must provide in the overrides file. For more information, see Configuration property reference.

Variable Description
project-id Your GCP project ID.
cluster-name Your Kubernetes cluster name.
cluster-region The region in which the cluster was created.
org-name The name of your Apigee hybrid organization.
environment-name Use the same name that you used when you created an environment in the UI, as explained in Step 5: Add a new environment in the hybrid UI.
test-host-alias

(Required) For the quickstart, use the wildcard character "*".

The use of * is only recommended for a trial installation when using self-signed TLS credentials. Later, as you develop more complex Apigee hybrid configurations, such as creating multiple environments, you will need to use a qualified domain name for this value.

test-cert-name
test-key-name
Enter the name of the self-signed TLS key and certificate files that you generated previously in the step Create TLS credentials for the runtime gateway. These files must be located in the base_directory/hybrid-files/certs directory. For example:
sslCertPath: ./certs/keystore.pem
sslKeyPath: ./certs/keystore.key
synchronizer-service-account-name The name of the synchronizer service account key file that you generated with the create-service-account tool. For example:
synchronizer: ./service-accounts/hybrid-project-apigee-synchronizer.json
udca-service-account-name The name of the udca service account key file that you generated with the create-service-account tool. For example:
udca: ./service-accounts/hybrid-project-apigee-udca.json
virtual_IP_runtime,
virtual_IP_mart
To use GKE on-prem integrated load balancing, you need to provide virtual IPs for LoadBalancers on the hybrid MART and runtime services. GKE on-prem automatically configures the virtual IP on the F5 BIG-IP load balancer. For more information, see Setting up your load balancer for GKE on-prem
mart-host-alias A qualified DNS name for the MART server endpoint. This name must match the common name (CN) used in the authorized TLS certificate required for this configuration. For example, mart.mydomain.com
mart-service-account-name The name of the mart service account key file that you generated with the create-service-account tool.
mart-cert-name
mart-key-name
Enter the name of the authorized TLS key and certificate files that you generated previously in the step Create TLS credentials for the MART gateway. These files must be located in the base_directory/hybrid-files/certs directory. For example:
sslCertPath: ./certs/fullchain.pem
sslKeyPath: ./certs/privkey.key
gcp-region Identifies the GCP region where the apigee-logger and the apigee-metrics push their data.
gcp-project-id Identifies the Google Cloud project where apigee-logger and the apigee-metrics push their data.
metrics-service-account-name The name of the metrics service account key file that you generated with the create-service-account tool. For example:
serviceAccountPath: ./service-accounts/hybrid-project-apigee-metrics.json

Summary

The configuration file tells Kubernetes how to deploy the hybrid components to a cluster. Next, you will apply this configuration to your cluster.

1 2 3 (NEXT) Step 4: Install hybrid runtime