Paso 2: Instalar Cert-manager y ASM

En este paso, se explica cómo descargar y, luego, instalar cert-manager y Anthos Service Mesh (ASM). Esto es necesario para que Apigee Hybrid funcione.

Instala cert-manager

Usa uno de los siguientes dos comandos para instalar cert-manager v0.14.2 desde GitHub. Para buscar tu versión de Kubernetes, usa el comando kubectl version.

  • Si tienes Kubernetes 1.15 o posterior:
    kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.14.2/cert-manager.yaml
  • Versiones de Kubernetes anteriores a 1.15:
    kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.14.2/cert-manager-legacy.yaml

Debería ver una respuesta en la que se indica que se creó el espacio de nombres del cert-manager y varios recursos de cert-manager.

Instala ASM

Apigee Hybrid usa la distribución de Istio proporcionada con Anthos Service Mesh (ASM). Sigue estos pasos para instalar ASM en tu clúster.

Versiones de ASM admitidas

Para las nuevas instalaciones de Hybrid, instala ASM 1.6.x en tu clúster. Si actualizas desde la versión de Hybrid 1.2.x, instala la versión 1.5.x de ASM en el clúster.

Realiza los pasos de configuración y ajustes de ASM

Para completar la instalación de ASM, primero debes seguir los pasos de configuración y ajustes específicos de ASM en la documentación de ASM. Luego, debes regresar aquí para completar la configuración específica de la opción híbrida antes de aplicar la configuración al clúster.

  1. Sigue los pasos de configuración y ajustes de ASM:
  2. Cuando hayas completado los pasos de configuración y ajustes de ASM, ve a la siguiente sección para completar la configuración de nube híbrida y los pasos de instalación de ASM.

Realiza la configuración híbrida final e instala ASM

Por último, agrega configuraciones específicas de la nube híbrida al archivo istio-operator.yaml y, luego, instala ASM.

  1. Asegúrate de que estás en el directorio raíz de la instalación de ASM. Por ejemplo: 1.6.11-asm.1.
  2. Abre el archivo ./asm/cluster/istio-operator.yaml en un editor.
  3. Agrega las siguientes líneas con sangría en spec.meshConfig::

    Texto que se debe copiar

        # This disables Istio from configuring workloads for mTLS if TLSSettings are not specified. 1.4 defaulted to false.
        enableAutoMtls: false
        accessLogFile: "/dev/stdout"
        accessLogEncoding: 1
        # This is Apigee's custom access log format. Changes should not be made to this
        # unless first working with the Data and AX teams as they parse these logs for
        # SLOs.
        accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)%
          %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'

    Ejemplo en el que se muestra la posición

    Se insertan saltos de línea para facilitar la lectura

    apiVersion: install.istio.io/v1alpha1
    kind: IstioOperator
    metadata:
      clusterName: "hybrid-example/us-central1/example-cluster" # {"$ref":"#/definitions/io.k8s.cli.substitutions.cluster-name"}
    spec:
      profile: asm
      hub: gcr.io/gke-release/asm # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.hub"}
      tag: 1.5.7-asm.0 # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.tag"}
      meshConfig:
        # This disables Istio from configuring workloads for mTLS if TLSSettings are not specified.
        # 1.4 defaulted to false.
        enableAutoMtls: false
        accessLogFile: "/dev/stdout"
        accessLogEncoding: 1
        # This is Apigee's custom access log format. Changes should not be made to this
        # unless first working with the Data and AX teams as they parse these logs for
        # SLOs.
        accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE
          _ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:
          METHOD)%
          %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RE
          SPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIV
          ED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response
          _flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_serv
          ice_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%
          ","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_
          path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol
          ":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_S
          ERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
        defaultConfig:
          proxyMetadata:
            GCP_METADATA: "hybrid-example|123456789123|example-cluster|us-central1" #
              {"$ref":"#/definitions/io.k8s.cli.substitutions.gke-metadata"}
  4. Agrega (o actualiza) la estrofa spec:components al archivo istio-operator.yaml debajo de la sección meshConfig: e inmediatamente después de values:, donde reserved_static_ip es la dirección IP que reservaste. para tu puerta de enlace de entrada del entorno de ejecución en Configuración del proyecto y la organización - Paso 5: Configura Cloud DNS.

    Texto que se debe copiar

        ingressGateways:
        - name: istio-ingressgateway
          enabled: true
          k8s:
            service:
              type: LoadBalancer
              loadBalancerIP: reserved_static_ip
              ports:
              - name: status-port
                port: 15020
                targetPort: 15020
              - name: http2
                port: 80
                targetPort: 80
              - name: https
                port: 443
              - name: prometheus
                port: 15030
                targetPort: 15030
              - name: tcp
                port: 31400
                targetPort: 31400
              - name: tls
                port: 15443
                targetPort: 15443
    

    Ejemplo en el que se muestra la posición

    Se insertan saltos de línea para facilitar la lectura

    apiVersion: install.istio.io/v1alpha1
    kind: IstioOperator
    metadata:
      clusterName: "hybrid-example/us-central1/example-cluster" # {"$ref":"#/definitions/io.k8s.cli.substitutions.cluster-name"}
    spec:
      profile: asm
      hub: gcr.io/gke-release/asm # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.hub"}
      tag: 1.5.7-asm.0 # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.tag"}
      meshConfig:
        # This disables Istio from configuring workloads for mTLS if TLSSettings are not specified.
        # 1.4 defaulted to false.
        enableAutoMtls: false
        accessLogFile: "/dev/stdout"
        accessLogEncoding: 1
        # This is Apigee's custom access log format. Changes should not be made to this
        # unless first working with the Data and AX teams as they parse these logs for
        # SLOs.
        accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE
          _ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:
          METHOD)%
          %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RE
          SPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIV
          ED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response
          _flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_serv
          ice_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%
          ","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_
          path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol
          ":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_S
          ERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
        defaultConfig:
          proxyMetadata:
            GCP_METADATA: "hybrid-example|123456789123|example-cluster|us-central1" #
              {"$ref":"#/definitions/io.k8s.cli.substitutions.gke-metadata"}
    
      components:
        pilot:
          k8s:
            hpaSpec:
              maxReplicas: 2
        ingressGateways:
        - name: istio-ingressgateway
          enabled: true
          k8s:
            service:
              type: LoadBalancer
              loadBalancerIP: 123.234.56.78
              ports:
              - name: status-port
                port: 15020
                targetPort: 15020
              - name: http2
                port: 80
                targetPort: 80
              - name: https
                port: 443
              - name: prometheus
                port: 15030
                targetPort: 15030
              - name: tcp
                port: 31400
                targetPort: 31400
              - name: tls
                port: 15443
                targetPort: 15443
            hpaSpec:
              maxReplicas: 2
      values:
        .
        .
        .
  5. Regresa a la documentación de ASM que usaste antes y completa la instalación de ASM (instala o aplica el archivo istio-operator.yaml en el clúster). Cuando se le indique, elija PERMISSIVE mTLS.

Resumen

Ahora tienes instalado cert-manager y ASM, y estás listo para instalar la herramienta de línea de comandos híbrida de Apigee en tu máquina local.

1 2 (SIGUIENTE) Paso 3: Instala apigeectl 4 5