Step 2: Install cert-manager and ASM

This step explains how to download and install cert-manager and Anthos Service Mesh (ASM), which are required for Apigee hybrid to operate.

Install cert-manager

Use one of the following two commands to install cert-manager v0.14.2 from GitHub. To find your Kubernetes version, use the kubectl version command.

  • If you have Kubernetes 1.15 or newer:
    kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.14.2/cert-manager.yaml
  • Kubernetes versions older than 1.15:
    kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.14.2/cert-manager-legacy.yaml

You should see a response indicating that the cert-manager namespace and several cert-manager resources were created.
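
The version rule above as a small shell helper. This is an added example, not part of the original documentation; the function name cert_manager_manifest_url and the sample version strings are assumptions made for illustration.

```shell
# Added example: pick the cert-manager v0.14.2 manifest for a given
# Kubernetes server version string (as reported by `kubectl version`).
BASE_URL="https://github.com/jetstack/cert-manager/releases/download/v0.14.2"

cert_manager_manifest_url() {
    ver=${1#v}                       # drop a leading "v"
    case "$ver" in
        *.*) ;;
        *) echo "cannot parse version: $1" >&2; return 1 ;;
    esac
    major=${ver%%.*}                 # text before the first dot
    rest=${ver#*.}
    minor=${rest%%[!0-9]*}           # leading digits only, so "15+" becomes 15
    case "$major" in
        ''|*[!0-9]*) echo "cannot parse version: $1" >&2; return 1 ;;
    esac
    [ -n "$minor" ] || { echo "cannot parse version: $1" >&2; return 1; }
    # Compare numerically: as strings, "1.9" would sort after "1.15".
    if [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 15 ]; }; then
        echo "$BASE_URL/cert-manager.yaml"
    else
        echo "$BASE_URL/cert-manager-legacy.yaml"
    fi
}

# Constructed sample versions.
for v in v1.15.12-gke.2 v1.14.10 1.9.7 "1.16+"; do
    printf '%s -> %s\n' "$v" "$(cert_manager_manifest_url "$v")"
done

# Usage with the command from this page, where $server_version holds the
# server version string:
#   kubectl apply --validate=false -f "$(cert_manager_manifest_url "$server_version")"
```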

Install ASM

Apigee hybrid uses the Istio distribution provided with Anthos Service Mesh (ASM). Follow these steps to install ASM in your cluster.

Supported ASM versions

For new hybrid installations, install ASM 1.6.x into your cluster. If you are upgrading from hybrid version 1.2.x, install ASM version 1.5.x into your cluster.

Perform the ASM setup and configuration steps

To complete the ASM installation, you must first follow the ASM-specific setup and configuration steps in the ASM documentation. Then, you must return here to complete the hybrid-specific configuration before applying the configuration to the cluster.

  1. Follow the ASM setup and configuration steps:
  2. After completing the ASM setup and configuration steps, go to the next section to complete the hybrid configuration and ASM installation steps.

Perform final hybrid configuration and install ASM

Finally, add the hybrid-specific configuration to the istio-operator.yaml file and install ASM.

  1. Make sure you are in the root directory of the ASM installation. For example: 1.6.11-asm.1.
  2. Open the file ./asm/cluster/istio-operator.yaml in an editor.
  3. Add the following lines, indented, under spec.meshConfig:

    Text to copy

        # This disables Istio from configuring workloads for mTLS if TLSSettings are not specified. 1.4 defaulted to false.
        enableAutoMtls: false
        accessLogFile: "/dev/stdout"
        accessLogEncoding: 1
        # This is Apigee's custom access log format. Changes should not be made to this
        # unless first working with the Data and AX teams as they parse these logs for
        # SLOs.
        accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)%
          %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'

    Example showing placement

    Line breaks inserted for readability

    apiVersion: install.istio.io/v1alpha1
    kind: IstioOperator
    metadata:
      clusterName: "hybrid-example/us-central1/example-cluster" # {"$ref":"#/definitions/io.k8s.cli.substitutions.cluster-name"}
    spec:
      profile: asm
      hub: gcr.io/gke-release/asm # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.hub"}
      tag: 1.5.7-asm.0 # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.tag"}
      meshConfig:
        # This disables Istio from configuring workloads for mTLS if TLSSettings are not specified.
        # 1.4 defaulted to false.
        enableAutoMtls: false
        accessLogFile: "/dev/stdout"
        accessLogEncoding: 1
        # This is Apigee's custom access log format. Changes should not be made to this
        # unless first working with the Data and AX teams as they parse these logs for
        # SLOs.
        accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE
          _ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:
          METHOD)%
          %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RE
          SPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIV
          ED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response
          _flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_serv
          ice_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%
          ","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_
          path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol
          ":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_S
          ERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
        defaultConfig:
          proxyMetadata:
            GCP_METADATA: "hybrid-example|123456789123|example-cluster|us-central1" #
              {"$ref":"#/definitions/io.k8s.cli.substitutions.gke-metadata"}
  4. Add (or update) the spec:components stanza in the istio-operator.yaml file, below the meshConfig: section and immediately above values:, where reserved_static_ip is the IP address you reserved for your runtime ingress gateway in Project and Org Setup - Step 5: Configure Cloud DNS.

    Text to copy

        ingressGateways:
        - name: istio-ingressgateway
          enabled: true
          k8s:
            service:
              type: LoadBalancer
              loadBalancerIP: reserved_static_ip
              ports:
              - name: status-port
                port: 15020
                targetPort: 15020
              - name: http2
                port: 80
                targetPort: 80
              - name: https
                port: 443
              - name: prometheus
                port: 15030
                targetPort: 15030
              - name: tcp
                port: 31400
                targetPort: 31400
              - name: tls
                port: 15443
                targetPort: 15443
    

    Example showing placement

    Line breaks inserted for readability

    apiVersion: install.istio.io/v1alpha1
    kind: IstioOperator
    metadata:
      clusterName: "hybrid-example/us-central1/example-cluster" # {"$ref":"#/definitions/io.k8s.cli.substitutions.cluster-name"}
    spec:
      profile: asm
      hub: gcr.io/gke-release/asm # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.hub"}
      tag: 1.5.7-asm.0 # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.tag"}
      meshConfig:
        # This disables Istio from configuring workloads for mTLS if TLSSettings are not specified.
        # 1.4 defaulted to false.
        enableAutoMtls: false
        accessLogFile: "/dev/stdout"
        accessLogEncoding: 1
        # This is Apigee's custom access log format. Changes should not be made to this
        # unless first working with the Data and AX teams as they parse these logs for
        # SLOs.
        accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE
          _ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:
          METHOD)%
          %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RE
          SPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIV
          ED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response
          _flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_serv
          ice_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%
          ","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_
          path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol
          ":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_S
          ERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
        defaultConfig:
          proxyMetadata:
            GCP_METADATA: "hybrid-example|123456789123|example-cluster|us-central1" #
              {"$ref":"#/definitions/io.k8s.cli.substitutions.gke-metadata"}
    
      components:
        pilot:
          k8s:
            hpaSpec:
              maxReplicas: 2
        ingressGateways:
        - name: istio-ingressgateway
          enabled: true
          k8s:
            service:
              type: LoadBalancer
              loadBalancerIP: 123.234.56.78
              ports:
              - name: status-port
                port: 15020
                targetPort: 15020
              - name: http2
                port: 80
                targetPort: 80
              - name: https
                port: 443
              - name: prometheus
                port: 15030
                targetPort: 15030
              - name: tcp
                port: 31400
                targetPort: 31400
              - name: tls
                port: 15443
                targetPort: 15443
            hpaSpec:
              maxReplicas: 2
      values:
        .
        .
        .
  5. Now return to the ASM documentation you used earlier and complete the ASM installation (install or apply the istio-operator.yaml file to the cluster). If given the choice, choose PERMISSIVE mTLS.
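
A pre-apply check for the values added in steps 3 and 4, as an added example that is not part of the original documentation. The function names check_istio_operator, fail and write_sample are assumptions, and the sample file is constructed and trimmed to the keys being checked.

```shell
# Added example: confirm istio-operator.yaml carries the hybrid settings from
# steps 3 and 4 before applying it. Line-based (one "key: value" per line, as
# in the "text to copy" snippets); it is not a YAML parser.

fail() { echo "$1"; problems=$((problems + 1)); }

check_istio_operator() {
    file=$1
    problems=0
    # meshConfig keys must carry exactly the documented values.
    for want in 'enableAutoMtls: false' 'accessLogFile: "/dev/stdout"' \
                'accessLogEncoding: 1'; do
        grep -Eq "^[[:space:]]+${want}[[:space:]]*(#.*)?$" "$file" \
            || fail "missing or changed: $want"
    done
    # The ingress gateway needs the reserved address, not the placeholder text.
    ip=$(sed -n 's/^[[:space:]]*loadBalancerIP:[[:space:]]*\([^[:space:]#]*\).*$/\1/p' \
        "$file" | head -n 1 | tr -d "\"'")
    if [ -z "$ip" ]; then
        fail "loadBalancerIP is not set"
    elif [ "$ip" = "reserved_static_ip" ]; then
        fail "loadBalancerIP still holds the placeholder reserved_static_ip"
    elif ! echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        fail "loadBalancerIP is not an IPv4 address: $ip"
    fi
    [ "$problems" -eq 0 ]
}

# Constructed sample. Usage: write_sample <path> <enableAutoMtls> <loadBalancerIP>
write_sample() {
    cat > "$1" <<EOF
spec:
  meshConfig:
    enableAutoMtls: $2
    accessLogFile: "/dev/stdout"
    accessLogEncoding: 1
  components:
    ingressGateways:
    - name: istio-ingressgateway
      k8s:
        service:
          type: LoadBalancer
          loadBalancerIP: $3
EOF
}

tmp=$(mktemp)
write_sample "$tmp" false 123.234.56.78
check_istio_operator "$tmp" && echo "sample 1: ready to apply"
write_sample "$tmp" true reserved_static_ip
check_istio_operator "$tmp" || echo "sample 2: fix the items above first"
rm -f "$tmp"
```

The check does not compare accessLogFormat; confirm that value against the text to copy in step 3.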

Summary

You now have cert-manager and ASM installed, and you are ready to install the Apigee hybrid command line tool on your local machine.
