Paso 2: Instala el certificado cert‑manager y ASM

En este paso se explica cómo descargar e instalar cert-manager y Anthos Service Mesh (ASM), que son necesarios para que Apigee hybrid funcione.

Instalar cert-manager

Usa uno de los dos comandos siguientes para instalar cert-manager v0.14.2 desde GitHub. Para encontrar tu versión de Kubernetes, usa el comando kubectl version.

  • Si tienes Kubernetes 1.15 o una versión posterior: 
    kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.14.2/cert-manager.yaml
  • Versiones de Kubernetes anteriores a 1.15: 
    kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.14.2/cert-manager-legacy.yaml

Debería aparecer una respuesta que indique que se han creado el espacio de nombres cert-manager y varios recursos de cert-manager.

Instalar ASM

Apigee Hybrid usa la distribución de Istio proporcionada con Anthos Service Mesh (ASM). Sigue estos pasos para instalar ASM en tu clúster.

Versiones de ASM compatibles

En las nuevas instalaciones híbridas, instala ASM 1.6.x en tu clúster. Si vas a actualizar desde la versión 1.2.x de Hybrid, instala la versión 1.5.x de ASM en tu clúster.

Sigue los pasos de configuración de ASM

Para completar la instalación de ASM, primero debes seguir los pasos de configuración específicos de ASM que se indican en la documentación de ASM. Después, debes volver aquí para completar la configuración específica del modo híbrido antes de aplicar la configuración al clúster.

  1. Sigue los pasos de configuración de ASM:

  2. Cuando haya completado los pasos de configuración de ASM, vaya a la siguiente sección para completar los pasos de configuración híbrida e instalación de ASM.

Realizar la configuración final de Hybrid e instalar ASM

Por último, añade configuraciones específicas de híbrido al archivo istio-operator.yaml e instala ASM.

  1. Asegúrate de que te encuentras en el directorio raíz de la instalación de ASM. Por ejemplo: 1.6.11-asm.1.
  2. Abre el archivo ./asm/cluster/istio-operator.yaml en un editor.
  3. Añade las siguientes líneas con sangría debajo de spec.meshConfig::

    Texto que se va a copiar

        # This disables Istio from configuring workloads for mTLS if TLSSettings are not specified. 1.4 defaulted to false.
    enableAutoMtls: false
    accessLogFile: "/dev/stdout"
    accessLogEncoding: 1
    # This is Apigee's custom access log format. Changes should not be made to this
    # unless first working with the Data and AX teams as they parse these logs for
    # SLOs.
    accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)%
      %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'

    Ejemplo que muestra la colocación

    Saltos de línea insertados para facilitar la lectura 

    apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  clusterName: "hybrid-example/us-central1/example-cluster" # {"$ref":"#/definitions/io.k8s.cli.substitutions.cluster-name"}
spec:
  profile: asm
  hub: gcr.io/gke-release/asm # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.hub"}
  tag: 1.5.7-asm.0 # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.tag"}
  meshConfig:
    # This disables Istio from configuring workloads for mTLS if TLSSettings are not specified.
    # 1.4 defaulted to false.
    enableAutoMtls: false
    accessLogFile: "/dev/stdout"
    accessLogEncoding: 1
    # This is Apigee's custom access log format. Changes should not be made to this
    # unless first working with the Data and AX teams as they parse these logs for
    # SLOs.
    accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE
      _ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:
      METHOD)%
      %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RE
      SPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIV
      ED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response
      _flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_serv
      ice_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%
      ","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_
      path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol
      ":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_S
      ERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
    defaultConfig:
      proxyMetadata:
        GCP_METADATA: "hybrid-example|123456789123|example-cluster|us-central1" #
          {"$ref":"#/definitions/io.k8s.cli.substitutions.gke-metadata"}
  4. Añade (o actualiza) la stanza spec:components en el archivo istio-operator.yaml debajo de la sección meshConfig: e inmediatamente encima de values:, donde reserved_static_ip es la dirección IP que has reservado para tu pasarela de entrada de tiempo de ejecución en Configuración del proyecto y de la organización - Paso 5: Configurar Cloud DNS.

    Texto que se va a copiar

        ingressGateways:
    - name: istio-ingressgateway
      enabled: true
      k8s:
        service:
          type: LoadBalancer
          loadBalancerIP: reserved_static_ip
          ports:
          - name: status-port
            port: 15020
            targetPort: 15020
          - name: http2
            port: 80
            targetPort: 80
          - name: https
            port: 443
          - name: prometheus
            port: 15030
            targetPort: 15030
          - name: tcp
            port: 31400
            targetPort: 31400
          - name: tls
            port: 15443
            targetPort: 15443

    Ejemplo que muestra la colocación

    Saltos de línea insertados para facilitar la lectura 

    apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  clusterName: "hybrid-example/us-central1/example-cluster" # {"$ref":"#/definitions/io.k8s.cli.substitutions.cluster-name"}
spec:
  profile: asm
  hub: gcr.io/gke-release/asm # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.hub"}
  tag: 1.5.7-asm.0 # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.tag"}
  meshConfig:
    # This disables Istio from configuring workloads for mTLS if TLSSettings are not specified.
    # 1.4 defaulted to false.
    enableAutoMtls: false
    accessLogFile: "/dev/stdout"
    accessLogEncoding: 1
    # This is Apigee's custom access log format. Changes should not be made to this
    # unless first working with the Data and AX teams as they parse these logs for
    # SLOs.
    accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE
      _ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:
      METHOD)%
      %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RE
      SPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIV
      ED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response
      _flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_serv
      ice_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%
      ","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_
      path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol
      ":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_S
      ERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
    defaultConfig:
      proxyMetadata:
        GCP_METADATA: "hybrid-example|123456789123|example-cluster|us-central1" #
          {"$ref":"#/definitions/io.k8s.cli.substitutions.gke-metadata"}

  components:
    pilot:
      k8s:
        hpaSpec:
          maxReplicas: 2
    ingressGateways:
    - name: istio-ingressgateway
      enabled: true
      k8s:
        service:
          type: LoadBalancer
          loadBalancerIP: 123.234.56.78
          ports:
          - name: status-port
            port: 15020
            targetPort: 15020
          - name: http2
            port: 80
            targetPort: 80
          - name: https
            port: 443
          - name: prometheus
            port: 15030
            targetPort: 15030
          - name: tcp
            port: 31400
            targetPort: 31400
          - name: tls
            port: 15443
            targetPort: 15443
        hpaSpec:
          maxReplicas: 2
  values:
    .
    .
    .
  5. Vuelve a la documentación de ASM que has usado antes y completa la instalación de ASM (instala o aplica el archivo istio-operator.yaml al clúster). Cuando se te dé la opción, elige mTLS PERMISIVO.

Resumen

Ahora tienes instalados cert-manager y ASM, y puedes instalar la herramienta de línea de comandos de Apigee hybrid en tu máquina local.

1 2 (SIGUIENTE) Paso 3: Instala apigeectl 4 5