此步骤介绍如何下载并安装 Apigee Hybrid 运行所需的 cert-manager 和 Anthos Service Mesh (ASM)。
安装 cert-manager
使用以下两个命令之一从 GitHub 安装 cert-manager v0.14.2。要查找您的 Kubernetes 版本,请使用 kubectl version 命令。
- 如果您使用的是 Kubernetes 1.15 或更高版本:
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.14.2/cert-manager.yaml
- 低于 1.15 的 Kubernetes 版本:
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.14.2/cert-manager-legacy.yaml
您应该会看到一个响应,表明已创建 cert-manager 命名空间和多个 cert-manager 资源。
安装 ASM
Apigee Hybrid 使用 Anthos Service Mesh (ASM) 提供的 Istio 发行版。 请按照以下步骤在集群中安装 ASM。
支持的 ASM 版本
对于 Hybrid 的全新安装,请将 ASM 1.6.x 安装到您的集群中。如果您要从 Hybrid 1.2.x 版升级,请将 ASM 1.5.x 版安装到您的集群中。
执行 ASM 设置和配置步骤
如需完成 ASM 安装,首先必须按照 ASM 文档中特定于 ASM 的设置和配置步骤执行操作。然后,您必须返回此处完成特定于混合的配置,然后再将配置应用到集群。
- 按照 ASM 设置和配置步骤执行操作:
- 如果这是新安装 Apigee Hybrid,请安装 ASM 1.6.xx 版。转到:安装和迁移简介。
- 如果您要从早期版本的 Hybrid 进行升级,请使用 ASM 1.5.x。转到在现有集群上安装 Anthos Service Mesh。
完成 ASM 设置和配置步骤后,请转到下一部分以完成混合配置和 ASM 安装步骤。
执行最终混合配置并安装 ASM
最后,将特定于混合的配置添加到 istio-operator.yaml 文件并安装 ASM。
-
确保您位于 ASM 安装的根目录中。 例如
1.6.11-asm.1。 - 通过编辑器打开
./asm/cluster/istio-operator.yaml文件。 - 在
spec.meshConfig:下添加以下行:要复制的文本
# This disables Istio from configuring workloads for mTLS if TLSSettings are not specified. 1.4 defaulted to false. enableAutoMtls: false accessLogFile: "/dev/stdout" accessLogEncoding: 1 # This is Apigee's custom access log format. Changes should not be made to this # unless first working with the Data and AX teams as they parse these logs for # SLOs. accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'显示位置的示例
插入换行符是为了方便阅读
apiVersion: install.istio.io/v1alpha1 kind: IstioOperator metadata: clusterName: "hybrid-example/us-central1/example-cluster" # {"$ref":"#/definitions/io.k8s.cli.substitutions.cluster-name"} spec: profile: asm hub: gcr.io/gke-release/asm # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.hub"} tag: 1.5.7-asm.0 # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.tag"} meshConfig: # This disables Istio from configuring workloads for mTLS if TLSSettings are not specified. # 1.4 defaulted to false. enableAutoMtls: false accessLogFile: "/dev/stdout" accessLogEncoding: 1 # This is Apigee's custom access log format. Changes should not be made to this # unless first working with the Data and AX teams as they parse these logs for # SLOs. accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE _ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(: METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RE SPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIV ED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response _flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_serv ice_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER% ","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_ path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol ":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_S ERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}' defaultConfig: proxyMetadata: GCP_METADATA: "hybrid-example|123456789123|example-cluster|us-central1" # {"$ref":"#/definitions/io.k8s.cli.substitutions.gke-metadata"}
- 在
istio-operator.yaml文件中添加(或更新)spec:components节,位于meshConfig:部分下,并且其后紧跟values:,其中 reserved_static_ip 是您在项目和组织设置 - 第 5 步:配置 Cloud DNS 中为运行时入站网关预留的 IP 地址。要复制的文本
ingressGateways: - name: istio-ingressgateway enabled: true k8s: service: type: LoadBalancer loadBalancerIP: reserved_static_ip ports: - name: status-port port: 15020 targetPort: 15020 - name: http2 port: 80 targetPort: 80 - name: https port: 443 - name: prometheus port: 15030 targetPort: 15030 - name: tcp port: 31400 targetPort: 31400 - name: tls port: 15443 targetPort: 15443显示位置的示例
插入换行符是为了方便阅读
apiVersion: install.istio.io/v1alpha1 kind: IstioOperator metadata: clusterName: "hybrid-example/us-central1/example-cluster" # {"$ref":"#/definitions/io.k8s.cli.substitutions.cluster-name"} spec: profile: asm hub: gcr.io/gke-release/asm # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.hub"} tag: 1.5.7-asm.0 # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.tag"} meshConfig: # This disables Istio from configuring workloads for mTLS if TLSSettings are not specified. # 1.4 defaulted to false. enableAutoMtls: false accessLogFile: "/dev/stdout" accessLogEncoding: 1 # This is Apigee's custom access log format. Changes should not be made to this # unless first working with the Data and AX teams as they parse these logs for # SLOs. accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE _ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(: METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RE SPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIV ED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response _flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_serv ice_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER% ","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_ path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol ":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_S ERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}' defaultConfig: proxyMetadata: GCP_METADATA: "hybrid-example|123456789123|example-cluster|us-central1" # {"$ref":"#/definitions/io.k8s.cli.substitutions.gke-metadata"} components: pilot: k8s: hpaSpec: maxReplicas: 2 ingressGateways: - name: istio-ingressgateway enabled: true k8s: service: type: LoadBalancer loadBalancerIP: 123.234.56.78 ports: - name: status-port port: 15020 targetPort: 15020 - name: http2 port: 80 targetPort: 80 - name: https port: 443 - name: prometheus port: 15030 targetPort: 15030 - name: tcp port: 31400 targetPort: 31400 - name: tls port: 15443 targetPort: 15443 hpaSpec: maxReplicas: 2 values: . . .
- 现在,返回到您之前使用的 ASM 文档,并完成 ASM 安装(安装
istio-operator.yaml文件或将其应用到集群)。选择任一选项后,选择 PERMISSIVE mTLS。
摘要
现在,您已经安装了 cert-manager 和 ASM,可以在本地机器上安装 Apigee Hybrid 命令行工具了。
1 2 (下一步)第 3 步:安装 apigeectl 4 5