Step 2: Install cert-manager and ASM

This step explains how to download and install cert-manager and Anthos Service Mesh (ASM), required for Apigee hybrid to operate.

Install cert-manager

Use one of the following two commands to install cert-manager v0.14.2 from GitHub. To find your Kubernetes version use the kubectl version command.

If you have Kubernetes 1.15 or newer:

kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.14.2/cert-manager.yaml

Kubernetes versions older than 1.15:

kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.14.2/cert-manager-legacy.yaml

You should see a response that the cert-manager namespace and several cert-manager resources have been created.

Install ASM

Apigee hybrid uses the Istio distribution provided with Anthos Service Mesh (ASM). Follow these steps to install ASM in your cluster.

Supported ASM versions

For new installations of hybrid, install ASM 1.6.x into your cluster. If you are upgrading from hybrid version 1.2.x, install ASM version 1.5.x into your cluster.

Perform ASM setup and configuration steps

To complete the ASM installation, you must first follow ASM-specific setup and configuration steps in the ASM documentation. Then, you must return here to complete the hybrid-specific configuration before applying the configuration to the cluster.

Follow the ASM setup and configuration steps:
Important: When following the ASM documentation, do not install or apply the YAML configuration file istio-operator.yaml when instructed to do so. At that time, we require you to return to this page to edit the file with further hybrid-specific configurations before installing/applying the configuration.
- If this is a new installation of Apigee hybrid install the ASM version 1.6.x. Go to: Introduction to the installation and migration.
- If you are upgrading from an earlier version of hybrid, use ASM 1.5.x. Go to: Installing Anthos Service Mesh on an existing cluster.
When you have completed the ASM setup and config steps, go to the next section to complete the hybrid configuration and ASM installation steps.

Perform final hybrid configuration and install ASM

Finally, add hybrid-specific configurations to the istio-operator.yaml file and install ASM.

Ensure that you're in the ASM installation's root directory. For example: 1.6.11-asm.1.
Open the ./asm/cluster/istio-operator.yaml file in an editor.

Add the following lines indented under spec.meshConfig::

Text to copy

    # This disables Istio from configuring workloads for mTLS if TLSSettings are not specified. 1.4 defaulted to false.
    enableAutoMtls: false
    accessLogFile: "/dev/stdout"
    accessLogEncoding: 1
    # This is Apigee's custom access log format. Changes should not be made to this
    # unless first working with the Data and AX teams as they parse these logs for
    # SLOs.
    accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)%
      %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'

Example showing placement

Line breaks inserted for readability

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  clusterName: "hybrid-example/us-central1/example-cluster" # {"$ref":"#/definitions/io.k8s.cli.substitutions.cluster-name"}
spec:
  profile: asm
  hub: gcr.io/gke-release/asm # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.hub"}
  tag: 1.5.7-asm.0 # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.tag"}
  meshConfig:
    # This disables Istio from configuring workloads for mTLS if TLSSettings are not specified.
    # 1.4 defaulted to false.
    enableAutoMtls: false
    accessLogFile: "/dev/stdout"
    accessLogEncoding: 1
    # This is Apigee's custom access log format. Changes should not be made to this
    # unless first working with the Data and AX teams as they parse these logs for
    # SLOs.
    accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE
      _ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:
      METHOD)%
      %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RE
      SPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIV
      ED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response
      _flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_serv
      ice_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%
      ","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_
      path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol
      ":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_S
      ERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
    defaultConfig:
      proxyMetadata:
        GCP_METADATA: "hybrid-example|123456789123|example-cluster|us-central1" #
          {"$ref":"#/definitions/io.k8s.cli.substitutions.gke-metadata"}

Add (or update) the spec:components stanza in the istio-operator.yaml file below the meshConfig: section and immediately above values:, where reserved_static_ip is the IP address you reserved for your runtime ingress gateway in Project and Org Setup - Step 5: Configure Cloud DNS.

Text to copy

    ingressGateways:
    - name: istio-ingressgateway
      enabled: true
      k8s:
        service:
          type: LoadBalancer
          loadBalancerIP: reserved_static_ip
          ports:
          - name: status-port
            port: 15020
            targetPort: 15020
          - name: http2
            port: 80
            targetPort: 80
          - name: https
            port: 443
          - name: prometheus
            port: 15030
            targetPort: 15030
          - name: tcp
            port: 31400
            targetPort: 31400
          - name: tls
            port: 15443
            targetPort: 15443

Example showing placement

Line breaks inserted for readability

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  clusterName: "hybrid-example/us-central1/example-cluster" # {"$ref":"#/definitions/io.k8s.cli.substitutions.cluster-name"}
spec:
  profile: asm
  hub: gcr.io/gke-release/asm # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.hub"}
  tag: 1.5.7-asm.0 # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.tag"}
  meshConfig:
    # This disables Istio from configuring workloads for mTLS if TLSSettings are not specified.
    # 1.4 defaulted to false.
    enableAutoMtls: false
    accessLogFile: "/dev/stdout"
    accessLogEncoding: 1
    # This is Apigee's custom access log format. Changes should not be made to this
    # unless first working with the Data and AX teams as they parse these logs for
    # SLOs.
    accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE
      _ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:
      METHOD)%
      %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RE
      SPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIV
      ED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response
      _flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_serv
      ice_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%
      ","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_
      path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol
      ":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_S
      ERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
    defaultConfig:
      proxyMetadata:
        GCP_METADATA: "hybrid-example|123456789123|example-cluster|us-central1" #
          {"$ref":"#/definitions/io.k8s.cli.substitutions.gke-metadata"}

  components:
    pilot:
      k8s:
        hpaSpec:
          maxReplicas: 2
    ingressGateways:
    - name: istio-ingressgateway
      enabled: true
      k8s:
        service:
          type: LoadBalancer
          loadBalancerIP: 123.234.56.78
          ports:
          - name: status-port
            port: 15020
            targetPort: 15020
          - name: http2
            port: 80
            targetPort: 80
          - name: https
            port: 443
          - name: prometheus
            port: 15030
            targetPort: 15030
          - name: tcp
            port: 31400
            targetPort: 31400
          - name: tls
            port: 15443
            targetPort: 15443
        hpaSpec:
          maxReplicas: 2
  values:
    .
    .
    .

Return now to the ASM documentation you used previously, and complete ASM installation (install or apply the istio-operator.yaml file to the cluster). When given a choice, choose PERMISSIVE mTLS.

Summary

You now have cert-manager and ASM installed, and you are ready to install the Apigee hybrid command line tool on your local machine.

1 2 (NEXT) Step 3: Install apigeectl 4 5