Langkah ini menjelaskan cara mendownload dan menginstal cert-manager dan Anthos Service Mesh (ASM), yang diperlukan agar Apigee Hybrid dapat beroperasi.
Menginstal cert-manager
Gunakan salah satu dari dua perintah berikut untuk menginstal cert-manager v0.14.2 dari GitHub.
Untuk menemukan versi Kubernetes, gunakan perintah kubectl version
.
- Jika Anda memiliki Kubernetes 1.15 atau yang lebih baru:
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.14.2/cert-manager.yaml
- Versi Kubernetes yang lebih lama dari 1.15:
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.14.2/cert-manager-legacy.yaml
Anda akan melihat respons bahwa namespace cert-manager dan beberapa resource cert-manager telah dibuat.
Menginstal ASM
Apigee hybrid menggunakan distribusi Istio yang disediakan dengan Anthos Service Mesh (ASM). Ikuti langkah-langkah berikut untuk menginstal ASM di cluster Anda.
Versi ASM yang didukung
Untuk penginstalan hybrid baru, instal ASM 1.6.x ke cluster Anda. Jika Anda mengupgrade dari versi campuran 1.2.x, instal ASM versi 1.5.x ke cluster Anda.
Melakukan langkah-langkah penyiapan dan konfigurasi ASM
Untuk menyelesaikan penginstalan ASM, Anda harus mengikuti langkah-langkah penyiapan dan konfigurasi khusus ASM terlebih dahulu dalam dokumentasi ASM. Kemudian, Anda harus kembali ke sini untuk menyelesaikan konfigurasi khusus hibrida sebelum menerapkan konfigurasi ke cluster.
- Ikuti langkah-langkah penyiapan dan konfigurasi ASM:
- Jika ini adalah penginstalan baru Apigee hybrid, instal ASM versi 1.6.x. Buka: Pengantar penginstalan dan migrasi.
- Jika Anda mengupgrade dari versi hybrid sebelumnya, gunakan ASM 1.5.x. Buka: Menginstal Anthos Service Mesh di cluster yang ada.
Setelah menyelesaikan langkah-langkah penyiapan dan konfigurasi ASM, buka bagian berikutnya untuk menyelesaikan langkah-langkah penginstalan ASM dan konfigurasi campuran.
Melakukan konfigurasi hybrid akhir dan menginstal ASM
Terakhir, tambahkan konfigurasi khusus campuran ke file istio-operator.yaml
dan
instal ASM.
-
Pastikan Anda berada di direktori utama penginstalan ASM. Misalnya:
1.6.11-asm.1
. - Buka file
./asm/cluster/istio-operator.yaml
di editor. - Tambahkan baris berikut yang diindentasi di bagian
spec.meshConfig:
:Teks yang akan disalin
# This disables Istio from configuring workloads for mTLS if TLSSettings are not specified. 1.4 defaulted to false. enableAutoMtls: false accessLogFile: "/dev/stdout" accessLogEncoding: 1 # This is Apigee's custom access log format. Changes should not be made to this # unless first working with the Data and AX teams as they parse these logs for # SLOs. accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
Contoh yang menampilkan penempatan
Jeda baris disisipkan untuk keterbacaan
apiVersion: install.istio.io/v1alpha1 kind: IstioOperator metadata: clusterName: "hybrid-example/us-central1/example-cluster" # {"$ref":"#/definitions/io.k8s.cli.substitutions.cluster-name"} spec: profile: asm hub: gcr.io/gke-release/asm # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.hub"} tag: 1.5.7-asm.0 # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.tag"} meshConfig: # This disables Istio from configuring workloads for mTLS if TLSSettings are not specified. # 1.4 defaulted to false. enableAutoMtls: false accessLogFile: "/dev/stdout" accessLogEncoding: 1 # This is Apigee's custom access log format. Changes should not be made to this # unless first working with the Data and AX teams as they parse these logs for # SLOs. accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE _ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(: METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RE SPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIV ED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response _flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_serv ice_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER% ","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_ path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol ":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_S ERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}' defaultConfig: proxyMetadata: GCP_METADATA: "hybrid-example|123456789123|example-cluster|us-central1" # {"$ref":"#/definitions/io.k8s.cli.substitutions.gke-metadata"}
- Tambahkan (atau perbarui) stanza
spec:components
dalam fileistio-operator.yaml
di bawah bagianmeshConfig:
dan tepat di atasvalues:
, dengan reserved_static_ip adalah alamat IP yang Anda cadangkan untuk gateway ingress runtime di Penyiapan Project dan Organisasi - Langkah 5: Konfigurasi Cloud DNS.Teks yang akan disalin
ingressGateways: - name: istio-ingressgateway enabled: true k8s: service: type: LoadBalancer loadBalancerIP: reserved_static_ip ports: - name: status-port port: 15020 targetPort: 15020 - name: http2 port: 80 targetPort: 80 - name: https port: 443 - name: prometheus port: 15030 targetPort: 15030 - name: tcp port: 31400 targetPort: 31400 - name: tls port: 15443 targetPort: 15443
Contoh yang menampilkan penempatan
Jeda baris disisipkan untuk keterbacaan
apiVersion: install.istio.io/v1alpha1 kind: IstioOperator metadata: clusterName: "hybrid-example/us-central1/example-cluster" # {"$ref":"#/definitions/io.k8s.cli.substitutions.cluster-name"} spec: profile: asm hub: gcr.io/gke-release/asm # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.hub"} tag: 1.5.7-asm.0 # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.tag"} meshConfig: # This disables Istio from configuring workloads for mTLS if TLSSettings are not specified. # 1.4 defaulted to false. enableAutoMtls: false accessLogFile: "/dev/stdout" accessLogEncoding: 1 # This is Apigee's custom access log format. Changes should not be made to this # unless first working with the Data and AX teams as they parse these logs for # SLOs. accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE _ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(: METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RE SPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIV ED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response _flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_serv ice_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER% ","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_ path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol ":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_S ERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}' defaultConfig: proxyMetadata: GCP_METADATA: "hybrid-example|123456789123|example-cluster|us-central1" # {"$ref":"#/definitions/io.k8s.cli.substitutions.gke-metadata"} components: pilot: k8s: hpaSpec: maxReplicas: 2 ingressGateways: - name: istio-ingressgateway enabled: true k8s: service: type: LoadBalancer loadBalancerIP: 123.234.56.78 ports: - name: status-port port: 15020 targetPort: 15020 - name: http2 port: 80 targetPort: 80 - name: https port: 443 - name: prometheus port: 15030 targetPort: 15030 - name: tcp port: 31400 targetPort: 31400 - name: tls port: 15443 targetPort: 15443 hpaSpec: maxReplicas: 2 values: . . .
- Sekarang, kembali ke dokumentasi ASM yang Anda gunakan sebelumnya, dan selesaikan penginstalan ASM
(instal atau terapkan file
istio-operator.yaml
ke cluster). Jika diberi pilihan, pilih PERMISSIVE mTLS.
Ringkasan
Sekarang Anda telah menginstal cert-manager dan ASM, dan Anda siap menginstal alat command line hybrid Apigee di komputer lokal.
1 2 (BERIKUTNYA) Langkah 3: Instal apigeectl 4 5