This step explains how to download and install cert-manager and Anthos Service Mesh (ASM), which are required for Apigee hybrid to operate.
Install cert-manager
Use one of the following two commands to install cert-manager v0.14.2 from GitHub.
To find your Kubernetes version, use the kubectl version command.
- If you are using Kubernetes 1.15 or newer:
    kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.14.2/cert-manager.yaml
- Kubernetes versions older than 1.15:
    kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.14.2/cert-manager-legacy.yaml
You should see a response indicating that the cert-manager namespace and several cert-manager resources were created.
Install ASM
Apigee hybrid uses the Istio distribution provided with Anthos Service Mesh (ASM). Follow these steps to install ASM in your cluster.
Supported ASM versions
For new hybrid installations, install ASM 1.6.x into your cluster. If you are upgrading from hybrid version 1.2.x, install ASM version 1.5.x into your cluster.
Perform the ASM setup and configuration steps
To complete the ASM installation, you must first follow the ASM-specific setup and configuration steps in the ASM documentation. Then return here to complete the hybrid-specific configuration before applying the configuration to the cluster.
- Follow the ASM setup and configuration steps:
  - If this is a new installation of Apigee hybrid, install ASM version 1.6.x. Go to: Introduction to installation and migration.
  - If you are upgrading from a previous hybrid version, use ASM 1.5.x. Go to: Installing Anthos Service Mesh on an existing cluster.
After you complete the ASM setup and configuration steps, continue to the next section to finish the hybrid configuration steps and the ASM installation.
Perform the final hybrid configuration and install ASM
Finally, add the hybrid-specific configuration to the istio-operator.yaml file and install ASM.
- Make sure you are in the root directory of the ASM installation. For example: 1.6.11-asm.1.
- Open the file ./asm/cluster/istio-operator.yaml in an editor.
- Add the following lines, indented under spec.meshConfig:
  Text to copy
    # This disables Istio from configuring workloads for mTLS if TLSSettings are not specified. 1.4 defaulted to false.
    enableAutoMtls: false
    accessLogFile: "/dev/stdout"
    accessLogEncoding: 1
    # This is Apigee's custom access log format. Changes should not be made to this
    # unless first working with the Data and AX teams as they parse these logs for
    # SLOs.
    accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
  Example showing placement
  Line breaks inserted for readability
    apiVersion: install.istio.io/v1alpha1
    kind: IstioOperator
    metadata:
      clusterName: "hybrid-example/us-central1/example-cluster" # {"$ref":"#/definitions/io.k8s.cli.substitutions.cluster-name"}
    spec:
      profile: asm
      hub: gcr.io/gke-release/asm # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.hub"}
      tag: 1.5.7-asm.0 # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.tag"}
      meshConfig:
        # This disables Istio from configuring workloads for mTLS if TLSSettings are not specified.
        # 1.4 defaulted to false.
        enableAutoMtls: false
        accessLogFile: "/dev/stdout"
        accessLogEncoding: 1
        # This is Apigee's custom access log format. Changes should not be made to this
        # unless first working with the Data and AX teams as they parse these logs for
        # SLOs.
        accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE
        _ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:
        METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RE
        SPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIV
        ED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response
        _flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_serv
        ice_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%
        ","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_
        path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol
        ":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_S
        ERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
        defaultConfig:
          proxyMetadata:
            GCP_METADATA: "hybrid-example|123456789123|example-cluster|us-central1" # {"$ref":"#/definitions/io.k8s.cli.substitutions.gke-metadata"}
- Add (or update) the spec:components stanza in the istio-operator.yaml file, below the meshConfig: section and immediately above values:, where reserved_static_ip is the IP address you reserved for your runtime ingress gateway in Project and Org Setup - Step 5: Configure Cloud DNS.
  Text to copy
    ingressGateways:
      - name: istio-ingressgateway
        enabled: true
        k8s:
          service:
            type: LoadBalancer
            loadBalancerIP: reserved_static_ip
            ports:
              - name: status-port
                port: 15020
                targetPort: 15020
              - name: http2
                port: 80
                targetPort: 80
              - name: https
                port: 443
              - name: prometheus
                port: 15030
                targetPort: 15030
              - name: tcp
                port: 31400
                targetPort: 31400
              - name: tls
                port: 15443
                targetPort: 15443
  Example showing placement
  Line breaks inserted for readability
    apiVersion: install.istio.io/v1alpha1
    kind: IstioOperator
    metadata:
      clusterName: "hybrid-example/us-central1/example-cluster" # {"$ref":"#/definitions/io.k8s.cli.substitutions.cluster-name"}
    spec:
      profile: asm
      hub: gcr.io/gke-release/asm # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.hub"}
      tag: 1.5.7-asm.0 # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.tag"}
      meshConfig:
        # This disables Istio from configuring workloads for mTLS if TLSSettings are not specified.
        # 1.4 defaulted to false.
        enableAutoMtls: false
        accessLogFile: "/dev/stdout"
        accessLogEncoding: 1
        # This is Apigee's custom access log format. Changes should not be made to this
        # unless first working with the Data and AX teams as they parse these logs for
        # SLOs.
        accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE
        _ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:
        METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RE
        SPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIV
        ED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response
        _flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_serv
        ice_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%
        ","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_
        path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol
        ":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_S
        ERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
        defaultConfig:
          proxyMetadata:
            GCP_METADATA: "hybrid-example|123456789123|example-cluster|us-central1" # {"$ref":"#/definitions/io.k8s.cli.substitutions.gke-metadata"}
      components:
        pilot:
          k8s:
            hpaSpec:
              maxReplicas: 2
        ingressGateways:
          - name: istio-ingressgateway
            enabled: true
            k8s:
              service:
                type: LoadBalancer
                loadBalancerIP: 123.234.56.78
                ports:
                  - name: status-port
                    port: 15020
                    targetPort: 15020
                  - name: http2
                    port: 80
                    targetPort: 80
                  - name: https
                    port: 443
                  - name: prometheus
                    port: 15030
                    targetPort: 15030
                  - name: tcp
                    port: 31400
                    targetPort: 31400
                  - name: tls
                    port: 15443
                    targetPort: 15443
              hpaSpec:
                maxReplicas: 2
      values:
        . . .
- Now return to the ASM documentation you used earlier and complete the ASM installation (install or apply the istio-operator.yaml file to the cluster). If given the choice, select PERMISSIVE mTLS.
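A pre-apply check for the edits described above, as an added example that is not part of the Apigee or ASM documentation: it flags an accessLogFormat copied from the line-wrapped placement example and a loadBalancerIP still set to the reserved_static_ip placeholder. It inspects the file text with regular expressions rather than a YAML parser; the function name, the messages and the shortened sample file are assumptions made for illustration.

```python
import ipaddress
import json
import re

OPERATOR = re.compile(r"%[A-Z_]+(?:\([^)%\s]*\))?%")  # Envoy %NAME% or %NAME(ARG)%, no spaces

def check_operator_yaml(text):
    """Return a list of problems in istio-operator.yaml text (empty list = OK)."""
    problems = []
    if not re.search(r"^\s+enableAutoMtls:\s*false\s*$", text, re.M):
        problems.append("enableAutoMtls is not set to false")
    fmt = re.search(r"^\s+accessLogFormat:\s*'(.*)'\s*$", text, re.M)
    if not fmt:
        problems.append("accessLogFormat is missing or wrapped over several lines")
    else:
        try:
            fields = {k: str(v) for k, v in json.loads(fmt.group(1)).items()}
        except (ValueError, AttributeError):
            fields = {}
            problems.append("accessLogFormat is not a valid JSON object")
        for key, value in fields.items():
            leftover = OPERATOR.sub("", value)  # what remains once operators are removed
            if " " in key or value != value.strip() or "%" in leftover:
                problems.append(f"accessLogFormat field {key!r} is damaged")
    ip = re.search(r"^\s+loadBalancerIP:\s*(\S+)\s*$", text, re.M)
    try:
        ipaddress.ip_address(ip.group(1) if ip else "")
    except ValueError:
        problems.append("loadBalancerIP is not a literal IP address")
    return problems

# Constructed sample: a shortened format string and a minimal file skeleton.
GOOD_FORMAT = '{"request":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","status":"%RESPONSE_CODE%"}'
SKELETON = """spec:
  meshConfig:
    enableAutoMtls: false
    accessLogFormat: '{fmt}'
  components:
    ingressGateways:
      - name: istio-ingressgateway
        k8s:
          service:
            loadBalancerIP: {ip}
"""

if __name__ == "__main__":
    wrapped = GOOD_FORMAT.replace("%RESPONSE_CODE%", "%RE SPONSE_CODE%")  # collapsed wrap
    print(check_operator_yaml(SKELETON.format(fmt=GOOD_FORMAT, ip="123.234.56.78")))
    print(check_operator_yaml(SKELETON.format(fmt=wrapped, ip="reserved_static_ip")))
```

Run it against the edited ./asm/cluster/istio-operator.yaml before applying the file; an empty list means none of these three mistakes is present.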
Summary
You have now installed cert-manager and ASM, and are ready to install the Apigee hybrid command-line tool on your local computer.