Step 5: Create service accounts and credentials

This step explains how to create the Google Cloud service accounts and TLS credentials that are required for Apigee hybrid to operate.

Create the service accounts

Apigee hybrid uses Google Cloud service accounts to allow hybrid components to communicate by making authorized API calls.

In this step, you use an Apigee hybrid command-line tool to create a set of service accounts and download the service account private key files.

To learn more about service accounts and read the full list of service accounts recommended for production environments, see the following:

Apigee provides a tool, create-service-account, that creates the service accounts, assigns the roles to the service accounts, and creates and downloads the key files for the service account in a single command. To learn about the related Google Cloud concepts, see Creating and managing service accounts and Creating and managing service account keys.

  1. Be sure that you are in the base_directory/hybrid-files directory you configured in Set up the project directory structure.
  2. Execute the following command from inside the hybrid-files directory. This command creates a service account for the apigee-metrics component and places the downloaded key in the ./service-accounts directory.
    ./tools/create-service-account apigee-metrics ./service-accounts

    When you see the following prompt, enter y:

    [INFO]: gcloud configured project ID is project_id.
     Press: y to proceed with creating service account in project: project_id
     Press: n to abort.

    If no service account with the name assigned by the tool exists yet, the tool simply creates it, and you do not have to do anything further.

    If, however, you see the following message and prompt, enter y to generate new keys:

    [INFO]: Service account apigee-metrics@project_id.iam.gserviceaccount.com already exists.
    ...
     [INFO]: The service account might have keys associated with it. It is recommended to use existing keys.
     Press: y to generate new keys.(this does not de-activate existing keys)
     Press: n to skip generating new keys.
    
  3. Now, create the rest of the service accounts using the following commands. The create-service-account command is interactive and requires a response for each account.
    ./tools/create-service-account apigee-synchronizer ./service-accounts
    ./tools/create-service-account apigee-udca ./service-accounts
    ./tools/create-service-account apigee-mart ./service-accounts
    ./tools/create-service-account apigee-cassandra ./service-accounts
    ./tools/create-service-account apigee-logger ./service-accounts
    ./tools/create-service-account apigee-watcher ./service-accounts
    ./tools/create-service-account apigee-distributed-trace ./service-accounts
  4. Verify that the service account keys were created using the following command. You are responsible for storing these private keys securely. The key filenames are prefixed with the name of your Google Cloud project.
    ls ./service-accounts

    The result should look something like the following:

    gcp-project-id-apigee-cassandra.json
    gcp-project-id-apigee-distributed-trace.json
    gcp-project-id-apigee-logger.json
    gcp-project-id-apigee-mart.json
    gcp-project-id-apigee-metrics.json
    gcp-project-id-apigee-synchronizer.json
    gcp-project-id-apigee-udca.json
    gcp-project-id-apigee-watcher.json
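    Because you are responsible for storing these private keys securely, it is worth checking, before going further, that all eight key files are present, belong to the expected service accounts, and are readable only by you. The following script is an added example (not part of the Apigee docs or the create-service-account tool); it assumes the DIR/PROJECT-<sa-name>.json naming shown above, and the sample key files it writes are constructed dummies for offline use.

```shell
#!/bin/sh
# Added example, not part of the Apigee hybrid docs or tooling.
# Verifies the service account key files downloaded by
# create-service-account and restricts them to owner read/write.
# Assumes the naming used in the step above: DIR/PROJECT-<sa-name>.json.

SA_NAMES="apigee-cassandra apigee-distributed-trace apigee-logger apigee-mart
apigee-metrics apigee-synchronizer apigee-udca apigee-watcher"

# check_sa_keys DIR PROJECT_ID
# Returns 0 only if every expected key file exists, is a service_account
# key for <sa>@PROJECT_ID.iam.gserviceaccount.com, carries a private key,
# and ends up with mode 600. Problems are printed, one per line.
check_sa_keys() {
  dir="$1"; project="$2"; rc=0
  for sa in $SA_NAMES; do
    f="$dir/$project-$sa.json"
    if [ ! -f "$f" ]; then
      echo "MISSING    $f"; rc=1; continue
    fi
    chmod 600 "$f"                         # private key: owner only
    [ -n "$(find "$f" -perm 600)" ] || { echo "PERMS      $f"; rc=1; }
    grep -q '"type": *"service_account"' "$f" ||
      { echo "NOT-SA-KEY $f"; rc=1; }
    grep -q "\"client_email\": *\"$sa@$project.iam.gserviceaccount.com\"" "$f" ||
      { echo "WRONG-SA   $f"; rc=1; }
    grep -q '"private_key": *"-----BEGIN PRIVATE KEY-----' "$f" ||
      { echo "NO-KEY     $f"; rc=1; }
  done
  return $rc
}

# make_sample_keys DIR PROJECT_ID
# Writes constructed, minimal key files (dummy private key) so the check
# can be exercised offline; real files come from create-service-account.
make_sample_keys() {
  mkdir -p "$1"
  for sa in $SA_NAMES; do
    printf '{\n  "type": "service_account",\n  "project_id": "%s",\n  "private_key": "-----BEGIN PRIVATE KEY-----\\nDUMMY\\n-----END PRIVATE KEY-----\\n",\n  "client_email": "%s@%s.iam.gserviceaccount.com"\n}\n' \
      "$2" "$sa" "$2" > "$1/$2-$sa.json"
    chmod 644 "$1/$2-$sa.json"   # deliberately too open; the check tightens it
  done
}
```

    Run it against the real directory with `check_sa_keys ./service-accounts your-project-id`; a non-zero exit means at least one key is missing, belongs to the wrong account, or is not a service account key.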

Create TLS certificates

You are required to provide TLS certificates for the runtime ingress gateway in your Apigee hybrid configuration. For the purpose of this quickstart (a non-production trial installation), the runtime gateway can accept self-signed credentials. In the following steps, openssl is used to generate the self-signed credentials.

In this step, you will create the TLS credential files and add them to the base_directory/hybrid-files/certs directory. In Step 6: Configure the cluster, you will add the file paths to the cluster configuration file.

  1. Be sure that you are in the base_directory/hybrid-files directory you configured in Set up the project directory structure.
  2. Make sure the domain name is saved in the DOMAIN environment variable. You can verify this with the following command, which should print the domain:
    echo $DOMAIN
  3. Execute the following command from inside the hybrid-files directory:
    openssl req -nodes -new -x509 -keyout ./certs/keystore.key -out \
        ./certs/keystore.pem -subj "/CN=$DOMAIN" -days 3650

    Where DOMAIN is the same one you used for your environment in Part 1, Step 5: Create an environment group.

    This command creates a self-signed certificate/key pair that you can use for the quickstart installation.

  4. Check to make sure the files are in the ./certs directory using the following command:
    ls ./certs
      keystore.pem
      keystore.key

    Where keystore.pem is the self-signed TLS certificate file and keystore.key is the key file.
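    Before adding these paths to the cluster configuration in the next step, it helps to confirm that the certificate's CN is the domain you intend to serve, that the key actually belongs to the certificate, and that the certificate is within its validity period. The following script is an added example (not from the Apigee docs); it assumes the keystore.pem / keystore.key names and the openssl command used above, and the pair it generates for offline use is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the Apigee docs: sanity-check the self-signed
# keystore.pem / keystore.key pair before wiring it into the cluster config.
# Assumes the file names and the openssl command used in the step above.

# check_tls_pair CERT KEY DOMAIN
# Returns 0 only if CERT is an X.509 cert whose CN is DOMAIN, KEY is a
# private key whose public half matches CERT, and CERT has not expired.
check_tls_pair() {
  cert="$1"; key="$2"; domain="$3"; rc=0
  subject=$(openssl x509 -in "$cert" -noout -subject 2>/dev/null) ||
    { echo "BAD-CERT     $cert"; return 1; }
  case "$subject" in
    *"CN = $domain"*|*"CN=$domain"*) ;;   # openssl 1.x vs 3.x spacing
    *) echo "CN-MISMATCH  want $domain, got: $subject"; rc=1 ;;
  esac
  # Compare the public keys derived from each file rather than the raw files,
  # so a key that merely looks plausible is still rejected.
  cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
    { echo "BAD-KEY      $key"; return 1; }
  [ "$cpub" = "$kpub" ] || { echo "KEY-MISMATCH $cert $key"; rc=1; }
  # -checkend 0 exits non-zero if the certificate is already expired
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
    { echo "EXPIRED      $cert"; rc=1; }
  return $rc
}

# make_sample_pair DIR DOMAIN
# Constructed sample pair for offline use, created with the same openssl
# command as the step above (DOMAIN stands in for $DOMAIN).
make_sample_pair() {
  mkdir -p "$1"
  openssl req -nodes -new -x509 -keyout "$1/keystore.key" \
    -out "$1/keystore.pem" -subj "/CN=$2" -days 3650 2>/dev/null
}
```

    Against the real files, run `check_tls_pair ./certs/keystore.pem ./certs/keystore.key "$DOMAIN"`; any printed line names what has to be fixed before the gateway will present the certificate you expect.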

You now have the service accounts and credentials needed to manage Apigee hybrid in your Kubernetes cluster. Next, you will create a file that is used by Kubernetes to deploy the hybrid runtime components to the cluster.
