Step 3: Install ASM

Stay organized with collections Save and categorize content based on your preferences.

Install ASM

Apigee hybrid uses the Istio distribution provided with Anthos Service Mesh (ASM). Follow these steps to install ASM in your cluster.

Supported ASM versions

See Apigee hybrid: supported platforms for the ASM versions supported in hybrid version 1.5.

Perform ASM setup and configuration steps

To complete the ASM installation, you must first follow ASM-specific setup and configuration steps in the ASM documentation. Then, you must return here to complete the hybrid-specific configuration before applying the configuration to the cluster.

The instructions to install and configure ASM are different depending on your platform. The platforms are divided into the following categories:

  • GKE: Google Kubernetes Engine clusters running on Google Cloud.
  • Outside Google Cloud: Anthos clusters running on:
    • Anthos clusters on VMware (GKE on-prem)
    • Anthos on bare metal
    • Anthos clusters on AWS
    • Amazon EKS
  • Other Kubernetes Platforms: Conformant clusters created and running on:
    • AKS
    • EKS
    • OpenShift

GKE

Prepare to install ASM

  1. Check the environment variables you will need for the following steps, and set them if you you need to:
    echo ${PROJECT_ID}
    echo ${CLUSTER_NAME}
    echo ${CLUSTER_LOCATION}
  2. Create an overlay file named overlay.yaml with the following contents:
    apiVersion: install.istio.io/v1alpha1
    kind: IstioOperator
    spec:
      components:
        ingressGateways:
          - name: istio-ingressgateway
            enabled: true
            k8s:
              nodeSelector:
                # default node selector, if different or not using node selectors, change accordingly.
                cloud.google.com/gke-nodepool: apigee-runtime
              resources:
                requests:
                  cpu: 1000m
              service:
                type: LoadBalancer
                loadBalancerIP: STATIC_IP # If you do not have a reserved static IP, leave this out.
                ports:
                  - name: http-status-port
                    port: 15021
                  - name: http2
                    port: 80
                    targetPort: 8080
                  - name: https
                    port: 443
                    targetPort: 8443
    
    • apigee-runtime is the default value for the node selector. This is the apigee-runtime node pool you created in Step 1: Create a cluster. If you are using a different node selector or are not using one, change or omit the nodeSelector property.
    • STATIC_IP is the IP address for your load balancer. If you have not set one, omit the loadBalancerIP property, but keep the type and ports properties.
  3. Follow the instructions to prepare to install ASM:
    1. Anthos prerequisites.
    2. Permissions required to install Anthos Service Mesh.
    3. Plan an installation.
  4. Install asmcli and any required tools like git, kubectl, and jq, following the instructions in Install required tools.
  5. Proceed through the step to Grant cluster admin permissions and stop. Do not perform the "Validate project and cluster" step.
  6. Install ASM with optional features. Specify the legacy ingress gateway with --option legacy-default-ingressgateway. for example:
    ./asmcli install \
      --verbose \
      --project_id $PROJECT_ID \
      --cluster_name $CLUSTER_NAME \
      --cluster_location $CLUSTER_LOCATION \
      --output_dir dir_path \
      --custom_overlay overlay.yaml \
      --enable_all \
      --option legacy-default-ingressgateway
    • dir_path is the output directory where you want asmcli to set up your the ASM installation, including all subdirectories.
    • overlay.yaml is the overlay file you created in the previous steps.

    Use these settings when following the instructions in Install with optional features.

Troubleshooting

If you encounter an error at refers to gcloud container hub memberships register, you may have exceeded the maximum number of clusters registered with GKE Hub. For example:

asmcli_1.12: [WARNING]:  Command 'run_command gcloud
container hub memberships register my-hybrid-example
...' failed.

Try the following steps to remedy this error and then run asmcli install again:

  1. List the GKE Hub memberships for your project:
    gcloud container hub memberships list --project=$PROJECT_ID
  2. Delete the GKE Hub memberships:
    gcloud container hub memberships delete "membership" --project=$PROJECT_ID

For more information about GKE Hub limits, see Quotas and limits.

Outside Google Cloud

These instructions are for installing and setting up ASM for Apigee hybrid instances using Anthos to run on:

  • Anthos clusters on VMware (GKE on-prem)
  • Anthos on bare metal
  • Anthos clusters on AWS
  • Amazon EKS

Prepare to install ASM

  1. Check the environment variables you will need for the following steps, and set them if you you need to:
    echo ${PROJECT_ID}
    echo ${CLUSTER_NAME}
    echo ${CLUSTER_LOCATION}
  2. Create an overlay file named overlay.yaml with the following contents:
    apiVersion: install.istio.io/v1alpha1
    kind: IstioOperator
    spec:
      components:
        ingressGateways:
          - name: istio-ingressgateway
            enabled: true
            k8s:
              nodeSelector:
                # default node selector, if different or not using node selectors, change accordingly.
                cloud.google.com/gke-nodepool: apigee-runtime
              resources:
                requests:
                  cpu: 1000m
              service:
                type: LoadBalancer
                loadBalancerIP: STATIC_IP # If you do not have a reserved static IP, leave this out.
                ports:
                  - name: http-status-port
                    port: 15021
                  - name: http2
                    port: 80
                    targetPort: 8080
                  - name: https
                    port: 443
                    targetPort: 8443
    
      meshConfig:
        accessLogFormat:
          '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
    
    • apigee-runtime is the default value for the node selector. This is the apigee-runtime node pool you created in Step 1: Create a cluster. If you are using a different node selector or are not using one, change or omit the nodeSelector property.
    • STATIC_IP is the IP address for your load balancer. If you have not set one, omit the loadBalancerIP property, but keep the type and ports properties.
  3. Follow the instructions to prepare to install ASM:
    1. Anthos prerequisites.
    2. Permissions required to install Anthos Service Mesh.
    3. Plan an installation.
  4. Install asmcli and any required tools like git, kubectl, and jq, following the instructions in Install required tools.
  5. Proceed through the step to Grant cluster admin permissions and stop. Do not perform the "Validate project and cluster" step.
  6. Install ASM with optional features. Specify the legacy ingress gateway with --option legacy-default-ingressgateway. for example:
    ./asmcli install \
      --verbose \
      --project_id $PROJECT_ID \
      --cluster_name $CLUSTER_NAME \
      --cluster_location $CLUSTER_LOCATION \
      --output_dir dir_path \
      --custom_overlay overlay.yaml \
      --enable_all \
      --option legacy-default-ingressgateway
    • dir_path is the output directory where you want asmcli to set up your the ASM installation, including all subdirectories.
    • overlay.yaml is the overlay file you created in the previous steps.

    Use these settings when following the instructions in Install with optional features.

Troubleshooting

If you encounter an error at refers to gcloud container hub memberships register, you may have exceeded the maximum number of clusters registered with GKE Hub. For example:

asmcli_1.12: [WARNING]:  Command 'run_command gcloud
container hub memberships register my-hybrid-example
...' failed.

Try the following steps to remedy this error and then run asmcli install again:

  1. List the GKE Hub memberships for your project:
    gcloud container hub memberships list --project=$PROJECT_ID
  2. Delete the GKE Hub memberships:
    gcloud container hub memberships delete "membership" --project=$PROJECT_ID

For more information about GKE Hub limits, see Quotas and limits.

GKE on other platforms

These instructions are for installing and setting up ASM for Apigee hybrid instances using Anthos to run on:

  • GKE on-prem (Anthos)
  • Anthos on bare metal
  • GKE on AWS

Read the following steps carefully before you begin. We will ask you to perform some of the steps listed in the ASM documentation, then return here to complete the installation.

  1. Download and unzip istioctlaccording to the the instructions in the ASM documentation: Downloading the installation file.
  2. Depending on the certificate authority you plan to use, install ASM by following the instructions in one of the following sections:
    1. Using Mesh CA: Installing Anthos Service Mesh with Mesh CA
    2. Supplying your own certificates with Istio CA: Installing Anthos Service Mesh with Istio CA
  3. Configure the validating webhook with the instructions in Configuring the validating webhook.
  4. Check the control plane components with the instructinos in Checking the control plane components.

    Do not continue with "Injecting sidecar proxies."

Other Kubernetes platforms

AKS

Set up and download ASM

Read the following steps carefully before you begin. We will ask you to perform some of the steps listed in the ASM documentation, then return here to complete the installation.

This guide explains how to do a clean installation of Anthos Service Mesh (ASM) version 1.12.9-asm.0 on Anthos attached clusters. Use this guide to install Anthos Service Mesh on the following environments:

  • Amazon Elastic Kubernetes Service (Amazon EKS) on Kubernetes
  • Microsoft Azure Kubernetes Service (Microsoft AKS) on Kubernetes
  • Red Hat OpenShift

Preparing to install Anthos Service Mesh

    Linux

  1. Download the Anthos Service Mesh installation file to your current working directory:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.0-linux-amd64.tar.gz
  2. Download the signature file and use openssl to verify the signature:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.0-linux-amd64.tar.gz.1.sig
    openssl dgst -verify /dev/stdin -signature istio-1.12.9-asm.0-linux-amd64.tar.gz.1.sig istio-1.12.9-asm.0-linux-amd64.tar.gz <<'EOF'
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
    wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
    -----END PUBLIC KEY-----
    EOF
    
  3. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
    tar xzf istio-1.12.9-asm.0-linux-amd64.tar.gz

    The command creates an installation directory in your current working directory named istio-1.12.9-asm.0 that contains:

    • Sample applications in the samples directory.
    • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
    • The Anthos Service Mesh configuration profiles are in the manifests/profiles directory.
  4. Ensure that you're in the Anthos Service Mesh installation's root directory:
    cd istio-1.12.9-asm.0
  5. For convenience, add the tools in the /bin directory to your PATH:
    export PATH=$PWD/bin:$PATH
  6. Mac OS

  7. Download the Anthos Service Mesh installation file to your current working directory:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.0-osx.tar.gz
  8. Download the signature file and use openssl to verify the signature:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.0-osx.tar.gz.1.sig
    openssl dgst -sha256 -verify /dev/stdin -signature istio-1.12.9-asm.0-osx.tar.gz.1.sig istio-1.12.9-asm.0-osx.tar.gz <<'EOF'
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
    wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
    -----END PUBLIC KEY-----
    EOF
    
  9. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
    tar xzf istio-1.12.9-asm.0-osx.tar.gz

    The command creates an installation directory in your current working directory named istio-1.12.9-asm.0 that contains:

    • Sample applications in the samples directory.
    • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
    • The Anthos Service Mesh configuration profiles are in the manifests/profiles directory.
  10. Ensure that you're in the Anthos Service Mesh installation's root directory:
    cd istio-1.12.9-asm.0
  11. For convenience, add the tools in the /bin directory to your PATH:
    export PATH=$PWD/bin:$PATH
  12. Windows

  13. Download the Anthos Service Mesh installation file to your current working directory:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.0-win.zip
  14. Download the signature file and use openssl to verify the signature:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.0-win.zip.1.sig
    openssl dgst -verify - -signature istio-1.12.9-asm.0-win.zip.1.sig istio-1.12.9-asm.0-win.zip <<'EOF'
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
    wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
    -----END PUBLIC KEY-----
    EOF
    
  15. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
    tar xzf istio-1.12.9-asm.0-win.zip

    The command creates an installation directory in your current working directory named istio-1.12.9-asm.0 that contains:

    • Sample applications in the samples directory.
    • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
    • The Anthos Service Mesh configuration profiles are in the manifests\profiles directory.
  16. Ensure that you're in the Anthos Service Mesh installation's root directory:
    cd istio-1.12.9-asm.0
  17. For convenience, add the tools in the \bin directory to your PATH:
    set PATH=%CD%\bin:%PATH%
  18. Now that ASM Istio is installed, check the version of istioctl:
    istioctl version
  19. Create a namespace called istio-system for the control plane components:
    kubectl create namespace istio-system

Installing Anthos Service Mesh

  1. Install Anthos Service Mesh with istioctl using the asm-multicloud profile:
    istioctl install \
        --set profile=asm-multicloud \
        --set revision="asm-1129-0"

    The --set revision argument adds a revision label in the format istio.io/rev=asm-1129-0 to istiod. The revision label is used by the automatic sidecar injector webhook to associate injected sidecars with a particular istiod revision. To enable sidecar auto-injection for a namespace, you must label it with a revision that matches the label on istiod.

  2. Check that the istiod pods are running with kubectl get pods:
    kubectl get pods -n istio-system

    Your output should look something like:

    NAME                                      READY   STATUS    RESTARTS   AGE
    istio-ingressgateway-88b6fd976-flgp2  1/1     Running   0          3m13s
    istio-ingressgateway-88b6fd976-p5dl9  1/1     Running   0          2m57s
    istiod-asm-1129-0-dbfb7c7b6-2ls88      1/1     Running   0          3m21s
    istiod-asm-1129-0-dbfb7c7b6-fnj8c      1/1     Running   1          3m21s
    
  3. Verify that your install completed:
    kubectl get svc -n istio-system

    Your output should look something like:

    NAME                  TYPE           CLUSTER-IP       EXTERNAL-IP     PORT(S)                                                                      AGE
    istio-ingressgateway  LoadBalancer   172.200.48.52    34.74.177.168   15021:30479/TCP,80:30030/TCP,443:32200/TCP,15012:32297/TCP,15443:30244/TCP   3m35s
    istiod                ClusterIP      172.200.18.133   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP                                        4m46s
    istiod-asm-1129-0      ClusterIP      172.200.63.220   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP                                        3m43s
    

Configure the validating webhook

When you install Anthos Service Mesh, you set a revision label on istiod. You need to set the same revision on the validating webhook.

  1. Create a file called istiod-service.yaml with the following contents:
    apiVersion: v1
    kind: Service
    metadata:
      name: istiod
      namespace: istio-system
      labels:
        istio.io/rev: asm-1129-0
        app: istiod
        istio: pilot
        release: istio
    spec:
      ports:
        - port: 15010
          name: grpc-xds # plaintext
          protocol: TCP
        - port: 15012
          name: https-dns # mTLS with k8s-signed cert
          protocol: TCP
        - port: 443
          name: https-webhook # validation and injection
          targetPort: 15017
          protocol: TCP
        - port: 15014
          name: http-monitoring # prometheus stats
          protocol: TCP
      selector:
        app: istiod
        istio.io/rev: asm-1129-0
      meshConfig:
        accessLogFormat:
          '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
    
  2. Use kubectl to apply the validating webhook configuration:
    kubectl apply -f istiod-service.yaml
  3. Verify that the configuration was applied:
    kubectl get svc -n istio-system

    The response should look similar to:

    NAME     TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                                 AGE
    istiod   ClusterIP   172.200.18.133   <none>        15010/TCP,15012/TCP,443/TCP,15014/TCP   22s
    

EKS

Set up and download ASM

Read the following steps carefully before you begin. We will ask you to perform some of the steps listed in the ASM documentation, then return here to complete the installation.

This guide explains how to do a clean installation of Anthos Service Mesh (ASM) version 1.12.9-asm.0 on Anthos attached clusters. Use this guide to install Anthos Service Mesh on the following environments:

  • Amazon Elastic Kubernetes Service (Amazon EKS) on Kubernetes
  • Microsoft Azure Kubernetes Service (Microsoft AKS) on Kubernetes
  • Red Hat OpenShift

Preparing to install Anthos Service Mesh

    Linux

  1. Download the Anthos Service Mesh installation file to your current working directory:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.0-linux-amd64.tar.gz
  2. Download the signature file and use openssl to verify the signature:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.0-linux-amd64.tar.gz.1.sig
    openssl dgst -verify /dev/stdin -signature istio-1.12.9-asm.0-linux-amd64.tar.gz.1.sig istio-1.12.9-asm.0-linux-amd64.tar.gz <<'EOF'
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
    wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
    -----END PUBLIC KEY-----
    EOF
    
  3. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
    tar xzf istio-1.12.9-asm.0-linux-amd64.tar.gz

    The command creates an installation directory in your current working directory named istio-1.12.9-asm.0 that contains:

    • Sample applications in the samples directory.
    • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
    • The Anthos Service Mesh configuration profiles are in the manifests/profiles directory.
  4. Ensure that you're in the Anthos Service Mesh installation's root directory:
    cd istio-1.12.9-asm.0
  5. For convenience, add the tools in the /bin directory to your PATH:
    export PATH=$PWD/bin:$PATH
  6. Mac OS

  7. Download the Anthos Service Mesh installation file to your current working directory:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.0-osx.tar.gz
  8. Download the signature file and use openssl to verify the signature:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.0-osx.tar.gz.1.sig
    openssl dgst -sha256 -verify /dev/stdin -signature istio-1.12.9-asm.0-osx.tar.gz.1.sig istio-1.12.9-asm.0-osx.tar.gz <<'EOF'
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
    wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
    -----END PUBLIC KEY-----
    EOF
    
  9. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
    tar xzf istio-1.12.9-asm.0-osx.tar.gz

    The command creates an installation directory in your current working directory named istio-1.12.9-asm.0 that contains:

    • Sample applications in the samples directory.
    • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
    • The Anthos Service Mesh configuration profiles are in the manifests/profiles directory.
  10. Ensure that you're in the Anthos Service Mesh installation's root directory:
    cd istio-1.12.9-asm.0
  11. For convenience, add the tools in the /bin directory to your PATH:
    export PATH=$PWD/bin:$PATH
  12. Windows

  13. Download the Anthos Service Mesh installation file to your current working directory:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.0-win.zip
  14. Download the signature file and use openssl to verify the signature:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.0-win.zip.1.sig
    openssl dgst -verify - -signature istio-1.12.9-asm.0-win.zip.1.sig istio-1.12.9-asm.0-win.zip <<'EOF'
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
    wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
    -----END PUBLIC KEY-----
    EOF
    
  15. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
    tar xzf istio-1.12.9-asm.0-win.zip

    The command creates an installation directory in your current working directory named istio-1.12.9-asm.0 that contains:

    • Sample applications in the samples directory.
    • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
    • The Anthos Service Mesh configuration profiles are in the manifests\profiles directory.
  16. Ensure that you're in the Anthos Service Mesh installation's root directory:
    cd istio-1.12.9-asm.0
  17. For convenience, add the tools in the \bin directory to your PATH:
    set PATH=%CD%\bin:%PATH%
  18. Now that ASM Istio is installed, check the version of istioctl:
    istioctl version
  19. Create a namespace called istio-system for the control plane components:
    kubectl create namespace istio-system

Installing Anthos Service Mesh

  1. Install Anthos Service Mesh with istioctl using the asm-multicloud profile:
    istioctl install \
        --set profile=asm-multicloud \
        --set revision="asm-1129-0"

    The --set revision argument adds a revision label in the format istio.io/rev=asm-1129-0 to istiod. The revision label is used by the automatic sidecar injector webhook to associate injected sidecars with a particular istiod revision. To enable sidecar auto-injection for a namespace, you must label it with a revision that matches the label on istiod.

  2. Check that the istiod pods are running with kubectl get pods:
    kubectl get pods -n istio-system

    Your output should look something like:

    NAME                                      READY   STATUS    RESTARTS   AGE
    istio-ingressgateway-88b6fd976-flgp2  1/1     Running   0          3m13s
    istio-ingressgateway-88b6fd976-p5dl9  1/1     Running   0          2m57s
    istiod-asm-1129-0-dbfb7c7b6-2ls88      1/1     Running   0          3m21s
    istiod-asm-1129-0-dbfb7c7b6-fnj8c      1/1     Running   1          3m21s
    
  3. Verify that your install completed:
    kubectl get svc -n istio-system

    Your output should look something like:

    NAME                  TYPE           CLUSTER-IP       EXTERNAL-IP     PORT(S)                                                                      AGE
    istio-ingressgateway  LoadBalancer   172.200.48.52    34.74.177.168   15021:30479/TCP,80:30030/TCP,443:32200/TCP,15012:32297/TCP,15443:30244/TCP   3m35s
    istiod                ClusterIP      172.200.18.133   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP                                        4m46s
    istiod-asm-1129-0      ClusterIP      172.200.63.220   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP                                        3m43s
    

Configure the validating webhook

When you install Anthos Service Mesh, you set a revision label on istiod. You need to set the same revision on the validating webhook.

  1. Create a file called istiod-service.yaml with the following contents:
    apiVersion: v1
    kind: Service
    metadata:
      name: istiod
      namespace: istio-system
      labels:
        istio.io/rev: asm-1129-0
        app: istiod
        istio: pilot
        release: istio
    spec:
      ports:
        - port: 15010
          name: grpc-xds # plaintext
          protocol: TCP
        - port: 15012
          name: https-dns # mTLS with k8s-signed cert
          protocol: TCP
        - port: 443
          name: https-webhook # validation and injection
          targetPort: 15017
          protocol: TCP
        - port: 15014
          name: http-monitoring # prometheus stats
          protocol: TCP
      selector:
        app: istiod
        istio.io/rev: asm-1129-0
      meshConfig:
        accessLogFormat:
          '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
    
  2. Use kubectl to apply the validating webhook configuration:
    kubectl apply -f istiod-service.yaml
  3. Verify that the configuration was applied:
    kubectl get svc -n istio-system

    The response should look similar to:

    NAME     TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                                 AGE
    istiod   ClusterIP   172.200.18.133   <none>        15010/TCP,15012/TCP,443/TCP,15014/TCP   22s
    

OpenShift

Set up and download ASM

Read the following steps carefully before you begin. We will ask you to perform some of the steps listed in the ASM documentation, then return here to complete the installation.

This guide explains how to do a clean installation of Anthos Service Mesh (ASM) version 1.12.9-asm.0 on Anthos attached clusters. Use this guide to install Anthos Service Mesh on the following environments:

  • Amazon Elastic Kubernetes Service (Amazon EKS) on Kubernetes
  • Microsoft Azure Kubernetes Service (Microsoft AKS) on Kubernetes
  • Red Hat OpenShift

Preparing to install Anthos Service Mesh

    Linux

  1. Grant the anyuid security context constraint (SCC) to the istio-system with the following oc command:
    oc adm policy add-scc-to-group anyuid system:serviceaccounts:istio-system
  2. Download the Anthos Service Mesh installation file to your current working directory:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.0-linux-amd64.tar.gz
  3. Download the signature file and use openssl to verify the signature:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.0-linux-amd64.tar.gz.1.sig
    openssl dgst -verify /dev/stdin -signature istio-1.12.9-asm.0-linux-amd64.tar.gz.1.sig istio-1.12.9-asm.0-linux-amd64.tar.gz <<'EOF'
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
    wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
    -----END PUBLIC KEY-----
    EOF
    
  4. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
    tar xzf istio-1.12.9-asm.0-linux-amd64.tar.gz

    The command creates an installation directory in your current working directory named istio-1.12.9-asm.0 that contains:

    • Sample applications in the samples directory.
    • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
    • The Anthos Service Mesh configuration profiles are in the manifests/profiles directory.
  5. Ensure that you're in the Anthos Service Mesh installation's root directory:
    cd istio-1.12.9-asm.0
  6. For convenience, add the tools in the /bin directory to your PATH:
    export PATH=$PWD/bin:$PATH
  7. Mac OS

  8. Grant the anyuid security context constraint (SCC) to the istio-system with the following oc command:
    oc adm policy add-scc-to-group anyuid system:serviceaccounts:istio-system
  9. Download the Anthos Service Mesh installation file to your current working directory:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.0-osx.tar.gz
  10. Download the signature file and use openssl to verify the signature:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.0-osx.tar.gz.1.sig
    openssl dgst -sha256 -verify /dev/stdin -signature istio-1.12.9-asm.0-osx.tar.gz.1.sig istio-1.12.9-asm.0-osx.tar.gz <<'EOF'
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
    wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
    -----END PUBLIC KEY-----
    EOF
    
  11. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
    tar xzf istio-1.12.9-asm.0-osx.tar.gz

    The command creates an installation directory in your current working directory named istio-1.12.9-asm.0 that contains:

    • Sample applications in the samples directory.
    • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
    • The Anthos Service Mesh configuration profiles are in the manifests/profiles directory.
  12. Ensure that you're in the Anthos Service Mesh installation's root directory:
    cd istio-1.12.9-asm.0
  13. For convenience, add the tools in the /bin directory to your PATH:
    export PATH=$PWD/bin:$PATH
  14. Windows

  15. Grant the anyuid security context constraint (SCC) to the istio-system with the following OpenShift CLI (oc) command:
    oc adm policy add-scc-to-group anyuid system:serviceaccounts:istio-system
  16. Download the Anthos Service Mesh installation file to your current working directory:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.0-win.zip
  17. Download the signature file and use openssl to verify the signature:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.0-win.zip.1.sig
    openssl dgst -verify - -signature istio-1.12.9-asm.0-win.zip.1.sig istio-1.12.9-asm.0-win.zip <<'EOF'
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
    wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
    -----END PUBLIC KEY-----
    EOF
    
  18. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
    tar xzf istio-1.12.9-asm.0-win.zip

    The command creates an installation directory in your current working directory named istio-1.12.9-asm.0 that contains:

    • Sample applications in the samples directory.
    • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
    • The Anthos Service Mesh configuration profiles are in the manifests\profiles directory.
  19. Ensure that you're in the Anthos Service Mesh installation's root directory:
    cd istio-1.12.9-asm.0
  20. For convenience, add the tools in the \bin directory to your PATH:
    set PATH=%CD%\bin:%PATH%
  21. Now that ASM Istio is installed, check the version of istioctl:
    istioctl version
  22. Create a namespace called istio-system for the control plane components:
    kubectl create namespace istio-system

Installing Anthos Service Mesh

  1. Install Anthos Service Mesh with istioctl using the asm-multicloud profile:
    istioctl install \
        --set profile=asm-multicloud \
        --set revision="asm-1129-0"

    The --set revision argument adds a revision label in the format istio.io/rev=asm-1129-0 to istiod. The revision label is used by the automatic sidecar injector webhook to associate injected sidecars with a particular istiod revision. To enable sidecar auto-injection for a namespace, you must label it with a revision that matches the label on istiod.

  2. Check that the istiod pods are running with kubectl get pods:
    kubectl get pods -n istio-system

    Your output should look something like:

    NAME                                      READY   STATUS    RESTARTS   AGE
    istio-ingressgateway-88b6fd976-flgp2  1/1     Running   0          3m13s
    istio-ingressgateway-88b6fd976-p5dl9  1/1     Running   0          2m57s
    istiod-asm-1129-0-dbfb7c7b6-2ls88      1/1     Running   0          3m21s
    istiod-asm-1129-0-dbfb7c7b6-fnj8c      1/1     Running   1          3m21s
    
  3. Verify that your install completed:
    kubectl get svc -n istio-system

    Your output should look something like:

    NAME                  TYPE           CLUSTER-IP       EXTERNAL-IP     PORT(S)                                                                      AGE
    istio-ingressgateway  LoadBalancer   172.200.48.52    34.74.177.168   15021:30479/TCP,80:30030/TCP,443:32200/TCP,15012:32297/TCP,15443:30244/TCP   3m35s
    istiod                ClusterIP      172.200.18.133   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP                                        4m46s
    istiod-asm-1129-0      ClusterIP      172.200.63.220   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP                                        3m43s
    

Configure the validating webhook

When you install Anthos Service Mesh, you set a revision label on istiod. You need to set the same revision on the validating webhook.

  1. Create a file called istiod-service.yaml with the following contents:
    apiVersion: v1
    kind: Service
    metadata:
      name: istiod
      namespace: istio-system
      labels:
        istio.io/rev: asm-1129-0
        app: istiod
        istio: pilot
        release: istio
    spec:
      ports:
        - port: 15010
          name: grpc-xds # plaintext
          protocol: TCP
        - port: 15012
          name: https-dns # mTLS with k8s-signed cert
          protocol: TCP
        - port: 443
          name: https-webhook # validation and injection
          targetPort: 15017
          protocol: TCP
        - port: 15014
          name: http-monitoring # prometheus stats
          protocol: TCP
      selector:
        app: istiod
        istio.io/rev: asm-1129-0
      meshConfig:
        accessLogFormat:
          '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
    
  2. Use kubectl to apply the validating webhook configuration:
    kubectl apply -f istiod-service.yaml
  3. Verify that the configuration was applied:
    kubectl get svc -n istio-system

    The response should look similar to:

    NAME     TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                                 AGE
    istiod   ClusterIP   172.200.18.133   <none>        15010/TCP,15012/TCP,443/TCP,15014/TCP   22s
    

Customizing the ASM installation

The ASM installation you just performed is a minimal installation, sufficient to test and use Apigee hybrid for basic use cases. For information on addressing more advanced use cases, such as adding, removing, or modifying load balancer port numbers, see Enabling optional features.

Summary

You now have cert-manager and ASM installed, and you are ready to install the Apigee hybrid command line tool on your local machine.

Next step

1 2 3 (NEXT) Step 4: Install apigeectl 5 6 7 8 9