Step 3: Install ASM

Install ASM

Apigee hybrid uses the Istio distribution provided with Anthos Service Mesh (ASM). Follow these steps to install ASM in your cluster.

Supported ASM versions

For all hybrid version 1.5.6 installations, install ASM version 1.8.x.

Perform ASM setup and configuration steps

To complete the ASM installation, you must first follow ASM-specific setup and configuration steps in the ASM documentation. Then, you must return here to complete the hybrid-specific configuration before applying the configuration to the cluster.

The instructions to install and configure ASM differ depending on your platform. Choose the steps for your platform below:

GKE

  1. Follow the ASM setup and configuration steps:

    Install the ASM version 1.8.x. Go to: Installing Anthos Service Mesh.

    Follow the steps in:

    1. Before you begin
    2. Installing Anthos Service Mesh
    3. Under Examples run Only validate
    4. Then return to these instructions.
  2. When you have completed the ASM setup and config steps, go to the next section to complete the hybrid configuration and ASM installation steps.

Perform final hybrid configuration and install ASM

Finally, add hybrid-specific configurations to the istio-operator.yaml file and install ASM.

  1. Ensure that you're in the ASM installation's root directory. For example: 1.8.6-asm.1. This should match the OUTPUT_DIR you specified with the --output_dir option of install_asm.
  2. Open the OUTPUT_DIR/asm/istio/istio-operator.yaml file in an editor.
  3. Add the following lines indented under spec.meshConfig: to set spec.meshConfig.accessLogFile, spec.meshConfig.accessLogEncoding, and spec.meshConfig.accessLogFormat to the values used by Apigee hybrid:

    Text to copy

        accessLogFile: "/dev/stdout"
        accessLogEncoding: 1
        # This is Apigee's custom access log format. Changes should not be made to this
        # unless first working with the Data and AX teams as they parse these logs for
        # SLOs.
        accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)%
          %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'

    Example showing placement

    Line breaks inserted for readability

    apiVersion: install.istio.io/v1alpha1
    kind: IstioOperator
    metadata:
      clusterName: "hybrid-example/us-central1/example-cluster" # {"$ref":"#/definitions/io.k8s.cli.substitutions.cluster-name"}
    spec:
      profile: asm
      hub: gcr.io/gke-release/asm # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.hub"}
      tag: 1.5.7-asm.0 # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.tag"}
      meshConfig:
        accessLogFile: "/dev/stdout"
        accessLogEncoding: 1
        # This is Apigee's custom access log format. Changes should not be made to this
        # unless first working with the Data and AX teams as they parse these logs for
        # SLOs.
        accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE
          _ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:
          METHOD)%
          %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RE
          SPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIV
          ED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response
          _flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_serv
          ice_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%
          ","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_
          path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol
          ":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_S
          ERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
        defaultConfig:
          proxyMetadata:
            GCP_METADATA: "hybrid-example|123456789123|example-cluster|us-central1" #
              {"$ref":"#/definitions/io.k8s.cli.substitutions.gke-metadata"}
  4. Add (or update) the spec.components stanza in the istio-operator.yaml file below the meshConfig: section and immediately above values:, where static_ip is a reserved static IP address your runtime ingress gateway can use. If you do not have a reserved static IP address, for this Quick Start, you can leave the loadBalancerIP property out.

    Text to copy

      components:
        ingressGateways:
        - name: istio-ingressgateway
          enabled: true
          k8s:
            service:
              type: LoadBalancer
              loadBalancerIP: static_ip # If you do not have a reserved static IP, leave this out.
              ports:
              - name: status-port
                port: 15021
                targetPort: 15021
              - name: http2
                port: 80
                targetPort: 8080
              - name: https
                port: 443
                targetPort: 8443
    

    Example showing placement

    Line breaks inserted for readability

    apiVersion: install.istio.io/v1alpha1
    kind: IstioOperator
    metadata:
      clusterName: "hybrid-example/us-central1/example-cluster" # {"$ref":"#/definitions/io.k8s.cli.substitutions.cluster-name"}
    spec:
      profile: asm
      hub: gcr.io/gke-release/asm # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.hub"}
      tag: 1.5.7-asm.0 # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.tag"}
      meshConfig:
        defaultConfig:
          proxyMetadata:
            GCP_METADATA: "hybrid-example|123456789123|example-cluster|us-central1" #
              {"$ref":"#/definitions/io.k8s.cli.substitutions.gke-metadata"}
    
      components:
        pilot:
          k8s:
            hpaSpec:
              maxReplicas: 2
        ingressGateways:
        - name: istio-ingressgateway
          enabled: true
          k8s:
            service:
              type: LoadBalancer
              loadBalancerIP: 123.234.56.78
              ports:
              - name: status-port
                port: 15021
                targetPort: 15021
              - name: http2
                port: 80
                targetPort: 8080
              - name: https
                port: 443
                targetPort: 8443
            hpaSpec:
              maxReplicas: 2
      values:
        .
        .
        .
    
  5. Return now to the ASM documentation you used previously, and complete ASM installation (install or apply the istio-operator.yaml file to the cluster): Installation with an overlay file.
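A pre-flight check for the file edited in steps 3 and 4, to run before it is applied in step 5. This is an added example, not part of the Apigee or ASM tooling: the function names are hypothetical, the sample file is constructed with an abbreviated accessLogFormat, and the indentation-based flattening handles only the YAML layout shown on this page.

```shell
#!/bin/sh
# Added example, not Apigee or ASM tooling.

# flatten_yaml FILE (hypothetical helper): print "dotted.path=value" for each
# "key: value" line, tracking nesting by indentation. It covers the block
# mappings and "- " list items used in istio-operator.yaml; it is not a YAML parser.
flatten_yaml() {
  awk '
    /^[ \t]*(#|$)/ { next }                          # blank lines and comment lines
    {
      ind = 0
      while (substr($0, ind + 1, 1) == " ") ind++
      if (substr($0, ind + 1, 2) == "- ") ind += 2   # a list dash counts as indentation
      rest = substr($0, ind + 1)
      if (rest !~ /^[A-Za-z_][A-Za-z0-9_.-]*:( |$)/) next   # folded scalar text, not a key
      key = rest; sub(/:.*/, "", key)
      val = rest; sub(/^[^:]*:[ ]?/, "", val); sub(/[ ]+#.*$/, "", val)
      while (depth > 0 && indent[depth] >= ind) depth--
      depth++; indent[depth] = ind; name[depth] = key
      path = name[1]
      for (i = 2; i <= depth; i++) path = path "." name[i]
      print path "=" val
    }' "$1"
}

# check_operator FILE: print one finding per line, return 1 if there are any.
check_operator() {
  flat=$(flatten_yaml "$1")
  rc=0
  gw=spec.components.ingressGateways.k8s.service
  # Access-log settings and ingress gateway ports given in steps 3 and 4.
  for want in 'spec.meshConfig.accessLogFile="/dev/stdout"' \
              'spec.meshConfig.accessLogEncoding=1' \
              "$gw.ports.port=15021" "$gw.ports.port=80" "$gw.ports.port=443"; do
    printf '%s\n' "$flat" | grep -Fxq -- "$want" || { echo "missing: $want"; rc=1; }
  done
  printf '%s\n' "$flat" | grep -q '^spec\.meshConfig\.accessLogFormat=.' ||
    { echo "missing: spec.meshConfig.accessLogFormat"; rc=1; }
  # loadBalancerIP is optional, but when present it must be an address,
  # not the placeholder left over from the copy text.
  lb=$(printf '%s\n' "$flat" | sed -n "s/^$gw\.loadBalancerIP=//p")
  if [ -n "$lb" ] && ! printf '%s\n' "$lb" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
    echo "loadBalancerIP is not an IPv4 address: $lb"; rc=1
  fi
  return $rc
}

# sample_operator: constructed istio-operator.yaml as it looks right after
# pasting the copy text (placeholder still in place, accessLogFormat abbreviated).
sample_operator() {
  cat <<'EOF'
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  profile: asm
  meshConfig:
    accessLogFile: "/dev/stdout"
    accessLogEncoding: 1
    accessLogFormat: '{"start_time":"%START_TIME%","request":"%REQ(:METHOD)%
      %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%"}'
  components:
    ingressGateways:
    - name: istio-ingressgateway
      enabled: true
      k8s:
        service:
          type: LoadBalancer
          loadBalancerIP: static_ip # If you do not have a reserved static IP, leave this out.
          ports:
          - name: status-port
            port: 15021
            targetPort: 15021
          - name: http2
            port: 80
            targetPort: 8080
          - name: https
            port: 443
            targetPort: 8443
EOF
}

f=$(mktemp) && sample_operator > "$f"
check_operator "$f" || echo "fix the findings above before applying the file"
rm -f "$f"
```
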

GKE on-prem

Set up and download ASM

Use the ASM documentation to set up your environment and download ASM.

  1. Read the following steps carefully before you begin. We will ask you to perform some of the steps listed in the ASM documentation, then return here to complete the installation.
  2. Go to Installing Anthos Service Mesh on premises and perform all of the ASM steps up to and including Configuring the certificate authority, then stop and go to the next section Apply the manifest below.

Apply the manifest

When you have downloaded and unzipped the ASM installation file, continue with the following steps:

  1. Make sure you are in the Istio directory that you downloaded and unzipped. For example: 1.8.6-asm.1.
  2. Set the profile with the following command, where your_static_IP is a static IP address that the Istio ingress component can use. If you do not have a static IP address reserved, leave the --set values.gateways.istio-ingressgateway.loadBalancerIP line out:
    ./bin/istioctl install --set profile=asm-multicloud \
     --set values.gateways.istio-ingressgateway.loadBalancerIP=your_static_IP
  3. Finally, return to the ASM documentation to Check the control plane components to validate your installation.

Customizing the ASM installation

The ASM installation you just performed is a minimal installation, sufficient to test and use Apigee hybrid for basic use cases. For information on addressing more advanced use cases, such as adding, removing, or modifying load balancer port numbers, see Enabling optional features.

Anthos on bare metal

Set up and download ASM

Use the ASM documentation to set up your environment and download ASM.

  1. Read the following steps carefully before you begin. We will ask you to perform some of the steps listed in the ASM documentation, then return here to complete the installation.
  2. Go to Installing Anthos Service Mesh on premises and perform all of the ASM steps up to and including Configuring the certificate authority, then stop and go to the next section Apply the manifest below.

Apply the manifest

When you have downloaded and unzipped the ASM installation file, continue with the following steps:

  1. Make sure you are in the Istio directory that you downloaded and unzipped. For example: 1.8.6-asm.1.
  2. Set the profile with the following command, where your_static_IP is a static IP address that the Istio ingress component can use. If you do not have a static IP address reserved, leave the --set values.gateways.istio-ingressgateway.loadBalancerIP line out:
    ./bin/istioctl install --set profile=asm-multicloud \
     --set values.gateways.istio-ingressgateway.loadBalancerIP=your_static_IP
  3. Finally, return to the ASM documentation to Check the control plane components to validate your installation.

Customizing the ASM installation

The ASM installation you just performed is a minimal installation, sufficient to test and use Apigee hybrid for basic use cases. For information on addressing more advanced use cases, such as adding, removing, or modifying load balancer port numbers, see Enabling optional features.

AKS

Set up and download ASM

Use the ASM documentation to set up your environment and download ASM.

  1. Read the following steps carefully before you begin. We will ask you to perform some of the steps listed in the ASM documentation, then return here to complete the installation.
  2. This guide explains how to do a clean installation of Anthos Service Mesh (ASM) version 1.8.6-asm.8 on Anthos attached clusters. Use this guide to install Anthos Service Mesh on the following environments:

    • Amazon Elastic Kubernetes Service (Amazon EKS) on Kubernetes
    • Microsoft Azure Kubernetes Service (Microsoft AKS) on Kubernetes
    • Red Hat OpenShift

    Preparing to install Anthos Service Mesh

      Linux

    1. Download the Anthos Service Mesh installation file to your current working directory:
      curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.8.6-asm.8-linux-amd64.tar.gz
    2. Download the signature file and use openssl to verify the signature:
      curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.8.6-asm.8-linux-amd64.tar.gz.1.sig
      openssl dgst -verify /dev/stdin -signature istio-1.8.6-asm.8-linux-amd64.tar.gz.1.sig istio-1.8.6-asm.8-linux-amd64.tar.gz <<'EOF'
      -----BEGIN PUBLIC KEY-----
      MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
      wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
      -----END PUBLIC KEY-----
      EOF
      
    3. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
      tar xzf istio-1.8.6-asm.8-linux-amd64.tar.gz

      The command creates an installation directory in your current working directory named istio-1.8.6-asm.8 that contains:

      • Sample applications in the samples directory.
      • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
      • The Anthos Service Mesh configuration profiles are in the manifests/profiles directory.
    4. Ensure that you're in the Anthos Service Mesh installation's root directory:
      cd istio-1.8.6-asm.8
    5. For convenience, add the tools in the /bin directory to your PATH:
      export PATH=$PWD/bin:$PATH
      Mac OS

    7. Download the Anthos Service Mesh installation file to your current working directory:
      curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.8.6-asm.8-osx.tar.gz
    8. Download the signature file and use openssl to verify the signature:
      curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.8.6-asm.8-osx.tar.gz.1.sig
      openssl dgst -sha256 -verify /dev/stdin -signature istio-1.8.6-asm.8-osx.tar.gz.1.sig istio-1.8.6-asm.8-osx.tar.gz <<'EOF'
      -----BEGIN PUBLIC KEY-----
      MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
      wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
      -----END PUBLIC KEY-----
      EOF
      
    9. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
      tar xzf istio-1.8.6-asm.8-osx.tar.gz

      The command creates an installation directory in your current working directory named istio-1.8.6-asm.8 that contains:

      • Sample applications in the samples directory.
      • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
      • The Anthos Service Mesh configuration profiles are in the manifests/profiles directory.
    10. Ensure that you're in the Anthos Service Mesh installation's root directory:
      cd istio-1.8.6-asm.8
    11. For convenience, add the tools in the /bin directory to your PATH:
      export PATH=$PWD/bin:$PATH
      Windows

    13. Download the Anthos Service Mesh installation file to your current working directory:
      curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.8.6-asm.8-win.zip
    14. Download the signature file and use openssl to verify the signature:
      curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.8.6-asm.8-win.zip.1.sig
      openssl dgst -verify - -signature istio-1.8.6-asm.8-win.zip.1.sig istio-1.8.6-asm.8-win.zip <<'EOF'
      -----BEGIN PUBLIC KEY-----
      MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
      wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
      -----END PUBLIC KEY-----
      EOF
      
    15. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
      tar xzf istio-1.8.6-asm.8-win.zip

      The command creates an installation directory in your current working directory named istio-1.8.6-asm.8 that contains:

      • Sample applications in the samples directory.
      • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
      • The Anthos Service Mesh configuration profiles are in the manifests\profiles directory.
    16. Ensure that you're in the Anthos Service Mesh installation's root directory:
      cd istio-1.8.6-asm.8
    17. For convenience, add the tools in the \bin directory to your PATH:
      set PATH=%CD%\bin;%PATH%
    18. Now that ASM Istio is installed, check the version of istioctl:
      istioctl version
    19. Create a namespace called istio-system for the control plane components:
      kubectl create namespace istio-system

    Installing Anthos Service Mesh

    1. Install Anthos Service Mesh with istioctl using the asm-multicloud profile:
      istioctl install \
          --set profile=asm-multicloud
    2. Check that the istiod pods are running with kubectl get pods:
      kubectl get pods -n istio-system

      Your output should look something like:

      NAME                                      READY   STATUS    RESTARTS   AGE
      istio-ingressgateway-88b6fd976-flgp2  1/1     Running   0          3m13s
      istio-ingressgateway-88b6fd976-p5dl9  1/1     Running   0          2m57s
      istiod-dbfb7c7b6-2ls88                1/1     Running   0          3m21s
      istiod-dbfb7c7b6-fnj8c                1/1     Running   1          3m21s
      
    3. Verify that your install completed:
      kubectl get svc -n istio-system

      Your output should look something like:

      NAME                  TYPE           CLUSTER-IP       EXTERNAL-IP     PORT(S)                                                                      AGE
      istio-ingressgateway  LoadBalancer   172.200.48.52    34.74.177.168   15021:30479/TCP,80:30030/TCP,443:32200/TCP,15012:32297/TCP,15443:30244/TCP   3m35s
      istiod                ClusterIP      172.200.18.133   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP                                        4m46s
      istiod                ClusterIP      172.200.63.220   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP                                        3m43s
      

    Configure the validating webhook

    1. Create a file called istiod-service.yaml with the following contents:
      apiVersion: v1
      kind: Service
      metadata:
        name: istiod
        namespace: istio-system
        labels:
          app: istiod
          istio: pilot
          release: istio
      spec:
        ports:
          - port: 15010
            name: grpc-xds # plaintext
            protocol: TCP
          - port: 15012
            name: https-dns # mTLS with k8s-signed cert
            protocol: TCP
          - port: 443
            name: https-webhook # validation and injection
            targetPort: 15017
            protocol: TCP
          - port: 15014
            name: http-monitoring # prometheus stats
            protocol: TCP
        selector:
          app: istiod
    2. Use kubectl to apply the validating webhook configuration:
      kubectl apply -f istiod-service.yaml
    3. Verify that the configuration was applied:
      kubectl get svc -n istio-system

      The response should look similar to:

      NAME     TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                                 AGE
      istiod   ClusterIP   172.200.18.133   <none>        15010/TCP,15012/TCP,443/TCP,15014/TCP   22s
      

Customizing the ASM installation

The ASM installation you just performed is a minimal installation, sufficient to test and use Apigee hybrid for basic use cases. For information on addressing more advanced use cases, such as adding, removing, or modifying load balancer port numbers, see Enabling optional features.

GKE on AWS

Set up and download ASM

Use the ASM documentation to set up your environment and download ASM.

  1. Read the following steps carefully before you begin. We will ask you to perform some of the steps listed in the ASM documentation, then return here to complete the installation.
  2. Go to Installing on Anthos clusters on AWS and perform all of the ASM steps up to and including Download the installation file, then stop and go to the next section Apply the manifest below.

Apply the manifest

When you have downloaded and unzipped the ASM installation file, continue with the following steps:

  1. Make sure you are in the Istio directory that you downloaded and unzipped. For example: 1.8.6-asm.1.
  2. Set profile with the following command:
    ./bin/istioctl install --set profile=asm-multicloud
  3. Finally, return to the ASM documentation to Check the control plane components to validate your installation.

Customizing the ASM installation

The ASM installation you just performed is a minimal installation, sufficient to test and use Apigee hybrid for basic use cases. For information on addressing more advanced use cases, such as adding, removing, or modifying load balancer port numbers, see Enabling optional features.

EKS

Set up and download ASM

Use the ASM documentation to set up your environment and download ASM.

  1. Read the following steps carefully before you begin. We will ask you to perform some of the steps listed in the ASM documentation, then return here to complete the installation.
  2. This guide explains how to do a clean installation of Anthos Service Mesh (ASM) version 1.8.6-asm.8 on Anthos attached clusters. Use this guide to install Anthos Service Mesh on the following environments:

    • Amazon Elastic Kubernetes Service (Amazon EKS) on Kubernetes
    • Microsoft Azure Kubernetes Service (Microsoft AKS) on Kubernetes
    • Red Hat OpenShift

    Preparing to install Anthos Service Mesh

      Linux

    1. Download the Anthos Service Mesh installation file to your current working directory:
      curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.8.6-asm.8-linux-amd64.tar.gz
    2. Download the signature file and use openssl to verify the signature:
      curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.8.6-asm.8-linux-amd64.tar.gz.1.sig
      openssl dgst -verify /dev/stdin -signature istio-1.8.6-asm.8-linux-amd64.tar.gz.1.sig istio-1.8.6-asm.8-linux-amd64.tar.gz <<'EOF'
      -----BEGIN PUBLIC KEY-----
      MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
      wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
      -----END PUBLIC KEY-----
      EOF
      
    3. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
      tar xzf istio-1.8.6-asm.8-linux-amd64.tar.gz

      The command creates an installation directory in your current working directory named istio-1.8.6-asm.8 that contains:

      • Sample applications in the samples directory.
      • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
      • The Anthos Service Mesh configuration profiles are in the manifests/profiles directory.
    4. Ensure that you're in the Anthos Service Mesh installation's root directory:
      cd istio-1.8.6-asm.8
    5. For convenience, add the tools in the /bin directory to your PATH:
      export PATH=$PWD/bin:$PATH
      Mac OS

    7. Download the Anthos Service Mesh installation file to your current working directory:
      curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.8.6-asm.8-osx.tar.gz
    8. Download the signature file and use openssl to verify the signature:
      curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.8.6-asm.8-osx.tar.gz.1.sig
      openssl dgst -sha256 -verify /dev/stdin -signature istio-1.8.6-asm.8-osx.tar.gz.1.sig istio-1.8.6-asm.8-osx.tar.gz <<'EOF'
      -----BEGIN PUBLIC KEY-----
      MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
      wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
      -----END PUBLIC KEY-----
      EOF
      
    9. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
      tar xzf istio-1.8.6-asm.8-osx.tar.gz

      The command creates an installation directory in your current working directory named istio-1.8.6-asm.8 that contains:

      • Sample applications in the samples directory.
      • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
      • The Anthos Service Mesh configuration profiles are in the manifests/profiles directory.
    10. Ensure that you're in the Anthos Service Mesh installation's root directory:
      cd istio-1.8.6-asm.8
    11. For convenience, add the tools in the /bin directory to your PATH:
      export PATH=$PWD/bin:$PATH
      Windows

    13. Download the Anthos Service Mesh installation file to your current working directory:
      curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.8.6-asm.8-win.zip
    14. Download the signature file and use openssl to verify the signature:
      curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.8.6-asm.8-win.zip.1.sig
      openssl dgst -verify - -signature istio-1.8.6-asm.8-win.zip.1.sig istio-1.8.6-asm.8-win.zip <<'EOF'
      -----BEGIN PUBLIC KEY-----
      MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
      wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
      -----END PUBLIC KEY-----
      EOF
      
    15. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
      tar xzf istio-1.8.6-asm.8-win.zip

      The command creates an installation directory in your current working directory named istio-1.8.6-asm.8 that contains:

      • Sample applications in the samples directory.
      • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
      • The Anthos Service Mesh configuration profiles are in the manifests\profiles directory.
    16. Ensure that you're in the Anthos Service Mesh installation's root directory:
      cd istio-1.8.6-asm.8
    17. For convenience, add the tools in the \bin directory to your PATH:
      set PATH=%CD%\bin;%PATH%
    18. Now that ASM Istio is installed, check the version of istioctl:
      istioctl version
    19. Create a namespace called istio-system for the control plane components:
      kubectl create namespace istio-system
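The download, verify and extract steps above (the same on the AKS, EKS and OpenShift tabs) run tar whether or not openssl reported success. As an added example, not taken from the ASM or Apigee documentation, the script below makes extraction conditional on the signature check; verify_then_extract and demo are hypothetical names, and the demo signs a constructed archive with a throwaway P-256 key so that it runs offline.

```shell
#!/bin/sh
# Added example, not from the ASM documentation.

# verify_then_extract ARCHIVE SIGNATURE PUBKEY_PEM DESTDIR  (hypothetical helper)
# Extracts ARCHIVE into DESTDIR only when the detached signature verifies.
verify_then_extract() {
  archive=$1; sig=$2; pubkey=$3; dest=$4
  # -sha256 is explicit so the check does not depend on the local default digest.
  if ! openssl dgst -sha256 -verify "$pubkey" -signature "$sig" "$archive" >/dev/null 2>&1; then
    echo "signature check failed for $archive, not extracting" >&2
    return 1
  fi
  mkdir -p "$dest" && tar xzf "$archive" -C "$dest"
}

# demo: constructed data only. Builds a small archive, signs it with a throwaway
# key pair, then runs the gate on the intact archive and on a tampered copy.
demo() {
  d=$(mktemp -d) || return 2
  mkdir "$d/istio-demo"
  echo "constructed payload" > "$d/istio-demo/README"
  tar czf "$d/demo.tar.gz" -C "$d" istio-demo

  # Throwaway P-256 key pair standing in for the publisher's signing key.
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/key.pem" 2>/dev/null
  openssl pkey -in "$d/key.pem" -pubout -out "$d/pub.pem"
  openssl dgst -sha256 -sign "$d/key.pem" -out "$d/demo.tar.gz.sig" "$d/demo.tar.gz"

  # Tampered copy: same signature file, one byte appended to the archive.
  cp "$d/demo.tar.gz" "$d/tampered.tar.gz"
  printf 'x' >> "$d/tampered.tar.gz"

  if verify_then_extract "$d/demo.tar.gz" "$d/demo.tar.gz.sig" "$d/pub.pem" "$d/ok"; then
    intact=0
  else
    intact=1
  fi
  if verify_then_extract "$d/tampered.tar.gz" "$d/demo.tar.gz.sig" "$d/pub.pem" "$d/bad" 2>/dev/null; then
    tampered=0
  else
    tampered=1
  fi
  if [ -f "$d/ok/istio-demo/README" ]; then okfile=yes; else okfile=no; fi
  if [ -e "$d/bad" ]; then badfile=yes; else badfile=no; fi
  rm -rf "$d"
  echo "intact=$intact intact_extracted=$okfile tampered=$tampered tampered_extracted=$badfile"
}

demo
```

For the real download, pass /dev/stdin as PUBKEY_PEM and supply the public key from the steps above through the same here-document.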

    Installing Anthos Service Mesh

    1. Install Anthos Service Mesh with istioctl using the asm-multicloud profile:
      istioctl install \
          --set profile=asm-multicloud
    2. Check that the istiod pods are running with kubectl get pods:
      kubectl get pods -n istio-system

      Your output should look something like:

      NAME                                      READY   STATUS    RESTARTS   AGE
      istio-ingressgateway-88b6fd976-flgp2  1/1     Running   0          3m13s
      istio-ingressgateway-88b6fd976-p5dl9  1/1     Running   0          2m57s
      istiod-dbfb7c7b6-2ls88                1/1     Running   0          3m21s
      istiod-dbfb7c7b6-fnj8c                1/1     Running   1          3m21s
      
    3. Verify that your install completed:
      kubectl get svc -n istio-system

      Your output should look something like:

      NAME                  TYPE           CLUSTER-IP       EXTERNAL-IP     PORT(S)                                                                      AGE
      istio-ingressgateway  LoadBalancer   172.200.48.52    34.74.177.168   15021:30479/TCP,80:30030/TCP,443:32200/TCP,15012:32297/TCP,15443:30244/TCP   3m35s
      istiod                ClusterIP      172.200.18.133   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP                                        4m46s
      istiod                ClusterIP      172.200.63.220   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP                                        3m43s
      

    Configure the validating webhook

    1. Create a file called istiod-service.yaml with the following contents:
      apiVersion: v1
      kind: Service
      metadata:
        name: istiod
        namespace: istio-system
        labels:
          app: istiod
          istio: pilot
          release: istio
      spec:
        ports:
          - port: 15010
            name: grpc-xds # plaintext
            protocol: TCP
          - port: 15012
            name: https-dns # mTLS with k8s-signed cert
            protocol: TCP
          - port: 443
            name: https-webhook # validation and injection
            targetPort: 15017
            protocol: TCP
          - port: 15014
            name: http-monitoring # prometheus stats
            protocol: TCP
        selector:
          app: istiod
    2. Use kubectl to apply the validating webhook configuration:
      kubectl apply -f istiod-service.yaml
    3. Verify that the configuration was applied:
      kubectl get svc -n istio-system

      The response should look similar to:

      NAME     TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                                 AGE
      istiod   ClusterIP   172.200.18.133   <none>        15010/TCP,15012/TCP,443/TCP,15014/TCP   22s
      

Customizing the ASM installation

The ASM installation you just performed is a minimal installation, sufficient to test and use Apigee hybrid for basic use cases. For information on addressing more advanced use cases, such as adding, removing, or modifying load balancer port numbers, see Enabling optional features.

OpenShift

Set up and download ASM

Use the ASM documentation to set up your environment and download ASM.

  1. Read the following steps carefully before you begin. We will ask you to perform some of the steps listed in the ASM documentation, then return here to complete the installation.
  2. This guide explains how to do a clean installation of Anthos Service Mesh (ASM) version 1.8.6-asm.8 on Anthos attached clusters. Use this guide to install Anthos Service Mesh on the following environments:

    • Amazon Elastic Kubernetes Service (Amazon EKS) on Kubernetes
    • Microsoft Azure Kubernetes Service (Microsoft AKS) on Kubernetes
    • Red Hat OpenShift

    Preparing to install Anthos Service Mesh

      Linux

    1. Grant the anyuid security context constraint (SCC) to the istio-system with the following oc command:
      oc adm policy add-scc-to-group anyuid system:serviceaccounts:istio-system
    2. Download the Anthos Service Mesh installation file to your current working directory:
      curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.8.6-asm.8-linux-amd64.tar.gz
    3. Download the signature file and use openssl to verify the signature:
      curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.8.6-asm.8-linux-amd64.tar.gz.1.sig
      openssl dgst -verify /dev/stdin -signature istio-1.8.6-asm.8-linux-amd64.tar.gz.1.sig istio-1.8.6-asm.8-linux-amd64.tar.gz <<'EOF'
      -----BEGIN PUBLIC KEY-----
      MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
      wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
      -----END PUBLIC KEY-----
      EOF
      
    4. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
      tar xzf istio-1.8.6-asm.8-linux-amd64.tar.gz

      The command creates an installation directory in your current working directory named istio-1.8.6-asm.8 that contains:

      • Sample applications in the samples directory.
      • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
      • The Anthos Service Mesh configuration profiles are in the manifests/profiles directory.
    5. Ensure that you're in the Anthos Service Mesh installation's root directory:
      cd istio-1.8.6-asm.8
    6. For convenience, add the tools in the /bin directory to your PATH:
      export PATH=$PWD/bin:$PATH
      Mac OS

    8. Grant the anyuid security context constraint (SCC) to the istio-system with the following oc command:
      oc adm policy add-scc-to-group anyuid system:serviceaccounts:istio-system
    9. Download the Anthos Service Mesh installation file to your current working directory:
      curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.8.6-asm.8-osx.tar.gz
    10. Download the signature file and use openssl to verify the signature:
      curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.8.6-asm.8-osx.tar.gz.1.sig
      openssl dgst -sha256 -verify /dev/stdin -signature istio-1.8.6-asm.8-osx.tar.gz.1.sig istio-1.8.6-asm.8-osx.tar.gz <<'EOF'
      -----BEGIN PUBLIC KEY-----
      MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
      wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
      -----END PUBLIC KEY-----
      EOF
      
    11. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
      tar xzf istio-1.8.6-asm.8-osx.tar.gz

      The command creates an installation directory in your current working directory named istio-1.8.6-asm.8 that contains:

      • Sample applications in the samples directory.
      • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
      • The Anthos Service Mesh configuration profiles are in the manifests/profiles directory.
    12. Ensure that you're in the Anthos Service Mesh installation's root directory:
      cd istio-1.8.6-asm.8
    13. For convenience, add the tools in the /bin directory to your PATH:
      export PATH=$PWD/bin:$PATH
    Windows

    1. Grant the anyuid security context constraint (SCC) to the istio-system service accounts with the following OpenShift CLI (oc) command:
      oc adm policy add-scc-to-group anyuid system:serviceaccounts:istio-system
    2. Download the Anthos Service Mesh installation file to your current working directory:
      curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.8.6-asm.8-win.zip
    3. Download the signature file and use openssl to verify the signature:
      curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.8.6-asm.8-win.zip.1.sig
      openssl dgst -verify - -signature istio-1.8.6-asm.8-win.zip.1.sig istio-1.8.6-asm.8-win.zip <<'EOF'
      -----BEGIN PUBLIC KEY-----
      MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
      wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
      -----END PUBLIC KEY-----
      EOF

    4. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
      tar xzf istio-1.8.6-asm.8-win.zip

      The command creates an installation directory in your current working directory named istio-1.8.6-asm.8 that contains:

      • Sample applications in the samples directory.
      • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
      • The Anthos Service Mesh configuration profiles are in the manifests\profiles directory.
    5. Ensure that you're in the Anthos Service Mesh installation's root directory:
      cd istio-1.8.6-asm.8
    6. For convenience, add the tools in the \bin directory to your PATH:
      set PATH=%CD%\bin;%PATH%
    7. Now that ASM Istio is installed, check the version of istioctl:
      istioctl version
    8. Create a namespace called istio-system for the control plane components:
      kubectl create namespace istio-system
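
The download steps above run the openssl check and the tar extraction as separate commands, so a failed check does not by itself stop the extraction. The following added example (not part of the Apigee or ASM documentation) wraps both in one fail-closed function for the Linux and Mac OS tar.gz archives. The names verify_and_extract, make_fixture and run_demo are hypothetical, the public key is assumed to be saved to a PEM file rather than passed through a heredoc, and the demo data is constructed with a throwaway key.

```shell
#!/bin/sh
# Added example, not from the ASM docs; function names are hypothetical.

# verify_and_extract ARCHIVE SIG PUBKEY_PEM DEST
# Returns 0 = verified and extracted, 1 = bad signature, 2 = missing input.
verify_and_extract() {
  for f in "$1" "$2" "$3"; do
    [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 2; }
  done
  # Name the digest explicitly so the check does not depend on the default
  # digest of the local OpenSSL or LibreSSL build.
  if ! openssl dgst -sha256 -verify "$3" -signature "$2" "$1" >/dev/null 2>&1; then
    echo "signature check FAILED for $1; nothing extracted" >&2
    return 1
  fi
  mkdir -p "$4" && tar xzf "$1" -C "$4"
}

# make_fixture DIR: constructed sample data so the example runs offline.
# A throwaway P-256 key stands in for the publisher's key; tampered.tar.gz
# is the signed archive with one byte appended.
make_fixture() {
  mkdir -p "$1/src/demo-release/bin" &&
  echo 'placeholder istioctl' > "$1/src/demo-release/bin/istioctl" &&
  tar czf "$1/demo.tar.gz" -C "$1/src" demo-release &&
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/priv.pem" 2>/dev/null &&
  openssl pkey -in "$1/priv.pem" -pubout -out "$1/pub.pem" 2>/dev/null &&
  openssl dgst -sha256 -sign "$1/priv.pem" -out "$1/demo.tar.gz.sig" "$1/demo.tar.gz" &&
  cp "$1/demo.tar.gz" "$1/tampered.tar.gz" &&
  printf 'x' >> "$1/tampered.tar.gz"
}

# run_demo: returns 0 only if the good archive is extracted and the tampered
# one is rejected (status 1) without its destination directory being created.
run_demo() {
  d=$(mktemp -d) || return 1
  make_fixture "$d" &&
    verify_and_extract "$d/demo.tar.gz" "$d/demo.tar.gz.sig" "$d/pub.pem" "$d/ok" &&
    [ -f "$d/ok/demo-release/bin/istioctl" ] || { rm -rf "$d"; return 1; }
  verify_and_extract "$d/tampered.tar.gz" "$d/demo.tar.gz.sig" "$d/pub.pem" "$d/bad" 2>/dev/null
  rc=$?
  res=1
  [ "$rc" -eq 1 ] && [ ! -e "$d/bad" ] && res=0
  rm -rf "$d"
  return "$res"
}

run_demo && echo "demo passed: good archive extracted, tampered archive rejected"
```

For a real download, pass the archive, its .1.sig file and a PEM file holding the public key printed in the steps above.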

    Installing Anthos Service Mesh

    1. Install Anthos Service Mesh with istioctl using the asm-multicloud profile:
      istioctl install \
          --set profile=asm-multicloud
    2. Check that the istiod pods are running with kubectl get pods:
      kubectl get pods -n istio-system

      Your output should look something like:

      NAME                                      READY   STATUS    RESTARTS   AGE
      istio-ingressgateway-88b6fd976-flgp2  1/1     Running   0          3m13s
      istio-ingressgateway-88b6fd976-p5dl9  1/1     Running   0          2m57s
      istiod-dbfb7c7b6-2ls88                1/1     Running   0          3m21s
      istiod-dbfb7c7b6-fnj8c                1/1     Running   1          3m21s
      
    3. Verify that your install completed:
      kubectl get svc -n istio-system

      Your output should look something like:

      NAME                  TYPE           CLUSTER-IP       EXTERNAL-IP     PORT(S)                                                                      AGE
      istio-ingressgateway  LoadBalancer   172.200.48.52    34.74.177.168   15021:30479/TCP,80:30030/TCP,443:32200/TCP,15012:32297/TCP,15443:30244/TCP   3m35s
      istiod                ClusterIP      172.200.18.133   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP                                        4m46s
      istiod                ClusterIP      172.200.63.220   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP                                        3m43s
      

    Configure the validating webhook

    1. Create a file called istiod-service.yaml with the following contents:
      apiVersion: v1
      kind: Service
      metadata:
        name: istiod
        namespace: istio-system
        labels:
          app: istiod
          istio: pilot
          release: istio
      spec:
        ports:
          - port: 15010
            name: grpc-xds # plaintext
            protocol: TCP
          - port: 15012
            name: https-dns # mTLS with k8s-signed cert
            protocol: TCP
          - port: 443
            name: https-webhook # validation and injection
            targetPort: 15017
            protocol: TCP
          - port: 15014
            name: http-monitoring # prometheus stats
            protocol: TCP
        selector:
          app: istiod
    2. Use kubectl to apply the validating webhook configuration:
      kubectl apply -f istiod-service.yaml
    3. Verify that the configuration was applied:
      kubectl get svc -n istio-system

      The response should look similar to:

      NAME     TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                                 AGE
      istiod   ClusterIP   172.200.18.133   <none>        15010/TCP,15012/TCP,443/TCP,15014/TCP   22s
      

Customizing the ASM installation

The ASM installation you just performed is a minimal installation, sufficient to test and use Apigee hybrid for basic use cases. For information on addressing more advanced use cases, such as adding, removing, or modifying load balancer port numbers, see Enabling optional features.

Summary

You now have cert-manager and ASM installed, and you are ready to install the Apigee hybrid command line tool on your local machine.

Next step

Step 4: Install apigeectl