Configuring Apigee ingress gateway
You can configure your ingress gateways in your overrides.yaml. For example:
Syntax

    ingressGateways:
    - name: INGRESS_NAME
      replicaCountMin: REPLICAS_MIN
      replicaCountMax: REPLICAS_MAX
      resources:
        requests:
          cpu: CPU_COUNT_REQ
          memory: MEMORY_REQ
        limits:
          cpu: CPU_COUNT_LIMIT
          memory: MEMORY_LIMIT
      svcAnnotations:  # optional. See Known issue 243599452.
        SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE
      svcLoadBalancerIP: SVC_LOAD_BALANCER_IP # optional

Example

    ingressGateways:
    - name: prod1
      replicaCountMin: 2
      replicaCountMax: 100
      resources:
        requests:
          cpu: 1
          memory: 1Gi
        limits:
          cpu: 2
          memory: 2Gi
      svcAnnotations:  # optional. See Known issue 243599452.
        networking.gke.io/load-balancer-type: "Internal"
      svcLoadBalancerIP: 198.252.0.123

- INGRESS_NAME is the name of the ingress gateway deployment. This can be any name that meets the following requirements:
  - Have a maximum length of 17 characters
  - Contain only lowercase alphanumeric characters, '-' or '.'
  - Start with an alphanumeric character
  - End with an alphanumeric character

  See ingressGateways[].name in the Configuration property reference.
- REPLICAS_MIN and REPLICAS_MAX: The minimum and maximum replica counts for Apigee ingress gateway in your installation. See ingressGateways[].replicaCountMin and ingressGateways[].replicaCountMax in the Configuration property reference.
- CPU_COUNT_REQ and MEMORY_REQ: The CPU and memory request for each replica of Apigee ingress gateway in your installation. See ingressGateways[].resources.requests.cpu and ingressGateways[].resources.requests.memory in the Configuration property reference.
- CPU_COUNT_LIMIT and MEMORY_LIMIT: The maximum CPU and memory limits for each replica of Apigee ingress gateway in your installation. See ingressGateways[].resources.limits.cpu and ingressGateways[].resources.limits.memory in the Configuration property reference.
- SVC_ANNOTATIONS_KEY and SVC_ANNOTATIONS_VALUE (optional): This is a key-value pair that provides annotations for your default ingress service. Your cloud platform uses annotations to help configure your hybrid installation, for example setting the load balancer type to either internal or external. For example:

      ingressGateways:
        svcAnnotations:
          networking.gke.io/load-balancer-type: "Internal"

  Annotations vary from platform to platform. See your platform documentation for required and suggested annotations.
  See ingressGateways[].svcAnnotations in the Configuration property reference.
- SVC_LOAD_BALANCER_IP (optional): On platforms that support specifying the load balancer IP address, the load balancer will be created with this IP address. On platforms that do not allow you to specify the load balancer IP address, this property is ignored. See ingressGateways[].svcLoadBalancerIP in the Configuration property reference.
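
The naming rules for INGRESS_NAME can be checked against an overrides file before it is applied. The script below is an added example, not part of the Apigee documentation: its function names and the sample overrides are constructed for illustration, and it assumes block-style YAML laid out like the examples on this page.

```shell
#!/bin/sh
# Added example (not Apigee code): pre-flight check of ingressGateways[].name.
# Assumes block-style YAML laid out like the examples on this page.

# Constructed sample overrides, fed to the checker below.
sample_overrides() {
cat <<'EOF'
ingressGateways:
- name: prod1
  replicaCountMin: 2
- name: Prod-East
- name: internal-gateway-eu1
- name: "edge.gw-2"
- name: gw-
virtualhosts:
- name: Not_An_Ingress_Name
EOF
}

# valid_ingress_name NAME: succeeds only if NAME meets all four rules.
valid_ingress_name() {
  name=$1
  [ "${#name}" -le 17 ] || return 1                      # max 17 characters
  # lowercase alphanumerics, '-' or '.'; alphanumeric first and last
  printf '%s\n' "$name" |
    LC_ALL=C grep -Eq '^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$'
}

# ingress_names: reads overrides YAML on stdin, prints each gateway name.
ingress_names() {
  awk '
    /^[^ #-]/ { in_gw = ($1 == "ingressGateways:") }   # new top-level key
    in_gw && $1 == "-" && $2 == "name:" { print $3 }
  ' | tr -d "\"'"
}

# bad_ingress_names: prints the names that would be rejected, one per line.
bad_ingress_names() {
  ingress_names | while read -r n; do
    valid_ingress_name "$n" || printf '%s\n' "$n"
  done
}

sample_overrides | bad_ingress_names
```

To check a real file, run `bad_ingress_names < OVERRIDES_FILE.yaml`; no output means every gateway name passed.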
Apply the Apigee ingress gateway configuration
Apply changes to the organization scope:

    helm upgrade ORG_NAME apigee-org/ \
      --namespace apigee \
      --atomic \
      -f OVERRIDES_FILE.yaml

Management tasks
Some common management tasks for the Apigee ingress gateway:
Scaling Apigee ingress gateway:
Update the following properties in your overrides file.
- ingressGateways[].replicaCountMax
- ingressGateways[].replicaCountMin

See ingressGateways in the Configuration properties reference for details.
Apply the changes:

    helm upgrade ORG_NAME apigee-org/ \
      --namespace apigee \
      --atomic \
      -f OVERRIDES_FILE.yaml

Updating resource allocation
Update the following properties in your overrides file.
- ingressGateways[].resources.limits.cpu
- ingressGateways[].resources.limits.memory
- ingressGateways[].resources.requests.cpu
- ingressGateways[].resources.requests.memory

See ingressGateways in the Configuration properties reference for details.
Apply the changes:

    helm upgrade ORG_NAME apigee-org/ \
      --namespace apigee \
      --atomic \
      -f OVERRIDES_FILE.yaml

Updating the Apigee ingress gateway service
Update the following properties in your overrides file.
- ingressGateways[].svcAnnotations
- ingressGateways[].svcLoadBalancerIP

See ingressGateways in the Configuration properties reference for details.
Apply the changes:

    helm upgrade ORG_NAME apigee-org/ \
      --namespace apigee \
      --atomic \
      -f OVERRIDES_FILE.yaml

Disable the load balancer for the default Apigee ingress gateway service:
If you create a custom Kubernetes service for your ingress gateway deployment, you can disable creation of a load balancer on the default Kubernetes service. Update the ingressGateways[].svcType property to ClusterIP in your overrides file. For example:

    ingressGateways:
    - name: my-ingress-gateway
      replicaCountMin: 2
      replicaCountMax: 10
      svcType: ClusterIP

Apply the changes:

    helm upgrade ORG_NAME apigee-org/ \
      --namespace apigee \
      --atomic \
      -f OVERRIDES_FILE.yaml

Configure TLS and mTLS
See Configuring TLS and mTLS on the ingress gateway.
Enabling non-SNI clients
See Enable non-SNI and HTTP clients.
Installing additional Apigee ingress gateways
In the overrides.yaml file you can add multiple ingress gateways. The ingressGateways configuration property is an array. For more information, see ingressGateways in the Configuration properties reference.
For example:

    ingressGateways:
    - name: fruit
      replicaCountMin: 2
      replicaCountMax: 10
    - name: meat
      replicaCountMin: 2
      replicaCountMax: 10

Apply the changes:

    helm upgrade ORG_NAME apigee-org/ \
      --namespace apigee \
      --atomic \
      -f OVERRIDES_FILE.yaml

Mapping virtual hosts to Apigee ingress gateway deployments
You can use selector labels to map a virtual host to an Apigee ingress gateway deployment. In the following example, the virtual host spam-vh is configured to run on the ingress gateway labeled meat and the other two virtual hosts run on the fruit ingress gateway. The ingress gateways must be properly labeled, as explained in Installing additional Cloud Service Mesh gateways.

    virtualhosts:
    - name: spam-vh
      sslCertPath: cert-spam.crt
      sslKeyPath: cert-spam.key
      selector:
        app: apigee-ingressgateway
        ingress_name: meat
    - name: banana-vh
      sslCertPath: cert-banana.crt
      sslKeyPath: cert-banana.key
      selector:
        app: apigee-ingressgateway
        ingress_name: fruit
    - name: plum-vh
      sslCertPath: cert-plum.crt
      sslKeyPath: cert-plum.key
      selector:
        app: apigee-ingressgateway
        ingress_name: fruit

Adding custom ciphersuites to Apigee ingress gateway deployments
You can add custom ciphersuites to your Apigee ingress gateway deployment with the virtualhosts.cipherSuites property in your overrides file.
See virtualhosts.cipherSuites for the default ciphersuites enabled in Apigee hybrid.
You can enable older versions of TLS with the virtualhosts.minTLSProtocolVersion property and add custom ciphersuites to your Apigee ingress gateway deployment with the virtualhosts.cipherSuites property in your overrides file.
For example, to enable TLS v1.1:

    virtualhosts:
    - name: ENV_GROUP_NAME
      minTLSProtocolVersion: "1.1"
      cipherSuites:
      - "ECDHE-ECDSA-AES128-GCM-SHA256"
      - "ECDHE-RSA-AES128-GCM-SHA256"
      - "ECDHE-ECDSA-AES256-GCM-SHA384"
      - "ECDHE-RSA-AES256-GCM-SHA384"
      - "ECDHE-ECDSA-CHACHA20-POLY1305"
      - "ECDHE-RSA-CHACHA20-POLY1305"
      - "ECDHE-ECDSA-AES128-SHA"
      - "ECDHE-RSA-AES128-SHA"
      - "ECDHE-ECDSA-AES256-SHA"
      - "ECDHE-RSA-AES256-SHA"
      ...

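
Because minTLSProtocolVersion and cipherSuites can lower the TLS floor of an environment group, it helps to audit the overrides file for both before applying it. The script below is an added example, not Apigee code: the function names, the sample overrides and the 1.2 threshold are assumptions for illustration, and it expects block-style YAML with OpenSSL-style ciphersuite names as on this page.

```shell
#!/bin/sh
# Added example (not Apigee code): flag weakened TLS settings in virtualhosts.
# Assumes block-style YAML and OpenSSL-style ciphersuite names, as on this page.

# Constructed sample overrides.
sample_tls_overrides() {
cat <<'EOF'
ingressGateways:
- name: prod1
virtualhosts:
- name: legacy-group
  minTLSProtocolVersion: "1.1"
  cipherSuites:
  - "ECDHE-RSA-AES128-GCM-SHA256"
  - "ECDHE-RSA-CHACHA20-POLY1305"
  - "ECDHE-RSA-AES128-SHA"
  - "ECDHE-RSA-AES256-SHA"
- name: modern-group
  minTLSProtocolVersion: "1.2"
  cipherSuites:
  - "ECDHE-ECDSA-AES256-GCM-SHA384"
EOF
}

# tls_findings: reads overrides YAML on stdin, prints one finding per line.
tls_findings() {
  awk '
    /^ *#/ || /^ *$/ { next }                          # comments, blank lines
    /^[^ -]/ { in_vh = ($1 == "virtualhosts:"); in_cs = 0; next }
    !in_vh   { next }
    { gsub(/"/, "") }                                  # drop quotes, re-split
    $1 == "-" && $2 == "name:" { vh = $3; in_cs = 0; next }
    $1 == "cipherSuites:"      { in_cs = 1; next }
    in_cs && $1 == "-" && NF == 2 {
      # Heuristic: a suite naming neither GCM nor CHACHA20 is treated as non-AEAD.
      if ($2 !~ /GCM|CHACHA20/) print vh ": non-AEAD ciphersuite " $2
      next
    }
    { in_cs = 0 }
    $1 == "minTLSProtocolVersion:" && $2 + 0 < 1.2 {
      print vh ": minTLSProtocolVersion " $2 " is below 1.2"
    }
  '
}

sample_tls_overrides | tls_findings
```

Run it as `tls_findings < OVERRIDES_FILE.yaml`; each output line names the virtual host so the exception can be reviewed and scoped to the clients that need it.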
Customize Ingress access logs
You can customize the Apigee ingress gateway access log destination and format with the istiod.accessLogFile and istiod.accessLogFormat configuration properties. In the following example, the output will be sent to /dev/stdout, which is the default value for istiod.accessLogFile:

    istiod:
      accessLogFormat: '{"request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","status":"%RESPONSE_CODE%"}'

You can disable Apigee ingress gateway access logging by assigning istiod.accessLogFile an empty value. For example:

    istiod:
      accessLogFile: ''

FAQ
- How does this work with my existing Cloud Service Mesh/Istio installation in another namespace?
  As long as Apigee is installed in a dedicated namespace, Apigee ingress gateway can be run alongside an already existing Cloud Service Mesh/Istio installation in the cluster. Apigee ingress gateway doesn't store any configuration in the apiserver, so there won't be any conflict.
- Who is responsible for upgrading Apigee ingress gateway components?
  Apigee takes care of upgrades to Apigee ingress gateway components, which happen during regular hybrid upgrades and patch releases.
- How do I expose port 80 in Apigee ingress gateway?
  Port 80 is not supported by Apigee ingress gateway. If you are migrating from Cloud Service Mesh to Apigee ingress gateway, and you followed the instructions in the community post to enable port 80, it will not work with Apigee ingress gateway.