Step 3: Install ASM

Install ASM

Apigee hybrid uses the Istio distribution provided with Anthos Service Mesh (ASM). Follow these steps to install ASM in your cluster.

Supported ASM versions

See Apigee hybrid: supported platforms for the ASM versions supported in hybrid version 1.7.

Perform ASM setup and configuration steps

To complete the ASM installation, you must first follow ASM-specific setup and configuration steps in the ASM documentation. Then, you must return here to complete the hybrid-specific configuration before applying the configuration to the cluster.

The instructions to install and configure ASM are different depending on your platform. The platforms are divided into the following categories:

  • GKE: Google Kubernetes Engine clusters running on Google Cloud.
  • Outside Google Cloud: Anthos clusters running on:
    • Anthos clusters on VMware (GKE on-prem)
    • Anthos on bare metal
    • Anthos clusters on AWS
    • Amazon EKS
  • Other Kubernetes Platforms: Conformant clusters created and running on:
    • AKS
    • EKS
    • OpenShift

GKE

Prepare to install ASM

  1. Check the environment variables you will need for the following steps, and set them if you need to:
    echo $PROJECT_ID
    echo $CLUSTER_NAME
    echo $CLUSTER_LOCATION
  2. Create an overlay file named overlay.yaml with the following contents:
    apiVersion: install.istio.io/v1alpha1
    kind: IstioOperator
    spec:
      components:
        ingressGateways:
          - name: istio-ingressgateway
            enabled: true
            k8s:
              nodeSelector:
                # default node selector, if different or not using node selectors, change accordingly.
                cloud.google.com/gke-nodepool: apigee-runtime
              resources:
                requests:
                  cpu: 1000m
              service:
                type: LoadBalancer
                loadBalancerIP: STATIC_IP # If you do not have a reserved static IP, leave this out.
                ports:
                  - name: http-status-port
                    port: 15021
                  - name: http2
                    port: 80
                    targetPort: 8080
                  - name: https
                    port: 443
                    targetPort: 8443
      meshConfig:
        accessLogFormat:
          '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
    
    • apigee-runtime is the default value for the node selector. This is the apigee-runtime node pool you created in Step 1: Create a cluster. If you are using a different node selector or are not using one, change or omit the nodeSelector property.
    • STATIC_IP is the IP address for your load balancer. If you have not set one, omit the loadBalancerIP property, but keep the type and ports properties.
  3. Follow the instructions to prepare to install ASM:
    1. Anthos prerequisites.
    2. Permissions required to install Anthos Service Mesh.
    3. Plan an installation.
  4. Install asmcli and any required tools like git, kubectl, and jq, following the instructions in Install required tools.
  5. Proceed through the step to Grant cluster admin permissions and stop. Do not perform the "Validate project and cluster" step.
  6. Install ASM with optional features. Specify the legacy ingress gateway with --option legacy-default-ingressgateway. For example:
    ./asmcli install \
      --verbose \
      --project_id $PROJECT_ID \
      --cluster_name $CLUSTER_NAME \
      --cluster_location $CLUSTER_LOCATION \
      --output_dir dir_path \
      --custom_overlay overlay.yaml \
      --enable_all \
      --option legacy-default-ingressgateway
    • dir_path is the output directory where you want asmcli to set up the ASM installation, including all subdirectories.
    • overlay.yaml is the overlay file you created in the previous steps.

    Use these settings when following the instructions in Install with optional features.

Troubleshooting

If you encounter an error that refers to gcloud container hub memberships register, you may have exceeded the maximum number of clusters registered with GKE Hub. For example:

asmcli_1.12: [WARNING]:  Command 'run_command gcloud
container hub memberships register my-hybrid-example
...' failed.

Try the following steps to remedy this error and then run asmcli install again:

  1. List the GKE Hub memberships for your project:
    gcloud container hub memberships list --project=$PROJECT_ID
  2. Delete the GKE Hub memberships:
    gcloud container hub memberships delete "membership" --project=$PROJECT_ID

For more information about GKE Hub limits, see Quotas and limits.

Outside Google Cloud

These instructions are for installing and setting up ASM for Apigee hybrid instances using Anthos to run on:

  • Anthos clusters on VMware (GKE on-prem)
  • Anthos on bare metal
  • Anthos clusters on AWS
  • Amazon EKS

Prepare to install ASM

  1. Check the environment variables you will need for the following steps, and set them if you need to:
    echo ${PROJECT_ID}
    echo ${CLUSTER_NAME}
    echo ${CLUSTER_LOCATION}
  2. Make note of the values you will need with ASMCLI. These are the values you will be asked to provide when following the steps in the ASM documentation:
    • FLEET_PROJECT_ID: the name of the project your clusters will be associated with. Use the project you created for this install, stored in the ${PROJECT_ID} environment variable.
    • KUBECONFIG_FILE: the full path to the kubeconfig file. The default path is $HOME/.kube/config. For more information, see Organizing Cluster Access Using kubeconfig Files in the Kubernetes documentation.
    • DIR_PATH: the output directory for ASMCLI. This is the path where it will create the Istio configuration files. For example: ./asm.
    • GATEWAY_NAMESPACE: the namespace for your Istio ingress gateway, for example: istio.
    • REVISION: the revision label for this release of ASM. Use asm-1129-3.
    • CONTEXT: the Kubernetes context. Check that Kubernetes is using the context for your cluster with the following command:
      kubectl config get-contexts

      If your current cluster is not the current context, you can set it with the following command:

      kubectl config use-context CONTEXT
    • USER_ACCOUNT: the account with cluster admin permissions you are using to manage the cluster.
  3. Set the context to your project and region with the following commands:

    Set your default project ID:

    gcloud config set project ${PROJECT_ID}

    If you are working with regional clusters, set your default compute region:

    gcloud config set compute/region ${CLUSTER_LOCATION}
  4. Get credentials with the following command:
    gcloud container clusters get-credentials ${CLUSTER_NAME} --region ${CLUSTER_LOCATION} --project ${PROJECT_ID}
  5. Create an overlay file named overlay.yaml with the following contents:
    apiVersion: install.istio.io/v1alpha1
    kind: IstioOperator
    spec:
      components:
        ingressGateways:
          - name: istio-ingressgateway
            enabled: true
            k8s:
              nodeSelector:
                # default node selector, if different or not using node selectors, change accordingly.
                cloud.google.com/gke-nodepool: apigee-runtime
              resources:
                requests:
                  cpu: 1000m
              service:
                type: LoadBalancer
                loadBalancerIP: STATIC_IP # If you do not have a reserved static IP, leave this out.
                ports:
                  - name: http-status-port
                    port: 15021
                  - name: http2
                    port: 80
                    targetPort: 8080
                  - name: https
                    port: 443
                    targetPort: 8443
      meshConfig:
        accessLogFormat:
          '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
    
    • apigee-runtime is the default value for the node selector. This is the apigee-runtime node pool you created in Step 1: Create a cluster. If you are using a different node selector or are not using one, change or omit the nodeSelector property.
    • STATIC_IP is the IP address for your load balancer. If you have not set one, omit the loadBalancerIP property, but keep the type and ports properties.
  6. Follow the instructions to prepare to install ASM:
    1. Anthos prerequisites.
    2. Permissions required to install Anthos Service Mesh.
    3. Plan an installation.
  7. Install asmcli and any required tools like git, kubectl, and jq, following the instructions in Install required tools.
  8. Proceed through the step to Grant cluster admin permissions and stop. Do not perform the "Validate project and cluster" step.
  9. Install ASM with optional features. Specify the legacy ingress gateway with --option legacy-default-ingressgateway. For example:
    ./asmcli install \
      --verbose \
      --project_id $PROJECT_ID \
      --cluster_name $CLUSTER_NAME \
      --cluster_location $CLUSTER_LOCATION \
      --output_dir dir_path \
      --custom_overlay overlay.yaml \
      --enable_all \
      --option legacy-default-ingressgateway
    • dir_path is the output directory where you want asmcli to set up the ASM installation, including all subdirectories.
    • overlay.yaml is the overlay file you created in the previous steps.

    Use these settings when following the instructions in Install with optional features.

Troubleshooting

If you encounter an error that refers to gcloud container hub memberships register, you may have exceeded the maximum number of clusters registered with GKE Hub. For example:

asmcli_1.12: [WARNING]:  Command 'run_command gcloud
container hub memberships register my-hybrid-example
...' failed.

Try the following steps to remedy this error and then run asmcli install again:

  1. List the GKE Hub memberships for your project:
    gcloud container hub memberships list --project=$PROJECT_ID
  2. Delete the GKE Hub memberships:
    gcloud container hub memberships delete "membership" --project=$PROJECT_ID

For more information about GKE Hub limits, see Quotas and limits.

Other Kubernetes platforms

AKS

Set up and download ASM

Read the following steps carefully before you begin. We will ask you to perform some of the steps listed in the ASM documentation, then return here to complete the installation.

This guide explains how to do a clean installation of Anthos Service Mesh (ASM) version 1.12.9-asm.3 on Anthos attached clusters. Use this guide to install Anthos Service Mesh on the following environments:

  • Amazon Elastic Kubernetes Service (Amazon EKS) on Kubernetes
  • Microsoft Azure Kubernetes Service (Microsoft AKS) on Kubernetes
  • Red Hat OpenShift

Preparing to install Anthos Service Mesh

    Linux

  1. Download the Anthos Service Mesh installation file to your current working directory:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.3-linux-amd64.tar.gz
  2. Download the signature file and use openssl to verify the signature:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.3-linux-amd64.tar.gz.1.sig
    openssl dgst -verify /dev/stdin -signature istio-1.12.9-asm.3-linux-amd64.tar.gz.1.sig istio-1.12.9-asm.3-linux-amd64.tar.gz <<'EOF'
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
    wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
    -----END PUBLIC KEY-----
    EOF
    
  3. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
    tar xzf istio-1.12.9-asm.3-linux-amd64.tar.gz

    The command creates an installation directory in your current working directory named istio-1.12.9-asm.3 that contains:

    • Sample applications in the samples directory.
    • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
    • The Anthos Service Mesh configuration profiles are in the manifests/profiles directory.
  4. Ensure that you're in the Anthos Service Mesh installation's root directory:
    cd istio-1.12.9-asm.3
  5. For convenience, add the tools in the /bin directory to your PATH:
    export PATH=$PWD/bin:$PATH
    Mac OS

  7. Download the Anthos Service Mesh installation file to your current working directory:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.3-osx.tar.gz
  8. Download the signature file and use openssl to verify the signature:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.3-osx.tar.gz.1.sig
    openssl dgst -sha256 -verify /dev/stdin -signature istio-1.12.9-asm.3-osx.tar.gz.1.sig istio-1.12.9-asm.3-osx.tar.gz <<'EOF'
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
    wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
    -----END PUBLIC KEY-----
    EOF
    
  9. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
    tar xzf istio-1.12.9-asm.3-osx.tar.gz

    The command creates an installation directory in your current working directory named istio-1.12.9-asm.3 that contains:

    • Sample applications in the samples directory.
    • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
    • The Anthos Service Mesh configuration profiles are in the manifests/profiles directory.
  10. Ensure that you're in the Anthos Service Mesh installation's root directory:
    cd istio-1.12.9-asm.3
  11. For convenience, add the tools in the /bin directory to your PATH:
    export PATH=$PWD/bin:$PATH
    Windows

  13. Download the Anthos Service Mesh installation file to your current working directory:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.3-win.zip
  14. Download the signature file and use openssl to verify the signature:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.3-win.zip.1.sig
    openssl dgst -verify - -signature istio-1.12.9-asm.3-win.zip.1.sig istio-1.12.9-asm.3-win.zip <<'EOF'
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
    wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
    -----END PUBLIC KEY-----
    EOF
    
  15. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
    tar xzf istio-1.12.9-asm.3-win.zip

    The command creates an installation directory in your current working directory named istio-1.12.9-asm.3 that contains:

    • Sample applications in the samples directory.
    • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
    • The Anthos Service Mesh configuration profiles are in the manifests\profiles directory.
  16. Ensure that you're in the Anthos Service Mesh installation's root directory:
    cd istio-1.12.9-asm.3
  17. For convenience, add the tools in the \bin directory to your PATH:
    set PATH=%CD%\bin;%PATH%
  18. Now that ASM Istio is installed, check the version of istioctl:
    istioctl version
  19. Create a namespace called istio-system for the control plane components:
    kubectl create namespace istio-system
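
The download, verify and extract steps above only help if a failed verification actually stops the install. The following is an added example, not code from the Apigee or ASM documentation: a shell function that extracts the archive only when openssl dgst reports a valid signature, exercised against a constructed archive signed with a throwaway key. The function names and the demo file names are assumptions.

```shell
# Added example, not from the Apigee or ASM documentation.
# Fail-closed wrapper around the "verify the signature, then extract" steps.

# verify_then_extract ARCHIVE SIGNATURE PUBKEY_PEM DEST_DIR
# Extracts ARCHIVE into DEST_DIR only if SIGNATURE verifies under PUBKEY_PEM.
# Returns 0 on success, 1 on a bad signature, 2 on a missing or empty input.
verify_then_extract() {
  vte_archive=$1; vte_sig=$2; vte_pub=$3; vte_dest=$4
  for vte_f in "$vte_archive" "$vte_sig" "$vte_pub"; do
    [ -s "$vte_f" ] || { echo "missing or empty: $vte_f" >&2; return 2; }
  done
  # openssl dgst exits 0 ("Verified OK") only when the signature matches and
  # exits non-zero on "Verification Failure", so branch on the exit status.
  if ! openssl dgst -sha256 -verify "$vte_pub" -signature "$vte_sig" \
       "$vte_archive" >/dev/null 2>&1; then
    echo "signature check FAILED for $vte_archive; nothing extracted" >&2
    return 1
  fi
  mkdir -p "$vte_dest" && tar xzf "$vte_archive" -C "$vte_dest"
}

# make_demo_release: build a constructed archive, a throwaway ECDSA P-256 key
# pair and a detached signature in a temp dir, then print the dir path.
make_demo_release() {
  mdr_dir=$(mktemp -d) || return 1
  mkdir "$mdr_dir/payload" || return 1
  echo "constructed stand-in for bin/istioctl" > "$mdr_dir/payload/istioctl"
  tar czf "$mdr_dir/release.tar.gz" -C "$mdr_dir/payload" istioctl || return 1
  openssl ecparam -name prime256v1 -genkey -noout \
    -out "$mdr_dir/key.pem" 2>/dev/null || return 1
  openssl pkey -in "$mdr_dir/key.pem" -pubout \
    -out "$mdr_dir/pub.pem" 2>/dev/null || return 1
  openssl dgst -sha256 -sign "$mdr_dir/key.pem" \
    -out "$mdr_dir/release.tar.gz.1.sig" "$mdr_dir/release.tar.gz" || return 1
  echo "$mdr_dir"
}

# Demo on constructed data: the untouched archive extracts, a modified copy
# checked against the same signature is refused.
demo_dir=$(make_demo_release) || exit 1
verify_then_extract "$demo_dir/release.tar.gz" "$demo_dir/release.tar.gz.1.sig" \
  "$demo_dir/pub.pem" "$demo_dir/good" && echo "original archive: extracted"
cp "$demo_dir/release.tar.gz" "$demo_dir/modified.tar.gz"
printf 'x' >> "$demo_dir/modified.tar.gz"
verify_then_extract "$demo_dir/modified.tar.gz" "$demo_dir/release.tar.gz.1.sig" \
  "$demo_dir/pub.pem" "$demo_dir/bad" || echo "modified archive: refused"
```

For the real download, save the public key shown in the verification step to a PEM file and pass that file as the third argument.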

Installing Anthos Service Mesh

  1. Create a file called overlay.yaml with the following contents:
    apiVersion: install.istio.io/v1alpha1
    kind: IstioOperator
    spec:
      meshConfig:
        accessLogFile: /dev/stdout
        enableTracing: true
        accessLogFormat:
          '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
      components:
        ingressGateways:
        - name: istio-ingressgateway
          enabled: true
          k8s:
            service:
              type: LoadBalancer
              ports:
              - name: status-port
                port: 15021
                targetPort: 15021
              - name: http2
                port: 80
                targetPort: 8080
              - name: https
                port: 443
                targetPort: 8443
    
  2. Install Anthos Service Mesh with istioctl using the asm-multicloud profile:
    istioctl install \
        --set profile=asm-multicloud \
        --set revision="asm-1129-3" \
        --filename overlay.yaml

    The --set revision argument adds a revision label in the format istio.io/rev=asm-1129-3 to istiod. The revision label is used by the automatic sidecar injector webhook to associate injected sidecars with a particular istiod revision. To enable sidecar auto-injection for a namespace, you must label it with a revision that matches the label on istiod.

  3. Check that the istiod pods are running with kubectl get pods:
    kubectl get pods -n istio-system

    Your output should look something like:

    NAME                                      READY   STATUS    RESTARTS   AGE
    istio-ingressgateway-88b6fd976-flgp2  1/1     Running   0          3m13s
    istio-ingressgateway-88b6fd976-p5dl9  1/1     Running   0          2m57s
    istiod-asm-1129-3-dbfb7c7b6-2ls88      1/1     Running   0          3m21s
    istiod-asm-1129-3-dbfb7c7b6-fnj8c      1/1     Running   1          3m21s
    
  4. Verify that your install completed:
    kubectl get svc -n istio-system

    Your output should look something like:

    NAME                  TYPE           CLUSTER-IP       EXTERNAL-IP     PORT(S)                                                                      AGE
    istio-ingressgateway  LoadBalancer   172.200.48.52    34.74.177.168   15021:30479/TCP,80:30030/TCP,443:32200/TCP,15012:32297/TCP,15443:30244/TCP   3m35s
    istiod                ClusterIP      172.200.18.133   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP                                        4m46s
    istiod-asm-1129-3     ClusterIP      172.200.63.220   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP                                        3m43s
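
The accessLogFormat in overlay.yaml makes the ingress gateway write one JSON-shaped line per request to /dev/stdout, including tls_protocol, request_id and remote_address. As an added example (not from the Apigee or ASM documentation), this jq filter flags requests that did not use TLS 1.2 or 1.3 and reports lines that fail to parse instead of dropping them; the sample lines are constructed and trimmed to a few of the format's fields, and the function names are assumptions.

```shell
# Added example, not from the Apigee or ASM documentation. Requires jq.

# flag_weak_tls: read access-log lines on stdin and print one tab-separated
# row per line that needs attention:
#   reason, request_id, tls_protocol, remote_address
# Lines negotiated with TLSv1.2 or TLSv1.3 produce no output.
flag_weak_tls() {
  jq -Rr '
    (try fromjson catch null) as $e
    | if ($e | type) != "object" then
        # Truncated line, or a raw quote inside a value broke the JSON shape.
        ["unparseable", "-", "-", "-"]
      elif $e.tls_protocol == "TLSv1.2" or $e.tls_protocol == "TLSv1.3" then
        empty
      else
        [ (if $e.tls_protocol == "-" then "plaintext"
           else "legacy_or_unknown_tls" end),
          $e.request_id, $e.tls_protocol, $e.remote_address ]
      end
    | map(tostring) | @tsv'
}

# sample_access_log: constructed log lines using field names from the
# accessLogFormat above (addresses are documentation ranges).
sample_access_log() {
  cat <<'EOF'
{"start_time":"2022-08-01T10:00:00.000Z","remote_address":"198.51.100.7:41000","user_agent":"curl/7.79.1","host":"api.example.com","status":"200","tls_protocol":"TLSv1.3","request_id":"req-0001","sni_host":"api.example.com"}
{"start_time":"2022-08-01T10:00:01.000Z","remote_address":"198.51.100.8:41001","user_agent":"legacy-client/1.0","host":"api.example.com","status":"200","tls_protocol":"TLSv1.1","request_id":"req-0002","sni_host":"api.example.com"}
{"start_time":"2022-08-01T10:00:02.000Z","remote_address":"203.0.113.5:52000","user_agent":"curl/7.79.1","host":"api.example.com","status":"404","tls_protocol":"-","request_id":"req-0003","sni_host":"-"}
{"start_time":"2022-08-01T10:00:03.000Z","remote_address":"203.0.113.9:52001","user_agent":"odd "quoted" agent","host":"api.example.com","status":"200","tls_protocol":"TLSv1.2","request_id":"req-0004","sni_host":"api.example.com"}
{"start_time":"2022-08-01T10:00:04.000Z","remote_address":"198.51.100.7:41002","user_agent":"curl/7.79.1","host":"api.example.com","status":"200","tls_protocol":"TLSv1.2","request_id":"req-0005","sni_host":"api.example.com"}
EOF
}

# Demo on the constructed lines.
sample_access_log | flag_weak_tls
```

On a running cluster, pipe the kubectl logs output of the istio-ingressgateway pods in istio-system into flag_weak_tls.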
    

EKS

Set up and download ASM

Read the following steps carefully before you begin. We will ask you to perform some of the steps listed in the ASM documentation, then return here to complete the installation.

This guide explains how to do a clean installation of Anthos Service Mesh (ASM) version 1.12.9-asm.3 on Anthos attached clusters. Use this guide to install Anthos Service Mesh on the following environments:

  • Amazon Elastic Kubernetes Service (Amazon EKS) on Kubernetes
  • Microsoft Azure Kubernetes Service (Microsoft AKS) on Kubernetes
  • Red Hat OpenShift

Preparing to install Anthos Service Mesh

    Linux

  1. Download the Anthos Service Mesh installation file to your current working directory:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.3-linux-amd64.tar.gz
  2. Download the signature file and use openssl to verify the signature:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.3-linux-amd64.tar.gz.1.sig
    openssl dgst -verify /dev/stdin -signature istio-1.12.9-asm.3-linux-amd64.tar.gz.1.sig istio-1.12.9-asm.3-linux-amd64.tar.gz <<'EOF'
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
    wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
    -----END PUBLIC KEY-----
    EOF
    
  3. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
    tar xzf istio-1.12.9-asm.3-linux-amd64.tar.gz

    The command creates an installation directory in your current working directory named istio-1.12.9-asm.3 that contains:

    • Sample applications in the samples directory.
    • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
    • The Anthos Service Mesh configuration profiles are in the manifests/profiles directory.
  4. Ensure that you're in the Anthos Service Mesh installation's root directory:
    cd istio-1.12.9-asm.3
  5. For convenience, add the tools in the /bin directory to your PATH:
    export PATH=$PWD/bin:$PATH
    Mac OS

  7. Download the Anthos Service Mesh installation file to your current working directory:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.3-osx.tar.gz
  8. Download the signature file and use openssl to verify the signature:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.3-osx.tar.gz.1.sig
    openssl dgst -sha256 -verify /dev/stdin -signature istio-1.12.9-asm.3-osx.tar.gz.1.sig istio-1.12.9-asm.3-osx.tar.gz <<'EOF'
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
    wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
    -----END PUBLIC KEY-----
    EOF
    
  9. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
    tar xzf istio-1.12.9-asm.3-osx.tar.gz

    The command creates an installation directory in your current working directory named istio-1.12.9-asm.3 that contains:

    • Sample applications in the samples directory.
    • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
    • The Anthos Service Mesh configuration profiles are in the manifests/profiles directory.
  10. Ensure that you're in the Anthos Service Mesh installation's root directory:
    cd istio-1.12.9-asm.3
  11. For convenience, add the tools in the /bin directory to your PATH:
    export PATH=$PWD/bin:$PATH
    Windows

  13. Download the Anthos Service Mesh installation file to your current working directory:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.3-win.zip
  14. Download the signature file and use openssl to verify the signature:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.3-win.zip.1.sig
    openssl dgst -verify - -signature istio-1.12.9-asm.3-win.zip.1.sig istio-1.12.9-asm.3-win.zip <<'EOF'
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
    wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
    -----END PUBLIC KEY-----
    EOF
    
  15. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
    tar xzf istio-1.12.9-asm.3-win.zip

    The command creates an installation directory in your current working directory named istio-1.12.9-asm.3 that contains:

    • Sample applications in the samples directory.
    • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
    • The Anthos Service Mesh configuration profiles are in the manifests\profiles directory.
  16. Ensure that you're in the Anthos Service Mesh installation's root directory:
    cd istio-1.12.9-asm.3
  17. For convenience, add the tools in the \bin directory to your PATH:
    set PATH=%CD%\bin;%PATH%
  18. Now that ASM Istio is installed, check the version of istioctl:
    istioctl version
  19. Create a namespace called istio-system for the control plane components:
    kubectl create namespace istio-system

Installing Anthos Service Mesh

  1. Create a file called overlay.yaml with the following contents:
    apiVersion: install.istio.io/v1alpha1
    kind: IstioOperator
    spec:
      meshConfig:
        accessLogFile: /dev/stdout
        enableTracing: true
        accessLogFormat:
          '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
      components:
        ingressGateways:
        - name: istio-ingressgateway
          enabled: true
          k8s:
            service:
              type: LoadBalancer
              ports:
              - name: status-port
                port: 15021
                targetPort: 15021
              - name: http2
                port: 80
                targetPort: 8080
              - name: https
                port: 443
                targetPort: 8443
    
  2. Install Anthos Service Mesh with istioctl using the asm-multicloud profile:
    istioctl install \
        --set profile=asm-multicloud \
        --set revision="asm-1129-3" \
        --filename overlay.yaml

    The --set revision argument adds a revision label in the format istio.io/rev=asm-1129-3 to istiod. The revision label is used by the automatic sidecar injector webhook to associate injected sidecars with a particular istiod revision. To enable sidecar auto-injection for a namespace, you must label it with a revision that matches the label on istiod.

  3. Check that the istiod pods are running with kubectl get pods:
    kubectl get pods -n istio-system

    Your output should look something like:

    NAME                                      READY   STATUS    RESTARTS   AGE
    istio-ingressgateway-88b6fd976-flgp2  1/1     Running   0          3m13s
    istio-ingressgateway-88b6fd976-p5dl9  1/1     Running   0          2m57s
    istiod-asm-1129-3-dbfb7c7b6-2ls88      1/1     Running   0          3m21s
    istiod-asm-1129-3-dbfb7c7b6-fnj8c      1/1     Running   1          3m21s
    
  4. Verify that your install completed:
    kubectl get svc -n istio-system

    Your output should look something like:

    NAME                  TYPE           CLUSTER-IP       EXTERNAL-IP     PORT(S)                                                                      AGE
    istio-ingressgateway  LoadBalancer   172.200.48.52    34.74.177.168   15021:30479/TCP,80:30030/TCP,443:32200/TCP,15012:32297/TCP,15443:30244/TCP   3m35s
    istiod                ClusterIP      172.200.18.133   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP                                        4m46s
    istiod-asm-1129-3     ClusterIP      172.200.63.220   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP                                        3m43s
    

OpenShift

Set up and download ASM

Read the following steps carefully before you begin. We will ask you to perform some of the steps listed in the ASM documentation, then return here to complete the installation.

This guide explains how to do a clean installation of Anthos Service Mesh (ASM) version 1.12.9-asm.3 on Anthos attached clusters. Use this guide to install Anthos Service Mesh on the following environments:

  • Amazon Elastic Kubernetes Service (Amazon EKS) on Kubernetes
  • Microsoft Azure Kubernetes Service (Microsoft AKS) on Kubernetes
  • Red Hat OpenShift

Preparing to install Anthos Service Mesh

    Linux

  1. Grant the anyuid security context constraint (SCC) to the service accounts in the istio-system namespace with the following oc command:
    oc adm policy add-scc-to-group anyuid system:serviceaccounts:istio-system
  2. Download the Anthos Service Mesh installation file to your current working directory:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.3-linux-amd64.tar.gz
  3. Download the signature file and use openssl to verify the signature:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.3-linux-amd64.tar.gz.1.sig
    openssl dgst -verify /dev/stdin -signature istio-1.12.9-asm.3-linux-amd64.tar.gz.1.sig istio-1.12.9-asm.3-linux-amd64.tar.gz <<'EOF'
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
    wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
    -----END PUBLIC KEY-----
    EOF
    
  4. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
    tar xzf istio-1.12.9-asm.3-linux-amd64.tar.gz

    The command creates an installation directory in your current working directory named istio-1.12.9-asm.3 that contains:

    • Sample applications in the samples directory.
    • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
    • The Anthos Service Mesh configuration profiles are in the manifests/profiles directory.
  5. Ensure that you're in the Anthos Service Mesh installation's root directory:
    cd istio-1.12.9-asm.3
  6. For convenience, add the tools in the /bin directory to your PATH:
    export PATH=$PWD/bin:$PATH
    Mac OS

  8. Grant the anyuid security context constraint (SCC) to the service accounts in the istio-system namespace with the following oc command:
    oc adm policy add-scc-to-group anyuid system:serviceaccounts:istio-system
  9. Download the Anthos Service Mesh installation file to your current working directory:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.3-osx.tar.gz
  10. Download the signature file and use openssl to verify the signature:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.3-osx.tar.gz.1.sig
    openssl dgst -sha256 -verify /dev/stdin -signature istio-1.12.9-asm.3-osx.tar.gz.1.sig istio-1.12.9-asm.3-osx.tar.gz <<'EOF'
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
    wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
    -----END PUBLIC KEY-----
    EOF
    
  11. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
    tar xzf istio-1.12.9-asm.3-osx.tar.gz

    The command creates an installation directory in your current working directory named istio-1.12.9-asm.3 that contains:

    • Sample applications in the samples directory.
    • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
    • The Anthos Service Mesh configuration profiles are in the manifests/profiles directory.
  12. Ensure that you're in the Anthos Service Mesh installation's root directory:
    cd istio-1.12.9-asm.3
  13. For convenience, add the tools in the /bin directory to your PATH:
    export PATH=$PWD/bin:$PATH

    Windows

  1. Grant the anyuid security context constraint (SCC) to the service accounts in the istio-system namespace with the following OpenShift CLI (oc) command:
    oc adm policy add-scc-to-group anyuid system:serviceaccounts:istio-system
  2. Download the Anthos Service Mesh installation file to your current working directory:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.3-win.zip
  3. Download the signature file and use openssl to verify the signature:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.3-win.zip.1.sig
    openssl dgst -verify - -signature istio-1.12.9-asm.3-win.zip.1.sig istio-1.12.9-asm.3-win.zip <<'EOF'
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
    wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
    -----END PUBLIC KEY-----
    EOF
    
  4. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
    tar xzf istio-1.12.9-asm.3-win.zip

    The command creates an installation directory in your current working directory named istio-1.12.9-asm.3 that contains:

    • Sample applications in the samples directory.
    • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
    • The Anthos Service Mesh configuration profiles are in the manifests\profiles directory.
  5. Ensure that you're in the Anthos Service Mesh installation's root directory:
    cd istio-1.12.9-asm.3
  6. For convenience, add the tools in the \bin directory to your PATH:
    set PATH=%CD%\bin;%PATH%

  7. Now that ASM Istio is installed, check the version of istioctl:
    istioctl version
  8. Create a namespace called istio-system for the control plane components:
    kubectl create namespace istio-system
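
The download, verify and extract steps above for the Linux and Mac OS archives, combined so that extraction happens only when the signature check passes. This is an added example, not part of the original page: the function names are hypothetical, it assumes the public key shown above has been saved to a PEM file, and demo builds a constructed throwaway key and archive so the check can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example: verify a release archive before extracting it (fail closed).
# Function names are hypothetical; they are not part of ASM or istioctl.

# verify_release ARCHIVE SIGNATURE PUBKEY_PEM
# Returns 0 only when SIGNATURE is a valid SHA-256 signature of ARCHIVE.
verify_release() {
  archive=$1; sig=$2; pubkey=$3
  if [ ! -s "$archive" ] || [ ! -s "$sig" ] || [ ! -s "$pubkey" ]; then
    echo "missing or empty input file" >&2
    return 2
  fi
  # Decide on the exit status, not on the printed "Verified OK" text.
  openssl dgst -sha256 -verify "$pubkey" -signature "$sig" "$archive" >/dev/null 2>&1
}

# verify_and_extract ARCHIVE SIGNATURE PUBKEY_PEM DEST
# Extracts ARCHIVE into DEST only after the signature check succeeds.
verify_and_extract() {
  dest=$4
  if ! verify_release "$1" "$2" "$3"; then
    echo "signature check failed for $1; not extracting" >&2
    return 1
  fi
  mkdir -p "$dest" && tar xzf "$1" -C "$dest"
}

# demo: build a constructed throwaway P-256 key, a tiny archive and its
# signature in a temp directory, then print that directory's path.
demo() {
  work=$(mktemp -d) || return 1
  (
    cd "$work" || exit 1
    openssl ecparam -name prime256v1 -genkey -noout -out priv.pem 2>/dev/null || exit 1
    openssl pkey -in priv.pem -pubout -out pub.pem 2>/dev/null || exit 1
    mkdir -p src/bin && echo "constructed payload" > src/bin/tool || exit 1
    tar czf release.tar.gz -C src . || exit 1
    openssl dgst -sha256 -sign priv.pem -out release.tar.gz.1.sig release.tar.gz || exit 1
  ) >/dev/null || return 1
  echo "$work"
}

# Stand-alone use: script ARCHIVE SIGNATURE PUBKEY_PEM DEST
if [ "$#" -eq 4 ]; then
  verify_and_extract "$@"
fi
```
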

Installing Anthos Service Mesh

  1. Create a file called overlay.yaml with the following contents:
    apiVersion: install.istio.io/v1alpha1
    kind: IstioOperator
    spec:
      meshConfig:
        accessLogFile: /dev/stdout
        enableTracing: true
        accessLogFormat:
          '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
      components:
        ingressGateways:
        - name: istio-ingressgateway
          enabled: true
          k8s:
            service:
              type: LoadBalancer
              ports:
              - name: status-port
                port: 15021
                targetPort: 15021
              - name: http2
                port: 80
                targetPort: 8080
              - name: https
                port: 443
                targetPort: 8443
    
  2. Install Anthos Service Mesh with istioctl using the asm-multicloud profile:
    istioctl install \
        --set profile=asm-multicloud \
        --set revision="asm-1129-3" \
        --filename overlay.yaml

    The --set revision argument adds a revision label in the format istio.io/rev=asm-1129-3 to istiod. The revision label is used by the automatic sidecar injector webhook to associate injected sidecars with a particular istiod revision. To enable sidecar auto-injection for a namespace, you must label it with a revision that matches the label on istiod.

  3. Check that the istiod pods are running with kubectl get pods:
    kubectl get pods -n istio-system

    Your output should look something like:

    NAME                                      READY   STATUS    RESTARTS   AGE
    istio-ingressgateway-88b6fd976-flgp2  1/1     Running   0          3m13s
    istio-ingressgateway-88b6fd976-p5dl9  1/1     Running   0          2m57s
    istiod-asm-1129-3-dbfb7c7b6-2ls88      1/1     Running   0          3m21s
    istiod-asm-1129-3-dbfb7c7b6-fnj8c      1/1     Running   1          3m21s
    
  4. Verify that your install completed:
    kubectl get svc -n istio-system

    Your output should look something like:

    NAME                  TYPE           CLUSTER-IP       EXTERNAL-IP     PORT(S)                                                                      AGE
    istio-ingressgateway  LoadBalancer   172.200.48.52    34.74.177.168   15021:30479/TCP,80:30030/TCP,443:32200/TCP,15012:32297/TCP,15443:30244/TCP   3m35s
    istiod                ClusterIP      172.200.18.133   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP                                        4m46s
    istiod-asm-1129-3     ClusterIP      172.200.63.220   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP                                        3m43s
    

Customizing the ASM installation

The ASM installation you just performed is a minimal installation, sufficient to test and use Apigee hybrid for basic use cases. For information on addressing more advanced use cases, such as adding, removing, or modifying load balancer port numbers, see Enabling optional features.

Summary

You now have cert-manager and ASM installed, and you are ready to install the Apigee hybrid command line tool on your local machine.
