The Apigee Hybrid management plane ordinarily communicates with the MART service in the runtime plane via Apigee Connect. This is the recommended configuration. However, if you want to use the MART Istio ingress gateway service instead of Apigee Connect, you will want to expose the MART endpoint to requests coming from outside of the cluster. The MART endpoint is a secure TLS connection. Hybrid uses an Istio ingress gateway service to expose traffic to this endpoint.
This topic explains the steps to take to expose the MART endpoint.
Adding the MART service account
MART requires a GCP service account for authentication.
- In the GCP setup step, Add service accounts, you
created a service account with no role for MART.
Locate the key file you downloaded for that service account.
The file should have a
- Add the key file path to the
... mart: sslCertPath: sslKeyPath: hostAlias: serviceAccountPath: "path to a file" ...
... mart: sslCertPath: sslKeyPath: hostAlias: serviceAccountPath: "your_keypath/mart-service-account.json ...
Adding TLS credentials and the host alias
- Open your overrides file.
- Add the
mart.hostAliasproperties. The following table describes these properties:
Property Value mart.sslCertPath
The MART certificate/key pair must be authorized by a certificate authority (CA). If you have not previously created an authorized cert/key pair, then you must do so now and enter the certificate and key filenames for the corresponding property values. If you need help generating the authorized cert/key pair, see Obtain TLS credentials: An example.
(Required) A qualified DNS name for the MART server endpoint. For example,
For example, where the host alias is a qualified domain name:
... mart: sslCertPath: path-to-file/mart-server.crt sslKeyPath: path-to-file/mart-server.key hostAlias: foo-mart.mydomain.com serviceAccountPath: "your_keypath/mart-service-account.json ...
- Save your changes.