Enable non-SNI and HTTP clients

This topic explains how to enable non-SNI clients, HTTP clients, and a combination of both for use with Apigee hybrid.

This configuration works for both Apigee ingress gateway and Anthos Service Mesh.

How to configure a non-SNI client

This section explains how to enable support for non-SNI (Server Name Indication) clients in Apigee hybrid. A non-SNI client uses port 443 and is required if you want to integrate hybrid runtime instances with Google Cloud Load Balancing or for clients that do not support SNI.
  1. Create an ApigeeRoute custom resource definition (CRD). Be sure that enableNonSniClient is set to true:
    apiVersion: apigee.cloud.google.com/v1alpha1
    kind: ApigeeRoute
    metadata:
      name: ROUTE_NAME
      namespace: apigee
    spec:
      hostnames:
      - "*"
      ports:
      - number: 443
        protocol: HTTPS
        tls:
          credentialName: CREDENTIAL_NAME
          mode: SIMPLE
          #optional
          minProtocolVersion: TLS_AUTO
      selector:
        app: APP_NAME
      enableNonSniClient: true
    

    Where:

    • ROUTE_NAME is the name you give to the CRD.
    • CREDENTIAL_NAME is the name of a Kubernetes Secret deployed to the cluster that contains TLS credentials for your virtualhost. You can find the credential name with the following kubectl Command:
      kubectl -n apigee get ApigeeRoutes -o=yaml | grep credentialName
    • APP_NAME Identifies the type of ingress gateway:
      • apigee-ingressgateway for Apigee ingress gateway.
      • istio-ingressgateway for Anthos Service Mesh.
    • hostnames must be set to the wildcard "*".
  2. Open your overrides file and make the change described in the next step.
  3. For each environment group, add the ApigeeRoute name to the additionalGateways property. For example:
    virtualhosts:
      - name: default
        sslCertPath: ./certs/fullchain.pem
        sslKeyPath: ./certs/privkey.pem
        additionalGateways: ["route_name"]
  4. Save the CRD file. For example: ApigeeRoute.yaml
  5. Apply the CRD to the cluster:
    kubectl apply -f ApigeeRoute.yaml -n apigee
  6. Apply the change to virtualhosts:
    $APIGEECTL_HOME/apigeectl apply -f overrides.yaml --settings virtualhosts --env $ENVIRONMENT

Usage notes

  • What happens if the cluster has more than one org?

    Since the ingress is at the cluster level for a given port (443), and there can only be one key/cert pair for the ApigeeRoute CRD, all orgs must share the same key/cert pair.

  • What happens if the cluster has more than one environment group. Will it work if the virtual hosts share the same key/cert pair?

    All hostnames across all environment groups must use the same key/cert pair.

  • Why are we creating an ApigeeRoute instead of Gateway?

    ApigeeRoutes can be validated by Apigee; however, Gateway (the Istio CRD) cannot be. Technically, even Gateway can work, but we can prevent potential configuration mistakes (through a validation webhook).

Enable HTTP clients

This section explains support for HTTP clients for use with Apigee hybrid.

  1. Create an ApigeeRoute custom resource definition (CRD). For example:
    apiVersion: apigee.cloud.google.com/v1alpha1
    kind: ApigeeRoute
    metadata:
      name: route_name
      namespace: apigee
    spec:
      hostnames:
      - "*"
      ports:
      - number: 80
        protocol: HTTP
      selector:
        app: istio-ingressgateway
      enableNonSniClient: true

    Where:

    • route_name is the name you give to the CRD.
    • hostnames must be set to the wildcard "*".
  2. Open your overrides file and make the change described in the next step.
  3. For each environment group, add the ApigeeRoute name to the additionalGateways property. For example:
    virtualhosts:
      - name: default
        sslCertPath: ./certs/fullchain.pem
        sslKeyPath: ./certs/privkey.pem
        additionalGateways: ["route_name"]
  4. Save the CRD file. For example: ApigeeRoute.yaml
  5. Apply the CRD to the cluster:
    kubectl apply -f ApigeeRoute.yaml -n apigee
  6. Apply the change to virtualhosts:
    $APIGEECTL_HOME/apigeectl apply -f overrides.yaml --settings virtualhosts --env $ENVIRONMENT

Enable support for both non-SNI and HTTP clients

This section explains how to enable both non-SNI (port 443) and HTTP (port 80) clients for use with Apigee hybrid.

  1. Create an ApigeeRoute custom resource definition (CRD). For example:
    apiVersion: apigee.cloud.google.com/v1alpha1
    kind: ApigeeRoute
    metadata:
      name: route_name
      namespace: apigee
    spec:
      hostnames:
      - "*"
      ports:
      - number: 443
        protocol: HTTPS
        tls:
          credentialName: credential_name
          mode: SIMPLE
          #optional
          minProtocolVersion: TLS_AUTO
      - number: 80
        protocol: HTTP
      selector:
        app: istio-ingressgateway
      enableNonSniClient: true

    Where:

    • route_name is the name you give to the CRD.
    • hostname must be set to the wildcard "*".
    • credential_name is the name of a Kubernetes Secret deployed to the cluster that contains TLS credentials for your virtualhost. You can find the credential name with the following kubectl Command:
      kubectl -n apigee get ApigeeRoutes -o=yaml | grep credentialName
  2. Open your overrides file and make the change described in the next step.
  3. For each environment group, add the ApigeeRoute name to the additionalGateways property. For example:
    virtualhosts:
      - name: default
        sslCertPath: ./certs/fullchain.pem
        sslKeyPath: ./certs/privkey.pem
        additionalGateways: ["route_name"]
  4. Save the CRD file. For example: ApigeeRoute.yaml
  5. Apply the CRD to the cluster:
    kubectl apply -f ApigeeRoute.yaml -n apigee
  6. Apply the change to virtualhosts:
    $APIGEECTL_HOME/apigeectl apply -f overrides.yaml --settings virtualhosts --env $ENVIRONMENT