This topic explains how to enable non-SNI clients, HTTP clients, and a combination of both for use with Apigee hybrid.
This configuration works for both Apigee ingress gateway and Anthos Service Mesh.
How to configure a non-SNI client
This section explains how to enable support for non-SNI (Server Name Indication) clients in Apigee hybrid. A non-SNI client uses port 443 and is required if you want to integrate hybrid runtime instances with Google Cloud Load Balancing or for clients that do not support SNI.
- Create an ApigeeRoute custom resource definition (CRD). Be sure that enableNonSniClient is set to true:

    apiVersion: apigee.cloud.google.com/v1alpha1
    kind: ApigeeRoute
    metadata:
      name: ROUTE_NAME
      namespace: apigee
    spec:
      hostnames:
      - "*"
      ports:
      - number: 443
        protocol: HTTPS
        tls:
          credentialName: CREDENTIAL_NAME
          mode: SIMPLE
          #optional
          minProtocolVersion: TLS_AUTO
      selector:
        app: APP_NAME
      enableNonSniClient: true
Where:
- ROUTE_NAME is the name you give to the CRD.
- CREDENTIAL_NAME is the name of a Kubernetes Secret deployed to the cluster that contains TLS credentials for your virtualhost. You can find the credential name with the following kubectl command:

    kubectl -n apigee get ApigeeRoutes -o=yaml | grep credentialName

- APP_NAME identifies the type of ingress gateway: apigee-ingressgateway for Apigee ingress gateway, or istio-ingressgateway for Anthos Service Mesh.
- hostnames must be set to the wildcard "*".
- Open your overrides file and make the change described in the next step.
- For each environment group, add the ApigeeRoute name to the additionalGateways property. For example:

    virtualhosts:
    - name: default
      sslCertPath: ./certs/fullchain.pem
      sslKeyPath: ./certs/privkey.pem
      additionalGateways: ["route_name"]

- Save the CRD file. For example: ApigeeRoute.yaml
- Apply the CRD to the cluster:

    kubectl apply -f ApigeeRoute.yaml -n apigee

- Apply the change to virtualhosts:

    $APIGEECTL_HOME/apigeectl apply -f overrides.yaml --settings virtualhosts --env $ENVIRONMENT
Usage notes
- What happens if the cluster has more than one org?
Since the ingress is at the cluster level for a given port (443), and there can only be one key/cert pair for the ApigeeRoute CRD, all orgs must share the same key/cert pair.
- What happens if the cluster has more than one environment group? Will it work if the virtual hosts share the same key/cert pair?
All hostnames across all environment groups must use the same key/cert pair.
- Why are we creating an ApigeeRoute instead of Gateway?
ApigeeRoutes can be validated by Apigee through a validation webhook; Gateway (the Istio CRD) cannot be. Technically, a Gateway also works, but using an ApigeeRoute lets Apigee catch configuration mistakes before they reach the cluster.
Enable HTTP clients
This section explains support for HTTP clients for use with Apigee hybrid.
- Create an ApigeeRoute custom resource definition (CRD). For example:

    apiVersion: apigee.cloud.google.com/v1alpha1
    kind: ApigeeRoute
    metadata:
      name: route_name
      namespace: apigee
    spec:
      hostnames:
      - "*"
      ports:
      - number: 80
        protocol: HTTP
      selector:
        app: istio-ingressgateway
      enableNonSniClient: true

Where:
- route_name is the name you give to the CRD.
- hostnames must be set to the wildcard "*".
- Open your overrides file and make the change described in the next step.
- For each environment group, add the ApigeeRoute name to the additionalGateways property. For example:

    virtualhosts:
    - name: default
      sslCertPath: ./certs/fullchain.pem
      sslKeyPath: ./certs/privkey.pem
      additionalGateways: ["route_name"]

- Save the CRD file. For example: ApigeeRoute.yaml
- Apply the CRD to the cluster:

    kubectl apply -f ApigeeRoute.yaml -n apigee

- Apply the change to virtualhosts:

    $APIGEECTL_HOME/apigeectl apply -f overrides.yaml --settings virtualhosts --env $ENVIRONMENT
Enable support for both non-SNI and HTTP clients
This section explains how to enable both non-SNI (port 443) and HTTP (port 80) clients for use with Apigee hybrid.
- Create an ApigeeRoute custom resource definition (CRD). For example:

    apiVersion: apigee.cloud.google.com/v1alpha1
    kind: ApigeeRoute
    metadata:
      name: route_name
      namespace: apigee
    spec:
      hostnames:
      - "*"
      ports:
      - number: 443
        protocol: HTTPS
        tls:
          credentialName: credential_name
          mode: SIMPLE
          #optional
          minProtocolVersion: TLS_AUTO
      - number: 80
        protocol: HTTP
      selector:
        app: istio-ingressgateway
      enableNonSniClient: true

Where:
- route_name is the name you give to the CRD.
- hostnames must be set to the wildcard "*".
- credential_name is the name of a Kubernetes Secret deployed to the cluster that contains TLS credentials for your virtualhost. You can find the credential name with the following kubectl command:

    kubectl -n apigee get ApigeeRoutes -o=yaml | grep credentialName
- Open your overrides file and make the change described in the next step.
- For each environment group, add the ApigeeRoute name to the additionalGateways property. For example:

    virtualhosts:
    - name: default
      sslCertPath: ./certs/fullchain.pem
      sslKeyPath: ./certs/privkey.pem
      additionalGateways: ["route_name"]

- Save the CRD file. For example: ApigeeRoute.yaml
- Apply the CRD to the cluster:

    kubectl apply -f ApigeeRoute.yaml -n apigee

- Apply the change to virtualhosts:

    $APIGEECTL_HOME/apigeectl apply -f overrides.yaml --settings virtualhosts --env $ENVIRONMENT
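The three procedures above share the same constraints (wildcard hostnames, enableNonSniClient set to true, a TLS Secret for port 443, and the route name listed under additionalGateways for every environment group). The following pre-apply lint is an added example, not Apigee code; it assumes the ApigeeRoute manifest and the overrides virtualhosts list have already been loaded into Python dicts (for example with yaml.safe_load), and the function name lint_apigee_route is hypothetical.

```python
"""Pre-apply lint for an Apigee hybrid ApigeeRoute manifest (added example, not
Apigee code). Works on a manifest already loaded as a dict, e.g. via
yaml.safe_load, and on the overrides-file virtualhosts list."""

KNOWN_GATEWAYS = {"apigee-ingressgateway", "istio-ingressgateway"}

def lint_apigee_route(route, virtualhosts):
    """Return findings as strings; entries starting with 'info:' are advisory."""
    findings = []
    meta, spec = route.get("metadata", {}), route.get("spec", {})
    name = meta.get("name")
    if meta.get("namespace") != "apigee":
        findings.append("metadata.namespace must be apigee")
    if spec.get("hostnames") != ["*"]:
        findings.append('spec.hostnames must be exactly ["*"]')
    if spec.get("enableNonSniClient") is not True:
        findings.append("spec.enableNonSniClient must be true")
    app = spec.get("selector", {}).get("app")
    if app not in KNOWN_GATEWAYS:
        findings.append(f"selector.app {app!r} is not a known ingress gateway")
    for port in spec.get("ports", []):
        number, proto = port.get("number"), port.get("protocol")
        if number == 443:
            if proto != "HTTPS":
                findings.append("port 443 must use protocol HTTPS")
            if not port.get("tls", {}).get("credentialName"):
                findings.append("port 443 needs tls.credentialName")
        elif number == 80:
            if proto != "HTTP":
                findings.append("port 80 must use protocol HTTP")
            findings.append("info: port 80 is cleartext HTTP; confirm it is intended")
        else:
            findings.append(f"unexpected port {number}")
    # Each environment group's virtualhost must list the route in additionalGateways.
    for vh in virtualhosts:
        if name not in vh.get("additionalGateways", []):
            findings.append(f"virtualhost {vh.get('name')!r} lacks {name!r} in additionalGateways")
    return findings

# Constructed sample mirroring the combined non-SNI + HTTP route above.
SAMPLE_ROUTE = {
    "apiVersion": "apigee.cloud.google.com/v1alpha1", "kind": "ApigeeRoute",
    "metadata": {"name": "route_name", "namespace": "apigee"},
    "spec": {"hostnames": ["*"], "enableNonSniClient": True,
             "selector": {"app": "istio-ingressgateway"},
             "ports": [{"number": 443, "protocol": "HTTPS",
                        "tls": {"credentialName": "credential_name", "mode": "SIMPLE"}},
                       {"number": 80, "protocol": "HTTP"}]},
}
SAMPLE_VIRTUALHOSTS = [{"name": "default", "additionalGateways": ["route_name"]}]
```

Run the lint before kubectl apply and apigeectl apply so that a route missing from an environment group's additionalGateways, or a port 443 entry without its TLS Secret, is caught on the workstation rather than in the cluster.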