Step 11: Install Apigee hybrid Using Helm

Install the Apigee hybrid runtime components

In this step, you will use Helm to install the following Apigee hybrid components:

Apigee operator
Apigee datastore
Apigee telemetry
Apigee Redis
Apigee ingress manager
Apigee organization
Your Apigee environment(s)

You will install the charts for each environment one at a time. The sequence in which you install the components matters.

Pre-installation Notes

If you have not already installed Helm v3.14.2+, follow the instructions in Installing Helm.
Apigee hybrid uses Helm guardrails to verify the configuration before installing or upgrading a chart. You may see guardrail-specific information in the output of each of the commands in this section, for example:
```
# Source: apigee-operator/templates/apigee-operators-guardrails.yaml
apiVersion: v1
kind: Pod
metadata:
  name: apigee-hybrid-helm-guardrail-operator
  namespace:  APIGEE_NAMESPACE
  annotations:
    helm.sh/hook: pre-install,pre-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    app: apigee-hybrid-helm-guardrail
```
If any of the helm upgrade commands fail, you can use the guardrails output to help diagnose the cause. See Diagnosing issues with guardrails.
Before executing any of the Helm upgrade/install commands, use the Helm dry-run feature by adding --dry-run=server at the end of the command. See helm install --h to list supported commands, options, and usage.

Installation steps

Select the installation instructions for the service account authentication type in your hybrid installation:

Kubernetes Secrets

If you have not, navigate into your APIGEE_HELM_CHARTS_HOME directory. Run the following commands from that directory.

Install Apigee Operator/Controller:

Note: This step requires elevated cluster permissions. Run helm -h or helm install -h for details

Dry run:

helm upgrade operator apigee-operator/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server

Install the chart:

helm upgrade operator apigee-operator/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml

Verify Apigee Operator installation:

helm ls -n APIGEE_NAMESPACE

NAME       NAMESPACE       REVISION   UPDATED                                STATUS     CHART                                       APP VERSION
operator   apigee   3          2025-06-26 00:42:44.492009 -0800 PST   deployed   apigee-operator-1.15.1   1.15.1

Verify it is up and running by checking its availability:

kubectl -n APIGEE_NAMESPACE get deploy apigee-controller-manager

NAME                        READY   UP-TO-DATE   AVAILABLE   AGE
apigee-controller-manager   1/1     1            1           34s

Install Apigee datastore:

Dry run:

helm upgrade datastore apigee-datastore/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server

Install the chart:

helm upgrade datastore apigee-datastore/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml

Verify apigeedatastore is up and running by checking its state before proceeding to the next step:

kubectl -n APIGEE_NAMESPACE get apigeedatastore default

NAME      STATE       AGE
default   running    51s

Install Apigee telemetry:

Dry run:

helm upgrade telemetry apigee-telemetry/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server

Install the chart:

helm upgrade telemetry apigee-telemetry/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml

Verify it is up and running by checking its state:

kubectl -n APIGEE_NAMESPACE get apigeetelemetry apigee-telemetry

NAME               STATE     AGE
apigee-telemetry   running   55s

Install Apigee Redis:

Dry run:

helm upgrade redis apigee-redis/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server

Install the chart:

helm upgrade redis apigee-redis/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml

Verify it is up and running by checking its state:

kubectl -n APIGEE_NAMESPACE get apigeeredis default

NAME      STATE     AGE
default   running   79s

Install Apigee ingress manager:

Dry run:

helm upgrade ingress-manager apigee-ingress-manager/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server

Install the chart:

helm upgrade ingress-manager apigee-ingress-manager/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml

Verify it is up and running by checking its availability:

kubectl -n APIGEE_NAMESPACE get deployment apigee-ingressgateway-manager

NAME                            READY   UP-TO-DATE   AVAILABLE   AGE
apigee-ingressgateway-manager   2/2     2            2           16s

Install Apigee organization. If you have set the $ORG_NAME environment variable in your shell, you can use that in the following commands:

Dry run:

helm upgrade $ORG_NAME apigee-org/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server

Install the chart:

helm upgrade $ORG_NAME apigee-org/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml

Verify it is up and running by checking the state of the respective org:

kubectl -n APIGEE_NAMESPACE get apigeeorg

NAME                      STATE     AGE
my-project-123abcd        running   4m18s

Install the environment.

You must install one environment at a time. Specify the environment with --set env=ENV_NAME. If you have set the $ENV_NAME environment variable in your shell, you can use that in the following commands:
1. Dry run:
```
helm upgrade ENV_RELEASE_NAME apigee-env/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  --set env=$ENV_NAME \
  -f overrides.yaml \
  --dry-run=server
```
2. Install the chart:
```
helm upgrade ENV_RELEASE_NAME apigee-env/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  --set env=$ENV_NAME \
  -f overrides.yaml
```
3. Verify it is up and running by checking the state of the respective env:
```
kubectl -n APIGEE_NAMESPACE get apigeeenv
```
```
NAME                       STATE     AGE   GATEWAYTYPE
apigee-my-project-my-env   running   3m1s
```
Install the environment groups (virtualhosts).
1. You must install one environment group (virtualhost) at a time. Specify the environment group with --set envgroup=ENV_GROUP. If you have set the $ENV_GROUP environment variable in your shell, you can use that in the following commands. Repeat the following commands for each env group mentioned in your overrides.yaml file:
  Dry run:
```
helm upgrade ENV_GROUP_RELEASE_NAME apigee-virtualhost/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  --set envgroup=$ENV_GROUP \
  -f overrides.yaml \
  --dry-run=server
```
2. Install the chart:
```
helm upgrade ENV_GROUP_RELEASE_NAME apigee-virtualhost/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  --set envgroup=$ENV_GROUP \
  -f overrides.yaml
```
  Note: ENV_GROUP must be unique within the apigee namespace. For example, if you have a prod env and envgroup, you should set this name to prod-envgroup. The later env group name should still be prod.
3. Check the state of the ApigeeRoute (AR).
  Installing the virtualhosts creates ApigeeRouteConfig (ARC) which internally creates ApigeeRoute (AR) once the Apigee watcher pulls env group related details from the control plane. Therefore, check that the corresponding AR's state is running:
```
kubectl -n APIGEE_NAMESPACE get arc
```
```
NAME                                STATE   AGE
apigee-org1-dev-egroup                       2m
```
```
kubectl -n APIGEE_NAMESPACE get ar
```
```
NAME                                                        STATE     AGE
apigee-ingressgateway-internal-chaining-my-project-123abcd   running   19m
my-project-myenvgroup-000-321dcba                            running   2m30s
```

JSON files

If you have not, navigate into your APIGEE_HELM_CHARTS_HOME directory. Run the following commands from that directory.

Install Apigee Operator/Controller:

Note: This step requires elevated cluster permissions. Run helm -h or helm install -h for details

Dry run:

helm upgrade operator apigee-operator/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server

Install the chart:

helm upgrade operator apigee-operator/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml

Verify Apigee Operator installation:

helm ls -n APIGEE_NAMESPACE

NAME       NAMESPACE       REVISION   UPDATED                                STATUS     CHART                                       APP VERSION
operator   apigee   3          2025-06-26 00:42:44.492009 -0800 PST   deployed   apigee-operator-1.15.1   1.15.1

Verify it is up and running by checking its availability:

kubectl -n APIGEE_NAMESPACE get deploy apigee-controller-manager

NAME                        READY   UP-TO-DATE   AVAILABLE   AGE
apigee-controller-manager   1/1     1            1           34s

Install Apigee datastore:

Dry run:

helm upgrade datastore apigee-datastore/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server

Install the chart:

helm upgrade datastore apigee-datastore/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml

Verify apigeedatastore is up and running by checking its state before proceeding to the next step:

kubectl -n APIGEE_NAMESPACE get apigeedatastore default

NAME      STATE       AGE
default   running    51s

Install Apigee telemetry:

Dry run:

helm upgrade telemetry apigee-telemetry/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server

Install the chart:

helm upgrade telemetry apigee-telemetry/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml

Verify it is up and running by checking its state:

kubectl -n APIGEE_NAMESPACE get apigeetelemetry apigee-telemetry

NAME               STATE     AGE
apigee-telemetry   running   55s

Install Apigee Redis:

Dry run:

helm upgrade redis apigee-redis/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server

Install the chart:

helm upgrade redis apigee-redis/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml

Verify it is up and running by checking its state:

kubectl -n APIGEE_NAMESPACE get apigeeredis default

NAME      STATE     AGE
default   running   79s

Install Apigee ingress manager:

Dry run:

helm upgrade ingress-manager apigee-ingress-manager/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server

Install the chart:

helm upgrade ingress-manager apigee-ingress-manager/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml

Verify it is up and running by checking its availability:

kubectl -n APIGEE_NAMESPACE get deployment apigee-ingressgateway-manager

NAME                            READY   UP-TO-DATE   AVAILABLE   AGE
apigee-ingressgateway-manager   2/2     2            2           16s

Install Apigee organization. If you have set the $ORG_NAME environment variable in your shell, you can use that in the following commands:

Dry run:

helm upgrade $ORG_NAME apigee-org/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server

Install the chart:

helm upgrade $ORG_NAME apigee-org/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml

Verify it is up and running by checking the state of the respective org:

kubectl -n APIGEE_NAMESPACE get apigeeorg

NAME                      STATE     AGE
my-project-123abcd        running   4m18s

Install the environment.

You must install one environment at a time. Specify the environment with --set env=ENV_NAME. If you have set the $ENV_NAME environment variable in your shell, you can use that in the following commands:
1. Dry run:
```
helm upgrade ENV_RELEASE_NAME apigee-env/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  --set env=$ENV_NAME \
  -f overrides.yaml \
  --dry-run=server
```
2. Install the chart:
```
helm upgrade ENV_RELEASE_NAME apigee-env/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  --set env=$ENV_NAME \
  -f overrides.yaml
```
3. Verify it is up and running by checking the state of the respective env:
```
kubectl -n APIGEE_NAMESPACE get apigeeenv
```
```
NAME                       STATE     AGE   GATEWAYTYPE
apigee-my-project-my-env   running   3m1s
```
Install the environment groups (virtualhosts).
1. You must install one environment group (virtualhost) at a time. Specify the environment group with --set envgroup=ENV_GROUP. If you have set the $ENV_GROUP environment variable in your shell, you can use that in the following commands. Repeat the following commands for each env group mentioned in your overrides.yaml file:
  Dry run:
```
helm upgrade ENV_GROUP_RELEASE_NAME apigee-virtualhost/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  --set envgroup=$ENV_GROUP \
  -f overrides.yaml \
  --dry-run=server
```
2. Install the chart:
```
helm upgrade ENV_GROUP_RELEASE_NAME apigee-virtualhost/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  --set envgroup=$ENV_GROUP \
  -f overrides.yaml
```
  Note: ENV_GROUP must be unique within the apigee namespace. For example, if you have a prod env and envgroup, you should set this name to prod-envgroup. The later env group name should still be prod.
3. Check the state of the ApigeeRoute (AR).
  Installing the virtualhosts creates ApigeeRouteConfig (ARC) which internally creates ApigeeRoute (AR) once the Apigee watcher pulls env group related details from the control plane. Therefore, check that the corresponding AR's state is running:
```
kubectl -n APIGEE_NAMESPACE get arc
```
```
NAME                                STATE   AGE
apigee-org1-dev-egroup                       2m
```
```
kubectl -n APIGEE_NAMESPACE get ar
```
```
NAME                                                        STATE     AGE
apigee-ingressgateway-internal-chaining-my-project-123abcd   running   19m
my-project-myenvgroup-000-321dcba                            running   2m30s
```

Vault

If you have not, navigate into your APIGEE_HELM_CHARTS_HOME directory. Run the following commands from that directory.

Install Apigee Operator/Controller:

Note: This step requires elevated cluster permissions. Run helm -h or helm install -h for details

Dry run:

helm upgrade operator apigee-operator/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server

Install the chart:

helm upgrade operator apigee-operator/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml

Verify Apigee Operator installation:

helm ls -n APIGEE_NAMESPACE

NAME       NAMESPACE       REVISION   UPDATED                                STATUS     CHART                                       APP VERSION
operator   apigee   3          2025-06-26 00:42:44.492009 -0800 PST   deployed   apigee-operator-1.15.1   1.15.1

Verify it is up and running by checking its availability:

kubectl -n APIGEE_NAMESPACE get deploy apigee-controller-manager

NAME                        READY   UP-TO-DATE   AVAILABLE   AGE
apigee-controller-manager   1/1     1            1           34s

Install Apigee datastore:

Dry run:

helm upgrade datastore apigee-datastore/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server

Install the chart:

helm upgrade datastore apigee-datastore/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml

Verify apigeedatastore is up and running by checking its state before proceeding to the next step:

kubectl -n APIGEE_NAMESPACE get apigeedatastore default

NAME      STATE       AGE
default   running    51s

Install Apigee telemetry:

Dry run:

helm upgrade telemetry apigee-telemetry/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server

Install the chart:

helm upgrade telemetry apigee-telemetry/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml

Verify it is up and running by checking its state:

kubectl -n APIGEE_NAMESPACE get apigeetelemetry apigee-telemetry

NAME               STATE     AGE
apigee-telemetry   running   55s

Install Apigee Redis:

Dry run:

helm upgrade redis apigee-redis/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server

Install the chart:

helm upgrade redis apigee-redis/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml

Verify it is up and running by checking its state:

kubectl -n APIGEE_NAMESPACE get apigeeredis default

NAME      STATE     AGE
default   running   79s

Install Apigee ingress manager:

Dry run:

helm upgrade ingress-manager apigee-ingress-manager/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server

Install the chart:

helm upgrade ingress-manager apigee-ingress-manager/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml

Verify it is up and running by checking its availability:

kubectl -n APIGEE_NAMESPACE get deployment apigee-ingressgateway-manager

NAME                            READY   UP-TO-DATE   AVAILABLE   AGE
apigee-ingressgateway-manager   2/2     2            2           16s

Install Apigee organization. If you have set the $ORG_NAME environment variable in your shell, you can use that in the following commands:

Dry run:

helm upgrade $ORG_NAME apigee-org/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server

Install the chart:

helm upgrade $ORG_NAME apigee-org/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml

Verify it is up and running by checking the state of the respective org:

kubectl -n APIGEE_NAMESPACE get apigeeorg

NAME                      STATE     AGE
my-project-123abcd        running   4m18s

Install the environment.

You must install one environment at a time. Specify the environment with --set env=ENV_NAME. If you have set the $ENV_NAME environment variable in your shell, you can use that in the following commands:
1. Dry run:
```
helm upgrade ENV_RELEASE_NAME apigee-env/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  --set env=$ENV_NAME \
  -f overrides.yaml \
  --dry-run=server
```
2. Install the chart:
```
helm upgrade ENV_RELEASE_NAME apigee-env/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  --set env=$ENV_NAME \
  -f overrides.yaml
```
3. Verify it is up and running by checking the state of the respective env:
```
kubectl -n APIGEE_NAMESPACE get apigeeenv
```
```
NAME                       STATE     AGE   GATEWAYTYPE
apigee-my-project-my-env   running   3m1s
```
Install the environment groups (virtualhosts).
1. You must install one environment group (virtualhost) at a time. Specify the environment group with --set envgroup=ENV_GROUP. If you have set the $ENV_GROUP environment variable in your shell, you can use that in the following commands. Repeat the following commands for each env group mentioned in your overrides.yaml file:
  Dry run:
```
helm upgrade ENV_GROUP_RELEASE_NAME apigee-virtualhost/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  --set envgroup=$ENV_GROUP \
  -f overrides.yaml \
  --dry-run=server
```
2. Install the chart:
```
helm upgrade ENV_GROUP_RELEASE_NAME apigee-virtualhost/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  --set envgroup=$ENV_GROUP \
  -f overrides.yaml
```
  Note: ENV_GROUP must be unique within the apigee namespace. For example, if you have a prod env and envgroup, you should set this name to prod-envgroup. The later env group name should still be prod.
3. Check the state of the ApigeeRoute (AR).
  Installing the virtualhosts creates ApigeeRouteConfig (ARC) which internally creates ApigeeRoute (AR) once the Apigee watcher pulls env group related details from the control plane. Therefore, check that the corresponding AR's state is running:
```
kubectl -n APIGEE_NAMESPACE get arc
```
```
NAME                                STATE   AGE
apigee-org1-dev-egroup                       2m
```
```
kubectl -n APIGEE_NAMESPACE get ar
```
```
NAME                                                        STATE     AGE
apigee-ingressgateway-internal-chaining-my-project-123abcd   running   19m
my-project-myenvgroup-000-321dcba                            running   2m30s
```

WIF for GKE

If you have not, navigate into your APIGEE_HELM_CHARTS_HOME directory. Run the following commands from that directory.

Install Apigee Operator/Controller:

Note: This step requires elevated cluster permissions. Run helm -h or helm install -h for details

Dry run:

helm upgrade operator apigee-operator/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server

Install the chart:

helm upgrade operator apigee-operator/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml

Verify Apigee Operator installation:

helm ls -n APIGEE_NAMESPACE

NAME       NAMESPACE       REVISION   UPDATED                                STATUS     CHART                                       APP VERSION
operator   apigee   3          2025-06-26 00:42:44.492009 -0800 PST   deployed   apigee-operator-1.15.1   1.15.1

Verify it is up and running by checking its availability:

kubectl -n APIGEE_NAMESPACE get deploy apigee-controller-manager

NAME                        READY   UP-TO-DATE   AVAILABLE   AGE
apigee-controller-manager   1/1     1            1           34s

Install Apigee datastore:

Dry run:

helm upgrade datastore apigee-datastore/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server

Set up the service account bindings for Cassandra for Workload Identity Federation for GKE:

The output from the helm upgrade command should have contained commands in the NOTES section. Follow those commands to set up the service account bindings. There should be two commands in the form of:

Production

gcloud iam service-accounts add-iam-policy-binding CASSANDRA_SERVICE_ACCOUNT_EMAIL \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-cassandra-default]" \
  --project PROJECT_ID

Non-prod

gcloud iam service-accounts add-iam-policy-binding NON_PROD_SERVICE_ACCOUNT_EMAIL \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-cassandra-default]" \
  --project PROJECT_ID

And:

Production

kubectl annotate serviceaccount apigee-cassandra-default \
  iam.gke.io/gcp-service-account=CASSANDRA_SERVICE_ACCOUNT_EMAIL \
  --namespace APIGEE_NAMESPACE

Non-prod

kubectl annotate serviceaccount apigee-cassandra-default \
  iam.gke.io/gcp-service-account=NON_PROD_SERVICE_ACCOUNT_EMAIL \
  --namespace APIGEE_NAMESPACE

For example:

Production

NOTES:
For Cassandra backup GKE Workload Identity, please make sure to add the following membership to the IAM policy binding using the respective kubernetes SA (KSA).
  gcloud iam service-accounts add-iam-policy-binding apigee-cassandra@my-project.iam.gserviceaccount.com \
        --role roles/iam.workloadIdentityUser \
        --member "serviceAccount:my-project.svc.id.goog[apigee/apigee-cassandra-default]" \
        --project my-project

  kubectl annotate serviceaccount apigee-cassandra-default \
        iam.gke.io/gcp-service-account=apigee-cassandra@my-project.iam.gserviceaccount.com \
        --namespace apigee

Non-prod

NOTES:
For Cassandra backup GKE Workload Identity, please make sure to add the following membership to the IAM policy binding using the respective kubernetes SA (KSA).
  gcloud iam service-accounts add-iam-policy-binding apigee-non-prod@my-project.iam.gserviceaccount.com \
        --role roles/iam.workloadIdentityUser \
        --member "serviceAccount:my-project.svc.id.goog[apigee/apigee-cassandra-default]" \
        --project my-project

  kubectl annotate serviceaccount apigee-cassandra-default \
        iam.gke.io/gcp-service-account=apigee-non-prod@my-project.iam.gserviceaccount.com \
        --namespace apigee

Optional: If you do not want to set up Cassandra backup at this time, edit your overrides file to remove or comment out the cassandra.backup stanza before running the helm upgrade command without the --dry-run flag. See Cassandra backup and restore for more information about configuring Cassandra backup.

Install the chart:

helm upgrade datastore apigee-datastore/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml

Verify apigeedatastore is up and running by checking its state before proceeding to the next step:

kubectl -n APIGEE_NAMESPACE get apigeedatastore default

NAME      STATE       AGE
default   running    51s

Install Apigee telemetry:

Dry run:

helm upgrade telemetry apigee-telemetry/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server

Set up the service account bindings for Loggeer and Metrics for Workload Identity Federation for GKE:

Logger KSA: apigee-logger-apigee-telemetry

gcloud iam service-accounts add-iam-policy-binding LOGGER_SERVICE_ACCOUNT_EMAIL \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-logger-apigee-telemetry]" \
  --project PROJECT_ID

Metrics KSA: apigee-metrics-sa

Production

gcloud iam service-accounts add-iam-policy-binding METRICS_SERVICE_ACCOUNT_EMAIL \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-metrics-sa]" \
  --project PROJECT_ID

Non-prod

gcloud iam service-accounts add-iam-policy-binding NON_PROD_SERVICE_ACCOUNT_EMAIL \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-metrics-sa]" \
  --project PROJECT_ID

For example:

Production

NOTES:
For GKE Workload Identity, please make sure to add the following membership to the IAM policy binding using the respective kubernetes SA (KSA).
  Logger KSA: apigee-logger-apigee-telemetry
  gcloud iam service-accounts add-iam-policy-binding apigee-logger@my-project.iam.gserviceaccount.com \
        --role roles/iam.workloadIdentityUser \
        --member "serviceAccount:my-project.svc.id.goog[apigee/apigee-logger-apigee-telemetry]" \
        --project my-project

  Metrics KSA: apigee-metrics-sa
  gcloud iam service-accounts add-iam-policy-binding apigee-metrics@my-project.iam.gserviceaccount.com \
        --role roles/iam.workloadIdentityUser \
        --member "serviceAccount:my-project.svc.id.goog[apigee/apigee-metrics-sa]" \
        --project my-project

Non-prod

NOTES:
For GKE Workload Identity, please make sure to add the following membership to the IAM policy binding using the respective kubernetes SA (KSA).
  Logger KSA: apigee-logger-apigee-telemetry
  gcloud iam service-accounts add-iam-policy-binding apigee-non-prod@my-project.iam.gserviceaccount.com \
        --role roles/iam.workloadIdentityUser \
        --member "serviceAccount:my-project.svc.id.goog[apigee/apigee-logger-apigee-telemetry]" \
        --project my-project

  Metrics KSA: apigee-metrics-sa
  gcloud iam service-accounts add-iam-policy-binding apigee-non-prod@my-project.iam.gserviceaccount.com \
        --role roles/iam.workloadIdentityUser \
        --member "serviceAccount:my-project.svc.id.goog[apigee/apigee-metrics-sa]" \
        --project my-project

Install the chart:

helm upgrade telemetry apigee-telemetry/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml

Verify it is up and running by checking its state:

kubectl -n APIGEE_NAMESPACE get apigeetelemetry apigee-telemetry

NAME               STATE     AGE
apigee-telemetry   running   55s

Install Apigee Redis:

Dry run:

helm upgrade redis apigee-redis/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server

Install the chart:

helm upgrade redis apigee-redis/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml

Verify it is up and running by checking its state:

kubectl -n APIGEE_NAMESPACE get apigeeredis default

NAME      STATE     AGE
default   running   79s

Install Apigee ingress manager:

Dry run:

helm upgrade ingress-manager apigee-ingress-manager/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server

Install the chart:

helm upgrade ingress-manager apigee-ingress-manager/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml

Verify it is up and running by checking its availability:

kubectl -n APIGEE_NAMESPACE get deployment apigee-ingressgateway-manager

NAME                            READY   UP-TO-DATE   AVAILABLE   AGE
apigee-ingressgateway-manager   2/2     2            2           16s

Install Apigee organization. If you have set the $ORG_NAME environment variable in your shell, you can use that in the following commands:

Dry run:

helm upgrade $ORG_NAME apigee-org/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server

Set up the service account bindings for org-scoped components for Workload Identity Federation for GKE, MART, Apigee Connect, UDCA, and Watcher.

The output from the helm upgrade command should have contained commands in the NOTES section. Follow those commands to set up the service account bindings. There should be four commands.

Note: The KSA names include a unique hash id for your organization, for example, apigee-mart-my-project-123abcd-sa.

MART KSA: apigee-mart-PROJECT_ID-ORG_HASH_ID-sa

Production

gcloud iam service-accounts add-iam-policy-binding MART_SERVICE_ACCOUNT_EMAIL \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-mart-PROJECT_ID-ORG_HASH_ID-sa]" \
  --project PROJECT_ID

Non-prod

gcloud iam service-accounts add-iam-policy-binding NON_PROD_SERVICE_ACCOUNT_EMAIL \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-mart-PROJECT_ID-ORG_HASH_ID-sa]" \
  --project PROJECT_ID

Connect Agent KSA: apigee-connect-agent-PROJECT_ID-ORG_HASH_ID-sa

Production

gcloud iam service-accounts add-iam-policy-binding MART_SERVICE_ACCOUNT_EMAIL \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-connect-agent-PROJECT_ID-ORG_HASH_ID-sa]" \
  --project PROJECT_ID

Non-prod

gcloud iam service-accounts add-iam-policy-binding NON_PROD_SERVICE_ACCOUNT_EMAIL \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-connect-agent-PROJECT_ID-ORG_HASH_ID-sa]" \
  --project PROJECT_ID

Mint Task Scheduler KSA: (If you are using Monetization for Apigee hybrid) apigee-mint-task-scheduler-PROJECT_ID-ORG_HASH_ID-sa

Production

gcloud iam service-accounts add-iam-policy-binding MINT_TASK_SCHEDULER_SERVICE_ACCOUNT_EMAIL \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-mint-task-scheduler-PROJECT_ID-ORG_HASH_ID-sa]" \
  --project PROJECT_ID

Non-prod

gcloud iam service-accounts add-iam-policy-binding NON_PROD_SERVICE_ACCOUNT_EMAIL \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-mint-task-scheduler-PROJECT_ID-ORG_HASH_ID-sa]" \
  --project PROJECT_ID

UDCA KSA: apigee-udca-PROJECT_ID-ORG_HASH_ID-sa

Production

gcloud iam service-accounts add-iam-policy-binding UDCA_SERVICE_ACCOUNT_EMAIL \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-udca-PROJECT_ID-ORG_HASH_ID-sa]" \
  --project PROJECT_ID

Non-prod

gcloud iam service-accounts add-iam-policy-binding NON_PROD_SERVICE_ACCOUNT_EMAIL \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-udca-PROJECT_ID-ORG_HASH_ID-sa]" \
  --project PROJECT_ID

Watcher KSA: apigee-watcher-PROJECT_ID-ORG_HASH_ID-sa

Production

gcloud iam service-accounts add-iam-policy-binding WATCHER_SERVICE_ACCOUNT_EMAIL \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-watcher-PROJECT_ID-ORG_HASH_ID-sa]" \
  --project PROJECT_ID

Non-prod

gcloud iam service-accounts add-iam-policy-binding NON_PROD_SERVICE_ACCOUNT_EMAIL \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-watcher-PROJECT_ID-ORG_HASH_ID-sa]" \
  --project PROJECT_ID

For example:

Production

NOTES:
For Apigee Organization GKE Workload Identity, my-project, please make sure to add the following membership to the IAM policy binding using the respective kubernetes SA (KSA).


  MART KSA: apigee-mart-my-project-1a2b3c4-sa
  gcloud iam service-accounts add-iam-policy-binding apigee-mart@my-project.iam.gserviceaccount.com \
        --role roles/iam.workloadIdentityUser \
        --member "serviceAccount:my-project.svc.id.goog[apigee/apigee-mart-my-project-1a2b3c4-sa]" \
        --project my-project


  Connect Agent KSA: apigee-connect-agent-my-project-1a2b3c4-sa
  gcloud iam service-accounts add-iam-policy-binding apigee-mart@my-project.iam.gserviceaccount.com \
        --role roles/iam.workloadIdentityUser \
        --member "serviceAccount:my-project.svc.id.goog[apigee/apigee-connect-agent-my-project-1a2b3c4-sa]" \
        --project my-project


  Mint task scheduler KSA: apigee-mint-task-scheduler-my-project-1a2b3c4-sa
  gcloud iam service-accounts add-iam-policy-binding apigee-mint-task-scheduler@my-project.iam.gserviceaccount.com \
        --role roles/iam.workloadIdentityUser \
        --member "serviceAccount:my-project.svc.id.goog[apigee/apigee-mint-task-scheduler-my-project-1a2b3c4-sa]" \
        --project my-project


  UDCA KSA: apigee-udca-my-project-1a2b3c4-sa
  gcloud iam service-accounts add-iam-policy-binding apigee-udca@my-project.iam.gserviceaccount.com \
        --role roles/iam.workloadIdentityUser \
        --member "serviceAccount:my-project.svc.id.goog[apigee/apigee-udca-my-project-1a2b3c4-sa]" \
        --project my-project


  Watcher KSA: apigee-watcher-my-project-1a2b3c4-sa
  gcloud iam service-accounts add-iam-policy-binding apigee-watcher@my-project.iam.gserviceaccount.com \
        --role roles/iam.workloadIdentityUser \
        --member "serviceAccount:my-project.svc.id.goog[apigee/apigee-watcher-my-project-1a2b3c4-sa]" \
        --project my-project

Non-prod

NOTES:
For Apigee Organization GKE Workload Identity, my-project, please make sure to add the following membership to the IAM policy binding using the respective kubernetes SA (KSA).

  MART KSA: apigee-mart-my-project-1a2b3c4-sa
  gcloud iam service-accounts add-iam-policy-binding apigee-non-prod@my-project.iam.gserviceaccount.com \
        --role roles/iam.workloadIdentityUser \
        --member "serviceAccount:my-project.svc.id.goog[apigee/apigee-mart-my-project-1a2b3c4-sa]" \
        --project my-project


  Connect Agent KSA: apigee-connect-agent-my-project-1a2b3c4-sa
  gcloud iam service-accounts add-iam-policy-binding apigee-non-prod@my-project.iam.gserviceaccount.com \
        --role roles/iam.workloadIdentityUser \
        --member "serviceAccount:my-project.svc.id.goog[apigee/apigee-connect-agent-my-project-1a2b3c4-sa]" \
        --project my-project


  UDCA KSA: apigee-udca-my-project-1a2b3c4-sa
  gcloud iam service-accounts add-iam-policy-binding apigee-non-prod@my-project.iam.gserviceaccount.com \
        --role roles/iam.workloadIdentityUser \
        --member "serviceAccount:my-project.svc.id.goog[apigee/apigee-udca-my-project-1a2b3c4-sa]" \
        --project my-project


  Watcher KSA: apigee-watcher-my-project-1a2b3c4-sa
  gcloud iam service-accounts add-iam-policy-binding apigee-non-prod@my-project.iam.gserviceaccount.com \
        --role roles/iam.workloadIdentityUser \
        --member "serviceAccount:my-project.svc.id.goog[apigee/apigee-watcher-my-project-1a2b3c4-sa]" \
        --project my-project

Install the chart:

helm upgrade $ORG_NAME apigee-org/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml

Verify it is up and running by checking the state of the respective org:

kubectl -n APIGEE_NAMESPACE get apigeeorg

NAME                      STATE     AGE
my-project-123abcd        running   4m18s

Install the environment.

You must install one environment at a time. Specify the environment with --set env=ENV_NAME. If you have set the $ENV_NAME environment variable in your shell, you can use that in the following commands:

Dry run:
```
helm upgrade ENV_RELEASE_NAME apigee-env/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  --set env=$ENV_NAME \
  -f overrides.yaml \
  --dry-run=server
```

Set up the service account bindings for env-scoped components for Workload Identity Federation for GKE, Runtime, Synchronizer, and UDCA.

The output from the helm upgrade command should have contained commands in the NOTES section. Follow those commands to set up the service account bindings. There should be four commands.

Note: The KSA names include a unique hash id for your environment, for example, apigee-mart-my-project--myenv-abc1234-sa.

Runtime KSA: apigee-runtime-PROJECT_ID-ENV_NAME-ENV_HASH_ID-sa

Production

gcloud iam service-accounts add-iam-policy-binding RUNTIME_SERVICE_ACCOUNT_EMAIL \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-runtime-PROJECT_ID-ENV_NAME-ENV_HASH_ID-sa]" \
  --project PROJECT_ID

Non-prod

gcloud iam service-accounts add-iam-policy-binding NON_PROD_SERVICE_ACCOUNT_EMAIL \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-runtime-PROJECT_ID-ENV_NAME-ENV_HASH_ID-sa]" \
  --project PROJECT_ID

Synchronizer KSA: apigee-synchronizer-PROJECT_ID-ENV_NAME-ENV_HASH_ID-sa

Production

gcloud iam service-accounts add-iam-policy-binding SYNCHRONIZER_SERVICE_ACCOUNT_EMAIL \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-synchronizer-PROJECT_ID-ENV_NAME-ENV_HASH_ID-sa]" \
  --project PROJECT_ID

Non-prod

gcloud iam service-accounts add-iam-policy-binding NON_PROD_SERVICE_ACCOUNT_EMAIL \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-synchronizer-PROJECT_ID-ENV_NAME-ENV_HASH_ID-sa]" \
  --project PROJECT_ID

UDCA KSA: apigee-udca-PROJECT_ID-ORG_HASH_ID-ENV_NAME-ENV_HASH_ID-sa

Production

gcloud iam service-accounts add-iam-policy-binding UDCA_SERVICE_ACCOUNT_EMAIL \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-udca-PROJECT_ID-ENV_NAME-ENV_HASH_ID-sa]" \
  --project PROJECT_ID

Non-prod

gcloud iam service-accounts add-iam-policy-binding NON_PROD_SERVICE_ACCOUNT_EMAIL \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-udca-PROJECT_ID-ENV_NAME-ENV_HASH_ID-sa]" \
  --project PROJECT_ID

For example:

NOTES:
For Apigee Environment GKE Workload Identity, my-env, please make sure to add the following membership to the IAM policy binding using the respective kubernetes SA (KSA).


  Runtime KSA: apigee-runtime-my-project-my-env-b2c3d4e-sa
  gcloud iam service-accounts add-iam-policy-binding apigee-runtime@my-project.iam.gserviceaccount.com \
        --role roles/iam.workloadIdentityUser \
        --member "serviceAccount:my-project.svc.id.goog[apigee/apigee-runtime-my-project-my-env-b2c3d4e-sa]" \
        --project my-project


  Synchronizer KSA: apigee-synchronizer-my-project-my-env-b2c3d4e-sa
  gcloud iam service-accounts add-iam-policy-binding apigee-synchronizer@my-project.iam.gserviceaccount.com \
        --role roles/iam.workloadIdentityUser \
        --member "serviceAccount:my-project.svc.id.goog[apigee/apigee-synchronizer-my-project-my-env-b2c3d4e-sa]" \
        --project my-project


  UDCA KSA: apigee-udca-my-project-my-env-b2c3d4e-sa:
  gcloud iam service-accounts add-iam-policy-binding apigee-udca@my-project.iam.gserviceaccount.com \
        --role roles/iam.workloadIdentityUser \
        --member "serviceAccount:my-project.svc.id.goog[apigee/apigee-udca-my-project-my-env-b2c3d4e-sa]" \
        --project my-project

Install the chart:

helm upgrade ENV_RELEASE_NAME apigee-env/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  --set env=$ENV_NAME \
  -f overrides.yaml

Verify it is up and running by checking the state of the respective env:

kubectl -n APIGEE_NAMESPACE get apigeeenv

NAME                       STATE     AGE   GATEWAYTYPE
apigee-my-project-my-env   running   3m1s

Install the environment groups (virtualhosts).
1. You must install one environment group (virtualhost) at a time. Specify the environment group with --set envgroup=ENV_GROUP. If you have set the $ENV_GROUP environment variable in your shell, you can use that in the following commands. Repeat the following commands for each env group mentioned in your overrides.yaml file:
  Dry run:
```
helm upgrade ENV_GROUP_RELEASE_NAME apigee-virtualhost/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  --set envgroup=$ENV_GROUP \
  -f overrides.yaml \
  --dry-run=server
```
2. Install the chart:
```
helm upgrade ENV_GROUP_RELEASE_NAME apigee-virtualhost/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  --set envgroup=$ENV_GROUP \
  -f overrides.yaml
```
  Note: ENV_GROUP must be unique within the apigee namespace. For example, if you have a prod env and envgroup, you should set this name to prod-envgroup. The later env group name should still be prod.
3. Check the state of the ApigeeRoute (AR).
  Installing the virtualhosts creates ApigeeRouteConfig (ARC) which internally creates ApigeeRoute (AR) once the Apigee watcher pulls env group related details from the control plane. Therefore, check that the corresponding AR's state is running:
```
kubectl -n APIGEE_NAMESPACE get arc
```
```
NAME                                STATE   AGE
apigee-org1-dev-egroup                       2m
```
```
kubectl -n APIGEE_NAMESPACE get ar
```
```
NAME                                                        STATE     AGE
apigee-ingressgateway-internal-chaining-my-project-123abcd   running   19m
my-project-myenvgroup-000-321dcba                            running   2m30s
```
(Optional) You can see the status of your Kubernetes service accounts in the Kubernetes: Workloads Overview page in the Google Cloud console.
Go to Workloads

Note: You may see an error status for the apigee-cassandra-backup service account. This is because you are not currently running backup or restore, and these processes have not been fully configured yet. For more information on Cassandra backup and restore, see Cassandra backup overview.

WIF on other platforms

If you have not, navigate into your APIGEE_HELM_CHARTS_HOME directory. Run the following commands from that directory.

Install Apigee Operator/Controller:

Note: This step requires elevated cluster permissions. Run helm -h or helm install -h for details

Dry run:

helm upgrade operator apigee-operator/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server

Install the chart:

helm upgrade operator apigee-operator/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml

Verify Apigee Operator installation:

helm ls -n APIGEE_NAMESPACE

NAME       NAMESPACE       REVISION   UPDATED                                STATUS     CHART                                       APP VERSION
operator   apigee   3          2025-06-26 00:42:44.492009 -0800 PST   deployed   apigee-operator-1.15.1   1.15.1

Verify it is up and running by checking its availability:

kubectl -n APIGEE_NAMESPACE get deploy apigee-controller-manager

NAME                        READY   UP-TO-DATE   AVAILABLE   AGE
apigee-controller-manager   1/1     1            1           34s

Install Apigee datastore:

Dry run:

helm upgrade datastore apigee-datastore/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server

Install the chart:

helm upgrade datastore apigee-datastore/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml

If you have enabled Cassandra backup or Cassandra restore, grant the Cassandra Kubernetes service accounts access to impersonate the associated apigee-cassandraIAM service account.

List the email addresses of the IAM service account for Cassandra:

Production

gcloud iam service-accounts list --project PROJECT_ID | grep "apigee-cassandra"

Non-prod

gcloud iam service-accounts list --project PROJECT_ID | grep "apigee-non-prod"

The output should look similar to the following:

Production

apigee-cassandra      apigee-cassandra@my-project.iam.gserviceaccount.com      False

Non-prod

apigee-non-prod       apigee-non-prod@my-project.iam.gserviceaccount.com      False

List the Cassandra Kubernetes service accounts:

kubectl get serviceaccount -n APIGEE_NAMESPACE | grep "apigee-cassandra"

The output should look similar to the following:

apigee-cassandra-backup-sa                       0   7m37s
apigee-cassandra-default                         0   7m12s
apigee-cassandra-guardrails-sa                   0   6m43s
apigee-cassandra-restore-sa                      0   7m37s
apigee-cassandra-schema-setup-my-project-1a2b2c4 0   7m30s
apigee-cassandra-schema-val-my-project-1a2b2c4   0   7m29s
apigee-cassandra-user-setup-my-project-1a2b2c4   0   7m22s

If you have created the apigee-cassandra-backup-sa or apigee-cassandra-restore-sa Kubernetes service accounts, grant each of them access to impersonate the apigee-cassandra IAM service account with the following command:
Production
Template

gcloud iam service-accounts add-iam-policy-binding \ CASSANDRA_IAM_SA_EMAIL \ --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \ --role=roles/iam.workloadIdentityUser
Example

gcloud iam service-accounts add-iam-policy-binding \ apigee-cassandra@my-project.iam.gserviceaccount.com \ --member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-cassandra-backup-sa" \ --role=roles/iam.workloadIdentityUser
Non-prod
Template

gcloud iam service-accounts add-iam-policy-binding \ NON_PROD_IAM_SA_EMAIL \ --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \ --role=roles/iam.workloadIdentityUser
Example

gcloud iam service-accounts add-iam-policy-binding \ apigee-non-prod@my-project.iam.gserviceaccount.com \ --member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-cassandra-backup-sa" \ --role=roles/iam.workloadIdentityUser
Where:
- CASSANDRA_IAM_SA_EMAIL: the email address of the Cassandra IAM service account.
- PROJECT_NUMBER: the project number of the project where you created the workload identity pool.
  Note: You must use the project number in the member identifier. Using the project ID is not supported. You can find the project number with the following command:
```
gcloud projects describe PROJECT_ID --format="value(projectNumber)"
```
- POOL_ID: the workload identity pool ID.
- MAPPED_SUBJECT: the Kubernetes ServiceAccount from the claim in your ID token. In most hybrid installations, this will have the format: system:serviceaccount:APIGEE_NAMESPACE:K8S_SA_NAME.
  - For apigee-cassandra-backup-sa, this will be something similar to system:serviceaccount:apigee:apigee-cassandra-backup-sa.
  - For apigee-cassandra-restore-sa, this will be something similar to system:serviceaccount:apigee:apigee-cassandra-restore-sa.
  Tip: In the step Add the cluster as a workload identity pool provider in Step 5: Set up service account authentication, you mapped google.subject=assertions.sub. Therefore the value of MAPPED_SUBJECT will be the value in the ID token following "sub": . You can find the mapped subject for a Kubernetes service account by searching the ID token for sub followed by the name of the service account.
  For example: pipe the contents of the ID token through grep -E 'sub.*apigee-cassandra-backup-sa'

Verify apigeedatastore is up and running by checking its state before proceeding to the next step:

kubectl -n APIGEE_NAMESPACE get apigeedatastore default

NAME      STATE       AGE
default   running    51s

Install Apigee telemetry:

Dry run:

helm upgrade telemetry apigee-telemetry/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server

Install the chart:

helm upgrade telemetry apigee-telemetry/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml

Verify it is up and running by checking its state:

kubectl -n APIGEE_NAMESPACE get apigeetelemetry apigee-telemetry

NAME               STATE     AGE
apigee-telemetry   running   55s

Grant the telemetry Kubernetes service accounts access to impersonate the associated apigee-metricsIAM service account.

List the email address of the IAM service account for metrics:

Production

gcloud iam service-accounts list --project PROJECT_ID | grep "apigee-metrics"

The output should look similar to the following:

apigee-metrics   apigee-metrics@my-project.iam.gserviceaccount.com   False

Non-prod

gcloud iam service-accounts list --project PROJECT_ID | grep "apigee-non-prod"

The output should look similar to the following:

apigee-non-prod   apigee-non-prod@my-project.iam.gserviceaccount.com   False

List the telemetry Kubernetes service accounts:

kubectl get serviceaccount -n APIGEE_NAMESPACE | grep "telemetry"

The output should look similar to the following:

apigee-metrics-apigee-telemetry                    0   42m
apigee-open-telemetry-collector-apigee-telemetry   0   37m

Grant each of the telemetry Kubernetes service accounts access to impersonate the apigee-metrics IAM service account with the following command:

Production

Apigee Metrics KSA: apigee-metrics-apigee-telemetry to apigee-metrics Google IAM service account

Code

gcloud iam service-accounts add-iam-policy-binding \
  METRICS_IAM_SA_EMAIL \
    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
    --role=roles/iam.workloadIdentityUser

Example

gcloud iam service-accounts add-iam-policy-binding \
  apigee-metrics@my-project.iam.gserviceaccount.com \
    --member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-metrics-apigee-telemetry" \
    --role=roles/iam.workloadIdentityUser

Apigee OpenTelemetry Collector KSA: apigee-open-telemetry-collector-apigee-telemetry to apigee-metrics Google IAM service account

Code

gcloud iam service-accounts add-iam-policy-binding \
  METRICS_IAM_SA_EMAIL \
    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
    --role=roles/iam.workloadIdentityUser

Example

gcloud iam service-accounts add-iam-policy-binding \
  apigee-metrics@my-project.iam.gserviceaccount.com \
    --member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-open-telemetry-collector-apigee-telemetry" \
    --role=roles/iam.workloadIdentityUser

Non-prod

Apigee Metrics KSA: apigee-metrics-apigee-telemetry to apigee-non-prod Google IAM service account

Code

gcloud iam service-accounts add-iam-policy-binding \
  NON_PROD_IAM_SA_EMAIL \
    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
    --role=roles/iam.workloadIdentityUser

Example

gcloud iam service-accounts add-iam-policy-binding \
  apigee-non-prod@my-project.iam.gserviceaccount.com \
    --member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-metrics-apigee-telemetry" \
    --role=roles/iam.workloadIdentityUser

Apigee OpenTelemetry Collector KSA: apigee-open-telemetry-collector-apigee-telemetry to apigee-non-prod Google IAM service account

Code

gcloud iam service-accounts add-iam-policy-binding \
  NON_PROD_IAM_SA_EMAIL \
    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
    --role=roles/iam.workloadIdentityUser

Example

gcloud iam service-accounts add-iam-policy-binding \
  apigee-non-prod@my-project.iam.gserviceaccount.com \
    --member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-open-telemetry-collector-apigee-telemetry" \
    --role=roles/iam.workloadIdentityUser

Install Apigee Redis:

Dry run:

helm upgrade redis apigee-redis/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server

Install the chart:

helm upgrade redis apigee-redis/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml

Verify it is up and running by checking its state:

kubectl -n APIGEE_NAMESPACE get apigeeredis default

NAME      STATE     AGE
default   running   79s

Install Apigee ingress manager:

Dry run:

helm upgrade ingress-manager apigee-ingress-manager/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server

Install the chart:

helm upgrade ingress-manager apigee-ingress-manager/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml

Verify it is up and running by checking its availability:

kubectl -n APIGEE_NAMESPACE get deployment apigee-ingressgateway-manager

NAME                            READY   UP-TO-DATE   AVAILABLE   AGE
apigee-ingressgateway-manager   2/2     2            2           16s

Install Apigee organization. If you have set the $ORG_NAME environment variable in your shell, you can use that in the following commands:

Dry run:

helm upgrade $ORG_NAME apigee-org/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server

Install the chart:

helm upgrade $ORG_NAME apigee-org/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml

Verify it is up and running by checking the state of the respective org:

kubectl -n APIGEE_NAMESPACE get apigeeorg

NAME                      STATE     AGE
my-project-123abcd        running   4m18s

Grant the org-scoped Kubernetes service accounts access to impersonate the associated IAM service accounts.

List the email addresses of the IAM service accounts used by the apigee-mart, apigee-udca, and apigee-watcher components:

Production

gcloud iam service-accounts list --project PROJECT_ID | grep "apigee-mart\|apigee-udca\|apigee-watcher"

The output should look similar to the following:

apigee-mart      apigee-mart@my-project.iam.gserviceaccount.com      False
apigee-udca      apigee-udca@my-project.iam.gserviceaccount.com      False
apigee-watcher   apigee-watcher@my-project.iam.gserviceaccount.com   False

If you are using Monetization for Apigee hybrid, also get the email address of the apigee-mint-task-scheduler service account.

gcloud iam service-accounts list --project PROJECT_ID | grep "apigee-mint-task-scheduler"

The output should look similar to the following:

apigee-mint-task-scheduler   apigee-mint-task-scheduler@my-project.iam.gserviceaccount.com   False

Non-prod

gcloud iam service-accounts list --project PROJECT_ID | grep "apigee-non-prod"

The output should look similar to the following:

apigee-non-prod     apigee-non-prod@my-project.iam.gserviceaccount.com         False

List the org-scoped Kubernetes service accounts:

kubectl get serviceaccount -n APIGEE_NAMESPACE | grep "apigee-connect-agent\|apigee-mart\|apigee-udca\|apigee-watcher"

The output should look similar to the following:

apigee-connect-agent-my-project-123abcd         0   1h4m
apigee-mart-my-project-123abcd                  0   1h4m
apigee-mint-task-scheduler-my-project-123abcd   0   1h3m
apigee-udca-my-project-123abcd                  0   1h2m
apigee-watcher-my-project-123abcd               0   1h1m

Use the following commands to grant the org-scoped Kubernetes service accounts access to impersonate the associated IAM service accounts as follows:

Production

Connect agent KSA: apigee-connect-agent-ORG_NAME-ORG_HASH_ID Kubernetes service account to apigee-mart IAM service account.

Code

gcloud iam service-accounts add-iam-policy-binding \
  APIGEE_MART_SA_EMAIL \
    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
    --role=roles/iam.workloadIdentityUser

Example

gcloud iam service-accounts add-iam-policy-binding \
  apigee-mart@my-project.iam.gserviceaccount.com \
    --member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-connect-agent-my-org-123abcd" \
    --role=roles/iam.workloadIdentityUser

MART KSA: apigee-mart-ORG_NAME-ORG_HASH_ID Kubernetes service account to apigee-mart IAM service account. MART and Connect agent use the same IAM service account.

Code

gcloud iam service-accounts add-iam-policy-binding \
  APIGEE_MART_SA_EMAIL \
    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
    --role=roles/iam.workloadIdentityUser

Example

gcloud iam service-accounts add-iam-policy-binding \
  apigee-mart@my-project.iam.gserviceaccount.com \
    --member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-mart-my-org-123abcd" \
    --role=roles/iam.workloadIdentityUser

Mint task scheduler KSA: (if using Monetization for Apigee hybrid)

apigee-mint-task-scheduler-ORG_NAME-ORG_HASH_ID Kubernetes service account to apigee-mint-task-scheduler IAM service account.

Code

gcloud iam service-accounts add-iam-policy-binding \
  APIGEE_MINT_TASK_SCHEDULER_SA_EMAIL \
    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
    --role=roles/iam.workloadIdentityUser

Example

gcloud iam service-accounts add-iam-policy-binding \
  apigee-mint-task-scheduler@my-project.iam.gserviceaccount.com \
    --member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-mint-task-scheduler-my-org-123abcd" \
    --role=roles/iam.workloadIdentityUser

Org-scoped UDCA KSA: apigee-udca-ORG_NAME-ORG_HASH_ID Kubernetes service account to apigee-udca IAM service account.

Code

gcloud iam service-accounts add-iam-policy-binding \
  APIGEE_UDCA_SA_EMAIL \
    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
    --role=roles/iam.workloadIdentityUser

Example

gcloud iam service-accounts add-iam-policy-binding \
  apigee-udca-task-scheduler@my-project.iam.gserviceaccount.com \
    --member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-udca-my-org-123abcd" \
    --role=roles/iam.workloadIdentityUser

Watcher KSA: apigee-watcher-ORG_NAME-ORG_HASH_ID Kubernetes service account to apigee-watcher IAM service account.

Code

gcloud iam service-accounts add-iam-policy-binding \
  APIGEE_WATCHER_SA_EMAIL \
    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
    --role=roles/iam.workloadIdentityUser

Example

gcloud iam service-accounts add-iam-policy-binding \
  apigee-watcher@my-project.iam.gserviceaccount.com \
    --member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-watcher-my-org-123abcd" \
    --role=roles/iam.workloadIdentityUser

Non-prod

Connect agent KSA: apigee-connect-agent-ORG_NAME-ORG_HASH_ID Kubernetes service account to apigee-non-prod IAM service account.

Code

gcloud iam service-accounts add-iam-policy-binding \
  NON_PROD_IAM_SA_EMAIL \
    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
    --role=roles/iam.workloadIdentityUser

Example

gcloud iam service-accounts add-iam-policy-binding \
  apigee-non-prod@my-project.iam.gserviceaccount.com \
    --member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-connect-agent-my-org-123abcd" \
    --role=roles/iam.workloadIdentityUser

MART KSA: apigee-mart-ORG_NAME-ORG_HASH_ID Kubernetes service account to apigee-non-prod IAM service account.

Code

gcloud iam service-accounts add-iam-policy-binding \
  NON_PROD_IAM_SA_EMAIL \
    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
    --role=roles/iam.workloadIdentityUser

Example

gcloud iam service-accounts add-iam-policy-binding \
  apigee-non-prod@my-project.iam.gserviceaccount.com \
    --member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-mart-my-org-123abcd" \
    --role=roles/iam.workloadIdentityUser

Mint task scheduler KSA: (if using Monetization for Apigee hybrid)

apigee-mint-task-scheduler-ORG_NAME-UUIORG_HASH_IDD Kubernetes service account to apigee-non-prod IAM service account.

Code

gcloud iam service-accounts add-iam-policy-binding \
  NON_PROD_IAM_SA_EMAIL \
    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
    --role=roles/iam.workloadIdentityUser

Example

gcloud iam service-accounts add-iam-policy-binding \
  apigee-non-prod@my-project.iam.gserviceaccount.com \
    --member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-mint-task-scheduler-my-org-123abcd" \
    --role=roles/iam.workloadIdentityUser

Org-scoped UDCA KSA: apigee-udca-ORG_NAME-ORG_HASH_ID Kubernetes service account to apigee-non-prod IAM service account.

Code

gcloud iam service-accounts add-iam-policy-binding \
  NON_PROD_IAM_SA_EMAIL \
    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
    --role=roles/iam.workloadIdentityUser

Example

gcloud iam service-accounts add-iam-policy-binding \
  apigee-non-prod@my-project.iam.gserviceaccount.com \
    --member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-udca-my-org-123abcd" \
    --role=roles/iam.workloadIdentityUser

Watcher KSA: apigee-watcher-ORG_NAME-ORG_HASH_ID Kubernetes service account to apigee-non-prod IAM service account.

Code

gcloud iam service-accounts add-iam-policy-binding \
  NON_PROD_IAM_SA_EMAIL \
    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
    --role=roles/iam.workloadIdentityUser

Example

gcloud iam service-accounts add-iam-policy-binding \
  apigee-non-prod@my-project.iam.gserviceaccount.com \
    --member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-watcher-my-org-123abcd" \
    --role=roles/iam.workloadIdentityUser

Install the environment.

Dry run:
```
helm upgrade ENV_RELEASE_NAME apigee-env/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  --set env=$ENV_NAME \
  -f overrides.yaml \
  --dry-run=server
```

Install the chart:

helm upgrade ENV_RELEASE_NAME apigee-env/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  --set env=$ENV_NAME \
  -f overrides.yaml

Verify it is up and running by checking the state of the respective env:

kubectl -n APIGEE_NAMESPACE get apigeeenv

NAME                       STATE     AGE   GATEWAYTYPE
apigee-my-project-my-env   running   3m1s

Grant the environment-scoped Kubernetes service accounts access to impersonate the associated IAM service accounts.

List the email address of the IAM service accounts used by the apigee-runtime, apigee-synchronizer, and apigee-udca components:

Production

gcloud iam service-accounts list --project PROJECT_ID | grep "apigee-runtime\|apigee-synchronizer\|apigee-udca"

Non-prod

gcloud iam service-accounts list --project PROJECT_ID | grep "apigee-non-prod"

gcloud iam service-accounts list --project PROJECT_ID | grep "apigee-mart\|apigee-udca\|apigee-watcher"

The output should look similar to the following:

Production

apigee-runtime         apigee-runtime@my-project.iam.gserviceaccount.com         False
apigee-synchronizer    apigee-synchronizer@my-project.iam.gserviceaccount.com      False
apigee-udca            apigee-udca@my-project.iam.gserviceaccount.com         False

Non-prod

apigee-non-prod     apigee-non-prod@my-project.iam.gserviceaccount.com         False

List the environment-scoped Kubernetes service accounts:

kubectl get serviceaccount -n APIGEE_NAMESPACE | grep "apigee-runtime\|apigee-synchronizer\|apigee-udca"

The output should look similar to the following:

apigee-runtime-my-project--my-env-cdef123          0   19m
apigee-synchronizer-my-project-my-env-cdef123      0   17m
apigee-udca-my-project-123abcd                     0   1h29m
apigee-udca-my-project-my-env-cdef123              0   22m

Note: You may see both org-scoped and environment-scoped apigee-udca Kubernetes service accounts. In this step, grant access to the environment-scoped apigee-udca service account.

Use the following command to grant the environment-scoped Kubernetes service accounts access to impersonate the associated IAM service accounts as follows:

Production

Runtime KSA: apigee-runtime-PROJECT_ID-ENV_NAME-ENV_HASH_ID-sa KSA to apigee-runtime Google IAM SA

Code

gcloud iam service-accounts add-iam-policy-binding \
  RUNTIME_IAM_SA_EMAIL \
    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
    --role=roles/iam.workloadIdentityUser

Example

gcloud iam service-accounts add-iam-policy-binding \
  apigee-runtime@my-project.iam.gserviceaccount.com \
    --member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-runtime-my-project-my-env-cdef123" \
    --role=roles/iam.workloadIdentityUser

Synchronizer KSA: apigee-synchronizer-PROJECT_ID-ENV_NAME-ENV_HASH_ID-sa KSA to apigee-synchronizer Google IAM SA

Code

gcloud iam service-accounts add-iam-policy-binding \
  SYNCHRONIZER_IAM_SA_EMAIL \
    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
    --role=roles/iam.workloadIdentityUser

Example

gcloud iam service-accounts add-iam-policy-binding \
  apigee-synchronizer@my-project.iam.gserviceaccount.com \
    --member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-synchronizer-my-project-my-env-cdef123" \
    --role=roles/iam.workloadIdentityUser

UDCA KSA: apigee-udca-PROJECT_ID-ENV_NAME-ENV_HASH_ID-sa KSA to apigee-udca Google IAM SA

Code

gcloud iam service-accounts add-iam-policy-binding \
  UDCA_IAM_SA_EMAIL \
    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
    --role=roles/iam.workloadIdentityUser

Example

gcloud iam service-accounts add-iam-policy-binding \
  apigee-udca@my-project.iam.gserviceaccount.com \
    --member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-udca-my-project-my-env-cdef123" \
    --role=roles/iam.workloadIdentityUser

Non-prod

Runtime KSA: apigee-runtime-PROJECT_ID-ENV_NAME-ENV_HASH_ID-sa KSA to apigee-non-prod Google IAM SA

Code

gcloud iam service-accounts add-iam-policy-binding \
  NON_PROD_IAM_SA_EMAIL \
    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
    --role=roles/iam.workloadIdentityUser

Example

gcloud iam service-accounts add-iam-policy-binding \
  apigee-non-prod@my-project.iam.gserviceaccount.com \
    --member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-runtime-my-project-my-env-cdef123" \
    --role=roles/iam.workloadIdentityUser

Non-prod

Synchronizer KSA: apigee-synchronizer-PROJECT_ID-ENV_NAME-ENV_HASH_ID-sa KSA to apigee-non-prod Google IAM SA

Code

gcloud iam service-accounts add-iam-policy-binding \
  NON_PROD_IAM_SA_EMAIL \
    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
    --role=roles/iam.workloadIdentityUser

Example

gcloud iam service-accounts add-iam-policy-binding \
  apigee-non-prod@my-project.iam.gserviceaccount.com \
    --member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-synchronizer-my-project-my-env-cdef123" \
    --role=roles/iam.workloadIdentityUser

Non-prod

UDCA KSA: apigee-udca-PROJECT_ID-ENV_NAME-ENV_HASH_ID-sa KSA to apigee-non-prod Google IAM SA

Code

gcloud iam service-accounts add-iam-policy-binding \
  NON_PROD_IAM_SA_EMAIL \
    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
    --role=roles/iam.workloadIdentityUser

Example

gcloud iam service-accounts add-iam-policy-binding \
  apigee-non-prod@my-project.iam.gserviceaccount.com \
    --member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-udca-my-project-my-env-cdef123" \
    --role=roles/iam.workloadIdentityUser

Install the environment groups (virtualhosts).
1. You must install one environment group (virtualhost) at a time. Specify the environment group with --set envgroup=ENV_GROUP. If you have set the $ENV_GROUP environment variable in your shell, you can use that in the following commands. Repeat the following commands for each env group mentioned in your overrides.yaml file:
  Dry run:
```
helm upgrade ENV_GROUP_RELEASE_NAME apigee-virtualhost/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  --set envgroup=$ENV_GROUP \
  -f overrides.yaml \
  --dry-run=server
```
2. Install the chart:
```
helm upgrade ENV_GROUP_RELEASE_NAME apigee-virtualhost/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  --set envgroup=$ENV_GROUP \
  -f overrides.yaml
```
  Note: ENV_GROUP must be unique within the apigee namespace. For example, if you have a prod env and envgroup, you should set this name to prod-envgroup. The later env group name should still be prod.
3. Check the state of the ApigeeRoute (AR).
  Installing the virtualhosts creates ApigeeRouteConfig (ARC) which internally creates ApigeeRoute (AR) once the Apigee watcher pulls env group related details from the control plane. Therefore, check that the corresponding AR's state is running:
```
kubectl -n APIGEE_NAMESPACE get arc
```
```
NAME                                STATE   AGE
apigee-org1-dev-egroup                       2m
```
```
kubectl -n APIGEE_NAMESPACE get ar
```
```
NAME                                                        STATE     AGE
apigee-ingressgateway-internal-chaining-my-project-123abcd   running   19m
my-project-myenvgroup-000-321dcba                            running   2m30s
```

Next step

In the next step, you will configure the Apigee ingress gateway and deploy a proxy to test your installation.

(NEXT) Step 1: Expose Apigee ingress 2

Step 11: Install Apigee hybrid Using Helm Stay organized with collections Save and categorize content based on your preferences.

Install the Apigee hybrid runtime components

Pre-installation Notes

Installation steps

Kubernetes Secrets

JSON files

Vault

WIF for GKE

Production

Non-prod

Production

Non-prod

Production

Non-prod

Production

Non-prod

Production

Non-prod

Production

Non-prod

Production

Non-prod

Production

Non-prod

Production

Non-prod

Production

Non-prod

Production

Non-prod

Production

Non-prod

Production

Non-prod

Production

Non-prod

WIF on other platforms

Production

Non-prod

Production

Non-prod

Production

Template

Example

Non-prod

Template

Example

Production

Non-prod

Production

Code

Example

Code

Example

Non-prod

Code

Example

Code

Example

Production

Non-prod

Production

Code

Example

Code

Example

Code

Example

Code

Example

Code

Example

Non-prod

Code

Example

Code

Example

Code

Example

Code

Step 11: Install Apigee hybrid Using Helm