Managing Apigee ingress gateway

Starting with Apigee hybrid version 1.8, Apigee hybrid uses the Apigee ingress gateway to provide the ingress gateway for hybrid.

Configuring Apigee ingress gateway

You can configure your ingress gateways in your overrides.yaml. For example:

Syntax

ingressGateways:
- name: INGRESS_NAME
  replicaCountMin: REPLICAS_MIN
  replicaCountMax: REPLICAS_MAX
  resources:
    requests:
      cpu: CPU_COUNT_REQ
      memory: MEMORY_REQ
    limits:
      cpu: CPU_COUNT_LIMIT
      memory: MEMORY_LIMIT
  svcAnnotations:  # optional.
    SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE
  svcLoadBalancerIP: SVC_LOAD_BALANCER_IP # optional

Example

ingressGateways:
- name: prod1
  replicaCountMin: 2
  replicaCountMax: 100
  resources:
    requests:
      cpu: 1
      memory: 1Gi
    limits:
      cpu: 2
      memory: 2Gi
  svcAnnotations:  # optional. See Known issue 243599452.
    networking.gke.io/load-balancer-type: "Internal"
  svcLoadBalancerIP: 198.252.0.123

INGRESS_NAME is the name of the ingress gateway deployment. This can be any name that meets the following requirements:
- Have a maximum length of 17 characters
- Contain only lowercase alphanumeric characters, '-' or '.'
- Start with an alphanumeric character
- End with an alphanumeric character
See ingressGateways[].name in the Configuration property reference
REPLICAS_MIN and REPLICAS_MAX The minimum and maximum replica counts for Apigee ingress gateway in your installation. See ingressGateways[].replicaCountMin and ingressGateways[].replicaCountMax in the Configuration property reference.
CPU_COUNT_REQ and MEMORY_REQ The CPU and memory request for each replica of Apigee ingress gateway in your installation.
Set these properties if you have previously set them for your Anthos Service Mesh ingress gateway, for example in your overlay.yaml file.

See ingressGateways[].resources.requests.cpu and ingressGateways[].resources.requests.memory in the Configuration property reference.
CPU_COUNT_LIMIT and MEMORY_LIMIT The maximum CPU and memory limits for each replica of Apigee ingress gateway in your installation.
Set these properties if you have previously set them for your Anthos Service Mesh ingress gateway, for example in your overlay.yaml file.

See ingressGateways[].resources.limits.cpu and ingressGateways[].resources.limits.memory in the Configuration property reference.
SVC_ANNOTATIONS_KEY SVC_ANNOTATIONS_VALUE (optional):
Note: The ingressGateways[].svcAnnotations field in overrides.yaml is not working as expected. See Known issue 243599452

This is a key-value pair that provides annotations for your default ingress service. Annotations are used by your cloud platform to help configure your hybrid installation, for example setting the loadbalancer type to either internal or external. For example:
```
ingressGateways:
  svcAnnotations:
    networking.gke.io/load-balancer-type: "Internal"
```
Annotations vary from platform to platform. Refer to your platform documentation for required and suggested annotations.

Note: You do not need to set Annotations here if you are creating your own Kubernetes service for ingress gateway deployment as documented in Expose Apigee ingress gateway.
See ingressGateways[].svcAnnotations in the Configuration property reference.
SVC_LOAD_BALANCER_IP (optional). On platforms that support specifying the load balancer IP address, the load balancer will be created with this IP address. On platforms that do not allow you to specify the load balancer IP address, this property is ignored.
Caution: Make sure not to specify the same IP address as the current istio-ingressgateway. This could cause problems while that service is still on the cluster.

Note: You do not need to set LoadBalancerIP if you are creating your own Kubernetes service for ingress gateway deployment as documented in Expose Apigee ingress gateway.
See ingressGateways[].svcLoadBalancerIP in the Configuration property reference.

Apply the Apigee ingress gateway configuration

Apply changes to the organization scope with apigeectl.

$APIGEECTL_HOME/apigeectl apply -f overrides/overrides.yaml --org

Management tasks

Some common management tasks for the Apigee ingress gateway:

Stop supplying configuration to ASM

After upgrading to Apigee hybrid v1.8 and migrating traffic to Apigee ingress gateway, you can stop supplying routing configuration to Anthos Service Mesh.

Update the Apigee controller to stop updating Anthos Service Mesh CR objects in the API server. In your overrides file, set:
```
ao:
  args:
    disableIstioConfigInAPIServer: true
```

Apply the configuration changes:

$APIGEECTL_HOME/apigeectl init -f OVERRIDES_FILE

See ao in the Configuration properties reference for details.

Check the status of the deployment with the following command, because the previous command restarted the controller:
```
$APIGEECTL_HOME/apigeectl check-ready -f OVERRIDES_FILE
```
Update the virtualhosts. Every virtual host needs to include the app selector label with the value app: apigee-ingressgateway. With this change, Anthos Service Mesh gateway won't be able to read Apigee routing configuration.

Add or replace the selector property in each virtual host as follows:
```
virtualhosts:
- name: ENV_GROUP
  selector:
    app: apigee-ingressgateway # required
  ...
```
Apply the configuration changes:
```
$APIGEECTL_HOME/apigeectl apply -f OVERRIDES_FILE --settings virtualhosts
```
For more information see virtualhosts.selector in the Configuration property reference.

Scaling Apigee ingress gateway:

Update the following properties in your overrides file.

ingressGateways[].replicaCountMax
ingressGateways[].replicaCountMin

See ingressGateways in the Configuration properties reference for details.

Apply the changes with apigeectl apply --org.

Updating resource allocation

Update the following properties in your overrides file.

ingressGateways[].resources.limits.cpu
ingressGateways[].resources.limits.memory
ingressGateways[].resources.requests.cpu
ingressGateways[].resources.requests.memory

See ingressGateways in the Configuration properties reference for details.

Apply the changes with apigeectl apply --org.

Updating the Apigee ingress gateway service

Update the following properties in your overrides file.

ingressGateways[].svcAnnotations
ingressGateways[].svcLoadBalancerIP

See ingressGateways in the Configuration properties reference for details.

Apply the changes with apigeectl apply --org.

Disable the load balancer for the default Apigee ingress gateway service:

If you create a custom Kubernetes service for your ingress gateway deployment, you can disable creation of a load balanceer on the default Kubernetes service. Update the ingressGateways[].svcType property to ClusterIP in your overrides file. For example:

ingressGateways:
  - name: my-ingress-gateway
    replicaCountMin: 2
    replicaCountMax: 10
    svcType: ClusterIP

Apply the changes with apigeectl apply --org.

Configure TLS and mTLS

See Configuring TLS and mTLS on the ingress gateway.

Enabling non-SNI clients

See Enable non-SNI and HTTP clients.

Installing additional Apigee ingress gateways

In the overrides.yaml file you can add multiple ingress gateways. The ingressGateways configuration property is an array. For more information, see ingressGateways in the Configuration properties reference.

For example:

ingressGateways:
- name: fruit
  replicaCountMin: 2
  replicaCountMax: 10

- name: meat
  replicaCountMin: 2
  replicaCountMax: 10

Apply the changes with apigeectl apply --org.

Targeting an Apigee ingress to a virtual host

You can target a labeled Apigee ingress gateway to a specific virtual host in your overrides file. This configuration specifies the ingress gateway where Apigee will apply the virtual host's configuration. In the following example, the virtual host spam-vh is configured to use the ingress gateway labeled meat and the other two virtual hosts use the fruit ingress gateway. The ingress gateways must be properly labeled, as explained in Installing additional Anthos Service Mesh gateways.

Note: You must specify both the selector:app and selector:ingress_name properties to properly apply an ingress gateway to a virtual host.

virtualhosts:
- name: spam-vh
  sslCertPath: cert-spam.crt
  sslKeyPath: cert-spam.key
  selector:
    app: apigee-ingressgateway
    ingress_name: meat
- name: banana-vh
  sslCertPath: cert-banana.crt
  sslKeyPath: cert-banana.key
  selector:
    app: apigee-ingressgateway
    ingress_name: fruit
- name: plum-vh
  sslCertPath: cert-plum.crt
  sslKeyPath: cert-plum.key
  selector:
    app: apigee-ingressgateway
    ingress_name: fruit

FAQ

How does this work with my existing Anthos Service Mesh/Istio installation in another namespace?: As long as Apigee is installed in a dedicated namespace - Apigee ingress gateway can be run alongside an already existing Anthos Service Mesh/Istio installation in the cluster. Apigee ingress gateway doesn't store any configuration in apiserver hence there won't be any conflict.
Who is responsible for upgrading Apigee ingress gateway components?: Upgrade of Apigee ingress gateway components is taken care of by Apigee and happens during regular hybrid upgrades and patch releases.
How do I expose port 80 in Apigee ingress gateway?: Port 80 is not supported by Apigee ingress gateway. If you are migrating from Anthos Service Mesh to Apigee ingress gateway, and followed the instructions in the community post to enable Port 80, it will not work with Apigee Ingress gateway.