Managing Apigee ingress gateway

Starting with Apigee hybrid version 1.8, Apigee hybrid ships its own ingress gateway, the Apigee ingress gateway, and uses it as the ingress for the hybrid runtime.

Configuring Apigee ingress gateway

You can configure your ingress gateways in your overrides.yaml. For example:

Syntax

ingressGateways:
- name: INGRESS_NAME
  replicaCountMin: REPLICAS_MIN
  replicaCountMax: REPLICAS_MAX
  resources:
    requests:
      cpu: CPU_COUNT_REQ
      memory: MEMORY_REQ
    limits:
      cpu: CPU_COUNT_LIMIT
      memory: MEMORY_LIMIT
  svcAnnotations:  # optional. See Known issue 243599452.
    SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE
  svcLoadBalancerIP: SVC_LOAD_BALANCER_IP # optional

Example

ingressGateways:
- name: prod1
  replicaCountMin: 2
  replicaCountMax: 100
  resources:
    requests:
      cpu: 1
      memory: 1Gi
    limits:
      cpu: 2
      memory: 2Gi
  svcAnnotations:  # optional. See Known issue 243599452.
    networking.gke.io/load-balancer-type: "Internal"
  svcLoadBalancerIP: 198.252.0.123

  • INGRESS_NAME is the name of the ingress gateway deployment. This can be any name that meets the following requirements:
    • Have a maximum length of 17 characters
    • Contain only lowercase alphanumeric characters, '-' or '.'
    • Start with an alphanumeric character
    • End with an alphanumeric character

    See ingressGateways[].name in the Configuration property reference

  • REPLICAS_MIN and REPLICAS_MAX The minimum and maximum replica counts for Apigee ingress gateway in your installation. See ingressGateways[].replicaCountMin and ingressGateways[].replicaCountMax in the Configuration property reference.
  • CPU_COUNT_REQ and MEMORY_REQ The CPU and memory request for each replica of Apigee ingress gateway in your installation.

    See ingressGateways[].resources.requests.cpu and ingressGateways[].resources.requests.memory in the Configuration property reference.

  • CPU_COUNT_LIMIT and MEMORY_LIMIT The maximum CPU and memory limits for each replica of Apigee ingress gateway in your installation.

    See ingressGateways[].resources.limits.cpu and ingressGateways[].resources.limits.memory in the Configuration property reference.

  • SVC_ANNOTATIONS_KEY SVC_ANNOTATIONS_VALUE (optional):

    This is a key-value pair that provides annotations for your default ingress service. Annotations are used by your cloud platform to help configure your hybrid installation, for example setting the loadbalancer type to either internal or external. For example:

    ingressGateways:
    - name: INGRESS_NAME
      svcAnnotations:
        networking.gke.io/load-balancer-type: "Internal"

    Annotations vary from platform to platform. Refer to your platform documentation for required and suggested annotations.

    See ingressGateways[].svcAnnotations in the Configuration property reference.
  • SVC_LOAD_BALANCER_IP (optional). On platforms that support specifying the load balancer IP address, the load balancer will be created with this IP address. On platforms that do not allow you to specify the load balancer IP address, this property is ignored. See ingressGateways[].svcLoadBalancerIP in the Configuration property reference.

Apply the Apigee ingress gateway configuration

Apply changes to the organization scope with apigeectl.

$APIGEECTL_HOME/apigeectl apply -f overrides/overrides.yaml --org
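As an added check (this script is not part of the Apigee documentation or of apigeectl), the following POSIX shell script validates the values you are about to put in overrides.yaml against the rules above (name length and character set, replica bounds, a well-formed svcLoadBalancerIP) and, after apigeectl apply, reads the resulting Service back with kubectl to confirm that it is of type LoadBalancer, that an address was assigned, and that the address matches the one you requested. The Service name passed on the command line, the apigee namespace, and the GKE load-balancer-type annotation are assumptions; adjust them to your platform.

```shell
#!/bin/sh
# Added example, not Apigee's code. Pre-apply checks for an ingressGateways
# entry plus a post-apply verification of the Service apigeectl created.
# The checks run offline; the kubectl step only runs when invoked as:
#   ./check-ingress.sh verify SERVICE_NAME [NAMESPACE] [EXPECTED_IP]
# SERVICE_NAME, the "apigee" namespace default and the GKE annotation are assumptions.

# Name rules from the page: 1..17 chars, [a-z0-9.-] only, starts and ends alphanumeric.
validate_ingress_name() {
  name=$1
  [ "${#name}" -ge 1 ] && [ "${#name}" -le 17 ] || return 1
  printf '%s\n' "$name" | grep -Eq '^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$'
}

# replicaCountMin must be a positive integer (a floor of 0 would leave no gateway
# pod to terminate TLS) and must not exceed replicaCountMax.
validate_replicas() {
  min=$1; max=$2
  [ -n "$min" ] && [ -n "$max" ] || return 1
  case "$min$max" in *[!0-9]*) return 1 ;; esac
  [ "$min" -ge 1 ] && [ "$min" -le "$max" ]
}

# svcLoadBalancerIP must be a dotted quad with every octet in 0..255.
validate_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# After "apigeectl apply ... --org": confirm the Service type, that the cloud
# load balancer was given an address, and that the address is the one requested.
# A ClusterIP type here means no load balancer was created (see svcType below).
verify_ingress_service() {
  svc=$1; ns=${2:-apigee}; want_ip=${3:-}
  type=$(kubectl -n "$ns" get svc "$svc" -o jsonpath='{.spec.type}')
  lb_ip=$(kubectl -n "$ns" get svc "$svc" -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
  lb_kind=$(kubectl -n "$ns" get svc "$svc" \
    -o jsonpath='{.metadata.annotations.networking\.gke\.io/load-balancer-type}')
  echo "service=$svc type=$type address=${lb_ip:-<pending>} load-balancer-type=${lb_kind:-<unset, external>}"
  [ "$type" = "LoadBalancer" ] || { echo "no load balancer: service type is $type" >&2; return 1; }
  [ -n "$lb_ip" ] || { echo "load balancer address not assigned yet" >&2; return 1; }
  [ -z "$want_ip" ] || [ "$lb_ip" = "$want_ip" ] || { echo "got $lb_ip, expected $want_ip" >&2; return 1; }
}

case "${1:-}" in
  verify) shift; verify_ingress_service "$@" ;;
  *)
    # Offline self-check using the values from the page's example.
    if validate_ingress_name prod1 && validate_replicas 2 100 && validate_ipv4 198.252.0.123; then
      echo "overrides values pass pre-apply checks"
    else
      echo "overrides values failed pre-apply checks" >&2
    fi ;;
esac
```

Run the script with no arguments before editing overrides.yaml to check your own values, then `./check-ingress.sh verify SERVICE_NAME apigee 198.252.0.123` after the apply has completed; an internal load balancer will report a private address, so compare against what you requested rather than expecting a public one.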

Management tasks

Some common management tasks for the Apigee ingress gateway:

Scaling Apigee ingress gateway:

Update the following properties in your overrides file.

  • ingressGateways[].replicaCountMax
  • ingressGateways[].replicaCountMin

See ingressGateways in the Configuration properties reference for details.

Apply the changes with apigeectl apply --org.

Updating resource allocation

Update the following properties in your overrides file.

  • ingressGateways[].resources.limits.cpu
  • ingressGateways[].resources.limits.memory
  • ingressGateways[].resources.requests.cpu
  • ingressGateways[].resources.requests.memory

See ingressGateways in the Configuration properties reference for details.

Apply the changes with apigeectl apply --org.

Updating the Apigee ingress gateway service

Update the following properties in your overrides file.

  • ingressGateways[].svcAnnotations
  • ingressGateways[].svcLoadBalancerIP

See ingressGateways in the Configuration properties reference for details.

Apply the changes with apigeectl apply --org.

Disable the load balancer for the default Apigee ingress gateway service:

If you create a custom Kubernetes service for your ingress gateway deployment, you can disable creation of a load balancer on the default Kubernetes service. Set the ingressGateways[].svcType property to ClusterIP in your overrides file; the gateway is then reachable only through the service you created. For example (the name is kept within the 17-character limit described above):

ingressGateways:
  - name: my-ingress-gw
    replicaCountMin: 2
    replicaCountMax: 10
    svcType: ClusterIP

Apply the changes with apigeectl apply --org.

Configure TLS and mTLS

See Configuring TLS and mTLS on the ingress gateway.

Enabling non-SNI clients

See Enable non-SNI and HTTP clients.

Installing additional Apigee ingress gateways

In the overrides.yaml file you can add multiple ingress gateways. The ingressGateways configuration property is an array. For more information, see ingressGateways in the Configuration properties reference.

For example:

ingressGateways:
- name: fruit
  replicaCountMin: 2
  replicaCountMax: 10

- name: meat
  replicaCountMin: 2
  replicaCountMax: 10

Apply the changes with apigeectl apply --org.

Mapping virtual hosts to Apigee ingress gateway deployments

You can use selector labels to map a virtual host to an Apigee ingress gateway deployment. In the following example, the virtual host spam-vh is configured to run on the ingress gateway named meat and the other two virtual hosts run on the fruit ingress gateway. The ingress_name label value must match the ingressGateways[].name of a gateway defined in your overrides, as described in Installing additional Apigee ingress gateways above.

virtualhosts:
- name: spam-vh
  sslCertPath: cert-spam.crt
  sslKeyPath: cert-spam.key
  selector:
    app: apigee-ingressgateway
    ingress_name: meat
- name: banana-vh
  sslCertPath: cert-banana.crt
  sslKeyPath: cert-banana.key
  selector:
    app: apigee-ingressgateway
    ingress_name: fruit
- name: plum-vh
  sslCertPath: cert-plum.crt
  sslKeyPath: cert-plum.key
  selector:
    app: apigee-ingressgateway
    ingress_name: fruit


Adding custom ciphersuites to Apigee ingress gateway deployments

Apigee hybrid supports TLS v1.2 cipher suites by default. If you must serve clients that can only negotiate TLS v1.0 or v1.1, you can lower virtualhosts.minTLSProtocolVersion and use the virtualhosts.cipherSuites property in your overrides file to add the cipher suites those clients need to your Apigee ingress gateway deployment. TLS 1.0 and 1.1 are deprecated (RFC 8996), so treat this as a time-boxed migration setting: list only the suites you intend to offer (the names are OpenSSL-style, as in the examples below), and once the legacy clients are gone raise minTLSProtocolVersion back to "1.2" and drop the non-AEAD (CBC with SHA-1) suites again.

For example, to support TLS v1.1:

virtualhosts:
- name: ENV_GROUP_NAME
  minTLSProtocolVersion: "1.1"
  cipherSuites:
  - "ECDHE-ECDSA-AES128-GCM-SHA256"
  - "ECDHE-RSA-AES128-GCM-SHA256"
  - "ECDHE-ECDSA-AES256-GCM-SHA384"
  - "ECDHE-RSA-AES256-GCM-SHA384"
  - "ECDHE-ECDSA-CHACHA20-POLY1305"
  - "ECDHE-RSA-CHACHA20-POLY1305"
  - "ECDHE-ECDSA-AES128-SHA"
  - "ECDHE-RSA-AES128-SHA"
  - "ECDHE-ECDSA-AES256-SHA"
  - "ECDHE-RSA-AES256-SHA"
  ...

For example, to support TLS v1.0:

virtualhosts:
- name: ENV_GROUP
  minTLSProtocolVersion: "1.0"
  cipherSuites:
  - "ECDHE-ECDSA-AES128-GCM-SHA256"
  - "ECDHE-RSA-AES128-GCM-SHA256"
  - "ECDHE-ECDSA-AES256-GCM-SHA384"
  - "ECDHE-RSA-AES256-GCM-SHA384"
  - "ECDHE-ECDSA-CHACHA20-POLY1305"
  - "ECDHE-RSA-CHACHA20-POLY1305"
  - "ECDHE-ECDSA-AES128-SHA"
  - "ECDHE-RSA-AES128-SHA"
  - "ECDHE-ECDSA-AES256-SHA"
  - "ECDHE-RSA-AES256-SHA"
  ...
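Before lowering minTLSProtocolVersion, and again after the change has been applied, you will want to know exactly which suites the list contains and what the gateway really negotiates. The following POSIX shell script is an added example (not Apigee's code): it flags the non-AEAD suites that exist only for TLS 1.0/1.1 clients, blocks suites without forward secrecy or with broken primitives, and, when given a host, probes a live gateway with openssl s_client at each protocol version. The cipher list is copied from the example above as constructed input; the host and port passed to the probe are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Apigee documentation. Usage:
#   ./tls-audit.sh            # review the cipher list below (offline)
#   ./tls-audit.sh probe HOST[:PORT]   # needs openssl(1) and network access
# HOST/PORT are assumptions; set SNI=name if the virtual host name differs from HOST.

# The page's example list for TLS 1.1/1.0, reproduced as constructed test input.
CIPHERS='ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES256-SHA
ECDHE-RSA-AES256-SHA'

# Suites that are not AEAD (no GCM / CHACHA20-POLY1305 / CCM). These are the
# CBC + HMAC-SHA1 suites kept only for TLS 1.0/1.1 clients; remove them when
# minTLSProtocolVersion goes back to "1.2".
legacy_ciphers() {
  printf '%s\n' "$1" | grep -Ev 'GCM|CHACHA20-POLY1305|CCM' | grep -v '^$'
}

# Suites that must never be offered: no forward secrecy (key exchange other
# than ECDHE/DHE) or known-broken primitives. Output is de-duplicated.
forbidden_ciphers() {
  list=$(printf '%s\n' "$1" | grep -v '^$')
  {
    printf '%s\n' "$list" | grep -Ev '^(ECDHE|DHE)-'
    printf '%s\n' "$list" | grep -Ei 'RC4|3DES|DES-CBC|MD5|NULL|EXPORT|ADH|AECDH'
  } | grep -v '^$' | sort -u
}

# Gate for the overrides change: 0 = acceptable (legacy suites only warned),
# 1 = block the change because a forbidden suite is present.
review_cipher_list() {
  bad=$(forbidden_ciphers "$1" || true)
  if [ -n "$bad" ]; then
    printf 'BLOCK: forbidden suites in cipherSuites:\n%s\n' "$bad" >&2
    return 1
  fi
  legacy=$(legacy_ciphers "$1" || true)
  [ -z "$legacy" ] || printf 'WARN: non-AEAD suites present only for TLS 1.0/1.1 clients:\n%s\n' "$legacy"
  return 0
}

# Probe a deployed gateway once per protocol version and print the suite it
# chose. "Cipher : 0000" in s_client output means the handshake was refused.
# An OpenSSL built without TLS 1.0/1.1 support reports those versions as
# rejected as well. TLS 1.3 suites are fixed by the TLS library and are not
# affected by cipherSuites, so that line is shown for completeness only.
probe() {
  target=$1; sni=${SNI:-${target%%:*}}
  case "$target" in *:*) ;; *) target="$target:443" ;; esac
  for v in tls1 tls1_1 tls1_2 tls1_3; do
    out=$(openssl s_client -connect "$target" -servername "$sni" "-$v" </dev/null 2>&1 || true)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    case "$cipher" in
      ''|0000) printf '%-7s rejected\n' "$v" ;;
      *)       printf '%-7s accepted  %s\n' "$v" "$cipher" ;;
    esac
  done
}

case "${1:-}" in
  probe) probe "$2" ;;
  *) review_cipher_list "$CIPHERS" ;;
esac
```

Run the offline review against the exact list you put in overrides.yaml, and run the probe once after apigeectl apply and once more after you raise minTLSProtocolVersion back to "1.2" to confirm that tls1 and tls1_1 are rejected again.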

Customize Ingress access logs

You can customize the Apigee ingress gateway access log destination and format with the istiod.accessLogFile and istiod.accessLogFormat configuration properties. In the following example, the output will be sent to /dev/stdout, which is the default value for istiod.accessLogFile:

istiod:
  accessLogFormat: '{"request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","status":"%RESPONSE_CODE%"}'

You can disable Apigee ingress gateway access logging by assigning istiod.accessLogFile an empty value. For example:

istiod:
  accessLogFile: ''
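The JSON format in the example above is compact enough to be triaged with standard tools, and X-ENVOY-ORIGINAL-PATH gives you the path as the client sent it, before any rewrite. The following POSIX shell script is an added example (not Apigee's code) that summarises error responses per original path and pulls out paths that look like traversal or dotfile probing; the sample log lines are constructed here in exactly the page's format, and the apigee namespace used for the live variant is an assumption.

```shell
#!/bin/sh
# Added example, not part of the Apigee documentation. Usage:
#   ./triage-access-log.sh           # runs over the constructed sample below
#   ./triage-access-log.sh live [NS] # reads the last 10 minutes from the gateway pods
# Log lines are expected in the page's format:
#   {"request_path":"<X-ENVOY-ORIGINAL-PATH or PATH>","status":"<RESPONSE_CODE>"}
# Paths containing an escaped double quote would split differently; such lines
# are rare on an API gateway but are not handled here.

# Constructed sample: two clean calls, repeated traversal attempts, a dotfile
# probe and two backend errors.
LOG='{"request_path":"/v1/orders","status":"200"}
{"request_path":"/v1/orders","status":"200"}
{"request_path":"/v1/orders/../admin","status":"403"}
{"request_path":"/v1/orders/../admin","status":"403"}
{"request_path":"/v1/orders/../admin","status":"403"}
{"request_path":"/.env","status":"404"}
{"request_path":"/v1/payments","status":"500"}
{"request_path":"/v1/payments","status":"503"}'

# Split on the double quote: field 4 is the path, field 8 the status code.
# Count responses >= 400 per (status, path), highest counts first.
error_counts() {
  printf '%s\n' "$1" \
    | awk -F'"' '$8 >= 400 { c[$8 " " $4]++ } END { for (k in c) print c[k], k }' \
    | sort -rn
}

# Unique original paths that carry a traversal sequence, a percent-encoded dot,
# a dotfile segment or an encoded NUL; useful as a first-pass hunting query.
suspicious_paths() {
  printf '%s\n' "$1" \
    | awk -F'"' '{ print $4 }' \
    | grep -Ei '(^|/)\.\.(/|$)|%2e|/\.[a-z]|%00' \
    | sort -u
}

report() {
  echo '--- responses >= 400 (count status path)'
  error_counts "$1"
  echo '--- suspicious original paths'
  suspicious_paths "$1"
}

case "${1:-}" in
  live)
    # The app=apigee-ingressgateway label is the one the page uses in virtual
    # host selectors; only JSON lines are kept so Envoy's own messages are skipped.
    logs=$(kubectl -n "${2:-apigee}" logs -l app=apigee-ingressgateway \
             --all-containers --since=10m | grep '^{')
    report "$logs" ;;
  *) report "$LOG" ;;
esac
```

Because the format is a single JSON object per line, the same two functions work unchanged on logs collected by a log shipper, so the awk and grep expressions here can be moved into a detection rule with the field names request_path and status.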

FAQ

How does this work with my existing Anthos Service Mesh/Istio installation in another namespace?
As long as Apigee hybrid is installed in its own dedicated namespace, the Apigee ingress gateway can run alongside an existing Anthos Service Mesh or Istio installation in the same cluster. The Apigee ingress gateway does not store any configuration in the Kubernetes API server, so there is nothing for the two installations to conflict over.
Who is responsible for upgrading Apigee ingress gateway components?
Upgrade of Apigee ingress gateway components is taken care of by Apigee and happens during regular hybrid upgrades and patch releases.
How do I expose port 80 in Apigee ingress gateway?
Port 80 is not supported by the Apigee ingress gateway. If you are migrating from Anthos Service Mesh to the Apigee ingress gateway and followed the instructions in the community post to enable port 80, that configuration does not work with the Apigee ingress gateway.