Apigee known issues

After migration of apigee-logger from fluend to fluent-bit in Apigee hybrid version 1.6.6, the logger stopped working on Anthos BareMetal with CentOS or RHEL.

Rolling back an archive deployment is not currently supported. To remove a version of an archive deployment you need to either redeploy a previous version of an archive or delete the environment.

• Apigee supports OpenAPI Specification 3.0 when you publish your APIs using SmartDocs on your portal, though a subset of features are not yet supported. For example, allOf properties for combining and extending schemas.

  If an unsupported feature is referenced in your OpenAPI Specification, in some cases the tools will ignore the feature but still render the API reference documentation. In other cases, an unsupported feature will cause errors that prevent the successful rendering of the API reference documentation. In either case, you will need to modify your OpenAPI Specification to avoid use of the unsupported feature until it is supported in a future release.

• When using Try this API in the portal, the Accept header is set to application/json regardless of the value set for consumes in the OpenAPI Specification.

• API Proxy request and response counts (for proxy and targets) show abnormal spikes

  Here is a sample showing such a spike:

  (view larger image)

  
• Due to a bug, the system registers the count incorrectly for a brief period and the count is corrected. This happens where there is a reduction in API traffic (which results in a scale down of API gateways).
• To distinguish actual spikes in requests vs. this issue, please consult the API Analytics page (specifically the Proxy Performance and Target Performance pages)

Affected Metrics:

• apigee.googleapis.com/proxyv2/request_count
• apigee.googleapis.com/proxyv2/response_count
• apigee.googleapis.com/targetv2/request_count
• apigee.googleapis.com/targetv2/response_count

271689008

With cert-manager v1.10.1 on OpenShift versions 4.7 to 4.10, the cert-manager pods do not start as expected. To resolve the problem, modify the security config constraint as described in the cert-manager 1.10 release notes.

269573358

The OASValidation Policy fails when the JSON content does not match the anticipated pattern. For example if a header is expecting a value in the format <text>@<text>, and is populated with text missing the @ symbol.

266957367

On Apigee Hybrid v1.7 installations, upgrading Anthos Service Mesh to v1.15 can cause 503 errors for proxies using TLS/SSL headers.

260324159

258699204

If you see problems with the apigee-telemetry-app or apigee-telemetry-proxy pods not running, change the metrics resources requests and resources limits properties to match the following defaults in Configuration property reference: metrics.

Apply the changes with apigeectl apply with the ‑‑telemetry flag:

apigeectl apply --telemetry -f overrides.yaml

254505866

Provisioning API hub using the UI fails if you select a region other than the following:

• asia-east1
• asia-southeast1
• europe-west1
• europe-west4
• us-central1
• us-east1
• us-west1
• us-west4

250875730

This is expected to occur every minute and does not affect your billing cost.

243880171

If http_proxy is configured to DENY internal network traffic, the apigee-cassandra-default-* pod doesn't get into ready state.

Use the following work around:

1. Update the readinessProbe section in the $APGEECTL_HOME/templates/1_apigee-datastore.yaml to add the line - unset http_proxy as follows:

readinessProbe:
  exec:
    command:
      - /bin/bash
      - -c
      - unset http_proxy # this is the line that needs to be added.
      - /opt/apigee/ready-probe.sh

2. Apply the changes:

   $APGEECTL_HOME/apigeectl apply --datastore -f overrides.yaml

3. Delete the unhealthy cassandra pod:

   kubectl -n apigee delete pods unhealthy-cassandra-pod

243599452

The ingressGateways[].svcAnnotations field in overrides.yaml is not working as expected. If you need to add custom annotations to the Apigee ingress gateway service, create a custom Kubernetes service as documented in Expose Apigee ingress gateway.

242213234

This error might be returned when attempting to load API products: "Products were not loaded successfully. Error: no connections available from the Apigee connect agent(s)."

The problem occurs after enabling VPC service control in the GCP project and adding iamcredentials.googleapis.com as one of the restricted services in the service perimeter.

230798614

If you are running Apigee hybrid 1.7.3 or an older version, and you are experiencing unresponsive hybrid runtime behavior, it may be caused by a version incompatibility between the runtime pods and C*. The recommended solution is to upgrade to Apigee hybrid 1.7.4 or later. See Upgrading Apigee hybrid.

213798518

181569522

When creating new environments do not re-use deleted envrionment names. If you delete an environment and recreate it with the same environment name, proxies can fail to deploy to the new environment.

During upgrade to Apigee hybrid 1.8.x, after running apigeectl init and confirming that check-ready succeeded, you may notice, if you view the pods, that the Cassandra schema validation job is in an error state. This is a harmless condition, and you can safely move to the next step in the upgrade procedure.

On OpenShift, after running apigeectl init, the runtime pod can become stuck in initialization mode. To avoid this, try the following workaround:

1. Edit the file plugins/open-shift/scc.yaml and insert the line

   - system:serviceaccount:{{ .Namespace }}:default

   under the line system:serviceaccount:{{ .Namespace }}:{{ .Logger.PodServiceAccountName }} in the specifications for apigee-logger scc.

2. Run apigeectl init again.
3. Verify that the users section has both default and apigee-logger-apigee-telemetry services accounts with the following oc command:

   oc get scc apigee-apigee-logger -o yaml

   The output should resemble:

   users: 
    - system:serviceaccount:apigee:default 
    - system:serviceaccount:apigee:apigee-logger-apigee-telemetry

API Monitoring of Configurable API Proxies may display a fault code of '(not set)' for responses with a non-2xx status from the target.

For a particular key, if there is continuous traffic, the key may not be rate limited at the updated rate. If there is five minutes of no traffic for a particular key, the rate will be reflected.

If you are using the SpikeArrest policy in a shared flow, then the Identifier has the shared flow name appended, and the throttling limit is enforced for all the APIs that use the shared flow. Similarly, if you are using the Quota policy in a shared flow, the policy counters are updated for all the APIs that use the shared flow.

connectAgent:
  image:
    url: "gcr.io/apigee-release/hybrid/apigee-connect-agent"
    tag: "1.5.4"

Invalid HTTP Header error: The Istio ingress switches all incoming target responses to the HTTP2 protocol. Because the hybrid message processor only supports HTTP1, you may see the following error when an API proxy is called:

http2 error: Invalid HTTP header field was received: frame type: 1, stream: 1,

name: [:authority], value: [domain_name]

If you see this error, you can take either of the following actions to correct the problem:

• Modify the target service to omit the Host header in the response.
• Remove the Host header using the AssignMessage policy in your API proxy if necessary.