Step 2: Install cert-manager and ASM

This step explains how to download and install cert-manager and Anthos Service Mesh (ASM), required for Apigee hybrid to operate.

Install cert-manager

Use one of the following two commands to install cert-manager v0.14.2 from GitHub. The manifest you need depends on your cluster's Kubernetes version; to find it, run the kubectl version command and read the server version.

  • If you have Kubernetes 1.15 or newer:
    kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.14.2/cert-manager.yaml
  • Kubernetes versions older than 1.15:
    kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.14.2/cert-manager-legacy.yaml

You should see a response that the cert-manager namespace and several cert-manager resources have been created.

Install ASM

Apigee hybrid uses the Istio distribution provided with Anthos Service Mesh (ASM). Follow these steps to install ASM in your cluster.

Supported ASM versions

For new installations of hybrid, install ASM 1.6.x into your cluster. If you are upgrading from hybrid version 1.2.x, install ASM version 1.5.x into your cluster.

Perform ASM setup and configuration steps

To complete the ASM installation, you must first follow ASM-specific setup and configuration steps in the ASM documentation. Then, you must return here to complete the hybrid-specific configuration before applying the configuration to the cluster.

  1. Follow the ASM setup and configuration steps:
  2. When you have completed the ASM setup and config steps, go to the next section to complete the hybrid configuration and ASM installation steps.

Perform final hybrid configuration and install ASM

Finally, add hybrid-specific configurations to the istio-operator.yaml file and install ASM.

  1. Ensure that you're in the ASM installation's root directory. For example: 1.6.11-asm.1.
  2. Open the ./asm/cluster/istio-operator.yaml file in an editor.
  3. Add the following lines indented under spec.meshConfig:

    Text to copy

     # This disables Istio from configuring workloads for mTLS if TLSSettings are not specified.
     # 1.4 defaulted to false.
     enableAutoMtls: false
     accessLogFile: "/dev/stdout"
     accessLogEncoding: 1
     # This is Apigee's custom access log format. Changes should not be made to this
     # unless first working with the Data and AX teams as they parse these logs for
     # SLOs.
     accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'

    Example showing placement

    apiVersion: install.istio.io/v1alpha1
    kind: IstioOperator
    metadata:
      clusterName: "hybrid-example/us-central1/example-cluster" # {"$ref":"#/definitions/io.k8s.cli.substitutions.cluster-name"}
    spec:
      profile: asm
      hub: gcr.io/gke-release/asm # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.hub"}
      tag: 1.5.7-asm.0 # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.tag"}
      meshConfig:
        # This disables Istio from configuring workloads for mTLS if TLSSettings are not specified.
        # 1.4 defaulted to false.
        enableAutoMtls: false
        accessLogFile: "/dev/stdout"
        accessLogEncoding: 1
        # This is Apigee's custom access log format. Changes should not be made to this
        # unless first working with the Data and AX teams as they parse these logs for
        # SLOs.
        accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
        defaultConfig:
          proxyMetadata:
            GCP_METADATA: "hybrid-example|123456789123|example-cluster|us-central1" # {"$ref":"#/definitions/io.k8s.cli.substitutions.gke-metadata"}
  4. Add (or update) the spec.components stanza in the istio-operator.yaml file, below the meshConfig: section and immediately above values:. Replace the reserved_static_ip placeholder with the static IP address you reserved for your runtime ingress gateway in Project and Org Setup - Step 5: Configure Cloud DNS; leaving the placeholder in place will cause the gateway service to fail to get that address.

    Text to copy

     ingressGateways:
     - name: istio-ingressgateway
       enabled: true
       k8s:
         service:
           type: LoadBalancer
           loadBalancerIP: reserved_static_ip
           ports:
           - name: status-port
             port: 15020
             targetPort: 15020
           - name: http2
             port: 80
             targetPort: 80
           - name: https
             port: 443
           - name: prometheus
             port: 15030
             targetPort: 15030
           - name: tcp
             port: 31400
             targetPort: 31400
           - name: tls
             port: 15443
             targetPort: 15443

    Example showing placement

    apiVersion: install.istio.io/v1alpha1
    kind: IstioOperator
    metadata:
      clusterName: "hybrid-example/us-central1/example-cluster" # {"$ref":"#/definitions/io.k8s.cli.substitutions.cluster-name"}
    spec:
      profile: asm
      hub: gcr.io/gke-release/asm # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.hub"}
      tag: 1.5.7-asm.0 # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.tag"}
      meshConfig:
        # This disables Istio from configuring workloads for mTLS if TLSSettings are not specified.
        # 1.4 defaulted to false.
        enableAutoMtls: false
        accessLogFile: "/dev/stdout"
        accessLogEncoding: 1
        # This is Apigee's custom access log format. Changes should not be made to this
        # unless first working with the Data and AX teams as they parse these logs for
        # SLOs.
        accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
        defaultConfig:
          proxyMetadata:
            GCP_METADATA: "hybrid-example|123456789123|example-cluster|us-central1" # {"$ref":"#/definitions/io.k8s.cli.substitutions.gke-metadata"}
      components:
        pilot:
          k8s:
            hpaSpec:
              maxReplicas: 2
        ingressGateways:
        - name: istio-ingressgateway
          enabled: true
          k8s:
            service:
              type: LoadBalancer
              loadBalancerIP: 123.234.56.78
              ports:
              - name: status-port
                port: 15020
                targetPort: 15020
              - name: http2
                port: 80
                targetPort: 80
              - name: https
                port: 443
              - name: prometheus
                port: 15030
                targetPort: 15030
              - name: tcp
                port: 31400
                targetPort: 31400
              - name: tls
                port: 15443
                targetPort: 15443
            hpaSpec:
              maxReplicas: 2
      values:
        .
        .
        .
  5. Return now to the ASM documentation you used previously and complete the ASM installation by applying the edited istio-operator.yaml file to the cluster. When given a choice, choose PERMISSIVE mTLS. In PERMISSIVE mode the sidecars accept both mTLS and plaintext connections; STRICT mode would reject the plaintext traffic that the enableAutoMtls: false setting above leaves in place.
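Two of the steps above are easy to get wrong silently: picking the cert-manager manifest for the wrong Kubernetes minor version, and applying istio-operator.yaml with the reserved_static_ip placeholder or one of the hybrid meshConfig settings missing. The following pre-flight script is an added example, not part of the Apigee hybrid or ASM tooling. It works offline with sh, grep, sed and tr, never calls kubectl, and the sample istio-operator.yaml it writes is a constructed, trimmed version of the example above (the access log format is shortened to a few fields).

```shell
#!/bin/sh
# Added pre-flight helper for this step; it is not part of the Apigee hybrid or ASM
# tooling. Everything runs offline with sh, grep, sed and tr; kubectl is never called.

CERT_MANAGER_VERSION="v0.14.2"
CERT_MANAGER_BASE="https://github.com/jetstack/cert-manager/releases/download/${CERT_MANAGER_VERSION}"

# Choose the cert-manager manifest for a Kubernetes server minor version, mirroring the
# two kubectl apply commands above (1.15 and newer: cert-manager.yaml; older: legacy).
# Argument: the server minor version as reported by kubectl version, e.g. "16" or "14+".
cert_manager_manifest() {
  minor=$(printf '%s' "$1" | sed 's/[^0-9].*$//')   # GKE reports minors like "16+"
  [ -n "$minor" ] || { echo "usage: cert_manager_manifest <k8s-minor>" >&2; return 1; }
  if [ "$minor" -ge 15 ]; then
    echo "${CERT_MANAGER_BASE}/cert-manager.yaml"
  else
    echo "${CERT_MANAGER_BASE}/cert-manager-legacy.yaml"
  fi
}

fail() { echo "FAIL: $1"; errors=$((errors + 1)); }

# Verify the hybrid-specific edits to istio-operator.yaml (steps 3 and 4) before the
# file is applied. Prints each problem found; returns 0 only when every check passes.
check_operator_yaml() {
  f=$1
  errors=0
  # step 3: meshConfig settings
  grep -Eq '^[[:space:]]*enableAutoMtls:[[:space:]]*false[[:space:]]*$' "$f" \
    || fail "enableAutoMtls must be false"
  grep -Eq '^[[:space:]]*accessLogFile:[[:space:]]*"?/dev/stdout"?[[:space:]]*$' "$f" \
    || fail "accessLogFile must be /dev/stdout"
  grep -Eq '^[[:space:]]*accessLogEncoding:[[:space:]]*1[[:space:]]*$' "$f" \
    || fail "accessLogEncoding must be 1 (JSON)"
  fmt=$(grep -E '^[[:space:]]*accessLogFormat:' "$f" | head -n 1)
  [ -n "$fmt" ] || fail "accessLogFormat is missing"
  # each Envoy %TOKEN% opens and closes with %, so the count of % must be even
  pct=$(printf '%s' "$fmt" | tr -cd '%' | wc -c | tr -d ' ')
  [ $((pct % 2)) -eq 0 ] || fail "accessLogFormat has an unterminated %TOKEN%"
  # step 4: ingress gateway service
  if grep -q 'reserved_static_ip' "$f"; then
    fail "reserved_static_ip placeholder was not replaced"
  fi
  grep -Eq '^[[:space:]]*loadBalancerIP:[[:space:]]*[0-9]{1,3}(\.[0-9]{1,3}){3}[[:space:]]*$' "$f" \
    || fail "loadBalancerIP is not a literal IPv4 address"
  grep -Eq '^[[:space:]]*type:[[:space:]]*LoadBalancer[[:space:]]*$' "$f" \
    || fail "ingress gateway service type must be LoadBalancer"
  for p in 15020 80 443 15030 31400 15443; do
    grep -Eq "^[[:space:]]*port:[[:space:]]*${p}"'[[:space:]]*$' "$f" \
      || fail "gateway port ${p} is missing"
  done
  [ "$errors" -eq 0 ]
}

# Constructed, trimmed istio-operator.yaml in the layout shown above, for trying the
# checker offline. $2 is the loadBalancerIP value, $3 the enableAutoMtls value.
write_sample_operator_yaml() {
  cat > "$1" <<EOF
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  profile: asm
  meshConfig:
    enableAutoMtls: ${3:-false}
    accessLogFile: "/dev/stdout"
    accessLogEncoding: 1
    accessLogFormat: '{"start_time":"%START_TIME%","request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","status":"%RESPONSE_CODE%"}'
  components:
    ingressGateways:
    - name: istio-ingressgateway
      enabled: true
      k8s:
        service:
          type: LoadBalancer
          loadBalancerIP: ${2}
          ports:
          - name: status-port
            port: 15020
            targetPort: 15020
          - name: http2
            port: 80
            targetPort: 80
          - name: https
            port: 443
          - name: prometheus
            port: 15030
            targetPort: 15030
          - name: tcp
            port: 31400
            targetPort: 31400
          - name: tls
            port: 15443
            targetPort: 15443
EOF
}

# Usage: sh preflight.sh manifest 16 | check ./asm/cluster/istio-operator.yaml | demo
case "${1:-}" in
  manifest) cert_manager_manifest "$2" ;;
  check)    check_operator_yaml "$2" ;;
  demo)     d=$(mktemp -d)
            write_sample_operator_yaml "$d/good.yaml" 123.234.56.78
            write_sample_operator_yaml "$d/bad.yaml" reserved_static_ip true
            check_operator_yaml "$d/good.yaml" && echo "good.yaml: OK"
            check_operator_yaml "$d/bad.yaml" || echo "bad.yaml: rejected as expected" ;;
esac
```

Run it with `check` against the real ./asm/cluster/istio-operator.yaml after step 4; a non-zero exit means at least one of the hybrid settings is missing or the IP placeholder is still there. The checks are line-oriented on purpose so they work without a YAML parser, which also means they only confirm the keys are present with the expected values, not that the file is structurally valid YAML; the ASM install step still validates that.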

Summary

You now have cert-manager and ASM installed, and you are ready to install the Apigee hybrid command line tool on your local machine.
