Examples

Public and Private Cloud Deprecation Notice:

Support for Istio by integrating with Istio Mixer

In March this year, the Istio community announced deprecation for Istio Mixer. The Istio Mixer component is critical for the functioning of the Apigee adapter for Istio, which is why we redesigned the Istio adapter to use native Envoy filters (see envoy filter and HTTP filters) to integrate with Apigee.

Apigee announced the beta release of this feature in the API management for services that use Envoy blog post, in addition to the Apigee Adapter for Envoy overview.

Apigee recommends that you move your Istio Adapter setup to Apigee Adapter for Envoy as soon as possible. Moving to the Envoy adapter requires that you recreate your Istio Adapter setup from scratch. There is no other migration path.

Changing default Apigee capabilities

Consider this rule definition -- the default definition found in samples/apigee/rule.yaml:

apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: apigee-rule
  namespace: istio-system
spec:
  match: context.reporter.kind == "inbound" && destination.namespace == "default"
  actions:
  - handler: apigee-handler.apigee.istio-system
    instances:
    - apigee.authorization
    - apigee.analytics

This definition applies analytics and authorization capabilities. If you want to remove authorization, and thereby disable the need for an API key or token while maintaining analytics, you could remove the authorization line and reapply the rule:

Remove the apigee.authorization line from the rule.yaml file:

apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: apigee-rule
  namespace: istio-system
spec:
  match: context.reporter.kind == "inbound" && destination.namespace == "default"
  actions:
  - handler: apigee-handler.apigee.istio-system
    instances:
    - apigee.analytics

Reapply the rule:

kubectl apply -f samples/apigee/rule.yaml

Call the /hello API without an API key, and it works:

curl http://$HELLOWORLD_URL/hello
Hello version: v2, instance: helloworld-v2-56666fdd58-7t4s2

API key as query parameter

By default, API keys must be passed in a header called x-api-key. For example:

curl http://$HELLOWORLD_URL/hello -H "x-api-key: XsU1R4zGXz2ERxa0ilYQ5szwuljr5bB"

You can change this behavior by applying the samples/apigee/httpapispec.yaml configuration to the service mesh. You can see in that file that the apiKeys entry includes a query parameter called apikey, as well as the header x-api-key. After applying the config, you can use either.

kubectl apply -f samples/apigee/httpapispec.yaml

Now, you can call the API with the API key in a query parameter, and it will work:

curl http://$HELLOWORLD_URL/hello?apikey=XsU1R4zGXz2ERxa0ilYQ5szwuljr5bB

The HTTPAPISpec defines certain attributes for a service API. The default Apigee spec tells the Mixer where to look for the API key (query parameter or header), specifies the public name of the service (helloworld.default.svc.cluster.local), and specifies patterns to match against incoming HTTP requests. For example, the default Apigee spec generates the /hellooperation attribute when GET /hello is matched.

apiVersion: config.istio.io/v1alpha2
kind: HTTPAPISpec
metadata:
  creationTimestamp: null
  name: helloworldapi
  namespace: default
spec:
  apiKeys:
  - query: apikey
  - header: x-api-key
  attributes:
    attributes:
      api.service:
        stringValue: helloworld.default.svc.cluster.local
      api.version:
        stringValue: v1
  patterns:
  - attributes:
      attributes:
        api.operation:
            stringValue: /hello
    httpMethod: GET
    uriTemplate: /hello