CLI Reference

The apigee-istio Command Line Interface (CLI) lets you control and manage the Apigee adapter.

Help command

Online help is provided for all apigee-istio commands. Just type:

apigee-istio help

For help on any command, type:

apigee-istio <command> help

For example:

apigee-istio provision help

Version command

Print the CLI version.

apigee-istio version

Provision command

Provisioning installs a proxy in your Apigee Edge organization, sets up a certificate, and generates credentials that you'll need to configure the Apigee adapter.

Usage

If you are on Edge Public Cloud:

apigee-istio provision -o [organization] -e [environment] -u [username] -p [password]

If you are on Edge Private Cloud:

apigee-istio provision -o [organization] -e [environment] -u [username] --managementBase [mgmt server url] -p [password]

Parameters

Parameters Type Description
-o, --org String (Required) Your Apigee organization. You must be an org administrator.
-e, --env String (Required) An environment in your organization.
-u, --username String (Required for basic authentication only) Your Apigee username (typically an email address). You can optionally specify the username in a .netrc file. See also Using .netrc for credentials.
-p, --password String (Required for basic authentication only) Your Apigee password. You can optionally specify the password in a .netrc file. If you do so, then you are not required to provide your password on the command line. See also Using .netrc for credentials.
-t, --token String (Required for OAuth token authentication only) An OAuth or SAML token that you generate from your Apigee account information. For information on generating tokens, see Using get_token and Access the management API with SAML.
-f, --forceProxyInstall (Optional) Forces the istio-auth proxy to be re-installed if it is already installed in your org.
-h, --help Displays help for the command parameters.
-k, --key String (Required only when --verifyOnly is used) Specifies the key returned from the apigee-istio provision command, because --verifyOnly does not regenerate the key.
-s, --secret String (Required only when --verifyOnly is used) Specifies the secret returned from the apigee-istio provision command, because --verifyOnly does not regenerate the secret.
--verifyOnly (Optional) Causes the command to execute without actually provisioning anything on Apigee Edge.
-m, --managementBase String (Required if you are on Apigee Private Cloud) Your Apigee management base URL. Default: https://api.enterprise.apigee.com
-n, --netrc String (Optional) Specifies the path to your .netrc file. Default: $HOME/.netrc. See also Using .netrc for credentials
-r, --routerBase String (Optional) Specifies the virtual host alias for your organization-environment. Default: apigee.net. See the Edge documentation to learn about virtual hosts.
--strength int (Optional) Specifies the encryption strength for SSL certificates used in provisioning the adapter. Default: 2048
-v, --verbose (Optional) Produces verbose output.
--virtualHosts String Overrides the default virtual hosts, which are "default,secure". Use this option if you have virtual hosts specified for your Edge organization-environment other than these defaults. See the Edge documentation to learn about virtual hosts.
--years int (Optional) The number of years before the SSL certificate used in the provisioning expires. Default: 1

Examples

If you are on Edge Public Cloud:

apigee-istio provision -o docs -e test -u jdoe@example.com -p abc123

If you are on Edge Private Cloud:

apigee-istio provision -o docs -e test -u jdoe@example.com --managementBase http://192.162.55.100:8080

Output

On success, you'll see output similar to the following:

verifying internal proxy...
  ok: https://edgemicroservices.apigee.net/edgemicro/analytics/organization/myorg/environment/myenv
  ok: https://edgemicroservices.apigee.net/edgemicro/quotas/organization/myorg/environment/myenv
verifying customer proxy...
  ok: https://myorg-myenv.apigee.net/istio-auth/certs
  ok: https://myorg-myenv.apigee.net/istio-auth/products
  ok: https://myorg-myenv.apigee.net/istio-auth/verifyApiKey

# istio handler configuration for apigee adapter
apiVersion: config.istio.io/v1alpha2
kind: apigee
metadata:
  name: apigee-handler
  namespace: istio-system
spec:
  apigee_base: https://edgemicroservices.apigee.net/edgemicro
  customer_base: https://myorg-myenv.apigee.net/istio-auth
  org_name: myorg
  env_name: myenv
  key: 06a40b65005d03ea24c0d53de69ab795590b0c332526e97fed549471bdea00b9
  secret: 93550179f344150c6474956994e0943b3e93a3c90c64035f378dc05c98389633

Binding commands

Binding associates a service deployed to the Istio mesh with an Apigee API product. The CLI lets you create, remove, and list bindings.

Add a binding

Bind an Istio service to an API product.

Usage

If you are on Edge Public Cloud:

apigee-istio bindings add [service_name] [product_name]  -o [organization] -e [environment] -u [username] -p [password]

If you are on Edge Private Cloud:

apigee-istio bindings add [service_name] [product_name]  -o [organization] -e [environment] -u [username] -p [password] --managementBase [mgmt server url] --routerBase [host alias]

Parameters

Parameters Type Description
-o, --org String (Required) An Apigee organization. You must be an org administrator.
-e, --env String (Required) An environment in your organization.
-u, --username String (Required for basic authentication only) Your Apigee username (typically an email address). You can optionally specify the username in a .netrc file. If you do so, then you are not required to provide your username on the command line. See also Using .netrc for credentials.
-p, --password String (Required for basic authentication only) Your Apigee password. You can optionally specify the password in a .netrc file. If you do so, then you are not required to provide your password on the command line. See also Using .netrc for credentials.
-t, --token String (Required for OAuth token authentication only) An OAuth or SAML token that you generate from your Apigee account information. For information on generating tokens, see Using get_token and Access the management API with SAML.
-m, --managementBase String (Required if you are on Apigee Private Cloud) Your Apigee management base URL. Default: https://api.enterprise.apigee.com
service_name String (Required) The identifier for the service that you are binding. For example: helloworld.default.svc.cluster.local
product_name String (Required) The name of the API product to bind to. For example: hello-istio-product.
-r, --routerBase String (Optional) Specifies the virtual host alias for your organization-environment. Default: apigee.net. See the Edge documentation to learn about virtual hosts.
-n, --netrc String (Optional) Specifies the path to your .netrc file. Default: $HOME/.netrc. See also Using .netrc for credentials
-v, --verbose (Optional) Produces verbose output.
-h, --help Displays help for the command parameters.

Example

apigee-istio bindings add helloworld.default.svc.cluster.local hello-istio-product -o myorg -e test 

Output

On success, you'll see output similar to the following:

product hello-istio-product is now bound to: helloworld.default.svc.cluster.local

List bindings

List all Istio service bindings.

Usage

If you are on Edge Public Cloud:

apigee-istio bindings list -o [organization] -e [environment] -u [username] -p [password]

If you are on Edge Private Cloud:

apigee-istio bindings list -o [organization] -e [environment] -u [username] -p [password] --managementBase [mgmt server url] --routerBase [host alias]

Parameters

Parameters Type Description
-o, --org String (Required) An Apigee organization. You must be an org administrator.
-e, --env String (Required) An environment in your organization.
-u, --username String (Required for basic authentication only) Your Apigee username (typically an email address). You can optionally specify the username in a .netrc file. If you do so, then you are not required to provide your username on the command line. See also Using .netrc for credentials.
-p, --password String (Required for basic authentication only) Your Apigee password. You can optionally specify the password in a .netrc file. If you do so, then you are not required to provide your password on the command line. See also Using .netrc for credentials.
-t, --token String (Required for OAuth token authentication only) An OAuth or SAML token that you generate from your Apigee account information. For information on generating tokens, see Using get_token and Access the management API with SAML.
-m, --managementBase String (Required if you are on Apigee Private Cloud) Your Apigee management base URL. Default: https://api.enterprise.apigee.com
-r, --routerBase String (Optional) Specifies the virtual host alias for your organization-environment. Default: apigee.net. See the Edge documentation to learn about virtual hosts.
-n, --netrc String (Optional) Specifies the path to your .netrc file. Default: $HOME/.netrc. See also Using .netrc for credentials
-v, --verbose (Optional) Produces verbose output.
-h, --help Displays help for the command parameters.

Example

apigee-istio bindings list -o myorg -e test 

Output

On success, you'll see output similar to the following, listing bound and unbound products in your organization:

API Products
============
Bound
-----
hello-istio-product:
  Quota: 5 requests every 1 minute
  Service bindings:
    helloworld.default.svc.cluster.local
  Paths:
    /

Unbound
-------
Generic Product:
streetcarts_product:
users:
  Quota: 50 requests every 1 minute
jdoe:

Remove binding

Remove the binding of an Istio service from an API product.

Usage

If you are on Edge Public Cloud:

apigee-istio bindings remove [service_name] [product_name] -o [organization] -e [environment] -u [username] -p [password]

If you are on Edge Private Cloud:

apigee-istio bindings remove [service_name] [product_name]  -o [organization] -e [environment] -u [username] -p [password] --managementBase [mgmt server url] --routerBase [host alias]

Parameters

Parameters Type Description
-o, --org String (Required) An Apigee organization. You must be an org administrator.
-e, --env String (Required) An environment in your organization.
-u, --username String (Required for basic authentication only) Your Apigee username (typically an email address). You can optionally specify the username in a .netrc file. If you do so, then you are not required to provide your username on the command line. See also Using .netrc for credentials.
-p, --password String (Required for basic authentication only) Your Apigee password. You can optionally specify the password in a .netrc file. If you do so, then you are not required to provide your password on the command line. See also Using .netrc for credentials.
-t, --token String (Required for OAuth token authentication only) An OAuth or SAML token that you generate from your Apigee account information. For information on generating tokens, see Using get_token and Access the management API with SAML.
-m, --managementBase String (Required if you are on Apigee Private Cloud) Your Apigee management base URL. Default: https://api.enterprise.apigee.com
service_name String (Required) The identifier for the service that you are removing. For example: helloworld.default.svc.cluster.local
product_name String (Required) The name of the API product for which to remove the binding. For example: hello-istio-product.
-r, --routerBase String (Optional) Specifies the virtual host alias for your organization-environment. Default: apigee.net. See the Edge documentation to learn about virtual hosts.
-n, --netrc String (Optional) Specifies the path to your .netrc file. Default: $HOME/.netrc. See also Using .netrc for credentials
-v, --verbose (Optional) Produces verbose output.
-h, --help Displays help for the command parameters.

Example

apigee-istio bindings remove helloworld.default.svc.cluster.local hello-istio-product -o myorg -e test

Output

On success, you'll see output similar to the following:

product hello-istio-product is no longer bound to: helloworld.default.svc.cluster.local

Token commands

The token commands let you create, inspect, and rotate JWT tokens. See also Using JWT-based authentication.

Create a JWT token

You can use the token to make authenticated API calls to a service running in the Istio mesh that is bound to an API product. See also Using JWT-based authentication.

Usage

If you are on Edge Public Cloud:

apigee-istio token create -o [organization] -e [environment] -u [username] -p [password] -i [consumer_key] -s [consumer_secret]

If you are on Edge Private Cloud:

apigee-istio token create -o [organization] -e [environment] -u [username] -p [password] -i [consumer_key] -s [consumer_secret] --managementBase [mgmt server url] --routerBase [host alias]

Parameters

Parameters Type Description
-o, --org String (Required) An Apigee organization. You must be an org administrator.
-e, --env String (Required) An environment in your organization.
-u, --username String (Required for basic authentication only) Your Apigee username (typically an email address). You can optionally specify the username in a .netrc file. If you do so, then you are not required to provide your username on the command line. See also Using .netrc for credentials.
-p, --password String (Required for basic authentication only) Your Apigee password. You can optionally specify the password in a .netrc file. If you do so, then you are not required to provide your password on the command line. See also Using .netrc for credentials.
-t, --token String (Required for OAuth token authentication only) An OAuth or SAML token that you generate from your Apigee account information. For information on generating tokens, see Using get_token and Access the management API with SAML.
-m, --managementBase String (Required if you are on Apigee Private Cloud) Your Apigee management base URL. Default: https://api.enterprise.apigee.com
-i, --id String (Required) The consumer key from the Developer App you created on Apigee Edge, as explained in Get an API key.
-s, --secret String (Required) The consumer secret from the Developer App you created on Apigee Edge, as explained in Get an API key.
-r, --routerBase String (Optional) Specifies the virtual host alias for your organization-environment. Default: apigee.net. See the Edge documentation to learn about virtual hosts.
-n, --netrc String (Optional) Specifies the path to your .netrc file. Default: $HOME/.netrc. See also Using .netrc for credentials.
-v, --verbose (Optional) Produces verbose output.
-h, --help Displays help for the command parameters.

Example

apigee-istio token create -o myorg -e test -i YUmlZAcBKNsTAelJqPZFl3sh58ObATX9 -s icTARgaKHqvUH1dq

Output

On success, you'll see a JWT token output similar to the following:

eyJraWQiOiIxIiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.[...].AL7pKSTmond-NSPRNNHVbIzTdAnZjOXcjQ-BbOJ_8lsQvF7PuiOUrGIhY5XTcJusisKgbCdtIxBl8Wq1EiQ_fKnUc3JYYOqzpTB5bGoFy0Yqbfu96dneuWyzgZnoQBkqwZkbQTIg7WNTGx1TJX-UTePvBPxAefiAbaEUcigX9tTsXPoRJZOTrm7IOeKpxpB_gQYkxQtV1_NbERxjTPyMbHdMWal9_xRVzSt7mpTGudMN9OR-VtQ1uXA67GOqhZWcOzq57qImOiCMbaoKnKUADevyWjX_VscN5ZZUtzQUQhTrmv8aR69-uVhMIPKp9juMyYKaYn2IsYZEeCWfhfV45Q

Inspect a JWT token

You can inspect a JWT token with this command. See also Using JWT-based authentication.

Usage

If you are on Edge Public Cloud:

apigee-istio token inspect -o [organization] -e [environment] -u [username] -p [password] -f [token_file]

If you are on Edge Private Cloud:

apigee-istio token inspect -o [organization] -e [environment] -u [username] -p [password] -f [token_file] --managementBase [mgmt server url] --routerBase [host alias]

Parameters

Parameters Type Description
-f, --file String A file containing the token. Or, you can use standard input.
-o, --org String (Required) An Apigee organization. You must be an org administrator.
-e, --env String (Required) An environment in your organization.
-u, --username String (Required for basic authentication only) Your Apigee username (typically an email address). You can optionally specify the username in a .netrc file. If you do so, then you are not required to provide your username on the command line. See also Using .netrc for credentials.
-p, --password String (Required for basic authentication only) Your Apigee password. You can optionally specify the password in a .netrc file. If you do so, then you are not required to provide your password on the command line. See also Using .netrc for credentials.
-t, --token String (Required for OAuth token authentication only) An OAuth or SAML token that you generate from your Apigee account information. For information on generating tokens, see Using get_token and Access the management API with SAML.
-m, --managementBase String (Required if you are on Apigee Private Cloud) Apigee management base. Default: https://api.enterprise.apigee.com
-r, --routerBase String (Optional) Specifies the virtual host alias for your organization-environment. Default: apigee.net. See the Edge documentation to learn about virtual hosts.
-n, --netrc String (Optional) Specifies the path to your .netrc file. Default: $HOME/.netrc. See also Using .netrc for credentials.
-v, --verbose (Optional) Produces verbose output.
-h, --help Displays help for the command parameters.

Example

apigee-istio token inspect -o myorg -e test -u jdoe@google.com -p abc123 -f ./mytoken

Output

On success, you'll see output similar to the following:

{
        "access_token": "eeiZQz07tdTot6VeZfv7HEv1BlSQ",
        "api_product_list": [
                "istio-product"
        ],
        "application_name": "istio-app",
        "aud": "istio",
        "client_id": "YUmlZAcBKNsTAelKqPYFl3sh58ObATX9",
        "developer_email": "jdoe@google.com",
        "exp": 1530150142,
        "iat": 1530339242,
        "iss": "https://apigeesearch-test.apigee.net/istio-auth/token",
        "jti": "e8a0eb3f-395a-4f90-8446-b1b015986cb1",
        "nbf": 1530339242
}

verifying...
token ok.

Rotate a JWT token

At some time after you initially generate a JWT, you might need to change the public/private key pair stored by Apigee Edge in its encrypted key-value map (KVM). This process of generating a new key pair is called key rotation. When you rotate keys, a new private/public key pair is generated and stored in the "istio" KVM in your Apigee Edge organization/environment. In addition, the old public key is retained along with its original key ID value.

Usage

If you are on Edge Public Cloud:

apigee-istio token rotate-cert -o [organization] -e [environment] -u [username] -p [password] -k [provision_key] -s [provision_secret] --kid [new_key_id]

If you are on Edge Private Cloud:

apigee-istio token rotate-cert -o [organization] -e [environment] -u [username] -p [password] -k [provision_key] -s [provision_secret] --kid [new_key_id] --managementBase [mgmt server url] --routerBase [host alias]

Parameters

Parameters Type Description
-k, --key String (Required) The key value you obtained when you provisioned the Apigee adapter.
--kid String (Optional) The new key id (default "1")
-s, --secret String (Required) The secret value you obtained when you provisioned the Apigee adapter.
--strength int (Optional) Specifies the encryption strength for SSL certificates used in provisioning the adapter. Default: 2048
--years int (Optional) The number of years before the SSL certificate used in the provisioning expires. Default: 1
-o, --org String (Required) An Apigee organization. You must be an org administrator.
-e, --env String (Required) An environment in your organization.
-u, --username String (Required for basic authentication only) Your Apigee username (typically an email address). You can optionally specify the username in a .netrc file. If you do so, then you are not required to provide your username on the command line. See also Using .netrc for credentials.
-p, --password String (Required for basic authentication only) Your Apigee password. You can optionally specify the password in a .netrc file. If you do so, then you are not required to provide your password on the command line. See also Using .netrc for credentials.
-t, --token String (Required for OAuth token authentication only) An OAuth or SAML token that you generate from your Apigee account information. For information on generating tokens, see Using get_token and Access the management API with SAML.
-m, --managementBase String (Required if you are on Apigee Private Cloud) Apigee management base. Default: https://api.enterprise.apigee.com
-r, --routerBase String (Optional) Specifies the virtual host alias for your organization-environment. Default: apigee.net. See the Edge documentation to learn about virtual hosts.
-n, --netrc String (Optional) Specifies the path to your .netrc file. Default: $HOME/.netrc. See also Using .netrc for credentials
-v, --verbose (Optional) Produces verbose output.
-h, --help Displays help for the command parameters.

Example

apigee-istio token rotate-cert -o myorg -e test -u jdoe@google.com -k 2e238ffa15dc5ab6a1e97868e7581f6c60ddb8575478582c256d8b7e5b2677a8 -s 51058077223fa7b683c3bea845c5cca138340d1d5583922b6d465f9f918a4b08 --kid 2

Output

certificate successfully rotated
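
Why rotation retains the old public key under its original key ID: a token issued before rotation names that ID in its header (the header segment of the sample token shown earlier decodes to kid "1", alg RS256) and must still verify afterwards. The following is an added example, not Apigee's code. The toy RSA keys, the helper names, and the kid-to-modulus dictionary standing in for the published key set are constructed assumptions.

```python
import base64, hashlib, json

E = 65537  # public exponent shared by both constructed keys
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo

def toy_key(a, b):
    """Constructed RSA key from the Mersenne primes 2**a-1 and 2**b-1 (demo only)."""
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def emsa(msg, n):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg), sized to the modulus n."""
    k = (n.bit_length() + 7) // 8
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def sign(claims, kid, key):
    """Issue an RS256 JWT whose header names the signing key's ID."""
    header = {"kid": kid, "typ": "JWT", "alg": "RS256"}
    signing_input = b64u(json.dumps(header).encode()) + "." + b64u(json.dumps(claims).encode())
    sig = pow(emsa(signing_input.encode(), key["n"]), key["d"], key["n"])
    k = (key["n"].bit_length() + 7) // 8
    return signing_input + "." + b64u(sig.to_bytes(k, "big"))

def verify(token, public_keys):
    """Return the claims if the token verifies under the key named by its kid, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64u_dec(h))
    except ValueError:
        return None
    if not isinstance(header, dict) or header.get("alg") != "RS256":
        return None  # pin the algorithm; never trust the header to choose it
    n = public_keys.get(header.get("kid"))
    if n is None:
        return None  # unknown key ID: that key was not retained
    sig = int.from_bytes(b64u_dec(s), "big")
    if sig >= n or pow(sig, E, n) != emsa(f"{h}.{p}".encode(), n):
        return None
    return json.loads(b64u_dec(p))

def rotation_demo():
    old, new = toy_key(521, 607), toy_key(607, 1279)
    issued_before = sign({"aud": "istio"}, "1", old)   # token from before rotation
    issued_after = sign({"aud": "istio"}, "2", new)    # token after rotating with --kid 2
    retained = {"1": old["n"], "2": new["n"]}          # old public key kept with its kid
    dropped = {"2": new["n"]}                          # what discarding the old key would do
    return {
        "old_token_with_retained_key": verify(issued_before, retained) is not None,
        "new_token": verify(issued_after, retained) is not None,
        "old_token_if_key_dropped": verify(issued_before, dropped) is not None,
    }

if __name__ == "__main__":
    print(rotation_demo())
```

Passing a new --kid on each rotation keeps the retained and current keys distinguishable to a verifier that selects by key ID.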

Using .netrc for credentials

If you are on Edge Public Cloud, apigee-istio automatically picks up the username and password (for basic authentication where needed) from a .netrc file in your home directory, provided the file has an entry for the machine api.enterprise.apigee.com. If you are on Apigee Private Cloud, the machine value is the same as your managementBase URL (for example: http://192.162.55.100).

For example, on Edge Public Cloud:

machine api.enterprise.apigee.com
login jdoe@google.com
password abc123

For example, on Edge Private Cloud:

machine http://192.162.55.100
login jdoe@google.com
password abc123
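
A .netrc file holds the password in plaintext, so it should be accessible only to its owner, and using it keeps -p off the command line, where the password would otherwise land in shell history and process listings. The following added example (not part of the apigee-istio project) audits a .netrc file before building a CLI invocation that relies on it. The function names are hypothetical, and the sample file written in the demo is constructed from the entry shown above.

```python
import netrc
import os
import stat
import tempfile

PUBLIC_CLOUD_MACHINE = "api.enterprise.apigee.com"  # machine name given on this page

def audit_netrc(path, machine=PUBLIC_CLOUD_MACHINE):
    """Return a list of problems that would expose or break the stored credentials."""
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
    except FileNotFoundError:
        return [f"{path}: file not found"]
    findings = []
    if mode & 0o077:
        findings.append(f"{path}: mode {mode:03o} grants access to group/other; run chmod 600")
    try:
        entry = netrc.netrc(path).authenticators(machine)
    except netrc.NetrcParseError as exc:
        return findings + [f"{path}: cannot parse: {exc}"]
    if entry is None:
        findings.append(f"{path}: no entry for machine {machine}")
    elif not entry[0] or not entry[2]:
        findings.append(f"{path}: entry for {machine} lacks login or password")
    return findings

def cli_args(subcommand, org, env, netrc_path, machine=PUBLIC_CLOUD_MACHINE):
    """Build an apigee-istio argument list that omits -u/-p and points at the audited file."""
    findings = audit_netrc(netrc_path, machine)
    if findings:
        raise ValueError("; ".join(findings))
    return ["apigee-istio", *subcommand, "-o", org, "-e", env, "--netrc", netrc_path]

if __name__ == "__main__":
    # Constructed sample file, written to a temporary directory for the demo.
    sample = os.path.join(tempfile.mkdtemp(), "netrc")
    with open(sample, "w") as fh:
        fh.write("machine api.enterprise.apigee.com\nlogin jdoe@google.com\npassword abc123\n")
    os.chmod(sample, 0o644)
    print(audit_netrc(sample))                       # flags the permissive mode
    os.chmod(sample, 0o600)
    print(cli_args(["bindings", "list"], "myorg", "test", sample))
```

On Private Cloud, pass the managementBase URL as the machine argument, since that is the machine value this page specifies for those entries.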