The Apigee hybrid management plane must be able to reach the MART service endpoint in your runtime plane. For this reason, you must expose the MART endpoint to requests coming from outside of the cluster.
The MART endpoint is a secure TLS connection. Hybrid uses an Istio ingress gateway service to expose traffic to this endpoint.
The setup requires you to provide a TLS key/certificate pair. At the end of this section, we provide an example that shows how to generate a self-signed certificate that you can use for testing purposes.
Expose the endpoint
To expose the MART endpoint:
- Open the overrides.yaml file for editing if it is not already open.
- Add the hostAlias, sslCertPath, and sslKeyPath properties under mart, as the following example shows:

  namespace: MyNamespace
  config:
    base64Credentials: dXNlckBleGFtcGxlLmNvbTphYmMxMjM=
  envs:
    - orgName: MyOrganization
      envName: MyEnvironment
  mart:
    hostAlias: your_host_alias  # or "*" if you do not have a DNS domain name
    sslCertPath: path_to_tls_certificate/my_cert.crt
    sslKeyPath: path_to_tls_private_key/my_key.key
  ...

  The required properties are:
  - hostAlias: A publicly available, registered DNS server name, for example foo-test.mydomain.com. If you don't have a DNS name, you can use the wildcard "*".
  - sslCertPath: The path on your system to a TLS certificate file. Note that the Common Name (CN) in the cert in each environment must match the hostAlias. For testing purposes only, you can use a self-signed certificate. See Create a self-signed certificate/key pair for details.
  - sslKeyPath: The path on your system to a TLS key file.
- Save your changes.
The following example shows a configuration with the full domain name for the hostAlias:

  namespace: MyNamespace
  config:
    base64Credentials: dXNlckBleGFtcGxlLmNvbTphYmMxMjM=
  envs:
    - orgName: MyOrganization
      envName: MyEnvironment
  mart:
    hostAlias: foo-mart.mydomain.com  # or "*" if you do not have a registered DNS name
    sslCertPath: /Users/myhome/ssh/mart-server.crt
    sslKeyPath: /Users/myhome/ssh/mart-server.key
The following example shows a configuration that uses "*" as the hostAlias:

  namespace: MyNamespace
  config:
    base64Credentials: dXNlckBleGFtcGxlLmNvbTphYmMxMjM=
  envs:
    - orgName: MyOrganization
      envName: MyEnvironment
  ...
  mart:
    hostAlias: "*"
    sslCertPath: /Users/myhome/ssh/mart-server.crt
    sslKeyPath: /Users/myhome/ssh/mart-server.key
Create a self-signed certificate/key pair
For testing purposes, you can use a self-signed certificate/key pair for the MART endpoint configuration.
To generate a self-signed pair for the MART endpoint:
- Create a directory to contain the TLS credentials for MART.
- Execute the following commands to generate the TLS credentials:

  # Generate a passphrase-protected 2048-bit RSA key (you are prompted for the passphrase)
  openssl genrsa -des3 -out server.pass.key 2048
  # Strip the passphrase so the runtime can load the key without a prompt
  openssl rsa -in server.pass.key -out mart-server.key
  # Create a certificate signing request; enter the hostAlias domain name as the Common Name
  openssl req -nodes -new -key mart-server.key -out mart-server.csr
  # Self-sign the request to produce a certificate valid for 365 days
  openssl x509 -req -sha256 -days 365 -in mart-server.csr -signkey mart-server.key -out mart-server.crt

  For the certificate's Common Name (CN), be sure to use the same domain name you use for the hostAlias property.
- In the overrides.yaml configuration, provide the paths to the
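The two procedures above (the mart block in overrides.yaml and the self-signed pair) are easy to get subtly wrong: a CN that does not match the hostAlias, a key that belongs to a different certificate, or an expired test certificate all surface only as an opaque TLS failure when the management plane calls MART. The following script is an added example, not code from the Apigee hybrid documentation or product. It generates the self-signed pair non-interactively (the same openssl steps as the page, with -subj so the CN is set explicitly and without the passphrase round-trip, since the key ends up unencrypted anyway) and then checks that overrides.yaml, the certificate and the key agree before you deploy. It assumes openssl is on PATH and that overrides.yaml carries a top-level mart block with hostAlias, sslCertPath and sslKeyPath as shown on the page; the function names gen_mart_selfsigned, mart_prop and check_mart_tls are mine.

```shell
#!/bin/sh
# Added example (not Apigee hybrid code): create a self-signed MART pair and verify
# that the overrides.yaml mart block, the certificate and the private key are consistent.
# Assumes: openssl on PATH; a top-level "mart:" block with hostAlias/sslCertPath/sslKeyPath.

# gen_mart_selfsigned DIR CN
# Writes DIR/mart-server.key and DIR/mart-server.crt with the given Common Name.
gen_mart_selfsigned() {
  dir=$1; cn=$2
  mkdir -p "$dir"
  openssl genrsa -out "$dir/mart-server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/mart-server.key" -subj "/CN=$cn" \
    -out "$dir/mart-server.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$dir/mart-server.csr" \
    -signkey "$dir/mart-server.key" -out "$dir/mart-server.crt" 2>/dev/null
}

# mart_prop FILE KEY  -> prints the value of mart.KEY from an overrides.yaml
# Minimal indentation-based scan: only lines between "mart:" and the next
# top-level key are inspected; surrounding double quotes are stripped.
mart_prop() {
  awk -v key="$2" '
    /^mart:/                  { inmart = 1; next }
    inmart && /^[^ #]/        { inmart = 0 }
    inmart && $1 == (key ":") { v = $2; gsub(/^"|"$/, "", v); print v; exit }
  ' "$1"
}

# check_mart_tls OVERRIDES_FILE -> returns 0 if consistent, 1 with a reason on stderr
check_mart_tls() {
  f=$1
  halias=$(mart_prop "$f" hostAlias)
  cert=$(mart_prop "$f" sslCertPath)
  key=$(mart_prop "$f" sslKeyPath)
  if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
    echo "check_mart_tls: sslCertPath or sslKeyPath is not readable" >&2; return 1
  fi
  # 1. The private key must belong to the certificate: compare the public keys.
  if [ "$(openssl x509 -in "$cert" -noout -pubkey)" != "$(openssl pkey -in "$key" -pubout)" ]; then
    echo "check_mart_tls: private key does not match the certificate" >&2; return 1
  fi
  # 2. The certificate must not already be expired (-checkend 0 fails once it is).
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
    echo "check_mart_tls: certificate has expired" >&2; return 1
  fi
  # 3. The CN must equal hostAlias; the wildcard hostAlias "*" accepts any CN.
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
       | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
  if [ "$halias" != "*" ] && [ "$cn" != "$halias" ]; then
    echo "check_mart_tls: certificate CN '$cn' does not match hostAlias '$halias'" >&2; return 1
  fi
  return 0
}
```

Typical use: `gen_mart_selfsigned ./mart-tls foo-mart.mydomain.com`, point sslCertPath and sslKeyPath in overrides.yaml at the generated files, then run `check_mart_tls overrides.yaml` and only apply the configuration when it exits 0. The public-key comparison is deliberate: comparing the modulus alone works only for RSA, while comparing the SubjectPublicKeyInfo output of `openssl x509 -pubkey` and `openssl pkey -pubout` also covers EC keys.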