Expose the MART endpoint

The Apigee hybrid management plane must be able to reach the MART service endpoint in your runtime plane. For this reason, you must expose the MART endpoint to requests coming from outside of the cluster.

The MART endpoint is secured with TLS. Hybrid uses an Istio ingress gateway service to expose traffic to this endpoint.

The setup requires you to provide a TLS key/certificate pair. At the end of this section, we provide an example that shows how to generate a self-signed certificate that you can use for testing purposes.

Expose the endpoint

To expose the MART endpoint:

  1. Open the overrides.yaml file for editing if it is not already open.
  2. Add the mart object's hostAlias, sslCertPath, and sslKeyPath properties as the following example shows:
    namespace: MyNamespace
    config:
      base64Credentials: dXNlckBleGFtcGxlLmNvbTphYmMxMjM=
      envs:
        - orgName: MyOrganization
          envName: MyEnvironment
    
    mart:
      hostAlias: your_host_alias # or "*" if you do not have a DNS domain name.
      sslCertPath: path_to_tls_certificate/my_cert.crt
      sslKeyPath: path_to_tls_private_key/my_key.key
    
    ...
    The required properties are:

    Property                 Value
    config.envs.hostAlias    A publicly available, registered DNS server name. For example: foo-test.mydomain.com. If you don't have a DNS name, you can use the wildcard "*".
    config.envs.sslCertPath  The path on your system to a TLS certificate file. Note that the Common Name (CN) in the cert in each environment must match the hostAlias. For testing purposes only, you can use a self-signed certificate. See Create a self-signed certificate/key pair for details.
    config.envs.sslKeyPath   The path on your system to a TLS key file.
  3. Save your changes.

The following example shows a configuration with the full domain name for the hostAlias property:

namespace: MyNamespace
config:
  base64Credentials: dXNlckBleGFtcGxlLmNvbTphYmMxMjM=
  envs:
    - orgName: MyOrganization
      envName: MyEnvironment

mart:
  hostAlias: foo-mart.mydomain.com # or "*" if you do not have a registered DNS name.
  sslCertPath: /Users/myhome/ssh/mart-server.crt
  sslKeyPath: /Users/myhome/ssh/mart-server.key

The following example shows a configuration that uses "*" as the hostAlias property:

namespace: MyNamespace
config:
  base64Credentials: dXNlckBleGFtcGxlLmNvbTphYmMxMjM=
  envs:
    - orgName: MyOrganization
      envName: MyEnvironment
# ...

mart:
  hostAlias: "*"
  sslCertPath: /Users/myhome/ssh/mart-server.crt
  sslKeyPath: /Users/myhome/ssh/mart-server.key

Create a self-signed certificate/key pair

For testing purposes, you can use a self-signed certificate/key pair for the MART endpoint configuration.

To generate a self-signed pair for the MART endpoint:

  1. Create a directory to contain the TLS credentials for MART.
  2. Execute the following commands to generate the TLS credentials:
    openssl genrsa -des3 -out server.pass.key 2048
    openssl rsa -in server.pass.key -out mart-server.key
    openssl req -nodes -new -key mart-server.key -out mart-server.csr
    openssl x509 -req -sha256 -days 365 -in mart-server.csr -signkey mart-server.key -out mart-server.crt

    For the certificate's Common Name (CN), be sure to use the same domain name you use for the mart.hostAlias property in overrides.yaml.

  3. In the overrides.yaml configuration, provide the paths to the mart-server.key and mart-server.crt files.
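
A pre-flight check for the files referenced by mart.sslCertPath and mart.sslKeyPath, as an added example that is not part of the Apigee documentation. The function names (cert_cn, check_mart_tls, make_test_pair) are hypothetical, and skipping the CN comparison when hostAlias is "*" is an assumption.

```shell
# Added example: pre-flight checks for the mart.* TLS files in overrides.yaml.

# Print the subject Common Name (CN) of a PEM certificate.
cert_cn() {
  openssl x509 -noout -subject -nameopt multiline -in "$1" |
    sed -n 's/^ *commonName *= *//p'
}

# check_mart_tls HOST_ALIAS CERT KEY
# Returns 0 when the pair is usable for the MART endpoint, 1 otherwise.
check_mart_tls() {
  alias_=$1 cert=$2 key=$3 rc=0

  # The key must be unencrypted (mart-server.key, not server.pass.key);
  # the empty -passin makes openssl fail instead of prompting.
  key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || {
    echo "FAIL: cannot read $key (missing or passphrase-protected)"; return 1; }

  # Certificate and private key must carry the same public key.
  cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || {
    echo "FAIL: $cert does not belong to $key"; rc=1; }

  # CN must equal hostAlias. Assumption: with hostAlias "*" there is no
  # name to compare against, so the CN check is skipped.
  cn=$(cert_cn "$cert" 2>/dev/null)
  if [ "$alias_" != "*" ] && [ "$cn" != "$alias_" ]; then
    echo "FAIL: CN '$cn' does not match hostAlias '$alias_'"; rc=1
  fi

  # The certificate must still be valid right now.
  openssl x509 -noout -checkend 0 -in "$cert" >/dev/null 2>&1 || {
    echo "FAIL: $cert has expired or is unreadable"; rc=1; }

  [ "$rc" -eq 0 ] && echo "OK: $cert / $key match hostAlias '$alias_'"
  return "$rc"
}

# Non-interactive variant of the openssl steps above, for throwaway test pairs.
# make_test_pair DIR CN writes DIR/mart-server.key and DIR/mart-server.crt.
make_test_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=$2" -keyout "$1/mart-server.key" -out "$1/mart-server.crt" \
    2>/dev/null
}
```

Run check_mart_tls with the same three values you put under mart: in overrides.yaml before applying the configuration.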
