Apigee hybrid uses Istio ingress gateways to expose the following services outside the cluster. The steps for installing these gateway components require you to provide TLS credentials in their configurations:
- The MART ingress gateway allows the management plane to communicate with the runtime plane. To secure this endpoint, you must use an authorized TLS certificate/key pair in your hybrid runtime configuration. You cannot use a self-signed certificate for the MART ingress TLS configuration. See Create a self-signed certificate/key pair below.
- The message processors (MPs) that process incoming API proxy traffic also use an ingress gateway exposed to the outside. For trial or testing installations, the MP ingress gateway(s) can be configured with self-signed certs. See Create a self-signed certificate/key pair below.
Later in the installation instructions, you'll be asked to provide these credentials in the steps:
Obtaining authorized TLS credentials
The MART service configuration requires an authorized TLS certificate/key pair. This means the cert must be authorized by a certificate authority (CA). It is up to you to obtain these credentials by whatever means is available to you or your organization. For example illustrating how to obtain credentials from the CA Let's Encrypt, see Obtain TLS credentials (example).
Create a self-signed certificate/key pair
For testing purposes, you can use a self-signed certificate/key pair for your environment configuration. Note, however, you cannot use self-signed certs for the MART ingress configuration.
Example instructions that explain how to a create self-signed cert are provided later in the installation step: Step 3: Configure an environment.