Step 4: Install hybrid on GKE

Apply the configuration to the cluster

To install Apigee hybrid into your cluster:

  1. Be sure that you are in the hybrid-base-directory/hybrid-files directory.
  2. Verify that kubectl is set to the correct context. The current context should be set to the cluster to which you are deploying:
    kubectl config get-contexts
  3. Execute the init command:
    $APIGEECTL_HOME/apigeectl init -f overrides/overrides.yaml

    The init command installs the Apigee deployment services (Apigee Deployment Controller and Apigee Admission Webhook) and deploys the non-Apigee components Istio and Cert Manager.

  4. To check the status of the deployment, you can use these commands:
    $APIGEECTL_HOME/apigeectl check-ready -f overrides/overrides.yaml

    and

    kubectl get pods -n apigee-system

    and

    kubectl get pods -n istio-system

    When the pods are ready, go to the next step.

  5. Do a "dry run" install. Execute the apply command with the --dry-run=true flag. Doing a dry run lets you check for any errors before any changes are made to the cluster.
    $APIGEECTL_HOME/apigeectl apply -f overrides/overrides.yaml --dry-run=true
  6. If there are no errors, you can apply the Apigee-specific runtime components to the cluster:
    $APIGEECTL_HOME/apigeectl apply -f overrides/overrides.yaml
  7. To check the status of the deployment:
    $APIGEECTL_HOME/apigeectl check-ready -f overrides/overrides.yaml

    Repeat this step until the pods are all ready. The pods may take several minutes to start up.

Get an authorization token

To make the Apigee API calls described later in this topic, you need to get an authorization token that has the Apigee Organization Admin role.

  1. If you are not the owner of the GCP project that is associated with your Apigee hybrid organization, be sure that your GCP user account has the roles/apigee.admin (Apigee Organization Admin) role. You can check the roles assigned to you with this command:
    gcloud projects get-iam-policy GCP_project_name  \
    --flatten="bindings[].members" \
    --format='table(bindings.role)' \
    --filter="bindings.members:your_account_email"
    

    For example:

    gcloud projects get-iam-policy my-project  \
    --flatten="bindings[].members" \
    --format='table(bindings.role)' \
    --filter="bindings.members:myusername@example.com"
  2. If necessary, add the Apigee Organization Admin role to your user account. You can use this command to add the role to your user account:
    gcloud projects add-iam-policy-binding your_GCP_project_name \
      --member user:your_account_email \
      --role roles/apigee.admin

    For example:

    gcloud projects add-iam-policy-binding my-project \
      --member user:myusername@example.com \
      --role roles/apigee.admin
  3. Get an authorization token for your user account:
    export TOKEN=$(gcloud auth print-access-token)
    

Enable synchronizer access

  1. Get an authorization token for your user account.
  2. Call the setSyncAuthorization API to enable the required permissions for Synchronizer:
    curl -X POST -H "Authorization: Bearer $TOKEN" \
      -H "Content-Type:application/json" \
      "https://apigee.googleapis.com/v1/organizations/your_org_name:setSyncAuthorization" \
       -d '{"identities":["serviceAccount:synchronizer-manager-service-account-email"]}'
    

    Where:

    • your_org_name: The name of your hybrid organization.
    • synchronizer-manager-service-account-email: The name of a service account with the Apigee Synchronizer Manager role. The name is formed like an email address. For example: apigee-synchronizer@my-project.iam.gserviceaccount.com

    Example:

    curl -X POST -H "Authorization: Bearer $TOKEN" \
      -H "Content-Type:application/json" \
      "https://apigee.googleapis.com/v1/organizations/my_org:setSyncAuthorization" \
       -d '{"identities":["serviceAccount:apigee-synchronizer@my-project.iam.gserviceaccount.com"]}'
    
  3. To verify that the service account was set, call the following API to get a list of service accounts:
    curl -X POST -H "Authorization: Bearer $TOKEN" \
      -H "Content-Type:application/json" \
      "https://apigee.googleapis.com/v1/organizations/your_org_name:getSyncAuthorization" \
       -d ''
    

    The output looks similar to the following:

    {
       "identities":[
          "serviceAccount:my-synchronizer-manager-service_account@my_project_id.iam.gserviceaccount.com"
       ],
       "etag":"BwWJgyS8I4w="
    }
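
The verification in step 3 can be scripted so that it fails when the response lists anything other than the service account you meant to authorize. The following is an added example, not part of the original page: the function names are hypothetical, both sample responses are constructed, and the extraction relies on the response shape shown above.

```shell
#!/bin/sh
# Added example (not from the Apigee docs): compare the identities returned by
# getSyncAuthorization with the set you intended to authorize.
# Function names and both sample responses are constructed for illustration.

SAMPLE_OK='{
   "identities":[
      "serviceAccount:apigee-synchronizer@my-project.iam.gserviceaccount.com"
   ],
   "etag":"BwWJgyS8I4w="
}'
SAMPLE_EXTRA='{
   "identities":[
      "serviceAccount:apigee-synchronizer@my-project.iam.gserviceaccount.com",
      "serviceAccount:old-sync@my-project.iam.gserviceaccount.com"
   ],
   "etag":"BwWJgyS8I4w="
}'

# Print one identity per line from the "identities" array of a response.
list_identities() {
  printf '%s' "$1" | tr -d '\n' \
    | sed -n 's/.*"identities"[[:space:]]*:[[:space:]]*\[\([^]]*\)].*/\1/p' \
    | grep -o '"[^"]*"' | tr -d '"' | sort -u
}

# check_sync_identities RESPONSE EXPECTED...
# Returns 0 only when the response lists exactly the expected identities.
check_sync_identities() {
  csi_response=$1; shift
  csi_actual=$(list_identities "$csi_response")
  csi_expected=$(printf '%s\n' "$@" | sort -u)
  csi_status=0
  for csi_id in $csi_actual; do
    printf '%s\n' "$csi_expected" | grep -qxF -- "$csi_id" \
      || { echo "EXTRA   $csi_id" >&2; csi_status=1; }
  done
  for csi_id in $csi_expected; do
    printf '%s\n' "$csi_actual" | grep -qxF -- "$csi_id" \
      || { echo "MISSING $csi_id" >&2; csi_status=1; }
  done
  return $csi_status
}

EXPECTED="serviceAccount:apigee-synchronizer@my-project.iam.gserviceaccount.com"
check_sync_identities "$SAMPLE_OK" "$EXPECTED" && echo "sync authorization OK"
check_sync_identities "$SAMPLE_EXTRA" "$EXPECTED" || echo "sync authorization differs"
```

In practice, pass the saved output of the getSyncAuthorization call as the first argument in place of the sample.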
        

Add the MART host alias to your org

You must add the host alias of the MART endpoint to your Apigee organization. You set this value previously when you set the mart.hostAlias property in your overrides file. The management plane needs this address so that it can communicate with the runtime plane over MART.

Follow these steps to add the MART host alias to your organization:

  1. Get the value you set previously in your overrides file for the mart.hostAlias property. For MART to function, the host alias must be a fully qualified domain name.
  2. If you haven't done so, get an authorization token for your user account.
  3. Execute these two commands to get a token:
    export GOOGLE_APPLICATION_CREDENTIALS=org-admin-service-account-file
    export TOKEN=$(gcloud auth application-default print-access-token)

    Where org-admin-service-account-file is the path on your system to the service account key you downloaded with the Apigee Organization Admin role.

  4. Call the following management API to update your organization with the MART endpoint:
    curl -v -X PUT \
       https://apigee.googleapis.com/v1/organizations/your_org_name \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer $TOKEN" \
      -d '{
      "name" : "your_org_name",
      "properties" : {
        "property" : [ {
          "name" : "features.hybrid.enabled",
          "value" : "true"
        }, {
          "name" : "features.mart.server.endpoint",
          "value" : "https://HOST_ALIAS_DNS"
        } ]
      }
    }'

    Here is an example. Be sure to add the prefix "https://" to the host alias.

    curl -v -X PUT \
       https://apigee.googleapis.com/v1/organizations/my_organization \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer $TOKEN" \
      -d '{
      "name" : "my_organization",
      "properties" : {
        "property" : [ {
          "name" : "features.hybrid.enabled",
          "value" : "true"
        }, {
          "name" : "features.mart.server.endpoint",
          "value" : "https://foo-mart.example.com"
        } ]
      }
    }'
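
Two requirements from the steps above are easy to get wrong: mart.hostAlias must be a fully qualified domain name, and the endpoint value needs the "https://" prefix. The following added example (not part of the original page) checks the alias and builds the request body; the function names are hypothetical and the allowed character set for organization names is an assumption.

```shell
#!/bin/sh
# Added example (not from the Apigee docs): validate mart.hostAlias and build
# the organization update body. Function names are hypothetical.

NL='
'
# True when $1 is a single line that fully matches extended regex $2.
matches() {
  case $1 in *"$NL"*) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eq "^($2)\$"
}

# Succeeds only for a bare fully qualified domain name: at least two labels,
# an alphabetic top-level label, no scheme, port, path or IP address.
is_fqdn() {
  [ "${#1}" -le 253 ] || return 1
  matches "$1" '([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}'
}

# mart_org_body ORG_NAME HOST_ALIAS
# Prints the JSON body for the PUT call, adding the https:// prefix itself.
mart_org_body() {
  mob_org=$1
  mob_host=$2
  # Assumption: organization names use only letters, digits, "_" and "-".
  matches "$mob_org" '[A-Za-z0-9_-]+' \
    || { echo "unexpected characters in org name: $mob_org" >&2; return 1; }
  is_fqdn "$mob_host" \
    || { echo "mart.hostAlias is not an FQDN: $mob_host" >&2; return 1; }
  cat <<EOF
{
  "name": "$mob_org",
  "properties": {
    "property": [
      { "name": "features.hybrid.enabled", "value": "true" },
      { "name": "features.mart.server.endpoint", "value": "https://$mob_host" }
    ]
  }
}
EOF
}

# Constructed inputs: the page's example alias, then two common mistakes.
mart_org_body my_organization foo-mart.example.com
mart_org_body my_organization https://foo-mart.example.com || echo "rejected: scheme included"
mart_org_body my_organization foo-mart || echo "rejected: not fully qualified"
```

The printed body can be passed to the PUT call with -d "$(mart_org_body your_org_name HOST_ALIAS_DNS)".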

Save the overrides file

Be sure to save your overrides file. You will need this file to perform future upgrades, patches, or any other modifications to the cluster configuration.