AHR Hybrid Small topology 1.3 - apigee/ahr GitHub Wiki
This walkthrough is BYOP-oriented (Bring-Your-Own-Project). It was tested in a Qwiklabs environment.
?. If you are not already there, change to the home directory
cd ~
?. Clone ahr git repository
git clone https://github.com/apigee/ahr.git
?. Define AHR_HOME variable and add bin directory to the PATH
export AHR_HOME=~/ahr
export PATH=$AHR_HOME/bin:$PATH
Hybrid Install Environment
?. Configure hybrid install environment location
export HYBRID_HOME=~/apigee-hybrid-install
export HYBRID_ENV=$HYBRID_HOME/hybrid-1.3.env
?. Create HYBRID_HOME directory, if it does not exist.
mkdir -p $HYBRID_HOME
?. Use the provided example configuration for a small-footprint hybrid runtime cluster.
cp $AHR_HOME/examples/hybrid-sz-s-1.3.sh $HYBRID_ENV
TODO: Add tour on HYBRID_ENV variables; or vi $HYBRID_ENV
GCP Project Settings
?. Set up variable $PROJECT as appropriate.
NOTE: If your gcloud config already points at the correct project, you can use
export PROJECT=$(gcloud config get-value project)
?. If we are in a Qwiklabs project, use the following command
export PROJECT=$(gcloud projects list --filter='project_id~qwiklabs-gcp' --format='value(project_id)')
?. To verify environment variable,
echo $PROJECT
?. To configure gcloud to use the project
gcloud config set project $PROJECT
?. Configure the REGION variable in the current session. We are using the contents of $HYBRID_ENV as a single source of truth.
source <(grep 'export REGION=' $HYBRID_ENV)
?. Enable required APIs
ahr-verify-ctl api-enable
?. Verify and observe the list of APIs that are required to be enabled for Apigee Hybrid
ahr-verify-ctl api-check
Provision Load Balancer for Istio Ingress Gateway
?. Reserve a regional static IP address for the load balancer we will use in the Istio ingress gateway configuration.
gcloud compute addresses create runtime-ip --region $REGION
?. Fetch the IP address of the runtime-ip address
export RUNTIME_IP=$(gcloud compute addresses describe runtime-ip --region $REGION --format='value(address)')
?. Edit the $HYBRID_ENV file to set the value of the RUNTIME_IP variable to the IP address reserved for the Istio Ingress Gateway.
sed -i -E "s/^(export RUNTIME_IP=).*/\1$RUNTIME_IP/g" $HYBRID_ENV
Source Environment Variables that comprise Hybrid configuration
source $HYBRID_ENV
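The two patterns used above, reading one variable out of $HYBRID_ENV with `source <(grep ...)` and writing one back with `sed -i -E`, generalise to a pair of helpers. The block below is an added example, not part of the ahr project; it assumes bash, GNU or BSD sed, and an env file made of `export NAME=value` lines, and it uses a constructed sample file in place of hybrid-1.3.env. Unlike the page's one-off sed, `env_set` escapes the value, so a value containing `/`, `&` or `\` (which an IP address never does, but a URL or path might) cannot corrupt the file, and it appends the variable when it is not there yet instead of silently doing nothing.

```bash
#!/usr/bin/env bash
# Added example (not ahr's own code): treat an env file such as $HYBRID_ENV
# as the single source of truth, with a read helper that mirrors
# `source <(grep 'export REGION=' $HYBRID_ENV)` and a write helper that
# mirrors `sed -i -E "s/^(export RUNTIME_IP=).*/\1$RUNTIME_IP/"`.
# Assumptions: bash, GNU or BSD sed, lines of the form `export NAME=value`.

# Print the value of one variable from the env file without sourcing the
# whole file. The last matching line wins, as it would after `source`.
env_get() {
  local name=$1 file=$2
  grep -E "^export ${name}=" "$file" | tail -n 1 | sed -E "s/^export ${name}=//"
}

# Replace the value of one variable in place, or append it if absent.
# The value is escaped for sed's replacement side so '/', '&' and '\'
# are written literally rather than being interpreted by sed.
env_set() {
  local name=$1 value=$2 file=$3
  local escaped
  escaped=$(printf '%s' "$value" | sed -e 's|[/&\\]|\\&|g')
  if grep -qE "^export ${name}=" "$file"; then
    # -i.bak works on both GNU and BSD sed; the backup is removed on success.
    sed -i.bak -E "s/^(export ${name}=).*/\1${escaped}/" "$file" && rm -f "${file}.bak"
  else
    printf 'export %s=%s\n' "$name" "$value" >> "$file"
  fi
}

# Constructed sample env file standing in for the page's hybrid-1.3.env;
# prints the path of the temporary file it created.
demo_env_file() {
  local f
  f=$(mktemp)
  cat > "$f" <<'EOF'
export REGION=europe-west1
export RUNTIME_IP=
export RUNTIME_HOST_ALIAS=api.example.com
EOF
  printf '%s' "$f"
}

# Usage, as on the page: fill in RUNTIME_IP, then read REGION back.
#   f=$(demo_env_file)
#   env_set RUNTIME_IP 203.0.113.10 "$f"
#   env_get REGION "$f"      # europe-west1
```

Because `env_get` only evaluates the one line it was asked for, it also avoids executing anything else that may be in the file, which is the reason to prefer it over `source $HYBRID_ENV` when you only need a single value from a file you have not inspected yet.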
Create GKE Cluster
?. Define the cluster configuration file using the provided small-topology cluster template
ahr-cluster-ctl template $CLUSTER_TEMPLATE > $CLUSTER_CONFIG
?. Inspect the configuration of the cluster we are about to create
vi $CLUSTER_CONFIG
?. Create the cluster
ahr-cluster-ctl create
Install Hybrid Prerequisite components
?. Install Certificate Manager
kubectl apply --validate=false -f $CERT_MANAGER_MANIFEST
Install Anthos Service Mesh
TODO: convert into a single operation, ahr-*-ctl TODO: WIP: there are some differences in installing 1.5.x and 1.6.x
?. Get ASM installation files
ahr-cluster-ctl asm-get $ASM_VERSION
?. Define ASM_HOME and add ASM bin directory to the path by copying and pasting provided export statements from the previous command output.
export ASM_HOME=$HYBRID_HOME/istio-$ASM_VERSION
export PATH=$ASM_HOME/bin:$PATH
?. Add a mesh_id label to the cluster in the format proj-PROJECT_NUMBER, where PROJECT_NUMBER is the project number of the project in which the cluster is created.
The mesh_id label is required for metrics to be displayed on the Anthos Service Mesh dashboard in the Cloud Console.
NOTE: PROJECT_NUMBER and MESH_ID are defined in $HYBRID_ENV
?. Inspect $HYBRID_ENV
vi $HYBRID_ENV
?. The asm-template operation requires yq to be present. Either you already have it, install it using your preferred method, or use the opinionated, minimally-intrusive ahr method
ahr-verify-ctl prereqs-install-yq
export PATH=~/bin:$PATH
IstioOperator Manifest: from anthos-service-mesh-packages
?. We need an IstioOperator manifest to customise the ASM ingress gateway for Hybrid needs. Let's use the provided template
ahr-cluster-ctl asm-template $ASM_TEMPLATE > $ASM_CONFIG
IstioOperator Manifest: $AHR_HOME/templates
NOTE: in this case, we need to define PROJECT_NUMBER. MESH_ID is a proj-$PROJECT_NUMBER value. We use $ref to preserve the original istio-operator.yaml comments intact. They are useless for kpt, as the markers are broken, but they are still a good reference.
export ASM_PROFILE=asm-gcp
export PROJECT_NUMBER=$(gcloud projects describe ${PROJECT} --format="value(projectNumber)")
export ref=\$ref
export ASM_RELEASE=$(echo "$ASM_VERSION"|awk '{sub(/\.[0-9]+-asm\.[0-9]+/,"");print}')
ahr-cluster-ctl template $AHR_HOME/templates/istio-operator-$ASM_RELEASE-$ASM_PROFILE.yaml > $ASM_CONFIG
?. Install ASM
NOTE: notice that we are using the asm-gcp profile hardcoded in the istio-operator.yaml spec.profile field; that's why we don't need the explicit profile command-line option
istioctl manifest apply -f $ASM_CONFIG
Output:
! global.mtls.enabled is deprecated; use the PeerAuthentication resource instead
✔ Istio core installed
✔ Istiod installed
✔ Ingress gateways installed
✔ Installation complete
NOTE: While troubleshooting, it is a good idea to use the asmctl validate command:
gcloud container clusters get-credentials $CLUSTER --zone=$CLUSTER_ZONE
asmctl validate
Output:
[asmctl version 0.4.1] Using Kubernetes context: qwiklabs-gcp-01-f8b51a666891_europe-west1-b_hybrid-cluster
To change the context, use the --context flag
Validating enabled APIs
OK
Validating ingressgateway configuration
OK
Validating istio system
OK
NOTE: If you need to delete the ASM installation:
kubectl delete namespace istio-system
Apigee Hybrid Runtime Installation
?. Get Hybrid distribution code
ahr-runtime-ctl get
?. Define APIGEECTL_HOME and add its bin directory to the PATH
export APIGEECTL_HOME=$HYBRID_HOME/$(tar tf $HYBRID_HOME/$HYBRID_TARBALL | grep VERSION.txt | cut -d "/" -f 1)
export PATH=$APIGEECTL_HOME:$PATH
Create Organization, Environment, and Environment group
?. We need the wait-for-ready() function defined in ahr-lib.sh. Let's source it
source $AHR_HOME/bin/ahr-lib.sh
?. Verify that the organization name we are going to use passes the validity checks
ahr-runtime-ctl org-validate-name $ORG
?. Create Organization and define Analytics region
ahr-runtime-ctl org-create $ORG --ax-region $AX_REGION
?. Create Environment $ENV
ahr-runtime-ctl env-create $ENV
?. Define Environment Group and Host Name
ahr-runtime-ctl env-group-create $ENV_GROUP $RUNTIME_HOST_ALIAS
?. Assign environment $ENV to the environment Group $ENV_GROUP
ahr-runtime-ctl env-group-assign $ORG $ENV_GROUP $ENV
Create Service Account for Components Access
?. Create all Apigee component service accounts in the directory SA_DIR
ahr-sa-ctl create-sa all
ahr-sa-ctl create-key all
?. Configure synchronizer and apigeeconnect component
ahr-runtime-ctl setsync $SYNCHRONIZER_SA_ID
?. Verify Hybrid Control Plane Configuration
ahr-runtime-ctl org-config
?. Observe:
- check that the organization is hybrid-enabled
- check that Apigee Connect is enabled
- check that the synchronizer configuration is correct
Create SSC Certificate and KEY
?. Create Key and Self-signed Certificate for Istio Ingress Gateway
ahr-verify-ctl cert-create-ssc $RUNTIME_SSL_CERT $RUNTIME_SSL_KEY $RUNTIME_HOST_ALIAS
?. Inspect certificate contents
openssl x509 -in $RUNTIME_SSL_CERT -text -noout
?. Check validity as of today
ahr-verify-ctl cert-is-valid $RUNTIME_SSL_CERT
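The checks a practitioner wants before trusting a self-signed certificate on the ingress gateway go a little beyond "is it valid today": the host alias must appear in the certificate's subjectAltName (curl, which the test request at the end of this page relies on, ignores the CN for hostname matching), and the private key must actually belong to the certificate. The block below is an added example, not ahr's own cert-create-ssc or cert-is-valid implementation; it assumes bash and OpenSSL 1.1.1 or later (for -addext and -ext), and uses constructed file names and host names.

```bash
#!/usr/bin/env bash
# Added example (not ahr's cert-create-ssc / cert-is-valid): create a
# self-signed certificate for a runtime host alias and verify it.
# Assumptions: bash, openssl >= 1.1.1.

# Create a 2048-bit RSA key and a self-signed certificate whose CN and SAN
# are both the host alias. The SAN is what clients check the hostname against.
ssc_create() {
  local cert=$1 key=$2 host=$3 days=${4:-365}
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
    -keyout "$key" -out "$cert" -days "$days" \
    -subj "/CN=${host}" -addext "subjectAltName=DNS:${host}" 2>/dev/null
}

# Exit 0 if the certificate has not expired. -checkend N fails when the
# certificate expires within N seconds; N=0 means "already expired".
cert_is_valid() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Exit 0 if the expected host is listed as a DNS SAN, bounded by a comma or
# end of line so that api.example.com does not match api.example.com.evil.
cert_has_san() {
  local cert=$1 host=$2
  openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null \
    | grep -qE "DNS:${host}"'(,|$)'
}

# Exit 0 if the private key's public half equals the certificate's public key,
# which catches a certificate and key file that got mixed up.
cert_key_match() {
  local cert=$1 key=$2
  local c k
  c=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
  k=$(openssl pkey -in "$key" -pubout) || return 1
  [ "$c" = "$k" ]
}

# Usage with the page's variables (hypothetical values):
#   ssc_create "$RUNTIME_SSL_CERT" "$RUNTIME_SSL_KEY" "$RUNTIME_HOST_ALIAS"
#   cert_is_valid "$RUNTIME_SSL_CERT" && cert_has_san "$RUNTIME_SSL_CERT" "$RUNTIME_HOST_ALIAS" \
#     && cert_key_match "$RUNTIME_SSL_CERT" "$RUNTIME_SSL_KEY" && echo OK
```

Because the certificate is self-signed, the only thing that anchors trust in it is the file handed to the client: the `curl --cacert $RUNTIME_SSL_CERT` test request later on the page pins exactly this certificate, which is why a SAN mismatch shows up there as a TLS error rather than a warning.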
Apigee Organization Role for Current User Account
If you are not a Project Owner, or if you are automating the Hybrid installation and use a Service Account, you or that SA needs to have the Apigee Organization Admin role.
?. Get the account of the currently logged-in user in the email format
NOTE: It is hard to generalize, but for a Qwiklabs account the format would be user:[email protected]. If we need it for a service account, we would use the `serviceAccount:` prefix.
export ACCOUNT=user:$(gcloud config list --format='value(core.account)')
?. Add the Apigee Hybrid Admin role to the current user account. It is not assigned by default.
gcloud projects add-iam-policy-binding $PROJECT --member $ACCOUNT --role roles/apigee.admin
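The note above leaves the `user:` versus `serviceAccount:` choice to the reader. As an added example, not ahr's code, the helper below derives the IAM member string from the account address returned by `gcloud config list --format='value(core.account)'`; it assumes, as is the case on Google Cloud, that service account addresses always end in `.gserviceaccount.com` and that anything else with an `@` is a user, and it refuses input that is not an address at all so a typo cannot end up as a malformed binding.

```bash
#!/usr/bin/env bash
# Added example (not ahr's code): build the --member value for
# `gcloud projects add-iam-policy-binding` from an account address.
# Assumption: service accounts live under *.gserviceaccount.com; any other
# address is a user account.
iam_member() {
  local account=$1
  case "$account" in
    *@*.gserviceaccount.com) printf 'serviceAccount:%s\n' "$account" ;;
    *@*)                     printf 'user:%s\n' "$account" ;;
    *)
      printf 'iam_member: %s is not an account address\n' "$account" >&2
      return 1 ;;
  esac
}

# Usage with the page's variables:
#   export ACCOUNT=$(iam_member "$(gcloud config list --format='value(core.account)')")
#   gcloud projects add-iam-policy-binding $PROJECT --member $ACCOUNT --role roles/apigee.admin
```

Granting roles/apigee.admin is a project-level binding; when the installation is automated, give it to the dedicated service account that runs the install rather than to a personal account, so the permission can be revoked with the account when the automation is retired.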
Install Hybrid runtime components
?. Generate Runtime Configuration yaml file
ahr-runtime-ctl template $AHR_HOME/templates/overrides-small-1.3-template.yaml > $RUNTIME_CONFIG
?. Inspect generated runtime configuration file
vi $RUNTIME_CONFIG
?. Observe:
- TODO:
?. Verify prerequisites
TODO: ahr-verify
?. Install the runtime auxiliary components
ahr-runtime-ctl apigeectl init -f $RUNTIME_CONFIG
?. Wait till ready
ahr-runtime-ctl apigeectl wait-for-ready -f $RUNTIME_CONFIG
?. Install Hybrid runtime components
ahr-runtime-ctl apigeectl apply -f $RUNTIME_CONFIG
?. Wait till ready
ahr-runtime-ctl apigeectl wait-for-ready -f $RUNTIME_CONFIG
Test Hybrid Installation: Manual
Create a test proxy
?. Open apigee.google.com
?. Open Develop/API Proxies
?. +Proxy
?. No target
?. Name: ping, Next
?. Pass through, Next
?. Tick Deployment into test, Create and Deploy
?. Edit Proxy
?. In the OVERVIEW tab, wait till deployed
?. Activate TRACE Tab
?. Select the ping proxy version to test in the combobox
?. Start Trace Session
Test Hybrid Installation: provided example proxy bundle
$AHR_HOME/proxies/deploy.sh
Execute test request
Test Request for Ping proxy
curl --cacert $RUNTIME_SSL_CERT https://$RUNTIME_HOST_ALIAS/ping -v --resolve "$RUNTIME_HOST_ALIAS:443:$RUNTIME_IP" --http1.1
?. Observe TRACE session results