AHR Hybrid Small topology 1.4 - apigee/ahr GitHub Wiki

This walkthrough is BYOP-oriented (Bring-Your-Own-Project). It was tested in a Qwiklabs environment.

?. If you are not already there, change to the home directory

cd ~

?. Clone ahr git repository

git clone https://github.com/apigee/ahr.git

?. Define AHR_HOME variable and add bin directory to the PATH

export AHR_HOME=~/ahr
export PATH=$AHR_HOME/bin:$PATH

Hybrid Install Environment

?. Configure hybrid install environment location

export HYBRID_HOME=~/apigee-hybrid-install
export HYBRID_ENV=$HYBRID_HOME/hybrid-1.4.env

?. Create HYBRID_HOME directory, if it does not exist.

mkdir -p $HYBRID_HOME

?. Use the provided example configuration for a small-footprint hybrid runtime cluster.

cp $AHR_HOME/examples/hybrid-sz-s-1.4.sh $HYBRID_ENV

TODO: Add tour on HYBRID_ENV variables; or vi $HYBRID_ENV

GCP Project Settings

?. Set up variable $PROJECT as appropriate.

NOTE: If your gcloud config already points at the correct project, you can use

export PROJECT=$(gcloud config get-value project)

?. If we are in a Qwiklabs project, use the following command

export PROJECT=$(gcloud projects list --filter='project_id~qwiklabs-gcp' --format='value(project_id)')

?. Verify the environment variable:

echo $PROJECT

?. Point the gcloud configuration at this project:

gcloud config set project $PROJECT

?. Configure the REGION variable in the current session. We use the contents of $HYBRID_ENV as the single source of truth, so only that one line is sourced rather than the whole file.

source <(grep 'export REGION=' $HYBRID_ENV)

?. Enable required APIs

ahr-verify-ctl api-enable

?. Verify and observe list of APIs that are required to be enabled for Apigee Hybrid

ahr-verify-ctl api-check

Provision Load Balancer for Istio Ingress Gateway

?. Reserve a regional static IP address; it becomes the frontend of the load balancer for the Istio ingress gateway.

gcloud compute addresses create runtime-ip --region $REGION

?. Fetch the reserved IP address

export RUNTIME_IP=$(gcloud compute addresses describe runtime-ip --region $REGION --format='value(address)')

?. Edit the $HYBRID_ENV file so that the RUNTIME_IP variable holds the reserved IP address of the Istio ingress gateway. Note that sed only substitutes an existing `export RUNTIME_IP=` line, and writes an empty value if $RUNTIME_IP is unset, so check the result before moving on.

sed -i -E "s/^(export RUNTIME_IP=).*/\1$RUNTIME_IP/g" $HYBRID_ENV
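The two steps above pull one variable out of $HYBRID_ENV with grep and rewrite another with sed; the sed form quietly does nothing when the export line is absent and quietly blanks the variable when $RUNTIME_IP is empty. The helpers below are an added example and not part of ahr: env_get and env_set are hypothetical names, the env file content is constructed for the demo, and env_set refuses empty values, appends the line when it is missing, and reads the file back to confirm the write.

```shell
#!/usr/bin/env bash
# Added example, not ahr code: read and update single `export NAME=value`
# lines in an env file without sourcing the whole file.
# env_get / env_set are hypothetical helper names.

# env_get NAME FILE: print the value of the last `export NAME=...` line in FILE.
# Returns 1 when the variable is not defined there, so a missing setting is
# noticed instead of silently expanding to an empty string later.
env_get() {
    local name=$1 file=$2 line
    line=$(grep -E "^export ${name}=" "$file" | tail -n 1)
    [ -n "$line" ] || return 1
    line=${line#export "${name}"=}
    # strip one layer of surrounding single or double quotes, if present
    line=${line#[\"\']}
    line=${line%[\"\']}
    printf '%s\n' "$line"
}

# env_set NAME VALUE FILE: replace the `export NAME=...` line in place, or
# append it when absent. Refuses an empty VALUE: the plain sed substitution
# in the walkthrough would otherwise quietly write `export NAME=`.
# VALUE must not contain `|` or `&`, which sed would interpret.
env_set() {
    local name=$1 value=$2 file=$3
    if [ -z "$value" ]; then
        echo "env_set: refusing to set ${name} to an empty value" >&2
        return 2
    fi
    if grep -qE "^export ${name}=" "$file"; then
        sed -i -E "s|^(export ${name}=).*|\1${value}|" "$file" || return 1
    else
        printf 'export %s=%s\n' "$name" "$value" >> "$file" || return 1
    fi
    # read back so a failed or partial write is reported, not assumed
    [ "$(env_get "$name" "$file")" = "$value" ]
}

# Demo on a constructed env file (not a real hybrid-1.4.env)
demo_env=$(mktemp)
cat > "$demo_env" <<'EOF'
export REGION=europe-west1
export RUNTIME_IP=
export RUNTIME_HOST_ALIAS="api.example.com"
EOF
env_set RUNTIME_IP 203.0.113.10 "$demo_env"
echo "REGION=$(env_get REGION "$demo_env") RUNTIME_IP=$(env_get RUNTIME_IP "$demo_env")"
rm -f "$demo_env"
```

In the walkthrough, `source <(grep 'export REGION=' $HYBRID_ENV)` becomes `REGION=$(env_get REGION $HYBRID_ENV)` and the sed step becomes `env_set RUNTIME_IP "$RUNTIME_IP" $HYBRID_ENV`, which fails loudly instead of leaving a blank ingress address in the file.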

Source Environment Variables that comprise Hybrid configuration

source $HYBRID_ENV

Source helper functions into a current bash session

?. Later we will need a number of functions, such as token() and wait-for-ready(), defined in ahr-lib.sh. Let's load them into the current session.

source $AHR_HOME/bin/ahr-lib.sh

Create GKE Cluster

?. Define cluster configuration file using provided small topology cluster template

ahr-cluster-ctl template $CLUSTER_TEMPLATE > $CLUSTER_CONFIG

?. Inspect the cluster that we are creating

vi $CLUSTER_CONFIG

?. Create the cluster

ahr-cluster-ctl create

Install Hybrid Prerequisite components

?. Install Certificate Manager

kubectl apply --validate=false -f $CERT_MANAGER_MANIFEST

Install Anthos Service Mesh

TODO: convert into a single operation, ahr-*-ctl TODO: WIP: there are some differences in installing 1.5.x and 1.6.x

?. Get ASM installation files

ahr-cluster-ctl asm-get $ASM_VERSION

?. Define ASM_HOME and add ASM bin directory to the path by copying and pasting provided export statements from the previous command output.

export ASM_HOME=$HYBRID_HOME/istio-$ASM_VERSION
export PATH=$ASM_HOME/bin:$PATH

?. Inspect $HYBRID_ENV

vi $HYBRID_ENV

?. The asm-template operation requires yq to be present. Either you already have it, install it using your preferred method, or use the opinionated, minimally intrusive ahr method, which installs it under ~/bin

ahr-verify-ctl prereqs-install-yq
export PATH=~/bin:$PATH

IstioOperator Manifest: $AHR_HOME/templates

NOTE: In this case we need to define PROJECT_NUMBER, because MESH_ID is the value proj-$PROJECT_NUMBER. We export ref as the literal string $ref so that the original istio-operator.yaml comments survive templating intact. They are useless for kpt, as the setter markers are broken, but they remain a good reference.

export ASM_PROFILE=asm-gcp

export PROJECT_NUMBER=$(gcloud projects describe ${PROJECT} --format="value(projectNumber)")
export ref=\$ref

export ASM_RELEASE=$(echo "$ASM_VERSION"|awk '{sub(/\.[0-9]+-asm\.[0-9]+/,"");print}')

ahr-cluster-ctl template $AHR_HOME/templates/istio-operator-$ASM_RELEASE-$ASM_PROFILE.yaml > $ASM_CONFIG

Configure your GKE cluster to recognise Istio Mesh for the Anthos/ASM Dashboards to work correctly

?. Add MESH_ID label to the cluster labels. The mesh_id label is required for metrics to get displayed on the Anthos Service Mesh dashboard in the Cloud Console.

ahr-cluster-ctl cluster-add-labels "mesh_id=proj-$PROJECT_NUMBER"

?. Enable workload identity for the GKE cluster

export WORKLOAD_POOL=${PROJECT}.svc.id.goog

gcloud container clusters update ${CLUSTER} --project=${PROJECT} --zone=$CLUSTER_ZONE --workload-pool=${WORKLOAD_POOL}

?. Initialise ASM mesh

curl -H "Authorization: Bearer $(token)" "https://meshconfig.googleapis.com/v1alpha1/projects/${PROJECT}:initialize" --data ''

?. Install ASM

NOTE: we are using the asm-gcp profile hardcoded in the istio-operator.yaml spec.profile field, which is why no explicit profile command-line option is needed

istioctl install -f $ASM_CONFIG

Output:

! global.mtls.enabled is deprecated; use the PeerAuthentication resource instead
✔ Istio core installed                
✔ Istiod installed                
✔ Ingress gateways installed                                                                         
✔ Installation complete    

NOTE: If you need to delete the ASM installation:

kubectl delete namespace istio-system

Apigee Hybrid Runtime Installation

?. Get Hybrid distribution code

ahr-runtime-ctl get-apigeectl

?. Define APIGEECTL_HOME and add it to the PATH (the apigeectl binary sits at the top level of the distribution directory)

export APIGEECTL_HOME=$HYBRID_HOME/$(tar tf $HYBRID_HOME/$APIGEECTL_TARBALL | grep VERSION.txt | cut -d "/" -f 1)
export PATH=$APIGEECTL_HOME:$PATH

Create Organization, Environment, and Environment group

?. Verify if Organization name we are going to use passes validity checks

ahr-runtime-ctl org-validate-name $ORG

?. Create Organization and define Analytics region

ahr-runtime-ctl org-create $ORG --ax-region $AX_REGION

?. Create Environment $ENV

ahr-runtime-ctl env-create $ENV

?. Define Environment Group and Host Name

ahr-runtime-ctl env-group-create $ENV_GROUP $RUNTIME_HOST_ALIAS

?. Assign environment $ENV to the environment Group $ENV_GROUP

ahr-runtime-ctl env-group-assign $ORG $ENV_GROUP $ENV

Create Service Accounts for Component Access

?. Create all Apigee component service accounts, and a key for each, in the directory SA_DIR. The key files are long-lived credentials: keep SA_DIR readable only by you and never commit it to a repository.

ahr-sa-ctl create-sa all
ahr-sa-ctl create-key all

?. Configure synchronizer and apigeeconnect component

ahr-runtime-ctl setsync $SYNCHRONIZER_SA_ID

?. Verify Hybrid Control Plane Configuration

ahr-runtime-ctl org-config

?. Observe:

  • check that the organization is hybrid-enabled
  • check that Apigee Connect is enabled
  • check that the synchronizer identity is correct

Create Self-Signed Certificate and Key

?. Create Key and Self-signed Certificate for Istio Ingress Gateway

ahr-verify-ctl cert-create-ssc $RUNTIME_SSL_CERT $RUNTIME_SSL_KEY $RUNTIME_HOST_ALIAS

?. Inspect certificate contents

openssl x509 -in $RUNTIME_SSL_CERT -text -noout

?. check validity as of today

ahr-verify-ctl cert-is-valid $RUNTIME_SSL_CERT
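The certificate created above is what the test request later trusts via --cacert, and curl will verify the host alias against it. Two properties matter for that to work: the certificate must be inside its validity window, and the host alias must appear as a DNS subjectAltName, since modern clients ignore a bare CN. The block below is an added example, not ahr code: cert_create_ssc, cert_is_valid, cert_expires_within and cert_matches_host are hypothetical helper names, the host name is constructed for the demo, and -addext needs OpenSSL 1.1.1 or later.

```shell
#!/usr/bin/env bash
# Added example, not ahr code: create a self-signed certificate for the
# ingress host alias and check it the way a TLS client will: not expired,
# and the host name present as a DNS subjectAltName.
# Helper names are hypothetical. Needs OpenSSL 1.1.1+ for -addext.

# cert_create_ssc HOST CERT KEY [DAYS]: self-signed cert and key for HOST,
# with HOST as both CN and DNS SAN.
cert_create_ssc() {
    local host=$1 cert=$2 key=$3 days=${4:-365}
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$key" -out "$cert" -days "$days" \
        -subj "/CN=${host}" \
        -addext "subjectAltName=DNS:${host}" >/dev/null 2>&1 || return 1
    chmod 600 "$key"    # the private key is a credential: owner-only
}

# cert_is_valid CERT: 0 if the certificate has not expired as of now.
cert_is_valid() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# cert_expires_within CERT SECONDS: 0 if CERT expires within SECONDS.
# A renewal alarm for short-lived self-signed certificates.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# cert_matches_host CERT HOST: 0 if HOST is listed as a DNS SAN entry.
cert_matches_host() {
    local re
    re=$(printf '%s' "$2" | sed 's/\./\\./g')   # match dots literally
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -qE "DNS:${re}(\$|,|[[:space:]])"
}

# Demo with a constructed host name, written into a temp dir
demo_dir=$(mktemp -d)
cert_create_ssc api.example.com "$demo_dir/cert.pem" "$demo_dir/key.pem" 30
cert_is_valid "$demo_dir/cert.pem" && echo "valid now"
cert_matches_host "$demo_dir/cert.pem" api.example.com && echo "SAN matches host"
rm -rf "$demo_dir"
```

Run cert_matches_host against $RUNTIME_SSL_CERT with $RUNTIME_HOST_ALIAS after the ahr step; if it fails, the later curl --cacert request will fail hostname verification even though the certificate itself is trusted.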

Apigee Organization Role for Current User Account

If you are not a Project Owner, or if you are automating the Hybrid installation with a Service Account, you (or that SA) need the Apigee Organization Admin role.

?. Get the account of the currently logged-in user, in IAM member format

NOTE: It is hard to generalize, but for a Qwiklabs account the format is user: followed by the account email address. For a Service Account we would use the serviceAccount: prefix instead.

export ACCOUNT=user:$(gcloud config list --format='value(core.account)')

?. Add the Apigee Organization Admin role (roles/apigee.admin) to the current account. It is not assigned by default.

gcloud projects add-iam-policy-binding $PROJECT --member $ACCOUNT --role roles/apigee.admin
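The member prefix depends on the kind of principal, and add-iam-policy-binding is safe to repeat but noisy when scripted. The helpers below are an added example, not ahr code: iam_member picks the prefix from the address (service account addresses end in gserviceaccount.com, everything else is treated as a user), and iam_has_role checks the project policy so the grant can be skipped when it already exists. Both names are hypothetical; iam_has_role needs gcloud and project access, so only iam_member is exercised offline.

```shell
#!/usr/bin/env bash
# Added example, not ahr code: build the IAM member string for the principal
# gcloud is running as, and make the role grant idempotent by checking the
# project policy first. iam_member / iam_has_role are hypothetical helpers.

# iam_member PRINCIPAL: prefix an address with its IAM member type.
# Service account addresses end in gserviceaccount.com; any other address is
# treated as a user account (a Qwiklabs student account, for instance).
# An already-prefixed member is passed through unchanged.
iam_member() {
    local principal=$1
    case "$principal" in
        "")                          return 1 ;;
        user:*@*|serviceAccount:*@*) printf '%s\n' "$principal" ;;
        *@*.gserviceaccount.com)     printf 'serviceAccount:%s\n' "$principal" ;;
        *@*)                         printf 'user:%s\n' "$principal" ;;
        *)                           return 1 ;;
    esac
}

# iam_has_role PROJECT MEMBER ROLE: 0 if MEMBER is already bound to ROLE.
# Requires gcloud and access to the project; not exercised offline.
iam_has_role() {
    local project=$1 member=$2 role=$3
    gcloud projects get-iam-policy "$project" \
        --flatten='bindings[].members' \
        --filter="bindings.role=${role}" \
        --format='value(bindings.members)' | grep -qx "$member"
}

# Walkthrough usage (requires gcloud; shown, not run here):
#   ACCOUNT=$(iam_member "$(gcloud config list --format='value(core.account)')")
#   iam_has_role "$PROJECT" "$ACCOUNT" roles/apigee.admin \
#     || gcloud projects add-iam-policy-binding "$PROJECT" \
#          --member "$ACCOUNT" --role roles/apigee.admin
```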

Install Hybrid runtime components

?. Generate Runtime Configuration yaml file

ahr-runtime-ctl template $AHR_HOME/templates/overrides-small-1.4-template.yaml > $RUNTIME_CONFIG

?. Inspect generated runtime configuration file

vi $RUNTIME_CONFIG

?. Observe:

  • TODO:

?. Verify prerequisites

TODO: ahr-verify

?. Install the runtime auxiliary components

ahr-runtime-ctl apigeectl init -f $RUNTIME_CONFIG

?. Wait till ready

ahr-runtime-ctl apigeectl wait-for-ready -f $RUNTIME_CONFIG

?. Install Hybrid runtime components

ahr-runtime-ctl apigeectl apply -f $RUNTIME_CONFIG

?. Wait till ready

ahr-runtime-ctl apigeectl wait-for-ready -f $RUNTIME_CONFIG

Test Hybrid Installation: Manual

Create a test proxy

?. Open apigee.google.com

?. Open Develop/API Proxies

?. +Proxy

?. No target

?. Name: ping, Next

?. Pass through, Next

?. Tick Deployment into test, Create and Deploy

?. Edit Proxy

?. In the OVERVIEW tab, wait till deployed

?. Activate TRACE Tab

?. Select the ping proxy revision to test in the combo box

?. Start Trace Session

Test Hybrid Installation: provided example proxy bundle

$AHR_HOME/proxies/deploy.sh

Execute test request

Test request for the Ping proxy. The --cacert option trusts only our self-signed certificate, so TLS verification stays on instead of being disabled with -k; --resolve maps the host alias to the ingress IP without needing a DNS record.

curl --cacert $RUNTIME_SSL_CERT https://$RUNTIME_HOST_ALIAS/ping -v --resolve "$RUNTIME_HOST_ALIAS:443:$RUNTIME_IP" --http1.1

?. Observe TRACE session results