Install ASM
Apigee hybrid uses the Istio distribution provided with Anthos Service Mesh (ASM). Follow these steps to install ASM in your cluster.
Supported ASM versions
See Apigee hybrid: supported platforms for the ASM versions supported in hybrid version 1.5.
Perform ASM setup and configuration steps
To complete the ASM installation, you must first follow ASM-specific setup and configuration steps in the ASM documentation. Then, you must return here to complete the hybrid-specific configuration before applying the configuration to the cluster.
The instructions to install and configure ASM are different depending on your platform. The platforms are divided into the following categories:
- GKE: Google Kubernetes Engine clusters running on Google Cloud.
- Outside Google Cloud: Anthos clusters running on:
  - Anthos clusters on VMware (GKE on-prem)
  - Anthos on bare metal
  - Anthos clusters on AWS
  - Amazon EKS
- Other Kubernetes Platforms: Conformant clusters created and running on:
  - AKS
  - EKS
  - OpenShift
GKE
Prepare to install ASM
- Check the environment variables you will need for the following steps, and set them if you need to:
echo ${PROJECT_ID}
echo ${CLUSTER_NAME}
echo ${CLUSTER_LOCATION}
- Create an overlay file named overlay.yaml with the following contents:
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  components:
    ingressGateways:
      - name: istio-ingressgateway
        enabled: true
        k8s:
          nodeSelector:
            # default node selector, if different or not using node selectors, change accordingly.
            cloud.google.com/gke-nodepool: apigee-runtime
          resources:
            requests:
              cpu: 1000m
          service:
            type: LoadBalancer
            loadBalancerIP: STATIC_IP # If you do not have a reserved static IP, leave this out.
            ports:
              - name: http-status-port
                port: 15021
              - name: http2
                port: 80
                targetPort: 8080
              - name: https
                port: 443
                targetPort: 8443
  - apigee-runtime is the default value for the node selector. This is the apigee-runtime node pool you created in Step 1: Create a cluster. If you are using a different node selector or are not using one, change or omit the nodeSelector property.
  - STATIC_IP is the IP address for your load balancer. If you have not set one, omit the loadBalancerIP property, but keep the type and ports properties.
- Follow the instructions to prepare to install ASM:
  - Install asmcli and any required tools like git, kubectl, and jq, following the instructions in Install required tools.
  - Proceed through the step to Grant cluster admin permissions and stop. Do not perform the "Validate project and cluster" step.
- Install ASM with optional features. Specify the legacy ingress gateway with --option legacy-default-ingressgateway. For example:
./asmcli install \
  --verbose \
  --project_id $PROJECT_ID \
  --cluster_name $CLUSTER_NAME \
  --cluster_location $CLUSTER_LOCATION \
  --output_dir dir_path \
  --custom_overlay overlay.yaml \
  --enable_all \
  --option legacy-default-ingressgateway
  - dir_path is the output directory where you want asmcli to set up the ASM installation, including all subdirectories.
  - overlay.yaml is the overlay file you created in the previous steps.
Use these settings when following the instructions in Install with optional features.
Troubleshooting
If you encounter an error that refers to gcloud container hub memberships register, you may have exceeded the maximum number of clusters registered with GKE Hub. For example:
asmcli_1.12: [WARNING]: Command 'run_command gcloud container hub memberships register my-hybrid-example ...' failed.
Try the following steps to remedy this error and then run asmcli install again:
- List the GKE Hub memberships for your project:
gcloud container hub memberships list --project=$PROJECT_ID
- Delete the GKE Hub memberships:
gcloud container hub memberships delete "membership" --project=$PROJECT_ID
For more information about GKE Hub limits, see Quotas and limits.
Outside Google Cloud
These instructions are for installing and setting up ASM for Apigee hybrid instances using Anthos to run on:
- Anthos clusters on VMware (GKE on-prem)
- Anthos on bare metal
- Anthos clusters on AWS
- Amazon EKS
Prepare to install ASM
- Check the environment variables you will need for the following steps, and set them if you need to:
echo ${PROJECT_ID}
echo ${CLUSTER_NAME}
echo ${CLUSTER_LOCATION}
- Create an overlay file named overlay.yaml with the following contents:
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  components:
    ingressGateways:
      - name: istio-ingressgateway
        enabled: true
        k8s:
          nodeSelector:
            # default node selector, if different or not using node selectors, change accordingly.
            cloud.google.com/gke-nodepool: apigee-runtime
          resources:
            requests:
              cpu: 1000m
          service:
            type: LoadBalancer
            loadBalancerIP: STATIC_IP # If you do not have a reserved static IP, leave this out.
            ports:
              - name: http-status-port
                port: 15021
              - name: http2
                port: 80
                targetPort: 8080
              - name: https
                port: 443
                targetPort: 8443
  meshConfig:
    accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
  - apigee-runtime is the default value for the node selector. This is the apigee-runtime node pool you created in Step 1: Create a cluster. If you are using a different node selector or are not using one, change or omit the nodeSelector property.
  - STATIC_IP is the IP address for your load balancer. If you have not set one, omit the loadBalancerIP property, but keep the type and ports properties.
- Follow the instructions to prepare to install ASM:
  - Install asmcli and any required tools like git, kubectl, and jq, following the instructions in Install required tools.
  - Proceed through the step to Grant cluster admin permissions and stop. Do not perform the "Validate project and cluster" step.
- Install ASM with optional features. Specify the legacy ingress gateway with --option legacy-default-ingressgateway. For example:
./asmcli install \
  --verbose \
  --project_id $PROJECT_ID \
  --cluster_name $CLUSTER_NAME \
  --cluster_location $CLUSTER_LOCATION \
  --output_dir dir_path \
  --custom_overlay overlay.yaml \
  --enable_all \
  --option legacy-default-ingressgateway
  - dir_path is the output directory where you want asmcli to set up the ASM installation, including all subdirectories.
  - overlay.yaml is the overlay file you created in the previous steps.
Use these settings when following the instructions in Install with optional features.
Troubleshooting
If you encounter an error that refers to gcloud container hub memberships register, you may have exceeded the maximum number of clusters registered with GKE Hub. For example:
asmcli_1.12: [WARNING]: Command 'run_command gcloud container hub memberships register my-hybrid-example ...' failed.
Try the following steps to remedy this error and then run asmcli install again:
- List the GKE Hub memberships for your project:
gcloud container hub memberships list --project=$PROJECT_ID
- Delete the GKE Hub memberships:
gcloud container hub memberships delete "membership" --project=$PROJECT_ID
For more information about GKE Hub limits, see Quotas and limits.
GKE on other platforms
These instructions are for installing and setting up ASM for Apigee hybrid instances using Anthos to run on:
- GKE on-prem (Anthos)
- Anthos on bare metal
- GKE on AWS
Read the following steps carefully before you begin. We will ask you to perform some of the steps listed in the ASM documentation, then return here to complete the installation.
- Download and unzip istioctl according to the instructions in the ASM documentation: Downloading the installation file.
- Depending on the certificate authority you plan to use, install ASM by following the instructions in one of the following sections:
  - Using Mesh CA: Installing Anthos Service Mesh with Mesh CA
  - Supplying your own certificates with Istio CA: Installing Anthos Service Mesh with Istio CA
- Configure the validating webhook with the instructions in Configuring the validating webhook.
- Check the control plane components with the instructions in Checking the control plane components.
Do not continue with "Injecting sidecar proxies."
Other Kubernetes platforms
AKS
Set up and download ASM
Read the following steps carefully before you begin. We will ask you to perform some of the steps listed in the ASM documentation, then return here to complete the installation.
This guide explains how to do a clean installation of Anthos Service Mesh (ASM) version 1.12.9-asm.3 on Anthos attached clusters. Use this guide to install Anthos Service Mesh on the following environments:
- Amazon Elastic Kubernetes Service (Amazon EKS) on Kubernetes
- Microsoft Azure Kubernetes Service (Microsoft AKS) on Kubernetes
- Red Hat OpenShift
Preparing to install Anthos Service Mesh
Linux
- Download the Anthos Service Mesh installation file to your current working directory:
curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.3-linux-amd64.tar.gz
- Download the signature file and use openssl to verify the signature:
curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.3-linux-amd64.tar.gz.1.sig
openssl dgst -verify /dev/stdin -signature istio-1.12.9-asm.3-linux-amd64.tar.gz.1.sig istio-1.12.9-asm.3-linux-amd64.tar.gz <<'EOF'
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
-----END PUBLIC KEY-----
EOF
- Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
tar xzf istio-1.12.9-asm.3-linux-amd64.tar.gz
The command creates an installation directory in your current working directory named istio-1.12.9-asm.3 that contains:
  - Sample applications in the samples directory.
  - The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
  - The Anthos Service Mesh configuration profiles are in the manifests/profiles directory.
- Ensure that you're in the Anthos Service Mesh installation's root directory:
cd istio-1.12.9-asm.3
- For convenience, add the tools in the /bin directory to your PATH:
export PATH=$PWD/bin:$PATH
Mac OS
- Download the Anthos Service Mesh installation file to your current working directory:
curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.3-osx.tar.gz
- Download the signature file and use openssl to verify the signature:
curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.3-osx.tar.gz.1.sig
openssl dgst -sha256 -verify /dev/stdin -signature istio-1.12.9-asm.3-osx.tar.gz.1.sig istio-1.12.9-asm.3-osx.tar.gz <<'EOF'
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
-----END PUBLIC KEY-----
EOF
- Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
tar xzf istio-1.12.9-asm.3-osx.tar.gz
The command creates an installation directory in your current working directory named istio-1.12.9-asm.3 that contains:
  - Sample applications in the samples directory.
  - The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
  - The Anthos Service Mesh configuration profiles are in the manifests/profiles directory.
- Ensure that you're in the Anthos Service Mesh installation's root directory:
cd istio-1.12.9-asm.3
- For convenience, add the tools in the /bin directory to your PATH:
export PATH=$PWD/bin:$PATH
Windows
- Download the Anthos Service Mesh installation file to your current working directory:
curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.3-win.zip
- Download the signature file and use openssl to verify the signature:
curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.3-win.zip.1.sig
openssl dgst -verify - -signature istio-1.12.9-asm.3-win.zip.1.sig istio-1.12.9-asm.3-win.zip <<'EOF'
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
-----END PUBLIC KEY-----
EOF
- Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
tar xzf istio-1.12.9-asm.3-win.zip
The command creates an installation directory in your current working directory named istio-1.12.9-asm.3 that contains:
  - Sample applications in the samples directory.
  - The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
  - The Anthos Service Mesh configuration profiles are in the manifests\profiles directory.
- Ensure that you're in the Anthos Service Mesh installation's root directory:
cd istio-1.12.9-asm.3
- For convenience, add the tools in the \bin directory to your PATH:
set PATH=%CD%\bin;%PATH%
After completing the steps for your operating system:
- Now that ASM Istio is installed, check the version of istioctl:
istioctl version
- Create a namespace called istio-system for the control plane components:
kubectl create namespace istio-system
Installing Anthos Service Mesh
- Install Anthos Service Mesh with istioctl using the asm-multicloud profile:
istioctl install \
  --set profile=asm-multicloud \
  --set revision="asm-1129-3"
The --set revision argument adds a revision label in the format istio.io/rev=asm-1129-3 to istiod. The revision label is used by the automatic sidecar injector webhook to associate injected sidecars with a particular istiod revision. To enable sidecar auto-injection for a namespace, you must label it with a revision that matches the label on istiod.
- Check that the istiod pods are running with kubectl get pods:
kubectl get pods -n istio-system
Your output should look something like:
NAME                                   READY   STATUS    RESTARTS   AGE
istio-ingressgateway-88b6fd976-flgp2   1/1     Running   0          3m13s
istio-ingressgateway-88b6fd976-p5dl9   1/1     Running   0          2m57s
istiod-asm-1129-3-dbfb7c7b6-2ls88      1/1     Running   0          3m21s
istiod-asm-1129-3-dbfb7c7b6-fnj8c      1/1     Running   1          3m21s
- Verify that your install completed:
kubectl get svc -n istio-system
Your output should look something like:
NAME                   TYPE           CLUSTER-IP       EXTERNAL-IP     PORT(S)                                                                      AGE
istio-ingressgateway   LoadBalancer   172.200.48.52    34.74.177.168   15021:30479/TCP,80:30030/TCP,443:32200/TCP,15012:32297/TCP,15443:30244/TCP   3m35s
istiod                 ClusterIP      172.200.18.133   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP                                        4m46s
istiod-asm-1129-3      ClusterIP      172.200.63.220   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP                                        3m43s
Configure the validating webhook
When you install Anthos Service Mesh, you set a revision label on istiod. You need to set the same revision on the validating webhook.
- Create a file called istiod-service.yaml with the following contents:
apiVersion: v1
kind: Service
metadata:
  name: istiod
  namespace: istio-system
  labels:
    istio.io/rev: asm-1129-3
    app: istiod
    istio: pilot
    release: istio
spec:
  ports:
    - port: 15010
      name: grpc-xds # plaintext
      protocol: TCP
    - port: 15012
      name: https-dns # mTLS with k8s-signed cert
      protocol: TCP
    - port: 443
      name: https-webhook # validation and injection
      targetPort: 15017
      protocol: TCP
    - port: 15014
      name: http-monitoring # prometheus stats
      protocol: TCP
  selector:
    app: istiod
    istio.io/rev: asm-1129-3
  # meshConfig is an IstioOperator setting; it is not a field of a core/v1 Service.
  meshConfig:
    accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
- Use kubectl to apply the validating webhook configuration:
kubectl apply -f istiod-service.yaml
- Verify that the configuration was applied:
kubectl get svc -n istio-system
The response should look similar to:
NAME     TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                                 AGE
istiod   ClusterIP   172.200.18.133   <none>        15010/TCP,15012/TCP,443/TCP,15014/TCP   22s
EKS
Set up and download ASM
Read the following steps carefully before you begin. We will ask you to perform some of the steps listed in the ASM documentation, then return here to complete the installation.
This guide explains how to do a clean installation of Anthos Service Mesh (ASM) version 1.12.9-asm.3 on Anthos attached clusters. Use this guide to install Anthos Service Mesh on the following environments:
- Amazon Elastic Kubernetes Service (Amazon EKS) on Kubernetes
- Microsoft Azure Kubernetes Service (Microsoft AKS) on Kubernetes
- Red Hat OpenShift
Preparing to install Anthos Service Mesh
Linux
- Download the Anthos Service Mesh installation file to your current working directory:
curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.3-linux-amd64.tar.gz
- Download the signature file and use openssl to verify the signature:
curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.3-linux-amd64.tar.gz.1.sig
openssl dgst -verify /dev/stdin -signature istio-1.12.9-asm.3-linux-amd64.tar.gz.1.sig istio-1.12.9-asm.3-linux-amd64.tar.gz <<'EOF'
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
-----END PUBLIC KEY-----
EOF
- Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
tar xzf istio-1.12.9-asm.3-linux-amd64.tar.gz
The command creates an installation directory in your current working directory named istio-1.12.9-asm.3 that contains:
  - Sample applications in the samples directory.
  - The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
  - The Anthos Service Mesh configuration profiles are in the manifests/profiles directory.
- Ensure that you're in the Anthos Service Mesh installation's root directory:
cd istio-1.12.9-asm.3
- For convenience, add the tools in the /bin directory to your PATH:
export PATH=$PWD/bin:$PATH
Mac OS
- Download the Anthos Service Mesh installation file to your current working directory:
curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.3-osx.tar.gz
- Download the signature file and use openssl to verify the signature:
curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.3-osx.tar.gz.1.sig
openssl dgst -sha256 -verify /dev/stdin -signature istio-1.12.9-asm.3-osx.tar.gz.1.sig istio-1.12.9-asm.3-osx.tar.gz <<'EOF'
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
-----END PUBLIC KEY-----
EOF
- Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
tar xzf istio-1.12.9-asm.3-osx.tar.gz
The command creates an installation directory in your current working directory named istio-1.12.9-asm.3 that contains:
  - Sample applications in the samples directory.
  - The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
  - The Anthos Service Mesh configuration profiles are in the manifests/profiles directory.
- Ensure that you're in the Anthos Service Mesh installation's root directory:
cd istio-1.12.9-asm.3
- For convenience, add the tools in the /bin directory to your PATH:
export PATH=$PWD/bin:$PATH
Windows
- Download the Anthos Service Mesh installation file to your current working directory:
curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.3-win.zip
- Download the signature file and use openssl to verify the signature:
curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.3-win.zip.1.sig
openssl dgst -verify - -signature istio-1.12.9-asm.3-win.zip.1.sig istio-1.12.9-asm.3-win.zip <<'EOF'
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
-----END PUBLIC KEY-----
EOF
- Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
tar xzf istio-1.12.9-asm.3-win.zip
The command creates an installation directory in your current working directory named istio-1.12.9-asm.3 that contains:
  - Sample applications in the samples directory.
  - The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
  - The Anthos Service Mesh configuration profiles are in the manifests\profiles directory.
- Ensure that you're in the Anthos Service Mesh installation's root directory:
cd istio-1.12.9-asm.3
- For convenience, add the tools in the \bin directory to your PATH:
set PATH=%CD%\bin;%PATH%
After completing the steps for your operating system:
- Now that ASM Istio is installed, check the version of istioctl:
istioctl version
- Create a namespace called istio-system for the control plane components:
kubectl create namespace istio-system
Installing Anthos Service Mesh
- Install Anthos Service Mesh with istioctl using the asm-multicloud profile:
istioctl install \
  --set profile=asm-multicloud \
  --set revision="asm-1129-3"
The --set revision argument adds a revision label in the format istio.io/rev=asm-1129-3 to istiod. The revision label is used by the automatic sidecar injector webhook to associate injected sidecars with a particular istiod revision. To enable sidecar auto-injection for a namespace, you must label it with a revision that matches the label on istiod.
- Check that the istiod pods are running with kubectl get pods:
kubectl get pods -n istio-system
Your output should look something like:
NAME                                   READY   STATUS    RESTARTS   AGE
istio-ingressgateway-88b6fd976-flgp2   1/1     Running   0          3m13s
istio-ingressgateway-88b6fd976-p5dl9   1/1     Running   0          2m57s
istiod-asm-1129-3-dbfb7c7b6-2ls88      1/1     Running   0          3m21s
istiod-asm-1129-3-dbfb7c7b6-fnj8c      1/1     Running   1          3m21s
- Verify that your install completed:
kubectl get svc -n istio-system
Your output should look something like:
NAME                   TYPE           CLUSTER-IP       EXTERNAL-IP     PORT(S)                                                                      AGE
istio-ingressgateway   LoadBalancer   172.200.48.52    34.74.177.168   15021:30479/TCP,80:30030/TCP,443:32200/TCP,15012:32297/TCP,15443:30244/TCP   3m35s
istiod                 ClusterIP      172.200.18.133   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP                                        4m46s
istiod-asm-1129-3      ClusterIP      172.200.63.220   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP                                        3m43s
Configure the validating webhook
When you install Anthos Service Mesh, you set a revision label on istiod. You need to set the same revision on the validating webhook.
- Create a file called istiod-service.yaml with the following contents:
apiVersion: v1
kind: Service
metadata:
  name: istiod
  namespace: istio-system
  labels:
    istio.io/rev: asm-1129-3
    app: istiod
    istio: pilot
    release: istio
spec:
  ports:
    - port: 15010
      name: grpc-xds # plaintext
      protocol: TCP
    - port: 15012
      name: https-dns # mTLS with k8s-signed cert
      protocol: TCP
    - port: 443
      name: https-webhook # validation and injection
      targetPort: 15017
      protocol: TCP
    - port: 15014
      name: http-monitoring # prometheus stats
      protocol: TCP
  selector:
    app: istiod
    istio.io/rev: asm-1129-3
  # meshConfig is an IstioOperator setting; it is not a field of a core/v1 Service.
  meshConfig:
    accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
- Use kubectl to apply the validating webhook configuration:
kubectl apply -f istiod-service.yaml
- Verify that the configuration was applied:
kubectl get svc -n istio-system
The response should look similar to:
NAME     TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                                 AGE
istiod   ClusterIP   172.200.18.133   <none>        15010/TCP,15012/TCP,443/TCP,15014/TCP   22s
OpenShift
Set up and download ASM
Read the following steps carefully before you begin. We will ask you to perform some of the steps listed in the ASM documentation, then return here to complete the installation.
This guide explains how to do a clean installation of Anthos Service Mesh (ASM) version 1.12.9-asm.3 on Anthos attached clusters. Use this guide to install Anthos Service Mesh on the following environments:
- Amazon Elastic Kubernetes Service (Amazon EKS) on Kubernetes
- Microsoft Azure Kubernetes Service (Microsoft AKS) on Kubernetes
- Red Hat OpenShift
Preparing to install Anthos Service Mesh
Linux
- Grant the anyuid security context constraint (SCC) to the istio-system with the following oc command:
oc adm policy add-scc-to-group anyuid system:serviceaccounts:istio-system
- Download the Anthos Service Mesh installation file to your current working directory:
curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.3-linux-amd64.tar.gz
- Download the signature file and use openssl to verify the signature:
curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.3-linux-amd64.tar.gz.1.sig
openssl dgst -verify /dev/stdin -signature istio-1.12.9-asm.3-linux-amd64.tar.gz.1.sig istio-1.12.9-asm.3-linux-amd64.tar.gz <<'EOF'
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
-----END PUBLIC KEY-----
EOF
- Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
tar xzf istio-1.12.9-asm.3-linux-amd64.tar.gz
The command creates an installation directory in your current working directory named istio-1.12.9-asm.3 that contains:
  - Sample applications in the samples directory.
  - The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
  - The Anthos Service Mesh configuration profiles are in the manifests/profiles directory.
- Ensure that you're in the Anthos Service Mesh installation's root directory:
cd istio-1.12.9-asm.3
- For convenience, add the tools in the /bin directory to your PATH:
export PATH=$PWD/bin:$PATH
Mac OS
- Grant the anyuid security context constraint (SCC) to the istio-system with the following oc command:
oc adm policy add-scc-to-group anyuid system:serviceaccounts:istio-system
- Download the Anthos Service Mesh installation file to your current working directory:
curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.3-osx.tar.gz
- Download the signature file and use openssl to verify the signature:
curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.3-osx.tar.gz.1.sig
openssl dgst -sha256 -verify /dev/stdin -signature istio-1.12.9-asm.3-osx.tar.gz.1.sig istio-1.12.9-asm.3-osx.tar.gz <<'EOF'
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
-----END PUBLIC KEY-----
EOF
- Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
tar xzf istio-1.12.9-asm.3-osx.tar.gz
The command creates an installation directory in your current working directory named istio-1.12.9-asm.3 that contains:
  - Sample applications in the samples directory.
  - The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
  - The Anthos Service Mesh configuration profiles are in the manifests/profiles directory.
- Ensure that you're in the Anthos Service Mesh installation's root directory:
cd istio-1.12.9-asm.3
- For convenience, add the tools in the /bin directory to your PATH:
export PATH=$PWD/bin:$PATH
Windows
- Grant the anyuid security context constraint (SCC) to the istio-system with the following OpenShift CLI (oc) command:
oc adm policy add-scc-to-group anyuid system:serviceaccounts:istio-system
- Download the Anthos Service Mesh installation file to your current working directory:
curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.3-win.zip
- Download the signature file and use openssl to verify the signature:
curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.12.9-asm.3-win.zip.1.sig
openssl dgst -verify - -signature istio-1.12.9-asm.3-win.zip.1.sig istio-1.12.9-asm.3-win.zip <<'EOF'
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
-----END PUBLIC KEY-----
EOF
- Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
tar xzf istio-1.12.9-asm.3-win.zip
The command creates an installation directory in your current working directory named istio-1.12.9-asm.3 that contains:
  - Sample applications in the samples directory.
  - The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
  - The Anthos Service Mesh configuration profiles are in the manifests\profiles directory.
- Ensure that you're in the Anthos Service Mesh installation's root directory:
cd istio-1.12.9-asm.3
- For convenience, add the tools in the \bin directory to your PATH:
set PATH=%CD%\bin;%PATH%
After completing the steps for your operating system:
- Now that ASM Istio is installed, check the version of istioctl:
istioctl version
- Create a namespace called istio-system for the control plane components:
kubectl create namespace istio-system
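An added example, not part of the Apigee or ASM documentation: the download, verify and extract steps from the AKS, EKS and OpenShift sections, wrapped so that extraction happens only when openssl dgst confirms the detached signature. The archive, signature and P-256 key pair are constructed stand-ins generated on the spot so the script runs offline; verify_detached, verify_then_extract and make_fixture are hypothetical names. For the real release, pass the downloaded archive, its .1.sig file and the public key shown above saved to a PEM file.

```shell
#!/bin/sh
# Added example: extract a release archive only after its detached
# signature verifies against a pinned public key (fail closed).

# verify_detached ARCHIVE SIGNATURE PUBKEY_PEM
# Returns 0 if the signature is valid, 2 on unusable input, non-zero otherwise.
verify_detached() {
    archive=$1 sig=$2 pubkey=$3
    # A failed or interrupted download leaves a missing or 0-byte file.
    for f in "$archive" "$sig" "$pubkey"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 2; }
    done
    # Name the digest explicitly instead of relying on the build's default.
    openssl dgst -sha256 -verify "$pubkey" -signature "$sig" "$archive" >/dev/null 2>&1
}

# verify_then_extract ARCHIVE SIGNATURE PUBKEY_PEM DEST
# Creates DEST and unpacks into it only when verification succeeds.
verify_then_extract() {
    verify_detached "$1" "$2" "$3" || {
        echo "signature check failed; not extracting $1" >&2
        return 1
    }
    mkdir -p "$4" && tar xzf "$1" -C "$4"
}

# make_fixture DIR
# Constructed stand-ins for the release archive, its signature and the
# publisher's key, plus a tampered copy of the archive.
make_fixture() {
    dir=$1
    mkdir -p "$dir/payload/bin"
    echo 'echo stand-in istioctl' > "$dir/payload/bin/istioctl"
    tar czf "$dir/release.tar.gz" -C "$dir" payload
    # Throwaway P-256 key pair playing the role of the publisher's signing key.
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/signer.key" 2>/dev/null
    openssl ec -in "$dir/signer.key" -pubout -out "$dir/signer.pub" 2>/dev/null
    openssl dgst -sha256 -sign "$dir/signer.key" \
        -out "$dir/release.tar.gz.sig" "$dir/release.tar.gz"
    # Same archive with one byte appended: a corrupted or swapped download.
    cp "$dir/release.tar.gz" "$dir/tampered.tar.gz"
    printf 'x' >> "$dir/tampered.tar.gz"
}

demo() {
    work=$(mktemp -d)
    make_fixture "$work"
    verify_then_extract "$work/release.tar.gz" "$work/release.tar.gz.sig" \
        "$work/signer.pub" "$work/good" \
        && echo "genuine archive: verified and extracted"
    verify_then_extract "$work/tampered.tar.gz" "$work/release.tar.gz.sig" \
        "$work/signer.pub" "$work/bad" \
        || echo "tampered archive: rejected, nothing extracted"
    rm -rf "$work"
}

demo
```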
Installing Anthos Service Mesh
- Install Anthos Service Mesh with istioctl using the asm-multicloud profile:
istioctl install \
  --set profile=asm-multicloud \
  --set revision="asm-1129-3"
The --set revision argument adds a revision label in the format istio.io/rev=asm-1129-3 to istiod. The revision label is used by the automatic sidecar injector webhook to associate injected sidecars with a particular istiod revision. To enable sidecar auto-injection for a namespace, you must label it with a revision that matches the label on istiod.
- Check that the istiod pods are running with kubectl get pods:
kubectl get pods -n istio-system
Your output should look something like:
NAME                                   READY   STATUS    RESTARTS   AGE
istio-ingressgateway-88b6fd976-flgp2   1/1     Running   0          3m13s
istio-ingressgateway-88b6fd976-p5dl9   1/1     Running   0          2m57s
istiod-asm-1129-3-dbfb7c7b6-2ls88      1/1     Running   0          3m21s
istiod-asm-1129-3-dbfb7c7b6-fnj8c      1/1     Running   1          3m21s
- Verify that your install completed:
kubectl get svc -n istio-system
Your output should look something like:
NAME                   TYPE           CLUSTER-IP       EXTERNAL-IP     PORT(S)                                                                      AGE
istio-ingressgateway   LoadBalancer   172.200.48.52    34.74.177.168   15021:30479/TCP,80:30030/TCP,443:32200/TCP,15012:32297/TCP,15443:30244/TCP   3m35s
istiod                 ClusterIP      172.200.18.133   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP                                        4m46s
istiod-asm-1129-3      ClusterIP      172.200.63.220   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP                                        3m43s
Configure the validating webhook
When you install Anthos Service Mesh, you set a revision label on istiod. You need to set the same revision on the validating webhook.
- Create a file called istiod-service.yaml with the following contents:
apiVersion: v1
kind: Service
metadata:
  name: istiod
  namespace: istio-system
  labels:
    istio.io/rev: asm-1129-3
    app: istiod
    istio: pilot
    release: istio
spec:
  ports:
    - port: 15010
      name: grpc-xds # plaintext
      protocol: TCP
    - port: 15012
      name: https-dns # mTLS with k8s-signed cert
      protocol: TCP
    - port: 443
      name: https-webhook # validation and injection
      targetPort: 15017
      protocol: TCP
    - port: 15014
      name: http-monitoring # prometheus stats
      protocol: TCP
  selector:
    app: istiod
    istio.io/rev: asm-1129-3
  # meshConfig is an IstioOperator setting; it is not a field of a core/v1 Service.
  meshConfig:
    accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
- Use kubectl to apply the validating webhook configuration:
kubectl apply -f istiod-service.yaml
- Verify that the configuration was applied:
kubectl get svc -n istio-system
The response should look similar to:
NAME     TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                                 AGE
istiod   ClusterIP   172.200.18.133   <none>        15010/TCP,15012/TCP,443/TCP,15014/TCP   22s
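An added example, not from the Apigee or ASM documentation: a check to run before kubectl apply in the "Configure the validating webhook" steps of the AKS, EKS and OpenShift sections, confirming that both the label and the selector in istiod-service.yaml carry the revision given to istioctl install. A selector revision that matches no istiod pods leaves the Service without endpoints. rev_of, check_webhook_revision and write_manifest are hypothetical names, the manifest is a constructed, trimmed copy, and asm-0000-0 is a made-up stale revision.

```shell
#!/bin/sh
# Added example: compare the istio.io/rev values in a Service manifest
# with the revision that was passed to "istioctl install --set revision=...".

# rev_of FILE PARENT
# Prints the istio.io/rev value found inside the "PARENT:" mapping
# (for example labels or selector); prints nothing if it is absent.
rev_of() {
    awk -v parent="$2:" '
        NF == 0 { next }                              # skip blank lines
        { indent = match($0, /[^ ]/) }                # column of first non-space
        inside && indent <= depth { inside = 0 }      # dedent closes the mapping
        $1 == parent { depth = indent; inside = 1; next }
        inside && $1 == "istio.io/rev:" { gsub(/"/, "", $2); print $2; exit }
    ' "$1"
}

# check_webhook_revision FILE REVISION
# Returns 0 only if metadata.labels and spec.selector both carry REVISION.
check_webhook_revision() {
    want=$2 rc=0
    for parent in labels selector; do
        got=$(rev_of "$1" "$parent")
        if [ "$got" != "$want" ]; then
            echo "$1: $parent has istio.io/rev='$got', expected '$want'" >&2
            rc=1
        fi
    done
    return $rc
}

# write_manifest FILE LABEL_REV SELECTOR_REV
# Constructed, trimmed copy of istiod-service.yaml for the demonstration.
write_manifest() {
    cat > "$1" <<EOF
apiVersion: v1
kind: Service
metadata:
  name: istiod
  namespace: istio-system
  labels:
    istio.io/rev: $2
    app: istiod
spec:
  ports:
    - port: 443
      name: https-webhook # validation and injection
      targetPort: 15017
      protocol: TCP
  selector:
    app: istiod
    istio.io/rev: $3
EOF
}

demo() {
    d=$(mktemp -d)
    write_manifest "$d/istiod-service.yaml" asm-1129-3 asm-1129-3
    write_manifest "$d/stale.yaml" asm-1129-3 asm-0000-0
    check_webhook_revision "$d/istiod-service.yaml" asm-1129-3 \
        && echo "istiod-service.yaml: revisions match asm-1129-3"
    check_webhook_revision "$d/stale.yaml" asm-1129-3 \
        || echo "stale.yaml: rejected before apply"
    rm -rf "$d"
}

demo
```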
Customizing the ASM installation
The ASM installation you just performed is a minimal installation, sufficient to test and use Apigee hybrid for basic use cases. For information on addressing more advanced use cases, such as adding, removing, or modifying load balancer port numbers, see Enabling optional features.
Summary
You now have cert-manager and ASM installed, and you are ready to install the Apigee hybrid command line tool on your local machine.