The init command installs the
Apigee deployment services
Apigee Deployment Controller and Apigee Admission Webhook, and it deploys non-Apigee
components Istio and Cert Manager.
To check the status of the deployment, you can use these commands:
Do a "dry run" install. Execute the apply command with the --dry-run=true flag. Doing a dry
run lets you check for any errors before any changes are made to the cluster.
Repeat this step until the pods are all ready.
The pods may take several minutes
to start up.
Enable synchronizer access
Create a GCP service account and add the Apigee Organization Admin role
to it. This service account will be used to authenticate an API call that you will make
in a later step. An easy way to create the service account is through the GCP console.
For instructions, see
Creating and managing service accounts in the GCP documentation.
Download the service account key to your system. Follow the instructions in
Creating service account keys in the GCP documentation.
Move the downloaded service account key into your service accounts directory:
/hybrid-base-directory/hybrid-files/service-accounts.
your_org_name: The name of your hybrid organization.
synchronizer-manager-service-account-email: The name of a service account
with the Apigee Synchronizer Manager role.
The name is formed like an email address. For example:
apigee-synchronizer@my-project.iam.gserviceaccount.com
You must add the IP address of the MART endpoint
to your Apigee organization. You set this value previously when set
the value of the mart.hostAlias property in your overrides
file.
The management plane needs this address so that it can communicate with the runtime
plane over MART.
Follow these steps to add the MART IP to your organization:
Get the value you set previously in your overrides file for the
mart.hostAlias property. For MART to function, the host alias must
be a fully qualified domain name.
Locate the service account key with the Apigee Organization Admin role
that you downloaded previously, in the section
Enable synchronizer access.
Be sure to save your overrides file. You will need this file to perform future upgrades,
patches, or any other modifications to the cluster configuration.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-26 UTC."],[[["\u003cp\u003eThis documentation version 1.1 is end-of-life and users should upgrade to a newer version.\u003c/p\u003e\n"],["\u003cp\u003eTo install Apigee hybrid, execute the \u003ccode\u003einit\u003c/code\u003e command followed by the \u003ccode\u003eapply\u003c/code\u003e command with and without the dry-run flag, then proceed to verify readiness through the provided commands.\u003c/p\u003e\n"],["\u003cp\u003eEnabling synchronizer access requires creating a GCP service account, downloading the service account key, and using it to set permissions via the \u003ccode\u003esetSyncAuthorization\u003c/code\u003e API.\u003c/p\u003e\n"],["\u003cp\u003eAdding the MART IP to your organization involves updating your organization via the management API, ensuring the \u003ccode\u003emart.hostAlias\u003c/code\u003e property in your overrides file is a fully qualified domain name.\u003c/p\u003e\n"],["\u003cp\u003eThe overrides file must be saved as it will be essential for future upgrades, patches, and modifications to the cluster configuration.\u003c/p\u003e\n"]]],[],null,["# Step 4: Install hybrid on GKE\n\n| You are currently viewing version 1.1 of the Apigee hybrid documentation. **This version is end of life.** You should upgrade to a newer version. For more information, see [Supported versions](/apigee/docs/hybrid/supported-platforms#supported-versions).\n\nApply the configuration to the cluster\n--------------------------------------\n\n\nTo install Apigee hybrid into your cluster:\n\n1. Be sure that you are in the \u003cvar translate=\"no\"\u003ehybrid-base-directory\u003c/var\u003e`/hybrid-files` directory.\n2. Execute the `init` command: \n\n ```\n $APIGEECTL_HOME/apigeectl init -f overrides/overrides.yaml\n ```\n\n The `init` command installs the [Apigee deployment services](/apigee/docs/hybrid/v1.1/apigee-deployment-services)\n Apigee Deployment Controller and Apigee Admission Webhook, and it deploys non-Apigee\n components [Istio](https://istio.io/) and [Cert Manager](https://docs.cert-manager.io/en/latest/).\n3. To check the status of the deployment, you can use these commands: \n\n ```\n $APIGEECTL_HOME/apigeectl check-ready -f overrides/overrides.yaml\n ```\n\n\n and \n\n ```\n kubectl get pods -n apigee-system\n ```\n\n\n and \n\n ```\n kubectl get pods -n istio-system\n ```\n\n\n When the pods are ready, go to the next step.\n4. Do a \"dry run\" install. Execute the `apply` command with the `--dry-run=true` flag. Doing a dry run lets you check for any errors before any changes are made to the cluster. \n\n ```\n $APIGEECTL_HOME/apigeectl apply -f overrides/overrides.yaml --dry-run=true\n ```\n5. If there are no errors, you can apply the [Apigee-specific\n runtime components](/apigee/docs/hybrid/v1.1/what-is-hybrid#about-the-runtime-plane) to the cluster: \n\n ```\n $APIGEECTL_HOME/apigeectl apply -f overrides/overrides.yaml\n ```\n6. To check the status of the deployment: \n\n ```\n $APIGEECTL_HOME/apigeectl check-ready -f overrides/overrides.yaml\n ```\n\n\n Repeat this step until the pods are all ready.\n The pods may take several minutes\n to start up.\n\nEnable synchronizer access\n--------------------------\n\n1. Create a GCP service account and add the **Apigee Organization Admin** role to it. This service account will be used to authenticate an API call that you will make in a later step. An easy way to create the service account is through the GCP console. For instructions, see [Creating and managing service accounts](https://cloud.google.com/iam/docs/creating-managing-service-accounts#iam-service-accounts-create-gcloud) in the GCP documentation.\n2. Download the service account key to your system. Follow the instructions in [Creating service account keys](https://cloud.google.com/iam/docs/creating-managing-service-account-keys#iam-service-account-keys-create-gcloud) in the GCP documentation.\n3. Move the downloaded service account key into your service accounts directory: \u003cvar translate=\"no\"\u003e/hybrid-base-directory\u003c/var\u003e`/hybrid-files/service-accounts`.\n4. Execute these two commands to get a token: \n\n export GOOGLE_APPLICATION_CREDENTIALS=\u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-n\"\u003eorg\u003c/span\u003e\u003cspan class=\"devsite-syntax-o\"\u003e-\u003c/span\u003e\u003cspan class=\"devsite-syntax-n\"\u003eadmin\u003c/span\u003e\u003cspan class=\"devsite-syntax-o\"\u003e-\u003c/span\u003e\u003cspan class=\"devsite-syntax-n\"\u003eservice\u003c/span\u003e\u003cspan class=\"devsite-syntax-o\"\u003e-\u003c/span\u003e\u003cspan class=\"devsite-syntax-n\"\u003eaccount\u003c/span\u003e\u003cspan class=\"devsite-syntax-o\"\u003e-\u003c/span\u003e\u003cspan class=\"devsite-syntax-n\"\u003efile\u003c/span\u003e\u003c/var\u003e\n export TOKEN=$(gcloud auth application-default print-access-token)\n\n\n Where \u003cvar translate=\"no\"\u003eorg-admin-service-account-file\u003c/var\u003e is the path on your system to the service\n account key you downloaded with the **Apigee Organization Admin** role.\n5. Call the [setSyncAuthorization](/apigee/docs/reference/apis/apigee/rest/v1/organizations/setSyncAuthorization) API to enable the required permissions for Synchronizer: \n\n ```\n curl -X POST -H \"Authorization: Bearer $TOKEN\" \\\n -H \"Content-Type:application/json\" \\\n \"https://apigee.googleapis.com/v1/organizations/your_org_name:setSyncAuthorization\" \\\n -d '{\"identities\":[\"serviceAccount:synchronizer-manager-service-account-email\"]}'\n ```\n\n\n Where:\n - `your_org_name`: The name of your hybrid organization.\n - `synchronizer-manager-service-account-email`: The name of a service account with the **Apigee Synchronizer Manager** role. The name is formed like an email address. For example: `apigee-synchronizer@my-project.iam.gserviceaccount.com`\n\n Example: \n\n ```\n curl -X POST -H \"Authorization: Bearer $TOKEN\" \\\n -H \"Content-Type:application/json\" \\\n \"https://apigee.googleapis.com/v1/organizations/my_org:setSyncAuthorization\" \\\n -d '{\"identities\":[\"serviceAccount:apigee-synchronizer@my-project.iam.gserviceaccount.com\"]}'\n ```\n6. To verify that the service account was set, call the following API to get a list of service accounts: \n\n ```\n curl -X POST -H \"Authorization: Bearer $TOKEN\" \\\n -H \"Content-Type:application/json\" \\\n \"https://apigee.googleapis.com/v1/organizations/your_org_name:getSyncAuthorization\" \\\n -d ''\n ```\n\n\n The output looks similar to the following: \n\n ```\n {\n \"identities\":[\n \"serviceAccount:my-synchronizer-manager-service_account@my_project_id.iam.gserviceaccount.com\"\n ],\n \"etag\":\"BwWJgyS8I4w=\"\n }\n \n ```\n\nAdd the MART IP to your org\n---------------------------\n\n\nYou must add the IP address of the [MART](/apigee/docs/hybrid/v1.1/what-is-hybrid#mart) endpoint\nto your Apigee organization. You set this value previously when set\nthe value of the `mart.hostAlias` property in your overrides\nfile.\nThe management plane needs this address so that it can communicate with the runtime\nplane over MART.\n\n\nFollow these steps to add the MART IP to your organization:\n| **NOTE:** Perform this step only after have successfully deployed hybrid into your cluster, as explained in [Deploy hybrid to your cluster](/apigee/docs/hybrid/v1.1/install-hybrid).\n\n1. Get the value you set previously in your overrides file for the `mart.hostAlias` property. For MART to function, the host alias must be a fully qualified domain name.\n2. Locate the service account key with the **Apigee Organization Admin** role that you downloaded previously, in the section [Enable synchronizer access](#enable-synchronizer-access).\n3. Execute these two commands to get a token: \n\n export GOOGLE_APPLICATION_CREDENTIALS=\u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-n\"\u003eorg\u003c/span\u003e\u003cspan class=\"devsite-syntax-o\"\u003e-\u003c/span\u003e\u003cspan class=\"devsite-syntax-n\"\u003eadmin\u003c/span\u003e\u003cspan class=\"devsite-syntax-o\"\u003e-\u003c/span\u003e\u003cspan class=\"devsite-syntax-n\"\u003eservice\u003c/span\u003e\u003cspan class=\"devsite-syntax-o\"\u003e-\u003c/span\u003e\u003cspan class=\"devsite-syntax-n\"\u003eaccount\u003c/span\u003e\u003cspan class=\"devsite-syntax-o\"\u003e-\u003c/span\u003e\u003cspan class=\"devsite-syntax-n\"\u003efile\u003c/span\u003e\u003c/var\u003e\n export TOKEN=$(gcloud auth application-default print-access-token)\n\n\n Where \u003cvar translate=\"no\"\u003eorg-admin-service-account-file\u003c/var\u003e is the path on your system to the service\n account key you downloaded with the **Apigee Organization Admin** role.\n4. Call the following management API to update your organization with the MART endpoint: \n\n ```\n curl -v -X PUT \\\n https://apigee.googleapis.com/v1/organizations/your_org_name \\\n -H \"Content-Type: application/json\" \\\n -H \"Authorization: Bearer $TOKEN\" \\\n -d '{\n \"name\" : \"your_org_name\",\n \"properties\" : {\n \"property\" : [ {\n \"name\" : \"features.hybrid.enabled\",\n \"value\" : \"true\"\n }, {\n \"name\" : \"features.mart.server.endpoint\",\n \"value\" : \"https://HOST_ALIAS_DNS\"\n } ]\n }\n }'\n ```\n\n Here is an example. Be sure to add the prefix \"https://\" to the domain name. \n\n ```\n curl -v -X PUT \\\n https://apigee.googleapis.com/v1/organizations/my_organization \\\n -H \"Content-Type: application/json\" \\\n -H \"Authorization: Bearer $TOKEN\" \\\n -d '{\n \"name\" : \"my_organization\",\n \"properties\" : {\n \"property\" : [ {\n \"name\" : \"features.hybrid.enabled\",\n \"value\" : \"true\"\n }, {\n \"name\" : \"features.mart.server.endpoint\",\n \"value\" : \"https://foo-mart.example.com\"\n } ]\n }\n }'\n ```\n\nSave the overrides file\n-----------------------\n\n\nBe sure to save your overrides file. You will need this file to perform future upgrades,\npatches, or any other modifications to the cluster configuration.\n| **CONGRATULATIONS!**\n|\n| **You've successfully installed Apigee hybrid. You are now ready to test\n| it.**"]]