Step 4: Install hybrid on GKE

Apply the configuration to the cluster

To install Apigee hybrid into your cluster:

Be sure that you are in the hybrid-base-directory/hybrid-files directory.
Execute the init command:
```
$APIGEECTL_HOME/apigeectl init -f overrides/overrides.yaml
```
The init command installs the Apigee deployment services Apigee Deployment Controller and Apigee Admission Webhook, and it deploys non-Apigee components Istio and Cert Manager.

To check the status of the deployment, you can use these commands:

$APIGEECTL_HOME/apigeectl check-ready -f overrides/overrides.yaml

and

kubectl get pods -n apigee-system

and

kubectl get pods -n istio-system

When the pods are ready, go to the next step.

Do a "dry run" install. Execute the apply command with the --dry-run=true flag. Doing a dry run lets you check for any errors before any changes are made to the cluster.
```
$APIGEECTL_HOME/apigeectl apply -f overrides/overrides.yaml --dry-run=true
```
If there are no errors, you can apply the Apigee-specific runtime components to the cluster:
```
$APIGEECTL_HOME/apigeectl apply -f overrides/overrides.yaml
```
To check the status of the deployment:
```
$APIGEECTL_HOME/apigeectl check-ready -f overrides/overrides.yaml
```
Repeat this step until the pods are all ready. The pods may take several minutes to start up.

Enable synchronizer access

Create a GCP service account and add the Apigee Organization Admin role to it. This service account will be used to authenticate an API call that you will make in a later step. An easy way to create the service account is through the GCP console. For instructions, see Creating and managing service accounts in the GCP documentation.
Download the service account key to your system. Follow the instructions in Creating service account keys in the GCP documentation.
Move the downloaded service account key into your service accounts directory: /hybrid-base-directory/hybrid-files/service-accounts.
Execute these two commands to get a token:
```
export GOOGLE_APPLICATION_CREDENTIALS=org-admin-service-account-file
export TOKEN=$(gcloud auth application-default print-access-token)
```
Where org-admin-service-account-file is the path on your system to the service account key you downloaded with the Apigee Organization Admin role.

Call the setSyncAuthorization API to enable the required permissions for Synchronizer:

curl -X POST -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type:application/json" \
  "https://apigee.googleapis.com/v1/organizations/your_org_name:setSyncAuthorization" \
   -d '{"identities":["serviceAccount:synchronizer-manager-service-account-email"]}'

Where:

your_org_name: The name of your hybrid organization.
synchronizer-manager-service-account-email: The name of a service account with the Apigee Synchronizer Manager role. The name is formed like an email address. For example: apigee-synchronizer@my-project.iam.gserviceaccount.com

Example:

curl -X POST -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type:application/json" \
  "https://apigee.googleapis.com/v1/organizations/my_org:setSyncAuthorization" \
   -d '{"identities":["serviceAccount:apigee-synchronizer@my-project.iam.gserviceaccount.com"]}'

To verify that the service account was set, call the following API to get a list of service accounts:

curl -X POST -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type:application/json" \
  "https://apigee.googleapis.com/v1/organizations/your_org_name:getSyncAuthorization" \
   -d ''

The output looks similar to the following:

{
   "identities":[
      "serviceAccount:my-synchronizer-manager-service_account@my_project_id.iam.gserviceaccount.com"
   ],
   "etag":"BwWJgyS8I4w="
}

Add the MART IP to your org

You must add the IP address of the MART endpoint to your Apigee organization. You set this value previously when set the value of the mart.hostAlias property in your overrides file. The management plane needs this address so that it can communicate with the runtime plane over MART.

Follow these steps to add the MART IP to your organization:

Get the value you set previously in your overrides file for the mart.hostAlias property. For MART to function, the host alias must be a fully qualified domain name.
Locate the service account key with the Apigee Organization Admin role that you downloaded previously, in the section Enable synchronizer access.
Execute these two commands to get a token:
```
export GOOGLE_APPLICATION_CREDENTIALS=org-admin-service-account-file
export TOKEN=$(gcloud auth application-default print-access-token)
```
Where org-admin-service-account-file is the path on your system to the service account key you downloaded with the Apigee Organization Admin role.

Call the following management API to update your organization with the MART endpoint:

curl -v -X PUT \
   https://apigee.googleapis.com/v1/organizations/your_org_name \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
  "name" : "your_org_name",
  "properties" : {
    "property" : [ {
      "name" : "features.hybrid.enabled",
      "value" : "true"
    }, {
      "name" : "features.mart.server.endpoint",
      "value" : "https://HOST_ALIAS_DNS"
    } ]
  }
}'

Here is an example. Be sure to add the prefix "https://" to the domain name.

curl -v -X PUT \
   https://apigee.googleapis.com/v1/organizations/my_organization \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
  "name" : "my_organization",
  "properties" : {
    "property" : [ {
      "name" : "features.hybrid.enabled",
      "value" : "true"
    }, {
      "name" : "features.mart.server.endpoint",
      "value" : "https://foo-mart.example.com"
    } ]
  }
}'

Save the overrides file

Be sure to save your overrides file. You will need this file to perform future upgrades, patches, or any other modifications to the cluster configuration.