This step explains how to create the TLS credentials
that are required for Apigee hybrid to operate.
Create TLS certificates
You are required to provide TLS certificates for the runtime ingress gateway in your
Apigee hybrid configuration. For the purpose of this quickstart (a non-production trial installation),
the runtime gateway can accept self-signed credentials. In the following steps,
openssl is used to generate the self-signed credentials.
In this step, you will create the TLS credential files and add them to
the $APIGEE_HELM_CHARTS_HOME/certs directory.
In
Step 6: Create the overrides, you will add the file paths to the cluster
configuration file.
Create a directory for the credential files. Helm charts cannot read files outside the chart
directory, and the TLS credentials are managed with the apigee-virtualhost chart.
therefore create your directory for the credential files within the
$APIGEE_HELM_CHARTS_HOME/apigee-virtualhost/ directory.
DOMAIN is the domain you provided as the hostname for the environment
group you created in Create an environment group.
ENV_GROUP is the name of the environment group where the domain is specified
as a hostname. It's a good practice to include the environment group name in the key and keystore
name to avoid accidentally reusing the same domain value if you create keys for multiple environment groups.
This command creates a self-signed certificate/key pair that you can use for the quickstart
installation.
If you have additional environment groups with unique domain names, repeat this step for each
environment group. You will reference these groups and certificates in the cluster
configuration step.
Check to make sure the files are in the $APIGEE_HELM_CHARTS_HOME/apigee-virtualhost/certs directory using the following command:
ls $APIGEE_HELM_CHARTS_HOME/apigee-virtualhost/certs
This you should see two files:
keystore_ENV_GROUP.pem or keystore_ENV_GROUP.crt is the self-signed TLS certificate file.
keystore_ENV_GROUP.key
is the key file.
You now have the credentials needed to manage Apigee hybrid
in your Kubernetes cluster. Next, you will create an overrides file that is used by Kubernetes
to deploy the hybrid runtime components to the cluster.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-20 UTC."],[[["\u003cp\u003eTLS certificates are necessary for the Apigee hybrid runtime ingress gateway, and for quickstart installations, self-signed credentials generated with openssl are acceptable.\u003c/p\u003e\n"],["\u003cp\u003eCreate a directory within \u003ccode\u003e$APIGEE_HELM_CHARTS_HOME/apigee-virtualhost/\u003c/code\u003e to store the TLS credential files, which are required by the \u003ccode\u003eapigee-virtualhost\u003c/code\u003e chart.\u003c/p\u003e\n"],["\u003cp\u003eUse the provided openssl command to generate self-signed certificate/key pairs, ensuring to replace \u003ccode\u003e$DOMAIN\u003c/code\u003e and \u003ccode\u003e$ENV_GROUP\u003c/code\u003e with your actual domain and environment group name.\u003c/p\u003e\n"],["\u003cp\u003eVerify the creation of the \u003ccode\u003ekeystore_$ENV_GROUP.pem\u003c/code\u003e (or \u003ccode\u003e.crt\u003c/code\u003e) and \u003ccode\u003ekeystore_$ENV_GROUP.key\u003c/code\u003e files in the specified directory after running the command.\u003c/p\u003e\n"],["\u003cp\u003eIf you have multiple environment groups with unique domain names, repeat the openssl step for each group, making note to use a separate, unique environment group name in the file name.\u003c/p\u003e\n"]]],[],null,[]]
