Step 7: Create the overrides

Specify configuration overrides

The Apigee hybrid installer uses defaults for many settings. However, there are a few settings that do not have defaults. You must provide values for these settings, as explained next.

Before you begin

We recommend you review the following scenarios to determine if you want to configure your cluster for them. These configurations are optional.

Configure the cluster

By convention, configuration overrides are written in a file named overrides.yaml typically stored in your $APIGEE_HELM_CHARTS_HOME directory.

  1. Create a new file named overrides.yaml in your $APIGEE_HELM_CHARTS_HOME directory.

    The overrides.yaml provides the configuration for your unique Apigee hybrid installation. The overrides file in this step provides a basic configuration for a small-footprint hybrid runtime installation, suitable for your first installation.

  2. In overrides.yaml, add the required property values, shown below. A detailed description of each property is provided below.

    Make sure the overrides.yaml file has the following structure and syntax.

    Choose the tab for the type of service account authentication you are using in your installation, as selected in Step 4: Create service accounts:

    • Service account keys in Kubernetes Secrets: Kubernetes Secrets
    • Service account JSON key files: JSON files
    • Service account keys in Vault: Vault
    • Workload Identity Federation for GKE: WIF for GKE
    • Workload Identity Federation: WIF on other platforms

    For an overview of the different authentication options, see Service account authentication methods in Apigee hybrid.

    Then select the tab for your installation type, Production or Non-prod (demo, evaluation, or proof-of-concept installations), depending on your choice in Step 4: Create service accounts.

    For installations in production environments, look at the storage requirements for the Cassandra database in Configure Cassandra for production.

    Kubernetes Secrets

    Production

    Template

    instanceID: UNIQUE_INSTANCE_IDENTIFIER
    namespace: APIGEE_NAMESPACE # Usually "apigee"
    
    gcp:
      projectID: PROJECT_ID
      region: ANALYTICS_REGION
    
    k8sCluster:
      name: CLUSTER_NAME
      region: CLUSTER_LOCATION # Closest Google Cloud region to your cluster.
    
    org: ORG_NAME
    
    # Required for Enhanced per-environment proxy limits:
    enhanceProxyLimits: true
    
    # Required if using data residency with hybrid:
    contractProvider: https://CONTROL_PLANE_LOCATION-apigee.googleapis.com
    
    envs:
    - name: ENVIRONMENT_NAME
      serviceAccountSecretRefs:
        synchronizer: SYNCHRONIZER_SERVICE_ACCOUNT_SECRET
          # For example: "apigee-synchronizer-svc-account"
        runtime: RUNTIME_SERVICE_ACCOUNT_SECRET
          # For example: "apigee-runtime-svc-account"
        udca: UDCA_SERVICE_ACCOUNT_SECRET
          # For example: "apigee-udca-svc-account"
    
    cassandra:
      hostNetwork: false
        # Set to false for single region installations and for multi-region
        # installations with connectivity between pods in different clusters,
        # like GKE.
        # Set to true for multi-region installations with no communication
        # between pods in different clusters, for example Google Distributed
        # Cloud on VMware or bare metal, GKE on AWS, AKS, EKS, and OpenShift.
        # See Multi-region deployment: Prerequisites
      replicaCount: 3
        # Use multiples of 3 for production.
        # See Configure Cassandra for production for guidelines.
      storage:
        storageSize: 500Gi
      resources:
        requests:
          cpu: 7
          memory: 15Gi
      maxHeapSize: 8192M
      heapNewSize: 1200M
        # Minimum storage requirements for a production environment.
        # See Configure Cassandra for production.
    
    ingressGateways:
    - name: INGRESS_NAME # maximum 17 characters.
      replicaCountMin: 2
      replicaCountMax: 10
      svcAnnotations:  # optional. If you are on AKS, see Known issue #260772383
        SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE
    
    virtualhosts:
    - name: ENVIRONMENT_GROUP_NAME
      selector:
        app: apigee-ingressgateway
        ingress_name: INGRESS_NAME
      sslCertPath: PATH_TO_CERT_FILE
      sslKeyPath: PATH_TO_KEY_FILE
    
    mart:
      serviceAccountSecretRef: MART_SERVICE_ACCOUNT_SECRET
        # For example: "apigee-mart-svc-account"
    
    connectAgent:
      serviceAccountSecretRef: MART_SERVICE_ACCOUNT_SECRET
        # Use the same secret for mart and connectAgent
        # For example: "apigee-mart-svc-account"
    
    logger:
      enabled: true
        # enabled by default
        # See apigee-logger in Service accounts and roles used by hybrid components.
      serviceAccountSecretRef: LOGGER_SERVICE_ACCOUNT_SECRET
        # For example: "apigee-logger-svc-account"
    
    metrics:
      serviceAccountSecretRef: METRICS_SERVICE_ACCOUNT_SECRET
        # For example: "apigee-metrics-svc-account"
    
    udca:
      serviceAccountSecretRef: UDCA_SERVICE_ACCOUNT_SECRET
        # For example: "apigee-udca-svc-account"
    
    watcher:
      serviceAccountSecretRef: WATCHER_SERVICE_ACCOUNT_SECRET
        # For example: "apigee-watcher-svc-account"
    
    # Required if using Monetization for Apigee hybrid (v1.15.1 and later)
    runtime:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1" # Must be 1.15.1 or higher.
    
    mintTaskScheduler: # Required for Monetization for Apigee hybrid
      serviceAccountRef: MINT_TASK_SCHEDULER_SERVICE_ACCOUNT_SECRET
        # For example: "apigee-mint-task-scheduler-svc-account"
    
    # If using message payloads larger than 10MB.
    # See configure large message payload support.
    # Note: a runtime block also appears above for Monetization. Top-level keys
    # must be unique in YAML, so if you need both, merge them into one runtime block.
    runtime:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi
    

    Values shown as UPPERCASE placeholders are property values that you must provide. They are described in the table below.

    The following table describes each of the property values that you must provide in the overrides file. For more information, see Configuration property reference.

    Variable Description

    UNIQUE_INSTANCE_IDENTIFIER

    A unique string to identify this instance. This can be any combination of letters and numbers up to 63 characters.

    You can create multiple organizations in the same cluster, but the instanceID must be the same for all orgs in the same Kubernetes cluster.

    See instanceID.

    APIGEE_NAMESPACE

    The Kubernetes namespace for your Apigee hybrid components.

    The default value is apigee.

    See namespace.

    PROJECT_ID

    Identifies the Google Cloud project where the apigee-logger and the apigee-metrics push their data. This is the value assigned to the environment variable PROJECT_ID.

    See gcp.projectID.

    ANALYTICS_REGION

    In GKE, you must set this value to the same region where the cluster is running. On all other platforms, select the closest analytics region to your cluster that has Analytics support (see the table in Part 1, Step 2: Create an organization).

    This is the value you assigned to the environment variable ANALYTICS_REGION previously.

    See gcp.region.

    CLUSTER_NAME

    Your Kubernetes cluster name. This is the value assigned to the environment variable CLUSTER_NAME.

    See k8sCluster.name.

    CLUSTER_LOCATION

    The region where the cluster is running. This is the region where you created the cluster in Step 1: Create a cluster.

    This is the value you assigned to the environment variable CLUSTER_LOCATION previously.

    See k8sCluster.location.

    ORG_NAME

    The ID of your Apigee hybrid organization. This is the value assigned to the environment variable ORG_NAME.

    See org.

    CONTROL_PLANE_LOCATION

    Required if you are using Data residency with your Apigee hybrid installation. This is the location where customer core content like proxy bundles is stored. For a list, see Available Apigee API control plane regions. It is the value assigned to the CONTROL_PLANE_LOCATION environment variable in Step 2: Create an organization.

    See contractProvider.

    ENVIRONMENT_NAME

    Use the same name that you used when you created an environment in the UI, as explained in Project and org setup - Step 3: Create an environment group.

    See envs[].name.

    ENVIRONMENT_GROUP_NAME

    The name of the environment group your environments are assigned to. This is the group you created in Project and org setup - Step 3: Create an environment group. This is the value assigned to the environment variable ENV_GROUP.

    See virtualhosts[].name.

    INGRESS_NAME

    The name of the Apigee ingress gateway for your deployment. This can be any name that meets the following requirements:
    • Have a maximum length of 17 characters
    • Contain only lowercase alphanumeric characters, '-' or '.'
    • Start with an alphanumeric character
    • End with an alphanumeric character

    PATH_TO_CERT_FILE
    PATH_TO_KEY_FILE

    Enter the path and filename of the self-signed TLS key and certificate files that you generated previously in Step 6: Create TLS certificates. These files must be located in the APIGEE_HELM_CHARTS_HOME/apigee-virtualhosts/certs directory. For example:
    sslCertPath: certs/keystore.crt
    sslKeyPath: certs/keystore.key

    SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE

    (Optional). This is a key-value pair that provides annotations for your default ingress service. Your cloud platform uses annotations to help configure your hybrid installation, for example setting the load balancer type to either internal or external.

    Annotations vary from platform to platform. Refer to your platform documentation for required and suggested annotations.

    Comment out or delete this section if you are not using it.

    See ingressGateways[].svcAnnotations.

    <component>_SERVICE_ACCOUNT_SECRET

    The name of the Kubernetes secret you created for the service account key in Step 5: Set up service account authentication.

    The default names of the secrets suggested in this guide are:

    Production

    • apigee-cassandra-svc-account
    • apigee-logger-svc-account
    • apigee-mart-svc-account
    • apigee-metrics-svc-account
    • apigee-mint-task-scheduler-svc-account
    • apigee-runtime-svc-account
    • apigee-synchronizer-svc-account
    • apigee-udca-svc-account
    • apigee-watcher-svc-account

    Non-prod

    • apigee-non-prod-svc-account

    Example

    instanceID: "my_hybrid_example"
    namespace: "apigee"
    
    gcp:
      projectID: my-project
      region: us-central1
    
    k8sCluster:
      name: hybrid-env
      region: us-central1
    
    org: my-project
    
    enhanceProxyLimits: true
    
    contractProvider: https://us-apigee.googleapis.com
    
    envs:
    - name: prod-env
      serviceAccountSecretRefs:
        synchronizer: "apigee-synchronizer-svc-account"
        runtime: "apigee-runtime-svc-account"
        udca: "apigee-udca-svc-account"
    
    cassandra:
      hostNetwork: false
      replicaCount: 3
      storage:
        storageSize: 500Gi
      resources:
        requests:
          cpu: 7
          memory: 15Gi
      maxHeapSize: 8192M
      heapNewSize: 1200M
    
    ingressGateways:
    - name: my-ingress-1
      replicaCountMin: 2
      replicaCountMax: 10
    
    virtualhosts:
    - name: example-env-group
      selector:
        app: apigee-ingressgateway
        ingress_name: my-ingress-1
      sslCertPath: certs/keystore.pem
      sslKeyPath: certs/keystore.key
    
    mart:
      serviceAccountSecretRef: "apigee-mart-svc-account"
    
    connectAgent:
      serviceAccountSecretRef: "apigee-mart-svc-account"
    
    logger:
      enabled: true
      serviceAccountSecretRef: "apigee-logger-svc-account"
    
    metrics:
      serviceAccountSecretRef: "apigee-metrics-svc-account"
    
    udca:
      serviceAccountSecretRef: "apigee-udca-svc-account"
    
    watcher:
      serviceAccountSecretRef: "apigee-watcher-svc-account"
    
    # Monetization for Apigee hybrid
    runtime:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1"
    
    mintTaskScheduler:
      serviceAccountRef: apigee-mint-task-scheduler-svc-account
    
    # For message payloads larger than 10MB (merge with the runtime block above if
    # you also use Monetization; top-level keys must be unique in YAML):
    runtime:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi
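
As an added check that is not part of the Apigee documentation or its Helm charts, the following script applies the rules from the table above to an overrides file: the ingress name length and character set, the Cassandra replica-count guidance, certificate paths under certs/, mart and connectAgent sharing one secret, and duplicate top-level keys such as a runtime block pasted twice. It is deliberately line-based so it needs no YAML library and only understands the flat shape of the templates on this page; the sample overrides are constructed.

```python
import re

TOP_KEY = re.compile(r"^([A-Za-z][A-Za-z0-9_]*):")
# Ingress name rule from the table: lowercase alphanumerics, '-' or '.', starting
# and ending with an alphanumeric character; the 17-character cap is checked separately.
INGRESS_NAME = re.compile(r"^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$")

# Constructed sample, cut down from the page's Production example (not a real install).
SAMPLE_GOOD = """\
instanceID: "my_hybrid_example"
org: my-project

envs:
- name: prod-env
  serviceAccountSecretRefs:
    runtime: "apigee-runtime-svc-account"   # nested key, not a top-level 'runtime'

cassandra:
  replicaCount: 3

ingressGateways:
- name: my-ingress-1   # maximum 17 characters

virtualhosts:
- name: example-env-group
  selector:
    ingress_name: my-ingress-1
  sslCertPath: certs/keystore.pem
  sslKeyPath: certs/keystore.key

mart:
  serviceAccountSecretRef: "apigee-mart-svc-account"

connectAgent:
  serviceAccountSecretRef: "apigee-mart-svc-account"

runtime:
  image:
    tag: "1.15.1"
"""

# The same file with three mistakes: an invalid ingress name, a Cassandra replica
# count that is not a multiple of 3, and the large-payload snippet pasted as a
# second top-level 'runtime' block instead of being merged into the first one.
SAMPLE_BAD = (SAMPLE_GOOD
              .replace("my-ingress-1", "My-Ingress-Gateway1")
              .replace("replicaCount: 3", "replicaCount: 2")
              + "\nruntime:\n  resources:\n    requests:\n      memory: 4Gi\n")

def _scalar(value):
    # Drop a trailing comment and surrounding quotes from a YAML scalar.
    return value.split("#", 1)[0].strip().strip('"').strip("'")

def parse_sections(text):
    # Returns (top-level keys in file order, {section: [(key, value), ...]}).
    # Nested keys and '- name: x' items are flattened into their top-level section.
    order, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = TOP_KEY.match(raw)
        if m:
            current = m.group(1)
            order.append(current)
            sections.setdefault(current, [])
            if _scalar(raw[m.end():]):           # e.g. org: my-project
                sections[current].append(("", _scalar(raw[m.end():])))
        elif current is not None and ":" in raw:
            key, _, value = raw.strip().lstrip("- ").partition(":")
            sections[current].append((key.strip(), _scalar(value)))
    return order, sections

def lookup(sections, section, key=""):
    # First value of key inside a top-level section, or None if absent.
    return next((v for k, v in sections.get(section, []) if k == key), None)

def ingress_name_ok(name):
    return len(name) <= 17 and INGRESS_NAME.match(name) is not None

def replica_count_ok(count, production):
    # Production needs a multiple of 3; non-prod uses 1 (a multiple of 3 is also fine).
    multiple_of_3 = count > 0 and count % 3 == 0
    return multiple_of_3 if production else (count == 1 or multiple_of_3)

def validate_overrides(text, production=True):
    # Returns a list of findings; an empty list means every check passed.
    order, s = parse_sections(text)
    findings = [f"top-level key '{k}' appears more than once; YAML keeps one copy, merge the blocks"
                for k in sorted({k for k in order if order.count(k) > 1})]
    inst = lookup(s, "instanceID")
    if not inst or len(inst) > 63:
        findings.append("instanceID is missing or longer than 63 characters")
    name = lookup(s, "ingressGateways", "name")
    if name is None or not ingress_name_ok(name):
        findings.append(f"ingress name {name!r} breaks the 17-character lowercase alphanumeric rule")
    if lookup(s, "virtualhosts", "ingress_name") != name:
        findings.append("virtualhosts[].selector.ingress_name does not match ingressGateways[].name")
    for key in ("sslCertPath", "sslKeyPath"):
        if not (lookup(s, "virtualhosts", key) or "").startswith("certs/"):
            findings.append(f"{key} must be a path inside apigee-virtualhosts/certs")
    rc = lookup(s, "cassandra", "replicaCount") or ""
    if not rc.isdigit() or not replica_count_ok(int(rc), production):
        findings.append(f"cassandra.replicaCount {rc!r} is not valid for "
                        + ("production" if production else "non-prod"))
    if lookup(s, "mart", "serviceAccountSecretRef") != lookup(s, "connectAgent", "serviceAccountSecretRef"):
        findings.append("mart and connectAgent must reference the same service account secret")
    return findings
```

Calling validate_overrides(SAMPLE_GOOD) returns an empty list, while validate_overrides(SAMPLE_BAD) returns the three findings described in the comment; pass production=False to apply the non-prod replica-count rule.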
    


    Non-prod

    Template

    instanceID: UNIQUE_INSTANCE_IDENTIFIER
    namespace: APIGEE_NAMESPACE # Usually "apigee"
    
    gcp:
      projectID: PROJECT_ID
      region: ANALYTICS_REGION
    
    k8sCluster:
      name: CLUSTER_NAME
      region: CLUSTER_LOCATION # Closest Google Cloud region to your cluster.
    
    org: ORG_NAME
    
    # Required for Enhanced per-environment proxy limits:
    enhanceProxyLimits: true
    
    # Required if using data residency with hybrid:
    contractProvider: https://CONTROL_PLANE_LOCATION-apigee.googleapis.com
    
    envs:
    - name: ENVIRONMENT_NAME
      serviceAccountSecretRefs:
        synchronizer: NON_PROD_SERVICE_ACCOUNT_SECRET
          # For example: "apigee-non-prod-svc-account"
        runtime: NON_PROD_SERVICE_ACCOUNT_SECRET
          # For example: "apigee-non-prod-svc-account"
        udca: NON_PROD_SERVICE_ACCOUNT_SECRET
          # For example: "apigee-non-prod-svc-account"
    
    cassandra:
      hostNetwork: false
        # Set to false for single region installations and for multi-region
        # installations with connectivity between pods in different clusters,
        # like GKE.
        # Set to true for multi-region installations with no communication
        # between pods in different clusters, for example Google Distributed
        # Cloud on VMware or bare metal, GKE on AWS, AKS, EKS, and OpenShift.
        # See Multi-region deployment: Prerequisites
      replicaCount: 1
        # Use 1 for non-prod installations and multiples of 3 for production.
        # See Configure Cassandra for production for guidelines.
    
    ingressGateways:
    - name: INGRESS_NAME # maximum 17 characters.
      replicaCountMin: 2
      replicaCountMax: 10
      svcAnnotations:  # optional. If you are on AKS, see Known issue #260772383
        SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE
    
    virtualhosts:
    - name: ENVIRONMENT_GROUP_NAME
      selector:
        app: apigee-ingressgateway
        ingress_name: INGRESS_NAME
      sslCertPath: PATH_TO_CERT_FILE
      sslKeyPath: PATH_TO_KEY_FILE
    
    mart:
      serviceAccountSecretRef: NON_PROD_SERVICE_ACCOUNT_SECRET
        # For example: "apigee-non-prod-svc-account"
    
    connectAgent:
      serviceAccountSecretRef: NON_PROD_SERVICE_ACCOUNT_SECRET
        # Use the same secret for mart and connectAgent
        # For example: "apigee-non-prod-svc-account"
    
    logger:
      enabled: true
        # enabled by default
        # See apigee-logger in Service accounts and roles used by hybrid components.
      serviceAccountSecretRef: NON_PROD_SERVICE_ACCOUNT_SECRET
        # For example: "apigee-non-prod-svc-account"
    
    metrics:
      serviceAccountSecretRef: NON_PROD_SERVICE_ACCOUNT_SECRET
        # For example: "apigee-non-prod-svc-account"
    
    udca:
      serviceAccountSecretRef: NON_PROD_SERVICE_ACCOUNT_SECRET
        # For example: "apigee-non-prod-svc-account"
    
    watcher:
      serviceAccountSecretRef: NON_PROD_SERVICE_ACCOUNT_SECRET
        # For example: "apigee-non-prod-svc-account"
    
    # Required if using Monetization for Apigee hybrid (v1.15.1 and later)
    runtime:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1" # Must be 1.15.1 or higher.
    
    mintTaskScheduler: # Required for Monetization for Apigee hybrid
      serviceAccountRef: NON_PROD_SERVICE_ACCOUNT_SECRET
        # For example: "apigee-non-prod-svc-account"
    
    # If using message payloads larger than 10MB.
    # See configure large message payload support.
    # Note: a runtime block also appears above for Monetization. Top-level keys
    # must be unique in YAML, so if you need both, merge them into one runtime block.
    runtime:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi
    

    Values shown as UPPERCASE placeholders are property values that you must provide. They are the same properties described in the table above for the Production template.


    Example

    instanceID: "my_hybrid_example"
    namespace: "apigee"
    
    gcp:
      projectID: my-project
      region: us-central1
    
    k8sCluster:
      name: hybrid-env
      region: us-central1
    
    org: my-project
    
    enhanceProxyLimits: true
    
    contractProvider: https://us-apigee.googleapis.com
    
    envs:
    - name: test
      serviceAccountSecretRefs:
        synchronizer: "apigee-non-prod-svc-account"
        runtime: "apigee-non-prod-svc-account"
        udca: "apigee-non-prod-svc-account"
    
    cassandra:
      hostNetwork: false
      replicaCount: 1
    
    ingressGateways:
    - name: my-ingress-1
      replicaCountMin: 2
      replicaCountMax: 10
    
    virtualhosts:
    - name: example-env-group
      selector:
        app: apigee-ingressgateway
        ingress_name: my-ingress-1
      sslCertPath: certs/keystore.pem
      sslKeyPath: certs/keystore.key
    
    mart:
      serviceAccountSecretRef: "apigee-non-prod-svc-account"
    
    connectAgent:
      serviceAccountSecretRef: "apigee-non-prod-svc-account"
    
    logger:
      enabled: true
      serviceAccountSecretRef: "apigee-non-prod-svc-account"
    
    metrics:
      serviceAccountSecretRef: "apigee-non-prod-svc-account"
    
    udca:
      serviceAccountSecretRef: "apigee-non-prod-svc-account"
    
    watcher:
      serviceAccountSecretRef: "apigee-non-prod-svc-account"
    
    # Monetization for Apigee hybrid
    runtime:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1"
    
    mintTaskScheduler:
      serviceAccountRef: apigee-non-prod-svc-account
    
    # For message payloads larger than 10MB (merge with the runtime block above if
    # you also use Monetization; top-level keys must be unique in YAML):
    runtime:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi
    


    JSON files

    Production

    Template

    The placeholder values in UPPER_CASE are property values that you must provide. They are described in the table below.

    instanceID: UNIQUE_INSTANCE_IDENTIFIER
    namespace: APIGEE_NAMESPACE # Usually "apigee"
    
    gcp:
      projectID: PROJECT_ID
      region: ANALYTICS_REGION
    
    k8sCluster:
      name: CLUSTER_NAME
      region: CLUSTER_LOCATION # Closest Google Cloud region to your cluster.
    
    org: ORG_NAME
    
    # Required for Enhanced per-environment proxy limits:
    enhanceProxyLimits: true
    
    # Required if using data residency with hybrid:
    contractProvider: https://CONTROL_PLANE_LOCATION-apigee.googleapis.com
    
    envs:
    - name: ENVIRONMENT_NAME
      serviceAccountPaths:
        # Provide the path relative to the apigee-env chart directory.
        synchronizer: SYNCHRONIZER_SERVICE_ACCOUNT_FILEPATH
          # For example: "PROJECT_ID-apigee-synchronizer.json"
        runtime: RUNTIME_SERVICE_ACCOUNT_FILEPATH
          # For example: "PROJECT_ID-apigee-runtime.json"
        udca: UDCA_SERVICE_ACCOUNT_FILEPATH
          # For example: "PROJECT_ID-apigee-udca.json"
    
    cassandra:
      hostNetwork: false
        # Set to false for single region installations and  for multi-region
        # installations with connectivity between pods in different clusters,
        # like GKE.
        # Set to true for multi-region installations with no communication
        # between pods in different clusters, for example Google Distributed
        # Cloud on VMware or bare metal, GKE on AWS, AKS, EKS, and OpenShift.
        # See Multi-region deployment: Prerequisites
      replicaCount: 3
        # Use multiples of 3 for production.
        # See Configure Cassandra for production for guidelines.
      storage:
        storageSize: 500Gi
      resources:
        requests:
          cpu: 7
          memory: 15Gi
      maxHeapSize: 8192M
      heapNewSize: 1200M
        # Minimum storage requirements for a production environment.
        # See Configure Cassandra for production.
    
    ingressGateways:
    - name: INGRESS_NAME # maximum 17 characters.
      replicaCountMin: 2
      replicaCountMax: 10
      svcAnnotations:  # optional. If you are on AKS, see Known issue #260772383
        SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE
    
    virtualhosts:
    - name: ENVIRONMENT_GROUP_NAME
      selector:
        app: apigee-ingressgateway
        ingress_name: INGRESS_NAME
      sslCertPath: PATH_TO_CERT_FILE
      sslKeyPath: PATH_TO_KEY_FILE
    
    logger:
      enabled: true
        # enabled by default
        # See apigee-logger in Service accounts and roles used by hybrid components.
      serviceAccountPath: LOGGER_SERVICE_ACCOUNT_FILEPATH
        # Provide the path relative to the apigee-telemetry chart directory.
        # For example: "PROJECT_ID-apigee-logger.json"
    
    mart:
      serviceAccountPath: MART_SERVICE_ACCOUNT_FILEPATH
        # Provide the path relative to the apigee-org chart directory.
        # For example: "PROJECT_ID-apigee-mart.json"
    
    connectAgent:
      serviceAccountPath: MART_SERVICE_ACCOUNT_FILEPATH
        # Use the same service account for mart and connectAgent
        # Provide the path relative to the apigee-org chart directory.
        # For example: "PROJECT_ID-apigee-mart.json"
    
    metrics:
      serviceAccountPath: METRICS_SERVICE_ACCOUNT_FILEPATH
        # Provide the path relative to the apigee-telemetry chart directory.
        # For example: "PROJECT_ID-apigee-metrics.json"
    
    udca:
      serviceAccountPath: UDCA_SERVICE_ACCOUNT_FILEPATH
        # Provide the path relative to the apigee-org chart directory.
        # For example: "PROJECT_ID-apigee-udca.json"
    
    watcher:
      serviceAccountPath: WATCHER_SERVICE_ACCOUNT_FILEPATH
        # Provide the path relative to the apigee-org chart directory.
        # For example: "PROJECT_ID-apigee-watcher.json"
    
    # Required if using Monetization for Apigee hybrid (v1.15.1 and later)
    # and/or message payloads larger than 10MB. Keep both settings under the
    # single runtime: key below; YAML keeps only the last of two top-level
    # runtime: keys, so a repeated key would silently drop the first block.
    runtime:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1" # Must be 1.15.1 or higher.
      # If using message payloads larger than 10MB.
      # See configure large message payload support:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi
    
    mintTaskScheduler: # Required for Monetization for Apigee hybrid
      serviceAccountPath: MINT_TASK_SCHEDULER_SERVICE_ACCOUNT_FILEPATH
        # Provide the path relative to the apigee-org chart directory.
        # For example: "PROJECT_ID-apigee-mint-task-scheduler.json"
    

    The following table describes each of the property values that you must provide in the overrides file. For more information, see Configuration property reference.

    Variable Description
    UNIQUE_INSTANCE_IDENTIFIER

    A unique string to identify this instance. This can be any combination of letters and numbers up to 63 characters.

    You can create multiple organizations in the same cluster, but the instanceID must be the same for all orgs in the same Kubernetes cluster.

    See instanceID.

    APIGEE_NAMESPACE

    The Kubernetes namespace for your Apigee hybrid components.

    The default value is apigee.

    See namespace.

    PROJECT_ID Identifies the Google Cloud project where the apigee-logger and the apigee-metrics push their data. This is the value assigned to the environment variable PROJECT_ID.

    See gcp.projectID.

    ANALYTICS_REGION In GKE, you must set this value to the same region where the cluster is running. On all other platforms, select the analytics region closest to your cluster that has Analytics support (see the table in Part 1, Step 2: Create an organization).

    This is the value you assigned to the environment variable ANALYTICS_REGION previously.

    See gcp.region.

    CLUSTER_NAME Your Kubernetes cluster name. This is the value assigned to the environment variable CLUSTER_NAME.

    See k8sCluster.name.

    CLUSTER_LOCATION The region where the cluster is running. This is the region where you created the cluster in Step 1: Create a cluster.

    This is the value you assigned to the environment variable CLUSTER_LOCATION previously.

    See k8sCluster.region.

    ORG_NAME The ID of your Apigee hybrid organization. This is the value assigned to the environment variable ORG_NAME.

    See org.

    CONTROL_PLANE_LOCATION
    Required if you are using Data residency with your Apigee hybrid installation. This is the location where customer core content like proxy bundles is stored. For a list see Available Apigee API control plane regions. It is the value assigned to the CONTROL_PLANE_LOCATION environment variable in Step 2: Create an organization.

    See contractProvider.

    ENVIRONMENT_NAME Use the same name that you used when you created an environment in the UI, as explained in Project and org setup - Step 3: Create an environment group.

    See envs[].name.

    ENVIRONMENT_GROUP_NAME
    The name of the environment group your environments are assigned to. This is the group you created in Project and org setup - Step 3: Create an environment group. This is the value assigned to the environment variable ENV_GROUP.

    See virtualhosts[].name.

    INGRESS_NAME The name of the Apigee ingress gateway for your deployment. This can be any name that meets the following requirements:
    • Have a maximum length of 17 characters
    • Contain only lowercase alphanumeric characters, '-' or '.'
    • Start with an alphanumeric character
    • End with an alphanumeric character

    See:

    PATH_TO_CERT_FILE
    PATH_TO_KEY_FILE
    Enter the path and filename of the self-signed TLS key and certificate files that you generated previously in Step 6: Create TLS certificates. These files must be located in the APIGEE_HELM_CHARTS_HOME/apigee-virtualhosts/certs directory. For example:
    sslCertPath: certs/keystore.crt
    sslKeyPath: certs/keystore.key

    See:

    SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE
    (Optional). This is a key-value pair that provides annotations for your default ingress service. Your cloud platform uses annotations to help configure your hybrid installation, for example setting the loadbalancer type to either internal or external.

    Annotations vary from platform to platform. Refer to your platform documentation for required and suggested annotations.

    Comment out or delete this section if you are not using it.

    See ingressGateways[].svcAnnotations.

    <component>_SERVICE_ACCOUNT_FILEPATH
    The path and filename of the service account JSON key file in the corresponding chart directory. Provide the path relative to that chart directory. For example:
    • If the my-project-apigee-synchronizer.json file resides in the apigee-env/ chart directory, you only need to provide the file name, such as:
      synchronizer:  "FILE_NAME.json"
    • If the file resides in an apigee-env/service-accounts/ directory, you would specify a relative path:
      synchronizer:  "service-accounts/FILE_NAME.json"

    For non-production environments, the name of the single service account key file is PROJECT_ID-non-prod.json by default.

    For production environments, use the name of the service account key file that you generated with the create-service-account tool in Step 4: Create service accounts.

    You can see the service account files in each corresponding chart directory.

    The default file names and the chart directories in which the service account key files are placed are:

    Production

    Service account file name                     Chart directory
    PROJECT_ID-apigee-cassandra.json              apigee-datastore/
    PROJECT_ID-apigee-mart.json                   apigee-org/
    PROJECT_ID-apigee-metrics.json                apigee-telemetry/
    PROJECT_ID-apigee-mint-task-scheduler.json    apigee-org/
    PROJECT_ID-apigee-runtime.json                apigee-env/
    PROJECT_ID-apigee-synchronizer.json           apigee-env/
    PROJECT_ID-apigee-udca.json                   apigee-org/
    PROJECT_ID-apigee-watcher.json                apigee-org/

    Non-prod

    Service account file name                     Chart directory
    PROJECT_ID-non-prod.json                      apigee-datastore/
                                                  apigee-org/
                                                  apigee-telemetry/

    See:
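A pre-flight checker for the rules in the table above, added here as an example and not part of the Apigee documentation or Helm charts: the function names, the constructed overrides dict and the temporary chart layout are assumptions. Beyond the table, it also flags a repeated top-level key (such as a second runtime:), which YAML would otherwise let silently replace the first block.

```python
"""Pre-flight checks for an Apigee hybrid overrides.yaml.

Added example, not Apigee's own tooling. It encodes rules from the property
table on this page (INGRESS_NAME charset and length, instanceID length,
virtualhosts selecting a declared ingress, cassandra replicaCount in multiples
of 3 for production, key files and TLS files resolved relative to their chart
directory) and flags repeated top-level keys. All names are hypothetical.
"""
import os
import re
import tempfile

# INGRESS_NAME: max 17 chars, lowercase alphanumerics plus '-' or '.',
# starting and ending with an alphanumeric character.
INGRESS_NAME_RE = re.compile(r"^[a-z0-9]([a-z0-9.-]{0,15}[a-z0-9])?$")
TOP_LEVEL_KEY_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*):")

# Chart directory each top-level serviceAccountPath is relative to (page table).
CHART_DIR_FOR = {
    "cassandra": "apigee-datastore", "mart": "apigee-org", "connectAgent": "apigee-org",
    "udca": "apigee-org", "watcher": "apigee-org", "mintTaskScheduler": "apigee-org",
    "metrics": "apigee-telemetry", "logger": "apigee-telemetry",
}

def duplicate_top_level_keys(raw_yaml):
    """Top-level keys that appear more than once in the raw file text."""
    seen, dups = {}, []
    for line in raw_yaml.splitlines():
        m = TOP_LEVEL_KEY_RE.match(line)
        if m:
            key = m.group(1)
            seen[key] = seen.get(key, 0) + 1
            if seen[key] == 2:
                dups.append(key)
    return dups

def check_overrides(ov, charts_home, production=True):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not 1 <= len(ov.get("instanceID", "")) <= 63:
        findings.append("instanceID must be 1 to 63 characters")
    gw_names = [g.get("name", "") for g in ov.get("ingressGateways", [])]
    for name in gw_names:
        if not INGRESS_NAME_RE.match(name):
            findings.append(f"ingress name {name!r} breaks the 17-char lowercase rule")
    for vh in ov.get("virtualhosts", []):
        sel = vh.get("selector", {}).get("ingress_name")
        if sel not in gw_names:
            findings.append(f"virtualhost {vh.get('name')!r} selects unknown ingress {sel!r}")
        for key in ("sslCertPath", "sslKeyPath"):  # relative to apigee-virtualhosts/
            if not os.path.isfile(os.path.join(charts_home, "apigee-virtualhosts", vh.get(key, ""))):
                findings.append(f"{key} {vh.get(key)!r} not found under apigee-virtualhosts/")
    rc = ov.get("cassandra", {}).get("replicaCount", 0)
    if production and rc % 3 != 0:
        findings.append(f"cassandra replicaCount {rc} is not a multiple of 3")
    for comp, chart in CHART_DIR_FOR.items():
        path = ov.get(comp, {}).get("serviceAccountPath")
        if path and not os.path.isfile(os.path.join(charts_home, chart, path)):
            findings.append(f"{comp}: key file {path!r} not found in {chart}/")
    for env in ov.get("envs", []):  # env-level keys are relative to apigee-env/
        for comp, path in env.get("serviceAccountPaths", {}).items():
            if not os.path.isfile(os.path.join(charts_home, "apigee-env", path)):
                findings.append(f"env {env.get('name')!r}: {comp} key {path!r} not in apigee-env/")
    return findings

def sample_overrides():
    """Constructed overrides mirroring this page's production example."""
    sa = lambda c: f"my-project-apigee-{c}.json"
    return {
        "instanceID": "myhybridexample", "namespace": "apigee",
        "envs": [{"name": "prod-env", "serviceAccountPaths": {
            "synchronizer": sa("synchronizer"), "runtime": sa("runtime"), "udca": sa("udca")}}],
        "cassandra": {"replicaCount": 3},
        "ingressGateways": [{"name": "my-ingress-1"}],
        "virtualhosts": [{"name": "example-env-group",
                          "selector": {"app": "apigee-ingressgateway", "ingress_name": "my-ingress-1"},
                          "sslCertPath": "certs/keystore.crt", "sslKeyPath": "certs/keystore.key"}],
        "logger": {"serviceAccountPath": sa("logger")}, "mart": {"serviceAccountPath": sa("mart")},
        "connectAgent": {"serviceAccountPath": sa("mart")},
        "metrics": {"serviceAccountPath": sa("metrics")}, "udca": {"serviceAccountPath": sa("udca")},
        "watcher": {"serviceAccountPath": sa("watcher")},
    }

def sample_charts_home():
    """Constructed $APIGEE_HELM_CHARTS_HOME layout holding every file the sample expects."""
    root = tempfile.mkdtemp()
    layout = {
        "apigee-virtualhosts": ["certs/keystore.crt", "certs/keystore.key"],
        "apigee-env": ["my-project-apigee-synchronizer.json", "my-project-apigee-runtime.json",
                       "my-project-apigee-udca.json"],
        "apigee-org": ["my-project-apigee-mart.json", "my-project-apigee-udca.json",
                       "my-project-apigee-watcher.json"],
        "apigee-telemetry": ["my-project-apigee-metrics.json", "my-project-apigee-logger.json"],
    }
    for chart, names in layout.items():
        for name in names:
            path = os.path.join(root, chart, name)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
    return root
```

Run check_overrides() against your parsed overrides and the real $APIGEE_HELM_CHARTS_HOME before helm upgrade; every finding corresponds to a row of the table above.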

    Example

    instanceID: "my_hybrid_example"
    namespace: "apigee"
    
    gcp:
      projectID: my-project
      region: us-central1
    
    k8sCluster:
      name: hybrid-env
      region: us-central1
    
    org: my-project
    
    enhanceProxyLimits: true
    
    contractProvider: https://us-apigee.googleapis.com
    
    envs:
    - name: prod-env
      serviceAccountPaths:
        synchronizer: "my-project-apigee-synchronizer.json"
        runtime: "my-project-apigee-runtime.json"
        udca: "my-project-apigee-udca.json"
    
    cassandra:
      hostNetwork: false
      replicaCount: 3
      storage:
        storageSize: 500Gi
      resources:
        requests:
          cpu: 7
          memory: 15Gi
      maxHeapSize: 8192M
      heapNewSize: 1200M
    
    ingressGateways:
    - name: my-ingress-1
      replicaCountMin: 2
      replicaCountMax: 10
    
    virtualhosts:
    - name: example-env-group
      selector:
        app: apigee-ingressgateway
        ingress_name: my-ingress-1
      sslCertPath: certs/keystore.pem
      sslKeyPath: certs/keystore.key
    
    logger:
      enabled: true
      serviceAccountPath: "my-project-apigee-logger.json"
    
    mart:
      serviceAccountPath: "my-project-apigee-mart.json"
    
    connectAgent:
      serviceAccountPath: "my-project-apigee-mart.json"
    
    metrics:
      serviceAccountPath: "my-project-apigee-metrics.json"
    
    udca:
      serviceAccountPath: "my-project-apigee-udca.json"
    
    watcher:
      serviceAccountPath: "my-project-apigee-watcher.json"
    
    # Monetization for Apigee hybrid and message payloads larger than 10MB,
    # both under the single runtime: key:
    runtime:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1"
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi
    
    mintTaskScheduler:
      serviceAccountPath: "my-project-apigee-mint-task-scheduler.json"
    

    The following table describes each of the property values that you must provide in the overrides file. For more information, see Configuration property reference.

    Variable Description
    UNIQUE_INSTANCE_IDENTIFIER

    A unique string to identify this instance. This can be any combination of letters and numbers up to 63 characters.

    You can create multiple organizations in the same cluster, but the instanceID must be the same for all orgs in the same Kubernetes cluster.

    See instanceID.

    APIGEE_NAMESPACE

    The Kubernetes namespace for your Apigee hybrid components.

    The default value is apigee.

    See namespace.

    PROJECT_ID Identifies the Google Cloud project where the apigee-logger and the apigee-metrics push their data. This is the value assigned to the environment variable PROJECT_ID.

    See gcp.projectID.

    ANALYTICS_REGION In GKE, you must set this value to the same region where the cluster is running. On all other platforms, select the analytics region closest to your cluster that has Analytics support (see the table in Part 1, Step 2: Create an organization).

    This is the value you assigned to the environment variable ANALYTICS_REGION previously.

    See gcp.region.

    CLUSTER_NAME Your Kubernetes cluster name. This is the value assigned to the environment variable CLUSTER_NAME.

    See k8sCluster.name.

    CLUSTER_LOCATION The region where the cluster is running. This is the region where you created the cluster in Step 1: Create a cluster.

    This is the value you assigned to the environment variable CLUSTER_LOCATION previously.

    See k8sCluster.region.

    ORG_NAME The ID of your Apigee hybrid organization. This is the value assigned to the environment variable ORG_NAME.

    See org.

    CONTROL_PLANE_LOCATION
    Required if you are using Data residency with your Apigee hybrid installation. This is the location where customer core content like proxy bundles is stored. For a list see Available Apigee API control plane regions. It is the value assigned to the CONTROL_PLANE_LOCATION environment variable in Step 2: Create an organization.

    See contractProvider.

    ENVIRONMENT_NAME Use the same name that you used when you created an environment in the UI, as explained in Project and org setup - Step 3: Create an environment group.

    See envs[].name.

    ENVIRONMENT_GROUP_NAME
    The name of the environment group your environments are assigned to. This is the group you created in Project and org setup - Step 3: Create an environment group. This is the value assigned to the environment variable ENV_GROUP.

    See virtualhosts[].name.

    INGRESS_NAME The name of the Apigee ingress gateway for your deployment. This can be any name that meets the following requirements:
    • Have a maximum length of 17 characters
    • Contain only lowercase alphanumeric characters, '-' or '.'
    • Start with an alphanumeric character
    • End with an alphanumeric character

    See:

    PATH_TO_CERT_FILE
    PATH_TO_KEY_FILE
    Enter the path and filename of the self-signed TLS key and certificate files that you generated previously in Step 6: Create TLS certificates. These files must be located in the APIGEE_HELM_CHARTS_HOME/apigee-virtualhosts/certs directory. For example:
    sslCertPath: certs/keystore.crt
    sslKeyPath: certs/keystore.key

    See:

    SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE
    (Optional). This is a key-value pair that provides annotations for your default ingress service. Your cloud platform uses annotations to help configure your hybrid installation, for example setting the loadbalancer type to either internal or external.

    Annotations vary from platform to platform. Refer to your platform documentation for required and suggested annotations.

    Comment out or delete this section if you are not using it.

    See ingressGateways[].svcAnnotations.

    <component>_SERVICE_ACCOUNT_FILEPATH
    The path and filename of the service account JSON key file in the corresponding chart directory. Provide the path relative to that chart directory. For example:
    • If the my-project-apigee-synchronizer.json file resides in the apigee-env/ chart directory, you only need to provide the file name, such as:
      synchronizer:  "FILE_NAME.json"
    • If the file resides in an apigee-env/service-accounts/ directory, you would specify a relative path:
      synchronizer:  "service-accounts/FILE_NAME.json"

    For non-production environments, the name of the single service account key file is PROJECT_ID-non-prod.json by default.

    For production environments, use the name of the service account key file that you generated with the create-service-account tool in Step 4: Create service accounts.

    You can see the service account files in each corresponding chart directory.

    The default file names and the chart directories in which the service account key files are placed are:

    Production

    Service account file name                     Chart directory
    PROJECT_ID-apigee-cassandra.json              apigee-datastore/
    PROJECT_ID-apigee-mart.json                   apigee-org/
    PROJECT_ID-apigee-metrics.json                apigee-telemetry/
    PROJECT_ID-apigee-mint-task-scheduler.json    apigee-org/
    PROJECT_ID-apigee-runtime.json                apigee-env/
    PROJECT_ID-apigee-synchronizer.json           apigee-env/
    PROJECT_ID-apigee-udca.json                   apigee-org/
    PROJECT_ID-apigee-watcher.json                apigee-org/

    Non-prod

    Service account file name                     Chart directory
    PROJECT_ID-non-prod.json                      apigee-datastore/
                                                  apigee-org/
                                                  apigee-telemetry/

    See:

    Non-prod

    Template

    The placeholder values in UPPER_CASE are property values that you must provide. They are described in the table below.

    instanceID: UNIQUE_INSTANCE_IDENTIFIER
    namespace: APIGEE_NAMESPACE # Usually "apigee"
    
    gcp:
      projectID: PROJECT_ID
      region: ANALYTICS_REGION
    
    k8sCluster:
      name: CLUSTER_NAME
      region: CLUSTER_LOCATION # Closest Google Cloud region to your cluster.
    
    org: ORG_NAME
    
    # Required for Enhanced per-environment proxy limits:
    enhanceProxyLimits: true
    
    # Required if using data residency with hybrid:
    contractProvider: https://CONTROL_PLANE_LOCATION-apigee.googleapis.com
    
    envs:
    - name: ENVIRONMENT_NAME
      serviceAccountPaths:
        # Provide the path relative to the apigee-env chart directory.
        synchronizer: NON_PROD_SERVICE_ACCOUNT_FILEPATH
          # For example: "PROJECT_ID-apigee-non-prod.json"
        runtime: NON_PROD_SERVICE_ACCOUNT_FILEPATH
          # For example: "PROJECT_ID-apigee-non-prod.json"
        udca: NON_PROD_SERVICE_ACCOUNT_FILEPATH
          # For example: "PROJECT_ID-apigee-non-prod.json"
    
    cassandra:
      hostNetwork: false
        # Set to false for single region installations and  for multi-region
        # installations with connectivity between pods in different clusters,
        # like GKE.
        # Set to true for multi-region installations with no communication
        # between pods in different clusters, for example Google Distributed
        # Cloud on VMware or bare metal, GKE on AWS, AKS, EKS, and OpenShift.
        # See Multi-region deployment: Prerequisites
      replicaCount: 1
        # Use 1 for non-prod installations and multiples of 3 for production.
        # See Configure Cassandra for production for guidelines.
    
    ingressGateways:
    - name: INGRESS_NAME # maximum 17 characters.
      replicaCountMin: 2
      replicaCountMax: 10
      svcAnnotations:  # optional. If you are on AKS, see Known issue #260772383
        SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE
    
    virtualhosts:
    - name: ENVIRONMENT_GROUP_NAME
      selector:
        app: apigee-ingressgateway
        ingress_name: INGRESS_NAME
      sslCertPath: PATH_TO_CERT_FILE
      sslKeyPath: PATH_TO_KEY_FILE
    
    mart:
      serviceAccountPath: NON_PROD_SERVICE_ACCOUNT_FILEPATH
        # Provide the path relative to the apigee-org chart directory.
        # For example: "PROJECT_ID-apigee-non-prod.json"
    
    connectAgent:
      serviceAccountPath: NON_PROD_SERVICE_ACCOUNT_FILEPATH
        # Use the same service account for mart and connectAgent
        # Provide the path relative to the apigee-org chart directory.
        # For example: "PROJECT_ID-apigee-non-prod.json"
    
    logger:
      enabled: true
        # enabled by default
        # See apigee-logger in Service accounts and roles used by hybrid components.
      serviceAccountPath: NON_PROD_SERVICE_ACCOUNT_FILEPATH
        # Provide the path relative to the apigee-telemetry chart directory.
        # For example: "PROJECT_ID-apigee-non-prod.json"
    
    metrics:
      serviceAccountPath: NON_PROD_SERVICE_ACCOUNT_FILEPATH
        # Provide the path relative to the apigee-telemetry chart directory.
        # For example: "PROJECT_ID-apigee-non-prod.json"
    
    udca:
      serviceAccountPath: NON_PROD_SERVICE_ACCOUNT_FILEPATH
        # Provide the path relative to the apigee-org chart directory.
        # For example: "PROJECT_ID-apigee-non-prod.json"
    
    watcher:
      serviceAccountPath: NON_PROD_SERVICE_ACCOUNT_FILEPATH
        # Provide the path relative to the apigee-org chart directory.
        # For example: "PROJECT_ID-apigee-non-prod.json"
    
    # Required if using Monetization for Apigee hybrid (v1.15.1 and later)
    # and/or message payloads larger than 10MB. Keep both settings under the
    # single runtime: key below; YAML keeps only the last of two top-level
    # runtime: keys, so a repeated key would silently drop the first block.
    runtime:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1" # Must be 1.15.1 or higher.
      # If using message payloads larger than 10MB.
      # See configure large message payload support:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi
    
    mintTaskScheduler: # Required for Monetization for Apigee hybrid
      serviceAccountPath: NON_PROD_SERVICE_ACCOUNT_FILEPATH
        # Provide the path relative to the apigee-org chart directory.
        # For example: "PROJECT_ID-apigee-non-prod.json"
    

    The following table describes each of the property values that you must provide in the overrides file. For more information, see Configuration property reference.

    Variable Description
    UNIQUE_INSTANCE_IDENTIFIER

    A unique string to identify this instance. This can be any combination of letters and numbers up to 63 characters.

    You can create multiple organizations in the same cluster, but the instanceID must be the same for all orgs in the same Kubernetes cluster.

    See instanceID.

    APIGEE_NAMESPACE

    The Kubernetes namespace for your Apigee hybrid components.

    The default value is apigee.

    See namespace.

    PROJECT_ID Identifies the Google Cloud project where the apigee-logger and the apigee-metrics push their data. This is the value assigned to the environment variable PROJECT_ID.

    See gcp.projectID.

    ANALYTICS_REGION In GKE, you must set this value to the same region where the cluster is running. On all other platforms, select the analytics region closest to your cluster that has Analytics support (see the table in Part 1, Step 2: Create an organization).

    This is the value you assigned to the environment variable ANALYTICS_REGION previously.

    See gcp.region.

    CLUSTER_NAME Your Kubernetes cluster name. This is the value assigned to the environment variable CLUSTER_NAME.

    See k8sCluster.name.

    CLUSTER_LOCATION The region where the cluster is running. This is the region where you created the cluster in Step 1: Create a cluster.

    This is the value you assigned to the environment variable CLUSTER_LOCATION previously.

    See k8sCluster.region.

    ORG_NAME The ID of your Apigee hybrid organization. This is the value assigned to the environment variable ORG_NAME.

    See org.

    CONTROL_PLANE_LOCATION
    Required if you are using Data residency with your Apigee hybrid installation. This is the location where customer core content like proxy bundles is stored. For a list see Available Apigee API control plane regions. It is the value assigned to the CONTROL_PLANE_LOCATION environment variable in Step 2: Create an organization.

    See contractProvider.

    ENVIRONMENT_NAME Use the same name that you used when you created an environment in the UI, as explained in Project and org setup - Step 3: Create an environment group.

    See envs[].name.

    ENVIRONMENT_GROUP_NAME
    The name of the environment group your environments are assigned to. This is the group you created in Project and org setup - Step 3: Create an environment group. This is the value assigned to the environment variable ENV_GROUP.

    See virtualhosts[].name.

    INGRESS_NAME The name of the Apigee ingress gateway for your deployment. This can be any name that meets the following requirements:
    • Have a maximum length of 17 characters
    • Contain only lowercase alphanumeric characters, '-' or '.'
    • Start with an alphanumeric character
    • End with an alphanumeric character

    See:

    PATH_TO_CERT_FILE
    PATH_TO_KEY_FILE
    Enter the path and filename of the self-signed TLS key and certificate files that you generated previously in Step 6: Create TLS certificates. These files must be located in the APIGEE_HELM_CHARTS_HOME/apigee-virtualhosts/certs directory. For example:
    sslCertPath: certs/keystore.crt
    sslKeyPath: certs/keystore.key

    See:

    SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE
    (Optional). This is a key-value pair that provides annotations for your default ingress service. Your cloud platform uses annotations to help configure your hybrid installation, for example setting the loadbalancer type to either internal or external.

    Annotations vary from platform to platform. Refer to your platform documentation for required and suggested annotations.

    Comment out or delete this section if you are not using it.

    See ingressGateways[].svcAnnotations.

    <component>_SERVICE_ACCOUNT_FILEPATH
    The path and filename of the service account JSON key file in the corresponding chart directory. Provide the path relative to that chart directory. For example:
    • If the my-project-apigee-synchronizer.json file resides in the apigee-env/ chart directory, you only need to provide the file name, such as:
      synchronizer:  "FILE_NAME.json"
    • If the file resides in an apigee-env/service-accounts/ directory, you would specify a relative path:
      synchronizer:  "service-accounts/FILE_NAME.json"

    For non-production environments, the name of the single service account key file is PROJECT_ID-non-prod.json by default.

    For production environments, use the name of the service account key file that you generated with the create-service-account tool in Step 4: Create service accounts.

    You can see the service account files in each corresponding chart directory.

    The default file names and the chart directories in which the service account key files are placed are:

    Production

    Service account file name                     Chart directory
    PROJECT_ID-apigee-cassandra.json              apigee-datastore/
    PROJECT_ID-apigee-mart.json                   apigee-org/
    PROJECT_ID-apigee-metrics.json                apigee-telemetry/
    PROJECT_ID-apigee-mint-task-scheduler.json    apigee-org/
    PROJECT_ID-apigee-runtime.json                apigee-env/
    PROJECT_ID-apigee-synchronizer.json           apigee-env/
    PROJECT_ID-apigee-udca.json                   apigee-org/
    PROJECT_ID-apigee-watcher.json                apigee-org/

    Non-prod

    Service account file name                     Chart directory
    PROJECT_ID-non-prod.json                      apigee-datastore/
                                                  apigee-org/
                                                  apigee-telemetry/

    See:

    Example

    instanceID: "my_hybrid_example"
    namespace: "apigee"
    
    gcp:
      projectID: my-project
      region: us-central1
    
    k8sCluster:
      name: hybrid-env
      region: us-central1
    
    org: my-project
    
    enhanceProxyLimits: true
    
    contractProvider: https://us-apigee.googleapis.com
    
    envs:
    - name: test
      serviceAccountPaths:
        synchronizer: "my-project-apigee-non-prod.json"
        runtime: "my-project-apigee-non-prod.json"
        udca: "my-project-apigee-non-prod.json"
    
    cassandra:
      hostNetwork: false
      replicaCount: 1
    
    ingressGateways:
    - name: my-ingress-1
      replicaCountMin: 2
      replicaCountMax: 10
    
    virtualhosts:
    - name: example-env-group
      selector:
        app: apigee-ingressgateway
        ingress_name: my-ingress-1
      sslCertPath: certs/keystore.pem
      sslKeyPath: certs/keystore.key
    
    mart:
      serviceAccountPath: "my-project-apigee-non-prod.json"
    
    connectAgent:
      serviceAccountPath: "my-project-apigee-non-prod.json"
    
    logger:
      enabled: true
      serviceAccountPath: "my-project-apigee-non-prod.json"
    
    metrics:
      serviceAccountPath: "my-project-apigee-non-prod.json"
    
    udca:
      serviceAccountPath: "my-project-apigee-non-prod.json"
    
    watcher:
      serviceAccountPath: "my-project-apigee-non-prod.json"
    
    # Monetization for Apigee hybrid and message payloads larger than 10MB,
    # both under the single runtime: key:
    runtime:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1"
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi
    
    mintTaskScheduler:
      serviceAccountPath: "my-project-apigee-non-prod.json"
    

    The following table describes each of the property values that you must provide in the overrides file. For more information, see Configuration property reference.

    Variable Description
    UNIQUE_INSTANCE_IDENTIFIER

    A unique string to identify this instance. This can be any combination of letters and numbers up to 63 characters.

    You can create multiple organizations in the same cluster, but the instanceID must be the same for all orgs in the same Kubernetes cluster.

    See instanceID.

    APIGEE_NAMESPACE

    The Kubernetes namespace for your Apigee hybrid components.

    The default value is apigee.

    See namespace.

    PROJECT_ID Identifies the Google Cloud project where the apigee-logger and the apigee-metrics push their data. This is the value assigned to the environment variable PROJECT_ID.

    See gcp.projectID.

    ANALYTICS_REGION In GKE, you must set this value to the same region where the cluster is running. On all other platforms, select the analytics region closest to your cluster that has Analytics support (see the table in Part 1, Step 2: Create an organization).

    This is the value you assigned to the environment variable ANALYTICS_REGION previously.

    See gcp.region.

    CLUSTER_NAME Your Kubernetes cluster name. This is the value assigned to the environment variable CLUSTER_NAME.

    See k8sCluster.name.

    CLUSTER_LOCATION The region where the cluster is running. This is the region where you created the cluster in Step 1: Create a cluster.

    This is the value you assigned to the environment variable CLUSTER_LOCATION previously.

    See k8sCluster.region.

    ORG_NAME The ID of your Apigee hybrid organization. This is the value assigned to the environment variable ORG_NAME.

    See org.

    CONTROL_PLANE_LOCATION
    Required if you are using Data residency with your Apigee hybrid installation. This is the location where customer core content like proxy bundles is stored. For a list see Available Apigee API control plane regions. It is the value assigned to the CONTROL_PLANE_LOCATION environment variable in Step 2: Create an organization.

    See contractProvider.

    ENVIRONMENT_NAME Use the same name that you used when you created an environment in the UI, as explained in Project and org setup - Step 3: Create an environment group.

    See envs[].name.

    ENVIRONMENT_GROUP_NAME
    The name of the environment group your environments are assigned to. This is the group you created in Project and org setup - Step 3: Create an environment group. This is the value assigned to the environment variable ENV_GROUP.

    See virtualhosts[].name.

    INGRESS_NAME The name of the Apigee ingress gateway for your deployment. This can be any name that meets the following requirements:
    • Have a maximum length of 17 characters
    • Contain only lowercase alphanumeric characters, '-' or '.'
    • Start with an alphanumeric character
    • End with an alphanumeric character

    See ingressGateways[].name.

    PATH_TO_CERT_FILE
    PATH_TO_KEY_FILE
    Enter the path and filename of the self-signed TLS key and certificate files that you generated previously in Step 6: Create TLS certificates. These files must be located in the APIGEE_HELM_CHARTS_HOME/apigee-virtualhosts/certs directory. For example:
    sslCertPath: certs/keystore.crt
    sslKeyPath: certs/keystore.key

    See virtualhosts[].sslCertPath and virtualhosts[].sslKeyPath.

    SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE
    (Optional). This is a key-value pair that provides annotations for your default ingress service. Your cloud platform uses annotations to help configure your hybrid installation, for example setting the load balancer type to either internal or external.

    Annotations vary from platform to platform. Refer to your platform documentation for required and suggested annotations.

    Comment out or delete this section if you are not using it.

    See ingressGateways[].svcAnnotations.

    <component>_SERVICE_ACCOUNT_FILEPATH
    The path and file name of the component's service account JSON key file, relative to the corresponding chart directory. For example:
    • If the my-project-apigee-synchronizer.json file resides in the apigee-env/ chart directory, you only need to provide the file name:
      synchronizer:
        serviceAccountPath: "FILE_NAME.json"
    • If the file resides in an apigee-env/service-accounts/ directory, specify the relative path:
      synchronizer:
        serviceAccountPath: "service-accounts/FILE_NAME.json"

    For non-production environments, the single service account key file is named PROJECT_ID-apigee-non-prod.json by default.

    For production environments, use the name of the service account key file that you generated with the create-service-account tool in Step 4: Create service accounts.

    The key files must be present in their chart directories when you install the charts. Keep them out of source control: each one is a long-lived credential for the component's service account.

    The default file names and corresponding chart directories for the service accounts are:

    Production

    Service account file name                    Chart directory
    PROJECT_ID-apigee-cassandra.json             apigee-datastore/
    PROJECT_ID-apigee-mart.json                  apigee-org/
    PROJECT_ID-apigee-metrics.json               apigee-telemetry/
    PROJECT_ID-apigee-mint-task-scheduler.json   apigee-org/
    PROJECT_ID-apigee-runtime.json               apigee-env/
    PROJECT_ID-apigee-synchronizer.json          apigee-env/
    PROJECT_ID-apigee-udca.json                  apigee-org/
    PROJECT_ID-apigee-watcher.json               apigee-org/

    Non-prod

    Service account file name                    Chart directory
    PROJECT_ID-apigee-non-prod.json              apigee-datastore/, apigee-org/, apigee-telemetry/

    See the serviceAccountPath property of each component, for example mintTaskScheduler.serviceAccountPath.
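    As an added example (not part of the Apigee documentation or of the hybrid charts), the following Python checks a key file the way a reviewer would before running helm: that serviceAccountPath stays inside the chart directory, that the file is readable only by its owner, and that the JSON inside is a service_account key for the expected project and the expected apigee-<component> service account. The chart layout and the two key files it writes under a temporary directory are constructed stand-ins with placeholder key material; the file-name and client_email patterns follow the tables above.

```python
import json
import os
import stat
import tempfile

# Added example, not from the Apigee documentation: verifies a service account
# key file referenced by serviceAccountPath before it is handed to helm.

def check_key_file(chart_dir, rel_path, project_id, component):
    """Return the problems found with one key file ([] means it passed).

    chart_dir   the chart directory the file must live in (e.g. .../apigee-env)
    rel_path    the serviceAccountPath value, relative to chart_dir
    component   'cassandra', 'mart', ... or 'non-prod' for the single non-prod key
    """
    problems = []
    if os.path.isabs(rel_path) or ".." in rel_path.split(os.sep):
        return [f"{rel_path}: path must stay inside the chart directory"]
    path = os.path.join(chart_dir, rel_path)
    if not os.path.isfile(path):
        return [f"{rel_path}: not found under {os.path.basename(chart_dir)}/"]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other bit set
        problems.append(f"{rel_path}: mode {mode:04o} is readable by group/other; use 0600")
    try:
        with open(path, encoding="utf-8") as f:
            key = json.load(f)
    except ValueError as e:
        return problems + [f"{rel_path}: not valid JSON ({e})"]
    expected_email = f"apigee-{component}@{project_id}.iam.gserviceaccount.com"
    if key.get("type") != "service_account":
        problems.append(f"{rel_path}: 'type' is {key.get('type')!r}, expected 'service_account'")
    if key.get("project_id") != project_id:
        problems.append(f"{rel_path}: project_id {key.get('project_id')!r} != {project_id!r}")
    if key.get("client_email") != expected_email:
        problems.append(f"{rel_path}: client_email {key.get('client_email')!r} != {expected_email!r}")
    if not str(key.get("private_key", "")).startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append(f"{rel_path}: private_key is missing or not PEM")
    return problems

def _fake_key(project_id, sa_name):
    # Constructed stand-in for a downloaded key: same field names, placeholder key material.
    return {"type": "service_account", "project_id": project_id,
            "client_email": f"{sa_name}@{project_id}.iam.gserviceaccount.com",
            "private_key": "-----BEGIN PRIVATE KEY-----\nNOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n"}

def build_sample_charts(project_id="my-project"):
    """Create a throwaway $APIGEE_HELM_CHARTS_HOME with one good and one bad key file."""
    home = tempfile.mkdtemp(prefix="apigee-charts-")
    os.makedirs(os.path.join(home, "apigee-env"))
    os.makedirs(os.path.join(home, "apigee-org"))
    good = os.path.join(home, "apigee-env", f"{project_id}-apigee-synchronizer.json")
    with open(good, "w", encoding="utf-8") as f:
        json.dump(_fake_key(project_id, "apigee-synchronizer"), f)
    os.chmod(good, 0o600)
    bad = os.path.join(home, "apigee-org", f"{project_id}-apigee-mart.json")
    with open(bad, "w", encoding="utf-8") as f:
        json.dump(_fake_key("other-project", "apigee-udca"), f)  # wrong project and wrong SA
    os.chmod(bad, 0o644)  # world-readable
    return home

def demo(project_id="my-project"):
    """Check both sample files; returns {component: [problems]}."""
    home = build_sample_charts(project_id)
    return {
        "synchronizer": check_key_file(os.path.join(home, "apigee-env"),
                                       f"{project_id}-apigee-synchronizer.json", project_id, "synchronizer"),
        "mart": check_key_file(os.path.join(home, "apigee-org"),
                               f"{project_id}-apigee-mart.json", project_id, "mart"),
    }
```

    For a real installation, call check_key_file with your chart directory, the serviceAccountPath value from overrides.yaml, your project ID and the component name ('non-prod' for the single non-production key). Treat any finding as blocking: a key file that is group- or world-readable, or that belongs to another project or service account, hands a long-lived credential to every user on the build host or to the wrong workload.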

    Vault

    Production

    Template

    The UPPER_CASE placeholders are property values that you must provide. They are described in the table below.

    instanceID: UNIQUE_INSTANCE_IDENTIFIER
    namespace: APIGEE_NAMESPACE # Usually "apigee"
    
    gcp:
      projectID: PROJECT_ID
      region: ANALYTICS_REGION
    
    k8sCluster:
      name: CLUSTER_NAME
      region: CLUSTER_LOCATION # Closest Google Cloud region to your cluster.
    
    org: ORG_NAME
    
    serviceAccountSecretProviderClass: apigee-orgsakeys-spc
    
    # Required for Enhanced per-environment proxy limits:
    enhanceProxyLimits: true
    
    # Required if using data residency with hybrid:
    contractProvider: https://CONTROL_PLANE_LOCATION-apigee.googleapis.com
    
    envs:
    - name: ENVIRONMENT_NAME
      serviceAccountSecretProviderClass: apigee-envsakeys-ENVIRONMENT_NAME-spc
    
    cassandra:
      hostNetwork: false
        # Set to false for single region installations and for multi-region
        # installations with connectivity between pods in different clusters,
        # like GKE.
        # Set to true for multi-region installations with no communication
        # between pods in different clusters, for example Google Distributed
        # Cloud on VMware or bare metal, GKE on AWS, AKS, EKS, and OpenShift.
        # See Multi-region deployment: Prerequisites
      replicaCount: 3
        # Use multiples of 3 for production.
        # See Configure Cassandra for production for guidelines.
      storage:
        storageSize: 500Gi
      resources:
        requests:
          cpu: 7
          memory: 15Gi
      maxHeapSize: 8192M
      heapNewSize: 1200M
        # Minimum storage requirements for a production environment.
        # See Configure Cassandra for production.
    
    ingressGateways:
    - name: INGRESS_NAME # maximum 17 characters.
      replicaCountMin: 2
      replicaCountMax: 10
      svcAnnotations:  # optional. If you are on AKS, see Known issue #260772383
        SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE
    
    virtualhosts:
    - name: ENVIRONMENT_GROUP_NAME
      selector:
        app: apigee-ingressgateway
        ingress_name: INGRESS_NAME
      sslCertPath: PATH_TO_CERT_FILE
      sslKeyPath: PATH_TO_KEY_FILE
    
    logger:
      enabled: true
        # enabled by default
        # See apigee-logger in Service accounts and roles used by hybrid components.
    
    # Single runtime: block. YAML does not allow the same key twice at one level:
    # parsers either reject the file or keep only one block and silently drop the
    # other, so put every runtime override under this one key.
    runtime:
      # Required if using Monetization for Apigee hybrid (v1.15.1 and later):
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1" # Must be 1.15.1 or higher.
      # Required if using message payloads larger than 10MB.
      # See configure large message payload support:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi
    

    The following table describes each of the property values that you must provide in the overrides file. For more information, see Configuration property reference.

    Variable Description
    UNIQUE_INSTANCE_IDENTIFIER

    A unique string to identify this instance. This can be any combination of letters and numbers up to 63 characters.

    You can create multiple organizations in the same cluster, but the instanceID must be the same for all orgs in the same Kubernetes cluster.

    See instanceID.

    APIGEE_NAMESPACE

    The Kubernetes namespace for your Apigee hybrid components.

    The default value is apigee.

    See namespace.

    PROJECT_ID Identifies the Google Cloud project where the apigee-logger and the apigee-metrics push their data. This is the value assigned to the environment variable PROJECT_ID.

    See gcp.projectID.

    ANALYTICS_REGION On GKE, you must set this value to the region where the cluster is running. On all other platforms, select the analytics region closest to your cluster that has Analytics support (see the table in Part 1, Step 2: Create an organization).

    This is the value you assigned to the environment variable ANALYTICS_REGION previously.

    See gcp.region.

    CLUSTER_NAME Your Kubernetes cluster name. This is the value assigned to the environment variable CLUSTER_NAME.

    See k8sCluster.name.

    CLUSTER_LOCATION The region where the cluster is running. This is the region where you created the cluster in Step 1: Create a cluster.

    This is the value you assigned to the environment variable CLUSTER_LOCATION previously.

    See k8sCluster.region.

    ORG_NAME The ID of your Apigee hybrid organization. This is the value assigned to the environment variable ORG_NAME.

    See org.

    CONTROL_PLANE_LOCATION
    Required if you are using Data residency with your Apigee hybrid installation. This is the location where customer core content like proxy bundles is stored. For a list see Available Apigee API control plane regions. It is the value assigned to the CONTROL_PLANE_LOCATION environment variable in Step 2: Create an organization.

    See contractProvider.

    ENVIRONMENT_NAME Use the same name that you used when you created an environment in the UI, as explained in Project and org setup - Step 3: Create an environment group.

    See envs[].name.

    ENVIRONMENT_GROUP_NAME
    The name of the environment group your environments are assigned to. This is the group you created in Project and org setup - Step 3: Create an environment group. This is the value assigned to the environment variable ENV_GROUP.

    See virtualhosts[].name.

    INGRESS_NAME The name of the Apigee ingress gateway for your deployment. This can be any name that meets the following requirements:
    • Have a maximum length of 17 characters
    • Contain only lowercase alphanumeric characters, '-' or '.'
    • Start with an alphanumeric character
    • End with an alphanumeric character

    See ingressGateways[].name.

    PATH_TO_CERT_FILE
    PATH_TO_KEY_FILE
    Enter the path and filename of the self-signed TLS key and certificate files that you generated previously in Step 6: Create TLS certificates. These files must be located in the APIGEE_HELM_CHARTS_HOME/apigee-virtualhosts/certs directory. For example:
    sslCertPath: certs/keystore.crt
    sslKeyPath: certs/keystore.key

    See virtualhosts[].sslCertPath and virtualhosts[].sslKeyPath.

    SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE
    (Optional). This is a key-value pair that provides annotations for your default ingress service. Your cloud platform uses annotations to help configure your hybrid installation, for example setting the load balancer type to either internal or external.

    Annotations vary from platform to platform. Refer to your platform documentation for required and suggested annotations.

    Comment out or delete this section if you are not using it.

    See ingressGateways[].svcAnnotations.
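    The following linter is an added example and is not part of the Apigee documentation or the hybrid charts. It assumes the overrides.yaml layout shown in the Production template above (block-style YAML only: nested mappings, lists of mappings, scalars and # comments; no flow syntax or anchors). It reads the file with a small stdlib-only parser so that a repeated top-level key, such as a second runtime: block, is reported instead of silently collapsed, then checks the rules the property table states: the ingress name constraints, cassandra.replicaCount as a multiple of 3 for production, that every virtualhost selects an ingress that is defined, and that each env's serviceAccountSecretProviderClass follows the apigee-envsakeys-ENVIRONMENT_NAME-spc pattern. The two sample files at the bottom are constructed for the example.

```python
import re
# Added example, not from the Apigee documentation: a stdlib-only linter for the
# overrides.yaml shape shown on this page. It parses the block-style YAML subset
# the templates use, reports duplicate keys instead of silently keeping one
# block, and checks the constraints stated in the property table.
_INGRESS = re.compile(r"^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$")

def _scalar(v):
    if len(v) >= 2 and v[0] == v[-1] and v[0] in "\"'":
        return v[1:-1]
    if v in ("true", "false"):
        return v == "true"
    return int(v) if re.fullmatch(r"-?\d+", v) else v

def _parse_map(lines, pos, indent, errors):
    node = {}
    while pos[0] < len(lines):
        ln, ind, txt = lines[pos[0]]
        if ind < indent or txt.startswith("- "):
            break
        key, _, val = txt.partition(":")
        key, val = key.strip(), val.strip()
        pos[0] += 1
        if key in node:  # YAML forbids this; real parsers reject it or keep one block
            errors.append(f"line {ln}: duplicate key '{key}'")
        if val:
            node[key] = _scalar(val)
        elif pos[0] < len(lines) and lines[pos[0]][2].startswith("- "):
            node[key] = _parse_list(lines, pos, lines[pos[0]][1], errors)
        elif pos[0] < len(lines) and lines[pos[0]][1] > indent:
            node[key] = _parse_map(lines, pos, lines[pos[0]][1], errors)
        else:
            node[key] = None
    return node

def _parse_list(lines, pos, indent, errors):
    items = []
    while pos[0] < len(lines) and lines[pos[0]][1] == indent and lines[pos[0]][2].startswith("- "):
        ln, _, txt = lines[pos[0]]
        lines[pos[0]] = (ln, indent + 2, txt[2:].strip())  # "- k: v" is a map at indent+2
        items.append(_parse_map(lines, pos, indent + 2, errors))
    return items

def parse_overrides(text, errors):
    """Parse overrides text into nested dicts/lists; problems are appended to errors."""
    lines = []
    for ln, raw in enumerate(text.splitlines(), 1):
        body = raw.split(" #", 1)[0].rstrip()  # drop trailing comments
        if body.strip() and not body.lstrip().startswith("#"):
            lines.append((ln, len(body) - len(body.lstrip()), body.strip()))
    return _parse_map(lines, [0], lines[0][1] if lines else 0, errors)

def lint_overrides(text):
    """Return the problems found in a production overrides file ([] means it passed)."""
    errors = []
    cfg = parse_overrides(text, errors)
    rc = (cfg.get("cassandra") or {}).get("replicaCount")
    if not (isinstance(rc, int) and rc >= 3 and rc % 3 == 0):
        errors.append("cassandra.replicaCount must be a multiple of 3 in production")
    names = [g.get("name") for g in cfg.get("ingressGateways") or []]
    for n in names:
        if not isinstance(n, str) or len(n) > 17 or not _INGRESS.match(n):
            errors.append(f"ingress name {n!r}: max 17 chars, lowercase alphanumeric, '-' or '.', "
                          "starting and ending with an alphanumeric character")
    for vh in cfg.get("virtualhosts") or []:
        if (vh.get("selector") or {}).get("ingress_name") not in names:
            errors.append(f"virtualhost {vh.get('name')!r} selects an ingress that is not defined")
    for env in cfg.get("envs") or []:
        want = f"apigee-envsakeys-{env.get('name')}-spc"
        if env.get("serviceAccountSecretProviderClass") not in (None, want):
            errors.append(f"env {env.get('name')!r}: serviceAccountSecretProviderClass should be {want}")
    return errors

# Constructed sample modelled on the Vault production example, with three mistakes:
# a second top-level runtime: key, an ingress name longer than 17 characters, and
# an env SecretProviderClass that does not match the env name.
BAD_OVERRIDES = """\
envs:
- name: prod-env
  serviceAccountSecretProviderClass: apigee-envsakeys-test-env-spc
cassandra:
  replicaCount: 3
ingressGateways:
- name: my-production-ingress
virtualhosts:
- name: example-env-group
  selector:
    ingress_name: my-production-ingress
runtime:
  image:
    url: "gcr.io/apigee-release/hybrid/apigee-runtime"
    tag: "1.15.1"
runtime:
  cwcAppend:
    bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
"""
# The same file with the mistakes fixed; cwcAppend moves under the single runtime: key.
GOOD_OVERRIDES = (BAD_OVERRIDES
                  .replace("apigee-envsakeys-test-env-spc", "apigee-envsakeys-prod-env-spc")
                  .replace("my-production-ingress", "my-ingress-1")
                  .replace("\nruntime:\n  cwcAppend", "\n  cwcAppend"))
```

    Run it against your own file with lint_overrides(open("overrides.yaml").read()). The parsed result for the bad sample shows why the duplicate key matters: the second runtime: block replaces the first, so the pinned image tag disappears without any error from a last-wins parser. The checks encode only what this page states; a clean run is not a substitute for rendering the charts with helm.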

    Example

    instanceID: "my_hybrid_example"
    namespace: "apigee"
    
    gcp:
      projectID: my-project
      region: us-central1
    
    k8sCluster:
      name: hybrid-env
      region: us-central1
    
    org: my-project
    
    serviceAccountSecretProviderClass: apigee-orgsakeys-spc
    
    enhanceProxyLimits: true
    
    contractProvider: https://us-apigee.googleapis.com
    
    envs:
    - name: prod-env
      serviceAccountSecretProviderClass: apigee-envsakeys-prod-env-spc
    
    cassandra:
      hostNetwork: false
      replicaCount: 3
      storage:
        storageSize: 500Gi
      resources:
        requests:
          cpu: 7
          memory: 15Gi
      maxHeapSize: 8192M
      heapNewSize: 1200M
    
    ingressGateways:
    - name: my-ingress-1
      replicaCountMin: 2
      replicaCountMax: 10
    
    virtualhosts:
    - name: example-env-group
      selector:
        app: apigee-ingressgateway
        ingress_name: my-ingress-1
      sslCertPath: certs/keystore.pem
      sslKeyPath: certs/keystore.key
    
    logger:
      enabled: true
    
    # Monetization for Apigee hybrid. Keep every runtime override under one
    # runtime: key; a second runtime: key at the same level is a duplicate
    # mapping key, which parsers reject or silently collapse to one block.
    runtime:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1"
      # For message payloads larger than 10MB:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi
    


    Non-prod

    Template

    The UPPER_CASE placeholders are property values that you must provide. They are described in the property table under the Production template above.

    instanceID: UNIQUE_INSTANCE_IDENTIFIER
    namespace: APIGEE_NAMESPACE # Usually "apigee"
    
    gcp:
      projectID: PROJECT_ID
      region: ANALYTICS_REGION
    
    k8sCluster:
      name: CLUSTER_NAME
      region: CLUSTER_LOCATION # Closest Google Cloud region to your cluster.
    
    org: ORG_NAME
    
    serviceAccountSecretProviderClass: apigee-orgsakeys-spc
    
    # Required for Enhanced per-environment proxy limits:
    enhanceProxyLimits: true
    
    # Required if using data residency with hybrid:
    contractProvider: https://CONTROL_PLANE_LOCATION-apigee.googleapis.com
    
    envs:
    - name: ENVIRONMENT_NAME
      serviceAccountSecretProviderClass: apigee-envsakeys-ENVIRONMENT_NAME-spc
    
    cassandra:
      hostNetwork: false
        # Set to false for single region installations and for multi-region
        # installations with connectivity between pods in different clusters,
        # like GKE.
        # Set to true for multi-region installations with no communication
        # between pods in different clusters, for example Google Distributed
        # Cloud on VMware or bare metal, GKE on AWS, AKS, EKS, and OpenShift.
        # See Multi-region deployment: Prerequisites
      replicaCount: 1
        # Use 1 for non-prod installations and multiples of 3 for production.
        # See Configure Cassandra for production for guidelines.
    
    ingressGateways:
    - name: INGRESS_NAME # maximum 17 characters.
      replicaCountMin: 2
      replicaCountMax: 10
      svcAnnotations:  # optional. If you are on AKS, see Known issue #260772383
        SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE
    
    virtualhosts:
    - name: ENVIRONMENT_GROUP_NAME
      selector:
        app: apigee-ingressgateway
        ingress_name: INGRESS_NAME
      sslCertPath: PATH_TO_CERT_FILE
      sslKeyPath: PATH_TO_KEY_FILE
    
    logger:
      enabled: true
        # enabled by default
        # See apigee-logger in Service accounts and roles used by hybrid components.
    
    # Single runtime: block. YAML does not allow the same key twice at one level:
    # parsers either reject the file or keep only one block and silently drop the
    # other, so put every runtime override under this one key.
    runtime:
      # Required if using Monetization for Apigee hybrid (v1.15.1 and later):
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1" # Must be 1.15.1 or higher.
      # Required if using message payloads larger than 10MB.
      # See configure large message payload support:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi
    


    Example

    instanceID: "my_hybrid_example"
    namespace: "apigee"
    
    gcp:
      projectID: my-project
      region: us-central1
    
    k8sCluster:
      name: hybrid-env
      region: us-central1
    
    org: my-project
    
    serviceAccountSecretProviderClass: apigee-orgsakeys-spc
    
    enhanceProxyLimits: true
    
    contractProvider: https://us-apigee.googleapis.com
    
    envs:
    - name: test
      serviceAccountSecretProviderClass: apigee-envsakeys-test-spc
    
    cassandra:
      hostNetwork: false
      replicaCount: 1
    
    ingressGateways:
    - name: my-ingress-1
      replicaCountMin: 2
      replicaCountMax: 10
    
    virtualhosts:
    - name: example-env-group
      selector:
        app: apigee-ingressgateway
        ingress_name: my-ingress-1
      sslCertPath: certs/keystore.pem
      sslKeyPath: certs/keystore.key
    
    logger:
      enabled: true
    
    # Monetization for Apigee hybrid. Keep every runtime override under one
    # runtime: key; a second runtime: key at the same level is a duplicate
    # mapping key, which parsers reject or silently collapse to one block.
    runtime:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1"
      # For message payloads larger than 10MB:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi
    


    WIF for GKE

    Production

    Template

    The UPPER_CASE placeholders are property values that you must provide. They are described in the table below.

    instanceID: UNIQUE_INSTANCE_IDENTIFIER
    namespace: APIGEE_NAMESPACE # Usually "apigee"
    
    gcp:
      projectID: PROJECT_ID
      region: ANALYTICS_REGION
      workloadIdentity:
        enabled: true
    
    k8sCluster:
      name: CLUSTER_NAME
      region: CLUSTER_LOCATION # Closest Google Cloud region to your cluster.
    
    org: ORG_NAME
    
    # Required for Enhanced per-environment proxy limits:
    enhanceProxyLimits: true
    
    # Required if using data residency with hybrid:
    contractProvider: https://CONTROL_PLANE_LOCATION-apigee.googleapis.com
    
    envs:
    - name: ENVIRONMENT_NAME
      gsa:
        synchronizer: SYNCHRONIZER_SERVICE_ACCOUNT_EMAIL
          # For example: "apigee-synchronizer@PROJECT_ID.iam.gserviceaccount.com"
        runtime: RUNTIME_SERVICE_ACCOUNT_EMAIL
          # For example: "apigee-runtime@PROJECT_ID.iam.gserviceaccount.com"
        udca: UDCA_SERVICE_ACCOUNT_EMAIL
          # For example: "apigee-udca@PROJECT_ID.iam.gserviceaccount.com"
    
    cassandra:
      hostNetwork: false
        # Set to false for single region installations and for multi-region
        # installations with connectivity between pods in different clusters,
        # like GKE.
        # Set to true for multi-region installations with no communication
        # between pods in different clusters, for example Google Distributed
        # Cloud on VMware or bare metal, GKE on AWS, AKS, EKS, and OpenShift.
        # See Multi-region deployment: Prerequisites
      replicaCount: 3
        # Use multiples of 3 for production.
        # See Configure Cassandra for production for guidelines.
      storage:
        storageSize: 500Gi
      resources:
        requests:
          cpu: 7
          memory: 15Gi
      maxHeapSize: 8192M
      heapNewSize: 1200M
        # Minimum storage requirements for a production environment.
        # See Configure Cassandra for production.
      backup:
        enabled: true # Required to create the Cassandra Kubernetes service accounts
                      # for Workload Identity Federation for GKE
                      # See Cassandra backup overview.
    
    ingressGateways:
    - name: INGRESS_NAME # maximum 17 characters.
      replicaCountMin: 2
      replicaCountMax: 10
      svcAnnotations:  # optional. If you are on AKS, see Known issue #260772383
        SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE
    
    virtualhosts:
    - name: ENVIRONMENT_GROUP_NAME
      selector:
        app: apigee-ingressgateway
        ingress_name: INGRESS_NAME
      sslCertPath: PATH_TO_CERT_FILE
      sslKeyPath: PATH_TO_KEY_FILE
    
    mart:
      gsa: MART_SERVICE_ACCOUNT_EMAIL
        # For example: "apigee-mart@PROJECT_ID.iam.gserviceaccount.com"
    
    connectAgent:
      gsa: MART_SERVICE_ACCOUNT_EMAIL
        # Use the same service account email for mart and connectAgent
        # For example: "apigee-mart@PROJECT_ID.iam.gserviceaccount.com"
    
    logger:
      enabled: true
        # enabled by default
        # See apigee-logger in Service accounts and roles used by hybrid components.
      gsa: LOGGER_SERVICE_ACCOUNT_EMAIL
        # For example: "apigee-logger@PROJECT_ID.iam.gserviceaccount.com"
    
    metrics:
      gsa: METRICS_SERVICE_ACCOUNT_EMAIL
        # For example: "apigee-metrics@PROJECT_ID.iam.gserviceaccount.com"
    
    udca:
      gsa: UDCA_SERVICE_ACCOUNT_EMAIL
        # For example: "apigee-udca@PROJECT_ID.iam.gserviceaccount.com"
    
    watcher:
      gsa: WATCHER_SERVICE_ACCOUNT_EMAIL
        # For example: "apigee-watcher@PROJECT_ID.iam.gserviceaccount.com"
    
    # Required if using Monetization for Apigee hybrid (v1.15.1 and later)
    runtime:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1" # Must be 1.15.1 or higher.
      # If using message payloads larger than 10MB.
      # See configure large message payload support:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi
      # Keep both optional settings under this single runtime: key. A second
      # top-level runtime: key is a duplicate YAML mapping key, which a parser
      # either rejects or resolves by keeping only the last block.
    
    mintTaskScheduler: # Required for Monetization for Apigee hybrid
      gsa: MINT_TASK_SCHEDULER_SERVICE_ACCOUNT_EMAIL
        # For example: "apigee-mint-task-scheduler@PROJECT_ID.iam.gserviceaccount.com"
    

    The following table describes each of the property values that you must provide in the overrides file. For more information, see Configuration property reference.

    Variable Description
    UNIQUE_INSTANCE_IDENTIFIER

    A unique string to identify this instance. This can be any combination of letters and numbers up to 63 characters.

    You can create multiple organizations in the same cluster, but the instanceID must be the same for all orgs in the same Kubernetes cluster.

    See instanceID.

    APIGEE_NAMESPACE

    The Kubernetes namespace for your Apigee hybrid components.

    The default value is apigee.

    See namespace.

    PROJECT_ID Identifies the Google Cloud project where the apigee-logger and the apigee-metrics push their data. This is the value assigned to the environment variable PROJECT_ID.

    See gcp.projectID.

    ANALYTICS_REGION In GKE, you must set this value to the same region where the cluster is running. On all other platforms, select the analytics region closest to your cluster that has Analytics support (see the table in Part 1, Step 2: Create an organization).

    This is the value you assigned to the environment variable ANALYTICS_REGION previously.

    See gcp.region.

    CLUSTER_NAME Your Kubernetes cluster name. This is the value assigned to the environment variable CLUSTER_NAME.

    See k8sCluster.name.

    CLUSTER_LOCATION The region where the cluster is running. This is the region where you created the cluster in Step 1: Create a cluster.

    This is the value you assigned to the environment variable CLUSTER_LOCATION previously.

    See k8sCluster.location.

    ORG_NAME The ID of your Apigee hybrid organization. This is the value assigned to the environment variable ORG_NAME.

    See org.

    CONTROL_PLANE_LOCATION
    Required if you are using Data residency with your Apigee hybrid installation. This is the location where customer core content like proxy bundles is stored. For a list see Available Apigee API control plane regions. It is the value assigned to the CONTROL_PLANE_LOCATION environment variable in Step 2: Create an organization.

    See contractProvider.

    ENVIRONMENT_NAME Use the same name that you used when you created an environment in the UI, as explained in Project and org setup - Step 3: Create an environment group.

    See envs[].name.

    ENVIRONMENT_GROUP_NAME
    The name of the environment group your environments are assigned to. This is the group you created in Project and org setup - Step 3: Create an environment group. This is the value assigned to the environment variable ENV_GROUP.

    See virtualhosts[].name.

    INGRESS_NAME The name of the Apigee ingress gateway for your deployment. This can be any name that meets the following requirements:
    • Have a maximum length of 17 characters
    • Contain only lowercase alphanumeric characters, '-' or '.'
    • Start with an alphanumeric character
    • End with an alphanumeric character

    See:

    PATH_TO_CERT_FILE
    PATH_TO_KEY_FILE
    Enter the path and filename of the self-signed TLS key and certificate files that you generated previously in Step 6: Create TLS certificates. These files must be located in the APIGEE_HELM_CHARTS_HOME/apigee-virtualhosts/certs directory. For example:
    sslCertPath: certs/keystore.crt
    sslKeyPath: certs/keystore.key

    See:

    SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE
    (Optional) This is a key-value pair that provides annotations for your default ingress service. Your cloud platform uses annotations to help configure your hybrid installation, for example setting the load balancer type to either internal or external.

    Annotations vary from platform to platform. Refer to your platform documentation for required and suggested annotations.

    Comment out or delete this section if you are not using it.

    See ingressGateways[].svcAnnotations.

    <component>_SERVICE_ACCOUNT_EMAIL
    The service account email addresses for the Google service accounts (GSA) you need to supply if you are using Workload Identity Federation for GKE. These are the service accounts you created in Step 4: Create service accounts. You can find the email addresses for the service accounts with the following command:
    gcloud iam service-accounts list \
      --project ${PROJECT_ID} \
      --filter "apigee"

    See:
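    The following script is an added example, not part of the Apigee documentation or the Helm charts. It checks an overrides file against the constraints this table states (the INGRESS_NAME rules, certificate paths under certs/, the shared mart and connectAgent service account, the production Cassandra replica count, the Monetization runtime tag) and flags the duplicate top-level runtime: key that pasting both optional runtime snippets as separate blocks would create. The function and constant names are the example's own, and it works on an already-parsed dict so that it needs no YAML library; the sample input is constructed.

```python
"""Pre-flight checks for an Apigee hybrid overrides.yaml.

Added example, not part of the Apigee documentation or the Helm charts. It
checks constraints this page states and flags a duplicate top-level runtime:
key. SAMPLE_TEXT and SAMPLE are constructed inputs for the example.
"""
import re

INGRESS_NAME_RE = re.compile(r"^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$")
CONTRACT_PROVIDER_RE = re.compile(r"^https://[a-z0-9-]+-apigee\.googleapis\.com$")
TOP_LEVEL_KEY_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*):")


def duplicate_top_level_keys(text):
    """Top-level YAML keys that appear more than once. A parser either rejects
    a duplicate mapping key or keeps only the last block, so a second runtime:
    block silently drops the first. Small scan: an unindented 'name:' line is a
    top-level key, and comment lines never match."""
    seen, dups = set(), []
    for line in text.splitlines():
        m = TOP_LEVEL_KEY_RE.match(line)
        if m:
            key = m.group(1)
            if key in seen and key not in dups:
                dups.append(key)
            seen.add(key)
    return dups


def version_at_least(tag, minimum):
    """Numeric comparison of dotted versions, so '1.15.10' >= '1.15.1'."""
    return tuple(map(int, tag.split("."))) >= tuple(map(int, minimum.split(".")))


def lookup(o, path):
    """Walk a dotted path through nested dicts; None if any part is missing."""
    for part in path.split("."):
        o = o.get(part) if isinstance(o, dict) else None
    return o


def check_overrides(o, production):
    """Return a list of findings; an empty list means the checks pass."""
    f = []
    if not 1 <= len(o.get("instanceID", "")) <= 63:
        f.append("instanceID must be 1 to 63 characters")
    for path in ("namespace", "gcp.projectID", "gcp.region",
                 "k8sCluster.name", "k8sCluster.region", "org"):
        if not lookup(o, path):
            f.append(f"{path} is required")
    if not o.get("envs") or not all(e.get("name") for e in o["envs"]):
        f.append("envs[] must list at least one named environment")
    cp = o.get("contractProvider")
    if cp and not CONTRACT_PROVIDER_RE.match(cp):
        f.append("contractProvider must be https://CONTROL_PLANE_LOCATION-apigee.googleapis.com")
    gateways = set()
    for gw in o.get("ingressGateways", []):
        name = gw.get("name", "")
        gateways.add(name)
        # Max 17 chars, lowercase alphanumeric, '-' or '.', alphanumeric at both ends.
        if len(name) > 17 or not INGRESS_NAME_RE.match(name):
            f.append(f"ingress name {name!r} violates the INGRESS_NAME rules")
    for vh in o.get("virtualhosts", []):
        ref = lookup(vh, "selector.ingress_name")
        if ref not in gateways:
            f.append(f"virtualhost {vh.get('name')!r} selects unknown ingress {ref!r}")
        for key in ("sslCertPath", "sslKeyPath"):
            if not str(vh.get(key, "")).startswith("certs/"):
                f.append(f"{key} must point into apigee-virtualhosts/certs/")
    mart, agent = lookup(o, "mart.gsa"), lookup(o, "connectAgent.gsa")
    if mart and agent and mart != agent:
        f.append("mart.gsa and connectAgent.gsa must name the same service account")
    rc = lookup(o, "cassandra.replicaCount") or 0
    if production and (rc < 3 or rc % 3):
        f.append(f"cassandra.replicaCount {rc} is not a multiple of 3 (production)")
    tag = lookup(o, "runtime.image.tag")
    if tag and not version_at_least(tag, "1.15.1"):
        f.append(f"runtime image tag {tag} is below the 1.15.1 Monetization minimum")
    return f


# Constructed sample: the page's production example with both optional
# runtime: snippets pasted in as separate top-level blocks.
SAMPLE_TEXT = ('instanceID: "my_hybrid_example"\nruntime:\n  image:\n    tag: "1.15.1"\n'
               '# For message payloads larger than 10MB:\nruntime:\n  cwcAppend:\n'
               '    bin_setenv_max_mem: 4096m\n')
SAMPLE = {
    "instanceID": "my_hybrid_example", "namespace": "apigee", "org": "my-project",
    "gcp": {"projectID": "my-project", "region": "us-central1"},
    "k8sCluster": {"name": "hybrid-env", "region": "us-central1"},
    "contractProvider": "https://us-apigee.googleapis.com",
    "envs": [{"name": "prod-env"}],
    "cassandra": {"hostNetwork": False, "replicaCount": 3},
    "ingressGateways": [{"name": "my-ingress-1"}],
    "virtualhosts": [{"name": "example-env-group", "selector": {"ingress_name": "my-ingress-1"},
                      "sslCertPath": "certs/keystore.pem", "sslKeyPath": "certs/keystore.key"}],
    "mart": {"gsa": "apigee-mart@my-project.iam.gserviceaccount.com"},
    "connectAgent": {"gsa": "apigee-mart@my-project.iam.gserviceaccount.com"},
    "runtime": {"image": {"tag": "1.15.1"}},
}
```

For a real file, parse it with a YAML library into a dict, pass that dict to check_overrides and the raw text to duplicate_top_level_keys.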

    Example

    instanceID: "my_hybrid_example"
    namespace: "apigee"
    
    gcp:
      projectID: my-project
      region: us-central1
      workloadIdentity:
        enabled: true
    
    k8sCluster:
      name: hybrid-env
      region: us-central1
    
    org: my-project
    
    enhanceProxyLimits: true
    
    contractProvider: https://us-apigee.googleapis.com
    
    envs:
    - name: prod-env
      gsa:
        synchronizer: "apigee-synchronizer@my-project.iam.gserviceaccount.com"
        runtime: "apigee-runtime@my-project.iam.gserviceaccount.com"
        udca: "apigee-udca@my-project.iam.gserviceaccount.com"
    
    cassandra:
      hostNetwork: false
      replicaCount: 3
      storage:
        storageSize: 500Gi
      resources:
        requests:
          cpu: 7
          memory: 15Gi
      maxHeapSize: 8192M
      heapNewSize: 1200M
    
    ingressGateways:
    - name: my-ingress-1
      replicaCountMin: 2
      replicaCountMax: 10
    
    virtualhosts:
    - name: example-env-group
      selector:
        app: apigee-ingressgateway
        ingress_name: my-ingress-1
      sslCertPath: certs/keystore.pem
      sslKeyPath: certs/keystore.key
    
    mart:
      gsa: "apigee-mart@my-project.iam.gserviceaccount.com"
    
    connectAgent:
      gsa: "apigee-mart@my-project.iam.gserviceaccount.com"
    
    logger:
      enabled: true
      gsa: "apigee-logger@my-project.iam.gserviceaccount.com"
    
    metrics:
      gsa: "apigee-metrics@my-project.iam.gserviceaccount.com"
    
    udca:
      gsa: "apigee-udca@my-project.iam.gserviceaccount.com"
    
    watcher:
      gsa: "apigee-watcher@my-project.iam.gserviceaccount.com"
    
    # Monetization for Apigee hybrid
    runtime:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1"
      # For message payloads larger than 10MB:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi
      # Both optional settings sit under one runtime: key; a second top-level
      # runtime: key would be a duplicate YAML mapping key.
    
    mintTaskScheduler:
      gsa: "apigee-mint-task-scheduler@my-project.iam.gserviceaccount.com"
    


    Non-prod

    Template

    Placeholder values written in capitals, such as UNIQUE_INSTANCE_IDENTIFIER, are property values that you must provide. They are described in the table below.

    instanceID: UNIQUE_INSTANCE_IDENTIFIER
    namespace: APIGEE_NAMESPACE # Usually "apigee"
    
    gcp:
      projectID: PROJECT_ID
      region: ANALYTICS_REGION
      workloadIdentity:
        enabled: true
        gsa: "NON_PROD_SERVICE_ACCOUNT_EMAIL"
        # For example: "apigee-non-prod@PROJECT_ID.iam.gserviceaccount.com"
    
    k8sCluster:
      name: CLUSTER_NAME
      region: CLUSTER_LOCATION # Closest Google Cloud region to your cluster.
    
    org: ORG_NAME
    
    # Required for Enhanced per-environment proxy limits:
    enhanceProxyLimits: true
    
    # Required if using data residency with hybrid:
    contractProvider: https://CONTROL_PLANE_LOCATION-apigee.googleapis.com
    
    envs:
    - name: ENVIRONMENT_NAME
    
    cassandra:
      hostNetwork: false
        # Set to false for single region installations and for multi-region
        # installations with connectivity between pods in different clusters,
        # like GKE.
        # Set to true for multi-region installations with no communication
        # between pods in different clusters, for example Google Distributed
        # Cloud on VMware or bare metal, GKE on AWS, AKS, EKS, and OpenShift.
        # See Multi-region deployment: Prerequisites
      replicaCount: 1
        # Use 1 for non-prod installations and multiples of 3 for production.
        # See Configure Cassandra for production for guidelines.
    
    ingressGateways:
    - name: INGRESS_NAME # maximum 17 characters.
      replicaCountMin: 2
      replicaCountMax: 10
      svcAnnotations:  # optional. If you are on AKS, see Known issue #260772383
        SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE
    
    virtualhosts:
    - name: ENVIRONMENT_GROUP_NAME
      selector:
        app: apigee-ingressgateway
        ingress_name: INGRESS_NAME
      sslCertPath: PATH_TO_CERT_FILE
      sslKeyPath: PATH_TO_KEY_FILE
    
    logger:
      enabled: true
        # enabled by default
        # See apigee-logger in Service accounts and roles used by hybrid components.
    
    # Required if using Monetization for Apigee hybrid (v1.15.1 and later)
    runtime:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1" # Must be 1.15.1 or higher.
      # If using message payloads larger than 10MB.
      # See configure large message payload support:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi
      # Keep both optional settings under this single runtime: key. A second
      # top-level runtime: key is a duplicate YAML mapping key, which a parser
      # either rejects or resolves by keeping only the last block.
    

    The following table describes each of the property values that you must provide in the overrides file. For more information, see Configuration property reference.

    Variable Description
    UNIQUE_INSTANCE_IDENTIFIER

    A unique string to identify this instance. This can be any combination of letters and numbers up to 63 characters.

    You can create multiple organizations in the same cluster, but the instanceID must be the same for all orgs in the same Kubernetes cluster.

    See instanceID.

    APIGEE_NAMESPACE

    The Kubernetes namespace for your Apigee hybrid components.

    The default value is apigee.

    See namespace.

    PROJECT_ID Identifies the Google Cloud project where the apigee-logger and the apigee-metrics push their data. This is the value assigned to the environment variable PROJECT_ID.

    See gcp.projectID.

    ANALYTICS_REGION In GKE, you must set this value to the same region where the cluster is running. On all other platforms, select the analytics region closest to your cluster that has Analytics support (see the table in Part 1, Step 2: Create an organization).

    This is the value you assigned to the environment variable ANALYTICS_REGION previously.

    See gcp.region.

    NON_PROD_SERVICE_ACCOUNT_EMAIL
    The service account email address for the non-prod Google service account (GSA). This is the apigee-non-prod service account you created in Step 4: Create service accounts.

    If you are using Workload Identity Federation for GKE in a non-prod installation, specify the service account email address for the gcp.workloadIdentity.gsa property. You will not need to add the gsa property for any individual components.

    You can find the email addresses for the service accounts with the following command:

    gcloud iam service-accounts list \
      --project ${PROJECT_ID} \
      --filter "apigee"

    See gcp.workloadIdentity.gsa.

    CLUSTER_NAME Your Kubernetes cluster name. This is the value assigned to the environment variable CLUSTER_NAME.

    See k8sCluster.name.

    CLUSTER_LOCATION The region where the cluster is running. This is the region where you created the cluster in Step 1: Create a cluster.

    This is the value you assigned to the environment variable CLUSTER_LOCATION previously.

    See k8sCluster.location.

    ORG_NAME The ID of your Apigee hybrid organization. This is the value assigned to the environment variable ORG_NAME.

    See org.

    CONTROL_PLANE_LOCATION
    Required if you are using Data residency with your Apigee hybrid installation. This is the location where customer core content like proxy bundles is stored. For a list see Available Apigee API control plane regions. It is the value assigned to the CONTROL_PLANE_LOCATION environment variable in Step 2: Create an organization.

    See contractProvider.

    ENVIRONMENT_NAME Use the same name that you used when you created an environment in the UI, as explained in Project and org setup - Step 3: Create an environment group.

    See envs[].name.

    ENVIRONMENT_GROUP_NAME
    The name of the environment group your environments are assigned to. This is the group you created in Project and org setup - Step 3: Create an environment group. This is the value assigned to the environment variable ENV_GROUP.

    See virtualhosts[].name.

    INGRESS_NAME The name of the Apigee ingress gateway for your deployment. This can be any name that meets the following requirements:
    • Have a maximum length of 17 characters
    • Contain only lowercase alphanumeric characters, '-' or '.'
    • Start with an alphanumeric character
    • End with an alphanumeric character

    See:

    PATH_TO_CERT_FILE
    PATH_TO_KEY_FILE
    Enter the path and filename of the self-signed TLS key and certificate files that you generated previously in Step 6: Create TLS certificates. These files must be located in the APIGEE_HELM_CHARTS_HOME/apigee-virtualhosts/certs directory. For example:
    sslCertPath: certs/keystore.crt
    sslKeyPath: certs/keystore.key

    See:

    SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE
    (Optional) This is a key-value pair that provides annotations for your default ingress service. Your cloud platform uses annotations to help configure your hybrid installation, for example setting the load balancer type to either internal or external.

    Annotations vary from platform to platform. Refer to your platform documentation for required and suggested annotations.

    Comment out or delete this section if you are not using it.

    See ingressGateways[].svcAnnotations.

    Example

    instanceID: "my_hybrid_example"
    namespace: "apigee"
    
    gcp:
      projectID: my-project
      region: us-central1
      workloadIdentity:
        enabled: true
        gsa: "apigee-non-prod@my-project.iam.gserviceaccount.com"
    
    k8sCluster:
      name: hybrid-env
      region: us-central1
    
    org: my-project
    
    enhanceProxyLimits: true
    
    contractProvider: https://us-apigee.googleapis.com
    
    envs:
    - name: test
    
    cassandra:
      hostNetwork: false
      replicaCount: 1
    
    ingressGateways:
    - name: my-ingress-1
      replicaCountMin: 2
      replicaCountMax: 10
    
    virtualhosts:
    - name: example-env-group
      selector:
        app: apigee-ingressgateway
        ingress_name: my-ingress-1
      sslCertPath: certs/keystore.pem
      sslKeyPath: certs/keystore.key
    
    logger:
      enabled: true
    
    # Monetization for Apigee hybrid
    runtime:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1"
      # For message payloads larger than 10MB:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi
      # Both optional settings sit under one runtime: key; a second top-level
      # runtime: key would be a duplicate YAML mapping key.
    


    WIF on other platforms

    WIF: secrets

    Production

    Template

    Placeholder values written in capitals, such as UNIQUE_INSTANCE_IDENTIFIER, are property values that you must provide. They are described in the table below.

    instanceID: UNIQUE_INSTANCE_IDENTIFIER
    namespace: APIGEE_NAMESPACE # Usually "apigee"
    
    gcp:
      projectID: PROJECT_ID
      region: ANALYTICS_REGION
      workloadIdentity:
        enabled: false # Must be set to false to use
          # Workload Identity Federation on other platforms.
      federatedWorkloadIdentity:
        enabled: true
        audience: "AUDIENCE"
        credentialSourceFile: "/var/run/service-account/token"
    
    k8sCluster:
      name: CLUSTER_NAME
      region: CLUSTER_LOCATION # Closest Google Cloud region to your cluster.
    
    org: ORG_NAME
    
    # Required for Enhanced per-environment proxy limits:
    enhanceProxyLimits: true
    
    # Required if using data residency with hybrid:
    contractProvider: https://CONTROL_PLANE_LOCATION-apigee.googleapis.com
    
    envs:
    - name: ENVIRONMENT_NAME
      serviceAccountSecretRefs:
        synchronizer: SYNCHRONIZER_WORKLOAD_IDENTITY_SECRET
          # For example: "synchronizer-workload-identity-secret"
        runtime: RUNTIME_WORKLOAD_IDENTITY_SECRET
          # For example: "runtime-workload-identity-secret"
        udca: UDCA_WORKLOAD_IDENTITY_SECRET
          # For example: "udca-workload-identity-secret"
    
    cassandra:
      hostNetwork: false
        # Set to false for single region installations and for multi-region
        # installations with connectivity between pods in different clusters,
        # like GKE.
        # Set to true for multi-region installations with no communication
        # between pods in different clusters, for example Google Distributed
        # Cloud on VMware or bare metal, GKE on AWS, AKS, EKS, and OpenShift.
        # See Multi-region deployment: Prerequisites
      replicaCount: 3
        # Use multiples of 3 for production.
        # See Configure Cassandra for production for guidelines.
      storage:
        storageSize: 500Gi
      resources:
        requests:
          cpu: 7
          memory: 15Gi
      maxHeapSize: 8192M
      heapNewSize: 1200M
        # Minimum storage requirements for a production environment.
        # See Configure Cassandra for production.
    
    ingressGateways:
    - name: INGRESS_NAME # maximum 17 characters.
      replicaCountMin: 2
      replicaCountMax: 10
      svcAnnotations:  # optional. If you are on AKS, see Known issue #260772383
        SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE
    
    virtualhosts:
    - name: ENVIRONMENT_GROUP_NAME
      selector:
        app: apigee-ingressgateway
        ingress_name: INGRESS_NAME
      sslCertPath: PATH_TO_CERT_FILE
      sslKeyPath: PATH_TO_KEY_FILE
    
    mart:
      serviceAccountPath: MART_WORKLOAD_IDENTITY_SECRET
        # For example: "mart-workload-identity-secret"
    
    connectAgent:
      serviceAccountPath: MART_WORKLOAD_IDENTITY_SECRET
        # Use the same secret for mart and connectAgent
        # For example: "mart-workload-identity-secret"
    
    logger:
      enabled: false
        # apigee-logger does not support Workload Identity Federation.
        # See Known issue #341099433.
        # If you want to enable the apigee-logger component, create a
        # Kubernetes secret for apigee-logger by following the steps
        # under Kubernetes secrets in
        # Step 5: Set up service account authentication.
        # Provide a reference to the secret with the
        # logger.serviceAccountRef property.
    
    metrics:
      serviceAccountPath: METRICS_WORKLOAD_IDENTITY_SECRET
        # For example: "metrics-workload-identity-secret"
    
    udca:
      serviceAccountPath: UDCA_WORKLOAD_IDENTITY_SECRET
        # For example: "udca-workload-identity-secret"
    
    watcher:
      serviceAccountPath: WATCHER_WORKLOAD_IDENTITY_SECRET
        # For example: "watcher-workload-identity-secret"
    
    # Required if using Monetization for Apigee hybrid (v1.15.1 and later)
    runtime:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1" # Must be 1.15.1 or higher.
      # If using message payloads larger than 10MB.
      # See configure large message payload support:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi
      # Keep both optional settings under this single runtime: key. A second
      # top-level runtime: key is a duplicate YAML mapping key, which a parser
      # either rejects or resolves by keeping only the last block.
    
    mintTaskScheduler: # Required for Monetization for Apigee hybrid
      serviceAccountRef: MINT_TASK_SCHEDULER_WORKLOAD_IDENTITY_SECRET
        # For example: "apigee-mint-task-scheduler-workload-identity-secret"
    

    The following table describes each of the property values that you must provide in the overrides file. For more information, see Configuration property reference.

    Variable Description
    UNIQUE_INSTANCE_IDENTIFIER

    A unique string to identify this instance. This can be any combination of letters and numbers up to 63 characters.

    You can create multiple organizations in the same cluster, but the instanceID must be the same for all orgs in the same Kubernetes cluster.

    See instanceID.

    APIGEE_NAMESPACE

    The Kubernetes namespace for your Apigee hybrid components.

    The default value is apigee.

    See namespace.

    PROJECT_ID Identifies the Google Cloud project where the apigee-logger and the apigee-metrics push their data. This is the value assigned to the environment variable PROJECT_ID.

    See gcp.projectID.

    ANALYTICS_REGION In GKE, you must set this value to the same region where the cluster is running. On all other platforms, select the analytics region closest to your cluster that has Analytics support (see the table in Part 1, Step 2: Create an organization).

    This is the value you assigned to the environment variable ANALYTICS_REGION previously.

    See gcp.region.

    AUDIENCE The allowed audience of the Workload Identity Provider. You can find the value by searching any of the credential configuration files for the term audience:. The audience value is the same in each credential configuration file.

    For example, in the following sample apigee-udca-credential-configuration.json file:

    {
      "universe_domain": "googleapis.com",
      "type": "external_account",
      "audience": "AUDIENCE",
      "subject_token_type": "TOKEN_TYPE",
      "token_url": "TOKEN_URL",
      "service_account_impersonation_url": "IMPERSONATION_URL",
      "credential_source": {
        "file": "FILE_PATH",
        "format": {
          "type": "text"
        }
      }
    }

    The audience value will look something like the following (without line breaks):

    "//iam.googleapis.com/projects/123456789012/
    locations/global/workloadIdentityPools/
    POOL_ID/providers/WORKLOAD_PROVIDER_ID"
              

    See gcp.federatedWorkloadIdentity.audience.

    CLUSTER_NAME Your Kubernetes cluster name. This is the value assigned to the environment variable CLUSTER_NAME.

    See k8sCluster.name.

    CLUSTER_LOCATION The region where the cluster is running. This is the region where you created the cluster in Step 1: Create a cluster.

    This is the value you assigned to the environment variable CLUSTER_LOCATION previously.

    See k8sCluster.region (the region property under k8sCluster in the template).

    ORG_NAME The ID of your Apigee hybrid organization. This is the value assigned to the environment variable ORG_NAME.

    See org.

    CONTROL_PLANE_LOCATION
    Required if you are using Data residency with your Apigee hybrid installation. This is the location where customer core content like proxy bundles is stored. For a list see Available Apigee API control plane regions. It is the value assigned to the CONTROL_PLANE_LOCATION environment variable in Step 2: Create an organization.

    See contractProvider.

    ENVIRONMENT_NAME Use the same name that you used when you created an environment in the UI, as explained in Project and org setup - Step 3: Create an environment group.

    See envs[].name.

    ENVIRONMENT_GROUP_NAME
    The name of the environment group your environments are assigned to. This is the group you created in Project and org setup - Step 3: Create an environment group. This is the value assigned to the environment variable ENV_GROUP.

    See virtualhosts[].name.

    INGRESS_NAME The name of the Apigee ingress gateway for your deployment. This can be any name that meets the following requirements:
    • Has a maximum length of 17 characters
    • Contains only lowercase alphanumeric characters, '-' or '.'
    • Starts with an alphanumeric character
    • Ends with an alphanumeric character

    The same value is used in virtualhosts[].selector.ingress_name, so the two must match exactly.

    See ingressGateways[].name.

    PATH_TO_CERT_FILE
    PATH_TO_KEY_FILE
    Enter the path and filename of the self-signed TLS key and certificate files that you generated previously in Step 6: Create TLS certificates. These files must be located in the APIGEE_HELM_CHARTS_HOME/apigee-virtualhosts/certs directory, and the paths are given relative to the apigee-virtualhosts chart directory. For example:
    sslCertPath: certs/keystore.crt
    sslKeyPath: certs/keystore.key

    Use the filenames you actually generated (the examples on this page use certs/keystore.pem for the certificate). The private key is a secret: keep it out of version control even though the overrides file only references it by path.

    See virtualhosts[].sslCertPath and virtualhosts[].sslKeyPath.

    SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE
    (Optional) A key-value pair that provides annotations for your default ingress service. Your cloud platform uses annotations to help configure your hybrid installation, for example to set the load balancer type to internal or external.

    Annotations vary from platform to platform. Refer to your platform documentation for required and suggested annotations.

    Comment out or delete this section if you are not using it.

    See ingressGateways[].svcAnnotations.

    <component>_WORKLOAD_IDENTITY_SECRET
    The name of the Kubernetes Secret you created for the component's service account credential configuration in Step 5: Set up service account authentication. The Secret must exist in APIGEE_NAMESPACE before you apply the charts, because the charts only reference it by name. With the non-prod option every component shares one Secret, and therefore one service account, which is why per-component Secrets are used for production.

    The default names of the secrets suggested in this guide are:

    Production

    • cassandra-workload-identity-secret
    • logger-workload-identity-secret
    • mart-workload-identity-secret
    • metrics-workload-identity-secret
    • mint-task-scheduler-workload-identity-secret
    • runtime-workload-identity-secret
    • synchronizer-workload-identity-secret
    • udca-workload-identity-secret
    • watcher-workload-identity-secret

    Non-prod

    • non-prod-workload-identity-secret

    See envs[].serviceAccountSecretRefs, mart.serviceAccountSecretRef, connectAgent.serviceAccountSecretRef, metrics.serviceAccountSecretRef, udca.serviceAccountSecretRef, watcher.serviceAccountSecretRef and mintTaskScheduler.serviceAccountRef.

    Example

    instanceID: "my_hybrid_example"
    namespace: "apigee"
    
    gcp:
      projectID: my-project
      region: us-central1
      workloadIdentity:
        enabled: false
      federatedWorkloadIdentity:
        enabled: true
        audience: "//iam.googleapis.com/projects/123123123123/locations/global/workloadIdentityPools/my-wi-pool/providers/my-wi-provider"
        credentialSourceFile: "/var/run/service-account/token"
    
    k8sCluster:
      name: hybrid-env
      region: us-central1
    
    org: my-project
    
    enhanceProxyLimits: true
    
    contractProvider: https://us-apigee.googleapis.com
    
    envs:
    - name: prod-env
      serviceAccountSecretRefs:
        synchronizer: "synchronizer-workload-identity-secret"
        runtime: "runtime-workload-identity-secret"
        udca: "udca-workload-identity-secret"
    
    cassandra:
      hostNetwork: false
      replicaCount: 3
      storage:
        storageSize: 500Gi
      resources:
        requests:
          cpu: 7
          memory: 15Gi
      maxHeapSize: 8192M
      heapNewSize: 1200M
    
    ingressGateways:
    - name: my-ingress-1
      replicaCountMin: 2
      replicaCountMax: 10
    
    virtualhosts:
    - name: example-env-group
      selector:
        app: apigee-ingressgateway
        ingress_name: my-ingress-1
      sslCertPath: certs/keystore.pem
      sslKeyPath: certs/keystore.key
    
    mart:
      serviceAccountSecretRef: "mart-workload-identity-secret"
    
    connectAgent:
      serviceAccountSecretRef: "mart-workload-identity-secret"
    
    logger:
      enabled: false
    
    metrics:
      serviceAccountSecretRef: "metrics-workload-identity-secret"
    
    udca:
      serviceAccountSecretRef: "udca-workload-identity-secret"
    
    watcher:
      serviceAccountSecretRef: "watcher-workload-identity-secret"
    
    # Monetization for Apigee hybrid and large message payload support share
    # one top-level runtime: key; a YAML mapping cannot repeat a key.
    runtime:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1"
      # For message payloads larger than 10MB:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi
    
    mintTaskScheduler:
      serviceAccountRef: "mint-task-scheduler-workload-identity-secret"
    


    Non-prod

    Template

    Values shown as UPPER_CASE placeholders are property values that you must provide. They are described in the property table above, which follows the Production template.

    instanceID: UNIQUE_INSTANCE_IDENTIFIER
    namespace: APIGEE_NAMESPACE # Usually "apigee"
    
    gcp:
      projectID: PROJECT_ID
      region: ANALYTICS_REGION
      workloadIdentity:
        enabled: false # Must be set to false to use
          # Workload Identity Federation on other platforms.
      federatedWorkloadIdentity:
        enabled: true
        audience: "AUDIENCE"
        credentialSourceFile: "/var/run/service-account/token"
    
    k8sCluster:
      name: CLUSTER_NAME
      region: CLUSTER_LOCATION # Closest Google Cloud region to your cluster.
    
    org: ORG_NAME
    
    # Required for Enhanced per-environment proxy limits:
    enhanceProxyLimits: true
    
    # Required if using data residency with hybrid:
    contractProvider: https://CONTROL_PLANE_LOCATION-apigee.googleapis.com
    
    envs:
    - name: ENVIRONMENT_NAME
      serviceAccountSecretRefs:
        synchronizer: NON_PROD_WORKLOAD_IDENTITY_SECRET
          # For example: "non-prod-workload-identity-secret"
        runtime: NON_PROD_WORKLOAD_IDENTITY_SECRET
          # For example: "non-prod-workload-identity-secret"
        udca: NON_PROD_WORKLOAD_IDENTITY_SECRET
          # For example: "non-prod-workload-identity-secret"
    
    cassandra:
      hostNetwork: false
        # Set to false for single region installations and  for multi-region
        # installations with connectivity between pods in different clusters,
        # like GKE.
        # Set to true for multi-region installations with no communication
        # between pods in different clusters, for example Google Distributed
        # Cloud on VMware or bare metal, GKE on AWS, AKS, EKS, and OpenShift.
        # See Multi-region deployment: Prerequisites
      replicaCount: 1
        # Use 1 for non-prod installations and multiples of 3 for production.
        # See Configure Cassandra for production for guidelines.
    
    ingressGateways:
    - name: INGRESS_NAME # maximum 17 characters.
      replicaCountMin: 2
      replicaCountMax: 10
      svcAnnotations:  # optional. If you are on AKS, see Known issue #260772383
        SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE
    
    virtualhosts:
    - name: ENVIRONMENT_GROUP_NAME
      selector:
        app: apigee-ingressgateway
        ingress_name: INGRESS_NAME
      sslCertPath: PATH_TO_CERT_FILE
      sslKeyPath: PATH_TO_KEY_FILE
    
    mart:
      serviceAccountSecretRef: NON_PROD_WORKLOAD_IDENTITY_SECRET
        # For example: "non-prod-workload-identity-secret"
    
    connectAgent:
      serviceAccountSecretRef: NON_PROD_WORKLOAD_IDENTITY_SECRET
        # Use the same secret for mart and connectAgent
        # For example: "non-prod-workload-identity-secret"
    
    logger:
      enabled: false
        # apigee-logger does not support Workload Identity Federation.
        # See Known issue #341099433.
        # If you want to enable the apigee-logger component, create a
        # Kubernetes secret for apigee-logger by following the steps
        # under Kubernetes secrets in
        # Step 5: Set up service account authentication.
        # Provide a reference to the secret with the
        # logger.serviceAccountRef property.
    
    metrics:
      serviceAccountSecretRef: NON_PROD_WORKLOAD_IDENTITY_SECRET
        # For example: "non-prod-workload-identity-secret"
    
    udca:
      serviceAccountSecretRef: NON_PROD_WORKLOAD_IDENTITY_SECRET
        # For example: "non-prod-workload-identity-secret"
    
    watcher:
      serviceAccountSecretRef: NON_PROD_WORKLOAD_IDENTITY_SECRET
        # For example: "non-prod-workload-identity-secret"
    
    # Required if using Monetization for Apigee hybrid (v1.15.1 and later).
    # If you also need large message payload support, keep both settings under
    # this single runtime: key; YAML does not allow the key to appear twice.
    runtime:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1" # Must be 1.15.1 or higher.
      # If using message payloads larger than 10MB.
      # See configure large message payload support:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi
    
    mintTaskScheduler: # Required for Monetization for Apigee hybrid
      serviceAccountRef: NON_PROD_WORKLOAD_IDENTITY_SECRET
        # For example: "non-prod-workload-identity-secret"
    


    Example

    instanceID: "my_hybrid_example"
    namespace: "apigee"
    
    gcp:
      projectID: my-project
      region: us-central1
      workloadIdentity:
        enabled: false
      federatedWorkloadIdentity:
        enabled: true
        audience: "//iam.googleapis.com/projects/123123123123/locations/global/workloadIdentityPools/my-wi-pool/providers/my-wi-provider"
        credentialSourceFile: "/var/run/service-account/token"
    
    k8sCluster:
      name: hybrid-env
      region: us-central1
    
    org: my-project
    
    enhanceProxyLimits: true
    
    contractProvider: https://us-apigee.googleapis.com
    
    envs:
    - name: test
      serviceAccountSecretRefs:
        synchronizer: "non-prod-workload-identity-secret"
        runtime: "non-prod-workload-identity-secret"
        udca: "non-prod-workload-identity-secret"
    
    cassandra:
      hostNetwork: false
      replicaCount: 1
    
    ingressGateways:
    - name: my-ingress-1
      replicaCountMin: 2
      replicaCountMax: 10
    
    virtualhosts:
    - name: example-env-group
      selector:
        app: apigee-ingressgateway
        ingress_name: my-ingress-1
      sslCertPath: certs/keystore.pem
      sslKeyPath: certs/keystore.key
    
    mart:
      serviceAccountSecretRef: "non-prod-workload-identity-secret"
    
    connectAgent:
      serviceAccountSecretRef: "non-prod-workload-identity-secret"
    
    logger:
      enabled: false
    
    metrics:
      serviceAccountSecretRef: "non-prod-workload-identity-secret"
    
    udca:
      serviceAccountSecretRef: "non-prod-workload-identity-secret"
    
    watcher:
      serviceAccountSecretRef: "non-prod-workload-identity-secret"
    
    # Monetization for Apigee hybrid and large message payload support share
    # one top-level runtime: key; a YAML mapping cannot repeat a key.
    runtime:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1"
      # For message payloads larger than 10MB:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi
    
    mintTaskScheduler:
      serviceAccountRef: "non-prod-workload-identity-secret"
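
    Before running helm upgrade it is worth checking the overrides file and the credential configuration files against the rules in the property table. The following Python script is an added example written for this page, not code from the Apigee documentation or the apigee-hybrid charts. It applies to both the Production and the Non-prod examples above, and it treats the two optional runtime: sections that appear in those examples as a defect to catch: a YAML mapping cannot contain the same key twice, so a parser either rejects the file or silently keeps only the last block, and one of the two settings is lost. It also flags a credential configuration that is really a service account key file (a WIF credential configuration carries no private key), checks that every file's audience equals gcp.federatedWorkloadIdentity.audience, and applies the INGRESS_NAME rules. It uses the standard library only and scans the overrides as text rather than parsing YAML, so it assumes the flat layout used in this guide. The sample overrides and the two credential configuration documents embedded in it are constructed for the example, and the function names are my own.

```python
"""Preflight checks for an Apigee hybrid overrides.yaml that uses Workload Identity
Federation on a non-GKE cluster. Added example, stdlib only: the overrides file is
scanned line by line, assuming the flat layout used in this guide."""
import re
from collections import Counter

# Resource name of a Workload Identity Pool provider: the allowed audience.
AUDIENCE_RE = re.compile(r"^//iam\.googleapis\.com/projects/\d+/locations/global/"
                         r"workloadIdentityPools/[a-z0-9-]+/providers/[a-z0-9-]+$")
# INGRESS_NAME rules: 1-17 chars, lowercase alnum, '-' or '.', alnum at both ends.
INGRESS_NAME_RE = re.compile(r"^[a-z0-9]([a-z0-9.-]{0,15}[a-z0-9])?$")
TOP_LEVEL_KEY_RE = re.compile(r"^([A-Za-z_]\w*):")  # column 0 only
TOKEN_FILE = "/var/run/service-account/token"       # credentialSourceFile in the template

def ingress_name_ok(name: str) -> bool:
    return INGRESS_NAME_RE.match(name) is not None

def duplicate_top_level_keys(text: str) -> list[str]:
    """Top-level keys seen more than once: YAML parsers reject them or keep only the last block."""
    counts = Counter(m[1] for line in text.splitlines() if (m := TOP_LEVEL_KEY_RE.match(line)))
    return [key for key, n in counts.items() if n > 1]

def ingress_names(text: str) -> list[str]:
    """Values of '- name:' entries under the ingressGateways: section."""
    names, in_section = [], False
    for line in text.splitlines():
        if TOP_LEVEL_KEY_RE.match(line):
            in_section = line.startswith("ingressGateways:")
        elif in_section and (m := re.match(r"^\s*-\s*name:\s*(\S+)", line)):
            names.append(m[1].strip("\"'"))
    return names

def overrides_audience(text: str):
    m = re.search(r'^\s+audience:\s*"([^"]+)"', text, re.M)
    return m[1] if m else None

def check_credential_config(name: str, doc: dict) -> list[str]:
    """Sanity-check one parsed apigee-<component>-credential-configuration.json."""
    problems = []
    if doc.get("type") != "external_account":
        problems.append(f"{name}: type is {doc.get('type')!r}, expected 'external_account'")
    if "private_key" in doc:  # a WIF config holds no long-lived secret; this is a pasted SA key
        problems.append(f"{name}: contains a service account private key")
    if not AUDIENCE_RE.match(doc.get("audience", "")):
        problems.append(f"{name}: audience is not a workloadIdentityPools provider name")
    if doc.get("credential_source", {}).get("file") != TOKEN_FILE:
        problems.append(f"{name}: credential_source.file is not {TOKEN_FILE}")
    return problems

def preflight(overrides_text: str, cred_configs: dict[str, dict]) -> list[str]:
    """Findings for an overrides file plus its parsed credential configurations; [] means clean."""
    findings = [f"overrides.yaml: top-level key '{k}' defined more than once"
                for k in duplicate_top_level_keys(overrides_text)]
    if re.search(r"^\s+workloadIdentity:\s*\n\s+enabled:\s*true", overrides_text, re.M):
        findings.append("overrides.yaml: gcp.workloadIdentity.enabled must be false off GKE")
    audience = overrides_audience(overrides_text)
    if audience is None or not AUDIENCE_RE.match(audience):
        findings.append("overrides.yaml: gcp.federatedWorkloadIdentity.audience missing or malformed")
    findings += [f"overrides.yaml: ingress name {n!r} violates the INGRESS_NAME rules"
                 for n in ingress_names(overrides_text) if not ingress_name_ok(n)]
    for name, doc in cred_configs.items():
        findings += check_credential_config(name, doc)
        if audience and doc.get("audience") != audience:
            findings.append(f"{name}: audience differs from overrides.yaml")
    return findings

# Constructed sample input, not from a real installation: the two optional "runtime:"
# sections as separate keys, plus a credential configuration that is really an SA key.
SAMPLE_AUDIENCE = ("//iam.googleapis.com/projects/123123123123/locations/global/"
                   "workloadIdentityPools/my-wi-pool/providers/my-wi-provider")
SAMPLE_OVERRIDES = f"""\
gcp:
  workloadIdentity:
    enabled: false
  federatedWorkloadIdentity:
    enabled: true
    audience: "{SAMPLE_AUDIENCE}"
    credentialSourceFile: "{TOKEN_FILE}"
ingressGateways:
- name: my-ingress-1
runtime:
  image:
    tag: "1.15.1"
runtime:
  resources:
    requests:
      memory: 4Gi
"""
SAMPLE_CRED_CONFIGS = {
    "apigee-udca-credential-configuration.json": {
        "universe_domain": "googleapis.com", "type": "external_account", "audience": SAMPLE_AUDIENCE,
        "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
        "token_url": "https://sts.googleapis.com/v1/token",
        "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/"
        "serviceAccounts/apigee-udca@my-project.iam.gserviceaccount.com:generateAccessToken",
        "credential_source": {"file": TOKEN_FILE, "format": {"type": "text"}}},
    "apigee-mart-credential-configuration.json": {
        "type": "service_account", "project_id": "my-project",
        "private_key": "-----BEGIN PRIVATE KEY-----\n(placeholder)\n-----END PRIVATE KEY-----\n",
        "client_email": "apigee-mart@my-project.iam.gserviceaccount.com"},
}
```

    In practice, read overrides.yaml with open() and each credential configuration with json.load, pass them to preflight, and stop before helm upgrade if the returned list is not empty. On the constructed sample the script reports the repeated runtime: key and, for the mart file, the pasted private key together with the missing external_account type, audience and credential source.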
    


    WIF: files

    Production

    Template

    Values shown as UPPER_CASE placeholders are property values that you must provide. They are described in the table below.

    instanceID: UNIQUE_INSTANCE_IDENTIFIER
    namespace: APIGEE_NAMESPACE # Usually "apigee"
    
    gcp:
      projectID: PROJECT_ID
      region: ANALYTICS_REGION
      workloadIdentity:
        enabled: false # Must be set to false to use
          # Workload Identity Federation on other platforms.
      federatedWorkloadIdentity:
        enabled: true
        audience: "AUDIENCE"
        credentialSourceFile: "/var/run/service-account/token"
    
    k8sCluster:
      name: CLUSTER_NAME
      region: CLUSTER_LOCATION # Closest Google Cloud region to your cluster.
    
    org: ORG_NAME
    
    # Required for Enhanced per-environment proxy limits:
    enhanceProxyLimits: true
    
    # Required if using data residency with hybrid:
    contractProvider: https://CONTROL_PLANE_LOCATION-apigee.googleapis.com
    
    envs:
    - name: ENVIRONMENT_NAME
      serviceAccountPaths:
        # Provide the path relative to the apigee-env chart directory.
        synchronizer: SYNCHRONIZER_CREDENTIAL_CONFIGURATION_FILEPATH
          # For example: "apigee-synchronizer-credential-configuration.json"
        runtime: RUNTIME_SERVICE_CREDENTIAL_CONFIGURATION_FILEPATH
          # For example: "apigee-runtime-credential-configuration.json"
        udca: UDCA_SERVICE_CREDENTIAL_CONFIGURATION_FILEPATH
          # For example: "apigee-udca-credential-configuration.json"
    
    cassandra:
      hostNetwork: false
        # Set to false for single region installations and for multi-region
        # installations with connectivity between pods in different clusters,
        # like GKE installations.
        # Set to true for multi-region installations with no communication
        # between pods in different clusters, for example Google Distributed
        # Cloud on VMware or bare metal, GKE on AWS, AKS, EKS, and OpenShift
        # installations. See Multi-region deployment: Prerequisites
      replicaCount: 3
        # Use multiples of 3 for production.
        # See Configure Cassandra for production for guidelines.
      storage:
        storageSize: 500Gi
        # Minimum storage requirements for a production environment.
        # See Configure Cassandra for production.
      resources:
        requests:
          cpu: 7
          memory: 15Gi
      maxHeapSize: 8192M
      heapNewSize: 1200M
    
    ingressGateways:
    - name: INGRESS_NAME # maximum 17 characters.
      replicaCountMin: 2
      replicaCountMax: 10
      svcAnnotations:  # optional. If you are on AKS, see Known issue #260772383
        SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE
    
    virtualhosts:
    - name: ENVIRONMENT_GROUP_NAME
      selector:
        app: apigee-ingressgateway
        ingress_name: INGRESS_NAME
      sslCertPath: PATH_TO_CERT_FILE
      sslKeyPath: PATH_TO_KEY_FILE
    
    mart:
      serviceAccountPath: MART_CREDENTIAL_CONFIGURATION_FILEPATH
        # Provide the path relative to the apigee-org chart directory.
        # For example: "apigee-mart-credential-configuration.json"
    
    connectAgent:
      serviceAccountPath: MART_CREDENTIAL_CONFIGURATION_FILEPATH
        # Use the same service account for mart and connectAgent
        # Provide the path relative to the apigee-org chart directory.
        # For example: "apigee-mart-credential-configuration.json"
    
    logger:
      enabled: false
        # apigee-logger does not support Workload Identity Federation.
        # See Known issue #341099433.
        # If you want to enable the apigee-logger component, provide
        # the path to the apigee-logger service account key file with
        # the logger.serviceAccountPath property.
    
    metrics:
      serviceAccountPath: METRICS_CREDENTIAL_CONFIGURATION_FILEPATH
        # Provide the path relative to the apigee-telemetry chart directory.
        # For example: "apigee-metrics-credential-configuration.json"
    
    udca:
      serviceAccountPath: UDCA_CREDENTIAL_CONFIGURATION_FILEPATH
        # Provide the path relative to the apigee-telemetry chart directory.
        # For example: "apigee-udca-credential-configuration.json"
    
    watcher:
      serviceAccountPath: WATCHER_CREDENTIAL_CONFIGURATION_FILEPATH
        # Provide the path relative to the apigee-telemetry chart directory.
        # For example: "apigee-watcher-credential-configuration.json"
    
    # Optional runtime settings. Both features below share the single runtime: key.
    # Do not add a second top-level runtime: block: YAML mapping keys must be
    # unique, and a duplicate key either invalidates the file or silently
    # replaces the earlier block.
    runtime:
      # Required if using Monetization for Apigee hybrid (v1.15.1 and later):
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1" # Must be 1.15.1 or higher.
      # If using message payloads larger than 10MB.
      # See configure large message payload support:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi
    
    mintTaskScheduler: # Required for Monetization for Apigee hybrid
      serviceAccountPath: MINT_TASK_SCHEDULER_CREDENTIAL_CONFIGURATION_FILEPATH
        # Provide the path relative to the apigee-org chart directory.
        # For example: "apigee-mint-task-scheduler-credential-configuration.json"
    

    The following table describes each of the property values that you must provide in the overrides file. For more information, see Configuration property reference.

    Variable Description
    UNIQUE_INSTANCE_IDENTIFIER

    A unique string to identify this instance. This can be any combination of letters and numbers up to 63 characters.

    You can create multiple organizations in the same cluster, but the instanceID must be the same for all orgs in the same Kubernetes cluster.

    See instanceID.

    APIGEE_NAMESPACE

    The Kubernetes namespace for your Apigee hybrid components.

    The default value is apigee.

    See namespace.

    PROJECT_ID Identifies the Google Cloud project where the apigee-logger and the apigee-metrics push their data. This is the value assigned to the environment variable PROJECT_ID.

    See gcp.projectID.

    ANALYTICS_REGION In GKE, you must set this value to the same region where the cluster is running. On all other platforms, select the analytics region closest to your cluster that has Analytics support (see the table in Part 1, Step 2: Create an organization).

    This is the value you assigned to the environment variable ANALYTICS_REGION previously.

    See gcp.region.

    AUDIENCE The allowed audience of the Workload Identity Provider. You can find the value by searching any of the credential configuration files for the term "audience". The audience value is the same in each credential configuration file.

    For example, in the following sample apigee-udca-credential-configuration.json file:

    {
      "universe_domain": "googleapis.com",
      "type": "external_account",
      "audience": "AUDIENCE",
      "subject_token_type": "TOKEN_TYPE",
      "token_url": "TOKEN_URL",
      "service_account_impersonation_url": "IMPERSONATION_URL",
      "credential_source": {
        "file": "FILE_PATH",
        "format": {
          "type": "text"
        }
      }
    }

    The audience value will look something like the following:

    "//iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID"

    See gcp.federatedWorkloadIdentity.audience.

    CLUSTER_NAME Your Kubernetes cluster name. This is the value assigned to the environment variable CLUSTER_NAME.

    See k8sCluster.name.

    CLUSTER_LOCATION The region where the cluster is running. This is the region where you created the cluster in Step 1: Create a cluster.

    This is the value you assigned to the environment variable CLUSTER_LOCATION previously.

    See k8sCluster.location.

    ORG_NAME The ID of your Apigee hybrid organization. This is the value assigned to the environment variable ORG_NAME.

    See org.

    CONTROL_PLANE_LOCATION
    Required if you are using Data residency with your Apigee hybrid installation. This is the location where customer core content, such as proxy bundles, is stored. For a list, see Available Apigee API control plane regions. It is the value assigned to the CONTROL_PLANE_LOCATION environment variable in Step 2: Create an organization.

    See contractProvider.

    ENVIRONMENT_NAME Use the same name that you used when you created an environment in the UI, as explained in Project and org setup - Step 3: Create an environment group.

    See envs[].name.

    ENVIRONMENT_GROUP_NAME
    The name of the environment group your environments are assigned to. This is the group you created in Project and org setup - Step 3: Create an environment group. This is the value assigned to the environment variable ENV_GROUP.

    See virtualhosts[].name.

    INGRESS_NAME The name of the Apigee ingress gateway for your deployment. This can be any name that meets the following requirements:
    • Have a maximum length of 17 characters
    • Contain only lowercase alphanumeric characters, '-' or '.'
    • Start with an alphanumeric character
    • End with an alphanumeric character

    See:

    PATH_TO_CERT_FILE
    PATH_TO_KEY_FILE
    Enter the path and filename of the self-signed TLS key and certificate files that you generated previously in Step 6: Create TLS certificates. These files must be located in the APIGEE_HELM_CHARTS_HOME/apigee-virtualhosts/certs directory. For example:
    sslCertPath: certs/keystore.crt
    sslKeyPath: certs/keystore.key

    See:

    SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE
    (Optional) A key-value pair that provides annotations for your default ingress service. Your cloud platform uses annotations to help configure your hybrid installation, for example to set the load balancer type to internal or external.

    Annotations vary from platform to platform. Refer to your platform documentation for required and suggested annotations.

    Comment out or delete this section if you are not using it.

    See ingressGateways[].svcAnnotations.

    <component>_CREDENTIAL_CONFIGURATION_FILEPATH
    The path and filename of the credential configuration file you created for the component in Step 5: Set up service account authentication.

    Provide the names with the path relative to the chart directory. For example:

    • If the apigee-synchronizer-credential-configuration.json file resides in the apigee-env/ chart directory, you only need to provide the file name, such as:
      synchronizer:  "FILE_NAME.json"
    • If the file resides in an apigee-env/service-accounts/ directory, you would specify a relative path:
      synchronizer:  "service-accounts/FILE_NAME.json"

    The default file names and the corresponding chart directories for the service accounts are:

    Production

    Service account file name Chart directory
    apigee-cassandra-credential-configuration.json apigee-datastore/
    apigee-logger-credential-configuration.json apigee-telemetry/
    apigee-mart-credential-configuration.json apigee-org/
    apigee-metrics-credential-configuration.json apigee-telemetry/
    apigee-mint-task-scheduler-credential-configuration.json apigee-org/
    apigee-runtime-credential-configuration.json apigee-env/
    apigee-synchronizer-credential-configuration.json apigee-env/
    apigee-udca-credential-configuration.json apigee-org/
    apigee-watcher-credential-configuration.json apigee-org/

    Non-prod

    Service account file name Chart directory
    apigee-non-prod-credential-configuration.json apigee-datastore/, apigee-org/ and apigee-telemetry/ (the same file is used by all three charts)

    See:
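    As an added check (not part of the Apigee documentation or the Apigee Helm charts), the following Python script lints an overrides.yaml against the rules in the table above: the INGRESS_NAME length and character rules, workloadIdentity.enabled being false alongside federatedWorkloadIdentity, the audience matching the audience in every credential configuration file, and a top-level key such as runtime: being defined twice. It uses only the standard library, so it walks the file by indentation instead of parsing YAML; the overrides excerpt and credential files it checks are constructed samples.

```python
"""Pre-flight lint for an Apigee hybrid overrides.yaml (WIF on other platforms).
Added example, not Apigee documentation or Helm-chart code. Standard library only:
the overrides text is walked by indentation instead of being parsed as YAML."""
import json
import re

INGRESS_NAME_RE = re.compile(r"^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$")
AUDIENCE_RE = re.compile(r"^//iam\.googleapis\.com/projects/\d+/locations/global/"
                         r"workloadIdentityPools/[^/]+/providers/[^/]+$")

def lookup(yaml_text, path):
    """Scalar at dotted `path` (e.g. 'gcp.projectID') or None. Handles block mappings
    and the first item of a list ('- ' counts as two indent columns); '#' comments are
    dropped, so values must not contain '#'."""
    lines = [raw.split("#", 1)[0].rstrip() for raw in yaml_text.splitlines()]
    parent_indent, i, value = -1, 0, None
    for part in path.split("."):
        child_indent, match_at = None, None
        while i < len(lines):
            stripped = lines[i].lstrip()
            if not stripped:
                i += 1
                continue
            cur = len(lines[i]) - len(stripped)
            if stripped.startswith("- "):          # list item => nested mapping
                cur, stripped = cur + 2, stripped[2:]
            if cur <= parent_indent:               # left the enclosing block
                return None
            child_indent = cur if child_indent is None else child_indent
            if cur == child_indent and stripped.startswith(part + ":"):
                match_at, value = i, stripped.split(":", 1)[1].strip()
                break
            i += 1
        if match_at is None:
            return None
        parent_indent, i = child_indent, match_at + 1
    return value.strip("\"'") if value else None

def duplicate_top_level_keys(yaml_text):
    """Duplicate mapping keys are invalid YAML: parsers reject the file or keep only
    the last block, so an earlier optional `runtime:` block is lost."""
    keys = re.findall(r"^([A-Za-z_]\w*):", yaml_text, re.M)
    return sorted({k for k in keys if keys.count(k) > 1})

def lint_overrides(yaml_text, credential_files):
    """Findings for the overrides text plus the referenced credential
    configuration files, given as {file name: JSON text}."""
    findings = []
    name = lookup(yaml_text, "ingressGateways.name") or ""
    if len(name) > 17:                              # the INGRESS_NAME rules
        findings.append("ingressGateways[].name '%s' is longer than 17 characters" % name)
    if not INGRESS_NAME_RE.match(name):
        findings.append("ingressGateways[].name '%s' must use lowercase alphanumerics, "
                        "'-' or '.', and start and end with an alphanumeric" % name)
    if (lookup(yaml_text, "gcp.federatedWorkloadIdentity.enabled") == "true"
            and lookup(yaml_text, "gcp.workloadIdentity.enabled") != "false"):
        findings.append("gcp.workloadIdentity.enabled must be false when "
                        "gcp.federatedWorkloadIdentity.enabled is true")
    audience = lookup(yaml_text, "gcp.federatedWorkloadIdentity.audience")
    if not audience or not AUDIENCE_RE.match(audience):
        findings.append("gcp.federatedWorkloadIdentity.audience is missing or malformed")
    for fname, text in credential_files.items():   # every file must carry the same audience
        cfg = json.loads(text)
        if cfg.get("audience") != audience:
            findings.append("%s: audience differs from the overrides audience" % fname)
    for key in duplicate_top_level_keys(yaml_text):
        findings.append("top-level key '%s' is defined more than once; merge the blocks" % key)
    return findings

# Constructed sample: the page's template filled in, with two mistakes the lint
# should catch (an 18-character ingress name and the two optional `runtime:`
# sections left as separate top-level blocks).
SAMPLE_AUDIENCE = ("//iam.googleapis.com/projects/123123123123/locations/global/"
                   "workloadIdentityPools/my-wi-pool/providers/my-wi-provider")
SAMPLE_OVERRIDES = """\
gcp:
  workloadIdentity:
    enabled: false # Must be set to false to use WIF on other platforms.
  federatedWorkloadIdentity:
    enabled: true
    audience: "%s"
ingressGateways:
- name: my-ingress-gateway
runtime:
  image:
    tag: "1.15.1"
runtime:
  cwcAppend:
    bin_setenv_max_mem: 4096m
""" % SAMPLE_AUDIENCE
SAMPLE_CREDENTIALS = {   # constructed; the second file still points at an old pool
    "apigee-non-prod-credential-configuration.json": json.dumps({"audience": SAMPLE_AUDIENCE}),
    "apigee-udca-credential-configuration.json": json.dumps(
        {"audience": SAMPLE_AUDIENCE.replace("my-wi-pool", "old-pool")}),
}

if __name__ == "__main__":
    for finding in lint_overrides(SAMPLE_OVERRIDES, SAMPLE_CREDENTIALS):
        print("FINDING:", finding)
```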

    Example

    instanceID: "my_hybrid_example"
    namespace: "apigee"
    
    gcp:
      projectID: my-project
      region: us-central1
      workloadIdentity:
        enabled: false
      federatedWorkloadIdentity:
        enabled: true
        audience: "//iam.googleapis.com/projects/123123123123/locations/global/workloadIdentityPools/my-wi-pool/providers/my-wi-provider"
        credentialSourceFile: "/var/run/service-account/token"
    
    k8sCluster:
      name: hybrid-env
      region: us-central1
    
    org: my-project
    
    enhanceProxyLimits: true
    
    contractProvider: https://us-apigee.googleapis.com
    
    envs:
    - name: prod-env
      serviceAccountPaths:
        synchronizer: "apigee-synchronizer-credential-configuration.json"
        runtime: "apigee-runtime-credential-configuration.json"
        udca: "apigee-udca-credential-configuration.json"
    
    cassandra:
      hostNetwork: false
      replicaCount: 3
      storage:
        storageSize: 500Gi
      resources:
        requests:
          cpu: 7
          memory: 15Gi
      maxHeapSize: 8192M
      heapNewSize: 1200M
    
    ingressGateways:
    - name: my-ingress-1
      replicaCountMin: 2
      replicaCountMax: 10
    
    virtualhosts:
    - name: example-env-group
      selector:
        app: apigee-ingressgateway
        ingress_name: my-ingress-1
      sslCertPath: certs/keystore.pem
      sslKeyPath: certs/keystore.key
    
    mart:
      serviceAccountPath: "apigee-mart-credential-configuration.json"
    
    connectAgent:
      serviceAccountPath: "apigee-mart-credential-configuration.json"
    
    logger:
      enabled: false
    
    metrics:
      serviceAccountPath: "apigee-metrics-credential-configuration.json"
    
    udca:
      serviceAccountPath: "apigee-udca-credential-configuration.json"
    
    watcher:
      serviceAccountPath: "apigee-watcher-credential-configuration.json"
    
    # Monetization for Apigee hybrid and large message payloads share one runtime: key
    runtime:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1"
      # For message payloads larger than 10MB:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi
    
    mintTaskScheduler:
      serviceAccountPath: "apigee-mint-task-scheduler-credential-configuration.json"
    


    Non-prod

    Template

    The UPPER_CASE placeholder values are property values that you must provide. They are described in the table below.

    instanceID: UNIQUE_INSTANCE_IDENTIFIER
    namespace: APIGEE_NAMESPACE # Usually "apigee"
    
    gcp:
      projectID: PROJECT_ID
      region: ANALYTICS_REGION
      workloadIdentity:
        enabled: false # Must be set to false to use
          # Workload Identity Federation on other platforms.
      federatedWorkloadIdentity:
        enabled: true
        audience: "AUDIENCE"
        credentialSourceFile: "/var/run/service-account/token"
    
    k8sCluster:
      name: CLUSTER_NAME
      region: CLUSTER_LOCATION # Closest Google Cloud region to your cluster.
    
    org: ORG_NAME
    
    # Required for Enhanced per-environment proxy limits:
    enhanceProxyLimits: true
    
    # Required if using data residency with hybrid:
    contractProvider: https://CONTROL_PLANE_LOCATION-apigee.googleapis.com
    
    envs:
    - name: ENVIRONMENT_NAME
      serviceAccountPaths:
        # Provide the path relative to the apigee-env chart directory.
        synchronizer: NON_PROD_CREDENTIAL_CONFIGURATION_FILEPATH
          # For example: "apigee-non-prod-credential-configuration.json"
        runtime: NON_PROD_CREDENTIAL_CONFIGURATION_FILEPATH
          # For example: "apigee-non-prod-credential-configuration.json"
        udca: NON_PROD_CREDENTIAL_CONFIGURATION_FILEPATH
          # For example: "apigee-non-prod-credential-configuration.json"
    
    cassandra:
      hostNetwork: false
        # Set to false for single region installations and for multi-region
        # installations with connectivity between pods in different clusters,
        # like GKE.
        # Set to true for multi-region installations with no communication
        # between pods in different clusters, for example Google Distributed
        # Cloud on VMware or bare metal, GKE on AWS, AKS, EKS, and OpenShift.
        # See Multi-region deployment: Prerequisites
      replicaCount: 1
        # Use 1 for non-prod installations and multiples of 3 for production.
        # See Configure Cassandra for production for guidelines.
    
    ingressGateways:
    - name: INGRESS_NAME # maximum 17 characters.
      replicaCountMin: 2
      replicaCountMax: 10
      svcAnnotations:  # optional. If you are on AKS, see Known issue #260772383
        SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE
    
    virtualhosts:
    - name: ENVIRONMENT_GROUP_NAME
      selector:
        app: apigee-ingressgateway
        ingress_name: INGRESS_NAME
      sslCertPath: PATH_TO_CERT_FILE
      sslKeyPath: PATH_TO_KEY_FILE
    
    mart:
      serviceAccountPath: NON_PROD_CREDENTIAL_CONFIGURATION_FILEPATH
        # Provide the path relative to the apigee-org chart directory.
        # For example: "apigee-non-prod-credential-configuration.json"
    
    connectAgent:
      serviceAccountPath: NON_PROD_CREDENTIAL_CONFIGURATION_FILEPATH
        # Use the same service account for mart and connectAgent
        # Provide the path relative to the apigee-org chart directory.
        # For example: "apigee-non-prod-credential-configuration.json"
    
    logger:
      enabled: false
        # apigee-logger does not support Workload Identity Federation.
        # See Known issue #341099433.
        # If you want to enable the apigee-logger component, provide
        # the path to the apigee-non-prod service account key file with
        # the logger.serviceAccountPath property.
    
    metrics:
      serviceAccountPath: NON_PROD_CREDENTIAL_CONFIGURATION_FILEPATH
        # Provide the path relative to the apigee-telemetry chart directory.
        # For example: "apigee-non-prod-credential-configuration.json"
    
    udca:
      serviceAccountPath: NON_PROD_CREDENTIAL_CONFIGURATION_FILEPATH
        # Provide the path relative to the apigee-telemetry chart directory.
        # For example: "apigee-non-prod-credential-configuration.json"
    
    watcher:
      serviceAccountPath: NON_PROD_CREDENTIAL_CONFIGURATION_FILEPATH
        # Provide the path relative to the apigee-telemetry chart directory.
        # For example: "apigee-non-prod-credential-configuration.json"
    
    # Optional runtime settings. Both features below share the single runtime: key.
    # Do not add a second top-level runtime: block: YAML mapping keys must be
    # unique, and a duplicate key either invalidates the file or silently
    # replaces the earlier block.
    runtime:
      # Required if using Monetization for Apigee hybrid (v1.15.1 and later):
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1" # Must be 1.15.1 or higher.
      # If using message payloads larger than 10MB.
      # See configure large message payload support:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi
    
    mintTaskScheduler: # Required for Monetization for Apigee hybrid
      serviceAccountPath: NON_PROD_CREDENTIAL_CONFIGURATION_FILEPATH
        # Provide the path relative to the apigee-org chart directory.
        # For example: "apigee-non-prod-credential-configuration.json"
    


    Example

    instanceID: "my_hybrid_example"
    namespace: "apigee"
    
    gcp:
      projectID: my-project
      region: us-central1
      workloadIdentity:
        enabled: false
      federatedWorkloadIdentity:
        enabled: true
        audience: "//iam.googleapis.com/projects/123123123123/locations/global/workloadIdentityPools/my-wi-pool/providers/my-wi-provider"
        credentialSourceFile: "/var/run/service-account/token"
    
    k8sCluster:
      name: hybrid-env
      region: us-central1
    
    org: my-project
    
    enhanceProxyLimits: true
    
    contractProvider: https://us-apigee.googleapis.com
    
    envs:
    - name: test
      serviceAccountPaths:
        synchronizer: "apigee-non-prod-credential-configuration.json"
        runtime: "apigee-non-prod-credential-configuration.json"
        udca: "apigee-non-prod-credential-configuration.json"
    
    cassandra:
      hostNetwork: false
      replicaCount: 1
    
    ingressGateways:
    - name: my-ingress-1
      replicaCountMin: 2
      replicaCountMax: 10
    
    virtualhosts:
    - name: example-env-group
      selector:
        app: apigee-ingressgateway
        ingress_name: my-ingress-1
      sslCertPath: certs/keystore.pem
      sslKeyPath: certs/keystore.key
    
    mart:
      serviceAccountPath: "apigee-non-prod-credential-configuration.json"
    
    connectAgent:
      serviceAccountPath: "apigee-non-prod-credential-configuration.json"
    
    logger:
      enabled: false
    
    metrics:
      serviceAccountPath: "apigee-non-prod-credential-configuration.json"
    
    udca:
      serviceAccountPath: "apigee-non-prod-credential-configuration.json"
    
    watcher:
      serviceAccountPath: "apigee-non-prod-credential-configuration.json"
    
    # Monetization for Apigee hybrid and large message payloads share one runtime: key
    runtime:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1"
      # For message payloads larger than 10MB:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi
    
    mintTaskScheduler:
      serviceAccountPath: "apigee-non-prod-credential-configuration.json"
    

    The following table describes each of the property values that you must provide in the overrides file. For more information, see Configuration property reference.

    Variable Description
    UNIQUE_INSTANCE_
    IDENTIFIER

    A unique string to identify this instance. This can be any combination of letters and numbers up to 63 characters.

    You can create multiple organizations in the same cluster, but the instanceID must be the same for all orgs in the same Kubernetes cluster.

    See instanceID.

    APIGEE_NAMESPACE

    The Kubernetes namespace for your Apigee hybrid components.

    The default value is apigee.

    See namespace.

    PROJECT_ID Identifies the Google Cloud project where the apigee-logger and the apigee-metrics push their data. This is the value assigned to the environment variable PROJECT_ID.

    See gcp.projectID.

    ANALYTICS_REGION On GKE, you must set this value to the same region where the cluster is running. On all other platforms, select the closest analytics region to your cluster that has Analytics support (see the table in Part 1, Step 2: Create an organization).

    This is the value you assigned to the environment variable ANALYTICS_REGION previously.

    See gcp.region.

    AUDIENCE The allowed audience of the Workload Identity Provider. You can find the value by searching any of the credential configuration files for the key audience. The audience value is the same in each credential configuration file, and it must match the provider's resource name exactly: the token exchange fails when the audience does not identify the provider, and the component never obtains Google Cloud credentials.

    For example, in the following sample apigee-udca-credential-configuration.json file:

    {
      "universe_domain": "googleapis.com",
      "type": "external_account",
      "audience": "AUDIENCE",
      "subject_token_type": "TOKEN_TYPE",
      "token_url": "TOKEN_URL",
      "service_account_impersonation_url": "IMPERSONATION_URL",
      "credential_source": {
        "file": "FILE_PATH",
        "format": {
          "type": "text"
        }
      }
    }

    The audience value will look something like the following (without line breaks):

    "//iam.googleapis.com/projects/123456789012/
    locations/global/workloadIdentityPools/
    POOL_ID/providers/WORKLOAD_PROVIDER_ID"
              

    See gcp.federatedWorkloadIdentity.audience.

    CLUSTER_NAME Your Kubernetes cluster name. This is the value assigned to the environment variable CLUSTER_NAME.

    See k8sCluster.name.

    CLUSTER_LOCATION The region where the cluster is running. This is the region where you created the cluster in Step 1: Create a cluster.

    This is the value you assigned to the environment variable CLUSTER_LOCATION previously.

    See k8sCluster.region.

    ORG_NAME The ID of your Apigee hybrid organization. This is the value assigned to the environment variable ORG_NAME.

    See org.

    CONTROL_PLANE_
    LOCATION
    Required if you are using Data residency with your Apigee hybrid installation. This is the location where customer core content like proxy bundles is stored. For a list see Available Apigee API control plane regions. It is the value assigned to the CONTROL_PLANE_LOCATION environment variable in Step 2: Create an organization.

    See contractProvider.

    ENVIRONMENT_NAME Use the same name that you used when you created an environment in the UI, as explained in Project and org setup - Step 3: Create an environment group.

    See envs[].name.

    ENVIRONMENT_GROUP_
    NAME
    The name of the environment group your environments are assigned to. This is the group you created in Project and org setup - Step 3: Create an environment group. This is the value assigned to the environment variable ENV_GROUP.

    See virtualhosts[].name.

    INGRESS_NAME The name of the Apigee ingress gateway for your deployment. This can be any name that meets the following requirements:
    • Has a maximum length of 17 characters
    • Contains only lowercase alphanumeric characters, '-' or '.'
    • Starts with an alphanumeric character
    • Ends with an alphanumeric character

    See:

    PATH_TO_CERT_FILE
    PATH_TO_KEY_FILE
    Enter the path and filename of the TLS certificate and key files that you generated previously in Step 6: Create TLS certificates. These files must be located in the APIGEE_HELM_CHARTS_HOME/apigee-virtualhosts/certs directory, and the paths are given relative to the apigee-virtualhosts chart directory. For example:
    sslCertPath: certs/keystore.crt
    sslKeyPath: certs/keystore.key
    The self-signed certificate from Step 6 is suitable for a first or evaluation installation. For a production ingress, use a certificate issued by a CA that your API clients trust, and keep the private key file out of version control.

    See:

    SVC_ANNOTATIONS_
    KEY
    : SVC_ANNOTATIONS_
    VALUE
    (Optional). This is a key-value pair that provides annotations for your default ingress service. Your cloud platform uses annotations to help configure your hybrid installation, for example setting the loadbalancer type to either internal or external.

    Annotations vary from platform to platform. Refer to your platform documentation for required and suggested annotations.

    Comment out or delete this section if you are not using it.

    See ingressGateways[].svcAnnotations.

    <component>_
    CREDENTIAL_
    CONFIGURATION_
    FILEPATH
    The path and filename of the credential configuration file for each component, as created in Step 5: Set up service account authentication.

    Provide the names with the path relative to the chart directory. For example:

    • If the apigee-synchronizer-credential-configuration.json file resides in the apigee-env/ chart directory, you only need to provide the file name, such as:
      synchronizer:  "FILE_NAME.json"
    • If the file resides in a apigee-env/service-accounts/ directory, you would specify a relative path:
      synchronizer:  "service-accounts/FILE_NAME.json"

    The default file names and corresponding chart directories for the service accounts are:

    Production

    Service account file name                                  Chart directory
    apigee-cassandra-credential-configuration.json             apigee-datastore/
    apigee-logger-credential-configuration.json                apigee-telemetry/
    apigee-mart-credential-configuration.json                  apigee-org/
    apigee-metrics-credential-configuration.json               apigee-telemetry/
    apigee-mint-task-scheduler-credential-configuration.json   apigee-org/
    apigee-runtime-credential-configuration.json               apigee-env/
    apigee-synchronizer-credential-configuration.json          apigee-env/
    apigee-udca-credential-configuration.json                  apigee-org/
    apigee-watcher-credential-configuration.json               apigee-org/

    Non-prod

    Service account file name                       Chart directory
    apigee-non-prod-credential-configuration.json   apigee-datastore/
                                                    apigee-org/
                                                    apigee-telemetry/

    See:
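    Before running the helm commands, it helps to catch the mistakes the tables above describe while they are still cheap to fix. The script below is an added example written for this page; it is not code from the Apigee documentation or charts. It reads overrides.yaml by indentation, so it needs only the Python standard library, and it checks four things: that no top-level key such as runtime: appears twice (YAML does not merge repeated keys, so a second runtime: block either replaces the first or is rejected), that the audience and credentialSourceFile in overrides.yaml agree with every component's credential configuration JSON, that ingress gateway names satisfy the naming rules and that each virtual host selector points at a declared ingress, and, for production, that cassandra.replicaCount is a multiple of 3. The sample overrides text and the two credential configuration dictionaries are constructed for the demo; in your own run, read the real files with open() and json.load().

```python
# Added example for this page, not part of the Apigee docs or charts: stdlib-only pre-flight checks for overrides.yaml.
import re

# Ingress name rules from the page: max 17 characters, lowercase alphanumerics plus
# '-' or '.', with an alphanumeric first and last character.
INGRESS_NAME_RE = re.compile(r"^[a-z0-9](?:[a-z0-9.-]{0,15}[a-z0-9])?$")
KEY_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*):\s*(.*)$")


def flatten(yaml_text):
    """Map dotted paths to scalars (list items as key[i]), e.g. 'ingressGateways[0].name'."""
    out, stack, counters = {}, [], {}   # stack holds (indent, path) of the open mappings
    for raw in yaml_text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()   # drop trailing comments
        body = line.lstrip(" ")
        if not body or body.startswith("#"):
            continue
        indent = len(line) - len(body)
        if body.startswith("- "):               # list item under the stack top
            while stack and stack[-1][0] > indent:
                stack.pop()
            parent = stack[-1][1] if stack else ""
            counters[parent] = counters.get(parent, 0) + 1
            stack.append((indent + 1, f"{parent}[{counters[parent] - 1}]"))
            body, indent = body[2:], indent + 2
        m = KEY_RE.match(body)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip().strip("\"'")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = f"{stack[-1][1]}.{key}" if stack else key
        if value:
            out[path] = value
        else:
            stack.append((indent, path))      # a nested mapping follows
    return out

def check_overrides(yaml_text, cred_configs, production):
    """Return findings as strings; an empty list means every check passed."""
    v = flatten(yaml_text)
    # YAML does not merge a repeated top-level key such as a second runtime: block:
    # strict parsers reject the file, lenient ones silently keep only the last block.
    tops = [m.group(1) for m in map(KEY_RE.match, yaml_text.splitlines()) if m]
    findings = [f"duplicate top-level key {k!r}: merge the blocks into one"
                for k in dict.fromkeys(k for k in tops if tops.count(k) > 1)]
    aud = v.get("gcp.federatedWorkloadIdentity.audience", "")
    src = v.get("gcp.federatedWorkloadIdentity.credentialSourceFile", "")
    if v.get("gcp.federatedWorkloadIdentity.enabled") == "true":
        if v.get("gcp.workloadIdentity.enabled") != "false":
            findings.append("gcp.workloadIdentity.enabled must be false with WIF")
        for name, cfg in cred_configs.items():   # every component file must agree
            if cfg.get("type") != "external_account" or cfg.get("audience") != aud:
                findings.append(f"{name}: type or audience differs from overrides.yaml")
            if cfg.get("credential_source", {}).get("file") != src:
                findings.append(f"{name}: credential_source.file is not {src}")
    ingresses = [v[k] for k in v if re.fullmatch(r"ingressGateways\[\d+\]\.name", k)]
    findings += [f"ingress name {n!r} violates the naming rules"
                 for n in ingresses if not INGRESS_NAME_RE.match(n)]
    findings += [f"{k} refers to undeclared ingress {val!r}" for k, val in v.items()
                 if k.endswith(".selector.ingress_name") and val not in ingresses]
    replicas = int(v.get("cassandra.replicaCount", "0"))
    if production and (replicas == 0 or replicas % 3):
        findings.append(f"cassandra.replicaCount={replicas}: production needs a multiple of 3")
    return findings

# Constructed sample input. It seeds a duplicated runtime: block, an ingress name over 17
# characters, a virtual host selecting an undeclared ingress, one Cassandra replica and
# a missing workloadIdentity.enabled: false.
AUD = ("//iam.googleapis.com/projects/123123123123/locations/global/"
       "workloadIdentityPools/my-wi-pool/providers/my-wi-provider")
SAMPLE_OVERRIDES = """\
gcp:
  federatedWorkloadIdentity:
    enabled: true
    audience: "AUDIENCE"
    credentialSourceFile: "/var/run/service-account/token"
cassandra:
  replicaCount: 1
ingressGateways:
- name: my-ingress-gateway-1   # 20 characters
virtualhosts:
- name: example-env-group
  selector:
    ingress_name: my-ingress-1
runtime:
  image: {tag: "1.15.1"}
runtime:
  cwcAppend: {bin_setenv_max_mem: 4096m}
""".replace("AUDIENCE", AUD)
SRC = {"file": "/var/run/service-account/token"}
CRED_CONFIGS = {  # stand-ins for the per-component credential configuration files
    "apigee-udca-credential-configuration.json":
        {"type": "external_account", "audience": AUD, "credential_source": SRC},
    "apigee-synchronizer-credential-configuration.json":   # still names an old pool
        {"type": "external_account", "audience": AUD.replace("my-wi-pool", "old-pool"),
         "credential_source": SRC}}

if __name__ == "__main__":
    print(*check_overrides(SAMPLE_OVERRIDES, CRED_CONFIGS, production=True), sep="\n")
```

    Run with production=False for a non-prod installation, where a single Cassandra replica is expected. The flattener is deliberately minimal: it understands the block-style mappings and lists used in the overrides templates, and nothing else, so keep overrides.yaml in that style if you rely on it.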

    WIF: Vault

    Production

    Template

    Values shown as UPPER_CASE placeholders are property values that you must provide. They are described in the table below.

    instanceID: UNIQUE_INSTANCE_IDENTIFIER
    namespace: APIGEE_NAMESPACE # Usually "apigee"
    
    gcp:
      projectID: PROJECT_ID
      region: ANALYTICS_REGION
      workloadIdentity:
        enabled: false # Must be set to false to use
          # Workload Identity Federation on other platforms.
      federatedWorkloadIdentity:
        enabled: true
        audience: "AUDIENCE"
        credentialSourceFile: "/var/run/service-account/token"
    
    k8sCluster:
      name: CLUSTER_NAME
      region: CLUSTER_LOCATION # Closest Google Cloud region to your cluster.
    
    org: ORG_NAME
    
    serviceAccountSecretProviderClass: apigee-orgsakeys-spc
    
    # Required for Enhanced per-environment proxy limits:
    enhanceProxyLimits: true
    
    # Required if using data residency with hybrid:
    contractProvider: https://CONTROL_PLANE_LOCATION-apigee.googleapis.com
    
    envs:
    - name: ENVIRONMENT_NAME
      serviceAccountSecretProviderClass: apigee-envsakeys-ENVIRONMENT_NAME-spc
    
    cassandra:
      hostNetwork: false
        # Set to false for single region installations and  for multi-region
        # installations with connectivity between pods in different clusters,
        # like GKE.
        # Set to true for multi-region installations with no communication
        # between pods in different clusters, for example Google Distributed
        # Cloud on VMware or bare metal, GKE on AWS, AKS, EKS, and OpenShift.
        # See Multi-region deployment: Prerequisites
      replicaCount: 3
        # Use multiples of 3 for production.
        # See Configure Cassandra for production for guidelines.
      storage:
        storageSize: 500Gi
      resources:
        requests:
          cpu: 7
          memory: 15Gi
      maxHeapSize: 8192M
      heapNewSize: 1200M
        # Minimum storage requirements for a production environment.
        # See Configure Cassandra for production.
    
    ingressGateways:
    - name: INGRESS_NAME # maximum 17 characters.
      replicaCountMin: 2
      replicaCountMax: 10
      svcAnnotations:  # optional. If you are on AKS, see Known issue #260772383
        SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE
    
    virtualhosts:
    - name: ENVIRONMENT_GROUP_NAME
      selector:
        app: apigee-ingressgateway
        ingress_name: INGRESS_NAME
      sslCertPath: PATH_TO_CERT_FILE
      sslKeyPath: PATH_TO_KEY_FILE
    
    logger:
      enabled: false
        # apigee-logger does not support Workload Identity Federation.
        # See Known issue #341099433.
        # If you want to enable the apigee-logger component, add
        # a "logger" : "value" entry in the orgsakeys vault secret
        # using the contents of the apigee-logger key file for the
        # value. See Step 5: Set up service account authentication.
    
    # Optional runtime settings. Keep both under the single top-level runtime: key;
    # a second runtime: block is not merged with the first.
    runtime:
      # Required if using Monetization for Apigee hybrid (v1.15.1 and later)
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1" # Must be 1.15.1 or higher.
      # If using message payloads larger than 10MB.
      # See configure large message payload support:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi
    

    The following table describes each of the property values that you must provide in the overrides file. For more information, see Configuration property reference.

    Variable Description
    UNIQUE_INSTANCE_
    IDENTIFIER

    A unique string to identify this instance. This can be any combination of letters and numbers up to 63 characters.

    You can create multiple organizations in the same cluster, but the instanceID must be the same for all orgs in the same Kubernetes cluster.

    See instanceID.

    APIGEE_NAMESPACE

    The Kubernetes namespace for your Apigee hybrid components.

    The default value is apigee.

    See namespace.

    PROJECT_ID Identifies the Google Cloud project where the apigee-logger and the apigee-metrics push their data. This is the value assigned to the environment variable PROJECT_ID.

    See gcp.projectID.

    ANALYTICS_REGION On GKE, you must set this value to the same region where the cluster is running. On all other platforms, select the closest analytics region to your cluster that has Analytics support (see the table in Part 1, Step 2: Create an organization).

    This is the value you assigned to the environment variable ANALYTICS_REGION previously.

    See gcp.region.

    AUDIENCE The allowed audience of the Workload Identity Provider. You can find the value by searching any of the credential configuration files for the key audience. The audience value is the same in each credential configuration file, and it must match the provider's resource name exactly: the token exchange fails when the audience does not identify the provider, and the component never obtains Google Cloud credentials.

    For example, in the following sample apigee-udca-credential-configuration.json file:

    {
      "universe_domain": "googleapis.com",
      "type": "external_account",
      "audience": "AUDIENCE",
      "subject_token_type": "TOKEN_TYPE",
      "token_url": "TOKEN_URL",
      "service_account_impersonation_url": "IMPERSONATION_URL",
      "credential_source": {
        "file": "FILE_PATH",
        "format": {
          "type": "text"
        }
      }
    }

    The audience value will look something like the following (without line breaks):

    "//iam.googleapis.com/projects/123456789012/
    locations/global/workloadIdentityPools/
    POOL_ID/providers/WORKLOAD_PROVIDER_ID"
              

    See gcp.federatedWorkloadIdentity.audience.

    CLUSTER_NAME Your Kubernetes cluster name. This is the value assigned to the environment variable CLUSTER_NAME.

    See k8sCluster.name.

    CLUSTER_LOCATION The region where the cluster is running. This is the region where you created the cluster in Step 1: Create a cluster.

    This is the value you assigned to the environment variable CLUSTER_LOCATION previously.

    See k8sCluster.region.

    ORG_NAME The ID of your Apigee hybrid organization. This is the value assigned to the environment variable ORG_NAME.

    See org.

    CONTROL_PLANE_
    LOCATION
    Required if you are using Data residency with your Apigee hybrid installation. This is the location where customer core content like proxy bundles is stored. For a list see Available Apigee API control plane regions. It is the value assigned to the CONTROL_PLANE_LOCATION environment variable in Step 2: Create an organization.

    See contractProvider.

    ENVIRONMENT_NAME Use the same name that you used when you created an environment in the UI, as explained in Project and org setup - Step 3: Create an environment group.

    See envs[].name.

    ENVIRONMENT_GROUP_
    NAME
    The name of the environment group your environments are assigned to. This is the group you created in Project and org setup - Step 3: Create an environment group. This is the value assigned to the environment variable ENV_GROUP.

    See virtualhosts[].name.

    INGRESS_NAME The name of the Apigee ingress gateway for your deployment. This can be any name that meets the following requirements:
    • Has a maximum length of 17 characters
    • Contains only lowercase alphanumeric characters, '-' or '.'
    • Starts with an alphanumeric character
    • Ends with an alphanumeric character

    See:

    PATH_TO_CERT_FILE
    PATH_TO_KEY_FILE
    Enter the path and filename of the TLS certificate and key files that you generated previously in Step 6: Create TLS certificates. These files must be located in the APIGEE_HELM_CHARTS_HOME/apigee-virtualhosts/certs directory, and the paths are given relative to the apigee-virtualhosts chart directory. For example:
    sslCertPath: certs/keystore.crt
    sslKeyPath: certs/keystore.key
    The self-signed certificate from Step 6 is suitable for a first or evaluation installation. For a production ingress, use a certificate issued by a CA that your API clients trust, and keep the private key file out of version control.

    See:

    SVC_ANNOTATIONS_
    KEY
    : SVC_ANNOTATIONS_
    VALUE
    (Optional). This is a key-value pair that provides annotations for your default ingress service. Your cloud platform uses annotations to help configure your hybrid installation, for example setting the loadbalancer type to either internal or external.

    Annotations vary from platform to platform. Refer to your platform documentation for required and suggested annotations.

    Comment out or delete this section if you are not using it.

    See ingressGateways[].svcAnnotations.

    Example

    instanceID: "my_hybrid_example"
    namespace: "apigee"
    
    gcp:
      projectID: my-project
      region: us-central1
      workloadIdentity:
        enabled: false
      federatedWorkloadIdentity:
        enabled: true
        audience: "//iam.googleapis.com/projects/123123123123/locations/global/workloadIdentityPools/my-wi-pool/providers/my-wi-provider"
        credentialSourceFile: "/var/run/service-account/token"
    
    k8sCluster:
      name: hybrid-env
      region: us-central1
    
    org: my-project
    
    serviceAccountSecretProviderClass: apigee-orgsakeys-spc
    
    enhanceProxyLimits: true
    
    contractProvider: https://us-apigee.googleapis.com
    
    envs:
    - name: prod-env
      serviceAccountSecretProviderClass: apigee-envsakeys-prod-env-spc
    
    cassandra:
      hostNetwork: false
      replicaCount: 3
      storage:
        storageSize: 500Gi
      resources:
        requests:
          cpu: 7
          memory: 15Gi
      maxHeapSize: 8192M
      heapNewSize: 1200M
    
    ingressGateways:
    - name: my-ingress-1
      replicaCountMin: 2
      replicaCountMax: 10
    
    virtualhosts:
    - name: example-env-group
      selector:
        app: apigee-ingressgateway
        ingress_name: my-ingress-1
      sslCertPath: certs/keystore.pem
      sslKeyPath: certs/keystore.key
    
    logger:
      enabled: false
    
    # Monetization for Apigee hybrid and message payloads larger than 10MB.
    # Both settings share the single top-level runtime: key; a second
    # runtime: block would not be merged with the first.
    runtime:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1"
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi
    

    The following table describes each of the property values that you must provide in the overrides file. For more information, see Configuration property reference.

    Variable Description
    UNIQUE_INSTANCE_
    IDENTIFIER

    A unique string to identify this instance. This can be any combination of letters and numbers up to 63 characters.

    You can create multiple organizations in the same cluster, but the instanceID must be the same for all orgs in the same Kubernetes cluster.

    See instanceID.

    APIGEE_NAMESPACE

    The Kubernetes namespace for your Apigee hybrid components.

    The default value is apigee.

    See namespace.

    PROJECT_ID Identifies the Google Cloud project where the apigee-logger and the apigee-metrics push their data. This is the value assigned to the environment variable PROJECT_ID.

    See gcp.projectID.

    ANALYTICS_REGION On GKE, you must set this value to the same region where the cluster is running. On all other platforms, select the closest analytics region to your cluster that has Analytics support (see the table in Part 1, Step 2: Create an organization).

    This is the value you assigned to the environment variable ANALYTICS_REGION previously.

    See gcp.region.

    AUDIENCE The allowed audience of the Workload Identity Provider. You can find the value by searching any of the credential configuration files for the key audience. The audience value is the same in each credential configuration file, and it must match the provider's resource name exactly: the token exchange fails when the audience does not identify the provider, and the component never obtains Google Cloud credentials.

    For example, in the following sample apigee-udca-credential-configuration.json file:

    {
      "universe_domain": "googleapis.com",
      "type": "external_account",
      "audience": "AUDIENCE",
      "subject_token_type": "TOKEN_TYPE",
      "token_url": "TOKEN_URL",
      "service_account_impersonation_url": "IMPERSONATION_URL",
      "credential_source": {
        "file": "FILE_PATH",
        "format": {
          "type": "text"
        }
      }
    }

    The audience value will look something like the following (without line breaks):

    "//iam.googleapis.com/projects/123456789012/
    locations/global/workloadIdentityPools/
    POOL_ID/providers/WORKLOAD_PROVIDER_ID"
              

    See gcp.federatedWorkloadIdentity.audience.

    CLUSTER_NAME Your Kubernetes cluster name. This is the value assigned to the environment variable CLUSTER_NAME.

    See k8sCluster.name.

    CLUSTER_LOCATION The region where the cluster is running. This is the region where you created the cluster in Step 1: Create a cluster.

    This is the value you assigned to the environment variable CLUSTER_LOCATION previously.

    See k8sCluster.region.

    ORG_NAME The ID of your Apigee hybrid organization. This is the value assigned to the environment variable ORG_NAME.

    See org.

    CONTROL_PLANE_
    LOCATION
    Required if you are using Data residency with your Apigee hybrid installation. This is the location where customer core content like proxy bundles is stored. For a list see Available Apigee API control plane regions. It is the value assigned to the CONTROL_PLANE_LOCATION environment variable in Step 2: Create an organization.

    See contractProvider.

    ENVIRONMENT_NAME Use the same name that you used when you created an environment in the UI, as explained in Project and org setup - Step 3: Create an environment group.

    See envs[].name.

    ENVIRONMENT_GROUP_
    NAME
    The name of the environment group your environments are assigned to. This is the group you created in Project and org setup - Step 3: Create an environment group. This is the value assigned to the environment variable ENV_GROUP.

    See virtualhosts[].name.

    INGRESS_NAME The name of the Apigee ingress gateway for your deployment. This can be any name that meets the following requirements:
    • Has a maximum length of 17 characters
    • Contains only lowercase alphanumeric characters, '-' or '.'
    • Starts with an alphanumeric character
    • Ends with an alphanumeric character

    See:

    PATH_TO_CERT_FILE
    PATH_TO_KEY_FILE
    Enter the path and filename of the TLS certificate and key files that you generated previously in Step 6: Create TLS certificates. These files must be located in the APIGEE_HELM_CHARTS_HOME/apigee-virtualhosts/certs directory, and the paths are given relative to the apigee-virtualhosts chart directory. For example:
    sslCertPath: certs/keystore.crt
    sslKeyPath: certs/keystore.key
    The self-signed certificate from Step 6 is suitable for a first or evaluation installation. For a production ingress, use a certificate issued by a CA that your API clients trust, and keep the private key file out of version control.

    See:

    SVC_ANNOTATIONS_
    KEY
    : SVC_ANNOTATIONS_
    VALUE
    (Optional). This is a key-value pair that provides annotations for your default ingress service. Your cloud platform uses annotations to help configure your hybrid installation, for example setting the loadbalancer type to either internal or external.

    Annotations vary from platform to platform. Refer to your platform documentation for required and suggested annotations.

    Comment out or delete this section if you are not using it.

    See ingressGateways[].svcAnnotations.

    Non-prod

    Template

    Values shown as UPPER_CASE placeholders are property values that you must provide. They are described in the table below.

    instanceID: UNIQUE_INSTANCE_IDENTIFIER
    namespace: APIGEE_NAMESPACE # Usually "apigee"
    
    gcp:
      projectID: PROJECT_ID
      region: ANALYTICS_REGION
      workloadIdentity:
        enabled: false # Must be set to false to use
          # Workload Identity Federation on other platforms.
      federatedWorkloadIdentity:
        enabled: true
        audience: "AUDIENCE"
        credentialSourceFile: "/var/run/service-account/token"
    
    k8sCluster:
      name: CLUSTER_NAME
      region: CLUSTER_LOCATION # Closest Google Cloud region to your cluster.
    
    org: ORG_NAME
    
    serviceAccountSecretProviderClass: apigee-orgsakeys-spc
    
    # Required for Enhanced per-environment proxy limits:
    enhanceProxyLimits: true
    
    # Required if using data residency with hybrid:
    contractProvider: https://CONTROL_PLANE_LOCATION-apigee.googleapis.com
    
    envs:
    - name: ENVIRONMENT_NAME
      serviceAccountSecretProviderClass: apigee-envsakeys-ENVIRONMENT_NAME-spc
    
    cassandra:
      hostNetwork: false
        # Set to false for single region installations and  for multi-region
        # installations with connectivity between pods in different clusters,
        # like GKE.
        # Set to true for multi-region installations with no communication
        # between pods in different clusters, for example Google Distributed
        # Cloud on VMware or bare metal, GKE on AWS, AKS, EKS, and OpenShift.
        # See Multi-region deployment: Prerequisites
      replicaCount: 1
        # Use 1 for non-prod installations and multiples of 3 for production.
        # See Configure Cassandra for production for guidelines.
    
    ingressGateways:
    - name: INGRESS_NAME # maximum 17 characters.
      replicaCountMin: 2
      replicaCountMax: 10
      svcAnnotations:  # optional. If you are on AKS, see Known issue #260772383
        SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE
    
    virtualhosts:
    - name: ENVIRONMENT_GROUP_NAME
      selector:
        app: apigee-ingressgateway
        ingress_name: INGRESS_NAME
      sslCertPath: PATH_TO_CERT_FILE
      sslKeyPath: PATH_TO_KEY_FILE
    
    logger:
      enabled: false
        # apigee-logger does not support Workload Identity Federation.
        # See Known issue #341099433.
        # If you want to enable the apigee-logger component, add
        # a "logger" : "value" entry in the orgsakeys vault secret
        # using the contents of the apigee-non-prod key file for the
        # value. See Step 5: Set up service account authentication.
    
    # Optional runtime settings. Keep both under the single top-level runtime: key;
    # a second runtime: block is not merged with the first.
    runtime:
      # Required if using Monetization for Apigee hybrid (v1.15.1 and later)
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1" # Must be 1.15.1 or higher.
      # If using message payloads larger than 10MB.
      # See configure large message payload support:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi
    

    The following table describes each of the property values that you must provide in the overrides file. For more information, see Configuration property reference.

    Variable Description
    UNIQUE_INSTANCE_
    IDENTIFIER

    A unique string to identify this instance. This can be any combination of letters and numbers up to 63 characters.

    You can create multiple organizations in the same cluster, but the instanceID must be the same for all orgs in the same Kubernetes cluster.

    See instanceID.

    APIGEE_NAMESPACE

    The Kubernetes namespace for your Apigee hybrid components.

    The default value is apigee.

    See namespace.

    PROJECT_ID Identifies the Google Cloud project where the apigee-logger and the apigee-metrics push their data. This is the value assigned to the environment variable PROJECT_ID.

    See gcp.projectID.

    ANALYTICS_REGION On GKE, you must set this value to the same region where the cluster is running. On all other platforms, select the closest analytics region to your cluster that has Analytics support (see the table in Part 1, Step 2: Create an organization).

    This is the value you assigned to the environment variable ANALYTICS_REGION previously.

    See gcp.region.

    AUDIENCE The allowed audience of the Workload Identity Provider. You can find the value by searching any of the credential configuration files for the key audience. The audience value is the same in each credential configuration file, and it must match the provider's resource name exactly: the token exchange fails when the audience does not identify the provider, and the component never obtains Google Cloud credentials.

    For example, in the following sample apigee-udca-credential-configuration.json file:

    {
      "universe_domain": "googleapis.com",
      "type": "external_account",
      "audience": "AUDIENCE",
      "subject_token_type": "TOKEN_TYPE",
      "token_url": "TOKEN_URL",
      "service_account_impersonation_url": "IMPERSONATION_URL",
      "credential_source": {
        "file": "FILE_PATH",
        "format": {
          "type": "text"
        }
      }
    }

    The audience value will look something like the following (without line breaks):

    "//iam.googleapis.com/projects/123456789012/
    locations/global/workloadIdentityPools/
    POOL_ID/providers/WORKLOAD_PROVIDER_ID"
              

    See gcp.federatedWorkloadIdentity.audience.

    CLUSTER_NAME Your Kubernetes cluster name. This is the value assigned to the environment variable CLUSTER_NAME.

    See k8sCluster.name.

    CLUSTER_LOCATION The region where the cluster is running. This is the region where you created the cluster in Step 1: Create a cluster.

    This is the value you assigned to the environment variable CLUSTER_LOCATION previously.

    See k8sCluster.region.

    ORG_NAME The ID of your Apigee hybrid organization. This is the value assigned to the environment variable ORG_NAME.

    See org.

    CONTROL_PLANE_
    LOCATION
    Required if you are using Data residency with your Apigee hybrid installation. This is the location where customer core content like proxy bundles is stored. For a list see Available Apigee API control plane regions. It is the value assigned to the CONTROL_PLANE_LOCATION environment variable in Step 2: Create an organization.

    See contractProvider.

    ENVIRONMENT_NAME Use the same name that you used when you created an environment in the UI, as explained in Project and org setup - Step 3: Create an environment group.

    See envs[].name.

    ENVIRONMENT_GROUP_
    NAME
    The name of the environment group your environments are assigned to. This is the group you created in Project and org setup - Step 3: Create an environment group. This is the value assigned to the environment variable ENV_GROUP.

    See virtualhosts[].name.

    INGRESS_NAME The name of the Apigee ingress gateway for your deployment. This can be any name that meets the following requirements:
    • Has a maximum length of 17 characters
    • Contains only lowercase alphanumeric characters, '-' or '.'
    • Starts with an alphanumeric character
    • Ends with an alphanumeric character

    See:

    PATH_TO_CERT_FILE
    PATH_TO_KEY_FILE
    Enter the path and filename of the TLS certificate and key files that you generated previously in Step 6: Create TLS certificates. These files must be located in the APIGEE_HELM_CHARTS_HOME/apigee-virtualhosts/certs directory, and the paths are given relative to the apigee-virtualhosts chart directory. For example:
    sslCertPath: certs/keystore.crt
    sslKeyPath: certs/keystore.key
    The self-signed certificate from Step 6 is suitable for a first or evaluation installation. For a production ingress, use a certificate issued by a CA that your API clients trust, and keep the private key file out of version control.

    See:

    SVC_ANNOTATIONS_
    KEY
    : SVC_ANNOTATIONS_
    VALUE
    (Optional). This is a key-value pair that provides annotations for your default ingress service. Your cloud platform uses annotations to help configure your hybrid installation, for example setting the loadbalancer type to either internal or external.

    Annotations vary from platform to platform. Refer to your platform documentation for required and suggested annotations.

    Comment out or delete this section if you are not using it.

    See ingressGateways[].svcAnnotations.

    Example

    instanceID: "my_hybrid_example"
    namespace: "apigee"
    
    gcp:
      projectID: my-project
      region: us-central1
      workloadIdentity:
        enabled: false
      federatedWorkloadIdentity:
        enabled: true
        audience: "//iam.googleapis.com/projects/123123123123/locations/global/workloadIdentityPools/my-wi-pool/providers/my-wi-provider"
        credentialSourceFile: "/var/run/service-account/token"
    
    k8sCluster:
      name: hybrid-env
      region: us-central1
    
    org: my-project
    
    serviceAccountSecretProviderClass: apigee-orgsakeys-spc
    
    enhanceProxyLimits: true
    
    contractProvider: https://us-apigee.googleapis.com
    
    envs:
    - name: test
      serviceAccountSecretProviderClass: apigee-envsakeys-test-env-spc
    
    cassandra:
      hostNetwork: false
      replicaCount: 1
    
    ingressGateways:
    - name: my-ingress-1
      replicaCountMin: 2
      replicaCountMax: 10
    
    virtualhosts:
    - name: example-env-group
      selector:
        app: apigee-ingressgateway
        ingress_name: my-ingress-1
      sslCertPath: certs/keystore.pem
      sslKeyPath: certs/keystore.key
    
    logger:
      enabled: false
    
    # Monetization for Apigee hybrid and message payloads larger than 10MB.
    # Both settings share the single top-level runtime: key; a second
    # runtime: block would not be merged with the first.
    runtime:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1"
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi
    

    The following table describes each of the property values that you must provide in the overrides file. For more information, see Configuration property reference.

    Variable: Description
    UNIQUE_INSTANCE_IDENTIFIER

    A unique string to identify this instance. This can be any combination of letters and numbers up to 63 characters.

    You can create multiple organizations in the same cluster, but the instanceID must be the same for all orgs in the same Kubernetes cluster.

    See instanceID.

    APIGEE_NAMESPACE

    The Kubernetes namespace for your Apigee hybrid components.

    The default value is apigee.

    See namespace.

    PROJECT_ID Identifies the Google Cloud project where the apigee-logger and the apigee-metrics push their data. This is the value assigned to the environment variable PROJECT_ID.

    See gcp.projectID.

    ANALYTICS_REGION In GKE, you must set this value to the same region where the cluster is running. On all other platforms, select the analytics region closest to your cluster that has Analytics support (see the table in Part 1, Step 2: Create an organization).

    This is the value you assigned to the environment variable ANALYTICS_REGION previously.

    See gcp.region.

    AUDIENCE The allowed audience of the Workload Identity Provider. You can find the value by searching any of the credential configuration files for the term audience:. The audience value is the same in every credential configuration file.

    For example, in the following sample apigee-udca-credential-configuration.json file:

    {
      "universe_domain": "googleapis.com",
      "type": "external_account",
      "audience": "AUDIENCE",
      "subject_token_type": "TOKEN_TYPE",
      "token_url": "TOKEN_URL",
      "service_account_impersonation_url": "IMPERSONATION_URL",
      "credential_source": {
        "file": "FILE_PATH",
        "format": {
          "type": "text"
        }
      }
    }

    The audience value will look something like the following (without line breaks):

    "//iam.googleapis.com/projects/123456789012/
    locations/global/workloadIdentityPools/
    POOL_ID/providers/WORKLOAD_PROVIDER_ID"

    See gcp.federatedWorkloadIdentity.audience.

    CLUSTER_NAME Your Kubernetes cluster name. This is the value assigned to the environment variable CLUSTER_NAME.

    See k8sCluster.name.

    CLUSTER_LOCATION The region where the cluster is running. This is the region where you created the cluster in Step 1: Create a cluster.

    This is the value you assigned to the environment variable CLUSTER_LOCATION previously.

    See k8sCluster.location.

    ORG_NAME The ID of your Apigee hybrid organization. This is the value assigned to the environment variable ORG_NAME.

    See org.

    CONTROL_PLANE_LOCATION Required if you are using Data residency with your Apigee hybrid installation. This is the location where customer core content such as proxy bundles is stored. For a list, see Available Apigee API control plane regions. It is the value assigned to the CONTROL_PLANE_LOCATION environment variable in Step 2: Create an organization.

    See contractProvider.

    ENVIRONMENT_NAME Use the same name that you used when you created an environment in the UI, as explained in Project and org setup - Step 3: Create an environment group.

    See envs[].name.

    ENVIRONMENT_GROUP_NAME The name of the environment group your environments are assigned to. This is the group you created in Project and org setup - Step 3: Create an environment group. This is the value assigned to the environment variable ENV_GROUP.

    See virtualhosts[].name.

    INGRESS_NAME The name of the Apigee ingress gateway for your deployment. This can be any name that meets the following requirements:
    • Have a maximum length of 17 characters
    • Contain only lowercase alphanumeric characters, '-' or '.'
    • Start with an alphanumeric character
    • End with an alphanumeric character

    See ingressGateways[].name and virtualhosts[].selector.ingress_name.

    PATH_TO_CERT_FILE
    PATH_TO_KEY_FILE
    Enter the path and filename of the self-signed TLS key and certificate files that you generated previously in Step 6: Create TLS certificates. These files must be located in the APIGEE_HELM_CHARTS_HOME/apigee-virtualhosts/certs directory. For example:
    sslCertPath: certs/keystore.crt
    sslKeyPath: certs/keystore.key

    See virtualhosts[].sslCertPath and virtualhosts[].sslKeyPath.

    SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE (Optional). This is a key-value pair that provides annotations for your default ingress service. Your cloud platform uses annotations to help configure your hybrid installation, for example setting the load balancer type to either internal or external.

    Annotations vary from platform to platform. Refer to your platform documentation for required and suggested annotations.

    Comment out or delete this section if you are not using it.

    See ingressGateways[].svcAnnotations.
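    Before handing the overrides file to the Helm charts, it is worth checking it against the constraints this table states, because a wrong ingress name or a mismatched selector only surfaces once the charts are applied. The following script is an added example, not code from the Apigee documentation or the Apigee project: it checks for the required values, the instanceID length, the ingress naming rules, that every virtual host selects an ingress gateway that is actually defined, that the certificate paths sit under certs/, and that the Workload Identity Federation audience has the resource-name shape shown above. It also scans the raw text for top-level keys that appear twice, since a YAML loader silently keeps only the last of two `runtime:` blocks. The sample configuration and the duplicate-key text are constructed to mirror the example on this page; PyYAML is only needed for the file-loading helper.

```python
"""Sanity checks for an Apigee hybrid overrides.yaml (added example, not Apigee's code)."""
import re
from typing import Any, Dict, List

try:
    import yaml  # PyYAML is optional; every check works on a plain dict.
except ImportError:  # pragma: no cover
    yaml = None

# Ingress names: lowercase alphanumerics, '-' or '.', alphanumeric at both ends.
INGRESS_NAME_RE = re.compile(r"^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$")
# Shape of a workload identity provider resource name, as shown on this page.
AUDIENCE_RE = re.compile(
    r"^//iam\.googleapis\.com/projects/\d+/locations/global/"
    r"workloadIdentityPools/[^/]+/providers/[^/]+$"
)
# A mapping key at column 0 of the YAML text.
TOP_LEVEL_KEY_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*):")


def duplicate_top_level_keys(raw_yaml: str) -> List[str]:
    """Return top-level keys that occur more than once in the raw YAML text."""
    seen: Dict[str, int] = {}
    for line in raw_yaml.splitlines():
        m = TOP_LEVEL_KEY_RE.match(line)
        if m:
            seen[m.group(1)] = seen.get(m.group(1), 0) + 1
    return sorted(k for k, n in seen.items() if n > 1)


def _get(node: Any, *path: str) -> Any:
    """Walk nested dicts; return None if any step is missing."""
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def check_overrides(cfg: Dict[str, Any]) -> List[str]:
    """Return human-readable problems; an empty list means all checks passed."""
    problems: List[str] = []
    for path in (("instanceID",), ("namespace",), ("gcp", "projectID"), ("gcp", "region"),
                 ("k8sCluster", "name"), ("k8sCluster", "region"), ("org",)):
        if _get(cfg, *path) in (None, ""):
            problems.append("missing required value: " + ".".join(path))

    instance_id = _get(cfg, "instanceID")
    if isinstance(instance_id, str) and len(instance_id) > 63:
        problems.append("instanceID is longer than 63 characters")

    gw_names = set()
    for gw in cfg.get("ingressGateways") or []:
        name = gw.get("name") or ""
        gw_names.add(name)
        if len(name) > 17 or not INGRESS_NAME_RE.match(name):
            problems.append(f"ingress name {name!r} violates the naming rules")
        lo, hi = gw.get("replicaCountMin"), gw.get("replicaCountMax")
        if isinstance(lo, int) and isinstance(hi, int) and lo > hi:
            problems.append(f"ingress {name!r}: replicaCountMin exceeds replicaCountMax")

    for vh in cfg.get("virtualhosts") or []:
        vh_name = vh.get("name", "?")
        ingress = _get(vh, "selector", "ingress_name")
        if ingress not in gw_names:
            problems.append(f"virtualhost {vh_name!r} selects unknown ingress {ingress!r}")
        for key in ("sslCertPath", "sslKeyPath"):
            val = vh.get(key)
            if not isinstance(val, str) or not val.startswith("certs/"):
                problems.append(f"virtualhost {vh_name!r}: {key} must point under certs/")

    if _get(cfg, "gcp", "federatedWorkloadIdentity", "enabled"):
        aud = _get(cfg, "gcp", "federatedWorkloadIdentity", "audience") or ""
        if not AUDIENCE_RE.match(aud):
            problems.append("federatedWorkloadIdentity.audience is not a provider resource name")
        if not _get(cfg, "gcp", "federatedWorkloadIdentity", "credentialSourceFile"):
            problems.append("federatedWorkloadIdentity.credentialSourceFile is missing")
    return problems


def check_file(path: str) -> List[str]:
    """Load an overrides.yaml and run both checks (this helper needs PyYAML)."""
    if yaml is None:
        raise RuntimeError("PyYAML not installed; call check_overrides on a dict instead")
    with open(path, encoding="utf-8") as fh:
        raw = fh.read()
    dupes = [f"duplicate top-level key: {k}" for k in duplicate_top_level_keys(raw)]
    return dupes + check_overrides(yaml.safe_load(raw))


# Constructed sample mirroring the page's example, as a dict so it runs without PyYAML.
SAMPLE_OK: Dict[str, Any] = {
    "instanceID": "my_hybrid_example",
    "namespace": "apigee",
    "gcp": {"projectID": "my-project", "region": "us-central1",
            "workloadIdentity": {"enabled": False},
            "federatedWorkloadIdentity": {
                "enabled": True,
                "audience": "//iam.googleapis.com/projects/123123123123/locations/global/"
                            "workloadIdentityPools/my-wi-pool/providers/my-wi-provider",
                "credentialSourceFile": "/var/run/service-account/token"}},
    "k8sCluster": {"name": "hybrid-env", "region": "us-central1"},
    "org": "my-project",
    "envs": [{"name": "test"}],
    "ingressGateways": [{"name": "my-ingress-1", "replicaCountMin": 2, "replicaCountMax": 10}],
    "virtualhosts": [{"name": "example-env-group",
                      "selector": {"app": "apigee-ingressgateway", "ingress_name": "my-ingress-1"},
                      "sslCertPath": "certs/keystore.pem", "sslKeyPath": "certs/keystore.key"}],
}

# Constructed raw text in which the same top-level key is listed twice.
SAMPLE_DUP_TEXT = "org: my-project\nruntime:\n  image:\n    tag: x\nruntime:\n  resources: {}\n"

if __name__ == "__main__":
    print(check_overrides(SAMPLE_OK))                 # []
    print(duplicate_top_level_keys(SAMPLE_DUP_TEXT))  # ['runtime']
```

    Run it as `python check_overrides.py` for the built-in sample, or call `check_file("overrides.yaml")` from a shell to check a real file; every problem is reported as a string so the script can be wired into a pre-install step that fails on a non-empty list.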

    Summary

    The configuration file tells Kubernetes how to deploy the hybrid components to a cluster. Next, you will enable synchronizer access so the Apigee runtime and management planes will be able to communicate.

    Next step

    Step 8: Enable Control Plane access