本步驟說明如何下載及安裝 Apigee hybrid 運作所需的 cert-manager 和 Anthos 服務網格 (ASM)。
安裝 cert-manager
請使用下列兩個指令之一,從 GitHub 安裝 cert-manager 0.14.2 版。如要找出 Kubernetes 版本,請使用 kubectl version
指令。
- 如果您使用的是 1.15 以上版本的 Kubernetes:
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.14.2/cert-manager.yaml
- 比 1.15 舊的 Kubernetes 版本:
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.14.2/cert-manager-legacy.yaml
您應該會看到回應,指出已建立 cert-manager 命名空間和多個 cert-manager 資源。
安裝 ASM
Apigee hybrid 會使用 Anthos 服務網格 (ASM) 提供的 Istio 發行版本。請按照下列步驟在叢集中安裝 ASM。
支援的 ASM 版本
如要安裝新的混合式叢集,請在叢集中安裝 ASM 1.6.x。如果您要從混合型 1.2.x 版本升級,請在叢集中安裝 ASM 1.5.x 版本。
執行 ASM 設定步驟
如要完成 ASM 安裝程序,您必須先按照 ASM 說明文件中的 ASM 專屬設定步驟操作。接著,您必須返回這裡完成混合型專屬設定,才能將設定套用至叢集。
- 請按照 ASM 設定和設定步驟操作:
- 如果這是 Apigee Hybrid 的新安裝作業,請安裝 ASM 1.6.x 版本。請參閱「安裝和遷移簡介」。
- 如果您要從舊版混合型升級,請使用 ASM 1.5.x。請參閱「在現有叢集中安裝 Anthos 服務網格」一文。
完成 ASM 設定和設定步驟後,請前往下一節,完成混合型設定和 ASM 安裝步驟。
執行最終混合式設定並安裝 ASM
最後,請在 istio-operator.yaml
檔案中新增混合型專屬設定,並安裝 ASM。
-
請確認您位於 ASM 安裝的根目錄中。例如:
1.6.11-asm.1
。 - 在編輯器中開啟
./asm/cluster/istio-operator.yaml
檔案。 - 在
spec.meshConfig:
下方以縮排方式新增以下程式碼行:要複製的文字
# This disables Istio from configuring workloads for mTLS if TLSSettings are not specified. 1.4 defaulted to false. enableAutoMtls: false accessLogFile: "/dev/stdout" accessLogEncoding: 1 # This is Apigee's custom access log format. Changes should not be made to this # unless first working with the Data and AX teams as they parse these logs for # SLOs. accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
顯示刊登位置的範例
插入換行符號以利閱讀
apiVersion: install.istio.io/v1alpha1 kind: IstioOperator metadata: clusterName: "hybrid-example/us-central1/example-cluster" # {"$ref":"#/definitions/io.k8s.cli.substitutions.cluster-name"} spec: profile: asm hub: gcr.io/gke-release/asm # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.hub"} tag: 1.5.7-asm.0 # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.tag"} meshConfig: # This disables Istio from configuring workloads for mTLS if TLSSettings are not specified. # 1.4 defaulted to false. enableAutoMtls: false accessLogFile: "/dev/stdout" accessLogEncoding: 1 # This is Apigee's custom access log format. Changes should not be made to this # unless first working with the Data and AX teams as they parse these logs for # SLOs. accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE _ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(: METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RE SPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIV ED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response _flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_serv ice_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER% ","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_ path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol ":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_S ERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}' defaultConfig: proxyMetadata: GCP_METADATA: "hybrid-example|123456789123|example-cluster|us-central1" # {"$ref":"#/definitions/io.k8s.cli.substitutions.gke-metadata"}
- 在
istio-operator.yaml
檔案中,將spec:components
段落新增 (或更新) 至meshConfig:
區段下方,並緊接在values:
上方,其中 reserved_static_ip 是您在專案和機構設定 - 步驟 5:設定 Cloud DNS 中為執行階段入口網站閘道預留的 IP 位址。要複製的文字
ingressGateways: - name: istio-ingressgateway enabled: true k8s: service: type: LoadBalancer loadBalancerIP: reserved_static_ip ports: - name: status-port port: 15020 targetPort: 15020 - name: http2 port: 80 targetPort: 80 - name: https port: 443 - name: prometheus port: 15030 targetPort: 15030 - name: tcp port: 31400 targetPort: 31400 - name: tls port: 15443 targetPort: 15443
顯示刊登位置的範例
插入換行符號以利閱讀
apiVersion: install.istio.io/v1alpha1 kind: IstioOperator metadata: clusterName: "hybrid-example/us-central1/example-cluster" # {"$ref":"#/definitions/io.k8s.cli.substitutions.cluster-name"} spec: profile: asm hub: gcr.io/gke-release/asm # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.hub"} tag: 1.5.7-asm.0 # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.tag"} meshConfig: # This disables Istio from configuring workloads for mTLS if TLSSettings are not specified. # 1.4 defaulted to false. enableAutoMtls: false accessLogFile: "/dev/stdout" accessLogEncoding: 1 # This is Apigee's custom access log format. Changes should not be made to this # unless first working with the Data and AX teams as they parse these logs for # SLOs. accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE _ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(: METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RE SPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIV ED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response _flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_serv ice_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER% ","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_ path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol ":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_S ERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}' defaultConfig: proxyMetadata: GCP_METADATA: "hybrid-example|123456789123|example-cluster|us-central1" # {"$ref":"#/definitions/io.k8s.cli.substitutions.gke-metadata"} components: pilot: k8s: hpaSpec: maxReplicas: 2 ingressGateways: - name: istio-ingressgateway enabled: true k8s: service: type: LoadBalancer loadBalancerIP: 123.234.56.78 ports: - name: status-port port: 15020 targetPort: 15020 - name: http2 port: 80 targetPort: 80 - name: https port: 443 - name: prometheus port: 15030 targetPort: 15030 - name: tcp port: 31400 targetPort: 31400 - name: tls port: 15443 targetPort: 15443 hpaSpec: maxReplicas: 2 values: . . .
- 請返回先前使用的 ASM 說明文件,完成 ASM 安裝作業 (將
istio-operator.yaml
檔案安裝或套用至叢集)。在選項中,請選擇「PERMISSIVE mTLS」。
摘要
您現在已安裝 cert-manager 和 ASM,可以開始在本機電腦上安裝 Apigee 混合指令列工具。
1 2 (NEXT) 步驟 3:安裝 apigeectl 4 5