步驟 2:安裝 cert-manager 和 ASM

本步驟說明如何下載及安裝 Apigee hybrid 運作所需的 cert-managerAnthos 服務網格 (ASM)。

安裝 cert-manager

請使用下列兩個指令之一,從 GitHub 安裝 cert-manager 0.14.2 版。如要找出 Kubernetes 版本,請使用 kubectl version 指令。

  • 如果您使用的是 1.15 以上版本的 Kubernetes:
    kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.14.2/cert-manager.yaml
  • 1.15 舊的 Kubernetes 版本:
    kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.14.2/cert-manager-legacy.yaml

您應該會看到回應,指出已建立 cert-manager 命名空間和多個 cert-manager 資源。

安裝 ASM

Apigee hybrid 會使用 Anthos 服務網格 (ASM) 提供的 Istio 發行版本。請按照下列步驟在叢集中安裝 ASM。

支援的 ASM 版本

如要安裝新的混合式叢集,請在叢集中安裝 ASM 1.6.x。如果您要從混合型 1.2.x 版本升級,請在叢集中安裝 ASM 1.5.x 版本。

執行 ASM 設定步驟

如要完成 ASM 安裝程序,您必須先按照 ASM 說明文件中的 ASM 專屬設定步驟操作。接著,您必須返回這裡完成混合型專屬設定,才能將設定套用至叢集。

  1. 請按照 ASM 設定和設定步驟操作:
  2. 完成 ASM 設定和設定步驟後,請前往下一節,完成混合型設定和 ASM 安裝步驟。

執行最終混合式設定並安裝 ASM

最後,請在 istio-operator.yaml 檔案中新增混合型專屬設定,並安裝 ASM。

  1. 請確認您位於 ASM 安裝的根目錄中。例如:1.6.11-asm.1
  2. 在編輯器中開啟 ./asm/cluster/istio-operator.yaml 檔案。
  3. spec.meshConfig: 下方以縮排方式新增以下程式碼行:

    要複製的文字

        # This disables Istio from configuring workloads for mTLS if TLSSettings are not specified. 1.4 defaulted to false.
        enableAutoMtls: false
        accessLogFile: "/dev/stdout"
        accessLogEncoding: 1
        # This is Apigee's custom access log format. Changes should not be made to this
        # unless first working with the Data and AX teams as they parse these logs for
        # SLOs.
        accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)%
          %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'

    顯示刊登位置的範例

    插入換行符號以利閱讀

    apiVersion: install.istio.io/v1alpha1
    kind: IstioOperator
    metadata:
      clusterName: "hybrid-example/us-central1/example-cluster" # {"$ref":"#/definitions/io.k8s.cli.substitutions.cluster-name"}
    spec:
      profile: asm
      hub: gcr.io/gke-release/asm # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.hub"}
      tag: 1.5.7-asm.0 # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.tag"}
      meshConfig:
        # This disables Istio from configuring workloads for mTLS if TLSSettings are not specified.
        # 1.4 defaulted to false.
        enableAutoMtls: false
        accessLogFile: "/dev/stdout"
        accessLogEncoding: 1
        # This is Apigee's custom access log format. Changes should not be made to this
        # unless first working with the Data and AX teams as they parse these logs for
        # SLOs.
        accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE
          _ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:
          METHOD)%
          %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RE
          SPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIV
          ED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response
          _flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_serv
          ice_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%
          ","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_
          path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol
          ":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_S
          ERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
        defaultConfig:
          proxyMetadata:
            GCP_METADATA: "hybrid-example|123456789123|example-cluster|us-central1" #
              {"$ref":"#/definitions/io.k8s.cli.substitutions.gke-metadata"}
  4. istio-operator.yaml 檔案中,將 spec:components 段落新增 (或更新) 至 meshConfig: 區段下方,並緊接在 values: 上方,其中 reserved_static_ip 是您在專案和機構設定 - 步驟 5:設定 Cloud DNS 中為執行階段入口網站閘道預留的 IP 位址。

    要複製的文字

        ingressGateways:
        - name: istio-ingressgateway
          enabled: true
          k8s:
            service:
              type: LoadBalancer
              loadBalancerIP: reserved_static_ip
              ports:
              - name: status-port
                port: 15020
                targetPort: 15020
              - name: http2
                port: 80
                targetPort: 80
              - name: https
                port: 443
              - name: prometheus
                port: 15030
                targetPort: 15030
              - name: tcp
                port: 31400
                targetPort: 31400
              - name: tls
                port: 15443
                targetPort: 15443
    

    顯示刊登位置的範例

    插入換行符號以利閱讀

    apiVersion: install.istio.io/v1alpha1
    kind: IstioOperator
    metadata:
      clusterName: "hybrid-example/us-central1/example-cluster" # {"$ref":"#/definitions/io.k8s.cli.substitutions.cluster-name"}
    spec:
      profile: asm
      hub: gcr.io/gke-release/asm # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.hub"}
      tag: 1.5.7-asm.0 # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.tag"}
      meshConfig:
        # This disables Istio from configuring workloads for mTLS if TLSSettings are not specified.
        # 1.4 defaulted to false.
        enableAutoMtls: false
        accessLogFile: "/dev/stdout"
        accessLogEncoding: 1
        # This is Apigee's custom access log format. Changes should not be made to this
        # unless first working with the Data and AX teams as they parse these logs for
        # SLOs.
        accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE
          _ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:
          METHOD)%
          %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RE
          SPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIV
          ED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response
          _flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_serv
          ice_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%
          ","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_
          path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol
          ":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_S
          ERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
        defaultConfig:
          proxyMetadata:
            GCP_METADATA: "hybrid-example|123456789123|example-cluster|us-central1" #
              {"$ref":"#/definitions/io.k8s.cli.substitutions.gke-metadata"}
    
      components:
        pilot:
          k8s:
            hpaSpec:
              maxReplicas: 2
        ingressGateways:
        - name: istio-ingressgateway
          enabled: true
          k8s:
            service:
              type: LoadBalancer
              loadBalancerIP: 123.234.56.78
              ports:
              - name: status-port
                port: 15020
                targetPort: 15020
              - name: http2
                port: 80
                targetPort: 80
              - name: https
                port: 443
              - name: prometheus
                port: 15030
                targetPort: 15030
              - name: tcp
                port: 31400
                targetPort: 31400
              - name: tls
                port: 15443
                targetPort: 15443
            hpaSpec:
              maxReplicas: 2
      values:
        .
        .
        .
  5. 請返回先前使用的 ASM 說明文件,完成 ASM 安裝作業 (將 istio-operator.yaml 檔案安裝或套用至叢集)。在選項中,請選擇「PERMISSIVE mTLS」

摘要

您現在已安裝 cert-manager 和 ASM,可以開始在本機電腦上安裝 Apigee 混合指令列工具。

1 2 (NEXT) 步驟 3:安裝 apigeectl 4 5