gcloud config list
[compute]
region = us-central1
[core]
account = user@acme.com
disable_usage_reporting = False
project = my-hybrid-project
Your active configuration is: [default]
Make sure the compute region or zone is set to the region or zone you
used when you created your cluster. If you
created a regional cluster, use unset to clear the compute/zone property if it is
set. If you
created a zonal cluster, use unset to clear the compute/region property if it is set.
Your config
must have either the compute region or zone set, but not both. For example, to clear the
compute/zone property using unset, use the following command:
gcloud config unset compute/zone
Set a variable with your KDUBECONFIG file path using the following command. This file was created on the admin machine
when you created your cluster.
export KUBECONFIG=KUBECONFIG_PATH
For example:
export KUBECONFIG=~/.kube/my-config
Set up and download ASM
Next, use the ASM documentation to set up your environment and download ASM.
Read the following steps carefully before you begin. We will ask you to perform some of the steps
listed in the ASM documentation, then return here to complete the installation.
Go to the ASM installation instructions and install the appropriate ASM version for your hybrid
setup:
For new hybrid installations, install ASM version 1.6.x:
When you have downloaded and unzipped the ASM installation file, continue
with the following steps:
Make sure you are in the Istio directory that you downloaded and unzipped. For example:
1.6.11-asm.1.
Execute the following command for the version of Istio you installed:
If you installed ASM version 1.6 or newer (1.6.11 or newer recommended), execute the
following command, where your_static_ip is the static IP address you reserved
previously in Reserve a static IP:
If you installed ASM 1.5.x, execute the following command, where your_static_ip is the
static IP address you reserved previously in Reserve a static IP:
The ASM installation you just performed is a minimal installation, sufficient to test and use
Apigee hybrid for basic use cases. For information on addressing more advanced use cases, such as
adding, removing, or modifying load balancer port numbers, see
Enabling optional features.
Summary
You now have cert-manager and ASM installed, and you are ready to install the
Apigee hybrid command line tool on your local machine.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eThis documentation version (1.3) for Apigee hybrid is end-of-life and an upgrade to a newer version is required.\u003c/p\u003e\n"],["\u003cp\u003eCert-manager and Anthos Service Mesh (ASM) must be downloaded and installed as prerequisites for Apigee hybrid operation, with specific versions required for different hybrid setups.\u003c/p\u003e\n"],["\u003cp\u003eBefore installing cert-manager, users should determine their Kubernetes version and use the corresponding \u003ccode\u003ekubectl\u003c/code\u003e command to apply the correct configuration file.\u003c/p\u003e\n"],["\u003cp\u003eInstallation of ASM requires following the ASM documentation up to creating the \u003ccode\u003eistio-system\u003c/code\u003e namespace, then returning to this guide to apply a specific manifest file based on the installed ASM version (either 1.6.x or 1.5.x).\u003c/p\u003e\n"],["\u003cp\u003eThe provided ASM installation is a minimal setup for basic Apigee hybrid use, and further customization is possible for advanced use cases as described in the ASM documentation.\u003c/p\u003e\n"]]],[],null,["# Step 2: Install cert-manager and ASM\n\n| You are currently viewing version 1.3 of the Apigee hybrid documentation. **This version is end of life.** You should upgrade to a newer version. For more information, see [Supported versions](/apigee/docs/hybrid/supported-platforms#supported-versions).\n\nThis step explains how to download and install\n[cert-manager](https://cert-manager.io/docs/) and [Anthos Service Mesh](https://cloud.google.com/service-mesh/docs/overview) (ASM). These services are required for Apigee hybrid to operate.\n\nInstall cert-manager\n--------------------\n\n\nUse one of the following two commands to install cert-manager v0.14.2 from GitHub.\nTo find your `kubectl` version use the `kubectl version`\ncommand.\n\n- If you have Kubernetes **1.15** or newer: \n\n ```\n kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.14.2/cert-manager.yaml\n ```\n- Kubernetes versions older than **1.15** : \n\n ```\n kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.14.2/cert-manager-legacy.yaml\n ```\n\n\nYou will see a response that the `cert-manager` namespace was created and several cert-manager\nresources were created in that namespace.\n\nPrerequisites\n-------------\n\n1. Check your [Cloud SDK configuration](https://cloud.google.com/sdk/gcloud/reference/config) settings using the following command: \n\n ```\n gcloud config list\n [compute]\n region = us-central1\n [core]\n account = user@acme.com\n disable_usage_reporting = False\n project = my-hybrid-project\n\n Your active configuration is: [default]\n ```\n2. Make sure the compute region or zone is set to the region or zone you used when you created your cluster. If you created a regional cluster, use `unset` to clear the compute/zone property if it is set. If you created a zonal cluster, use `unset` to clear the compute/region property if it is set. Your config must have either the compute region or zone set, but not both. For example, to clear the `compute/zone property` using `unset`, use the following command: \n\n ```\n gcloud config unset compute/zone\n ```\n3. Set a variable with your `KDUBECONFIG` file path using the following command. This file was created on the admin machine when you created your cluster. \n\n ```\n export KUBECONFIG=KUBECONFIG_PATH\n ```\n\n\n For example: \n\n ```\n export KUBECONFIG=~/.kube/my-config\n ```\n\nSet up and download ASM\n-----------------------\n\nNext, use the ASM documentation to set up your environment and download ASM.\n\nRead the following steps carefully before you begin. We will ask you to perform some of the steps\nlisted in the ASM documentation, then return here to complete the installation.\n\n1. Go to the ASM installation instructions and install the appropriate ASM version for your hybrid setup:\n - For **new hybrid installations** , install ASM version 1.6.x:\n\n Go to\n [Installing\n Anthos Service Mesh on premises](https://cloud.google.com/service-mesh/docs/archive/1.6/docs/gke-on-prem-install) and perform all of the ASM steps up to and including\n [Create\n the `istio-system` namespace](https://cloud.google.com/service-mesh/docs/archive/1.6/docs/gke-on-prem-install#create_the_istio-system_namespace), then stop and go to the next section\n [Apply the manifest](#apply-the-manifest) below.\n - For upgrades from Apigee hybrid version 1.2.x, install ASM version 1.5.x: Go to [Installing\n Anthos Service Mesh on premises](https://cloud.google.com/service-mesh/docs/archive/1.5/docs/gke-on-prem-install) and perform all of the ASM steps up to and including\n [Create\n the `istio-system` namespace](https://cloud.google.com/service-mesh/docs/archive/1.5/docs/gke-on-prem-install#create_the_istio-system_namespace), then stop and go to the next section\n [Apply the manifest](#apply-the-manifest) below.\n\n | **Important:** After completing the steps in the section \"**Create the\n | `istio-system` namespace**,\" stop and continue with the steps listed in the next section. We recommend that you wait to apply the manifest file until instructed below.\n\nApply the manifest\n------------------\n\n\n**When you have downloaded and unzipped the ASM installation file**, continue\nwith the following steps:\n\n1. Make sure you are in the Istio directory that you downloaded and unzipped. For example: `1.6.11-asm.1`.\n2. Execute the following command for the version of Istio you installed:\n - If you installed ASM version 1.6 or newer (1.6.11 or newer recommended), execute the following command, where \u003cvar translate=\"no\"\u003eyour_static_ip\u003c/var\u003e is the static IP address you reserved previously in [Reserve a static IP](/apigee/docs/hybrid/v1.3/precog-add-dns#reserve-a-static-ip): \n\n ```\n ./bin/istioctl install --set profile=asm-multicloud \\\n --set values.gateways.istio-ingressgateway.loadBalancerIP=your_static_IP \\\n --set meshConfig.enableAutoMtls=false \\\n --set meshConfig.accessLogFile=/dev/stdout \\\n --set meshConfig.accessLogEncoding=1 \\\n --set meshConfig.accessLogFormat='{\"start_time\":\"%START_TIME%\",\"remote_address\":\"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%\",\"user_agent\":\"%REQ(USER-AGENT)%\",\"host\":\"%REQ(:AUTHORITY)%\",\"request\":\"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\",\"request_time\":\"%DURATION%\",\"status\":\"%RESPONSE_CODE%\",\"status_details\":\"%RESPONSE_CODE_DETAILS%\",\"bytes_received\":\"%BYTES_RECEIVED%\",\"bytes_sent\":\"%BYTES_SENT%\",\"upstream_address\":\"%UPSTREAM_HOST%\",\"upstream_response_flags\":\"%RESPONSE_FLAGS%\",\"upstream_response_time\":\"%RESPONSE_DURATION%\",\"upstream_service_time\":\"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%\",\"upstream_cluster\":\"%UPSTREAM_CLUSTER%\",\"x_forwarded_for\":\"%REQ(X-FORWARDED-FOR)%\",\"request_method\":\"%REQ(:METHOD)%\",\"request_path\":\"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%\",\"request_protocol\":\"%PROTOCOL%\",\"tls_protocol\":\"%DOWNSTREAM_TLS_VERSION%\",\"request_id\":\"%REQ(X-REQUEST-ID)%\",\"sni_host\":\"%REQUESTED_SERVER_NAME%\",\"apigee_dynamic_data\":\"%DYNAMIC_METADATA(envoy.lua)%\"}'\n ```\n - If you installed ASM 1.5.x, execute the following command, where \u003cvar translate=\"no\"\u003eyour_static_ip\u003c/var\u003e is the static IP address you reserved previously in [Reserve a static IP](/apigee/docs/hybrid/v1.3/precog-add-dns#reserve-a-static-ip): \n\n ```\n ./bin/istioctl manifest apply --set profile=asm-onprem \\\n --set values.gateways.istio-ingressgateway.loadBalancerIP=your_static_IP \\\n --set meshConfig.enableAutoMtls=false \\\n --set meshConfig.accessLogFile=/dev/stdout \\\n --set meshConfig.accessLogEncoding=1 \\\n --set meshConfig.accessLogFormat='{\"start_time\":\"%START_TIME%\",\"remote_address\":\"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%\",\"user_agent\":\"%REQ(USER-AGENT)%\",\"host\":\"%REQ(:AUTHORITY)%\",\"request\":\"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\",\"request_time\":\"%DURATION%\",\"status\":\"%RESPONSE_CODE%\",\"status_details\":\"%RESPONSE_CODE_DETAILS%\",\"bytes_received\":\"%BYTES_RECEIVED%\",\"bytes_sent\":\"%BYTES_SENT%\",\"upstream_address\":\"%UPSTREAM_HOST%\",\"upstream_response_flags\":\"%RESPONSE_FLAGS%\",\"upstream_response_time\":\"%RESPONSE_DURATION%\",\"upstream_service_time\":\"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%\",\"upstream_cluster\":\"%UPSTREAM_CLUSTER%\",\"x_forwarded_for\":\"%REQ(X-FORWARDED-FOR)%\",\"request_method\":\"%REQ(:METHOD)%\",\"request_path\":\"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%\",\"request_protocol\":\"%PROTOCOL%\",\"tls_protocol\":\"%DOWNSTREAM_TLS_VERSION%\",\"request_id\":\"%REQ(X-REQUEST-ID)%\",\"sni_host\":\"%REQUESTED_SERVER_NAME%\",\"apigee_dynamic_data\":\"%DYNAMIC_METADATA(envoy.lua)%\"}'\n ```\n3. Finally, return to the ASM documentation to [Check\n the control plane components](https://cloud.google.com/service-mesh/docs/gke-on-prem-install#check_the_control_plane_components) to validate your installation.\n\nCustomizing the ASM installation\n--------------------------------\n\n\nThe ASM installation you just performed is a minimal installation, sufficient to test and use\nApigee hybrid for basic use cases. For information on addressing more advanced use cases, such as\nadding, removing, or modifying load balancer port numbers, see\n[Enabling optional features](https://cloud.google.com/service-mesh/docs/enable-optional-features).\n\nSummary\n-------\n\n\nYou now have cert-manager and ASM installed, and you are ready to install the\nApigee hybrid command line tool on your local machine.\n[1](/apigee/docs/hybrid/v1.3/install-create-cluster-anthos) [2](/apigee/docs/hybrid/v1.3/install-download-cert-manager-istio-anthos) [(NEXT) Step 3: Install apigeectl](/apigee/docs/hybrid/v1.3/install-download-install-anthos) [4](/apigee/docs/hybrid/v1.3/install-copy-overrides-anthos) [5](/apigee/docs/hybrid/v1.3/install-apply-hybrid-anthos)\n\n\u003cbr /\u003e"]]
