gcloud config list
[compute]
region = us-central1
[core]
account = user@acme.com
disable_usage_reporting = False
project = my-hybrid-project
Your active configuration is: [default]
Make sure the compute region or zone is set to the region or zone you
used when you created your cluster. If you
created a regional cluster, use unset to clear the compute/zone property if it is
set. If you
created a zonal cluster, use unset to clear the compute/region property if it is set.
Your config
must have either the compute region or zone set, but not both. For example, to clear the
compute/zone property using unset, use the following command:
gcloud config unset compute/zone
Set a variable with your KDUBECONFIG file path using the following command. This file was created on the admin machine
when you created your cluster.
export KUBECONFIG=KUBECONFIG_PATH
For example:
export KUBECONFIG=~/.kube/my-config
Set up and download ASM
Next, use the ASM documentation to set up your environment and download ASM.
Read the following steps carefully before you begin. We will ask you to perform some of the steps
listed in the ASM documentation, then return here to complete the installation.
Go to the ASM installation instructions and install the appropriate ASM version for your hybrid
setup:
For new hybrid installations, install ASM version 1.6.x:
The ASM installation you just performed is a minimal installation, sufficient to test and use
Apigee hybrid for basic use cases. For information on addressing more advanced use cases, such as
adding, removing, or modifying load balancer port numbers, see
Enabling optional features.
Summary
You now have cert-manager and ASM installed, and you are ready to install the
Apigee hybrid command line tool on your local machine.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eThis documentation version (1.3) for Apigee hybrid is end-of-life and an upgrade to a newer version is required.\u003c/p\u003e\n"],["\u003cp\u003eCert-manager and Anthos Service Mesh (ASM) must be installed for Apigee hybrid to function correctly, using specific commands based on your Kubernetes version.\u003c/p\u003e\n"],["\u003cp\u003ePrior to installing ASM, you must configure your Cloud SDK settings and ensure that either the compute region or zone is set appropriately, but not both, in your configuration.\u003c/p\u003e\n"],["\u003cp\u003eASM installation requires navigating to the ASM documentation, completing specific steps, and then returning to this guide to apply a manifest file.\u003c/p\u003e\n"],["\u003cp\u003eThe provided ASM installation is a minimal one, suitable for basic Apigee hybrid use, with options to customize for more advanced configurations.\u003c/p\u003e\n"]]],[],null,["# Step 2: Install cert-manager and ASM\n\n| You are currently viewing version 1.3 of the Apigee hybrid documentation. **This version is end of life.** You should upgrade to a newer version. For more information, see [Supported versions](/apigee/docs/hybrid/supported-platforms#supported-versions).\n\nThis step explains how to download and install\n[cert-manager](https://cert-manager.io/docs/) and [Anthos Service Mesh](https://cloud.google.com/service-mesh/docs/overview) (ASM). These services are required for Apigee hybrid to operate.\n\nInstall cert-manager\n--------------------\n\n\nUse one of the following two commands to install cert-manager v0.14.2 from GitHub.\nTo find your `kubectl` version use the `kubectl version`\ncommand.\n\n- If you have Kubernetes **1.15** or newer: \n\n ```\n kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.14.2/cert-manager.yaml\n ```\n- Kubernetes versions older than **1.15** : \n\n ```\n kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.14.2/cert-manager-legacy.yaml\n ```\n\n\nYou will see a response that the `cert-manager` namespace was created and several cert-manager\nresources were created in that namespace.\n\nPrerequisites\n-------------\n\n1. Check your [Cloud SDK configuration](https://cloud.google.com/sdk/gcloud/reference/config) settings using the following command: \n\n ```\n gcloud config list\n [compute]\n region = us-central1\n [core]\n account = user@acme.com\n disable_usage_reporting = False\n project = my-hybrid-project\n\n Your active configuration is: [default]\n ```\n2. Make sure the compute region or zone is set to the region or zone you used when you created your cluster. If you created a regional cluster, use `unset` to clear the compute/zone property if it is set. If you created a zonal cluster, use `unset` to clear the compute/region property if it is set. Your config must have either the compute region or zone set, but not both. For example, to clear the `compute/zone property` using `unset`, use the following command: \n\n ```\n gcloud config unset compute/zone\n ```\n3. Set a variable with your `KDUBECONFIG` file path using the following command. This file was created on the admin machine when you created your cluster. \n\n ```\n export KUBECONFIG=KUBECONFIG_PATH\n ```\n\n\n For example: \n\n ```\n export KUBECONFIG=~/.kube/my-config\n ```\n\nSet up and download ASM\n-----------------------\n\nNext, use the ASM documentation to set up your environment and download ASM.\n\nRead the following steps carefully before you begin. We will ask you to perform some of the steps\nlisted in the ASM documentation, then return here to complete the installation.\n\n1. Go to the ASM installation instructions and install the appropriate ASM version for your hybrid setup:\n - For **new hybrid installations** , install ASM version 1.6.x:\n\n Go to\n [Installing\n Anthos Service Mesh on AWS](https://cloud.google.com/service-mesh/docs/archive/1.6/docs/gke-on-aws-install) and perform all of the ASM steps up to and including\n [Create\n the `istio-system` namespace](https://cloud.google.com/service-mesh/docs/archive/1.6/docs/gke-on-aws-install#create_the_istio-system_namespace), then stop and go to the next section\n [Apply the manifest](#apply-the-manifest) below.\n\n | **Important:** After completing the steps in the section \"**Create\n | the `istio-system` namespace** \" (if installing ASM 1.6) or \"**Preparing resource\n | configuration files**\" (if installing ASM 1.5), stop and continue with the steps listed in the next section. We recommend that you wait to apply the manifest file until instructed below.\n\nApply the manifest\n------------------\n\n\n**When you have downloaded and unzipped the ASM installation file**, continue\nwith the following steps:\n\n1. Make sure you are in the Istio directory that you downloaded and unzipped. For example: `1.6.11-asm.1`.\n2. Execute the following command for the version of Istio you installed:\n - If you installed ASM version 1.6 or newer (1.7 recommended), execute the following command: \n\n ```\n ./bin/istioctl install --set profile=asm-multicloud \\\n --set meshConfig.enableAutoMtls=false \\\n --set meshConfig.accessLogFile=/dev/stdout \\\n --set meshConfig.accessLogEncoding=1 \\\n --set meshConfig.accessLogFormat='{\"start_time\":\"%START_TIME%\",\"remote_address\":\"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%\",\"user_agent\":\"%REQ(USER-AGENT)%\",\"host\":\"%REQ(:AUTHORITY)%\",\"request\":\"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\",\"request_time\":\"%DURATION%\",\"status\":\"%RESPONSE_CODE%\",\"status_details\":\"%RESPONSE_CODE_DETAILS%\",\"bytes_received\":\"%BYTES_RECEIVED%\",\"bytes_sent\":\"%BYTES_SENT%\",\"upstream_address\":\"%UPSTREAM_HOST%\",\"upstream_response_flags\":\"%RESPONSE_FLAGS%\",\"upstream_response_time\":\"%RESPONSE_DURATION%\",\"upstream_service_time\":\"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%\",\"upstream_cluster\":\"%UPSTREAM_CLUSTER%\",\"x_forwarded_for\":\"%REQ(X-FORWARDED-FOR)%\",\"request_method\":\"%REQ(:METHOD)%\",\"request_path\":\"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%\",\"request_protocol\":\"%PROTOCOL%\",\"tls_protocol\":\"%DOWNSTREAM_TLS_VERSION%\",\"request_id\":\"%REQ(X-REQUEST-ID)%\",\"sni_host\":\"%REQUESTED_SERVER_NAME%\",\"apigee_dynamic_data\":\"%DYNAMIC_METADATA(envoy.lua)%\"}'\n ```\n3. Finally, return to the ASM documentation to [Check\n the control plane components](https://cloud.google.com/service-mesh/docs/gke-on-aws-install#check_the_control_plane_components) to validate your installation.\n\nCustomizing the ASM installation\n--------------------------------\n\n\nThe ASM installation you just performed is a minimal installation, sufficient to test and use\nApigee hybrid for basic use cases. For information on addressing more advanced use cases, such as\nadding, removing, or modifying load balancer port numbers, see\n[Enabling optional features](https://cloud.google.com/service-mesh/docs/enable-optional-features).\n\nSummary\n-------\n\n\nYou now have cert-manager and ASM installed, and you are ready to install the\nApigee hybrid command line tool on your local machine.\n[1](/apigee/docs/hybrid/v1.3/install-create-cluster-aws-gke) [2](/apigee/docs/hybrid/v1.3/install-download-cert-manager-istio-aws-gke) [(NEXT) Step 3: Install apigeectl](/apigee/docs/hybrid/v1.3/install-download-install-aws-gke) [4](/apigee/docs/hybrid/v1.3/install-copy-overrides-aws-gke) [5](/apigee/docs/hybrid/v1.3/install-apply-hybrid-aws-gke)\n\n\u003cbr /\u003e"]]
