This step explains how to create the TLS credentials
that are required for Apigee hybrid to operate.
Create TLS certificates
You are required to provide TLS certificates for the runtime ingress gateway in your
Apigee hybrid configuration. For the purpose of this quickstart (a non-production trial installation),
the runtime gateway can accept self-signed credentials. In the following steps,
openssl is used to generate the self-signed credentials.
In this step, you will create the TLS credential files and add them to
the $HYBRID_FILES/certs directory.
In
Step 6: Configure the cluster, you will add the file paths to the cluster
configuration file.
Execute the following command to create the credential files and store them in your
$HYBRID_FILES/certs directory:
DOMAIN is the domain you provided as the hostname for the environment
group you created in Create an environment group.
ENV_GROUP is the name of the environment group where the domain is specified
as a hostname. It's a good practice to include the environment group name in the key and keystore
name to avoid accidentally reusing the same domain value if you create keys for multiple environment groups.
This command creates a self-signed certificate/key pair that you can use for the quickstart
installation.
If you have additional environment groups with unique domain names, just repeat this step
for each one. You will reference these groups and certificates in the cluster configuration
step.
Check to make sure the files are in the $HYBRID_FILES/certs directory using the following command:
ls $HYBRID_FILES/certs
keystore_ENV_GROUP.key
keystore_ENV_GROUP.pem
Where keystore_ENV_GROUP.pem is the self-signed TLS certificate file and keystore_ENV_GROUP.key
is the key file.
You now have the credentials needed to manage Apigee hybrid
in your Kubernetes cluster. Next, you will create a file that is used by Kubernetes
to deploy the hybrid runtime components to the cluster.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-20 UTC."],[[["\u003cp\u003eThis documentation explains the process of creating TLS credentials for Apigee hybrid, specifically for the runtime ingress gateway.\u003c/p\u003e\n"],["\u003cp\u003eFor non-production trials, the runtime gateway can use self-signed credentials generated with \u003ccode\u003eopenssl\u003c/code\u003e, as detailed in the instructions.\u003c/p\u003e\n"],["\u003cp\u003eIn production environments, signed certificates are required, and an example using the \u003cem\u003eLets Encrypt\u003c/em\u003e certificate authority is linked.\u003c/p\u003e\n"],["\u003cp\u003eThe created TLS credential files, including a \u003ccode\u003e.key\u003c/code\u003e and a \u003ccode\u003e.pem\u003c/code\u003e file, are stored in the \u003ccode\u003e$HYBRID_FILES/certs\u003c/code\u003e directory.\u003c/p\u003e\n"],["\u003cp\u003eThese TLS credentials will be referenced in the cluster configuration file in a subsequent step, enabling the management of Apigee hybrid in the Kubernetes cluster.\u003c/p\u003e\n"]]],[],null,[]]
