指定設定覆寫
Apigee Hybrid 安裝程式會使用許多設定的預設值,但有幾項設定沒有預設值。您必須提供這些設定的值,詳情請見下文。
事前準備
建議您查看下列情境,判斷是否要為叢集設定這些情境。這些設定為選用項目。
- 如果您打算在多個區域安裝 Hybrid,請先閱讀「多區域部署」一文,再繼續操作。
- Apigee Hybrid 會為 Cassandra 使用者提供預設密碼,但我們建議您變更預設使用者密碼。詳情請參閱「為 Cassandra 設定 TLS」。
- 如要設定 Cassandra 的儲存空間和堆積設定,請參閱「 設定儲存空間和堆積設定」。
- 在實際工作環境的安裝情境中,請為 Cassandra 設定永久固態硬碟 (SSD) 儲存空間。 我們不支援將本機 SSD 用於 Apigee Hybrid。詳情請參閱「 為正式版部署作業新增 SSD 儲存空間」。
設定叢集
依慣例,設定覆寫會寫入 $HYBRID_FILES/overrides 目錄中名為 overrides.yaml 的檔案。
- 在
$HYBRID_FILES/overrides目錄中建立名為overrides.yaml的新檔案。例如:vi $HYBRID_FILES/overrides/overrides.yaml
overrides.yaml提供專屬 Apigee Hybrid 安裝作業的設定。這個步驟中的覆寫檔案提供小型混合式執行階段安裝的基本設定,適合首次安裝。 - 在
overrides.yaml中,新增必要屬性值,如下所示。以下也詳細說明各項屬性。如果您要在 GKE 上安裝 Apigee Hybrid,並打算使用 Workload Identity 驗證 Hybrid 元件,請選取「GKE - Workload Identity」分頁,設定
overrides.yaml檔案。如為所有其他安裝作業,請根據您在「步驟 4:建立服務帳戶和憑證」中的選擇,選取非實際工作環境 (「Non-prod」) 或實際工作環境 (「Prod」) 的分頁。
如要在正式環境中安裝,請參閱「為實際工作環境設定 Cassandra」,瞭解 Cassandra 資料庫的儲存空間需求。
GKE - Workload Identity
請確認
overrides.yaml檔案具有下列結構和語法。red, bold italics 中的值是您必須提供的屬性值。詳情請參閱下表。如果您是在 GKE 上安裝 Apigee Hybrid,可以選擇使用工作負載身分驗證身分,並向 Google API 發出要求。如要瞭解 Workload Identity 的總覽,請參閱:
如要在 GKE 上搭配 Apigee Hybrid 使用 Workload Identity,請使用這個範本,然後按照「步驟 8:安裝 Hybrid 執行階段」中的步驟,建立 Kubernetes 服務帳戶,並將其與您在「步驟 4:建立服務帳戶和憑證」中建立的 Google 服務帳戶建立關聯。
gcp: region: ANALYTICS_REGION projectID: GCP_PROJECT_ID workloadIdentityEnabled: true k8sCluster: name: CLUSTER_NAME region: CLUSTER_LOCATION # Must be the closest Google Cloud region to your cluster. org: ORG_NAME instanceID: "UNIQUE_INSTANCE_IDENTIFIER" ao: image: url: "gcr.io/apigee-release/hybrid/apigee-operators" tag: "1.11.2-hotfix.3" # Required for Apigee hybrid v1.11.2 runtime: image: url: "gcr.io/apigee-release/hybrid/apigee-runtime" tag: "1.11.2-hotfix.3" # Required for Apigee hybrid v1.11.2 cassandra: hostNetwork: false # false for all GKE installations. # See Multi-region deployment: Prerequisites replicaCount: 3 # Use 1 for demo installations and multiples of 3 for production. # See Configure Cassandra for production for guidelines. backup: enabled: true # Set to true for initial installation. # This triggers apigeectl to create the apigee-cassandra-backup Kubernetes service account. # See Cassandra backup overview for instructions on using cassandra.backup. virtualhosts: - name: ENVIRONMENT_GROUP_NAME selector: app: apigee-ingressgateway ingress_name: INGRESS_NAME sslCertPath: ./certs/CERT_NAME.pem sslKeyPath: ./certs/KEY_NAME.key ingressGateways: - name: INGRESS_NAME # maximum 17 characters. replicaCountMin: 2 replicaCountMax: 10 svcAnnotations: # optional. If you are on AKS, see Known issue #260772383 SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE svcLoadBalancerIP: SVC_LOAD_BALANCER_IP # optional envs: - name: ENVIRONMENT_NAME logger: enabled: false # Set to false for all GKE installations.非正式環境
請確認
overrides.yaml檔案具有下列結構和語法。red, bold italics 中的值是您必須提供的屬性值。詳情請參閱下表。Google Cloud 專案區域和 Kubernetes 叢集區域在不同平台之間有所差異。選擇要安裝 Apigee Hybrid 的平台。
gcp: region: ANALYTICS_REGION projectID: GCP_PROJECT_ID k8sCluster: name: CLUSTER_NAME region: CLUSTER_LOCATION # Must be the closest Google Cloud region to your cluster. org: ORG_NAME instanceID: "UNIQUE_INSTANCE_IDENTIFIER" ao: image: url: "gcr.io/apigee-release/hybrid/apigee-operators" tag: "1.11.2-hotfix.3" # Required for Apigee hybrid v1.11.2 runtime: image: url: "gcr.io/apigee-release/hybrid/apigee-runtime" tag: "1.11.2-hotfix.3" # Required for Apigee hybrid v1.11.2 cassandra: replicaCount: 1 # Use 1 for non-prod or "demo" installations and multiples of 3 for production. # See Configure Cassandra for production for guidelines. hostNetwork: false # Set to false for single region installations and multi-region installations # with connectivity between pods in different clusters, for example GKE installations. # Set to true for multi-region installations with no communication between # pods in different clusters, for example GKE On-prem, GKE on AWS, Anthos on bare metal, # AKS, EKS, and OpenShift installations. # See Multi-region deployment: Prerequisites virtualhosts: - name: ENVIRONMENT_GROUP_NAME selector: app: apigee-ingressgateway ingress_name: INGRESS_NAME sslCertPath: ./certs/CERT_NAME.pem sslKeyPath: ./certs/KEY_NAME.key ingressGateways: - name: INGRESS_NAME # maximum 17 characters. replicaCountMin: 2 replicaCountMax: 10 svcAnnotations: # optional. If you are on AKS, see Known issue #260772383 SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE svcLoadBalancerIP: SVC_LOAD_BALANCER_IP # optional envs: - name: ENVIRONMENT_NAME serviceAccountPaths: synchronizer: NON_PROD_SERVICE_ACCOUNT_FILEPATH # For example: "./service-accounts/GCP_PROJECT_ID-apigee-non-prod.json" udca: NON_PROD_SERVICE_ACCOUNT_FILEPATH runtime: NON_PROD_SERVICE_ACCOUNT_FILEPATH mart: serviceAccountPath: NON_PROD_SERVICE_ACCOUNT_FILEPATH connectAgent: serviceAccountPath: NON_PROD_SERVICE_ACCOUNT_FILEPATH metrics: serviceAccountPath: NON_PROD_SERVICE_ACCOUNT_FILEPATH udca: serviceAccountPath: NON_PROD_SERVICE_ACCOUNT_FILEPATH watcher: serviceAccountPath: NON_PROD_SERVICE_ACCOUNT_FILEPATH logger: enabled: false # Set to false to disable logger for GKE installations. # Set to true for all platforms other than GKE. # See apigee-logger in Service accounts and roles used by hybrid components. serviceAccountPath: NON_PROD_SERVICE_ACCOUNT_FILEPATH正式環境
請確認
overrides.yaml檔案具有下列結構和語法。red, bold italics 中的值是您必須提供的屬性值。詳情請參閱下表。Google Cloud 專案區域和 Kubernetes 叢集區域在不同平台之間有所差異。選擇要安裝 Apigee Hybrid 的平台。
gcp: region: ANALYTICS_REGION projectID: GCP_PROJECT_ID k8sCluster: name: CLUSTER_NAME region: CLUSTER_LOCATION # Must be the closest Google Cloud region to your cluster. org: ORG_NAME instanceID: "UNIQUE_INSTANCE_IDENTIFIER" ao: image: url: "gcr.io/apigee-release/hybrid/apigee-operators" tag: "1.11.2-hotfix.3" # Required for Apigee hybrid v1.11.2 runtime: image: url: "gcr.io/apigee-release/hybrid/apigee-runtime" tag: "1.11.2-hotfix.3" # Required for Apigee hybrid v1.11.2 cassandra: hostNetwork: false # Set to false for single region installations and multi-region installations # with connectivity between pods in different clusters, for example GKE installations. # Set to true for multi-region installations with no communication between # pods in different clusters, for example GKE On-prem, GKE on AWS, Anthos on bare metal, # AKS, EKS, and OpenShift installations. # See Multi-region deployment: Prerequisites replicaCount: 3 # Use multiples of 3 for production. # See Configure Cassandra for production for guidelines. storage: capacity: 500Gi resources: requests: cpu: 7 memory: 15Gi maxHeapSize: 8192M heapNewSize: 1200M # Minimum storage requirements for a production environment. # See Configure Cassandra for production. virtualhosts: - name: ENVIRONMENT_GROUP_NAME selector: app: apigee-ingressgateway ingress_name: INGRESS_NAME sslCertPath: ./certs/CERT_NAME.pem sslKeyPath: ./certs/KEY_NAME.key ingressGateways: - name: INGRESS_NAME # maximum 17 characters. replicaCountMin: 2 replicaCountMax: 10 svcAnnotations: # optional. If you are on AKS, see Known issue #260772383 SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE envs: - name: ENVIRONMENT_NAME serviceAccountPaths: synchronizer: SYNCHRONIZER_SERVICE_ACCOUNT_FILEPATH # For example: "./service-accounts/GCP_PROJECT_ID-apigee-synchronizer.json" udca: UDCA_SERVICE_ACCOUNT_FILEPATH # For example: "./service-accounts/GCP_PROJECT_ID-apigee-udca.json" runtime: RUNTIME_SERVICE_ACCOUNT_FILEPATH # For example: "./service-accounts/GCP_PROJECT_ID-apigee-runtime.json" mart: serviceAccountPath: MART_SERVICE_ACCOUNT_FILEPATH # For example: "./service-accounts/GCP_PROJECT_ID-apigee-mart.json" connectAgent: serviceAccountPath: MART_SERVICE_ACCOUNT_FILEPATH # Use the same service account for mart and connectAgent metrics: serviceAccountPath: METRICS_SERVICE_ACCOUNT_FILEPATH # For example: "./service-accounts/GCP_PROJECT_ID-apigee-metrics.json" udca: serviceAccountPath: UDCA_SERVICE_ACCOUNT_FILEPATH # For example: "./service-accounts/GCP_PROJECT_ID-apigee-udca.json" watcher: serviceAccountPath: WATCHER_SERVICE_ACCOUNT_FILEPATH # For example: "./service-accounts/GCP_PROJECT_ID-apigee-watcher.json" logger: enabled: false # Set to false to disable logger for GKE installations. # Set to true for all platforms other than GKE. # See apigee-logger in Service accounts and roles used by hybrid components. serviceAccountPath: LOGGER_SERVICE_ACCOUNT_FILEPATH # For example: "./service-accounts/GCP_PROJECT_ID-apigee-logger.json"範例
以下範例顯示已完成的覆寫檔案,並新增了範例屬性值:
gcp: region: us-central1 projectID: hybrid-example k8sCluster: name: apigee-hybrid region: us-central1 org: hybrid-example instanceID: "my_hybrid_example" ao: image: url: "gcr.io/apigee-release/hybrid/apigee-operators" tag: "1.11.2-hotfix.3" # Required for Apigee hybrid v1.11.2 runtime: image: url: "gcr.io/apigee-release/hybrid/apigee-runtime" tag: "1.11.2-hotfix.3" # Required for Apigee hybrid v1.11.2 cassandra: hostNetwork: false replicaCount: 3 virtualhosts: - name: example-env-group selector: app: apigee-ingressgateway ingress_name: my-ingress-1 sslCertPath: ./certs/keystore.pem sslKeyPath: ./certs/keystore.key ingressGateways: - name: my-ingress-1 replicaCountMin: 2 replicaCountMax: 10 envs: - name: test serviceAccountPaths: synchronizer: ./service-accounts/my-hybrid-project-apigee-non-prod.json # for production environments, my-hybrid-project-apigee-synchronizer.json udca: ./service-accounts/my-hybrid-project-apigee-non-prod.json # for production environments, my-hybrid-project-apigee-udca.json runtime: ./service-accounts/my-hybrid-project-apigee-non-prod.json # for production environments, my-hybrid-project-apigee-runtime.json mart: serviceAccountPath: ./service-accounts/my-hybrid-project-apigee-non-prod.json # for production environments, my-hybrid-project-apigee-mart.json connectAgent: serviceAccountPath: ./service-accounts/my-hybrid-project-apigee-non-prod.json # for production environments, example-hybrid-apigee-mart.json metrics: serviceAccountPath: ./service-accounts/my-hybrid-project-apigee-non-prod.json # for production environments, my-hybrid-project-apigee-metrics.json udca: serviceAccountPath: ./service-accounts/my-hybrid-project-apigee-non-prod.json # for production environments, my-hybrid-project-apigee-udca.json watcher: serviceAccountPath: ./service-accounts/my-hybrid-project-apigee-non-prod.json # for production environments, my-hybrid-project-apigee-watcher.json logger: enabled: false # Set to "false" for GKE. Set to "true" for all other Kubernetes platforms. serviceAccountPath: ./service-accounts/my-hybrid-project-apigee-non-prod.json # for production environments, LOGGER_SERVICE_ACCOUNT_NAME.json - 完成後,請儲存檔案。
下表說明您必須在覆寫檔案中提供的各個屬性值。詳情請參閱「設定屬性參考資料」。
| 變數 | 說明 |
|---|---|
| ANALYTICS_REGION | 在 GKE 中,您必須將這個值設為叢集執行的相同區域。在所有其他平台中,請選取最接近叢集的數據分析區域,該區域必須支援數據分析 (請參閱「第 1 部分,步驟 2:建立機構」中的表格)。 這是您先前指派給環境變數 |
| GCP_PROJECT_ID | 識別 apigee-logger 和 apigee-metrics 將資料推送至的 Google Cloud 專案。這是指派給環境變數 PROJECT_ID 的值。 |
| CLUSTER_NAME | Kubernetes 叢集名稱。這是指派給環境變數 CLUSTER_NAME 的值。 |
| CLUSTER_LOCATION | 叢集執行的區域。這是您在「
步驟 1:建立叢集」中建立叢集的地區。 這是您先前指派給環境變數 |
| ORG_NAME | Apigee Hybrid 機構的 ID。這是指派給環境變數 ORG_NAME 的值。 |
| UNIQUE_INSTANCE_IDENTIFIER | 這個執行個體的專屬字串。可以混合使用英文字母和數字,長度上限為 63 個字元。 您可以在同一個叢集中建立多個機構,但同一個 Kubernetes 叢集中所有機構的 |
| ENVIRONMENT_GROUP_NAME | 環境所屬的環境群組名稱。
這是您在「
專案和機構設定 - 步驟 3:建立環境群組」中建立的群組。這是指派給環境變數 ENV_GROUP 的值。
|
| CERT_NAME KEY_NAME |
輸入您先前在「
步驟 5:建立 TLS 憑證」中產生的自行簽署 TLS 金鑰和憑證檔案名稱。這些檔案必須位於 base_directory/hybrid-files/certs 目錄中。例如:sslCertPath: ./certs/keystore.pem sslKeyPath: ./certs/keystore.key |
| INGRESS_NAME | 部署作業的 Apigee Ingress 閘道名稱。這個名稱必須符合下列規定:
請參閱「設定屬性參考資料」中的 |
| SVC_ANNOTATIONS_KEY:SVC_ANNOTATIONS_VALUE | (選用) 這是鍵/值組合,可為預設 Ingress 服務提供註解。雲端平台會使用註解來協助設定混合式安裝作業,例如將負載平衡器類型設為內部或外部。 註解會因平台而異。如需必要和建議的註解,請參閱平台說明文件。 如果您未使用這個部分,請註解掉或刪除。 |
| SVC_LOAD_BALANCER_IP | (選用) 您為負載平衡器保留的 IP 位址。
在支援指定負載平衡器 IP 位址的平台上,系統會使用這個 IP 位址建立負載平衡器。在不允許指定負載平衡器 IP 的平台上,系統會忽略這項屬性。
如果您未使用這個部分,請註解掉或刪除。 |
| ENVIRONMENT_NAME | 使用您在 UI 中建立環境時使用的名稱,如「 專案和機構設定 - 步驟 3:建立環境群組」一文所述。 |
| *_SERVICE_ACCOUNT_FILEPATH | service-accounts/ 目錄中服務帳戶 JSON 檔案的路徑和檔案名稱。名稱必須包含服務帳戶檔案的路徑。可以是完整路徑,也可以是相對於 hybrid-files/ 目錄的路徑。如果加入相對路徑,您必須從 hybrid-files/ 目錄呼叫 apigeectl 指令,套用這項設定。在非正式環境中,單一服務帳戶的名稱預設為 在正式環境中,您使用 您可以在 實際工作環境服務帳戶的預設名稱如下:
|
摘要
設定檔會告訴 Kubernetes 如何將混合式元件部署至叢集。接著,您將啟用同步處理工具存取權,讓 Apigee 執行階段和管理平面能夠通訊。
1 2 3 4 5 6 (NEXT) Step 7: Enable Synchronizer access 8 9 10