Install the Apigee Hybrid runtime components
In this step you use Helm to install the following Apigee Hybrid components:
- Apigee Operator
- Apigee datastore
- Apigee Telemetry
- Apigee Redis
- Apigee Ingress Manager
- Apigee organization
- Your Apigee environment(s)
You install the charts one at a time, once per environment. The order in which the components are installed matters.
Before you install
- If you have not yet installed Helm v3.14.2+, follow the instructions in Install Helm.
- Apigee Hybrid uses Helm guardrails to validate your configuration before a chart is installed or upgraded. You may see guardrail-specific output from each command in this section, for example:
  ```
  # Source: apigee-operator/templates/apigee-operators-guardrails.yaml
  apiVersion: v1
  kind: Pod
  metadata:
    name: apigee-hybrid-helm-guardrail-operator
    namespace: APIGEE_NAMESPACE
    annotations:
      helm.sh/hook: pre-install,pre-upgrade
      helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
    labels:
      app: apigee-hybrid-helm-guardrail
  ```
  If any helm upgrade command fails, you can use the guardrail output to help diagnose the cause. See Diagnosing problems with guardrails.
- Note: Before running any Helm upgrade/install command, add --dry-run=server at the end of the command to use Helm's dry-run feature. You can use helm install --help to list the supported commands, options, and usage.
Installation steps
Select the installation instructions for the service account authentication type used in your hybrid installation:
Kubernetes Secret
- If you are not already there, change to the APIGEE_HELM_CHARTS_HOME directory. Run the following commands from that directory.
- Install Apigee Operator/Controller:
  - Dry run:
    ```
    helm upgrade operator apigee-operator/ \
      --install \
      --namespace APIGEE_NAMESPACE \
      --atomic \
      -f overrides.yaml \
      --dry-run=server
    ```
  - Install the chart:
    ```
    helm upgrade operator apigee-operator/ \
      --install \
      --namespace APIGEE_NAMESPACE \
      --atomic \
      -f overrides.yaml
    ```
  - Verify the Apigee Operator installation:
    ```
    helm ls -n APIGEE_NAMESPACE
    ```
    ```
    NAME      NAMESPACE  REVISION  UPDATED                               STATUS    CHART                   APP VERSION
    operator  apigee     3         2025-06-26 00:42:44.492009 -0800 PST  deployed  apigee-operator-1.15.1  1.15.1
    ```
  - Verify that it is up and running by checking its availability:
    ```
    kubectl -n APIGEE_NAMESPACE get deploy apigee-controller-manager
    ```
    ```
    NAME                       READY  UP-TO-DATE  AVAILABLE  AGE
    apigee-controller-manager  1/1    1           1          34s
    ```
- Install the Apigee datastore:
  - Dry run:
    ```
    helm upgrade datastore apigee-datastore/ \
      --install \
      --namespace APIGEE_NAMESPACE \
      --atomic \
      -f overrides.yaml \
      --dry-run=server
    ```
  - Install the chart:
    ```
    helm upgrade datastore apigee-datastore/ \
      --install \
      --namespace APIGEE_NAMESPACE \
      --atomic \
      -f overrides.yaml
    ```
  - Before proceeding to the next step, verify that it is up and running by checking the state of the apigeedatastore:
    ```
    kubectl -n APIGEE_NAMESPACE get apigeedatastore default
    ```
    ```
    NAME     STATE    AGE
    default  running  51s
    ```
- Install Apigee Telemetry:
  - Dry run:
    ```
    helm upgrade telemetry apigee-telemetry/ \
      --install \
      --namespace APIGEE_NAMESPACE \
      --atomic \
      -f overrides.yaml \
      --dry-run=server
    ```
  - Install the chart:
    ```
    helm upgrade telemetry apigee-telemetry/ \
      --install \
      --namespace APIGEE_NAMESPACE \
      --atomic \
      -f overrides.yaml
    ```
  - Verify that it is up and running by checking its state:
    ```
    kubectl -n APIGEE_NAMESPACE get apigeetelemetry apigee-telemetry
    ```
    ```
    NAME              STATE    AGE
    apigee-telemetry  running  55s
    ```
- Install Apigee Redis:
  - Dry run:
    ```
    helm upgrade redis apigee-redis/ \
      --install \
      --namespace APIGEE_NAMESPACE \
      --atomic \
      -f overrides.yaml \
      --dry-run=server
    ```
  - Install the chart:
    ```
    helm upgrade redis apigee-redis/ \
      --install \
      --namespace APIGEE_NAMESPACE \
      --atomic \
      -f overrides.yaml
    ```
  - Verify that it is up and running by checking its state:
    ```
    kubectl -n APIGEE_NAMESPACE get apigeeredis default
    ```
    ```
    NAME     STATE    AGE
    default  running  79s
    ```
- Install Apigee Ingress Manager:
  - Dry run:
    ```
    helm upgrade ingress-manager apigee-ingress-manager/ \
      --install \
      --namespace APIGEE_NAMESPACE \
      --atomic \
      -f overrides.yaml \
      --dry-run=server
    ```
  - Install the chart:
    ```
    helm upgrade ingress-manager apigee-ingress-manager/ \
      --install \
      --namespace APIGEE_NAMESPACE \
      --atomic \
      -f overrides.yaml
    ```
  - Verify that it is up and running by checking its availability:
    ```
    kubectl -n APIGEE_NAMESPACE get deployment apigee-ingressgateway-manager
    ```
    ```
    NAME                           READY  UP-TO-DATE  AVAILABLE  AGE
    apigee-ingressgateway-manager  2/2    2           2          16s
    ```
- Install the Apigee organization. If you have set the $ORG_NAME environment variable in your shell, you can use it in the following commands:
  - Dry run:
    ```
    helm upgrade $ORG_NAME apigee-org/ \
      --install \
      --namespace APIGEE_NAMESPACE \
      --atomic \
      -f overrides.yaml \
      --dry-run=server
    ```
  - Install the chart:
    ```
    helm upgrade $ORG_NAME apigee-org/ \
      --install \
      --namespace APIGEE_NAMESPACE \
      --atomic \
      -f overrides.yaml
    ```
  - Verify that it is up and running by checking the state of the organization:
    ```
    kubectl -n APIGEE_NAMESPACE get apigeeorg
    ```
    ```
    NAME                STATE    AGE
    my-project-123abcd  running  4m18s
    ```
- Install the environment. You can install only one environment at a time. Specify the environment with --set env=ENV_NAME. If you have set the $ENV_NAME environment variable in your shell, you can use it in the following commands:
  - Dry run:
    ```
    helm upgrade ENV_RELEASE_NAME apigee-env/ \
      --install \
      --namespace APIGEE_NAMESPACE \
      --atomic \
      --set env=$ENV_NAME \
      -f overrides.yaml \
      --dry-run=server
    ```
    ENV_RELEASE_NAME is the name used to track installation and upgrades of the apigee-env chart. It must be distinct from the other Helm release names in your installation. Usually it is the same as ENV_NAME. However, if an environment has the same name as an environment group, you must use different release names for the environment and the environment group, for example dev-env-release and dev-envgroup-release. For more about releases in Helm, see Three Big Concepts in the Helm documentation.
  - Install the chart:
    ```
    helm upgrade ENV_RELEASE_NAME apigee-env/ \
      --install \
      --namespace APIGEE_NAMESPACE \
      --atomic \
      --set env=$ENV_NAME \
      -f overrides.yaml
    ```
  - Verify that it is up and running by checking the state of the environment:
    ```
    kubectl -n APIGEE_NAMESPACE get apigeeenv
    ```
    ```
    NAME                      STATE    AGE   GATEWAYTYPE
    apigee-my-project-my-env  running  3m1s
    ```
- Install the environment groups (virtualhosts). You can install only one environment group (virtualhost) at a time. Specify the environment group with --set envgroup=ENV_GROUP. If you have set the $ENV_GROUP environment variable in your shell, you can use it in the following commands. Repeat the following commands for each environment group mentioned in your overrides.yaml file:
  - Dry run:
    ```
    helm upgrade ENV_GROUP_RELEASE_NAME apigee-virtualhost/ \
      --install \
      --namespace APIGEE_NAMESPACE \
      --atomic \
      --set envgroup=$ENV_GROUP \
      -f overrides.yaml \
      --dry-run=server
    ```
    ENV_GROUP_RELEASE_NAME is the name used to track installation and upgrades of the apigee-virtualhosts chart. It must be distinct from the other Helm release names in your installation. Usually it is the same as ENV_GROUP. However, if an environment group has the same name as an environment in your installation, you must use different release names for the environment group and the environment, for example dev-envgroup-release and dev-env-release. For more about releases in Helm, see Three Big Concepts in the Helm documentation.
  - Install the chart:
    ```
    helm upgrade ENV_GROUP_RELEASE_NAME apigee-virtualhost/ \
      --install \
      --namespace APIGEE_NAMESPACE \
      --atomic \
      --set envgroup=$ENV_GROUP \
      -f overrides.yaml
    ```
  - Check the state of the ApigeeRoute (AR). Installing virtualhosts creates an ApigeeRouteConfig (ARC), which in turn creates an ApigeeRoute (AR) internally once the Apigee Watcher has pulled the environment-group details from the control plane. Therefore, check that the state of the corresponding AR is running:
    ```
    kubectl -n APIGEE_NAMESPACE get arc
    ```
    ```
    NAME                    STATE  AGE
    apigee-org1-dev-egroup         2m
    ```
    ```
    kubectl -n APIGEE_NAMESPACE get ar
    ```
    ```
    NAME                                                        STATE    AGE
    apigee-ingressgateway-internal-chaining-my-project-123abcd  running  19m
    my-project-myenvgroup-000-321dcba                           running  2m30s
    ```
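The sequence above is easy to get wrong by hand: a chart installed before the previous component reports running fails the guardrails or leaves a half-built installation. The following added example (not part of the Apigee documentation or charts) scripts that sequence: each chart goes through the server-side dry run first, then the atomic install, and the next step is gated on the component's STATE column. It assumes helm and kubectl are on PATH, that it runs from APIGEE_HELM_CHARTS_HOME next to overrides.yaml, and that APIGEE_NAMESPACE defaults to "apigee" when unset.

```shell
#!/bin/sh
# Added example, not from the Apigee documentation. Assumes helm and kubectl
# are on PATH, that you run it from APIGEE_HELM_CHARTS_HOME next to
# overrides.yaml, and that APIGEE_NAMESPACE defaults to "apigee".
set -eu

APIGEE_NAMESPACE=${APIGEE_NAMESPACE:-apigee}

# Return 0 only when a captured `kubectl get` table has at least one data row
# and every data row reports STATE=running. Pure text processing, so it can
# be exercised on sample output without a cluster.
all_rows_running() {       # all_rows_running "<kubectl get output>"
  printf '%s\n' "$1" | awk '
    NR == 1 { for (i = 1; i <= NF; i++) if ($i == "STATE") col = i; next }
    NF == 0 { next }
    { rows++ }
    col == 0 || $col != "running" { bad = 1 }
    END { exit (rows == 0 || bad) ? 1 : 0 }'
}

# Poll a custom resource (all instances when NAME is empty) until every row
# is running, or fail after TIMEOUT seconds (default 600).
wait_running() {           # wait_running KIND [NAME] [TIMEOUT]
  kind=$1; name=${2:-}; deadline=$(( $(date +%s) + ${3:-600} ))
  while :; do
    if all_rows_running "$(kubectl -n "$APIGEE_NAMESPACE" get "$kind" ${name:+"$name"} 2>/dev/null || true)"; then
      return 0
    fi
    if [ "$(date +%s)" -ge "$deadline" ]; then
      echo "timed out waiting for $kind ${name:-(all)} to reach STATE=running" >&2
      return 1
    fi
    sleep 10
  done
}

# Run the chart through the Helm guardrails with a server-side dry run first;
# only if that passes, install it atomically (a failed install rolls back).
install_chart() {          # install_chart RELEASE CHART_DIR [extra helm args...]
  release=$1; chart=$2; shift 2
  helm upgrade "$release" "$chart" --install --namespace "$APIGEE_NAMESPACE" \
    --atomic -f overrides.yaml "$@" --dry-run=server
  helm upgrade "$release" "$chart" --install --namespace "$APIGEE_NAMESPACE" \
    --atomic -f overrides.yaml "$@"
}

# The ordered sequence from this page, each component verified before the
# next starts. Env and env-group release names are only suffixed when the
# two names collide, which is the case the page calls out.
install_all() {            # install_all ORG_NAME ENV_NAME ENV_GROUP
  org=$1; env=$2; group=$3
  env_release=$env; group_release=$group
  if [ "$env" = "$group" ]; then
    env_release="$env-env-release"; group_release="$group-envgroup-release"
  fi
  install_chart operator apigee-operator/
  kubectl -n "$APIGEE_NAMESPACE" rollout status deploy/apigee-controller-manager
  install_chart datastore apigee-datastore/
  wait_running apigeedatastore default
  install_chart telemetry apigee-telemetry/
  wait_running apigeetelemetry apigee-telemetry
  install_chart redis apigee-redis/
  wait_running apigeeredis default
  install_chart ingress-manager apigee-ingress-manager/
  kubectl -n "$APIGEE_NAMESPACE" rollout status deploy/apigee-ingressgateway-manager
  install_chart "$org" apigee-org/
  wait_running apigeeorg
  install_chart "$env_release" apigee-env/ --set "env=$env"
  wait_running apigeeenv
  install_chart "$group_release" apigee-virtualhost/ --set "envgroup=$group"
  wait_running ar          # the AR appears once the Watcher has synced the group
}

if [ "${1:-}" = "--run" ]; then
  shift
  install_all "$@"
fi
```

Invoke it as `sh install-hybrid.sh --run ORG_NAME ENV_NAME ENV_GROUP`; `all_rows_running` deliberately rejects a table with no STATE column or no rows, so a resource that has not been created yet is never mistaken for a healthy one.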
JSON file
- The steps for this authentication type are the same as those listed under Kubernetes Secret above; run them from the APIGEE_HELM_CHARTS_HOME directory in the same order.
Vault
- The steps for this authentication type are the same as those listed under Kubernetes Secret above; run them from the APIGEE_HELM_CHARTS_HOME directory in the same order.
适用于 GKE 的 WIF
- 如果没有,请转到
APIGEE_HELM_CHARTS_HOME
目录。从该目录运行以下命令。 - 安装 Apigee Operator/Controller:
- 试运行:
helm upgrade operator apigee-operator/ \ --install \ --namespace APIGEE_NAMESPACE \ --atomic \ -f overrides.yaml \ --dry-run=server
- 安装图表:
helm upgrade operator apigee-operator/ \ --install \ --namespace APIGEE_NAMESPACE \ --atomic \ -f overrides.yaml
-
验证 Apigee Operator 安装:
helm ls -n APIGEE_NAMESPACE
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION operator apigee 3 2025-06-26 00:42:44.492009 -0800 PST deployed apigee-operator-1.15.1 1.15.1
-
通过检查可用性来验证它已启动并正在运行:
kubectl -n APIGEE_NAMESPACE get deploy apigee-controller-manager
NAME READY UP-TO-DATE AVAILABLE AGE apigee-controller-manager 1/1 1 1 34s
- 试运行:
-
安装 Apigee 数据存储区:
- 试运行:
helm upgrade datastore apigee-datastore/ \ --install \ --namespace APIGEE_NAMESPACE \ --atomic \ -f overrides.yaml \ --dry-run=server
-
为 Cassandra 设置服务账号绑定,以使用 Workload Identity Federation for GKE:
helm upgrade
命令的输出应包含 NOTES 部分中的命令。按照这些命令设置服务账号绑定。应包含两条命令,格式如下:生产
gcloud iam service-accounts add-iam-policy-binding CASSANDRA_SERVICE_ACCOUNT_EMAIL \ --role roles/iam.workloadIdentityUser \ --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-cassandra-default]" \ --project PROJECT_ID
非生产
gcloud iam service-accounts add-iam-policy-binding NON_PROD_SERVICE_ACCOUNT_EMAIL \ --role roles/iam.workloadIdentityUser \ --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-cassandra-default]" \ --project PROJECT_ID
且:
生产
kubectl annotate serviceaccount apigee-cassandra-default \ iam.gke.io/gcp-service-account=CASSANDRA_SERVICE_ACCOUNT_EMAIL \ --namespace APIGEE_NAMESPACE
非生产
kubectl annotate serviceaccount apigee-cassandra-default \ iam.gke.io/gcp-service-account=NON_PROD_SERVICE_ACCOUNT_EMAIL \ --namespace APIGEE_NAMESPACE
例如:
生产
NOTES: For Cassandra backup GKE Workload Identity, please make sure to add the following membership to the IAM policy binding using the respective kubernetes SA (KSA). gcloud iam service-accounts add-iam-policy-binding apigee-cassandra@my-project.iam.gserviceaccount.com \ --role roles/iam.workloadIdentityUser \ --member "serviceAccount:my-project.svc.id.goog[apigee/apigee-cassandra-default]" \ --project my-project kubectl annotate serviceaccount apigee-cassandra-default \ iam.gke.io/gcp-service-account=apigee-cassandra@my-project.iam.gserviceaccount.com \ --namespace apigee
非生产
NOTES: For Cassandra backup GKE Workload Identity, please make sure to add the following membership to the IAM policy binding using the respective kubernetes SA (KSA). gcloud iam service-accounts add-iam-policy-binding apigee-non-prod@my-project.iam.gserviceaccount.com \ --role roles/iam.workloadIdentityUser \ --member "serviceAccount:my-project.svc.id.goog[apigee/apigee-cassandra-default]" \ --project my-project kubectl annotate serviceaccount apigee-cassandra-default \ iam.gke.io/gcp-service-account=apigee-non-prod@my-project.iam.gserviceaccount.com \ --namespace apigee
可选:如果您不想在此时设置 Cassandra 备份,请修改替换文件,以移除或注释掉
cassandra.backup
stanza,然后再运行不含--dry-run
标志的helm upgrade
命令。如需详细了解如何配置 Cassandra 备份,请参阅 Cassandra 备份和恢复。 -
安装图表:
helm upgrade datastore apigee-datastore/ \ --install \ --namespace APIGEE_NAMESPACE \ --atomic \ -f overrides.yaml
-
在继续下一步之前,通过检查
apigeedatastore
的状态来验证它是否已启动并运行:kubectl -n APIGEE_NAMESPACE get apigeedatastore default
NAME STATE AGE default running 51s
- 试运行:
-
安装 Apigee 遥测:
- 试运行:
helm upgrade telemetry apigee-telemetry/ \ --install \ --namespace APIGEE_NAMESPACE \ --atomic \ -f overrides.yaml \ --dry-run=server
-
为 Workload Identity Federation for GKE 设置 Logger 和 Metrics 的服务账号绑定:
helm upgrade
命令的输出应包含 NOTES 部分中的命令。按照这些命令设置服务账号绑定。应包含两条命令,格式如下:记录器 KSA:
apigee-logger-apigee-telemetry
gcloud iam service-accounts add-iam-policy-binding LOGGER_SERVICE_ACCOUNT_EMAIL \ --role roles/iam.workloadIdentityUser \ --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-logger-apigee-telemetry]" \ --project PROJECT_ID
沙特阿拉伯的指标:
apigee-metrics-sa
生产
gcloud iam service-accounts add-iam-policy-binding METRICS_SERVICE_ACCOUNT_EMAIL \ --role roles/iam.workloadIdentityUser \ --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-metrics-sa]" \ --project PROJECT_ID
非生产
gcloud iam service-accounts add-iam-policy-binding NON_PROD_SERVICE_ACCOUNT_EMAIL \ --role roles/iam.workloadIdentityUser \ --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-metrics-sa]" \ --project PROJECT_ID
例如:
生产
NOTES: For GKE Workload Identity, please make sure to add the following membership to the IAM policy binding using the respective kubernetes SA (KSA). Logger KSA: apigee-logger-apigee-telemetry gcloud iam service-accounts add-iam-policy-binding apigee-logger@my-project.iam.gserviceaccount.com \ --role roles/iam.workloadIdentityUser \ --member "serviceAccount:my-project.svc.id.goog[apigee/apigee-logger-apigee-telemetry]" \ --project my-project Metrics KSA: apigee-metrics-sa gcloud iam service-accounts add-iam-policy-binding apigee-metrics@my-project.iam.gserviceaccount.com \ --role roles/iam.workloadIdentityUser \ --member "serviceAccount:my-project.svc.id.goog[apigee/apigee-metrics-sa]" \ --project my-project
非生产
NOTES: For GKE Workload Identity, please make sure to add the following membership to the IAM policy binding using the respective kubernetes SA (KSA). Logger KSA: apigee-logger-apigee-telemetry gcloud iam service-accounts add-iam-policy-binding apigee-non-prod@my-project.iam.gserviceaccount.com \ --role roles/iam.workloadIdentityUser \ --member "serviceAccount:my-project.svc.id.goog[apigee/apigee-logger-apigee-telemetry]" \ --project my-project Metrics KSA: apigee-metrics-sa gcloud iam service-accounts add-iam-policy-binding apigee-non-prod@my-project.iam.gserviceaccount.com \ --role roles/iam.workloadIdentityUser \ --member "serviceAccount:my-project.svc.id.goog[apigee/apigee-metrics-sa]" \ --project my-project
-
安装图表:
helm upgrade telemetry apigee-telemetry/ \ --install \ --namespace APIGEE_NAMESPACE \ --atomic \ -f overrides.yaml
-
通过检查状态来验证它已启动并正在运行:
kubectl -n APIGEE_NAMESPACE get apigeetelemetry apigee-telemetry
NAME STATE AGE apigee-telemetry running 55s
- 试运行:
-
安装 Apigee Redis:
-
试运行:
helm upgrade redis apigee-redis/ \ --install \ --namespace APIGEE_NAMESPACE \ --atomic \ -f overrides.yaml \ --dry-run=server
-
安装图表:
helm upgrade redis apigee-redis/ \ --install \ --namespace APIGEE_NAMESPACE \ --atomic \ -f overrides.yaml
-
通过检查状态来验证它已启动并正在运行:
kubectl -n APIGEE_NAMESPACE get apigeeredis default
NAME STATE AGE default running 79s
-
-
安装 Apigee 入站流量管理器:
-
试运行:
helm upgrade ingress-manager apigee-ingress-manager/ \ --install \ --namespace APIGEE_NAMESPACE \ --atomic \ -f overrides.yaml \ --dry-run=server
-
安装图表:
helm upgrade ingress-manager apigee-ingress-manager/ \ --install \ --namespace APIGEE_NAMESPACE \ --atomic \ -f overrides.yaml
-
通过检查可用性来验证它已启动并正在运行:
kubectl -n APIGEE_NAMESPACE get deployment apigee-ingressgateway-manager
NAME READY UP-TO-DATE AVAILABLE AGE apigee-ingressgateway-manager 2/2 2 2 16s
-
-
安装 Apigee 组织。如果您已在 shell 中设置 $ORG_NAME 环境变量,则可以在以下命令中使用该变量:
-
试运行:
helm upgrade $ORG_NAME apigee-org/ \ --install \ --namespace APIGEE_NAMESPACE \ --atomic \ -f overrides.yaml \ --dry-run=server
-
为组织级组件设置服务账号绑定,以用于 Workload Identity Federation for GKE、MART、Apigee Connect、UDCA 和 Watcher。
helm upgrade
命令的输出应包含 NOTES 部分中的命令。按照这些命令设置服务账号绑定。应有 4 个命令。MART KSA:
apigee-mart-PROJECT_ID-ORG_HASH_ID-sa
生产
gcloud iam service-accounts add-iam-policy-binding MART_SERVICE_ACCOUNT_EMAIL \ --role roles/iam.workloadIdentityUser \ --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-mart-PROJECT_ID-ORG_HASH_ID-sa]" \ --project PROJECT_ID
非生产
gcloud iam service-accounts add-iam-policy-binding NON_PROD_SERVICE_ACCOUNT_EMAIL \ --role roles/iam.workloadIdentityUser \ --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-mart-PROJECT_ID-ORG_HASH_ID-sa]" \ --project PROJECT_ID
Connect Agent KSA:
apigee-connect-agent-PROJECT_ID-ORG_HASH_ID-sa
生产
gcloud iam service-accounts add-iam-policy-binding MART_SERVICE_ACCOUNT_EMAIL \ --role roles/iam.workloadIdentityUser \ --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-connect-agent-PROJECT_ID-ORG_HASH_ID-sa]" \ --project PROJECT_ID
非生产
gcloud iam service-accounts add-iam-policy-binding NON_PROD_SERVICE_ACCOUNT_EMAIL \ --role roles/iam.workloadIdentityUser \ --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-connect-agent-PROJECT_ID-ORG_HASH_ID-sa]" \ --project PROJECT_ID
Mint 任务调度程序 KSA:(如果您使用的是 Apigee Hybrid 的 Monetization)
apigee-mint-task-scheduler-PROJECT_ID-ORG_HASH_ID-sa
生产
gcloud iam service-accounts add-iam-policy-binding MINT_TASK_SCHEDULER_SERVICE_ACCOUNT_EMAIL \ --role roles/iam.workloadIdentityUser \ --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-mint-task-scheduler-PROJECT_ID-ORG_HASH_ID-sa]" \ --project PROJECT_ID
非生产
gcloud iam service-accounts add-iam-policy-binding NON_PROD_SERVICE_ACCOUNT_EMAIL \ --role roles/iam.workloadIdentityUser \ --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-mint-task-scheduler-PROJECT_ID-ORG_HASH_ID-sa]" \ --project PROJECT_ID
UDCA KSA:
apigee-udca-PROJECT_ID-ORG_HASH_ID-sa
生产
gcloud iam service-accounts add-iam-policy-binding UDCA_SERVICE_ACCOUNT_EMAIL \ --role roles/iam.workloadIdentityUser \ --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-udca-PROJECT_ID-ORG_HASH_ID-sa]" \ --project PROJECT_ID
非生产
gcloud iam service-accounts add-iam-policy-binding NON_PROD_SERVICE_ACCOUNT_EMAIL \ --role roles/iam.workloadIdentityUser \ --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-udca-PROJECT_ID-ORG_HASH_ID-sa]" \ --project PROJECT_ID
Watcher KSA:
apigee-watcher-PROJECT_ID-ORG_HASH_ID-sa
生产
gcloud iam service-accounts add-iam-policy-binding WATCHER_SERVICE_ACCOUNT_EMAIL \ --role roles/iam.workloadIdentityUser \ --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-watcher-PROJECT_ID-ORG_HASH_ID-sa]" \ --project PROJECT_ID
非生产
gcloud iam service-accounts add-iam-policy-binding NON_PROD_SERVICE_ACCOUNT_EMAIL \ --role roles/iam.workloadIdentityUser \ --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-watcher-PROJECT_ID-ORG_HASH_ID-sa]" \ --project PROJECT_ID
例如:
生产
NOTES: For Apigee Organization GKE Workload Identity, my-project, please make sure to add the following membership to the IAM policy binding using the respective kubernetes SA (KSA). MART KSA: apigee-mart-my-project-1a2b3c4-sa gcloud iam service-accounts add-iam-policy-binding apigee-mart@my-project.iam.gserviceaccount.com \ --role roles/iam.workloadIdentityUser \ --member "serviceAccount:my-project.svc.id.goog[apigee/apigee-mart-my-project-1a2b3c4-sa]" \ --project my-project Connect Agent KSA: apigee-connect-agent-my-project-1a2b3c4-sa gcloud iam service-accounts add-iam-policy-binding apigee-mart@my-project.iam.gserviceaccount.com \ --role roles/iam.workloadIdentityUser \ --member "serviceAccount:my-project.svc.id.goog[apigee/apigee-connect-agent-my-project-1a2b3c4-sa]" \ --project my-project Mint task scheduler KSA: apigee-mint-task-scheduler-my-project-1a2b3c4-sa gcloud iam service-accounts add-iam-policy-binding apigee-mint-task-scheduler@my-project.iam.gserviceaccount.com \ --role roles/iam.workloadIdentityUser \ --member "serviceAccount:my-project.svc.id.goog[apigee/apigee-mint-task-scheduler-my-project-1a2b3c4-sa]" \ --project my-project UDCA KSA: apigee-udca-my-project-1a2b3c4-sa gcloud iam service-accounts add-iam-policy-binding apigee-udca@my-project.iam.gserviceaccount.com \ --role roles/iam.workloadIdentityUser \ --member "serviceAccount:my-project.svc.id.goog[apigee/apigee-udca-my-project-1a2b3c4-sa]" \ --project my-project Watcher KSA: apigee-watcher-my-project-1a2b3c4-sa gcloud iam service-accounts add-iam-policy-binding apigee-watcher@my-project.iam.gserviceaccount.com \ --role roles/iam.workloadIdentityUser \ --member "serviceAccount:my-project.svc.id.goog[apigee/apigee-watcher-my-project-1a2b3c4-sa]" \ --project my-project
非生产
NOTES: For Apigee Organization GKE Workload Identity, my-project, please make sure to add the following membership to the IAM policy binding using the respective kubernetes SA (KSA). MART KSA: apigee-mart-my-project-1a2b3c4-sa gcloud iam service-accounts add-iam-policy-binding apigee-non-prod@my-project.iam.gserviceaccount.com \ --role roles/iam.workloadIdentityUser \ --member "serviceAccount:my-project.svc.id.goog[apigee/apigee-mart-my-project-1a2b3c4-sa]" \ --project my-project Connect Agent KSA: apigee-connect-agent-my-project-1a2b3c4-sa gcloud iam service-accounts add-iam-policy-binding apigee-non-prod@my-project.iam.gserviceaccount.com \ --role roles/iam.workloadIdentityUser \ --member "serviceAccount:my-project.svc.id.goog[apigee/apigee-connect-agent-my-project-1a2b3c4-sa]" \ --project my-project UDCA KSA: apigee-udca-my-project-1a2b3c4-sa gcloud iam service-accounts add-iam-policy-binding apigee-non-prod@my-project.iam.gserviceaccount.com \ --role roles/iam.workloadIdentityUser \ --member "serviceAccount:my-project.svc.id.goog[apigee/apigee-udca-my-project-1a2b3c4-sa]" \ --project my-project Watcher KSA: apigee-watcher-my-project-1a2b3c4-sa gcloud iam service-accounts add-iam-policy-binding apigee-non-prod@my-project.iam.gserviceaccount.com \ --role roles/iam.workloadIdentityUser \ --member "serviceAccount:my-project.svc.id.goog[apigee/apigee-watcher-my-project-1a2b3c4-sa]" \ --project my-project
-
安装图表:
helm upgrade $ORG_NAME apigee-org/ \ --install \ --namespace APIGEE_NAMESPACE \ --atomic \ -f overrides.yaml
-
通过检查相应组织的状态来验证它已启动并正在运行:
kubectl -n APIGEE_NAMESPACE get apigeeorg
NAME STATE AGE my-project-123abcd running 4m18s
-
-
安装环境。
一次只能安装一个环境。使用
--set env=
ENV_NAME 指定环境。如果您已在 shell 中设置 $ENV_NAME 环境变量,则可以在以下命令中使用该变量:-
试运行:
helm upgrade ENV_RELEASE_NAME apigee-env/ \ --install \ --namespace APIGEE_NAMESPACE \ --atomic \ --set env=$ENV_NAME \ -f overrides.yaml \ --dry-run=server
ENV_RELEASE_NAME 是用于跟踪
apigee-env
图表的安装和升级情况的名称。此名称必须与安装中的其他 Helm 版本名称不同。 通常,这与ENV_NAME
相同。但是,如果环境与环境组具有相同的名称,则您必须为环境和环境组使用不同的版本名称,例如dev-env-release
和dev-envgroup-release
。如需详细了解 Helm 中的版本,请参阅 Helm 文档中的三大概念。 -
为环境级组件设置服务账号绑定,以用于 Workload Identity Federation for GKE、Runtime、Synchronizer 和 UDCA。
helm upgrade
命令的输出应包含 NOTES 部分中的命令。按照这些命令设置服务账号绑定。应有 4 个命令。运行时 KSA:
apigee-runtime-PROJECT_ID-ENV_NAME-ENV_HASH_ID-sa
生产
gcloud iam service-accounts add-iam-policy-binding RUNTIME_SERVICE_ACCOUNT_EMAIL \ --role roles/iam.workloadIdentityUser \ --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-runtime-PROJECT_ID-ENV_NAME-ENV_HASH_ID-sa]" \ --project PROJECT_ID
非生产
gcloud iam service-accounts add-iam-policy-binding NON_PROD_SERVICE_ACCOUNT_EMAIL \ --role roles/iam.workloadIdentityUser \ --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-runtime-PROJECT_ID-ENV_NAME-ENV_HASH_ID-sa]" \ --project PROJECT_ID
同步器 KSA:
apigee-synchronizer-PROJECT_ID-ENV_NAME-ENV_HASH_ID-sa
生产
gcloud iam service-accounts add-iam-policy-binding SYNCHRONIZER_SERVICE_ACCOUNT_EMAIL \ --role roles/iam.workloadIdentityUser \ --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-synchronizer-PROJECT_ID-ENV_NAME-ENV_HASH_ID-sa]" \ --project PROJECT_ID
非生产
gcloud iam service-accounts add-iam-policy-binding NON_PROD_SERVICE_ACCOUNT_EMAIL \ --role roles/iam.workloadIdentityUser \ --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-synchronizer-PROJECT_ID-ENV_NAME-ENV_HASH_ID-sa]" \ --project PROJECT_ID
UDCA KSA:
apigee-udca-PROJECT_ID-ORG_HASH_ID-ENV_NAME-ENV_HASH_ID-sa
生产
gcloud iam service-accounts add-iam-policy-binding UDCA_SERVICE_ACCOUNT_EMAIL \ --role roles/iam.workloadIdentityUser \ --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-udca-PROJECT_ID-ENV_NAME-ENV_HASH_ID-sa]" \ --project PROJECT_ID
非生产
gcloud iam service-accounts add-iam-policy-binding NON_PROD_SERVICE_ACCOUNT_EMAIL \ --role roles/iam.workloadIdentityUser \ --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-udca-PROJECT_ID-ENV_NAME-ENV_HASH_ID-sa]" \ --project PROJECT_ID
例如:
NOTES: For Apigee Environment GKE Workload Identity, my-env, please make sure to add the following membership to the IAM policy binding using the respective kubernetes SA (KSA). Runtime KSA: apigee-runtime-my-project-my-env-b2c3d4e-sa gcloud iam service-accounts add-iam-policy-binding apigee-runtime@my-project.iam.gserviceaccount.com \ --role roles/iam.workloadIdentityUser \ --member "serviceAccount:my-project.svc.id.goog[apigee/apigee-runtime-my-project-my-env-b2c3d4e-sa]" \ --project my-project Synchronizer KSA: apigee-synchronizer-my-project-my-env-b2c3d4e-sa gcloud iam service-accounts add-iam-policy-binding apigee-synchronizer@my-project.iam.gserviceaccount.com \ --role roles/iam.workloadIdentityUser \ --member "serviceAccount:my-project.svc.id.goog[apigee/apigee-synchronizer-my-project-my-env-b2c3d4e-sa]" \ --project my-project UDCA KSA: apigee-udca-my-project-my-env-b2c3d4e-sa: gcloud iam service-accounts add-iam-policy-binding apigee-udca@my-project.iam.gserviceaccount.com \ --role roles/iam.workloadIdentityUser \ --member "serviceAccount:my-project.svc.id.goog[apigee/apigee-udca-my-project-my-env-b2c3d4e-sa]" \ --project my-project
    - Install the chart:
        helm upgrade ENV_RELEASE_NAME apigee-env/ \
          --install \
          --namespace APIGEE_NAMESPACE \
          --atomic \
          --set env=$ENV_NAME \
          -f overrides.yaml
    - Verify that the environment is up and running by checking its state:
        kubectl -n APIGEE_NAMESPACE get apigeeenv

        NAME                       STATE     AGE    GATEWAYTYPE
        apigee-my-project-my-env   running   3m1s
- Install the environment groups (virtualhosts). You can install only one environment group (virtualhost) at a time. Specify the environment group with --set envgroup=ENV_GROUP. If you have set the $ENV_GROUP environment variable in your shell, you can use it in the following commands. Repeat the following commands for each environment group mentioned in your overrides.yaml file:
    - Dry run:
        helm upgrade ENV_GROUP_RELEASE_NAME apigee-virtualhost/ \
          --install \
          --namespace APIGEE_NAMESPACE \
          --atomic \
          --set envgroup=$ENV_GROUP \
          -f overrides.yaml \
          --dry-run=server
      ENV_GROUP_RELEASE_NAME is the name used to track installation and upgrades of the apigee-virtualhosts chart. It must be distinct from the other Helm release names in your installation. Usually it is the same as ENV_GROUP. However, if an environment group has the same name as an environment in your installation, you must use different release names for the environment group and the environment, for example dev-envgroup-release and dev-env-release. For more information about releases in Helm, see Three big concepts in the Helm documentation.
    - Install the chart:
        helm upgrade ENV_GROUP_RELEASE_NAME apigee-virtualhost/ \
          --install \
          --namespace APIGEE_NAMESPACE \
          --atomic \
          --set envgroup=$ENV_GROUP \
          -f overrides.yaml
    - Check the state of the ApigeeRoute (AR). Installing virtualhosts creates an ApigeeRouteConfig (ARC), which in turn creates an ApigeeRoute (AR) internally once the Apigee Watcher has pulled the environment group details from the control plane. Therefore, check that the state of the corresponding AR is running:
        kubectl -n APIGEE_NAMESPACE get arc

        NAME                     STATE   AGE
        apigee-org1-dev-egroup           2m

        kubectl -n APIGEE_NAMESPACE get ar

        NAME                                                         STATE     AGE
        apigee-ingressgateway-internal-chaining-my-project-123abcd   running   19m
        my-project-myenvgroup-000-321dcba                            running   2m30s
- (Optional) You can view the state of the Kubernetes service accounts on the Kubernetes: Workloads overview page in the Google Cloud console.
WIF on other platforms
- If you have not already, change to your APIGEE_HELM_CHARTS_HOME directory. Run the following commands from that directory.
- Install the Apigee Operator/Controller:
    - Dry run:
        helm upgrade operator apigee-operator/ \
          --install \
          --namespace APIGEE_NAMESPACE \
          --atomic \
          -f overrides.yaml \
          --dry-run=server
    - Install the chart:
        helm upgrade operator apigee-operator/ \
          --install \
          --namespace APIGEE_NAMESPACE \
          --atomic \
          -f overrides.yaml
    - Verify the Apigee Operator installation:
        helm ls -n APIGEE_NAMESPACE

        NAME       NAMESPACE   REVISION   UPDATED                                STATUS     CHART                    APP VERSION
        operator   apigee      3          2025-06-26 00:42:44.492009 -0800 PST   deployed   apigee-operator-1.15.1   1.15.1
    - Verify that it is up and running by checking its availability:
        kubectl -n APIGEE_NAMESPACE get deploy apigee-controller-manager

        NAME                        READY   UP-TO-DATE   AVAILABLE   AGE
        apigee-controller-manager   1/1     1            1           34s
- Install the Apigee datastore:
    - Dry run:
        helm upgrade datastore apigee-datastore/ \
          --install \
          --namespace APIGEE_NAMESPACE \
          --atomic \
          -f overrides.yaml \
          --dry-run=server
    - Install the chart:
        helm upgrade datastore apigee-datastore/ \
          --install \
          --namespace APIGEE_NAMESPACE \
          --atomic \
          -f overrides.yaml
    - If you have enabled Cassandra backup or Cassandra restore, grant the Cassandra Kubernetes service accounts permission to impersonate the associated apigee-cassandra IAM service account.
        - List the email address of the IAM service account for Cassandra:
            Production
              gcloud iam service-accounts list --project PROJECT_ID | grep "apigee-cassandra"
            Non-production
              gcloud iam service-accounts list --project PROJECT_ID | grep "apigee-non-prod"
          The output should look similar to the following:
            Production
              apigee-cassandra   apigee-cassandra@my-project.iam.gserviceaccount.com   False
            Non-production
              apigee-non-prod    apigee-non-prod@my-project.iam.gserviceaccount.com    False
        - List the Cassandra Kubernetes service accounts:
            kubectl get serviceaccount -n APIGEE_NAMESPACE | grep "apigee-cassandra"
          The output should look similar to the following:
            apigee-cassandra-backup-sa                         0   7m37s
            apigee-cassandra-default                           0   7m12s
            apigee-cassandra-guardrails-sa                     0   6m43s
            apigee-cassandra-restore-sa                        0   7m37s
            apigee-cassandra-schema-setup-my-project-1a2b2c4   0   7m30s
            apigee-cassandra-schema-val-my-project-1a2b2c4     0   7m29s
            apigee-cassandra-user-setup-my-project-1a2b2c4     0   7m22s
        - If you have created the apigee-cassandra-backup-sa or apigee-cassandra-restore-sa Kubernetes service account, use the following command to grant each of them the access it needs to impersonate the apigee-cassandra IAM service account:
            Production
              Template
                gcloud iam service-accounts add-iam-policy-binding \
                  CASSANDRA_IAM_SA_EMAIL \
                  --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
                  --role=roles/iam.workloadIdentityUser
              Example
                gcloud iam service-accounts add-iam-policy-binding \
                  apigee-cassandra@my-project.iam.gserviceaccount.com \
                  --member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-cassandra-backup-sa" \
                  --role=roles/iam.workloadIdentityUser
            Non-production
              Template
                gcloud iam service-accounts add-iam-policy-binding \
                  NON_PROD_IAM_SA_EMAIL \
                  --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
                  --role=roles/iam.workloadIdentityUser
              Example
                gcloud iam service-accounts add-iam-policy-binding \
                  apigee-non-prod@my-project.iam.gserviceaccount.com \
                  --member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-cassandra-backup-sa" \
                  --role=roles/iam.workloadIdentityUser
          Where:
            CASSANDRA_IAM_SA_EMAIL: the email address of the Cassandra IAM service account.
            PROJECT_NUMBER: the project number of the project in which you created the workload identity pool.
            POOL_ID: the workload identity pool ID.
            MAPPED_SUBJECT: the Kubernetes ServiceAccount taken from the claim in the ID token. In most hybrid installations this takes the form system:serviceaccount:APIGEE_NAMESPACE:K8S_SA_NAME.
              - For apigee-cassandra-backup-sa, this looks like system:serviceaccount:apigee:apigee-cassandra-backup-sa.
              - For apigee-cassandra-restore-sa, this looks like system:serviceaccount:apigee:apigee-cassandra-restore-sa.
    - Before proceeding to the next step, verify that the apigeedatastore is up and running by checking its state:
        kubectl -n APIGEE_NAMESPACE get apigeedatastore default

        NAME      STATE     AGE
        default   running   51s
- Install Apigee telemetry:
    - Dry run:
        helm upgrade telemetry apigee-telemetry/ \
          --install \
          --namespace APIGEE_NAMESPACE \
          --atomic \
          -f overrides.yaml \
          --dry-run=server
    - Install the chart:
        helm upgrade telemetry apigee-telemetry/ \
          --install \
          --namespace APIGEE_NAMESPACE \
          --atomic \
          -f overrides.yaml
    - Verify that it is up and running by checking its state:
        kubectl -n APIGEE_NAMESPACE get apigeetelemetry apigee-telemetry

        NAME               STATE     AGE
        apigee-telemetry   running   55s
    - Grant the telemetry Kubernetes service accounts the access they need to impersonate the associated apigee-metrics IAM service account.
        - List the email address of the IAM service account for metrics:
            Production
              gcloud iam service-accounts list --project PROJECT_ID | grep "apigee-metrics"
              The output should look similar to the following:
                apigee-metrics   apigee-metrics@my-project.iam.gserviceaccount.com   False
            Non-production
              gcloud iam service-accounts list --project PROJECT_ID | grep "apigee-non-prod"
              The output should look similar to the following:
                apigee-non-prod   apigee-non-prod@my-project.iam.gserviceaccount.com   False
        - List the telemetry Kubernetes service accounts:
            kubectl get serviceaccount -n APIGEE_NAMESPACE | grep "telemetry"
          The output should look similar to the following:
            apigee-metrics-apigee-telemetry                    0   42m
            apigee-open-telemetry-collector-apigee-telemetry   0   37m
        - Use the following commands to grant each telemetry Kubernetes service account the access it needs to impersonate the apigee-metrics IAM service account:
            Production
              Apigee metrics KSA: apigee-metrics-apigee-telemetry to the apigee-metrics Google IAM service account
                Code
                  gcloud iam service-accounts add-iam-policy-binding \
                    METRICS_IAM_SA_EMAIL \
                    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
                    --role=roles/iam.workloadIdentityUser
                Example
                  gcloud iam service-accounts add-iam-policy-binding \
                    apigee-metrics@my-project.iam.gserviceaccount.com \
                    --member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-metrics-apigee-telemetry" \
                    --role=roles/iam.workloadIdentityUser
              Apigee OpenTelemetry collector KSA: apigee-open-telemetry-collector-apigee-telemetry to the apigee-metrics Google IAM service account
                Code
                  gcloud iam service-accounts add-iam-policy-binding \
                    METRICS_IAM_SA_EMAIL \
                    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
                    --role=roles/iam.workloadIdentityUser
                Example
                  gcloud iam service-accounts add-iam-policy-binding \
                    apigee-metrics@my-project.iam.gserviceaccount.com \
                    --member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-open-telemetry-collector-apigee-telemetry" \
                    --role=roles/iam.workloadIdentityUser
            Non-production
              Apigee metrics KSA: apigee-metrics-apigee-telemetry to the apigee-non-prod Google IAM service account
                Code
                  gcloud iam service-accounts add-iam-policy-binding \
                    NON_PROD_IAM_SA_EMAIL \
                    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
                    --role=roles/iam.workloadIdentityUser
                Example
                  gcloud iam service-accounts add-iam-policy-binding \
                    apigee-non-prod@my-project.iam.gserviceaccount.com \
                    --member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-metrics-apigee-telemetry" \
                    --role=roles/iam.workloadIdentityUser
              Apigee OpenTelemetry collector KSA: apigee-open-telemetry-collector-apigee-telemetry to the apigee-non-prod Google IAM service account
                Code
                  gcloud iam service-accounts add-iam-policy-binding \
                    NON_PROD_IAM_SA_EMAIL \
                    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
                    --role=roles/iam.workloadIdentityUser
                Example
                  gcloud iam service-accounts add-iam-policy-binding \
                    apigee-non-prod@my-project.iam.gserviceaccount.com \
                    --member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-open-telemetry-collector-apigee-telemetry" \
                    --role=roles/iam.workloadIdentityUser
- Install Apigee Redis:
    - Dry run:
        helm upgrade redis apigee-redis/ \
          --install \
          --namespace APIGEE_NAMESPACE \
          --atomic \
          -f overrides.yaml \
          --dry-run=server
    - Install the chart:
        helm upgrade redis apigee-redis/ \
          --install \
          --namespace APIGEE_NAMESPACE \
          --atomic \
          -f overrides.yaml
    - Verify that it is up and running by checking its state:
        kubectl -n APIGEE_NAMESPACE get apigeeredis default

        NAME      STATE     AGE
        default   running   79s
- Install the Apigee ingress manager:
    - Dry run:
        helm upgrade ingress-manager apigee-ingress-manager/ \
          --install \
          --namespace APIGEE_NAMESPACE \
          --atomic \
          -f overrides.yaml \
          --dry-run=server
    - Install the chart:
        helm upgrade ingress-manager apigee-ingress-manager/ \
          --install \
          --namespace APIGEE_NAMESPACE \
          --atomic \
          -f overrides.yaml
    - Verify that it is up and running by checking its availability:
        kubectl -n APIGEE_NAMESPACE get deployment apigee-ingressgateway-manager

        NAME                            READY   UP-TO-DATE   AVAILABLE   AGE
        apigee-ingressgateway-manager   2/2     2            2           16s
- Install the Apigee organization. If you have set the $ORG_NAME environment variable in your shell, you can use it in the following commands:
    - Dry run:
        helm upgrade $ORG_NAME apigee-org/ \
          --install \
          --namespace APIGEE_NAMESPACE \
          --atomic \
          -f overrides.yaml \
          --dry-run=server
    - Install the chart:
        helm upgrade $ORG_NAME apigee-org/ \
          --install \
          --namespace APIGEE_NAMESPACE \
          --atomic \
          -f overrides.yaml
    - Verify that the organization is up and running by checking its state:
        kubectl -n APIGEE_NAMESPACE get apigeeorg

        NAME                 STATE     AGE
        my-project-123abcd   running   4m18s
    - Grant the org-scoped Kubernetes service accounts the permissions they need to impersonate the associated IAM service accounts.
        - List the email addresses of the IAM service accounts used by the apigee-mart, apigee-udca and apigee-watcher components:
            Production
              gcloud iam service-accounts list --project PROJECT_ID | grep "apigee-mart\|apigee-udca\|apigee-watcher"
              The output should look similar to the following:
                apigee-mart      apigee-mart@my-project.iam.gserviceaccount.com      False
                apigee-udca      apigee-udca@my-project.iam.gserviceaccount.com      False
                apigee-watcher   apigee-watcher@my-project.iam.gserviceaccount.com   False
              If you use Monetization for Apigee Hybrid, also get the email address of the apigee-mint-task-scheduler service account:
                gcloud iam service-accounts list --project PROJECT_ID | grep "apigee-mint-task-scheduler"
              The output should look similar to the following:
                apigee-mint-task-scheduler   apigee-mint-task-scheduler@my-project.iam.gserviceaccount.com   False
            Non-production
              gcloud iam service-accounts list --project PROJECT_ID | grep "apigee-non-prod"
              The output should look similar to the following:
                apigee-non-prod   apigee-non-prod@my-project.iam.gserviceaccount.com   False
        - List the org-scoped Kubernetes service accounts:
            kubectl get serviceaccount -n APIGEE_NAMESPACE | grep "apigee-connect-agent\|apigee-mart\|apigee-udca\|apigee-watcher"
          The output should look similar to the following:
            apigee-connect-agent-my-project-123abcd         0   1h4m
            apigee-mart-my-project-123abcd                  0   1h4m
            apigee-mint-task-scheduler-my-project-123abcd   0   1h3m
            apigee-udca-my-project-123abcd                  0   1h2m
            apigee-watcher-my-project-123abcd               0   1h1m
        - Use the following commands to grant the org-scoped Kubernetes service accounts the access they need to impersonate the associated IAM service accounts, as follows:
            Production
              Connect Agent KSA: the apigee-connect-agent-ORG_NAME-ORG_HASH_ID Kubernetes service account to the apigee-mart IAM service account.
                Code
                  gcloud iam service-accounts add-iam-policy-binding \
                    APIGEE_MART_SA_EMAIL \
                    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
                    --role=roles/iam.workloadIdentityUser
                Example
                  gcloud iam service-accounts add-iam-policy-binding \
                    apigee-mart@my-project.iam.gserviceaccount.com \
                    --member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-connect-agent-my-org-123abcd" \
                    --role=roles/iam.workloadIdentityUser
              MART KSA: the apigee-mart-ORG_NAME-ORG_HASH_ID Kubernetes service account to the apigee-mart IAM service account. MART and the Connect Agent use the same IAM service account.
                Code
                  gcloud iam service-accounts add-iam-policy-binding \
                    APIGEE_MART_SA_EMAIL \
                    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
                    --role=roles/iam.workloadIdentityUser
                Example
                  gcloud iam service-accounts add-iam-policy-binding \
                    apigee-mart@my-project.iam.gserviceaccount.com \
                    --member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-mart-my-org-123abcd" \
                    --role=roles/iam.workloadIdentityUser
              Mint Task Scheduler KSA (if you use Monetization for Apigee Hybrid): the apigee-mint-task-scheduler-ORG_NAME-ORG_HASH_ID Kubernetes service account to the apigee-mint-task-scheduler IAM service account.
                Code
                  gcloud iam service-accounts add-iam-policy-binding \
                    APIGEE_MINT_TASK_SCHEDULER_SA_EMAIL \
                    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
                    --role=roles/iam.workloadIdentityUser
                Example
                  gcloud iam service-accounts add-iam-policy-binding \
                    apigee-mint-task-scheduler@my-project.iam.gserviceaccount.com \
                    --member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-mint-task-scheduler-my-org-123abcd" \
                    --role=roles/iam.workloadIdentityUser
              Org-scoped UDCA KSA: the apigee-udca-ORG_NAME-ORG_HASH_ID Kubernetes service account to the apigee-udca IAM service account.
                Code
                  gcloud iam service-accounts add-iam-policy-binding \
                    APIGEE_UDCA_SA_EMAIL \
                    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
                    --role=roles/iam.workloadIdentityUser
                Example
                  gcloud iam service-accounts add-iam-policy-binding \
                    apigee-udca@my-project.iam.gserviceaccount.com \
                    --member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-udca-my-org-123abcd" \
                    --role=roles/iam.workloadIdentityUser
              Watcher KSA: the apigee-watcher-ORG_NAME-ORG_HASH_ID Kubernetes service account to the apigee-watcher IAM service account.
                Code
                  gcloud iam service-accounts add-iam-policy-binding \
                    APIGEE_WATCHER_SA_EMAIL \
                    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
                    --role=roles/iam.workloadIdentityUser
                Example
                  gcloud iam service-accounts add-iam-policy-binding \
                    apigee-watcher@my-project.iam.gserviceaccount.com \
                    --member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-watcher-my-org-123abcd" \
                    --role=roles/iam.workloadIdentityUser
            Non-production
              Connect Agent KSA: the apigee-connect-agent-ORG_NAME-ORG_HASH_ID Kubernetes service account to the apigee-non-prod IAM service account.
                Code
                  gcloud iam service-accounts add-iam-policy-binding \
                    NON_PROD_IAM_SA_EMAIL \
                    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
                    --role=roles/iam.workloadIdentityUser
                Example
                  gcloud iam service-accounts add-iam-policy-binding \
                    apigee-non-prod@my-project.iam.gserviceaccount.com \
                    --member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-connect-agent-my-org-123abcd" \
                    --role=roles/iam.workloadIdentityUser
              MART KSA: the apigee-mart-ORG_NAME-ORG_HASH_ID Kubernetes service account to the apigee-non-prod IAM service account.
                Code
                  gcloud iam service-accounts add-iam-policy-binding \
                    NON_PROD_IAM_SA_EMAIL \
                    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
                    --role=roles/iam.workloadIdentityUser
                Example
                  gcloud iam service-accounts add-iam-policy-binding \
                    apigee-non-prod@my-project.iam.gserviceaccount.com \
                    --member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-mart-my-org-123abcd" \
                    --role=roles/iam.workloadIdentityUser
              Mint Task Scheduler KSA (if you use Monetization for Apigee Hybrid): the apigee-mint-task-scheduler-ORG_NAME-ORG_HASH_ID Kubernetes service account to the apigee-non-prod IAM service account.
                Code
                  gcloud iam service-accounts add-iam-policy-binding \
                    NON_PROD_IAM_SA_EMAIL \
                    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
                    --role=roles/iam.workloadIdentityUser
                Example
                  gcloud iam service-accounts add-iam-policy-binding \
                    apigee-non-prod@my-project.iam.gserviceaccount.com \
                    --member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-mint-task-scheduler-my-org-123abcd" \
                    --role=roles/iam.workloadIdentityUser
              Org-scoped UDCA KSA: the apigee-udca-ORG_NAME-ORG_HASH_ID Kubernetes service account to the apigee-non-prod IAM service account.
                Code
                  gcloud iam service-accounts add-iam-policy-binding \
                    NON_PROD_IAM_SA_EMAIL \
                    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
                    --role=roles/iam.workloadIdentityUser
                Example
                  gcloud iam service-accounts add-iam-policy-binding \
                    apigee-non-prod@my-project.iam.gserviceaccount.com \
                    --member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-udca-my-org-123abcd" \
                    --role=roles/iam.workloadIdentityUser
              Watcher KSA: the apigee-watcher-ORG_NAME-ORG_HASH_ID Kubernetes service account to the apigee-non-prod IAM service account.
                Code
                  gcloud iam service-accounts add-iam-policy-binding \
                    NON_PROD_IAM_SA_EMAIL \
                    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
                    --role=roles/iam.workloadIdentityUser
                Example
                  gcloud iam service-accounts add-iam-policy-binding \
                    apigee-non-prod@my-project.iam.gserviceaccount.com \
                    --member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-watcher-my-org-123abcd" \
                    --role=roles/iam.workloadIdentityUser
- Install the environments. You can install only one environment at a time. Specify the environment with --set env=ENV_NAME. If you have set the $ENV_NAME environment variable in your shell, you can use it in the following commands:
    - Dry run:
        helm upgrade ENV_RELEASE_NAME apigee-env/ \
          --install \
          --namespace APIGEE_NAMESPACE \
          --atomic \
          --set env=$ENV_NAME \
          -f overrides.yaml \
          --dry-run=server
      ENV_RELEASE_NAME is the name used to track installation and upgrades of the apigee-env chart. It must be distinct from the other Helm release names in your installation. Usually it is the same as ENV_NAME. However, if an environment has the same name as an environment group, you must use different release names for the environment and the environment group, for example dev-env-release and dev-envgroup-release. For more information about releases in Helm, see Three big concepts in the Helm documentation.
    - Install the chart:
        helm upgrade ENV_RELEASE_NAME apigee-env/ \
          --install \
          --namespace APIGEE_NAMESPACE \
          --atomic \
          --set env=$ENV_NAME \
          -f overrides.yaml
    - Verify that the environment is up and running by checking its state:
        kubectl -n APIGEE_NAMESPACE get apigeeenv

        NAME                       STATE     AGE    GATEWAYTYPE
        apigee-my-project-my-env   running   3m1s
    - Grant the env-scoped Kubernetes service accounts the permissions they need to impersonate the associated IAM service accounts.
        - List the email addresses of the IAM service accounts used by the apigee-runtime, apigee-synchronizer and apigee-udca components:
            Production
              gcloud iam service-accounts list --project PROJECT_ID | grep "apigee-runtime\|apigee-synchronizer\|apigee-udca"
            Non-production
              gcloud iam service-accounts list --project PROJECT_ID | grep "apigee-non-prod"
          The output should look similar to the following:
            Production
              apigee-runtime        apigee-runtime@my-project.iam.gserviceaccount.com        False
              apigee-synchronizer   apigee-synchronizer@my-project.iam.gserviceaccount.com   False
              apigee-udca           apigee-udca@my-project.iam.gserviceaccount.com           False
            Non-production
              apigee-non-prod       apigee-non-prod@my-project.iam.gserviceaccount.com       False
        - List the env-scoped Kubernetes service accounts:
            kubectl get serviceaccount -n APIGEE_NAMESPACE | grep "apigee-runtime\|apigee-synchronizer\|apigee-udca"
          The output should look similar to the following:
            apigee-runtime-my-project-my-env-cdef123        0   19m
            apigee-synchronizer-my-project-my-env-cdef123   0   17m
            apigee-udca-my-project-123abcd                  0   1h29m
            apigee-udca-my-project-my-env-cdef123           0   22m
        - Use the following commands to grant the env-scoped Kubernetes service accounts the access they need to impersonate the associated IAM service accounts, as follows:
            Production
              Runtime KSA: the apigee-runtime-PROJECT_ID-ENV_NAME-ENV_HASH_ID-sa KSA to the apigee-runtime Google IAM SA
                Code
                  gcloud iam service-accounts add-iam-policy-binding \
                    RUNTIME_IAM_SA_EMAIL \
                    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
                    --role=roles/iam.workloadIdentityUser
                Example
                  gcloud iam service-accounts add-iam-policy-binding \
                    apigee-runtime@my-project.iam.gserviceaccount.com \
                    --member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-runtime-my-project-my-env-cdef123" \
                    --role=roles/iam.workloadIdentityUser
              Synchronizer KSA: the apigee-synchronizer-PROJECT_ID-ENV_NAME-ENV_HASH_ID-sa KSA to the apigee-synchronizer Google IAM SA
                Code
                  gcloud iam service-accounts add-iam-policy-binding \
                    SYNCHRONIZER_IAM_SA_EMAIL \
                    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
                    --role=roles/iam.workloadIdentityUser
                Example
                  gcloud iam service-accounts add-iam-policy-binding \
                    apigee-synchronizer@my-project.iam.gserviceaccount.com \
                    --member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-synchronizer-my-project-my-env-cdef123" \
                    --role=roles/iam.workloadIdentityUser
              UDCA KSA: the apigee-udca-PROJECT_ID-ENV_NAME-ENV_HASH_ID-sa KSA to the apigee-udca Google IAM SA
                Code
                  gcloud iam service-accounts add-iam-policy-binding \
                    UDCA_IAM_SA_EMAIL \
                    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
                    --role=roles/iam.workloadIdentityUser
                Example
                  gcloud iam service-accounts add-iam-policy-binding \
                    apigee-udca@my-project.iam.gserviceaccount.com \
                    --member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-udca-my-project-my-env-cdef123" \
                    --role=roles/iam.workloadIdentityUser
            Non-production
              Runtime KSA: the apigee-runtime-PROJECT_ID-ENV_NAME-ENV_HASH_ID-sa KSA to the apigee-non-prod Google IAM SA
                Code
                  gcloud iam service-accounts add-iam-policy-binding \
                    NON_PROD_IAM_SA_EMAIL \
                    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
                    --role=roles/iam.workloadIdentityUser
                Example
                  gcloud iam service-accounts add-iam-policy-binding \
                    apigee-non-prod@my-project.iam.gserviceaccount.com \
                    --member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-runtime-my-project-my-env-cdef123" \
                    --role=roles/iam.workloadIdentityUser
              Synchronizer KSA: the apigee-synchronizer-PROJECT_ID-ENV_NAME-ENV_HASH_ID-sa KSA to the apigee-non-prod Google IAM SA
                Code
                  gcloud iam service-accounts add-iam-policy-binding \
                    NON_PROD_IAM_SA_EMAIL \
                    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
                    --role=roles/iam.workloadIdentityUser
                Example
                  gcloud iam service-accounts add-iam-policy-binding \
                    apigee-non-prod@my-project.iam.gserviceaccount.com \
                    --member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-synchronizer-my-project-my-env-cdef123" \
                    --role=roles/iam.workloadIdentityUser
              UDCA KSA: the apigee-udca-PROJECT_ID-ENV_NAME-ENV_HASH_ID-sa KSA to the apigee-non-prod Google IAM SA
                Code
                  gcloud iam service-accounts add-iam-policy-binding \
                    NON_PROD_IAM_SA_EMAIL \
                    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
                    --role=roles/iam.workloadIdentityUser
                Example
                  gcloud iam service-accounts add-iam-policy-binding \
                    apigee-non-prod@my-project.iam.gserviceaccount.com \
                    --member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-udca-my-project-my-env-cdef123" \
                    --role=roles/iam.workloadIdentityUser
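The org-scoped and env-scoped grants above, and the GKE-style grants earlier on this page, all follow one pattern: each Apigee KSA gets a roles/iam.workloadIdentityUser binding on exactly one IAM service account. The script below is an added example, not part of the Apigee documentation, that derives the full set of expected members from `kubectl get serviceaccount` output so the grants can be reviewed against least privilege before any gcloud command is run; the KSA list, project ID, project number and pool ID are constructed sample values, and the KSA-to-IAM-SA mapping is the production layout described on this page (non-prod maps everything to apigee-non-prod).

```shell
#!/bin/sh
# Added example (not from the Apigee Hybrid docs): plan the Workload Identity
# bindings for Apigee KSAs and print the gcloud commands for review.
# Every name, number and pool ID below is a constructed sample value.

# Constructed sample of `kubectl get serviceaccount -n apigee` output:
# org-scoped KSAs end in ORG_HASH_ID, env-scoped KSAs in ENV_HASH_ID.
SAMPLE_KSA_LIST='apigee-connect-agent-my-project-123abcd         0   64m
apigee-mart-my-project-123abcd                  0   64m
apigee-udca-my-project-123abcd                  0   62m
apigee-watcher-my-project-123abcd               0   61m
apigee-runtime-my-project-my-env-cdef123        0   19m
apigee-synchronizer-my-project-my-env-cdef123   0   17m
apigee-udca-my-project-my-env-cdef123           0   22m'

# Production layout: the single IAM service account a KSA may impersonate.
# Connect Agent shares apigee-mart; org- and env-scoped UDCA both use apigee-udca.
iam_sa_for_ksa() {
  case "$1" in
    apigee-connect-agent-*|apigee-mart-*) echo apigee-mart ;;
    apigee-udca-*)                        echo apigee-udca ;;
    apigee-watcher-*)                     echo apigee-watcher ;;
    apigee-runtime-*)                     echo apigee-runtime ;;
    apigee-synchronizer-*)                echo apigee-synchronizer ;;
    apigee-mint-task-scheduler-*)         echo apigee-mint-task-scheduler ;;
    *) return 1 ;;   # not an Apigee KSA that receives a binding
  esac
}

# Member string for GKE Workload Identity: project_id namespace ksa
gke_member() {
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]\n' "$1" "$2" "$3"
}

# Member string for Workload Identity Federation on other platforms:
# project_number pool_id namespace ksa (MAPPED_SUBJECT = system:serviceaccount:NS:KSA)
wif_member() {
  printf 'principal://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/subject/system:serviceaccount:%s:%s\n' \
    "$1" "$2" "$3" "$4"
}

# Emit one "IAM_SA_EMAIL MEMBER" line per KSA in the list.
# mode: gke|wif   layout: prod|non-prod (non-prod maps every KSA to apigee-non-prod)
plan_bindings() {
  mode=$1; layout=$2; project_id=$3; project_number=$4; pool_id=$5; ns=$6; ksa_list=$7
  printf '%s\n' "$ksa_list" | while read -r ksa _rest; do
    [ -n "$ksa" ] || continue
    target=$(iam_sa_for_ksa "$ksa") || continue
    if [ "$layout" = non-prod ]; then target=apigee-non-prod; fi
    if [ "$mode" = gke ]; then
      member=$(gke_member "$project_id" "$ns" "$ksa")
    else
      member=$(wif_member "$project_number" "$pool_id" "$ns" "$ksa")
    fi
    printf '%s@%s.iam.gserviceaccount.com %s\n' "$target" "$project_id" "$member"
  done
}

# Turn plan lines (stdin) into gcloud commands; they are printed for review, not executed.
render_gcloud() {
  while read -r sa member; do
    printf 'gcloud iam service-accounts add-iam-policy-binding %s \\\n  --member="%s" \\\n  --role=roles/iam.workloadIdentityUser\n' \
      "$sa" "$member"
  done
}

plan_bindings wif prod my-project 1234567890 my-pool apigee "$SAMPLE_KSA_LIST" | render_gcloud
```

Compare the planned members with the bindings actually present on each IAM service account; any member that is not an Apigee KSA in your namespace is an over-grant worth removing.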
- Install the environment groups (virtualhosts). You can install only one environment group (virtualhost) at a time. Specify the environment group with --set envgroup=ENV_GROUP. If you have set the $ENV_GROUP environment variable in your shell, you can use it in the following commands. Repeat the following commands for each environment group mentioned in your overrides.yaml file:
    - Dry run:
        helm upgrade ENV_GROUP_RELEASE_NAME apigee-virtualhost/ \
          --install \
          --namespace APIGEE_NAMESPACE \
          --atomic \
          --set envgroup=$ENV_GROUP \
          -f overrides.yaml \
          --dry-run=server
      ENV_GROUP_RELEASE_NAME is the name used to track installation and upgrades of the apigee-virtualhosts chart. It must be distinct from the other Helm release names in your installation. Usually it is the same as ENV_GROUP. However, if an environment group has the same name as an environment in your installation, you must use different release names for the environment group and the environment, for example dev-envgroup-release and dev-env-release. For more information about releases in Helm, see Three big concepts in the Helm documentation.
    - Install the chart:
        helm upgrade ENV_GROUP_RELEASE_NAME apigee-virtualhost/ \
          --install \
          --namespace APIGEE_NAMESPACE \
          --atomic \
          --set envgroup=$ENV_GROUP \
          -f overrides.yaml
    - Check the state of the ApigeeRoute (AR). Installing virtualhosts creates an ApigeeRouteConfig (ARC), which in turn creates an ApigeeRoute (AR) internally once the Apigee Watcher has pulled the environment group details from the control plane. Therefore, check that the state of the corresponding AR is running:
        kubectl -n APIGEE_NAMESPACE get arc

        NAME                     STATE   AGE
        apigee-org1-dev-egroup           2m

        kubectl -n APIGEE_NAMESPACE get ar

        NAME                                                         STATE     AGE
        apigee-ingressgateway-internal-chaining-my-project-123abcd   running   19m
        my-project-myenvgroup-000-321dcba                            running   2m30s
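The env and envgroup steps both require every Helm release name in the installation to be unique, with the dev-env-release / dev-envgroup-release convention when an environment and an environment group share a name. The following added example, which is not part of the Apigee documentation, reads the environment and virtualhost names from a constructed overrides.yaml, derives the release names by that rule, and checks them for collisions against the fixed chart releases (operator, datastore, telemetry, redis, ingress-manager) and the org release; the YAML parsing assumes the top-level envs: and virtualhosts: lists with `- name:` entries.

```shell
#!/bin/sh
# Added example (not from the Apigee Hybrid docs): derive ENV_RELEASE_NAME and
# ENV_GROUP_RELEASE_NAME from overrides.yaml and verify all Helm release names
# in the installation are distinct. The overrides.yaml content is a constructed sample.

SAMPLE_OVERRIDES='org: my-project
envs:
- name: dev
  serviceAccountPaths:
    synchronizer: ./service-accounts/sync.json
- name: test
virtualhosts:
- name: dev
  sslCertPath: ./certs/dev.pem
- name: test-group
cassandra:
  hostNetwork: false'

# Print the "- name:" entries under one top-level key (envs or virtualhosts), one per line.
names_under() {   # key yaml_text
  printf '%s\n' "$2" | awk -v want="$1" '
    /^[A-Za-z]/ { section = $1; sub(/:.*/, "", section) }
    section == want && /^ *- *name:/ { sub(/.*name: */, ""); print }'
}

# Succeed when $1 is one of the newline-separated names in $2.
in_list() { printf '%s\n' "$2" | grep -qxF -- "$1"; }

# Release name for one env or envgroup: the bare name unless the same name
# appears in both lists, in which case the docs' suffix convention applies.
release_name() {   # kind(env|envgroup) name env_names group_names
  if in_list "$2" "$3" && in_list "$2" "$4"; then
    printf '%s-%s-release\n' "$2" "$1"
  else
    printf '%s\n' "$2"
  fi
}

# Every release name of the installation: fixed chart releases, org, envs, envgroups.
all_release_names() {   # org_name yaml_text
  envs=$(names_under envs "$2"); groups=$(names_under virtualhosts "$2")
  printf 'operator\ndatastore\ntelemetry\nredis\ningress-manager\n%s\n' "$1"
  for e in $envs; do release_name env "$e" "$envs" "$groups"; done
  for g in $groups; do release_name envgroup "$g" "$envs" "$groups"; done
}

# Succeed when all release names are unique; otherwise print the duplicates and fail.
check_unique_releases() {   # org_name yaml_text
  dups=$(all_release_names "$1" "$2" | sort | uniq -d)
  [ -z "$dups" ] || { printf 'duplicate Helm release names: %s\n' "$dups"; return 1; }
}

check_unique_releases my-project "$SAMPLE_OVERRIDES" && all_release_names my-project "$SAMPLE_OVERRIDES"
```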
Next step
In the next step, you configure the Apigee ingress gateway and deploy a proxy to test the installation.
(Next) Step 1: Expose Apigee ingress