本步驟說明如何下載及安裝 cert-manager 和 Anthos Service Mesh (ASM),這是 Apigee Hybrid 運作的必要條件。
安裝 cert-manager
使用下列任一指令,從 GitHub 安裝 cert-manager v0.14.2。
如要找出 Kubernetes 版本,請使用 kubectl version 指令。
- 如果 Kubernetes 版本為 1.15 以上:
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.14.2/cert-manager.yaml
- 舊版 Kubernetes (1.15 以前):
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.14.2/cert-manager-legacy.yaml
您應該會看到回應,指出已建立 cert-manager 命名空間和多個 cert-manager 資源。
安裝 ASM
Apigee Hybrid 使用 Anthos 服務網格 (ASM) 提供的 Istio 發行版本。 請按照下列步驟,在叢集中安裝 ASM。
支援的 ASM 版本
如果是全新安裝混合式環境,請在叢集中安裝 ASM 1.6.x。如果從 Hybrid 1.2.x 版升級,請在叢集中安裝 ASM 1.5.x 版。
執行 ASM 設定步驟
如要完成 ASM 安裝作業,請先按照 ASM 說明文件中的步驟,完成 ASM 專屬的設定。然後,您必須返回這裡完成混合專屬設定,再將設定套用至叢集。
- 按照 ASM 設定和設定步驟操作:
- 如果是新安裝 Apigee Hybrid,請安裝 ASM 1.6.x 版。請參閱: 安裝和遷移簡介。
- 如要從舊版混合式升級,請使用 ASM 1.5.x。請參閱「 在現有叢集中安裝 Anthos 服務網格」。
完成 ASM 設定和設定步驟後,請前往下一節,完成混合式設定和 ASM 安裝步驟。
執行最終的混合式設定並安裝 ASM
最後,將混合式專屬設定新增至 istio-operator.yaml 檔案,並安裝 ASM。
-
確認您位於 ASM 安裝的根目錄中。例如:
1.6.11-asm.1。 - 在編輯器中開啟
./asm/cluster/istio-operator.yaml檔案。 - 在
spec.meshConfig:下方縮排新增下列程式碼:要複製的文字
# This disables Istio from configuring workloads for mTLS if TLSSettings are not specified. 1.4 defaulted to false. enableAutoMtls: false accessLogFile: "/dev/stdout" accessLogEncoding: 1 # This is Apigee's custom access log format. Changes should not be made to this # unless first working with the Data and AX teams as they parse these logs for # SLOs. accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'顯示刊登位置的範例
為提高可讀性而插入的換行符
apiVersion: install.istio.io/v1alpha1 kind: IstioOperator metadata: clusterName: "hybrid-example/us-central1/example-cluster" # {"$ref":"#/definitions/io.k8s.cli.substitutions.cluster-name"} spec: profile: asm hub: gcr.io/gke-release/asm # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.hub"} tag: 1.5.7-asm.0 # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.tag"} meshConfig: # This disables Istio from configuring workloads for mTLS if TLSSettings are not specified. # 1.4 defaulted to false. enableAutoMtls: false accessLogFile: "/dev/stdout" accessLogEncoding: 1 # This is Apigee's custom access log format. Changes should not be made to this # unless first working with the Data and AX teams as they parse these logs for # SLOs. accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE _ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(: METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RE SPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIV ED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response _flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_serv ice_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER% ","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_ path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol ":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_S ERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}' defaultConfig: proxyMetadata: GCP_METADATA: "hybrid-example|123456789123|example-cluster|us-central1" # {"$ref":"#/definitions/io.k8s.cli.substitutions.gke-metadata"}
- 在
istio-operator.yaml檔案的meshConfig:區段下方,以及values:上方,新增 (或更新)spec:components節,其中 reserved_static_ip 是您在「專案和機構設定 - 步驟 5:設定 Cloud DNS」中,為執行階段 Ingress 閘道預留的 IP 位址。要複製的文字
ingressGateways: - name: istio-ingressgateway enabled: true k8s: service: type: LoadBalancer loadBalancerIP: reserved_static_ip ports: - name: status-port port: 15020 targetPort: 15020 - name: http2 port: 80 targetPort: 80 - name: https port: 443 - name: prometheus port: 15030 targetPort: 15030 - name: tcp port: 31400 targetPort: 31400 - name: tls port: 15443 targetPort: 15443顯示刊登位置的範例
為提高可讀性而插入的換行符
apiVersion: install.istio.io/v1alpha1 kind: IstioOperator metadata: clusterName: "hybrid-example/us-central1/example-cluster" # {"$ref":"#/definitions/io.k8s.cli.substitutions.cluster-name"} spec: profile: asm hub: gcr.io/gke-release/asm # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.hub"} tag: 1.5.7-asm.0 # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.tag"} meshConfig: # This disables Istio from configuring workloads for mTLS if TLSSettings are not specified. # 1.4 defaulted to false. enableAutoMtls: false accessLogFile: "/dev/stdout" accessLogEncoding: 1 # This is Apigee's custom access log format. Changes should not be made to this # unless first working with the Data and AX teams as they parse these logs for # SLOs. accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE _ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(: METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RE SPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIV ED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response _flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_serv ice_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER% ","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_ path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol ":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_S ERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}' defaultConfig: proxyMetadata: GCP_METADATA: "hybrid-example|123456789123|example-cluster|us-central1" # {"$ref":"#/definitions/io.k8s.cli.substitutions.gke-metadata"} components: pilot: k8s: hpaSpec: maxReplicas: 2 ingressGateways: - name: istio-ingressgateway enabled: true k8s: service: type: LoadBalancer loadBalancerIP: 123.234.56.78 ports: - name: status-port port: 15020 targetPort: 15020 - name: http2 port: 80 targetPort: 80 - name: https port: 443 - name: prometheus port: 15030 targetPort: 15030 - name: tcp port: 31400 targetPort: 31400 - name: tls port: 15443 targetPort: 15443 hpaSpec: maxReplicas: 2 values: . . .
- 現在請返回先前使用的 ASM 說明文件,完成 ASM 安裝作業 (將
istio-operator.yaml檔案安裝或套用至叢集)。如果系統提供選項,請選擇「PERMISSIVE mTLS」(寬容模式 mTLS)。
摘要
您現在已安裝 cert-manager 和 ASM,可以開始在本機安裝 Apigee Hybrid 指令列工具。
1 2 (NEXT) Step 3: Install apigeectl 4 5