Starting with Apigee hybrid version 1.8, Apigee hybrid uses Apigee ingress gateway to provide an ingress gateway for your hybrid installation. If you prefer to use Anthos Service Mesh for ingress, follow these steps to install Anthos Service Mesh in your cluster.
Supported Anthos Service Mesh versions
See Apigee hybrid: supported platforms for the Anthos Service Mesh versions supported in hybrid version 1.8.
If you are upgrading your hybrid installation, follow the instructions in Upgrade Anthos Service Mesh.
Install Anthos Service Mesh
Perform these steps on a fresh Apigee hybrid installation only if you are not using Apigee ingress gateway.
Perform the procedures using the Anthos Service Mesh documentation appropriate for your platform:
The instructions to install and configure Anthos Service Mesh are different depending on your platform. The platforms are divided into the following categories:
- GKE: Google Kubernetes Engine clusters running on Google Cloud.
- Outside Google Cloud: Anthos clusters running on:
  - Anthos clusters on VMware (GKE on-prem)
  - Anthos on bare metal
  - Anthos clusters on AWS
  - Amazon EKS
- Other Kubernetes Platforms: Conformant clusters created and running on:
  - AKS
  - EKS
  - OpenShift
GKE
The sequence for installing Anthos Service Mesh is as follows:
- Prepare for the installation.
- Install the new version of Anthos Service Mesh.
Prepare to install Anthos Service Mesh
- Review the requirements in Upgrade Anthos Service Mesh, but do not perform the upgrade yet.
- Create a new overlay.yaml file or verify that your existing overlay.yaml contains the following contents:
        apiVersion: install.istio.io/v1alpha1
        kind: IstioOperator
        spec:
          components:
            ingressGateways:
            - name: istio-ingressgateway
              enabled: true
              k8s:
                nodeSelector:
                  # default node selector, if different or not using node selectors, change accordingly.
                  cloud.google.com/gke-nodepool: apigee-runtime
                resources:
                  requests:
                    cpu: 1000m
                service:
                  type: LoadBalancer
                  loadBalancerIP: STATIC_IP # If you do not have a reserved static IP, leave this out.
                  ports:
                    - name: http-status-port
                      port: 15021
                    - name: http2
                      port: 80
                      targetPort: 8080
                    - name: https
                      port: 443
                      targetPort: 8443
          meshConfig:
            accessLogFormat:
              '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
- Follow the instructions in the following sections in the Anthos Service Mesh documentation:
  - Download asmcli
  - Grant cluster admin permissions
  - Validate project and cluster
  - Upgrade with optional features. Stop before starting the "Upgrade Gateways" section.
Outside Google Cloud
These instructions cover upgrading Anthos Service Mesh on:
- Anthos clusters on VMware (GKE on-prem)
- Anthos on bare metal
- Anthos clusters on AWS
- Amazon EKS
The sequence for installing Anthos Service Mesh is as follows:
- Prepare for the installation.
- Install the new version of Anthos Service Mesh.
Prepare to install Anthos Service Mesh
- Review the requirements in Upgrade Anthos Service Mesh, but do not perform the upgrade yet.
- Create a new overlay.yaml file or verify that your existing overlay.yaml contains the following contents:
        apiVersion: install.istio.io/v1alpha1
        kind: IstioOperator
        spec:
          components:
            ingressGateways:
            - name: istio-ingressgateway
              enabled: true
              k8s:
                nodeSelector:
                  # default node selector, if different or not using node selectors, change accordingly.
                  cloud.google.com/gke-nodepool: apigee-runtime
                resources:
                  requests:
                    cpu: 1000m
                service:
                  type: LoadBalancer
                  loadBalancerIP: STATIC_IP # If you do not have a reserved static IP, leave this out.
                  ports:
                    - name: http-status-port
                      port: 15021
                    - name: http2
                      port: 80
                      targetPort: 8080
                    - name: https
                      port: 443
                      targetPort: 8443
          values:
            gateways:
              istio-ingressgateway:
                runAsRoot: true
          meshConfig:
            accessLogFormat:
              '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
- Follow the instructions in the following sections in the Anthos Service Mesh documentation:
  - Download asmcli
  - Grant cluster admin permissions
  - Validate project and cluster
  - Upgrade with optional features. Stop before starting the "Upgrade Gateways" section.
AKS / EKS
Preparing to install Anthos Service Mesh
Linux
- Download the Anthos Service Mesh installation file to your current working directory:
        curl -LO https://storage.googleapis.com/gke-release/asm/1.17.8-asm.4-distroless-linux-amd64.tar.gz
- Download the signature file and use OpenSSL to verify the signature:
        curl -LO https://storage.googleapis.com/gke-release/asm/1.17.8-asm.4-distroless-linux-amd64.tar.gz.1.sig
        openssl dgst -verify /dev/stdin -signature 1.17.8-asm.4-distroless-linux-amd64.tar.gz.1.sig 1.17.8-asm.4-distroless-linux-amd64.tar.gz <<'EOF'
        -----BEGIN PUBLIC KEY-----
        MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
        wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
        -----END PUBLIC KEY-----
        EOF
- Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
        tar xzf 1.17.8-asm.4-distroless-linux-amd64.tar.gz
  The command creates an installation directory in your current working directory named 1.17.8-asm.4-distroless that contains:
  - Sample applications in the samples directory.
  - The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
  - The Anthos Service Mesh configuration profiles are in the manifests/profiles directory.
- Ensure that you're in the Anthos Service Mesh installation's root directory:
        cd 1.17.8-asm.4-distroless
- For convenience, add the tools in the /bin directory to your PATH:
        export PATH=$PWD/bin:$PATH
Mac OS
- Download the Anthos Service Mesh installation file to your current working directory:
        curl -LO https://storage.googleapis.com/gke-release/asm/1.17.8-asm.4-distroless-osx.tar.gz
- Download the signature file and use OpenSSL to verify the signature:
        curl -LO https://storage.googleapis.com/gke-release/asm/1.17.8-asm.4-distroless-osx.tar.gz.1.sig
        openssl dgst -sha256 -verify /dev/stdin -signature 1.17.8-asm.4-distroless-osx.tar.gz.1.sig 1.17.8-asm.4-distroless-osx.tar.gz <<'EOF'
        -----BEGIN PUBLIC KEY-----
        MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
        wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
        -----END PUBLIC KEY-----
        EOF
- Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
        tar xzf 1.17.8-asm.4-distroless-osx.tar.gz
  The command creates an installation directory in your current working directory named 1.17.8-asm.4-distroless that contains:
  - Sample applications in the samples directory.
  - The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
  - The Anthos Service Mesh configuration profiles are in the manifests/profiles directory.
- Ensure that you're in the Anthos Service Mesh installation's root directory:
        cd 1.17.8-asm.4-distroless
- For convenience, add the tools in the /bin directory to your PATH:
        export PATH=$PWD/bin:$PATH
Windows
- Download the Anthos Service Mesh installation file to your current working directory:
        curl -LO https://storage.googleapis.com/gke-release/asm/1.17.8-asm.4-distroless-win.zip
- Download the signature file and use OpenSSL to verify the signature:
        curl -LO https://storage.googleapis.com/gke-release/asm/1.17.8-asm.4-distroless-win.zip.1.sig
        openssl dgst -verify - -signature 1.17.8-asm.4-distroless-win.zip.1.sig 1.17.8-asm.4-distroless-win.zip <<'EOF'
        -----BEGIN PUBLIC KEY-----
        MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
        wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
        -----END PUBLIC KEY-----
        EOF
- Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
        tar xzf 1.17.8-asm.4-distroless-win.zip
  The command creates an installation directory in your current working directory named 1.17.8-asm.4-distroless that contains:
  - Sample applications in the samples directory.
  - The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
  - The Anthos Service Mesh configuration profiles are in the manifests\profiles directory.
- Ensure that you're in the Anthos Service Mesh installation's root directory:
        cd 1.17.8-asm.4-distroless
- For convenience, add the tools in the \bin directory to your PATH:
        set PATH=%CD%\bin;%PATH%
- Now that Anthos Service Mesh Istio is installed, check the version of istioctl:
        istioctl version
- Create a namespace called istio-system for the control plane components:
        kubectl create namespace istio-system
Installing Anthos Service Mesh
- Edit your overlay.yaml file or create a new one with the following contents:
        apiVersion: install.istio.io/v1alpha1
        kind: IstioOperator
        spec:
          meshConfig:
            accessLogFile: /dev/stdout
            enableTracing: true
            accessLogFormat:
              '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
          components:
            ingressGateways:
            - name: istio-ingressgateway
              enabled: true
              k8s:
                service:
                  type: LoadBalancer
                  ports:
                  - name: status-port
                    port: 15021
                    targetPort: 15021
                  - name: http2
                    port: 80
                    targetPort: 8080
                  - name: https
                    port: 443
                    targetPort: 8443
- Install Anthos Service Mesh with istioctl using the asm-multicloud profile:
        istioctl install \
            --set profile=asm-multicloud \
            --set revision="asm-1178-1" \
            --filename overlay.yaml
  Your output should look something like:
        kubectl get pods -n istio-system
        NAME                                   READY   STATUS    RESTARTS   AGE
        istio-ingressgateway-88b6fd976-flgp2   1/1     Running   0          3m13s
        istio-ingressgateway-88b6fd976-p5dl9   1/1     Running   0          2m57s
        istiod-asm-1178-1-798ffb964-2ls88      1/1     Running   0          3m21s
        istiod-asm-1178-1-798ffb964-fnj8c      1/1     Running   1          3m21s
  The --set revision argument adds a revision label in the format istio.io/rev=asm-1178-1 to istiod. The revision label is used by the automatic sidecar injector webhook to associate injected sidecars with a particular istiod revision. To enable sidecar auto-injection for a namespace, you must label it with a revision that matches the label on istiod.
- Verify that your install completed:
        kubectl get svc -n istio-system
  Your output should look something like:
        NAME                   TYPE           CLUSTER-IP       EXTERNAL-IP     PORT(S)                                                                      AGE
        istio-ingressgateway   LoadBalancer   172.200.48.52    34.74.177.168   15021:30479/TCP,80:30030/TCP,443:32200/TCP,15012:32297/TCP,15443:30244/TCP   3m35s
        istiod                 ClusterIP      172.200.18.133   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP                                        4m46s
        istiod-asm-1178-1      ClusterIP      172.200.63.220   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP                                        3m43s
OpenShift
Preparing to install Anthos Service Mesh
- Before installing the new version, determine the current revision. You will need this information to delete the validating webhook and mutating webhook from your current Anthos Service Mesh installation. Use the following command to store the current istiod revision to an environment variable:
        export DELETE_REV=$(kubectl get deploy -n istio-system -l app=istiod -o jsonpath={.items[*].metadata.labels.'istio\.io\/rev'}'{"\n"}')
        echo $DELETE_REV
  Your output should look something like 1.16
Linux
- Grant the anyuid security context constraint (SCC) to the istio-system with the following OpenShift CLI (oc) command:
        oc adm policy add-scc-to-group anyuid system:serviceaccounts:istio-system
- Download the Anthos Service Mesh installation file to your current working directory:
        curl -LO https://storage.googleapis.com/gke-release/asm/1.17.8-asm.4-distroless-linux-amd64.tar.gz
- Download the signature file and use OpenSSL to verify the signature:
        curl -LO https://storage.googleapis.com/gke-release/asm/1.17.8-asm.4-distroless-linux-amd64.tar.gz.1.sig
        openssl dgst -verify /dev/stdin -signature 1.17.8-asm.4-distroless-linux-amd64.tar.gz.1.sig 1.17.8-asm.4-distroless-linux-amd64.tar.gz <<'EOF'
        -----BEGIN PUBLIC KEY-----
        MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
        wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
        -----END PUBLIC KEY-----
        EOF
- Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
        tar xzf 1.17.8-asm.4-distroless-linux-amd64.tar.gz
  The command creates an installation directory in your current working directory named 1.17.8-asm.4-distroless that contains:
  - Sample applications in the samples directory.
  - The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
  - The Anthos Service Mesh configuration profiles are in the manifests/profiles directory.
- Ensure that you're in the Anthos Service Mesh installation's root directory:
        cd 1.17.8-asm.4-distroless
- For convenience, add the tools in the /bin directory to your PATH:
        export PATH=$PWD/bin:$PATH
Mac OS
- Grant the anyuid security context constraint (SCC) to the istio-system with the following OpenShift CLI (oc) command:
        oc adm policy add-scc-to-group anyuid system:serviceaccounts:istio-system
- Download the Anthos Service Mesh installation file to your current working directory:
        curl -LO https://storage.googleapis.com/gke-release/asm/1.17.8-asm.4-distroless-osx.tar.gz
- Download the signature file and use OpenSSL to verify the signature:
        curl -LO https://storage.googleapis.com/gke-release/asm/1.17.8-asm.4-distroless-osx.tar.gz.1.sig
        openssl dgst -sha256 -verify /dev/stdin -signature 1.17.8-asm.4-distroless-osx.tar.gz.1.sig 1.17.8-asm.4-distroless-osx.tar.gz <<'EOF'
        -----BEGIN PUBLIC KEY-----
        MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
        wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
        -----END PUBLIC KEY-----
        EOF
- Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
        tar xzf 1.17.8-asm.4-distroless-osx.tar.gz
  The command creates an installation directory in your current working directory named 1.17.8-asm.4-distroless that contains:
  - Sample applications in the samples directory.
  - The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
  - The Anthos Service Mesh configuration profiles are in the manifests/profiles directory.
- Ensure that you're in the Anthos Service Mesh installation's root directory:
        cd 1.17.8-asm.4-distroless
- For convenience, add the tools in the /bin directory to your PATH:
        export PATH=$PWD/bin:$PATH
Windows
- Grant the anyuid security context constraint (SCC) to the istio-system with the following OpenShift CLI (oc) command:
        oc adm policy add-scc-to-group anyuid system:serviceaccounts:istio-system
- Download the Anthos Service Mesh installation file to your current working directory:
        curl -LO https://storage.googleapis.com/gke-release/asm/1.17.8-asm.4-distroless-win.zip
- Download the signature file and use OpenSSL to verify the signature:
        curl -LO https://storage.googleapis.com/gke-release/asm/1.17.8-asm.4-distroless-win.zip.1.sig
        openssl dgst -verify - -signature 1.17.8-asm.4-distroless-win.zip.1.sig 1.17.8-asm.4-distroless-win.zip <<'EOF'
        -----BEGIN PUBLIC KEY-----
        MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
        wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
        -----END PUBLIC KEY-----
        EOF
- Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
        tar xzf 1.17.8-asm.4-distroless-win.zip
  The command creates an installation directory in your current working directory named 1.17.8-asm.4-distroless that contains:
  - Sample applications in the samples directory.
  - The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
  - The Anthos Service Mesh configuration profiles are in the manifests\profiles directory.
- Ensure that you're in the Anthos Service Mesh installation's root directory:
        cd 1.17.8-asm.4-distroless
- For convenience, add the tools in the \bin directory to your PATH:
        set PATH=%CD%\bin;%PATH%
- Now that Anthos Service Mesh Istio is installed, check the version of istioctl:
        istioctl version
- Create a namespace called istio-system for the control plane components:
        kubectl create namespace istio-system
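Added example, not taken from the Anthos Service Mesh or Apigee documentation: when the download, verify and extract steps in the AKS / EKS and OpenShift sections above are scripted, extraction should run only if openssl dgst -verify both exits 0 and prints "Verified OK". The function names are hypothetical, and a throwaway ECDSA P-256 key and a small constructed archive stand in for the published key and the release archive so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the Anthos Service Mesh or Apigee documentation.
# All function names are hypothetical.

# verify_release ARCHIVE SIGNATURE PUBKEY_PEM
# Succeeds only when openssl exits 0 AND prints exactly "Verified OK".
verify_release() {
    vr_archive=$1; vr_sig=$2; vr_pub=$3
    # A missing or empty input is a failure, never "nothing to check".
    [ -s "$vr_archive" ] && [ -s "$vr_sig" ] && [ -s "$vr_pub" ] || return 2
    vr_out=$(openssl dgst -sha256 -verify "$vr_pub" \
        -signature "$vr_sig" "$vr_archive" 2>/dev/null) || return 1
    [ "$vr_out" = "Verified OK" ]
}

# verify_then_extract ARCHIVE SIGNATURE PUBKEY_PEM DEST_DIR
# Fails closed: DEST_DIR is not even created unless verification passes.
verify_then_extract() {
    if ! verify_release "$1" "$2" "$3"; then
        echo "signature check failed for $1; not extracting" >&2
        return 1
    fi
    mkdir -p "$4" && tar xzf "$1" -C "$4"
}

# make_demo DIR
# Constructed demo data: a throwaway P-256 key pair, a small signed archive,
# and a tampered copy of that archive (one byte appended, same signature).
make_demo() {
    md_dir=$1
    openssl ecparam -name prime256v1 -genkey -noout \
        -out "$md_dir/key.pem" 2>/dev/null || return 1
    openssl pkey -in "$md_dir/key.pem" -pubout \
        -out "$md_dir/pub.pem" 2>/dev/null || return 1
    mkdir -p "$md_dir/payload/bin" || return 1
    echo 'placeholder' > "$md_dir/payload/bin/tool" || return 1
    tar czf "$md_dir/release.tar.gz" -C "$md_dir" payload || return 1
    openssl dgst -sha256 -sign "$md_dir/key.pem" \
        -out "$md_dir/release.tar.gz.1.sig" "$md_dir/release.tar.gz" || return 1
    cp "$md_dir/release.tar.gz" "$md_dir/tampered.tar.gz" || return 1
    printf 'x' >> "$md_dir/tampered.tar.gz"
}

# run_demo: returns 0 when the genuine archive is extracted and the tampered
# one is refused without anything being written to its destination.
run_demo() {
    rd_dir=$(mktemp -d) || return 1
    make_demo "$rd_dir" || { rm -rf "$rd_dir"; return 1; }
    rd_rc=0
    verify_then_extract "$rd_dir/release.tar.gz" "$rd_dir/release.tar.gz.1.sig" \
        "$rd_dir/pub.pem" "$rd_dir/good" || rd_rc=1
    [ -f "$rd_dir/good/payload/bin/tool" ] || rd_rc=1
    verify_then_extract "$rd_dir/tampered.tar.gz" "$rd_dir/release.tar.gz.1.sig" \
        "$rd_dir/pub.pem" "$rd_dir/bad" 2>/dev/null && rd_rc=1
    [ -e "$rd_dir/bad" ] && rd_rc=1
    rm -rf "$rd_dir"
    return "$rd_rc"
}

run_demo && echo "genuine archive extracted, tampered archive refused"
```

For a real release, save the public key shown in the verification step to a file and pass it as PUBKEY_PEM.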
Configure the validating webhook
When you install Anthos Service Mesh, you set a revision label on istiod. You need to set the same revision on the validating webhook.
- Create a file called istiod-service.yaml with the following contents:
        apiVersion: v1
        kind: Service
        metadata:
          name: istiod
          namespace: istio-system
          labels:
            istio.io/rev: asm-1178-1
            app: istiod
            istio: pilot
            release: istio
        spec:
          ports:
            - port: 15010
              name: grpc-xds # plaintext
              protocol: TCP
            - port: 15012
              name: https-dns # mTLS with k8s-signed cert
              protocol: TCP
            - port: 443
              name: https-webhook # validation and injection
              targetPort: 15017
              protocol: TCP
            - port: 15014
              name: http-monitoring # prometheus stats
              protocol: TCP
          selector:
            app: istiod
            istio.io/rev: asm-1178-1
- Use kubectl to apply the validating webhook configuration:
        kubectl apply -f istiod-service.yaml
- Verify that the configuration was applied:
        kubectl get svc -n istio-system
  The response should look similar to:
        NAME     TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                                 AGE
        istiod   ClusterIP   172.200.18.133   <none>        15010/TCP,15012/TCP,443/TCP,15014/TCP   22s
Installing Anthos Service Mesh
- Edit your overlay.yaml file or create a new one with the following contents:
        apiVersion: install.istio.io/v1alpha1
        kind: IstioOperator
        spec:
          meshConfig:
            accessLogFile: /dev/stdout
            enableTracing: true
            accessLogFormat:
              '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
          components:
            ingressGateways:
            - name: istio-ingressgateway
              enabled: true
              k8s:
                service:
                  type: LoadBalancer
                  ports:
                  - name: status-port
                    port: 15021
                    targetPort: 15021
                  - name: http2
                    port: 80
                    targetPort: 8080
                  - name: https
                    port: 443
                    targetPort: 8443
- Install Anthos Service Mesh with istioctl using the asm-multicloud profile:
        istioctl install \
            --set profile=asm-multicloud \
            --set revision="asm-1178-1" \
            --filename overlay.yaml
  Your output should look something like:
        kubectl get pods -n istio-system
        NAME                                   READY   STATUS    RESTARTS   AGE
        istio-ingressgateway-88b6fd976-flgp2   1/1     Running   0          3m13s
        istio-ingressgateway-88b6fd976-p5dl9   1/1     Running   0          2m57s
        istiod-asm-1178-1-798ffb964-2ls88      1/1     Running   0          3m21s
        istiod-asm-1178-1-798ffb964-fnj8c      1/1     Running   1          3m21s
  The --set revision argument adds a revision label in the format istio.io/rev=1.6.11-asm.1 to istiod. The revision label is used by the automatic sidecar injector webhook to associate injected sidecars with a particular istiod revision. To enable sidecar auto-injection for a namespace, you must label it with a revision that matches the label on istiod.
- Verify that your install completed:
        kubectl get svc -n istio-system
  Your output should look something like:
        NAME                   TYPE           CLUSTER-IP       EXTERNAL-IP     PORT(S)                                                                      AGE
        istio-ingressgateway   LoadBalancer   172.200.48.52    34.74.177.168   15021:30479/TCP,80:30030/TCP,443:32200/TCP,15012:32297/TCP,15443:30244/TCP   3m35s
        istiod                 ClusterIP      172.200.18.133   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP                                        4m46s
        istiod-asm-1178-1      ClusterIP      172.200.63.220   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP                                        3m43s