Overview

In this lab, you install and configure the Apigee hybrid runtime plane in a cluster on Google Kubernetes Engine (GKE) in Google Cloud. The hybrid deployment model enables you to deploy and manage the Apigee runtime in Kubernetes containers while Apigee hosts the management plane in Google Cloud.

Objectives

In this lab, you perform the following tasks:

• Install and configure the Apigee hybrid runtime plane in a Kubernetes cluster on GKE.
• Create Apigee hybrid environments and an environment group using the Google Cloud console.
• Deploy simple API proxies to the Apigee hybrid environments.
• Validate the environments by testing the API proxies.
• View API proxy analytics in the Google Cloud console.

Reference documentation for the steps described here's at Big picture.

Set up

For each lab, you get a new Google Cloud project and set of resources for a fixed time at no cost.

1. Sign in to Qwiklabs using an incognito window.

2. Note the lab's access time (for example, 1:15:00), and make sure you can finish within that time.
   There is no pause feature. You can restart if needed, but you have to start at the beginning.

3. When ready, click Start lab.

4. Note your lab credentials (Username and Password). You will use them to sign in to the Google Cloud Console.

5. Click Open Google Console.

6. Click Use another account and copy/paste credentials for this lab into the prompts.
   If you use other credentials, you'll receive errors or incur charges.

7. Accept the terms and skip the recovery resource page.

Task 1. Verify Google Cloud APIs

To use Apigee hybrid, you must enable a set of Google Cloud APIs for the project. The lab automatically enables most of the APIs needed to install Apigee hybrid. In this task, you use the Google Cloud Console to verify that certain Google Cloud and Apigee APIs are enabled, and enable any required APIs.

• Apigee API: Provides communications between your project and other hybrid services and Google Cloud APIs.
• Apigee Connect API: Enables communication between the Apigee management and runtime planes.
• Cloud Pub/Sub API: Required for quota to operate.
• Cloud Resource Manager API: Validates service accounts used by Apigee hybrid.
• Compute Engine API: Used for cluster management.
• Kubernetes Engine API: Enables the use of Google Kubernetes Engine (GKE) or GKE on-prem (Anthos clusters) for your hybrid runtime installation.

Enable required APIs

1. Sign in to the Google Cloud Console with your lab credentials.

2. In the Google Cloud Console, click the Navigation menu (), and then select APIs & Services > Library.

3. In the Search for APIs & Services box, type Apigee, and then select apigee api.

4. Click the Apigee API.

5. If the Apigee API isn't enabled, click Enable.

6. Repeat the previous steps to enable the Apigee Connect API.

Verify that the APIs are enabled

1. In the Google Cloud Console, on the Navigation menu (), click APIs & Services > Enabled APIs & Services.

2. Scroll the page to view the API table. In the Name column, verify that the APIs listed earlier are included.

   If any of the APIs are not listed, repeat the steps above to enable the API.

Click Check my progress to verify the objective. Enable required APIs.

Task 2. Create the Apigee hybrid organization

To use Apigee hybrid, you must create an organization resource bound to your Google Cloud project. In this task, you execute a script that calls an Apigee management API to create the organization.

For more details about the process and API, see Create an organization.

Create the hybrid organization

1. On the Google Cloud Console title bar, click Activate Cloud Shell ().

2. If prompted, click Continue.

   It takes a few moments to provision and connect to the environment. When you're connected, you're already authenticated, and the project is set to your Google Cloud PROJECT_ID.

3. Copy the provision_hybrid_org.sh script from Cloud Storage to your home directory:

   gcloud storage cp gs://cloud-training/CBL466/provision_hybrid_org.sh ~

4. If prompted, click Authorize.

5. Make the script executable:

   chmod a+x ./provision_hybrid_org.sh

6. Verify that the GOOGLE_CLOUD_PROJECT environment variable is set:

   echo $GOOGLE_CLOUD_PROJECT

   This variable must be set to your Google Cloud project. If it is not set, run the command:

   gcloud config set project {{{project_0.project_id|Project_ID}}}

7. Execute the script, passing in the Google Cloud project ID and region as arguments:

   ./provision_hybrid_org.sh -o {{{project_0.project_id|Project_ID}}} -r {{{project_0.default_region|us-central1}}}

   The project ID is set as your Apigee hybrid organization name. The script takes a minute or two to finish. After the script finishes successfully, it generates output that reports on the status of the hybrid organization.

   Wait for the script to finish before proceeding to the next task.

Task 3. Set up your work environment

In this task, you set up the required environment variables in Cloud Shell. These settings are needed to run gcloud commands that are used to create the cluster and install Apigee hybrid runtime components.

The following environment variables and their values are configured:

Environment variable name	Environment variable value
PROJECT_ID	Your Google Cloud project ID
GCP_REGION	The Google Cloud region used
GCP_ZONE	The Google Cloud zone used
ORG	Your Apigee hybrid organization name
ENV	The Apigee hybrid environment name
ENV_GROUP	The Apigee hybrid environment group name
INGRESS_DN	Domain name for your Apigee ingress (used to invoke the APIs you develop)

The following steps will set up the required variables for the lab.

Configure environment variables

1. Copy the environment setup script from Cloud Storage to your home directory:

   gcloud storage cp gs://cloud-training/CBL466/apigee-env-test.sh ~

2. To set the environment variables, run the following command:

   source ~/apigee-env-test.sh {{{project_0.default_region|us-central1}}} {{{project_0.default_zone|us-central1-a}}}

Task 4. Create Apigee hybrid environments

Apigee environments provide a runtime executing context for an API proxy as it progresses in its lifecycle from development through production. In order for an API to process requests in Apigee, you must deploy the API proxy to an environment.

In this task, you create two Apigee hybrid environments, test and stage in the Google Cloud console.

Create the test environment

1. In the Google Cloud console navigation menu, click View all products.

2. In the View all products page, scroll to the Integration Services section, click the pin next to Apigee, and then click Apigee.

3. In the Apigee navigation menu, scroll to the Management section, and click Environments.

4. To add an environment, in the Environments tab, click Create Environment.

5. To provide the environment details, for Name, type test.

   The Display Name is automatically populated.

6. Leave the remaining settings as their defaults, and click Create.

   A new environment is created with Status: Inactive.

Create the stage environment

Repeat the same steps to create another environment named stage.

1. Navigate back to the Environments page, and click Create Environment.

2. To provide the environment details, for Name, type stage.

3. Leave the remaining settings as their defaults, and click Create.

   Before environments can be used, they must be configured in the Apigee hybrid runtime plane and assigned to a runtime instance. You will do this in a subsequent task in this lab.

Task 5. Create an Apigee hybrid environment group

Environment groups let you group environments together, and provide the hostnames for routing API traffic to proxies that are deployed to the environments within the group. You must create at least one environment group, and you must assign at least one hostname to the group.

In this task, you create an environment group and assign the test, and stage environments to the group.

1. Navigate back to the Environments page, and click the Environment Groups tab.

2. To create and Environment Group, click Create Environment Group.

3. Configure the environment group with the following settings:

   Property	Value (type or select)
   Environment group name	test-group
   Hostnames	-test.hybrid-apigee.net
   Environments	stage, test

   All API proxies that are deployed to environments within this group will be accessible at runtime using the hostnames defined for the group.

4. Click Create.

Task 6. Prepare the Apigee hybrid cluster

In this task, you prepare and authenticate to the cluster using your Cloud Shell login credentials as a cluster administrator. The Apigee hybrid cluster hosts all of the Apigee hybrid runtime components needed to deploy and run API proxies on the hybrid platform.

Note: For background information and more details on the installation, see the documentation page at Create a cluster.

Prepare the cluster

1. In the Google Cloud Console, on the Navigation menu (), click Kubernetes Engine > Clusters.

   

   Note: Confirm that the apigee-hybrid cluster is running before proceeding to the next step. The cluster is provisioned in the background, so you may have to click Refresh at the top of the page to refresh the cluster list. Wait until the cluster is ready before proceeding to the next step.

2. In your Cloud Shell terminal, fetch the apigee-hybrid cluster credentials:

   gcloud container clusters get-credentials apigee-hybrid --zone $GCP_ZONE

3. Create the cluster-admin role binding for the current user:

   kubectl create clusterrolebinding cluster-admin-binding \ --clusterrole cluster-admin \ --user $(gcloud config get-value account) Note: The command grants permissions to the user across the cluster and is needed to install and configure the hybrid runtime plane from Cloud Shell.

4. Run the command to update your .profile file:

   echo "gcloud container clusters get-credentials apigee-hybrid --zone $GCP_ZONE" >> ~/.profile

   This will get the cluster's authentication and endpoint data and setup the current context in future Cloud Shell environments.

Configure the StorageClass

In this subtask, you configure persistent SSD storage for Cassandra, the datastore used by Apigee hybrid.

1. Create a yaml configuration for the StorageClass:

   cat <<EOF > ~/storageclass.yaml --- kind: StorageClass apiVersion: storage.k8s.io/v1 metadata: name: "apigee-sc" provisioner: kubernetes.io/gce-pd parameters: type: pd-ssd replication-type: none volumeBindingMode: WaitForFirstConsumer allowVolumeExpansion: true EOF

2. Apply the new StorageClass to your cluster:

   kubectl apply -f ~/storageclass.yaml

3. To change the default StorageClass, execute the following commands:

   kubectl patch storageclass standard-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}' kubectl patch storageclass apigee-sc -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'

4. Verify that apigee-sc is the new default StorageClass:

   kubectl get sc

5. View the StorageClass details:

   kubectl describe sc apigee-sc

   The new StorageClass uses the pd-ssd or Performance (SSD) Persistent Disk type of storage that is suitable for enterprise applications that require lower latency. For more information review the documentation.

Install cert-manager in the cluster

Apigee hybrid uses cert-manager to manage certificates for hybrid workloads. cert-manager is a certificate controller for Kubernetes and OpenShift workloads.

1. To install cert-manager in the cluster, in Cloud Shell, run:

   kubectl apply --validate=false -f https://github.com/cert-manager/cert-manager/releases/download/v1.15.1/cert-manager.yaml

2. Verify that cert-manager was installed successfully:

   kubectl get all -n cert-manager -o wide

   The output of the command should list objects for cert-manager, cert-manager-cainjector, and cert-manager-webhook.

3. In the Google Cloud Console, navigate to Kubernetes Engine > Workloads.

   

   Note: Confirm that the cert-manager workloads are ready before proceeding to the next step.

Click Check my progress to verify the objective. Create the cluster-admin role and install cert-manager.

Task 7. Create installation dependencies

In this task, you download and create the dependencies that are required to install Apigee hybrid. Apigee hybrid uses Helm charts for installation and management. These charts are hosted in the Google Artifact Registry: oci://us-docker.pkg.dev/apigee-release/apigee-hybrid-helm-charts.

Helm is an open-source tool that helps manage and deploy applications in a Kubernetes cluster. It uses a packaging format called a Helm chart to describe and package resources for a Kubernetes cluster.

Download Apigee hybrid helm charts

1. Create a base installation directory for your hybrid installation and a subdirectory to store the helm charts:

   mkdir -p ~/apigee/helm

2. Set an environment variable, and change to the helm charts directory:

   export APIGEE_HELM_CHARTS=~/apigee/helm cd $APIGEE_HELM_CHARTS

3. Set environment variables for the helm charts repo and version:

   export CHART_REPO=oci://us-docker.pkg.dev/apigee-release/apigee-hybrid-helm-charts export CHART_VERSION=1.14.0

4. Use the helm pull command to fetch all of the Apigee hybrid Helm charts:

   helm pull $CHART_REPO/apigee-operator --version $CHART_VERSION --untar helm pull $CHART_REPO/apigee-datastore --version $CHART_VERSION --untar helm pull $CHART_REPO/apigee-env --version $CHART_VERSION --untar helm pull $CHART_REPO/apigee-ingress-manager --version $CHART_VERSION --untar helm pull $CHART_REPO/apigee-org --version $CHART_VERSION --untar helm pull $CHART_REPO/apigee-redis --version $CHART_VERSION --untar helm pull $CHART_REPO/apigee-telemetry --version $CHART_VERSION --untar helm pull $CHART_REPO/apigee-virtualhost --version $CHART_VERSION --untar

   For each of the Apigee hybrid runtime components, a helm chart subdirectory is created that contains the yaml files, templates, and chart dependencies.

Create service accounts

Apigee hybrid uses Google Cloud service accounts to authorize hybrid components when they communicate with each other and with services in the management plane. In this task, you create all the service accounts that are needed by Apigee hybrid.

You use the create-service-account tool from the Apigee hybrid distribution to create and store all required service accounts and their keys. Each service account certificate file is created in the helm chart directory for the corresponding hybrid component.

1. Make the create-service-account tool executable:

   chmod a+x $APIGEE_HELM_CHARTS/apigee-operator/etc/tools/create-service-account

2. To create each service account, run the tool and provide the Apigee hybrid runtime component profile, and directory location to store the certificate file of each service account:

   $APIGEE_HELM_CHARTS/apigee-operator/etc/tools/create-service-account --profile apigee-cassandra --env prod --dir $APIGEE_HELM_CHARTS/apigee-datastore $APIGEE_HELM_CHARTS/apigee-operator/etc/tools/create-service-account --profile apigee-logger --env prod --dir $APIGEE_HELM_CHARTS/apigee-telemetry $APIGEE_HELM_CHARTS/apigee-operator/etc/tools/create-service-account --profile apigee-mart --env prod --dir $APIGEE_HELM_CHARTS/apigee-org $APIGEE_HELM_CHARTS/apigee-operator/etc/tools/create-service-account --profile apigee-metrics --env prod --dir $APIGEE_HELM_CHARTS/apigee-telemetry

3. If prompted, type y and press ENTER to proceed.

   Note: If a message is displayed indicating that the service account already exists, type y to generate new keys.

4. Create service accounts from the remaining Apigee hybrid components:

   $APIGEE_HELM_CHARTS/apigee-operator/etc/tools/create-service-account --profile apigee-runtime --env prod --dir $APIGEE_HELM_CHARTS/apigee-env $APIGEE_HELM_CHARTS/apigee-operator/etc/tools/create-service-account --profile apigee-synchronizer --env prod --dir $APIGEE_HELM_CHARTS/apigee-env $APIGEE_HELM_CHARTS/apigee-operator/etc/tools/create-service-account --profile apigee-udca --env prod --dir $APIGEE_HELM_CHARTS/apigee-org $APIGEE_HELM_CHARTS/apigee-operator/etc/tools/create-service-account --profile apigee-watcher --env prod --dir $APIGEE_HELM_CHARTS/apigee-org Note: Due to lab quota restrictions, the number of service accounts that can be created within a specific time interval is limited. If you see quota errors, re-run the command for any of the service accounts that failed to get created.

5. Because the apigee-udca service account is needed for both organization-scope and environment-scope operations, copy the component's service account certificate file to the apigee-env chart directory:

   cp $APIGEE_HELM_CHARTS/apigee-org/${PROJECT_ID}-apigee-udca.json $APIGEE_HELM_CHARTS/apigee-env

6. Verify that the service account files were created in the correct directories by checking the contents of each chart's directory.

   ls $APIGEE_HELM_CHARTS/apigee-datastore $APIGEE_HELM_CHARTS/apigee-telemetry $APIGEE_HELM_CHARTS/apigee-org $APIGEE_HELM_CHARTS/apigee-env

   Your output should look similar to:

   

Create TLS certificate

Apigee hybrid requires TLS certificates for secure communication between client applications and the runtime ingress gateway. In this subtask, you create a self-signed certificate and add the related files to the $APIGEE_HELM_CHARTS/certs directory.

Note: In a production environment, you will need to use signed certificates issued by a certificate authority (CA).

1. Create a directory to store your TLS credential files:

   mkdir $APIGEE_HELM_CHARTS/apigee-virtualhost/certs

   Because Helm charts cannot read files outside the chart directory, and the TLS credentials are managed with the apigee-virtualhost chart, create your directory that contains the credential files within the $APIGEE_HELM_CHARTS_HOME/apigee-virtualhost/ directory.

2. Execute the command to create the TLS credentials (certificate and key files), and store them in your $APIGEE_HELM_CHARTS/apigee-virtualhost/certs directory:

   openssl req -nodes -new -x509 -keyout $APIGEE_HELM_CHARTS/apigee-virtualhost/certs/key-$ENV_GROUP.pem -out \ $APIGEE_HELM_CHARTS/apigee-virtualhost/certs/cert-$ENV_GROUP.pem -subj "/CN=${ORG}-${ENV}.hybrid-apigee.net"

3. Inspect the details of the certificate:

   sudo openssl x509 -in $APIGEE_HELM_CHARTS/apigee-virtualhost/certs/cert-$ENV_GROUP.pem -text -noout | grep "CN"

   The certificate subject name:

   Issuer: CN = {{{project_0.project_id|Project_ID}}}-test.hybrid-apigee.net Subject: CN = {{{project_0.project_id|Project_ID}}}-test.hybrid-apigee.net

   A self-signed certificate is created that you can use for this lab installation.

4. Verify that the certificate is valid:

   sudo openssl x509 -in $APIGEE_HELM_CHARTS/apigee-virtualhost/certs/cert-$ENV_GROUP.pem -text -noout | grep "Not"

Click Check my progress to verify the objective. Create service accounts.

Task 8. Create Apigee hybrid configuration

Most of the configuration settings needed to install Apigee hybrid for this lab can use default values. However, some settings do not have any defaults and must be set in an overrides file. In this task, you create the apigee namespace in your cluster, and an overrides file that provide values for these configuration settings.

Create the apigee namespace

1. To create the apigee namespace, run the command:

   kubectl create namespace apigee

2. Verify that the namespace was created:

   kubectl get namespace apigee

Create the overrides.yaml configuration file

For more details on the overrides file, see Configure the hybrid runtime.

1. Create a new file named overrides-test.yaml in your $APIGEE_HELM_CHARTS directory.

   The overrides.yaml provides the configuration for your unique Apigee hybrid installation. The overrides file in this step provides a basic configuration for a small-footprint hybrid runtime installation, and includes the configuration for the test and stage Apigee hybrid runtime environments that you created earlier in this lab.

   cat <<EOF > $APIGEE_HELM_CHARTS/overrides.yaml instanceID: "${PROJECT_ID}-hybrid-runtime" namespace: apigee gcp: region: $GCP_REGION projectID: $PROJECT_ID k8sCluster: name: apigee-hybrid region: $GCP_REGION org: $ORG envs: - name: test serviceAccountPaths: synchronizer: ${PROJECT_ID}-apigee-synchronizer.json udca: ${PROJECT_ID}-apigee-udca.json runtime: ${PROJECT_ID}-apigee-runtime.json - name: stage serviceAccountPaths: synchronizer: ${PROJECT_ID}-apigee-synchronizer.json udca: ${PROJECT_ID}-apigee-udca.json runtime: ${PROJECT_ID}-apigee-runtime.json cassandra: hostNetwork: false replicaCount: 3 ingressGateways: - name: my-ingress-1 replicaCountMin: 2 replicaCountMax: 10 virtualhosts: - name: ${ENV_GROUP} selector: app: apigee-ingressgateway ingress_name: my-ingress-1 sslCertPath: certs/cert-${ENV_GROUP}.pem sslKeyPath: certs/key-${ENV_GROUP}.pem mart: serviceAccountPath: ${PROJECT_ID}-apigee-mart.json connectAgent: serviceAccountPath: ${PROJECT_ID}-apigee-mart.json metrics: serviceAccountPath: ${PROJECT_ID}-apigee-metrics.json udca: serviceAccountPath: ${PROJECT_ID}-apigee-udca.json watcher: serviceAccountPath: ${PROJECT_ID}-apigee-watcher.json logger: enabled: true serviceAccountPath: ${PROJECT_ID}-apigee-logger.json EOF

2. Verify the file's content to confirm that the environment variable values were correctly substituted:

   cat $APIGEE_HELM_CHARTS/overrides.yaml

Task 9. Control (management) plane configuration

To establish communication between the hybrid runtime and control planes, additional configuration is needed. In this task, you authorize the synchronizer, and Analytics publisher components to access the control plane.

Enable Synchronizer access

Synchronizer access is enabled by making a call to an Apigee hybrid management API.

1. To grant synchronizer access, first fetch the email address of the synchronizer service account:

   export SYNCHRONIZER_SA_EMAIL=$(gcloud iam service-accounts list --project ${PROJECT_ID} --filter "apigee-synchronizer" --format="get(email)"); echo "SYNCHRONIZER_SA_EMAIL=$SYNCHRONIZER_SA_EMAIL"

2. To enable the required permissions for the synchronizer runtime component, call the controlPlaneAccess management API:

   curl -s -X PATCH -H "Authorization: Bearer $(gcloud auth print-access-token)" -H "Content-Type:application/json" \ "https://apigee.googleapis.com/v1/organizations/${ORG}/controlPlaneAccess?update_mask=synchronizer_identities" \ -d "{\"synchronizer_identities\":[\"serviceAccount:${SYNCHRONIZER_SA_EMAIL}\"]}" | tee cpa_sync.json

   In order to call an Apigee hybrid management API, you must provide an OAuth access token for authorization purposes. The command generates an OAuth access token using the signed-in user admin account.

   The JSON response from the API call contains the name/ID of a long running operation (LRO), and its state which should be IN_PROGRESS.

3. Extract the LRO ID from the JSON response:

   export LRO=$(cat cpa_sync.json | jq '.name' | cut -d '/' -f 4 | sed 's/"//g'); echo $LRO

4. Verify that the update operation has completed:

   curl -X GET -H "Authorization: Bearer $(gcloud auth print-access-token)" -H "Content-Type:application/json" \ "https://apigee.googleapis.com/v1/organizations/${ORG}/operations/${LRO}"

   The response JSON should contain a state attribute with a value of "FINISHED", indicating that the operation is completed. If not, wait for a few seconds and repeat the curl command above.

Enable analytics publisher access

Several Apigee hybrid runtime components publish analytics and debug information to provide information for reporting and debugging. To enable publishing this data, you need to grant additional permissions to the runtime service account to publish data directly to the control plane.

1. To enable analytics publisher access, first fetch the email address of the runtime component service account:

   export RUNTIME_SA_EMAIL=$(gcloud iam service-accounts list --project ${PROJECT_ID} --filter "apigee-runtime" --format="get(email)"); echo "RUNTIME_SA_EMAIL=$RUNTIME_SA_EMAIL"

2. Set permissions for the runtime service account to publish data to the control plane:

   curl -X PATCH -H "Authorization: Bearer $(gcloud auth print-access-token)" -H "Content-Type:application/json" \ "https://apigee.googleapis.com/v1/organizations/$ORG/controlPlaneAccess?update_mask=analytics_publisher_identities" \ -d "{\"analytics_publisher_identities\": [\"serviceAccount:${RUNTIME_SA_EMAIL}\"]}" | tee cpa_runtime.json

   The response from the curl command contains a long running operation (LRO) ID, and indicates that the operation is IN_PROGRESS.

3. Extract the LRO ID from the JSON response:

   export LRO=$(cat cpa_runtime.json | jq '.name' | cut -d '/' -f 4 | sed 's/"//g'); echo $LRO

4. Verify that the update operation has completed:

   curl -X GET -H "Authorization: Bearer $(gcloud auth print-access-token)" -H "Content-Type:application/json" \ "https://apigee.googleapis.com/v1/organizations/${ORG}/operations/${LRO}"

   The response JSON should contain a state attribute with a value of "FINISHED", indicating that the operation is completed. If not, wait for a few seconds and repeat the curl command above.

Verify control plane access

1. To verify access to the control plane, call the API to get a list of service accounts:

   curl -X GET -H "Authorization: Bearer $(gcloud auth print-access-token)" -H "Content-Type:application/json" \ "https://apigee.googleapis.com/v1/organizations/${ORG}/controlPlaneAccess"

2. Verify that the output of the curl command is similar to:

   { "synchronizerIdentities": [ "serviceAccount:apigee-synchronizer@{{{project_0.project_id|Project_ID}}}.iam.gserviceaccount.com" ], "analyticsPublisherIdentities": [ "serviceAccount:apigee-runtime@{{{project_0.project_id|Project_ID}}}.iam.gserviceaccount.com" ] }

Task 10. Install Apigee hybrid runtime components

With the preparation and configuration in place, in this task you install the hybrid runtime components into the cluster.

For more details on the installation steps, see the details here: Install hybrid runtime

Install the Apigee hybrid CRDs

Apigee hybrid uses custom resource definitions (CRDs) to create and manage custom Kubernetes resources in your cluster. These definitions enable the configuration and management of the Cassandra StatefulSet, hybrid runtime components, Apigee organization, environments, and other objects.

Refer to the Apigee Resources documentation for more details.

1. Make sure you are in the $APIGEE_HELM_CHARTS directory:

   cd $APIGEE_HELM_CHARTS

2. To install the Apigee CRDs, run the following command:

   kubectl apply -k apigee-operator/etc/crds/default/ \ --server-side \ --force-conflicts \ --validate=false Ignore any warnings about deprecated terms.

3. To validate the installation, run:

   kubectl get crds | grep apigee

   The command output should look similar to:

   

Install the Apigee hybrid runtime components

In this subtask, you use Helm to install the following Apigee hybrid runtime components:

• Apigee operator
• Apigee datastore
• Apigee telemetry
• Apigee Redis
• Apigee ingress manager
• Apigee organization
• Your Apigee environment(s)

The sequence in which you install the components matters.

1. Perform a "dry run" (test run) to install the Apigee Operator/Controller component:

   helm upgrade operator apigee-operator/ --install --namespace apigee --atomic -f overrides.yaml --dry-run=server Before executing any of the Helm upgrade/install commands, it is a good practice to use the Helm dry-run feature by adding --dry-run=server at the end of the command. The helm chart commands below that install the other hybrid runtime components do not use the dry-run option. You can use it if you like, and then rerun the command without the option to install the chart.

   If there are any errors in the output of the command, check the overrides.yaml file for any configuration issues, and retry the command. You can ignore any warnings that may be reported.

2. If there are no errors in the dry run command output, proceed with the installation:

   helm upgrade operator apigee-operator/ --install --namespace apigee --atomic -f overrides.yaml The helm upgrade command upgrades a release of a chart in your Kubernetes cluster. The release name operator is used to keep track of installation and upgrades of the apigee-operator chart. The install flag instructs helm to run an install if the release does not already exist. If any of the helm upgrade commands fail, you can use the guardrails output to help diagnose the cause. See Diagnosing issues with guardrails for more details.

3. Verify the installation of the Apigee Operator/Controller in the cluster:

   helm ls -n apigee

   You should see output similar to:

   

4. Verify that the deployment is up and running:

   kubectl -n apigee get deploy apigee-controller-manager

5. Install the Apigee hybrid datastore component:

   helm upgrade datastore apigee-datastore/ --install --namespace apigee --atomic -f overrides.yaml

6. Before proceeding to the next step, verify that apigeedatastore is up and running by checking its state:

   kubectl -n apigee get apigeedatastore default If the state of the apigeedatastore is not running, wait a few minutes, and then retry the command above.

7. Install Apigee telemetry:

   helm upgrade telemetry apigee-telemetry/ --install --namespace apigee --atomic -f overrides.yaml

8. Before proceeding to the next step, verify that the apigee-telemetry component is up and running:

   kubectl -n apigee get apigeetelemetry apigee-telemetry

9. Install Apigee Redis:

   helm upgrade redis apigee-redis/ --install --namespace apigee --atomic -f overrides.yaml

10. Before proceeding to the next step, verify that the apigee-redis component is up and running:

    kubectl -n apigee get apigeeredis default

11. Install Apigee Ingress manager:

    helm upgrade ingress-manager apigee-ingress-manager/ --install --namespace apigee --atomic -f overrides.yaml

12. Verify that the apigee-ingressgateway-manager component is up and running:

    kubectl -n apigee get deployment apigee-ingressgateway-manager

13. Install the Apigee organization:

    helm upgrade $ORG apigee-org/ --install --namespace apigee --atomic -f overrides.yaml

14. Verify the Apigee Organization is up and running by checking the state of the respective org:

    kubectl -n apigee get apigeeorg

15. Install the test Apigee hybrid environment:

    helm upgrade test-env apigee-env/ --install --namespace apigee --atomic --set env=test -f overrides.yaml

16. Install the stage Apigee hybrid environment:

    helm upgrade stage-env apigee-env/ --install --namespace apigee --atomic --set env=stage -f overrides.yaml Note: You must install one environment at a time.

17. Verify that both the environments are up and running:

    kubectl -n apigee get apigeeenv

    Rerun the command until both environments are in the running state before proceeding to the next step.

18. Install the environment group (virtualhost):

    helm upgrade $ENV_GROUP apigee-virtualhost/ --install --namespace apigee --atomic --set envgroup=$ENV_GROUP -f overrides.yaml Note: You must install one environment group at a time. Installing the virtualhost creates an ApigeeRouteConfig (ARC) which internally creates an ApigeeRoute (AR) once the Apigee watcher pulls env group related details from the control plane.

19. Verify that the ApigeeRoute is running:

    kubectl -n apigee get ar

20. Finally, in the Google Cloud Console, on the Navigation menu, click Kubernetes Engine, and under Resource Management, click Workloads.

    All the workloads should display OK or Succeeded in the Status column. This indicates that you've successfully installed and configured the Apigee hybrid runtime plane.

Click Check my progress to verify the objective. Install Apigee hybrid runtime components.

Task 11. Test the hybrid installation

In this task, you test the hybrid installation by creating and deploying a simple API proxy to the test environment. After the proxy is deployed, you make a request to the API and verify the response.

Build a test proxy

1. In the Google Cloud console left navigation pane, click Apigee, and then click API proxies.

   a. If Apigee is not available in the navigation pane, click View all products. b. Scroll through the list of products, and in the Integration Services section click the pin next to Apigee. c. Click Apigee.

2. In the Apigee navigation menu, under Proxy development, click API proxies.

3. On the API Proxies page, click Create.

4. On the Create a proxy page, configure the proxy details with the following settings:

   Property	Value (type or select)
   Proxy template	Reverse proxy (Most common)
   Proxy name	TestInstall
   Base path	/v1/testinstall
   Target (Existing API)	https://httpbin.org/status

5. For Deploy environments, select test, and click Ok.

6. Click Create.

   Wait for the proxy to be deployed to the test environment. Once deployed, you should see a green check mark in the Status column under Deployments.

Call the test proxy

1. In the Cloud Shell window, set an environment variable to contain the value of the external IP address of the apigee-ingressgateway hybrid runtime component:

   export LB_EXTERNAL_IP=`kubectl get svc -n apigee -l app=apigee-ingressgateway -o=jsonpath='{.items[0].status.loadBalancer.ingress[0].ip}{"\n"}'`; echo "LB_EXTERNAL_IP=$LB_EXTERNAL_IP"

2. To invoke the TestInstall API proxy, run the following command:

   curl https://${INGRESS_DN}/v1/testinstall/418 --resolve "${INGRESS_DN}:443:${LB_EXTERNAL_IP}" -k

3. Verify that the response from the API is:

   

This validates the hybrid runtime installation and the ingress configuration by successfully processing the input API request and generating the correct response.

Task 12. Test the stage environment

In this task, you test the stage environment by deploying an API proxy to it and verifying its functionality.

Deploy a sample proxy to the stage environment

1. In the Google Cloud console, navigate back to the API Proxies page.

2. To create another API proxy, click Create.

3. On the Create a proxy page, configure the proxy details with the following settings:

   Property	Value (type or select)
   Proxy template	Reverse proxy (Most common)
   Proxy name	HelloAPI
   Base path	/v1/hello
   Target (Existing API)	https://mocktarget.apigee.net

4. Click Next.

5. For Deploy environments, select stage, and click Ok.

6. Click Create.

   Wait for the proxy to be deployed to the stage environment. Once deployed, you should see a green check mark in the Status column under Deployments.

Test the proxy in the stage environment

1. To invoke the HelloAPI proxy, in Cloud Shell, run the following command:

   curl https://${INGRESS_DN}/v1/hello --resolve "${INGRESS_DN}:443:${LB_EXTERNAL_IP}" -k

2. Verify that the response from the API is:

   Hello, Guest!

3. Repeat the curl call to the HelloAPI proxy, passing in the user query parameter:

   curl https://${INGRESS_DN}/v1/hello?user=learner --resolve "${INGRESS_DN}:443:${LB_EXTERNAL_IP}" -k

4. Verify that the response from the API is:

   Hello, learner!

   You have successfully created the new environment and verified that API requests are correctly routed to an API proxy deployed to that environment.

Congratulations!

You have successfully installed and tested Apigee's runtime on GKE and linked it to your Apigee hybrid organization.

In this lab you:

• Created an Apigee hybrid organization.
• Configured the management and runtime planes.
• Installed Apigee hybrid runtime components.
• Validated the installation by deploying and testing API proxies in the Apigee hybrid environments.

End your lab

When you have completed your lab, click End Lab. Google Cloud Skills Boost removes the resources you’ve used and cleans the account for you.

You will be given an opportunity to rate the lab experience. Select the applicable number of stars, type a comment, and then click Submit.

The number of stars indicates the following:

• 1 star = Very dissatisfied
• 2 stars = Dissatisfied
• 3 stars = Neutral
• 4 stars = Satisfied
• 5 stars = Very satisfied

You can close the dialog box if you don't want to provide feedback.

For feedback, suggestions, or corrections, please use the Support tab.

Copyright 2025 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.