This repo contains Kubernetes manifests for the Apigee hybrid runtime and is connected to Anthos Config Management for configuration management.
- Organization: srinandans-hybrid
- Environments: prod1 and prod2
Apigee hybrid manifests were generated using the script here
Hashicorp Vault was set up on a separate GKE cluster using the instructions here
This setup uses ExternalSecrets, a Kubernetes controller which provisions Kubernetes secrets from external credential management systems like Vault. See here for details about the setup.
cert-manager was installed using the manifests here
There are two ingresses in the setup:
- An externally available (GCP External Load Balancer) hostname. This setup uses cert-manager and Let's Encrypt to automatically obtain and renew certificates for the ASM Ingress
- An internally available (GCP Internal Load Balancer) hostname. This setup uses Vault's Credential Management and External Secrets to provision the key, cert and CA.
This setup uses cert-manager to dynamically request and provision certificates. cert-manager is integrated with Vault: Vault acts as the PKI that signs the certificates requested by cert-manager. Vault's PKI Engine was used to create a self-signed Issuer (self-signed root) to sign the certificates.
These certificates are used for TLS communication within Apigee hybrid (e.g. Runtime to UDCA, Synchronizer to Runtime). Details about the setup can be found here
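The cert-manager and Vault integration described above, as an added example rather than one of this repo's manifests: an Issuer that authenticates to Vault with the Kubernetes auth method and signs through Vault's PKI engine, plus a Certificate for an internal hybrid component. The namespace, Vault address, PKI sign path, role, secret and service names are assumptions; the private key is generated in-cluster and never leaves it, and the Vault role (not shown) is what limits which names this path may sign.

```yaml
# Added example; names and paths are assumptions, not values from this repo.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: vault-issuer
  namespace: apigee
spec:
  vault:
    server: https://vault.vault.svc:8200          # assumed Vault address
    path: pki_int/sign/apigee-hybrid               # assumed PKI sign path (the Vault role constrains allowed names)
    caBundle: "<BASE64_VAULT_CA_PEM>"              # placeholder: base64 PEM of the Vault server CA, so the Issuer verifies Vault's TLS
    auth:
      kubernetes:
        role: apigee-hybrid                        # assumed Vault role bound to the cert-manager service account
        mountPath: /v1/auth/kubernetes
        secretRef:
          name: cert-manager-vault-token           # assumed: service account token secret for cert-manager
          key: token
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: apigee-runtime-tls
  namespace: apigee
spec:
  secretName: apigee-runtime-tls                   # Kubernetes TLS secret cert-manager writes and keeps renewed
  duration: 2160h                                  # 90 days; short lifetime limits exposure of any leaked key
  renewBefore: 360h                                # renew 15 days before expiry
  commonName: apigee-runtime.apigee.svc.cluster.local
  dnsNames:
    - apigee-runtime.apigee.svc.cluster.local      # assumed in-cluster service name
  usages:
    - server auth
    - client auth                                  # both, so the same cert can serve mutual TLS between components
  privateKey:
    algorithm: RSA
    size: 2048
  issuerRef:
    name: vault-issuer
    kind: Issuer
```

After applying, `kubectl -n apigee describe certificate apigee-runtime-tls` should report Ready=True, and a Vault audit log entry for the sign path is the check that the signing happened where intended.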
Apigee hybrid allows customers to set up encryption keys for sensitive data like KVMs, Cache etc. This setup uses Vault's KV version 2 secrets engine to store such credentials. Details about the setup can be found here
The installation was executed in the order listed here
- GKE 1.18.12
- Anthos Service Mesh 1.8.3-2
- Anthos Configuration Management
- Apigee hybrid 1.5-rc1
- cert-manager 1.0.4
- Vault 1.6.1
- External Secret 6.0.0
This is not an officially supported Google product.