Create an APIMExtensionPolicy

This page applies to Apigee and Apigee hybrid.


This page describes how to apply Apigee policies to traffic passing through a Kubernetes Gateway by creating an APIMExtensionPolicy custom resource. The Apigee Operator for Kubernetes watches for APIMExtensionPolicy resources and configures the gateway accordingly.

Apigee

Follow these steps if you are using Apigee.

Before you begin

Before you begin this task, complete the following steps:

Create the APIMExtensionPolicy

In this step, create the APIMExtensionPolicy and apply it to the GKE Gateway running in your cluster. This policy governs all traffic going through the Gateway and its associated HTTPRoutes, operating similarly to a flowhook at the environment level in Apigee today.

Note: When the APIMExtensionPolicy is applied to a gateway, the Apigee Operator for Kubernetes creates the required traffic extension. This traffic extension is not compatible with any other traffic extensions that may be present on the gateway. If you have multiple traffic extensions, or prefer to manage the ordering of the traffic extensions yourself, use the ApigeeBackendService instead. Using the ApigeeBackendService allows you to integrate Apigee into a GCPTrafficExtension resource alongside other extensions. See Create an ApigeeBackendService for more information.

To create the APIMExtensionPolicy:

  1. Create a file named global-ext-lb1-apim-policy.yaml with the following content:
    # global-ext-lb1-apim-policy.yaml
    apiVersion: apim.googleapis.com/v1
    kind: APIMExtensionPolicy
    metadata:
      name: global-ext-lb1-apim-policy
      namespace: apim
    spec:
      apigeeEnv: ENV_NAME # optional
      location: global
      failOpen: false
      timeout: 1000ms
      defaultSecurityEnabled: true
      targetRef: # identifies the Gateway where the extension should be applied
        name: global-ext-lb1
        kind: Gateway
        namespace: default
  2. Replace ENV_NAME with the name of the Apigee environment created in the installation step Create an Apigee environment.

    Note: If you install the Apigee Operator for Kubernetes using the generateEnv=TRUE flag, the apigeeEnv field is not required.

    You can view all available environments in the Environments page in the Google Cloud console.

  3. Apply the policy:
    kubectl -n apim apply -f global-ext-lb1-apim-policy.yaml

    Once the policy is applied, the Apigee Operator for Kubernetes creates networking resources in the background.

  4. Check the status of the APIMExtensionPolicy using the following command:
    kubectl -n apim get APIMExtensionPolicy

    The output should look similar to the following, with a STATE of RUNNING:

    NAME                         STATE      ERRORMESSAGE
    global-ext-lb1-apim-policy   RUNNING
    Note: It may take up to five minutes for the policy to propagate to all load balancer instances.

Test the policy

Use the following steps to send a request to the Gateway:

  1. Get the Gateway IP address:
    export GATEWAY_IP=$(kubectl get gateways.gateway.networking.k8s.io GATEWAY_NAME -n default -o=jsonpath='{.status.addresses[0].value}')
    echo $GATEWAY_IP

    Replace GATEWAY_NAME with the name of the Gateway, for example global-ext-lb1.

  2. Send a request to an endpoint configured in your HTTPRoute:
    curl http://$GATEWAY_IP/get -H "Host: HOST_NAME"

    Replace HOST_NAME with the hostname defined in the Gateway's HTTPRoute, for example example.httpbin.com.

  3. The request should fail because defaultSecurityEnabled: true was set in the APIMExtensionPolicy resource, which enables API key and access token verification. You should see a response similar to the following:
    {"fault":{"faultstring":"Raising fault. Fault name : RF-insufficient-request-raise-fault","detail":{"errorcode":"steps.raisefault.RaiseFault"}}}

    This indicates that the Apigee extension policy is active and that API key enforcement and access token verification are being applied.

What's next

Apigee hybrid

Follow these steps if you are using Apigee hybrid.

Preview — Apigee Operator for Kubernetes for Apigee hybrid

This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions.

Before you begin

This procedure assumes you have installed the Apigee Operator for Kubernetes by following the steps in Install the Apigee Operator for Kubernetes for Apigee hybrid.

Create a TLS certificate secret

The APIMExtensionPolicy requires the base64-encoded public certificate associated with the environment group hostname. You created this certificate in Install the Apigee Hybrid Environment using helm. Provide this certificate to the operator by creating a Kubernetes secret in the apim namespace.

  1. Get the base64 encoded certificate string from the file you created during installation:
    cat $APIGEE_HELM_CHARTS_HOME/apigee-virtualhost/certs/keystore_ENV_GROUP.pem.base64
  2. Create a file named secret-cert.yaml with the following content:
    # secret-cert.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: apigee-conf
      namespace: apim
    data:
      ca.crt: BASE64_ENCODED_CERT_STRING
  3. Replace BASE64_ENCODED_CERT_STRING with the output from the cat command in step 1.
  4. Apply the secret to your cluster:
    kubectl apply -f secret-cert.yaml

Define and apply the APIMExtensionPolicy

Define an APIMExtensionPolicy resource and apply it to the Istio Gateway running in your cluster. This policy extension intercepts traffic managed by the Gateway and its associated HTTPRoutes and applies Apigee policies before forwarding requests to the backend target.

  1. Create a file named istio-gateway-apim-policy.yaml with the following content:
    # istio-gateway-apim-policy.yaml
    apiVersion: apim.googleapis.com/v1
    kind: APIMExtensionPolicy
    metadata:
      name: istio-gateway-apim-policy
      namespace: apim
    spec:
      apigeeEnv: ENV_NAME
      ingressCertSecret: apigee-conf
      apigeeAuthority: HOST_NAME
      apigeeIngressIP: INGRESS_IP_ADDRESS
      location: global
      failOpen: false
      timeout: 1000ms
      defaultSecurityEnabled: true
      targetRef: # identifies the Gateway where the extension should be applied
        group: gateway.networking.k8s.io
        kind: Gateway
        name: istio-gateway
        namespace: default
  2. Replace the following variables:
    • ENV_NAME: The name of the Apigee hybrid environment you created with service extensions enabled, for example my-hybrid-env.
    • HOST_NAME: The domain name used for the Environment group, for example my-proxies.example.com.
    • INGRESS_IP_ADDRESS: The ingress IP address for Apigee Hybrid runtime ingress. See Expose Apigee ingress for details on retrieving this IP.
  3. Apply the policy to your cluster:
    kubectl -n apim apply -f istio-gateway-apim-policy.yaml
  4. Once the resource is applied, the Apigee Operator for Kubernetes begins configuring the gateway networking resources. Check the status of the APIMExtensionPolicy:
    kubectl -n apim get APIMExtensionPolicy
  5. Wait until the STATE shows RUNNING. The output should look similar to the following:
    NAME                         STATE      ERRORMESSAGE
    istio-gateway-apim-policy    RUNNING

Test the policy

In the APIMExtensionPolicy created in the previous step, defaultSecurityEnabled was set to true. This automatically enables API Key and OAuth2 token verification policies for traffic matching this gateway. Test this by sending an unauthenticated request to the sample httpbin service you configured when verifying the Istio Gateway setup in Verify the Istio Gateway setup.

  1. Get the Gateway IP address:
    export GATEWAY_IP=$(kubectl get gateways.gateway.networking.k8s.io istio-gateway -n default -o=jsonpath='{.status.addresses[0].value}')
    echo $GATEWAY_IP
  2. Send a request to the/get endpoint configured in your HTTPRoute:
    curl http://$GATEWAY_IP/get -H "Host: example.httpbin.com" -v
  3. Because defaultSecurityEnabled: true requires authentication (such as a valid API key), Apigee should reject the request with an authentication error. The response should be similar to the following:
    {"fault":{"faultstring":"Raising fault. Fault name : RF-insufficient-request-raise-fault","detail":{"errorcode":"steps.raisefault.RaiseFault"}}}

    This output confirms that the APIMExtensionPolicy is active and Apigee policies are being enforced by the Istio Gateway.
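The following script, an added example that is not part of the Apigee documentation, ties together the steps from both "Test the policy" sections on this page: it waits for the policy's STATE to become RUNNING and then confirms that an unauthenticated request to the Gateway gets the RaiseFault response shown above rather than reaching the backend. It assumes kubectl and curl are on your PATH; the policy, Gateway and host names default to the ones used on this page and are assumptions for your cluster.

```shell
# Added example (not from the Apigee docs): confirm an APIMExtensionPolicy is
# RUNNING and that the gateway now rejects unauthenticated requests. Assumes
# kubectl and curl on PATH; policy, gateway and host names are assumptions.
set -eu
# Extract the STATE column for one policy from the table printed by
# 'kubectl -n apim get APIMExtensionPolicy'. $1 = table text, $2 = policy name.
policy_state() {
  printf '%s\n' "$1" | awk -v n="$2" '$1 == n { print $2 }'
}
# Return 0 when the body is the RaiseFault JSON Apigee returns when API key or
# access token verification blocks a request (the expected output above).
is_apigee_auth_fault() {
  case "$1" in
    *'"errorcode":"steps.raisefault.RaiseFault"'*) return 0 ;;
    *) return 1 ;;
  esac
}
# Poll until the policy reports RUNNING; propagation can take up to five
# minutes. $1 = policy name, $2 = maximum number of 10-second attempts.
wait_for_policy() {
  i=0
  while [ "$i" -lt "$2" ]; do
    state=$(policy_state "$(kubectl -n apim get APIMExtensionPolicy 2>/dev/null || true)" "$1")
    [ "$state" = "RUNNING" ] && return 0
    i=$((i + 1))
    sleep 10
  done
  return 1
}
# Usage: RUN_APIM_CHECK=1 sh check-policy.sh [policy] [gateway] [host]
main() {
  policy=${1:-global-ext-lb1-apim-policy}
  gateway=${2:-global-ext-lb1}
  host=${3:-example.httpbin.com}
  wait_for_policy "$policy" 30 || { echo "FAIL: $policy never reached RUNNING"; return 1; }
  ip=$(kubectl get gateways.gateway.networking.k8s.io "$gateway" -n default \
         -o=jsonpath='{.status.addresses[0].value}')
  body=$(curl -s "http://$ip/get" -H "Host: $host")
  if is_apigee_auth_fault "$body"; then
    echo "OK: unauthenticated request was rejected by the Apigee extension"
  else
    echo "FAIL: expected a RaiseFault response, got: $body"
    return 1
  fi
}
if [ "${RUN_APIM_CHECK:-0}" = "1" ]; then main "$@"; fi
```

For the hybrid setup, pass istio-gateway-apim-policy and istio-gateway as the first two arguments; a request that returns the httpbin JSON instead of the fault means the extension is not yet enforcing and the policy state should be rechecked.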

What's next

Learn how to create API products, developers, and apps to obtain API keys for authenticated requests:


Last updated 2025-12-15 UTC.