Step 2: Install and set up for GKE
This step explains how to download and install apigeectl, set up the installation directories, and create the Google Cloud service accounts and TLS credentials that are required for Apigee hybrid to operate.
Download and install apigeectl
apigeectl is the command-line interface (CLI) for installing and managing Apigee hybrid in a Kubernetes cluster.
The following steps describe how to get apigeectl:
- Download the release package for your operating system using one of the following commands:
Mac 64 bit:
curl -LO https://storage.googleapis.com/apigee-release/hybrid/apigee-hybrid-setup/1.1.1/apigeectl_mac_64.tar.gz
Linux 64 bit:
curl -LO https://storage.googleapis.com/apigee-release/hybrid/apigee-hybrid-setup/1.1.1/apigeectl_linux_64.tar.gz
Mac 32 bit:
curl -LO https://storage.googleapis.com/apigee-release/hybrid/apigee-hybrid-setup/1.1.1/apigeectl_mac_32.tar.gz
Linux 32 bit:
curl -LO https://storage.googleapis.com/apigee-release/hybrid/apigee-hybrid-setup/1.1.1/apigeectl_linux_32.tar.gz
- Create a directory on your system to serve as the base directory for the Apigee hybrid installation.
- Extract the downloaded gzip file contents into the base directory you just created. For example:
tar xvzf filename.tar.gz -C path-to-base-directory
- Change directory to the base directory.
- The tar contents are, by default, expanded into a directory with the version and platform in its name. For example: ./apigeectl_1.0.0-f7b96a8_linux_64. Rename that directory to apigeectl using the following command:
mv apigeectl_1.0.0-f7b96a8_linux_64 apigeectl
- Change directory into the renamed directory. For example:
cd ./apigeectl
This directory is the apigeectl home directory. It is where the apigeectl executable command is located.
- Create an environment variable to hold this home directory path using the following command:
export APIGEECTL_HOME=$PWD
- Verify that the variable holds the correct path using the following command:
echo $APIGEECTL_HOME
Set up the project directory structure
The directory structure described below is a suggested approach. It separates Apigee hybrid release software from configuration files that you must create. Through the use of the $APIGEECTL_HOME variable and symbolic links that you create, you can easily switch to a new software version if you choose to. See also Upgrading Apigee hybrid.
- Be sure you are in the base directory (the directory where the apigeectl directory is located).
- Create a new folder called hybrid-files. You can give the directory any name you wish, but in the docs, the name hybrid-files is used consistently. Later, you will store configuration files, service account keys, and TLS certificates in this folder. This folder lets you keep your config files separate from the apigeectl software installation:
mkdir hybrid-files
- The current directory structure now looks like the following:
pwd && ls
/hybrid-base-directory
apigeectl hybrid-files
- Change directory into the hybrid-files folder using the following command:
cd hybrid-files
- Inside the hybrid-files directory, create the following subdirectories to organize files that you will create later:
mkdir overrides
mkdir service-accounts
mkdir certs
- Inside the hybrid-files directory, create the following symbolic links to $APIGEECTL_HOME. These links allow you to run the apigeectl command from inside the hybrid-files directory.
Note: If this is not the first time you have used this process, the following symbolic links may already exist. Check whether the links already exist using the following command. If the links exist, skip this step.
ls -l | grep ^l
ln -s $APIGEECTL_HOME/tools tools
ln -s $APIGEECTL_HOME/config config
ln -s $APIGEECTL_HOME/templates templates
ln -s $APIGEECTL_HOME/plugins plugins
- To check that the symlinks were created correctly, execute the following command and make sure the link paths point to the correct locations:
ls -l | grep ^l
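As an added example (not from the Apigee docs), the following script performs the hybrid-files setup above idempotently and verifies that each symlink resolves to the expected $APIGEECTL_HOME path instead of only listing links; the function names and the optional second argument are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Apigee hybrid tooling.
# Assumes APIGEECTL_HOME already points at the renamed apigeectl directory.

# setup_hybrid_files <base-directory> [apigeectl-home]
# Creates hybrid-files with the overrides/service-accounts/certs subdirectories
# and the four symlinks the page describes. Existing links are left untouched,
# which is what the page advises when the process has been run before.
setup_hybrid_files() {
    base="$1"
    home="${2:-$APIGEECTL_HOME}"
    [ -d "$home" ] || { echo "APIGEECTL_HOME not found: $home" >&2; return 1; }
    mkdir -p "$base/hybrid-files/overrides" \
             "$base/hybrid-files/service-accounts" \
             "$base/hybrid-files/certs" || return 1
    for name in tools config templates plugins; do
        link="$base/hybrid-files/$name"
        if [ -L "$link" ]; then
            continue   # already linked from an earlier run; skip it
        fi
        ln -s "$home/$name" "$link" || return 1
    done
}

# check_hybrid_links <base-directory> [apigeectl-home]
# Returns 0 only if every expected link exists and points at <home>/<name>;
# a missing or stale link (for example one left from an older install) is
# reported on stderr and makes the function return 1.
check_hybrid_links() {
    base="$1"
    home="${2:-$APIGEECTL_HOME}"
    status=0
    for name in tools config templates plugins; do
        link="$base/hybrid-files/$name"
        target=$(readlink "$link" 2>/dev/null)
        if [ "$target" != "$home/$name" ]; then
            echo "bad link: $link -> ${target:-<missing>} (expected $home/$name)" >&2
            status=1
        fi
    done
    return $status
}
```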
Create service accounts
Apigee hybrid uses Google Cloud service accounts to allow hybrid components to communicate by making authorized API calls. In this step, you use an Apigee hybrid command-line tool to create a set of service accounts. The tool also downloads the service account private keys for you. You must then add these keys to your Apigee hybrid cluster configuration file.
The following table describes the service accounts that are required by hybrid components to perform authorized communication. See also About service accounts.
| Component* | Role | Required for basic install? | Description |
|---|---|---|---|
| apigee-cassandra | Storage Object Admin | | Allows Cassandra backups to Google Cloud Storage, as described in Backup and recovery. |
| apigee-logger | Logs Writer | | Allows logging data collection, as described in Logging. Only required for non-GKE cluster installations. |
| apigee-mart | No role | | Allows MART service authentication. This service account should not have a role associated with it; as a result, when you create this service account, do not assign a role to it. |
| apigee-metrics | Monitoring Metric Writer | | Allows metrics data collection, as described in Metrics collection. |
| apigee-org-admin | Apigee Organization Admin | | Lets you call the getSyncAuthorization API and setSyncAuthorization API. You cannot create this service account with the create-service-account tool. |
| apigee-synchronizer | Apigee Synchronizer Manager | | Allows the synchronizer to download proxy bundles and environment configuration data. Also enables operation of the trace feature. |
| apigee-udca | Apigee Analytics Agent | | Allows the transfer of trace, analytics and deployment status data to the management plane. |

* This name is used in the downloaded service account key's filename.
Create the keys:
- Be sure that you are in the base_directory/hybrid-files directory.
- Execute the following command from inside the hybrid-files directory. This command creates a service account for the apigee-metrics component and places the downloaded key in the ./service-accounts directory:
./tools/create-service-account apigee-metrics ./service-accounts
When you see the following prompt, enter y:
[INFO]: gcloud configured project ID is project_id.
 Press: y to proceed with creating service account in project: project_id
 Press: n to abort.
If this is the first time an SA with the exact name assigned by the tool was created, then the tool just creates it, and you do not have to do anything further.
If, however, you see the following message and prompt, enter y to generate new keys:
[INFO]: Service account apigee-metrics@project_id.iam.gserviceaccount.com already exists....
[INFO]: The service account might have keys associated with it. It is recommended to use existing keys.
 Press: y to generate new keys.(this does not de-activate existing keys)
 Press: n to skip generating new keys.
- Now, create the rest of the service accounts using the following commands:
./tools/create-service-account apigee-synchronizer ./service-accounts
./tools/create-service-account apigee-udca ./service-accounts
./tools/create-service-account apigee-mart ./service-accounts
./tools/create-service-account apigee-cassandra ./service-accounts
./tools/create-service-account apigee-logger ./service-accounts
- Verify that the service account keys were created. You are responsible for storing these private keys securely. The key filenames are prefixed with the name of your Google Cloud project. For example:
ls ./service-accounts
gcp-project-id-apigee-cassandra.json
gcp-project-id-apigee-logger.json
gcp-project-id-apigee-mart.json
gcp-project-id-apigee-metrics.json
gcp-project-id-apigee-synchronizer.json
gcp-project-id-apigee-udca.json
Tip: Apigee hybrid includes a validator that checks your service accounts' key files and permissions when apigeectl applies the Apigee hybrid runtime components to your cluster. This validation is enabled by default. For more information, see Service account validation.
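Because you are responsible for these private keys, the following added check (not part of the Apigee tooling) confirms, before you reference the files from the cluster configuration, that each expected key file is present, is readable only by its owner, and names the matching service account. It assumes the project-id-component.json naming shown above and GNU stat; the project id used in the comments is a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the Apigee hybrid tooling.
# Expects ./service-accounts/<project>-<component>.json as produced by
# create-service-account, e.g. demo-proj-apigee-metrics.json (constructed sample).

SA_COMPONENTS="apigee-cassandra apigee-logger apigee-mart apigee-metrics apigee-synchronizer apigee-udca"

# check_sa_keys <key-directory> <gcp-project-id>
# Returns 0 only if every component's key file exists, has mode 600 (or 400),
# is a service-account key, and its client_email belongs to that component in
# that project. Every problem is reported on stderr so one run lists them all.
check_sa_keys() {
    dir="$1"; project="$2"; status=0
    for comp in $SA_COMPONENTS; do
        f="$dir/$project-$comp.json"
        if [ ! -f "$f" ]; then
            echo "missing key file: $f" >&2; status=1; continue
        fi
        # Private keys must not be group- or world-readable (stat -c is GNU coreutils).
        mode=$(stat -c '%a' "$f")
        case "$mode" in
            600|400) ;;
            *) echo "insecure permissions $mode on $f (want 600)" >&2; status=1 ;;
        esac
        # Pull the two string fields out of the pretty-printed JSON without jq.
        ktype=$(sed -n 's/.*"type"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$f")
        email=$(sed -n 's/.*"client_email"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$f")
        [ "$ktype" = "service_account" ] || \
            { echo "$f: not a service account key (type='$ktype')" >&2; status=1; }
        [ "$email" = "$comp@$project.iam.gserviceaccount.com" ] || \
            { echo "$f: client_email '$email' does not belong to $comp" >&2; status=1; }
    done
    return $status
}
```

Run it from hybrid-files as `check_sa_keys ./service-accounts your-project-id` after the create-service-account steps; a non-zero exit means at least one file needs attention.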
Create TLS certificates
You are required to provide TLS certificates for the MART and runtime ingress gateways in your Apigee hybrid configuration. The credentials used for the MART gateway must be authorized by a certificate authority (CA). For the purpose of this quickstart (a non-production trial installation), the runtime gateway can accept self-signed credentials.
In this step, you will create the TLS credential files and add them to the base_directory/hybrid-files/certs directory. In Step 3: Configure the cluster, you will add the file paths to the cluster configuration file.
Create TLS credentials for the runtime gateway
The runtime ingress gateway (the gateway that handles API proxy traffic) requires a TLS certificate/key pair. For this quickstart installation, you can use self-signed credentials. In the following steps, openssl is used to generate the credentials.
- Be sure that you are in the base_directory/hybrid-files directory.
- Execute the following command from inside the hybrid-files directory:
openssl req -nodes -new -x509 -keyout ./certs/keystore.key -out \
  ./certs/keystore.pem -subj '/CN=mydomain.net' -days 3650
This command creates a self-signed certificate/key pair that you can use for the quickstart installation. The CN mydomain.net can be any value you wish for the self-signed credentials.
- Check to make sure the files are in the ./certs directory using the following command:
ls ./certs
keystore.pem keystore.key
where keystore.pem is the self-signed TLS certificate file and keystore.key is the key file.
Create TLS credentials for the MART gateway
As noted in Before you begin, you must use an authorized TLS certificate/key pair for the MART gateway configuration. If you have not done so, obtain or create these credentials now.
- Obtain or create a TLS certificate/key pair that is authorized by a certificate authority. An example is provided showing how to obtain these credentials using the Let's Encrypt CA. Note that the certificate's common name (CN) must be a valid DNS name. For the example steps, see Obtain TLS credentials: An example.
- Copy the credentials into the base_directory/hybrid-files/certs directory.
- When you are finished, you should have two pairs of credential files in the ./certs directory. For example:
ls ./certs
fullchain.pem privkey.key keystore.pem keystore.key
where fullchain.pem is the authorized TLS certificate file and privkey.key is the authorized key file.
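The following added example (not from the Apigee docs) serves both the self-signed runtime pair and the CA-issued MART pair above: before the file paths go into the Step 3 configuration, it checks that a private key actually matches its certificate and that the certificate is not near expiry, the two mismatches that otherwise surface only as an ingress TLS failure. check_tls_pair and make_selfsigned_pair are names chosen here, and openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not part of the Apigee hybrid tooling. Requires openssl.

# check_tls_pair <cert.pem> <key> [min-days-left]
# Returns 0 if the key's public key equals the one in the certificate, the
# certificate stays valid for at least min-days-left days (default 30), and
# the subject carries a CN. Each failure is reported on stderr.
check_tls_pair() {
    cert="$1"; key="$2"; days="${3:-30}"; status=0
    [ -r "$cert" ] || { echo "cannot read certificate $cert" >&2; return 1; }
    [ -r "$key" ]  || { echo "cannot read key $key" >&2; return 1; }
    # Both commands emit the SPKI as PEM, so a plain string compare suffices.
    cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "$key does not match $cert" >&2; status=1
    fi
    # -checkend takes seconds and exits non-zero if the cert expires within them.
    if ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo "$cert expires within $days days (or is already expired)" >&2; status=1
    fi
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ -n "$cn" ] || { echo "$cert has no CN in its subject" >&2; status=1; }
    return $status
}

# make_selfsigned_pair <dir> <cn>
# The page's openssl command for the runtime gateway, parameterised on
# output directory and CN so it can be exercised outside hybrid-files/certs.
make_selfsigned_pair() {
    openssl req -nodes -new -x509 -keyout "$1/keystore.key" -out "$1/keystore.pem" \
        -subj "/CN=$2" -days 3650 >/dev/null 2>&1
}
```

For the MART pair run `check_tls_pair ./certs/fullchain.pem ./certs/privkey.key`; the same call with keystore.pem and keystore.key covers the runtime pair.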
Summary
You now have a home base from which you can configure, deploy, and manage Apigee hybrid in your Kubernetes cluster. Next, you will create a file that will be used by Kubernetes to deploy the hybrid runtime components to the cluster.
Last updated 2026-02-18 UTC.