Step 7: Create the overrides

You are currently viewing version 1.15 of the Apigee hybrid documentation. For more information, see Supported versions.

Specify configuration overrides

The Apigee hybrid installer uses defaults for many settings. However, there are a few settings that do not have defaults. You must provide values for these settings, as explained next.

Before you begin

We recommend you review the following scenarios to determine if you want to configure your cluster for them. These configurations are optional.

Configure the cluster

By convention, configuration overrides are written in a file named overrides.yaml, typically stored in your $APIGEE_HELM_CHARTS_HOME directory.

Note: The overrides.yaml file will be used during upgrades, expansions, and any time you need to alter the configuration of your hybrid runtime installation. Apigee recommends you store this file in a source control repository with version control.

  1. Create a new file named overrides.yaml in your $APIGEE_HELM_CHARTS_HOME directory.

    The overrides.yaml file provides the configuration for your unique Apigee hybrid installation. The overrides file in this step provides a basic configuration for a small-footprint hybrid runtime installation, suitable for your first installation.

  2. In overrides.yaml, add the required property values, shown below. A detailed description of each property is provided below.

    Make sure the overrides.yaml file has the following structure and syntax.

    Choose the tab for the type of service account authentication you are using in your installation (see Step 4: Create service accounts):

    • Service account keys in Kubernetes Secrets: Kubernetes Secrets
    • Service account JSON key files: JSON files
    • Service account keys in Vault: Vault
    • Workload Identity Federation for GKE: WIF for GKE
    • Workload Identity Federation: WIF on other platforms

    For an overview of the different authentication options, see Service account authentication methods in Apigee hybrid.

    Select the tab for your installation, Production for production installations or Non-prod for non-production (demo, evaluation, or proof-of-concept) installations, depending on your choice in Step 4: Create service accounts.

    For installations in production environments, look at the storage requirements for the Cassandra database in Configure Cassandra for production.

    Kubernetes Secrets

    Production

    Template

    instanceID: UNIQUE_INSTANCE_IDENTIFIER
    namespace: APIGEE_NAMESPACE # Usually "apigee"

    gcp:
      projectID: PROJECT_ID
      region: ANALYTICS_REGION

    k8sCluster:
      name: CLUSTER_NAME
      region: CLUSTER_LOCATION # Closest Google Cloud region to your cluster.

    org: ORG_NAME

    # Required for Enhanced per-environment proxy limits:
    enhanceProxyLimits: true

    # Required if using data residency with hybrid:
    contractProvider: https://CONTROL_PLANE_LOCATION-apigee.googleapis.com

    envs:
    - name: ENVIRONMENT_NAME
      serviceAccountSecretRefs:
        synchronizer: SYNCHRONIZER_SERVICE_ACCOUNT_SECRET
          # For example: "apigee-synchronizer-svc-account"
        runtime: RUNTIME_SERVICE_ACCOUNT_SECRET
          # For example: "apigee-runtime-svc-account"
        udca: UDCA_SERVICE_ACCOUNT_SECRET
          # For example: "apigee-udca-svc-account"

    cassandra:
      hostNetwork: false
        # Set to false for single region installations and for multi-region
        # installations with connectivity between pods in different clusters,
        # like GKE.
        # Set to true for multi-region installations with no communication
        # between pods in different clusters, for example Google Distributed
        # Cloud on VMware or bare metal, GKE on AWS, AKS, EKS, and OpenShift.
        # See Multi-region deployment: Prerequisites
      replicaCount: 3
        # Use multiples of 3 for production.
        # See Configure Cassandra for production for guidelines.
      storage:
        storageSize: 500Gi
      resources:
        requests:
          cpu: 7
          memory: 15Gi
      maxHeapSize: 8192M
      heapNewSize: 1200M
        # Minimum storage requirements for a production environment.
        # See Configure Cassandra for production.

    ingressGateways:
    - name: INGRESS_NAME # maximum 17 characters.
      replicaCountMin: 2
      replicaCountMax: 10
      svcAnnotations:  # optional. If you are on AKS, see Known issue #260772383
        SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE

    virtualhosts:
    - name: ENVIRONMENT_GROUP_NAME
      selector:
        app: apigee-ingressgateway
        ingress_name: INGRESS_NAME
      sslCertPath: PATH_TO_CERT_FILE
      sslKeyPath: PATH_TO_KEY_FILE

    mart:
      serviceAccountRef: MART_SERVICE_ACCOUNT_SECRET
        # For example: "apigee-mart-svc-account"

    connectAgent:
      serviceAccountRef: MART_SERVICE_ACCOUNT_SECRET
        # Use the same secret for mart and connectAgent
        # For example: "apigee-mart-svc-account"

    logger:
      enabled: true
        # enabled by default
        # See apigee-logger in Service accounts and roles used by hybrid components.
      serviceAccountRef: LOGGER_SERVICE_ACCOUNT_SECRET
        # For example: "apigee-logger-svc-account"

    metrics:
      serviceAccountRef: METRICS_SERVICE_ACCOUNT_SECRET
        # For example: "apigee-metrics-svc-account"

    udca:
      serviceAccountRef: UDCA_SERVICE_ACCOUNT_SECRET
        # For example: "apigee-udca-svc-account"

    watcher:
      serviceAccountRef: WATCHER_SERVICE_ACCOUNT_SECRET
        # For example: "apigee-watcher-svc-account"

    # Required if using Monetization for Apigee hybrid (v1.15.1 and later)
    runtime:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1" # Must be 1.15.1 or higher.

    mintTaskScheduler: # Required for Monetization for Apigee hybrid
      serviceAccountRef: MINT_TASK_SCHEDULER_SERVICE_ACCOUNT_SECRET
        # For example: "apigee-mint-task-scheduler-svc-account"

    # If using message payloads larger than 10MB.
    # See configure large message payload support:
    # YAML allows each top-level key once: if you also use the runtime: block
    # above, merge these settings into it.
    runtime:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi

    Values in red, bold italics (the uppercase placeholders such as PROJECT_ID) are property values that you must provide. They are described in the table below.

    The following table describes each of the property values that you must provide in the overrides file. For more information, see Configuration property reference.

    Variable | Description

    UNIQUE_INSTANCE_IDENTIFIER

    A unique string to identify this instance. This can be any combination of letters and numbers up to 63 characters.

    Note: You can create multiple organizations in the same cluster, but the instanceID must be the same for all orgs in the same Kubernetes cluster. For multi-region installations, each region requires its own cluster (individual clusters do not span regions).

    See instanceID.

    APIGEE_NAMESPACE

    The Kubernetes namespace for your Apigee hybrid components.

    The default value is apigee.

    See namespace.

    PROJECT_ID

    Identifies the Google Cloud project where the apigee-logger and the apigee-metrics push their data. This is the value assigned to the environment variable PROJECT_ID.

    See gcp.projectID.

    ANALYTICS_REGION

    In GKE, you must set this value to the same region where the cluster is running. In all other platforms, select the closest analytics region to your cluster that has Analytics support (see the table in Part 1, Step 2: Create an organization).

    This is the value you assigned to the environment variable ANALYTICS_REGION previously.

    See gcp.region.

    CLUSTER_NAME

    Your Kubernetes cluster name. This is the value assigned to the environment variable CLUSTER_NAME.

    See k8sCluster.name.

    CLUSTER_LOCATION

    The region where the cluster is running. This is the region where you created the cluster in Step 1: Create a cluster.

    This is the value you assigned to the environment variable CLUSTER_LOCATION previously.

    If you are working with zonal clusters, you must specify the region in which your cluster was created. For example, if you created your cluster in the us-central1-a zone, specify us-central1 for the CLUSTER_LOCATION.

    See k8sCluster.location.

    ORG_NAME

    The ID of your Apigee hybrid organization. This is the value assigned to the environment variable ORG_NAME.

    See org.

    CONTROL_PLANE_LOCATION

    Required if you are using Data residency with your Apigee hybrid installation. This is the location where customer core content like proxy bundles is stored. For a list, see Available Apigee API control plane regions. It is the value assigned to the CONTROL_PLANE_LOCATION environment variable in Step 2: Create an organization.

    See contractProvider.

    ENVIRONMENT_NAME

    Use the same name that you used when you created an environment in the UI, as explained in Project and org setup - Step 3: Create an environment group.

    See envs[].name.

    ENVIRONMENT_GROUP_NAME

    The name of the environment group your environments are assigned to. This is the group you created in Project and org setup - Step 3: Create an environment group. This is the value assigned to the environment variable ENV_GROUP.

    Note: If you wish to place cluster instances in multiple regions, you must be careful about how you define your environments and virtual hosts. If you have one or more environments attached to an environment group, you must include that same environment group configuration in each cluster instance's overrides file.

    See virtualhosts[].name.

    INGRESS_NAME

    The name of the Apigee ingress gateway for your deployment. This can be any name that meets the following requirements:
    • Have a maximum length of 17 characters
    • Contain only lowercase alphanumeric characters, '-' or '.'
    • Start with an alphanumeric character
    • End with an alphanumeric character

    PATH_TO_CERT_FILE
    PATH_TO_KEY_FILE

    Enter the path and filename of the self-signed TLS key and certificate files that you generated previously in Step 6: Create TLS certificates. These files must be located in the APIGEE_HELM_CHARTS_HOME/apigee-virtualhosts/certs directory. For example:

    sslCertPath: certs/keystore.crt
    sslKeyPath: certs/keystore.key

    SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE

    (Optional). This is a key-value pair that provides annotations for your default ingress service. Your cloud platform uses annotations to help configure your hybrid installation, for example setting the load balancer type to either internal or external.

    Annotations vary from platform to platform. Refer to your platform documentation for required and suggested annotations.

    Note: You do not need to set svcAnnotations if you are creating your own Kubernetes service for ingress deployment as documented in Expose Apigee ingress gateway.

    Comment out or delete this section if you are not using it.

    See ingressGateways[].svcAnnotations.

    <component>_SERVICE_ACCOUNT_SECRET

    The name of the Kubernetes secret you created for the service account key in Step 5: Set up service account authentication.

    The default names of the secrets suggested in this guide are:

    Production

    • apigee-cassandra-svc-account
    • apigee-logger-svc-account
    • apigee-mart-svc-account
    • apigee-metrics-svc-account
    • apigee-mint-task-scheduler-svc-account
    • apigee-runtime-svc-account
    • apigee-synchronizer-svc-account
    • apigee-udca-svc-account
    • apigee-watcher-svc-account

    Non-prod

    • apigee-non-prod-svc-account

    Example

    instanceID: "my_hybrid_example"
    namespace: "apigee"

    gcp:
      projectID: my-project
      region: us-central1

    k8sCluster:
      name: hybrid-env
      region: us-central1

    org: my-project

    enhanceProxyLimits: true

    contractProvider: https://us-apigee.googleapis.com

    envs:
    - name: prod-env
      serviceAccountSecretRefs:
        synchronizer: "apigee-synchronizer-svc-account"
        runtime: "apigee-runtime-svc-account"
        udca: "apigee-udca-svc-account"

    cassandra:
      hostNetwork: false
      replicaCount: 3
      storage:
        storageSize: 500Gi
      resources:
        requests:
          cpu: 7
          memory: 15Gi
      maxHeapSize: 8192M
      heapNewSize: 1200M

    ingressGateways:
    - name: my-ingress-1
      replicaCountMin: 2
      replicaCountMax: 10

    virtualhosts:
    - name: example-env-group
      selector:
        app: apigee-ingressgateway
        ingress_name: my-ingress-1
      sslCertPath: certs/keystore.pem
      sslKeyPath: certs/keystore.key

    mart:
      serviceAccountRef: "apigee-mart-svc-account"

    connectAgent:
      serviceAccountRef: "apigee-mart-svc-account"

    logger:
      enabled: true
      serviceAccountRef: "apigee-logger-svc-account"

    metrics:
      serviceAccountRef: "apigee-metrics-svc-account"

    udca:
      serviceAccountRef: "apigee-udca-svc-account"

    watcher:
      serviceAccountRef: "apigee-watcher-svc-account"

    # Monetization for Apigee hybrid
    runtime:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1"

    mintTaskScheduler:
      serviceAccountRef: apigee-mint-task-scheduler-svc-account

    # For message payloads larger than 10MB:
    # YAML allows each top-level key once: if you also use the runtime: block
    # above, merge these settings into it.
    runtime:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi

    Non-prod

    Template

    instanceID: UNIQUE_INSTANCE_IDENTIFIER
    namespace: APIGEE_NAMESPACE # Usually "apigee"

    gcp:
      projectID: PROJECT_ID
      region: ANALYTICS_REGION

    k8sCluster:
      name: CLUSTER_NAME
      region: CLUSTER_LOCATION # Closest Google Cloud region to your cluster.

    org: ORG_NAME

    # Required for Enhanced per-environment proxy limits:
    enhanceProxyLimits: true

    # Required if using data residency with hybrid:
    contractProvider: https://CONTROL_PLANE_LOCATION-apigee.googleapis.com

    envs:
    - name: ENVIRONMENT_NAME
      serviceAccountSecretRefs:
        synchronizer: NON_PROD_SERVICE_ACCOUNT_SECRET
          # For example: "apigee-non-prod-svc-account"
        runtime: NON_PROD_SERVICE_ACCOUNT_SECRET
          # For example: "apigee-non-prod-svc-account"
        udca: NON_PROD_SERVICE_ACCOUNT_SECRET
          # For example: "apigee-non-prod-svc-account"

    cassandra:
      hostNetwork: false
        # Set to false for single region installations and for multi-region
        # installations with connectivity between pods in different clusters,
        # like GKE.
        # Set to true for multi-region installations with no communication
        # between pods in different clusters, for example Google Distributed
        # Cloud on VMware or bare metal, GKE on AWS, AKS, EKS, and OpenShift.
        # See Multi-region deployment: Prerequisites
      replicaCount: 1
        # Use 1 for non-prod installations and multiples of 3 for production.
        # See Configure Cassandra for production for guidelines.

    ingressGateways:
    - name: INGRESS_NAME # maximum 17 characters.
      replicaCountMin: 2
      replicaCountMax: 10
      svcAnnotations:  # optional. If you are on AKS, see Known issue #260772383
        SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE

    virtualhosts:
    - name: ENVIRONMENT_GROUP_NAME
      selector:
        app: apigee-ingressgateway
        ingress_name: INGRESS_NAME
      sslCertPath: PATH_TO_CERT_FILE
      sslKeyPath: PATH_TO_KEY_FILE

    mart:
      serviceAccountRef: NON_PROD_SERVICE_ACCOUNT_SECRET
        # For example: "apigee-non-prod-svc-account"

    connectAgent:
      serviceAccountRef: NON_PROD_SERVICE_ACCOUNT_SECRET
        # Use the same secret for mart and connectAgent
        # For example: "apigee-non-prod-svc-account"

    logger:
      enabled: true
        # enabled by default
        # See apigee-logger in Service accounts and roles used by hybrid components.
      serviceAccountRef: NON_PROD_SERVICE_ACCOUNT_SECRET
        # For example: "apigee-non-prod-svc-account"

    metrics:
      serviceAccountRef: NON_PROD_SERVICE_ACCOUNT_SECRET
        # For example: "apigee-non-prod-svc-account"

    udca:
      serviceAccountRef: NON_PROD_SERVICE_ACCOUNT_SECRET
        # For example: "apigee-non-prod-svc-account"

    watcher:
      serviceAccountRef: NON_PROD_SERVICE_ACCOUNT_SECRET
        # For example: "apigee-non-prod-svc-account"

    # Required if using Monetization for Apigee hybrid (v1.15.1 and later)
    runtime:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1" # Must be 1.15.1 or higher.

    mintTaskScheduler: # Required for Monetization for Apigee hybrid
      serviceAccountRef: NON_PROD_SERVICE_ACCOUNT_SECRET
        # For example: "apigee-non-prod-svc-account"

    # If using message payloads larger than 10MB.
    # See configure large message payload support:
    # YAML allows each top-level key once: if you also use the runtime: block
    # above, merge these settings into it.
    runtime:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi

    Example

    instanceID: "my_hybrid_example"
    namespace: "apigee"

    gcp:
      projectID: my-project
      region: us-central1

    k8sCluster:
      name: hybrid-env
      region: us-central1

    org: my-project

    enhanceProxyLimits: true

    contractProvider: https://us-apigee.googleapis.com

    envs:
    - name: test
      serviceAccountSecretRefs:
        synchronizer: "apigee-non-prod-svc-account"
        runtime: "apigee-non-prod-svc-account"
        udca: "apigee-non-prod-svc-account"

    cassandra:
      hostNetwork: false
      replicaCount: 1

    ingressGateways:
    - name: my-ingress-1
      replicaCountMin: 2
      replicaCountMax: 10

    virtualhosts:
    - name: example-env-group
      selector:
        app: apigee-ingressgateway
        ingress_name: my-ingress-1
      sslCertPath: certs/keystore.pem
      sslKeyPath: certs/keystore.key

    mart:
      serviceAccountRef: "apigee-non-prod-svc-account"

    connectAgent:
      serviceAccountRef: "apigee-non-prod-svc-account"

    logger:
      enabled: true
      serviceAccountRef: "apigee-non-prod-svc-account"

    metrics:
      serviceAccountRef: "apigee-non-prod-svc-account"

    udca:
      serviceAccountRef: "apigee-non-prod-svc-account"

    watcher:
      serviceAccountRef: "apigee-non-prod-svc-account"

    # Monetization for Apigee hybrid
    runtime:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1"

    mintTaskScheduler:
      serviceAccountRef: apigee-non-prod-svc-account

    # For message payloads larger than 10MB:
    # YAML allows each top-level key once: if you also use the runtime: block
    # above, merge these settings into it.
    runtime:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi
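
A pre-flight check for the overrides file described above, as an added example that is not part of the Apigee documentation or tooling. It goes beyond the INGRESS_NAME rules to also flag unreplaced template placeholders, repeated top-level keys such as runtime, a production Cassandra replicaCount that is not a multiple of 3, a virtualhosts selector that names no declared gateway, and production use of the shared non-prod secret. Assumptions: the function and constant names are hypothetical, the check is line-oriented rather than a full YAML parse, and SAMPLE is constructed input.

```python
"""Pre-flight lint for an Apigee hybrid overrides.yaml (added example)."""
import re

# INGRESS_NAME rules from the table: at most 17 characters, only lowercase
# alphanumerics, '-' or '.', and an alphanumeric first and last character.
INGRESS_NAME_RE = re.compile(r"[a-z0-9]([a-z0-9.-]*[a-z0-9])?")
# Template placeholders are capitals joined by underscores, e.g. PROJECT_ID.
PLACEHOLDER_RE = re.compile(r"\b[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+\b")
TOP_LEVEL_RE = re.compile(r"^([A-Za-z][\w-]*):")
NON_PROD_SECRET = "apigee-non-prod-svc-account"  # default name in this guide


def strip_comment(line):
    """Drop a YAML comment: '#' at line start or preceded by whitespace."""
    return re.sub(r"(^|\s)#.*$", "", line).rstrip()


def lint_overrides(text, production=True):
    """Return sorted (line_number, message) findings for overrides text.

    Line-oriented by design (standard library only): it tracks the current
    top-level key instead of fully parsing YAML, which is enough for the
    layout of the templates on this page.
    """
    findings = []
    first_seen = {}        # top-level key -> line where it first appears
    gateway_names = set()  # names declared under ingressGateways
    selectors = []         # (line, ingress_name) used under virtualhosts
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw)
        if not line.strip():
            continue
        for token in PLACEHOLDER_RE.findall(line):
            findings.append((lineno, f"placeholder {token} was not replaced"))
        top = TOP_LEVEL_RE.match(line)
        if top:
            section = top.group(1)
            if section in first_seen:
                findings.append((lineno, f"top-level key '{section}' repeats "
                                 f"line {first_seen[section]}; merge them"))
            first_seen.setdefault(section, lineno)
        key, _, value = line.strip().lstrip("- ").partition(":")
        value = value.strip().strip("\"'")
        if key == "instanceID" and len(value) > 63:
            findings.append((lineno, "instanceID is longer than 63 characters"))
        if section == "ingressGateways" and key == "name":
            gateway_names.add(value)
            if len(value) > 17 or not INGRESS_NAME_RE.fullmatch(value):
                findings.append((lineno, f"invalid ingress name '{value}'"))
        if section == "virtualhosts" and key == "ingress_name":
            selectors.append((lineno, value))
        if production and value == NON_PROD_SECRET:
            findings.append((lineno, f"{key} uses the shared non-prod secret"))
        if production and section == "cassandra" and key == "replicaCount":
            if not value.isdigit() or int(value) == 0 or int(value) % 3:
                findings.append((lineno, "replicaCount is not a multiple of 3"))
    for lineno, name in selectors:
        if name not in gateway_names:
            findings.append((lineno, f"ingress_name '{name}' matches no gateway"))
    return sorted(findings)


# Constructed sample with deliberate mistakes (not a real deployment).
SAMPLE = """\
instanceID: "my-hybrid-1"
gcp:
  projectID: PROJECT_ID
  region: us-central1
envs:
- name: prod-env
  serviceAccountSecretRefs:
    synchronizer: "apigee-synchronizer-svc-account"
    runtime: "apigee-non-prod-svc-account"
cassandra:
  replicaCount: 4
ingressGateways:
- name: My-Production-Ingress-Gateway
virtualhosts:
- name: example-env-group
  selector:
    ingress_name: my-ingress-1
runtime:
  image:
    tag: "1.15.1"
runtime:
  cwcAppend:
    bin_setenv_max_mem: 4096m
"""

if __name__ == "__main__":
    for lineno, message in lint_overrides(SAMPLE):
        print(f"overrides.yaml:{lineno}: {message}")
```

Pass production=False for the Non-prod layout, where the shared secret and a replicaCount of 1 are expected.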

    The following table describes each of the property values that you must provide in the overrides file. For more information, seeConfiguration property reference.

    VariableDescription
    UNIQUE_INSTANCE_
    IDENTIFIER

    A unique string to identify this instance. This can be any combination of letters and numbers up to 63 characters.

    Note:You can create multiple organizations in the same cluster, but theinstanceID must be the same for all orgs in the same Kubernetes cluster. For multi-region installations, each region requires its own cluster (individual clusters do not span regions).

    You can create multiple organizations in the same cluster, but theinstanceID must be the same for all orgs in the same Kubernetes cluster.

    SeeinstanceID.

    APIGEE_NAMESPACE

    The Kubernetes namespace for your Apigee hybrid components.

    The default value isapigee.

    Seenamespace.

    PROJECT_IDIdentifies the Google Cloud project where theapigee-logger and theapigee-metrics push their data. This is the value assigned to the environment variablePROJECT_ID.

    Seegcp.projectID.

    ANALYTICS_REGIONIn GKE, You must set this value to the same region where the cluster is running. In all other platforms, select the closest analytics region to your cluster that has Analytics support (see the table inPart 1, Step 2: Create an organization).

    This is the value you assigned to the environment variable ANALYTICS_REGION previously.

    See gcp.region.

    CLUSTER_NAME

    Your Kubernetes cluster name. This is the value assigned to the environment variable CLUSTER_NAME.

    See k8sCluster.name.

    CLUSTER_LOCATION

    The region where the cluster is running. This is the region where you created the cluster in Step 1: Create a cluster.

    This is the value you assigned to the environment variable CLUSTER_LOCATION previously.

    If you are working with zonal clusters, you must specify the region in which your cluster was created. For example, if you created your cluster in the us-central1-a zone, specify us-central1 for the CLUSTER_LOCATION.

    See k8sCluster.location.

    ORG_NAME

    The ID of your Apigee hybrid organization. This is the value assigned to the environment variable ORG_NAME.

    See org.

    CONTROL_PLANE_LOCATION

    Required if you are using Data residency with your Apigee hybrid installation. This is the location where customer core content like proxy bundles is stored. For a list, see Available Apigee API control plane regions. It is the value assigned to the CONTROL_PLANE_LOCATION environment variable in Step 2: Create an organization.

    See contractProvider.

    ENVIRONMENT_NAME

    Use the same name that you used when you created an environment in the UI, as explained in Project and org setup - Step 3: Create an environment group.

    See envs[].name.

    ENVIRONMENT_GROUP_NAME

    The name of the environment group your environments are assigned to. This is the group you created in Project and org setup - Step 3: Create an environment group. This is the value assigned to the environment variable ENV_GROUP.

    Note: If you wish to place cluster instances in multiple regions, you must be careful about how you define your environments and virtual hosts. If you have one or more environments attached to an environment group, you must include that same environment group configuration in each cluster instance's overrides file.

    See virtualhosts[].name.

    INGRESS_NAME

    The name of the Apigee ingress gateway for your deployment. This can be any name that meets the following requirements:
    • Have a maximum length of 17 characters
    • Contain only lowercase alphanumeric characters, '-' or '.'
    • Start with an alphanumeric character
    • End with an alphanumeric character

    See:

    PATH_TO_CERT_FILE
    PATH_TO_KEY_FILE

    Enter the path and filename of the self-signed TLS key and certificate files that you generated previously in Step 6: Create TLS certificates. These files must be located in the APIGEE_HELM_CHARTS_HOME/apigee-virtualhosts/certs directory. For example:

    sslCertPath: certs/keystore.crt
    sslKeyPath: certs/keystore.key

    See:

    SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE

    (Optional) This is a key-value pair that provides annotations for your default ingress service. Your cloud platform uses annotations to help configure your hybrid installation, for example setting the load balancer type to either internal or external.

    Annotations vary from platform to platform. Refer to your platform documentation for required and suggested annotations.

    Note: You do not need to set svcAnnotations if you are creating your own Kubernetes service for ingress deployment as documented in Expose Apigee ingress gateway.

    Comment out or delete this section if you are not using it.

    See ingressGateways[].svcAnnotations.

    <component>_SERVICE_ACCOUNT_SECRET

    The name of the Kubernetes secret you created for the service account key in Step 5: Set up service account authentication.

    The default names of the secrets suggested in this guide are:

    Production

    • apigee-cassandra-svc-account
    • apigee-logger-svc-account
    • apigee-mart-svc-account
    • apigee-metrics-svc-account
    • apigee-mint-task-scheduler-svc-account
    • apigee-runtime-svc-account
    • apigee-synchronizer-svc-account
    • apigee-udca-svc-account
    • apigee-watcher-svc-account

    Non-prod

    • apigee-non-prod-svc-account

    See:

    JSON files

    Production

    Template

    Values in red, bold italics are property values that you must provide. You can edit their values on this page. They are described in the table below.

    instanceID: UNIQUE_INSTANCE_IDENTIFIER
    namespace: APIGEE_NAMESPACE # Usually "apigee"

    gcp:
      projectID: PROJECT_ID
      region: ANALYTICS_REGION

    k8sCluster:
      name: CLUSTER_NAME
      region: CLUSTER_LOCATION # Closest Google Cloud region to your cluster.

    org: ORG_NAME

    # Required for Enhanced per-environment proxy limits:
    enhanceProxyLimits: true

    # Required if using data residency with hybrid:
    contractProvider: https://CONTROL_PLANE_LOCATION-apigee.googleapis.com

    envs:
    - name: ENVIRONMENT_NAME
      serviceAccountPaths:
        # Provide the path relative to the apigee-env chart directory.
        synchronizer: SYNCHRONIZER_SERVICE_ACCOUNT_FILEPATH
          # For example: "PROJECT_ID-apigee-synchronizer.json"
        runtime: RUNTIME_SERVICE_ACCOUNT_FILEPATH
          # For example: "PROJECT_ID-apigee-runtime.json"
        udca: UDCA_SERVICE_ACCOUNT_FILEPATH
          # For example: "PROJECT_ID-apigee-udca.json"

    cassandra:
      hostNetwork: false
        # Set to false for single region installations and for multi-region
        # installations with connectivity between pods in different clusters,
        # like GKE.
        # Set to true for multi-region installations with no communication
        # between pods in different clusters, for example Google Distributed
        # Cloud on VMware or bare metal, GKE on AWS, AKS, EKS, and OpenShift.
        # See Multi-region deployment: Prerequisites
      replicaCount: 3
        # Use multiples of 3 for production.
        # See Configure Cassandra for production for guidelines.
      storage:
        storageSize: 500Gi
      resources:
        requests:
          cpu: 7
          memory: 15Gi
      maxHeapSize: 8192M
      heapNewSize: 1200M
        # Minimum storage requirements for a production environment.
        # See Configure Cassandra for production.

    ingressGateways:
    - name: INGRESS_NAME # maximum 17 characters.
      replicaCountMin: 2
      replicaCountMax: 10
      svcAnnotations:  # optional. If you are on AKS, see Known issue #260772383
        SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE

    virtualhosts:
    - name: ENVIRONMENT_GROUP_NAME
      selector:
        app: apigee-ingressgateway
        ingress_name: INGRESS_NAME
      sslCertPath: PATH_TO_CERT_FILE
      sslKeyPath: PATH_TO_KEY_FILE

    logger:
      enabled: true
        # enabled by default
        # See apigee-logger in Service accounts and roles used by hybrid components.
      serviceAccountPath: LOGGER_SERVICE_ACCOUNT_FILEPATH
        # Provide the path relative to the apigee-telemetry chart directory.
        # For example: "PROJECT_ID-apigee-logger.json"

    mart:
      serviceAccountPath: MART_SERVICE_ACCOUNT_FILEPATH
        # Provide the path relative to the apigee-org chart directory.
        # For example: "PROJECT_ID-apigee-mart.json"

    connectAgent:
      serviceAccountPath: MART_SERVICE_ACCOUNT_FILEPATH
        # Use the same service account for mart and connectAgent
        # Provide the path relative to the apigee-org chart directory.
        # For example: "PROJECT_ID-apigee-mart.json"

    metrics:
      serviceAccountPath: METRICS_SERVICE_ACCOUNT_FILEPATH
        # Provide the path relative to the apigee-telemetry chart directory.
        # For example: "PROJECT_ID-apigee-metrics.json"

    udca:
      serviceAccountPath: UDCA_SERVICE_ACCOUNT_FILEPATH
        # Provide the path relative to the apigee-telemetry chart directory.
        # For example: "PROJECT_ID-apigee-udca.json"

    watcher:
      serviceAccountPath: WATCHER_SERVICE_ACCOUNT_FILEPATH
        # Provide the path relative to the apigee-telemetry chart directory.
        # For example: "PROJECT_ID-apigee-watcher.json"

    # Required if using Monetization for Apigee hybrid (v1.15.1 and later)
    runtime:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1" # Must be 1.15.1 or higher.
    mintTaskScheduler: # Required for Monetization for Apigee hybrid
      serviceAccountPath: MINT_TASK_SCHEDULER_SERVICE_ACCOUNT_FILEPATH
        # Provide the path relative to the apigee-org chart directory.
        # For example: "PROJECT_ID-apigee-mint-task-scheduler.json"

    # If using message payloads larger than 10MB.
    # See configure large message payload support:
    # If you also keep the runtime.image block above, place these keys under
    # that same runtime: block. A YAML mapping must not repeat a key.
    runtime:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi

    The following table describes each of the property values that you must provide in the overrides file. For more information, see Configuration property reference.

    Variable    Description

    UNIQUE_INSTANCE_IDENTIFIER

    A unique string to identify this instance. This can be any combination of letters and numbers up to 63 characters.

    Note: You can create multiple organizations in the same cluster, but the instanceID must be the same for all orgs in the same Kubernetes cluster. For multi-region installations, each region requires its own cluster (individual clusters do not span regions).

    See instanceID.

    APIGEE_NAMESPACE

    The Kubernetes namespace for your Apigee hybrid components.

    The default value is apigee.

    See namespace.

    PROJECT_ID

    Identifies the Google Cloud project where the apigee-logger and the apigee-metrics push their data. This is the value assigned to the environment variable PROJECT_ID.

    See gcp.projectID.

    ANALYTICS_REGION

    In GKE, you must set this value to the same region where the cluster is running. In all other platforms, select the closest analytics region to your cluster that has Analytics support (see the table in Part 1, Step 2: Create an organization).

    This is the value you assigned to the environment variable ANALYTICS_REGION previously.

    See gcp.region.

    CLUSTER_NAME

    Your Kubernetes cluster name. This is the value assigned to the environment variable CLUSTER_NAME.

    See k8sCluster.name.

    CLUSTER_LOCATION

    The region where the cluster is running. This is the region where you created the cluster in Step 1: Create a cluster.

    This is the value you assigned to the environment variable CLUSTER_LOCATION previously.

    If you are working with zonal clusters, you must specify the region in which your cluster was created. For example, if you created your cluster in the us-central1-a zone, specify us-central1 for the CLUSTER_LOCATION.

    See k8sCluster.location.

    ORG_NAME

    The ID of your Apigee hybrid organization. This is the value assigned to the environment variable ORG_NAME.

    See org.

    CONTROL_PLANE_LOCATION

    Required if you are using Data residency with your Apigee hybrid installation. This is the location where customer core content like proxy bundles is stored. For a list, see Available Apigee API control plane regions. It is the value assigned to the CONTROL_PLANE_LOCATION environment variable in Step 2: Create an organization.

    See contractProvider.

    ENVIRONMENT_NAME

    Use the same name that you used when you created an environment in the UI, as explained in Project and org setup - Step 3: Create an environment group.

    See envs[].name.

    ENVIRONMENT_GROUP_NAME

    The name of the environment group your environments are assigned to. This is the group you created in Project and org setup - Step 3: Create an environment group. This is the value assigned to the environment variable ENV_GROUP.

    Note: If you wish to place cluster instances in multiple regions, you must be careful about how you define your environments and virtual hosts. If you have one or more environments attached to an environment group, you must include that same environment group configuration in each cluster instance's overrides file.

    See virtualhosts[].name.

    INGRESS_NAME

    The name of the Apigee ingress gateway for your deployment. This can be any name that meets the following requirements:
    • Have a maximum length of 17 characters
    • Contain only lowercase alphanumeric characters, '-' or '.'
    • Start with an alphanumeric character
    • End with an alphanumeric character

    See:

    PATH_TO_CERT_FILE
    PATH_TO_KEY_FILE

    Enter the path and filename of the self-signed TLS key and certificate files that you generated previously in Step 6: Create TLS certificates. These files must be located in the APIGEE_HELM_CHARTS_HOME/apigee-virtualhosts/certs directory. For example:

    sslCertPath: certs/keystore.crt
    sslKeyPath: certs/keystore.key

    See:

    SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE

    (Optional) This is a key-value pair that provides annotations for your default ingress service. Your cloud platform uses annotations to help configure your hybrid installation, for example setting the load balancer type to either internal or external.

    Annotations vary from platform to platform. Refer to your platform documentation for required and suggested annotations.

    Note: You do not need to set svcAnnotations if you are creating your own Kubernetes service for ingress deployment as documented in Expose Apigee ingress gateway.

    Comment out or delete this section if you are not using it.

    See ingressGateways[].svcAnnotations.

    <component>_SERVICE_ACCOUNT_FILEPATH

    The path and filename of the service account JSON files in your corresponding chart directory. Provide the names with the path relative to the chart directory. For example:
    • If the my-project-apigee-synchronizer.json file resides in the apigee-env/ chart directory, you only need to provide the file name, such as:
      synchronizer:  "FILE_NAME.json"
    • If the file resides in an apigee-env/service-accounts/ directory, you would specify a relative path:
      synchronizer:  "service-accounts/FILE_NAME.json"

    For non-production environments, the name of the single service account is PROJECT_ID-non-prod.json by default.

    For production environments, this is the name of the service account key file that you generated with the create-service-account tool in Step 4: Create service accounts.

    You can see the service account files in each corresponding chart directory.

    The default names of the service account files and their corresponding chart directories are:

    Production

    Service account file name                     Chart directory
    PROJECT_ID-apigee-cassandra.json              apigee-datastore/
    PROJECT_ID-apigee-mart.json                   apigee-org/
    PROJECT_ID-apigee-metrics.json                apigee-telemetry/
    PROJECT_ID-apigee-mint-task-scheduler.json    apigee-org/
    PROJECT_ID-apigee-runtime.json                apigee-env/
    PROJECT_ID-apigee-synchronizer.json           apigee-env/
    PROJECT_ID-apigee-udca.json                   apigee-org/
    PROJECT_ID-apigee-watcher.json                apigee-org/

    Non-prod

    Service account file name                     Chart directory
    PROJECT_ID-non-prod.json                      apigee-datastore/
                                                  apigee-org/
                                                  apigee-telemetry/

    Note: Both mart and connectAgent use the apigee-mart service account.

    See:

    Example

    instanceID: "my_hybrid_example"
    namespace: "apigee"

    gcp:
      projectID: my-project
      region: us-central1

    k8sCluster:
      name: hybrid-env
      region: us-central1

    org: my-project

    enhanceProxyLimits: true

    contractProvider: https://us-apigee.googleapis.com

    envs:
    - name: prod-env
      serviceAccountPaths:
        synchronizer: "my-project-apigee-synchronizer.json"
        runtime: "my-project-apigee-runtime.json"
        udca: "my-project-apigee-udca.json"

    cassandra:
      hostNetwork: false
      replicaCount: 3
      storage:
        storageSize: 500Gi
      resources:
        requests:
          cpu: 7
          memory: 15Gi
      maxHeapSize: 8192M
      heapNewSize: 1200M

    ingressGateways:
    - name: my-ingress-1
      replicaCountMin: 2
      replicaCountMax: 10

    virtualhosts:
    - name: example-env-group
      selector:
        app: apigee-ingressgateway
        ingress_name: my-ingress-1
      sslCertPath: certs/keystore.pem
      sslKeyPath: certs/keystore.key

    logger:
      enabled: true
      serviceAccountPath: "my-project-apigee-logger.json"

    mart:
      serviceAccountPath: "my-project-apigee-mart.json"

    connectAgent:
      serviceAccountPath: "my-project-apigee-mart.json"

    metrics:
      serviceAccountPath: "my-project-apigee-metrics.json"

    udca:
      serviceAccountPath: "my-project-apigee-udca.json"

    watcher:
      serviceAccountPath: "my-project-apigee-watcher.json"

    runtime:
      # Monetization for Apigee hybrid
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1"
      # For message payloads larger than 10MB:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi

    # Monetization for Apigee hybrid
    mintTaskScheduler:
      serviceAccountPath: "my-project-apigee-mint-task-scheduler.json"
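
An added example, not part of the Apigee documentation or tooling: a pre-install check in Python that applies the rules from the table above (ingress name format, a region rather than a zone for k8sCluster.region, key file paths relative to the chart directory) to an already-parsed overrides file, and reports top-level keys such as runtime that appear more than once. The function names, the component-to-chart map (taken from the template comments) and the owner-only file mode check are assumptions of this example.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# INGRESS_NAME rules from the table: at most 17 characters, lowercase
# alphanumerics, '-' or '.', alphanumeric first and last character.
INGRESS_RE = re.compile(r"^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$")
# A zone is a region plus a one-letter suffix, for example us-central1-a.
ZONE_RE = re.compile(r"^([a-z]+-[a-z]+\d+)-[a-z]$")
# Unindented "key:" lines only; comments and nested keys do not match.
TOP_KEY_RE = re.compile(r"^([A-Za-z_][\w-]*)\s*:")
# Chart directory per component, as given in the template comments.
COMPONENT_CHART = {"mart": "apigee-org", "connectAgent": "apigee-org",
                   "mintTaskScheduler": "apigee-org", "metrics": "apigee-telemetry"}


def duplicate_top_level_keys(yaml_text):
    """Return top-level keys that occur more than once in raw YAML text."""
    keys = [m.group(1) for m in map(TOP_KEY_RE.match, yaml_text.splitlines()) if m]
    return sorted({k for k in keys if keys.count(k) > 1})


def check_ingress_name(name):
    problems = []
    if len(name) > 17:
        problems.append(f"ingress name {name!r} is longer than 17 characters")
    if not INGRESS_RE.match(name):
        problems.append(f"ingress name {name!r} has invalid characters or edges")
    return problems


def check_cluster_location(location):
    m = ZONE_RE.match(location)
    return [f"k8sCluster.region {location!r} is a zone; use {m.group(1)!r}"] if m else []


def check_key_path(chart_dir, rel_path):
    """A serviceAccountPath must be relative to, and stay inside, its chart directory."""
    p = Path(rel_path)
    if p.is_absolute() or ".." in p.parts:
        return [f"{rel_path!r} must be a relative path inside {chart_dir.name}/"]
    target = chart_dir / p
    if not target.is_file():
        return [f"{rel_path!r} not found in {chart_dir.name}/"]
    # Assumption of this example (not stated on the page): keys are owner-only.
    if stat.S_IMODE(target.stat().st_mode) & 0o077:
        return [f"{rel_path!r} is readable by group or others"]
    return []


def validate_overrides(cfg, charts_home):
    """Check a parsed overrides mapping against the chart tree under charts_home."""
    problems = []
    names = [gw.get("name", "") for gw in cfg.get("ingressGateways", [])]
    for n in names:
        problems += check_ingress_name(n)
    for vh in cfg.get("virtualhosts", []):
        ref = vh.get("selector", {}).get("ingress_name")
        if ref not in names:
            problems.append(f"virtualhost {vh.get('name')!r} selects unknown ingress {ref!r}")
    problems += check_cluster_location(cfg.get("k8sCluster", {}).get("region", ""))
    for env in cfg.get("envs", []):
        for rel in env.get("serviceAccountPaths", {}).values():
            problems += check_key_path(charts_home / "apigee-env", rel)
    for comp, chart in COMPONENT_CHART.items():
        rel = cfg.get(comp, {}).get("serviceAccountPath")
        if rel:
            problems += check_key_path(charts_home / chart, rel)
    return problems


def demo():
    """Run the checks on a constructed overrides mapping and a temporary chart tree."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        for chart, name, mode in (("apigee-env", "my-project-apigee-runtime.json", 0o600),
                                  ("apigee-org", "my-project-apigee-mart.json", 0o644)):
            (home / chart).mkdir()
            (home / chart / name).write_text("{}")
            os.chmod(home / chart / name, mode)
        cfg = {  # constructed sample, shaped like the page's example file
            "k8sCluster": {"name": "hybrid-env", "region": "us-central1-a"},
            "ingressGateways": [{"name": "My-Ingress-Gateway-01"}],
            "virtualhosts": [{"name": "example-env-group",
                              "selector": {"ingress_name": "my-ingress-1"}}],
            "envs": [{"name": "prod-env", "serviceAccountPaths": {
                "runtime": "my-project-apigee-runtime.json",
                "synchronizer": "../secrets/sync.json"}}],
            "mart": {"serviceAccountPath": "my-project-apigee-mart.json"},
        }
        return validate_overrides(cfg, home)


if __name__ == "__main__":
    for problem in demo():
        print(problem)
```

Run duplicate_top_level_keys on the raw file text before parsing it, because a YAML loader that accepts repeated keys keeps only one of them.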


    Non-prod

    Template

    Values in red, bold italics are property values that you must provide. You can edit their values on this page. They are described in the table below.

    instanceID: UNIQUE_INSTANCE_IDENTIFIER
    namespace: APIGEE_NAMESPACE # Usually "apigee"

    gcp:
      projectID: PROJECT_ID
      region: ANALYTICS_REGION

    k8sCluster:
      name: CLUSTER_NAME
      region: CLUSTER_LOCATION # Closest Google Cloud region to your cluster.

    org: ORG_NAME

    # Required for Enhanced per-environment proxy limits:
    enhanceProxyLimits: true

    # Required if using data residency with hybrid:
    contractProvider: https://CONTROL_PLANE_LOCATION-apigee.googleapis.com

    envs:
    - name: ENVIRONMENT_NAME
      serviceAccountPaths:
        # Provide the path relative to the apigee-env chart directory.
        synchronizer: NON_PROD_SERVICE_ACCOUNT_FILEPATH
          # For example: "PROJECT_ID-apigee-non-prod.json"
        runtime: NON_PROD_SERVICE_ACCOUNT_FILEPATH
          # For example: "PROJECT_ID-apigee-non-prod.json"
        udca: NON_PROD_SERVICE_ACCOUNT_FILEPATH
          # For example: "PROJECT_ID-apigee-non-prod.json"

    cassandra:
      hostNetwork: false
        # Set to false for single region installations and for multi-region
        # installations with connectivity between pods in different clusters,
        # like GKE.
        # Set to true for multi-region installations with no communication
        # between pods in different clusters, for example Google Distributed
        # Cloud on VMware or bare metal, GKE on AWS, AKS, EKS, and OpenShift.
        # See Multi-region deployment: Prerequisites
      replicaCount: 1
        # Use 1 for non-prod installations and multiples of 3 for production.
        # See Configure Cassandra for production for guidelines.

    ingressGateways:
    - name: INGRESS_NAME # maximum 17 characters.
      replicaCountMin: 2
      replicaCountMax: 10
      svcAnnotations:  # optional. If you are on AKS, see Known issue #260772383
        SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE

    virtualhosts:
    - name: ENVIRONMENT_GROUP_NAME
      selector:
        app: apigee-ingressgateway
        ingress_name: INGRESS_NAME
      sslCertPath: PATH_TO_CERT_FILE
      sslKeyPath: PATH_TO_KEY_FILE

    mart:
      serviceAccountPath: NON_PROD_SERVICE_ACCOUNT_FILEPATH
        # Provide the path relative to the apigee-org chart directory.
        # For example: "PROJECT_ID-apigee-non-prod.json"

    connectAgent:
      serviceAccountPath: NON_PROD_SERVICE_ACCOUNT_FILEPATH
        # Use the same service account for mart and connectAgent
        # Provide the path relative to the apigee-org chart directory.
        # For example: "PROJECT_ID-apigee-non-prod.json"

    logger:
      enabled: true
        # enabled by default
        # See apigee-logger in Service accounts and roles used by hybrid components.
      serviceAccountPath: NON_PROD_SERVICE_ACCOUNT_FILEPATH
        # Provide the path relative to the apigee-telemetry chart directory.
        # For example: "PROJECT_ID-apigee-non-prod.json"

    metrics:
      serviceAccountPath: NON_PROD_SERVICE_ACCOUNT_FILEPATH
        # Provide the path relative to the apigee-telemetry chart directory.
        # For example: "PROJECT_ID-apigee-non-prod.json"

    udca:
      serviceAccountPath: NON_PROD_SERVICE_ACCOUNT_FILEPATH
        # Provide the path relative to the apigee-telemetry chart directory.
        # For example: "PROJECT_ID-apigee-non-prod.json"

    watcher:
      serviceAccountPath: NON_PROD_SERVICE_ACCOUNT_FILEPATH
        # Provide the path relative to the apigee-telemetry chart directory.
        # For example: "PROJECT_ID-apigee-non-prod.json"

    # Required if using Monetization for Apigee hybrid (v1.15.1 and later)
    runtime:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1" # Must be 1.15.1 or higher.
    mintTaskScheduler: # Required for Monetization for Apigee hybrid
      serviceAccountPath: NON_PROD_SERVICE_ACCOUNT_FILEPATH
        # Provide the path relative to the apigee-org chart directory.
        # For example: "PROJECT_ID-apigee-non-prod.json"

    # If using message payloads larger than 10MB.
    # See configure large message payload support:
    # If you also keep the runtime.image block above, place these keys under
    # that same runtime: block. A YAML mapping must not repeat a key.
    runtime:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi


    Example

    instanceID: "my_hybrid_example"
    namespace: "apigee"

    gcp:
      projectID: my-project
      region: us-central1

    k8sCluster:
      name: hybrid-env
      region: us-central1

    org: my-project

    enhanceProxyLimits: true

    contractProvider: https://us-apigee.googleapis.com

    envs:
    - name: test
      serviceAccountPaths:
        synchronizer: "hybrid-example-apigee-non-prod.json"
        runtime: "hybrid-example-apigee-non-prod.json"
        udca: "hybrid-example-apigee-non-prod.json"

    cassandra:
      hostNetwork: false
      replicaCount: 1

    ingressGateways:
    - name: my-ingress-1
      replicaCountMin: 2
      replicaCountMax: 10

    virtualhosts:
    - name: example-env-group
      selector:
        app: apigee-ingressgateway
        ingress_name: my-ingress-1
      sslCertPath: certs/keystore.pem
      sslKeyPath: certs/keystore.key

    mart:
      serviceAccountPath: "my-project-apigee-non-prod.json"

    connectAgent:
      serviceAccountPath: "my-project-apigee-non-prod.json"

    logger:
      enabled: true
      serviceAccountPath: "my-project-apigee-non-prod.json"

    metrics:
      serviceAccountPath: "my-project-apigee-non-prod.json"

    udca:
      serviceAccountPath: "my-project-apigee-non-prod.json"

    watcher:
      serviceAccountPath: "my-project-apigee-non-prod.json"

    runtime:
      # Monetization for Apigee hybrid
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1"
      # For message payloads larger than 10MB:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi

    # Monetization for Apigee hybrid
    mintTaskScheduler:
      serviceAccountPath: "my-project-apigee-non-prod.json"

    The following table describes each of the property values that you must provide in the overrides file. For more information, see Configuration property reference.

    Variable    Description

    UNIQUE_INSTANCE_IDENTIFIER

    A unique string to identify this instance. This can be any combination of letters and numbers up to 63 characters.

    Note: You can create multiple organizations in the same cluster, but the instanceID must be the same for all orgs in the same Kubernetes cluster. For multi-region installations, each region requires its own cluster (individual clusters do not span regions).

    See instanceID.

    APIGEE_NAMESPACE

    The Kubernetes namespace for your Apigee hybrid components.

    The default value is apigee.

    See namespace.

    PROJECT_ID

    Identifies the Google Cloud project where the apigee-logger and the apigee-metrics push their data. This is the value assigned to the environment variable PROJECT_ID.

    See gcp.projectID.

    ANALYTICS_REGION

    In GKE, you must set this value to the same region where the cluster is running. In all other platforms, select the closest analytics region to your cluster that has Analytics support (see the table in Part 1, Step 2: Create an organization).

    This is the value you assigned to the environment variable ANALYTICS_REGION previously.

    See gcp.region.

    CLUSTER_NAME

    Your Kubernetes cluster name. This is the value assigned to the environment variable CLUSTER_NAME.

    See k8sCluster.name.

    CLUSTER_LOCATION

    The region where the cluster is running. This is the region where you created the cluster in Step 1: Create a cluster.

    This is the value you assigned to the environment variable CLUSTER_LOCATION previously.

    If you are working with zonal clusters, you must specify the region in which your cluster was created. For example, if you created your cluster in the us-central1-a zone, specify us-central1 for the CLUSTER_LOCATION.

    See k8sCluster.location.

    ORG_NAME

    The ID of your Apigee hybrid organization. This is the value assigned to the environment variable ORG_NAME.

    See org.

    CONTROL_PLANE_LOCATION

    Required if you are using Data residency with your Apigee hybrid installation. This is the location where customer core content like proxy bundles is stored. For a list, see Available Apigee API control plane regions. It is the value assigned to the CONTROL_PLANE_LOCATION environment variable in Step 2: Create an organization.

    See contractProvider.

    ENVIRONMENT_NAME

    Use the same name that you used when you created an environment in the UI, as explained in Project and org setup - Step 3: Create an environment group.

    See envs[].name.

    ENVIRONMENT_GROUP_NAME

    The name of the environment group your environments are assigned to. This is the group you created in Project and org setup - Step 3: Create an environment group. This is the value assigned to the environment variable ENV_GROUP.

    Note: If you wish to place cluster instances in multiple regions, you must be careful about how you define your environments and virtual hosts. If you have one or more environments attached to an environment group, you must include that same environment group configuration in each cluster instance's overrides file.

    See virtualhosts[].name.

    INGRESS_NAME

    The name of the Apigee ingress gateway for your deployment. This can be any name that meets the following requirements:
    • Have a maximum length of 17 characters
    • Contain only lowercase alphanumeric characters, '-' or '.'
    • Start with an alphanumeric character
    • End with an alphanumeric character

    See:

    PATH_TO_CERT_FILE
    PATH_TO_KEY_FILE

    Enter the path and filename of the self-signed TLS key and certificate files that you generated previously in Step 6: Create TLS certificates. These files must be located in the APIGEE_HELM_CHARTS_HOME/apigee-virtualhosts/certs directory. For example:
      sslCertPath: certs/keystore.crt
      sslKeyPath: certs/keystore.key

    See:

    SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE

    (Optional). This is a key-value pair that provides annotations for your default ingress service. Your cloud platform uses annotations to help configure your hybrid installation, for example setting the load balancer type to either internal or external.

    Annotations vary from platform to platform. Refer to your platform documentation for required and suggested annotations.

    Note: You do not need to set svcAnnotations if you are creating your own Kubernetes service for ingress deployment as documented in Expose Apigee ingress gateway.

    Comment out or delete this section if you are not using it.

    See ingressGateways[].svcAnnotations.

    <component>_SERVICE_ACCOUNT_FILEPATH

    The path and filename of the service account JSON files in your corresponding chart directory. Provide the names with the path relative to the chart directory. For example:
    • If the my-project-apigee-synchronizer.json file resides in the apigee-env/ chart directory, you only need to provide the file name, such as:
      synchronizer:  "FILE_NAME.json"
    • If the file resides in an apigee-env/service-accounts/ directory, you would specify a relative path:
      synchronizer:  "service-accounts/FILE_NAME.json"

    For non-production environments, the name of the single service account is PROJECT_ID-non-prod.json by default.

    For production environments, use the name of the service account key file that you generated with the create-service-account tool in Step 4: Create service accounts.

    You can see the service account files in each corresponding chart directory.

    The default names of the service account files and their corresponding chart directories are:

    Production

    Service account file name                    Chart directory
    PROJECT_ID-apigee-cassandra.json             apigee-datastore/
    PROJECT_ID-apigee-mart.json                  apigee-org/
    PROJECT_ID-apigee-metrics.json               apigee-telemetry/
    PROJECT_ID-apigee-mint-task-scheduler.json   apigee-org/
    PROJECT_ID-apigee-runtime.json               apigee-env/
    PROJECT_ID-apigee-synchronizer.json          apigee-env/
    PROJECT_ID-apigee-udca.json                  apigee-org/
    PROJECT_ID-apigee-watcher.json               apigee-org/

    Non-prod

    Service account file name                    Chart directory
    PROJECT_ID-non-prod.json                     apigee-datastore/
                                                 apigee-org/
                                                 apigee-telemetry/

    Note: Both mart and connectAgent use the apigee-mart service account.

    See:

    Vault

    Production

    Template

    The uppercase placeholder values are property values that you must provide. They are described in the table below.

    instanceID: UNIQUE_INSTANCE_IDENTIFIER
    namespace: APIGEE_NAMESPACE # Usually "apigee"
    gcp:
      projectID: PROJECT_ID
      region: ANALYTICS_REGION
    k8sCluster:
      name: CLUSTER_NAME
      region: CLUSTER_LOCATION # Closest Google Cloud region to your cluster.
    org: ORG_NAME
    serviceAccountSecretProviderClass: apigee-orgsakeys-spc
    # Required for Enhanced per-environment proxy limits:
    enhanceProxyLimits: true
    # Required if using data residency with hybrid:
    contractProvider: https://CONTROL_PLANE_LOCATION-apigee.googleapis.com
    envs:
    - name: ENVIRONMENT_NAME
      serviceAccountSecretProviderClass: apigee-envsakeys-ENVIRONMENT_NAME-spc
    cassandra:
      hostNetwork: false
        # Set to false for single region installations and for multi-region
        # installations with connectivity between pods in different clusters,
        # like GKE.
        # Set to true for multi-region installations with no communication
        # between pods in different clusters, for example Google Distributed
        # Cloud on VMware or bare metal, GKE on AWS, AKS, EKS, and OpenShift.
        # See Multi-region deployment: Prerequisites
      replicaCount: 3
        # Use multiples of 3 for production.
        # See Configure Cassandra for production for guidelines.
      storage:
        storageSize: 500Gi
      resources:
        requests:
          cpu: 7
          memory: 15Gi
      maxHeapSize: 8192M
      heapNewSize: 1200M
        # Minimum storage requirements for a production environment.
        # See Configure Cassandra for production.
    ingressGateways:
    - name: INGRESS_NAME # maximum 17 characters.
      replicaCountMin: 2
      replicaCountMax: 10
      svcAnnotations:  # optional. If you are on AKS, see Known issue #260772383
        SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE
    virtualhosts:
    - name: ENVIRONMENT_GROUP_NAME
      selector:
        app: apigee-ingressgateway
        ingress_name: INGRESS_NAME
      sslCertPath: PATH_TO_CERT_FILE
      sslKeyPath: PATH_TO_KEY_FILE
    logger:
      enabled: true
        # enabled by default
        # See apigee-logger in Service accounts and roles used by hybrid components.
    # Keep all runtime settings under a single runtime: key.
    runtime:
      # Required if using Monetization for Apigee hybrid (v1.15.1 and later)
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1" # Must be 1.15.1 or higher.
      # If using message payloads larger than 10MB.
      # See configure large message payload support:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi

    The following table describes each of the property values that you must provide in the overrides file. For more information, see Configuration property reference.

    Variable    Description

    UNIQUE_INSTANCE_IDENTIFIER

    A unique string to identify this instance. This can be any combination of letters and numbers up to 63 characters.

    Note: You can create multiple organizations in the same cluster, but the instanceID must be the same for all orgs in the same Kubernetes cluster. For multi-region installations, each region requires its own cluster (individual clusters do not span regions).

    See instanceID.

    APIGEE_NAMESPACE

    The Kubernetes namespace for your Apigee hybrid components.

    The default value is apigee.

    See namespace.

    PROJECT_ID

    Identifies the Google Cloud project where the apigee-logger and the apigee-metrics push their data. This is the value assigned to the environment variable PROJECT_ID.

    See gcp.projectID.

    ANALYTICS_REGION

    In GKE, you must set this value to the same region where the cluster is running. In all other platforms, select the closest analytics region to your cluster that has Analytics support (see the table in Part 1, Step 2: Create an organization).

    This is the value you assigned to the environment variable ANALYTICS_REGION previously.

    See gcp.region.

    CLUSTER_NAME

    Your Kubernetes cluster name. This is the value assigned to the environment variable CLUSTER_NAME.

    See k8sCluster.name.

    CLUSTER_LOCATION

    The region where the cluster is running. This is the region where you created the cluster in Step 1: Create a cluster.

    This is the value you assigned to the environment variable CLUSTER_LOCATION previously.

    If you are working with zonal clusters, you must specify the region in which your cluster was created. For example, if you created your cluster in the us-central1-a zone, specify us-central1 for the CLUSTER_LOCATION.

    See k8sCluster.location.

    ORG_NAME

    The ID of your Apigee hybrid organization. This is the value assigned to the environment variable ORG_NAME.

    See org.

    CONTROL_PLANE_LOCATION

    Required if you are using Data residency with your Apigee hybrid installation. This is the location where customer core content like proxy bundles is stored. For a list, see Available Apigee API control plane regions. It is the value assigned to the CONTROL_PLANE_LOCATION environment variable in Step 2: Create an organization.

    See contractProvider.

    ENVIRONMENT_NAME

    Use the same name that you used when you created an environment in the UI, as explained in Project and org setup - Step 3: Create an environment group.

    See envs[].name.

    ENVIRONMENT_GROUP_NAME

    The name of the environment group your environments are assigned to. This is the group you created in Project and org setup - Step 3: Create an environment group. This is the value assigned to the environment variable ENV_GROUP.

    Note: If you wish to place cluster instances in multiple regions, you must be careful about how you define your environments and virtual hosts. If you have one or more environments attached to an environment group, you must include that same environment group configuration in each cluster instance's overrides file.

    See virtualhosts[].name.

    INGRESS_NAME

    The name of the Apigee ingress gateway for your deployment. This can be any name that meets the following requirements:
    • Have a maximum length of 17 characters
    • Contain only lowercase alphanumeric characters, '-' or '.'
    • Start with an alphanumeric character
    • End with an alphanumeric character

    See:

    PATH_TO_CERT_FILE
    PATH_TO_KEY_FILE

    Enter the path and filename of the self-signed TLS key and certificate files that you generated previously in Step 6: Create TLS certificates. These files must be located in the APIGEE_HELM_CHARTS_HOME/apigee-virtualhosts/certs directory. For example:
      sslCertPath: certs/keystore.crt
      sslKeyPath: certs/keystore.key

    See:

    SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE

    (Optional). This is a key-value pair that provides annotations for your default ingress service. Your cloud platform uses annotations to help configure your hybrid installation, for example setting the load balancer type to either internal or external.

    Annotations vary from platform to platform. Refer to your platform documentation for required and suggested annotations.

    Note: You do not need to set svcAnnotations if you are creating your own Kubernetes service for ingress deployment as documented in Expose Apigee ingress gateway.

    Comment out or delete this section if you are not using it.

    See ingressGateways[].svcAnnotations.
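
    The constraints in the table above can be checked before the overrides file is handed to Helm. The following is an added example, not part of the Apigee documentation or tooling: a Python pre-flight check that takes the raw file text and an already parsed overrides mapping. The function names, finding messages and sample values are this example's own, and accepting a contractProvider host without a location prefix is an assumption.

```python
import re

# Constraints come from the property table; names and messages are this example's own.
INGRESS_NAME_RE = re.compile(r"^[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?$")
ZONE_SUFFIX_RE = re.compile(r"\d-[a-z]$")  # e.g. us-central1-a
# Assumption: the host may also appear without a CONTROL_PLANE_LOCATION prefix.
CONTRACT_PROVIDER_RE = re.compile(r"^https://(?:[a-z0-9-]+-)?apigee\.googleapis\.com$")
TOP_LEVEL_KEY_RE = re.compile(r"^([A-Za-z_][\w-]*):")


def duplicate_top_level_keys(yaml_text):
    """Return top-level keys that occur more than once in the raw file text.

    A YAML mapping cannot hold one key twice, so a repeated stanza (for
    example a second runtime: block) is either rejected or silently dropped.
    """
    seen, dupes = set(), []
    for line in yaml_text.splitlines():
        match = TOP_LEVEL_KEY_RE.match(line)
        if not match:
            continue
        key = match.group(1)
        if key in seen and key not in dupes:
            dupes.append(key)
        seen.add(key)
    return dupes


def check_overrides(cfg, production=False):
    """Check a parsed overrides mapping and return a list of findings."""
    findings = []

    if not 1 <= len(str(cfg.get("instanceID", ""))) <= 63:
        findings.append("instanceID must be 1-63 characters")

    region = cfg.get("k8sCluster", {}).get("region", "")
    if ZONE_SUFFIX_RE.search(region):
        findings.append(f"k8sCluster.region '{region}' is a zone; use '{region[:-2]}'")

    provider = cfg.get("contractProvider")
    if provider is not None and not CONTRACT_PROVIDER_RE.match(provider):
        findings.append(f"contractProvider '{provider}' is not an Apigee control plane URL")

    replicas = cfg.get("cassandra", {}).get("replicaCount")
    if production and (not isinstance(replicas, int) or replicas < 3 or replicas % 3):
        findings.append("cassandra.replicaCount must be a multiple of 3 for production")

    gateways = set()
    for gateway in cfg.get("ingressGateways", []):
        name = gateway.get("name", "")
        gateways.add(name)
        if len(name) > 17 or not INGRESS_NAME_RE.match(name):
            findings.append(f"ingressGateways name '{name}' breaks the naming rules")

    for vhost in cfg.get("virtualhosts", []):
        ref = vhost.get("selector", {}).get("ingress_name")
        if ref not in gateways:
            findings.append(f"virtualhosts '{vhost.get('name')}' selects unknown ingress '{ref}'")
        for field in ("sslCertPath", "sslKeyPath"):
            path = vhost.get(field, "")
            if not path.startswith("certs/") or ".." in path.split("/"):
                findings.append(f"{field} '{path}' is not under apigee-virtualhosts/certs")
    return findings


# Constructed sample input (not taken from a real installation).
SAMPLE_TEXT = """\
instanceID: "my_hybrid_example"
runtime:
  image:
    tag: "1.15.1"
runtime:
  cwcAppend:
    bin_setenv_max_mem: 4096m
"""
SAMPLE_CFG = {
    "instanceID": "my_hybrid_example",
    "k8sCluster": {"name": "hybrid-env", "region": "us-central1-a"},
    "contractProvider": "https://us-apigee.googleapis.com",
    "cassandra": {"hostNetwork": False, "replicaCount": 1},
    "ingressGateways": [{"name": "My-Ingress-Gateway-1"}],
    "virtualhosts": [{
        "name": "example-env-group",
        "selector": {"app": "apigee-ingressgateway", "ingress_name": "my-ingress-1"},
        "sslCertPath": "certs/keystore.pem",
        "sslKeyPath": "/etc/keys/keystore.key",
    }],
}

if __name__ == "__main__":
    for key in duplicate_top_level_keys(SAMPLE_TEXT):
        print(f"duplicate top-level key: {key}")
    for finding in check_overrides(SAMPLE_CFG, production=True):
        print(finding)
```

    In practice the mapping would come from a YAML parser; the duplicate-key scan runs on the raw text because a parser has already discarded or rejected the repeated stanza by the time it returns.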

    Example

    instanceID: "my_hybrid_example"
    namespace: "apigee"
    gcp:
      projectID: my-project
      region: us-central1
    k8sCluster:
      name: hybrid-env
      region: us-central1
    org: my-project
    serviceAccountSecretProviderClass: apigee-orgsakeys-spc
    enhanceProxyLimits: true
    contractProvider: https://us-apigee.googleapis.com
    envs:
    - name: prod-env
      serviceAccountSecretProviderClass: apigee-envsakeys-prod-env-spc
    cassandra:
      hostNetwork: false
      replicaCount: 3
      storage:
        storageSize: 500Gi
      resources:
        requests:
          cpu: 7
          memory: 15Gi
      maxHeapSize: 8192M
      heapNewSize: 1200M
    ingressGateways:
    - name: my-ingress-1
      replicaCountMin: 2
      replicaCountMax: 10
    virtualhosts:
    - name: example-env-group
      selector:
        app: apigee-ingressgateway
        ingress_name: my-ingress-1
      sslCertPath: certs/keystore.pem
      sslKeyPath: certs/keystore.key
    logger:
      enabled: true
    # Keep all runtime settings under a single runtime: key.
    runtime:
      # Monetization for Apigee hybrid
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1"
      # For message payloads larger than 10MB:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi

    Non-prod

    Template

    The uppercase placeholder values are property values that you must provide. They are described in the table below.

    instanceID: UNIQUE_INSTANCE_IDENTIFIER
    namespace: APIGEE_NAMESPACE # Usually "apigee"
    gcp:
      projectID: PROJECT_ID
      region: ANALYTICS_REGION
    k8sCluster:
      name: CLUSTER_NAME
      region: CLUSTER_LOCATION # Closest Google Cloud region to your cluster.
    org: ORG_NAME
    serviceAccountSecretProviderClass: apigee-orgsakeys-spc
    # Required for Enhanced per-environment proxy limits:
    enhanceProxyLimits: true
    # Required if using data residency with hybrid:
    contractProvider: https://CONTROL_PLANE_LOCATION-apigee.googleapis.com
    envs:
    - name: ENVIRONMENT_NAME
      serviceAccountSecretProviderClass: apigee-envsakeys-ENVIRONMENT_NAME-spc
    cassandra:
      hostNetwork: false
        # Set to false for single region installations and for multi-region
        # installations with connectivity between pods in different clusters,
        # like GKE.
        # Set to true for multi-region installations with no communication
        # between pods in different clusters, for example Google Distributed
        # Cloud on VMware or bare metal, GKE on AWS, AKS, EKS, and OpenShift.
        # See Multi-region deployment: Prerequisites
      replicaCount: 1
        # Use 1 for non-prod installations and multiples of 3 for production.
        # See Configure Cassandra for production for guidelines.
    ingressGateways:
    - name: INGRESS_NAME # maximum 17 characters.
      replicaCountMin: 2
      replicaCountMax: 10
      svcAnnotations:  # optional. If you are on AKS, see Known issue #260772383
        SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE
    virtualhosts:
    - name: ENVIRONMENT_GROUP_NAME
      selector:
        app: apigee-ingressgateway
        ingress_name: INGRESS_NAME
      sslCertPath: PATH_TO_CERT_FILE
      sslKeyPath: PATH_TO_KEY_FILE
    logger:
      enabled: true
        # enabled by default
        # See apigee-logger in Service accounts and roles used by hybrid components.
    # Keep all runtime settings under a single runtime: key.
    runtime:
      # Required if using Monetization for Apigee hybrid (v1.15.1 and later)
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1" # Must be 1.15.1 or higher.
      # If using message payloads larger than 10MB.
      # See configure large message payload support:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi

    The following table describes each of the property values that you must provide in the overrides file. For more information, see Configuration property reference.

    Variable    Description

    UNIQUE_INSTANCE_IDENTIFIER

    A unique string to identify this instance. This can be any combination of letters and numbers up to 63 characters.

    Note: You can create multiple organizations in the same cluster, but the instanceID must be the same for all orgs in the same Kubernetes cluster. For multi-region installations, each region requires its own cluster (individual clusters do not span regions).

    See instanceID.

    APIGEE_NAMESPACE

    The Kubernetes namespace for your Apigee hybrid components.

    The default value is apigee.

    See namespace.

    PROJECT_ID

    Identifies the Google Cloud project where the apigee-logger and the apigee-metrics push their data. This is the value assigned to the environment variable PROJECT_ID.

    See gcp.projectID.

    ANALYTICS_REGION

    In GKE, you must set this value to the same region where the cluster is running. In all other platforms, select the closest analytics region to your cluster that has Analytics support (see the table in Part 1, Step 2: Create an organization).

    This is the value you assigned to the environment variable ANALYTICS_REGION previously.

    See gcp.region.

    CLUSTER_NAME

    Your Kubernetes cluster name. This is the value assigned to the environment variable CLUSTER_NAME.

    See k8sCluster.name.

    CLUSTER_LOCATION

    The region where the cluster is running. This is the region where you created the cluster in Step 1: Create a cluster.

    This is the value you assigned to the environment variable CLUSTER_LOCATION previously.

    If you are working with zonal clusters, you must specify the region in which your cluster was created. For example, if you created your cluster in the us-central1-a zone, specify us-central1 for the CLUSTER_LOCATION.

    See k8sCluster.location.

    ORG_NAME

    The ID of your Apigee hybrid organization. This is the value assigned to the environment variable ORG_NAME.

    See org.

    CONTROL_PLANE_LOCATION

    Required if you are using Data residency with your Apigee hybrid installation. This is the location where customer core content like proxy bundles is stored. For a list, see Available Apigee API control plane regions. It is the value assigned to the CONTROL_PLANE_LOCATION environment variable in Step 2: Create an organization.

    See contractProvider.

    ENVIRONMENT_NAME

    Use the same name that you used when you created an environment in the UI, as explained in Project and org setup - Step 3: Create an environment group.

    See envs[].name.

    ENVIRONMENT_GROUP_NAME

    The name of the environment group your environments are assigned to. This is the group you created in Project and org setup - Step 3: Create an environment group. This is the value assigned to the environment variable ENV_GROUP.

    Note: If you wish to place cluster instances in multiple regions, you must be careful about how you define your environments and virtual hosts. If you have one or more environments attached to an environment group, you must include that same environment group configuration in each cluster instance's overrides file.

    See virtualhosts[].name.

    INGRESS_NAME

    The name of the Apigee ingress gateway for your deployment. This can be any name that meets the following requirements:
    • Have a maximum length of 17 characters
    • Contain only lowercase alphanumeric characters, '-' or '.'
    • Start with an alphanumeric character
    • End with an alphanumeric character

    See:

    PATH_TO_CERT_FILE
    PATH_TO_KEY_FILE

    Enter the path and filename of the self-signed TLS key and certificate files that you generated previously in Step 6: Create TLS certificates. These files must be located in the APIGEE_HELM_CHARTS_HOME/apigee-virtualhosts/certs directory. For example:
      sslCertPath: certs/keystore.crt
      sslKeyPath: certs/keystore.key

    See:

    SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE

    (Optional). This is a key-value pair that provides annotations for your default ingress service. Your cloud platform uses annotations to help configure your hybrid installation, for example setting the load balancer type to either internal or external.

    Annotations vary from platform to platform. Refer to your platform documentation for required and suggested annotations.

    Note: You do not need to set svcAnnotations if you are creating your own Kubernetes service for ingress deployment as documented in Expose Apigee ingress gateway.

    Comment out or delete this section if you are not using it.

    See ingressGateways[].svcAnnotations.

    Example

    instanceID: "my_hybrid_example"
    namespace: "apigee"
    gcp:
      projectID: my-project
      region: us-central1
    k8sCluster:
      name: hybrid-env
      region: us-central1
    org: my-project
    serviceAccountSecretProviderClass: apigee-orgsakeys-spc
    enhanceProxyLimits: true
    contractProvider: https://us-apigee.googleapis.com
    envs:
    - name: test
      serviceAccountSecretProviderClass: apigee-envsakeys-test-env-spc
    cassandra:
      hostNetwork: false
      replicaCount: 1
    ingressGateways:
    - name: my-ingress-1
      replicaCountMin: 2
      replicaCountMax: 10
    virtualhosts:
    - name: example-env-group
      selector:
        app: apigee-ingressgateway
        ingress_name: my-ingress-1
      sslCertPath: certs/keystore.pem
      sslKeyPath: certs/keystore.key
    logger:
      enabled: true
    # Keep all runtime settings under a single runtime: key.
    runtime:
      # Monetization for Apigee hybrid
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1"
      # For message payloads larger than 10MB:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi

    WIF for GKE

    Production

    Template

    Values in red, bold italics are property values that you must provide. They are described in the table below.

    instanceID: UNIQUE_INSTANCE_IDENTIFIER
    namespace: APIGEE_NAMESPACE # Usually "apigee"
    gcp:
      projectID: PROJECT_ID
      region: ANALYTICS_REGION
      workloadIdentity:
        enabled: true
    k8sCluster:
      name: CLUSTER_NAME
      region: CLUSTER_LOCATION # Closest Google Cloud region to your cluster.
    org: ORG_NAME
    # Required for Enhanced per-environment proxy limits:
    enhanceProxyLimits: true
    # Required if using data residency with hybrid:
    contractProvider: https://CONTROL_PLANE_LOCATION-apigee.googleapis.com
    envs:
    - name: ENVIRONMENT_NAME
      gsa:
        synchronizer: SYNCHRONIZER_SERVICE_ACCOUNT_EMAIL
          # For example: "apigee-synchronizer@PROJECT_ID.iam.gserviceaccount.com"
        runtime: RUNTIME_SERVICE_ACCOUNT_EMAIL
          # For example: "apigee-runtime@PROJECT_ID.iam.gserviceaccount.com"
        udca: UDCA_SERVICE_ACCOUNT_EMAIL
          # For example: "apigee-udca@PROJECT_ID.iam.gserviceaccount.com"
    cassandra:
      hostNetwork: false
        # Set to false for single region installations and for multi-region
        # installations with connectivity between pods in different clusters,
        # like GKE.
        # Set to true for multi-region installations with no communication
        # between pods in different clusters, for example Google Distributed
        # Cloud on VMware or bare metal, GKE on AWS, AKS, EKS, and OpenShift.
        # See Multi-region deployment: Prerequisites
      replicaCount: 3
        # Use multiples of 3 for production.
        # See Configure Cassandra for production for guidelines.
      storage:
        storageSize: 500Gi
      resources:
        requests:
          cpu: 7
          memory: 15Gi
      maxHeapSize: 8192M
      heapNewSize: 1200M
        # Minimum storage requirements for a production environment.
        # See Configure Cassandra for production.
      backup:
        enabled: true # Required to create the Cassandra Kubernetes service accounts
                      # for Workload Identity Federation for GKE
                      # See Cassandra backup overview.
    ingressGateways:
    - name: INGRESS_NAME # maximum 17 characters.
      replicaCountMin: 2
      replicaCountMax: 10
      svcAnnotations:  # optional. If you are on AKS, see Known issue #260772383
        SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE
    virtualhosts:
    - name: ENVIRONMENT_GROUP_NAME
      selector:
        app: apigee-ingressgateway
        ingress_name: INGRESS_NAME
      sslCertPath: PATH_TO_CERT_FILE
      sslKeyPath: PATH_TO_KEY_FILE
    mart:
      gsa: MART_SERVICE_ACCOUNT_EMAIL
        # For example: "apigee-mart@PROJECT_ID.iam.gserviceaccount.com"
    connectAgent:
      gsa: MART_SERVICE_ACCOUNT_EMAIL
        # Use the same service account email for mart and connectAgent
        # For example: "apigee-mart@PROJECT_ID.iam.gserviceaccount.com"
    logger:
      enabled: true
        # enabled by default
        # See apigee-logger in Service accounts and roles used by hybrid components.
      gsa: LOGGER_SERVICE_ACCOUNT_EMAIL
        # For example: "apigee-logger@PROJECT_ID.iam.gserviceaccount.com"
    metrics:
      gsa: METRICS_SERVICE_ACCOUNT_EMAIL
        # For example: "apigee-metrics@PROJECT_ID.iam.gserviceaccount.com"
    udca:
      gsa: UDCA_SERVICE_ACCOUNT_EMAIL
        # For example: "apigee-udca@PROJECT_ID.iam.gserviceaccount.com"
    watcher:
      gsa: WATCHER_SERVICE_ACCOUNT_EMAIL
        # For example: "apigee-watcher@PROJECT_ID.iam.gserviceaccount.com"
    # Required if using Monetization for Apigee hybrid (v1.15.1 and later)
    runtime:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1" # Must be 1.15.1 or higher.
    mintTaskScheduler: # Required for Monetization for Apigee hybrid
      gsa: MINT_TASK_SCHEDULER_SERVICE_ACCOUNT_EMAIL
        # For example: "apigee-mint-task-scheduler@PROJECT_ID.iam.gserviceaccount.com"
    # If using message payloads larger than 10MB.
    # See configure large message payload support:
    # If you also set runtime.image above, put cwcAppend and resources under that
    # same runtime: block; a YAML mapping key may appear only once.
    runtime:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi

    The following table describes each of the property values that you must provide in the overrides file. For more information, see Configuration property reference.

    Variable | Description

    UNIQUE_INSTANCE_IDENTIFIER
    A unique string to identify this instance. This can be any combination of letters and numbers up to 63 characters.

    Note: You can create multiple organizations in the same cluster, but the instanceID must be the same for all orgs in the same Kubernetes cluster. For multi-region installations, each region requires its own cluster (individual clusters do not span regions).

    See instanceID.

    APIGEE_NAMESPACE
    The Kubernetes namespace for your Apigee hybrid components.

    The default value is apigee.

    See namespace.

    PROJECT_ID
    Identifies the Google Cloud project where the apigee-logger and the apigee-metrics push their data. This is the value assigned to the environment variable PROJECT_ID.

    See gcp.projectID.

    ANALYTICS_REGION
    In GKE, you must set this value to the same region where the cluster is running. In all other platforms, select the closest analytics region to your cluster that has Analytics support (see the table in Part 1, Step 2: Create an organization).

    This is the value you assigned to the environment variable ANALYTICS_REGION previously.

    See gcp.region.

    CLUSTER_NAME
    Your Kubernetes cluster name. This is the value assigned to the environment variable CLUSTER_NAME.

    See k8sCluster.name.

    CLUSTER_LOCATION
    The region where the cluster is running. This is the region where you created the cluster in Step 1: Create a cluster.

    This is the value you assigned to the environment variable CLUSTER_LOCATION previously.

    If you are working with zonal clusters, you must specify the region in which your cluster was created. For example, if you created your cluster in the us-central1-a zone, specify us-central1 for the CLUSTER_LOCATION.

    See k8sCluster.location.

    ORG_NAME
    The ID of your Apigee hybrid organization. This is the value assigned to the environment variable ORG_NAME.

    See org.

    CONTROL_PLANE_LOCATION
    Required if you are using Data residency with your Apigee hybrid installation. This is the location where customer core content like proxy bundles is stored. For a list, see Available Apigee API control plane regions. It is the value assigned to the CONTROL_PLANE_LOCATION environment variable in Step 2: Create an organization.

    See contractProvider.

    ENVIRONMENT_NAME
    Use the same name that you used when you created an environment in the UI, as explained in Project and org setup - Step 3: Create an environment group.

    See envs[].name.

    ENVIRONMENT_GROUP_NAME
    The name of the environment group your environments are assigned to. This is the group you created in Project and org setup - Step 3: Create an environment group. This is the value assigned to the environment variable ENV_GROUP.

    Note: If you wish to place cluster instances in multiple regions, you must be careful about how you define your environments and virtual hosts. If you have one or more environments attached to an environment group, you must include that same environment group configuration in each cluster instance's overrides file.

    See virtualhosts[].name.

    INGRESS_NAME
    The name of the Apigee ingress gateway for your deployment. This can be any name that meets the following requirements:
    • Have a maximum length of 17 characters
    • Contain only lowercase alphanumeric characters, '-' or '.'
    • Start with an alphanumeric character
    • End with an alphanumeric character

    See:

    PATH_TO_CERT_FILE
    PATH_TO_KEY_FILE
    Enter the path and filename of the self-signed TLS key and certificate files that you generated previously in Step 6: Create TLS certificates. These files must be located in the APIGEE_HELM_CHARTS_HOME/apigee-virtualhosts/certs directory. For example:
    sslCertPath: certs/keystore.crt
    sslKeyPath: certs/keystore.key

    See:

    SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE
    (Optional). This is a key-value pair that provides annotations for your default ingress service. Your cloud platform uses annotations to help configure your hybrid installation, for example setting the load balancer type to either internal or external.

    Annotations vary from platform to platform. Refer to your platform documentation for required and suggested annotations.

    Note: You do not need to set svcAnnotations if you are creating your own Kubernetes service for ingress deployment as documented in Expose Apigee ingress gateway.

    Comment out or delete this section if you are not using it.

    See ingressGateways[].svcAnnotations.

    <component>_SERVICE_ACCOUNT_EMAIL
    The service account email addresses for the Google service accounts (GSA) you need to supply if you are using Workload Identity Federation for GKE. These are the service accounts you created in Step 4: Create service accounts. You can find the email addresses for the service accounts with the following command:
    gcloud iam service-accounts list \
      --project ${PROJECT_ID} \
      --filter "apigee"

    See:

    Example

    instanceID: "my_hybrid_example"
    namespace: "apigee"
    gcp:
      projectID: my-project
      region: us-central1
      workloadIdentity:
        enabled: true
    k8sCluster:
      name: hybrid-env
      region: us-central1
    org: my-project
    enhanceProxyLimits: true
    contractProvider: https://us-apigee.googleapis.com
    envs:
    - name: prod-env
      gsa:
        synchronizer: "apigee-synchronizer@my-project.iam.gserviceaccount.com"
        runtime: "apigee-runtime@my-project.iam.gserviceaccount.com"
        udca: "apigee-udca@my-project.iam.gserviceaccount.com"
    cassandra:
      hostNetwork: false
      replicaCount: 3
      storage:
        storageSize: 500Gi
      resources:
        requests:
          cpu: 7
          memory: 15Gi
      maxHeapSize: 8192M
      heapNewSize: 1200M
    ingressGateways:
    - name: my-ingress-1
      replicaCountMin: 2
      replicaCountMax: 10
    virtualhosts:
    - name: example-env-group
      selector:
        app: apigee-ingressgateway
        ingress_name: my-ingress-1
      sslCertPath: certs/keystore.pem
      sslKeyPath: certs/keystore.key
    mart:
      gsa: "apigee-mart@my-project.iam.gserviceaccount.com"
    connectAgent:
      gsa: "apigee-mart@my-project.iam.gserviceaccount.com"
    logger:
      enabled: true
      gsa: "apigee-logger@my-project.iam.gserviceaccount.com"
    metrics:
      gsa: "apigee-metrics@my-project.iam.gserviceaccount.com"
    udca:
      gsa: "apigee-udca@my-project.iam.gserviceaccount.com"
    watcher:
      gsa: "apigee-watcher@my-project.iam.gserviceaccount.com"
    # Monetization for Apigee hybrid
    runtime:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1"
      # For message payloads larger than 10MB (kept in the same runtime: block,
      # because a YAML mapping key may appear only once):
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi
    mintTaskScheduler:
      serviceAccountPath: my-project-apigee-mint-task-scheduler.json
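The naming, region and service-account rules described in the table above can be checked before the file is handed to Helm. The following is an added example, not part of the Apigee documentation: `walk` and `lint_overrides` are hypothetical helper names, the sample file is constructed, and the parser handles only the YAML subset the templates use.

```python
import re

# From the variable table: INGRESS_NAME has at most 17 characters, lowercase
# alphanumerics plus '-' or '.', and an alphanumeric at both ends.
INGRESS_RE = re.compile(r"[a-z0-9](?:[a-z0-9.-]{0,15}[a-z0-9])?")
# A zone such as us-central1-a is a region name plus a one-letter suffix.
ZONE_RE = re.compile(r"[a-z]+-[a-z]+[0-9]+-[a-z]")

# Constructed sample, modelled on the page's example with mistakes added.
SAMPLE = """\
gcp:
  region: us-central1
  workloadIdentity:
    enabled: true
k8sCluster:
  name: hybrid-env
  region: us-central1-a
ingressGateways:
- name: My-Ingress-Gateway-01
  replicaCountMin: 2
virtualhosts:
- name: example-env-group
  selector:
    app: apigee-ingressgateway
    ingress_name: my-ingress-1
  sslCertPath: certs/keystore.pem
runtime:
  image:
    tag: "1.15.1"
mintTaskScheduler:
  serviceAccountPath: my-project-apigee-mint-task-scheduler.json
runtime:
  cwcAppend:
    bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
"""


def walk(text):
    """Yield (line_number, dotted_path, value) for each 'key: value' line.

    Handles only the YAML subset the overrides templates use: nested mappings,
    '- ' list items, '#' comments and quoted scalars.
    """
    stack = []  # (indent, key) pairs from the root down to the current key
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        body = line.strip()
        if body.startswith("- "):  # keys of a list item sit two columns in
            indent, body = indent + 2, body[2:]
        key, sep, value = body.partition(":")
        if not sep:
            continue
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key.strip()))
        yield lineno, ".".join(k for _, k in stack), value.strip().strip("\"'")


def lint_overrides(text):
    """Return a list of findings for the text of an overrides.yaml."""
    findings, first_seen = [], {}
    gateways, selectors, key_files = set(), [], []
    wif_gke = False
    for lineno, path, value in walk(text):
        if "." not in path:  # YAML allows a mapping key only once
            if path in first_seen:
                findings.append(f"line {lineno}: top-level key '{path}' repeats "
                                f"line {first_seen[path]}; merge the two blocks")
            first_seen.setdefault(path, lineno)
        if path == "ingressGateways.name":
            gateways.add(value)
            if not INGRESS_RE.fullmatch(value):
                findings.append(f"line {lineno}: ingress name '{value}' breaks the rules")
        elif path == "virtualhosts.selector.ingress_name":
            selectors.append((lineno, value))
        elif path == "k8sCluster.region" and ZONE_RE.fullmatch(value):
            region = value.rsplit("-", 1)[0]
            findings.append(f"line {lineno}: '{value}' is a zone; use region '{region}'")
        elif path == "gcp.workloadIdentity.enabled":
            wif_gke = value == "true"
        elif path.endswith(".serviceAccountPath") and value:
            key_files.append((lineno, path))
    for lineno, name in selectors:
        if name not in gateways:
            findings.append(f"line {lineno}: ingress_name '{name}' matches no ingress gateway")
    # Assumption: the WIF for GKE template supplies gsa emails, so a key-file
    # path in the same file is reported for review.
    for lineno, path in key_files if wif_gke else []:
        findings.append(f"line {lineno}: {path} set although workloadIdentity is enabled")
    return findings


if __name__ == "__main__":
    print("\n".join(lint_overrides(SAMPLE)))
```

The duplicate-key check works on the raw text because most YAML loaders keep only one of two repeated mappings, so the problem is no longer visible after parsing.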


    Non-prod

    Template

    Values in red, bold italics are property values that you must provide. They are described in the table below.

    instanceID: UNIQUE_INSTANCE_IDENTIFIER
    namespace: APIGEE_NAMESPACE # Usually "apigee"
    gcp:
      projectID: PROJECT_ID
      region: ANALYTICS_REGION
      workloadIdentity:
        enabled: true
        gsa: "NON_PROD_SERVICE_ACCOUNT_EMAIL"
        # For example: "apigee-non-prod@PROJECT_ID.iam.gserviceaccount.com"
    k8sCluster:
      name: CLUSTER_NAME
      region: CLUSTER_LOCATION # Closest Google Cloud region to your cluster.
    org: ORG_NAME
    # Required for Enhanced per-environment proxy limits:
    enhanceProxyLimits: true
    # Required if using data residency with hybrid:
    contractProvider: https://CONTROL_PLANE_LOCATION-apigee.googleapis.com
    envs:
    - name: ENVIRONMENT_NAME
    cassandra:
      hostNetwork: false
        # Set to false for single region installations and for multi-region
        # installations with connectivity between pods in different clusters,
        # like GKE.
        # Set to true for multi-region installations with no communication
        # between pods in different clusters, for example Google Distributed
        # Cloud on VMware or bare metal, GKE on AWS, AKS, EKS, and OpenShift.
        # See Multi-region deployment: Prerequisites
      replicaCount: 1
        # Use 1 for non-prod installations and multiples of 3 for production.
        # See Configure Cassandra for production for guidelines.
    ingressGateways:
    - name: INGRESS_NAME # maximum 17 characters.
      replicaCountMin: 2
      replicaCountMax: 10
      svcAnnotations:  # optional. If you are on AKS, see Known issue #260772383
        SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE
    virtualhosts:
    - name: ENVIRONMENT_GROUP_NAME
      selector:
        app: apigee-ingressgateway
        ingress_name: INGRESS_NAME
      sslCertPath: PATH_TO_CERT_FILE
      sslKeyPath: PATH_TO_KEY_FILE
    logger:
      enabled: true
        # enabled by default
        # See apigee-logger in Service accounts and roles used by hybrid components.
    # Required if using Monetization for Apigee hybrid (v1.15.1 and later)
    runtime:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1" # Must be 1.15.1 or higher.
    # If using message payloads larger than 10MB.
    # See configure large message payload support:
    # If you also set runtime.image above, put cwcAppend and resources under that
    # same runtime: block; a YAML mapping key may appear only once.
    runtime:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi

    The following table describes each of the property values that you must provide in the overrides file. For more information, see Configuration property reference.

    Variable | Description

    UNIQUE_INSTANCE_IDENTIFIER
    A unique string to identify this instance. This can be any combination of letters and numbers up to 63 characters.

    Note: You can create multiple organizations in the same cluster, but the instanceID must be the same for all orgs in the same Kubernetes cluster. For multi-region installations, each region requires its own cluster (individual clusters do not span regions).

    See instanceID.

    APIGEE_NAMESPACE
    The Kubernetes namespace for your Apigee hybrid components.

    The default value is apigee.

    See namespace.

    PROJECT_ID
    Identifies the Google Cloud project where the apigee-logger and the apigee-metrics push their data. This is the value assigned to the environment variable PROJECT_ID.

    See gcp.projectID.

    ANALYTICS_REGION
    In GKE, you must set this value to the same region where the cluster is running. In all other platforms, select the closest analytics region to your cluster that has Analytics support (see the table in Part 1, Step 2: Create an organization).

    This is the value you assigned to the environment variable ANALYTICS_REGION previously.

    See gcp.region.

    NON_PROD_SERVICE_ACCOUNT_EMAIL
    The service account email address for the non-prod Google service account (GSA). This is the apigee-non-prod service account you created in Step 4: Create service accounts.

    If you are using Workload Identity Federation for GKE in a non-prod installation, specify the service account email address for the gcp.workloadIdentity.gsa property. You will not need to add the gsa property for any individual components.

    You can find the email addresses for the service accounts with the following command:

    gcloud iam service-accounts list \
      --project ${PROJECT_ID} \
      --filter "apigee"

    See gcp.workloadIdentity.gsa.

    CLUSTER_NAME
    Your Kubernetes cluster name. This is the value assigned to the environment variable CLUSTER_NAME.

    See k8sCluster.name.

    CLUSTER_LOCATION
    The region where the cluster is running. This is the region where you created the cluster in Step 1: Create a cluster.

    This is the value you assigned to the environment variable CLUSTER_LOCATION previously.

    If you are working with zonal clusters, you must specify the region in which your cluster was created. For example, if you created your cluster in the us-central1-a zone, specify us-central1 for the CLUSTER_LOCATION.

    See k8sCluster.location.

    ORG_NAME
    The ID of your Apigee hybrid organization. This is the value assigned to the environment variable ORG_NAME.

    See org.

    CONTROL_PLANE_LOCATION
    Required if you are using Data residency with your Apigee hybrid installation. This is the location where customer core content like proxy bundles is stored. For a list, see Available Apigee API control plane regions. It is the value assigned to the CONTROL_PLANE_LOCATION environment variable in Step 2: Create an organization.

    See contractProvider.

    ENVIRONMENT_NAME
    Use the same name that you used when you created an environment in the UI, as explained in Project and org setup - Step 3: Create an environment group.

    See envs[].name.

    ENVIRONMENT_GROUP_NAME
    The name of the environment group your environments are assigned to. This is the group you created in Project and org setup - Step 3: Create an environment group. This is the value assigned to the environment variable ENV_GROUP.

    Note: If you wish to place cluster instances in multiple regions, you must be careful about how you define your environments and virtual hosts. If you have one or more environments attached to an environment group, you must include that same environment group configuration in each cluster instance's overrides file.

    See virtualhosts[].name.

    INGRESS_NAME
    The name of the Apigee ingress gateway for your deployment. This can be any name that meets the following requirements:
    • Have a maximum length of 17 characters
    • Contain only lowercase alphanumeric characters, '-' or '.'
    • Start with an alphanumeric character
    • End with an alphanumeric character

    See:

    PATH_TO_CERT_FILE
    PATH_TO_KEY_FILE
    Enter the path and filename of the self-signed TLS key and certificate files that you generated previously in Step 6: Create TLS certificates. These files must be located in the APIGEE_HELM_CHARTS_HOME/apigee-virtualhosts/certs directory. For example:
    sslCertPath: certs/keystore.crt
    sslKeyPath: certs/keystore.key

    See:

    SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE
    (Optional). This is a key-value pair that provides annotations for your default ingress service. Your cloud platform uses annotations to help configure your hybrid installation, for example setting the load balancer type to either internal or external.

    Annotations vary from platform to platform. Refer to your platform documentation for required and suggested annotations.

    Note: You do not need to set svcAnnotations if you are creating your own Kubernetes service for ingress deployment as documented in Expose Apigee ingress gateway.

    Comment out or delete this section if you are not using it.

    See ingressGateways[].svcAnnotations.

    Example

    instanceID: "my_hybrid_example"
    namespace: "apigee"
    gcp:
      projectID: my-project
      region: us-central1
      workloadIdentity:
        enabled: true
        gsa: "apigee-non-prod@my-project.iam.gserviceaccount.com"
    k8sCluster:
      name: hybrid-env
      region: us-central1
    org: my-project
    enhanceProxyLimits: true
    contractProvider: https://us-apigee.googleapis.com
    envs:
    - name: test
    cassandra:
      hostNetwork: false
      replicaCount: 1
    ingressGateways:
    - name: my-ingress-1
      replicaCountMin: 2
      replicaCountMax: 10
    virtualhosts:
    - name: example-env-group
      selector:
        app: apigee-ingressgateway
        ingress_name: my-ingress-1
      sslCertPath: certs/keystore.pem
      sslKeyPath: certs/keystore.key
    logger:
      enabled: true
    # Monetization for Apigee hybrid
    runtime:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1"
      # For message payloads larger than 10MB (kept in the same runtime: block,
      # because a YAML mapping key may appear only once):
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi


    WIF on other platforms

    WIF: secrets

    Production

    Template

    Values in red, bold italics are property values that you must provide. They are described in the table below.

    instanceID: UNIQUE_INSTANCE_IDENTIFIER
    namespace: APIGEE_NAMESPACE # Usually "apigee"

    gcp:
      projectID: PROJECT_ID
      region: ANALYTICS_REGION
      workloadIdentity:
        enabled: false # Must be set to false to use
          # Workload Identity Federation on other platforms.
      federatedWorkloadIdentity:
        enabled: true
        audience: "AUDIENCE"
        credentialSourceFile: "/var/run/service-account/token"

    k8sCluster:
      name: CLUSTER_NAME
      region: CLUSTER_LOCATION # Closest Google Cloud region to your cluster.
    org: ORG_NAME

    # Required for Enhanced per-environment proxy limits:
    enhanceProxyLimits: true

    # Required if using data residency with hybrid:
    contractProvider: https://CONTROL_PLANE_LOCATION-apigee.googleapis.com

    envs:
    - name: ENVIRONMENT_NAME
      serviceAccountSecretRefs:
        synchronizer: SYNCHRONIZER_WORKLOAD_IDENTITY_SECRET
          # For example: "synchronizer-workload-identity-secret"
        runtime: RUNTIME_WORKLOAD_IDENTITY_SECRET
          # For example: "runtime-workload-identity-secret"
        udca: UDCA_WORKLOAD_IDENTITY_SECRET
          # For example: "udca-workload-identity-secret"

    cassandra:
      hostNetwork: false
        # Set to false for single region installations and for multi-region
        # installations with connectivity between pods in different clusters,
        # like GKE.
        # Set to true for multi-region installations with no communication
        # between pods in different clusters, for example Google Distributed
        # Cloud on VMware or bare metal, GKE on AWS, AKS, EKS, and OpenShift.
        # See Multi-region deployment: Prerequisites
      replicaCount: 3
        # Use multiples of 3 for production.
        # See Configure Cassandra for production for guidelines.
      storage:
        storageSize: 500Gi
      resources:
        requests:
          cpu: 7
          memory: 15Gi
      maxHeapSize: 8192M
      heapNewSize: 1200M
        # Minimum storage requirements for a production environment.
        # See Configure Cassandra for production.

    ingressGateways:
    - name: INGRESS_NAME # maximum 17 characters.
      replicaCountMin: 2
      replicaCountMax: 10
      svcAnnotations:  # optional. If you are on AKS, see Known issue #260772383
        SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE

    virtualhosts:
    - name: ENVIRONMENT_GROUP_NAME
      selector:
        app: apigee-ingressgateway
        ingress_name: INGRESS_NAME
      sslCertPath: PATH_TO_CERT_FILE
      sslKeyPath: PATH_TO_KEY_FILE

    mart:
      serviceAccountRef: MART_WORKLOAD_IDENTITY_SECRET
        # For example: "mart-workload-identity-secret"

    connectAgent:
      serviceAccountRef: MART_WORKLOAD_IDENTITY_SECRET
        # Use the same secret for mart and connectAgent
        # For example: "mart-workload-identity-secret"

    logger:
      enabled: false
        # apigee-logger does not support Workload Identity Federation.
        # See Known issue #341099433.
        # If you want to enable the apigee-logger component, create a
        # Kubernetes secret for apigee-logger by following the steps
        # under Kubernetes secrets in
        # Step 5: Set up service account authentication.
        # Provide a reference to the secret with the
        # logger.serviceAccountRef property.

    metrics:
      serviceAccountRef: METRICS_WORKLOAD_IDENTITY_SECRET
        # For example: "metrics-workload-identity-secret"

    udca:
      serviceAccountRef: UDCA_WORKLOAD_IDENTITY_SECRET
        # For example: "udca-workload-identity-secret"

    watcher:
      serviceAccountRef: WATCHER_WORKLOAD_IDENTITY_SECRET
        # For example: "watcher-workload-identity-secret"

    # Required if using Monetization for Apigee hybrid (v1.15.1 and later)
    runtime:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1" # Must be 1.15.1 or higher.
    mintTaskScheduler: # Required for Monetization for Apigee hybrid
      serviceAccountRef: MINT_TASK_SCHEDULER_WORKLOAD_IDENTITY_SECRET
        # For example: "apigee-mint-task-scheduler-workload-identity-secret"

    # If using message payloads larger than 10MB.
    # See configure large message payload support:
    runtime:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi

    The following table describes each of the property values that you must provide in the overrides file. For more information, see Configuration property reference.

    Variable | Description

    UNIQUE_INSTANCE_IDENTIFIER

    A unique string to identify this instance. This can be any combination of letters and numbers up to 63 characters.

    Note: You can create multiple organizations in the same cluster, but the instanceID must be the same for all orgs in the same Kubernetes cluster. For multi-region installations, each region requires its own cluster (individual clusters do not span regions).

    See instanceID.

    APIGEE_NAMESPACE

    The Kubernetes namespace for your Apigee hybrid components.

    The default value is apigee.

    See namespace.

    PROJECT_ID

    Identifies the Google Cloud project where the apigee-logger and the apigee-metrics push their data. This is the value assigned to the environment variable PROJECT_ID.

    See gcp.projectID.

    ANALYTICS_REGION

    In GKE, you must set this value to the same region where the cluster is running. In all other platforms, select the closest analytics region to your cluster that has Analytics support (see the table in Part 1, Step 2: Create an organization).

    This is the value you assigned to the environment variable ANALYTICS_REGION previously.

    See gcp.region.

    AUDIENCE

    The allowed audience of the Workload Identity Provider. You can find the value by searching any of the credential configuration files for the term audience:. The audience value is the same in each credential configuration file.

    For example, in the following sample apigee-udca-credential-configuration.json file:

    {
      "universe_domain": "googleapis.com",
      "type": "external_account",
      "audience": "AUDIENCE",
      "subject_token_type": "TOKEN_TYPE",
      "token_url": "TOKEN_URL",
      "service_account_impersonation_url": "IMPERSONATION_URL",
      "credential_source": {
        "file": "FILE_PATH",
        "format": {
          "type": "text"
        }
      }
    }

    The audience value will look something like the following (without line breaks):

    "//iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID"
    Tip: You can delete the credential configuration files after you copy the audience value.

    See gcp.federatedWorkloadIdentity.audience.

    CLUSTER_NAME

    Your Kubernetes cluster name. This is the value assigned to the environment variable CLUSTER_NAME.

    See k8sCluster.name.

    CLUSTER_LOCATION

    The region where the cluster is running. This is the region where you created the cluster in Step 1: Create a cluster.

    This is the value you assigned to the environment variable CLUSTER_LOCATION previously.

    If you are working with zonal clusters, you must specify the region in which your cluster was created. For example, if you created your cluster in the us-central1-a zone, specify us-central1 for the CLUSTER_LOCATION.

    See k8sCluster.location.

    ORG_NAME

    The ID of your Apigee hybrid organization. This is the value assigned to the environment variable ORG_NAME.

    See org.

    CONTROL_PLANE_LOCATION

    Required if you are using Data residency with your Apigee hybrid installation. This is the location where customer core content like proxy bundles is stored. For a list, see Available Apigee API control plane regions. It is the value assigned to the CONTROL_PLANE_LOCATION environment variable in Step 2: Create an organization.

    See contractProvider.

    ENVIRONMENT_NAME

    Use the same name that you used when you created an environment in the UI, as explained in Project and org setup - Step 3: Create an environment group.

    See envs[].name.

    ENVIRONMENT_GROUP_NAME

    The name of the environment group your environments are assigned to. This is the group you created in Project and org setup - Step 3: Create an environment group. This is the value assigned to the environment variable ENV_GROUP.

    Note: If you wish to place cluster instances in multiple regions, you must be careful about how you define your environments and virtual hosts. If you have one or more environments attached to an environment group, you must include that same environment group configuration in each cluster instance's overrides file.

    See virtualhosts[].name.

    INGRESS_NAME

    The name of the Apigee ingress gateway for your deployment. This can be any name that meets the following requirements:
    • Have a maximum length of 17 characters
    • Contain only lowercase alphanumeric characters, '-' or '.'
    • Start with an alphanumeric character
    • End with an alphanumeric character

    PATH_TO_CERT_FILE
    PATH_TO_KEY_FILE

    Enter the path and filename of the self-signed TLS key and certificate files that you generated previously in Step 6: Create TLS certificates. These files must be located in the APIGEE_HELM_CHARTS_HOME/apigee-virtualhosts/certs directory. For example:

    sslCertPath: certs/keystore.crt
    sslKeyPath: certs/keystore.key

    SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE

    (Optional) This is a key-value pair that provides annotations for your default ingress service. Your cloud platform uses annotations to help configure your hybrid installation, for example setting the load balancer type to either internal or external.

    Annotations vary from platform to platform. Refer to your platform documentation for required and suggested annotations.

    Note: You do not need to set svcAnnotations if you are creating your own Kubernetes service for ingress deployment as documented in Expose Apigee ingress gateway.

    Comment out or delete this section if you are not using it.

    See ingressGateways[].svcAnnotations.

    <component>_WORKLOAD_IDENTITY_SECRET

    The name of the Kubernetes secret you created for the service account credential configuration in Step 5: Set up service account authentication.

    The default names of the secrets suggested in this guide are:

    Production

    • cassandra-workload-identity-secret
    • logger-workload-identity-secret
    • mart-workload-identity-secret
    • metrics-workload-identity-secret
    • mint-task-scheduler-workload-identity-secret
    • runtime-workload-identity-secret
    • synchronizer-workload-identity-secret
    • udca-workload-identity-secret
    • watcher-workload-identity-secret

    Non-prod

    • non-prod-workload-identity-secret
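
    A pre-flight check for the values described in this table, added here as an illustration and not part of the Apigee documentation or tooling. It confirms that every credential configuration file carries the same, well-formed audience and that an already-parsed overrides mapping follows the rules stated above; the function names, the second sample file name and the sample data are assumptions.

```python
import json
import re

# Audience shape shown on the page: project number, pool ID, provider ID.
AUDIENCE_RE = re.compile(
    r"^//iam\.googleapis\.com/projects/\d+/locations/global"
    r"/workloadIdentityPools/[^/\s]+/providers/[^/\s]+$"
)
# INGRESS_NAME: lowercase alphanumerics, '-' or '.', alphanumeric at both ends.
INGRESS_NAME_RE = re.compile(r"^[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?$")
INGRESS_NAME_MAX = 17


def shared_audience(credential_configs):
    """Return the single audience used by every credential configuration.

    credential_configs maps a file name to that file's JSON text.
    """
    by_audience = {}
    for filename, text in credential_configs.items():
        audience = json.loads(text).get("audience")
        if not isinstance(audience, str) or not AUDIENCE_RE.match(audience):
            raise ValueError(f"{filename}: missing or malformed audience")
        by_audience.setdefault(audience, []).append(filename)
    if len(by_audience) != 1:
        raise ValueError(f"expected one audience, found {len(by_audience)}")
    return next(iter(by_audience))


def check_overrides(overrides, audience):
    """Return a list of problems in an already-parsed overrides mapping."""
    problems = []
    gcp = overrides.get("gcp", {})
    if gcp.get("workloadIdentity", {}).get("enabled") is not False:
        problems.append("gcp.workloadIdentity.enabled must be set to false")
    federated = gcp.get("federatedWorkloadIdentity", {})
    if federated.get("enabled") is not True:
        problems.append("gcp.federatedWorkloadIdentity.enabled must be true")
    if federated.get("audience") != audience:
        problems.append("audience differs from the credential configuration files")

    gateways = [gw.get("name", "") for gw in overrides.get("ingressGateways", [])]
    for name in gateways:
        if len(name) > INGRESS_NAME_MAX or not INGRESS_NAME_RE.match(name):
            problems.append(f"ingress name {name!r} breaks the naming rules")
    for vhost in overrides.get("virtualhosts", []):
        selected = vhost.get("selector", {}).get("ingress_name")
        if selected not in gateways:
            problems.append(f"virtualhost selects unknown ingress {selected!r}")

    mart = overrides.get("mart", {}).get("serviceAccountRef")
    agent = overrides.get("connectAgent", {}).get("serviceAccountRef")
    if mart != agent:
        problems.append("mart and connectAgent must use the same secret")
    return problems


# Constructed sample data, modelled on the page's Example tab.
SAMPLE_AUDIENCE = (
    "//iam.googleapis.com/projects/123123123123/locations/global"
    "/workloadIdentityPools/my-wi-pool/providers/my-wi-provider"
)
SAMPLE_CONFIGS = {
    name: json.dumps({"type": "external_account", "audience": SAMPLE_AUDIENCE})
    for name in ("apigee-udca-credential-configuration.json",
                 "apigee-mart-credential-configuration.json")
}
SAMPLE_OVERRIDES = {
    "gcp": {
        "workloadIdentity": {"enabled": False},
        "federatedWorkloadIdentity": {"enabled": True, "audience": SAMPLE_AUDIENCE},
    },
    "ingressGateways": [{"name": "my-ingress-1"}],
    "virtualhosts": [{"name": "example-env-group",
                      "selector": {"ingress_name": "my-ingress-1"}}],
    "mart": {"serviceAccountRef": "mart-workload-identity-secret"},
    "connectAgent": {"serviceAccountRef": "mart-workload-identity-secret"},
}

if __name__ == "__main__":
    expected = shared_audience(SAMPLE_CONFIGS)
    print(check_overrides(SAMPLE_OVERRIDES, expected) or "overrides look consistent")
```

    To run it against a real installation, load overrides.yaml with a YAML parser of your choice and pass the resulting mapping to check_overrides.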


    Example

    instanceID: "my_hybrid_example"
    namespace: "apigee"

    gcp:
      projectID: my-project
      region: us-central1
      workloadIdentity:
        enabled: false
      federatedWorkloadIdentity:
        enabled: true
        audience: "//iam.googleapis.com/projects/123123123123/locations/global/workloadIdentityPools/my-wi-pool/providers/my-wi-provider"
        credentialSourceFile: "/var/run/service-account/token"

    k8sCluster:
      name: hybrid-env
      region: us-central1
    org: my-project

    enhanceProxyLimits: true

    contractProvider: https://us-apigee.googleapis.com

    envs:
    - name: prod-env
      serviceAccountSecretRefs:
        synchronizer: "synchronizer-workload-identity-secret"
        runtime: "runtime-workload-identity-secret"
        udca: "udca-workload-identity-secret"

    cassandra:
      hostNetwork: false
      replicaCount: 3
      storage:
        storageSize: 500Gi
      resources:
        requests:
          cpu: 7
          memory: 15Gi
      maxHeapSize: 8192M
      heapNewSize: 1200M

    ingressGateways:
    - name: my-ingress-1
      replicaCountMin: 2
      replicaCountMax: 10

    virtualhosts:
    - name: example-env-group
      selector:
        app: apigee-ingressgateway
        ingress_name: my-ingress-1
      sslCertPath: certs/keystore.pem
      sslKeyPath: certs/keystore.key

    mart:
      serviceAccountRef: "mart-workload-identity-secret"

    connectAgent:
      serviceAccountRef: "mart-workload-identity-secret"

    logger:
      enabled: false

    metrics:
      serviceAccountRef: "metrics-workload-identity-secret"

    udca:
      serviceAccountRef: "udca-workload-identity-secret"

    watcher:
      serviceAccountRef: "watcher-workload-identity-secret"

    # Monetization for Apigee hybrid
    runtime:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1"
    mintTaskScheduler:
      serviceAccountRef: "apigee-mint-task-scheduler-workload-identity-secret"

    # For message payloads larger than 10MB:
    runtime:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi

    The following table describes each of the property values that you must provide in the overrides file. For more information, see Configuration property reference.

    Variable | Description

    UNIQUE_INSTANCE_IDENTIFIER

    A unique string to identify this instance. This can be any combination of letters and numbers up to 63 characters.

    Note: You can create multiple organizations in the same cluster, but the instanceID must be the same for all orgs in the same Kubernetes cluster. For multi-region installations, each region requires its own cluster (individual clusters do not span regions).

    See instanceID.

    APIGEE_NAMESPACE

    The Kubernetes namespace for your Apigee hybrid components.

    The default value is apigee.

    See namespace.

    PROJECT_ID

    Identifies the Google Cloud project where the apigee-logger and the apigee-metrics push their data. This is the value assigned to the environment variable PROJECT_ID.

    See gcp.projectID.

    ANALYTICS_REGION

    In GKE, you must set this value to the same region where the cluster is running. In all other platforms, select the closest analytics region to your cluster that has Analytics support (see the table in Part 1, Step 2: Create an organization).

    This is the value you assigned to the environment variable ANALYTICS_REGION previously.

    See gcp.region.

    AUDIENCE

    The allowed audience of the Workload Identity Provider. You can find the value by searching any of the credential configuration files for the term audience:. The audience value is the same in each credential configuration file.

    For example, in the following sample apigee-udca-credential-configuration.json file:

    {
      "universe_domain": "googleapis.com",
      "type": "external_account",
      "audience": "AUDIENCE",
      "subject_token_type": "TOKEN_TYPE",
      "token_url": "TOKEN_URL",
      "service_account_impersonation_url": "IMPERSONATION_URL",
      "credential_source": {
        "file": "FILE_PATH",
        "format": {
          "type": "text"
        }
      }
    }

    The audience value will look something like the following (without line breaks):

    "//iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID"
    Tip: You can delete the credential configuration files after you copy the audience value.

    See gcp.federatedWorkloadIdentity.audience.

    CLUSTER_NAME

    Your Kubernetes cluster name. This is the value assigned to the environment variable CLUSTER_NAME.

    See k8sCluster.name.

    CLUSTER_LOCATION

    The region where the cluster is running. This is the region where you created the cluster in Step 1: Create a cluster.

    This is the value you assigned to the environment variable CLUSTER_LOCATION previously.

    If you are working with zonal clusters, you must specify the region in which your cluster was created. For example, if you created your cluster in the us-central1-a zone, specify us-central1 for the CLUSTER_LOCATION.

    See k8sCluster.location.

    ORG_NAME

    The ID of your Apigee hybrid organization. This is the value assigned to the environment variable ORG_NAME.

    See org.

    CONTROL_PLANE_LOCATION

    Required if you are using Data residency with your Apigee hybrid installation. This is the location where customer core content like proxy bundles is stored. For a list, see Available Apigee API control plane regions. It is the value assigned to the CONTROL_PLANE_LOCATION environment variable in Step 2: Create an organization.

    See contractProvider.

    ENVIRONMENT_NAME

    Use the same name that you used when you created an environment in the UI, as explained in Project and org setup - Step 3: Create an environment group.

    See envs[].name.

    ENVIRONMENT_GROUP_NAME

    The name of the environment group your environments are assigned to. This is the group you created in Project and org setup - Step 3: Create an environment group. This is the value assigned to the environment variable ENV_GROUP.

    Note: If you wish to place cluster instances in multiple regions, you must be careful about how you define your environments and virtual hosts. If you have one or more environments attached to an environment group, you must include that same environment group configuration in each cluster instance's overrides file.

    See virtualhosts[].name.

    INGRESS_NAME

    The name of the Apigee ingress gateway for your deployment. This can be any name that meets the following requirements:
    • Have a maximum length of 17 characters
    • Contain only lowercase alphanumeric characters, '-' or '.'
    • Start with an alphanumeric character
    • End with an alphanumeric character

    PATH_TO_CERT_FILE
    PATH_TO_KEY_FILE

    Enter the path and filename of the self-signed TLS key and certificate files that you generated previously in Step 6: Create TLS certificates. These files must be located in the APIGEE_HELM_CHARTS_HOME/apigee-virtualhosts/certs directory. For example:

    sslCertPath: certs/keystore.crt
    sslKeyPath: certs/keystore.key

    SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE

    (Optional) This is a key-value pair that provides annotations for your default ingress service. Your cloud platform uses annotations to help configure your hybrid installation, for example setting the load balancer type to either internal or external.

    Annotations vary from platform to platform. Refer to your platform documentation for required and suggested annotations.

    Note: You do not need to set svcAnnotations if you are creating your own Kubernetes service for ingress deployment as documented in Expose Apigee ingress gateway.

    Comment out or delete this section if you are not using it.

    See ingressGateways[].svcAnnotations.

    <component>_WORKLOAD_IDENTITY_SECRET

    The name of the Kubernetes secret you created for the service account credential configuration in Step 5: Set up service account authentication.

    The default names of the secrets suggested in this guide are:

    Production

    • cassandra-workload-identity-secret
    • logger-workload-identity-secret
    • mart-workload-identity-secret
    • metrics-workload-identity-secret
    • mint-task-scheduler-workload-identity-secret
    • runtime-workload-identity-secret
    • synchronizer-workload-identity-secret
    • udca-workload-identity-secret
    • watcher-workload-identity-secret

    Non-prod

    • non-prod-workload-identity-secret


    Non-prod

    Template

    Values in red, bold italics are property values that you must provide. They are described in the table below.

    instanceID: UNIQUE_INSTANCE_IDENTIFIER
    namespace: APIGEE_NAMESPACE # Usually "apigee"

    gcp:
      projectID: PROJECT_ID
      region: ANALYTICS_REGION
      workloadIdentity:
        enabled: false # Must be set to false to use
          # Workload Identity Federation on other platforms.
      federatedWorkloadIdentity:
        enabled: true
        audience: "AUDIENCE"
        credentialSourceFile: "/var/run/service-account/token"

    k8sCluster:
      name: CLUSTER_NAME
      region: CLUSTER_LOCATION # Closest Google Cloud region to your cluster.
    org: ORG_NAME

    # Required for Enhanced per-environment proxy limits:
    enhanceProxyLimits: true

    # Required if using data residency with hybrid:
    contractProvider: https://CONTROL_PLANE_LOCATION-apigee.googleapis.com

    envs:
    - name: ENVIRONMENT_NAME
      serviceAccountSecretRefs:
        synchronizer: NON_PROD_WORKLOAD_IDENTITY_SECRET
          # For example: "non-prod-workload-identity-secret"
        runtime: NON_PROD_WORKLOAD_IDENTITY_SECRET
          # For example: "non-prod-workload-identity-secret"
        udca: NON_PROD_WORKLOAD_IDENTITY_SECRET
          # For example: "non-prod-workload-identity-secret"

    cassandra:
      hostNetwork: false
        # Set to false for single region installations and for multi-region
        # installations with connectivity between pods in different clusters,
        # like GKE.
        # Set to true for multi-region installations with no communication
        # between pods in different clusters, for example Google Distributed
        # Cloud on VMware or bare metal, GKE on AWS, AKS, EKS, and OpenShift.
        # See Multi-region deployment: Prerequisites
      replicaCount: 1
        # Use 1 for non-prod installations and multiples of 3 for production.
        # See Configure Cassandra for production for guidelines.

    ingressGateways:
    - name: INGRESS_NAME # maximum 17 characters.
      replicaCountMin: 2
      replicaCountMax: 10
      svcAnnotations:  # optional. If you are on AKS, see Known issue #260772383
        SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE

    virtualhosts:
    - name: ENVIRONMENT_GROUP_NAME
      selector:
        app: apigee-ingressgateway
        ingress_name: INGRESS_NAME
      sslCertPath: PATH_TO_CERT_FILE
      sslKeyPath: PATH_TO_KEY_FILE

    mart:
      serviceAccountRef: NON_PROD_WORKLOAD_IDENTITY_SECRET
        # For example: "non-prod-workload-identity-secret"

    connectAgent:
      serviceAccountRef: NON_PROD_WORKLOAD_IDENTITY_SECRET
        # Use the same secret for mart and connectAgent
        # For example: "non-prod-workload-identity-secret"

    logger:
      enabled: false
        # apigee-logger does not support Workload Identity Federation.
        # See Known issue #341099433.
        # If you want to enable the apigee-logger component, create a
        # Kubernetes secret for apigee-logger by following the steps
        # under Kubernetes secrets in
        # Step 5: Set up service account authentication.
        # Provide a reference to the secret with the
        # logger.serviceAccountRef property.

    metrics:
      serviceAccountRef: NON_PROD_WORKLOAD_IDENTITY_SECRET
        # For example: "non-prod-workload-identity-secret"

    udca:
      serviceAccountRef: NON_PROD_WORKLOAD_IDENTITY_SECRET
        # For example: "non-prod-workload-identity-secret"

    watcher:
      serviceAccountRef: NON_PROD_WORKLOAD_IDENTITY_SECRET
        # For example: "non-prod-workload-identity-secret"

    # Required if using Monetization for Apigee hybrid (v1.15.1 and later)
    runtime:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1" # Must be 1.15.1 or higher.
    mintTaskScheduler: # Required for Monetization for Apigee hybrid
      serviceAccountRef: NON_PROD_WORKLOAD_IDENTITY_SECRET
        # For example: "non-prod-workload-identity-secret"

    # If using message payloads larger than 10MB.
    # See configure large message payload support:
    runtime:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi

    The following table describes each of the property values that you must provide in the overrides file. For more information, see Configuration property reference.

    Variable | Description

    UNIQUE_INSTANCE_IDENTIFIER

    A unique string to identify this instance. This can be any combination of letters and numbers up to 63 characters.

    Note: You can create multiple organizations in the same cluster, but the instanceID must be the same for all orgs in the same Kubernetes cluster. For multi-region installations, each region requires its own cluster (individual clusters do not span regions).

    See instanceID.

    APIGEE_NAMESPACE

    The Kubernetes namespace for your Apigee hybrid components.

    The default value is apigee.

    See namespace.

    PROJECT_ID

    Identifies the Google Cloud project where the apigee-logger and the apigee-metrics push their data. This is the value assigned to the environment variable PROJECT_ID.

    See gcp.projectID.

    ANALYTICS_REGION

    In GKE, you must set this value to the same region where the cluster is running. In all other platforms, select the closest analytics region to your cluster that has Analytics support (see the table in Part 1, Step 2: Create an organization).

    This is the value you assigned to the environment variable ANALYTICS_REGION previously.

    See gcp.region.

    AUDIENCE

    The allowed audience of the Workload Identity Provider. You can find the value by searching any of the credential configuration files for the term audience:. The audience value is the same in each credential configuration file.

    For example, in the following sample apigee-udca-credential-configuration.json file:

    {
      "universe_domain": "googleapis.com",
      "type": "external_account",
      "audience": "AUDIENCE",
      "subject_token_type": "TOKEN_TYPE",
      "token_url": "TOKEN_URL",
      "service_account_impersonation_url": "IMPERSONATION_URL",
      "credential_source": {
        "file": "FILE_PATH",
        "format": {
          "type": "text"
        }
      }
    }

    The audience value will look something like the following (without line breaks):

    "//iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID"
    Tip: You can delete the credential configuration files after you copy the audience value.

    See gcp.federatedWorkloadIdentity.audience.

    CLUSTER_NAME

    Your Kubernetes cluster name. This is the value assigned to the environment variable CLUSTER_NAME.

    See k8sCluster.name.

    CLUSTER_LOCATION

    The region where the cluster is running. This is the region where you created the cluster in Step 1: Create a cluster.

    This is the value you assigned to the environment variable CLUSTER_LOCATION previously.

    If you are working with zonal clusters, you must specify the region in which your cluster was created. For example, if you created your cluster in the us-central1-a zone, specify us-central1 for the CLUSTER_LOCATION.

    See k8sCluster.location.

    ORG_NAME

    The ID of your Apigee hybrid organization. This is the value assigned to the environment variable ORG_NAME.

    See org.

    CONTROL_PLANE_LOCATION

    Required if you are using Data residency with your Apigee hybrid installation. This is the location where customer core content like proxy bundles is stored. For a list, see Available Apigee API control plane regions. It is the value assigned to the CONTROL_PLANE_LOCATION environment variable in Step 2: Create an organization.

    See contractProvider.

    ENVIRONMENT_NAME

    Use the same name that you used when you created an environment in the UI, as explained in Project and org setup - Step 3: Create an environment group.

    See envs[].name.

    ENVIRONMENT_GROUP_NAME

    The name of the environment group your environments are assigned to. This is the group you created in Project and org setup - Step 3: Create an environment group. This is the value assigned to the environment variable ENV_GROUP.

    Note: If you wish to place cluster instances in multiple regions, you must be careful about how you define your environments and virtual hosts. If you have one or more environments attached to an environment group, you must include that same environment group configuration in each cluster instance's overrides file.

    See virtualhosts[].name.

    INGRESS_NAME

    The name of the Apigee ingress gateway for your deployment. This can be any name that meets the following requirements:
    • Have a maximum length of 17 characters
    • Contain only lowercase alphanumeric characters, '-' or '.'
    • Start with an alphanumeric character
    • End with an alphanumeric character

    PATH_TO_CERT_FILE
    PATH_TO_KEY_FILE

    Enter the path and filename of the self-signed TLS key and certificate files that you generated previously in Step 6: Create TLS certificates. These files must be located in the APIGEE_HELM_CHARTS_HOME/apigee-virtualhosts/certs directory. For example:

    sslCertPath: certs/keystore.crt
    sslKeyPath: certs/keystore.key

    SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE

    (Optional) This is a key-value pair that provides annotations for your default ingress service. Your cloud platform uses annotations to help configure your hybrid installation, for example setting the load balancer type to either internal or external.

    Annotations vary from platform to platform. Refer to your platform documentation for required and suggested annotations.

    Note: You do not need to set svcAnnotations if you are creating your own Kubernetes service for ingress deployment as documented in Expose Apigee ingress gateway.

    Comment out or delete this section if you are not using it.

    See ingressGateways[].svcAnnotations.

    <component>_WORKLOAD_IDENTITY_SECRET

    The name of the Kubernetes secret you created for the service account credential configuration in Step 5: Set up service account authentication.

    The default names of the secrets suggested in this guide are:

    Production

    • cassandra-workload-identity-secret
    • logger-workload-identity-secret
    • mart-workload-identity-secret
    • metrics-workload-identity-secret
    • mint-task-scheduler-workload-identity-secret
    • runtime-workload-identity-secret
    • synchronizer-workload-identity-secret
    • udca-workload-identity-secret
    • watcher-workload-identity-secret

    Non-prod

    • non-prod-workload-identity-secret


    Example

    instanceID: "my_hybrid_example"
    namespace: "apigee"

    gcp:
      projectID: my-project
      region: us-central1
      workloadIdentity:
        enabled: false
      federatedWorkloadIdentity:
        enabled: true
        audience: "//iam.googleapis.com/projects/123123123123/locations/global/workloadIdentityPools/my-wi-pool/providers/my-wi-provider"
        credentialSourceFile: "/var/run/service-account/token"

    k8sCluster:
      name: hybrid-env
      region: us-central1
    org: my-project

    enhanceProxyLimits: true

    contractProvider: https://us-apigee.googleapis.com

    envs:
    - name: test
      serviceAccountSecretRefs:
        synchronizer: "non-prod-workload-identity-secret"
        runtime: "non-prod-workload-identity-secret"
        udca: "non-prod-workload-identity-secret"

    cassandra:
      hostNetwork: false
      replicaCount: 1

    ingressGateways:
    - name: my-ingress-1
      replicaCountMin: 2
      replicaCountMax: 10

    virtualhosts:
    - name: example-env-group
      selector:
        app: apigee-ingressgateway
        ingress_name: my-ingress-1
      sslCertPath: certs/keystore.pem
      sslKeyPath: certs/keystore.key

    mart:
      serviceAccountRef: "non-prod-workload-identity-secret"

    connectAgent:
      serviceAccountRef: "non-prod-workload-identity-secret"

    logger:
      enabled: false

    metrics:
      serviceAccountRef: "non-prod-workload-identity-secret"

    udca:
      serviceAccountRef: "non-prod-workload-identity-secret"

    watcher:
      serviceAccountRef: "non-prod-workload-identity-secret"

    # Monetization for Apigee hybrid
    runtime:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1"
    mintTaskScheduler:
      serviceAccountRef: "non-prod-workload-identity-secret"

    # for message payloads larger than 10MB:
    runtime:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi

    The following table describes each of the property values that you must provide in the overrides file. For more information, see Configuration property reference.

    Variable | Description

    UNIQUE_INSTANCE_IDENTIFIER

    A unique string to identify this instance. This can be any combination of letters and numbers up to 63 characters.

    Note: You can create multiple organizations in the same cluster, but the instanceID must be the same for all orgs in the same Kubernetes cluster. For multi-region installations, each region requires its own cluster (individual clusters do not span regions).

    See instanceID.

    APIGEE_NAMESPACE

    The Kubernetes namespace for your Apigee hybrid components.

    The default value isapigee.

    Seenamespace.

    PROJECT_IDIdentifies the Google Cloud project where theapigee-logger and theapigee-metrics push their data. This is the value assigned to the environment variablePROJECT_ID.

    Seegcp.projectID.

    ANALYTICS_REGIONIn GKE, You must set this value to the same region where the cluster is running. In all other platforms, select the closest analytics region to your cluster that has Analytics support (see the table inPart 1, Step 2: Create an organization).

    This is the value you assigned to the environment variableANALYTICS_REGION previously.

    Seegcp.region.

    AUDIENCE

    The allowed audience of the Workload Identity Provider. You can find the value by searching any of the credential configuration files for the term audience:. The audience value is the same in each credential configuration file.

    For example, in the following sample apigee-udca-credential-configuration.json file:

    {
      "universe_domain": "googleapis.com",
      "type": "external_account",
      "audience": "AUDIENCE",
      "subject_token_type": "TOKEN_TYPE",
      "token_url": "TOKEN_URL",
      "service_account_impersonation_url": "IMPERSONATION_URL",
      "credential_source": {
        "file": "FILE_PATH",
        "format": {
          "type": "text"
        }
      }
    }

    The audience value will look something like the following (without line breaks):

    "//iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID"

    Tip: You can delete the credential configuration files after you copy the audience value.

    See gcp.federatedWorkloadIdentity.audience.

    CLUSTER_NAME

    Your Kubernetes cluster name. This is the value assigned to the environment variable CLUSTER_NAME.

    See k8sCluster.name.

    CLUSTER_LOCATION

    The region where the cluster is running. This is the region where you created the cluster in Step 1: Create a cluster.

    This is the value you assigned to the environment variable CLUSTER_LOCATION previously.

    If you are working with zonal clusters, you must specify the region in which your cluster was created. For example, if you created your cluster in the us-central1-a zone, specify us-central1 for the CLUSTER_LOCATION.

    See k8sCluster.location.

    ORG_NAME

    The ID of your Apigee hybrid organization. This is the value assigned to the environment variable ORG_NAME.

    See org.

    CONTROL_PLANE_LOCATION

    Required if you are using Data residency with your Apigee hybrid installation. This is the location where customer core content like proxy bundles is stored. For a list, see Available Apigee API control plane regions. It is the value assigned to the CONTROL_PLANE_LOCATION environment variable in Step 2: Create an organization.

    See contractProvider.

    ENVIRONMENT_NAME

    Use the same name that you used when you created an environment in the UI, as explained in Project and org setup - Step 3: Create an environment group.

    See envs[].name.

    ENVIRONMENT_GROUP_NAME

    The name of the environment group your environments are assigned to. This is the group you created in Project and org setup - Step 3: Create an environment group. This is the value assigned to the environment variable ENV_GROUP.

    Note: If you wish to place cluster instances in multiple regions, you must be careful about how you define your environments and virtual hosts. If you have one or more environments attached to an environment group, you must include that same environment group configuration in each cluster instance's overrides file.

    See virtualhosts[].name.

    INGRESS_NAME

    The name of the Apigee ingress gateway for your deployment. This can be any name that meets the following requirements:
    • Have a maximum length of 17 characters
    • Contain only lowercase alphanumeric characters, '-' or '.'
    • Start with an alphanumeric character
    • End with an alphanumeric character

    See:

    PATH_TO_CERT_FILE
    PATH_TO_KEY_FILE

    Enter the path and filename of the self-signed TLS key and certificate files that you generated previously in Step 6: Create TLS certificates. These files must be located in the APIGEE_HELM_CHARTS_HOME/apigee-virtualhosts/certs directory. For example:

    sslCertPath: certs/keystore.crt
    sslKeyPath: certs/keystore.key

    See:

    SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE

    (Optional). This is a key-value pair that provides annotations for your default ingress service. Your cloud platform uses annotations to help configure your hybrid installation, for example setting the load balancer type to either internal or external.

    Annotations vary from platform to platform. Refer to your platform documentation for required and suggested annotations.

    Note: You do not need to set svcAnnotations if you are creating your own Kubernetes service for ingress deployment as documented in Expose Apigee ingress gateway.

    Comment out or delete this section if you are not using it.

    See ingressGateways[].svcAnnotations.

    <component>_WORKLOAD_IDENTITY_SECRET

    The name of the Kubernetes secret you created for the service account credential configuration in Step 5: Set up service account authentication.

    The default names of the secrets suggested in this guide are:

    Production

    • cassandra-workload-identity-secret
    • logger-workload-identity-secret
    • mart-workload-identity-secret
    • metrics-workload-identity-secret
    • mint-task-scheduler-workload-identity-secret
    • runtime-workload-identity-secret
    • synchronizer-workload-identity-secret
    • udca-workload-identity-secret
    • watcher-workload-identity-secret

    Non-prod

    • non-prod-workload-identity-secret

    See:

    WIF: files

    Production

    Template

    Values in red, bold italics are property values that you must provide. They are described in the table below.

    instanceID: UNIQUE_INSTANCE_IDENTIFIER
    namespace: APIGEE_NAMESPACE # Usually "apigee"

    gcp:
      projectID: PROJECT_ID
      region: ANALYTICS_REGION
      workloadIdentity:
        enabled: false # Must be set to false to use
          # Workload Identity Federation on other platforms.
      federatedWorkloadIdentity:
        enabled: true
        audience: "AUDIENCE"
        credentialSourceFile: "/var/run/service-account/token"

    k8sCluster:
      name: CLUSTER_NAME
      region: CLUSTER_LOCATION # Closest Google Cloud region to your cluster.
    org: ORG_NAME

    # Required for Enhanced per-environment proxy limits:
    enhanceProxyLimits: true

    # Required if using data residency with hybrid:
    contractProvider: https://CONTROL_PLANE_LOCATION-apigee.googleapis.com

    envs:
    - name: ENVIRONMENT_NAME
      serviceAccountPaths:
        # Provide the path relative to the apigee-env chart directory.
        synchronizer: SYNCHRONIZER_CREDENTIAL_CONFIGURATION_FILEPATH
          # For example: "apigee-synchronizer-credential-configuration.json"
        runtime: RUNTIME_SERVICE_CREDENTIAL_CONFIGURATION_FILEPATH
          # For example: "apigee-runtime-credential-configuration.json"
        udca: UDCA_SERVICE_CREDENTIAL_CONFIGURATION_FILEPATH
          # For example: "apigee-udca-credential-configuration.json"

    cassandra:
      hostNetwork: false
        # Set to false for single region installations and for multi-region
        # installations with connectivity between pods in different clusters,
        # like GKE installations.
        # Set to true for multi-region installations with no communication
        # between pods in different clusters, for example Google Distributed
        # Cloud on VMware or bare metal, GKE on AWS, AKS, EKS, and OpenShift
        # installations. See Multi-region deployment: Prerequisites
      replicaCount: 3
        # Use multiples of 3 for production.
        # See Configure Cassandra for production for guidelines.
      storage:
        storageSize: 500Gi
      resources:
        requests:
          cpu: 7
          memory: 15Gi
      maxHeapSize: 8192M
      heapNewSize: 1200M
        # Minimum storage requirements for a production environment.
        # See Configure Cassandra for production.

    ingressGateways:
    - name: INGRESS_NAME # maximum 17 characters.
      replicaCountMin: 2
      replicaCountMax: 10
      svcAnnotations:  # optional. If you are on AKS, see Known issue #260772383
        SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE

    virtualhosts:
    - name: ENVIRONMENT_GROUP_NAME
      selector:
        app: apigee-ingressgateway
        ingress_name: INGRESS_NAME
      sslCertPath: PATH_TO_CERT_FILE
      sslKeyPath: PATH_TO_KEY_FILE

    mart:
      serviceAccountPath: MART_CREDENTIAL_CONFIGURATION_FILEPATH
        # Provide the path relative to the apigee-org chart directory.
        # For example: "apigee-mart-credential-configuration.json"

    connectAgent:
      serviceAccountPath: MART_CREDENTIAL_CONFIGURATION_FILEPATH
        # Use the same service account for mart and connectAgent
        # Provide the path relative to the apigee-org chart directory.
        # For example: "apigee-mart-credential-configuration.json"

    logger:
      enabled: false
        # apigee-logger does not support Workload Identity Federation.
        # See Known issue #341099433.
        # If you want to enable the apigee-logger component, provide
        # the path to the apigee-logger service account key file with
        # the logger.serviceAccountPath property.

    metrics:
      serviceAccountPath: METRICS_CREDENTIAL_CONFIGURATION_FILEPATH
        # Provide the path relative to the apigee-telemetry chart directory.
        # For example: "apigee-metrics-credential-configuration.json"

    udca:
      serviceAccountPath: UDCA_CREDENTIAL_CONFIGURATION_FILEPATH
        # Provide the path relative to the apigee-telemetry chart directory.
        # For example: "apigee-udca-credential-configuration.json"

    watcher:
      serviceAccountPath: WATCHER_CREDENTIAL_CONFIGURATION_FILEPATH
        # Provide the path relative to the apigee-telemetry chart directory.
        # For example: "apigee-watcher-credential-configuration.json"

    # Required if using Monetization for Apigee hybrid (v1.15.1 and later)
    runtime:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1" # Must be 1.15.1 or higher.

    mintTaskScheduler: # Required for Monetization for Apigee hybrid
      serviceAccountPath: MINT_TASK_SCHEDULER_CREDENTIAL_CONFIGURATION_FILEPATH
        # Provide the path relative to the apigee-org chart directory.
        # For example: "apigee-mint-task-scheduler-credential-configuration.json"

    # If using message payloads larger than 10MB.
    # See configure large message payload support:
    runtime:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi

    The following table describes each of the property values that you must provide in the overrides file. For more information, see Configuration property reference.

    Variable | Description

    UNIQUE_INSTANCE_IDENTIFIER

    A unique string to identify this instance. This can be any combination of letters and numbers up to 63 characters.

    Note: You can create multiple organizations in the same cluster, but the instanceID must be the same for all orgs in the same Kubernetes cluster. For multi-region installations, each region requires its own cluster (individual clusters do not span regions).

    See instanceID.

    APIGEE_NAMESPACE

    The Kubernetes namespace for your Apigee hybrid components.

    The default value is apigee.

    See namespace.

    PROJECT_ID

    Identifies the Google Cloud project where the apigee-logger and the apigee-metrics push their data. This is the value assigned to the environment variable PROJECT_ID.

    See gcp.projectID.

    ANALYTICS_REGION

    In GKE, you must set this value to the same region where the cluster is running. In all other platforms, select the closest analytics region to your cluster that has Analytics support (see the table in Part 1, Step 2: Create an organization).

    This is the value you assigned to the environment variable ANALYTICS_REGION previously.

    See gcp.region.

    AUDIENCE

    The allowed audience of the Workload Identity Provider. You can find the value by searching any of the credential configuration files for the term audience:. The audience value is the same in each credential configuration file.

    For example, in the following sample apigee-udca-credential-configuration.json file:

    {
      "universe_domain": "googleapis.com",
      "type": "external_account",
      "audience": "AUDIENCE",
      "subject_token_type": "TOKEN_TYPE",
      "token_url": "TOKEN_URL",
      "service_account_impersonation_url": "IMPERSONATION_URL",
      "credential_source": {
        "file": "FILE_PATH",
        "format": {
          "type": "text"
        }
      }
    }

    The audience value will look something like the following (without line breaks):

    "//iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID"

    Tip: You can delete the credential configuration files after you copy the audience value.

    See gcp.federatedWorkloadIdentity.audience.

    CLUSTER_NAME

    Your Kubernetes cluster name. This is the value assigned to the environment variable CLUSTER_NAME.

    See k8sCluster.name.

    CLUSTER_LOCATION

    The region where the cluster is running. This is the region where you created the cluster in Step 1: Create a cluster.

    This is the value you assigned to the environment variable CLUSTER_LOCATION previously.

    If you are working with zonal clusters, you must specify the region in which your cluster was created. For example, if you created your cluster in the us-central1-a zone, specify us-central1 for the CLUSTER_LOCATION.

    See k8sCluster.location.

    ORG_NAME

    The ID of your Apigee hybrid organization. This is the value assigned to the environment variable ORG_NAME.

    See org.

    CONTROL_PLANE_LOCATION

    Required if you are using Data residency with your Apigee hybrid installation. This is the location where customer core content like proxy bundles is stored. For a list, see Available Apigee API control plane regions. It is the value assigned to the CONTROL_PLANE_LOCATION environment variable in Step 2: Create an organization.

    See contractProvider.

    ENVIRONMENT_NAME

    Use the same name that you used when you created an environment in the UI, as explained in Project and org setup - Step 3: Create an environment group.

    See envs[].name.

    ENVIRONMENT_GROUP_NAME

    The name of the environment group your environments are assigned to. This is the group you created in Project and org setup - Step 3: Create an environment group. This is the value assigned to the environment variable ENV_GROUP.

    Note: If you wish to place cluster instances in multiple regions, you must be careful about how you define your environments and virtual hosts. If you have one or more environments attached to an environment group, you must include that same environment group configuration in each cluster instance's overrides file.

    See virtualhosts[].name.

    INGRESS_NAME

    The name of the Apigee ingress gateway for your deployment. This can be any name that meets the following requirements:
    • Have a maximum length of 17 characters
    • Contain only lowercase alphanumeric characters, '-' or '.'
    • Start with an alphanumeric character
    • End with an alphanumeric character

    See:

    PATH_TO_CERT_FILE
    PATH_TO_KEY_FILE

    Enter the path and filename of the self-signed TLS key and certificate files that you generated previously in Step 6: Create TLS certificates. These files must be located in the APIGEE_HELM_CHARTS_HOME/apigee-virtualhosts/certs directory. For example:

    sslCertPath: certs/keystore.crt
    sslKeyPath: certs/keystore.key

    See:

    SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE

    (Optional). This is a key-value pair that provides annotations for your default ingress service. Your cloud platform uses annotations to help configure your hybrid installation, for example setting the load balancer type to either internal or external.

    Annotations vary from platform to platform. Refer to your platform documentation for required and suggested annotations.

    Note: You do not need to set svcAnnotations if you are creating your own Kubernetes service for ingress deployment as documented in Expose Apigee ingress gateway.

    Comment out or delete this section if you are not using it.

    See ingressGateways[].svcAnnotations.

    <component>_CREDENTIAL_CONFIGURATION_FILEPATH

    The path and filename of the credential configuration files you created in Step 5: Set up service account authentication.

    Provide the names with the path relative to the chart directory. For example:

    • If the apigee-synchronizer-credential-configuration.json file resides in the apigee-env/ chart directory, you only need to provide the file name, such as:
      synchronizer:  "FILE_NAME.json"
    • If the file resides in an apigee-env/service-accounts/ directory, you would specify a relative path:
      synchronizer:  "service-accounts/FILE_NAME.json"

    The default file names and corresponding chart directories for the service accounts are:

    Production

    | Service account file name | Chart directory |
    |---|---|
    | apigee-cassandra-credential-configuration.json | apigee-datastore/ |
    | apigee-logger-credential-configuration.json | apigee-telemetry/ |
    | apigee-mart-credential-configuration.json | apigee-org/ |
    | apigee-metrics-credential-configuration.json | apigee-telemetry/ |
    | apigee-mint-task-scheduler-credential-configuration.json | apigee-org/ |
    | apigee-runtime-credential-configuration.json | apigee-env/ |
    | apigee-synchronizer-credential-configuration.json | apigee-env/ |
    | apigee-udca-credential-configuration.json | apigee-org/ |
    | apigee-watcher-credential-configuration.json | apigee-org/ |

    Non-prod

    | Service account file name | Chart directory |
    |---|---|
    | apigee-non-prod-credential-configuration.json | apigee-datastore/ |
    | | apigee-org/ |
    | | apigee-telemetry/ |

    Note: Both mart and connectAgent use the apigee-mart service account.

    See:

    Example

    instanceID: "my_hybrid_example"
    namespace: "apigee"

    gcp:
      projectID: my-project
      region: us-central1
      workloadIdentity:
        enabled: false
      federatedWorkloadIdentity:
        enabled: true
        audience: "//iam.googleapis.com/projects/123123123123/locations/global/workloadIdentityPools/my-wi-pool/providers/my-wi-provider"
        credentialSourceFile: "/var/run/service-account/token"

    k8sCluster:
      name: hybrid-env
      region: us-central1
    org: my-project

    enhanceProxyLimits: true

    contractProvider: https://us-apigee.googleapis.com

    envs:
    - name: prod-env
      serviceAccountPaths:
        synchronizer: "apigee-synchronizer-credential-configuration.json"
        runtime: "apigee-runtime-credential-configuration.json"
        udca: "apigee-udca-credential-configuration.json"

    cassandra:
      hostNetwork: false
      replicaCount: 3
      storage:
        storageSize: 500Gi
      resources:
        requests:
          cpu: 7
          memory: 15Gi
      maxHeapSize: 8192M
      heapNewSize: 1200M

    ingressGateways:
    - name: my-ingress-1
      replicaCountMin: 2
      replicaCountMax: 10

    virtualhosts:
    - name: example-env-group
      selector:
        app: apigee-ingressgateway
        ingress_name: my-ingress-1
      sslCertPath: certs/keystore.pem
      sslKeyPath: certs/keystore.key

    mart:
      serviceAccountPath: "apigee-mart-credential-configuration.json"

    connectAgent:
      serviceAccountPath: "apigee-mart-credential-configuration.json"

    logger:
      enabled: false

    metrics:
      serviceAccountPath: "apigee-metrics-credential-configuration.json"

    udca:
      serviceAccountPath: "apigee-udca-credential-configuration.json"

    watcher:
      serviceAccountPath: "apigee-watcher-credential-configuration.json"

    # Monetization for Apigee hybrid
    runtime:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1"

    mintTaskScheduler:
      serviceAccountPath: "apigee-mint-task-scheduler-credential-configuration.json"

    # For message payloads larger than 10MB:
    runtime:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi
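
A pre-install check for the rules this page states for Workload Identity Federation overrides, as an added example that is not part of the Apigee documentation or tooling: it verifies the two identity flags, that every referenced credential configuration file has type external_account and the same audience as the overrides, that an enabled logger points at a service account key file, and the INGRESS_NAME requirements. The function names, the already-parsed dict input and the files mapping keyed by the path written in the overrides are assumptions of this sketch; the sample data is constructed.

```python
import json
import re

# Audience shape shown on this page for a workload identity pool provider.
AUDIENCE_RE = re.compile(
    r"^//iam\.googleapis\.com/projects/\d+/locations/global/"
    r"workloadIdentityPools/[^/]+/providers/[^/]+$"
)
# INGRESS_NAME: lowercase alphanumerics, '-' or '.', alphanumeric at both ends.
INGRESS_RE = re.compile(r"^[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?$")
COMPONENTS = ("mart", "connectAgent", "metrics", "udca", "watcher", "mintTaskScheduler")


def valid_ingress_name(name):
    """Apply the INGRESS_NAME requirements from the table (17 characters maximum)."""
    return len(name) <= 17 and INGRESS_RE.match(name) is not None


def _check_file(where, path, files, expected_type, audience):
    """Check one referenced JSON file for its type and, if given, its audience."""
    if path not in files:
        return [f"{where}: {path} not found"]
    try:
        cfg = json.loads(files[path])
    except json.JSONDecodeError:
        cfg = None
    if not isinstance(cfg, dict):
        return [f"{where}: {path} is not a JSON object"]
    out = []
    if cfg.get("type") != expected_type:
        out.append(f"{where}: {path} has type {cfg.get('type')!r}, expected {expected_type!r}")
    if audience is not None and cfg.get("audience") != audience:
        out.append(f"{where}: {path} audience differs from gcp.federatedWorkloadIdentity.audience")
    return out


def lint_overrides(overrides, files):
    """Return findings for a parsed overrides.yaml (dict) and {path: file text}."""
    findings = []
    gcp = overrides.get("gcp", {})
    fwi = gcp.get("federatedWorkloadIdentity", {})
    if gcp.get("workloadIdentity", {}).get("enabled") is not False:
        findings.append("gcp.workloadIdentity.enabled must be false")
    if fwi.get("enabled") is not True:
        findings.append("gcp.federatedWorkloadIdentity.enabled must be true")
    audience = fwi.get("audience", "")
    if not AUDIENCE_RE.match(audience):
        findings.append("gcp.federatedWorkloadIdentity.audience has an unexpected shape")

    # Every credential configuration file the overrides point at.
    refs = {}
    for env in overrides.get("envs", []):
        for comp, path in env.get("serviceAccountPaths", {}).items():
            refs[f"envs[{env.get('name')}].{comp}"] = path
    for comp in COMPONENTS:
        path = overrides.get(comp, {}).get("serviceAccountPath")
        if path:
            refs[comp] = path
    for where, path in sorted(refs.items()):
        findings += _check_file(where, path, files, "external_account", audience)

    # apigee-logger does not support Workload Identity Federation, so an
    # enabled logger needs a service account key file, not a credential config.
    logger = overrides.get("logger", {})
    if logger.get("enabled"):
        path = logger.get("serviceAccountPath", "<unset>")
        findings += _check_file("logger", path, files, "service_account", None)

    for gw in overrides.get("ingressGateways", []):
        if not valid_ingress_name(gw.get("name", "")):
            findings.append(f"ingressGateways: invalid name {gw.get('name')!r}")
    return findings


# Constructed sample: the page's example values with two deliberately broken files.
AUD = ("//iam.googleapis.com/projects/123123123123/locations/global/"
       "workloadIdentityPools/my-wi-pool/providers/my-wi-provider")
SAMPLE_OVERRIDES = {
    "gcp": {"workloadIdentity": {"enabled": False},
            "federatedWorkloadIdentity": {"enabled": True, "audience": AUD}},
    "envs": [{"name": "prod-env", "serviceAccountPaths": {
        "synchronizer": "apigee-synchronizer-credential-configuration.json",
        "runtime": "apigee-runtime-credential-configuration.json"}}],
    "mart": {"serviceAccountPath": "apigee-mart-credential-configuration.json"},
    "logger": {"enabled": False},
    "ingressGateways": [{"name": "my-ingress-1"}],
}
SAMPLE_FILES = {
    "apigee-synchronizer-credential-configuration.json":
        json.dumps({"type": "external_account", "audience": AUD}),
    "apigee-runtime-credential-configuration.json":  # points at another pool
        json.dumps({"type": "external_account", "audience": AUD.replace("my-wi-pool", "other-pool")}),
    "apigee-mart-credential-configuration.json":  # mistyped type field
        json.dumps({"type": "external_account:,", "audience": AUD}),
}

if __name__ == "__main__":
    print("\n".join(lint_overrides(SAMPLE_OVERRIDES, SAMPLE_FILES)))
```

On the constructed sample this reports the runtime file whose audience names a different pool and the mart file whose type field is mistyped; an empty list means the checked rules hold.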


    Non-prod

    Template

    Values in red, bold italics are property values that you must provide. They are described in the table below.

    instanceID: UNIQUE_INSTANCE_IDENTIFIER
    namespace: APIGEE_NAMESPACE # Usually "apigee"

    gcp:
      projectID: PROJECT_ID
      region: ANALYTICS_REGION
      workloadIdentity:
        enabled: false # Must be set to false to use
          # Workload Identity Federation on other platforms.
      federatedWorkloadIdentity:
        enabled: true
        audience: "AUDIENCE"
        credentialSourceFile: "/var/run/service-account/token"

    k8sCluster:
      name: CLUSTER_NAME
      region: CLUSTER_LOCATION # Closest Google Cloud region to your cluster.
    org: ORG_NAME

    # Required for Enhanced per-environment proxy limits:
    enhanceProxyLimits: true

    # Required if using data residency with hybrid:
    contractProvider: https://CONTROL_PLANE_LOCATION-apigee.googleapis.com

    envs:
    - name: ENVIRONMENT_NAME
      serviceAccountPaths:
        # Provide the path relative to the apigee-env chart directory.
        synchronizer: NON_PROD_CREDENTIAL_CONFIGURATION_FILEPATH
          # For example: "apigee-non-prod-credential-configuration.json"
        runtime: NON_PROD_CREDENTIAL_CONFIGURATION_FILEPATH
          # For example: "apigee-non-prod-credential-configuration.json"
        udca: NON_PROD_CREDENTIAL_CONFIGURATION_FILEPATH
          # For example: "apigee-non-prod-credential-configuration.json"

    cassandra:
      hostNetwork: false
        # Set to false for single region installations and for multi-region
        # installations with connectivity between pods in different clusters,
        # like GKE.
        # Set to true for multi-region installations with no communication
        # between pods in different clusters, for example Google Distributed
        # Cloud on VMware or bare metal, GKE on AWS, AKS, EKS, and OpenShift.
        # See Multi-region deployment: Prerequisites
      replicaCount: 1
        # Use 1 for non-prod installations and multiples of 3 for production.
        # See Configure Cassandra for production for guidelines.

    ingressGateways:
    - name: INGRESS_NAME # maximum 17 characters.
      replicaCountMin: 2
      replicaCountMax: 10
      svcAnnotations:  # optional. If you are on AKS, see Known issue #260772383
        SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE

    virtualhosts:
    - name: ENVIRONMENT_GROUP_NAME
      selector:
        app: apigee-ingressgateway
        ingress_name: INGRESS_NAME
      sslCertPath: PATH_TO_CERT_FILE
      sslKeyPath: PATH_TO_KEY_FILE

    mart:
      serviceAccountPath: NON_PROD_CREDENTIAL_CONFIGURATION_FILEPATH
        # Provide the path relative to the apigee-org chart directory.
        # For example: "apigee-non-prod-credential-configuration.json"

    connectAgent:
      serviceAccountPath: NON_PROD_CREDENTIAL_CONFIGURATION_FILEPATH
        # Use the same service account for mart and connectAgent
        # Provide the path relative to the apigee-org chart directory.
        # For example: "apigee-non-prod-credential-configuration.json"

    logger:
      enabled: false
        # apigee-logger does not support Workload Identity Federation.
        # See Known issue #341099433.
        # If you want to enable the apigee-logger component, provide
        # the path to the apigee-non-prod service account key file with
        # the logger.serviceAccountPath property.

    metrics:
      serviceAccountPath: NON_PROD_CREDENTIAL_CONFIGURATION_FILEPATH
        # Provide the path relative to the apigee-telemetry chart directory.
        # For example: "apigee-non-prod-credential-configuration.json"

    udca:
      serviceAccountPath: NON_PROD_CREDENTIAL_CONFIGURATION_FILEPATH
        # Provide the path relative to the apigee-telemetry chart directory.
        # For example: "apigee-non-prod-credential-configuration.json"

    watcher:
      serviceAccountPath: NON_PROD_CREDENTIAL_CONFIGURATION_FILEPATH
        # Provide the path relative to the apigee-telemetry chart directory.
        # For example: "apigee-non-prod-credential-configuration.json"

    # Required if using Monetization for Apigee hybrid (v1.15.1 and later)
    runtime:
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1" # Must be 1.15.1 or higher.

    mintTaskScheduler: # Required for Monetization for Apigee hybrid
      serviceAccountPath: NON_PROD_CREDENTIAL_CONFIGURATION_FILEPATH
        # Provide the path relative to the apigee-org chart directory.
        # For example: "apigee-non-prod-credential-configuration.json"

    # If using message payloads larger than 10MB.
    # See configure large message payload support:
    runtime:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi

    The following table describes each of the property values that you must provide in the overrides file. For more information, seeConfiguration property reference.

    Variable    Description
    UNIQUE_INSTANCE_IDENTIFIER

    A unique string to identify this instance. This can be any combination of letters and numbers up to 63 characters.

    Note: You can create multiple organizations in the same cluster, but the instanceID must be the same for all orgs in the same Kubernetes cluster. For multi-region installations, each region requires its own cluster (individual clusters do not span regions).

    See instanceID.

    APIGEE_NAMESPACE

    The Kubernetes namespace for your Apigee hybrid components.

    The default value is apigee.

    See namespace.

    PROJECT_ID
    Identifies the Google Cloud project where the apigee-logger and the apigee-metrics push their data. This is the value assigned to the environment variable PROJECT_ID.

    See gcp.projectID.

    ANALYTICS_REGION
    In GKE, you must set this value to the same region where the cluster is running. In all other platforms, select the closest analytics region to your cluster that has Analytics support (see the table in Part 1, Step 2: Create an organization).

    This is the value you assigned to the environment variable ANALYTICS_REGION previously.

    See gcp.region.

    AUDIENCE
    The allowed audience of the Workload Identity Provider. You can find the value by searching any of the credential configuration files for the term audience:. The audience value is the same in each credential configuration file.

    For example, in the following sample apigee-udca-credential-configuration.json file:

    {
      "universe_domain": "googleapis.com",
      "type": "external_account",
      "audience": "AUDIENCE",
      "subject_token_type": "TOKEN_TYPE",
      "token_url": "TOKEN_URL",
      "service_account_impersonation_url": "IMPERSONATION_URL",
      "credential_source": {
        "file": "FILE_PATH",
        "format": {
          "type": "text"
        }
      }
    }

    The audience value will look something like the following (without line breaks):

    "//iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID"

    Tip: You can delete the credential configuration files after you copy the audience value.

    See gcp.federatedWorkloadIdentity.audience.

    CLUSTER_NAME
    Your Kubernetes cluster name. This is the value assigned to the environment variable CLUSTER_NAME.

    See k8sCluster.name.

    CLUSTER_LOCATION
    The region where the cluster is running. This is the region where you created the cluster in Step 1: Create a cluster.

    This is the value you assigned to the environment variable CLUSTER_LOCATION previously.

    If you are working with zonal clusters, you must specify the region in which your cluster was created. For example, if you created your cluster in the us-central1-a zone, specify us-central1 for the CLUSTER_LOCATION.

    See k8sCluster.location.

    ORG_NAME
    The ID of your Apigee hybrid organization. This is the value assigned to the environment variable ORG_NAME.

    See org.

    CONTROL_PLANE_LOCATION
    Required if you are using Data residency with your Apigee hybrid installation. This is the location where customer core content like proxy bundles is stored. For a list, see Available Apigee API control plane regions. It is the value assigned to the CONTROL_PLANE_LOCATION environment variable in Step 2: Create an organization.

    See contractProvider.

    ENVIRONMENT_NAME
    Use the same name that you used when you created an environment in the UI, as explained in Project and org setup - Step 3: Create an environment group.

    See envs[].name.

    ENVIRONMENT_GROUP_NAME
    The name of the environment group your environments are assigned to. This is the group you created in Project and org setup - Step 3: Create an environment group. This is the value assigned to the environment variable ENV_GROUP.

    Note: If you wish to place cluster instances in multiple regions, you must be careful about how you define your environments and virtual hosts. If you have one or more environments attached to an environment group, you must include that same environment group configuration in each cluster instance's overrides file.

    See virtualhosts[].name.

    INGRESS_NAME
    The name of the Apigee ingress gateway for your deployment. This can be any name that meets the following requirements:
    • Have a maximum length of 17 characters
    • Contain only lowercase alphanumeric characters, '-' or '.'
    • Start with an alphanumeric character
    • End with an alphanumeric character

    See:

    PATH_TO_CERT_FILE
    PATH_TO_KEY_FILE
    Enter the path and filename of the self-signed TLS key and certificate files that you generated previously in Step 6: Create TLS certificates. These files must be located in the APIGEE_HELM_CHARTS_HOME/apigee-virtualhosts/certs directory. For example:
    sslCertPath: certs/keystore.crt
    sslKeyPath: certs/keystore.key

    See:

    SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE
    (Optional). This is a key-value pair that provides annotations for your default ingress service. Your cloud platform uses annotations to help configure your hybrid installation, for example setting the load balancer type to either internal or external.

    Annotations vary from platform to platform. Refer to your platform documentation for required and suggested annotations.

    Note: You do not need to set svcAnnotations if you are creating your own Kubernetes service for ingress deployment as documented in Expose Apigee ingress gateway.

    Comment out or delete this section if you are not using it.

    See ingressGateways[].svcAnnotations.

    <component>_CREDENTIAL_CONFIGURATION_FILEPATH
    The path and filename of the credential configuration files you created in Step 5: Set up service account authentication.

    Provide the names with the path relative to the chart directory. For example:

    • If the apigee-synchronizer-credential-configuration.json file resides in the apigee-env/ chart directory, you only need to provide the file name, such as:
      synchronizer: "FILE_NAME.json"
    • If the file resides in an apigee-env/service-accounts/ directory, you would specify a relative path:
      synchronizer: "service-accounts/FILE_NAME.json"

    The default names and corresponding chart directories for the service accounts are:

    Production

    Service account file name    Chart directory
    apigee-cassandra-credential-configuration.json    apigee-datastore/
    apigee-logger-credential-configuration.json    apigee-telemetry/
    apigee-mart-credential-configuration.json    apigee-org/
    apigee-metrics-credential-configuration.json    apigee-telemetry/
    apigee-mint-task-scheduler-credential-configuration.json    apigee-org/
    apigee-runtime-credential-configuration.json    apigee-env/
    apigee-synchronizer-credential-configuration.json    apigee-env/
    apigee-udca-credential-configuration.json    apigee-org/
    apigee-watcher-credential-configuration.json    apigee-org/

    Non-prod

    Service account file name    Chart directory
    apigee-non-prod-credential-configuration.json    apigee-datastore/, apigee-org/, apigee-telemetry/

    Note: Both mart and connectAgent use the apigee-mart service account.

    See:

    Example

    instanceID: "my_hybrid_example"
    namespace: "apigee"
    gcp:
      projectID: my-project
      region: us-central1
      workloadIdentity:
        enabled: false
      federatedWorkloadIdentity:
        enabled: true
        audience: "//iam.googleapis.com/projects/123123123123/locations/global/workloadIdentityPools/my-wi-pool/providers/my-wi-provider"
        credentialSourceFile: "/var/run/service-account/token"
    k8sCluster:
      name: hybrid-env
      region: us-central1
    org: my-project
    enhanceProxyLimits: true
    contractProvider: https://us-apigee.googleapis.com
    envs:
    - name: test
      serviceAccountPaths:
        synchronizer: "apigee-non-prod-credential-configuration.json"
        runtime: "apigee-non-prod-credential-configuration.json"
        udca: "apigee-non-prod-credential-configuration.json"
    cassandra:
      hostNetwork: false
      replicaCount: 1
    ingressGateways:
    - name: my-ingress-1
      replicaCountMin: 2
      replicaCountMax: 10
    virtualhosts:
    - name: example-env-group
      selector:
        app: apigee-ingressgateway
        ingress_name: my-ingress-1
      sslCertPath: certs/keystore.pem
      sslKeyPath: certs/keystore.key
    mart:
      serviceAccountPath: "apigee-non-prod-credential-configuration.json"
    connectAgent:
      serviceAccountPath: "apigee-non-prod-credential-configuration.json"
    logger:
      enabled: false
    metrics:
      serviceAccountPath: "apigee-non-prod-credential-configuration.json"
    udca:
      serviceAccountPath: "apigee-non-prod-credential-configuration.json"
    watcher:
      serviceAccountPath: "apigee-non-prod-credential-configuration.json"
    # runtime is listed once because YAML mapping keys must be unique.
    runtime:
      # Monetization for Apigee hybrid
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1"
      # For message payloads larger than 10MB:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi
    mintTaskScheduler:
      serviceAccountPath: "apigee-non-prod-credential-configuration.json"
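The constraints this tab places on the Workload Identity Federation values can be checked before running Helm. The following is an added example, not Apigee tooling: it assumes overrides.yaml has already been parsed into a dict, and the function names and sample inputs are constructed for illustration.

```python
import json
import re

# Shape of the audience string shown on the page.
AUDIENCE_RE = re.compile(
    r"^//iam\.googleapis\.com/projects/\d+/locations/global/"
    r"workloadIdentityPools/[^/]+/providers/[^/]+$"
)
# INGRESS_NAME: lowercase alphanumerics, '-' or '.', alphanumeric at both ends.
INGRESS_RE = re.compile(r"^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$")
# A zone such as us-central1-a ends in "-<letter>"; a region does not.
ZONE_RE = re.compile(r"-[a-z]$")


def check_ingress_name(name):
    """Apply the INGRESS_NAME rules from the table."""
    problems = []
    if len(name) > 17:
        problems.append(f"ingress name {name!r} is longer than 17 characters")
    if not INGRESS_RE.match(name):
        problems.append(f"ingress name {name!r} has invalid characters or ends")
    return problems


def check_federation(gcp, credential_configs):
    """Compare the gcp block with each credential configuration file.

    credential_configs maps a file name to the file's raw JSON text.
    """
    problems = []
    if gcp.get("workloadIdentity", {}).get("enabled", False):
        problems.append("gcp.workloadIdentity.enabled must be false")
    fwi = gcp.get("federatedWorkloadIdentity", {})
    if fwi.get("enabled") is not True:
        problems.append("gcp.federatedWorkloadIdentity.enabled must be true")
    audience = fwi.get("audience", "")
    if not AUDIENCE_RE.match(audience):
        problems.append("gcp.federatedWorkloadIdentity.audience is malformed")
    for filename in sorted(credential_configs):
        try:
            config = json.loads(credential_configs[filename])
        except json.JSONDecodeError as exc:
            problems.append(f"{filename}: not valid JSON ({exc.msg})")
            continue
        if config.get("type") != "external_account":
            problems.append(f"{filename}: type is not external_account")
        # The page states the audience is the same in every file.
        if config.get("audience") != audience:
            problems.append(f"{filename}: audience differs from overrides")
    return problems


def preflight(overrides, credential_configs):
    """Return a list of problems; an empty list means every check passed."""
    problems = check_federation(overrides.get("gcp", {}), credential_configs)
    location = overrides.get("k8sCluster", {}).get("region", "")
    if ZONE_RE.search(location):
        problems.append(f"k8sCluster.region {location!r} is a zone, not a region")
    for gateway in overrides.get("ingressGateways", []):
        problems.extend(check_ingress_name(gateway.get("name", "")))
    return problems


# Constructed sample inputs, modelled on the example values on this page.
GOOD_AUDIENCE = ("//iam.googleapis.com/projects/123123123123/locations/global/"
                 "workloadIdentityPools/my-wi-pool/providers/my-wi-provider")
SAMPLE_OVERRIDES = {
    "gcp": {"workloadIdentity": {"enabled": False},
            "federatedWorkloadIdentity": {"enabled": True,
                                          "audience": GOOD_AUDIENCE}},
    "k8sCluster": {"name": "hybrid-env", "region": "us-central1"},
    "ingressGateways": [{"name": "my-ingress-1"}],
}
SAMPLE_CONFIGS = {
    "apigee-non-prod-credential-configuration.json": json.dumps(
        {"type": "external_account", "audience": GOOD_AUDIENCE}),
}
BROKEN_OVERRIDES = {
    "gcp": {"workloadIdentity": {"enabled": True},
            "federatedWorkloadIdentity": {"enabled": True,
                                          "audience": GOOD_AUDIENCE}},
    "k8sCluster": {"name": "hybrid-env", "region": "us-central1-a"},
    "ingressGateways": [{"name": "My_Ingress_Gateway_1"}],
}
BROKEN_CONFIGS = {
    # Audience copied from a different (constructed) pool.
    "apigee-mart-credential-configuration.json": json.dumps(
        {"type": "external_account",
         "audience": GOOD_AUDIENCE.replace("my-wi-pool", "other-pool")}),
    # Misplaced comma and quote, so the file does not parse.
    "apigee-udca-credential-configuration.json":
        '{"type": "external_account:," "audience": "AUDIENCE"}',
}

if __name__ == "__main__":
    for problem in preflight(BROKEN_OVERRIDES, BROKEN_CONFIGS):
        print("FAIL:", problem)
```

A credential configuration file that fails to parse is reported rather than skipped, so a copy-and-paste error in one file cannot hide an audience mismatch in another.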


    WIF: Vault

    Production

    Template

    Values in red, bold italics are property values that you must provide. They are described in the table below.

    instanceID: UNIQUE_INSTANCE_IDENTIFIER
    namespace: APIGEE_NAMESPACE # Usually "apigee"
    gcp:
      projectID: PROJECT_ID
      region: ANALYTICS_REGION
      workloadIdentity:
        enabled: false # Must be set to false to use
          # Workload Identity Federation on other platforms.
      federatedWorkloadIdentity:
        enabled: true
        audience: "AUDIENCE"
        credentialSourceFile: "/var/run/service-account/token"
    k8sCluster:
      name: CLUSTER_NAME
      region: CLUSTER_LOCATION # Closest Google Cloud region to your cluster.
    org: ORG_NAME
    serviceAccountSecretProviderClass: apigee-orgsakeys-spc
    # Required for Enhanced per-environment proxy limits:
    enhanceProxyLimits: true
    # Required if using data residency with hybrid:
    contractProvider: https://CONTROL_PLANE_LOCATION-apigee.googleapis.com
    envs:
    - name: ENVIRONMENT_NAME
      serviceAccountSecretProviderClass: apigee-envsakeys-ENVIRONMENT_NAME-spc
    cassandra:
      hostNetwork: false
        # Set to false for single region installations and for multi-region
        # installations with connectivity between pods in different clusters,
        # like GKE.
        # Set to true for multi-region installations with no communication
        # between pods in different clusters, for example Google Distributed
        # Cloud on VMware or bare metal, GKE on AWS, AKS, EKS, and OpenShift.
        # See Multi-region deployment: Prerequisites
      replicaCount: 3
        # Use multiples of 3 for production.
        # See Configure Cassandra for production for guidelines.
      storage:
        storageSize: 500Gi
      resources:
        requests:
          cpu: 7
          memory: 15Gi
      maxHeapSize: 8192M
      heapNewSize: 1200M
        # Minimum storage requirements for a production environment.
        # See Configure Cassandra for production.
    ingressGateways:
    - name: INGRESS_NAME # maximum 17 characters.
      replicaCountMin: 2
      replicaCountMax: 10
      svcAnnotations:  # optional. If you are on AKS, see Known issue #260772383
        SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE
    virtualhosts:
    - name: ENVIRONMENT_GROUP_NAME
      selector:
        app: apigee-ingressgateway
        ingress_name: INGRESS_NAME
      sslCertPath: PATH_TO_CERT_FILE
      sslKeyPath: PATH_TO_KEY_FILE
    logger:
      enabled: false
        # apigee-logger does not support Workload Identity Federation.
        # See Known issue #341099433.
        # If you want to enable the apigee-logger component, add
        # a "logger" : "value" entry in the orgsakeys vault secret
        # using the contents of the apigee-logger key file for the
        # value. See Step 5: Set up service account authentication.
    # runtime is listed once because YAML mapping keys must be unique;
    # keep only the settings that apply to your installation.
    runtime:
      # Required if using Monetization for Apigee hybrid (v1.15.1 and later)
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1" # Must be 1.15.1 or higher.
      # If using message payloads larger than 10MB.
      # See configure large message payload support:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi

    The following table describes each of the property values that you must provide in the overrides file. For more information, see Configuration property reference.

    Variable    Description
    UNIQUE_INSTANCE_IDENTIFIER

    A unique string to identify this instance. This can be any combination of letters and numbers up to 63 characters.

    Note: You can create multiple organizations in the same cluster, but the instanceID must be the same for all orgs in the same Kubernetes cluster. For multi-region installations, each region requires its own cluster (individual clusters do not span regions).

    See instanceID.

    APIGEE_NAMESPACE

    The Kubernetes namespace for your Apigee hybrid components.

    The default value is apigee.

    See namespace.

    PROJECT_ID
    Identifies the Google Cloud project where the apigee-logger and the apigee-metrics push their data. This is the value assigned to the environment variable PROJECT_ID.

    See gcp.projectID.

    ANALYTICS_REGION
    In GKE, you must set this value to the same region where the cluster is running. In all other platforms, select the closest analytics region to your cluster that has Analytics support (see the table in Part 1, Step 2: Create an organization).

    This is the value you assigned to the environment variable ANALYTICS_REGION previously.

    See gcp.region.

    AUDIENCE
    The allowed audience of the Workload Identity Provider. You can find the value by searching any of the credential configuration files for the term audience:. The audience value is the same in each credential configuration file.

    For example, in the following sample apigee-udca-credential-configuration.json file:

    {
      "universe_domain": "googleapis.com",
      "type": "external_account",
      "audience": "AUDIENCE",
      "subject_token_type": "TOKEN_TYPE",
      "token_url": "TOKEN_URL",
      "service_account_impersonation_url": "IMPERSONATION_URL",
      "credential_source": {
        "file": "FILE_PATH",
        "format": {
          "type": "text"
        }
      }
    }

    The audience value will look something like the following (without line breaks):

    "//iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID"

    Tip: You can delete the credential configuration files after you copy the audience value.

    See gcp.federatedWorkloadIdentity.audience.

    CLUSTER_NAME
    Your Kubernetes cluster name. This is the value assigned to the environment variable CLUSTER_NAME.

    See k8sCluster.name.

    CLUSTER_LOCATION
    The region where the cluster is running. This is the region where you created the cluster in Step 1: Create a cluster.

    This is the value you assigned to the environment variable CLUSTER_LOCATION previously.

    If you are working with zonal clusters, you must specify the region in which your cluster was created. For example, if you created your cluster in the us-central1-a zone, specify us-central1 for the CLUSTER_LOCATION.

    See k8sCluster.location.

    ORG_NAME
    The ID of your Apigee hybrid organization. This is the value assigned to the environment variable ORG_NAME.

    See org.

    CONTROL_PLANE_LOCATION
    Required if you are using Data residency with your Apigee hybrid installation. This is the location where customer core content like proxy bundles is stored. For a list, see Available Apigee API control plane regions. It is the value assigned to the CONTROL_PLANE_LOCATION environment variable in Step 2: Create an organization.

    See contractProvider.

    ENVIRONMENT_NAME
    Use the same name that you used when you created an environment in the UI, as explained in Project and org setup - Step 3: Create an environment group.

    See envs[].name.

    ENVIRONMENT_GROUP_NAME
    The name of the environment group your environments are assigned to. This is the group you created in Project and org setup - Step 3: Create an environment group. This is the value assigned to the environment variable ENV_GROUP.

    Note: If you wish to place cluster instances in multiple regions, you must be careful about how you define your environments and virtual hosts. If you have one or more environments attached to an environment group, you must include that same environment group configuration in each cluster instance's overrides file.

    See virtualhosts[].name.

    INGRESS_NAME
    The name of the Apigee ingress gateway for your deployment. This can be any name that meets the following requirements:
    • Have a maximum length of 17 characters
    • Contain only lowercase alphanumeric characters, '-' or '.'
    • Start with an alphanumeric character
    • End with an alphanumeric character

    See:

    PATH_TO_CERT_FILE
    PATH_TO_KEY_FILE
    Enter the path and filename of the self-signed TLS key and certificate files that you generated previously in Step 6: Create TLS certificates. These files must be located in the APIGEE_HELM_CHARTS_HOME/apigee-virtualhosts/certs directory. For example:
    sslCertPath: certs/keystore.crt
    sslKeyPath: certs/keystore.key

    See:

    SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE
    (Optional). This is a key-value pair that provides annotations for your default ingress service. Your cloud platform uses annotations to help configure your hybrid installation, for example setting the load balancer type to either internal or external.

    Annotations vary from platform to platform. Refer to your platform documentation for required and suggested annotations.

    Note: You do not need to set svcAnnotations if you are creating your own Kubernetes service for ingress deployment as documented in Expose Apigee ingress gateway.

    Comment out or delete this section if you are not using it.

    See ingressGateways[].svcAnnotations.

    Example

    instanceID: "my_hybrid_example"
    namespace: "apigee"
    gcp:
      projectID: my-project
      region: us-central1
      workloadIdentity:
        enabled: false
      federatedWorkloadIdentity:
        enabled: true
        audience: "//iam.googleapis.com/projects/123123123123/locations/global/workloadIdentityPools/my-wi-pool/providers/my-wi-provider"
        credentialSourceFile: "/var/run/service-account/token"
    k8sCluster:
      name: hybrid-env
      region: us-central1
    org: my-project
    serviceAccountSecretProviderClass: apigee-orgsakeys-spc
    enhanceProxyLimits: true
    contractProvider: https://us-apigee.googleapis.com
    envs:
    - name: prod-env
      serviceAccountSecretProviderClass: apigee-envsakeys-prod-env-spc
    cassandra:
      hostNetwork: false
      replicaCount: 3
      storage:
        storageSize: 500Gi
      resources:
        requests:
          cpu: 7
          memory: 15Gi
      maxHeapSize: 8192M
      heapNewSize: 1200M
    ingressGateways:
    - name: my-ingress-1
      replicaCountMin: 2
      replicaCountMax: 10
    virtualhosts:
    - name: example-env-group
      selector:
        app: apigee-ingressgateway
        ingress_name: my-ingress-1
      sslCertPath: certs/keystore.pem
      sslKeyPath: certs/keystore.key
    logger:
      enabled: false
    # runtime is listed once because YAML mapping keys must be unique.
    runtime:
      # Monetization for Apigee hybrid
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1"
      # For message payloads larger than 10MB:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi


    Non-prod

    Template

    Values in red, bold italics are property values that you must provide. They are described in the table below.

    instanceID: UNIQUE_INSTANCE_IDENTIFIER
    namespace: APIGEE_NAMESPACE # Usually "apigee"

    gcp:
      projectID: PROJECT_ID
      region: ANALYTICS_REGION
      workloadIdentity:
        enabled: false # Must be set to false to use
          # Workload Identity Federation on other platforms.
      federatedWorkloadIdentity:
        enabled: true
        audience: "AUDIENCE"
        credentialSourceFile: "/var/run/service-account/token"

    k8sCluster:
      name: CLUSTER_NAME
      region: CLUSTER_LOCATION # Closest Google Cloud region to your cluster.
    org: ORG_NAME

    serviceAccountSecretProviderClass: apigee-orgsakeys-spc

    # Required for Enhanced per-environment proxy limits:
    enhanceProxyLimits: true

    # Required if using data residency with hybrid:
    contractProvider: https://CONTROL_PLANE_LOCATION-apigee.googleapis.com

    envs:
    - name: ENVIRONMENT_NAME
      serviceAccountSecretProviderClass: apigee-envsakeys-ENVIRONMENT_NAME-spc

    cassandra:
      hostNetwork: false
        # Set to false for single region installations and for multi-region
        # installations with connectivity between pods in different clusters,
        # like GKE.
        # Set to true for multi-region installations with no communication
        # between pods in different clusters, for example Google Distributed
        # Cloud on VMware or bare metal, GKE on AWS, AKS, EKS, and OpenShift.
        # See Multi-region deployment: Prerequisites
      replicaCount: 1
        # Use 1 for non-prod installations and multiples of 3 for production.
        # See Configure Cassandra for production for guidelines.

    ingressGateways:
    - name: INGRESS_NAME # maximum 17 characters.
      replicaCountMin: 2
      replicaCountMax: 10
      svcAnnotations:  # optional. If you are on AKS, see Known issue #260772383
        SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE

    virtualhosts:
    - name: ENVIRONMENT_GROUP_NAME
      selector:
        app: apigee-ingressgateway
        ingress_name: INGRESS_NAME
      sslCertPath: PATH_TO_CERT_FILE
      sslKeyPath: PATH_TO_KEY_FILE

    logger:
      enabled: false
        # apigee-logger does not support Workload Identity Federation.
        # See Known issue #341099433.
        # If you want to enable the apigee-logger component, add
        # a "logger" : "value" entry in the orgsakeys vault secret
        # using the contents of the apigee-non-prod key file for the
        # value. See Step 5: Set up service account authentication.

    # Both optional runtime settings share one runtime: block,
    # because YAML mapping keys must be unique.
    runtime:
      # Required if using Monetization for Apigee hybrid (v1.15.1 and later)
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1" # Must be 1.15.1 or higher.
      # If using message payloads larger than 10MB.
      # See configure large message payload support:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi

    The following table describes each of the property values that you must provide in the overrides file. For more information, see Configuration property reference.

    Variable    Description

    UNIQUE_INSTANCE_IDENTIFIER

    A unique string to identify this instance. This can be any combination of letters and numbers up to 63 characters.

    Note: You can create multiple organizations in the same cluster, but the instanceID must be the same for all orgs in the same Kubernetes cluster. For multi-region installations, each region requires its own cluster (individual clusters do not span regions).

    See instanceID.

    APIGEE_NAMESPACE

    The Kubernetes namespace for your Apigee hybrid components.

    The default value is apigee.

    See namespace.

    PROJECT_ID

    Identifies the Google Cloud project where the apigee-logger and the apigee-metrics push their data. This is the value assigned to the environment variable PROJECT_ID.

    See gcp.projectID.

    ANALYTICS_REGION

    In GKE, you must set this value to the same region where the cluster is running. In all other platforms, select the closest analytics region to your cluster that has Analytics support (see the table in Part 1, Step 2: Create an organization).

    This is the value you assigned to the environment variable ANALYTICS_REGION previously.

    See gcp.region.

    AUDIENCE

    The allowed audience of the Workload Identity Provider. You can find the value by searching any of the credential configuration files for the term audience:. The audience value is the same in each credential configuration file.

    For example, in the following sample apigee-udca-credential-configuration.json file:

    {
      "universe_domain": "googleapis.com",
      "type": "external_account",
      "audience": "AUDIENCE",
      "subject_token_type": "TOKEN_TYPE",
      "token_url": "TOKEN_URL",
      "service_account_impersonation_url": "IMPERSONATION_URL",
      "credential_source": {
        "file": "FILE_PATH",
        "format": {
          "type": "text"
        }
      }
    }

    The audience value will look something like the following (without line breaks):

    "//iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/POOL_ID/providers/WORKLOAD_PROVIDER_ID"

    Tip: You can delete the credential configuration files after you copy the audience value.

    See gcp.federatedWorkloadIdentity.audience.

    CLUSTER_NAME

    Your Kubernetes cluster name. This is the value assigned to the environment variable CLUSTER_NAME.

    See k8sCluster.name.

    CLUSTER_LOCATION

    The region where the cluster is running. This is the region where you created the cluster in Step 1: Create a cluster.

    This is the value you assigned to the environment variable CLUSTER_LOCATION previously.

    If you are working with zonal clusters, you must specify the region in which your cluster was created. For example, if you created your cluster in the us-central1-a zone, specify us-central1 for the CLUSTER_LOCATION.

    See k8sCluster.location.

    ORG_NAME

    The ID of your Apigee hybrid organization. This is the value assigned to the environment variable ORG_NAME.

    See org.

    CONTROL_PLANE_LOCATION

    Required if you are using Data residency with your Apigee hybrid installation. This is the location where customer core content like proxy bundles is stored. For a list, see Available Apigee API control plane regions. It is the value assigned to the CONTROL_PLANE_LOCATION environment variable in Step 2: Create an organization.

    See contractProvider.

    ENVIRONMENT_NAME

    Use the same name that you used when you created an environment in the UI, as explained in Project and org setup - Step 3: Create an environment group.

    See envs[].name.

    ENVIRONMENT_GROUP_NAME

    The name of the environment group your environments are assigned to. This is the group you created in Project and org setup - Step 3: Create an environment group. This is the value assigned to the environment variable ENV_GROUP.

    Note: If you wish to place cluster instances in multiple regions, you must be careful about how you define your environments and virtual hosts. If you have one or more environments attached to an environment group, you must include that same environment group configuration in each cluster instance's overrides file.

    See virtualhosts[].name.

    INGRESS_NAME

    The name of the Apigee ingress gateway for your deployment. This can be any name that meets the following requirements:
    • Have a maximum length of 17 characters
    • Contain only lowercase alphanumeric characters, '-' or '.'
    • Start with an alphanumeric character
    • End with an alphanumeric character

    See:

    PATH_TO_CERT_FILE
    PATH_TO_KEY_FILE

    Enter the path and filename of the self-signed TLS key and certificate files that you generated previously in Step 6: Create TLS certificates. These files must be located in the APIGEE_HELM_CHARTS_HOME/apigee-virtualhosts/certs directory. For example:

    sslCertPath: certs/keystore.crt
    sslKeyPath: certs/keystore.key

    See:

    SVC_ANNOTATIONS_KEY: SVC_ANNOTATIONS_VALUE

    (Optional) This is a key-value pair that provides annotations for your default ingress service. Your cloud platform uses annotations to help configure your hybrid installation, for example setting the load balancer type to either internal or external.

    Annotations vary from platform to platform. Refer to your platform documentation for required and suggested annotations.

    Note: You do not need to set svcAnnotations if you are creating your own Kubernetes service for ingress deployment as documented in Expose Apigee ingress gateway.

    Comment out or delete this section if you are not using it.

    See ingressGateways[].svcAnnotations.

    Example

    instanceID: "my_hybrid_example"
    namespace: "apigee"

    gcp:
      projectID: my-project
      region: us-central1
      workloadIdentity:
        enabled: false
      federatedWorkloadIdentity:
        enabled: true
        audience: "//iam.googleapis.com/projects/123123123123/locations/global/workloadIdentityPools/my-wi-pool/providers/my-wi-provider"
        credentialSourceFile: "/var/run/service-account/token"

    k8sCluster:
      name: hybrid-env
      region: us-central1
    org: my-project

    serviceAccountSecretProviderClass: apigee-orgsakeys-spc

    enhanceProxyLimits: true

    contractProvider: https://us-apigee.googleapis.com

    envs:
    - name: test
      serviceAccountSecretProviderClass: apigee-envsakeys-test-env-spc

    cassandra:
      hostNetwork: false
      replicaCount: 1

    ingressGateways:
    - name: my-ingress-1
      replicaCountMin: 2
      replicaCountMax: 10

    virtualhosts:
    - name: example-env-group
      selector:
        app: apigee-ingressgateway
        ingress_name: my-ingress-1
      sslCertPath: certs/keystore.pem
      sslKeyPath: certs/keystore.key

    logger:
      enabled: false

    # Both optional runtime settings share one runtime: block,
    # because YAML mapping keys must be unique.
    runtime:
      # Monetization for Apigee hybrid
      image:
        url: "gcr.io/apigee-release/hybrid/apigee-runtime"
        tag: "1.15.1"
      # for message payloads larger than 10MB:
      cwcAppend:
        bin_setenv_max_mem: 4096m   # Increase max heap size to 4 gigs
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 6Gi
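The constraints this page places on the Workload Identity Federation overrides can be checked before running the install. The following is an added example, not part of the Apigee documentation or tooling: `lint_overrides` is a hypothetical helper that takes the dict a YAML parser would return for overrides.yaml. It assumes the audience always has the shape of the sample value shown on this page and that certificate paths are written relative to the chart directory, as in the page's `certs/keystore.crt` example.

```python
import re

# Rules below are taken from the property descriptions on this page.
INGRESS_RE = re.compile(r"^[a-z0-9]([a-z0-9.-]{0,15}[a-z0-9])?$")  # at most 17 chars
# Assumption: every audience has the shape of the page's sample value.
AUDIENCE_RE = re.compile(
    r"^//iam\.googleapis\.com/projects/\d+/locations/global/"
    r"workloadIdentityPools/[^/]+/providers/[^/]+$")
ZONE_RE = re.compile(r"-[a-z]$")  # us-central1-a is a zone, us-central1 a region

# Constructed sample: the relevant values from the page's Example overrides.
EXAMPLE = {
    "instanceID": "my_hybrid_example",
    "gcp": {"workloadIdentity": {"enabled": False},
            "federatedWorkloadIdentity": {"enabled": True, "audience":
                "//iam.googleapis.com/projects/123123123123/locations/global/"
                "workloadIdentityPools/my-wi-pool/providers/my-wi-provider"}},
    "k8sCluster": {"name": "hybrid-env", "region": "us-central1"},
    "ingressGateways": [{"name": "my-ingress-1"}],
    "virtualhosts": [{"name": "example-env-group",
                      "selector": {"ingress_name": "my-ingress-1"},
                      "sslCertPath": "certs/keystore.pem",
                      "sslKeyPath": "certs/keystore.key"}],
    "logger": {"enabled": False},
}


def lint_overrides(v):
    """Return a list of findings for a parsed overrides.yaml (a dict)."""
    out = []
    if not v.get("instanceID") or len(str(v["instanceID"])) > 63:
        out.append("instanceID: required, at most 63 characters")
    gcp = v.get("gcp", {})
    fwi = gcp.get("federatedWorkloadIdentity", {})
    if fwi.get("enabled"):
        if gcp.get("workloadIdentity", {}).get("enabled"):
            out.append("gcp.workloadIdentity.enabled: must be false with federation")
        if not AUDIENCE_RE.match(fwi.get("audience", "")):
            out.append("gcp.federatedWorkloadIdentity.audience: unexpected format")
        if v.get("logger", {}).get("enabled"):
            out.append("logger.enabled: apigee-logger does not support federation")
    if ZONE_RE.search(v.get("k8sCluster", {}).get("region", "")):
        out.append("k8sCluster.region: looks like a zone; specify the region")
    names = set()
    for gw in v.get("ingressGateways", []):
        names.add(gw.get("name"))
        if not INGRESS_RE.match(gw.get("name", "")):
            out.append(f"ingressGateways name {gw.get('name')!r}: violates naming rules")
    for vh in v.get("virtualhosts", []):
        if vh.get("selector", {}).get("ingress_name") not in names:
            out.append(f"virtualhosts[{vh.get('name')}]: ingress_name matches no gateway")
        for key in ("sslCertPath", "sslKeyPath"):
            if not str(vh.get(key, "")).startswith("certs/"):
                out.append(f"virtualhosts[{vh.get('name')}].{key}: must be under certs/")
    return out
```

An empty list means none of these checks fired; it does not replace the validation that Helm and the Apigee charts perform.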


    Note: If you want to create a security perimeter around your cluster and related Cloud services, you can configure one using Google Cloud Virtual Private Cloud (VPC) Service Controls with Apigee hybrid. See Using VPC Service Controls with Apigee and Apigee hybrid for instructions.

    Summary

    The configuration file tells Kubernetes how to deploy the hybrid components to a cluster. Next, you will enable synchronizer access so the Apigee runtime and management planes will be able to communicate.

    Next step

    (NEXT) Step 8: Enable Control Plane access

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-18 UTC.