You are currently viewing version 1.5 of the Apigee hybrid documentation.This version is end of life. You should upgrade to a newer version. For more information, seeSupported versions.

This topic is intended as an example only. It explains how to obtain a TLS certificate from the certificate authority (CA)Let's Encrypt. These steps are provided primarily as an example to follow if you do not have another ready way to obtain a certificate/key pair that is authorized by a CA. The example shows how to generate certificates using theLet's Encrypt CA, theCertbot client, and Google Cloud PlatformCloud DNS.

Note:See also this Apigee Community article on using Let's Encryptwith Apigee hybrid.

Where you can use these certificates

You must provide TLS certificates for two Istio ingress gateways that are exposed outside the cluster:

Gateway	TLS requirement
Runtime ingress gateway	You can use a self-signed certificate/key pair or authorized TLS certificates.Note: In a production environment, you will need to use signed certificates. You can use either a certificate/key pair or a Kubernetes secret.
MART ingress gateway(optional when not using Apigee Connect)	Requires an authorized TLS certificate/key pair or Kubernetes secret.

See alsoExternal connections.

Requirements

You will need a domain name obtained through a domain name registrar. You can register a domain name through Google Domains or another domain registrar of your choice.

Configure Cloud DNS

To obtain authorized TLS certificates, you must have a qualified domain name. The followingsteps explain how to useGoogle Cloud DNS toobtain a domain name and manage your domain servers.

1. Open theGoogle Cloud console and log in with the account you created inStep 1: Create a Google Cloud account.
2. Select the project that you created inStep 2: Create a Google Cloud project.
3. If you have not already done so, enable theCloud DNS API. SeeEnabling APIs.
4. Create a static IP address:
   • If you are on GKE, follow the instructions in Reserving a static external IP address to create a static IP addresses that external processes can use to communicate with the hybrid runtime ingress. You can give the address any name you wish, for example:apigee-hybrid-runtime. When you finish, you will use the IP number in the cluster configuration in the next step. For example:34.66.75.196
   • If you are on Anthos GKE, follow instructions in the Anthos GKE documentation to create a static IP address.
5. Get the External IP you just reserved.
6. Create record set for the runtime Istio ingress endpoint. This is the address for making API calls to the hybrid gateway. Enter the External IP you obtained in the previous step and add a prefix to the domain name, such asexample-endpoint. For instructions, seeCreate a new record.
   1. Create a managed public zone. For instructions, see Create a managed public zone.
   2. Create a new record set with:
      • DNS Name: The name of the endpoint external API calls will communicate with, like api-services orexample-endpoint
      • Resource Record Type:A
      • TTL andTTL Unit: Accept defaults
      • IP Adddress: The static IP you created.
7. TheZone details view will list foour DNS servers as the NS data for your new zone. Copy the DNS record data, as shown in the following example:

   

8. Return to your domain page at your registrar (for example,Google Domains).
9. Select your domain.
10. SelectDNS.
11. In the Name Servers section, clickEdit.

12. Enter the domain name servers that you copied from the Network Services Cloud DNS page. For example:

    

Now, your Google Cloud DNS will manage the DNS records for your domain.

Install Certbot on a VM

Now that you have Cloud DNS set up to manage your domain servers, you will install the Certbot client with thedns_google plugin on a Cloud VM. The client enables you to get authorized certificates for your domain from a Let's Encrypt endpoint.

1. Open theGoogle Cloud console and log in with the account you created inStep 1: Create a Google Cloud account.
2. Select the project that you created inStep 2: Create a Google Cloud project.
3. SelectIAM & admin > Service accounts.

   TheService accounts view displays a list of the project's service accounts.

4. To create a new service account, click+Create Service Account at the top of the view.

   TheService account details view displays.

5. In theService account name field, enter the name of the service account.

   

   You can optionally add a description in theService account description field. Descriptions are helpful at reminding you what a particular service account is used for.

6. ClickCreate.

   Google Cloud creates a new service account and displays theService account permissions view. Use this view to assign a role to your new service account.

7. Click theSelect a role drop-down list.
8. Select theProject Owner role.
9. ClickContinue.
10. ClickDone.
11. In the Google Cloud console, selectCompute Engine > VM Instances.
12. Create a VM instance namedcertmanager.
13. Under the Boot Disk section, choose CentOS7 and 20 GB for the SSD persistent drive.
14. Set the Service Account to the one you created above.
15. Install Certbot and thedns_google plugin on the machine and run the Certbot client:

    sudo su -yum -y install yum-utilsyum install certbot -yyum install certbot-dns-google -ycertbot certonly --dns-google -d*.your_domain_name,*.your_domain_name --server https://acme-v02.api.letsencrypt.org/directory

    For example:

    sudo su -yum -y install yum-utilsyum install certbot -yyum install certbot-dns-google -ycertbot certonly --dns-google -d*.apigee-hybrid-docs.net,*.apigee-hybrid-docs.net --server https://acme-v02.api.letsencrypt.org/directory

16. You can now find your authorized certificate and private key files in this directory:cd /etc/letsencrypt/live/your_domain_name/

    For example:

    cd /etc/letsencrypt/live/apigee-hybrid-docs.netls  cert.pem  chain.pem  fullchain.pem  privkey.pem  README

17. Copy the filesfullchain.pem andprivkey.pem to your local machine.
18. Optional: Create a Kubernetes secret with the certificate/key pair. See the instructions inOption 2: Kubernetes Secret inConfiguring TLS and mTLS on the Istio ingress.
19. Update your overrides file to point to the certificate and private key.

    For example:

    ...envs:  - name: test    serviceAccountPaths:      synchronizer: "your_keypath/synchronizer-manager-service-account.json      udca: "your_keypath/analytic-agent-service-account.jsonvirtualhosts:  - name: my-env-group    sslCertPath: "$HOME/hybrid/apigee-hybrid-setup/tls/fullchain.pem"    sslKeyPath: "$HOME/hybrid/apigee-hybrid-setup/tls/privkey.pem"mart: # Assuming you are not using Apigee Connect  nodeSelector:    key: cloud.google.com/gke-nodepool    value: apigee-runtime  sslCertPath: "$HOME/hybrid/apigee-hybrid-setup/tls/fullchain.pem"  sslKeyPath: "$HOME/hybrid/apigee-hybrid-setup/tls/privkey.pem"  replicaCountMin: 1  replicaCountMax: 1

    Or if using Kubernetes secrets:

    ...envs:  - name: test    serviceAccountPaths:      synchronizer: "your_keypath/synchronizer-manager-service-account.json      udca: "your_keypath/analytic-agent-service-account.jsonvirtualhosts:  - name: my-env-group    tlsMode: SIMPLE  # Note: SIMPLE is the default, MUTUAL is also an available value.    sslSecret: myorg-test-policy-secret"mart: # Assuming you are not using Apigee Connect  nodeSelector:    key: cloud.google.com/gke-nodepool    value: apigee-runtime    sslSecret: myorg-test-policy-secret"  replicaCountMin: 1  replicaCountMax: 1...

20. Apply the changes:

    If you changed themart configuration, apply the changes:

    apigeectl apply -fyour_overrides_file --all-envs

    If you changed theenvs configuration, apply the changes:

    apigeectl apply -fyour_overrides_file --all-envs

Test the configuration

Deploy and test a proxy, as explained inCreate and deploy a new API proxy.