This pageapplies toApigee andApigee hybrid.

View Apigee Edge documentation.

This example demonstrates how to use Apigee Adapter for Envoy by installing and running Envoy locally, not inside aKubernetes cluster. You can follow the example in this document for both Apigee and Apigee hybrid installations.

API proxy calls go through Envoy running as a native application. Apigee provides API management services, such as API product and developer app creation. Envoy communicates with the Apigee management plane through the adapter's remote service. The adapter also pushes analytics data to Apigee where you can see it inApigee Analytics.

Prerequisites

Check your gcloud configuration

1. Check that yourgcloud configuration is set to the Google Cloud project associated with your Apigee organization.

   To list the current settings. See alsogcloud config.

   gcloud config list

   If necessary, set the correct Google Cloud project ID with this command:

   gcloud config set projectproject-id

2. You must be authenticated with Google Cloud SDK (gcloud) for your Google Cloud project. See alsogcloud auth login.

   gcloud auth login

Provision Apigee

In this step, you will use the Remote Service CLI to provision Apigee Adapter for Envoy assets to Apigee. The provisioning command deploys API proxies used for Apigee adapter operations, sets up a certificate on Apigee, and generates credentials the remote service will use to securely connect from your system to Apigee.

1. Go to the$CLI_HOME directory:

   cd $CLI_HOME

2. (Optional) By default, the adapter looks for default service account credentials in your Google Cloud project for permission to send analytics data to Apigee. If you don't want to use thedefault service account credentials, you can create a service account and reference its key in the provisioning command. The service account must have theapigee.analyticsAgent role. For instructions, seeCreating and managing service accounts.
3. Create the following environment variables. These variables will be used as parameters to the provisioning script:

   exportORG=organization_nameexportENV=environment_nameexportRUNTIME=host_alias_urlexportNAMESPACE=hybrid_runtime_namespace## Apigee hybrid onlyexportAX_SERVICE_ACCOUNT=analytics_service_account## Optional

   Where:

   Variable	Description
   organization_name	The name of your Apigee organization.
   environment_name	The name of an environment in your organization.
   host_alias_url	For Apigee hybrid, a URL that includes thehostAlias for a virtual host defined in your hybrid configuration. For Apigee, a hostname from the environment group that includes the environment. You can find environment groups in the Apigee UI underAdmin > Environments > Groups. Note: The URL must start withhttps://. For example:https://apitest.mydomain.net
   hybrid_runtime_namepace	(Apigee hybrid only) The namespace in which the Hybrid runtimecomponents are deployed. Note: The default namespace for a hybrid deployment isapigee.
   analytics_service_account	(Optional) The path to a Google Cloud service account key JSON file that has theApigee Analytics Agent role. For a detailed description of this parameter, seeProvision command.

4. If you are not an owner of the Google Cloud project associated with the Apigee organization, be sure that your Google Cloud user account includes either theApigee Organization Admin role, or both theAPI Creator and theDeployer roles. SeeGranting, changing, and revoking access to resources.
5. Get an access token:

   TOKEN=$(gcloud auth print-access-token);echo $TOKEN

6. Provision the remote service proxy to Apigee. The command output is redirected to a config file that you will use in a later step.IF YOU ARE UPGRADING:If you are upgradingan existing Apigee Adapter for Envoy, you must add the
   --force-proxy-install flag to theprovision command. This flag forces the Apigee proxy to be replaced with the latest proxy.

   If you arenot upgrading, use this command to provision Apigee. If you are provisioning to Apigee hybrid, be sure to add the--namespace $NAMESPACE parameter:

   ./apigee-remote-service-cli provision --organization $ORG --environment $ENV \     --runtime $RUNTIME --analytics-sa $AX_SERVICE_ACCOUNT --token $TOKEN > config.yaml

   If you are upgrading, use this command with the--force-proxy-install flag to provision Apigee. If you are provisioning to Apigee hybrid, be sure to add the--namespace $NAMESPACE parameter:

   ./apigee-remote-service-cli provision --force-proxy-install --organization $ORG --environment $ENV \     --runtime $RUNTIME --analytics-sa $AX_SERVICE_ACCOUNT --token $TOKEN > config.yaml

7. Check the contents of theconfig.yaml file. It should look something like this:

   #Configurationforapigee-remote-service-envoy(platform:GoogleCloud)#generatedbyapigee-remote-service-cliprovisionon2020-11-2002:49:28apiVersion:v1kind:ConfigMapmetadata:name:apigee-remote-service-envoynamespace:apigeedata:config.yaml:|tenant:remote_service_api:https://apitest.mydomain.com/remote-serviceorg_name:my-orgenv_name:testanalytics:collection_interval:10sauth:jwt_provider_key:https://apitest.mydomain.com/remote-service/token---apiVersion:v1kind:Secretmetadata:name:my-org-new-test-policy-secretnamespace:apigeetype:Opaquedata:remote-service.crt:eyJrZXlzIjpbeyJrdHkiOiJSU0EiLCJhbGci...remote-service.key:LS0tLS1CRUdJTiBSU0EgUFJJVkFURS...remote-service.properties:a2lkPTIwMjAtMDctMDZ...---apiVersion:v1kind:Secretmetadata:name:my-org-new-test-analytics-secretnamespace:apigeetype:Opaquedata:client_secret.json:ewogICJ0eXBlIjogInNlcnZ...---apiVersion:v1kind:ServiceAccountmetadata:name:apigee-remote-service-envoynamespace:apigee

8. If you are using Apigee hybrid, apply the service configuration (the file output by the provisioning command) to the cluster where Apigee hybrid was installed inStep 1: Create a cluster.

Runapigee-remote-service-envoy

You can run the Remote Service either as a native binary or on Docker.

Run the service natively

Execute the service binary with the config file that was output by the provisioning command:

$REMOTE_SERVICE_HOME/apigee-remote-service-envoy -cconfig_file_path/config.yaml

Run the service on Docker

Docker images are published with release tags. For this install, use the latest version. There are three image variations to choose from:

For example, to run the scratch image with your localconfig.yaml available as/config.yaml via a volume mount, use this command:

docker run -v ./config.yaml:/config.yaml google/apigee-envoy-adapter:v2.0.3

For more information, seeSamples command.

Install and run the Envoy proxy

Follow these steps to install and run the Envoy proxy:

1. Download an Envoybinary orbuild it.
2. Run Envoy using a sample configuration file that you generated previously for thehttpbin.org service:

   envoy -c ./samples/envoy-config.yaml

Test the installation

1. Configure an API product and get an API key as explained inHow to obtain an API key.
2. Call thehttpbin service without an API key:

   curl -i http://localhost:8080/headers -H "HOST:httpbin.org"

   Note:You must include theHOST header and set it to the remote service host that was set in the API product.

   The service is now being managed by Apigee, and because you did not supply an API key, the call returns the following error.

   curl -i http://localhost:8080/headers -H "HOST:httpbin.org"HTTP/1.1 403 Forbiddendate: Tue, 12 May 2020 17:51:36 GMTserver: envoycontent-length: 0x-envoy-upstream-service-time: 11

3. Make an API call using the key:

   export APIKEY=YOUR_API_KEYcurl -i http://localhost:8080/headers -H "HOST:httpbin.org" -H "x-api-key: $APIKEY"

   The call should succeed with a 200 status and return a list of headers in the response. For example:

   curl -i httpbin.default.svc.cluster.local/headers -H "x-api-key: kyOTalNNLMPfOSy6rnVeclmVSL6pA2zS"HTTP/1.1 200 OKserver: envoydate: Tue, 12 May 2020 17:55:34 GMTcontent-type: application/jsoncontent-length: 828access-control-allow-origin: *access-control-allow-credentials: truex-envoy-upstream-service-time: 301{  "headers": {    "Accept": "*/*",    "Content-Length": "0",    "Host": "httpbin.default.svc.cluster.local",    "User-Agent": "curl/7.70.0-DEV",    "X-Api-Key": "kyOTalNNLMPfOSy6rneclmVSL6pA2zS",    "X-Apigee-Accesstoken": "",    "X-Apigee-Api": "httpbin.default.svc.cluster.local",    "X-Apigee-Apiproducts": "httpbin",    "X-Apigee-Application": "httpbin",    "X-Apigee-Authorized": "true",    "X-Apigee-Clientid": "kyOTalNNLMPfOSy6rVeclmVSL6pA2zS",    "X-Apigee-Developeremail": "user@mydomain.com",    "X-Apigee-Environment": "test",    "X-Apigee-Organization": "my-org",    "X-Apigee-Scope": "",    "X-B3-Parentspanid": "1476f9a2329bbdfa",    "X-B3-Sampled": "0",    "X-B3-Spanid": "1ad5c19bfb4bc96f",    "X-B3-Traceid": "6f329a34e8ca07811476f9a2329bbdfa"  }}

Uninstall Apigee Envoy adapter

To remove an Apigee Envoy adapter installation:

1. Wherever you chose to have envoy adapter run (natively or on Docker), remove it.
2. Delete theremote-service andremote-token proxies from your Apigee environment(s). SeeDeleting an API proxy.
3. Remove any unused API products oroperations used by the Envoy adapter use cases. SeeDeleting an API product.

Next steps

API traffic to thehttpbin service is now managed by Apigee. Here are some features you can explore and try:

• Access Apigee Analytics in the Edge UI. Go toAnalyze > API Metrics > API Proxy Performance.
• Explore the CLI options in theReference.