Step 4: Install hybrid on GKE on-prem

You are currently viewing version 1.1 of the Apigee hybrid documentation. This version is end of life. You should upgrade to a newer version. For more information, see Supported versions.

Apply the configuration to the cluster

To install Apigee hybrid into your cluster:

  1. Be sure that you are in the hybrid-base-directory/hybrid-files directory.
  2. Execute the init command:
    $APIGEECTL_HOME/apigeectl init -f overrides/overrides.yaml

    The init command installs the Apigee deployment services Apigee Deployment Controller and Apigee Admission Webhook, and it deploys non-Apigee components Istio and Cert Manager.

  3. To check the status of the deployment, you can use these commands:
    $APIGEECTL_HOME/apigeectl check-ready -f overrides/overrides.yaml

    and

    kubectl get pods -n apigee-system

    and

    kubectl get pods -n istio-system

    When the pods are ready, go to the next step.

  4. Do a "dry run" install. Execute the apply command with the --dry-run=true flag. Doing a dry run lets you check for any errors before any changes are made to the cluster.
    $APIGEECTL_HOME/apigeectl apply -f overrides/overrides.yaml --dry-run=true
  5. If there are no errors, you can apply the Apigee-specific runtime components to the cluster:
    $APIGEECTL_HOME/apigeectl apply -f overrides/overrides.yaml
  6. To check the status of the deployment:
    $APIGEECTL_HOME/apigeectl check-ready -f overrides/overrides.yaml

    Repeat this step until the pods are all ready. The pods may take several minutes to start up.

Add a static hostname for Cassandra in /etc/hosts

In this step, you will get the IP and hostname of the worker node(s) assigned to Cassandra, and add them to your /etc/hosts file. When using the host network, the pod uses the node hostname and IP. The node hostname is not in DNS; therefore, you must add a static hostname entry in /etc/hosts for each Cassandra worker node.

  1. Execute this command to get the Cassandra worker nodes. The parameter apigee-data is the default node label to which Cassandra is assigned. If you used a different node label, substitute the one you used. See How to label the worker nodes.
    kubectl get nodes -l apigee.com/apigee-nodepool=apigee-data -o wide

    Example output:

    kubectl get nodes -o wide my-cluster1-844788cc8c-2gx7d
    NAME                           STATUS   ROLES    AGE   VERSION          INTERNAL-IP    EXTERNAL-IP    OS-IMAGE             KERNEL-VERSION      CONTAINER-RUNTIME
    my-cluster1-844788cc8c-2gx7d   Ready    none     19d   v1.14.7-gke.24   21.0.129.248   21.0.129.248   Ubuntu 18.04.3 LTS   4.15.0-62-generic   docker://17.3.2
  2. Add the node name(s) and external IP(s) returned by the previous command for each Cassandra worker node to your /etc/hosts file:
    cat /etc/hosts
    127.0.0.1 localhost
    21.0.129.248   my-cluster1-844788cc8c-2gx7d
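
The two steps above can be scripted so that only well-formed, not-yet-present entries reach /etc/hosts. This is an added example, not part of the Apigee documentation; the function names and the second sample row are constructed for illustration.

```shell
# Constructed sample of `kubectl get nodes ... -o wide` output. The first node
# row is the page's example; the second row is made up to show a node that
# has no external IP.
sample_nodes() {
cat <<'EOF'
NAME                           STATUS   ROLES    AGE   VERSION          INTERNAL-IP    EXTERNAL-IP    OS-IMAGE             KERNEL-VERSION      CONTAINER-RUNTIME
my-cluster1-844788cc8c-2gx7d   Ready    none     19d   v1.14.7-gke.24   21.0.129.248   21.0.129.248   Ubuntu 18.04.3 LTS   4.15.0-62-generic   docker://17.3.2
my-cluster1-844788cc8c-x0000   Ready    none     19d   v1.14.7-gke.24   10.0.0.5       <none>         Ubuntu 18.04.3 LTS   4.15.0-62-generic   docker://17.3.2
EOF
}

# Read `kubectl get nodes -o wide` output on stdin and print "IP<TAB>NAME"
# for every node that has a dotted-quad external IP and whose name is not
# already listed in the hosts file given as $1.
cassandra_hosts_entries() {
  hosts_file=$1
  awk -v hosts="$hosts_file" '
    BEGIN {
      # Collect every hostname already present, ignoring comments.
      while ((getline line < hosts) > 0) {
        sub(/#.*/, "", line)
        n = split(line, f, /[ \t]+/)
        for (i = 2; i <= n; i++) if (f[i] != "") known[f[i]] = 1
      }
    }
    # Locate the EXTERNAL-IP column from the header instead of hard-coding it.
    NR == 1 { for (i = 1; i <= NF; i++) if ($i == "EXTERNAL-IP") col = i; next }
    # Rows with "<none>" or anything that is not an IPv4 address are skipped,
    # so malformed input never reaches the hosts file.
    col && $col ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !($1 in known) {
      printf "%s\t%s\n", $col, $1
    }
  '
}

# Typical use (review the output before appending it):
#   kubectl get nodes -l apigee.com/apigee-nodepool=apigee-data -o wide \
#     | cassandra_hosts_entries /etc/hosts | sudo tee -a /etc/hosts
```

Running it a second time prints nothing, because the node name is then already in the hosts file.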

Enable synchronizer access

  1. Create a GCP service account and add the Apigee Organization Admin role to it. This service account will be used to authenticate an API call that you will make in a later step. An easy way to create the service account is through the GCP console. For instructions, see Creating and managing service accounts in the GCP documentation.
  2. Download the service account key to your system. Follow the instructions in Creating service account keys in the GCP documentation.
  3. Move the downloaded service account key into your service accounts directory: /hybrid-base-directory/hybrid-files/service-accounts.
  4. Execute these two commands to get a token:
    export GOOGLE_APPLICATION_CREDENTIALS=org-admin-service-account-file
    export TOKEN=$(gcloud auth application-default print-access-token)

    Where org-admin-service-account-file is the path on your system to the service account key you downloaded with the Apigee Organization Admin role.

  5. Call the setSyncAuthorization API to enable the required permissions for Synchronizer:
    curl -X POST -H "Authorization: Bearer $TOKEN" \
      -H "Content-Type:application/json" \
      "https://apigee.googleapis.com/v1/organizations/your_org_name:setSyncAuthorization" \
      -d '{"identities":["serviceAccount:synchronizer-manager-service-account-email"]}'

    Where:

    • your_org_name: The name of your hybrid organization.
    • synchronizer-manager-service-account-email: The name of a service account with the Apigee Synchronizer Manager role. The name is formed like an email address. For example: apigee-synchronizer@my-project.iam.gserviceaccount.com

    Example:

    curl -X POST -H "Authorization: Bearer $TOKEN" \
      -H "Content-Type:application/json" \
      "https://apigee.googleapis.com/v1/organizations/my_org:setSyncAuthorization" \
      -d '{"identities":["serviceAccount:apigee-synchronizer@my-project.iam.gserviceaccount.com"]}'
  6. To verify that the service account was set, call the following API to get a list of service accounts:
    curl -X POST -H "Authorization: Bearer $TOKEN" \
      -H "Content-Type:application/json" \
      "https://apigee.googleapis.com/v1/organizations/your_org_name:getSyncAuthorization" \
      -d ''

    The output looks similar to the following:

    {
      "identities":[
        "serviceAccount:my-synchronizer-manager-service_account@my_project_id.iam.gserviceaccount.com"
      ],
      "etag":"BwWJgyS8I4w="
    }
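
The verification in step 6 can be automated by comparing the returned identities against the service account you intended to authorize, using an exact match rather than a substring search. This is an added example, not part of the Apigee documentation; the function names are hypothetical and the sample response is constructed from the output shown above.

```shell
# Constructed response, shaped like the getSyncAuthorization output above.
sample_sync_response() {
cat <<'EOF'
{
  "identities":[
    "serviceAccount:my-synchronizer-manager-service_account@my_project_id.iam.gserviceaccount.com"
  ],
  "etag":"BwWJgyS8I4w="
}
EOF
}

# Print one identity per line from a getSyncAuthorization response on stdin.
# Only the "identities" array is inspected; other fields such as "etag" are
# ignored.
sync_identities() {
  tr -d '\n' \
    | grep -o '"identities"[^]]*' \
    | grep -o '"[a-zA-Z][a-zA-Z]*:[^"]*"' \
    | tr -d '"'
}

# Return 0 only if serviceAccount:$1 is listed exactly. Every other identity
# that holds Synchronizer access is printed so it can be reviewed.
check_sync_authorization() {
  want="serviceAccount:$1"
  ids=$(sync_identities)
  printf '%s\n' "$ids" | grep -Fxv -- "$want" \
    | sed '/^$/d; s/^/also authorized: /'
  printf '%s\n' "$ids" | grep -Fxq -- "$want"
}

# Typical use, piping in the response of the curl call from step 6:
#   curl -s -X POST -H "Authorization: Bearer $TOKEN" ... -d '' \
#     | check_sync_authorization apigee-synchronizer@my-project.iam.gserviceaccount.com
```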

Add the MART IP to your org

You must add the IP address of the MART endpoint to your Apigee organization. You set this value previously when you set the value of the mart.hostAlias property in your overrides file. The management plane needs this address so that it can communicate with the runtime plane over MART.

Follow these steps to add the MART IP to your organization:

NOTE: Perform this step only after you have successfully deployed hybrid into your cluster, as explained in Deploy hybrid to your cluster.
  1. Get the value you set previously in your overrides file for the mart.hostAlias property. For MART to function, the host alias must be a fully qualified domain name.
  2. Locate the service account key with the Apigee Organization Admin role that you downloaded previously, in the section Enable synchronizer access.
  3. Execute these two commands to get a token:
    export GOOGLE_APPLICATION_CREDENTIALS=org-admin-service-account-file
    export TOKEN=$(gcloud auth application-default print-access-token)

    Where org-admin-service-account-file is the path on your system to the service account key you downloaded with the Apigee Organization Admin role.

  4. Call the following management API to update your organization with the MART endpoint:
    curl -v -X PUT \
      https://apigee.googleapis.com/v1/organizations/your_org_name \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer $TOKEN" \
      -d '{
      "name" : "your_org_name",
      "properties" : {
        "property" : [ {
          "name" : "features.hybrid.enabled",
          "value" : "true"
        }, {
          "name" : "features.mart.server.endpoint",
          "value" : "https://HOST_ALIAS_DNS"
        } ]
      }
    }'

    Here is an example. Be sure to add the prefix "https://" to the domain name.

    curl -v -X PUT \
      https://apigee.googleapis.com/v1/organizations/my_organization \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer $TOKEN" \
      -d '{
      "name" : "my_organization",
      "properties" : {
        "property" : [ {
          "name" : "features.hybrid.enabled",
          "value" : "true"
        }, {
          "name" : "features.mart.server.endpoint",
          "value" : "https://foo-mart.example.com"
        } ]
      }
    }'
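
The two requirements stated in this section, a fully qualified host alias and the "https://" prefix, can be enforced before the request is sent. This is an added example, not part of the Apigee documentation; mart_org_body is a hypothetical helper, and the character set accepted for the organization name is a conservative assumption, not Apigee's naming rule.

```shell
# Print the JSON body for the PUT call above, or return 1 without printing a
# body when the organization name or host alias is not acceptable.
mart_org_body() {
  org=$1
  host=$2

  # Assumption: a conservative character set, so the value cannot change the
  # structure of the JSON document it is interpolated into.
  printf '%s\n' "$org" | grep -Eq '^[A-Za-z0-9_-]+$' || {
    echo "unexpected characters in organization name: $org" >&2; return 1; }

  # The alias must be a bare domain name; the https:// prefix is added below.
  case $host in
    *://*) echo "pass the host alias without a scheme: $host" >&2; return 1 ;;
  esac

  # FQDN check: two or more dot-separated labels, no label starting or ending
  # with a hyphen, last label starting with a letter (rejects IP literals).
  printf '%s\n' "$host" | grep -Eq \
    '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$' || {
    echo "host alias is not a fully qualified domain name: $host" >&2; return 1; }

  printf '{"name":"%s","properties":{"property":[' "$org"
  printf '{"name":"features.hybrid.enabled","value":"true"},'
  printf '{"name":"features.mart.server.endpoint","value":"https://%s"}]}}\n' "$host"
}

# Typical use with the page's example values:
#   body=$(mart_org_body my_organization foo-mart.example.com) &&
#   curl -v -X PUT https://apigee.googleapis.com/v1/organizations/my_organization \
#     -H "Content-Type: application/json" \
#     -H "Authorization: Bearer $TOKEN" -d "$body"
```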

Save the overrides file

Be sure to save your overrides file. You will need this file to perform future upgrades, patches, or any other modifications to the cluster configuration.

CONGRATULATIONS!

You've successfully installed Apigee hybrid. You are now ready to test it.


Last updated 2026-02-19 UTC.