Step 3: Configure the GKE on-prem user cluster
Specify configuration overrides
The Apigee hybrid installer uses defaults for many settings; however, there are a few settings that do not have defaults. You must provide values for these settings, as explained next.
- Be sure you are in the
hybrid-base-directory/hybrid-filesdirectory. - Copy the
overrides-small.yamlfile from the$APIGEECTL_HOME/examplesoverridesdirectory:cp
$APIGEECTL_HOME/examples/overrides-small.yaml ./overrides/overrides.yamlThis example file provides a basic configuration for a small-footprint hybrid runtime installation, a configuration that is suitable for a your first installation.
cdinto theoverridesdirectory:- Open
overrides.yamland add the required property values, shown below. A detailed description of each property is also provided below:NOTE: Be sure to disable logging by settinglogger:enabled:falsein the overrides file. Logging is provided by default as part of GKE on-prem.Syntax
The
overrides.yamlfile has the following structure and syntax. Values inred, bold italics are property values that you must provide:gcpProjectID:project-idk8sClusterName:cluster-nameorg:org-nameenvs:-name:environment-name# The same name of the env you created in the UIhostAlias:test-host-aliassslCertPath:./certs/test-cert-name.pemsslKeyPath:./certs/test-key-name.keyserviceAccountPaths:synchronizer:./service-accounts/synchronizer-service-account-name.jsonudca:./service-accounts/udca-service-account-name.jsoncassandra:hostNetwork:truednsPolicy:ClusterFirstWithHostNetingress:runtime:loadBalancerIP:virtual_IP_runtimemart:loadBalancerIP:virtual_IP_martmart:hostAlias:mart-host-aliasserviceAccountPath:./service-accounts/mart-service-account-name.jsonsslCertPath:./certs/mart-cert-name.pemsslKeyPath:./certs/mart-key-name.keymetrics:serviceAccountPath:./service-accounts/metrics-service-account-name.jsonlogger:enabled:false
Example
The following example shows a completed overrides file with example property values added:
gcpProjectID:hybrid-projectk8sClusterName:apigee-hybridorg:hybrid-orgenvs:-name:testhostAlias:"*"sslCertPath:./certs/keystore.pemsslKeyPath:./certs/keystore.keyserviceAccountPaths:synchronizer:./service-accounts/hybrid-project-apigee-synchronizer.jsonudca:./service-accounts/hybrid-project-apigee-udca.jsoncassandra:hostNetwork:truednsPolicy:ClusterFirstWithHostNetingress:runtime:loadBalancerIP:21.0.124.13mart:loadBalancerIP:21.0.124.14mart:hostAlias:"mart.apigee-hybrid-docs.net"serviceAccountPath:./service-accounts/hybrid-project-apigee-mart.jsonsslCertPath:./certs/fullchain.pemsslKeyPath:./certs/privkey.keymetrics:serviceAccountPath:./service-accounts/hybrid-project-apigee-metrics.jsonlogger:enabled:false
- When your finished, save the file.
cd overrides
The following table describes each of the property values that you must provide in the overrides file.
| Variable | Description |
|---|---|
| project-id | Your GCP project ID. |
| cluster-name | Your Kubernetes cluster name. |
| org-name | The name of your Apigee hybrid organization. |
| environment-name | Use the same name that you used when you created an environment in the UI, as explained inStep 5: Add a new environment in the hybrid UI. |
| test-host-alias | (Required) For the quickstart, use the wildcard character " The use of |
| test-cert-nametest-key-name | Enter the name of the self-signed TLS key and certificate files that you generated previously in the step Create TLS credentials for the runtime gateway. These files must be located in thebase_directory/hybrid-files/certs directory. For example:sslCertPath: ./certs/keystore.pemsslKeyPath: ./certs/keystore.key |
| synchronizer-service-account-name | The name of the synchronizer service account key file that you generated with thecreate-service-account tool. For example:synchronizer: ./service-accounts/hybrid-project-apigee-synchronizer.json |
| udca-service-account-name | The name of the udca service account key file that you generated with thecreate-service-account tool. For example:udca: ./service-accounts/hybrid-project-apigee-udca.json |
| virtual_IP_runtime, virtual_IP_mart | To use GKE on-prem integrated load balancing, you need to provide virtual IPs for LoadBalancers on the hybrid MART and runtime services. GKE on-prem automatically configures the virtual IP on the F5 BIG-IP load balancer. For more information, seeSetting up your load balancer for GKE on-prem |
| mart-host-alias | A qualified DNS name for the MART server endpoint. This name must match the common name (CN) used in the authorized TLS certificate required for this configuration. For example,mart.mydomain.comNOTE: The Common Name (CN) in the certificate must agree with the value specified in themart.hostAlias property. If the CN is*.hybrid-domain.net and you've registered the hostmart.hybrid-domain.net, then you would setmart.hostAlias to the valuemart.hybrid-domain.net. |
| mart-service-account-name | The name of the mart service account key file that you generated with thecreate-service-account tool. |
| mart-cert-name mart-key-name | Enter the name of the authorized TLS key and certificate files that you generated previously in the stepCreate TLS credentials for the MART gateway. These files must be located in thebase_directory/hybrid-files/certs directory. For example:sslCertPath: ./certs/fullchain.pemsslKeyPath: ./certs/privkey.key |
| metrics-service-account-name | The name of the metrics service account key file that you generated with thecreate-service-account tool. For example:serviceAccountPath: ./service-accounts/hybrid-project-apigee-metrics.json |
Summary
The configuration file tells Kubernetes how to deploy the hybrid components to a cluster. Next, you will apply this configuration to your cluster.
123(NEXT) Step 4: Install hybrid runtimeExcept as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.