Step 6: Configure the cluster

You are currently viewing version 1.11 of the Apigee hybrid documentation.This version is end of life. You should upgrade to a newer version. For more information, seeSupported versions.

Specify configuration overrides

The Apigee hybrid installer uses defaults for many settings; however, there are a few settings that do not have defaults. You must provide values for these settings, as explained next.

Before you begin

We recommend you review the following scenarios to determine if you want to configure your cluster for them. These configurations are optional.

Configure the cluster

By convention, configuration overrides are written in a file namedoverrides.yaml in your$HYBRID_FILES/overrides directory.

Note: Theoverrides.yaml file will be used during upgrades, expansions and anytime you need to alter the configuration of your hybrid runtime installation. Apigee recommends you store this file in a source control repository with version control.
  1. Create a new file namedoverrides.yaml in your$HYBRID_FILES/overrides directory. For example:
    vi $HYBRID_FILES/overrides/overrides.yaml

    Theoverrides.yaml provides the configuration for your unique Apigee hybrid installation. The overrides file in this step provides a basic configuration for a small-footprint hybrid runtime installation, suitable for your first installation.

  2. Inoverrides.yaml, add the required property values, shown below. A detailed description of each property is also provided below.

    If you are installing Apigee hybrid on GKE and you plan to use Workload Identity to authenticate hybrid components, select theGKE - Workload Identity tab to configure youroverrides.yaml file.

    For all other installations, select the tab for either non-production,Non-prod or production,Prod environments, depending on your choice inStep 4: Create service accounts and credentials.

    For installations in production environments, look at the storage requirements for the Cassandra database inConfigure Cassandra for production.

    GKE - Workload Identity

    Make sure theoverrides.yaml file has the following structure and syntax. Values inred, bold italics are property values that you must provide. They are described in thetable below.

    If you are installing Apigee hybrid onGKE, you have an alternative to authenticate and make requests to Google APIs,Workload Identity. For overviews of Workload Identity, see:

    To use Workload Identity with Apigee hybrid on GKE, use this template and then follow the steps inStep 8: Install hybrid runtime to create the Kubernetes service accounts and associate them with the Google service accounts you created inStep 4: Create service accounts and credentials.

    gcp:  region:ANALYTICS_REGION  projectID:GCP_PROJECT_IDworkloadIdentityEnabled: truek8sCluster:  name:CLUSTER_NAME  region:CLUSTER_LOCATION # Must be the closest Google Cloud region to your cluster.org:ORG_NAMEinstanceID: "UNIQUE_INSTANCE_IDENTIFIER"  ao:  image:    url: "gcr.io/apigee-release/hybrid/apigee-operators"    tag: "1.11.2-hotfix.3" # Required for Apigee hybrid v1.11.2runtime:  image:    url: "gcr.io/apigee-release/hybrid/apigee-runtime"    tag: "1.11.2-hotfix.3" # Required for Apigee hybrid v1.11.2 cassandra:  hostNetwork:false    #false for all GKE installations.    # SeeMulti-region deployment: Prerequisites  replicaCount:3    # Use 1 for demo installations and multiples of 3 for production.    # SeeConfigure Cassandra for production for guidelines.  backup:    enabled: true    # Set to true for initial installation.    # This triggers apigeectl to create the apigee-cassandra-backup Kubernetes service account.    # SeeCassandra backup overview for instructions on using cassandra.backup.virtualhosts:- name:ENVIRONMENT_GROUP_NAME  selector:    app: apigee-ingressgateway    ingress_name:INGRESS_NAME  sslCertPath: ./certs/CERT_NAME.pem  sslKeyPath: ./certs/KEY_NAME.keyingressGateways:- name:INGRESS_NAME # maximum 17 characters.  replicaCountMin: 2  replicaCountMax: 10  svcAnnotations:  # optional. If you are on AKS, seeKnown issue #260772383SVC_ANNOTATIONS_KEY:SVC_ANNOTATIONS_VALUE  svcLoadBalancerIP:SVC_LOAD_BALANCER_IP  # optionalenvs:- name:ENVIRONMENT_NAMElogger:  enabled:false # Set tofalse for all GKE installations.

    Non-prod

    Make sure theoverrides.yaml file has the following structure and syntax. Values inred, bold italics are property values that you must provide. They are described in thetable below.

    There are differences between the different platforms for the Google Cloud project region and Kubernetes cluster region. Choose the platform where you are installing Apigee hybrid.

    gcp:  region:ANALYTICS_REGION  projectID:GCP_PROJECT_IDk8sCluster:  name:CLUSTER_NAME  region:CLUSTER_LOCATION # Must be the closest Google Cloud region to your cluster.org:ORG_NAMEinstanceID: "UNIQUE_INSTANCE_IDENTIFIER"  ao:  image:    url: "gcr.io/apigee-release/hybrid/apigee-operators"    tag: "1.11.2-hotfix.3" # Required for Apigee hybrid v1.11.2runtime:  image:    url: "gcr.io/apigee-release/hybrid/apigee-runtime"    tag: "1.11.2-hotfix.3" # Required for Apigee hybrid v1.11.2 cassandra:  replicaCount:1    # Use 1 for non-prod or "demo" installations and multiples of 3 for production.    # SeeConfigure Cassandra for production for guidelines.  hostNetwork:false    # Set tofalse for single region installations and multi-region installations    # with connectivity between pods in different clusters, for example GKE installations.    # Set totrue  for multi-region installations with no communication between    # pods in different clusters, for example GKE On-prem, GKE on AWS, Anthos on bare metal,    # AKS, EKS, and OpenShift installations.    # SeeMulti-region deployment: Prerequisitesvirtualhosts:- name:ENVIRONMENT_GROUP_NAME  selector:    app: apigee-ingressgateway    ingress_name:INGRESS_NAME  sslCertPath: ./certs/CERT_NAME.pem  sslKeyPath: ./certs/KEY_NAME.keyingressGateways:- name:INGRESS_NAME # maximum 17 characters.  replicaCountMin: 2  replicaCountMax: 10  svcAnnotations:  # optional. If you are on AKS, seeKnown issue #260772383SVC_ANNOTATIONS_KEY:SVC_ANNOTATIONS_VALUE  svcLoadBalancerIP:SVC_LOAD_BALANCER_IP  # optionalenvs:- name:ENVIRONMENT_NAME  serviceAccountPaths:    synchronizer:NON_PROD_SERVICE_ACCOUNT_FILEPATH      # For example: "./service-accounts/GCP_PROJECT_ID-apigee-non-prod.json"    udca:NON_PROD_SERVICE_ACCOUNT_FILEPATH    runtime:NON_PROD_SERVICE_ACCOUNT_FILEPATHmart:  serviceAccountPath:NON_PROD_SERVICE_ACCOUNT_FILEPATHconnectAgent:  serviceAccountPath:NON_PROD_SERVICE_ACCOUNT_FILEPATHmetrics:  serviceAccountPath:NON_PROD_SERVICE_ACCOUNT_FILEPATHudca:  serviceAccountPath:NON_PROD_SERVICE_ACCOUNT_FILEPATHwatcher:  serviceAccountPath:NON_PROD_SERVICE_ACCOUNT_FILEPATHlogger:  enabled:false        # Set tofalse to disable logger for GKE installations.        # Set totrue for all platforms other than GKE.        # Seeapigee-logger inService accounts and roles used by hybrid components.  serviceAccountPath:NON_PROD_SERVICE_ACCOUNT_FILEPATH

    Prod

    Make sure theoverrides.yaml file has the following structure and syntax. Values inred, bold italics are property values that you must provide. They are described in thetable below.

    There are differences between the different platforms for the Google Cloud project region and Kubernetes cluster region. Choose the platform where you are installing Apigee hybrid.

    gcp:  region:ANALYTICS_REGION  projectID:GCP_PROJECT_IDk8sCluster:  name:CLUSTER_NAME  region:CLUSTER_LOCATION # Must be the closest Google Cloud region to your cluster.org:ORG_NAMEinstanceID: "UNIQUE_INSTANCE_IDENTIFIER"  ao:  image:    url: "gcr.io/apigee-release/hybrid/apigee-operators"    tag: "1.11.2-hotfix.3" # Required for Apigee hybrid v1.11.2runtime:  image:    url: "gcr.io/apigee-release/hybrid/apigee-runtime"    tag: "1.11.2-hotfix.3" # Required for Apigee hybrid v1.11.2 cassandra:  hostNetwork:false    # Set tofalse for single region installations and multi-region installations    # with connectivity between pods in different clusters, for example GKE installations.    # Set totrue  for multi-region installations with no communication between    # pods in different clusters, for example GKE On-prem, GKE on AWS, Anthos on bare metal,    # AKS, EKS, and OpenShift installations.    # SeeMulti-region deployment: Prerequisites  replicaCount:3    # Use multiples of 3 for production.    # SeeConfigure Cassandra for production for guidelines.  storage:    capacity: 500Gi  resources:    requests:      cpu: 7      memory: 15Gi  maxHeapSize: 8192M  heapNewSize: 1200M    # Minimum storage requirements for a production environment.    # SeeConfigure Cassandra for production.virtualhosts:- name:ENVIRONMENT_GROUP_NAME  selector:    app: apigee-ingressgateway    ingress_name:INGRESS_NAME  sslCertPath: ./certs/CERT_NAME.pem  sslKeyPath: ./certs/KEY_NAME.keyingressGateways:- name:INGRESS_NAME # maximum 17 characters.  replicaCountMin: 2  replicaCountMax: 10  svcAnnotations:  # optional. If you are on AKS, seeKnown issue #260772383SVC_ANNOTATIONS_KEY:SVC_ANNOTATIONS_VALUEenvs:- name:ENVIRONMENT_NAME  serviceAccountPaths:    synchronizer:SYNCHRONIZER_SERVICE_ACCOUNT_FILEPATH      # For example: "./service-accounts/GCP_PROJECT_ID-apigee-synchronizer.json"    udca:UDCA_SERVICE_ACCOUNT_FILEPATH      # For example: "./service-accounts/GCP_PROJECT_ID-apigee-udca.json"    runtime:RUNTIME_SERVICE_ACCOUNT_FILEPATH      # For example: "./service-accounts/GCP_PROJECT_ID-apigee-runtime.json"mart:  serviceAccountPath:MART_SERVICE_ACCOUNT_FILEPATH        # For example: "./service-accounts/GCP_PROJECT_ID-apigee-mart.json"connectAgent:  serviceAccountPath:MART_SERVICE_ACCOUNT_FILEPATH        #Use the same service account for mart and connectAgentmetrics:  serviceAccountPath:METRICS_SERVICE_ACCOUNT_FILEPATH        # For example: "./service-accounts/GCP_PROJECT_ID-apigee-metrics.json"udca:  serviceAccountPath:UDCA_SERVICE_ACCOUNT_FILEPATH        # For example: "./service-accounts/GCP_PROJECT_ID-apigee-udca.json"watcher:  serviceAccountPath:WATCHER_SERVICE_ACCOUNT_FILEPATH        # For example: "./service-accounts/GCP_PROJECT_ID-apigee-watcher.json"logger:  enabled:false        # Set tofalse to disable logger for GKE installations.        # Set totrue for all platforms other than GKE.        # Seeapigee-logger inService accounts and roles used by hybrid components.  serviceAccountPath:LOGGER_SERVICE_ACCOUNT_FILEPATH        # For example: "./service-accounts/GCP_PROJECT_ID-apigee-logger.json"

    Example

    The following example shows a completed overrides file with example property values added:

    gcp:  region: us-central1  projectID: hybrid-examplek8sCluster:  name: apigee-hybrid  region: us-central1org: hybrid-exampleinstanceID: "my_hybrid_example"  ao:  image:    url: "gcr.io/apigee-release/hybrid/apigee-operators"    tag: "1.11.2-hotfix.3" # Required for Apigee hybrid v1.11.2runtime:  image:    url: "gcr.io/apigee-release/hybrid/apigee-runtime"    tag: "1.11.2-hotfix.3" # Required for Apigee hybrid v1.11.2 cassandra:  hostNetwork: false  replicaCount: 3virtualhosts:- name: example-env-group  selector:    app: apigee-ingressgateway    ingress_name: my-ingress-1  sslCertPath: ./certs/keystore.pem  sslKeyPath: ./certs/keystore.keyingressGateways:- name: my-ingress-1  replicaCountMin: 2  replicaCountMax: 10envs:- name: test  serviceAccountPaths:    synchronizer: ./service-accounts/my-hybrid-project-apigee-non-prod.json      # for production environments, my-hybrid-project-apigee-synchronizer.json    udca: ./service-accounts/my-hybrid-project-apigee-non-prod.json      # for production environments, my-hybrid-project-apigee-udca.json    runtime: ./service-accounts/my-hybrid-project-apigee-non-prod.json      # for production environments, my-hybrid-project-apigee-runtime.jsonmart:  serviceAccountPath: ./service-accounts/my-hybrid-project-apigee-non-prod.json    # for production environments, my-hybrid-project-apigee-mart.jsonconnectAgent:  serviceAccountPath: ./service-accounts/my-hybrid-project-apigee-non-prod.json    # for production environments, example-hybrid-apigee-mart.jsonmetrics:  serviceAccountPath: ./service-accounts/my-hybrid-project-apigee-non-prod.json    # for production environments, my-hybrid-project-apigee-metrics.jsonudca:  serviceAccountPath: ./service-accounts/my-hybrid-project-apigee-non-prod.json    # for production environments, my-hybrid-project-apigee-udca.jsonwatcher:  serviceAccountPath: ./service-accounts/my-hybrid-project-apigee-non-prod.json    # for production environments, my-hybrid-project-apigee-watcher.jsonlogger:  enabled: false # Set to "false" for GKE. Set to "true" for all other Kubernetes platforms.  serviceAccountPath: ./service-accounts/my-hybrid-project-apigee-non-prod.json    # for production environments, LOGGER_SERVICE_ACCOUNT_NAME.json
  3. When you are finished, save the file.

The following table describes each of the property values that you must provide in the overrides file. For more information, seeConfiguration property reference.

VariableDescription
ANALYTICS_REGIONIn GKE, You must set this value to the same region where the cluster is running. In all other platforms, select the closest analytics region to your cluster that has Analytics support (see the table inPart 1, Step 2: Create an organization.

This is the value you assigned to the environment variableANALYTICS_REGION previously.

GCP_PROJECT_IDIdentifies the Google Cloud project where theapigee-logger and theapigee-metrics push their data. This is the value assigned to the environment variablePROJECT_ID.
CLUSTER_NAMEYour Kubernetes cluster name. This is the value assigned to the environment variableCLUSTER_NAME.
CLUSTER_LOCATIONThe region where the cluster is running. This is the region where you created the cluster in Step 1: Create a cluster.

This is the value you assigned to the environment variableCLUSTER_LOCATION previously.

If you are working with zonal clusters, you must specify theregion in which your cluster was created. For example, if you created your cluster in theus-central1-a zone, specifyus-central1 for theCLUSTER_LOCATION.
ORG_NAMEThe ID of your Apigee hybrid organization. This is the value assigned to the environment variableORG_NAME.
UNIQUE_INSTANCE_IDENTIFIER

A unique string to identify this instance. This can be any combination of letters and numbers up to 63 characters in length.

Note:You can create multiple organizations in the same cluster, but theinstanceID must be the same for all orgs in the same Kubernetes cluster. For multi-region installations, each region requires its own cluster (individual clusters do not span regions).

You can create multiple organizations in the same cluster, but theinstanceID must be the same for all orgs in the same Kubernetes cluster.

ENVIRONMENT_GROUP_NAMEThe name of the environment group your environments are assigned to. This is the group you created in Project and org setup - Step 3: Create an environment group. This is the value assigned to the environment variableENV_GROUP.Note:If you wish to place cluster instances in multiple regions, you must be careful about how you define your environments and virtual hosts. If you have one or more environments attached to an environment group, you must include that same environment group configuration in each cluster instance's overrides file.
CERT_NAME
KEY_NAME		Enter the name of the self-signed TLS key and certificate files that you generated previously in Step 5: Create TLS certificates. These files must be located in thebase_directory/hybrid-files/certs directory. For example:
sslCertPath: ./certs/keystore.pemsslKeyPath: ./certs/keystore.key
INGRESS_NAMEThe name of the Apigee ingress gateway for your deployment. This can be any name that meets the following requirements:
  • Have a maximum length of 17 characters
  • Contain only lowercase alphanumeric characters, '-' or '.'
  • Start with an alphanumeric character
  • End with an alphanumeric character

SeeingressGateways[].name in the Configuration property reference

SVC_ANNOTATIONS_KEY:SVC_ANNOTATIONS_VALUE(Optional). This is a key-value pair that provides annotations for your default ingress service. Annotations are used by your cloud platform to help configure your hybrid installation, for example setting the loadbalancer type to either internal or external.

Annotations vary from platform to platform. Refer to your platform documentation for required and suggested annotations.

Note: You do not need to setsvcAnnotations if you are creating your own Kubernetes service for ingress deployment as documented inExpose Apigee ingress gateway.

Comment out or delete this section if you are not using it.

SVC_LOAD_BALANCER_IP(Optional). An IP address you have reserved for your load balancer. On platforms that support specifying the load balancer IP address, the load balancer will be created with this IP address. On platforms that do not allow you to specify the load balancer IP, this property is ignored.Note: You do not need to setLoadBalancerIP if you are creating your own Kubernetes service for ingress deployment as documented inExpose Apigee ingress gateway. In production installations, it is recommended to create your own Kubernetes service.

Comment out or delete this section if you are not using it.

ENVIRONMENT_NAMEUse the same name that you used when you created an environment in the UI, as explained in Project and org setup - Step 3: Create an environment group.
*_SERVICE_ACCOUNT_FILEPATHThe path and filename account of the service account JSON files in yourservice-accounts/ directory. The names must include the path to the service account file. This can be a full path, or the path relative to yourhybrid-files/ directory. If you include a relative path, you must callapigeectl, the command to apply this configuration, from yourhybrid-files/ directory.

For non-production environments, the name of the single service account isGCP_PROJECT_ID-non-prod.json by default.

For production environments, the name of the service account key file that you generated with thecreate-service-account tool inHybrid runtime setup - Step 4: Create service accounts and credentials.

You can see the list of service account files in yourservice-accounts/ directory.

The default names of the production environment service accounts are:

  • Cassandra:GCP_PROJECT_ID-apigee-cassandra.json
  • Logger:GCP_PROJECT_ID-apigee-logger.json
  • MART:GCP_PROJECT_ID-apigee-mart.json
  • Connect agent:GCP_PROJECT_ID-apigee-mart.json
  • Metrics:GCP_PROJECT_ID-apigee-metrics.json
  • Apigee runtime:GCP_PROJECT_ID-
  • Synchronizer:GCP_PROJECT_ID-apigee-synchronizer.json
  • UDCA:GCP_PROJECT_ID-apigee-udca.json
  • Watcher:GCP_PROJECT_ID-apigee-watcher.json
Note:Bothmart andconnectAgent use theapigee-mart service account.
Note: If you want to create a security perimeter around your cluster and related Cloud services, you can configure one using Google Cloud Virtual Private Cloud (VPC) Service Controls with Apigee hybrid. See Using VPC Service Controls with Apigee and Apigee hybrid for instructions.

Summary

The configuration file tells Kubernetes how to deploy the hybrid components to a cluster. Next, you will enable synchronizer access so the Apigee runtime and management planes will be able to communicate.

123456(NEXT) Step 7: Enable Synchronizer access8910

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-17 UTC.