Step 3: Install ASM

You are currently viewing version 1.5 of the Apigee hybrid documentation. This version is end of life. You should upgrade to a newer version. For more information, see Supported versions.

Install ASM

Apigee hybrid uses the Istio distribution provided with Anthos Service Mesh (ASM). Follow these steps to install ASM in your cluster.

Supported ASM versions

See Apigee hybrid: supported platforms for the ASM versions supported in hybrid version 1.5.

Perform ASM setup and configuration steps

To complete the ASM installation, you must first follow ASM-specific setup and configuration steps in the ASM documentation. Then, you must return here to complete the hybrid-specific configuration before applying the configuration to the cluster.

The instructions to install and configure ASM are different depending on your platform. The platforms are divided into the following categories:

  • GKE: Google Kubernetes Engine clusters running on Google Cloud.
  • Outside Google Cloud: Anthos clusters running on:
    • Anthos clusters on VMware (GKE on-prem)
    • Anthos on bare metal
    • Anthos clusters on AWS
    • Amazon EKS
  • Other Kubernetes Platforms: Conformant clusters created and running on:
    • AKS
    • EKS
    • OpenShift

GKE

Prepare to install ASM

  1. Check the environment variables you will need for the following steps, and set them if you need to:
    echo ${PROJECT_ID}
    echo ${CLUSTER_NAME}
    echo ${CLUSTER_LOCATION}
  2. Create an overlay file named overlay.yaml with the following contents:
    apiVersion: install.istio.io/v1alpha1
    kind: IstioOperator
    spec:
      components:
        ingressGateways:
          - name: istio-ingressgateway
            enabled: true
            k8s:
              nodeSelector:
                # default node selector, if different or not using node selectors, change accordingly.
                cloud.google.com/gke-nodepool: apigee-runtime
              resources:
                requests:
                  cpu: 1000m
              service:
                type: LoadBalancer
                loadBalancerIP: STATIC_IP # If you do not have a reserved static IP, leave this out.
                ports:
                  - name: http-status-port
                    port: 15021
                  - name: http2
                    port: 80
                    targetPort: 8080
                  - name: https
                    port: 443
                    targetPort: 8443
    • apigee-runtime is the default value for the node selector. This is the apigee-runtime node pool you created in Step 1: Create a cluster. If you are using a different node selector or are not using one, change or omit the nodeSelector property.
    • STATIC_IP is the IP address for your load balancer. If you have not set one, omit the loadBalancerIP property, but keep the type and ports properties.
  3. Follow the instructions to prepare to install ASM:
    1. Anthos prerequisites.
    2. Permissions required to install Anthos Service Mesh.
    3. Plan an installation.
  4. Install asmcli and any required tools like git, kubectl, and jq, following the instructions in Install required tools.
  5. Proceed through the step to Grant cluster admin permissions and stop. Do not perform the "Validate project and cluster" step. The asmcli validate command tries to validate the istio-system namespace, which you have not yet created in a fresh Apigee hybrid installation. Therefore, skip the "Validate project and cluster" step.
  6. Install ASM with optional features. Specify the legacy ingress gateway with --option legacy-default-ingressgateway. For example:
    ./asmcli install \
      --verbose \
      --project_id $PROJECT_ID \
      --cluster_name $CLUSTER_NAME \
      --cluster_location $CLUSTER_LOCATION \
      --output_dir dir_path \
      --custom_overlay overlay.yaml \
      --enable_all \
      --option legacy-default-ingressgateway
    • dir_path is the output directory where you want asmcli to set up the ASM installation, including all subdirectories.
    • overlay.yaml is the overlay file you created in the previous steps.

    Use these settings when following the instructions in Install with optional features.

Troubleshooting

If you encounter an error that refers to gcloud container hub memberships register, you may have exceeded the maximum number of clusters registered with GKE Hub. For example:

asmcli_1.12: [WARNING]:  Command 'run_command gcloud container hub memberships register my-hybrid-example...' failed.

Try the following steps to remedy this error and then run asmcli install again:

  1. List the GKE Hub memberships for your project:
    gcloud container hub memberships list --project=$PROJECT_ID
  2. Delete the GKE Hub memberships:
    gcloud container hub memberships delete "membership" --project=$PROJECT_ID

For more information about GKE Hub limits, see Quotas and limits.

Outside Google Cloud

These instructions are for installing and setting up ASM for Apigee hybrid instances using Anthos to run on:

  • Anthos clusters on VMware (GKE on-prem)
  • Anthos on bare metal
  • Anthos clusters on AWS
  • Amazon EKS

Prepare to install ASM

  1. Check the environment variables you will need for the following steps, and set them if you need to:
    echo ${PROJECT_ID}
    echo ${CLUSTER_NAME}
    echo ${CLUSTER_LOCATION}
  2. Create an overlay file named overlay.yaml with the following contents:
    apiVersion: install.istio.io/v1alpha1
    kind: IstioOperator
    spec:
      components:
        ingressGateways:
          - name: istio-ingressgateway
            enabled: true
            k8s:
              nodeSelector:
                # default node selector, if different or not using node selectors, change accordingly.
                cloud.google.com/gke-nodepool: apigee-runtime
              resources:
                requests:
                  cpu: 1000m
              service:
                type: LoadBalancer
                loadBalancerIP: STATIC_IP # If you do not have a reserved static IP, leave this out.
                ports:
                  - name: http-status-port
                    port: 15021
                  - name: http2
                    port: 80
                    targetPort: 8080
                  - name: https
                    port: 443
                    targetPort: 8443
      meshConfig:
        accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
    • apigee-runtime is the default value for the node selector. This is the apigee-runtime node pool you created in Step 1: Create a cluster. If you are using a different node selector or are not using one, change or omit the nodeSelector property.
    • STATIC_IP is the IP address for your load balancer. If you have not set one, omit the loadBalancerIP property, but keep the type and ports properties.
  3. Follow the instructions to prepare to install ASM:
    1. Anthos prerequisites.
    2. Permissions required to install Anthos Service Mesh.
    3. Plan an installation.
  4. Install asmcli and any required tools like git, kubectl, and jq, following the instructions in Install required tools.
  5. Proceed through the step to Grant cluster admin permissions and stop. Do not perform the "Validate project and cluster" step. The asmcli validate command tries to validate the istio-system namespace, which you have not yet created in a fresh Apigee hybrid installation. Therefore, skip the "Validate project and cluster" step.
  6. Install ASM with optional features. Specify the legacy ingress gateway with --option legacy-default-ingressgateway. For example:
    ./asmcli install \
      --verbose \
      --project_id $PROJECT_ID \
      --cluster_name $CLUSTER_NAME \
      --cluster_location $CLUSTER_LOCATION \
      --output_dir dir_path \
      --custom_overlay overlay.yaml \
      --enable_all \
      --option legacy-default-ingressgateway
    • dir_path is the output directory where you want asmcli to set up the ASM installation, including all subdirectories.
    • overlay.yaml is the overlay file you created in the previous steps.

    Use these settings when following the instructions in Install with optional features.

Troubleshooting

If you encounter an error that refers to gcloud container hub memberships register, you may have exceeded the maximum number of clusters registered with GKE Hub. For example:

asmcli_1.12: [WARNING]:  Command 'run_command gcloud container hub memberships register my-hybrid-example...' failed.

Try the following steps to remedy this error and then run asmcli install again:

  1. List the GKE Hub memberships for your project:
    gcloud container hub memberships list --project=$PROJECT_ID
  2. Delete the GKE Hub memberships:
    gcloud container hub memberships delete "membership" --project=$PROJECT_ID

For more information about GKE Hub limits, see Quotas and limits.

GKE on other platforms

These instructions are for installing and setting up ASM for Apigee hybrid instances using Anthos to run on:

  • GKE on-prem (Anthos)
  • Anthos on bare metal
  • GKE on AWS

Read the following steps carefully before you begin. We will ask you to perform some of the steps listed in the ASM documentation, then return here to complete the installation.

  1. Download and unzip istioctl according to the instructions in the ASM documentation: Downloading the installation file.
  2. Depending on the certificate authority you plan to use, install ASM by following the instructions in one of the following sections:
    1. Using Mesh CA: Installing Anthos Service Mesh with Mesh CA
    2. Supplying your own certificates with Istio CA: Installing Anthos Service Mesh with Istio CA
  3. Configure the validating webhook with the instructions in Configuring the validating webhook.
  4. Check the control plane components with the instructions in Checking the control plane components.

    Do not continue with "Injecting sidecar proxies."

Note: For GKE on-prem installations, these instructions assume your clients are SNI (Server Name Indication) enabled. If not, follow the instructions in Enable non-SNI and HTTP clients.

Other Kubernetes platforms

AKS

Set up and download ASM

Read the following steps carefully before you begin. We will ask you to perform some of the steps listed in the ASM documentation, then return here to complete the installation.

This guide explains how to do a clean installation of Anthos Service Mesh (ASM) version 1.28.2-asm.4 on Anthos attached clusters. Use this guide to install Anthos Service Mesh on the following environments:

  • Amazon Elastic Kubernetes Service (Amazon EKS) on Kubernetes
  • Microsoft Azure Kubernetes Service (Microsoft AKS) on Kubernetes
  • Red Hat OpenShift

Preparing to install Anthos Service Mesh

    Linux

  1. Download the Anthos Service Mesh installation file to your current working directory:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.28.2-asm.4-linux-amd64.tar.gz
  2. Download the signature file and use openssl to verify the signature:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.28.2-asm.4-linux-amd64.tar.gz.1.sig
    openssl dgst -verify /dev/stdin -signature istio-1.28.2-asm.4-linux-amd64.tar.gz.1.sig istio-1.28.2-asm.4-linux-amd64.tar.gz <<'EOF'
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
    wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
    -----END PUBLIC KEY-----
    EOF
  3. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
    tar xzf istio-1.28.2-asm.4-linux-amd64.tar.gz

    The command creates an installation directory in your current working directory named istio-1.28.2-asm.4 that contains:

    • Sample applications in the samples directory.
    • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
    • The Anthos Service Mesh configuration profiles are in the manifests/profiles directory.
  4. Ensure that you're in the Anthos Service Mesh installation's root directory:
    cd istio-1.28.2-asm.4
  5. For convenience, add the tools in the /bin directory to your PATH:
    export PATH=$PWD/bin:$PATH

    Mac OS

  1. Download the Anthos Service Mesh installation file to your current working directory:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.28.2-asm.4-osx.tar.gz
  2. Download the signature file and use openssl to verify the signature:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.28.2-asm.4-osx.tar.gz.1.sig
    openssl dgst -sha256 -verify /dev/stdin -signature istio-1.28.2-asm.4-osx.tar.gz.1.sig istio-1.28.2-asm.4-osx.tar.gz <<'EOF'
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
    wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
    -----END PUBLIC KEY-----
    EOF
  3. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
    tar xzf istio-1.28.2-asm.4-osx.tar.gz

    The command creates an installation directory in your current working directory named istio-1.28.2-asm.4 that contains:

    • Sample applications in the samples directory.
    • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
    • The Anthos Service Mesh configuration profiles are in the manifests/profiles directory.
  4. Ensure that you're in the Anthos Service Mesh installation's root directory:
    cd istio-1.28.2-asm.4
  5. For convenience, add the tools in the /bin directory to your PATH:
    export PATH=$PWD/bin:$PATH

    Windows

  1. Download the Anthos Service Mesh installation file to your current working directory:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.28.2-asm.4-win.zip
  2. Download the signature file and use openssl to verify the signature:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.28.2-asm.4-win.zip.1.sig
    openssl dgst -verify - -signature istio-1.28.2-asm.4-win.zip.1.sig istio-1.28.2-asm.4-win.zip <<'EOF'
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
    wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
    -----END PUBLIC KEY-----
    EOF
  3. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
    tar xzf istio-1.28.2-asm.4-win.zip

    The command creates an installation directory in your current working directory named istio-1.28.2-asm.4 that contains:

    • Sample applications in the samples directory.
    • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
    • The Anthos Service Mesh configuration profiles are in the manifests\profiles directory.
  4. Ensure that you're in the Anthos Service Mesh installation's root directory:
    cd istio-1.28.2-asm.4
  5. For convenience, add the tools in the \bin directory to your PATH:
    set PATH=%CD%\bin;%PATH%

  6. Now that ASM Istio is installed, check the version of istioctl:
    istioctl version
  7. Create a namespace called istio-system for the control plane components:
    kubectl create namespace istio-system
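
The download and verify steps above run the signature check but leave it to the operator to stop when it fails. The following added example (not part of the Apigee or ASM documentation) wraps the same openssl dgst -verify call so that extraction happens only after a valid signature. The function names are hypothetical, and the demo uses a constructed throwaway P-256 key and tarball in place of the publisher's key and the release archive.

```shell
#!/bin/sh
# Added example: fail-closed wrapper around the `openssl dgst -verify` step.
# All function names here are hypothetical, not part of asmcli or istioctl.

# verify_release ARCHIVE SIGNATURE PUBKEY_PEM
# Returns 0 only if SIGNATURE is a valid SHA-256 signature over ARCHIVE under
# PUBKEY_PEM; returns 2 if any input is missing or empty.
verify_release() {
    archive=$1 sig=$2 pubkey=$3
    # An empty .sig or archive usually means a failed or intercepted download.
    for f in "$archive" "$sig" "$pubkey"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 2; }
    done
    # openssl exits non-zero on "Verification Failure"; rely on the exit
    # status rather than on parsing the printed text.
    openssl dgst -sha256 -verify "$pubkey" -signature "$sig" "$archive" >/dev/null 2>&1
}

# verify_and_extract ARCHIVE SIGNATURE PUBKEY_PEM DESTDIR
# Extracts ARCHIVE into DESTDIR only after the signature has verified.
verify_and_extract() {
    archive=$1 sig=$2 pubkey=$3 dest=$4
    verify_release "$archive" "$sig" "$pubkey" || {
        echo "signature check failed for $archive; not extracting" >&2
        return 1
    }
    mkdir -p "$dest" && tar xzf "$archive" -C "$dest"
}

# run_constructed_demo
# Constructed demonstration: a throwaway P-256 key stands in for the
# publisher's key and a tiny tarball stands in for the release archive.
# Returns 0 if the good archive is extracted and the tampered one is refused.
run_constructed_demo() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        openssl ecparam -name prime256v1 -genkey -noout -out demo.key 2>/dev/null
        openssl pkey -in demo.key -pubout -out demo.pub 2>/dev/null
        mkdir payload && echo "constructed payload" > payload/README
        tar czf demo.tar.gz payload
        openssl dgst -sha256 -sign demo.key -out demo.tar.gz.sig demo.tar.gz

        # 1. The untampered archive verifies and is extracted.
        verify_and_extract demo.tar.gz demo.tar.gz.sig demo.pub out_ok || exit 1
        [ -f out_ok/payload/README ] || exit 1

        # 2. One appended byte invalidates the signature; nothing is extracted.
        cp demo.tar.gz tampered.tar.gz && printf 'x' >> tampered.tar.gz
        if verify_and_extract tampered.tar.gz demo.tar.gz.sig demo.pub out_bad 2>/dev/null; then
            exit 1
        fi
        [ ! -e out_bad ] || exit 1
    )
    rc=$?
    rm -rf "$work"
    return $rc
}
```

For the real download, save the public key block shown in the verify step to a file and pass that file as PUBKEY_PEM.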

Installing Anthos Service Mesh

  1. Install Anthos Service Mesh with istioctl using the asm-multicloud profile:
    istioctl install \
        --set profile=asm-multicloud \
        --set revision="asm-1282-4"

    The --set revision argument adds a revision label in the format istio.io/rev=asm-1282-4 to istiod. The revision label is used by the automatic sidecar injector webhook to associate injected sidecars with a particular istiod revision. To enable sidecar auto-injection for a namespace, you must label it with a revision that matches the label on istiod.

    Tip: The revision can only contain letters, numbers and dashes.
  2. Check that the istiod pods are running with kubectl get pods:
    kubectl get pods -n istio-system

    Your output should look something like:

    NAME                                   READY   STATUS    RESTARTS   AGE
    istio-ingressgateway-88b6fd976-flgp2   1/1     Running   0          3m13s
    istio-ingressgateway-88b6fd976-p5dl9   1/1     Running   0          2m57s
    istiod-asm-1282-4-dbfb7c7b6-2ls88      1/1     Running   0          3m21s
    istiod-asm-1282-4-dbfb7c7b6-fnj8c      1/1     Running   1          3m21s
  3. Verify that your install completed:
    kubectl get svc -n istio-system

    Your output should look something like:

    NAME                   TYPE           CLUSTER-IP       EXTERNAL-IP     PORT(S)                                                                      AGE
    istio-ingressgateway   LoadBalancer   172.200.48.52    34.74.177.168   15021:30479/TCP,80:30030/TCP,443:32200/TCP,15012:32297/TCP,15443:30244/TCP   3m35s
    istiod                 ClusterIP      172.200.18.133   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP                                        4m46s
    istiod-asm-1282-4      ClusterIP      172.200.63.220   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP                                        3m43s

Configure the validating webhook

When you install Anthos Service Mesh, you set a revision label on istiod. You need to set the same revision on the validating webhook.

  1. Create a file called istiod-service.yaml with the following contents:
    apiVersion: v1
    kind: Service
    metadata:
      name: istiod
      namespace: istio-system
      labels:
        istio.io/rev: asm-1282-4
        app: istiod
        istio: pilot
        release: istio
    spec:
      ports:
        - port: 15010
          name: grpc-xds # plaintext
          protocol: TCP
        - port: 15012
          name: https-dns # mTLS with k8s-signed cert
          protocol: TCP
        - port: 443
          name: https-webhook # validation and injection
          targetPort: 15017
          protocol: TCP
        - port: 15014
          name: http-monitoring # prometheus stats
          protocol: TCP
      selector:
        app: istiod
        istio.io/rev: asm-1282-4
      meshConfig:
        accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
  2. Use kubectl to apply the validating webhook configuration:
    kubectl apply -f istiod-service.yaml
  3. Verify that the configuration was applied:
    kubectl get svc -n istio-system

    The response should look similar to:

    NAME     TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                                 AGE
    istiod   ClusterIP   172.200.18.133   <none>        15010/TCP,15012/TCP,443/TCP,15014/TCP   22s
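
The revision passed to istioctl install has to match the istio.io/rev label and selector in istiod-service.yaml, and it may contain only letters, numbers and dashes. As an added example (not from the Apigee or ASM documentation), the following pre-apply check enforces both rules before kubectl apply is run. The function names are hypothetical, and write_sample_service produces a constructed, trimmed copy of the manifest above for trying the check offline.

```shell
#!/bin/sh
# Added example: lint the revision string and the Service manifest before
# `kubectl apply -f istiod-service.yaml`. Function names are hypothetical.

# valid_revision REV
# Succeeds if REV is non-empty and contains only letters, digits and dashes.
valid_revision() {
    case $1 in
        ''|*[!A-Za-z0-9-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# manifest_revisions FILE
# Prints every istio.io/rev value in FILE, one per line (plain or
# double-quoted values; trailing comments are dropped).
manifest_revisions() {
    sed -n 's|^[[:space:]]*istio\.io/rev:[[:space:]]*"\{0,1\}\([^"#[:space:]]*\).*$|\1|p' "$1"
}

# check_revision REV FILE
# Return codes:
#   0  REV is well formed and every istio.io/rev entry in FILE equals REV
#   1  at least one entry in FILE differs from REV (stale label or selector)
#   2  REV contains characters other than letters, digits and dashes
#   3  FILE does not carry both a label and a selector revision
check_revision() {
    rev=$1 file=$2
    valid_revision "$rev" || { echo "invalid revision: $rev" >&2; return 2; }
    found=$(manifest_revisions "$file" 2>/dev/null) || true
    count=$(printf '%s\n' "$found" | grep -c . || true)
    [ "$count" -ge 2 ] || {
        echo "expected label and selector revision in $file" >&2
        return 3
    }
    stale=$(printf '%s\n' "$found" | grep -vxF -e "$rev" || true)
    [ -z "$stale" ] || {
        echo "revision mismatch in $file: found $stale, want $rev" >&2
        return 1
    }
    return 0
}

# write_sample_service LABEL_REV SELECTOR_REV FILE
# Constructed sample input: a trimmed istiod Service with the label and the
# selector revision filled in separately, so a mismatch can be simulated.
write_sample_service() {
    cat > "$3" <<EOF
apiVersion: v1
kind: Service
metadata:
  name: istiod
  namespace: istio-system
  labels:
    istio.io/rev: $1
    app: istiod
spec:
  ports:
    - port: 443
      name: https-webhook # validation and injection
      targetPort: 15017
      protocol: TCP
  selector:
    app: istiod
    istio.io/rev: $2
EOF
}
```

A selector that still carries an older revision selects no istiod pods for the webhook service, which is the case return code 1 catches.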

EKS

Set up and download ASM

Read the following steps carefully before you begin. We will ask you to perform some of the steps listed in the ASM documentation, then return here to complete the installation.

This guide explains how to do a clean installation of Anthos Service Mesh (ASM) version 1.28.2-asm.4 on Anthos attached clusters. Use this guide to install Anthos Service Mesh on the following environments:

Preparing to install Anthos Service Mesh

    Linux

  1. Download the Anthos Service Mesh installation file to your current working directory:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.28.2-asm.4-linux-amd64.tar.gz
  2. Download the signature file and use openssl to verify the signature:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.28.2-asm.4-linux-amd64.tar.gz.1.sig
    openssl dgst -verify /dev/stdin -signature istio-1.28.2-asm.4-linux-amd64.tar.gz.1.sig istio-1.28.2-asm.4-linux-amd64.tar.gz <<'EOF'
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
    wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
    -----END PUBLIC KEY-----
    EOF
  3. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
    tar xzf istio-1.28.2-asm.4-linux-amd64.tar.gz

    The command creates an installation directory in your current working directory named istio-1.28.2-asm.4 that contains:

    • Sample applications in the samples directory.
    • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
    • The Anthos Service Mesh configuration profiles are in the manifests/profiles directory.
  4. Ensure that you're in the Anthos Service Mesh installation's root directory:
    cd istio-1.28.2-asm.4
  5. For convenience, add the tools in the /bin directory to your PATH:
    export PATH=$PWD/bin:$PATH

    Mac OS

  1. Download the Anthos Service Mesh installation file to your current working directory:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.28.2-asm.4-osx.tar.gz
  2. Download the signature file and use openssl to verify the signature:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.28.2-asm.4-osx.tar.gz.1.sig
    openssl dgst -sha256 -verify /dev/stdin -signature istio-1.28.2-asm.4-osx.tar.gz.1.sig istio-1.28.2-asm.4-osx.tar.gz <<'EOF'
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
    wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
    -----END PUBLIC KEY-----
    EOF
  3. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
    tar xzf istio-1.28.2-asm.4-osx.tar.gz

    The command creates an installation directory in your current working directory named istio-1.28.2-asm.4 that contains:

    • Sample applications in the samples directory.
    • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
    • The Anthos Service Mesh configuration profiles are in the manifests/profiles directory.
  4. Ensure that you're in the Anthos Service Mesh installation's root directory:
    cd istio-1.28.2-asm.4
  5. For convenience, add the tools in the /bin directory to your PATH:
    export PATH=$PWD/bin:$PATH

    Windows

  1. Download the Anthos Service Mesh installation file to your current working directory:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.28.2-asm.4-win.zip
  2. Download the signature file and use openssl to verify the signature:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.28.2-asm.4-win.zip.1.sig
    openssl dgst -verify - -signature istio-1.28.2-asm.4-win.zip.1.sig istio-1.28.2-asm.4-win.zip <<'EOF'
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
    wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
    -----END PUBLIC KEY-----
    EOF
  3. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
    tar xzf istio-1.28.2-asm.4-win.zip

    The command creates an installation directory in your current working directory named istio-1.28.2-asm.4 that contains:

    • Sample applications in the samples directory.
    • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
    • The Anthos Service Mesh configuration profiles are in the manifests\profiles directory.
  4. Ensure that you're in the Anthos Service Mesh installation's root directory:
    cd istio-1.28.2-asm.4
  5. For convenience, add the tools in the \bin directory to your PATH:
    set PATH=%CD%\bin;%PATH%

  6. Now that ASM Istio is installed, check the version of istioctl:
    istioctl version
  7. Create a namespace called istio-system for the control plane components:
    kubectl create namespace istio-system

Installing Anthos Service Mesh

  1. Install Anthos Service Mesh with istioctl using the asm-multicloud profile:
    istioctl install \
        --set profile=asm-multicloud \
        --set revision="asm-1282-4"

    The --set revision argument adds a revision label in the format istio.io/rev=asm-1282-4 to istiod. The revision label is used by the automatic sidecar injector webhook to associate injected sidecars with a particular istiod revision. To enable sidecar auto-injection for a namespace, you must label it with a revision that matches the label on istiod.

    Tip: The revision can only contain letters, numbers and dashes.
  2. Check that the istiod pods are running with kubectl get pods:
    kubectl get pods -n istio-system

    Your output should look something like:

    NAME                                   READY   STATUS    RESTARTS   AGE
    istio-ingressgateway-88b6fd976-flgp2   1/1     Running   0          3m13s
    istio-ingressgateway-88b6fd976-p5dl9   1/1     Running   0          2m57s
    istiod-asm-1282-4-dbfb7c7b6-2ls88      1/1     Running   0          3m21s
    istiod-asm-1282-4-dbfb7c7b6-fnj8c      1/1     Running   1          3m21s
  3. Verify that your install completed:
    kubectl get svc -n istio-system

    Your output should look something like:

    NAME                   TYPE           CLUSTER-IP       EXTERNAL-IP     PORT(S)                                                                      AGE
    istio-ingressgateway   LoadBalancer   172.200.48.52    34.74.177.168   15021:30479/TCP,80:30030/TCP,443:32200/TCP,15012:32297/TCP,15443:30244/TCP   3m35s
    istiod                 ClusterIP      172.200.18.133   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP                                        4m46s
    istiod-asm-1282-4      ClusterIP      172.200.63.220   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP                                        3m43s

Configure the validating webhook

When you install Anthos Service Mesh, you set a revision label on istiod. You need to set the same revision on the validating webhook.

  1. Create a file called istiod-service.yaml with the following contents:
    apiVersion: v1
    kind: Service
    metadata:
      name: istiod
      namespace: istio-system
      labels:
        istio.io/rev: asm-1282-4
        app: istiod
        istio: pilot
        release: istio
    spec:
      ports:
        - port: 15010
          name: grpc-xds # plaintext
          protocol: TCP
        - port: 15012
          name: https-dns # mTLS with k8s-signed cert
          protocol: TCP
        - port: 443
          name: https-webhook # validation and injection
          targetPort: 15017
          protocol: TCP
        - port: 15014
          name: http-monitoring # prometheus stats
          protocol: TCP
      selector:
        app: istiod
        istio.io/rev: asm-1282-4
      meshConfig:
        accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
  2. Use kubectl to apply the validating webhook configuration:
    kubectl apply -f istiod-service.yaml
  3. Verify that the configuration was applied:
    kubectl get svc -n istio-system

    The response should look similar to:

    NAME     TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                                 AGE
    istiod   ClusterIP   172.200.18.133   <none>        15010/TCP,15012/TCP,443/TCP,15014/TCP   22s

OpenShift

Set up and download ASM

Read the following steps carefully before you begin. We will ask you to perform some of the steps listed in the ASM documentation, then return here to complete the installation.

This guide explains how to do a clean installation of Anthos Service Mesh (ASM) version 1.28.2-asm.4 on Anthos attached clusters. Use this guide to install Anthos Service Mesh on the following environments:

Preparing to install Anthos Service Mesh

    Linux

  1. Grant the anyuid security context constraint (SCC) to the istio-system with the following oc command:
    oc adm policy add-scc-to-group anyuid system:serviceaccounts:istio-system
  2. Download the Anthos Service Mesh installation file to your current working directory:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.28.2-asm.4-linux-amd64.tar.gz
  3. Download the signature file and use openssl to verify the signature:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.28.2-asm.4-linux-amd64.tar.gz.1.sig
    openssl dgst -verify /dev/stdin -signature istio-1.28.2-asm.4-linux-amd64.tar.gz.1.sig istio-1.28.2-asm.4-linux-amd64.tar.gz <<'EOF'
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
    wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
    -----END PUBLIC KEY-----
    EOF
  4. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
    tar xzf istio-1.28.2-asm.4-linux-amd64.tar.gz

    The command creates an installation directory in your current working directory named istio-1.28.2-asm.4 that contains:

    • Sample applications in the samples directory.
    • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
    • The Anthos Service Mesh configuration profiles are in the manifests/profiles directory.
  5. Ensure that you're in the Anthos Service Mesh installation's root directory:
    cd istio-1.28.2-asm.4
  6. For convenience, add the tools in the /bin directory to your PATH:
    export PATH=$PWD/bin:$PATH

    Mac OS

  1. Grant the anyuid security context constraint (SCC) to the istio-system with the following oc command:
    oc adm policy add-scc-to-group anyuid system:serviceaccounts:istio-system
  2. Download the Anthos Service Mesh installation file to your current working directory:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.28.2-asm.4-osx.tar.gz
  3. Download the signature file and use openssl to verify the signature:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.28.2-asm.4-osx.tar.gz.1.sig
    openssl dgst -sha256 -verify /dev/stdin -signature istio-1.28.2-asm.4-osx.tar.gz.1.sig istio-1.28.2-asm.4-osx.tar.gz <<'EOF'
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
    wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
    -----END PUBLIC KEY-----
    EOF
  4. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
    tar xzf istio-1.28.2-asm.4-osx.tar.gz

    The command creates an installation directory in your current working directory named istio-1.28.2-asm.4 that contains:

    • Sample applications in the samples directory.
    • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
    • The Anthos Service Mesh configuration profiles are in the manifests/profiles directory.
  5. Ensure that you're in the Anthos Service Mesh installation's root directory:
    cd istio-1.28.2-asm.4
  6. For convenience, add the tools in the /bin directory to your PATH:
    export PATH=$PWD/bin:$PATH
  14. Windows

  15. Grant theanyuid security context constraint (SCC) to the istio-system with the following OpenShift CLI (oc) command:
    oc adm policy add-scc-to-group anyuid system:serviceaccounts:istio-system
  16. Download the Anthos Service Mesh installation file to your current working directory:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.28.2-asm.4-win.zip
  17. Download the signature file and use openssl to verify the signature:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.28.2-asm.4-win.zip.1.sig
    openssl dgst -verify - -signature istio-1.28.2-asm.4-win.zip.1.sig istio-1.28.2-asm.4-win.zip <<'EOF'
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
    wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
    -----END PUBLIC KEY-----
    EOF
  18. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
    tar xzf istio-1.28.2-asm.4-win.zip

    The command creates an installation directory in your current working directory named istio-1.28.2-asm.4 that contains:

    • Sample applications in the samples directory.
    • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
    • The Anthos Service Mesh configuration profiles are in the manifests\profiles directory.
  19. Ensure that you're in the Anthos Service Mesh installation's root directory:
    cd istio-1.28.2-asm.4
  20. For convenience, add the tools in the \bin directory to your PATH:
    set PATH=%CD%\bin;%PATH%
  21. Now that ASM Istio is installed, check the version of istioctl:
    istioctl version
  22. Create a namespace called istio-system for the control plane components:
    kubectl create namespace istio-system
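
The download steps above run the openssl check and the tar extraction as separate commands, so nothing stops an archive that failed verification from being unpacked. The following added example (not part of the original documentation) gates extraction on the signature check. The function name verify_then_extract and the demo file names are assumptions, and the demo signs a constructed archive with a throwaway P-256 key in place of the published key.

```shell
# verify_then_extract ARCHIVE SIGNATURE PUBKEY DEST
# Extract ARCHIVE into DEST only when SIGNATURE verifies against PUBKEY (PEM file).
verify_then_extract() (
  archive=$1; sig=$2; pubkey=$3; dest=$4
  if ! openssl dgst -sha256 -verify "$pubkey" -signature "$sig" "$archive" >/dev/null 2>&1; then
    echo "signature check FAILED for $archive; not extracting" >&2
    exit 1
  fi
  mkdir -p "$dest" && tar xzf "$archive" -C "$dest"
)

# Constructed demo: a throwaway key pair stands in for the publisher's key.
demo() {
  work=$(mktemp -d) || return 2
  (
    cd "$work" || exit 2
    openssl ecparam -name prime256v1 -genkey -noout -out demo-key.pem 2>/dev/null || exit 2
    openssl ec -in demo-key.pem -pubout -out demo-pub.pem 2>/dev/null || exit 2
    mkdir payload && echo "sample" > payload/file.txt && tar czf demo.tar.gz payload || exit 2
    openssl dgst -sha256 -sign demo-key.pem -out demo.tar.gz.1.sig demo.tar.gz || exit 2

    # 1. Untouched archive: verifies and is extracted.
    verify_then_extract demo.tar.gz demo.tar.gz.1.sig demo-pub.pem good || exit 3
    [ -f good/payload/file.txt ] || exit 3

    # 2. Archive modified after signing: rejected, nothing is unpacked.
    cp demo.tar.gz tampered.tar.gz && echo "x" >> tampered.tar.gz
    if verify_then_extract tampered.tar.gz demo.tar.gz.1.sig demo-pub.pem bad 2>/dev/null; then
      exit 4
    fi
    [ ! -e bad ] || exit 4
  )
  rc=$?
  rm -rf "$work"
  return "$rc"
}
```

For the real download, save the public key block shown in the verification step to a file and pass that file as PUBKEY.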

Installing Anthos Service Mesh

  1. Install Anthos Service Mesh with istioctl using the asm-multicloud profile:
    istioctl install \
      --set profile=asm-multicloud \
      --set revision="asm-1282-4"

    The --set revision argument adds a revision label in the format istio.io/rev=asm-1282-4 to istiod. The revision label is used by the automatic sidecar injector webhook to associate injected sidecars with a particular istiod revision. To enable sidecar auto-injection for a namespace, you must label it with a revision that matches the label on istiod.

    Tip: The revision can only contain letters, numbers and dashes.
  2. Check that the istiod pods are running with kubectl get pods:
    kubectl get pods -n istio-system

    Your output should look something like:

    NAME                                   READY   STATUS    RESTARTS   AGE
    istio-ingressgateway-88b6fd976-flgp2   1/1     Running   0          3m13s
    istio-ingressgateway-88b6fd976-p5dl9   1/1     Running   0          2m57s
    istiod-asm-1282-4-dbfb7c7b6-2ls88      1/1     Running   0          3m21s
    istiod-asm-1282-4-dbfb7c7b6-fnj8c      1/1     Running   1          3m21s
  3. Verify that your install completed:
    kubectl get svc -n istio-system

    Your output should look something like:

    NAME                   TYPE           CLUSTER-IP       EXTERNAL-IP     PORT(S)                                                                      AGE
    istio-ingressgateway   LoadBalancer   172.200.48.52    34.74.177.168   15021:30479/TCP,80:30030/TCP,443:32200/TCP,15012:32297/TCP,15443:30244/TCP   3m35s
    istiod                 ClusterIP      172.200.18.133   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP                                        4m46s
    istiod-asm-1282-4      ClusterIP      172.200.63.220   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP                                        3m43s

Configure the validating webhook

When you install Anthos Service Mesh, you set a revision label on istiod. You need to set the same revision on the validating webhook.

  1. Create a file called istiod-service.yaml with the following contents:
    apiVersion: v1
    kind: Service
    metadata:
      name: istiod
      namespace: istio-system
      labels:
        istio.io/rev: asm-1282-4
        app: istiod
        istio: pilot
        release: istio
    spec:
      ports:
        - port: 15010
          name: grpc-xds # plaintext
          protocol: TCP
        - port: 15012
          name: https-dns # mTLS with k8s-signed cert
          protocol: TCP
        - port: 443
          name: https-webhook # validation and injection
          targetPort: 15017
          protocol: TCP
        - port: 15014
          name: http-monitoring # prometheus stats
          protocol: TCP
      selector:
        app: istiod
        istio.io/rev: asm-1282-4
      meshConfig:
        accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
  2. Use kubectl to apply the validating webhook configuration:
    kubectl apply -f istiod-service.yaml
  3. Verify that the configuration was applied:
    kubectl get svc -n istio-system

    The response should look similar to:

    NAME     TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                                 AGE
    istiod   ClusterIP   172.200.18.133   <none>        15010/TCP,15012/TCP,443/TCP,15014/TCP   22s
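
The webhook Service only works if its istio.io/rev label and its selector both carry the revision that was passed to istioctl install. The following pre-apply check is an added example, not part of the original documentation. check_revision and write_sample are hypothetical helpers, and the trimmed manifest written by write_sample is constructed sample input.

```shell
# check_revision MANIFEST REVISION (hypothetical helper, not part of istioctl or kubectl)
# Fails unless REVISION is well formed and every istio.io/rev value in MANIFEST equals it.
# Usage: check_revision istiod-service.yaml asm-1282-4 && kubectl apply -f istiod-service.yaml
check_revision() (
  manifest=$1; rev=$2
  # The revision can only contain letters, numbers and dashes.
  case $rev in
    ''|*[!A-Za-z0-9-]*) echo "invalid revision: '$rev'" >&2; exit 1 ;;
  esac
  awk -v want="$rev" '
    $1 == "istio.io/rev:" {
      v = $2; gsub(/["\047]/, "", v); n++
      if (v != want) { printf "line %d: istio.io/rev is %s, expected %s\n", NR, v, want; bad = 1 }
    }
    END {
      if (n < 2) { print "istio.io/rev must appear in both labels and selector"; bad = 1 }
      exit (bad ? 1 : 0)
    }' "$manifest" >&2
)

# Constructed sample: a trimmed Service manifest whose selector revision is $2.
write_sample() {
  cat > "$1" <<EOF
apiVersion: v1
kind: Service
metadata:
  name: istiod
  namespace: istio-system
  labels:
    istio.io/rev: asm-1282-4
    app: istiod
spec:
  ports:
    - port: 443
      name: https-webhook # validation and injection
      targetPort: 15017
      protocol: TCP
  selector:
    app: istiod
    istio.io/rev: $2
EOF
}
```

A selector left on a different revision makes the Service match no istiod pods of the installed revision, which the check reports with the offending line number.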

Customizing the ASM installation

The ASM installation you just performed is a minimal installation, sufficient to test and use Apigee hybrid for basic use cases. For information on addressing more advanced use cases, such as adding, removing, or modifying load balancer port numbers, see Enabling optional features.

Summary

You now have cert-manager and ASM installed, and you are ready to install the Apigee hybrid command line tool on your local machine.


Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.