Starting with Apigee hybrid version 1.8, Apigee hybrid uses the Apigee ingress gateway to provide the ingress gateway for hybrid.

Configuring Apigee ingress gateway

You can configure your ingress gateways in youroverrides.yaml. For example:

ingressGateways:- name:INGRESS_NAME  replicaCountMin:REPLICAS_MIN  replicaCountMax:REPLICAS_MAX  resources:    requests:      cpu:CPU_COUNT_REQ      memory:MEMORY_REQ    limits:      cpu:CPU_COUNT_LIMIT      memory:MEMORY_LIMIT  svcAnnotations:  # optional.SVC_ANNOTATIONS_KEY:SVC_ANNOTATIONS_VALUE  svcLoadBalancerIP:SVC_LOAD_BALANCER_IP # optional

ingressGateways:- name: prod1  replicaCountMin: 2  replicaCountMax: 100  resources:    requests:      cpu: 1      memory: 1Gi    limits:      cpu: 2      memory: 2Gi  svcAnnotations:  # optional. SeeKnown issue 243599452.    networking.gke.io/load-balancer-type: "Internal"  svcLoadBalancerIP: 198.252.0.123

• INGRESS_NAME is the name of the ingress gateway deployment. This can be any name that meets the following requirements:
  • Have a maximum length of 17 characters
  • Contain only lowercase alphanumeric characters, '-' or '.'
  • Start with an alphanumeric character
  • End with an alphanumeric character

  SeeingressGateways[].name in the Configuration property reference

• REPLICAS_MIN andREPLICAS_MAX The minimum and maximum replica counts for Apigee ingress gateway in your installation. SeeingressGateways[].replicaCountMin andingressGateways[].replicaCountMax in the Configuration property reference.
• CPU_COUNT_REQ andMEMORY_REQ The CPU and memory request for each replica of Apigee ingress gateway in your installation.Set these properties if you have previously set them for your Anthos Service Mesh ingress gateway, for example in youroverlay.yaml file.

  SeeingressGateways[].resources.requests.cpu andingressGateways[].resources.requests.memory in the Configuration property reference.

• CPU_COUNT_LIMIT andMEMORY_LIMIT The maximum CPU and memory limits for each replica of Apigee ingress gateway in your installation.Set these properties if you have previously set them for your Anthos Service Mesh ingress gateway, for example in youroverlay.yaml file.

  SeeingressGateways[].resources.limits.cpu andingressGateways[].resources.limits.memory in the Configuration property reference.

• SVC_ANNOTATIONS_KEYSVC_ANNOTATIONS_VALUE (optional):Note: TheingressGateways[].svcAnnotations field inoverrides.yaml is not working as expected. SeeKnown issue 243599452

  This is a key-value pair that provides annotations for your default ingress service. Annotations are used by your cloud platform to help configure your hybrid installation, for example setting the loadbalancer type to either internal or external. For example:

  ingressGateways:  svcAnnotations:    networking.gke.io/load-balancer-type: "Internal"

  Annotations vary from platform to platform. Refer to your platform documentation for required and suggested annotations.

  Note: You do not need to setAnnotations here if you are creating your own Kubernetes service for ingress gateway deployment as documented inExpose Apigee ingress gateway. SeeingressGateways[].svcAnnotations in the Configuration property reference.
• SVC_LOAD_BALANCER_IP (optional). On platforms that support specifying the load balancer IP address, the load balancer will be created with this IP address. On platforms that do not allow you to specify the load balancer IP address, this property is ignored.Caution: Make sure not to specify the same IP address as the current istio-ingressgateway. This could cause problems while that service is still on the cluster.Note: You do not need to setLoadBalancerIP if you are creating your own Kubernetes service for ingress gateway deployment as documented inExpose Apigee ingress gateway. SeeingressGateways[].svcLoadBalancerIP in the Configuration property reference.

Apply the Apigee ingress gateway configuration

Apply changes to the organization scope withapigeectl.

$APIGEECTL_HOME/apigeectl apply -f overrides/overrides.yaml --org

Management tasks

Some common management tasks for the Apigee ingress gateway:

Stop supplying configuration to ASM

After upgrading to Apigee hybrid v1.8 and migrating traffic to Apigee ingress gateway, you can stop supplying routing configuration to Anthos Service Mesh.

1. Update the Apigee controller to stop updating Anthos Service Mesh CR objects in the API server. In your overrides file, set:

   ao:  args:    disableIstioConfigInAPIServer: true

Apply the configuration changes:

$APIGEECTL_HOME/apigeectl init -fOVERRIDES_FILE

Seeao in the Configuration properties reference for details.

2. Check the status of the deployment with the following command, because the previous command restarted the controller:

   $APIGEECTL_HOME/apigeectl check-ready -fOVERRIDES_FILE

3. Update thevirtualhosts. Every virtual host needs to include theapp selector label with the valueapp: apigee-ingressgateway. With this change, Anthos Service Mesh gateway won't be able to read Apigee routing configuration.

   Add or replace theselector property in each virtual host as follows:

   virtualhosts:- name:ENV_GROUP  selector:    app: apigee-ingressgateway # required  ...

   Apply the configuration changes:

   $APIGEECTL_HOME/apigeectl apply -fOVERRIDES_FILE --settings virtualhosts

   For more information seevirtualhosts.selector in the Configuration property reference.

Scaling Apigee ingress gateway:

Update the following properties in your overrides file.

• ingressGateways[].replicaCountMax
• ingressGateways[].replicaCountMin

SeeingressGateways in the Configuration properties reference for details.

Apply the changes withapigeectl apply --org.

Updating resource allocation

Update the following properties in your overrides file.

• ingressGateways[].resources.limits.cpu
• ingressGateways[].resources.limits.memory
• ingressGateways[].resources.requests.cpu
• ingressGateways[].resources.requests.memory

SeeingressGateways in the Configuration properties reference for details.

Apply the changes withapigeectl apply --org.

Updating the Apigee ingress gateway service

Update the following properties in your overrides file.

• ingressGateways[].svcAnnotations
• ingressGateways[].svcLoadBalancerIP

SeeingressGateways in the Configuration properties reference for details.

Apply the changes withapigeectl apply --org.

Disable the load balancer for the default Apigee ingress gateway service:

If you create acustom Kubernetes service for your ingress gateway deployment, you can disable creation of a load balanceer on the default Kubernetes service. Update theingressGateways[].svcType property toClusterIP in your overrides file. For example:

ingressGateways:  - name: my-ingress-gateway    replicaCountMin: 2    replicaCountMax: 10svcType: ClusterIP

Apply the changes withapigeectl apply --org.

Configure TLS and mTLS

SeeConfiguring TLS and mTLS on the ingress gateway.

Enabling non-SNI clients

SeeEnable non-SNI and HTTP clients.

Installing additional Apigee ingress gateways

In theoverrides.yaml file you can add multiple ingress gateways. TheingressGateways configuration property is an array. For more information, seeingressGateways in the Configuration properties reference.

For example:

ingressGateways:- name:fruit  replicaCountMin: 2  replicaCountMax: 10- name:meat  replicaCountMin: 2  replicaCountMax: 10

Apply the changes withapigeectl apply --org.

Targeting an Apigee ingress to a virtual host

You can target a labeled Apigee ingress gateway to a specific virtual host in your overrides file. This configuration specifies the ingress gateway where Apigee will apply the virtual host's configuration. In the following example, the virtual hostspam-vh is configured to use the ingress gateway labeledmeat and the other two virtual hosts use thefruit ingress gateway. The ingress gateways must be properly labeled, as explained inInstalling additional Anthos Service Mesh gateways.Note:You must specify both theselector:app andselector:ingress_name properties to properly apply an ingress gateway to a virtual host.

virtualhosts:- name: spam-vh  sslCertPath: cert-spam.crt  sslKeyPath: cert-spam.keyselector:    app: apigee-ingressgateway    ingress_name: meat- name: banana-vh  sslCertPath: cert-banana.crt  sslKeyPath: cert-banana.keyselector:    app: apigee-ingressgateway    ingress_name: fruit- name: plum-vh  sslCertPath: cert-plum.crt  sslKeyPath: cert-plum.keyselector:    app: apigee-ingressgateway    ingress_name: fruit

How does this work with my existing Anthos Service Mesh/Istio installation in another namespace?

As long as Apigee is installed in a dedicated namespace - Apigee ingress gateway can be run alongside an already existing Anthos Service Mesh/Istio installation in the cluster. Apigee ingress gateway doesn't store any configuration in apiserver hence there won't be any conflict.

Who is responsible for upgrading Apigee ingress gateway components?

Upgrade of Apigee ingress gateway components is taken care of by Apigee and happens during regular hybrid upgrades and patch releases.

How do I expose port 80 in Apigee ingress gateway?

Port 80 is not supported by Apigee ingress gateway. If you are migrating from Anthos Service Mesh to Apigee ingress gateway, and followed the instructions inthe community post to enable Port 80, it will not work with Apigee Ingress gateway.