You are currently viewing version 1.8 of the Apigee hybrid documentation.This version is end of life. You should upgrade to a newer version. For more information, seeSupported versions.

This topic explains how to add a second Apigee hybrid organization (org) to an existing Kubernetes cluster. In this multi-org per cluster configuration, both orgs use and share the same Cassandra ring. Each org can have multiple environments and environment groups configured.

Warning:A multi-org per cluster configuration is supported with specificlimitations. Until these limitations are mitigated, we do not recommend that you use this configuration.Note: If you are already using multi-org clusters and would like to migrate the orgs to single org clusters, see Migrating an org to another cluster.

Limitations

A multi-org per cluster configuration is supported with the following limitations.Until these limitations are mitigated, we do not recommend that you use this configuration.

Note: The maximum number of orgs that you can add to a single cluster is limited. SeeLimits for details.

• If you are going to have multiple Apigee hybrid instances, each instance should have its own cluster. Multiple Apigee hybrid instances running on the same kubernetes cluster can lead to issues of instability potentially causing downtime.
• Pod metrics are only sent to the first Google Cloud project that was configured. This limitation is most apparent in the Cloud Monitoring tool. It only affects cluster metrics; API analytics are not affected. The metrics for the other Apigee orgs will not be sent to the matching Google Cloud project.
• All logging from the pods are sent to the first Google Cloud project that was configured. This limitation is most apparent in the Cloud Logging tool. The logs for the other Apigee orgs will not be sent to the matching Google Cloud project. Logs are still captured at the pod level and can be retrieved withkubectl commands. However, they are not sent to the correct Cloud project through Cloud Logging.
• You cannot delete org data in the Cassandra database for just one org. This means that you cannot remove orgs selectively. Any modification to the database configuration affects all orgs that are deployed to that cluster.
• The hybrid upgrade procedure upgrades the entire cluster all at once.
• Backup and restore is done as a cluster, and cannot be done for a specific org.
• The Apigee API Monitoring feature (Timeline, Recent, Investigate) only works for the first org that was configured and deployed. It will not work for the other orgs in a multi-org cluster.

Multi-org options

This section describes how Apigee Support handles existing multi-org clusters and recommendations for future deployments:

• If you have existing multi-org Kubernetes clusters deployed in non-production and production contexts, Apigee Support will continue to support them. However, note the technical limitations outlinedin the next section. We recommend that youchange any future production deployments to use one Apigee org per cluster.
• If you have existing multi-org clusters in non-production contexts, Apigee Support will continue to support them. We recommend that you migrate any production clusters to a new configuration that uses one Apigee org per cluster.

Prerequisites

Before continuing, note the following:

• You must have an existing hybrid org with one or more environments installed and configured in an existing Kubernetes cluster. See thehybrid installation instructions.
• When combining multiple orgs in a single cluster, the hybrid versions must all match. Before adding a second org to a cluster, upgrade the existing hybrid installation, if necessary. SeeUpgrading Apigee hybrid.

Create an org to add to the existing cluster

To create the additional org, follow the steps inPart 1: Project and org setup.

Note: If you have an existing org you want to add to your Apigee hybrid installation, you can skip toConfigure the new org.

Configure the new org

In the following steps, you will create a new overrides file and configure it for the new org. Anoverrides.yaml file can only support one org's information. Therefore, you must create a newoverrides.yaml file and apply it to the existing Kubernetes cluster.

1. Create service accounts for use with the new org. SeeCreate service accounts.
2. Make note of the TLS certificate files (.key and.pem) in yourcerts directory. If you need to create them again, you can follow the instructions inCreate TLS certificates.
3. Copy your existingoverrides.yaml to a new file to use as a starting point for configuring your new org. For example:new-overrides.yaml.
4. Edit the new overrides file with the following configurations:

   org:"new-org-name"instanceID:"instance-id"##MustmatchtheinstanceIDofyourexistingorg.k8sCluster:name:"existing-cluster-name"region:"existing-cluster-analytics-region"gcp:projectID:"new-project-id"name:"new-project-id"region:"new-project-default-location"namespace:namespace##mustbethesameforbothnewandexistingorgsvirtualhosts:-name:new-environment-group-namesslCertPath:./certs/cert-file-name#.crtor.pemsslKeyPath:./certs/key-file-name#.keyenvs:-name:new-environment-nameserviceAccountPaths:runtime:./new-service-accounts-directory/new-project-id-apigee-runtime.jsonsynchronizer:./new-service-accounts-directory/new-project-id-apigee-synchronizer.jsonudca:./new-service-accounts-directory/new-project-id-apigee-udca.jsonconnectAgent:serviceAccountPath:./new-service-accounts-directory/new-project-id-apigee-mart.jsonmart:serviceAccountPath:./new-service-accounts-directory/new-project-id-apigee-mart.jsonmetrics:serviceAccountPath:./new-service-accounts-directory/new-project-id-apigee-metrics.jsonwatcher:serviceAccountPath:./new-service-accounts-directory/new-project-id-apigee-watcher.json

   The following table describes each of the property values that you must provide in the overrides file. For more information, seeConfiguration property reference.

   Variable	Description
   new-org-name	The name of your new org.
   instance-id	All orgs in in this cluster must have the same instance ID. Therefore this must match theinstanceID entry in the overrides file for your original org.For multi-region installations, each region requires its own cluster, because individual clusters do not span regions. Therefore, each cluster must have its own unique instance ID shared by every org in the cluster.
   existing-cluster-name	The name of the cluster you are adding this org to. It must match thek8sCluster.name entry in the overrides file for your original cluster.
   existing-cluster-analytics-region	The region where the original cluster is provisioned. It must match thek8sCluster.region entry in the overrides file for your original cluster.
   new-project-id	The project ID of your new project. The project ID and org name are the same.
   new-project-default-location	The analytics region you specified when you created the new org. It does not have to be the same as the region for the existing org.
   namespace	All orgs in the cluster must share the same namespace. Be sure to use the same namespace that was used for the original org. Note that the default namespace isapigee.
   new-environment-group-name	The new environment group you created for the new org.
   cert-file-name and key-file-name	The TLS cert and key files for the cluster that you checked or created instep 1 in this section.
   new-environment-name	The name of the environment you created for the new org.
   new-service-accounts-directory	The directory where the service account key files you created for the new org are located.

Apply the configuration

Apply the new org configuration to your cluster:

1. Do a dry run installation to check for any problems:

   apigeectl apply -foverrides/new-overrides.yaml --org --dry-run=client

   Note: It's a good practice to do a dry run before applying the configuration to determine if there are any issues.
2. If there are no issues, apply the org-level components. This step installs the Cassandra jobs (user and schema), Apigee Connect, Apigee Watcher and MART services:

   apigeectl apply -foverrides/new-overrides.yaml --org

3. Install the environment. This step installs apigee-runtime, synchronizer and UDCA components, per environment:

   apigeectl apply -foverrides/new-overrides.yaml --env ${ENV_NAME} --dry-run=client

   apigeectl apply -foverrides/new-overrides.yaml --env ${ENV_NAME}

   Note: If you have multiple environments in your new org, repeat this step for each environment.
4. Apply the load balancer changes. This step configures the ingress to listen to the new virtual host(s) for the second org:Important: Do not duplicate hostnames/domain names between two orgs, as it can result in unpredictable routing.

   apigeectl apply -foverrides/new-overrides.yaml --settings virtualhosts --dry-run=client

   apigeectl apply -foverrides/new-overrides.yaml --settings virtualhosts

5. Enable synchronizer access for your new org following the steps inEnable Synchronizer access.