This page describes the steps you must complete before you can install and configure the Apigee APIM Operator for Kubernetes (Preview). To learn more about the benefits of using the APIM Operator, see Apigee APIM Operator for Kubernetes overview.
To get the permissions that you need to set up the resources required to install and use the APIM Operator, ask your administrator to grant you the following IAM roles on the organization:
roles/container.admin
roles/iam.serviceAccountAdmin
roles/networkservices.serviceExtensionsAdmin
roles/compute.instanceAdmin
roles/compute.loadBalancerAdmin
roles/apigee.admin
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Before you install the APIM Operator, make sure to complete the following tasks to set up the resources you need to use the feature:
Provision an Apigee instance using version 1-14-0-apigee-4 or later.
You can view instance versions in the Instance details page of the Apigee UI in Google Cloud console. Go to the Instances page in the Google Cloud console to select an instance and view its details.
You can use APIM Operator with a Subscription or Pay-as-you-go Apigee organization. For more details about provisioning paid Apigee instances, see Before you begin.
Install the Google Cloud CLI.
After the Google Cloud CLI is installed, run the gcloud components update command to get the latest gcloud components.
Install the kubectl command-line tool.
Create a GKE cluster with Workload Identity Federation for GKE and GKE Gateway enabled.
Workload Identity Federation for GKE is enabled by default when using Autopilot mode to create and manage your clusters. For more information, see Autopilot overview.
For the steps required to create a new cluster with Workload Identity Federation for GKE and GKE Gateway enabled using Autopilot, see Deploying Gateways.
You can choose to configure and deploy an internal Gateway or an external Gateway to use with APIM Operator. If you choose to deploy an internal Gateway, a proxy-only subnet and shared VPC are required. For the purposes of this guide, we recommend that you deploy an external Gateway. For more information, see GKE Gateway controller requirements.
To deploy the GKE Gateway, use the steps outlined in Deploy an external Gateway. When you create the Gateway, use the following yaml configuration:
# gateway.yaml
kind: Gateway
apiVersion: gateway.networking.k8s.io/v1beta1
metadata:
  name: global-ext-lb1
  namespace: default
spec:
  gatewayClassName: gke-l7-global-external-managed
  listeners:
  - name: http
    protocol: HTTP
    allowedRoutes:
      kinds:
      - kind: HTTPRoute
      namespaces:
        from: All
    port: 80
Apply the file to your cluster:
kubectl apply -f gateway.yaml
To deploy the backend application exposed by the global-ext-lb1 Gateway you created and deployed:
Create a file named target.yaml with the following content:
# target.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: http
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: httpbin
  namespace: http
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  namespace: http
  labels:
    app: httpbin
    service: httpbin
spec:
  type: LoadBalancer
  ports:
  - name: https
    port: 80
    targetPort: 80
  selector:
    app: httpbin
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
  namespace: http
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
      version: v1
  template:
    metadata:
      labels:
        app: httpbin
        version: v1
    spec:
      serviceAccountName: httpbin
      containers:
      - image: docker.io/kennethreitz/httpbin
        imagePullPolicy: IfNotPresent
        name: httpbin
        ports:
        - containerPort: 80
        resources:
          requests:
            cpu: 1
            memory: 1024Mi
          limits:
            cpu: 1
            memory: 1024Mi
Apply the file to your cluster:
kubectl apply -f target.yaml
For more information on deploying backend applications to GKE clusters, see Deploy the demo applications.
For more information on the HTTPRoute resource, see Deploy the HTTPRoute (for internal Gateways) or Create an HTTPRoute (for external Gateways).
For the purposes of this guide, we recommend that you deploy an external Gateway and HTTPRoute, following the steps in Create an HTTPRoute. When you create the HTTPRoute, use the following yaml configuration:
# httproute.yaml
kind: HTTPRoute
apiVersion: gateway.networking.k8s.io/v1beta1
metadata:
  name: http-bin-route
  namespace: http
spec:
  parentRefs:
  - kind: Gateway
    name: global-ext-lb1
    namespace: default
  hostnames:
  - apigee-apim-operator-test.apigee.net
  rules:
  - matches:
    - path:
        value: /
    backendRefs:
    - name: httpbin
      kind: Service
      port: 80
      namespace: http
Apply the file to your cluster:
kubectl apply -f httproute.yaml
kubectl get gateway global-ext-lb1
The output should appear similar to the following:
NAME             CLASS                            ADDRESS        PROGRAMMED   AGE
global-ext-lb1   gke-l7-global-external-managed   34.54.193.72   True         11d
Confirm that an IP address is assigned to the Gateway and that the value of PROGRAMMED is True.
kubectl describe gateway global-ext-lb1
The output should look similar to the following:
...
Listeners:
  Attached Routes:  1
  Conditions:
    Last Transition Time:  2024-10-03T03:10:17Z
...
Confirm that the value of Attached Routes is 1, indicating that the route is attached.
curl http://GATEWAY_IP_ADDRESS/get \
  -H "Host: HOST_NAME"
Where:
GATEWAY_IP_ADDRESS is the IP address of the Gateway. You can retrieve the Gateway IP address using the following command, where GATEWAY_NAME is the name of the Gateway:
kubectl get gateways.gateway.networking.k8s.io GATEWAY_NAME -o=jsonpath="{.status.addresses[0].value}"
HOST_NAME is the hostname defined in the Gateway's HTTPRoute. You can retrieve the HOST_NAME using the following command:
kubectl get HTTPRoute HTTPROUTE_NAME -n NAMESPACE
For example:
curl http://34.54.193.72/get \
  -H "Host: apigee-apim-operator-test.apigee.net"
The response should appear similar to the following:
{
  "args": {},
  "headers": {
    "Accept": "*/*",
    "Host": "apigee-apim-operator-test.apigee.net",
    "User-Agent": "curl/8.7.1",
    "X-Cloud-Trace-Context": "2bb8a80e29e80662ff9cb89971c447d9/13083106619927322701"
  },
  "origin": "67.164.1.10,34.54.193.72",
  "url": "http://apigee-apim-operator-test.apigee.net/get"
}
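The Gateway checks described above (address assigned, PROGRAMMED is True, Attached Routes is 1) can be scripted against the output of kubectl get gateway global-ext-lb1 -o json. The following is an added example, not part of the original page or the Apigee project: check_gateway and the embedded sample JSON are constructed for illustration, and the function also reports two exposure properties of the listener in gateway.yaml (plaintext HTTP, routes accepted from all namespaces).

```python
import json

# Constructed sample of `kubectl get gateway global-ext-lb1 -o json`, trimmed
# to the fields checked below (not captured from a real cluster).
SAMPLE_GATEWAY_JSON = """
{
  "metadata": {"name": "global-ext-lb1", "namespace": "default"},
  "spec": {"listeners": [{"name": "http", "protocol": "HTTP", "port": 80,
    "allowedRoutes": {"namespaces": {"from": "All"}}}]},
  "status": {
    "addresses": [{"type": "IPAddress", "value": "34.54.193.72"}],
    "conditions": [{"type": "Programmed", "status": "True"}],
    "listeners": [{"name": "http", "attachedRoutes": 1}]
  }
}
"""

def check_gateway(gw, expected_routes=1):
    """Return (ready, findings) for one parsed Gateway object."""
    findings = []
    status = gw.get("status", {})
    # Readiness checks from the page: address, PROGRAMMED, attached routes.
    if not [a for a in status.get("addresses", []) if a.get("value")]:
        findings.append("no address assigned")
    programmed = [c for c in status.get("conditions", [])
                  if c.get("type") == "Programmed"]
    if not programmed or programmed[0].get("status") != "True":
        findings.append("Programmed condition is not True")
    attached = sum(l.get("attachedRoutes", 0) for l in status.get("listeners", []))
    if attached != expected_routes:
        # More routes than expected matters when any namespace may attach one.
        findings.append(f"expected {expected_routes} attached route(s), found {attached}")
    ready = not findings
    # Exposure notes: they do not affect readiness but are worth reviewing.
    for l in gw.get("spec", {}).get("listeners", []):
        if l.get("protocol") == "HTTP":
            findings.append(f"listener {l['name']}: plaintext HTTP on port {l.get('port')}")
        # Gateway API defaults allowedRoutes.namespaces.from to "Same".
        scope = l.get("allowedRoutes", {}).get("namespaces", {}).get("from", "Same")
        if scope == "All":
            findings.append(f"listener {l['name']}: accepts routes from all namespaces")
    return ready, findings

if __name__ == "__main__":
    ready, findings = check_gateway(json.loads(SAMPLE_GATEWAY_JSON))
    print("ready:", ready)
    for finding in findings:
        print(" -", finding)
```

Against a live cluster, pass the parsed output of kubectl get gateway global-ext-lb1 -o json to check_gateway in place of the constructed sample.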
Learn how to Install the APIM Operator.
Last updated 2025-04-24 UTC.