How to Install Apigee Envoy Adapter with Envoy in Standalone Mode

1. Install Prerequisites

1.1 Create a Virtual Machine on GCP

Create a CentOS compute instance of type e2-standard-2 in a GCP project that you have access to. Any infrastructure as a service (IaaS) platform would work for this purpose; it does not need to be GCP:

PROJECT_ID=# gcp project id
VM_NAME=$(whoami)-envoy-1
gcloud beta compute --project=${PROJECT_ID} instances create ${VM_NAME} --zone=us-central1-a --machine-type=e2-standard-2 --subnet=default --network-tier=PREMIUM --maintenance-policy=MIGRATE --image=centos-8-v20210122 --image-project=centos-cloud --boot-disk-size=20GB --boot-disk-type=pd-standard --boot-disk-device-name=${VM_NAME} --no-shielded-secure-boot --shielded-vtpm --shielded-integrity-monitoring --reservation-affinity=any

1.2 SSH to the Virtual Machine

SSH to the compute instance through the GCP console UI.

1.3 Install Envoy

1) Install yum-utils and add Envoy yum repository:

sudo yum install -y yum-utils
sudo yum-config-manager --add-repo https://getenvoy.io/linux/centos/tetrate-getenvoy.repo

2) List Envoy distributions available:

yum --showduplicates list getenvoy-envoy | expand

Note: Press 'y' if above command prompts for importing GPG keys.

An example output:

Last metadata expiration check: 0:00:04 ago on Mon 25 Jan 2021 01:36:13 AM UTC.
Installed Packages
getenvoy-envoy.x86_64 1.17.0.p0.g5c801b2-1p72.g28ef262 @tetrate-getenvoy-stable
Available Packages
...
getenvoy-envoy.x86_64 1.15.0.p0.g50ef094-1p67.g2aa564b tetrate-getenvoy-stable
getenvoy-envoy.x86_64 1.15.1.p0.g670a4a6-1p69.ga5345f6 tetrate-getenvoy-stable
getenvoy-envoy.x86_64 1.16.0.p0.g8fb3cb8-1p69.ga5345f6 tetrate-getenvoy-stable
getenvoy-envoy.x86_64 1.16.2.p0.ge98e41a-1p71.gbe6132a tetrate-getenvoy-stable
getenvoy-envoy.x86_64 1.17.0.p0.g5c801b2-1p71.gbe6132a tetrate-getenvoy-stable
getenvoy-envoy.x86_64 1.17.0.p0.g5c801b2-1p72.g28ef262 tetrate-getenvoy-stable

3) Install the latest distribution of Envoy v1.16:

sudo yum install -y getenvoy-envoy-1.16.2.p0.ge98e41a-1p71.gbe6132a

4) Verify Envoy version installed:

envoy --version

An example output:

envoy version: e98e41a8e168af7acae8079fc0cd68155f699aa3/1.16.2/clean-getenvoy-be6132a-envoy/RELEASE/BoringSSL

Reference: https://www.envoyproxy.io/docs/envoy/latest/start/install#install-envoy-on-centos-linux

 

1.4 Install Apigee Envoy Adapter CLI

1) Create a new folder for installing Apigee Envoy Adapter:

sudo mkdir -p /opt/apigee/envoy-adapter 
sudo chown -R $(whoami) /opt/apigee/envoy-adapter 
cd /opt/apigee/envoy-adapter 
export ENVOY_HOME=$(pwd)

2) Download the latest release of the Apigee Remote Service CLI into $ENVOY_HOME. Be sure to grab the correct package for your operating system.
Reference: https://github.com/apigee/apigee-remote-service-cli/releases

sudo yum install -y wget 
wget https://github.com/apigee/apigee-remote-service-cli/releases/download/v2.0.2/apigee-remote-service-cli_2.0.2_linux_64-bit.tar.gz

3) Extract Apigee Remote Service CLI distribution:

mkdir apigee-remote-service-cli/ 
tar -xvf apigee-remote-service-cli_2.0.2_linux_64-bit.tar.gz -C apigee-remote-service-cli/

1.5 Install Apigee Envoy Adapter

1) Download the latest release of the Apigee Remote Service for Envoy into $ENVOY_HOME.

Reference: https://github.com/apigee/apigee-remote-service-envoy/releases

wget https://github.com/apigee/apigee-remote-service-envoy/releases/download/v2.0.2/apigee-remote-service-envoy_2.0.2_linux_64-bit.tar.gz

2) Extract Apigee Remote Service for Envoy distribution:

mkdir apigee-remote-service-envoy/
tar -xvf apigee-remote-service-envoy_2.0.2_linux_64-bit.tar.gz -C apigee-remote-service-envoy/

3) Export the following environment variables, add both paths to the PATH variable, persist them in ~/.bash_profile and source ~/.bash_profile:

# export environment variables:
export APIGEE_ENVOY_CLI_HOME=/opt/apigee/envoy-adapter/apigee-remote-service-cli
export APIGEE_ENVOY_REMOTE_SERVICE_HOME=/opt/apigee/envoy-adapter/apigee-remote-service-envoy
export PATH=$PATH:$APIGEE_ENVOY_CLI_HOME
export PATH=$PATH:$APIGEE_ENVOY_REMOTE_SERVICE_HOME

# add environment variables to ~/.bash_profile
# (the PATH lines use single quotes so that $PATH is resolved at login, not frozen to its current value):
echo "export APIGEE_ENVOY_CLI_HOME=$APIGEE_ENVOY_CLI_HOME" >> ~/.bash_profile
echo "export APIGEE_ENVOY_REMOTE_SERVICE_HOME=$APIGEE_ENVOY_REMOTE_SERVICE_HOME" >> ~/.bash_profile
echo 'export PATH=$PATH:$APIGEE_ENVOY_CLI_HOME' >> ~/.bash_profile
echo 'export PATH=$PATH:$APIGEE_ENVOY_REMOTE_SERVICE_HOME' >> ~/.bash_profile

source ~/.bash_profile

1.6 Verify The Installation

Execute the commands below to verify the Envoy, Apigee Envoy Adapter CLI and Apigee Envoy Adapter installations:

1) Verify Envoy installation:

envoy --version

An example output:

envoy version: e98e41a8e168af7acae8079fc0cd68155f699aa3/1.16.2/clean-getenvoy-be6132a-envoy/RELEASE/BoringSSL

2) Verify Apigee Envoy Adapter CLI installation:

apigee-remote-service-cli version

An example output:

apigee-remote-service-cli version 2.0.2 2021-06-07T15:34:33Z [bca09431c4426302b0822b41ed75ffb3c9b6dff8]
proxy version unknown (specify --hybrid-config OR --runtime to check)

3) Verify Apigee Envoy Adapter installation:

apigee-remote-service-envoy --help

An example output:

Usage: [flags]

Flags:
-a, --analytics-secret string Analytics secret mount point (default "/analytics-secret")
-c, --config string Config file (default "config.yaml")
-h, --help help for this command
-j, --json-log Log as JSON
-l, --log-level string Logging level (default "info")
-p, --policy-secret string Policy secret mount point (default "/policy-secret")

 

2. Initialize Apigee Envoy Adapter

2.1 Set Apigee Edge Cloud Environment Context

Set the Apigee Edge Cloud environment context using the following environment variables:

export ORG=#Edge cloud organization
export ENV=#Edge cloud environment
export USER=#Apigee username
export PASSWORD=#Apigee password

2.2 Initialize Apigee Envoy Adapter

Provision the Apigee Remote Service using the command below; set the MFA value if required:

export TOKEN=$(get_token)
export MFA=#multi-factor authentication (MFA) code
apigee-remote-service-cli provision --legacy --username $USER --token $TOKEN --organization $ORG --environment $ENV --mfa $MFA > config.yaml

# verify generated config.yaml file:
cat config.yaml

Notes:

  • Use the get_token command line utility to generate an Access Token.
  • The MFA code expires within a short time period. If it expires before you execute the apigee-remote-service-cli provision command, update it and re-execute the command above.
  • Use apigee-remote-service-cli provision --help for all available options.

The above command will create and deploy an API proxy with the name "remote-service" in the given Apigee Edge Cloud environment. The generated config.yaml file will be used for configuring Apigee Envoy Adapter (apigee-remote-service-envoy).

2.3 Create an API Product

Log into Apigee Edge Cloud and create an API product with the name “ENVOY-TRAINING” by specifying following values:

  • Select the relevant Edge Cloud environment
  • Add “remote-service” API proxy, "/verifyApiKey" and “/get” paths to it.
    • The "remote-service" API proxy is used by the Apigee Envoy Adapter for communicating with Edge. The "/verifyApiKey" API resource is used for verifying API keys.
    • The https://httpbin.org/get will be used as the target endpoint of the example API proxy created in Envoy. Therefore, the target endpoint path "/get" needs to be allowed in the API product. This will be validated by the Apigee Envoy Adapter.
  • Add “localhost:8080” as a target server hostname under the “Apigee Remote Service Targets” section of the API product.
    • In this tutorial the hostname "localhost" and port 8080 will be used for exposing the HTTP listener in Envoy. Apigee Envoy Adapter will use that information to validate the incoming API requests.

2.4 Create a Developer Application

Create a Developer Application and connect it to the above API product. Export the API Key to an environment variable:

export API_KEY=#value

2.5 Generate Envoy Configuration

1) Generate a sample Envoy configuration file using the Apigee Envoy Adapter CLI command below:

apigee-remote-service-cli samples create --template envoy-1.16 -c ./config.yaml

2) Verify generated Envoy configuration file:

cat samples/envoy-config.yaml

3) Add the following section under the "access_log:" element in the "samples/envoy-config.yaml" file for forwarding access logs to stdout (this is an optional step):

- name: envoy.access_loggers.file
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
    path: /dev/stdout

 

3. Start Envoy and Apigee Envoy Adapter

3.1 Create Terminal Windows

Create two new SSH sessions (terminal windows) using the Google Cloud console UI in addition to the existing one. The next few steps will require 3 terminals:

  1. Starting Envoy
  2. Starting Apigee Envoy Adapter
  3. Sending an API request

3.2 Start Apigee Envoy Adapter

In the first terminal window, start Apigee Envoy Adapter (apigee-remote-service-envoy) by executing the commands below:

cd /opt/apigee/envoy-adapter/
apigee-remote-service-envoy -c config.yaml -l debug

3.3 Start Envoy

In the second terminal window, start Envoy by executing the commands below:

cd /opt/apigee/envoy-adapter/
envoy -c samples/envoy-config.yaml

3.4 Trace Apigee Remote Service API Proxy

Log into the Apigee Edge Cloud UI and start a Trace session in the remote-service API proxy. In this trace session you can see the API requests sent by Apigee Envoy Adapter for listing API products and verifying API keys.

 

4. Verify The Deployment

1) In the third terminal window, send an API request to Envoy using the curl command below:

curl -i http://localhost:8080/get

If everything has worked correctly, an output similar to the following should be seen:

HTTP/1.1 403 Forbidden
date: Wed, 27 Jan 2021 00:08:38 GMT
server: envoy
content-length: 0

2) Export the API Key obtained from the Application and send another API request:

export API_KEY=# api key value
curl -i -H "x-api-key: $API_KEY" http://localhost:8080/get

Now, if the given API key is valid, an output similar to the following should be seen:

HTTP/1.1 200 OK
date: Wed, 27 Jan 2021 00:20:24 GMT
content-type: application/json
content-length: 806
server: envoy
access-control-allow-origin: *
access-control-allow-credentials: true
x-envoy-upstream-service-time: 144
{
  "args": {}, 
  "headers": {
    "Accept": "*/*", 
    "Content-Length": "0", 
    "Host": "localhost", 
    "User-Agent": "curl/7.61.1", 
    "X-Amzn-Trace-Id": "Root=1-6010b1c8-7f1fdbdb2e3218900ffcffdc", 
    "X-Api-Key": "----masked----", 
    "X-Apigee-Accesstoken": "", 
    "X-Apigee-Api": "localhost:8080", 
    "X-Apigee-Apiproducts": "ENVOY-TRAINING", 
    "X-Apigee-Application": "ENVOY-TRAINING", 
    "X-Apigee-Authorized": "true", 
    "X-Apigee-Clientid": "----masked----", 
    "X-Apigee-Developeremail": "----masked----", 
    "X-Apigee-Environment": "test", 
    "X-Apigee-Organization": "----masked----", 
    "X-Apigee-Scope": "", 
    "X-Envoy-Expected-Rq-Timeout-Ms": "15000"
  }, 
  "origin": "35.238.255.139", 
  "url": "https://localhost/get"
}

Check Envoy logs:

[2021-01-27T00:20:23.150Z] "GET /get HTTP/1.1" 200 - 0 806 131 128 "-" "curl/7.61.1" "21fdf6d0-7926-40a0-bde9-96fe6ba06ced" "localhost:8080" "184.72.216.47:443

Check Apigee Envoy Adapter logs:

2021-01-27T00:20:24.440Z        DEBUG   auth/auth.go:98 Authenticate: key: 0btHi..., claims: map[string]interface {}(nil)
2021-01-27T00:20:24.440Z        DEBUG   auth/auth.go:125        using api key from request
2021-01-27T00:20:24.440Z        DEBUG   auth/auth.go:157        Authenticate success: &auth.Context{Context:(*server.Handler)(0xc0001c80c0), ClientID:"0btHi...", AccessToken:"", Application:"ENVOY-TRAINING", APIProducts:[]string{"ENVOY-TRAINING"}, Expires:time.Time{wall:0x0, ext:63747304457, loc:(*time.Location)(0x14a3be0)}, DeveloperEmail:"----masked----", Scopes:[]string{""}, APIKey:"0btHi..."}
2021-01-27T00:20:24.440Z        DEBUG   product/manager.go:89   Authorizing request:
  products: [ENVOY-TRAINING]
  scopes: []
  operation: GET /get
  target: localhost:8080
  - product: ENVOY-TRAINING
    authorized
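
The checks in this section can be scripted so they are repeatable after every configuration change. The script below is an added example, not part of the original article or of the Apigee project; the function names, the GATEWAY_URL variable and the made-up key are assumptions, as is the expectation that an invalid key is rejected with some 4xx status (the article only shows the no-key case).

```bash
#!/usr/bin/env bash
# Added example (not from the original article): scripted form of the
# checks in section 4, plus a negative test with a made-up key.
GATEWAY_URL="${GATEWAY_URL:-http://localhost:8080/get}"  # tutorial's listener

# Print only the HTTP status code for a request to the gateway.
# curl reports 000 when no HTTP response arrived (e.g. Envoy is down).
http_status() {
  curl -s -o /dev/null -m 10 -w '%{http_code}' "$@" "$GATEWAY_URL" || true
}

# check_enforcement VALID_KEY
# Returns 0 only if the gateway rejects anonymous and invalid-key
# requests and accepts the valid key.
check_enforcement() {
  local valid_key failures code
  valid_key="$1"
  failures=0

  # 1) No credentials: the article shows 403 Forbidden.
  code=$(http_status)
  if [ "$code" != "403" ]; then
    echo "FAIL: no API key -> $code (expected 403)"
    failures=$((failures + 1))
  fi

  # 2) Constructed, invalid key: assumed to be rejected with some 4xx.
  code=$(http_status -H "x-api-key: invalid-key-for-negative-test")
  case "$code" in
    4??) ;;
    *) echo "FAIL: invalid API key -> $code (expected 4xx)"
       failures=$((failures + 1)) ;;
  esac

  # 3) Valid key: the article shows 200 OK.
  code=$(http_status -H "x-api-key: $valid_key")
  if [ "$code" != "200" ]; then
    echo "FAIL: valid API key -> $code (expected 200)"
    failures=$((failures + 1))
  fi

  [ "$failures" -eq 0 ]
}

# Runs only when API_KEY is set, as exported in the step above.
if [ -n "${API_KEY:-}" ]; then
  check_enforcement "$API_KEY" && echo "API key enforcement OK"
fi
```

A 200 in case 1 or 2 means requests are reaching the upstream without passing the adapter's check, which is the failure this test exists to catch.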

 

5. References

Comments
Abhijeet1
Staff

Can use following command directly to install envoy package (1.3 Install Envoy)

$ sudo yum install yum-utils
$ sudo rpm --import 'https://rpm.dl.getenvoy.io/public/gpg.CF716AF503183491.key'
$ curl -sL 'https://rpm.dl.getenvoy.io/public/config.rpm.txt?distro=el&codename=7' > /tmp/tetrate-getenvoy-rpm-stable.repo
$ sudo yum-config-manager --add-repo '/tmp/tetrate-getenvoy-rpm-stable.repo'
$ sudo yum makecache --disablerepo='*' --enablerepo='tetrate-getenvoy-rpm-stable'
$ sudo yum install getenvoy-envoy

Last update: 07-13-2021 01:19 AM