@dknezic    @saurabhcbsa  hii 

my overrides.yaml file looks like this

virtualhosts:
  - name: test-env-group
    sslCertPath: ./certs/keystore.pem
    sslKeyPath: ./certs/keystore.key

envs:
  - name: test

so my group name is test-env-group and the environment is test 

@saurabhcbsa hi thanks for quick respond 

so i just would like to highlight something while i have installed asm using custom-overlay.yaml file but while installation i got some error log captured 

Error from server (NotFound): services "istio-ingressgateway" not found

i got this error message but although asm is successfully installed and even I do not have any pod name as ingress gateway or istio-ingress gateway

below is the workload deployment

and here is the service

@saurabhcbsa yes 

but i am not sure where i am doing mistake could you guide me on it or if it good if you have a script only for the cluster and asm apart from that i will do 

@mcdomingo thanks for such a great explanation just would like to ask two more things 😁

1 . In the apigee hybrid 1.7 docs there is also a command as asmcli validate before the installation

./asmcli validate \
  --project_id $PROJECT_ID \
  --cluster_name $CLUSTER_NAME \
  --cluster_location $CLUSTER_LOCATION \
  --fleet_id $FLEET_PROJECT_ID \
  --output_dir $DIR_PATH

so there i am also facing issues like this

asmcli: [ERROR]: The istio-system namespace doesn't exist.
Please create the "istio-system" and retry, or run the script with the
'--enable_namespace_creation' flag to allow the script to enable it on your behalf.
Alternatively, use --enable_all|-e to allow this tool to handle all dependencies.

so when i try to use the flat --enable_all or -e or anything that start with --enable 

it failed and said validation can't run with --enable or -e flag but this flag perfectly run in asmcli install command 

2. )

should I have to use your overlay file or i have to use the custom_overlay.yaml file that is mentioned on the doc of apigee hybrid below shown

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  components:
    ingressGateways:
      - name: istio-ingressgateway
        enabled: true
        k8s:
          nodeSelector:
            # default node selector, if different or not using node selectors, change accordingly.
            cloud.google.com/gke-nodepool: apigee-runtime
          resources:
            requests:
              cpu: 1000m
          readinessProbe:
            initialDelaySeconds: 45
            periodSeconds: 60
          service:
            type: LoadBalancer
            loadBalancerIP: STATIC_IP # If you do not have a reserved static IP, leave this out.
            ports:
              - name: http-status-port
                port: 15021
              - name: http2
                port: 80
                targetPort: 8080
              - name: https
                port: 443
                targetPort: 8443
  meshconfig:
    accessLogFormat:
      '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'

like I have already reserved an external IP so I can use it here 

also i will give it a try with your shared asmcli install command 

Thanks