Create a CentOS compute instance of type e2-standard-2 on GCP in one of the GCP projects that you have access to. Any infrastructure as a service (IaaS) platform works for this purpose; it does not need to be GCP:
PROJECT_ID=# gcp project id
VM_NAME=$(whoami)-envoy-1
gcloud beta compute --project=${PROJECT_ID} instances create ${VM_NAME} \
  --zone=us-central1-a \
  --machine-type=e2-standard-2 \
  --subnet=default \
  --network-tier=PREMIUM \
  --maintenance-policy=MIGRATE \
  --image=centos-8-v20210122 \
  --image-project=centos-cloud \
  --boot-disk-size=20GB \
  --boot-disk-type=pd-standard \
  --boot-disk-device-name=${VM_NAME} \
  --no-shielded-secure-boot \
  --shielded-vtpm \
  --shielded-integrity-monitoring \
  --reservation-affinity=any
SSH to the compute instance through the GCP console UI.
1) Install yum-utils and add Envoy yum repository:
sudo yum install -y yum-utils
sudo yum-config-manager --add-repo https://getenvoy.io/linux/centos/tetrate-getenvoy.repo
2) List Envoy distributions available:
yum --showduplicates list getenvoy-envoy | expand
Note: Press 'y' if the above command prompts you to import GPG keys.
An example output:
Last metadata expiration check: 0:00:04 ago on Mon 25 Jan 2021 01:36:13 AM UTC.
Installed Packages
getenvoy-envoy.x86_64    1.17.0.p0.g5c801b2-1p72.g28ef262    @tetrate-getenvoy-stable
Available Packages
...
getenvoy-envoy.x86_64    1.15.0.p0.g50ef094-1p67.g2aa564b    tetrate-getenvoy-stable
getenvoy-envoy.x86_64    1.15.1.p0.g670a4a6-1p69.ga5345f6    tetrate-getenvoy-stable
getenvoy-envoy.x86_64    1.16.0.p0.g8fb3cb8-1p69.ga5345f6    tetrate-getenvoy-stable
getenvoy-envoy.x86_64    1.16.2.p0.ge98e41a-1p71.gbe6132a    tetrate-getenvoy-stable
getenvoy-envoy.x86_64    1.17.0.p0.g5c801b2-1p71.gbe6132a    tetrate-getenvoy-stable
getenvoy-envoy.x86_64    1.17.0.p0.g5c801b2-1p72.g28ef262    tetrate-getenvoy-stable
3) Install the latest distribution of Envoy v1.16:
sudo yum install -y getenvoy-envoy-1.16.2.p0.ge98e41a-1p71.gbe6132a
4) Verify Envoy version installed:
envoy --version
An example output:
envoy version: e98e41a8e168af7acae8079fc0cd68155f699aa3/1.16.2/clean-getenvoy-be6132a-envoy/RELEASE/BoringSSL
Reference: https://www.envoyproxy.io/docs/envoy/latest/start/install#install-envoy-on-centos-linux
1) Create a new folder for installing Apigee Envoy Adapter:
sudo mkdir -p /opt/apigee/envoy-adapter
sudo chown -R $(whoami) /opt/apigee/envoy-adapter
cd /opt/apigee/envoy-adapter
export ENVOY_HOME=$(pwd)
2) Download the latest release of the Apigee Remote Service CLI into $ENVOY_HOME. Be sure to grab the correct package for your operating system.
Reference: https://github.com/apigee/apigee-remote-service-cli/releases
sudo yum install -y wget
wget https://github.com/apigee/apigee-remote-service-cli/releases/download/v2.0.2/apigee-remote-service-cli_2.0.2_linux_64-bit.tar.gz
3) Extract Apigee Remote Service CLI distribution:
mkdir apigee-remote-service-cli/
tar -xvf apigee-remote-service-cli_2.0.2_linux_64-bit.tar.gz -C apigee-remote-service-cli/
1) Download the latest release of the Apigee Remote Service for Envoy into $ENVOY_HOME.
Reference: https://github.com/apigee/apigee-remote-service-envoy/releases
wget https://github.com/apigee/apigee-remote-service-envoy/releases/download/v2.0.2/apigee-remote-service-envoy_2.0.2_linux_64-bit.tar.gz
2) Extract Apigee Remote Service for Envoy distribution:
mkdir apigee-remote-service-envoy/
tar -xvf apigee-remote-service-envoy_2.0.2_linux_64-bit.tar.gz -C apigee-remote-service-envoy/
3) Export the following environment variables, add their paths to the PATH variable, append them to ~/.bash_profile and source ~/.bash_profile:
# export environment variables:
export APIGEE_ENVOY_CLI_HOME=/opt/apigee/envoy-adapter/apigee-remote-service-cli
export APIGEE_ENVOY_REMOTE_SERVICE_HOME=/opt/apigee/envoy-adapter/apigee-remote-service-envoy
export PATH=$PATH:$APIGEE_ENVOY_CLI_HOME
export PATH=$PATH:$APIGEE_ENVOY_REMOTE_SERVICE_HOME
# add environment variables to ~/.bash_profile:
echo "export APIGEE_ENVOY_CLI_HOME=$APIGEE_ENVOY_CLI_HOME" >> ~/.bash_profile
echo "export APIGEE_ENVOY_REMOTE_SERVICE_HOME=$APIGEE_ENVOY_REMOTE_SERVICE_HOME" >> ~/.bash_profile
# single quotes keep $PATH unexpanded, so it is evaluated at login instead of
# freezing the current session's PATH into the profile:
echo 'export PATH=$PATH:$APIGEE_ENVOY_CLI_HOME' >> ~/.bash_profile
echo 'export PATH=$PATH:$APIGEE_ENVOY_REMOTE_SERVICE_HOME' >> ~/.bash_profile
source ~/.bash_profile
Execute the commands below to verify the Envoy, Apigee Envoy Adapter CLI and Apigee Envoy Adapter installations:
1) Verify Envoy installation:
envoy --version
An example output:
envoy version: e98e41a8e168af7acae8079fc0cd68155f699aa3/1.16.2/clean-getenvoy-be6132a-envoy/RELEASE/BoringSSL
2) Verify Apigee Envoy Adapter CLI installation:
apigee-remote-service-cli version
An example output:
apigee-remote-service-cli version 2.0.2 2021-06-07T15:34:33Z [bca09431c4426302b0822b41ed75ffb3c9b6dff8]
proxy version unknown (specify --hybrid-config OR --runtime to check)
3) Verify Apigee Envoy Adapter installation:
apigee-remote-service-envoy --help
An example output:
Usage:
  [flags]

Flags:
  -a, --analytics-secret string   Analytics secret mount point (default "/analytics-secret")
  -c, --config string             Config file (default "config.yaml")
  -h, --help                      help for this command
  -j, --json-log                  Log as JSON
  -l, --log-level string          Logging level (default "info")
  -p, --policy-secret string      Policy secret mount point (default "/policy-secret")
Set the Apigee Edge Cloud environment context using the following environment variables:
export ORG=#Edge cloud organization
export ENV=#Edge cloud environment
export USER=#Apigee username
export PASSWORD=#Apigee password
Provision the Apigee Remote Service using the commands below; set the MFA value if required:
export TOKEN=$(get_token)
export MFA=#multi-factor authentication (MFA) code
apigee-remote-service-cli provision --legacy --username $USER --token $TOKEN --organization $ORG --environment $ENV --mfa $MFA > config.yaml
# verify generated config.yaml file:
cat config.yaml
Notes:
The above command will create and deploy an API proxy with the name "remote-service" in the given Apigee Edge Cloud environment. The generated config.yaml file will be used for configuring Apigee Envoy Adapter (apigee-remote-service-envoy).
Log into Apigee Edge Cloud and create an API product with the name “ENVOY-TRAINING” by specifying following values:
Create a Developer Application and connect it to the above API product. Export the API Key to an environment variable:
export API_KEY=#value
1) Generate a sample Envoy configuration file using the Apigee Envoy Adapter CLI command below:
apigee-remote-service-cli samples create --template envoy-1.16 -c ./config.yaml
2) Verify generated Envoy configuration file:
cat samples/envoy-config.yaml
3) Add the following section under the "access_log:" element in the "samples/envoy-config.yaml" file to forward access logs to stdout (this is an optional step):
- name: envoy.access_loggers.file
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
    path: /dev/stdout
Create two new SSH sessions (terminal windows) using the Google Cloud console UI in addition to the existing one. The next few steps require 3 terminals:
In the first terminal window, start the Apigee Envoy Adapter (apigee-remote-service-envoy) by executing the commands below:
cd /opt/apigee/envoy-adapter/
apigee-remote-service-envoy -c config.yaml -l debug
In the second terminal window, start Envoy by executing the commands below:
cd /opt/apigee/envoy-adapter/
envoy -c samples/envoy-config.yaml
Log into the Apigee Edge Cloud UI and start a Trace session in the remote-service API proxy. In this trace session you can see the API requests sent by the Apigee Envoy Adapter for listing API products and verifying API keys.
1) In the third terminal window, send an API request to Envoy using the curl command below:
curl -i http://localhost:8080/get
If everything has worked correctly, output similar to the following should be seen:
HTTP/1.1 403 Forbidden
date: Wed, 27 Jan 2021 00:08:38 GMT
server: envoy
content-length: 0
2) Export the API Key obtained from the Application and send another API request:
export API_KEY=# api key value
curl -i -H "x-api-key: $API_KEY" http://localhost:8080/get
Now, if the given API key is valid, output similar to the following should be seen:
HTTP/1.1 200 OK
date: Wed, 27 Jan 2021 00:20:24 GMT
content-type: application/json
content-length: 806
server: envoy
access-control-allow-origin: *
access-control-allow-credentials: true
x-envoy-upstream-service-time: 144

{
  "args": {},
  "headers": {
    "Accept": "*/*",
    "Content-Length": "0",
    "Host": "localhost",
    "User-Agent": "curl/7.61.1",
    "X-Amzn-Trace-Id": "Root=1-6010b1c8-7f1fdbdb2e3218900ffcffdc",
    "X-Api-Key": "----masked----",
    "X-Apigee-Accesstoken": "",
    "X-Apigee-Api": "localhost:8080",
    "X-Apigee-Apiproducts": "ENVOY-TRAINING",
    "X-Apigee-Application": "ENVOY-TRAINING",
    "X-Apigee-Authorized": "true",
    "X-Apigee-Clientid": "----masked----",
    "X-Apigee-Developeremail": "----masked----",
    "X-Apigee-Environment": "test",
    "X-Apigee-Organization": "----masked----",
    "X-Apigee-Scope": "",
    "X-Envoy-Expected-Rq-Timeout-Ms": "15000"
  },
  "origin": "35.238.255.139",
  "url": "https://localhost/get"
}
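The two requests above can be turned into a repeatable check that the gate denies requests without a key and allows them with one. This is an added example, not part of the original page or the Apigee tooling; it assumes Envoy listens on localhost:8080 as in the steps above and that API_KEY is exported, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: smoke test for the API-key gate in front of Envoy.
# Assumption: same listener and header as the curl commands above.
ENVOY_URL="${ENVOY_URL:-http://localhost:8080/get}"

# Read a `curl -i` response on stdin and print the code from its status line.
status_of() {
  awk 'NR == 1 && $1 ~ /^HTTP\// { print $2; exit }'
}

# Map the two observed codes to a verdict.
#   $1 = status without a key, $2 = status with the Developer App key
verdict() {
  case "$1:$2" in
    403:200) echo "OK" ;;            # denied without key, allowed with key
    200:*)   echo "FAIL-OPEN" ;;     # request passed with no credential at all
    403:*)   echo "KEY-REJECTED" ;;  # gate denies, but this key was not accepted
    *)       echo "UNEXPECTED" ;;    # e.g. empty code: Envoy not reachable
  esac
}

# Send one request through Envoy; extra curl arguments (headers) go in "$@".
probe() {
  curl -s -i --max-time 10 "$@" "$ENVOY_URL" | status_of
}

run_check() {
  : "${API_KEY:?export API_KEY first}"
  local no_key with_key
  no_key=$(probe)
  with_key=$(probe -H "x-api-key: $API_KEY")
  echo "without key: ${no_key:-none}, with key: ${with_key:-none}"
  verdict "$no_key" "$with_key"
}

# Run only when asked, so the functions can also be sourced: ./check.sh --run
if [ "${1:-}" = "--run" ]; then
  run_check
fi
```

A FAIL-OPEN verdict means requests reach the upstream without any credential and the Envoy configuration should be reviewed before anything else.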
Check Envoy logs:
[2021-01-27T00:20:23.150Z] "GET /get HTTP/1.1" 200 - 0 806 131 128 "-" "curl/7.61.1" "21fdf6d0-7926-40a0-bde9-96fe6ba06ced" "localhost:8080" "184.72.216.47:443
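The access log line above follows Envoy's default format, in which the field after the status code holds the response flags; Envoy records UAEX there when the external authorization check denies a request. The following added example (not from the original page) counts those denials per method and path; the sample log lines are constructed and the function name is hypothetical.

```shell
#!/usr/bin/env bash
# Added example: summarize requests denied by the external authorization
# check, from Envoy access logs in the default format (read on stdin).

# Constructed sample lines, modelled on the log line shown above.
SAMPLE_LOG='[2021-01-27T00:08:38.101Z] "GET /get HTTP/1.1" 403 UAEX 0 0 3 - "-" "curl/7.61.1" "11111111-1111-4111-8111-111111111111" "localhost:8080" "-"
[2021-01-27T00:08:39.412Z] "GET /get HTTP/1.1" 403 UAEX 0 0 2 - "-" "curl/7.61.1" "22222222-2222-4222-8222-222222222222" "localhost:8080" "-"
[2021-01-27T00:09:02.007Z] "POST /post HTTP/1.1" 403 UAEX 0 0 2 - "-" "curl/7.61.1" "33333333-3333-4333-8333-333333333333" "localhost:8080" "-"
[2021-01-27T00:20:23.150Z] "GET /get HTTP/1.1" 200 - 0 806 131 128 "-" "curl/7.61.1" "44444444-4444-4444-8444-444444444444" "localhost:8080" "184.72.216.47:443"'

# Print "count method path" for every denied request, most frequent first.
denied_summary() {
  awk -F'"' '
    /^\[/ {
      split($2, req, " ")   # GET /get HTTP/1.1      -> method, path
      split($3, num, " ")   # 403 UAEX 0 0 3 -       -> code, response flags
      if (num[1] == "403" && num[2] ~ /UAEX/) {
        denied[req[1] " " req[2]]++
      }
    }
    END { for (k in denied) print denied[k], k }
  ' | LC_ALL=C sort -k1,1nr -k2
}

# Run against the sample when asked: ./denied.sh --demo
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_LOG" | denied_summary
fi
```

With the optional stdout access logger enabled, the same function can read Envoy's output saved to a file, for example `denied_summary < envoy.log`.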
Check Apigee Envoy Adapter logs:
2021-01-27T00:20:24.440Z DEBUG auth/auth.go:98 Authenticate: key: 0btHi..., claims: map[string]interface {}(nil)
2021-01-27T00:20:24.440Z DEBUG auth/auth.go:125 using api key from request
2021-01-27T00:20:24.440Z DEBUG auth/auth.go:157 Authenticate success: &auth.Context{Context:(*server.Handler)(0xc0001c80c0), ClientID:"0btHi...", AccessToken:"", Application:"ENVOY-TRAINING", APIProducts:[]string{"ENVOY-TRAINING"}, Expires:time.Time{wall:0x0, ext:63747304457, loc:(*time.Location)(0x14a3be0)}, DeveloperEmail:"----masked----", Scopes:[]string{""}, APIKey:"0btHi..."}
2021-01-27T00:20:24.440Z DEBUG product/manager.go:89 Authorizing request: products: [ENVOY-TRAINING] scopes: [] operation: GET /get target: localhost:8080 - product: ENVOY-TRAINING authorized
You can use the following commands directly to install the Envoy package (1.3 Install Envoy):
$ sudo yum install yum-utils
$ sudo rpm --import 'https://rpm.dl.getenvoy.io/public/gpg.CF716AF503183491.key'
$ curl -sL 'https://rpm.dl.getenvoy.io/public/config.rpm.txt?distro=el&codename=7' > /tmp/tetrate-getenvoy-rpm-stable.repo
$ sudo yum-config-manager --add-repo '/tmp/tetrate-getenvoy-rpm-stable.repo'
$ sudo yum makecache --disablerepo='*' --enablerepo='tetrate-getenvoy-rpm-stable'
$ sudo yum install getenvoy-envoy