In this step, you will use Helm to install the following Apigee hybrid components:
You will install the charts for each environment one at a time. The sequence in which you install the components matters.
Apigee hybrid uses Helm guardrails to verify the configuration before installing or upgrading a chart. You may see guardrail-specific information in the output of each of the commands in this section, for example:
# Source: apigee-operator/templates/apigee-operators-guardrails.yaml
apiVersion: v1
kind: Pod
metadata:
  name: apigee-hybrid-helm-guardrail-operator
  namespace: APIGEE_NAMESPACE
  annotations:
    helm.sh/hook: pre-install,pre-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    app: apigee-hybrid-helm-guardrail
If any of the helm upgrade commands fail, you can use the guardrails output to help
diagnose the cause. See Diagnosing issues with guardrails.
--dry-run=server at the end of
the command. See helm install --h to list supported commands, options,
and usage.
Select the installation instructions for the service account authentication type in your hybrid installation:
APIGEE_HELM_CHARTS_HOME directory. Run the
following commands from that directory.
helm upgrade operator apigee-operator/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server
helm upgrade operator apigee-operator/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml
Verify Apigee Operator installation:
helm ls -n APIGEE_NAMESPACE
NAME       NAMESPACE   REVISION   UPDATED                                STATUS     CHART                    APP VERSION
operator   apigee      3          2025-06-26 00:42:44.492009 -0800 PST   deployed   apigee-operator-1.16.5   1.16.5
Verify it is up and running by checking its availability:
kubectl -n APIGEE_NAMESPACE get deploy apigee-controller-manager
NAME                        READY   UP-TO-DATE   AVAILABLE   AGE
apigee-controller-manager   1/1     1            1           34s
Install Apigee datastore:
helm upgrade datastore apigee-datastore/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server
Install the chart:
helm upgrade datastore apigee-datastore/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml
Verify apigeedatastore is up and running by checking its state before
proceeding to the next step:
kubectl -n APIGEE_NAMESPACE get apigeedatastore default
NAME      STATE     AGE
default   running   51s
Install Apigee telemetry:
helm upgrade telemetry apigee-telemetry/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server
Install the chart:
helm upgrade telemetry apigee-telemetry/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml
Verify it is up and running by checking its state:
kubectl -n APIGEE_NAMESPACE get apigeetelemetry apigee-telemetry
NAME               STATE     AGE
apigee-telemetry   running   55s
Install Apigee Redis:
Dry run:
helm upgrade redis apigee-redis/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server
Install the chart:
helm upgrade redis apigee-redis/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml
Verify it is up and running by checking its state:
kubectl -n APIGEE_NAMESPACE get apigeeredis default
NAME      STATE     AGE
default   running   79s
Install Apigee ingress manager:
Dry run:
helm upgrade ingress-manager apigee-ingress-manager/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server
Install the chart:
helm upgrade ingress-manager apigee-ingress-manager/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml
Verify it is up and running by checking its availability:
kubectl -n APIGEE_NAMESPACE get deployment apigee-ingressgateway-manager
NAME                            READY   UP-TO-DATE   AVAILABLE   AGE
apigee-ingressgateway-manager   2/2     2            2           16s
Install Apigee organization. If you have set the $ORG_NAME environment variable in your shell, you can use that in the following commands:
Dry run:
helm upgrade $ORG_NAME apigee-org/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server
Install the chart:
helm upgrade $ORG_NAME apigee-org/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml
Verify it is up and running by checking the state of the respective org:
kubectl -n APIGEE_NAMESPACE get apigeeorg
NAME                 STATE     AGE
my-project-123abcd   running   4m18s
Install the environment.
You must install one environment at a time. Specify the environment with
--set env=ENV_NAME. If you have set the
$ENV_NAME environment variable in your shell, you can use that in the
following commands:
Dry run:
helm upgrade ENV_RELEASE_NAME apigee-env/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  --set env=$ENV_NAME \
  -f overrides.yaml \
  --dry-run=server
ENV_RELEASE_NAME is a name used to keep track of installation and upgrades of the
apigee-env chart. This name must be unique from the other Helm release names in your installation.
Usually this is the same as ENV_NAME. However, if your environment has the same name
as your environment group, you must use different release names for the environment and environment group,
for example dev-env-release and dev-envgroup-release. For more information on releases
in Helm, see Three big concepts in the
Helm documentation.
Install the chart:
helm upgrade ENV_RELEASE_NAME apigee-env/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  --set env=$ENV_NAME \
  -f overrides.yaml
Verify it is up and running by checking the state of the respective env:
kubectl -n APIGEE_NAMESPACE get apigeeenv
NAME                       STATE     AGE    GATEWAYTYPE
apigee-my-project-my-env   running   3m1s
virtualhosts).
--set envgroup=ENV_GROUP. If you have set the
$ENV_GROUP environment variable in your shell, you can use that in the
following commands. Repeat the following
commands for each env group mentioned in your overrides.yaml file:
Dry run:
helm upgrade ENV_GROUP_RELEASE_NAME apigee-virtualhost/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  --set envgroup=$ENV_GROUP \
  -f overrides.yaml \
  --dry-run=server
ENV_GROUP_RELEASE_NAME is a name used to keep track of installation and upgrades of the
apigee-virtualhosts chart. This name must be unique from the other Helm release names in your
installation. Usually this is the same as ENV_GROUP. However, if your environment group
has the same name as an environment in your installation, you must use different release names for the
environment group and environment, for example dev-envgroup-release and dev-env-release.
For more information on releases in Helm, see
Three big concepts in the Helm documentation.
Install the chart:
helm upgrade ENV_GROUP_RELEASE_NAME apigee-virtualhost/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  --set envgroup=$ENV_GROUP \
  -f overrides.yaml
Installing the virtualhosts
creates ApigeeRouteConfig (ARC) which internally creates
ApigeeRoute (AR) once the Apigee watcher pulls env group related
details from the control plane. Therefore, check that the corresponding
AR's state is running:
kubectl -n APIGEE_NAMESPACE get arc
NAME                     STATE   AGE
apigee-org1-dev-egroup           2m
kubectl -n APIGEE_NAMESPACE get ar
NAME                                                         STATE     AGE
apigee-ingressgateway-internal-chaining-my-project-123abcd   running   19m
my-project-myenvgroup-000-321dcba                            running   2m30s
APIGEE_HELM_CHARTS_HOME directory. Run the
following commands from that directory.
helm upgrade operator apigee-operator/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server
helm upgrade operator apigee-operator/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml
Verify Apigee Operator installation:
helm ls -n APIGEE_NAMESPACE
NAME       NAMESPACE   REVISION   UPDATED                                STATUS     CHART                    APP VERSION
operator   apigee      3          2025-06-26 00:42:44.492009 -0800 PST   deployed   apigee-operator-1.16.5   1.16.5
Verify it is up and running by checking its availability:
kubectl -n APIGEE_NAMESPACE get deploy apigee-controller-manager
NAME                        READY   UP-TO-DATE   AVAILABLE   AGE
apigee-controller-manager   1/1     1            1           34s
Install Apigee datastore:
helm upgrade datastore apigee-datastore/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server
Set up the service account bindings for Cassandra for Workload Identity Federation for GKE:
The output from the helm upgrade command should have contained commands in the NOTES section. Follow those commands to set up the service account bindings. There should be two commands in the form of:
gcloud iam service-accounts add-iam-policy-binding CASSANDRA_SERVICE_ACCOUNT_EMAIL \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-cassandra-default]" \
  --project PROJECT_ID
gcloud iam service-accounts add-iam-policy-binding NON_PROD_SERVICE_ACCOUNT_EMAIL \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-cassandra-default]" \
  --project PROJECT_ID
And:
kubectl annotate serviceaccount apigee-cassandra-default \
  iam.gke.io/gcp-service-account=CASSANDRA_SERVICE_ACCOUNT_EMAIL \
  --namespace APIGEE_NAMESPACE
kubectl annotate serviceaccount apigee-cassandra-default \
  iam.gke.io/gcp-service-account=NON_PROD_SERVICE_ACCOUNT_EMAIL \
  --namespace APIGEE_NAMESPACE
For example:
NOTES:
For Cassandra backup GKE Workload Identity, please make sure to add the following membership to the IAM policy binding using the respective kubernetes SA (KSA).
gcloud iam service-accounts add-iam-policy-binding apigee-cassandra@my-project.iam.gserviceaccount.com \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:my-project.svc.id.goog[apigee/apigee-cassandra-default]" \
--project my-project
kubectl annotate serviceaccount apigee-cassandra-default \
iam.gke.io/gcp-service-account=apigee-cassandra@my-project.iam.gserviceaccount.com \
--namespace apigee
NOTES:
For Cassandra backup GKE Workload Identity, please make sure to add the following membership to the IAM policy binding using the respective kubernetes SA (KSA).
gcloud iam service-accounts add-iam-policy-binding apigee-non-prod@my-project.iam.gserviceaccount.com \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:my-project.svc.id.goog[apigee/apigee-cassandra-default]" \
--project my-project
kubectl annotate serviceaccount apigee-cassandra-default \
iam.gke.io/gcp-service-account=apigee-non-prod@my-project.iam.gserviceaccount.com \
--namespace apigee
Optional: If you do not want to set up Cassandra backup at this time, edit your overrides file to remove or comment out the cassandra.backup stanza before running the helm upgrade command without the --dry-run flag. See Cassandra backup and restore for more information about configuring Cassandra backup.
Install the chart:
helm upgrade datastore apigee-datastore/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml
Verify apigeedatastore is up and running by checking its state before
proceeding to the next step:
kubectl -n APIGEE_NAMESPACE get apigeedatastore default
NAME      STATE     AGE
default   running   51s
Install Apigee telemetry:
helm upgrade telemetry apigee-telemetry/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server
Set up the service account bindings for Logger and Metrics for Workload Identity Federation for GKE:
The output from the helm upgrade command should have contained commands in the NOTES section. Follow those commands to set up the service account bindings. There should be two commands in the form of:
Logger KSA: apigee-logger-apigee-telemetry
gcloud iam service-accounts add-iam-policy-binding LOGGER_SERVICE_ACCOUNT_EMAIL \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-logger-apigee-telemetry]" \
  --project PROJECT_ID
Metrics KSA: apigee-metrics-sa
gcloud iam service-accounts add-iam-policy-binding METRICS_SERVICE_ACCOUNT_EMAIL \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-metrics-sa]" \
  --project PROJECT_ID
gcloud iam service-accounts add-iam-policy-binding NON_PROD_SERVICE_ACCOUNT_EMAIL \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-metrics-sa]" \
  --project PROJECT_ID
For example:
NOTES:
For GKE Workload Identity, please make sure to add the following membership to the IAM policy binding using the respective kubernetes SA (KSA).
Logger KSA: apigee-logger-apigee-telemetry
gcloud iam service-accounts add-iam-policy-binding apigee-logger@my-project.iam.gserviceaccount.com \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:my-project.svc.id.goog[apigee/apigee-logger-apigee-telemetry]" \
--project my-project
Metrics KSA: apigee-metrics-sa
gcloud iam service-accounts add-iam-policy-binding apigee-metrics@my-project.iam.gserviceaccount.com \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:my-project.svc.id.goog[apigee/apigee-metrics-sa]" \
--project my-project
NOTES:
For GKE Workload Identity, please make sure to add the following membership to the IAM policy binding using the respective kubernetes SA (KSA).
Logger KSA: apigee-logger-apigee-telemetry
gcloud iam service-accounts add-iam-policy-binding apigee-non-prod@my-project.iam.gserviceaccount.com \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:my-project.svc.id.goog[apigee/apigee-logger-apigee-telemetry]" \
--project my-project
Metrics KSA: apigee-metrics-sa
gcloud iam service-accounts add-iam-policy-binding apigee-non-prod@my-project.iam.gserviceaccount.com \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:my-project.svc.id.goog[apigee/apigee-metrics-sa]" \
--project my-project
Install the chart:
helm upgrade telemetry apigee-telemetry/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml
Verify it is up and running by checking its state:
kubectl -n APIGEE_NAMESPACE get apigeetelemetry apigee-telemetry
NAME               STATE     AGE
apigee-telemetry   running   55s
Install Apigee Redis:
Dry run:
helm upgrade redis apigee-redis/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server
Install the chart:
helm upgrade redis apigee-redis/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml
Verify it is up and running by checking its state:
kubectl -n APIGEE_NAMESPACE get apigeeredis default
NAME      STATE     AGE
default   running   79s
Install Apigee ingress manager:
Dry run:
helm upgrade ingress-manager apigee-ingress-manager/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server
Install the chart:
helm upgrade ingress-manager apigee-ingress-manager/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml
Verify it is up and running by checking its availability:
kubectl -n APIGEE_NAMESPACE get deployment apigee-ingressgateway-manager
NAME                            READY   UP-TO-DATE   AVAILABLE   AGE
apigee-ingressgateway-manager   2/2     2            2           16s
Install Apigee organization. If you have set the $ORG_NAME environment variable in your shell, you can use that in the following commands:
Dry run:
helm upgrade $ORG_NAME apigee-org/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server
Set up the service account bindings for org-scoped components for Workload Identity Federation for GKE, MART, Apigee Connect, UDCA, and Watcher.
The output from the helm upgrade command should have contained commands in the NOTES section. Follow those commands to set up the service account bindings. There should be four commands.
MART KSA: apigee-mart-PROJECT_ID-ORG_HASH_ID-sa
gcloud iam service-accounts add-iam-policy-binding MART_SERVICE_ACCOUNT_EMAIL \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-mart-PROJECT_ID-ORG_HASH_ID-sa]" \
  --project PROJECT_ID
gcloud iam service-accounts add-iam-policy-binding NON_PROD_SERVICE_ACCOUNT_EMAIL \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-mart-PROJECT_ID-ORG_HASH_ID-sa]" \
  --project PROJECT_ID
Connect Agent KSA: apigee-connect-agent-PROJECT_ID-ORG_HASH_ID-sa
gcloud iam service-accounts add-iam-policy-binding MART_SERVICE_ACCOUNT_EMAIL \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-connect-agent-PROJECT_ID-ORG_HASH_ID-sa]" \
  --project PROJECT_ID
gcloud iam service-accounts add-iam-policy-binding NON_PROD_SERVICE_ACCOUNT_EMAIL \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-connect-agent-PROJECT_ID-ORG_HASH_ID-sa]" \
  --project PROJECT_ID
Mint Task Scheduler KSA: (If you are using Monetization for Apigee hybrid) apigee-mint-task-scheduler-PROJECT_ID-ORG_HASH_ID-sa
gcloud iam service-accounts add-iam-policy-binding MINT_TASK_SCHEDULER_SERVICE_ACCOUNT_EMAIL \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-mint-task-scheduler-PROJECT_ID-ORG_HASH_ID-sa]" \
  --project PROJECT_ID
gcloud iam service-accounts add-iam-policy-binding NON_PROD_SERVICE_ACCOUNT_EMAIL \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-mint-task-scheduler-PROJECT_ID-ORG_HASH_ID-sa]" \
  --project PROJECT_ID
UDCA KSA: apigee-udca-PROJECT_ID-ORG_HASH_ID-sa
gcloud iam service-accounts add-iam-policy-binding UDCA_SERVICE_ACCOUNT_EMAIL \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-udca-PROJECT_ID-ORG_HASH_ID-sa]" \
  --project PROJECT_ID
gcloud iam service-accounts add-iam-policy-binding NON_PROD_SERVICE_ACCOUNT_EMAIL \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-udca-PROJECT_ID-ORG_HASH_ID-sa]" \
  --project PROJECT_ID
Watcher KSA: apigee-watcher-PROJECT_ID-ORG_HASH_ID-sa
gcloud iam service-accounts add-iam-policy-binding WATCHER_SERVICE_ACCOUNT_EMAIL \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-watcher-PROJECT_ID-ORG_HASH_ID-sa]" \
  --project PROJECT_ID
gcloud iam service-accounts add-iam-policy-binding NON_PROD_SERVICE_ACCOUNT_EMAIL \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-watcher-PROJECT_ID-ORG_HASH_ID-sa]" \
  --project PROJECT_ID
For example:
NOTES:
For Apigee Organization GKE Workload Identity, my-project, please make sure to add the following membership to the IAM policy binding using the respective kubernetes SA (KSA).
MART KSA: apigee-mart-my-project-1a2b3c4-sa
gcloud iam service-accounts add-iam-policy-binding apigee-mart@my-project.iam.gserviceaccount.com \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:my-project.svc.id.goog[apigee/apigee-mart-my-project-1a2b3c4-sa]" \
--project my-project
Connect Agent KSA: apigee-connect-agent-my-project-1a2b3c4-sa
gcloud iam service-accounts add-iam-policy-binding apigee-mart@my-project.iam.gserviceaccount.com \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:my-project.svc.id.goog[apigee/apigee-connect-agent-my-project-1a2b3c4-sa]" \
--project my-project
Mint task scheduler KSA: apigee-mint-task-scheduler-my-project-1a2b3c4-sa
gcloud iam service-accounts add-iam-policy-binding apigee-mint-task-scheduler@my-project.iam.gserviceaccount.com \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:my-project.svc.id.goog[apigee/apigee-mint-task-scheduler-my-project-1a2b3c4-sa]" \
--project my-project
UDCA KSA: apigee-udca-my-project-1a2b3c4-sa
gcloud iam service-accounts add-iam-policy-binding apigee-udca@my-project.iam.gserviceaccount.com \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:my-project.svc.id.goog[apigee/apigee-udca-my-project-1a2b3c4-sa]" \
--project my-project
Watcher KSA: apigee-watcher-my-project-1a2b3c4-sa
gcloud iam service-accounts add-iam-policy-binding apigee-watcher@my-project.iam.gserviceaccount.com \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:my-project.svc.id.goog[apigee/apigee-watcher-my-project-1a2b3c4-sa]" \
--project my-project
NOTES:
For Apigee Organization GKE Workload Identity, my-project, please make sure to add the following membership to the IAM policy binding using the respective kubernetes SA (KSA).
MART KSA: apigee-mart-my-project-1a2b3c4-sa
gcloud iam service-accounts add-iam-policy-binding apigee-non-prod@my-project.iam.gserviceaccount.com \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:my-project.svc.id.goog[apigee/apigee-mart-my-project-1a2b3c4-sa]" \
--project my-project
Connect Agent KSA: apigee-connect-agent-my-project-1a2b3c4-sa
gcloud iam service-accounts add-iam-policy-binding apigee-non-prod@my-project.iam.gserviceaccount.com \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:my-project.svc.id.goog[apigee/apigee-connect-agent-my-project-1a2b3c4-sa]" \
--project my-project
UDCA KSA: apigee-udca-my-project-1a2b3c4-sa
gcloud iam service-accounts add-iam-policy-binding apigee-non-prod@my-project.iam.gserviceaccount.com \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:my-project.svc.id.goog[apigee/apigee-udca-my-project-1a2b3c4-sa]" \
--project my-project
Watcher KSA: apigee-watcher-my-project-1a2b3c4-sa
gcloud iam service-accounts add-iam-policy-binding apigee-non-prod@my-project.iam.gserviceaccount.com \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:my-project.svc.id.goog[apigee/apigee-watcher-my-project-1a2b3c4-sa]" \
--project my-project
Install the chart:
helm upgrade $ORG_NAME apigee-org/ \
--install \
--namespace APIGEE_NAMESPACE \
--atomic \
-f overrides.yaml
Verify it is up and running by checking the state of the respective org:
kubectl -n APIGEE_NAMESPACE get apigeeorg
NAME                 STATE     AGE
my-project-123abcd   running   4m18s
Install the environment.
You must install one environment at a time. Specify the environment with
--set env=ENV_NAME. If you have set the
$ENV_NAME environment variable in your shell, you can use that in the
following commands:
Dry run:
helm upgrade ENV_RELEASE_NAME apigee-env/ \
--install \
--namespace APIGEE_NAMESPACE \
--atomic \
--set env=$ENV_NAME \
-f overrides.yaml \
--dry-run=server
ENV_RELEASE_NAME is a name used to keep track of installation and upgrades of the
apigee-env chart. This name must be unique from the other Helm release names in your installation.
Usually this is the same as ENV_NAME. However, if your environment has the same name
as your environment group, you must use different release names for the environment and environment group,
for example dev-env-release and dev-envgroup-release. For more information on releases
in Helm, see Three big concepts in the
Helm documentation.
Set up the service account bindings for the env-scoped components (Runtime, Synchronizer, and UDCA) for Workload Identity Federation for GKE.
The output from the helm upgrade command should have contained commands in the NOTES section. Follow those commands to set up the service account bindings. There should be four commands.
Runtime KSA: apigee-runtime-PROJECT_ID-ENV_NAME-ENV_HASH_ID-sa
gcloud iam service-accounts add-iam-policy-binding RUNTIME_SERVICE_ACCOUNT_EMAIL \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-runtime-PROJECT_ID-ENV_NAME-ENV_HASH_ID-sa]" \
--project PROJECT_ID
gcloud iam service-accounts add-iam-policy-binding NON_PROD_SERVICE_ACCOUNT_EMAIL \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-runtime-PROJECT_ID-ENV_NAME-ENV_HASH_ID-sa]" \
--project PROJECT_ID
Synchronizer KSA: apigee-synchronizer-PROJECT_ID-ENV_NAME-ENV_HASH_ID-sa
gcloud iam service-accounts add-iam-policy-binding SYNCHRONIZER_SERVICE_ACCOUNT_EMAIL \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-synchronizer-PROJECT_ID-ENV_NAME-ENV_HASH_ID-sa]" \
--project PROJECT_ID
gcloud iam service-accounts add-iam-policy-binding NON_PROD_SERVICE_ACCOUNT_EMAIL \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-synchronizer-PROJECT_ID-ENV_NAME-ENV_HASH_ID-sa]" \
--project PROJECT_ID
UDCA KSA: apigee-udca-PROJECT_ID-ORG_HASH_ID-ENV_NAME-ENV_HASH_ID-sa
gcloud iam service-accounts add-iam-policy-binding UDCA_SERVICE_ACCOUNT_EMAIL \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-udca-PROJECT_ID-ENV_NAME-ENV_HASH_ID-sa]" \
--project PROJECT_ID
gcloud iam service-accounts add-iam-policy-binding NON_PROD_SERVICE_ACCOUNT_EMAIL \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:PROJECT_ID.svc.id.goog[apigee/apigee-udca-PROJECT_ID-ENV_NAME-ENV_HASH_ID-sa]" \
--project PROJECT_ID
For example:
NOTES:
For Apigee Environment GKE Workload Identity, my-env, please make sure to add the following membership to the IAM policy binding using the respective kubernetes SA (KSA).
Runtime KSA: apigee-runtime-my-project-my-env-b2c3d4e-sa
gcloud iam service-accounts add-iam-policy-binding apigee-runtime@my-project.iam.gserviceaccount.com \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:my-project.svc.id.goog[apigee/apigee-runtime-my-project-my-env-b2c3d4e-sa]" \
--project my-project
Synchronizer KSA: apigee-synchronizer-my-project-my-env-b2c3d4e-sa
gcloud iam service-accounts add-iam-policy-binding apigee-synchronizer@my-project.iam.gserviceaccount.com \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:my-project.svc.id.goog[apigee/apigee-synchronizer-my-project-my-env-b2c3d4e-sa]" \
--project my-project
UDCA KSA: apigee-udca-my-project-my-env-b2c3d4e-sa:
gcloud iam service-accounts add-iam-policy-binding apigee-udca@my-project.iam.gserviceaccount.com \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:my-project.svc.id.goog[apigee/apigee-udca-my-project-my-env-b2c3d4e-sa]" \
--project my-project
Install the chart:
helm upgrade ENV_RELEASE_NAME apigee-env/ \
--install \
--namespace APIGEE_NAMESPACE \
--atomic \
--set env=$ENV_NAME \
-f overrides.yaml
Verify it is up and running by checking the state of the respective env:
kubectl -n APIGEE_NAMESPACE get apigeeenv
NAME                       STATE     AGE    GATEWAYTYPE
apigee-my-project-my-env   running   3m1s
virtualhosts).
--set envgroup=ENV_GROUP. If you have set the
$ENV_GROUP environment variable in your shell, you can use that in the
following commands. Repeat the following
commands for each env group mentioned in your overrides.yaml file:
Dry run:
helm upgrade ENV_GROUP_RELEASE_NAME apigee-virtualhost/ \
--install \
--namespace APIGEE_NAMESPACE \
--atomic \
--set envgroup=$ENV_GROUP \
-f overrides.yaml \
--dry-run=server
ENV_GROUP_RELEASE_NAME is a name used to keep track of installation and upgrades of the
apigee-virtualhosts chart. This name must be unique from the other Helm release names in your
installation. Usually this is the same as ENV_GROUP. However, if your environment group
has the same name as an environment in your installation, you must use different release names for the
environment group and environment, for example dev-envgroup-release and dev-env-release.
For more information on releases in Helm, see
Three big concepts in the Helm documentation.
Install the chart:
helm upgrade ENV_GROUP_RELEASE_NAME apigee-virtualhost/ \
--install \
--namespace APIGEE_NAMESPACE \
--atomic \
--set envgroup=$ENV_GROUP \
-f overrides.yaml
Installing the virtualhosts
creates ApigeeRouteConfig (ARC) which internally creates
ApigeeRoute (AR) once the Apigee watcher pulls env group related
details from the control plane. Therefore, check that the corresponding
AR's state is running:
kubectl -n APIGEE_NAMESPACE get arc
NAME                     STATE   AGE
apigee-org1-dev-egroup           2m
kubectl -n APIGEE_NAMESPACE get ar
NAME                                                         STATE     AGE
apigee-ingressgateway-internal-chaining-my-project-123abcd   running   19m
my-project-myenvgroup-000-321dcba                            running   2m30s
APIGEE_HELM_CHARTS_HOME directory. Run the
following commands from that directory.
helm upgrade operator apigee-operator/ \
--install \
--namespace APIGEE_NAMESPACE \
--atomic \
-f overrides.yaml \
--dry-run=server
helm upgrade operator apigee-operator/ \
--install \
--namespace APIGEE_NAMESPACE \
--atomic \
-f overrides.yaml
Verify Apigee Operator installation:
helm ls -n APIGEE_NAMESPACE
NAME       NAMESPACE   REVISION   UPDATED                                   STATUS     CHART                    APP VERSION
operator   apigee      3          2025-06-26 00:42:44.492009 -0800 PST      deployed   apigee-operator-1.16.5   1.16.5
Verify it is up and running by checking its availability:
kubectl -n APIGEE_NAMESPACE get deploy apigee-controller-manager
NAME                        READY   UP-TO-DATE   AVAILABLE   AGE
apigee-controller-manager   1/1     1            1           34s
Install Apigee datastore:
helm upgrade datastore apigee-datastore/ \
--install \
--namespace APIGEE_NAMESPACE \
--atomic \
-f overrides.yaml \
--dry-run=server
Install the chart:
helm upgrade datastore apigee-datastore/ \
--install \
--namespace APIGEE_NAMESPACE \
--atomic \
-f overrides.yaml
apigee-cassandra IAM service account.
gcloud iam service-accounts list --project PROJECT_ID | grep "apigee-cassandra"
gcloud iam service-accounts list --project PROJECT_ID | grep "apigee-non-prod"
The output should look similar to the following:
apigee-cassandra apigee-cassandra@my-project.iam.gserviceaccount.com False
apigee-non-prod apigee-non-prod@my-project.iam.gserviceaccount.com False
kubectl get serviceaccount -n APIGEE_NAMESPACE | grep "apigee-cassandra"
The output should look similar to the following:
apigee-cassandra-backup-sa 0 7m37s
apigee-cassandra-default 0 7m12s
apigee-cassandra-guardrails-sa 0 6m43s
apigee-cassandra-restore-sa 0 7m37s
apigee-cassandra-schema-setup-my-project-1a2b2c4 0 7m30s
apigee-cassandra-schema-val-my-project-1a2b2c4 0 7m29s
apigee-cassandra-user-setup-my-project-1a2b2c4 0 7m22s
apigee-cassandra-backup-sa or apigee-cassandra-restore-sa Kubernetes service accounts, grant each of them access to impersonate the apigee-cassandra IAM service account with the following command:
gcloud iam service-accounts add-iam-policy-binding \
CASSANDRA_IAM_SA_EMAIL \
--member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
--role=roles/iam.workloadIdentityUser
gcloud iam service-accounts add-iam-policy-binding \
apigee-cassandra@my-project.iam.gserviceaccount.com \
--member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-cassandra-backup-sa" \
--role=roles/iam.workloadIdentityUser
gcloud iam service-accounts add-iam-policy-binding \
NON_PROD_IAM_SA_EMAIL \
--member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
--role=roles/iam.workloadIdentityUser
gcloud iam service-accounts add-iam-policy-binding \
apigee-non-prod@my-project.iam.gserviceaccount.com \
--member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-cassandra-backup-sa" \
--role=roles/iam.workloadIdentityUser
Where:
CASSANDRA_IAM_SA_EMAIL: the email address of the Cassandra IAM service account.
PROJECT_NUMBER: the project number of the project where you created the workload identity pool.
POOL_ID: the workload identity pool ID.
MAPPED_SUBJECT: the Kubernetes ServiceAccount from the claim in your ID token. In most hybrid installations, this will have the format: system:serviceaccount:APIGEE_NAMESPACE:K8S_SA_NAME.
For apigee-cassandra-backup-sa, this will be something similar to system:serviceaccount:apigee:apigee-cassandra-backup-sa.
For apigee-cassandra-restore-sa, this will be something similar to system:serviceaccount:apigee:apigee-cassandra-restore-sa.
Verify apigeedatastore is up and running by checking its state before
proceeding to the next step:
kubectl -n APIGEE_NAMESPACE get apigeedatastore default
NAME      STATE     AGE
default   running   51s
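A review-time check for the bindings on this page, as an added example (not Apigee's or Google's code): it parses both member forms used here and flags any roles/iam.workloadIdentityUser member that is not one of the KSAs this page binds to that IAM service account. The apigee namespace default, the prefix table (derived from this page's commands) and the sample policy are assumptions constructed for the example.

```python
import re

ROLE = "roles/iam.workloadIdentityUser"

# GKE form used on this page: serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA]
GKE_MEMBER = re.compile(
    r"^serviceAccount:(?P<project>.+?)\.svc\.id\.goog"
    r"\[(?P<ns>[^/\[\]]+)/(?P<ksa>[^/\[\]]+)\]$"
)
# Workload identity pool form used on this page, one mapped subject:
# principal://.../workloadIdentityPools/POOL_ID/subject/system:serviceaccount:NAMESPACE:KSA
WIF_MEMBER = re.compile(
    r"^principal://iam\.googleapis\.com/projects/(?P<number>\d+)/locations/global/"
    r"workloadIdentityPools/(?P<pool>[^/]+)/subject/"
    r"system:serviceaccount:(?P<ns>[^:/]+):(?P<ksa>[^:/]+)$"
)

# KSA names or name prefixes this page binds to each IAM service account.
EXPECTED_KSA_PREFIXES = {
    "apigee-cassandra": ("apigee-cassandra-backup-sa", "apigee-cassandra-restore-sa"),
    "apigee-metrics": ("apigee-metrics-", "apigee-open-telemetry-collector-"),
    "apigee-mart": ("apigee-mart-", "apigee-connect-agent-"),
    "apigee-mint-task-scheduler": ("apigee-mint-task-scheduler-",),
    "apigee-udca": ("apigee-udca-",),
    "apigee-watcher": ("apigee-watcher-",),
    "apigee-runtime": ("apigee-runtime-",),
    "apigee-synchronizer": ("apigee-synchronizer-",),
}
# The single non-prod IAM service account is shared by every component.
EXPECTED_KSA_PREFIXES["apigee-non-prod"] = tuple(
    p for prefixes in EXPECTED_KSA_PREFIXES.values() for p in prefixes
)


def parse_member(member):
    """Return (namespace, ksa) for a single-KSA member, or None for any other form."""
    m = GKE_MEMBER.match(member) or WIF_MEMBER.match(member)
    return (m.group("ns"), m.group("ksa")) if m else None


def audit_policy(iam_sa_email, policy, namespace="apigee"):
    """List (member, reason) for workloadIdentityUser members this page would not create."""
    sa_name = iam_sa_email.split("@", 1)[0]
    allowed = EXPECTED_KSA_PREFIXES.get(sa_name)
    if allowed is None:
        raise ValueError(f"no expected KSAs known for {sa_name}")
    findings = []
    for binding in policy.get("bindings", []):
        if binding.get("role") != ROLE:
            continue  # other roles are out of scope for this check
        for member in binding.get("members", []):
            parsed = parse_member(member)
            if parsed is None:
                # e.g. principalSet:// members, which cover more than one KSA
                findings.append((member, "not a single-KSA member"))
            elif parsed[0] != namespace:
                findings.append((member, "unexpected namespace"))
            elif not parsed[1].startswith(allowed):
                findings.append((member, "KSA not expected for this IAM SA"))
    return findings


# Constructed sample in the shape returned by
# `gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json`.
POOL = "principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool"
SAMPLE_POLICY = {
    "bindings": [
        {
            "role": ROLE,
            "members": [
                "serviceAccount:my-project.svc.id.goog[apigee/apigee-mart-my-project-1a2b3c4-sa]",
                POOL + "/subject/system:serviceaccount:apigee:apigee-connect-agent-my-org-123abcd",
                "serviceAccount:my-project.svc.id.goog[default/apigee-mart-my-project-1a2b3c4-sa]",
                "principalSet://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/*",
                "serviceAccount:my-project.svc.id.goog[apigee/apigee-watcher-my-project-1a2b3c4-sa]",
            ],
        },
        {"role": "roles/iam.serviceAccountTokenCreator", "members": ["user:admin@example.com"]},
    ],
    "version": 1,
}

if __name__ == "__main__":
    email = "apigee-mart@my-project.iam.gserviceaccount.com"
    for member, reason in audit_policy(email, SAMPLE_POLICY):
        print(f"{reason}: {member}")
```

Run it against the policy of each IAM service account after completing the bindings; an empty result means every member is a KSA in the expected namespace with a name this page assigns to that account.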
Install Apigee telemetry:
helm upgrade telemetry apigee-telemetry/ \
--install \
--namespace APIGEE_NAMESPACE \
--atomic \
-f overrides.yaml \
--dry-run=server
Install the chart:
helm upgrade telemetry apigee-telemetry/ \
--install \
--namespace APIGEE_NAMESPACE \
--atomic \
-f overrides.yaml
Verify it is up and running by checking its state:
kubectl -n APIGEE_NAMESPACE get apigeetelemetry apigee-telemetry
NAME               STATE     AGE
apigee-telemetry   running   55s
apigee-metrics IAM service account.
gcloud iam service-accounts list --project PROJECT_ID | grep "apigee-metrics"
The output should look similar to the following:
apigee-metrics apigee-metrics@my-project.iam.gserviceaccount.com False
gcloud iam service-accounts list --project PROJECT_ID | grep "apigee-non-prod"
The output should look similar to the following:
apigee-non-prod apigee-non-prod@my-project.iam.gserviceaccount.com False
kubectl get serviceaccount -n APIGEE_NAMESPACE | grep "telemetry"
The output should look similar to the following:
apigee-metrics-apigee-telemetry 0 42m
apigee-open-telemetry-collector-apigee-telemetry 0 37m
apigee-metrics IAM service account with the following command:
Apigee Metrics KSA: apigee-metrics-apigee-telemetry to apigee-metrics Google IAM service account
gcloud iam service-accounts add-iam-policy-binding \
METRICS_IAM_SA_EMAIL \
--member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
--role=roles/iam.workloadIdentityUser
gcloud iam service-accounts add-iam-policy-binding \
apigee-metrics@my-project.iam.gserviceaccount.com \
--member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-metrics-apigee-telemetry" \
--role=roles/iam.workloadIdentityUser
Apigee OpenTelemetry Collector KSA: apigee-open-telemetry-collector-apigee-telemetry to apigee-metrics Google IAM service account
gcloud iam service-accounts add-iam-policy-binding \
METRICS_IAM_SA_EMAIL \
--member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
--role=roles/iam.workloadIdentityUser
gcloud iam service-accounts add-iam-policy-binding \
apigee-metrics@my-project.iam.gserviceaccount.com \
--member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-open-telemetry-collector-apigee-telemetry" \
--role=roles/iam.workloadIdentityUser
Apigee Metrics KSA: apigee-metrics-apigee-telemetry to apigee-non-prod Google IAM service account
gcloud iam service-accounts add-iam-policy-binding \
NON_PROD_IAM_SA_EMAIL \
--member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
--role=roles/iam.workloadIdentityUser
gcloud iam service-accounts add-iam-policy-binding \
apigee-non-prod@my-project.iam.gserviceaccount.com \
--member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-metrics-apigee-telemetry" \
--role=roles/iam.workloadIdentityUser
Apigee OpenTelemetry Collector KSA: apigee-open-telemetry-collector-apigee-telemetry to apigee-non-prod Google IAM service account
gcloud iam service-accounts add-iam-policy-binding \
NON_PROD_IAM_SA_EMAIL \
--member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
--role=roles/iam.workloadIdentityUser
gcloud iam service-accounts add-iam-policy-binding \
apigee-non-prod@my-project.iam.gserviceaccount.com \
--member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-open-telemetry-collector-apigee-telemetry" \
--role=roles/iam.workloadIdentityUser
Install Apigee Redis:
Dry run:
helm upgrade redis apigee-redis/ \
--install \
--namespace APIGEE_NAMESPACE \
--atomic \
-f overrides.yaml \
--dry-run=server
Install the chart:
helm upgrade redis apigee-redis/ \
--install \
--namespace APIGEE_NAMESPACE \
--atomic \
-f overrides.yaml
Verify it is up and running by checking its state:
kubectl -n APIGEE_NAMESPACE get apigeeredis default
NAME      STATE     AGE
default   running   79s
Install Apigee ingress manager:
Dry run:
helm upgrade ingress-manager apigee-ingress-manager/ \
--install \
--namespace APIGEE_NAMESPACE \
--atomic \
-f overrides.yaml \
--dry-run=server
Install the chart:
helm upgrade ingress-manager apigee-ingress-manager/ \
--install \
--namespace APIGEE_NAMESPACE \
--atomic \
-f overrides.yaml
Verify it is up and running by checking its availability:
kubectl -n APIGEE_NAMESPACE get deployment apigee-ingressgateway-manager
NAME                            READY   UP-TO-DATE   AVAILABLE   AGE
apigee-ingressgateway-manager   2/2     2            2           16s
Install Apigee organization. If you have set the $ORG_NAME environment variable in your shell, you can use that in the following commands:
Dry run:
helm upgrade $ORG_NAME apigee-org/ \
--install \
--namespace APIGEE_NAMESPACE \
--atomic \
-f overrides.yaml \
--dry-run=server
Install the chart:
helm upgrade $ORG_NAME apigee-org/ \
--install \
--namespace APIGEE_NAMESPACE \
--atomic \
-f overrides.yaml
Verify it is up and running by checking the state of the respective org:
kubectl -n APIGEE_NAMESPACE get apigeeorg
NAME                 STATE     AGE
my-project-123abcd   running   4m18s
apigee-mart, apigee-udca, and apigee-watcher components:
gcloud iam service-accounts list --project PROJECT_ID | grep "apigee-mart\|apigee-udca\|apigee-watcher"
The output should look similar to the following:
apigee-mart apigee-mart@my-project.iam.gserviceaccount.com False
apigee-udca apigee-udca@my-project.iam.gserviceaccount.com False
apigee-watcher apigee-watcher@my-project.iam.gserviceaccount.com False
If you are using Monetization for Apigee hybrid, also get the email address of the apigee-mint-task-scheduler service account.
gcloud iam service-accounts list --project PROJECT_ID | grep "apigee-mint-task-scheduler"
The output should look similar to the following:
apigee-mint-task-scheduler apigee-mint-task-scheduler@my-project.iam.gserviceaccount.com False
gcloud iam service-accounts list --project PROJECT_ID | grep "apigee-non-prod"
The output should look similar to the following:
apigee-non-prod apigee-non-prod@my-project.iam.gserviceaccount.com False
kubectl get serviceaccount -n APIGEE_NAMESPACE | grep "apigee-connect-agent\|apigee-mart\|apigee-udca\|apigee-watcher"
The output should look similar to the following:
apigee-connect-agent-my-project-123abcd 0 1h4m
apigee-mart-my-project-123abcd 0 1h4m
apigee-mint-task-scheduler-my-project-123abcd 0 1h3m
apigee-udca-my-project-123abcd 0 1h2m
apigee-watcher-my-project-123abcd 0 1h1m
Connect agent KSA: apigee-connect-agent-ORG_NAME-ORG_HASH_ID Kubernetes service account to apigee-mart IAM service account.
gcloud iam service-accounts add-iam-policy-binding \
APIGEE_MART_SA_EMAIL \
--member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
--role=roles/iam.workloadIdentityUser
gcloud iam service-accounts add-iam-policy-binding \
apigee-mart@my-project.iam.gserviceaccount.com \
--member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-connect-agent-my-org-123abcd" \
--role=roles/iam.workloadIdentityUser
MART KSA: apigee-mart-ORG_NAME-ORG_HASH_ID Kubernetes service account to apigee-mart IAM service account. MART and Connect agent use the same IAM service account.
gcloud iam service-accounts add-iam-policy-binding \
APIGEE_MART_SA_EMAIL \
--member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
--role=roles/iam.workloadIdentityUser
gcloud iam service-accounts add-iam-policy-binding \
apigee-mart@my-project.iam.gserviceaccount.com \
--member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-mart-my-org-123abcd" \
--role=roles/iam.workloadIdentityUser
Mint task scheduler KSA: (if using Monetization for Apigee hybrid)
apigee-mint-task-scheduler-ORG_NAME-ORG_HASH_ID Kubernetes service account to apigee-mint-task-scheduler IAM service account.
gcloud iam service-accounts add-iam-policy-binding \
APIGEE_MINT_TASK_SCHEDULER_SA_EMAIL \
--member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
--role=roles/iam.workloadIdentityUser
gcloud iam service-accounts add-iam-policy-binding \
apigee-mint-task-scheduler@my-project.iam.gserviceaccount.com \
--member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-mint-task-scheduler-my-org-123abcd" \
--role=roles/iam.workloadIdentityUser
Org-scoped UDCA KSA: apigee-udca-ORG_NAME-ORG_HASH_ID Kubernetes service account to apigee-udca IAM service account.
gcloud iam service-accounts add-iam-policy-binding \
APIGEE_UDCA_SA_EMAIL \
--member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
--role=roles/iam.workloadIdentityUser
gcloud iam service-accounts add-iam-policy-binding \
apigee-udca@my-project.iam.gserviceaccount.com \
--member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-udca-my-org-123abcd" \
--role=roles/iam.workloadIdentityUser
Watcher KSA: apigee-watcher-ORG_NAME-ORG_HASH_ID Kubernetes service account to apigee-watcher IAM service account.
gcloud iam service-accounts add-iam-policy-binding \
APIGEE_WATCHER_SA_EMAIL \
--member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
--role=roles/iam.workloadIdentityUser
gcloud iam service-accounts add-iam-policy-binding \
apigee-watcher@my-project.iam.gserviceaccount.com \
--member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-watcher-my-org-123abcd" \
--role=roles/iam.workloadIdentityUser
Connect agent KSA: apigee-connect-agent-ORG_NAME-ORG_HASH_ID Kubernetes service account to apigee-non-prod IAM service account.
gcloud iam service-accounts add-iam-policy-binding \
NON_PROD_IAM_SA_EMAIL \
--member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
--role=roles/iam.workloadIdentityUser
gcloud iam service-accounts add-iam-policy-binding \
apigee-non-prod@my-project.iam.gserviceaccount.com \
--member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-connect-agent-my-org-123abcd" \
--role=roles/iam.workloadIdentityUser
MART KSA: apigee-mart-ORG_NAME-ORG_HASH_ID Kubernetes service account to apigee-non-prod IAM service account.
gcloud iam service-accounts add-iam-policy-binding \
NON_PROD_IAM_SA_EMAIL \
--member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
--role=roles/iam.workloadIdentityUser
gcloud iam service-accounts add-iam-policy-binding \
apigee-non-prod@my-project.iam.gserviceaccount.com \
--member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-mart-my-org-123abcd" \
--role=roles/iam.workloadIdentityUser
Mint task scheduler KSA: (if using Monetization for Apigee hybrid)
apigee-mint-task-scheduler-ORG_NAME-ORG_HASH_ID Kubernetes service account to apigee-non-prod IAM service account.
gcloud iam service-accounts add-iam-policy-binding \
NON_PROD_IAM_SA_EMAIL \
--member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
--role=roles/iam.workloadIdentityUser
gcloud iam service-accounts add-iam-policy-binding \
apigee-non-prod@my-project.iam.gserviceaccount.com \
--member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-mint-task-scheduler-my-org-123abcd" \
--role=roles/iam.workloadIdentityUser
Org-scoped UDCA KSA: apigee-udca-ORG_NAME-ORG_HASH_ID Kubernetes service account to apigee-non-prod IAM service account.
gcloud iam service-accounts add-iam-policy-binding \
NON_PROD_IAM_SA_EMAIL \
--member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
--role=roles/iam.workloadIdentityUser
gcloud iam service-accounts add-iam-policy-binding \
apigee-non-prod@my-project.iam.gserviceaccount.com \
--member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-udca-my-org-123abcd" \
--role=roles/iam.workloadIdentityUser
Watcher KSA: apigee-watcher-ORG_NAME-ORG_HASH_ID Kubernetes service account to apigee-non-prod IAM service account.
gcloud iam service-accounts add-iam-policy-binding \
NON_PROD_IAM_SA_EMAIL \
--member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
--role=roles/iam.workloadIdentityUser
gcloud iam service-accounts add-iam-policy-binding \
apigee-non-prod@my-project.iam.gserviceaccount.com \
--member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-watcher-my-org-123abcd" \
--role=roles/iam.workloadIdentityUser
Install the environment.
You must install one environment at a time. Specify the environment with
--set env=ENV_NAME. If you have set the
$ENV_NAME environment variable in your shell, you can use that in the
following commands:
Dry run:
helm upgrade ENV_RELEASE_NAME apigee-env/ \
--install \
--namespace APIGEE_NAMESPACE \
--atomic \
--set env=$ENV_NAME \
-f overrides.yaml \
--dry-run=server
ENV_RELEASE_NAME is a name used to keep track of installation and upgrades of the
apigee-env chart. This name must be unique from the other Helm release names in your installation.
Usually this is the same as ENV_NAME. However, if your environment has the same name
as your environment group, you must use different release names for the environment and environment group,
for example dev-env-release and dev-envgroup-release. For more information on releases
in Helm, see Three big concepts in the
Helm documentation.
Install the chart:
helm upgrade ENV_RELEASE_NAME apigee-env/ \
--install \
--namespace APIGEE_NAMESPACE \
--atomic \
--set env=$ENV_NAME \
-f overrides.yaml
Verify it is up and running by checking the state of the respective env:
kubectl -n APIGEE_NAMESPACE get apigeeenv
NAME                       STATE     AGE    GATEWAYTYPE
apigee-my-project-my-env   running   3m1s
apigee-runtime, apigee-synchronizer, and apigee-udca components:
gcloud iam service-accounts list --project PROJECT_ID | grep "apigee-runtime\|apigee-synchronizer\|apigee-udca"
gcloud iam service-accounts list --project PROJECT_ID | grep "apigee-non-prod"
gcloud iam service-accounts list --project PROJECT_ID | grep "apigee-mart\|apigee-udca\|apigee-watcher"
The output should look similar to the following:
apigee-runtime apigee-runtime@my-project.iam.gserviceaccount.com False
apigee-synchronizer apigee-synchronizer@my-project.iam.gserviceaccount.com False
apigee-udca apigee-udca@my-project.iam.gserviceaccount.com False
apigee-non-prod apigee-non-prod@my-project.iam.gserviceaccount.com False
kubectl get serviceaccount -n APIGEE_NAMESPACE | grep "apigee-runtime\|apigee-synchronizer\|apigee-udca"
The output should look similar to the following:
apigee-runtime-my-project--my-env-cdef123 0 19m
apigee-synchronizer-my-project-my-env-cdef123 0 17m
apigee-udca-my-project-123abcd 0 1h29m
apigee-udca-my-project-my-env-cdef123 0 22m
Runtime KSA: apigee-runtime-PROJECT_ID-ENV_NAME-ENV_HASH_ID-sa KSA to apigee-runtime Google IAM SA
gcloud iam service-accounts add-iam-policy-binding \
RUNTIME_IAM_SA_EMAIL \
--member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
--role=roles/iam.workloadIdentityUser
gcloud iam service-accounts add-iam-policy-binding \
apigee-runtime@my-project.iam.gserviceaccount.com \
--member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-runtime-my-project-my-env-cdef123" \
--role=roles/iam.workloadIdentityUser
Synchronizer KSA: apigee-synchronizer-PROJECT_ID-ENV_NAME-ENV_HASH_ID-sa KSA to apigee-synchronizer Google IAM SA
gcloud iam service-accounts add-iam-policy-binding \
SYNCHRONIZER_IAM_SA_EMAIL \
--member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
--role=roles/iam.workloadIdentityUser
gcloud iam service-accounts add-iam-policy-binding \
apigee-synchronizer@my-project.iam.gserviceaccount.com \
--member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-synchronizer-my-project-my-env-cdef123" \
--role=roles/iam.workloadIdentityUser
UDCA KSA: apigee-udca-PROJECT_ID-ENV_NAME-ENV_HASH_ID-sa KSA to apigee-udca Google IAM SA
gcloud iam service-accounts add-iam-policy-binding \
UDCA_IAM_SA_EMAIL \
--member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
--role=roles/iam.workloadIdentityUser
gcloud iam service-accounts add-iam-policy-binding \
apigee-udca@my-project.iam.gserviceaccount.com \
--member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-udca-my-project-my-env-cdef123" \
--role=roles/iam.workloadIdentityUserRuntime KSA: apigee-runtime-PROJECT_ID-ENV_NAME-ENV_HASH_ID-sa KSA to apigee-non-prod Google IAM SA
gcloud iam service-accounts add-iam-policy-binding \
NON_PROD_IAM_SA_EMAIL \
--member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
--role=roles/iam.workloadIdentityUsergcloud iam service-accounts add-iam-policy-binding \
apigee-non-prod@my-project.iam.gserviceaccount.com \
--member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-runtime-my-project-my-env-cdef123" \
--role=roles/iam.workloadIdentityUserSynchronizer KSA: apigee-synchronizer-PROJECT_ID-ENV_NAME-ENV_HASH_ID-sa KSA to apigee-non-prod Google IAM SA
gcloud iam service-accounts add-iam-policy-binding \
NON_PROD_IAM_SA_EMAIL \
--member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
--role=roles/iam.workloadIdentityUsergcloud iam service-accounts add-iam-policy-binding \
apigee-non-prod@my-project.iam.gserviceaccount.com \
--member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-synchronizer-my-project-my-env-cdef123" \
--role=roles/iam.workloadIdentityUserUDCA KSA: apigee-udca-PROJECT_ID-ENV_NAME-ENV_HASH_ID-sa KSA to apigee-non-prod Google IAM SA
gcloud iam service-accounts add-iam-policy-binding \
NON_PROD_IAM_SA_EMAIL \
--member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/MAPPED_SUBJECT" \
--role=roles/iam.workloadIdentityUser

Example:
gcloud iam service-accounts add-iam-policy-binding \
apigee-non-prod@my-project.iam.gserviceaccount.com \
--member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/system:serviceaccount:apigee:apigee-udca-my-project-my-env-cdef123" \
--role=roles/iam.workloadIdentityUser

virtualhosts).
--set envgroup=ENV_GROUP. If you have set the
$ENV_GROUP environment variable in your shell, you can use that in the
following commands. Repeat the following
commands for each env group mentioned in your overrides.yaml file:
Dry run:
helm upgrade ENV_GROUP_RELEASE_NAME apigee-virtualhost/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  --set envgroup=$ENV_GROUP \
  -f overrides.yaml \
  --dry-run=server
ENV_GROUP_RELEASE_NAME is a name used to keep track of installation and upgrades of the
apigee-virtualhosts chart. This name must be different from the other Helm release names in your
installation. Usually this is the same as ENV_GROUP. However, if your environment group
has the same name as an environment in your installation, you must use different release names for the
environment group and environment, for example dev-envgroup-release and dev-env-release.
For more information on releases in Helm, see
Three big concepts in the Helm documentation.
Install the chart:
helm upgrade ENV_GROUP_RELEASE_NAME apigee-virtualhost/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  --set envgroup=$ENV_GROUP \
  -f overrides.yaml
Installing the virtualhosts chart creates an ApigeeRouteConfig (ARC), which
internally creates an ApigeeRoute (AR) once the Apigee watcher pulls the
environment group details from the control plane. Therefore, check that the
corresponding AR's state is running:
kubectl -n APIGEE_NAMESPACE get arc
NAME                     STATE   AGE
apigee-org1-dev-egroup           2m
kubectl -n APIGEE_NAMESPACE get ar
NAME                                                          STATE     AGE
apigee-ingressgateway-internal-chaining-my-project-123abcd    running   19m
my-project-myenvgroup-000-321dcba                             running   2m30s
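To check that the roles/iam.workloadIdentityUser bindings created earlier in this step cover exactly the KSAs you intended, the following added example (not part of the Apigee documentation) builds the expected principal:// members and compares them with a list of bound members. The function names and both member lists are assumptions constructed for illustration; in practice the bound members would be read from the service account's IAM policy (gcloud iam service-accounts get-iam-policy).

```shell
#!/usr/bin/env bash
# Added example, not from the Apigee documentation. Sample values reuse the
# placeholder project number, pool and KSA names shown in the commands on this page.

# Build the --member string for one Kubernetes service account (KSA).
wif_member() {
  local project_number=$1 pool_id=$2 namespace=$3 ksa=$4
  case $project_number in
    ''|*[!0-9]*) echo "PROJECT_NUMBER must be numeric, got '$project_number'" >&2; return 1 ;;
  esac
  case "$pool_id:$namespace:$ksa" in
    :*|*::*|*:) echo "empty pool, namespace or KSA name" >&2; return 1 ;;
  esac
  case "$pool_id$namespace$ksa" in
    *[!A-Za-z0-9._-]*) echo "unexpected character in pool, namespace or KSA name" >&2; return 1 ;;
  esac
  printf 'principal://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/subject/system:serviceaccount:%s:%s\n' \
    "$project_number" "$pool_id" "$namespace" "$ksa"
}

# Compare two newline-separated member lists. grep reads each line of the -e
# argument as a separate fixed-string pattern; -x requires a whole-line match,
# so a member that merely contains an expected one is still reported.
# Prints one finding per line and returns 1 if there is any finding.
audit_members() {
  local expected=$1 actual=$2 unexpected missing
  unexpected=$(printf '%s\n' "$actual" | grep -Fxv -e "$expected" | sed -n '/./s/^/UNEXPECTED /p')
  missing=$(printf '%s\n' "$expected" | grep -Fxv -e "$actual" | sed -n '/./s/^/MISSING /p')
  [ -n "$unexpected" ] && printf '%s\n' "$unexpected"
  [ -n "$missing" ] && printf '%s\n' "$missing"
  [ -z "$unexpected$missing" ]
}

# Constructed sample: members expected on apigee-non-prod for one environment.
P=1234567890; POOL=my-pool; NS=apigee; SUFFIX=my-project-my-env-cdef123
EXPECTED=$(for c in runtime synchronizer udca; do
  wif_member "$P" "$POOL" "$NS" "apigee-$c-$SUFFIX"; done)
# Constructed "bound" list: the udca member is absent and a pool-wide
# principalSet member is present.
ACTUAL="$(wif_member "$P" "$POOL" "$NS" "apigee-runtime-$SUFFIX")
$(wif_member "$P" "$POOL" "$NS" "apigee-synchronizer-$SUFFIX")
principalSet://iam.googleapis.com/projects/$P/locations/global/workloadIdentityPools/$POOL/*"

audit_members "$EXPECTED" "$ACTUAL" || true
```

An UNEXPECTED line for a principalSet member means every identity in the pool can impersonate the IAM service account, not only the listed KSAs.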
In the next step, you will configure the Apigee ingress gateway and deploy a proxy to test your installation.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies.
Last updated 2026-06-11 UTC.