The Apigee Hybrid management plane must be able to reach the
MART service
in the runtime plane. For this reason, you must expose the MART
endpoint to requests coming from outside of the cluster.
The MART endpoint is a secure TLS connection. Hybrid uses an
Istio
ingress gateway service to expose traffic to this endpoint.
This topic explains the steps to take to expose the MART endpoint.
Adding the MART service account
MART requires a GCP service account for authentication.
In the GCP setup step, Add service accounts, you
created a service account with no role for MART.
Locate the key file you downloaded for that service account.
The file should have a .json extension.
Add the key file path to the mart.serviceAccountPath property:
...
mart:
sslCertPath:
sslKeyPath:
hostAlias:
serviceAccountPath: "path to a file"
...
Add the
mart.sslCertPath, mart.sslKeyPath, and mart.hostAlias
properties. The following table describes these properties:
Property
Value
mart.sslCertPath mart.sslKeyPath
The MART certificate/key pair must be authorized by a certificate authority (CA).
If you have not previously created an authorized cert/key pair, then you must do
so now and enter the certificate and key filenames for the corresponding property
values. If you need help generating the authorized cert/key pair, see
Obtain TLS credentials: An example.
mart.hostAlias.
(Required) A qualified DNS name for the MART server endpoint. For example,
foo-mart.mydomain.com.
For example, where the host alias is a qualified domain name:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-03-07 UTC."],[[["This documentation is for Apigee hybrid version 1.3, which is end-of-life, and users should upgrade to a newer version."],["The MART endpoint needs to be exposed to external requests, requiring a secure TLS connection through an Istio ingress gateway."],["Setting up MART requires a trusted TLS key/certificate pair (self-signed certificates are not permitted) and a qualified domain name."],["A GCP service account key file is required for MART authentication, and its path needs to be specified in the `mart.serviceAccountPath` property in the overrides file."],["The `mart.sslCertPath`, `mart.sslKeyPath`, and `mart.hostAlias` properties must be added to the overrides file, ensuring the certificate's Common Name (CN) matches the `mart.hostAlias` value."]]],[]]