The Apigee Hybrid management plane ordinarily communicates with the
MART service
in the runtime plane via Apigee Connect.
This is the recommended configuration. However, if you want to use the MART Istio
ingress gateway service instead of Apigee Connect, you will want to expose the MART
endpoint to requests coming from outside of the cluster.
The MART endpoint is a secure TLS connection. Hybrid uses an
Istio
ingress gateway service to expose traffic to this endpoint.
This topic explains the steps to take to expose the MART endpoint.
Adding the MART service account
MART requires a Google Cloud service account for authentication.
In the Google Cloud setup step, Add service accounts, you
created a service account with no role for MART.
Locate the key file you downloaded for that service account.
The file should have a .json extension.
Add the key file path to the mart.serviceAccountPath property:
...
mart:
sslCertPath:
sslKeyPath:
hostAlias:
serviceAccountPath: "path to a file"
...
Add the
mart.sslCertPath, mart.sslKeyPath, and mart.hostAlias
properties. The following table describes these properties:
Property
Value
mart.sslCertPath mart.sslKeyPath
The MART certificate/key pair must be authorized by a certificate authority (CA).
If you have not previously created an authorized cert/key pair, then you must do
so now and enter the certificate and key filenames for the corresponding property
values. If you need help generating the authorized cert/key pair, see
Obtain TLS credentials: An example.
mart.hostAlias.
(Required) A qualified DNS name for the MART server endpoint. For example,
foo-mart.mydomain.com.
For example, where the host alias is a qualified domain name:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-03-07 UTC."],[[["This documentation version (1.6) is end-of-life and users are encouraged to upgrade to a newer version for continued support."],["Exposing the MART endpoint, instead of using Apigee Connect, involves using an Istio ingress gateway service for external access."],["Setting up the MART endpoint requires providing a trusted TLS key/certificate pair, which must be authorized by a Certificate Authority and must not be self-signed."],["Configuring MART also requires a Google Cloud service account with its associated key file, and specifying its path in the `mart.serviceAccountPath` property of the overrides file."],["The MART setup requires setting `mart.sslCertPath`, `mart.sslKeyPath`, and `mart.hostAlias` in the overrides file, where the Common Name (CN) in the certificate must match the value provided in the `mart.hostAlias` property."]]],[]]
