How to deploy Apigee Operator on GKE with ArgoCD: A GitOps Approach

Google Cloud Apigee Knowledge Hub
, ,
1

Deploying Apigee APIM Operator on GKE with ArgoCD: A GitOps Approach

Managing APIs effectively is crucial for modern applications, especially those running on Kubernetes. Google Cloud’s Apigee offers the Apigee APIM Operator for Kubernetes, designed to simplify API management by allowing developers to use familiar Kubernetes tools and a declarative approach.

Why APIM Operator is Required: “Bridging the Gap”

The APIM Operator isn’t strictly “required” in the sense that Apigee can function without it. However, it’s required if you want to manage your Apigee configurations directly from your Kubernetes environment using Kubernetes-native tools and workflows.

Without the Operator, you would typically manage Apigee policies and API products through the Apigee UI or Apigee’s own management APIs. The Operator fills a crucial gap by allowing Kubernetes-native teams to manage API products, operations, and policies as code within their existing Kubernetes infrastructure. It essentially extends Kubernetes to understand and control Apigee-specific resources, making it a more seamless experience for organizations deeply invested in Kubernetes.

In short, it’s about empowering cloud-native developers to manage sophisticated API functionalities without leaving their Kubernetes comfort zone.

This article explores how to deploy and manage the Apigee APIM Operator and its resources on Google Kubernetes Engine (GKE) in a GitOps fashion using ArgoCD.

What is the Apigee APIM Operator?

The Apigee APIM Operator for Kubernetes allows you to configure Apigee API management capabilities natively within your GKE cluster. Instead of an traditional proxy-based approach, it integrates with the GKE Gateway and Google Cloud Load Balancer (GCLB) using service extensions. This means API policies are enforced at the ingress level. In the future there will be support for AKS and EKS

Key features and concepts:

  • Kubernetes-Native: Define API Products, Operations, and Policies as Kubernetes Custom Resources (CRDs) like APIProduct, APIOperationSet, and APIMExtensionPolicy.
  • GKE Gateway Integration: The operator configures the GKE Gateway (which provisions a GCLB) to intercept traffic and apply Apigee policies via an ext-proc callout to the Apigee runtime.
  • Declarative Configuration: API management is defined in YAML files, version-controlled in Git, and applied to the cluster.

This approach aligns API management with existing Kubernetes workflows, making it ideal for platform teams and developers already using Kubernetes.

Why GitOps with ArgoCD?

GitOps is a paradigm for managing infrastructure and applications where Git is the single source of truth. ArgoCD is a popular open-source (now CNCF) declarative, GitOps continuous delivery tool for Kubernetes.

Using ArgoCD to manage the Apigee APIM Operator deployment provides:

  • Automation: Automatically synchronizes the desired state in Git with the live state in the GKE cluster.
  • Version Control & Auditability: All changes to API configurations are versioned in Git, providing a clear audit trail.
  • Consistency: Ensures environments are consistently configured based on the Git repository.
  • Rollbacks: Easily roll back to previous states by reverting changes in Git.
  • Developer Self-Service: Developers can manage API definitions through pull requests.

Architectural Patterns

Several patterns can be used when deploying the APIM Operator, as outlined in Apigee APIM Operator deployment patterns:

1. Single Region: GKE cluster and Apigee instance in the same region.

The GKE Gateway sends traffic to Apigee for policy enforcement via Private Service Connect (PSC). See diagram below to describe this

diag1
diag11247×756 103 KB

2. Single Region with GitOps Setup:

The above pattern, but with ArgoCD managing the Kubernetes manifests for the operator and its CRDs from a Git repository. See diagram below to describe this

diag2
diag21247×702 84.7 KB

3. Shared-VPC Setup:

The GKE cluster and Apigee are deployed within a Shared VPC network. See diagram below to describe this.

diag3
diag31389×772 95.4 KB

The core idea is that the GKE Gateway, configured by the APIM Operator, acts as the Policy Enforcement Point (PEP), calling out to the Apigee data plane (the Policy Decision Point - PDP).

Implementing GitOps with ArgoCD

The provided GitHub repositories demonstrate a practical GitOps setup:

  • AyoSal/argocd-apimops: Provides sample ArgoCD Application manifests, likely using an App of Apps pattern, to deploy the APIM Operator and the API management CRs.

Typical Workflow:

  1. Setup: Use scripts from apim-operator to prepare the GKE cluster, service accounts, and install the operator.
  2. ArgoCD Application: Define an ArgoCD Application pointing to the argocd-apimops repository. This repository contains the YAML manifests for:
  • The APIM Operator deployment itself.
  • APIMExtensionPolicy: Configures the connection to Apigee and targets a specific GKE Gateway.
  • APIProduct: Defines an API product in Apigee.
  • APIOperationSet: Maps API paths/methods to the API Product and defines quotas.
  1. Synchronization: ArgoCD detects changes in the Git repository (e.g., a new API product definition) and applies them to the GKE cluster using kubectl. The APIM Operator, watching these CRs, then configures Apigee and the GKE Gateway accordingly.

Install ArgoCD

To apply the ArgoCD application for the APIM Operator, use the following command:

kubectl apply -f https://raw.githubusercontent.com/AyoSal/argocd-apimops/main/application.yaml

Install APIM CRDs

To install the APIM CRDs, create an ArgoCD Application, as shown below. This application points to the helm chart in the public repository, with repoURL specifying the chart’s location and targetRevision indicating the desired version.

kubectl apply -f - <<EOF
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: apigee-apim-operator-crds
  namespace: argocd
spec:
  project: default
  source:
    repoURL: us-docker.pkg.dev/apigee-release/apigee-k8s-tooling-helm-charts
    chart: apigee-apim-operator-crds
    targetRevision: '1.0.0'
    helm:
      releaseName: apigee-apim-operator-crds
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: apim
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
EOF

Install APIM Operator

Similarly to install APIM Operator, we will use ArgoCD’s applicationSet where we will use the first source item to point to the public repo where that helm chart is hosted and second source will point to the internal git repository where we store the override yaml file

kubectl apply -f - <<EOF
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: apigee-apim-operator-helm-appset
  namespace: argocd
spec:
  generators:
  - list:
      elements:
      - version: 1.0.0
  template:
    metadata:
      name: apigee-apim-operator-helm
      namespace: argocd
    spec:
      project: default
      sources:
      - repoURL: us-docker.pkg.dev/apigee-release/apigee-k8s-tooling-helm-charts
        chart: apigee-apim-operator-helm
        targetRevision: '{{version}}'
        helm:
          releaseName: apigee-apim-operator-helm
          valueFiles:
          - $values/<path to overrides.yaml>
      - repoURL: <repo for the overrides>
        targetRevision: HEAD
        ref: values
      destination:
        server: 'https://kubernetes.default.svc'
        namespace: apim
      syncPolicy:
        automated:
          prune: true
          selfHeal: true
EOF

Install APIM Custom Resources:

kubectl apply -f - <<EOF
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: manifests-appset
  namespace: argocd
spec:
  generators:
    - list:
        elements:
          - {}
  template:
    metadata:
      name: manifests
    spec:
      project: default
      source:
        repoURL: 'https://github.com/AyoSal/argocd-apimops/tree/main/manifests'
        targetRevision: HEAD
        path: 'manifests'
        directory:
          recurse: true
          include: '**/*.yaml'
      destination:
        server: 'https://kubernetes.default.svc'
        # The namespace is intentionally left blank. Argo CD will instead use the namespace specified in the YAML files.
      syncPolicy:
        automated:
          prune: true
          selfHeal: true
EOF

Customer Benefits

Simplified Architecture: Reuses the GKE Gateway, avoiding an extra gateway layer.
Unified Tooling: Developers and operators use the same Kubernetes tools (YAML, kubectl, Git) for apps and API management.
Leverage GCP Investment: Tightly integrated with Google Cloud’s networking and security infrastructure.
Faster Deployment Cycles: GitOps automation accelerates the deployment of API changes.
Consistent Governance: Enforce API management best practices through code and version control.

Conclusion

The Apigee APIM Operator, when combined with ArgoCD, provides a powerful, Kubernetes-native, and GitOps-driven way to manage APIs on GKE. This approach not only streamlines operations but also deeply integrates with the Google Cloud ecosystem, offering significant advantages in terms of simplicity, security, and developer experience compared to solutions like Kong, especially for organizations committed to GKE and Google Cloud.

Resources

  • Apigee Operator public page here

  • Apigee Operator with ArgoCD repo here

  • Apigee Operator resource reference here

  • Apigee Operator and Operator crds can be found here

  • Setup Apigee Operator with GCP cloud shell and bash scripts here

:memo: Co-author: Niraj Tulachan | @ntulachan

:thought_balloon: Let’s talk — Google Cloud Sales Specialist awaits

3 Likes