Registering and Running in Connected Mode with a Connected App
Before You Begin
Before registering Flex Gateway, you must complete the following tasks:
-
-
Include the following scopes:
-
Read Servers
-
Manage Servers
-
View Organization
-
-
Save the Id and Secret of the Connected app you configure.
-
-
Request Manage Servers and Read Servers permissions in Runtime Manager from your Anypoint Platform admin
-
Collect the following information from your Anypoint Platform instance:
-
The Organization ID for the organization where you want to run Flex Gateway
See Find your Organization ID for more information on how to find your Organization ID.
-
The Environment ID for the environment where you want to run Flex Gateway
See What API Manager Looks Like for more information on how to find your Environment ID.
-
Register and Run with a Connected App as a Linux Service
Flex Gateway runs on the following Long Term Support (LTS) versions of Linux:
-
Amazon Linux 2023
-
CentOS 8
-
Debian (Bullseye, Bookworm)
-
Red Hat Enterprise Linux (9)
-
Red Hat Enterprise Linux (9) on IBM Power (ppc64le)
-
SUSE Linux Enterprise (SLES 15 SP3)
-
SUSE Linux Enterprise (SLES 15 SP3) on IBM Power (ppc64le)
-
Ubuntu (Focal, Jammy)
To register a Flex Gateway with Anypoint Platform, you must enter the registration command and then the start command. Each command includes information specific to your Anypoint Platform instance and must be updated before executing. See Before You Begin for more information on how to find the information you will need.
-
--client-id
= the Id for the Connected App you configured in Access Management -
--client-secret
= the Secret for the Connected App you configured in Access Management -
--environment
= the Environment Id for the environment in Anypoint Platform where you want the Flex Gateway to run -
--organization
= your Organization ID in Anypoint Platform -
--split
(optional) = the flag that determines whether registration information should split into multiple files. The default value isfalse
.If
split
is set totrue
, registration information is split into two files:registration.yaml
andcertificate.yaml
. Iffalse
, all registration information is contained in one file:registration.yaml
. -
--output-directory
(optional) = the directory in which registration information is output -
my-gateway
= the name you want to assign the gateway cluster
Register Flex Gateway
Register your Flex Gateway instance using the data that you gathered for the command options.
flexctl registration create \
--client-id=<your-connected-app-client-id> \
--client-secret=<your-connected-app-client-secret> \
--environment=<your-environment-id> \
--connected=true \
--organization=<your-org-id> \
--output-directory=/usr/local/share/mulesoft/flex-gateway/conf.d \
my-gateway
Use sudo
if you encounter file permission issues when running this command.
If you are in Europe you will need to add the --anypoint-url=https://eu1.anypoint.mulesoft.com flag
to your command.
|
In the output directory, you should see the following new registration file(s):
-
registration.yaml
-
certificate.yaml
(generated only if thesplit
registration parameter is set totrue
, otherwise certificate information will be contained inregistration.yaml
)
These generated files are credentials for you to connect your Flex Gateway. If you lose them you can no longer connect your Flex Gateway. |
In Runtime Manager, click ← Flex Gateway in the left navigation to find your gateway in the UI. Notice that your gateway’s status is Disconnected. Refresh the page, if necessary.
Start Commands
Start Flex Gateway with the following command:
sudo systemctl start flex-gateway
Verify that the Flex Gateway service is running successfully:
systemctl list-units flex-gateway*
If flex-gateway.service
has a status of active
, Flex Gateway is successfully running.
UNIT LOAD ACTIVE SUB DESCRIPTION
flex-gateway.service loaded active running Application
In Runtime Manager, click ← Flex Gateway in the left navigation to find your new gateway in the UI. Notice that your gateway’s current status is Connected. Refresh the page, if necessary.
After 30 days, a stopped or deleted gateway is removed from the Runtime Manager UI. Otherwise, the UI continues to list the gateway even if it is no longer running or connected. |
Register and Run with a Connected App in a Container
You can register and run Flex Gateway for use in one of the following containers:
Register and Run with a Connected App in a Docker Container
To register a Flex Gateway with Anypoint Platform, you must enter the registration command and then the start command. Each command includes information specific to your Anypoint Platform instance and must be updated before executing. See Before You Begin for more information on how to find the information you will need.
Collect Your Registration Data
Before registering your Flex Gateway instance, collect information for the following registration command options:
-
--client-id
= the Id for the Connected App you configured in Access Management -
--client-secret
= the Secret for the Connected App you configured in Access Management -
--environment
= the Environment Id for the environment in Anypoint Platform where you want the Flex Gateway to run -
--organization
= your Organization ID in Anypoint Platform -
--split
(optional) = the flag that determines whether registration information should split into multiple files. The default value isfalse
.If
split
is set totrue
, registration information is split into two files:registration.yaml
andcertificate.yaml
. Iffalse
, all registration information is contained in one file:registration.yaml
. -
--output-directory
(optional) = the directory in which registration information is output -
my-gateway
= the name you want to assign the gateway cluster
Register Flex Gateway
Register your Flex Gateway instance using the data that you gathered for the command options.
Create a new directory called flex-registration (or similar) and then run the registration command in this new directory. The command creates registration files in this location.
|
docker run --entrypoint flexctl \
-v "$(pwd)":/registration -u $UID mulesoft/flex-gateway \
registration create \
--client-id=<your-connected-app-client-id> \
--client-secret=<your-connected-app-client-secret> \
--environment=<your-environment-id> \
--connected=true \
--organization=<your-org-id> \
--output-directory=/registration \
my-gateway
Use sudo
if you encounter file permission issues when running this command.
If you are in Europe you will need to add the --anypoint-url=https://eu1.anypoint.mulesoft.com flag
to your command.
|
In the output directory, you should see the following new registration file(s):
-
registration.yaml
-
certificate.yaml
(generated only if thesplit
registration parameter is set totrue
, otherwise certificate information will be contained inregistration.yaml
)
These generated files are credentials for you to connect your Flex Gateway. If you lose them you can no longer connect your Flex Gateway. |
In Runtime Manager, click ← Flex Gateway in the left navigation to find your gateway in the UI. Notice that your gateway’s status is Disconnected. Refresh the page, if necessary.
Start Command
Run the following start command in the same directory where you ran the registration command:
docker run --rm \
-v "$(pwd)":/usr/local/share/mulesoft/flex-gateway/conf.d \
-p 8080:8080 \
mulesoft/flex-gateway
Specify an optional name you want to assign to your Flex Replica by including the following: -e FLEX_NAME=<name-for-flex-replica> \ .
|
In Runtime Manager, click ← Flex Gateway in the left navigation to find your new gateway in the UI. Notice that your gateway’s current status is Connected. Refresh the page, if necessary.
After 30 days, a stopped or deleted gateway is removed from the Runtime Manager UI. Otherwise, the UI continues to list the gateway even if it is no longer running or connected. |
Register and Run with a Connected App in a Podman Container
To register a Flex Gateway with Anypoint Platform, you must enter the registration command and then the start command. Each command includes information specific to your Anypoint Platform instance and must be updated before executing. See Before You Begin for more information on how to find the information you will need.
Collect Your Registration Data
Before registering your Flex Gateway instance, collect information for the following registration command options:
-
--client-id
= the Id for the Connected App you configured in Access Management -
--client-secret
= the Secret for the Connected App you configured in Access Management -
--environment
= the Environment Id for the environment in Anypoint Platform where you want the Flex Gateway to run -
--organization
= your Organization ID in Anypoint Platform -
--split
(optional) = the flag that determines whether registration information should split into multiple files. The default value isfalse
.If
split
is set totrue
, registration information is split into two files:registration.yaml
andcertificate.yaml
. Iffalse
, all registration information is contained in one file:registration.yaml
. -
--output-directory
(optional) = the directory in which registration information is output -
my-gateway
= the name you want to assign the gateway cluster
Register Flex Gateway
Register your Flex Gateway instance using the data that you gathered for the command options.
Create a new directory called flex-registration (or similar) and then run the registration command in this new directory. The command creates registration files in this location.
|
podman run --entrypoint flexctl --userns=keep-id \
-v "$(pwd)":/registration:Z -u $UID docker.io/mulesoft/flex-gateway \
registration create \
--client-id=<your-connected-app-client-id> \
--client-secret=<your-connected-app-client-secret> \
--environment=<your-environment-id> \
--connected=true \
--organization=<your-org-id> \
--output-directory=/registration \
my-gateway
Use sudo
if you encounter file permission issues when running this command.
If you are in Europe you will need to add the --anypoint-url=https://eu1.anypoint.mulesoft.com flag
to your command.
|
In the output directory, you should see the following new registration file(s):
-
registration.yaml
-
certificate.yaml
(generated only if thesplit
registration parameter is set totrue
, otherwise certificate information will be contained inregistration.yaml
)
These generated files are credentials for you to connect your Flex Gateway. If you lose them you can no longer connect your Flex Gateway. |
In Runtime Manager, click ← Flex Gateway in the left navigation to find your gateway in the UI. Notice that your gateway’s status is Disconnected. Refresh the page, if necessary.
Start Command
Run the following start command in the same directory where you ran the registration command:
podman run --rm \
-v "$(pwd)":/usr/local/share/mulesoft/flex-gateway/conf.d \
-p 8080:8080 \
docker.io/mulesoft/flex-gateway
Specify an optional name you want to assign to your Flex Replica by including the following: -e FLEX_NAME=<name-for-flex-replica> \ .
|
In Runtime Manager, click ← Flex Gateway in the left navigation to find your new gateway in the UI. Notice that your gateway’s current status is Connected. Refresh the page, if necessary.
After 30 days, a stopped or deleted gateway is removed from the Runtime Manager UI. Otherwise, the UI continues to list the gateway even if it is no longer running or connected. |
Register and Run with a Connected App in a Kubernetes Cluster
Register Flex Gateway, and then use Helm to deploy Flex Gateway to a node in your cluster and connect to Anypoint Platform. After deploying, use Runtime Manager to verify that the gateway is present and connected to Anypoint Platform.
When deploying Flex Gateway to a Kubernetes cluster that enables role-based access control (RBAC), you must have cluster-level permissions to permit installation of custom resource definitions (CRDs) used by Flex Gateway.
Complete the following steps:
In Connected Mode, Flex Gateway typically serves as an ingress or Edge API gateway that receives traffic from outside of the cluster. Flex Gateway can also act as a standalone gateway for internal (east-west) services.
Most management takes place within Anypoint Platform:
-
Deploy APIs to your cluster.
-
Apply policies and other configurations.
-
Create resources (with the exception of Configuration and Service resources).
In Connected Mode, resource creation through kubectl apply
is possible but restricted to the following resource types:
Configuration, Service, Extension, and PolicyBinding of types tls
, tls-inbound
, and tls-outbound
. For more info about resources, see Declarative Configuration Reference Guide.
Collect Your Registration Data
Before registering your Flex Gateway instance, collect information for the following registration command options:
-
--client-id
= the Id for the Connected App you configured in Access Management -
--client-secret
= the Secret for the Connected App you configured in Access Management -
--environment
= the Environment Id for the environment in Anypoint Platform where you want the Flex Gateway to run -
--organization
= your Organization ID in Anypoint Platform -
--split
(optional) = the flag that determines whether registration information should split into multiple files. The default value isfalse
.If
split
is set totrue
, registration information is split into two files:registration.yaml
andcertificate.yaml
. Iffalse
, all registration information is contained in one file:registration.yaml
. -
--output-directory
(optional) = the directory in which registration information is output -
my-gateway
= the name you want to assign the gateway cluster
Register Flex Gateway
Register your Flex Gateway instance using the data that you gathered for the command options.
You can register using one of the following container runtimes:
Docker
Run the following command to register using Docker:
docker run --entrypoint flexctl \
-v "$(pwd)":/registration -u $UID mulesoft/flex-gateway \
registration create \
--client-id=<your-connected-app-client-id> \
--client-secret=<your-connected-app-client-secret> \
--environment=<your-environment-id> \
--connected=true \
--organization=<your-org-id> \
--output-directory=/registration \
my-gateway
Use sudo
if you encounter file permission issues when running this command.
If you are in Europe you will need to add the --anypoint-url=https://eu1.anypoint.mulesoft.com flag
to your command.
|
In the output directory, you should see the following new registration file(s):
-
registration.yaml
-
certificate.yaml
(generated only if thesplit
registration parameter is set totrue
, otherwise certificate information will be contained inregistration.yaml
)
These generated files are credentials for you to connect your Flex Gateway. If you lose them you can no longer connect your Flex Gateway. |
In Runtime Manager, click ← Flex Gateway in the left navigation to find your gateway in the UI. Notice that your gateway’s status is Disconnected. Refresh the page, if necessary.
Podman
Run the following command to register using Podman:
podman run --entrypoint flexctl --userns=keep-id \
-v "$(pwd)":/registration:Z -u $UID docker.io/mulesoft/flex-gateway \
registration create \
--client-id=<your-connected-app-client-id> \
--client-secret=<your-connected-app-client-secret> \
--environment=<your-environment-id> \
--connected=true \
--organization=<your-org-id> \
--output-directory=/registration \
my-gateway
Use sudo
if you encounter file permission issues when running this command.
If you are in Europe you will need to add the --anypoint-url=https://eu1.anypoint.mulesoft.com flag
to your command.
|
In the output directory, you should see the following new registration file(s):
-
registration.yaml
-
certificate.yaml
(generated only if thesplit
registration parameter is set totrue
, otherwise certificate information will be contained inregistration.yaml
)
These generated files are credentials for you to connect your Flex Gateway. If you lose them you can no longer connect your Flex Gateway. |
In Runtime Manager, click ← Flex Gateway in the left navigation to find your gateway in the UI. Notice that your gateway’s status is Disconnected. Refresh the page, if necessary.
Install Helm Chart into the Namespace
A Helm chart installs Flex Gateway, monitoring tools, and applications. A minimum Helm version of 3.0.0 is required. Refer to Helm Chart Settings for configuration options.
-
Add a Helm repository named
flex-gateway
for your chart:helm repo add flex-gateway https://flex-packages.anypoint.mulesoft.com/helm
The command either adds the repository or skips this process if a Helm repository with that name already exists on your machine:
-
If the repository is new, the command returns the following message:
"flex-gateway" has been added to your repositories
-
If the repository already exists, the command returns the following message:
"flex-gateway" already exists with the same configuration, skipping
-
-
Run
helm repo up
.The command returns the following message:
Hang tight while we grab the latest from your chart repositories... ...Successfully got an update from the "flex-gateway" chart repository Update Complete. ⎈Happy Helming!⎈
If you have more than one Helm repository on your machine, the message in your terminal window lists all of the repositories.
-
Run the Helm command for deploying your gateway in Connected Mode:
helm -n gateway upgrade -i --create-namespace \ ingress flex-gateway/flex-gateway \ --set gateway.mode=connected \ --set-file registration.content=registration.yaml
This command creates the
gateway
namespace and a release namedingress
if they do not exist. You can use names of your choice for your namespace and release. The command syntax for the Helm repository and chart names is<helm-repo-name>/<helm-chart-name>
.The command uses
--set gateway.mode=connected
because the default for the Helm chart is Local Mode.When you install Flex Gateway, a Service type
LoadBalancer
is created by default. You must have the appropriate permissions to create a load balancer in your cloud. If the load balancer is not provisioned or has issues with the provisioning process, you must choose another type by changing theservice.type
property during the installation.By default, Flex Gateways running in Kubernetes or Openshift use a readiness probe. If there’s no API deployed to your Flex Gateway instance, the readiness state is false
. This isn’t an issue with custom readiness probe configurations.When successful, the command prints a message indicating an upgrade to your
ingress
release:Release "ingress" does not exist. Installing it now. NAME: ingress LAST DEPLOYED: Mon Mar 20 21:36:19 2023 NAMESPACE: gateway STATUS: deployed REVISION: 1 TEST SUITE: None
The
REVISION
value increments theingress
release by1
each time you run this command with the same namespace, repository, and chart names. For example, if you run the command a second time, you find a new revision number (REVISION: 2
). TheLAST DEPLOYED
date reflects the date of that revision.
In Runtime Manager, click ← Flex Gateway in the left navigation to find your new gateway in the UI. Notice that your gateway’s current status is Connected. Refresh the page, if necessary.
After 30 days, a stopped or deleted gateway is removed from the Runtime Manager UI. Otherwise, the UI continues to list the gateway even if it is no longer running or connected. |
Helm Chart Settings
To modify the default Helm settings with new values, such as resource
values for CPU and memory settings, see Update Pod Settings for a Flex Gateway Deployment Through a Helm Chart. For additional Helm chart configurations, see Manage Kubernetes Deployments.
Before modifying a Helm chart for a Flex Gateway deployment, review the default Helm chart settings:
-
Open the flex-gateway page in ArtifactHUB
-
Run
helm show values <repository-name>/<chart-name>
from a terminal window.Example:helm show values flex-gateway/flex-gateway
The example returns default values of a repository and chart with the same name.
To view the Helm chart README
, run helm show readme <repository-name>/<chart-name>
from a terminal window.
helm show readme flex-gateway/flex-gateway
Register and Run with a Connected App in an OpenShift Cluster
Register Flex Gateway, and then use Helm to deploy Flex Gateway to a node in your cluster and connect to Anypoint Platform. After deploying, use Runtime Manager to verify that the gateway is present and connected to Anypoint Platform.
When deploying Flex Gateway to a Kubernetes cluster that enables role-based access control (RBAC), you must have cluster-level permissions to permit installation of custom resource definitions (CRDs) used by Flex Gateway.
In OpenShift, the cluster-admin
role provides this level of access.
From the command line, OpenShift procedures match Kubernetes procedures. Complete the following steps:
In Connected Mode, Flex Gateway typically serves as an ingress or Edge API gateway that receives traffic from outside of the cluster. Flex Gateway can also act as a standalone gateway for internal (east-west) services.
Most management takes place within Anypoint Platform:
-
Deploy APIs to your cluster.
-
Apply policies and other configurations.
-
Create resources (with the exception of Configuration and Service resources).
In Connected Mode, resource creation through kubectl apply
is possible but restricted to the following resource types:
Configuration, Service, Extension, and PolicyBinding of types tls
, tls-inbound
, and tls-outbound
. For more info about resources, see Declarative Configuration Reference Guide.
Collect Your Registration Data
Before registering your Flex Gateway instance, collect information for the following registration command options:
-
--client-id
= the Id for the Connected App you configured in Access Management -
--client-secret
= the Secret for the Connected App you configured in Access Management -
--environment
= the Environment Id for the environment in Anypoint Platform where you want the Flex Gateway to run -
--organization
= your Organization ID in Anypoint Platform -
--split
(optional) = the flag that determines whether registration information should split into multiple files. The default value isfalse
.If
split
is set totrue
, registration information is split into two files:registration.yaml
andcertificate.yaml
. Iffalse
, all registration information is contained in one file:registration.yaml
. -
--output-directory
(optional) = the directory in which registration information is output -
my-gateway
= the name you want to assign the gateway cluster
Register Flex Gateway
Register your Flex Gateway instance using the data that you gathered for the command options.
You can register using one of the following container runtimes:
Docker
Run the following command to register using Docker:
docker run --entrypoint flexctl \
-v "$(pwd)":/registration -u $UID mulesoft/flex-gateway \
registration create \
--client-id=<your-connected-app-client-id> \
--client-secret=<your-connected-app-client-secret> \
--environment=<your-environment-id> \
--connected=true \
--organization=<your-org-id> \
--output-directory=/registration \
my-gateway
Use sudo
if you encounter file permission issues when running this command.
If you are in Europe you will need to add the --anypoint-url=https://eu1.anypoint.mulesoft.com flag
to your command.
|
In the output directory, you should see the following new registration file(s):
-
registration.yaml
-
certificate.yaml
(generated only if thesplit
registration parameter is set totrue
, otherwise certificate information will be contained inregistration.yaml
)
These generated files are credentials for you to connect your Flex Gateway. If you lose them you can no longer connect your Flex Gateway. |
In Runtime Manager, click ← Flex Gateway in the left navigation to find your gateway in the UI. Notice that your gateway’s status is Disconnected. Refresh the page, if necessary.
Podman
Run the following command to register using Podman:
podman run --entrypoint flexctl --userns=keep-id \
-v "$(pwd)":/registration:Z -u $UID docker.io/mulesoft/flex-gateway \
registration create \
--client-id=<your-connected-app-client-id> \
--client-secret=<your-connected-app-client-secret> \
--environment=<your-environment-id> \
--connected=true \
--organization=<your-org-id> \
--output-directory=/registration \
my-gateway
Use sudo
if you encounter file permission issues when running this command.
If you are in Europe you will need to add the --anypoint-url=https://eu1.anypoint.mulesoft.com flag
to your command.
|
In the output directory, you should see the following new registration file(s):
-
registration.yaml
-
certificate.yaml
(generated only if thesplit
registration parameter is set totrue
, otherwise certificate information will be contained inregistration.yaml
)
These generated files are credentials for you to connect your Flex Gateway. If you lose them you can no longer connect your Flex Gateway. |
In Runtime Manager, click ← Flex Gateway in the left navigation to find your gateway in the UI. Notice that your gateway’s status is Disconnected. Refresh the page, if necessary.
Install Helm Chart into the Namespace
A Helm chart installs Flex Gateway, monitoring tools, and applications. A minimum Helm version of 3.0.0 is required. Refer to Helm Chart Settings for configuration options.
-
Add a Helm repository named
flex-gateway
for your chart:helm repo add flex-gateway https://flex-packages.anypoint.mulesoft.com/helm
The command either adds the repository or skips this process if a Helm repository with that name already exists on your machine:
-
If the repository is new, the command returns the following message:
"flex-gateway" has been added to your repositories
-
If the repository already exists, the command returns the following message:
"flex-gateway" already exists with the same configuration, skipping
-
-
Run
helm repo up
.The command returns the following message:
Hang tight while we grab the latest from your chart repositories... ...Successfully got an update from the "flex-gateway" chart repository Update Complete. ⎈Happy Helming!⎈
If you have more than one Helm repository on your machine, the message in your terminal window lists all of the repositories.
-
Run the Helm command for deploying your gateway in Connected Mode:
helm -n gateway upgrade -i --create-namespace \ ingress flex-gateway/flex-gateway \ --set gateway.mode=connected \ --set-file registration.content=registration.yaml
This command creates the
gateway
namespace and a release namedingress
if they do not exist. You can use names of your choice for your namespace and release. The command syntax for the Helm repository and chart names is<helm-repo-name>/<helm-chart-name>
.The command uses
--set gateway.mode=connected
because the default for the Helm chart is Local Mode.When you install Flex Gateway, a Service type
LoadBalancer
is created by default. You must have the appropriate permissions to create a load balancer in your cloud. If the load balancer is not provisioned or has issues with the provisioning process, you must choose another type by changing theservice.type
property during the installation.By default, Flex Gateways running in Kubernetes or Openshift use a readiness probe. If there’s no API deployed to your Flex Gateway instance, the readiness state is false
. This isn’t an issue with custom readiness probe configurations.When successful, the command prints a message indicating an upgrade to your
ingress
release:Release "ingress" does not exist. Installing it now. NAME: ingress LAST DEPLOYED: Mon Mar 20 21:36:19 2023 NAMESPACE: gateway STATUS: deployed REVISION: 1 TEST SUITE: None
The
REVISION
value increments theingress
release by1
each time you run this command with the same namespace, repository, and chart names. For example, if you run the command a second time, you find a new revision number (REVISION: 2
). TheLAST DEPLOYED
date reflects the date of that revision.
In Runtime Manager, click ← Flex Gateway in the left navigation to find your new gateway in the UI. Notice that your gateway’s current status is Connected. Refresh the page, if necessary.
After 30 days, a stopped or deleted gateway is removed from the Runtime Manager UI. Otherwise, the UI continues to list the gateway even if it is no longer running or connected. |
Helm Chart Settings
To modify the default Helm settings with new values, such as resource
values for CPU and memory settings, see Update Pod Settings for a Flex Gateway Deployment Through a Helm Chart. For additional Helm chart configurations, see Manage Kubernetes Deployments.
Before modifying a Helm chart for a Flex Gateway deployment, review the default Helm chart settings:
-
Open the flex-gateway page in ArtifactHUB
-
Run
helm show values <repository-name>/<chart-name>
from a terminal window.Example:helm show values flex-gateway/flex-gateway
The example returns default values of a repository and chart with the same name.
To view the Helm chart README
, run helm show readme <repository-name>/<chart-name>
from a terminal window.
helm show readme flex-gateway/flex-gateway