Contact Us 1-800-596-4880

Installing Runtime Fabric on Self-Managed Kubernetes

Anypoint Runtime Fabric can be installed and operated on an Amazon Elastic Kubernetes Service (Amazon EKS), Azure Kubernetes Service (AKS) or Google Kubernetes Engine (GKE) installation that you manage.

Before you Begin

Before installing Anypoint Runtime Fabric in a self-managed Kubernetes environment, ensure the following:

  • You have read and understand the architecture and requirements outlined in Runtime Fabric on Self-Managed Kubernetes

  • You have installed and configured your Kubernetes environment as follows:

    • Running an EKS, AKS, or GKE Kubernetes environment. Other Kubernetes environments are not supported.

    • Running a supported Kubernetes version

    • Running an ingress controller to send external requests to applications.

If you want to use a local registry with Runtime Fabric, follow the installation instructions in Using a Local Registry with Runtime Fabric on Self-Managed Kubernetes. You must set up the local registry during installation.

Configure your Network to Support Runtime Fabric on Self-Managed Kubernetes

Network configuration must be performed by an IT administrator.

Before installing or using Runtime Fabric on Self-Managed Kubernetes, ensure that the following ports and hostnames are configured correctly.

Port Configuration

To install or run Runtime Fabric, ensure that you have configured the following ports on your Kubernetes installation:

Port Layer 4 Protocol Layer 5 Protocol Source Destination Description

443

TCP

HTTPS

Internet

All nodes

Allow inbound requests to Mule runtime servers

443

TCP

AMQP over WebSockets

All nodes

Internet

Anypoint Platform management services

443

TCP

HTTPS

All nodes

Internet

API Manager policy updates, API Analytics Ingestion, and Resource retrieval (application files, container images).

443 (v1.8.50, or later)

TCP

Lumberjack

All nodes

Internet

Anypoint Monitoring, Anypoint Visualizer

5044 (deprecated)

TCP

Lumberjack

All nodes

Internet

Anypoint Monitoring, Anypoint Visualizer

This port and hostname are deprecated in Anypoint Runtime Fabric, version 1.8.50 and later.

If you are using a previous version of Anypoint Runtime Fabric you must add this port your allow list. If you are using a newer version, use the port and hostname specified above.

Port Used by the Persistence Gateway

The Persistent Gateway requires a Postgres-compliant database to store persistent data across Mule application replicas. Ensure that your Kubernetes cluster has access to this database and port. See Persistence Gateway.

Hostname Configuration

To function correctly, Runtime Fabric on Self-Managed Kubernetes requires the following hostname configurations:

Port Protocol Hostnames Description

443

AMQP over WebSockets

  • US control plane: transport-layer.prod.cloudhub.io

  • EU control plane: transport-layer.prod-eu.msap.io

Runtime Fabric message broker for interaction with the control plane.

443 (v1.8.50, or later)

TCP (Lumberjack)

  • US control plane: dias-ingestor-router.us-east-1.prod.cloudhub.io

  • EU control plane: dias-ingestor-nginx.prod-eu.msap.io

Anypoint Monitoring agent for Runtime Fabric.

5044 (deprecated)

TCP (Lumberjack)

  • US control plane: dias-ingestor-nginx.prod.cloudhub.io

  • EU control plane: dias-ingestor-nginx.prod-eu.msap.io

Anypoint Monitoring agent for Runtime Fabric.

This port and hostname are deprecated in Anypoint Runtime Fabric, version 1.8.50 and later.

If you are using a previous version of Anypoint Runtime Fabric you must add this port and hostname to your allow list. If you are using a newer version, use the port and hostname specified below. This is applicable to endpoints in both the US and EU clouds.

443

HTTPS

anypoint.mulesoft.com

Anypoint Platform for pulling assets.

443

HTTPS

kubernetes-charts.storage.googleapis.com

Kubernetes base charts repository.

443

HTTPS

docker-images-prod.s3.amazonaws.com

Kubernetes base charts repository.

443

HTTPS

  • US control plane: worker-cloud-helm-prod.s3.amazonaws.com

  • EU control plane: worker-cloud-helm-prod-eu-rt.s3.amazonaws.com, worker-cloud-helm-prod-eu-rt.s3.eu-central-1.amazonaws.com

Runtime Fabric version repository. The Runtime Fabric installation uses software from this repository during installation and upgrades.

443

HTTPS

  • US control plane: exchange2-asset-manager-kprod.s3.amazonaws.com

  • EU control plane: exchange2-asset-manager-kprod-eu.s3.amazonaws.com, exchange2-asset-manager-kprod-eu.s3.eu-central-1.amazonaws.com

Anypoint Exchange for application assets.

443

HTTPS

  • US control plane: exchange-files.anypoint.mulesoft.com

  • EU control plane: exchange-files.eu1.anypoint.mulesoft.com

Anypoint Exchange for application files.

443

HTTPS

  • US control plane: rtf-runtime-registry.kprod.msap.io

  • EU control plane: rtf-runtime-registry.kprod-eu.msap.io

Runtime Fabric Docker repository.

443

HTTPS

  • US control plane: prod-us-east-1-starport-layer-bucket.s3.amazonaws.com, prod-us-east-1-starport-layer-bucket.s3.us-east-1.amazonaws.com

  • EU control plane: prod-eu-central-1-starport-layer-bucket.s3.amazonaws.com, prod-eu-central-1-starport-layer-bucket.s3.eu-central-1.amazonaws.com

Runtime Fabric Docker image delivery.

443

HTTPS

  • US control plane: runtime-fabric.s3.amazonaws.com

  • EU control plane: runtime-fabric-eu.s3.amazonaws.com

Runtime Fabric Docker repository.

443

HTTPS

  • US control plane: configuration-resolver.prod.cloudhub.io

  • EU control plane: configuration-resolver.prod-eu.msap.io

Anypoint Configuration Resolver.

Certificate Configuration

To allow different endpoints to use mutual TLS authentication to establish a connection, you must configure SSL passthrough to allow the following certificates:

Control Plane Certificates

US control plane

transport-layer.prod.cloudhub.io
configuration-resolver.prod.cloudhub.io

EU control plane

transport-layer.prod-eu.msap.io
configuration-resolver.prod-eu.msap.io

Create a Runtime Fabric using Runtime Manager

The procedures in this section should be performed by a MuleSoft organization administrator.

To install Runtime Fabric on Self-Managed Kubernetes, first create a Runtime Fabric using Runtime Manager. This is required to obtain the activation data which is needed during installation.

  1. From Anypoint Platform, select Runtime Manager.

  2. Click Runtime Fabrics.

  3. Click Create Runtime Fabric.

  4. Enter the name of the new Runtime Fabric, then select one of the following options:

    • Amazon Elastic Kubernetes Service

    • Azure Kubernetes Service

  5. Click Next.

  6. Review the Support responsibility disclaimer, then if you agree click Accept.

    Runtime Manager creates the Runtime Fabric and displays the Activation State page. This page displays the activation data used to install Runtime Fabric on a Kubernetes service. Copy this data to the clipboard for use in the next section.

Download the rtfctl Utility

The tasks in the section must be performed by an IT administrator.

Runtime Fabric on Self-Managed Kubernetes uses the rtfctl command-line utility for installation and management tasks. See Install the Runtime Fabric Command Line Tool.

  1. Download the rtfctl command-line utility:

    rtfctl is supported on Windows, MacOS (Darwin), and Linux. Choose the appropriate method:

    • Windows

      curl -L https://anypoint.mulesoft.com/runtimefabric/api/download/rtfctl-windows/latest -o rtfctl.exe
    • MacOS (Darwin)

      curl -L https://anypoint.mulesoft.com/runtimefabric/api/download/rtfctl-darwin/latest -o rtfctl
    • Linux

      curl -L https://anypoint.mulesoft.com/runtimefabric/api/download/rtfctl/latest -o rtfctl
  2. Change file permissions for the rtfctl command-line utility:

    sudo chmod +x rtfctl

Install Runtime Fabric

After creating a Runtime Fabric in Runtime Manager and obtaining the activation data, install Runtime Fabric into your Kubernetes service using the rtfctl command-line utility.

If your Kubernetes configuration is not located in the \~/.kube/config directory, set the KUBECONFIG environment variable before running rtfctl:

export KUBECONFIG=<path-to-kubeconfig>
  1. Validate that your Kubernetes environment is read for installation:

    rtfctl validate <activation_data>

    The validate option verifies that:

    • The Kubernetes environment is running.

    • All required components exist.

    • All required services are available.

      The rtfctl command-line utility outputs any incompatibilities with the Kubernetes environment.

  2. Install Runtime Fabric:

    rtfctl install <activation_data>

    <activation_data> is the activation data obtained after creating the Runtime Fabric using Runtime Manager. During installation, the rtfctl utility displays any errors encountered.

Insert the Mule License Key

The procedures in the section must be performed by an IT administrator.

After the installation has completed succesfully, insert the Mule license key.

  1. Base64 encode the new Mule .lic license file provided by MuleSoft:

    • On MacOS, run the following command:

      BASE64_ENCODED_LICENSE=$(base64 -b0 license.lic)
    • On Unix, run the following command:

      BASE64_ENCODED_LICENSE=$(base64 -w0 license.lic)
    • On Windows, choose one of the following:

      • Use a WSL or Cygwin shell that includes the base64 tool and use the above Unix command.

      • Use the base64.exe program included with Windows git (C:\Program Files\Git\usr\bin).

      • Use the following Powershell command:

        $BASE64_ENCODED_LICENSE=[convert]::ToBase64String((Get-Content -path "license.lic" -Encoding byte))
  2. On the controller node acting as the leader during installation (the installer node), use the rtfctl utility with the Base64 value of your license key:

    rtfctl apply mule-license $BASE64_ENCODED_LICENSE
  3. To verify the Mule license key has applied correctly, run:

    rtfctl get mule-license

Configure the Ingress Resource Template

The procedures in this section should be performed by an IT administrator.

If your ingress controller requires custom annotations and ingress class definition, follow the instructions in Defining a Custom Ingress Configuration.

For GKE customers, the ingress controller included with GKE will provision a separate HTTP load balancer per application by default. Please read this KB article for more details.

Validate Your Runtime Fabric

The procedures in this section should be performed by an IT administrator.

After completing the installation, your Runtime Fabric should be activated within your Anypoint organization. To validate your installation, go to Anypoint Runtime Manager and confirm that the status of the Runtime Fabric is Active.

Before deploying an application to your Runtime Fabric:

  1. Associate the Runtime Fabric with at least one Anypoint environment.

  2. Review and update the Inbound Traffic settings based upon your Kubernetes environment.

  3. Deploy an application to verify that Runtime Fabric is installed and configured correctly.