Contact Us 1-800-596-4880

Installing Runtime Fabric Using Helm

You can use Helm to install Anypoint Runtime Fabric on an Amazon Elastic Kubernetes Service (Amazon EKS), Amazon Elastic Kubernetes Service Anywhere (Amazon EKS-A), Azure Kubernetes Service (AKS), Alibaba Cloud Container Service for Kubernetes (ACK), Google Kubernetes Engine (GKE), Rancher Kubernetes Engine (RKE) or VMware Tanzu Kubernetes Grid installation that you manage.

Steps to Install Runtime Fabric Using Helm

When you use Helm to install Runtime Fabric, you:

  1. Create a Runtime Fabric using Runtime Manager

  2. Create the rtf namespace for Runtime Fabric

  3. Create a Docker pull secret for pulling the Runtime Fabric component images

  4. Optionally, configure additional authorized namespaces

  5. Add the Runtime Fabric Helm repository

  6. Download the values.yml file and install Runtime Fabric

  7. Complete install steps

Before you Begin

Before installing Anypoint Runtime Fabric in a Kubernetes environment, ensure that you have:

  • Reviewed the architecture and requirements outlined in the Runtime Fabric Overview.

  • Configured your network to support Runtime Fabric.

  • Installed and configured your Kubernetes environment as follows:

    • Running an ACK, AKS, EKS, EKS-A, GKE, RKE, or VMware Tanzu Kubernetes environment. Other Kubernetes environments are not supported.

    • Running a supported Kubernetes version.

    • Running an ingress controller to send external requests to applications.

  • Installed Helm 3 or later and have privileged user permissions.

  • If you use Helm to manage your Runtime Fabric installation, you can use the rtfctl command line utility later to manage Mule license keys and proxies. However, you’ll need to track any post-installation changes you make, as explained in the upgrade documentation.

Helm Support

Runtime Fabric supports installations, upgrades, and rollbacks using Helm for versions 1.13 and later.

Create a Runtime Fabric Using Runtime Manager

To install Runtime Fabric with Helm, first create a Runtime Fabric using Runtime Manager. This is required to obtain the activation data that is needed during installation.

  1. From Anypoint Platform, select Runtime Manager.

  2. Click Runtime Fabrics.

  3. Click Create Runtime Fabric.

  4. Enter the name of the new Runtime Fabric, then select one of the following options:

    • Amazon Elastic Kubernetes Service

    • Azure Kubernetes Service

    • Google Kubernetes Engine

  5. Review the Support responsibility disclaimer, and if you agree, click Accept.

  6. Click Helm.

The remaining steps in the Helm-install process reference placeholder values. You can retrieve the actual values from Runtime Manager when you create the Runtime Fabric instance.

Create A Namespace for Runtime Fabric

You must create a namespace named rtf in your Kubernetes cluster. This namespace is where you install Runtime Fabric components.

To create the namespace, run:

kubectl create ns rtf

Using rtf as a namespace applies only in the case of single cluster or single instance.

Create A Docker Pull Secret

After you create the namespace, create a pull secret so you can retrieve the Docker images needed to install and run Runtime Fabric.

The default registry URL is If you’re using a local registry, specify those values here.

To create the pull secret, run:

kubectl create secret docker-registry <pull_secret> --namespace rtf --docker-server=<docker_registry_url> --docker-username=<docker_registry_username> --docker-password=<docker_ registry_password>

Add the Runtime Fabric Helm Repository

You need to add the Runtime Fabric Helm repo to the namespace you created. The Runtime Fabric Helm repo contains the chart needed to install Runtime Fabric.

To add the Helm repo, run:

helm repo add <name> <helm_repo_url> --username <your_username> --password <your_password>

If you already added the Helm repo, and you get a result that Runtime Fabric skipped adding the repo, run helm repo update before installing, or upgrading to, a new Runtime Fabric version.

(Optional) Configure Authorized Namespaces

You can optionally configure authorized namespaces, which enable you to deploy Runtime Fabric alongside other services in a Kubernetes cluster.

Before You Begin

Before configuring authorized namespaces, note the following:

  • You must create the authorized-namespaces ConfigMap file before installing Runtime Fabric. Additionally, you must name the ConfigMap, authorized-namespaces.

  • The rtf:resource-metrics-collector ClusterRole has cluster-wide permissions to get and list nodes, pods, and namespaces and has watch permissions for nodes. The role ClusterRole is defined as follows:

    kind: ClusterRole
      name: rtf:resource-metrics-collector
        {{- include "labels.standard" . | nindent 4 }}
      - apiGroups: [""]
        resources: ["nodes", "pods", "namespaces"]
        verbs: ["list", "get"]
      - apiGroups: [""]
        resources: ["nodes"]
        verbs: ["watch"]
    1. In your cluster, create an additional namespace for application deployments, and add the necessary labels to the namespace. To do so, create a YAML file with the following contents:

      apiVersion: v1
      kind: Namespace
        name: <namespace>
    2. Apply the file you just created:

      kubectl apply -f <filename>.yaml
    3. Repeat steps 1 and 2 to add as many namespaces as you need.

    4. Create the RoleBinding for the Runtime Fabric agent ClusterRole that includes the Runtime Fabric agent ServiceAccount. To do so, apply the following configuration in your additional namespace:

      kind: RoleBinding
        name: <name>
        namespace: <additional_namespace>
        - kind: ServiceAccount
          name: rtf-agent
          namespace: <rtf_namespace>
      # If using persistence gateway uncomment and provide the following. Ref:
      # subjects:
      #  - kind: ServiceAccount
      #    name: rtf-persistence-gateway
      #    namespace: <rtf_namespace>
        kind: ClusterRole
        name: rtf:agent

To use clustered apps in authorized namespaces mode, the following RoleBinding must be created:

kind: RoleBinding
  name: rtf-mule-clusterip-service
  namespace: <app_namespace>
- kind: ServiceAccount
  name: mule-clusterip-service
  namespace: <rtf_namespace>
  kind: ClusterRole
  name: rtf:mule-clusterip-service
  1. In the rtf namespace, create a ConfigMap file named authorized-namespaces and list any additional namespaces:

    apiVersion: v1
    kind: ConfigMap
      name: authorized-namespaces
      namespace: <rtf_namespace>
      ADDITIONAL_NAMESPACE_1: "additional-namespace1"
      ADDITIONAL_NAMESPACE_2: "additional-namespace2"
  2. If, after fully installing Runtime Fabric, you later add or delete any namespaces from the ConfigMap, you must restart the Runtime Fabric agent pod. To do so, run the following command:

    kubectl -nrtf delete po -l app=agent

    After you delete the pod, Kubernetes starts a new one.

Install Runtime Fabric

To install Runtime Fabric, use the values.yml file supplied by Runtime Manager.

  1. Download the values.yml file.

  2. Add any optional parameters needed.

    If you’re using authorized namespaces, set authorizedNamespaces to true.

  3. Run the following command:

    helm install runtime-fabric rtf/rtf-agent --version <VERSION_FROM_UI> -f values.yaml -n <namespace>

Values.yml Reference

The following is an example values.yml file.

activationData: <activation_data>
muleLicense: <mule_license_key>
customLog4jEnabled: false
  nodeWatcherEnabled: true
  deploymentRateLimitPerSecond: 1
  authorizedNamespaces: false
    pullSecretName: rtf-pull-secret
  - /var/lib/docker/containers
  - /var/log/containers
  - /var/log/pods
If you are configuring a Runtime Fabric BYOK with an EU control plane, review the changes in Hostname Configuration for a correct configuration. Specifically, the property rtfRegistry:

Required Parameters

These required values are created and added to values.yml when you create the Runtime Fabric in Runtime Manager:

Key Value Example


Activation data



Registry URL


Registry secret



Mule license for applications

<mule_license_key>. Must be Base64 encoded.

Optional Parameters

Set these optional parameters in values.yml as needed before installing Runtime Fabric.

Key Value Example


Enables or disables custom Log4j configurations

customLog4jEnabled: true, default is false


Enables or disables additional namespaces

authorizedNamespaces: true, default is false


Enables crds installations

crds.install: true, for first Runtime Fabric installation and false for subsequent installations

  • proxy.http_proxy

  • proxy.http_no_proxy

Proxy and no_proxy values


Anypoint Monitoring proxy values



The Filebeat read path

  • /var/lib/docker/

  • /var/log/containers

  • /var/log/pods


Enables or disables node watcher for the cluster

nodeWatcherEnabled:true default value true


Sets the deployment rate limit per second

deploymentRateLimitPerSecond: 1 default value 1

Insert the Mule License Key

If you didn’t add the Mule license key during install, you can add it using the rtfctl command line utility or Helm.

Before you install the license key, encode it to Base64 format.

Encode the License Key

  • On MacOS, run the following command:

    base64 -b 0 -i <license-file>
  • On Unix, run the following command:

    base64 -w0 <license-file>
  • On Windows, choose one of the following:

    • Use a WSL or Cygwin shell that includes the base64 tool and use the above Unix command.

    • Use the base64.exe program included with Windows git (C:\Program Files\Git\usr\bin).

    • Use the following Powershell command:

      $BASE64_ENCODED_LICENSE=[convert]::ToBase64String((Get-Content -path "license.lic" -Encoding byte))

Apply the License Key Using rtfctl

  1. On the controller node acting as the leader during installation (the installer node), run the following command:

    rtfctl apply mule-license $BASE64_ENCODED_LICENSE

    You can also apply the Mule license providing the file path directly:

    rtfctl apply mule-license --file /path/to/license.lic
    Any value used with rtfcl apply updates does not work for OpenShift. You have to update the values in the OpenShift console.
  2. To verify the Mule license key has applied correctly, run:

    rtfctl get mule-license

Apply the License Key Using Helm

To apply the license using Helm, run the following command:

helm upgrade runtime-fabric rtf/rtf-agent --set muleLicense=$BASE64_ENCODED_LICENSE -n rtf --reuse-values --version <current-version>

Configure the Ingress Resource Template

If your ingress controller requires custom annotations and ingress class definition, follow the instructions in Defining a Custom Ingress Configuration.

For GKE customers, the ingress controller included with GKE will provision a separate HTTP load balancer per application by default. Please read this KB article for more details.

Validate Your Runtime Fabric

After completing the installation, your Runtime Fabric should be activated within your Anypoint organization. To validate your installation, go to Anypoint Runtime Manager and confirm that the status of the Runtime Fabric is Active.

Before deploying an application to your Runtime Fabric:

  1. Associate the Runtime Fabric with at least one Anypoint environment.

  2. Review and update the Inbound Traffic settings based upon your Kubernetes environment.

  3. Deploy an application to verify that Runtime Fabric is installed and configured correctly.

Perform a Rollback

To roll back to a previous version of Runtime Fabric using helm, refer to the Helm rollback documentation for the command description.