Installing Runtime Fabric Using Helm

You can use Helm to install Anypoint Runtime Fabric on an Amazon Elastic Kubernetes Service (Amazon EKS), Amazon Elastic Kubernetes Service Anywhere (Amazon EKS-A), Azure Kubernetes Service (AKS), Alibaba Cloud Container Service for Kubernetes (ACK), Google Kubernetes Engine (GKE), Rancher Kubernetes Engine (RKE) or VMware Tanzu Kubernetes Grid installation that you manage.

Steps to Install Runtime Fabric Using Helm

When you use Helm to install Runtime Fabric, you:

Create a Runtime Fabric using Runtime Manager
Create the rtf namespace for Runtime Fabric
Create a Docker pull secret for pulling the Runtime Fabric component images
Optionally, configure additional authorized namespaces
Add the Runtime Fabric Helm repository
Download the values.yml file and install Runtime Fabric
Complete install steps

Before you Begin

Before installing Anypoint Runtime Fabric in a Kubernetes environment, ensure that you have:

Reviewed the architecture and requirements outlined in the Runtime Fabric Overview.
Configured your network to support Runtime Fabric.
Installed and configured your Kubernetes environment as follows:
- Running an ACK, AKS, EKS, EKS-A, GKE, RKE, or VMware Tanzu Kubernetes environment. Other Kubernetes environments are not supported.
- Running a supported Kubernetes version.
- Running an ingress controller to send external requests to applications.
Installed Helm 3 or later and have privileged user permissions.

If you use Helm to manage your Runtime Fabric installation, you can use the rtfctl command line utility later to manage Mule license keys and proxies. However, you’ll need to track any post-installation changes you make, as explained in the upgrade documentation.

Helm Support

Runtime Fabric supports installations, upgrades, and rollbacks using Helm for versions 1.13 and later.

Create a Runtime Fabric Using Runtime Manager

To install Runtime Fabric with Helm, first create a Runtime Fabric using Runtime Manager. This is required to obtain the activation data that is needed during installation.

From Anypoint Platform, select Runtime Manager.
Click Runtime Fabrics.
Click Create Runtime Fabric.
Enter the name of the new Runtime Fabric, then select one of the following options:
- Amazon Elastic Kubernetes Service
- Azure Kubernetes Service
- Google Kubernetes Engine
Review the Support responsibility disclaimer, and if you agree, click Accept.
Click Helm.

When creating the Runtime Fabric, the business unit you choose is set as the owner business unit. This business unit is referenced in usage reports for reporting allocated cluster capacity. Ensure that you select the correct business unit during installation.

The remaining steps in the Helm-install process reference placeholder values. You can retrieve the actual values from Runtime Manager when you create the Runtime Fabric instance.

Create A Namespace for Runtime Fabric

You must create a namespace named rtf in your Kubernetes cluster. This namespace is where you install Runtime Fabric components.

To create the namespace, run:

kubectl create ns rtf

Using rtf as a namespace applies only in the case of single cluster or single instance.

Create A Docker Pull Secret

After you create the namespace, create a pull secret so you can retrieve the Docker images needed to install and run Runtime Fabric.

The default registry URL is rtf-runtime-registry.kprod.msap.io. If you’re using a local registry, specify those values here.

To create the pull secret, run:

kubectl create secret docker-registry <pull_secret> --namespace rtf --docker-server=<docker_registry_url> --docker-username=<docker_registry_username> --docker-password=<docker_ registry_password>

Add the Runtime Fabric Helm Repository

You need to add the Runtime Fabric Helm repo to the namespace you created. The Runtime Fabric Helm repo contains the chart needed to install Runtime Fabric.

To add the Helm repo, run:

helm repo add <name> <helm_repo_url> --username <your_username> --password <your_password>

If you already added the Helm repo, and you get a result that Runtime Fabric skipped adding the repo, run helm repo update before installing, or upgrading to, a new Runtime Fabric version.

(Optional) Configure Authorized Namespaces

You can optionally configure authorized namespaces, which enable you to deploy Runtime Fabric alongside other services in a Kubernetes cluster.

Before You Begin

Before configuring authorized namespaces, note the following:

You must create the authorized-namespaces ConfigMap file before installing Runtime Fabric. Additionally, you must name the ConfigMap, authorized-namespaces.

The rtf:resource-metrics-collector ClusterRole has cluster-wide permissions to get and list nodes, pods, and namespaces and has watch permissions for nodes. The role ClusterRole is defined as follows:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: rtf:resource-metrics-collector
  labels:
    {{- include "labels.standard" . | nindent 4 }}
rules:
  - apiGroups: [""]
    resources: ["nodes", "pods", "namespaces"]
    verbs: ["list", "get"]
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["watch"]

In your cluster, create an additional namespace for application deployments, and add the necessary labels to the namespace. To do so, create a YAML file with the following contents:

apiVersion: v1
kind: Namespace
metadata:
  name: <namespace>
  labels:
    rtf.mulesoft.com/agentNamespace: <rtf_namespace>
    rtf.mulesoft.com/envId: <environment_id>
    rtf.mulesoft.com/org: <org_id>
    rtf.mulesoft.com/role: workers

Apply the file you just created:
```
kubectl apply -f <filename>.yaml
```
Repeat steps 1 and 2 to add as many namespaces as you need.

Create the RoleBinding for the Runtime Fabric agent ClusterRole that includes the Runtime Fabric agent ServiceAccount. To do so, apply the following configuration in your additional namespace:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: <name>
  namespace: <additional_namespace>
subjects:
  - kind: ServiceAccount
    name: rtf-agent
    namespace: <rtf_namespace>
# If using persistence gateway uncomment and provide the following. Ref: https://docs.mulesoft.com/runtime-fabric/latest/persistence-gateway#persistence-gateway-with-authorized-namespaces
# subjects:
#  - kind: ServiceAccount
#    name: rtf-persistence-gateway
#    namespace: <rtf_namespace>

roleRef:
  kind: ClusterRole
  name: rtf:agent
  apiGroup: rbac.authorization.k8s.io

To use clustered apps in authorized namespaces mode, the following RoleBinding must be created:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rtf-mule-clusterip-service
  namespace: <app_namespace>
subjects:
- kind: ServiceAccount
  name: mule-clusterip-service
  namespace: <rtf_namespace>
roleRef:
  kind: ClusterRole
  name: rtf:mule-clusterip-service
  apiGroup: rbac.authorization.k8s.io

In the rtf namespace, create a ConfigMap file named authorized-namespaces and list any additional namespaces:

apiVersion: v1
kind: ConfigMap
metadata:
  name: authorized-namespaces
  namespace: <rtf_namespace>
data:
  ADDITIONAL_NAMESPACE_1: "additional-namespace1"
  ADDITIONAL_NAMESPACE_2: "additional-namespace2"

If, after fully installing Runtime Fabric, you later add or delete any namespaces from the ConfigMap, you must restart the Runtime Fabric agent pod. To do so, run the following command:
```
kubectl -nrtf delete po -l app=agent
```
After you delete the pod, Kubernetes starts a new one.

Install Runtime Fabric

To install Runtime Fabric, use the values.yml file supplied by Runtime Manager.

Download the values.yml file.
Add any optional parameters needed.

If you’re using authorized namespaces, set authorizedNamespaces to true.

Run the following command:

helm install runtime-fabric rtf/rtf-agent --version <VERSION_FROM_UI> -f values.yaml -n <namespace>

Values.yml Reference

The following is an example values.yml file.

activationData: <activation_data>
proxy:
  http_proxy:
  http_no_proxy:
  monitoring_proxy:
muleLicense: <mule_license_key>
customLog4jEnabled: false
global:
  nodeWatcherEnabled: true
  deploymentRateLimitPerSecond: 1
  authorizedNamespaces: false
  image:
    rtfRegistry: rtf-runtime-registry.kqa.msap.io
    pullSecretName: rtf-pull-secret
  containerLogPaths:
  - /var/lib/docker/containers
  - /var/log/containers
  - /var/log/pods

If you are configuring a Runtime Fabric BYOK with an EU control plane, review the changes in Hostname Configuration for a correct configuration. Specifically, the property rtfRegistry: rtf-runtime-registry.kprod-eu.msap.io.

Required Parameters

These required values are created and added to values.yml when you create the Runtime Fabric in Runtime Manager:

Key Value Example

Key	Value	Example
`activationData`	Activation data	YW55cG9pbnQubXVsZXNvZnQuY29tOjBmODdmYzYzLTM3MWUtNDU2Yy1iODg5LTU5NTkyNjYyZjUxZQ==
`rtfRegistry`	Registry URL	`rtf-runtime-registry.kprod.msap.io`
`pullSecretName`	Registry secret	`<pull_secret>`
`muleLicense`	Mule license for applications	`<mule_license_key>`. Must be Base64 encoded.

activationData

Activation data

YW55cG9pbnQubXVsZXNvZnQuY29tOjBmODdmYzYzLTM3MWUtNDU2Yy1iODg5LTU5NTkyNjYyZjUxZQ==

rtfRegistry

Registry URL

rtf-runtime-registry.kprod.msap.io

pullSecretName

Registry secret

<pull_secret>

muleLicense

Mule license for applications

<mule_license_key>. Must be Base64 encoded.

Optional Parameters

Set these optional parameters in values.yml as needed before installing Runtime Fabric.

Key Value Example

Key	Value	Example
`customLog4jEnabled`	Enables or disables custom Log4j configurations	`customLog4jEnabled: true`, default is `false`
`authorizedNamespaces`	Enables or disables additional namespaces	`authorizedNamespaces: true`, default is false
`crds.install`	Enables crds installations	`crds.install: true`, for first Runtime Fabric installation and false for subsequent installations
`proxy.http_proxy` `proxy.http_no_proxy`	Proxy and no_proxy values	`http://<user>:<pass>@<10.0.0.1>:<8080>;` `<1.1.1.1:8888,2.2.2.2:9999>`
`proxy.monitoring_proxy`	Anypoint Monitoring proxy values	`socks5://<user>:<pass>@<10.0.0.2>:<8080>`
`global.containerLogPaths`	The Filebeat read path	`/var/lib/docker/` `/var/log/containers` `/var/log/pods`
`nodeWatcherEnabled`	Enables or disables node watcher for the cluster	`nodeWatcherEnabled:true` default value `true`
`deploymentRateLimitPerSecond`	Sets the deployment rate limit per second	`deploymentRateLimitPerSecond: 1` default value `1`
`fipsEnabled`	Enable FIPS for Helm managed Runtime Fabrics.	`fipsEnabled: true` default value `false`

customLog4jEnabled

Enables or disables custom Log4j configurations

customLog4jEnabled: true, default is false

authorizedNamespaces

Enables or disables additional namespaces

authorizedNamespaces: true, default is false

crds.install

Enables crds installations

crds.install: true, for first Runtime Fabric installation and false for subsequent installations

proxy.http_proxy
proxy.http_no_proxy

Proxy and no_proxy values

http://<user>:<pass>@<10.0.0.1>:<8080>;
<1.1.1.1:8888,2.2.2.2:9999>

proxy.monitoring_proxy

Anypoint Monitoring proxy values

socks5://<user>:<pass>@<10.0.0.2>:<8080>

global.containerLogPaths

The Filebeat read path

/var/lib/docker/
/var/log/containers
/var/log/pods

nodeWatcherEnabled

Enables or disables node watcher for the cluster

nodeWatcherEnabled:true default value true

deploymentRateLimitPerSecond

Sets the deployment rate limit per second

deploymentRateLimitPerSecond: 1 default value 1

fipsEnabled

Enable FIPS for Helm managed Runtime Fabrics.

fipsEnabled: true default value false

Insert the Mule License Key

If you didn’t add the Mule license key during install, you can add it using the rtfctl command line utility or Helm.

Before you install the license key, encode it to Base64 format.

Encode the License Key

On MacOS, run the following command:
```
base64 -b 0 -i <license-file>
```
On Unix, run the following command:
```
base64 -w0 <license-file>
```
On Windows, choose one of the following:
- Use a WSL or Cygwin shell that includes the base64 tool and use the above Unix command.
- Use the base64.exe program included with Windows git (C:\Program Files\Git\usr\bin).
- Use the following Powershell command:
  $BASE64_ENCODED_LICENSE=[convert]::ToBase64String((Get-Content -path "license.lic" -Encoding byte))

Apply the License Key Using rtfctl

On the controller node acting as the leader during installation (the installer node), run the following command:
```
rtfctl apply mule-license $BASE64_ENCODED_LICENSE
```
You can also apply the Mule license providing the file path directly:
```
rtfctl apply mule-license --file /path/to/license.lic
```
Any value used with rtfcl apply updates does not work for OpenShift. You have to update the values in the OpenShift console.
To verify the Mule license key has applied correctly, run:
```
rtfctl get mule-license
```

Apply the License Key Using Helm

To apply the license using Helm, run the following command:

helm upgrade runtime-fabric rtf/rtf-agent --set muleLicense=$BASE64_ENCODED_LICENSE -n rtf --reuse-values --version <current-version>

Configure the Ingress Resource Template

If your ingress controller requires custom annotations and ingress class definition, follow the instructions in Defining a Custom Ingress Configuration.

For GKE customers, the ingress controller included with GKE will provision a separate HTTP load balancer per application by default. Please read this KB article for more details.

Validate Your Runtime Fabric

After completing the installation, your Runtime Fabric should be activated within your Anypoint organization. To validate your installation, go to Anypoint Runtime Manager and confirm that the status of the Runtime Fabric is Active.

Before deploying an application to your Runtime Fabric:

Associate the Runtime Fabric with at least one Anypoint environment.
Review and update the Inbound Traffic settings based upon your Kubernetes environment.
Deploy an application to verify that Runtime Fabric is installed and configured correctly.

Perform a Rollback

To roll back to a previous version of Runtime Fabric using helm, refer to the Helm rollback documentation for the command description.