+
+

Managing Proxies on Runtime Fabric on Self-Managed Kubernetes

Runtime Fabric on Self-Managed Kubernetes uses two types of proxies when running and hosting applications:

  • System proxies: include proxies that enable connectivity among Kubernetes cluster services, including the Docker daemon and other internal components. When using Runtime Fabric on Self-Managed Kubernetes you are responsible for configuring and managing system proxies.

  • Application proxies: include proxies that enable connectivity to applications running on Runtime Fabric.

You can configure the proxy settings used by Runtime Fabric outbound connections to the internet. This includes both HTTP proxies for connecting to the Anypoint Platform control plane and SOCKS5 proxies for sending metrics and logs to Anypoint Monitoring. You can also configure proxies for applications.

Install rtfctl

The rtfctl command line tool is required to manage proxy settings on Runtime Fabric. Follow the steps to Install rtfctl before configuring proxy settings.

You can apply proxy settings during installation of Runtime Fabric on Self-Managed Kubernetes if you install using Helm. For more information, refer to the Installing Runtime Fabric on Self-Managed Kubernetes Using Helm documentation.

Configure an Anypoint Monitoring Proxy

Because the monitoring agent requires a SOCKS5 proxy, you need two proxy types if you use Anypoint Monitoring.

The SOCKS5 proxy must connect to Anypoint Monitoring over TCP at the following endpoints:

  • US control plane: dias-ingestor-router.us-east-1.prod.cloudhub.io

  • EU control plane: dias-ingestor-router.eu-central-1.prod-eu.msap.io

This step is performed one time on one controller node.
  1. Log into a controller node where rtfctl is installed.

  2. Run the following command, replacing the placeholder values with the following:

    sudo /opt/anypoint/runtimefabric/rtfctl apply monitoring-proxy "socks5://<user>:<pass>@<10.0.0.2>:<8080>"
    • <user>: the username needed to authenticate to the SOCKS5 proxy.

    • <pass>: the password needed to authenticate to the SOCKS5 proxy.

      The password must be URL encoded.
    • <10.0.0.2>: The IP address or hostname used to access the SOCKS5 proxy.

    • <8080>: The host port on the host where the SOCKS5 proxy is listening for requests.

  3. To verify the change was successful, run the following command to output the current value of the monitoring proxy:

    sudo /opt/anypoint/runtimefabric/rtfctl get monitoring-proxy

    The output should match the value expected.

Configure an HTTP Proxy for Services in Runtime Fabric

You can configure HTTP and HTTPS proxies so that outbound components can communicate with the control plane.

Note that Anypoint Monitoring uses its own proxy settings, as do Mule applications.

Updating an HTTP proxy causes each machine in the cluster to restart all pods running on it. Although no downtime occurs if you are running multiple replicas, you should perform HTTP proxy updates during a maintenance window.

  • Apply the proxy values to the services running within Runtime Fabric.

  • If you are using Runtime Fabric installer 1.0.x, run the script on each node of your Runtime Fabric to update the cluster.

Perform these steps one time on one controller node.
  1. Log in to a controller node where rtfctl has been installed.

  2. Run the following command, replacing the placeholder values with the following:

    sudo /opt/anypoint/runtimefabric/rtfctl apply http-proxy "http://<user>:<pass>@<10.0.0.1>:<8080>" --no-proxy "<1.1.1.1:8888,2.2.2.2:9999>"
    • <user>: the username needed to authenticate to the HTTP proxy.

    • <pass>: the password needed to authenticate to the HTTP proxy.

      The password must be URL encoded.
    • <10.0.0.1>: Specifies the IP address or hostname to access the HTTP proxy.

    • <8080>: Specifies the port on the host where the HTTP proxy is listening for requests.

    • <1.1.1.1:8888,2.2.2.2:9999>: Specifies the RTF_NO_PROXY hosts and ports, delimited by commas.

    • (Optional) --confirm: Skips manual acknowledgement of the change. If not specified, the rtfctl apply proxy command prompts you to confirm the change before continuing.

  3. To verify the change was successful, run the following command to output the current value of the HTTP proxy:

    sudo /opt/anypoint/runtimefabric/rtfctl get http-proxy

    The output should match the value expected.

  4. To remove the proxy values, run:

    sudo /opt/anypoint/runtimefabric/rtfctl apply http-proxy '' --no-proxy ''

About the HTTP_PROXY Environment Variable

After applying a proxy for services in Runtime Fabric, you could see a warning similar to:

Warning: Proxy configurations in the environment "HTTP_PROXY: " does not match configurations in Runtime Fabric "YOUR_PROXY"

Runtime Fabric generates this warning to let you know that you have not set the HTTP_PROXY environment variable or that the variable does not match the value used for Runtime Fabric services. The settings do not have to match, but Runtime Fabric generates the warning so you’re aware services could be impacted.

Many Linux tools use the HTTP_PROXY environment variable to provide their proxy settings. If your environment requires a proxy for Internet access, you likely need to set the HTTP_PROXY environment variable for commands that require Internet access.

This could affect other tools that also use HTTP or HTTPS operations but do not require Internet access, such as kubectl. You can use the NO_PROXY environment variable to establish connections that should not be proxied.

Refer to the documentation for your Linux tools for more information on which environment variables affect its proxy behavior.

About the NO_PROXY Environment Variable

By default, NO_PROXY is set to 0.0.0.0/0 and .local. These settings ensure that the proxy does not route any IPV4 destination addresses.

Configure a Proxy for the API Manager Agent

You can use a proxy to establish communication for Mule applications that you manage with API Manager. This proxy configuration must be set on each Mule application, even if you are using the same configuration for all applications. Note this setting is independent from the application-level proxy that applications use to communicate with other external endpoints, as explained in Configure a Proxy for a Mule Application.

To configure a proxy for the API Manager Agent, add the following properties to the application:

anypoint.platform.proxy_host=hostname
anypoint.platform.proxy_port=port
anypoint.platform.proxy_username=username
anypoint.platform.proxy_password=password

Configure a Proxy for a Mule Application

Applications deployed in Runtime Fabric do not inherit proxy settings from the Runtime Fabric cluster. You must configure a proxy for each application.

You can set up a proxy on each connector (such as an HTTP requestor) or set up a proxy with application properties as shown in the following example. Setting up a proxy with application properties is less work if you have a large number of connectors in an application.

http.nonProxyHosts=localhost|*.svc.cluster.local|*.monitoring.svc.cluster.local
http.proxyHost=172.19.0.23
http.proxyPort=3128
https.proxyHost=172.19.0.23
https.proxyPort=3128

java.net.useSystemProxies=false
com.ning.http.client.AsyncHttpClientConfig.useProxySelector=false
com.ning.http.client.AsyncHttpClientConfig.useProxyProperties=true

Was this article helpful?

💙 Thanks for your feedback!

Edit on GitHub
Submit your feedback!
Share your thoughts to help us build the best documentation experience for you!
Take our latest survey!