MuleSoft's Anypoint Runtime Fabric version 2.0 no longer supports Vanilla Kubernetes. It only supports EKS, EKDS-A, AKS, GKE and OpenShift in different environments.
So how do you install Anypoint Runtime Fabric on OpenShift? The MuleSoft documentation provides a good guideline on how to install a basic setup of Runtime Fabric on OpenShift (see https://docs.mulesoft.com/runtime-fabric/latest/install-openshift). For the advanced settings, it is helpful to have a sound understanding of how OpenShift works.
From my point of view, MuleSoft should improve the documentation in two areas.
Ingress traffic for OpenShift cluster
OpenShift uses route resources to define how pods can be accessed from outside the cluster. It will not consider Kubernetes Ingress resources for Ingress traffic. Creating or modifying a Kubernetes Ingress automatically creates or updates an OpenShift route. Default domains in routes consist of the route name and the namespace name together with the base domain. OpenShift uses a wildcard certificate for domains that follow the described notation. This makes both enabling HTTPS for applications and maintaining it quite easy.
The challenge is how to set up the Runtime Fabric Ingress-Template with HTTPS and to use the wildcard certificate of OpenShift.
Long story short, the cluster admin needs to copy the OpenShift wildcard cluster certificate to the Runtime Fabric namespace.
- Copy the wildcard certificate to your local file system:
```bash
oc get secret -n openshift-ingress router-certs-default -o yaml > default_certificate.yaml
```
- Remove the status and meta-information and change the namespace to the Runtime Fabric namespace. Your file should look like this:
```yaml
apiVersion: v1
data:
  tls.crt: LS0ti..
  tls.key: LS...
kind: Secret
metadata:
  name: router-certs-default
  namespace: <Runtime Fabric namespace in my case rtf>
type: kubernetes.io/tls
```
- Finally, execute the following command to create the secret with the wildcard certificate in the Runtime Fabric namespace:
```bash
oc create -f default_certificate.yaml
```
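The manual clean-up in the second step can also be scripted. The following is an added example, not part of the original article or of MuleSoft's documentation: it takes the secret exported as JSON (`-o json` instead of `-o yaml`), checks that it is a TLS secret whose entries hold PEM data, and rebuilds a minimal manifest for the target namespace. The function name, the sample data and the default namespace `rtf` are assumptions.

```python
import base64
import json
import sys

def retarget_tls_secret(exported: dict, namespace: str) -> dict:
    """Build a minimal TLS Secret manifest for `namespace` from an exported one."""
    if exported.get("kind") != "Secret" or exported.get("type") != "kubernetes.io/tls":
        raise ValueError("expected a Secret of type kubernetes.io/tls")
    data = exported.get("data") or {}
    # Both entries must be base64-encoded PEM, otherwise the copy is useless.
    for key in ("tls.crt", "tls.key"):
        pem = base64.b64decode(data.get(key) or "", validate=True)
        if not pem.lstrip().startswith(b"-----BEGIN "):
            raise ValueError(f"{key} is missing or not PEM")
    # Rebuild from scratch: status, uid, resourceVersion, ownerReferences,
    # annotations and the source namespace are dropped, not copied.
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/tls",
        "metadata": {"name": exported["metadata"]["name"], "namespace": namespace},
        "data": {key: data[key] for key in ("tls.crt", "tls.key")},
    }

def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()

# Constructed sample of `oc get secret ... -o json` output (no real key material).
SAMPLE_EXPORT = {
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "kubernetes.io/tls",
    "metadata": {
        "name": "router-certs-default",
        "namespace": "openshift-ingress",
        "uid": "00000000-0000-0000-0000-000000000000",
        "resourceVersion": "12345",
        "creationTimestamp": "2023-01-01T00:00:00Z",
    },
    "data": {
        "tls.crt": _b64("-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n"),
        "tls.key": _b64("-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----\n"),
    },
}

if __name__ == "__main__":
    # With a namespace argument: read the export from stdin. Without: use the sample.
    source = json.load(sys.stdin) if len(sys.argv) > 1 else SAMPLE_EXPORT
    target = sys.argv[1] if len(sys.argv) > 1 else "rtf"
    json.dump(retarget_tls_secret(source, target), sys.stdout, indent=2)
```

Saved under a hypothetical name such as `retarget.py`, it can sit between the two `oc` commands (`oc get secret -n openshift-ingress router-certs-default -o json | python3 retarget.py rtf | oc create -f -`), so the private key is never written to the local file system.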
For those who want to understand the reason behind this: For TLS connections, the Kubernetes Ingress requires a hostname and a secret name. OpenShift only creates a route if the secret with that name exists in that namespace. You can use {} as a wildcard for the tls attribute in an Ingress (you can find an example of this here). This will create a route which uses the wildcard certificate of the ingress-controller. However, Anypoint doesn't accept this as a valid endpoint for Ingress traffic. To use a valid wildcard certificate in the Runtime Fabric Ingress-Template, the cluster administrator needs to copy the cluster wildcard certificate to the Runtime Fabric namespace.
On the bright side: the route type (edge, reencrypt, passthrough) defined by an annotation works fine with the Runtime Fabric Ingress-Template.
Hint: The description above is not intended for a production environment.
Using a dedicated namespace to deploy MuleSoft applications
The standard configuration of Runtime Fabric on OpenShift will create a namespace with the ID of the environment of the deployed application. You can define a list of target namespaces in which to deploy Mule applications (see here). The installation documentation describes which Kubernetes resources are needed. The target namespace requires a label with the Anypoint environment_id and org_id. The documentation leaves out where to find these IDs.
The org_id can be found in Anypoint's Access Management. In the menu Organization you will get a list of all available organizations. If you click on one of them, you will see the "Organization Id" in the Organization info.
The environment_ids are a bit trickier. In Access Management there is a menu entry for environments that lists all available environments. If you look closely at the links for the environments, you notice an ID at the end of each URL. This ID is the environment_id. The easiest way to get the ID is to press CTRL and click on the link. In the new tab you can copy the environment_id from the URL (don't worry that it shows the list of organizations).
This MuleSoft blog article describes another way to get the environment_id: https://help.mulesoft.com/s/article/How-to-get-the-Environment-ID. As always, there are multiple ways to solve a problem.
Summary
Anypoint Runtime Fabric is easy to handle on OpenShift. Some fine-tuning is required here and there, but nothing major. In the next blog article, we will show you how to run Runtime Fabric locally on a development computer.
Blog author
Olaf Meyer
Senior IT-Consultant