Install the agent and provision Amplify Central access as described in https://github.com/Axway/agents-mulesoft/blob/main/README.md.
- Amplify organization id
- Amplify Central environment name
- Public/Private key pem files
- Service account client id
As well as access to Amplify Central it is assumed you have access to the Mulesoft Anypoint Platform. You need:
- Credentials with access to the organization the agents will attach to.
- Mulesoft environment name to discover from (e.g. Sandbox)
The agents read their configuration from a YAML files. To set up your config file copy the content of default_mulesoft_discovery_agent.yml into a new file named mulesoft_discovery_agent, and replace the default values that reflect your environment.
./mulesoft_discovery_agent --pathConfig <path to mulesoft_discovery_agent.yaml>
| Variable Name | YAML Path | Description | Location / Default |
|---|---|---|---|
| CENTRAL_AGENTNAME | central.agentname | Agent name to visualize the agent status in Amplify | |
| CENTRAL_ADDITIONALTAGS | central.additionalTags | Additional tag names to publish separated by a comma | |
| CENTRAL_APISERVERVERSION | central.apiServerVersion | Version of the API Server that the agent will communicate with | v1alpha1 |
| CENTRAL_APPENDDATAPLANETOTITLE | central.appenddataplanetotitle | When true appends the data plane title to the Consumer Instance description and title. When false, nothing is changed | true |
| CENTRAL_AUTH_CLIENTID | central.auth.clientId | The DOSA ID of the AMPLIFY Central Service Account created | AMPLIFY Central -> Access -> Service Accounts |
| CENTRAL_AUTH_KEYPASSWORD | central.auth.keyPassword | The password for the private key, if applicable | |
| CENTRAL_AUTH_PRIVATEKEY | central.auth.privateKey | The private key file path from the commands above | ./private_key.pem |
| CENTRAL_AUTH_PUBLICKEY | central.auth.publicKey | The public key file path from the commands above | ./public_key.pem |
| CENTRAL_AUTH_REALM | central.auth.realm | The Realm used to authenticate for AMPLIFY Central | Broker |
| CENTRAL_AUTH_TIMEOUT | central.auth.timeout | The timeout to wait for the authentication server to respond (ns - default, us, ms, s, m, h) | 10s |
| CENTRAL_AUTH_URL | central.auth.url | The URL used to authenticate for AMPLIFY Central | https://login.axway.com/auth |
| CENTRAL_ENVIRONMENT | central.environment | Environment eventually set by download kit in AMPLIFY Central | Name of the AMPLIFY Central environment |
| CENTRAL_MODE | central.mode | How to send endpoints back to Central. (publishToEnvironment = API Server, publishToEnvironmentAndCatalog = API Server and Catalog) | publishToEnvironmentAndCatalog |
| CENTRAL_ORGANIZATIONID | central.organizationID | The Organization ID from AMPLIFY Central | Platform -> Click User -> Organization |
| CENTRAL_PLATFORMURL | central.platformURL | The URL to the platform instance being used to get user information such as email address used for smtp notifications | https://platform.axway.com |
| CENTRAL_POLLINTERVAL | central.pollInterval | The frequency in which Central is polled for subscriptions (ns - default, us, ms, s, m, h) | 60s |
| CENTRAL_PROXYURL | central.proxyUrl | The url for the proxy for Amplify Central (e.g. http://username:password@hostname:port). If empty, no proxy is defined. | Internally, this value defaults to empty |
| CENTRAL_SSL_CIPHERSUITES | central.ssl.cipherSuites | An array of strings. It is a list of supported cipher suites for TLS versions up to TLS 1.2. If CipherSuites is nil, a default list of secure cipher suites is used, with a preference order based on hardware performance. See below for currently supported cipher suites. | See below for default cipher suite setting |
| CENTRAL_SSL_INSECURESKIPVERIFY | central.ssl.insecureSkipVerify | InsecureSkipVerify controls whether a client verifies the server's certificate chain and host name. If InsecureSkipVerify is true, TLS accepts any certificate presented by the server and any host name in that certificate. In this mode, TLS is susceptible to man-in-the-middle attacks. | Internally defaulted to false |
| CENTRAL_SSL_MAXVERSION | central.ssl.maxVersion | String value for the maximum SSL/TLS version that is acceptable. If empty, then the maximum version supported by this package is used, which is currently TLS 1.3. Allowed values are: TLS1.0, TLS1.1, TLS1.2, TLS1.3 | Internally, this value defaults to empty |
| CENTRAL_SSL_MINVERSION | central.ssl.minVersion | String value for the minimum SSL/TLS version that is acceptable. If zero, empty TLS 1.0 is taken as the minimum. Allowed values are: TLS1.0, TLS1.1, TLS1.2, TLS1.3 | Internally, the value defaults toTLS1.2 |
| CENTRAL_SSL_NEXTPROTOS | central.ssl.nestProtos | An array of strings. It is a list of supported application level protocols, in order of preference, based on the ALPN protocol list. Allowed values are: h2, htp/1.0, http/1.1, h2c | Internally empty. Default negotiation. |
| CENTRAL_SUBSCRIPTIONS_APPROVAL_MODE | central.subscriptions.approval.mode | The mode for approving subscriptions on AMPLIFY Central (manual, auto, webhook) | manual |
| CENTRAL_SUBSCRIPTIONS_APPROVAL_WEBHOOK_AUTHSECRET | central.subscriptions.approval.webhook.authSecret | The authentication secret to pass to the subscription approval webhook (if any) | Internally, this value defaults to empty |
| CENTRAL_SUBSCRIPTIONS_APPROVAL_WEBHOOK_HEADERS | central.subscriptions.approval.webhook.headers | The headers to pass to the subscription approval webhook (if any). | Internally, this value defaults to empty |
| CENTRAL_SUBSCRIPTIONS_APPROVAL_WEBHOOK_URL | central.subscriptions.approval.webhook.url | The url for a subscription approval webhook (if any). CENTRAL_SUBSCRIPTIONS_APPROVAL_MODE must be set to "webhook" for webhooks to be invoked | Internally, this value defaults to empty |
| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_AUTHTYPE | central.subscriptions.approval.notifications.smtp.authtype | The authentication type based on the email server. You may have to refer to the email server properties and specifications | Internally, this value defaults to empty |
| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_FROMADDRESS | central.subscriptions.notifications.smtp.fromaddress | Email address which will represent the sender | Internally, this value defaults to empty |
| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_HOST | central.subscriptions.notifications.smtp.host | SMTP server where the email notifications will originate from | Internally, this value defaults to empty |
| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_PASSWORD | central.subscriptions.approval.notifications.smtp.password | Login password for the SMTP server | Internally, this value defaults to empty |
| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_PORT | central.subscriptions.notifications.smtp.port | Port of the SMTP server | Internally, this value defaults to empty |
| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_SUBSCRIBE_APIKEYS | central.subscriptions.notifications.smtp.subscribe.apikeys | Body of the email notification for action subscribe on APIKey authorization if your API is secured using an APIKey credential:header:{keyHeaderName}/value:${key} | Internally, this value defaults to "Your API is secured using an APIKey credential: header: ${keyHeaderName} / value: ${key}" |
| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_SUBSCRIBE_BODY | central.subscriptions.approval.notifications.smtp.subscribe.body | Body of the email notification for action subscribe. | Internally, this value defaults to "Subscription created for Catalog Item: ${catalogItemName} ${authtemplate} " |
| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_SUBSCRIBE_OAUTH | central.subscriptions.notifications.smtp.subscribe.oauth | Body of the email notification for action subscribe on OAuth authorization if your API is secured using OAuth token. You can obtain your token using grant_type=client_credentials with the following client_id=${clientID} and client_secret=${clientSecret} | Internally, this value defaults to "Your API is secured using OAuth token. You can obtain your token using grant_type=client_credentials with the following client_id=${clientID} and client_secret=${clientSecret}" |
| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_SUBSCRIBE_SUBJECT | central.subscriptions.approval.notifications.smtp.subscribe.subject | Subject of the email notification for action subscribe. | Internally, this value defaults to "Subscription Notification" |
| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_SUBSCRIBEFAILED_BODY | central.subscriptions.notifications.smtp.subscribedfailed.body | Body of the email notification for action subscribe failed. | Internally, this value defaults to "Could not subscribe to CatalogItem: ${catalogItemName}" |
| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_SUBSCRIBEFAILED_SUBJECT | central.subscriptions.notifications.smtp.subscribefailed.subject | Subject of the email notification for action subscribe failed. | Internally, this value defaults to "Subscription Failed Notification" |
| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_UNSUBSCRIBE_BODY | central.subscriptions.notifications.smtp.unsubscribe.body | Body of the email notification for action unsubscribe. | Internally, this value defaults to "Subscription for Catalog Item: ${catalogItemName} has been unsubscribed" |
| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_UNSUBSCRIBE_SUBJECT | central.subscriptions.notifications.smtp.unsbuscribe.subject | Subject of the email notification for action unsubscribe. | Internally, this value defaults to "Subscription Removal Notification" |
| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_UNSUBSCRIBEFAILED_BODY | central.subscriptions.notifications.smtp.unsbuscribedfailed.body | Body of the email notification for action unsubscribe failed. | Internally, this value defaults to "Could not unsubscribe to Catalog Item: ${catalogItemName}" |
| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_UNSUBSCRIBEFAILED_SUBJECT | central.subscriptions.notifications.smtp.unsubscribefailed.subject | Subject of the email notification for action unsubscribe failed. | Internally, this value defaults to "Subscription Removal Failed" |
| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_SMTP_USERNAME | central.subscriptions.notifications.smtp.username | Login user for the SMTP server | Internally, this value defaults to empty |
| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_WEBHOOK_HEADERS | central.subscriptions.notifications.webhook.headers | Information used to verify the webhook. Provided by the customer, and may include such information as contentType and Authorization. | Internally, this value defaults to empty |
| CENTRAL_SUBSCRIPTIONS_NOTIFICATIONS_WEBHOOK_URL | central.subscriptions.notifications.webhook.url | URL where the webhook server is defined | Internally, this value defaults to empty |
| CENTRAL_TEAM | central.team | The Team name in AMPLIFY Central that all published APIs will be linked to | AMPLIFY Central -> Access -> Teams |
| CENTRAL_URL | central.url | The URL to the AMPLIFY Central instance being used for this discovery agent | https://apicentral.axway.com |
| LOG_FILE_CLEANBACKUPS | log.file.cleanbackups | The max age of a backup file, in days | 0 |
| LOG_FILE_KEEPFILES | log.file.keepfiles | The max number of log file backups to keep | 7 |
| LOG_FILE_NAME | log.file.name | The name of the log files | [[Agent executable name]].log |
| LOG_FILE_PATH | log.file.path | The path (relative or absolute) to save logs files, if output type file or both | logs |
| LOG_FILE_ROTATEEVERYMEGABYTES | log.file.rotateeverymegabytes | The max size, in megabytes that a log file can grow to | 100 |
| LOG_FORMAT | log.format | The format to print log messages (json, line, package) | json |
| LOG_LEVEL | log.level | The log level for output messages (debug, info, warn, error) | info |
| LOG_MASKEDVALUES | log.maskedValues | Comma-separated list of key words to identify within the agent config and used to mask its corresponding sensitive data. Key words are matched by whole words and are case sensitive | (empty value list) |
| LOG_OUTPUT | log.output | The output for the log lines (stdout, file, both) | stdout |
| MULESOFT_ANYPOINTEXCHANGEURL | mulesoft.anypointExchangeUrl | Mulesoft Anypoint Exchange URL | https://anypoint.mulesoft.com |
| MULESOFT_AUTH_LIFETIME | mulesoft.auth.lifetime | The session lifetime. The agent will automatically refresh the access token as it approaches the end of its lifetime | 60m |
| MULESOFT_AUTH_PASSWORD | mulesoft.auth.password | The password for the Mulesoft Anypoint username created for this agent | |
| MULESOFT_AUTH_USERNAME | mulesoft.auth.username | The Mulesoft Anypoint username created for this agent | |
| MULESOFT_CACHEPATH | mulesoft.cachePath | Path entry to store stateful cache between agent invocations | /tmp |
| MULESOFT_DISCOVERYIGNORETAGS | mulesoft.discoveryIgnoreTags | Comma-separated black list of tags that, if any are present, will prevent an API being publised to Amplify Central. Take precedence over MULESOFT_DISCOVERYTAGS | (empty tag list) |
| MULESOFT_DISCOVERYTAGS | mulesoft.discoveryTags | Comma-separated list of tags that, if any are present, will allow an API to be publised to Amplify Central. All APIs are discovered if not tags are specified | (empty tag list) |
| MULESOFT_ENVIRONMENT | mulesoft.environment | The Mulesoft Anypoint Exchange the agent connects to, e.g. Sandbox. | |
| MULESOFT_ORGNAME | mulesoft.orgName | The Mulesoft Anypoint Business Unit the agent connects to | |
| MULESOFT_POLLINTERVAL | mulesoft.pollInterval | The frequency in which Mulesoft API Manager is polled for new endpoints. | 30s |
| MULESOFT_PROXYURL | mulesoft.proxyUrl | The url for the proxy for API Manager (e.g. http://username:password@hostname:port). If empty, no proxy is defined. | Internally, this value defaults to empty |
| MULESOFT_SSL_CIPHERSUITES | mulesoft.ssl.cipherSuites | An array of strings. It is a list of supported cipher suites for TLS versions up to TLS 1.2. If CipherSuites is nil, a default list of secure cipher suites is used, with a preference order based on hardware performance. See below for currently supported cipher suites. | See below for default cipher suite setting |
| MULESOFT_SSL_INSECURESKIPVERIFY | mulesoft.ssl.insecureSkipVerify | InsecureSkipVerify controls whether a client verifies the server's certificate chain and host name. If InsecureSkipVerify is true, TLS accepts any certificate presented by the server and any host name in that certificate. In this mode, TLS is susceptible to man-in-the-middle attacks. | Internally defaulted to false |
| MULESOFT_SSL_MAXVERSION | mulesoft.ssl.maxVersion | String value for the maximum SSL/TLS version that is acceptable. If empty, then the maximum version supported by this package is used, which is currently TLS 1.3. Allowed values are: TLS1.0, TLS1.1, TLS1.2, TLS1.3 | Internally, this value defaults to empty |
| MULESOFT_SSL_MINVERSION | mulesoft.ssl.minVersion | String value for the minimum SSL/TLS version that is acceptable. If zero, empty TLS 1.0 is taken as the minimum. Allowed values are: TLS1.0, TLS1.1, TLS1.2, TLS1.3 | Internally, the value defaults toTLS1.2 |
| MULESOFT_SSL_NEXTPROTOS | mulesoft.ssl.nestProtos | An array of strings. It is a list of supported application level protocols, in order of preference, based on the ALPN protocol list. Allowed values are: h2, htp/1.0, http/1.1, h2c | Internally empty. Default negotiation. |
| STATUS_HEALTHCHECKINTERVAL | status.healthCheckInterval | Time in seconds between running periodic health checker (binary agents only). Allowed values are from 30 to 300 seconds. | 30s |
| STATUS_HEALTHCHECKPERIOD | status.healthCheckPeriod | Time in minutes allotted for services to be ready before exiting the agent. Allowed values are from 1 to 5 minutes. | 3m |
| STATUS_PORT | status.port | The port that the healthcheck endpoint will listen on | 8989 |
The allowed cipher suites string values are allowed: ECDHE-ECDSA-AES-128-CBC-SHA, ECDHE-ECDSA-AES-128-CBC-SHA256, ECDHE-ECDSA-AES-128-GCM-SHA256, ECDHE-ECDSA-AES-256-CBC-SHA, ECDHE-ECDSA-AES-256-GCM-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-ECDSA-RC4-128-SHA, ECDHE-RSA-3DES-CBC3-SHA, ECDHE-RSA-AES-128-CBC-SHA, ECDHE-RSA-AES-128-CBC-SHA256, ECDHE-RSA-AES-128-GCM-SHA256, ECDHE-RSA-AES-256-CBC-SHA, ECDHE-RSA-AES-256-GCM-SHA384, ECDHE-RSA-CHACHA20-POLY1305, ECDHE-RSA-RC4-128-SHA, RSA-RC4-128-SHA, RSA-3DES-CBC3-SHA, RSA-AES-128-CBC-SHA, RSA-AES-128-CBC-SHA256, RSA-AES-128-GCM-SHA256, RSA-AES-256-CBC-SHA, RSA-AES-256-GCM-SHA384, TLS-AES-128-GCM-SHA256, TLS-AES-256-GCM-SHA384, TLS-CHACHA20-POLY1305-SHA256
The list of default cipher suites is: ECDHE-ECDSA-AES-256-GCM-SHA384, ECDHE-RSA-AES-256-GCM-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305, ECDHE-ECDSA-AES-128-GCM-SHA256, ECDHE-RSA-AES-128-GCM-SHA256, ECDHE-ECDSA-AES-128-CBC-SHA256, ECDHE-RSA-AES-128-CBC-SHA256
docker build -t mulesoft-discovery -f Dockerfile.discovery .After making the public/private keys associated with the CENTRAL_AUTH_CLIENTID, make a resource of type secret from the files.
kubectl create secret generic key-pair --from-file=publicKey=public_key.pem --from-file=privateKey=private_key.pemAlso, create a secret based on the credentials associated with the mulesoft account by populating the values in muleauth-discovery.yaml
apiVersion: v1
kind: Secret
metadata:
name: muleauth
type: Opaque
stringData:
username:
password:
kubectl apply -f mulesoft-auth.yaml.yamlProvide the environment Variables required by the manifest file.
kubectl apply -f discovery-deployment.yaml