Oct 2021
Online English Meetup Group
Externalize TLS Certificates and properties for Runtime Fabric Applications
Speakers:
Sandeep Deshmukh, Moderator
Deepak Suseelan, Technical Architect, MuleSoft
Recording
Agenda
● Guidelines
● Walkthrough of Utility
● Demo
● Q&A
All contents © MuleSoft, LLC
MuleSoft Meetups: Virtual Muleys
Guidelines for today
1. Pop questions in the chat and anyone can try to answer!
2. Remaining questions will be asked on your behalf at the end of the session
3. The recording will be shared on the Meetups page and on the VirtualMuleys YouTube channel
4. Your feedback drives the content of these meetups: fill in the surveys at the end of the event and let us know what you think!
25+ Virtual Community Meetups in October
New Meetup groups looking for speakers
• Communication, Media, Technology
• Higher Education
• Nonprofit Organizations
Local virtual events in 20+ cities
• Join from anywhere!
→ Join the Global Group: https://meetups.mulesoft.com/online-group-english/
→ RSVP for upcoming events: https://meetups.mulesoft.com/events/
Speakers
Deepak Suseelan
Technical Architect, MuleSoft Professional Services
Disclaimer
This presentation involves custom-developed components that are not part of the MuleSoft product suite and are therefore not supported by MuleSoft Support. Technical assistance for these components is limited to this presentation and the associated documentation. This is an UNLICENSED utility; please review the considerations. If you need assistance extending this application, contact your MuleSoft Customer Success representative or MuleSoft Professional Services.
Overview
Anypoint Runtime Fabric
[Diagram: Runtime Fabric components. Mule apps run in containers on the VMs of the Runtime Fabric appliance, connected over the network.]
Runtime Fabric orchestrates and automates the deployment of Mule runtimes into containers in any cloud or on-premises environment.
Benefits
● Deploy consistently across any cloud or data center
● Run multiple runtime versions in the same Runtime Fabric
● Scale horizontally and redeploy with zero downtime
● Easily manage via the control plane hosted by MuleSoft
● Flexible deployment on existing infrastructure or managed K8s services
Why Externalize Certificates
Issues with bundling certificates with the application
● Use of self-signed or non-compliant certificates
● Unable to track and renew certificates in a timely manner
● Cannot guarantee the safety of private keys
● Unable to track non-compliant certificates
● No accountability
● Security constraints
Certificate Externalization With RTF
Option 1 (Most Common): Inject TLS certificates during the CD process
Pros:
● Most commonly used solution
● Does not involve any custom Mule components
● Does not modify the container after it is created
Cons:
● The CD pipeline bundles the TLS certificates into the application, so they get stored in the Anypoint Exchange repository along with it
● Any certificate change means re-deploying every application that bundles it
Certificate Externalization With RTF
Option 2: Using Secure Properties
https://docs.mulesoft.com/runtime-fabric/1.10/manage-secure-properties
Certificate Externalization With RTF
Option 2: Using Secure Properties
Link: https://github.com/mulesoft-catalyst/rtf-secure-file-provider
Pros:
● Separation of the TLS certificate deployment pipeline from application deployment
● TLS certificates are never stored as part of the application, not even in Exchange
● No need to re-deploy applications after updating a certificate
Cons:
● Possibility of hitting the size limit of secure properties, depending on the number of files being stored
● The container is modified after deployment to add the files to the classpath
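As an added illustration, not code from the rtf-secure-file-provider utility or from the slides, the following Python sketches both halves of the secure-properties approach: the pipeline side base64-encodes each keystore or truststore file into one property, and the runtime side decodes the properties back into owner-only files on disk so a TLS context can point at them. The `tls.file.` prefix, the target directory, the size budget and the sample file contents are assumptions made for the example; the utility's real naming and the platform's actual limit are not described on this page. Because the file name is taken from a property key, it is validated before anything is written, and `check_size_budget` turns the size-limit caveat above into a pipeline-time failure rather than a surprise at deploy time.

```python
import base64
import os
import stat
import tempfile

# Assumed naming convention for this example (not the utility's own): every secure
# property whose key starts with this prefix carries one base64-encoded file, e.g.
#   tls.file.keystore.p12 = <base64 of the PKCS#12 keystore>
FILE_PROPERTY_PREFIX = "tls.file."


def encode_file_property(file_name: str, data: bytes) -> tuple:
    """Pipeline side: turn one keystore/truststore file into a (key, value) property pair."""
    return FILE_PROPERTY_PREFIX + file_name, base64.b64encode(data).decode("ascii")


def collect_file_properties(properties: dict) -> dict:
    """Runtime side: pick out and decode every file-carrying property.

    The file name comes from the property key, so it is untrusted input: anything
    that is not a plain base name is rejected to rule out path traversal.
    """
    files = {}
    for key, value in properties.items():
        if not key.startswith(FILE_PROPERTY_PREFIX):
            continue
        name = key[len(FILE_PROPERTY_PREFIX):]
        if name in ("", ".", "..") or "\\" in name or os.path.basename(name) != name:
            raise ValueError(f"unsafe file name in property {key!r}")
        try:
            files[name] = base64.b64decode(value, validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"property {key!r} is not valid base64") from exc
    return files


def encoded_size(files: dict) -> int:
    """Bytes the files occupy once base64-encoded: 4/3 inflation, padded to a multiple of 4."""
    return sum(4 * ((len(data) + 2) // 3) for data in files.values())


def check_size_budget(files: dict, limit_bytes: int) -> int:
    """Fail in the pipeline, not at deploy time, if the encoded payload exceeds the store's limit.

    limit_bytes is whatever ceiling the target property store imposes; the value used in
    demo() is an assumption for illustration, not a documented Runtime Fabric limit.
    """
    size = encoded_size(files)
    if size > limit_bytes:
        raise ValueError(f"encoded TLS payload is {size} bytes, over the {limit_bytes}-byte budget")
    return size


def materialize(files: dict, target_dir: str) -> dict:
    """Write the decoded files under target_dir, readable by the owner only."""
    os.makedirs(target_dir, mode=0o700, exist_ok=True)
    os.chmod(target_dir, 0o700)  # makedirs' mode is subject to the umask; enforce explicitly
    paths = {}
    for name, data in files.items():
        path = os.path.join(target_dir, name)
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        os.chmod(path, 0o600)  # same reason: O_CREAT's mode is masked too
        paths[name] = path
    return paths


def file_mode(path: str) -> int:
    """Permission bits of a file, for checking what materialize() produced."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> dict:
    """Round-trip two constructed files through properties and back to disk."""
    # Constructed stand-ins for a keystore and a truststore, not real PKCS#12 data.
    keystore = b"\x30\x82\x01\x00" + b"fake-pkcs12-keystore-bytes"
    truststore = b"\x30\x82\x00\x80" + b"fake-truststore-bytes"
    props = dict([encode_file_property("keystore.p12", keystore),
                  encode_file_property("truststore.p12", truststore)])
    props["http.port"] = "8081"  # an ordinary property, ignored by the file provider
    files = collect_file_properties(props)
    size = check_size_budget(files, limit_bytes=64 * 1024)  # assumed budget
    with tempfile.TemporaryDirectory() as tmp:
        paths = materialize(files, os.path.join(tmp, "tls"))
        modes = {name: file_mode(path) for name, path in paths.items()}
        contents_match = True
        for name, path in paths.items():
            with open(path, "rb") as fh:
                contents_match = contents_match and fh.read() == files[name]
    return {"encoded_size": size, "modes": modes, "contents_match": contents_match}


if __name__ == "__main__":
    print(demo())
```

Whatever directory `materialize` writes to is where the application's TLS context would then look for its keystore and truststore; the point of keeping the files mode 0600 in an owner-only directory is that the private key never becomes readable to other processes in the container.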
Demo
Certificate Externalization With RTF (Self Managed)
Option 3: Using a Custom Admission Controller
Certificate Externalization With RTF
Option 3: Using a Custom Admission Controller
Link: https://github.com/mulesoft-catalyst/RTF-Custom-Admission-Controller
Pros:
● Separation of the TLS certificate deployment pipeline from application deployment
● TLS certificates are never stored as part of the application, not even in Exchange
● No need to re-deploy applications after updating a certificate
● Files can be stored in any external storage with no size restrictions
Cons:
● Only for RTF on self-managed Kubernetes
● The webhook becomes the most critical part of your infrastructure: it needs to be highly available and fault tolerant
● The webhook is a Mule application and counts towards the core subscription
● Requires at least intermediate-level knowledge of Kubernetes
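Below is an added example, written for this page in Python rather than taken from the RTF-Custom-Admission-Controller repository (which the slides describe as a Mule application), of the core of a mutating admission webhook: given the AdmissionReview the API server sends on pod creation, it builds the JSON Patch that mounts a Kubernetes Secret holding the TLS files into every container, and wraps it in the AdmissionReview response. The annotation name, volume name, mount path and the sample pod are assumptions made for the example. The patch is skipped when the pod did not opt in or already carries the volume, so a retried call does not add a second mount.

```python
import base64
import copy
import json

# Assumed conventions for this example (not from the linked repository): a pod opts in
# with this annotation, which names the Kubernetes Secret holding its keystore and
# truststore files; the webhook mounts that Secret read-only at MOUNT_PATH.
TLS_SECRET_ANNOTATION = "example.com/tls-secret"
VOLUME_NAME = "external-tls"
MOUNT_PATH = "/opt/mule/tls"


def build_tls_patch(pod: dict) -> list:
    """Return the JSON Patch (RFC 6902) ops that mount the TLS Secret into every container.

    Returns [] when the pod did not opt in, or already has the volume (idempotent).
    """
    annotations = (pod.get("metadata") or {}).get("annotations") or {}
    secret_name = annotations.get(TLS_SECRET_ANNOTATION)
    if not secret_name:
        return []
    spec = pod.get("spec") or {}
    if any(v.get("name") == VOLUME_NAME for v in spec.get("volumes") or []):
        return []

    ops = []
    # defaultMode 0o400 keeps the private key readable only by the container user.
    volume = {"name": VOLUME_NAME,
              "secret": {"secretName": secret_name, "defaultMode": 0o400}}
    if spec.get("volumes") is None:
        ops.append({"op": "add", "path": "/spec/volumes", "value": [volume]})
    else:
        ops.append({"op": "add", "path": "/spec/volumes/-", "value": volume})

    mount = {"name": VOLUME_NAME, "mountPath": MOUNT_PATH, "readOnly": True}
    for i, container in enumerate(spec.get("containers") or []):
        if container.get("volumeMounts") is None:
            ops.append({"op": "add", "path": f"/spec/containers/{i}/volumeMounts", "value": [mount]})
        else:
            ops.append({"op": "add", "path": f"/spec/containers/{i}/volumeMounts/-", "value": mount})
    return ops


def admission_response(review: dict) -> dict:
    """Wrap the patch in the AdmissionReview response the API server expects.

    Anything that is not a Pod CREATE is allowed through untouched.
    """
    request = review["request"]
    response = {"uid": request["uid"], "allowed": True}
    if request.get("operation") == "CREATE" and (request.get("kind") or {}).get("kind") == "Pod":
        ops = build_tls_patch(request["object"])
        if ops:
            response["patchType"] = "JSONPatch"
            response["patch"] = base64.b64encode(json.dumps(ops).encode()).decode("ascii")
    return {"apiVersion": review.get("apiVersion", "admission.k8s.io/v1"),
            "kind": "AdmissionReview", "response": response}


def decode_patch(admission_review_response: dict) -> list:
    """Recover the JSON Patch ops from a response, as the API server does before applying them."""
    patch = admission_review_response["response"].get("patch")
    return json.loads(base64.b64decode(patch)) if patch else []


def apply_add_ops(doc: dict, ops: list) -> dict:
    """Apply the 'add' ops produced above; just enough of RFC 6902 to show the resulting pod."""
    doc = copy.deepcopy(doc)
    for op in ops:
        if op["op"] != "add":
            raise ValueError(f"unsupported op {op['op']!r}")
        parts = op["path"].lstrip("/").split("/")
        target = doc
        for part in parts[:-1]:
            target = target[int(part)] if isinstance(target, list) else target[part]
        last = parts[-1]
        if isinstance(target, list):
            if last == "-":
                target.append(op["value"])
            else:
                target.insert(int(last), op["value"])
        else:
            target[last] = op["value"]
    return doc


# Constructed sample AdmissionReview for a Mule app pod, not a capture from a real cluster.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "00000000-0000-4000-8000-000000000001",
        "kind": {"group": "", "version": "v1", "kind": "Pod"},
        "operation": "CREATE",
        "object": {
            "metadata": {"name": "orders-api-0",
                         "annotations": {TLS_SECRET_ANNOTATION: "orders-api-tls"}},
            "spec": {
                "volumes": [{"name": "tmp", "emptyDir": {}}],
                "containers": [{"name": "app", "image": "mule-app:1.0",
                                "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}]}],
            },
        },
    },
}


if __name__ == "__main__":
    resp = admission_response(SAMPLE_REVIEW)
    mutated = apply_add_ops(SAMPLE_REVIEW["request"]["object"], decode_patch(resp))
    print(json.dumps(mutated["spec"], indent=2))
```

The availability warning in the slide maps onto the `failurePolicy` field of the MutatingWebhookConfiguration that registers this endpoint: with `Fail`, pod creation is rejected whenever the webhook is unreachable, which is why it has to be highly available; with `Ignore`, pods start without the mount and the application comes up with no certificates. Scoping the webhook with a `namespaceSelector` or `objectSelector` keeps it off pods that never need it, and rotating the certificate then means updating the Secret and restarting the pods, not rebuilding the application.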
Demo
Thank you

Rtf externalize tls MuleSoft meetup
