Skip to main content
Flex Gateway

Search

MuleSoft Flex Gateway local mode integration

© 2024 Cequence Security. All Rights Reserved.

MuleSoft Flex Gateway local mode integration

  • Updated on
  • ~ minute read
Download PDF

MuleSoft Flex Gateway local mode enables organizations to run and manage Flex Gateway independently of the Anypoint Platform control plane. In local mode, API instances, routing rules, and policy definitions are managed through declarative YAML configuration files rather than through Anypoint API Manager. This approach suits infrastructure-as-code workflows and environments where direct dependency on the Anypoint control plane must be minimized.

The Cequence Unified API Protection (UAP) platform's passive integration for Flex Gateway local mode uses a WebAssembly (WASM) policy that runs directly inside the gateway process. Unlike the connected-mode integration, local mode requires no CloudHub proxy application and no Anypoint Monitoring permissions. The WASM policy contains the Cequence client library, which authenticates with the Cequence UAP platform using OAuth2 and forwards captured transaction data directly to Cequence Edge or Bridge.

Traffic flow

The following sequence describes how traffic moves through the integration.

  1. A client sends a request to an upstream service. Flex Gateway receives the request.
  2. Flex Gateway forwards the request to the upstream service.
  3. The upstream service returns a response. The WASM policy captures both the request and the response synchronously.
  4. The downstream client receives the response from the upstream service.
  5. The WASM policy queues the transaction using the Cequence client library, which authenticates with the Cequence UAP platform using OAuth2 and forwards the transaction to Cequence Edge or Bridge.
  6. Cequence Edge or Bridge processes the transaction data and makes it available in the Cequence UAP platform dashboards.

Known limitations

Before you begin, note the following limitations of the Cequence UAP platform's passive integration with MuleSoft Flex Gateway in local mode.

  • Request and response bodies that exceed 32 KB are truncated to 32 KB. The header cq-body-truncated: true is added to truncated transactions.
  • Responses with HTTP status codes 500 and above are not captured. Only status codes 100 through 499 are forwarded to the Cequence UAP platform.

Before you start

Verify that your environment meets the following requirements before you begin the installation.

Requirement Details
MuleSoft Flex Gateway Version 1.11.4
Deployment target Docker, Amazon EKS (Elastic Kubernetes Service), or OpenShift ROSA (Red Hat OpenShift Service on AWS)
Cequence WASM policy files Contains the WASM binary and configuration YAML files. Download from the Cequence support portal.
Cequence client ID and client secret Generated from the Cequence UAP management portal. See Generating a Cequence client ID and client secret.
Cequence auth endpoint URL Fully qualified URL of the authentication endpoint in your Cequence UAP deployment.
Cequence Edge or Bridge URL Fully qualified URL of the Cequence Edge or Bridge transaction endpoint.
Docker 28.4.0 or later For Docker deployments.
AWS access to deploy an EKS cluster For EKS deployments.
kubectl v1.26.0 or later For EKS and Kubernetes deployments.
Helm 3.0.0 or later For EKS and Kubernetes deployments.

Generating a Cequence client ID and client secret

The WASM policy must authenticate to the Cequence UAP platform to forward transaction data. The following procedure creates the authentication credentials the policy requires.

  1. Log in to the Cequence UAP management portal. The URL has the form https://ui.your-tenant-name.domain.
  2. Navigate to General Settings > User Management. The User Management pane appears.
  3. Select the Clients tab.
  4. Click Add New Client. The new client dialog box appears.
  5. In the Client Name field, enter a name for the client. This value becomes the client ID. Record the client ID for later use.
  6. Enable the Traffic Management toggle.
  7. Optional: To change the token lifespan from the default 1800 seconds, enter a value in the Token Lifespan field.
  8. Click Save. A dialog box displays the client secret.
  9. Click the copy icon to copy the secret to the clipboard, then click Close. The client list appears.

Record the client secret. For security reasons, the Cequence UAP platform does not display this value again.

Integration installation

Installing the Cequence passive integration for Flex Gateway local mode involves two steps: configuring the Cequence policy binding file with your environment's values, then deploying the policy files to the gateway. The deployment procedure varies by platform.

Configuring the policy binding

The Cequence bundle includes three YAML files and a WASM binary. The cequence_definition.yaml and cequence_implementation.yaml files do not require changes. The cequence_binding.yaml file contains the service addresses and policy configuration that must be updated for your environment before deployment.

  1. Download the Cequence bundle as described in Before you start.
  2. Extract the bundle:

    tar xvzf cequence-local-mode-flexgateway.tar.gz

    The extracted directory contains two subfolders: policies-docker-linux for Docker deployments, and policies-k8s for Kubernetes and ROSA deployments.
  3. From the appropriate subfolder for your platform, open cequence_binding.yaml in a text editor.

  4. Update the following values.

    Field Description
    cequence-auth-servicespec.address Fully qualified URL of your Cequence authentication endpoint.
    cequence-edge-servicespec.address Fully qualified URL of your Cequence Edge or Bridge endpoint.
    cequenceAuthUrl Must exactly match the cequence-auth-service address above.
    cequenceEdgeUrl Must exactly match the cequence-edge-service address above.
    serviceNamespace Must match the metadata.namespace value set for all resources. Default: default.
    cequenceAuthEnabled Set to true to enable OAuth2 authentication with the Cequence UAP platform.
    cequenceClientId Cequence client ID generated in Generating a Cequence client ID and client secret.
    cequenceClientSecret Cequence client secret generated in Generating a Cequence client ID and client secret.
    cequenceAuthPath Path component of the Cequence authentication endpoint. Example: /auth/realms/example/protocol/openid-connect/token.
    cequenceEdgePath Path component of the Cequence Edge or Bridge transaction endpoint. Default: /api-transactions.
    enableDebugLogs Set to true for detailed diagnostic output. Set to false for production environments.

The cequenceMinStatusCode and cequenceMaxStatusCode fields control which HTTP response status codes are captured. The default range (100–499) excludes 5xx responses, which is the expected behavior described in Known limitations.

When targeting specific APIs rather than all APIs on the gateway, add a labels selector under spec.targetRef.selector in the binding file, and apply the corresponding label to those API instance resources.

Deploying on Docker

In Docker local mode, Flex Gateway watches its configuration directory for YAML file changes and applies them automatically without a restart. Do not mount the entire conf.d/ directory. Mounting the entire directory removes the gateway's built-in extensions. Mount each configuration file individually.

Running container: When adding the Cequence policy to a gateway container that is already running, copy the three policy files into the container's configuration directory.

docker cp cequence_definition.yaml     flex-gateway:/etc/mulesoft/flex-gateway/conf.d/
docker cp cequence_implementation.yaml flex-gateway:/etc/mulesoft/flex-gateway/conf.d/
docker cp cequence_binding.yaml        flex-gateway:/etc/mulesoft/flex-gateway/conf.d/

New container: When starting a new container, mount each configuration file as a separate volume. On Apple Silicon (M1/M2/M3), include the --platform linux/amd64 flag.

docker run --rm \
  --platform linux/amd64 \
  --name flex-gateway \
  -v /path/to/registration.yaml:/etc/mulesoft/flex-gateway/conf.d/registration.yaml \
  -v /path/to/api-instance.yaml:/etc/mulesoft/flex-gateway/conf.d/api-instance.yaml \
  -v /path/to/cequence_definition.yaml:/etc/mulesoft/flex-gateway/conf.d/cequence_definition.yaml \
  -v /path/to/cequence_implementation.yaml:/etc/mulesoft/flex-gateway/conf.d/cequence_implementation.yaml \
  -v /path/to/cequence_binding.yaml:/etc/mulesoft/flex-gateway/conf.d/cequence_binding.yaml \
  -p 8081:8081 \
  mulesoft/flex-gateway

Deploying on Kubernetes (EKS)

The Kubernetes deployment uses a ConfigMap (a Kubernetes resource that stores configuration data as key-value pairs) to make the WASM binary available inside the gateway pod. The Cequence YAML resources are then applied to the cluster using kubectl.

  1. From the policies-k8s directory, update the namespace in all policy files when you are not using the default namespace:

    ./update-namespace.sh <your-namespace>
  2. Create a ConfigMap from the WASM binary:

    kubectl create configmap cequence-wasm --from-file=cequence.wasm=./cequence_policy.wasm -n <your-namespace>

  3. Mount the ConfigMap into the Flex Gateway pod so that the WASM file is available at /etc/mulesoft/flex-gateway/wasm/cequence.wasm. Use the method that matches how Flex Gateway was deployed in your environment.

    Helm — use when Flex Gateway was deployed with Helm and you have Helm release management access:

    helm upgrade flex-gateway mulesoft/flex-gateway \
  -n <your-namespace> --reuse-values \
  --set "extraVolumes[0].name=cequence-wasm" \
  --set "extraVolumes[0].configMap.name=cequence-wasm" \
  --set "extraVolumeMounts[0].name=cequence-wasm" \
  --set "extraVolumeMounts[0].mountPath=/etc/mulesoft/flex-gateway/wasm" \
  --set "extraVolumeMounts[0].readOnly=true"

    kubectl patch — use when you have kubectl access to the namespace but not Helm release management access:

    kubectl patch deployment flex-gateway -n <your-namespace> --type=json -p='[
  {"op":"add","path":"/spec/template/spec/volumes/-",
   "value":{"name":"cequence-wasm","configMap":{"name":"cequence-wasm"}}},
  {"op":"add","path":"/spec/template/spec/containers/0/volumeMounts/-",
   "value":{"name":"cequence-wasm","mountPath":"/etc/mulesoft/flex-gateway/wasm","readOnly":true}}
]'

  4. Verify that the WASM file is visible inside the pod:
     

    POD=$(kubectl get pod -n <your-namespace> -l app=flex-gateway -o jsonpath='{.items[0].metadata.name}')
kubectl exec -n <your-namespace> $POD -- ls -lh /etc/mulesoft/flex-gateway/wasm/

  5. Apply the Cequence policy resources:
     

    kubectl apply -f cequence_definition.yaml    -n <your-namespace>
kubectl apply -f cequence_implementation.yaml -n <your-namespace>
kubectl apply -f cequence_binding.yaml        -n <your-namespace>

Deploying on OpenShift (ROSA)

ROSA deployments follow the same Kubernetes steps described in Deploying on Kubernetes (EKS), with two additional requirements: an OpenShift Security Context Constraint (SCC) grant for the Flex Gateway service account, and support for the Flex Gateway Operator as a mount method. Use oc or kubectl interchangeably on ROSA.

  1. Grant the anyuid SCC to the Flex Gateway service account. Replace flex-gateway with the actual service account name in your cluster:

    oc adm policy add-scc-to-user anyuid -z flex-gateway -n <flex-gateway-namespace>
  2. Follow steps 1 and 2 in Deploying on Kubernetes (EKS) to update the namespace and create the ConfigMap, substituting your ROSA namespace.

  3. Mount the ConfigMap into the Flex Gateway pod. When Flex Gateway was deployed using the Flex Gateway Operator, which is the standard MuleSoft-supported method for OpenShift, use the operator approach. Otherwise, use the Helm or kubectl patch approach described in Deploying on Kubernetes (EKS).

    Flex Gateway Operator — use when Flex Gateway was deployed via the OpenShift Operator:

    oc edit flexgateway <gateway-name> -n <your-namespace>

    Add the following under spec:

    spec:
  volumes:
    - name: cequence-wasm
      configMap:
        name: cequence-wasm
  volumeMounts:
    - name: cequence-wasm
      mountPath: /etc/mulesoft/flex-gateway/wasm
      readOnly: true

  4. Apply the Cequence policy resources:
     

    kubectl apply -f cequence_definition.yaml    -n <your-namespace>
kubectl apply -f cequence_implementation.yaml -n <your-namespace>
kubectl apply -f cequence_binding.yaml        -n <your-namespace>

Verifying the installation

After deploying the policy files, verify that Flex Gateway loaded the Cequence resources without errors and that transactions are being captured.

On Kubernetes and ROSA, verify that the extension and policy binding resources are present.

kubectl get extension     -n <namespace> | grep cequence
kubectl get policybinding -n <namespace> | grep cequence

Check the gateway logs for the following lines, which indicate a successful policy load.

[cequence] Policy configured (debug_logs=false)
[cequence] Root context initialized

Send a request through the gateway and verify that the gateway logs show the transaction being captured and forwarded.

[cequence] Captured GET /your-path (12 headers)
[cequence] Built transaction abc123 (GET /your-path - 200)
[cequence] Root: sending 1 transaction(s) to edge
[cequence] Root: edge callback - 1 transaction(s) sent (status=200)

In the Cequence UAP platform, open the API Discovery dashboard and verify that the endpoint appears.

Log levels

In local mode, log verbosity is controlled by the enableDebugLogs field in cequence_binding.yaml rather than a named log level property.

Value Description
false Info level. Logs informational events and failures. Recommended for production environments.
true Debug level. Logs detailed per-request diagnostic output. Use for troubleshooting only.

To change the log level, update enableDebugLogs in cequence_binding.yaml and redeploy the file. On Docker, Flex Gateway detects the change automatically. On Kubernetes and ROSA, reapply the file with kubectl apply.

Troubleshooting

Symptom Cause Resolution
Extension default/route, default/extension-definition, or default/tls-outbound not found (Docker only) The entire conf.d/ directory was mounted as a volume in Docker, which removes the gateway's built-in extensions. Switch to individual file mounts as described in Deploying on Docker.
ApiInstance not found on cequence-policy-binding The targetRef in cequence_binding.yaml references an API instance name that does not exist. On Docker, run grep -r "kind: ApiInstance" /etc/mulesoft/flex-gateway/conf.d/ to find the correct name. On Kubernetes or ROSA, run kubectl get apiinstances -n <namespace>. Update the binding file with the correct name and redeploy.
serviceNamespace mismatch error in logs The serviceNamespace value in the binding configuration does not match metadata.namespace in the resource definitions. Run ./update-namespace.sh <namespace> from the policies-k8s directory, or update the namespace manually in all three YAML files, then redeploy.
no such file: cequence.wasm (Kubernetes and ROSA only) The WASM ConfigMap was not mounted into the gateway pod. Complete the ConfigMap mount step in Deploying on Kubernetes (EKS) before applying the policy resources.
unable to validate against any SCC (ROSA only) The Flex Gateway service account does not have the required OpenShift Security Context Constraint (SCC) permission. Run oc adm policy add-scc-to-user anyuid -z <service-account> -n <namespace>.
edge callback status=401 The Cequence credentials in cequence_binding.yaml are invalid or missing. Verify that cequenceAuthEnabled is set to true and that cequenceClientId and cequenceClientSecret are set to the values generated in Generating a Cequence client ID and client secret.
5xx responses are not appearing in the Cequence UAP platform HTTP 5xx responses are excluded from capture by default. This is expected behavior. To capture 5xx responses, increase cequenceMaxStatusCode in cequence_binding.yaml and redeploy the file.
Was this article helpful?
Japanese (Japan)