With kubectl in Kubernetes
Deploy with kubectl in Kubernetes

Follow this guide to deploy and configure Airlock Microgateway using kubectl.

Prerequisites

Deployment

Follow the instructions below to deploy Airlock Microgateway with an echo and a Redis service.

  • Manifest files for Airlock Microgateway
  • 1.
    Create the folder getting_started/.
  • 2.
    Create the file microgateway-config.yaml in the folder getting_started/, which contains the ConfigMap with the Airlock Microgateway configuration:
  • copy
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: microgateway-config
      labels:
        app: microgateway-config
    data:
      config.yaml: |
        log:
          level: info
     
        session:
          redis_hosts: [redis-master]
    
        remote_ip:
          header: X-Forwarded-For
          internal_proxies:
            - 10.0.0.0/8
            - 172.16.0.0/12
            - 192.168.0.0/16
      
        apps:
          - virtual_host:
              name: virtinc
              hostname: virtinc.com
            mappings:
              - session_handling: enforce_session
                deny_rule_groups:
                  - level: strict
                backend:
                  hosts:
                    - name: echoserver
                      port: 8080
    …Show more…Show less
  • 3.
    Follow the instructions below to create the file microgateway-secret.yaml in the folder getting_started/.
  • Create the file microgateway.passphrase in the folder getting_started/, which contains the passphrase for encryption.

    copy
    openssl rand -base64 102 | tr -d '\n' > getting_started/microgateway.passphrase
    
    • For the premium edition, do the following:
    • Copy the Microgateway license file to getting_started/microgateway.lic.
    • The content of the license file looks like:

      -----BEGIN LICENSE----- 
      eJxFkEuzokgUhP+LWyeCAgqRjugFLwURhAvycJgFaAkFWLxBuNH/vY1eTC/z 
      ... 
      ... 
      ...   
      -----END LICENSE-----
    • Run the following command:
    • copy
      kubectl create secret generic microgateway-secret \
        --from-file=license=getting_started/microgateway.lic \
        --from-file=passphrase=getting_started/microgateway.passphrase \
        --dry-run=client \
        -o yaml > getting_started/microgateway-secret.yaml
    • For the community edition, do the following:
    • Run the following command:
    • copy
      kubectl create secret generic microgateway-secret \
        --from-file=passphrase=getting_started/microgateway.passphrase \
        --dry-run=client \
        -o yaml > getting_started/microgateway-secret.yaml
  • 4.
    Create the file microgateway-deployment.yaml in the folder getting_started/, which contains the Deployment definition for Airlock Microgateway:
  • copy
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: microgateway
      labels:
        app: microgateway
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: microgateway
      template:
        metadata:
          labels:
            app: microgateway
          annotations:
            prometheus.io/scrape: "true"
            prometheus.io/port: "9102"
        spec:
          initContainers:
            - name: configbuilder
              image: ergon/airlock-microgateway-configbuilder:3.1.0          
              imagePullPolicy: IfNotPresent
              volumeMounts:
                - name: config
                  mountPath: /config/config.yaml
                  subPath: config.yaml
                - name: secret
                  mountPath: /secret/
                  readOnly: true
                - name: config-files
                  mountPath: /resources-gen
          containers:
            - name: microgateway
              image: ergon/airlock-microgateway:3.1.0          
              imagePullPolicy: IfNotPresent
              ports:
                - name: http
                  containerPort: 8080
                - name: https
                  containerPort: 8443
                - name: probes
                  containerPort: 9090
                - name: metrics
                  containerPort: 9102
              volumeMounts:
                - name: config-files
                  mountPath: /config/
              livenessProbe:
                failureThreshold: 9
                timeoutSeconds: 5
                httpGet:
                  path: /alive
                  port: probes
                initialDelaySeconds: 90
              readinessProbe:
                failureThreshold: 3
                httpGet:
                  path: /healthy
                  port: probes
                initialDelaySeconds: 10
              lifecycle:
                preStop:
                  exec:
                    command:
                      - /usr/bin/sleep
                      - "10"
              resources:
                requests:
                  memory: 256Mi
                  cpu: 30m
                limits:
                  memory: 4048Mi
          volumes:
            - name: config
              configMap:
                name: microgateway-config
            - name: secret
              secret:
                secretName: microgateway-secret
            - name: config-files
              emptyDir: {}
    …Show more…Show less
  • 5.
    Create the file microgateway-service.yaml in the folder getting_started/, which contains the Service definition for Airlock Microgateway:
  • copy
    apiVersion: v1
    kind: Service
    metadata:
      name: microgateway-service
      labels:
        app: microgateway
    spec:
      selector:
        app: microgateway
      ports:
        - name: http
          port: 8080
        - name: https
          port: 8443
    …Show more…Show less
  • Manifest file for Redis
  • 1.
    Create the file redis.yaml in the folder getting_started/, which contains all resource definitions for Redis:
  • copy
    --- 
    apiVersion: apps/v1
    kind: StatefulSet
    metadata:
      name: redis-master
      labels:
        app: redis
    spec:
      selector:
        matchLabels:
          app: redis
          role: master
      serviceName: redis-headless
      template:
        metadata:
          labels:
            app: redis
            role: master
        spec:
          containers:
            - name: redis
              image: docker.io/bitnami/redis:5.0.9-debian-10-r4
              imagePullPolicy: IfNotPresent
              command:
                - /bin/bash 
                - -c 
                - | 
                  if [[ -n $REDIS_PASSWORD_FILE ]]; then 
                    password_aux=`cat ${REDIS_PASSWORD_FILE}` 
                    export REDIS_PASSWORD=$password_aux 
                  fi 
                  if [[ ! -f /opt/bitnami/redis/etc/master.conf ]];then 
                    cp /opt/bitnami/redis/mounted-etc/master.conf /opt/bitnami/redis/etc/master.conf 
                  fi 
                  if [[ ! -f /opt/bitnami/redis/etc/redis.conf ]];then 
                    cp /opt/bitnami/redis/mounted-etc/redis.conf /opt/bitnami/redis/etc/redis.conf 
                  fi 
                  ARGS=("--port" "${REDIS_PORT}") 
                  ARGS+=("--protected-mode" "no") 
                  ARGS+=("--include" "/opt/bitnami/redis/etc/redis.conf") 
                  ARGS+=("--include" "/opt/bitnami/redis/etc/master.conf") 
                  /run.sh ${ARGS[@]} 
              env: 
                - name: REDIS_REPLICATION_MODE 
                  value: master 
                - name: ALLOW_EMPTY_PASSWORD 
                  value: "yes" 
                - name: REDIS_PORT 
                  value: "6379" 
              ports: 
                - name: redis 
                  containerPort: 6379 
              volumeMounts: 
                - name: redis-data 
                  mountPath: /data 
                  subPath: 
                - name: config 
                  mountPath: /opt/bitnami/redis/mounted-etc 
                - name: redis-tmp-conf 
                  mountPath: /opt/bitnami/redis/etc/ 
          volumes: 
            - name: config 
              configMap: 
                name: redis 
            - name: redis-data 
              emptyDir: {} 
            - name: redis-tmp-conf 
              emptyDir: {} 
    --- 
    apiVersion: v1
    kind: Service
    metadata:
      name: redis-headless
      labels:
        app: redis
    spec:
      ports:
        - name: redis
          port: 6379
          targetPort: redis
      selector:
        app: redis
      clusterIP: None
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: redis-master
      labels:
        app: redis
    spec:
      ports:
        - name: redis
          port: 6379
          targetPort: redis
      selector:
        app: redis
        role: master
    ---
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: redis
    data:
      redis.conf: |-
        # User-supplied configuration:
        # Enable AOF https://redis.io/topics/persistence#append-only-file
        appendonly yes
        # Disable RDB persistence, AOF persistence already enabled.
        save ""
      master.conf: |-
        dir /data
      replica.conf: |-
        dir /data
        slave-read-only yes
        rename-command FLUSHDB ""
        rename-command FLUSHALL ""
    …Show more…Show less
  • Manifest file for the echo server
  • 1.
    Create the file echo.yaml in the folder getting_started/, which contains all resource definitions for the echo server:
  • copy
    --- 
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: echo-deployment
      labels:
        app: echoserver
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: echoserver
      template:
        metadata:
          labels:
            app: echoserver
        spec:
          containers:
            - name: echoserver
              image: ealen/echo-server:0.5.1
              imagePullPolicy: IfNotPresent
              ports:
                - containerPort: 8080
              env:
                - name: PORT
                  value: "8080"
          restartPolicy: Always
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: echoserver
      labels:
        app: echoserver
    spec:
      selector:
        app: echoserver
      ports:
        - name: http-8080
          protocol: TCP
          port: 8080
          targetPort: 8080
    …Show more…Show less
  • Manifest file for Ingress
  • 1.
    Create the file ingress.yaml in the folder getting_started/, which contains the definition for the Ingress controller:
  • copy
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: microgateway-ingress
      labels:
        app: microgateway-ingress
      annotations:
        nginx.ingress.kubernetes.io/rewrite-target: /
        kubernetes.io/ingress.class: nginx
    spec:
      rules:
        - host: virtinc.com
          http:
            paths:
              - path: /
                pathType: Prefix
                backend:
                  service:
                    name: microgateway-service
                    port:
                      number: 8080
    …Show more…Show less
  • Deploy the Kubernetes resources
  • 1.
    Run the following command to the deploy the Kubernetes resources:
  • copy
    kubectl apply -f getting_started/

Verification

Follow the instructions below to verify that the Helm release could be deployed successfully.

  • 1.
    Check the status of the pods:
  • copy
    kubectl get pods

    All pods have a STATUS of Running.

  • 2.
    Send a curl request to the echo server:
  • copy
    curl -v -k http://$(minikube ip)/ -H "Host: virtinc.com"

    In case that Airlock Microgateway was not deployed in Minikube, replace the part $(minikube ip) with the IP address of the Ingress of your Kubernetes cluster.

  • The request is sent to the echo server.
  • The Airlock Microgateway logs show, that the request has been filtered by Microgateway.

Uninstall

Follow the instructions below to uninstall the deployment.

  • 1.
    Uninstall the deployment
  • copy
    kubectl delete -f getting_started/

Further information and links