Follow this guide to deploy and configure Airlock Microgateway using kubectl.
Prerequisites
- Kubernetes cluster
- Install kubectl
- Install curl
In case no Kubernetes cluster is available, use Minikube to deploy Airlock Microgateway and getting used to it.
Deployment
Follow the instructions below to deploy Airlock Microgateway with an echo and a Redis service.
- Manifest files for Airlock Microgateway
- Create the folder
getting_started/. - Create the file
microgateway-config.yamlin the folder getting_started/, which contains the ConfigMap with the Airlock Microgateway configuration: - Follow the instructions below to create the file
microgateway-secret.yamlin the folder getting_started/. - For the premium edition, do the following:
- Copy the Microgateway license file to
getting_started/microgateway.lic. - Run the following command:
- For the community edition, do the following:
- Run the following command:
- Create the file
microgateway-deployment.yamlin the folder getting_started/, which contains the Deployment definition for Airlock Microgateway: - Create the file
microgateway-service.yamlin the folder getting_started/, which contains the Service definition for Airlock Microgateway:
Show moreShow lesscopy
apiVersion: v1
kind: ConfigMap
metadata:
name: microgateway-config
labels:
app: microgateway-config
data:
config.yaml: |
log:
level: info
session:
redis_hosts: [redis-master]
remote_ip:
header: X-Forwarded-For
internal_proxies:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
apps:
- virtual_host:
name: virtinc
hostname: virtinc.com
mappings:
- session_handling: enforce_session
deny_rule_groups:
- level: strict
backend:
hosts:
- name: echoserver
port: 8080Create the file microgateway.passphrase in the folder getting_started/, which contains the passphrase for encryption.
copy
openssl rand -base64 102 | tr -d '\n' > getting_started/microgateway.passphrase
The content of the license file looks like:
-----BEGIN LICENSE----- eJxFkEuzokgUhP+LWyeCAgqRjugFLwURhAvycJgFaAkFWLxBuNH/vY1eTC/z ... ... ... -----END LICENSE-----
copy
kubectl create secret generic microgateway-secret \ --from-file=license=getting_started/microgateway.lic \ --from-file=passphrase=getting_started/microgateway.passphrase \ --dry-run=client \ -o yaml > getting_started/microgateway-secret.yaml
copy
kubectl create secret generic microgateway-secret \ --from-file=passphrase=getting_started/microgateway.passphrase \ --dry-run=client \ -o yaml > getting_started/microgateway-secret.yaml
Show moreShow lesscopy
apiVersion: apps/v1
kind: Deployment
metadata:
name: microgateway
labels:
app: microgateway
spec:
replicas: 1
selector:
matchLabels:
app: microgateway
template:
metadata:
labels:
app: microgateway
annotations:
prometheus.io/scrape: "true"
prometheus.io/port: "9102"
spec:
initContainers:
- name: configbuilder
image: ergon/airlock-microgateway-configbuilder:3.2.0
imagePullPolicy: IfNotPresent
volumeMounts:
- name: config
mountPath: /config/config.yaml
subPath: config.yaml
- name: secret
mountPath: /secret/
readOnly: true
- name: config-files
mountPath: /resources-gen
containers:
- name: microgateway
image: ergon/airlock-microgateway:3.2.0
imagePullPolicy: IfNotPresent
ports:
- name: http
containerPort: 8080
- name: https
containerPort: 8443
- name: probes
containerPort: 9090
- name: metrics
containerPort: 9102
volumeMounts:
- name: config-files
mountPath: /config/
livenessProbe:
failureThreshold: 9
timeoutSeconds: 5
httpGet:
path: /alive
port: probes
initialDelaySeconds: 90
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthy
port: probes
initialDelaySeconds: 10
lifecycle:
preStop:
exec:
command:
- /usr/bin/sleep
- "10"
resources:
requests:
memory: 256Mi
cpu: 30m
limits:
memory: 4048Mi
volumes:
- name: config
configMap:
name: microgateway-config
- name: secret
secret:
secretName: microgateway-secret
- name: config-files
emptyDir: {}Show moreShow lesscopy
apiVersion: v1
kind: Service
metadata:
name: microgateway-service
labels:
app: microgateway
spec:
selector:
app: microgateway
ports:
- name: http
port: 8080
- name: https
port: 8443- Manifest file for Redis
- Create the file
redis.yamlin the folder getting_started/, which contains all resource definitions for Redis:
Show moreShow lesscopy
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: redis-master
labels:
app: redis
spec:
selector:
matchLabels:
app: redis
role: master
serviceName: redis-headless
template:
metadata:
labels:
app: redis
role: master
spec:
containers:
- name: redis
image: docker.io/bitnami/redis:5.0.9-debian-10-r4
imagePullPolicy: IfNotPresent
command:
- /bin/bash
- -c
- |
if [[ -n $REDIS_PASSWORD_FILE ]]; then
password_aux=`cat ${REDIS_PASSWORD_FILE}`
export REDIS_PASSWORD=$password_aux
fi
if [[ ! -f /opt/bitnami/redis/etc/master.conf ]];then
cp /opt/bitnami/redis/mounted-etc/master.conf /opt/bitnami/redis/etc/master.conf
fi
if [[ ! -f /opt/bitnami/redis/etc/redis.conf ]];then
cp /opt/bitnami/redis/mounted-etc/redis.conf /opt/bitnami/redis/etc/redis.conf
fi
ARGS=("--port" "${REDIS_PORT}")
ARGS+=("--protected-mode" "no")
ARGS+=("--include" "/opt/bitnami/redis/etc/redis.conf")
ARGS+=("--include" "/opt/bitnami/redis/etc/master.conf")
/run.sh ${ARGS[@]}
env:
- name: REDIS_REPLICATION_MODE
value: master
- name: ALLOW_EMPTY_PASSWORD
value: "yes"
- name: REDIS_PORT
value: "6379"
ports:
- name: redis
containerPort: 6379
volumeMounts:
- name: redis-data
mountPath: /data
subPath:
- name: config
mountPath: /opt/bitnami/redis/mounted-etc
- name: redis-tmp-conf
mountPath: /opt/bitnami/redis/etc/
volumes:
- name: config
configMap:
name: redis
- name: redis-data
emptyDir: {}
- name: redis-tmp-conf
emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
name: redis-headless
labels:
app: redis
spec:
ports:
- name: redis
port: 6379
targetPort: redis
selector:
app: redis
clusterIP: None
---
apiVersion: v1
kind: Service
metadata:
name: redis-master
labels:
app: redis
spec:
ports:
- name: redis
port: 6379
targetPort: redis
selector:
app: redis
role: master
---
apiVersion: v1
kind: ConfigMap
metadata:
name: redis
data:
redis.conf: |-
# User-supplied configuration:
# Enable AOF https://redis.io/topics/persistence#append-only-file
appendonly yes
# Disable RDB persistence, AOF persistence already enabled.
save ""
master.conf: |-
dir /data
replica.conf: |-
dir /data
slave-read-only yes
rename-command FLUSHDB ""
rename-command FLUSHALL ""- Manifest file for the echo server
- Create the file
echo.yamlin the folder getting_started/, which contains all resource definitions for the echo server:
Show moreShow lesscopy
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: echo-deployment
labels:
app: echoserver
spec:
replicas: 1
selector:
matchLabels:
app: echoserver
template:
metadata:
labels:
app: echoserver
spec:
containers:
- name: echoserver
image: ealen/echo-server:0.5.1
imagePullPolicy: IfNotPresent
ports:
- containerPort: 8080
env:
- name: PORT
value: "8080"
restartPolicy: Always
---
apiVersion: v1
kind: Service
metadata:
name: echoserver
labels:
app: echoserver
spec:
selector:
app: echoserver
ports:
- name: http-8080
protocol: TCP
port: 8080
targetPort: 8080- Manifest file for Ingress
- Create the file
ingress.yamlin the folder getting_started/, which contains the definition for the Ingress controller:
Show moreShow lesscopy
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: microgateway-ingress
labels:
app: microgateway-ingress
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
kubernetes.io/ingress.class: nginx
spec:
rules:
- host: virtinc.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: microgateway-service
port:
number: 8080- Deploy the Kubernetes resources
- Run the following command to the deploy the Kubernetes resources:
copy
kubectl apply -f getting_started/
Verification
Follow the instructions below to verify that the Helm release could be deployed successfully.
- Check the status of the pods:
- Send a curl request to the echo server:
- The request is sent to the echo server.
- The Airlock Microgateway logs show, that the request has been filtered by Microgateway.
copy
kubectl get pods
All pods have a STATUS of Running.
copy
curl -v -k http://$(minikube ip)/ -H "Host: virtinc.com"
In case that Airlock Microgateway was not deployed in Minikube, replace the part $(minikube ip) with the IP address of the Ingress of your Kubernetes cluster.
Uninstall
Follow the instructions below to uninstall the deployment.
- Uninstall the deployment
copy
kubectl delete -f getting_started/