Deploy with kubectl in OpenShift

Follow this guide to deploy and configure Airlock Microgateway using kubectl.

Deployment

Follow the instructions below to deploy Airlock Microgateway with an echo and a Redis service.

  1. Manifest files for Airlock Microgateway
  2. Create the folder getting_started/.
  3. Create the file microgateway-config.yaml in the folder getting_started/, which contains the ConfigMap with the Airlock Microgateway configuration:
  4. Show moreShow lesscopy
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: microgateway-config
      labels:
        app: microgateway-config
    data:
      config.yaml: |
        log:
          level: info
     
        session:
          redis_hosts: [redis-master]
    
        remote_ip:
          header: X-Forwarded-For
          internal_proxies:
            - 10.0.0.0/8
            - 172.16.0.0/12
            - 192.168.0.0/16
      
        apps:
          - virtual_host:
              name: virtinc
              hostname: virtinc.com
            mappings:
              - session_handling: enforce_session
                deny_rule_groups:
                  - level: strict
                backend:
                  hosts:
                    - name: echoserver
                      port: 8080
  5. Follow the instructions below to create the file microgateway-secret.yaml in the folder getting_started/.
  6. Create the file microgateway.passphrase in the folder getting_started/, which contains the passphrase for encryption.

    copy
    openssl rand -base64 102 | tr -d '\n' > getting_started/microgateway.passphrase
    
    • For the premium edition, do the following:
    • Copy the Microgateway license file to getting_started/microgateway.lic.
    • The content of the license file looks like:

      -----BEGIN LICENSE----- 
      eJxFkEuzokgUhP+LWyeCAgqRjugFLwURhAvycJgFaAkFWLxBuNH/vY1eTC/z 
      ... 
      ... 
      ...   
      -----END LICENSE-----
    • Run the following command:
    • copy
      kubectl create secret generic microgateway-secret \
        --from-file=license=getting_started/microgateway.lic \
        --from-file=passphrase=getting_started/microgateway.passphrase \
        --dry-run=client \
        -o yaml > getting_started/microgateway-secret.yaml
    • For the community edition, do the following:
    • Run the following command:
    • copy
      kubectl create secret generic microgateway-secret \
        --from-file=passphrase=getting_started/microgateway.passphrase \
        --dry-run=client \
        -o yaml > getting_started/microgateway-secret.yaml
  7. Create the file microgateway-deployment.yaml in the folder getting_started/, which contains the Deployment definition for Airlock Microgateway:
  8. Show moreShow lesscopy
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: microgateway
      labels:
        app: microgateway
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: microgateway
      template:
        metadata:
          labels:
            app: microgateway
          annotations:
            prometheus.io/scrape: "true"
            prometheus.io/port: "9102"
        spec:
          initContainers:
            - name: configbuilder
              image: ergon/airlock-microgateway-configbuilder:3.2.0          
              imagePullPolicy: IfNotPresent
              volumeMounts:
                - name: config
                  mountPath: /config/config.yaml
                  subPath: config.yaml
                - name: secret
                  mountPath: /secret/
                  readOnly: true
                - name: config-files
                  mountPath: /resources-gen
          containers:
            - name: microgateway
              image: ergon/airlock-microgateway:3.2.0          
              imagePullPolicy: IfNotPresent
              ports:
                - name: http
                  containerPort: 8080
                - name: https
                  containerPort: 8443
                - name: probes
                  containerPort: 9090
                - name: metrics
                  containerPort: 9102
              volumeMounts:
                - name: config-files
                  mountPath: /config/
              livenessProbe:
                failureThreshold: 9
                timeoutSeconds: 5
                httpGet:
                  path: /alive
                  port: probes
                initialDelaySeconds: 90
              readinessProbe:
                failureThreshold: 3
                httpGet:
                  path: /healthy
                  port: probes
                initialDelaySeconds: 10
              lifecycle:
                preStop:
                  exec:
                    command:
                      - /usr/bin/sleep
                      - "10"
              resources:
                requests:
                  memory: 256Mi
                  cpu: 30m
                limits:
                  memory: 4048Mi
          volumes:
            - name: config
              configMap:
                name: microgateway-config
            - name: secret
              secret:
                secretName: microgateway-secret
            - name: config-files
              emptyDir: {}
  9. Create the file microgateway-service.yaml in the folder getting_started/, which contains the Service definition for Airlock Microgateway:
  10. Show moreShow lesscopy
    apiVersion: v1
    kind: Service
    metadata:
      name: microgateway-service
      labels:
        app: microgateway
    spec:
      selector:
        app: microgateway
      ports:
        - name: http
          port: 8080
        - name: https
          port: 8443
  1. Manifest file for Redis
  2. Create the file redis.yaml in the folder getting_started/, which contains all resource definitions for Redis:
  3. Show moreShow lesscopy
    --- 
    apiVersion: apps/v1
    kind: StatefulSet
    metadata:
      name: redis-master
      labels:
        app: redis
    spec:
      selector:
        matchLabels:
          app: redis
          role: master
      serviceName: redis-headless
      template:
        metadata:
          labels:
            app: redis
            role: master
        spec:
          containers:
            - name: redis
              image: docker.io/bitnami/redis:5.0.9-debian-10-r4
              imagePullPolicy: IfNotPresent
              command:
                - /bin/bash 
                - -c 
                - | 
                  if [[ -n $REDIS_PASSWORD_FILE ]]; then 
                    password_aux=`cat ${REDIS_PASSWORD_FILE}` 
                    export REDIS_PASSWORD=$password_aux 
                  fi 
                  if [[ ! -f /opt/bitnami/redis/etc/master.conf ]];then 
                    cp /opt/bitnami/redis/mounted-etc/master.conf /opt/bitnami/redis/etc/master.conf 
                  fi 
                  if [[ ! -f /opt/bitnami/redis/etc/redis.conf ]];then 
                    cp /opt/bitnami/redis/mounted-etc/redis.conf /opt/bitnami/redis/etc/redis.conf 
                  fi 
                  ARGS=("--port" "${REDIS_PORT}") 
                  ARGS+=("--protected-mode" "no") 
                  ARGS+=("--include" "/opt/bitnami/redis/etc/redis.conf") 
                  ARGS+=("--include" "/opt/bitnami/redis/etc/master.conf") 
                  /run.sh ${ARGS[@]} 
              env: 
                - name: REDIS_REPLICATION_MODE 
                  value: master 
                - name: ALLOW_EMPTY_PASSWORD 
                  value: "yes" 
                - name: REDIS_PORT 
                  value: "6379" 
              ports: 
                - name: redis 
                  containerPort: 6379 
              volumeMounts: 
                - name: redis-data 
                  mountPath: /data 
                  subPath: 
                - name: config 
                  mountPath: /opt/bitnami/redis/mounted-etc 
                - name: redis-tmp-conf 
                  mountPath: /opt/bitnami/redis/etc/ 
          volumes: 
            - name: config 
              configMap: 
                name: redis 
            - name: redis-data 
              emptyDir: {} 
            - name: redis-tmp-conf 
              emptyDir: {} 
    --- 
    apiVersion: v1
    kind: Service
    metadata:
      name: redis-headless
      labels:
        app: redis
    spec:
      ports:
        - name: redis
          port: 6379
          targetPort: redis
      selector:
        app: redis
      clusterIP: None
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: redis-master
      labels:
        app: redis
    spec:
      ports:
        - name: redis
          port: 6379
          targetPort: redis
      selector:
        app: redis
        role: master
    ---
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: redis
    data:
      redis.conf: |-
        # User-supplied configuration:
        # Enable AOF https://redis.io/topics/persistence#append-only-file
        appendonly yes
        # Disable RDB persistence, AOF persistence already enabled.
        save ""
      master.conf: |-
        dir /data
      replica.conf: |-
        dir /data
        slave-read-only yes
        rename-command FLUSHDB ""
        rename-command FLUSHALL ""
  1. Manifest file for the echo server
  2. Create the file echo.yaml in the folder getting_started/, which contains all resource definitions for the echo server:
  3. Show moreShow lesscopy
    --- 
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: echo-deployment
      labels:
        app: echoserver
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: echoserver
      template:
        metadata:
          labels:
            app: echoserver
        spec:
          containers:
            - name: echoserver
              image: ealen/echo-server:0.5.1
              imagePullPolicy: IfNotPresent
              ports:
                - containerPort: 8080
              env:
                - name: PORT
                  value: "8080"
          restartPolicy: Always
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: echoserver
      labels:
        app: echoserver
    spec:
      selector:
        app: echoserver
      ports:
        - name: http-8080
          protocol: TCP
          port: 8080
          targetPort: 8080
  1. Manifest file for Route
  2. Create the file route.yaml in the folder getting_started/, which contains the definition for the Route:
  3. Show moreShow lesscopy
    apiVersion: route.openshift.io/v1 
    kind: Route 
    metadata: 
      name: microgateway-route 
      labels: 
        name: microgateway-route   
    spec: 
      host: virtinc.com 
      path: "/" 
      port: 
        targetPort: 8080 
      to: 
        kind: Service 
        name: microgateway-service 
        weight: 100
  1. Deploy the Kubernetes resources
  2. Run the following command the deploy the Kubernetes resources:
  3. copy
    kubectl apply -f getting_started/

Verification

Follow the instructions below to verify that the Helm release could be deployed successfully.

  1. Check the status of the pods:
  2. copy
    kubectl get pods

    All pods have a STATUS of Running.

  3. Send a curl request to the echo server:
  4. copy
    curl -v -k http://$(minishift ip)/ -H "Host: virtinc.com"

    In case that Airlock Microgateway was not deployed in Minishift, replace the part $(minishift ip) with the IP address of the Route of your OpenShift cluster.

  5. The request is sent to the echo server.
  6. The Airlock Microgateway logs show, that the request has been filtered by Microgateway.

Uninstall

Follow the instructions below to uninstall the deployment.

  1. Uninstall the deployment
  2. copy
    kubectl delete -f getting_started/