Annotations for Microgateway Engine injection

The Microgateway Operator injects the Microgateway Engine containers into the upstream application Pods based on annotations on the Pod template. The annotations control whether the containers are injected and some general behavior. The table below lists and explains the annotations the Operator is aware of.

| Annotation | Default | Possible values | Description |
|---|---|---|---|
| sidecar.microgateway.airlock.com/inject | false | true, false | If true, a Microgateway Engine sidecar is injected during Pod creation. Adding the annotation to an existing, running Pod has no effect: use kubectl apply -f <deployment.yaml> to apply the configuration change and have the Microgateway Engine injected through the Deployment. |
| sidecar.microgateway.airlock.com/excludeInboundPorts | "" | "<int>, ..." | Comma-separated list of inbound ports that the Microgateway Operator excludes from redirection to the Microgateway Engine. When the annotation sidecar.microgateway.airlock.com/serviceMesh: istio is set, the default ports of the Istio sidecar proxy (15000, 15001, 15004, 15006, 15008, 15009, 15020, 15021, 15053, 15090) are excluded automatically. |
| sidecar.microgateway.airlock.com/serviceMesh | none | none, istio | Sets which service mesh is in use. The Network Manager needs this information to configure the redirection of traffic to the Microgateway Engine correctly. |
| sidecar.microgateway.airlock.com/engineLogLevel | info | trace, debug, info, warn, error, critical, off | Sets the Microgateway Engine log level. See also Engine and Network Manager application log configuration. |
| sidecar.microgateway.airlock.com/networkManagerLogLevel | info | debug, info, warn, error | Sets the Network Manager log level. See also Engine and Network Manager application log configuration. |
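A small validator for these annotations, added here as an example; it is not code from the Airlock documentation or the Microgateway Operator. The accepted values and the Istio default ports come from the table above; the function names, the checks and the sample annotations are constructed for this example. Two points matter from a hardening perspective: a misspelled annotation key is simply ignored by the Operator, so a typo in the inject annotation leaves the Pod running without an Engine, and the ports listed in excludeInboundPorts (plus Istio's defaults when serviceMesh is istio) are exactly the inbound ports that bypass the Engine, so it pays to know the effective set rather than just the annotated one.

```python
"""Validate Airlock Microgateway sidecar annotations on a Pod template.

Added example; not code from the Airlock documentation or the Microgateway
Operator. Accepted values and Istio default ports are taken from the
annotation table; helper names, checks and sample data are constructed.
"""
from __future__ import annotations

PREFIX = "sidecar.microgateway.airlock.com/"

# Enumerated annotations and their accepted values, per the table.
ALLOWED_VALUES: dict[str, frozenset[str]] = {
    PREFIX + "inject": frozenset({"true", "false"}),
    PREFIX + "serviceMesh": frozenset({"none", "istio"}),
    PREFIX + "engineLogLevel": frozenset(
        {"trace", "debug", "info", "warn", "error", "critical", "off"}),
    PREFIX + "networkManagerLogLevel": frozenset({"debug", "info", "warn", "error"}),
}
EXCLUDE_PORTS = PREFIX + "excludeInboundPorts"

# Istio sidecar proxy ports the Operator excludes automatically for serviceMesh: istio.
ISTIO_DEFAULT_EXCLUDED_PORTS = frozenset(
    {15000, 15001, 15004, 15006, 15008, 15009, 15020, 15021, 15053, 15090})


def parse_port_list(value: str) -> set[int]:
    """Parse an excludeInboundPorts value ("<int>, ..."); "" means no ports."""
    ports: set[int] = set()
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue  # tolerates "" and trailing commas
        if not item.isdigit():
            raise ValueError(f"not an integer port: {item!r}")
        port = int(item)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        ports.add(port)
    return ports


def validate_annotations(annotations: dict[str, str]) -> list[str]:
    """Return the problems found in the Microgateway annotations (empty list = OK).

    Keys with the Microgateway prefix that the table does not list are reported
    too: the Operator ignores unknown keys, so a typo in the inject annotation
    silently leaves the Pod without an Engine.
    """
    problems: list[str] = []
    for key, value in annotations.items():
        if not key.startswith(PREFIX):
            continue  # annotations of other systems (e.g. Istio) are not checked here
        if key in ALLOWED_VALUES:
            if value not in ALLOWED_VALUES[key]:
                problems.append(f"{key}: {value!r} not in {sorted(ALLOWED_VALUES[key])}")
        elif key == EXCLUDE_PORTS:
            try:
                parse_port_list(value)
            except ValueError as exc:
                problems.append(f"{key}: {exc}")
        else:
            problems.append(f"{key}: unknown annotation (typo?)")
    return problems


def effective_excluded_ports(annotations: dict[str, str]) -> set[int]:
    """Inbound ports that bypass the Engine: the annotated list, plus Istio's
    default ports when serviceMesh is istio."""
    ports = parse_port_list(annotations.get(EXCLUDE_PORTS, ""))
    if annotations.get(PREFIX + "serviceMesh", "none") == "istio":
        ports |= ISTIO_DEFAULT_EXCLUDED_PORTS
    return ports


if __name__ == "__main__":
    # Constructed sample: the annotations of the Istio example Deployment on this page.
    sample = {
        PREFIX + "inject": "true",
        EXCLUDE_PORTS: "9998,9999",
        PREFIX + "serviceMesh": "istio",
        "sidecar.istio.io/inject": "true",
    }
    print("problems:", validate_annotations(sample))
    print("ports bypassing the Engine:", sorted(effective_excluded_ports(sample)))
```

The values are compared as strings because Kubernetes annotations are a string map; in a manifest this means the value has to be quoted ("true"), as the examples on this page do, since an unquoted true is parsed as a YAML boolean and the API server rejects the object.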

Example configuration for a web application without Istio

The following example Kubernetes manifest file contains annotations to protect the web application with Airlock Microgateway.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: echo-server
  name: echo-server
spec:
  selector:
    matchLabels:
      app: echo-server
  template:
    metadata:
      annotations:
        sidecar.microgateway.airlock.com/inject: "true"
        sidecar.microgateway.airlock.com/excludeInboundPorts: "9998,9999"
        sidecar.microgateway.airlock.com/serviceMesh: "none"
      labels:
        app: echo-server
        version: 1.0.0
    spec:
      containers:
        - image: ealen/echo-server:latest
          name: echo-server
          ports:
            - containerPort: 5051
```

Ensure that in such a setup the annotation sidecar.microgateway.airlock.com/serviceMesh is set to none or not set at all.

SidecarGateway configuration to protect a web application:

  • Our example uses a simple echo application Pod with the label app: echo-server.
  • The spec.applications.containerPort is the container port of the web application that has to be secured by Airlock Microgateway. The default 8080 can be overridden to connect to the application's HTTP port. In our example, the echo-server Pod listens for requests on port 5051.
  • The security settings to be applied are referenced in the CR ContentSecurity named content-security-sample.

This setup is also possible if Istio is deployed in your Kubernetes cluster, as long as the web application Pod does not have Istio injected, neither through a label on the namespace nor through the corresponding Pod annotation. For more information, consult (Istio) Sidecar injection.

Example for a web application with Istio

The following example Kubernetes manifest file contains annotations to protect the web application with Airlock Microgateway alongside Istio service mesh:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: echo-server
  name: echo-server
spec:
  selector:
    matchLabels:
      app: echo-server
  template:
    metadata:
      annotations:
        sidecar.microgateway.airlock.com/inject: "true"
        sidecar.microgateway.airlock.com/excludeInboundPorts: "9998,9999"
        sidecar.microgateway.airlock.com/serviceMesh: "istio"
        sidecar.istio.io/inject: "true"
      labels:
        app: echo-server
        version: 1.0.0
    spec:
      containers:
        - image: ealen/echo-server:latest
          name: echo-server
          ports:
            - containerPort: 5051
```

Ensure that in such a setup the annotation sidecar.microgateway.airlock.com/serviceMesh is set to istio.

SidecarGateway configuration to protect a web application:

  • Our example uses a simple echo application Pod with the label app: echo-server.
  • The spec.applications.containerPort is the container port of the web application that has to be secured by Airlock Microgateway. The default 8080 can be overridden to connect to the application's HTTP port. In our example, the echo-server Pod listens for requests on port 5051.
  • The security settings to be applied are referenced in the CR ContentSecurity named content-security-sample.

The web application Pod has Istio injected. The example illustrates this by annotating the Pod. For more information, consult (Istio) Sidecar injection.
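The two examples differ only in whether the Pod gets an Istio sidecar and what serviceMesh is set to, and the text around them states the rule: serviceMesh must be istio when the Pod has Istio injected and none (or absent) when it does not. The following check, added here as an example rather than code from the Airlock documentation or the Operator, rebuilds both example Deployments as constructed Python dicts and applies that rule to the Pod template. Namespace-level Istio injection is not visible in a Pod template, so the check takes it as a flag (an assumption of this example); a sidecar.istio.io/inject annotation on the Pod overrides that namespace default, as it does in Istio.

```python
"""Check that serviceMesh agrees with the Pod's Istio injection.

Added example; not code from the Airlock documentation or the Microgateway
Operator. The example Deployments from this page are rebuilt as constructed
dicts; the namespace-injection flag and the helper names are assumptions.
"""
from __future__ import annotations

MGW = "sidecar.microgateway.airlock.com/"
ISTIO_INJECT = "sidecar.istio.io/inject"


def echo_server_deployment(service_mesh: str, istio_inject: str | None = None) -> dict:
    """Constructed copy of the page's echo-server Deployment with the given annotations."""
    annotations = {
        MGW + "inject": "true",
        MGW + "excludeInboundPorts": "9998,9999",
        MGW + "serviceMesh": service_mesh,
    }
    if istio_inject is not None:
        annotations[ISTIO_INJECT] = istio_inject
    return {
        "apiVersion": "apps/v1",
        "kind": "Deployment",
        "metadata": {"name": "echo-server", "labels": {"app": "echo-server"}},
        "spec": {
            "selector": {"matchLabels": {"app": "echo-server"}},
            "template": {
                "metadata": {"annotations": annotations,
                             "labels": {"app": "echo-server", "version": "1.0.0"}},
                "spec": {"containers": [{"image": "ealen/echo-server:latest",
                                         "name": "echo-server",
                                         "ports": [{"containerPort": 5051}]}]},
            },
        },
    }


def pod_annotations(deployment: dict) -> dict[str, str]:
    """Annotations of the Pod template (the Operator reads these, not Deployment metadata)."""
    template = deployment.get("spec", {}).get("template", {})
    return template.get("metadata", {}).get("annotations") or {}


def check_service_mesh(deployment: dict, namespace_istio_injection: bool = False) -> list[str]:
    """Return the mesh/Istio inconsistencies found (empty list = consistent).

    namespace_istio_injection models a namespace labelled for Istio injection;
    a sidecar.istio.io/inject annotation on the Pod takes precedence over it.
    """
    ann = pod_annotations(deployment)
    if ann.get(MGW + "inject") != "true":
        return []  # no Engine injected, so the mesh setting has no effect
    mesh = ann.get(MGW + "serviceMesh", "none")
    namespace_default = "true" if namespace_istio_injection else "false"
    istio_injected = ann.get(ISTIO_INJECT, namespace_default) == "true"
    problems: list[str] = []
    if mesh == "istio" and not istio_injected:
        problems.append("serviceMesh is istio but the Pod gets no Istio sidecar; "
                        "set serviceMesh to none or enable Istio injection for the Pod")
    if mesh == "none" and istio_injected:
        problems.append("Pod gets an Istio sidecar but serviceMesh is none; "
                        "set serviceMesh to istio or disable Istio injection for the Pod")
    return problems


if __name__ == "__main__":
    print(check_service_mesh(echo_server_deployment("none")))           # without Istio
    print(check_service_mesh(echo_server_deployment("istio", "true")))  # with Istio
    print(check_service_mesh(echo_server_deployment("istio")))          # mismatch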