Microgateway Engine

After annotating a Pod with sidecar.microgateway.airlock.com/inject: "true", the Microgateway Operator injects the Microgateway Engine container into the annotated Pod. The Microgateway Engine runs as a sidecar in the protected Pod and secures it. It is built on the Envoy proxy and enriched with Airlock-specific features.

Configuration overview

The Microgateway Engine configuration is divided into several parts:

  1. The Kubernetes manifest file for the injection.
     The Kubernetes manifest file used for the injection is referenced in the Microgateway Operator configuration file with the parameter deployment.sidecar.engineContainerTemplate.

  2. The Envoy bootstrap configuration.
     The Envoy bootstrap configuration is referenced in the Microgateway Operator configuration file with the parameter engine.bootstrapConfigTemplate.

  3. The web application-specific configuration.
     The Microgateway Engine is configured through the CRs (custom resources) described in this chapter.

Generally, the defaults in the template files should suit all environments and do not need to be adjusted. When integrating or hardening a web application, only the settings within the CRs are required. Nevertheless, there might be reasons to modify the templates mentioned here.

The engineContainerTemplate

  • ImagePullPolicy
    When the kubelet should pull (download) an image is controlled with imagePullPolicy. See (Kubernetes) ImagePullPolicy.

  • Resource Quotas
    The resource limits that apply to the container are configured with resources.limits. See (Kubernetes) Resource Quotas.
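The two settings above are the ones worth checking before a modified engineContainerTemplate is rolled out: a misspelt imagePullPolicy is rejected by Kubernetes, and a sidecar without resource limits can starve the application container it protects. The following check is an added example, not code from Airlock or the Microgateway project; the container name, image and the cpu/memory ceilings are assumed placeholder values.

```python
import re

# Kubernetes quantity suffixes: decimal (m, k, M, ...) and binary (Ki, Mi, ...).
_SUFFIX = {
    "": 1, "m": 1e-3, "k": 1e3, "M": 1e6, "G": 1e9, "T": 1e12,
    "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40,
}
_QTY = re.compile(r"^(\d+(?:\.\d+)?)([A-Za-z]*)$")

VALID_PULL_POLICIES = {"Always", "IfNotPresent", "Never"}


def parse_quantity(value):
    """Convert a Kubernetes resource quantity ('500m', '256Mi') to a float."""
    match = _QTY.match(str(value).strip())
    if not match or match.group(2) not in _SUFFIX:
        raise ValueError(f"invalid quantity: {value!r}")
    return float(match.group(1)) * _SUFFIX[match.group(2)]


def check_engine_container(container, max_cpu="1", max_memory="512Mi"):
    """Return findings for a sidecar container spec such as the one an
    engineContainerTemplate holds. The ceilings are assumed example values."""
    findings = []
    policy = container.get("imagePullPolicy")
    if policy not in VALID_PULL_POLICIES:
        findings.append(f"imagePullPolicy {policy!r} is not one of {sorted(VALID_PULL_POLICIES)}")
    limits = container.get("resources", {}).get("limits", {})
    for name, ceiling in (("cpu", max_cpu), ("memory", max_memory)):
        if name not in limits:
            findings.append(f"resources.limits.{name} is not set")
        elif parse_quantity(limits[name]) > parse_quantity(ceiling):
            findings.append(f"resources.limits.{name}={limits[name]} exceeds {ceiling}")
    return findings


# Constructed sample container spec (names and image are placeholders).
SAMPLE_CONTAINER = {
    "name": "engine",
    "image": "registry.example.invalid/microgateway-engine:placeholder",
    "imagePullPolicy": "always",  # wrong case: Kubernetes rejects this value
    "resources": {"limits": {"cpu": "2", "memory": "256Mi"}},
}

if __name__ == "__main__":
    for finding in check_engine_container(SAMPLE_CONTAINER):
        print("-", finding)
```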

The bootstrapConfigTemplate

The bootstrapConfigTemplate file contains the default configuration for the Engine when starting up.

Basically, it contains the following settings:

  • The configuration to connect to the Microgateway Operator.
  • The configuration for the admin interface.
  • The metrics configuration, i.e. the port to scrape Prometheus metrics.
  • The readiness and liveness probe endpoint.

TLS-secured communication with the airlock-microgateway-system namespace

The communication with the airlock-microgateway-system namespace is secured using TLS. The required certificate and keys are stored in a bootstrap secret that is renewed automatically every 48h.


kubectl get secret