Microgateway Operator

The Microgateway Operator container injects the Microgateway Engine Container into web application Pods annotated with sidecar.microgateway.airlock.com/inject: "true".

In addition, the Microgateway Operator monitors these pods and reconfigures them whenever a Custom Resource changes.

Configuration overview

The Microgateway Operator is configured by different files:
The main configuration file operator_config.yaml.
Files that are referenced in the operator_config.yaml file:

deployment.sidecar.engineContainerTemplate
engine.bootstrapConfigTemplate

These files are stored in the Config Map airlock-microgateway-operator-operator-config in the Microgateway Operator namespace. The Config Map is configured in the Microgateway Operator deployment to be mounted at the correct location.

The configuration files in the Config Map airlock-microgateway-operator-operator-config are only read at startup.

The Microgateway Operator must be restarted once the file operator_config.yaml or the referenced template files has been changed.
The protected Pods must be restarted when the referenced template files have been changed.

Example configuration

The following snippet shows the operator_config.yaml file excerpt with default values in the airlock-microgateway-operator-operator-config Config Map:

copy

// Default Operator configuration 
apiVersion: config.airlock.com/v1alpha1 
kind: OperatorConfig 
log:
  level: info  
health: 
  healthProbeBindAddress: :8081 
metrics: 
  bindAddress: 127.0.0.1:8080 
webhook: 
  port: 9443
  
// Extensions: Airlock Microgateway Operator
deployment: 
  sidecar: 
    engineContainerTemplate: "/sidecar/engine_container_template.yaml" 
engine: 
  bootstrapConfigTemplate: "/engine_bootstrap_config_template.yaml"

For the defaults and example values of a deployed OperatorConfig, see the Operator Config reference documentation.

TLS certificate generation and renewal

Any communication between containers in the airlock-microgateway-system namespace and, i.e., Microgateway Engine containers in web application namespaces, is secured using TLS/mTLS.

During the Microgateway Operator startup, the following self-signed certificates are generated and stored as secrets in the airlock-microgateway-system namespace:

airlock-microgateway-ca-cert – the CA certificate to generate self-signed TLS certificates.
webhook-server-cert – the server certificate of the Microgateway Operator.
airlock-microgateway-license-guard-cert – the certificate of the Microgateway License Guard.
airlock-microgateway-license-guard-redis-cert – the certificate of the Microgateway License Guard Redis DB.

Each time an Airlock Microgateway Engine sidecar is injected, an airlock-microgateway-bootstrap-secret is generated and saved to the web application namespace. This secret holds the required certificates and keys for mTLS-based communication between the Microgateway Engine and the Operator. The TLS certificates of the bootstrap secret are renewed automatically every 48h.

Logging

The application log level for the Microgateway Operator can be set in the operator config file operator_config.yaml.

Example:

copy

apiVersion: config.airlock.com/v1alpha1
kind: OperatorConfig
... 
log: 
  level: info
...

See Operator Config reference documentation for the default and possible values of log.level.

Further information and links

Internal links:
Operator Config reference documentation
Annotations for Microgateway Engine injection
mTLS-secured communication with Microgateway Operator
Monitored CRs, see chapter CR SidecarGateway and below.
Microgateway as a data source for Prometheus metrics