Microgateway Operator

The Microgateway Operator container injects the Microgateway Engine Container into web application Pods annotated with sidecar.microgateway.airlock.com/inject: "true".

In addition, the Microgateway Operator monitors these pods and reconfigures them whenever a Custom Resource changes.

Configuration overview

  • The Microgateway Operator is configured by different files:
  • The main configuration file operator_config.yaml.
  • Files that are referenced in the operator_config.yaml file:
    • deployment.sidecar.engineContainerTemplate
    • engine.bootstrapConfigTemplate

These files are stored in the Config Map airlock-microgateway-operator-operator-config in the Microgateway Operator namespace. The Config Map is configured in the Microgateway Operator deployment to be mounted at the correct location.

The configuration files in the Config Map airlock-microgateway-operator-operator-config are only read at startup.

  • The Microgateway Operator must be restarted once the file operator_config.yaml or the referenced template files has been changed.
  • The protected Pods must be restarted when the referenced template files have been changed.

Example configuration

The following snippet shows the operator_config.yaml file excerpt with default values in the airlock-microgateway-operator-operator-config Config Map:

// Default Operator configuration 
apiVersion: config.airlock.com/v1alpha1 
kind: OperatorConfig 
  level: info  
  healthProbeBindAddress: :8081 
  port: 9443
// Extensions: Airlock Microgateway Operator
    engineContainerTemplate: "/sidecar/engine_container_template.yaml" 
  bootstrapConfigTemplate: "/engine_bootstrap_config_template.yaml"

For the defaults and example values of a deployed OperatorConfig, see the Operator Config reference documentation.

TLS certificate generation and renewal

Any communication between containers in the airlock-microgateway-system namespace and, i.e., Microgateway Engine containers in web application namespaces, is secured using TLS/mTLS.

During the Microgateway Operator startup, the following self-signed certificates are generated and stored as secrets in the airlock-microgateway-system namespace:

  • airlock-microgateway-ca-cert – the CA certificate to generate self-signed TLS certificates.
  • webhook-server-cert – the server certificate of the Microgateway Operator.
  • airlock-microgateway-license-guard-cert – the certificate of the Microgateway License Guard.
  • airlock-microgateway-license-guard-redis-cert – the certificate of the Microgateway License Guard Redis DB.

Each time an Airlock Microgateway Engine sidecar is injected, an airlock-microgateway-bootstrap-secret is generated and saved to the web application namespace. This secret holds the required certificates and keys for mTLS-based communication between the Microgateway Engine and the Operator. The TLS certificates of the bootstrap secret are renewed automatically every 48h.


The application log level for the Microgateway Operator can be set in the operator config file operator_config.yaml.


apiVersion: config.airlock.com/v1alpha1
kind: OperatorConfig
  level: info

See Operator Config reference documentation for the default and possible values of log.level.