Licensing and license-dependent behavior

To use Airlock Microgateway, a valid license is required. Airlock Microgateway is available in a Premium and a free Community edition. The available editions are compared in the article Airlock Microgateway editions and support.

Configure/change the license

  1. After the Airlock Microgateway installation, store the license in the Microgateway Operator namespace, in a Kubernetes secret with the name airlock-microgateway-license and the key microgateway-license.txt. Use the following command:
    kubectl -n airlock-microgateway-system \
      create secret generic airlock-microgateway-license \
      --from-file=microgateway-license.txt=<my-local-microgateway-license.txt>
  2. To change a license (e.g. when upgrading from Community to Premium), use kubectl apply to apply the new license to the airlock-microgateway-license secret in the airlock-microgateway-system namespace.

There is no need to restart the Airlock Microgateway Operator. Kubernetes Secrets are updated at intervals of about one minute. Wait for the new license to become active.
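One way to script the license change described above so that it is repeatable and verifiable. This is an added example, not part of the Airlock documentation; the function name update_license is hypothetical, and sha256sum and base64 from GNU coreutils are assumed. It renders the Secret locally, applies it, then compares digests of the local file and the stored key so the license text is never printed.

```shell
# Added example: replace the Microgateway license secret and confirm what is stored.
NS=airlock-microgateway-system
SECRET=airlock-microgateway-license
KEY=microgateway-license.txt

sha256_of() { sha256sum | cut -d' ' -f1; }

# Usage: update_license <path-to-license-file>
update_license() {
  local file=$1 local_sum stored_sum

  # Refuse to overwrite a working license with a missing or empty file.
  [ -s "$file" ] || { echo "license file '$file' is missing or empty" >&2; return 2; }

  # Render the Secret locally and apply it: creates it if absent, updates it otherwise.
  kubectl -n "$NS" create secret generic "$SECRET" \
    --from-file="$KEY=$file" --dry-run=client -o yaml |
    kubectl -n "$NS" apply -f - || return 1

  # Read the key back and compare digests instead of printing the license.
  local_sum=$(sha256_of < "$file")
  stored_sum=$(kubectl -n "$NS" get secret "$SECRET" \
    -o 'jsonpath={.data.microgateway-license\.txt}' | base64 -d | sha256_of)
  [ "$local_sum" = "$stored_sum" ] || { echo "stored license differs from $file" >&2; return 1; }

  echo "license secret updated: sha256=$local_sum"
}
```

A matching digest only confirms the Secret content; the Operator still needs about a minute to pick up the change.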

Monitor license information with metrics and logs

Apart from the community license edition for initial tests, you should always order a premium license that covers your estimated/measured maximum throughput, number of secured web applications, etc.
We have implemented a set of license-related metrics and logs to avoid unwanted blockages due to license volume limits, lifetime, or other factors. Use them to monitor if your current Airlock Microgateway license is still sufficient, to detect potential problems and to update/change your license in time.

  • Metrics:
    • License-related metrics with explanations are listed below in this article.
    • For a detailed list of available metrics with a short description, see available metrics in Prometheus format.
  • Operator logs:
    • License information on a daily basis for
      • the license expiration due date,
      • an expired license,
      • a missing or invalid license.
    • License details at every start of the Microgateway Operator or after license exchange/upgrade.

License details compared

The table below compares the basic license attributes between the Community and Premium editions.

  • Corresponding metrics:
    • airlock_microgateway_license_is_premium
    • airlock_microgateway_license_max_sidecars

License attribute: minVersion
  • Community edition: enforced
  • Premium edition: ignored
  • Remarks: Invalid means that the version of the Airlock Microgateway is older than the minVersion attribute in the license.

License attribute: maxSidecars
  • Community edition: enforced
  • Premium edition: ignored
  • Remarks: Only Pods with injected Microgateway Engine sidecar containers are counted.
    • When above the threshold:
      • The protected Pods are sorted by creation date, oldest first.
      • For Pods above the threshold, all traffic is blocked.
      • All other Pods run normally.

License attribute: licensedModules
  • Community edition: enforced
  • Premium edition: enforced
  • Remarks: Airlock Microgateway licenses are modular.
    • Modules are licensed in the licensedModules attribute:
      • base – this module is part of every license.
      • auth (1) – this module can be licensed additionally to allow configuring authentication features. If not licensed, the validation Webhook in Kubernetes rejects and ignores CustomResources of accessControl and their referenced resources.

(1) Authentication features are planned for upcoming releases and are not yet available.

Behavior with invalid or expired licenses

Licenses are treated either as valid, invalid or expired. Differences between invalid and expired licenses are shown in the following table.

  • Corresponding metrics:
    • airlock_microgateway_license_valid
    • airlock_microgateway_license_expiry_timestamp_seconds

License validity / Definition and behavior

Valid license
  • Definition:
    • Valid (metric airlock_microgateway_license_valid = 1) Community or Premium edition license.
  • Microgateway Engine behavior:
    • Traffic is secured according to the configuration of the Airlock Microgateway Engine and the kind and scope of the license. See section License details compared in this article.

Invalid license
  • Definition:
    • Missing or invalid signed license (metric airlock_microgateway_license_valid = 0).
    • The Airlock Microgateway version does not meet the minVersion license attribute (this applies only to Community Edition).
  • Microgateway Engine behavior:
    • All traffic is blocked.

Expired license
  • Definition:
    • The license is expired (metric airlock_microgateway_license_valid = 0) as soon as the license expiry timestamp metric value is reached.
  • Microgateway Engine behavior:
    • Pods created before the license expiry timestamp run normally.
    • Pods created after the license expiry timestamp block all traffic.
  • Operator and Pods are not affected by the license status:
    • The Airlock Microgateway Operator runs normally.
    • Based on the injection annotation, the Airlock Microgateway Operator injects the Microgateway Engine container into Pods. Therefore, only these Pods are affected. See also the article Annotations for Microgateway Engine injection.

Behavior if the throughput threshold is reached

The Microgateway Operator configures the Microgateway License Guard for the licensed throughput. During operation, the Microgateway Engine containers report the throughput to the Microgateway License Guard service, which then takes measures if the throughput exceeds the limits.

  • With the Community edition license, a percentage of requests is blocked if the real throughput exceeds the licensed throughput.
  • With the Premium edition license, no requests are blocked, but this behavior might be subject to change in the future.
  • Corresponding metrics:
    • airlock_microgateway_license_is_premium
    • airlock_microgateway_license_guard_current_requests_per_second
    • airlock_microgateway_license_max_requests_per_second
    • airlock_microgateway_license_guard_grpc_ratelimit_requests_total

For a complete list of all license-related metrics and their origin, see Available metrics in Prometheus format.
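A check that turns the license metrics named in this article into warnings before traffic is blocked. This is an added example, not part of the Airlock documentation; the function name, thresholds and sample values are constructed, and the metrics are assumed to be exposed as one series each without trailing timestamps. Telling expired from invalid by comparing the expiry timestamp with the current time is also an assumption of this example.

```shell
# Constructed sample scrape; the values are illustrative, not real output.
SAMPLE_METRICS='airlock_microgateway_license_valid 1
airlock_microgateway_license_is_premium 0
airlock_microgateway_license_expiry_timestamp_seconds 1767225600
airlock_microgateway_license_max_requests_per_second 100
airlock_microgateway_license_guard_current_requests_per_second 130'

# Usage: check_license_metrics NOW_EPOCH [WARN_DAYS] [WARN_RATIO] < metrics.txt
# Reads Prometheus text format on stdin.
# Exit status: 0 ok, 1 warning, 2 critical, 3 unknown.
check_license_metrics() {
  awk -v now="$1" -v warn_days="${2:-30}" -v warn_ratio="${3:-0.8}" '
    function report(level, text,   label) {
      label = (level == 2) ? "CRITICAL" : "WARNING"
      print label ": " text
      if (level > rc) rc = level
    }
    /^#/ || NF < 2 { next }                  # skip HELP/TYPE lines and blanks
    {
      name = $1
      sub(/[{].*/, "", name)                 # drop the label set, if any
      if (sub(/^airlock_microgateway_license_/, "", name)) m[name] = $NF + 0
    }
    END {
      if (!("valid" in m)) { print "UNKNOWN: license_valid metric not found"; exit 3 }
      expiry = m["expiry_timestamp_seconds"]
      cur = m["guard_current_requests_per_second"]
      max = m["max_requests_per_second"]
      # valid = 0 covers both states; the expiry timestamp tells them apart.
      if (m["valid"] == 0 && expiry > 0 && now >= expiry)
        report(2, "license expired; Pods created after expiry block all traffic")
      else if (m["valid"] == 0)
        report(2, "license missing or invalid; all traffic is blocked")
      else if (expiry > 0 && expiry - now < warn_days * 86400)
        report(1, sprintf("license expires in %d days", (expiry - now) / 86400))
      # Only the Community edition blocks requests above the licensed throughput.
      if (max > 0 && cur > max && !m["is_premium"])
        report(2, "throughput above Community limit; a percentage of requests is blocked")
      else if (max > 0 && cur >= warn_ratio * max)
        report(1, sprintf("throughput at %d%% of licensed maximum", 100 * cur / max))
      if (rc == 0) print "OK: license valid, within limits"
      exit rc + 0
    }'
}
```

Feed it a saved scrape, for example `check_license_metrics "$(date +%s)" < metrics.txt`, and alert on a non-zero exit status.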