Microgateway Operator

The Microgateway Operator container injects the Microgateway Engine container into web application Pods labeled with sidecar.microgateway.airlock.com/inject: "true".

In addition, the Microgateway Operator monitors these pods and reconfigures them whenever a Custom Resource changes.
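Because injection is driven purely by that Pod label, a quick way to confirm which workloads will actually receive the Engine sidecar is to audit the Pod templates. The script below is an added example, not part of the Airlock documentation; it reads the JSON that kubectl prints for Deployments and flags the two common mistakes (label placed on the workload instead of the Pod template, or a value other than the exact string "true"). The manifests in it are constructed samples.

```python
"""Audit which workloads opt in to Airlock Microgateway sidecar injection.
Added example (not Airlock's code); SAMPLE mimics `kubectl get deploy -o json`.
"""
import json

# Label the Operator looks for on the Pod; the value must be the string "true"
INJECT_LABEL = "sidecar.microgateway.airlock.com/inject"


def injection_status(workload: dict) -> tuple[bool, str]:
    """Return (will_be_injected, reason) for one Deployment-like manifest.
    The Operator acts on Pods, so the label must sit on the Pod template
    (spec.template.metadata.labels), not on the workload's own metadata.
    """
    meta = workload.get("metadata", {})
    pod_labels = (workload.get("spec", {}).get("template", {})
                  .get("metadata", {}).get("labels", {}))
    value = pod_labels.get(INJECT_LABEL)
    if value == "true":
        return True, "injected"
    if value is not None:
        return False, f"label value {value!r} is not the string \"true\""
    if INJECT_LABEL in meta.get("labels", {}):
        return False, "label set on workload metadata instead of the Pod template"
    return False, "label absent"


def audit(workloads: list[dict]) -> dict[str, tuple[bool, str]]:
    """Map workload name -> (injected, reason) so coverage gaps stand out."""
    return {w["metadata"]["name"]: injection_status(w) for w in workloads}


def audit_kubectl_json(text: str) -> dict[str, tuple[bool, str]]:
    """Audit the JSON printed by `kubectl get deployments -A -o json`."""
    return audit(json.loads(text)["items"])


# Constructed sample manifests (not from a real cluster)
SAMPLE = {"items": [
    {"metadata": {"name": "shop"},
     "spec": {"template": {"metadata": {"labels": {INJECT_LABEL: "true"}}}}},
    {"metadata": {"name": "blog", "labels": {INJECT_LABEL: "true"}},
     "spec": {"template": {"metadata": {"labels": {"app": "blog"}}}}},
    {"metadata": {"name": "api"},
     "spec": {"template": {"metadata": {"labels": {INJECT_LABEL: "True"}}}}},
    {"metadata": {"name": "legacy"},
     "spec": {"template": {"metadata": {"labels": {"app": "legacy"}}}}},
]}

if __name__ == "__main__":
    for name, (ok, why) in audit_kubectl_json(json.dumps(SAMPLE)).items():
        print(f"{'OK  ' if ok else 'MISS'} {name}: {why}")
```

Run it against real output by piping `kubectl get deployments -A -o json` into audit_kubectl_json; only workloads reported as "injected" are protected by the Engine.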

Configuration overview

The Helm chart configures the Microgateway Operator. Some expert settings can nevertheless be adjusted, either by modifying the template file or by modifying the ConfigMap at runtime.

  • The ConfigMap template file is located at templates/operator/configmap.yaml.
  • The ConfigMap is named airlock-microgateway-operator-config and resides in the airlock-microgateway-system namespace (or the namespace you chose to install the Airlock Microgateway Operator into).

The ConfigMap airlock-microgateway-operator-config is only read at startup, so the Microgateway Operator must be restarted after the ConfigMap has been changed. The Helm template file templates/operator/configmap.yaml is only applied when performing a helm install or helm upgrade.

  • The protected Pods must be restarted when the template file entries have been changed.

Example configuration

For the default configuration and an example configuration including custom rules, see the Operator Config reference documentation.

In addition to the API Reference documentation, this article provides useful background information on the available configuration options.

TLS certificate generation and renewal

Any communication between containers in the airlock-microgateway-system namespace and, e.g., Microgateway Engine containers in web application namespaces is secured using TLS/mTLS.

During the Microgateway Operator startup, the following self-signed certificates are generated and stored as secrets in the airlock-microgateway-system namespace:

  • airlock-microgateway-ca-cert – the CA certificate from which the self-signed TLS certificates are generated.
  • webhook-server-cert – the server certificate of the Microgateway Operator.

Each time an Airlock Microgateway Engine sidecar is injected, an airlock-microgateway-bootstrap-secret is generated and saved to the web application namespace. This secret holds the required certificates and keys for mTLS-based communication between the Microgateway Engine and the Operator. The TLS certificates of the bootstrap secret are renewed automatically every 48h.