Microgateway Operator

The ​Microgateway Operator​ container injects the ​Microgateway Engine​ Container into web application Pods labeled with sidecar.microgateway.airlock.com/inject: "true".

In addition, the Microgateway Operator monitors these pods and reconfigures them whenever a Custom Resource changes.

The Helm chart configures the Microgateway Operator. Nonetheless, it is possible to perform some expert settings. One can either modify the template file or modify the ConfigMap at runtime.

• The ConfigMap template file is located at templates/operator/configmap.yaml.
• The ConfigMap is named airlock-microgateway-operator-config and resides in the airlock-microgateway-system (or the namespace you choose to install the Airlock Microgateway Operator into)

The ConfigMap airlock-microgateway-operator-config is only read at startup, thus you must restart the Microgateway Operator. The Helm template file templates/operator/configmap.yaml is only applied when performing a helm install or helm upgrade.

• The protected Pods must be restarted when the template file entries have been changed.

For the default and an example configuration including custom rules, see Operator Config reference documentation.

In addition to the API Reference documentation, this article adds useful background information for the available configuration options.

Any communication between containers in the airlock-microgateway-system namespace and, i.e., Microgateway Engine containers in web application namespaces, is secured using TLS/mTLS.

During the Microgateway Operator startup, the following self-signed certificates are generated and stored as secrets in the airlock-microgateway-system namespace:

• airlock-microgateway-ca-cert – the CA certificate to generate self-signed TLS certificates.
• webhook-server-cert – the server certificate of the Microgateway Operator.

Each time an Airlock Microgateway Engine sidecar is injected, an airlock-microgateway-bootstrap-secret is generated and saved to the web application namespace. This secret holds the required certificates and keys for mTLS-based communication between the Microgateway Engine and the Operator. The TLS certificates of the bootstrap secret are renewed automatically every 48h.

• Internal links:
• Operator Config reference documentation
• Labels and annotations for Airlock Microgateway
• mTLS-secured communication with Microgateway Operator
• Monitored CRs, see chapter CR SidecarGateway and below.
• Microgateway as a data source for Prometheus metrics
• Troubleshooting for network routing issues in the application pod (CNI plugin and Network Validator)