After labeling a Pod with sidecar.microgateway.airlock.com/inject: "true", the Microgateway Operator injects the Microgateway Engine container into the labeled Pod. The Microgateway Engine runs as a sidecar in the protected Pod to secure it. It is built on the Envoy proxy and enriched with Airlock-specific features.
Configuration overview
The Microgateway Engine configuration is divided into several parts:
- The Kubernetes manifest file for the injection.
- The Envoy bootstrap configuration.
- The web application-specific configuration.
The Kubernetes manifest file used for the injection is referenced in the Microgateway Operator configuration file with the parameter deployment.sidecar.engineContainerTemplate.
The Envoy bootstrap configuration is referenced in the Microgateway Operator configuration file with the parameter engine.bootstrapConfigTemplate.
The Microgateway Engine is configured through the CRs described in this chapter. See also the Airlock Microgateway API reference documentation for detailed information, such as example configurations and the default settings of the CRs.
Generally, the defaults in the template files suit all environments and do not need to be adjusted. When integrating or hardening a web application, only the settings within the CRs are required. Nevertheless, there might be reasons to modify the templates mentioned here as well.
The engineContainerTemplate
- ImagePullPolicy
- Resource Quotas
When the kubelet should pull (download) an image is controlled with imagePullPolicy. See (Kubernetes) ImagePullPolicy.
The resource limits applied to the container are configured with resources.limits. See (Kubernetes) Resource Quotas.
The bootstrapConfigTemplate
The bootstrapConfigTemplate file contains the default configuration for the Engine when starting up.
Basically, it contains the following settings:
- The configuration to connect to the Microgateway Operator.
- The configuration for the admin interface.
- The metrics configuration, i.e. the port to scrape Prometheus metrics.
- The readiness and liveness probe endpoint.
mTLS-secured communication with Microgateway Operator
Any communication between the Microgateway Engine and the Microgateway Operator is secured using mTLS. See also TLS certificate generation and renewal.
Further information and links
- API Reference:
- Airlock Microgateway API reference documentation