Microgateway Engine

After labeling a Pod with sidecar.microgateway.airlock.com/inject: "true", the Microgateway Operator injects the Microgateway Engine container into the labeled Pod. The Microgateway Engine is injected as a sidecar into the protected Pod in order to secure it. It is built on the Envoy proxy and enriched with Airlock-specific features.

Configuration overview

The Microgateway Engine configuration is divided into several parts:

  1. The Kubernetes manifest file for the injection.
     The Kubernetes manifest file used for the injection is referenced in the Microgateway Operator configuration file with the parameter deployment.sidecar.engineContainerTemplate.

  2. The Envoy bootstrap configuration.
     The Envoy bootstrap configuration is referenced in the Microgateway Operator configuration file with the parameter engine.bootstrapConfigTemplate.

  3. The web application-specific configuration.
     To configure the Microgateway Engine, we created some CRs, which are described in this chapter. See also the Airlock Microgateway API reference documentation for detailed information, such as example configurations and default settings of the CRs.

Generally, the defaults in the template files suit all environments and do not need to be adjusted. When integrating or hardening a web application, only the settings within the CRs need to be changed. Nevertheless, there may be reasons to modify the templates described here.

The engineContainerTemplate

  • ImagePullPolicy
    When kubelet should pull (download) an image can be controlled with imagePullPolicy. See (Kubernetes) ImagePullPolicy.

  • Resource Quotas
    The resource limits that should be applied to the container can be configured with resources.limits. See (Kubernetes) Resource Quotas.
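As an added illustration (not the shipped engineContainerTemplate), the two settings above as they would appear in a Kubernetes container spec for the injected Engine sidecar. The container name, the image reference and the limit values are assumptions; the real template may differ.

```yaml
# Added example: container spec fragment of the kind referenced by
# deployment.sidecar.engineContainerTemplate. Name, image and values are
# assumed placeholders, not taken from the product's own template.
- name: airlock-microgateway-engine        # assumed container name
  image: <registry>/<engine-image>:<tag>   # placeholder image reference
  # Always: kubelet resolves the tag against the registry on every container
  # start, so a mutable tag cannot keep serving a stale image. IfNotPresent
  # saves the registry round-trip but is only safe with immutable tags or
  # digest-pinned references.
  imagePullPolicy: Always
  resources:
    # Limits cap what the sidecar may consume, so a traffic spike or a defect
    # in the proxy cannot starve the application container or the node.
    # Values are assumed; size them from observed usage.
    limits:
      cpu: "1"
      memory: 512Mi
    requests:
      cpu: 100m
      memory: 128Mi
```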

The bootstrapConfigTemplate

The bootstrapConfigTemplate file contains the default configuration for the Engine when starting up.

Basically, it contains the following settings:

  • The configuration to connect to the Microgateway Operator.
  • The configuration for the admin interface.
  • The metrics configuration, i.e. the port to scrape Prometheus metrics.
  • The readiness and liveness probe endpoint.

mTLS-secured communication with Microgateway Operator

All communication between the Microgateway Engine and the Microgateway Operator is secured using mTLS. See also TLS certificate generation and renewal.