This article shows the architecture of a small Istio service mesh with only one Airlock Microgateway-protected web application deployed in a Kubernetes cluster. Istiod converts the high-level routing rules into Envoy-specific configurations of the Envoy proxies that are deployed as sidecars. These Envoy sidecars are injected into each Pod forming the Istio data plane.
However, in Airlock Microgateway, the Microgateway Operator Pod is not a typical manageable web application but a technical component that manages the Microgateway functionality. Hence, the Microgateway Operator does not need to be maintained by the Istio control plane.
The simple example shows a setup with a service mesh of a single web application, the Microgateway Operator and the Istiod Container in a single Node. In the Web application Pod the Microgateway Engine and the Istio-proxy/Istio-init are injected as sidecars.
- Namespaces in our example:
istio-system
working as the Istio control plane.airlock-microgateway-system
with the Microgateway Operator Pod, which is not part of the service mesh (no Istio proxy sidecar).application
with a web application secured by Airlock Microgateway and part of the service mesh (with Istio proxy sidecar).kube-system
used for system processes, i.e., to install a Microgateway CNI plugin in Airlock Microgateway Nodes. This Namespace is not part of the Istio service mesh.
Within the Kubernetes cluster, the Microgateway Operator Container is responsible for injecting and configuring the Airlock Microgateway Containers, i.e., the Microgateway Engine in the Web application Pods. For operating Airlock Microgateway in an Istio setup, the sidecar injection is triggered by a sidecar.microgateway.airlock.com/serviceMesh: "istio"
annotation, which must be added to the Pod definition.