Microgateway Operator

The Microgateway Operator container injects the Microgateway Engine container into web application Pods labeled with sidecar.microgateway.airlock.com/inject: "true". In addition, the Microgateway Operator monitors these Pods and reconfigures them whenever a Custom Resource changes.

Helm chart configuration

The Microgateway Operator Helm chart must be configured before or during installation or upgrade. The configuration can be adjusted persistently in a local values.yaml file or passed with every Helm installation using the --set option.

Installation mode types

Airlock Microgateway can be installed in different cluster- and namespace-scoped modes as described in the architecture article Sidecar-based installation mode types.

The installation modes can be configured via the Microgateway Operator Helm chart by setting the operator.watchNamespaces and operator.watchNamespaceSelector values.

The following example adds the namespace airlock-microgateway-system to the watchNamespaces list for an OwnNamespace installation:

helm install airlock-microgateway -n airlock-microgateway-system oci://quay.io/airlockcharts/microgateway \
    --set operator.watchNamespaces[0]=airlock-microgateway-system --wait --version 4.3.0
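To audit which Pods a given operator.watchNamespaces / operator.watchNamespaceSelector setting would cause the Operator to inject, the following added Python example (not Airlock's own code) models the scope rules. It assumes that a namespace is watched when it is listed in watchNamespaces or its labels match watchNamespaceSelector under standard Kubernetes label-selector semantics, and that the opt-in label value must be exactly "true"; selector_matches, namespace_watched, would_inject and the sample VALUES are hypothetical names and constructed data.

```python
# Added example (not Airlock code): predict which Pods the Operator would inject
# for a given Helm configuration. Assumptions: a namespace is watched when it is
# listed in operator.watchNamespaces OR its labels match
# operator.watchNamespaceSelector (Kubernetes selector semantics: absent selector
# matches nothing, empty {} matches everything); the label value must be "true".
INJECT_LABEL = "sidecar.microgateway.airlock.com/inject"


def selector_matches(selector, labels):
    """Evaluate a Kubernetes label selector (matchLabels + matchExpressions)."""
    if selector is None:
        return False
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


def namespace_watched(ns_name, ns_labels, operator_values):
    """True if the Operator's watch scope covers this namespace."""
    if ns_name in operator_values.get("watchNamespaces", []):
        return True
    return selector_matches(operator_values.get("watchNamespaceSelector"), ns_labels)


def would_inject(pod_labels, ns_name, ns_labels, operator_values):
    """Namespace must be in scope AND the Pod must opt in via the exact label."""
    return (namespace_watched(ns_name, ns_labels, operator_values)
            and pod_labels.get(INJECT_LABEL) == "true")


# Constructed sample values: the OwnNamespace install from above, extended with
# a selector so that labelled application namespaces are watched as well.
VALUES = {
    "watchNamespaces": ["airlock-microgateway-system"],
    "watchNamespaceSelector": {"matchLabels": {"example.com/protected": "yes"}},
}
```

Running would_inject over the Pods and namespaces exported from a cluster gives a quick list of workloads that would gain (or silently miss) the Engine sidecar before a values change is applied.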

Grafana dashboards

Airlock Microgateway ships several preconfigured Grafana dashboard templates, delivered via Helm, that can be enabled as a whole and disabled individually in the Operator Helm chart.

The following example makes the dashboard templates available for Grafana:

helm install airlock-microgateway -n airlock-microgateway-system oci://quay.io/airlockcharts/microgateway \
   --set dashboards.create=true --version 4.3.0 --wait

  • Only one Microgateway Operator per cluster may be configured to provide the Grafana dashboard templates.
  • Grafana must be deployed with sidecar.dashboards.enabled=true to enable the cluster-wide search for the dashboard templates.

TLS certificate generation and renewal

All communication between containers in the airlock-microgateway-system namespace and containers in other namespaces, such as the Microgateway Engine containers in web application namespaces, is secured using TLS/mTLS.

During the Microgateway Operator startup, the following self-signed certificates are generated and stored as secrets in the airlock-microgateway-system namespace:

  • airlock-microgateway-ca-cert – the CA certificate used to sign the generated self-signed TLS certificates.
  • webhook-server-cert – the server certificate of the Microgateway Operator.

Each time an Airlock Microgateway Engine sidecar is injected, an airlock-microgateway-bootstrap-secret is generated and saved to the web application namespace. This secret holds the required certificates and keys for mTLS-based communication between the Microgateway Engine and the Operator. The TLS certificates of the bootstrap secret are renewed automatically every 48h.