Microgateway Operator

The Microgateway Operator container injects the Microgateway Engine container into web application Pods labeled with sidecar.microgateway.airlock.com/inject: "true". In addition, the Microgateway Operator monitors these Pods and reconfigures them whenever a Custom Resource changes.

Helm chart configuration

The Microgateway Operator Helm chart must be configured before or during installation or upgrade. The configuration can be kept persistently in a local values.yaml file or passed with every Helm installation using the --set option.

Installation mode types

Airlock Microgateway can be installed in different cluster- and namespace-scoped modes as described in the architecture article Installation mode types.

The installation modes can be configured via the Microgateway Operator Helm chart by setting the operator.watchNamespaces and operator.watchNamespaceSelector values.

The following example adds the namespace airlock-microgateway-system to the watchNamespaces list for an OwnNamespace installation:

helm install airlock-microgateway -n airlock-microgateway-system oci://quay.io/airlockcharts/microgateway \
    --set operator.watchNamespaces[0]=airlock-microgateway-system --wait --version 4.3.0
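As an added dry-run check (not code from the Airlock documentation or the operator itself), the following Python function takes the operator's Helm values and a set of Pod and namespace manifests and lists which Pods would receive the Microgateway Engine sidecar. It assumes that watchNamespaceSelector is a Kubernetes LabelSelector restricted to matchLabels, that the inject label must match the string "true" exactly, and that an operator with neither value set watches every namespace.

```python
"""Dry-run check: which Pods would get the Microgateway Engine sidecar.

Assumptions (not stated on the page): watchNamespaceSelector is a Kubernetes
LabelSelector limited to matchLabels, the inject label value is matched
exactly, and an operator with neither watchNamespaces nor
watchNamespaceSelector configured watches every namespace.
"""

INJECT_LABEL = "sidecar.microgateway.airlock.com/inject"


def namespace_watched(ns_name, ns_labels, watch_namespaces, selector):
    """True if the operator, per its Helm values, reconciles this namespace."""
    if not watch_namespaces and not selector:
        return True  # assumed cluster-wide default
    if ns_name in watch_namespaces:
        return True
    match = (selector or {}).get("matchLabels", {})
    return bool(match) and all(ns_labels.get(k) == v for k, v in match.items())


def injected_pods(pods, namespaces, operator_values):
    """Return "namespace/name" for Pods that carry the inject label with the
    exact value "true" and live in a namespace the operator watches."""
    watch = operator_values.get("watchNamespaces", [])
    selector = operator_values.get("watchNamespaceSelector")
    result = []
    for pod in pods:
        meta = pod["metadata"]
        ns = meta["namespace"]
        if meta.get("labels", {}).get(INJECT_LABEL) != "true":
            continue
        if namespace_watched(ns, namespaces.get(ns, {}), watch, selector):
            result.append(f"{ns}/{meta['name']}")
    return result


# Constructed sample input: namespace labels and Pod metadata.
NAMESPACES = {"shop": {"team": "web"}, "batch": {"team": "data"}}
PODS = [
    {"metadata": {"name": "shop-frontend", "namespace": "shop",
                  "labels": {INJECT_LABEL: "true"}}},
    {"metadata": {"name": "shop-admin", "namespace": "shop",
                  "labels": {INJECT_LABEL: "True"}}},  # wrong case: skipped
    {"metadata": {"name": "etl", "namespace": "batch",
                  "labels": {INJECT_LABEL: "true"}}},
]

if __name__ == "__main__":
    # OwnNamespace-style config: only Pods in "shop" are candidates.
    print(injected_pods(PODS, NAMESPACES, {"watchNamespaces": ["shop"]}))
```

Run it against the exported manifests of a cluster before enabling injection to confirm that only the intended workloads fall inside the operator's scope.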

Grafana dashboards

Airlock Microgateway offers several preconfigured Helm-based Grafana dashboard templates that can be enabled and individually disabled in the Operator Helm chart.

The following example makes the dashboard templates available for Grafana:

helm install airlock-microgateway -n airlock-microgateway-system oci://quay.io/airlockcharts/microgateway \
    --set dashboards.create=true --version 4.3.0 --wait

  • Only one Microgateway Operator per cluster may be configured to provide the Grafana dashboard templates.
  • Grafana must be deployed with sidecar.dashboards.enabled=true to enable the cluster-wide search for the dashboard templates.

TLS certificate generation and renewal

All communication between containers in the airlock-microgateway-system namespace and Microgateway Engine containers in web application namespaces is secured using TLS/mTLS.

During the Microgateway Operator startup, the following self-signed certificates are generated and stored as secrets in the airlock-microgateway-system namespace:

  • airlock-microgateway-ca-cert – the CA certificate to generate self-signed TLS certificates.
  • webhook-server-cert – the server certificate of the Microgateway Operator.

Each time an Airlock Microgateway Engine sidecar is injected, an airlock-microgateway-bootstrap-secret is generated and saved to the web application namespace. This secret holds the required certificates and keys for mTLS-based communication between the Microgateway Engine and the Operator. The TLS certificates of the bootstrap secret are renewed automatically every 48h.