The Microgateway Operator container injects the Microgateway Engine Container into web application Pods labeled with sidecar.microgateway.airlock.com/inject: "true". In addition, the Microgateway Operator monitors these pods and reconfigures them whenever a Custom Resource changes.
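As an added pre-deployment check (example code, not part of the Airlock documentation or product; the function name and the sample manifests are assumptions), the following script decides whether the Operator will inject the Engine sidecar into the Pods produced by a manifest. It catches the two common mistakes: the label placed on the workload object instead of its Pod template, and an unquoted YAML boolean instead of the string "true".

```python
"""Pre-deployment check: will the Airlock Microgateway Operator inject its
Engine sidecar into the Pods produced by a workload manifest?

Added example, not part of the Airlock documentation or product. The only
page-given fact used is the injection label; function name and sample
manifests are constructed for illustration.
"""
from typing import Any

INJECT_LABEL = "sidecar.microgateway.airlock.com/inject"


def injection_status(manifest: dict[str, Any]) -> tuple[bool, str]:
    """Return (will_inject, reason) for a Pod or a Pod-template workload.

    The Operator looks at Pod labels, so for Deployments/StatefulSets/etc.
    the label must sit under spec.template.metadata.labels, not on the
    workload object itself. Kubernetes label values are strings, so an
    unquoted YAML `true` (parsed as a boolean) is rejected by the API
    server and never reaches the Operator.
    """
    kind = manifest.get("kind", "")
    if kind == "Pod":
        pod_labels = manifest.get("metadata", {}).get("labels", {})
    else:
        pod_labels = (manifest.get("spec", {}).get("template", {})
                      .get("metadata", {}).get("labels", {}))
    value = pod_labels.get(INJECT_LABEL)
    if value is None:
        top_labels = manifest.get("metadata", {}).get("labels", {})
        if kind != "Pod" and INJECT_LABEL in top_labels:
            return False, f"label is on the {kind} object, not on its Pod template"
        return False, "injection label absent from Pod labels"
    if not isinstance(value, str):
        return False, f'label value must be the string "true", got {type(value).__name__} {value!r}'
    if value != "true":
        return False, f'label value {value!r} is not "true"'
    return True, "Pod template carries the injection label"


# Constructed sample manifests, as they look after YAML parsing.
GOOD = {"kind": "Deployment", "metadata": {"name": "web"},
        "spec": {"template": {"metadata": {"labels": {INJECT_LABEL: "true"}}}}}
WRONG_PLACE = {"kind": "Deployment", "metadata": {"name": "web", "labels": {INJECT_LABEL: "true"}},
               "spec": {"template": {"metadata": {"labels": {"app": "web"}}}}}
BOOL_VALUE = {"kind": "Deployment", "metadata": {"name": "web"},
              "spec": {"template": {"metadata": {"labels": {INJECT_LABEL: True}}}}}

if __name__ == "__main__":
    for name, m in [("good", GOOD), ("wrong-place", WRONG_PLACE), ("bool-value", BOOL_VALUE)]:
        ok, why = injection_status(m)
        print(f"{name}: {'inject' if ok else 'no sidecar'} ({why})")
```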
Helm chart configuration
Configuration of the Microgateway Operator Helm chart must take place before or together with installation or upgrade. The configuration can be persistently adjusted in a local values.yaml file or passed with every Helm installation using the --set option.
You can find the Airlock Microgateway Helm charts here:
Configuration change | Description |
---|---|
Installation mode types | Airlock Microgateway can be installed in different cluster- and namespace-scoped modes as described in the architecture article Installation mode types. The installation modes can be configured via the Microgateway Operator Helm chart by setting the The following example adds the namespace |
Grafana dashboards | Airlock Microgateway offers several preconfigured Helm-based Grafana dashboard templates that can be enabled and individually disabled in the Operator Helm chart. The following example makes the dashboard templates available for Grafana: |
TLS certificate generation and renewal
Any communication between containers in the airlock-microgateway-system namespace and containers elsewhere, such as the Microgateway Engine containers in web application namespaces, is secured using TLS/mTLS.
During the Microgateway Operator startup, the following self-signed certificates are generated and stored as secrets in the airlock-microgateway-system namespace:
- airlock-microgateway-ca-cert – the CA certificate used to generate self-signed TLS certificates.
- webhook-server-cert – the server certificate of the Microgateway Operator.
Each time an Airlock Microgateway Engine sidecar is injected, an airlock-microgateway-bootstrap-secret is generated and saved to the web application namespace. This secret holds the required certificates and keys for mTLS-based communication between the Microgateway Engine and the Operator. The TLS certificates of the bootstrap secret are renewed automatically every 48h.
Further information and links
- Internal links:
  - Labels and annotations for Airlock Microgateway
  - mTLS-secured communication with Microgateway Operator
  - Monitored CRs, see chapter CR SidecarGateway and below.
  - Using Microgateway Prometheus metrics
  - Troubleshooting for network routing issues in the application pod (CNI plugin and Network Validator)