Microgateway Engine sidecar injection and configuration

Once a Pod is labeled with sidecar.microgateway.airlock.com/inject: "true", the Microgateway Operator injects the Microgateway Engine and Session Agent containers into the labeled Pod. The Microgateway Engine is injected as a sidecar into the protected Pod to secure it. It is based on the Envoy proxy and enriched with Airlock-specific features.
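A pre-deployment check for the label described above, added here as an example (not Airlock's code): it reads Deployments in Kubernetes List JSON and reports workloads whose Pods would not carry the inject label. The sample data, status names and function names are constructed, and treating any value other than "true" as not requesting injection is an assumption.

```python
import json

INJECT_LABEL = "sidecar.microgateway.airlock.com/inject"  # label key from the page

# Constructed sample in the shape of `kubectl get deployments -A -o json`
# (or manifests rendered to JSON before apply); all names are made up.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "Deployment", "metadata": {"namespace": "shop", "name": "web"},
   "spec": {"template": {"metadata": {"labels":
     {"app": "web", "sidecar.microgateway.airlock.com/inject": "true"}}}}},
  {"kind": "Deployment",
   "metadata": {"namespace": "shop", "name": "api",
                "labels": {"sidecar.microgateway.airlock.com/inject": "true"}},
   "spec": {"template": {"metadata": {"labels": {"app": "api"}}}}},
  {"kind": "Deployment", "metadata": {"namespace": "shop", "name": "cart"},
   "spec": {"template": {"metadata": {"labels":
     {"app": "cart", "sidecar.microgateway.airlock.com/inject": true}}}}},
  {"kind": "Deployment", "metadata": {"namespace": "shop", "name": "batch"},
   "spec": {"template": {"metadata": {"labels": {"app": "batch"}}}}}
]}
""")


def injection_status(workload):
    """Classify a workload by where (and how) the inject label is set."""
    meta = workload.get("metadata") or {}
    template = (workload.get("spec") or {}).get("template") or {}
    pod_labels = (template.get("metadata") or {}).get("labels") or {}
    value = pod_labels.get(INJECT_LABEL)
    if value == "true":
        return "inject"               # the Pods carry the label
    if value is True:
        return "unquoted-boolean"     # YAML true without quotes; label values must be strings
    if value is not None:
        return "other-value"          # assumption: only "true" requests injection
    if INJECT_LABEL in (meta.get("labels") or {}):
        return "workload-label-only"  # set on the Deployment, never reaches the Pods
    return "unlabeled"


def audit(listing):
    """Map namespace/name to a status for every item in a Kubernetes List."""
    return {
        "{}/{}".format(i["metadata"].get("namespace", "default"), i["metadata"]["name"]):
            injection_status(i)
        for i in listing.get("items", [])
    }


if __name__ == "__main__":
    for name, status in sorted(audit(SAMPLE).items()):
        print(f"{status:20} {name}")
```

Every status other than "inject" marks a workload whose Pods would not be labeled as the page describes, so it is worth reviewing before rollout.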

Configuration overview

The Microgateway Engine configuration is divided into several parts:

  1. The Engine container configuration. It may be configured in the Microgateway Operator Helm chart, e.g. when using a custom registry or for setting resource limits.
  2. The Envoy bootstrap configuration. It should normally not be modified.
  3. The web application-specific configuration.

To configure the Microgateway Engine, we created several CRs, which are described in this chapter. See also the Airlock Microgateway API reference documentation for detailed information, such as example configurations and default settings of the CRs.

When integrating or hardening a web application, only the settings within the CRs are required.

mTLS-secured communication with Microgateway Operator

Any communication between Microgateway Engine and Microgateway Operator is secured using mTLS. See also TLS certificate generation and renewal.