Kubernetes

To use Airlock Microgateway in your Kubernetes cluster, follow this guide to deploy the Airlock Microgateway Operator and its resources.

Prerequisites

 
Info

For installation in OpenShift environments, also see the article OpenShift.

Install cert-manager

Install cert-manager with the commands below, replacing 'VERSION' with the version that you wish to install. You may use the latest cert-manager version (see cert-manager Helm installation instructions), which should work fine in most cases, or install the version we use for internal testing (see tested version of cert-manager for Microgateway 4.3).

 
Terminal box
# Add the cert-manager repository and perform a Helm-based installation
helm repo add jetstack https://charts.jetstack.io 
helm install cert-manager jetstack/cert-manager --version 'VERSION' -n cert-manager --create-namespace --set crds.enabled=true --wait

Airlock Microgateway CNI installation

Install the CNI DaemonSet and the required RBAC (Role-Based Access Control) manifests using our Helm charts.

The default values have been tested in our installation environments. However, some values may need to be adapted to meet the requirements of your setup environment. Path information for the CNI config files and binaries can either be found in the documentation of your Kubernetes distribution or CNI provider or queried with the following commands.

The cniNetDir, the directory of the CNI config files on the host, can be queried with:

 
Terminal box
crictl info -o go-template --template '{{.config.cni.confDir}}'

The cniBinDir, the directory of the CNI plugin binaries on the host, can be queried with:

 
Terminal box
crictl info -o go-template --template '{{.config.cni.binDir}}'

Helm-based installation procedure:

  1. Adapt and run the following command with the current CNI Helm chart version.
     Terminal box
     helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version 4.3.0
  2. Wait for the Airlock Microgateway CNI DaemonSet to be up and running.
     Terminal box
     kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni
  3. Verify the correctness of the installation with helm test.
     Terminal box
     helm upgrade airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --set tests.enabled=true --reuse-values --version 4.3.0
  4. Check the log messages.
     Terminal box
     helm test airlock-microgateway-cni -n kube-system --logs
     On successful installation, the logs should show the message Success. If the installation was not successful, go to Troubleshooting Microgateway CNI Helm test for troubleshooting.
  5. Disable the helm test deployment afterward.
     Terminal box
     helm upgrade airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --set tests.enabled=false --reuse-values --version 4.3.0

Install the Airlock Microgateway Operator

 
Notice

To complete the Airlock Microgateway Operator installation and to run the helm test below successfully, you need to deploy a valid license. See article Configuring and monitoring licenses for more information.

  1. Create the airlock-microgateway-system namespace.
     Terminal box
     kubectl create namespace airlock-microgateway-system
  2. Store the license in the Microgateway Operator namespace, in a Kubernetes secret with the name airlock-microgateway-license and the key microgateway-license.txt. Use the following command:
     Terminal box
     kubectl -n airlock-microgateway-system create secret generic airlock-microgateway-license \
       --from-file=microgateway-license.txt=<my-local-microgateway-license.txt>
  3. Adapt and run the following command with the current Airlock Microgateway Operator Helm chart version. This will install airlock-microgateway in the airlock-microgateway-system namespace.
     Terminal box
     helm install -n airlock-microgateway-system airlock-microgateway oci://quay.io/airlockcharts/microgateway --wait --version 4.3.0
  4. Verify that the Airlock Microgateway Operator started successfully:
     Terminal box
     kubectl -n airlock-microgateway-system wait --for=condition=Available deployments --all --timeout=3m
  5. Verify the correctness of the installation with helm test.
     Terminal box
     helm upgrade airlock-microgateway -n airlock-microgateway-system oci://quay.io/airlockcharts/microgateway --set tests.enabled=true --reuse-values --version 4.3.0
  6. Check the log messages.
     Terminal box
     helm test airlock-microgateway -n airlock-microgateway-system --logs
     During installation, the installation status is echoed, i.e., the preliminary cleanup task and scaling the test installation to only 1 replica (to ensure no pods from previous runs are present).
     On successful installation, the logs should show the following message: ### Installation of 'airlock-microgateway' succeeded. If the installation was not successful, go to Troubleshooting Microgateway Operator Helm test for troubleshooting.
  7. Disable the helm test deployment afterward.
     Terminal box
     helm upgrade airlock-microgateway -n airlock-microgateway-system oci://quay.io/airlockcharts/microgateway --set tests.enabled=false --reuse-values --version 4.3.0
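
Both Helm test procedures on this page end with disabling the test deployment again, a step that is easy to skip when the test fails. The following wrapper is an added example, not part of the Airlock documentation: the function names are hypothetical, while the release names, namespaces, charts, version and success messages are the ones used in the steps above.

```shell
#!/usr/bin/env bash
# Added example: one enable-tests / helm test / disable-tests cycle per release.
# tests.enabled is always set back to false, even when the test itself fails.

# run_helm_test RELEASE NAMESPACE CHART VERSION MARKER   (hypothetical helper)
# Returns 0 only if `helm test` exits 0 and its logs contain MARKER;
# 1 = test failed, 2 = could not enable tests, 3 = could not disable tests.
run_helm_test() {
  local release="$1" namespace="$2" chart="$3" version="$4" marker="$5"
  local logs="" rc=0

  # Enable the test resources on the installed release, keeping its other values.
  helm upgrade "$release" -n "$namespace" "$chart" \
    --set tests.enabled=true --reuse-values --version "$version" >/dev/null || return 2

  # Capture the test logs; record a failure instead of aborting so the
  # clean-up below still runs.
  logs=$(helm test "$release" -n "$namespace" --logs 2>&1) || rc=1
  printf '%s\n' "$logs"

  # Require the success message that the documentation names for this release.
  if ! printf '%s\n' "$logs" | grep -qF -- "$marker"; then
    rc=1
  fi

  # Always disable the helm test deployment again.
  helm upgrade "$release" -n "$namespace" "$chart" \
    --set tests.enabled=false --reuse-values --version "$version" >/dev/null || rc=3
  return "$rc"
}

# Release names, namespaces, charts and messages as used on this page;
# pass the chart version you installed as the first argument.
test_cni() {
  run_helm_test airlock-microgateway-cni kube-system \
    oci://quay.io/airlockcharts/microgateway-cni "${1:-4.3.0}" "Success"
}

test_operator() {
  run_helm_test airlock-microgateway airlock-microgateway-system \
    oci://quay.io/airlockcharts/microgateway "${1:-4.3.0}" \
    "### Installation of 'airlock-microgateway' succeeded"
}
```

Source the file and call test_cni or test_operator; a non-zero return value means the test failed or the release could not be switched back to tests.enabled=false.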

What's next

After deploying the Airlock Microgateway Operator in your cluster, the following steps are required:

  1. Configure/change the Airlock Microgateway license. See article Configuring and monitoring licenses.
  2. Annotate the web application Pods you want to protect as explained in Labels and annotations for Airlock Microgateway.
  3. Create the CustomResources to configure the Airlock Microgateway as outlined in Configuration.