This instruction is applicable when changing from a previous Airlock Microgateway 4.2 or later sidecar-based data plane mode installation to a Microgateway 4.4 sidecarless K8s Gateway API-based data plane mode installation. In this case, you must uninstall the old version and the CNI plugin, except the CRDs. The following brief sequence describes the upgrade and data plane mode switch procedure.
Note that the instructions must be performed in the correct order.
- Uninstall the Microgateway CNI plugin if it was installed with
kustomize
. Adapt the <environment>
part before running the following command:
- Uninstall Microgateway deployments. Retain previous Microgateway CRDs if you want to retain your custom settings, e.g., custom deny rules in the DenyRules CR.
- Optional: When upgrading from Microgateway 4.2 and earlier, apply a new license. This is important because the license format changed in Microgateway 4.2.
- Update the CRDs. This will not break your current installation if not noted otherwise in the release notes of the new Microgateway version.
- Install the K8s Gateway API resources. Note that the sidecarless data plane mode installation of Airlock Microgateway requires installing the K8s Gateway API standard channel
v1.1.0
. - Wait until the required CRDs for K8s Gateway API usage have been installed.
Example: - Adapt and run the following command with the current Airlock Microgateway Operator Helm chart version. This will upgrade the Operator in the
airlock-microgateway-system
namespace and activate the K8s Gateway API support. - Verify that the Airlock Microgateway Operator started successfully:
- The logs should show the message
Thank you for installing Airlock Microgateway​. ...
including further information on successful installation. - Deploy Microgateway Engine Pods via the Gateway CR and configure the routing through the Microgateway Engine Pod in the HTTPRoute CR.
- At this point you may want to check whether the built-in security settings of the Airlock Microgateway are active and securing your application according to your HTTPRoute configuration.
- Optional: If additional Microgateway CRs (such as Limits, DenyRules etc.) have already been configured for the previous sidecar-based installation and should be preserved, you must replace the old ContentSecurity with a new ContentSecurityPolicy CR. See also the API reference documentation of the CR ContentSecurityPolicy for an example configuration.
The ContentSecurityPolicy CR is a Direct Policy Attachment for the K8s Gateway API. Microgateway CRs covering custom security aspects, such as the Limits and DenyRules CRs, can be referenced in the ContentSecurityPolicy CR.
If additional Microgateway CRs are not explicitly configured and referenced in the ContentSecurityPolicy, default security settings will be applied. Our default security settings are designed to work well with most upstream services and provide a solid level of security.