00d13b5da8
```
Added:
cerbos/cerbos:
- 0.37.0
Updated:
airlock/microgateway:
- 4.3.0
airlock/microgateway-cni:
- 4.3.0
jenkins/jenkins:
- 5.4.2
```
README.md
Airlock Microgateway
Airlock Microgateway is a Kubernetes native WAAP (Web Application and API Protection) solution to protect microservices.
Modern application security is embedded in the development workflow and follows DevSecOps paradigms. Airlock Microgateway is the perfect fit for these requirements. It is a lightweight alternative to the Airlock Gateway appliance, optimized for Kubernetes environments. Airlock Microgateway protects your applications and microservices with the tried-and-tested Airlock security features against attacks, while also providing a high degree of scalability. This Helm chart is part of Airlock Microgateway. See our GitHub repo.
Features
- Kubernetes native integration with its Operator, Custom Resource Definitions, hot-reload, automatic sidecar injection.
- Reverse proxy functionality with request routing rules, TLS termination and remote IP extraction
- Using native Envoy HTTP filters like Lua scripting, RBAC, ext_authz, JWT authentication
- Content security filters for protecting against known attacks (OWASP Top 10)
- Access control to allow only authenticated users to access the protected services
- API security features like JSON parsing or OpenAPI specification enforcement
For a list of all features, view the comparison of the community and premium edition.
Documentation and links
Check the official documentation at docs.airlock.com or the product website at airlock.com/microgateway. The links below point out the most interesting documentation sites when starting with Airlock Microgateway.
Quick start guide
The instructions below provide a quick start guide. Detailed information is provided in the manual.
Prerequisites
In order to use Airlock Microgateway you need a license and the cert-manager. You may either request a community license free of charge or purchase a premium license. For an easy start in non-production environments, you may deploy the same cert-manager we are using internally for testing.
Obtain Airlock Microgateway License
- Either request a community or premium license:
  - Community license: airlock.com/microgateway-community
  - Premium license: airlock.com/microgateway-premium
- Check your inbox and save the license file microgateway-license.txt locally.
See Community vs. Premium editions in detail to choose the right license type.
Deploy cert-manager
```shell
helm repo add jetstack https://charts.jetstack.io
helm install cert-manager jetstack/cert-manager --version '1.15.1' -n cert-manager --create-namespace --set crds.enabled=true --wait
```
Deploy Airlock Microgateway Operator
This guide assumes a microgateway-license.txt file is present in the working directory.
- Install CRDs and Operator.

```shell
# Create namespace
kubectl create namespace airlock-microgateway-system

# Install License
kubectl -n airlock-microgateway-system create secret generic airlock-microgateway-license --from-file=microgateway-license.txt

# Install Operator (CRDs are included via the standard Helm 3 mechanism, i.e. Helm will handle initial installation but not upgrades)
helm install airlock-microgateway -n airlock-microgateway-system oci://quay.io/airlockcharts/microgateway --version '4.3.0' --wait
```

- (Recommended) You can verify the correctness of the installation with `helm test`.

```shell
helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.3.0'
helm test airlock-microgateway -n airlock-microgateway-system --logs
helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.3.0'
```
Upgrading CRDs
The `helm install/upgrade` command currently does not support upgrading CRDs that already exist in the cluster. CRDs should instead be manually upgraded before upgrading the Operator itself via the following command:

```shell
kubectl apply -k https://github.com/airlock/microgateway/deploy/charts/airlock-microgateway/crds/?ref=4.3.0 --server-side --force-conflicts
```
Note: Certain GitOps solutions such as Argo CD or Flux CD have their own mechanisms for automatically upgrading CRDs included with Helm charts.
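A pre-flight check for the CRD caveat above, added here as an example and not part of the chart or its `crds.skipVersionCheck` logic: it refuses an upgrade while any installed CRD is older than the chart version. It assumes the CRDs carry the chart version in an `app.kubernetes.io/version` label and are selectable with `app.kubernetes.io/name=microgateway` (both label assumptions), that versions are plain x.y.z, and it reads the `name version` pairs such a `kubectl get crd` query would print.

```shell
#!/bin/sh
# Added example, not part of the Airlock Microgateway chart: a pre-flight check
# to run before `helm upgrade`, because Helm 3 leaves CRDs that already exist
# in the cluster untouched. Assumption: installed CRDs carry the chart version
# in an `app.kubernetes.io/version` label (adapt the label name if yours differs).

CHART_VERSION="4.3.0"   # version of the chart about to be installed

# Compare two x.y.z versions numerically; prints -1, 0 or 1 for a<b, a=b, a>b.
vercmp() {
    a1=${1%%.*}; r=${1#*.}; a2=${r%%.*}; a3=${r#*.}
    b1=${2%%.*}; r=${2#*.}; b2=${r%%.*}; b3=${r#*.}
    for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3"; do
        set -- $pair
        if [ "$1" -lt "$2" ]; then printf '%s\n' -1; return; fi
        if [ "$1" -gt "$2" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Reads "<crd name> <version label>" lines from stdin, the shape printed by (label selector assumed):
#   kubectl get crd -l app.kubernetes.io/name=microgateway --no-headers \
#     -o custom-columns='NAME:.metadata.name,VER:.metadata.labels.app\.kubernetes\.io/version'
# Prints every CRD that is older than CHART_VERSION (or unlabeled); returns 1 if any was found.
check_crds() {
    outdated=0
    while read -r name ver; do
        [ -z "$name" ] && continue
        if [ -z "$ver" ] || [ "$ver" = "<none>" ]; then
            printf 'UNVERIFIED %s has no version label\n' "$name"
            outdated=1
        elif [ "$(vercmp "$ver" "$CHART_VERSION")" -lt 0 ]; then
            printf 'OUTDATED %s is %s, chart %s needs the CRDs upgraded first\n' "$name" "$ver" "$CHART_VERSION"
            outdated=1
        fi
    done
    return $outdated
}

# Constructed sample of what the kubectl query above might print (not real cluster output).
SAMPLE='examplecrd-a.microgateway.example 4.2.0
examplecrd-b.microgateway.example 4.3.0'

if printf '%s\n' "$SAMPLE" | check_crds; then
    echo "CRDs are current, safe to run helm upgrade"
else
    echo "Run the kubectl apply -k ... command above before upgrading the Operator"
fi
```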
Support
Premium support
If you have a paid license, please follow the premium support process.
Community support
For the community edition, check our Airlock community forum for FAQs or register to post your question.
Values
Key | Type | Default | Description |
---|---|---|---|
commonAnnotations | object | {} | Annotations to add to all resources. |
commonLabels | object | {} | Labels to add to all resources. |
crds.skipVersionCheck | bool | false | Whether to skip the sanity check which prevents installing/upgrading the helm chart in a cluster with outdated Airlock Microgateway CRDs. The check aims to prevent unexpected behavior and issues due to Helm v3 not automatically upgrading CRDs which are already present in the cluster when performing a "helm install/upgrade". |
dashboards.config.grafana.dashboardLabel.name | string | "grafana_dashboard" | Name of the label that lets Grafana identify ConfigMaps that represent dashboards. |
dashboards.config.grafana.dashboardLabel.value | string | "1" | Value of the label that lets Grafana identify ConfigMaps that represent dashboards. |
dashboards.config.grafana.folderAnnotation.name | string | "grafana_folder" | Name of the annotation containing the folder name to file dashboards into. |
dashboards.config.grafana.folderAnnotation.value | string | "Airlock Microgateway" | Name of the folder dashboards are filed into within the Grafana UI. |
dashboards.create | bool | false | Whether to create any ConfigMaps containing Grafana dashboards to import. |
dashboards.instances.blockLogs.create | bool | true | Whether to create the block logs dashboard. |
dashboards.instances.blockMetrics.create | bool | true | Whether to create the block metrics dashboard. |
dashboards.instances.license.create | bool | true | Whether to create the license dashboard. |
dashboards.instances.overview.create | bool | true | Whether to create the overview dashboard. |
engine.image.digest | string | "sha256:f442143294f3138965c9fa2734cafd39ebebe8e289600332b12f8a59c23dd9ef" | SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). Overrides tag when specified. |
engine.image.pullPolicy | string | "IfNotPresent" | Pull policy for this image. |
engine.image.repository | string | "quay.io/airlock/microgateway-engine" | Image repository from which to pull the Airlock Microgateway Engine image. |
engine.image.tag | string | "4.3.0" | Image tag to pull. |
engine.resources | object | {} | Resource restrictions to apply to the Airlock Microgateway Engine container. |
engine.sidecar.podMonitor.create | bool | false | Whether to create a PodMonitor resource for monitoring. |
engine.sidecar.podMonitor.labels | object | {} | Labels to add to the PodMonitor. |
fullnameOverride | string | "" | Allows overriding the name to use as full name of resources. |
imagePullSecrets | list | [] | ImagePullSecrets to use when pulling images. |
license.secretName | string | "airlock-microgateway-license" | Name of the secret containing the "microgateway-license.txt" key. |
nameOverride | string | "" | Allows overriding the name to use instead of "microgateway". |
networkValidator.image.digest | string | "sha256:7d87405b123c89058a0b64ca9393c45a1366a6a580aced1def900a812beb29f6" | SHA256 image digest to pull (in the format "sha256:7d87405b123c89058a0b64ca9393c45a1366a6a580aced1def900a812beb29f6"). Overrides tag when specified. |
networkValidator.image.pullPolicy | string | "IfNotPresent" | Pull policy for this image. |
networkValidator.image.repository | string | "cgr.dev/chainguard/busybox" | Image repository from which to pull the busybox image for the Airlock Microgateway Network Validator init-container. |
networkValidator.image.tag | string | "" | Image tag to pull. |
operator.affinity | object | {} | Custom affinity to apply to the operator Deployment. Used to influence the scheduling. |
operator.config.logLevel | string | "info" | Operator application log level. |
operator.image.digest | string | "sha256:dc6f0f9a11d0336c10f6b8a5c7f64d98ac91bd90c49aa1dc4fe7b68cfdea8217" | SHA256 image digest to pull (in the format "sha256:c79ee3f85862fb386e9dd62b901b607161d27807f512d7fbdece05e9ee3d7c63"). Overrides tag when specified. |
operator.image.pullPolicy | string | "IfNotPresent" | Pull policy for this image. |
operator.image.repository | string | "quay.io/airlock/microgateway-operator" | Image repository from which to pull the Airlock Microgateway Operator image. |
operator.image.tag | string | "4.3.0" | Image tag to pull. |
operator.nodeSelector | object | {} | Custom nodeSelector to apply to the operator Deployment in order to constrain its Pods to certain nodes. |
operator.podAnnotations | object | {} | Annotations to add to all Pods. |
operator.podLabels | object | {} | Labels to add to all Pods. |
operator.rbac.create | bool | true | Whether to create RBAC resources which are required for the Airlock Microgateway Operator to function. |
operator.replicaCount | int | 2 | Number of replicas for the operator Deployment. |
operator.resources | object | {} | Resource restrictions to apply to the operator container. |
operator.serviceAccount.annotations | object | {} | Annotations to add to the ServiceAccount. |
operator.serviceAccount.create | bool | true | Whether a ServiceAccount should be created. |
operator.serviceAccount.name | string | "" | Name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template. |
operator.serviceAnnotations | object | {} | Annotations to add to the Service. |
operator.serviceLabels | object | {} | Labels to add to the Service. |
operator.serviceMonitor.create | bool | false | Whether to create a ServiceMonitor resource for monitoring. |
operator.serviceMonitor.labels | object | {} | Labels to add to the ServiceMonitor. |
operator.tolerations | list | [] | Custom tolerations to apply to the operator Deployment in order to allow its Pods to run on tainted nodes. |
operator.updateStrategy | object | {"type":"RollingUpdate"} | Specifies the operator update strategy. |
operator.watchNamespaceSelector | object | {} | Allows dynamically selecting the watch namespaces of the operator and the scope of the webhooks based on a Namespace label selector. The operator automatically detects and reconciles resources in all namespaces that match the label selector, even newly created ones, without a restart. This facilitates a dynamic MultiNamespace installation mode, but still requires cluster-scoped permissions (i.e., ClusterRoles and ClusterRoleBindings). An AllNamespaces installation or the usage of watchNamespaces requires watchNamespaceSelector to be empty. Please note that this feature requires a Premium license. |
operator.watchNamespaces | list | [] | Allows restricting the operator to specific namespaces, depending on your needs. For an OwnNamespace or SingleNamespace installation the list may only contain one namespace (e.g., watchNamespaces: ["airlock-microgateway-system"]). In the OwnNamespace installation mode the specified namespace should be equal to the installation namespace. For a static MultiNamespace installation, the complete list of namespaces must be provided in watchNamespaces. An AllNamespaces installation or the usage of watchNamespaceSelector requires watchNamespaces to be empty. Regardless of the installation mode chosen via watchNamespaces, RBAC is created only namespace-scoped (using Roles and RoleBindings) in the respective namespaces. Please note that this feature requires a Premium license. |
sessionAgent.image.digest | string | "sha256:579dfded99145f9c2c1491ff1aeccb08721d63239a8b7f61bb9f455e17e968b2" | SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). Overrides tag when specified. |
sessionAgent.image.pullPolicy | string | "IfNotPresent" | Pull policy for this image. |
sessionAgent.image.repository | string | "quay.io/airlock/microgateway-session-agent" | Image repository from which to pull the Airlock Microgateway Session Agent image. |
sessionAgent.image.tag | string | "4.3.0" | Image tag to pull. |
sessionAgent.resources | object | {} | Resource restrictions to apply to the Airlock Microgateway Session Agent container. |
tests.enabled | bool | false | Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts). If set to false, `helm test` will not run any tests. |
License
View the detailed license terms for the software contained in this image.
- Decompiling or reverse engineering is not permitted.
- Using any of the deny rules or parts of these filter patterns outside of the image is not permitted.
Airlock® is a security innovation by ergon