Skip to content

Commit

Permalink
CHG: Sync Artifacts - 4.2.0
Browse files Browse the repository at this point in the history
  • Loading branch information
airlockgithubci committed Apr 17, 2024
1 parent f93b6ad commit 4bbde13
Show file tree
Hide file tree
Showing 170 changed files with 8,488 additions and 3,190 deletions.
117 changes: 76 additions & 41 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,7 @@
# Airlock Microgateway



*Airlock Microgateway is a Kubernetes native WAAP (Web Application and API Protection) solution to protect microservices.*

<picture>
Expand All @@ -12,7 +14,6 @@

Modern application security is embedded in the development workflow and follows DevSecOps paradigms. Airlock Microgateway is the perfect fit for these requirements. It is a lightweight alternative to the Airlock Gateway appliance, optimized for Kubernetes environments. Airlock Microgateway protects your applications and microservices with the tried-and-tested Airlock security features against attacks, while also providing a high degree of scalability.


### Features
* Kubernetes native integration with its Operator, Custom Resource Definitions, hot-reload, automatic sidecar injection.
* Reverse proxy functionality with request routing rules, TLS termination and remote IP extraction
Expand All @@ -22,7 +23,6 @@ Modern application security is embedded in the development workflow and follows
* API security features like JSON parsing or OpenAPI specification enforcement

For a list of all features, view the **[comparison of the community and premium edition](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html)**.

## Labs
We offer a growing number of [Airlock Microgateway labs](https://play.instruqt.com/airlock/invite/hyi9fy4b4jzc?icp_referrer=github.com) that are designed to be easy-to-follow tutorials. All labs are fully guided and cover aspects of Airlock Microgateway from installation to configuration in a preconfigured cloud-based Kubernetes environment.

Expand All @@ -37,6 +37,9 @@ Check the official documentation at **[docs.airlock.com](https://docs.airlock.co
* [Getting Started](https://docs.airlock.com/microgateway/latest/#data/1660804708742.html)
* [System Architecture](https://docs.airlock.com/microgateway/latest/#data/1660804709650.html)
* [Installation](https://docs.airlock.com/microgateway/latest/#data/1660804708637.html)
* [Troubleshooting](https://docs.airlock.com/microgateway/latest/#data/1659430054787.html)
* [Github](https://github.com/airlock/microgateway)
* Artifacthub: [Airlock Microgateway](https://artifacthub.io/packages/helm/airlock-microgateway/microgateway) / [Airlock Microgateway CNI](https://artifacthub.io/packages/helm/airlock-microgateway-cni/microgateway-cni)

# Quick start guide

Expand All @@ -45,6 +48,7 @@ The instructions below provide a quick start guide. Detailed information are pro
## Prerequisites
* [Airlock Microgateway License](#obtain-airlock-microgateway-license)
* [cert-manager](https://cert-manager.io/)
* [helm](https://helm.sh/docs/intro/install/) (>= v3.8.0)

In order to use Airlock Microgateway you need a license and the cert-manager. You may either request a community license free of charge or purchase a premium license.
For an easy start in non-production environments, you may deploy the same cert-manager we are using internally for testing.
Expand All @@ -56,51 +60,82 @@ For an easy start in non-production environments, you may deploy the same cert-m

> See [Community vs. Premium editions in detail](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html) to choose the right license type.
### Deploy cert-manager
```
kubectl apply -k https://github.com/airlock/microgateway/examples/utilities/cert-manager/
```
```bash
# Install cert-manager
kubectl apply -k https://github.com/airlock/microgateway/examples/utilities/cert-manager/?ref=4.2.0

Wait for the cert-manager to be up and running
```
# Wait for the cert-manager to be up and running
kubectl -n cert-manager wait --for=condition=ready --timeout=600s pod -l app.kubernetes.io/instance=cert-manager
```

## Deploy Airlock Microgateway CNI
Install the CNI DaemonSet and required RBAC manifests with kustomize:

```
kubectl kustomize --enable-helm https://github.com/airlock/microgateway/deploy/cni/<environment> | kubectl apply -f -
1. Install the CNI Plugin with Helm.
> **Note**: Certain environments such as OpenShift or GKE require non-default configurations when installing the CNI plugin. For the most common setups, values files are provided in the [chart folder](/deploy/charts/airlock-microgateway-cni).
```bash
# Standard setup
helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.2.0'
kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni
```
```bash
# GKE setup
helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.2.0' -f https://raw.githubusercontent.com/airlock/microgateway/4.2.0/deploy/charts/airlock-microgateway-cni/gke-values.yaml
kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni
```
```bash
# OpenShift setup
helm install airlock-microgateway-cni -n openshift-operators oci://quay.io/airlockcharts/microgateway-cni --version '4.2.0' -f https://raw.githubusercontent.com/airlock/microgateway/4.2.0/deploy/charts/airlock-microgateway-cni/openshift-values.yaml
kubectl -n openshift-operators rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni
```
**Important:** On OpenShift, all pods which should be protected by Airlock Microgateway must explicitly reference the Airlock Microgateway CNI NetworkAttachmentDefinition via the annotation `k8s.v1.cni.cncf.io/networks` (see [documentation](https://docs.airlock.com/microgateway/latest/#data/1658483168033.html) for details).

2. (Recommended) You can verify the correctness of the installation with `helm test`.
```bash
# Standard and GKE setup
helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.2.0'
helm test airlock-microgateway-cni -n kube-system --logs
helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.2.0'
```
```bash
# OpenShift setup
helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.2.0'
helm test airlock-microgateway-cni -n openshift-operators --logs
helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.2.0'
```

Consult our [documentation](https://docs.airlock.com/microgateway/latest/#data/1699611533587.html) in case of any installation error.

## Deploy Airlock Microgateway Operator

> This guide assumes a microgateway-license.txt file is present in the working directory.

1. Install CRDs and Operator.
```bash
# Create namespace
kubectl create namespace airlock-microgateway-system
# Install License
kubectl -n airlock-microgateway-system create secret generic airlock-microgateway-license --from-file=microgateway-license.txt
# Install Operator (CRDs are included via the standard Helm 3 mechanism, i.e. Helm will handle initial installation but not upgrades)
helm install airlock-microgateway -n airlock-microgateway-system oci://quay.io/airlockcharts/microgateway --version '4.2.0' --wait
```

2. (Recommended) You can verify the correctness of the installation with `helm test`.
```bash
helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.2.0'
helm test airlock-microgateway -n airlock-microgateway-system --logs
helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.2.0'
```

### Upgrading CRDs

The `helm install/upgrade` command currently does not support upgrading CRDs that already exist in the cluster.
CRDs should instead be manually upgraded before upgrading the Operator itself via the following command:
```bash
kubectl apply -k https://github.com/airlock/microgateway/deploy/charts/airlock-microgateway/crds/?ref=4.2.0
```

Consult our [documentation](https://docs.airlock.com/microgateway/latest/#data/1660804708637.html) to verify the installation or to see other installation methods.

### OpenShift

- Use the preset environment `openshift` when installing the CNI plugin
- It is recommended to install the CNI plugin into the namespace `openshift-operators` instead of `kube-system`
- **Important**: All pods which should be protected by Airlock Microgateway must explicitly reference the Airlock Microgateway CNI NetworkAttachmentDefinition via the annotation `k8s.v1.cni.cncf.io/networks` (see [documentation](https://docs.airlock.com/microgateway/latest/#data/1658483168033.html) for details).

## Deploy Airlock Microgateway
Install the Custom Resource Definitions, the CRD RBAC manifests and the deployment of the Airlock Microgateway Operator.
```
kubectl apply -k https://github.com/airlock/microgateway/deploy/crds/
kubectl apply -k https://github.com/airlock/microgateway/deploy/crd-rbac/
kubectl apply -k https://github.com/airlock/microgateway/deploy/deployment/
```

Wait for the airlock-microgateway-operator deployment to be ready
```
kubectl -n airlock-microgateway-system wait --for=condition=Available deployments --all --timeout=3m
```

> The minimum supported Kustomize version is [v4.5.3](https://github.com/kubernetes-sigs/kustomize/releases/tag/kustomize%2Fv4.5.3).
## Deploy Airlock Microgateway License
Create the required secret from the license file that you created in the prerequisite step.
```
kubectl -n airlock-microgateway-system create secret generic airlock-microgateway-license
--from-file=microgateway-license.txt=<my-local-microgateway-license.txt>
```
**Note**: Certain GitOps solutions such as e.g. Argo CD or Flux CD have their own mechanisms for automatically upgrading CRDs included with Helm charts.

## Support

Expand All @@ -127,4 +162,4 @@ Airlock<sup>&#174;</sup> is a security innovation by [ergon](https://www.ergon.c
srcset="https://raw.githubusercontent.com/airlock/microgateway/main/media/Airlock_Logo.png">
<img alt="Airlock Secure Access Hub" src="https://raw.githubusercontent.com/airlock/microgateway/main/media/Airlock_Logo.png" width="150">
</picture>
</a>
</a>
4 changes: 4 additions & 0 deletions cosign/cosign.pub
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7tOwpTZo/Jh2kV4wynwYd+yFcRha
fhQ8lbzW0QuV8BO7421sa0N/AnYhEnlFrCmGrAMDW2i6RQWTfbFUGh32eA==
-----END PUBLIC KEY-----
10 changes: 10 additions & 0 deletions cosign/kustomization.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

generatorOptions:
disableNameSuffixHash: true

secretGenerator:
- name: airlock-microgateway-cosign-public-key
files:
- cosign.pub
7 changes: 1 addition & 6 deletions deploy/README.md
Original file line number Diff line number Diff line change
@@ -1,8 +1,3 @@
# Description
The following folder contain the Kubernetes manifest files needed to deploy the Airlock Microgateway.
* `charts`: Contains Helm charts for certain Airlock Microgateway components
* `cni`: Contains example Kustomize folders and `values.yaml` files for deploying the Airlock Microgateway CNI plugin into different environments
* `crd-rbac`: Contains the Kubernetes ClusterRoles
* `crds`: Contains the Airlock Microgateway CustomResourceDefinitions
* `deployment`: Contains the Kubernetes manifest files to deploy and run the Airlock Microgateway Operator
* `operator-installation`: Contains a kustomization file to easily deploy `crds`, `crd-rbac` and `deployment` at once
* `charts`: Contains Helm charts for Airlock Microgateway
4 changes: 4 additions & 0 deletions deploy/charts/airlock-microgateway-cni/.helmignore
Original file line number Diff line number Diff line change
Expand Up @@ -21,3 +21,7 @@
.idea/
*.tmproj
.vscode/

# Helm unit tests
/tests
/validation
36 changes: 32 additions & 4 deletions deploy/charts/airlock-microgateway-cni/Chart.yaml
Original file line number Diff line number Diff line change
@@ -1,11 +1,39 @@
apiVersion: v2
name: airlock-microgateway-cni
name: microgateway-cni
description: A Helm chart for deploying the Airlock Microgateway CNI plugin
type: application
home: https://www.airlock.com/microgateway
version: "0.2.0"
appVersion: "4.1.7"
home: https://www.airlock.com/en/microgateway
version: "4.2.0"
appVersion: "4.2.0"
annotations:
charts.openshift.io/name: Airlock Microgateway CNI
artifacthub.io/category: security
artifacthub.io/links: |
- name: Airlock Microgateway Documentation
url: https://docs.airlock.com/microgateway/4.2/
- name: Airlock Microgateway Labs
url: https://play.instruqt.com/airlock/invite/hyi9fy4b4jzc?icp_referrer=artifacthub.io
- name: Airlock Microgateway Forum
url: https://forum.airlock.com/
artifacthub.io/license: MIT
sources:
- https://github.com/airlock/microgateway
icon: https://raw.githubusercontent.com/airlock/microgateway/main/media/icon.svg
keywords:
- WAF
- Web Application Firewall
- WAAP
- Web Application and API protection
- OWASP
- Airlock
- Microgateway
- Security
- Filtering
- DevSecOps
- shift left
- CNI
maintainers:
- email: [email protected]
name: Airlock
url: https://www.airlock.com/
kubeVersion: ">=1.25.0-0"
Loading

0 comments on commit 4bbde13

Please sign in to comment.