Parameters

The parent key for all of the following parameters is airlock_microgateway.

`namespace`

type	string
default	`syn-airlock-microgateway`

The namespace in which to deploy this component.

`install_method`

type	string
default	`helm`
possible values	`helm`, `olm`

The installation method for Airlock Microgateway. olm will create a subscription for the Airlock Microgateway from catalog.redhat.com/software/container-stacks/detail/67177f927cfedb209761e48f?gs=&q=airlock&rh-tabs-5gjs77yz5=rh-tab-3tk92bl2m#overview. If you use this method, you may want to configure olm. Openshift is required for this to work.

helm will install airlock-microgateway from the official helm chart. If you use this method, you may want to configure helm_values.

`license`

type	string
default	`""`

The license key for Airlock Microgateway.

`network_policy`

type

object

Configuration for network policies related to Airlock Microgateway.

`namespace_selector`

type

object

Selector for namespaces where the network policy should be applied.

`matchLabels`

type	object
default	`appuio.ch/waf: airlock`

Labels used to match namespaces for the network policy.

`gateway_listener_manager`

type

object

Configuration for the Gateway Listener Manager. Gateway Listener Manager allows merging multiple gateway listeners, based on HTTPRoutes into a single gateway.

See Manage Gateway Listeners through HTTPRoutes for more details.

`enabled`

type	boolean
default	`false`

Whether to enable the Gateway Listener Manager.

`create_listener_annotation`

type	string
default	`airlock-microgateway.appuio.io/create-gateway-https-listener`

The annotation to use on HTTPRoute resources to create an HTTPS listener automatically. Must be set to ANNOTATION: "true" in the resource annotations.

`tls_secret_name_annotation`

type	string
default	`airlock-microgateway.appuio.io/tls-secret-name`

The annotation to use on HTTPRoute resources to specify the name of the TLS secret to use for HTTPS listeners.

`httproute_certificate_manager`

type

object

Configuration for the HTTPRoute Certificate Manager. HTTPRoute Certificate Manager allows automatic management of TLS certificates for HTTPRoute resources using cert-manager.

See Manage Gateway Listeners through HTTPRoutes for more details.

`enabled`

type	boolean
default	`false`

Whether to enable the HTTPRoute Certificate Manager.

`tls_secret_name_annotation`

type	string
default	`${airlock_microgateway:gateway_listener_manager:tls_secret_name_annotation}`

The annotation to use on HTTPRoute resources to specify the name of the TLS secret to create the certificate in.

`create_certificate_annotation`

type	string
default	`airlock-microgateway.appuio.io/create-certificate`

The annotation to use on HTTPRoute resources to create a certificate automatically. Must be set to ANNOTATION: "true" in the resource annotations.

`gateway_default_cluster_issuer_annotation`

type	string
default	`airlock-microgateway.appuio.io/gateway-default-cluster-issuer`

The annotation to use on parent Gateway resources to specify the default cluster issuer for certificates. If the resource has no issuer_annotation or cluster_issuer_annotation, this cluster issuer will be used.

`cluster_issuer_annotation`

type	string
default	`airlock-microgateway.appuio.io/cluster-issuer`

The annotation to use on HTTPRoute resources to specify the cluster issuer for certificates.

`issuer_annotation`

type	string
default	`airlock-microgateway.appuio.io/issuer`

The annotation to use on HTTPRoute resources to specify the issuer for certificates.

`gateway_api`

type

object

Configuration for Kubernetes Gateway API integration.

`enabled`

type	boolean
default	`true`

Whether to install the upstream Kubernetes Gateway API.

`version`

type	string
default	`v1.2.1`

The version of Kubernetes Gateway API to install.

`source`

type	string
default	`github.com/kubernetes-sigs/gateway-api/releases/download/${airlock_microgateway:gateway_api:version}/standard-install.yaml`

The source URL for the Kubernetes Gateway API installation.

`airlock_xopenshift`

type

object

Configuration for deploying patched Gateway API CRDs on OpenShift. This parameter allows us to deploy copies of upstream Gateway API CRDs in API group x-openshift.microgateway.airlock.com. This allows us — by leveraging Airlock Mircogateway’s support for CRDs in that API group — to deploy additional Gateway API CRDs on OpenShift without creating conflicts with the ingress-operator-managed Gateway API CRDs that are deployed on OpenShift >= 4.19.

This parameter only has an effect for install_method=olm.

`enabled`

type	boolean
default	`false`

Whether to deploy any patched Gateway API CRDs.

`version`

type	string
default	`v1.3.0`

The upstream Gateway API version of the CRDs that we want to patch.

`channel`

type	string
default	`experimental`

The upstream Gateway API channel for the CRDs to patch. Supported values are standard or experimental. Component compilation will error when another value is provided.

`crds`

type	object
default	`{"backendtlspolicies":"BACKEND_TLS_POLICY"}`

The list of CRD names for which the component will deploy a copy of the CRD in API group x-openshift.microgateway.airlock.com. The keys are expected to be CRD base names, such as backendtlspolicies. The component will always download the full <channel>-install.yaml from the specified Gateway API release but will only create copies of CRDs whose base name matches a key with a non-null value in this parameter.

The values are expected to be the identifying segment for the OLM operator environment variable which switches the CRD from API group gateway.networking.k8s.io to x-openshift.microgateway.airlock.com. For example, value BACKEND_TLS_POLICY results in environment variable GATEWAY_API_BACKEND_TLS_POLICY_API_GROUP=x-openshift.microgateway.airlock.com to be set for the OLM operator.

Users can remove entries in this parameter by setting an entry to null.

`gateway_classes`

type

object

Configuration for Gateway Classes.

`gateway_classes.<name>.parametersRef`

type

string

A reference to a Gateway Parameters object, defined in gateway_parameters.

Example

airlock_microgateway:
  gateway_classes:
    my-gateway-class:
      spec:
        controllerName: microgateway.airlock.com/gatewayclass-controller
        parametersRef:
          group: microgateway.airlock.com
          kind: GatewayParameters
          name: gatewayparameter-mgw-poc
          namespace: airlock-gateway

    my-other-gateway-class:
      parametersRef: airlock

  gateway_parameters:
    airlock: ...

`gateway_parameters`

type

object

Configuration for Gateway Parameters.

Example

airlock_microgateway:
  gateway_parameters:
    airlock:
      spec:
        defaults:
          downstream:
            remoteIP:
              xff:
                numTrustedHops: 1
        kubernetes:
          deployment:
            automountServiceAccountToken: false
            engineContainer: {}
            placement: {}
            replicas: 1
          service:
            type: ClusterIP
        logging:
          level: info

`gateways`

type	object
default	`{}`

This parameter allows users to define Gateway resources to deploy. The component currently doesn’t validate that the value of spec.gatewayClassName is a gateway class that’s managed through parameter gateway_classes.

Airlock Microgateway also supports referencing a GatewayParameters resource directly in spec.infrastructure.parametersRef. If both spec.gatewayClassName and spec.infrastructure.parametersRef are provided, the instance is configured with the parameters referenced in spec.infrastructure.parametersRef.

See the Gateway API and Airlock Microgateway documentation for a full reference of supported configuration options for Gateway resources.

When component cilium is installed in the cluster, the component also creates a CiliumNetworkPolicy which allows traffic from identity world for each managed Gateway resource.

Example

airlock_microgateway:
  gateways:
    airlock/gateway-1:
      spec:
        gatewayClassName: airlock-microgateway
        listeners:
          - allowedRoutes:
              namespaces:
                from: All
            name: http
            port: 80
            protocol: HTTP

  gateway_parameters:
    airlock/gatewayparams: { ... }

  gateway_classes:
    airlock-microgateway:
      parametersRef: "airlock/gatewayparams"

`alerts`

type

object

This parameter allows users to disable or patch alerts managed by the component.

The component currently expects that an openshift4-monitoring-style alert patching library is available for the target cluster’s distribution’s monitoring stack.

`alerts.ignoreNames`

type	list
default	`[]`

Users can add alert names which they want to disable in this list.

`alerts.patches`

type	object
default	`{}`

Users can customize alerts through this parameter. The component looks for alert names it knows in this parameter, and applies the provided value, if any, over the default alert configuration.

`helm_values`

type	object
default

operator:
  gatewayAPI:
    enabled: true
    podMonitor:
      create: true
      labels:
        release: "kube-prometheus-stack"
  serviceMonitor:
    create: true
    labels:
      release: "kube-prometheus-stack"
dashboards:
  create: true

Configuration values for the Helm chart installation. See the official Airlock documentation for more details: docs.airlock.com/microgateway/4.5/index/1726159368039.html

`olm`

type

object

Configuration for OLM (Operator Lifecycle Manager) installation.

`version`

type	string
default	`stable`

The version of the OLM operator to install.

`channel`

type	string
default	`${airlock_microgateway:olm:version}`

The OLM channel to use.

`upgrade_strategy`

type	object
default	`upgrade_strategy: manual_upgrade: false upgrade_job_hook: true upgrade_job_selector: {}`

Configuration for the OLM upgrade strategy.

`manual_upgrade`

type	boolean
default	`false`

Whether to enable manual upgrade approval for OLM installations. When set to true, the OLM subscription will use installPlanApproval: Manual, requiring manual approval for operator upgrades.

`upgrade_job_hook`

type	boolean
default	`true`

If the openshift-upgrade-controller application is present, this will create an UpgradeJobHook that automatically approves install plans during cluster upgrades.

The UpgradeJobHook`compares the creation timestamps of the last `InstallPlan and the UpgradeJob it’s running for. Only the newest install plan which is older than the UpgradeJob for which the hook is running will be approved. This ensures that upgrades to the operator are done in sync with the general upgrade schedule of the cluster.

`upgrade_job_selector`

type	dict
default	`{}`
example	`upgrade_strategy: upgrade_job_selector: matchLabels: appuio-managed-upgrade: 'true'`

Selects which UpgradeJob objects the hook applies to.

`config`

type

object

Configuration for the OLM operator.

`create_pod_monitor`

type	boolean
default	`true`

Whether to create a PodMonitor for the OLM operator.

`charts`

type

object

Configuration for Helm charts.

`microgateway`

type

object

Configuration for the Microgateway chart.

`version`

type	string
default	`4.5.2`

The version of the Microgateway chart to install.

`source`

type	string
default	`oci://quay.io/airlockcharts/microgateway`

The source URL for the Microgateway chart.

Example

parameters:
  airlock_microgateway:
    namespace: syn-airlock-microgateway

    install_method: helm

    license: |
      -----BEGIN LICENSE-----
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAA==
      -----END LICENSE-----
      -- Airlock Microgateway --
      License Type                 Premium
      ID                           aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
      Owner                        OWNER
      Trial                        true
      Email                        foo@foo.bar
      Environment                  Temporary
      Valid Until                  2025-06-30
      Requests per Month           10000000
      Module Base                  on
      Module Auth                  on
      ---------------------

    network_policy:
      namespace_selector:
        matchLabels:
          'appuio.ch/waf': 'airlock'

    gateway_api:
      enabled: true
      version: "v1.2.1"

    charts:
      microgateway:
        version: "4.5.3"