{"id":24567043,"url":"https://github.com/airlock/microgateway-running-example","last_synced_at":"2025-04-22T12:51:10.122Z","repository":{"id":273692777,"uuid":"920104047","full_name":"airlock/microgateway-running-example","owner":"airlock","description":"Running example of Airlock Microgateway, a Kubernetes-native WAAP (Web Application and API Protection) solution","archived":false,"fork":false,"pushed_at":"2025-03-11T10:15:36.000Z","size":2211,"stargazers_count":4,"open_issues_count":0,"forks_count":2,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-03-29T15:22:52.615Z","etag":null,"topics":["airock","devops","ergon","gateway-api","k8s","kubernetes","microgateway","oidc","openapi","security","waap","waf"],"latest_commit_sha":null,"homepage":"https://www.airlock.com/microgateway","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/airlock.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2025-01-21T15:15:44.000Z","updated_at":"2025-03-11T10:15:41.000Z","dependencies_parsed_at":"2025-02-19T13:22:03.781Z","dependency_job_id":"b49021c2-26c4-4c53-a040-4f13bcafa4c1","html_url":"https://github.com/airlock/microgateway-running-example","commit_stats":null,"previous_names":["airlock/microgateway-running-example"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/airlock%2Fmicrogateway-running-example","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/airlock%2Fmicrogateway-running-example/tags","releases_u
rl":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/airlock%2Fmicrogateway-running-example/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/airlock%2Fmicrogateway-running-example/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/airlock","download_url":"https://codeload.github.com/airlock/microgateway-running-example/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250243902,"owners_count":21398419,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["airock","devops","ergon","gateway-api","k8s","kubernetes","microgateway","oidc","openapi","security","waap","waf"],"created_at":"2025-01-23T13:15:53.643Z","updated_at":"2025-04-22T12:51:10.108Z","avatar_url":"https://github.com/airlock.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Airlock Microgateway running example\n\n*Airlock Microgateway is a Kubernetes native WAAP (Web Application and API Protection) solution to protect microservices.*\n\n\u003cpicture\u003e\n  \u003csource media=\"(prefers-color-scheme: dark)\"\n          srcset=\"https://raw.githubusercontent.com/airlock/microgateway/main/media/Microgateway_Labeled_AlignRight_Negative.svg\"\u003e\n  \u003csource media=\"(prefers-color-scheme: light)\"\n          srcset=\"https://raw.githubusercontent.com/airlock/microgateway/main/media/Microgateway_Labeled_AlignRight.svg\"\u003e\n  \u003cimg alt=\"Microgateway\" 
src=\"https://raw.githubusercontent.com/airlock/microgateway/main/media/Microgateway_Labeled_AlignRight.svg\" align=\"right\" width=\"250\"\u003e\n\u003c/picture\u003e\n\nModern application security is embedded in the development workflow and follows DevSecOps paradigms. Airlock Microgateway is the perfect fit for these requirements. It is a lightweight WAAP solution (formerly known as WAF), optimized for Kubernetes environments. Airlock Microgateway protects your applications and microservices with the tried-and-tested Airlock security features against attacks, while also providing a high degree of scalability.\n\nThis repository contains a running example of Airlock Microgateway in Kubernetes. It shows how to protect a backend application with Airlock Microgateway. The source code is available under the [MIT license](/LICENSE).\n\n## Overview\n![Topology](/media/topology.svg)\n\u003cbr\u003e\n\n**This topology diagram illustrates the deployment architecture of a Kubernetes cluster with a focus on secure access to web applications using Airlock Microgateway.**\n- Users access the cluster from devices (e.g., laptops or smartphones).\n- Requests are routed through an **Ingress** managed by Traefik, which serves as the cluster's entry point.\n- Traefik handles traffic forwarding based on routing rules.\n- Juice Shop will be protected by the **Airlock Microgateway via Gateway API**.\n- Nextcloud will be protected by the **Airlock Microgateway via Sidecar**.\n- Prometheus collects metrics from the cluster, including all **Airlock Microgateway** instances.\n- Promtail is used to forward logs from the Microgateway to Loki for analysis and storage.\n- Grafana visualizes metrics and logs collected from Prometheus and Loki.\n\u003cbr\u003e\n
\n**Links to access the applications**\n- Grafana via http://grafana-127-0-0-1.nip.io/\n- Prometheus via http://prometheus-127-0-0-1.nip.io/\n- Nextcloud via http://nextcloud-127-0-0-1.nip.io/\n  - Username: admin\n  - Password: changeme\n- Juice Shop unprotected via http://juice-shop-127-0-0-1.nip.io/\n- Juice Shop protected via http://juice-shop-127-0-0-1.nip.io:8080/\n\n## Disclaimer\nAirlock Microgateway is available as a community and a premium edition. See [Community vs. Premium editions in detail](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html) to choose the right license type. This example setup can be deployed with either Airlock Microgateway edition.\n\n\u003e [!WARNING]\n\u003e Be aware that this is an example and some security settings are disabled to make this demo as simple as possible (e.g. authentication enforcement, restrictive deny rule configuration and other security settings).\n\n## General prerequisites\n* Install [Rancher Desktop](https://docs.rancherdesktop.io/getting-started/installation/).\n\n\u003e [!NOTE]\n\u003e This example is built for Rancher Desktop with containerd as container engine. Nevertheless, it should also work with any other Kubernetes distribution. Simply ensure the following:\n\u003e * The [Airlock Microgateway requirements](https://docs.airlock.com/microgateway/latest/#data/1660804711882.html) are met.\n\u003e * [kubectl](https://kubernetes.io/docs/reference/kubectl/overview/) is installed.\n\u003e * [helm](https://helm.sh/docs/intro/install/) is installed.\n\u003e * [kustomize](https://kustomize.io) \u003e= 5.2.1 is installed.\n\u003e * An Ingress Controller (e.g. Traefik, Ingress Nginx, ...) is deployed.\n\n## Airlock Microgateway prerequisites\n\n### Obtain and deploy the Airlock Microgateway license\n1. Either request a community license free of charge or purchase a premium license.\n   * Community license: [airlock.com/microgateway-community](https://airlock.com/en/microgateway-community)\n   * Premium license: [airlock.com/microgateway-premium](https://airlock.com/en/microgateway-premium)\n2. Check your mailbox and save the license file `microgateway-license.txt` locally (replace the existing file).\n3. Deploy the Airlock Microgateway license\n```bash\n# Create the airlock-microgateway-system namespace\n
kubectl create ns airlock-microgateway-system --dry-run=client -o yaml | kubectl apply -f -\n\n# Deploy the Airlock Microgateway license\nkubectl -n airlock-microgateway-system create secret generic airlock-microgateway-license --from-file=microgateway-license.txt --dry-run=client -o yaml | kubectl apply -f -\n```\n\n\u003e [!NOTE]\n\u003e See [Community vs. Premium editions in detail](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html) to choose the right license type.\n\n### Deploy the cert-manager\nFor an easy start in non-production environments, you may deploy the same [cert-manager](https://cert-manager.io/) we are using internally for testing.\n```bash\n# Deploy the cert-manager\nkubectl kustomize --enable-helm manifests/cert-manager | kubectl apply --server-side -f -\n\n# Wait until the cert-manager is up and running\nkubectl -n cert-manager rollout status deployment\n```\n\n## Deploy the example\n\n### Deploy the logging, monitoring and reporting stack\n```bash\n# Deploy Promtail, Loki, Prometheus and Grafana\nkubectl kustomize --enable-helm manifests/logging-and-reporting | kubectl apply --server-side -f -\n\n# Wait until Promtail, Loki, Prometheus and Grafana are up and running\nkubectl -n monitoring rollout status deployment,daemonset,statefulset\n```\n\n\u003e [!NOTE]\n\u003e You can now access\n\u003e * Prometheus via http://prometheus-127-0-0-1.nip.io/\n\u003e * Grafana via http://grafana-127-0-0-1.nip.io/\n\n### Deploy Airlock Microgateway\n\u003e [!TIP]\n\u003e Certain environments such as OpenShift or GKE require non-default configurations when installing the CNI plugin. If the CNI plugin does not start properly, consult the [Troubleshooting Microgateway CNI article](https://docs.airlock.com/microgateway/latest/#data/1710781909882.html).\n
\n\u003e [!NOTE]\n\u003e If this example is not deployed in Rancher Desktop, `cniBinDir` and `cniNetDir` in the file `manifests/airlock-microgateway/microgateway-cni-values.yaml` most likely must be adjusted.\n\u003e Example:\n\u003e ```\n\u003e config:\n\u003e   cniBinDir: \"/usr/libexec/cni/\"\n\u003e   cniNetDir: \"/etc/cni/net.d\"\n\u003e ```\n\n```bash\n# Deploy Airlock Microgateway including the CNI plugin\nkubectl kustomize --enable-helm manifests/airlock-microgateway | kubectl apply --server-side -f -\n\n# Wait until Airlock Microgateway is up and running\nkubectl -n kube-system rollout status daemonset airlock-microgateway-microgateway-cni\nkubectl -n airlock-microgateway-system rollout status deployment\n```\n\n### Deploy Nextcloud\n\n```bash\n# Deploy Nextcloud\nkubectl kustomize --enable-helm manifests/nextcloud | kubectl apply --server-side -f -\n\n# Wait until Nextcloud is up and running\nkubectl -n nextcloud rollout status deployment,statefulset\n```\n\n\u003e [!NOTE]\n\u003e You can now access Nextcloud via http://nextcloud-127-0-0-1.nip.io/\n\u003e * Username: admin\n\u003e * Password: changeme\n\n\u003e [!IMPORTANT]\n\u003e The web application is not yet protected by Airlock Microgateway. Protection will be enabled later (see [Protect the web application](#protect-the-web-application)).\n\n### Deploy Juice Shop\n\n```bash\n# Deploy Juice Shop\nkubectl kustomize --enable-helm manifests/juice-shop | kubectl apply --server-side -f -\n\n# Wait until Juice Shop is up and running\nkubectl -n juice-shop rollout status deployment\n```\n\n\u003e [!NOTE]\n\u003e You can now access Juice Shop via http://juice-shop-127-0-0-1.nip.io/\n\n\u003e [!IMPORTANT]\n\u003e The web application is not yet protected by Airlock Microgateway. Protection will be enabled later (see [Protect the web application](#protect-the-web-application)).\n\n## Protect the web application\n\n### Protect Nextcloud (data plane mode 'sidecar')\n\n```bash\n# Deploy the Airlock Microgateway configuration\n
kubectl kustomize --enable-helm manifests/nextcloud-microgateway-config | kubectl apply --server-side -f -\n\n# Label the Nextcloud deployment to be protected\nkubectl -n nextcloud patch deployment nextcloud -p '{\n   \"spec\":{ \"template\": {\"metadata\": {\"labels\": {\n               \"sidecar.microgateway.airlock.com/inject\":\"true\"\n            } } } } }'\n\n# Wait until Nextcloud is rolled out with Microgateway\nkubectl -n nextcloud rollout status deployment\n```\n\n### Protect Juice Shop (data plane mode 'sidecarless')\n```bash\n# Deploy the Airlock Microgateway configuration\nkubectl kustomize --enable-helm manifests/juice-shop-microgateway-config | kubectl apply --server-side -f -\n\n# The Ingress resource can be deleted as it is no longer needed.\nkubectl -n juice-shop delete ingress juice-shop\n```\n\u003e [!NOTE]\n\u003e You can now access the protected Juice Shop via http://juice-shop-127-0-0-1.nip.io:8080/\n\n### Sidecar vs sidecarless\n\n|                         | Sidecar                         | Sidecarless (Kubernetes Gateway API)                     |\n| :---------------------- | :----------------------------- | :----------------------------------------- |\n| **Total resource consumption (CPU/Memory)** | Low                             | Even lower                                  |\n| **3rd party solutions licensing number of containers** | Higher 3rd party license costs | Lower 3rd party license costs             |\n| **Airlock Microgateway CNI plugin**        | Required                        | Not required                               |\n| **Supported service mesh compatibility**   | Istio and Cilium                | No special compatibility requirements      |\n| **Update Microgateway Engine**             | Rollover of the application Pod | Rollover of Microgateway (no impact on the application) |\n| **Traffic filtering with Airlock Microgateway** | Automatically in-line (traffic is redirected first to Microgateway) | Filtering ensured with routing and NetworkPolicies in Kubernetes |\n| **Protected web application**              | Runs inside of Kubernetes       | Runs inside or outside of Kubernetes       |\n| **North-South traffic**                    | Yes, for the protected Pod      | Yes                                        |\n| **East-West traffic**                      | Yes                             | Yes, by routing the traffic accordingly    |\n\n## Additional Information\n
\n* [Microgateway manual](https://docs.airlock.com/microgateway/latest/)\n  * [Getting Started](https://docs.airlock.com/microgateway/latest/#data/1660804708742.html)\n  * [System Architecture](https://docs.airlock.com/microgateway/latest/#data/1660804709650.html)\n  * [Installation](https://docs.airlock.com/microgateway/latest/#data/1660804708713.html)\n  * [Troubleshooting](https://docs.airlock.com/microgateway/latest/#data/1659430054787.html)\n  * [API Reference](https://docs.airlock.com/microgateway/latest/api/index.html)\n* [Release Repository](https://github.com/airlock/microgateway)\n* [Airlock Microgateway labs](https://play.instruqt.com/airlock/invite/hyi9fy4b4jzc?icp_referrer=github.com)\n\n## License\nView the [detailed license terms](https://www.airlock.com/en/airlock-license) for the software contained in this image.\n* Decompiling or reverse engineering is not permitted.\n* Using any of the deny rules or parts of these filter patterns outside of the image is not permitted.\n\n\u003cbr\u003e\n\nAirlock\u003csup\u003e\u0026#174;\u003c/sup\u003e is a security innovation by [ergon](https://www.ergon.ch/en)\n\n\u003c!-- Airlock SAH Logo (different image for light/dark mode) --\u003e\n\u003ca href=\"https://www.airlock.com/en/secure-access-hub/\"\u003e\n\u003cpicture\u003e\n    \u003csource media=\"(prefers-color-scheme: dark)\"\n        srcset=\"https://raw.githubusercontent.com/airlock/microgateway/main/media/Airlock_Logo_Negative.png\"\u003e\n    \u003csource media=\"(prefers-color-scheme: light)\"\n        srcset=\"https://raw.githubusercontent.com/airlock/microgateway/main/media/Airlock_Logo.png\"\u003e\n    \u003cimg alt=\"Airlock Secure Access Hub\" src=\"https://raw.githubusercontent.com/airlock/microgateway/main/media/Airlock_Logo.png\" width=\"150\"\u003e\n\u003c/picture\u003e\n\u003c/a\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fairlock%2Fmicrogateway-running-example","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fairlock%2Fmicrogateway-running-example","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fairlock%2Fmicrogateway-running-example/lists"}