Advanced K8s Configuration
Cluster Name & URL
Each Gateway instance is uniquely identified by combining the Gateway Access ID Authentication Method and the Cluster Name.
It means that changing the Gateway Access ID or the Cluster Name of your Gateway instance will create an entirely new Gateway instance, and it will not retrieve the settings and data from the previous Gateway instance.
That’s why we recommend setting up a meaningful Cluster Name for your Gateway cluster from the very beginning. By default, your cluster name is defaultCluster.
To do that, you can set the clusterName="meaningful-cluster-name"
field as part of the Gateway deployment.
In addition, to set in advance the Cluster URL, you can set the CLUSTER_URL
under the env
section as an environment variable.
You can also provide a custom display name for the Gateway Instance using the initialClusterDisplayName
variable, which is arbitrary. This name can be changed in the Akeyless Console after the Gateway is installed.
clusterName: <meaningful-cluster-name>
initialClusterDisplayName:
env:
- name: CLUSTER_URL
value: 'https://<Your-Akeyless-GW-URL:8000>'
Encryption Key
To choose an existing Encryption Key to encrypt your Gateway configuration, you can provide the full path to your key using the following setting configProtectionKeyName
.
By default, the Gateway configuration is encrypted with your account's default encryption key.
Warning
This key can be determined on cluster deployment only, and cannot be modified afterward.
Customer fragment
If your Encryption Key works with Zero Knowledge, create a K8s Secret with a base64-encoded JSON
that includes your Customer Fragment.
kubectl create secret generic customer-fragment \
--from-literal=customer-fragments: <base64-encoded-customer-fragment>
Add the secret to the values.yaml
file:
customerFragmentsExistingSecret: customer-fragment
TLS Configuration
We strongly recommend using Akeyless Gateway with TLS to ensure all traffic is encrypted at transit.
Please note that when you're enabling TLS, you must provide a TLS certificate
and a corresponding TLS Private Key
.
To set the TLS settings, create a K8s Secret includes your TLS certificate in base64 encoded
format where the key
of the secret has to be tlsCertificate
:
apiVersion: v1
kind: Secret
metadata:
name: tlsCertificate
type: Opaque
data: tlsCertificate: <base64-encoded-tls-certificate.pem>
Enable TLS:
TLSConf:
enabled: true
minimumTlsVersion: <TLSv1/TLSv1.1/TLSv1.2/TLSv1.3>
tlsExistingSecretName: tlsCertificate
Alternatively, you can also configure TLS settings using the web interface of the Gateway Configuration Manager.
Cache Configuration
You can enable caching of secrets and periodic backup of cached secrets, It is also possible to configure caching in the Gateway Configuration Manager after the Gateway is installed.
To set an internal TLS between the Gateway and cache service set the enableTls: true
option:
clusterCache:
enableTls: false
Alternatively, you can configure the cache using the Gateway Configuration Manager.
To set the cache on your gateway with a default encryption key to support full offline mode, create a K8s Secret that includes your cluster-cache-encryption-key
base64 encoded :
kubectl create secret generic cache-configuration \
--from-literal=cluster-cache-encryption-key=<base64-encoded-cluster-cache-encryption-key>
And add to the values.yaml
file the K8s secret name:
clusterCache:
encryptionKeyExistingSecret: <K8s Secret Name>
enableTls: false
Working With K8s Secrets
To provide the settings of your Gateway deployment directly from your local k8s secrets store, you can set the following settings:
gateway-access-key
gateway-uid-init-token
allowed-access-permissions
tlsCertificate
gateway-certificate
gateway-certificate-key
customer-fragments
Warning
Providing any of those settings using an existing K8s secret, make sure that the corresponding parameters are left empty in your
values.yaml
file.
gatewayCredentialsExistingSecret:
allowedAccessPermissionsExistingSecret:
customerFragmentsExistingSecret:
tlsExistingSecretName:
existingSecretName:
encryptionKeyExistingSecret:
Fixed Artifact Repository
In some environments where an IP address must be whitelisted, to pull Akeyless official artifacts as part of your Gateway deployment, uncomment the fixedArtifactRepository: "artifacts.site2.akeyless.io" setting in your chart:
image:
repository: akeyless/base
pullPolicy: Always
tag: latest
fixedArtifactRepository: "artifacts.site2.akeyless.io"
You can explicitly provide the k8s secret name that contains the credentials for the private registry if needed using the imagePullSecrets
setting:
image:
repository: akeyless/base
pullPolicy: Always
tag: latest
imagePullSecrets:
- name: regcred
fixedArtifactRepository: "artifacts.site2.akeyless.io"
Rate Limit
To set a local rate limit on your Gateway instance you can add the GW_RATE_LIMIT
environment variable where the value will set the maximum calls per minute. When a client reaches that threshold, this will be logged and any additional requests during that minute will be discarded on the Gateway:
env:
- name: GW_RATE_LIMIT
value: 4000
Updated 8 days ago