Gateway Cache
Upon network outage, the Gateway cache can still handle requests for Secrets retrievals (Read only). The cache will start working only after the Gateway is successfully operated. Only users already authenticated can get service from the Gateway cache, where the following Authentication Methods can keep authenticating on offline modes: K8s, email, API Key, LDAP, and Certificate.
Offline Authentciton Cache
The offline authentcation cache supported only via the Cluster Cache mode.
The most straightforward use cases are the following:
-
The Gateway Cache is used to improve performance when fetching secrets.
-
The Proactive Cache enables storing secrets in the Gateway Cache in advance upon successful user authentication.
Gateway Cache
To enable and configure the Gateway Cache:
-
Open the Gateway Console by going to Gateways -> Your-Gateway -> Manage Gateway
-
On the menu bar at the left, click Caching Configuration.
-
Select the Enable Cache checkbox.
-
Set the Stale Timeout value. This is the time (in minutes) during which a secret should be kept in the cache. The secret is deleted from the cache at the end of this period. By default, cached secrets will expire after 60 minutes.
-
Click Save Changes.
Note
Usually, after the Stale Timeout period expires for a secret, the secret is deleted from the Gateway Cache.
In case there is no internet connection, the Gateway Cache won’t delete old items until the internet connection is restored.
Proactive Gateway Cache
The Proactive Cache fetches all secrets from the Akeyless Cloud and stores them in the Gateway Cache upon successful authentication (based on the user access policy). To manage each user's access policy, the Gateway's default Auth Method must have List permissions for Auth-Methods and Roles, as well as Read permission for the secret intended to be saved in the cache.
To enable and configure the Proactive Cache:
-
Open the Akeyless Gateway Configuration Manager at
https://Your_Akeyless_Gateway_URL:8000
. -
On the menu bar at the left, click Caching Configuration.
-
Select the Enable Proactive Caching checkbox.
Using Legacy Mode
Once you disable Legacy Mode, you won't be able to re-enable it.
- Set the Minimum Fetching Interval value. This setting instructs the system to update secrets in the cache if they are older than the specified value. By default, each secret kept in the cache for more than 5 minutes will be re-requested from the Akeyless Cloud or the local Gateway.
- Set the Secure Backup Interval value. This is the time (in minutes) between the two consecutive backups. By default, every minute, a snapshot with the current contents of the Gateway Cache is saved to the storage file.
- Click Save Changes.
Cluster Cache Mode
When deploying Gateway on K8s, a Cluster Cache can be set in addition to support offline authentication, this results in an additional service that syncs all pods and has a shared storage, to keep the secrets encrypted at rest, this mode requires a K8s encryption key. This feature can be set only during deployment. To set this follow the installation guide under the cache section.
Bypass Cache
When Cache is enabled by default, any client that requests a secret from the relevant Gateway will receive the latest cached value of the secret. To work directly with the Akeyless SaaS, to ensure you are retrieving the latest value of the secret, you can specify the ignore-cache
setting as part of the request to by-pass the cache mechanism :
akeyless get-secret-value -n /mysecret --ignore-cache true
Updated 26 days ago