Gateway Cache

During a network outage, the Gateway cache can still serve requests to retrieve secrets (read-only). The cache starts working only after the Gateway has started operating successfully. Only users who have already authenticated can be served from the Gateway cache; the following Authentication Methods can keep authenticating in offline mode: K8s, email, API Key, LDAP, and Certificate.

👍

Offline Authentication Cache

The offline authentication cache is supported only via the Cluster Cache mode.

The most straightforward use cases are the following:

  • The Gateway Cache is used to improve performance when fetching secrets.

  • The Proactive Cache enables storing secrets in the Gateway Cache in advance upon successful user authentication.

Gateway Cache

To enable and configure the Gateway Cache:

  1. Open the Gateway Console by going to Gateways -> Your-Gateway -> Manage Gateway.

  2. On the menu bar at the left, click Caching Configuration.

  3. Select the Enable Cache checkbox.

  4. Set the Stale Timeout value. This is the time (in minutes) during which a secret should be kept in the cache. The secret is deleted from the cache at the end of this period. By default, cached secrets will expire after 60 minutes.

  5. Click Save Changes.

👍

Note

Usually, after the Stale Timeout period expires for a secret, the secret is deleted from the Gateway Cache.

In case there is no internet connection, the Gateway Cache won’t delete old items until the internet connection is restored.

Proactive Gateway Cache

The Proactive Cache fetches all secrets from the Akeyless Cloud and stores them in the Gateway Cache upon successful authentication (based on the user access policy). To manage each user's access policy, the Gateway's default Auth Method must have List permissions for Auth-Methods and Roles, as well as Read permission for the secret intended to be saved in the cache.

To enable and configure the Proactive Cache:

  1. Open the Akeyless Gateway Configuration Manager at https://Your_Akeyless_Gateway_URL:8000.

  2. On the menu bar at the left, click Caching Configuration.

  3. Select the Enable Proactive Caching checkbox.

🚧

Using Legacy Mode

Once you disable Legacy Mode, you won't be able to re-enable it.

  4. Set the Minimum Fetching Interval value. This setting instructs the system to update secrets in the cache if they are older than the specified value. By default, each secret kept in the cache for more than 5 minutes will be re-requested from the Akeyless Cloud or the local Gateway.

  5. Set the Secure Backup Interval value. This is the time (in minutes) between two consecutive backups. By default, every minute, a snapshot with the current contents of the Gateway Cache is saved to the storage file.

  6. Click Save Changes.

Cluster Cache Mode

When deploying the Gateway on K8s, a Cluster Cache can additionally be set up to support offline authentication. This results in an additional service that syncs all pods and has shared storage. To keep the secrets encrypted at rest, this mode requires a K8s encryption key. This feature can be set only during deployment; to set it, follow the installation guide under the cache section.

Bypass Cache

When the cache is enabled, any client that requests a secret from the relevant Gateway will by default receive the latest cached value of the secret. To work directly with the Akeyless SaaS and ensure you are retrieving the latest value of the secret, you can specify the ignore-cache setting as part of the request to bypass the cache mechanism:

akeyless get-secret-value -n /mysecret --ignore-cache true
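
The cache bypass above can be combined with the offline behavior described in the Note under Gateway Cache, where cached items are not deleted while the connection is down. The following wrapper is an added example, not Akeyless code: it asks for the live value first and accepts the cached copy only as a flagged fallback. It assumes the CLI is configured to talk to your Gateway and exits non-zero when a request fails; `fetch_secret`, `SECRET_VALUE` and `SECRET_SOURCE` are hypothetical names.

```shell
#!/bin/sh
# Added example: prefer the live value, fall back to the Gateway Cache.
# Assumption: the akeyless CLI exits non-zero when the request fails.
# fetch_secret, SECRET_VALUE and SECRET_SOURCE are hypothetical names.

SECRET_VALUE=""
SECRET_SOURCE=""

fetch_secret() {
    name=$1
    SECRET_VALUE=""
    SECRET_SOURCE=""

    # 1. Bypass the cache so a rotated secret is picked up immediately.
    if value=$(akeyless get-secret-value -n "$name" --ignore-cache true 2>/dev/null); then
        SECRET_VALUE=$value
        SECRET_SOURCE="cloud"
        return 0
    fi

    # 2. Outage or error: accept the cached copy. While offline the cache
    #    does not delete old items, so this value may be past its Stale Timeout.
    if value=$(akeyless get-secret-value -n "$name" 2>/dev/null); then
        SECRET_VALUE=$value
        SECRET_SOURCE="cache"
        # Log the secret name only, never the value.
        echo "warning: $name served from Gateway Cache, value may be stale" >&2
        return 0
    fi

    echo "error: could not read $name from cloud or cache" >&2
    return 1
}
```

Callers can check `SECRET_SOURCE` and refuse a cached value for secrets where using a rotated-out credential is unacceptable.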