K8s Gateway Installation & Configuration
- Prerequisites
- Components to be Installed
- Initial Configuration
- Essential configuration Parameters
- Installation
Prerequisites
- An Akeyless Account (you can register one in the Akeyless SaaS Console).
- An Authentication Method linked to this Akeyless Account (the default Authentication Method uses the email/password access method and has Superuser privileges in the Account). Make sure it has the access permissions needed to view and manage the secrets that the Gateway will serve.
- A Linux or Windows Server instance (e.g. on a Virtual Machine) with the required components installed.
- The following ports need to be open on the server where you are installing the Gateway:
  - 8000
  - 18888
  - 8200
  - 8080
  - 8081
  - 5696
IMPORTANT
Make sure that this server is not reachable from the external network: the ports above carry the Gateway's administrative and API interfaces and must be exposed only to your internal network (or through a TLS-terminating ingress).
- For the Akeyless Gateway to function properly, the server needs outbound (public) network connectivity to the Akeyless SaaS core services.
Components to be Installed
Component | Port
---|---
Gateway Configuration Manager (the web console you log in to after installation) | 8000
Akeyless API Proxy | 18888
 | 8200
Akeyless V1 Restful API | 8080
 | 8081
Key Management Interoperability Protocol (KMIP) server for encryption key management | 5696
Initial Configuration
Akeyless Gateway can be deployed on a K8s cluster using the Helm package manager.
Akeyless provides the akeyless-api-gateway Helm chart to bootstrap the Gateway deployment. (This chart has been tested with the NGINX Ingress and cert-manager.)
For a K8s deployment, configuration takes place before the actual installation: the configuration data lives in the values.yaml file of the chart, which you edit and then pass to helm install.
To obtain the values.yaml file, follow the steps below.
- Add the following repository to your Helm repository list:
helm repo add akeyless https://akeylesslabs.github.io/helm-charts
helm repo update
- Fetch the values.yaml file from the Akeyless repository:
helm show values akeyless/akeyless-api-gateway > values.yaml
- Use your favorite text editor to modify the relevant parameter values in the values.yaml file:
vi values.yaml
Essential Configuration Parameters
Authentication Parameters
Parameter | Description
---|---
akeylessUserAuth.adminAccessId | Value: the Access ID of an API Key, an email, a Universal Identity (UID) ID, or a CSP IAM authentication method (aws_iam, azure_ad, gcp_gce). This parameter is required. If left empty, the Gateway will not authorize anyone to act as the Gateway Admin.
akeylessUserAuth.adminAccessKey | Value: the Access Key. It must match the Access ID given in adminAccessId.
akeylessUserAuth.adminPassword | Value: the password. Used when an email was provided as the value of adminAccessId.
akeylessUserAuth.adminUIDInitToken | Value: the initial Universal Identity token. Used when a Universal Identity ID was provided as the value of adminAccessId.
universalIdentity.uidRotationInterval | Default value: 5 minutes. Universal Identity token rotation interval in minutes.
universalIdentity.uidCreateChildTokenPerPod | Default value: disable.
akeylessUserAuth.allowedAccessIDs | Value: a list of Access IDs from your account that are allowed to log in to the Gateway Configuration Manager. This parameter can also carry sub-claims, which matters when a shared authentication method (e.g. SAML) is used in the organization: there the Access ID belongs to the authentication method created for that Identity Provider, and if you do not restrict it with sub-claims, every user authenticated by that IdP will be able to log in to the Gateway with admin privileges.
akeylessUserAuth.clusterName | Value: a Gateway cluster name. Creates the Gateway instance with a custom cluster name instead of the default one (defaultCluster). We recommend giving your Gateway cluster a meaningful name.
akeylessUserAuth.initialClusterDisplayName | Value: a Gateway cluster display name. Creates the Gateway instance with a custom Display Name, which replaces the cluster name in the Gateway Console.
akeylessUserAuth.configProtectionKeyName | Value: the name of an Akeyless Protection key. This key from the Akeyless Vault is used to encrypt the API Gateway configuration; if left empty, the account's default encryption key is used. The key can be set only at cluster deployment and cannot be changed afterward.
akeylessUserAuth.customerFragments | Value: a JSON document containing Customer Fragments (see the example below). A Customer Fragment is the component that enables Zero-Knowledge Encryption: the fragment never leaves your environment, so Akeyless cannot decrypt the protected data on its own.
existingSecret | Value: the name of a Kubernetes Secret. You can supply the essential authentication information from an existing Kubernetes Secret instead of putting it in values.yaml (which keeps credentials out of the Helm values). If you provide those values through the Secret, the corresponding parameters above must be left blank.
To add Customer Fragments to the Gateway, insert the following section into the values.yaml file (the JSON is a YAML block scalar, so it must stay indented under the key):
# Customer Fragment is a critical component that allows customers to use Zero-Knowledge Encryption.
# For more information: https://akeyless.readme.io/docs/implement-zero-trust
akeylessUserAuth:
  customerFragments: |
    {
      "customer_fragments": [
        {
          "id": "cf-xyzxyzxyzxyzxyzxyz",
          "value": "xxxxxxxxxxxxxxxxxxxxxx"
        }
      ]
    }
Installation
- To install the Gateway using the edited values.yaml file, run the following command from a shell where helm and kubectl are configured for the target cluster:
helm install akeyless-gw akeyless/akeyless-api-gateway -f values.yaml
- Check if the pods are up and running:
kubectl get pod
NAME READY STATUS RESTARTS AGE
akeyless-gw-akeyless-api-gateway-6554f7c66c-56fgs 1/1 Running 1 (5h2m ago) 5h15m
akeyless-gw-akeyless-api-gateway-6554f7c66c-7jt8r 1/1 Running 0 5h17m
- Verify the Gateway installation:
kubectl logs -f akeyless-gw-akeyless-api-gateway-6554f7c66c-56fgs
==================================================
_ _ _
__ _| | _____ _ _| | ___ ___ ___ (_) ___
/ _` | |/ / _ \ | | | |/ _ \/ __/ __| | |/ _ \
| (_| | < __/ |_| | | __/\__ \__ \_| | (_) |
\__,_|_|\_\___|\__, |_|\___||___/___(_)_|\___/
|___/
AKEYLESS gateway is up and running!
==================================================
...
Starting Akeyless configuration handler on port: 8000 protocol: http
Akeyless API Proxy started running on port 18888 protocol http
Cluster name: Test-Cluster, Access ID: p-XXXXXXXX
- Log in to the Gateway using your browser at http://Your-Akeyless-Gateway-URL:8000 with your Akeyless admin credentials. As the log line above shows, the configuration manager listens on plain HTTP on port 8000, so reach it only from the internal network or through the TLS-terminating ingress (NGINX Ingress with cert-manager, as noted above); never expose port 8000 directly to the internet.
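The installation and verification steps above can be scripted so that the pod status and the startup banner are checked rather than eyeballed. The script below is an added example, not part of the Akeyless documentation or the Helm chart: it uses the release name (akeyless-gw) and chart (akeyless/akeyless-api-gateway) from this page, assumes values.yaml has already been prepared as described, and takes the pod listing and log lines shown above as the expected shape of the output.

```shell
#!/bin/sh
# Added example (not from the Akeyless docs or chart): install the Gateway
# from the prepared values.yaml and verify the release the way the manual
# steps do: every pod Running and READY, and the startup banner plus both
# listener lines present in the logs. Run with "--run" on a cluster; without
# arguments only the check functions are defined (so they can be tested
# offline on captured output).
set -eu

RELEASE="${RELEASE:-akeyless-gw}"            # release name used on this page
CHART="akeyless/akeyless-api-gateway"         # chart name used on this page

# pods_all_ready: reads `kubectl get pod` output on stdin and succeeds only
# if at least one pod of the release was seen and every one of them is
# Running with all containers ready (READY column "n/n").
pods_all_ready() {
  seen=0
  ok=1
  while read -r name ready status rest; do
    [ "$name" = "NAME" ] && continue                 # skip the column header
    case "$name" in "$RELEASE"-*) ;; *) continue ;; esac
    seen=1
    have=${ready%/*}
    want=${ready#*/}
    if [ "$status" != "Running" ] || [ "$have" != "$want" ]; then
      ok=0
    fi
  done
  if [ "$seen" -eq 1 ] && [ "$ok" -eq 1 ]; then return 0; fi
  return 1
}

# gateway_banner_ok: reads `kubectl logs` output on stdin and succeeds when
# the "up and running" marker and both listener lines from this page appear.
gateway_banner_ok() {
  log=$(cat)
  for needle in 'AKEYLESS gateway is up and running!' \
                'configuration handler on port: 8000' \
                'API Proxy started running on port 18888'; do
    printf '%s\n' "$log" | grep -qF -- "$needle" || return 1
  done
  return 0
}

case "${1:-}" in
  --run)
    helm repo add akeyless https://akeylesslabs.github.io/helm-charts
    helm repo update
    helm install "$RELEASE" "$CHART" -f values.yaml
    # Poll for up to 5 minutes (30 x 10 s) instead of re-running kubectl by hand.
    i=0
    until kubectl get pod | pods_all_ready; do
      i=$((i + 1))
      [ "$i" -lt 30 ] || { echo "pods of $RELEASE not ready after 5 minutes" >&2; exit 1; }
      sleep 10
    done
    pod=$(kubectl get pod -o name | grep "^pod/$RELEASE-" | head -n 1)
    kubectl logs "$pod" | gateway_banner_ok || {
      echo "gateway startup banner not found in $pod logs" >&2; exit 1; }
    echo "Gateway $RELEASE is up; configuration manager on :8000 (reach it only via the internal network or TLS ingress)"
    ;;
esac
```

The two check functions read from stdin, so they work equally on live `kubectl` output and on saved output; a pod of another release in the same namespace is ignored, and a pod stuck in CrashLoopBackOff or with an unready container (READY 0/1) fails the check even though `helm install` itself returned success.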