K8s Gateway Installation & Configuration

Suggest Edits

Prerequisites

  1. An Akeyless Account (one can register an account using the Akeyless SaaS Console).

  2. An Authentication Method linked to this Akeyless Account (the default Authentication Method uses the email/password access method and has Superuser privileges in the Account). Make sure that it has the right access permissions to view and manage the secrets in the Gateway.

  3. A Linux or Windows Server instance (e.g. on a Virtual Machine) with the following components installed:

  1. The following ports need to be open on the server where you're installing the Gateway:
    • 8000
    • 18888
    • 8200
    • 8080
    • 8081
    • 5696

🚧

IMPORTANT

Make sure that this server is not accessible from the external network.

  1. For the Akeyless Gateway to function properly, you need to allow for public network connectivity to the Akeyless SaaS core services on your server.

Components to be Installed

Component

Port

Gateway Configuration Manager

8000

Gateway Console

18888

HVP

8200

Akeyless V1 Restful API

8080

Akeyless V2 Restful API

8081

KMIP Server

Key Management Interoperability Protocol server for encryption keys management.

5696

Initial Configuration

Akeyless Gateway can be deployed on a K8s cluster using the Helm package manager.

Akeyless provides an akeyless-gateway Helm chart to bootstrap the Gateway deployment. (This chart has been tested to work with the NGINX Ingress and the cert-manager.)

In the case of k8s deployment, the configuration process takes place before the actual installation. The configuration data is stored in the values.yaml file of the Akeyless Gateway deployment package.

To access the values.yaml file, follow the steps below.

  1. Add the following repository to your Helm repository list:
helm repo add akeyless https://akeylesslabs.github.io/helm-charts
helm repo update
  1. Fetch the values.yaml file from the Akeyless repository:
helm show values akeyless/akeyless-api-gateway > values.yaml
  1. Use your favorite text editor to modify the relevant parameter values in the values.yaml file:
vi values.yaml

Essential Configuration Parameters

Authentication Parameters

Parameter

Description

akeylessUserAuth.adminAccessId

Value: an API Key, an email, a Universal Identity (UID) ID, or a CSP IAM (aws_iam, azure_ad, gcp_gce).

This is a required parameter. If left empty, the Gateway will not authorize anyone to act as the Gateway Admin.

akeylessUserAuth.adminAccessKey

Value: the access key

The Access Key needs to match the Access ID.

akeylessUserAuth.adminPassword

Value: the password

This parameter is used if the email was provided as a value of the adminAccessId parameter.

akeylessUserAuth.adminUIDInitToken

Value: the initial Universal Identity token

This parameter is used if the Universal Identity ID was provided as a value of the adminAccessId parameter.

universalIdentity.uidRotationInterval

Default value: 5 minutes

Universal Identity token rotation interval in minutes.

universalIdentity.uidCreateChildTokenPerPod

Default value: disable
When enabled, allows the creation of child Universal Identity tokens.

akeylessUserAuth.allowedAccessIDs

Value: a list of allowed Access IDs from your account that can log into the Gateway Configuration Manager:

  • p-1111111 subClaimKey1=subClaimVal1
  • p-2222222 subClaimKey2=subClaimVal2
  • p-3333333 subClaimKey1=subClaimVal1
  • p-4444444

This parameter can also work with sub-claims (when a shared authentication method is used in the organization, e.g. SAML).

In this case, the Access ID belongs to the authentication method created for the certain Identity Provider.

If you don't specify the sub-claims, every user authenticated by this IDP will be able to log in to the Gateway with admin privileges.

akeylessUserAuth.clusterName

Value: a Gateway cluster name

This parameter allows for creating a Gateway instance with a custom Cluster Name instead of the default one (defaultCluster).

We recommend providing a meaningful name to your Gateway cluster.

akeylessUserAuth.initialClusterDisplayName

Value: a Gateway cluster display name

This parameter allows for creating a Gateway instance with a custom Display Name.

The Display Name replaces the cluster name in the Gateway Console.

akeylessUserAuth.configProtectionKeyName

Value: Akeyless Protection key name

This parameter holds the name of the key from the Akeyless Vault, which will be used to encrypt the API Gateway configuration.

If left empty, the account's default encryption key will be used.

This key can be provided only during the cluster deployment and cannot be modified afterward.

akeylessUserAuth.customerFragments

Value: a JSON containing Customer Fragments (see the example below)

This parameter holds a JSON with the Customer Fragments.

Customer Fragment is a critical component that allows customers to use Zero-Knowledge Encryption.

existingSecret

Value: the name of the Kubernetes secret

You can provide the essential authentication information using the existing secret in Kubernetes.

The secret may include:

  • admin-access-id
  • admin-access-key
  • admin-password
  • allowed-access-ids
  • customer-fragments

If you provide all those values using a secret, then the corresponding parameters above must be left blank.

To add Customer Fragments to the Gateway, insert the following section to the values.yaml file:

# Customer Fragment is a critical component that allow customers to use a Zero-Knowledge Encryption.
# For more information: https://akeyless.readme.io/docs/implement-zero-trust
customerFragments: |
  {
      "customer_fragments": [
          {
              "id": "cf-xyzxyzxyzxyzxyzxyz",
              "value": "xxxxxxxxxxxxxxxxxxxxxx"
          }
      ]
  }

Installation

  1. To install the Gateway using the edited values.yaml file, run the following command in the CLI of your OS:
helm install akeyless-gw akeyless/akeyless-api-gateway -f values.yaml
  1. Check if the pods are up and running:
kubectl get pod

NAME                                                READY   STATUS    RESTARTS       AGE
akeyless-gw-akeyless-api-gateway-6554f7c66c-56fgs   1/1     Running   1 (5h2m ago)   5h15m
akeyless-gw-akeyless-api-gateway-6554f7c66c-7jt8r   1/1     Running   0              5h17m
  1. Verify the Gateway installation:
kubectl logs -f akeyless-gw-akeyless-api-gateway-6554f7c66c-56fgs

==================================================
        _              _                 _
   __ _| | _____ _   _| | ___  ___ ___  (_) ___
  / _` | |/ / _ \ | | | |/ _ \/ __/ __| | |/ _ \
 | (_| |   <  __/ |_| | |  __/\__ \__ \_| | (_) |
  \__,_|_|\_\___|\__, |_|\___||___/___(_)_|\___/
                 |___/

      AKEYLESS gateway is up and running!
==================================================
...
Starting Akeyless configuration handler on port: 8000 protocol: http
Akeyless API Proxy started running on port 18888 protocol http 
Cluster name: Test-Cluster, Access ID: p-XXXXXXXX
  1. Log in to the Gateway using your browser: http://Your-Akeyless-Gateway-URL:8000 - and your Akeyless admin credentials.

Updated 4 days ago

What’s Next
Did this page help you?