Prerequisites
To begin, you should have kubectl installed.
The example below uses the Azure Kubernetes Service (AKS).
Create Azure AKS cluster
- Create an Azure AKS cluster with the --enable-managed-identity flag:
az login
az group create --name myResourceGroup --location westus2
az aks create -g myResourceGroup -n MyManagedCluster --enable-managed-identity
az aks get-credentials --resource-group myResourceGroup --name MyManagedCluster
For additional information, see:
https://docs.microsoft.com/en-us/azure/aks/use-managed-identity
Create secret with Akeyless Vault
- Generate two static secrets
For the sake of the example we'll generate the first one with the CLI:
$ akeyless create-secret --name my_k8s_secret --value my_k8s_secret
And the second one with the UI:


Create Azure Auth method
- Create an Azure Auth method (using your Azure Tenant ID):
Create role
- Create a role for the new azure-auth method:


Configuration file update
- Update the configuration file with the access id of your Azure auth method (the value must be quoted; unquoted braces are parsed as a YAML flow mapping):
git clone https://github.com/akeylesslabs/akeyless-secret-injection-helm.git
vi helm-chart/values.yaml
env:
  AKEYLESS_URL: "https://vault.akeyless.io"
  AKEYLESS_ACCESS_ID: "<your-azure-auth-method-access-id>"
  AKEYLESS_ACCESS_TYPE: "azure_ad"
- On the AKS cluster:
kubectl create namespace akeyless
helm install aks helm-chart --namespace akeyless -f ./helm-chart/values.yaml
kubectl create -f examples/pod.yaml
- examples/pod.yaml:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello-secrets
  template:
    metadata:
      labels:
        app: hello-secrets
      annotations:
        akeyless/enabled: "true"
    spec:
      containers:
      - name: alpine
        image: alpine
        command:
        - "sh"
        - "-c"
        - "echo $MY_SECRET && echo $MY_SECRET_2 && echo going to sleep... && sleep 10000"
        env:
        - name: MY_SECRET
          value: akeyless:my_k8s_secret
        - name: MY_SECRET_2
          value: akeyless:/k8s/my_k8s_secret2
Additional example (secrets written as files under /akeyless/secrets/ via the akeyless/inject_file annotation):
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-file
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello-secrets-2
  template:
    metadata:
      labels:
        app: hello-secrets-2
      annotations:
        akeyless/enabled: "true"
        akeyless/inject_file: "my_k8s_secret,k8s/my_k8s_secret2"
    spec:
      containers:
      - name: alpine
        image: alpine
        command:
        - "sh"
        - "-c"
        - "cat /akeyless/secrets/my_k8s_secret && cat /akeyless/secrets/k8s/my_k8s_secret2 && echo going to sleep... && sleep 10000"
Cleanup:
helm delete --namespace akeyless aks
kubectl delete -f examples/pod.yaml
kubectl delete namespace akeyless
Advanced Features
Zero Trust
Set in helm-chart/values.yaml, under env:
AKEYLESS_API_GW_URL: "https://your-api-gw-dns"
Configure File Location
If you choose to save the secrets in the pod's file system and wish to configure the location:
Set in helm-chart/values.yaml, under env:
AKEYLESS_SECRET_DIR_NAME: ""
The default is "/akeyless/secrets/".
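The two Deployment examples above reference secrets in two ways: env values prefixed with "akeyless:" and file names listed in the akeyless/inject_file annotation, written under the directory set by AKEYLESS_SECRET_DIR_NAME. The following is an added example, not part of the Helm chart, that audits a parsed manifest (for instance the dict returned by yaml.safe_load) and lists exactly which secrets the injector will fetch and where files will land, so the role attached to the auth method can be checked against that set before the Deployment is applied. The sample manifest is constructed from the page's examples; the function names are this example's own.

```python
DEFAULT_SECRET_DIR = "/akeyless/secrets/"  # page default for AKEYLESS_SECRET_DIR_NAME
ENV_PREFIX = "akeyless:"                   # marks an env value as a secret reference

def normalize(name):
    """Secret names are compared without surrounding whitespace or a leading slash
    (the page writes both 'akeyless:/k8s/x' and 'k8s/x' for the same secret)."""
    return name.strip().lstrip("/")

def audit_manifest(manifest, secret_dir=DEFAULT_SECRET_DIR):
    """Return {'enabled', 'env': {VAR: secret}, 'files': {secret: mount path}}."""
    tmpl = manifest["spec"]["template"]
    ann = tmpl.get("metadata", {}).get("annotations") or {}
    report = {"enabled": ann.get("akeyless/enabled") == "true", "env": {}, "files": {}}
    if not report["enabled"]:
        return report  # the injector ignores pods without the annotation
    for container in tmpl["spec"].get("containers", []):
        for var in container.get("env", []):
            val = var.get("value", "")
            if isinstance(val, str) and val.startswith(ENV_PREFIX):
                report["env"][var["name"]] = normalize(val[len(ENV_PREFIX):])
    for name in ann.get("akeyless/inject_file", "").split(","):
        name = normalize(name)
        if name:  # skip empty entries such as a trailing comma
            report["files"][name] = secret_dir.rstrip("/") + "/" + name
    return report

def required_secrets(report):
    """Sorted set of secret paths the auth method's role must be allowed to read."""
    return sorted(set(report["env"].values()) | set(report["files"]))

# Constructed sample combining both page examples (env references + file injection).
SAMPLE = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "test"},
    "spec": {"replicas": 1, "selector": {"matchLabels": {"app": "hello-secrets"}},
        "template": {
            "metadata": {"labels": {"app": "hello-secrets"},
                "annotations": {"akeyless/enabled": "true",
                    "akeyless/inject_file": "my_k8s_secret,k8s/my_k8s_secret2"}},
            "spec": {"containers": [{"name": "alpine", "image": "alpine",
                "env": [{"name": "MY_SECRET", "value": "akeyless:my_k8s_secret"},
                        {"name": "MY_SECRET_2", "value": "akeyless:/k8s/my_k8s_secret2"},
                        {"name": "PLAIN", "value": "not-a-secret"}]}]}}}}

if __name__ == "__main__":
    rep = audit_manifest(SAMPLE)
    print(rep)
    print("role must grant:", required_secrets(rep))
```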
Namespace/Pod granularity
Create main Auth-Methods with type "aws_iam" or "azure_ad".
For each namespace create:
- A new Auth Method (api-key type)
- A role associated with the new auth method, scoped to specific paths/secrets


- In the location of your choosing, create a secret with naming conventions: for pod use: , for namespace use:


- Set this secret value to be: <id..key> (zero-trust secret is recommended)


- Associate this secret to the main Auth-Methods
Set in helm-chart/values.yaml:
- AKEYLESS_ACCESS_ID - of the main Auth-Methods
- AKEYLESS_ACCESS_TYPE - of the main Auth-Methods
- AKEYLESS_POD_ACCESS_PATH / AKEYLESS_NAMESPACE_ACCESS_PATH - location of the access secrets
env:
  AKEYLESS_URL: "https://vault.akeyless.io"
  AKEYLESS_ACCESS_ID: "p-*********"
  AKEYLESS_ACCESS_TYPE: "aws_iam"
  AKEYLESS_API_GW_URL: "https://rest.akeyless-security.com" # or your-api-gw-url
  AKEYLESS_POD_ACCESS_PATH: "<location-to-access-secrets-per-pod-name>"
  AKEYLESS_NAMESPACE_ACCESS_PATH: "<location-to-access-secrets-per-namespace-name>"
- A namespace/pod without its own configuration inherits its permissions from the main auth method.
- A namespace/pod with its own configuration gets an access token valid for 5 minutes and can access only the secrets associated with the configured auth method.
Authentication Methods Configuration
Universal Identity
API-Gateway version
Make sure to use API-GW version 1.21.53 or higher.
Get the init token:
curl https://api-gw-url -d "cmd=configure&access-id=XXXX&access-key=XXXX"
Configure helm-chart/values.yaml:
AKEYLESS_ACCESS_TYPE: "universal_identity"
AKEYLESS_API_GW_URL: "https://api-gw-url"
AKEYLESS_INIT_TOKEN: "<token>"
Access-id & Access-key
AKEYLESS_URL: "https://vault.akeyless.io"
# to use api-gw add:
# AKEYLESS_API_GW_URL: "https://api-gw-url"
AKEYLESS_ACCESS_TYPE: "api_key"
AKEYLESS_API_KEY: "<acc_key>"
AKEYLESS_ACCESS_ID: "<acc_id>"
Azure Active Directory
AKEYLESS_URL: "https://vault.akeyless.io"
# to use api-gw add:
# AKEYLESS_API_GW_URL: "https://api-gw-url"
AKEYLESS_ACCESS_TYPE: "azure_ad"
AKEYLESS_ACCESS_ID: "<acc_id>"
# optional
# AKEYLESS_AZURE_OBJ_ID: "<za-obj-id>"
AWS-IAM
AKEYLESS_URL: "https://vault.akeyless.io"
# to use api-gw add:
# AKEYLESS_API_GW_URL: "https://api-gw-url"
AKEYLESS_ACCESS_TYPE: "aws_iam"
AKEYLESS_ACCESS_ID: "<acc_id>"