The Akeyless Dev Hub


How to: Provision Secret to your K8s

Prerequisites

To begin, you should have kubectl installed.
The example below uses Azure Kubernetes Service (AKS).

Create Azure AKS cluster

  1. Create an Azure AKS cluster with the --enable-managed-identity flag:
az login
az group create --name myResourceGroup --location westus2
az aks create -g myResourceGroup -n MyManagedCluster --enable-managed-identity 
az aks get-credentials --resource-group myResourceGroup --name MyManagedCluster

📘 For additional information, see https://docs.microsoft.com/en-us/azure/aks/use-managed-identity

Create secret with Akeyless Vault

  1. Generate two static secrets.
    For the sake of the example, we'll generate the first one (my_k8s_secret) with the CLI:
$ akeyless create-secret --name my_k8s_secret --value my_k8s_secret

And the second one (/k8s/my_k8s_secret2, the path referenced by the pod manifest further down) with the UI:

Create Azure Auth method

  1. Create an Azure Auth method (using your Azure Tenant ID):

Create role

  1. Create a role for the new azure-auth method:

Configuration file update

  1. Update the configuration file with the access id of your Azure auth method:
git clone https://github.com/akeylesslabs/akeyless-secret-injection-helm.git
vi helm-chart/values.yaml

env:
  AKEYLESS_URL: "https://vault.akeyless.io"
  AKEYLESS_ACCESS_ID: "<your azure auth method access id>"
  AKEYLESS_ACCESS_TYPE: "azure_ad"
  2. In the AKS cluster:
kubectl create namespace akeyless
helm install aks helm-chart --namespace akeyless  -f ./helm-chart/values.yaml
kubectl create -f examples/pod.yaml
  3. examples/pod.yaml:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello-secrets
  template:
    metadata:
      labels:
        app: hello-secrets
      annotations:
        akeyless/enabled: "true"
    spec:
      containers:
      - name: alpine
        image: alpine
        command:
          - "sh"
          - "-c"
          - "echo $MY_SECRET && echo $MY_SECRET_2 && echo going to sleep... && sleep 10000"
        env:
        - name:  MY_SECRET
          value: akeyless:my_k8s_secret
        - name:  MY_SECRET_2
          value: akeyless:/k8s/my_k8s_secret2

Additional example:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-file
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello-secrets-2
  template:
    metadata:
      labels:
        app: hello-secrets-2
      annotations:
        akeyless/enabled: "true"
        akeyless/inject_file: "my_k8s_secret,k8s/my_k8s_secret2"
    spec:
      containers:
      - name: alpine
        image: alpine
        command:
          - "sh"
          - "-c"
          - "cat /akeyless/secrets/my_k8s_secret && cat /akeyless/secrets/k8s/my_k8s_secret2 && echo going to sleep... && sleep 10000"
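As an added audit helper (not the page's or the Akeyless chart's own code): it reads a Deployment the way `kubectl get deploy -o json` returns it and lists every secret path the injector is asked for, via `akeyless:` env values and the `akeyless/inject_file` annotation, then flags paths the role bound to the auth method does not grant. The two dicts are constructed copies of the page's Deployments; the allowed-path list is an assumed role scope.

```python
# Added example, not part of the Akeyless docs or helm chart.
from typing import Dict, List

ENV_PREFIX = "akeyless:"
ENABLED_ANNOTATION = "akeyless/enabled"
FILE_ANNOTATION = "akeyless/inject_file"


def _normalize(path: str) -> str:
    # The page references secrets both as "my_k8s_secret" and "/k8s/my_k8s_secret2";
    # compare them in one canonical, slash-prefixed form.
    return "/" + path.strip().lstrip("/")


def referenced_secret_paths(deployment: dict) -> Dict[str, List[str]]:
    """Secret paths requested via env values ("env") and inject_file ("file").
    Both lists are empty unless the pod template carries akeyless/enabled: "true",
    since the injector leaves such pods untouched."""
    template = deployment.get("spec", {}).get("template", {})
    annotations = template.get("metadata", {}).get("annotations", {}) or {}
    if str(annotations.get(ENABLED_ANNOTATION, "")).lower() != "true":
        return {"env": [], "file": []}
    env_paths = []
    for container in template.get("spec", {}).get("containers", []) or []:
        for var in container.get("env", []) or []:
            value = str(var.get("value", ""))
            if value.startswith(ENV_PREFIX):
                env_paths.append(_normalize(value[len(ENV_PREFIX):]))
    raw = annotations.get(FILE_ANNOTATION, "")
    file_paths = [_normalize(p) for p in raw.split(",") if p.strip()]
    return {"env": env_paths, "file": file_paths}


def out_of_scope(deployment: dict, allowed_paths: List[str]) -> List[str]:
    """Paths the Deployment references that the role (assumed scope) does not grant."""
    allowed = {_normalize(p) for p in allowed_paths}
    refs = referenced_secret_paths(deployment)
    return sorted(set(refs["env"] + refs["file"]) - allowed)


# Constructed input mirroring the page's two Deployments (pod template only).
DEPLOY_ENV = {"spec": {"template": {
    "metadata": {"annotations": {"akeyless/enabled": "true"}},
    "spec": {"containers": [{"name": "alpine", "env": [
        {"name": "MY_SECRET", "value": "akeyless:my_k8s_secret"},
        {"name": "MY_SECRET_2", "value": "akeyless:/k8s/my_k8s_secret2"}]}]}}}}
DEPLOY_FILE = {"spec": {"template": {
    "metadata": {"annotations": {"akeyless/enabled": "true",
                                 "akeyless/inject_file": "my_k8s_secret,k8s/my_k8s_secret2"}},
    "spec": {"containers": [{"name": "alpine"}]}}}}

if __name__ == "__main__":
    print(referenced_secret_paths(DEPLOY_ENV))
    print(out_of_scope(DEPLOY_FILE, ["/my_k8s_secret"]))  # assumed role grants one path
```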

Cleanup:

helm delete --namespace akeyless aks
kubectl delete -f examples/pod.yaml
kubectl delete namespace akeyless

Advanced Features

Zero Trust
Set in helm-chart/values.yaml, under env:

AKEYLESS_API_GW_URL: "https://your-api-gw-dns"

Configure File Location
If you choose to save the secrets in the pod's file system and wish to configure the location, set in helm-chart/values.yaml, under env:

AKEYLESS_SECRET_DIR_NAME: ""

The default is "/akeyless/secrets/".

Namespace/Pod granularity
Create the main Auth Method with type "aws_iam" or "azure_ad".
For each namespace (or pod) create:

  1. A new Auth Method (api-key type)
  2. Create/associate a role with the new auth method, scoped to the specific path/secrets
  3. In the location of your choosing, create a secret with the naming conventions: for pod use: , for namespace use:
  4. Set this secret value to be: <id..key> (a zero-trust secret is recommended)
  5. Associate this secret with the main Auth Method
    Set in helm-chart/values.yaml:
  • AKEYLESS_ACCESS_ID - of the main Auth Method
  • AKEYLESS_ACCESS_TYPE - of the main Auth Method
  • AKEYLESS_POD_ACCESS_PATH / AKEYLESS_NAMESPACE_ACCESS_PATH - location of the access secrets (see the example env below)
env:
  AKEYLESS_URL: "https://vault.akeyless.io"
  AKEYLESS_ACCESS_ID: "p-*********"
  AKEYLESS_ACCESS_TYPE: "aws_iam"

  AKEYLESS_API_GW_URL: "https://rest.akeyless-security.com" #or your-api-gw-url
  AKEYLESS_POD_ACCESS_PATH: "<location-to-access-secrets-per-pod-name>"
  AKEYLESS_NAMESPACE_ACCESS_PATH: "<location-to-access-secrets-per-namespace-name>"
  • A namespace/pod without configuration will inherit its permissions from the main auth method
  • A namespace/pod with configuration will get an access token valid for 5 min and will be able to access only the secrets associated with the configured auth method

Authentication Methods Configuration

Universal Identity

📘 API-Gateway version: make sure to use API-GW version 1.21.53 or higher.

Get init token:

curl https://api-gw-url -d "cmd=configure&access-id=XXXX&access-key=XXXX"

Configure helm-chart/values.yaml:

AKEYLESS_ACCESS_TYPE: "universal_identity"
AKEYLESS_API_GW_URL: "https://api-gw-url" 
AKEYLESS_INIT_TOKEN: "<token>"

Access-id & Access-key

AKEYLESS_URL: "https://vault.akeyless.io"
# to use api-gw add:
# AKEYLESS_API_GW_URL: "https://api-gw-url" 
AKEYLESS_ACCESS_TYPE: "api_key"
AKEYLESS_API_KEY: "<acc_key>"
AKEYLESS_ACCESS_ID: "<acc_id>"

Azure Active Directory

AKEYLESS_URL: "https://vault.akeyless.io"
# to use api-gw add:
# AKEYLESS_API_GW_URL: "https://api-gw-url" 
AKEYLESS_ACCESS_TYPE: "azure_ad"
AKEYLESS_ACCESS_ID: "<acc_id>"
# optional
# AKEYLESS_AZURE_OBJ_ID: "<za-obj-id>"

AWS-IAM

AKEYLESS_URL: "https://vault.akeyless.io"
# to use api-gw add:
# AKEYLESS_API_GW_URL: "https://api-gw-url" 
AKEYLESS_ACCESS_TYPE: "aws_iam"
AKEYLESS_ACCESS_ID: "<acc_id>"

Updated 4 months ago
