Akeyless
Akeyless Vault
External Secrets Operator integrates with Akeyless API.
Authentication
The API requires an access-id, an access-type and an access-type-param.
The supported auth methods and their parameters are:
| accessType | accessTypeParam |
|---|---|
| api_key | The access key. |
| k8s | The k8s configuration name |
| aws_iam | - |
| gcp | The gcp audience |
| azure_ad | Azure object id (optional) |
For more information, see the Akeyless documentation on authentication methods.
Akeyless credentials secret
Create a secret containing your credentials:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: akeylss-secret-creds
type: Opaque
stringData:
  accessId: "p-XXXX"
  accessType:  # k8s/aws_iam/gcp/azure_ad/api_key
  accessTypeParam:  # can be one of the following: k8s-conf-name/gcp-audience/azure-obj-id/access-key
```
Update secret store
Be sure the akeyless provider is listed in the Kind=SecretStore and that akeylessGWApiURL is set (default: "https://api.akeyless.io").
```yaml
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: akeyless-secret-store
spec:
  provider:
    akeyless:
      # URL of your akeyless API
      akeylessGWApiURL: "https://api.akeyless.io"
      authSecretRef:
        secretRef:
          accessID:
            name: akeylss-secret-creds
            key: accessId
          accessType:
            name: akeylss-secret-creds
            key: accessType
          accessTypeParam:
            name: akeylss-secret-creds
            key: accessTypeParam
```
For a ClusterSecretStore, be sure to add a namespace to each of accessID, accessType and accessTypeParam, pointing at the namespace where the credentials secret resides.
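A pre-apply consistency check for the wiring above, as an added example (it is not part of the External Secrets Operator project). It encodes the rules this page states: the accessType must be one of the supported methods and, except for aws_iam and azure_ad, carry an accessTypeParam; every authSecretRef entry in the store must resolve to a key that actually exists in the credentials Secret; a ClusterSecretStore must name a namespace on each ref; and the ExternalSecret must point at the store by kind and name. The three manifests are embedded as Python dicts mirroring the page's YAML (a real check would load them with a YAML parser), with a constructed placeholder for the access key.

```python
"""Consistency check for the Akeyless Secret / SecretStore / ExternalSecret wiring.

Added example, not operator code. Manifests mirror the page's YAML; credential values
are constructed placeholders.
"""
import copy

# accessType -> (accessTypeParam required?, what the param holds), per the table above.
SUPPORTED_ACCESS_TYPES = {
    "api_key": (True, "the access key"),
    "k8s": (True, "the k8s configuration name"),
    "aws_iam": (False, "not used"),
    "gcp": (True, "the gcp audience"),
    "azure_ad": (False, "azure object id (optional)"),
}

CREDS_SECRET = {  # constructed sample with api_key auth filled in
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "akeylss-secret-creds", "namespace": "default"},
    "stringData": {"accessId": "p-XXXX", "accessType": "api_key",
                   "accessTypeParam": "PLACEHOLDER-ACCESS-KEY"},
}

SECRET_STORE = {
    "apiVersion": "external-secrets.io/v1beta1", "kind": "SecretStore",
    "metadata": {"name": "akeyless-secret-store", "namespace": "default"},
    "spec": {"provider": {"akeyless": {
        "akeylessGWApiURL": "https://api.akeyless.io",
        "authSecretRef": {"secretRef": {
            "accessID": {"name": "akeylss-secret-creds", "key": "accessId"},
            "accessType": {"name": "akeylss-secret-creds", "key": "accessType"},
            "accessTypeParam": {"name": "akeylss-secret-creds", "key": "accessTypeParam"},
        }},
    }}},
}

EXTERNAL_SECRET = {
    "apiVersion": "external-secrets.io/v1beta1", "kind": "ExternalSecret",
    "metadata": {"name": "akeyless-external-secret-example", "namespace": "default"},
    "spec": {
        "refreshInterval": "1h",
        "secretStoreRef": {"kind": "SecretStore", "name": "akeyless-secret-store"},
        "target": {"name": "akeyless-secret-to-create", "creationPolicy": "Owner"},
        "data": [{"secretKey": "secretKey", "remoteRef": {"key": "secret-name"}}],
    },
}


def check_credentials(secret):
    """Validate the credentials Secret against the supported auth methods."""
    errors = []
    data = secret.get("stringData") or {}
    if not data.get("accessId"):
        errors.append("accessId is empty")
    access_type = data.get("accessType")
    if access_type not in SUPPORTED_ACCESS_TYPES:
        return errors + [f"accessType {access_type!r} not in {sorted(SUPPORTED_ACCESS_TYPES)}"]
    required, meaning = SUPPORTED_ACCESS_TYPES[access_type]
    if required and not data.get("accessTypeParam"):
        errors.append(f"accessType {access_type} needs accessTypeParam ({meaning})")
    return errors


def check_store(store, secrets):
    """Check every authSecretRef resolves; `secrets` maps (namespace, name) -> Secret."""
    errors = []
    is_cluster = store["kind"] == "ClusterSecretStore"
    akeyless = store["spec"]["provider"].get("akeyless")
    if akeyless is None:
        return ["provider.akeyless is missing from the store"]
    if not akeyless.get("akeylessGWApiURL", "https://api.akeyless.io").startswith("https://"):
        errors.append("akeylessGWApiURL must be an https:// URL")
    refs = akeyless.get("authSecretRef", {}).get("secretRef", {})
    for field in ("accessID", "accessType", "accessTypeParam"):
        ref = refs.get(field)
        if ref is None:
            errors.append(f"authSecretRef.secretRef.{field} is missing")
            continue
        # A ClusterSecretStore is not namespaced, so each ref must say where its Secret lives.
        ns = ref.get("namespace") or (None if is_cluster else store["metadata"].get("namespace"))
        if ns is None:
            errors.append(f"{field}: ClusterSecretStore refs need an explicit namespace")
            continue
        target = secrets.get((ns, ref.get("name")))
        if target is None:
            errors.append(f"{field}: Secret {ns}/{ref.get('name')} not found")
        elif ref.get("key") not in (target.get("stringData") or {}):
            errors.append(f"{field}: key {ref.get('key')!r} not in Secret {ns}/{ref['name']}")
    return errors


def check_external_secret(es, store):
    """Check the ExternalSecret points at this store and requests at least one value."""
    errors = []
    spec = es["spec"]
    ref = spec.get("secretStoreRef", {})
    if (ref.get("kind", "SecretStore"), ref.get("name")) != (store["kind"], store["metadata"]["name"]):
        errors.append("secretStoreRef does not match the store's kind/name")
    if not (spec.get("data") or spec.get("dataFrom")):
        errors.append("neither data nor dataFrom is set")
    for item in spec.get("data", []):
        if not item.get("secretKey") or not item.get("remoteRef", {}).get("key"):
            errors.append("each data item needs secretKey and remoteRef.key")
    return errors


def validate(creds=CREDS_SECRET, store=SECRET_STORE, es=EXTERNAL_SECRET):
    """Run all checks; returns a list of problems, empty when the wiring is consistent."""
    secrets = {(creds["metadata"].get("namespace"), creds["metadata"]["name"]): creds}
    return check_credentials(creds) + check_store(store, secrets) + check_external_secret(es, store)


if __name__ == "__main__":
    print(validate() or "OK: manifests are consistent")
    cluster = copy.deepcopy(SECRET_STORE)  # cluster-scoped variant with no namespaces on refs
    cluster["kind"] = "ClusterSecretStore"
    print(validate(store=cluster))
```

Run it before `kubectl apply`; a misspelt key name in the store (for example `accessID` pointing at a key the Secret does not have) is reported here instead of surfacing later as an authentication failure in the operator's status conditions.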
Creating external secret
To fetch a secret from Akeyless and store it as a Secret on the Kubernetes cluster, a Kind=ExternalSecret is needed.
```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: akeyless-external-secret-example
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: SecretStore
    name: akeyless-secret-store # Must match SecretStore on the cluster
  target:
    name: akeyless-secret-to-create # Name for the secret to be created on the cluster
    creationPolicy: Owner
  data:
    - secretKey: secretKey # Key given to the secret to be created on the cluster
      remoteRef:
        key: secret-name # Full path of the secret on Akeyless
```
Using DataFrom
DataFrom can be used to fetch a secret whose value is a JSON string and attempt to parse it; each top-level key of the JSON object becomes a key of the created Kubernetes Secret.
```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: akeyless-external-secret-example-json
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: SecretStore
    name: akeyless-secret-store # Must match SecretStore on the cluster
  target:
    name: akeyless-secret-to-create-json # Name for the secret to be created on the cluster
    creationPolicy: Owner
  # for json formatted secrets: each key in the json will be used as the secret key in the SECRET k8s target object
  dataFrom:
  - extract:
      key: secret-name # Full path of the secret on Akeyless
```
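The mapping the dataFrom comment describes, worked through as an added example that models the behaviour rather than reproducing the operator's own code: a JSON-object secret value becomes one Secret key per top-level JSON key, and the cases that do not fit (a value that is not JSON, a JSON array, a key that is not a legal Secret data key) are rejected so they can be diagnosed before a sync fails. `RAW_SECRET` is a constructed sample, not a real Akeyless secret; the handling of non-string JSON values (re-serialised as compact JSON text, since Secret data values must be strings) is an assumption of this model.

```python
"""Model of how a dataFrom/extract JSON secret maps onto Kubernetes Secret data.

Added example, not operator code. RAW_SECRET is a constructed sample value.
"""
import base64
import json
import re

# Kubernetes Secret data keys may only contain alphanumerics, '-', '_' and '.'.
VALID_KEY = re.compile(r"^[-._a-zA-Z0-9]+$")

RAW_SECRET = '{"username": "app", "password": "PLACEHOLDER", "port": 5432, "tls": {"verify": true}}'


def extract_secret_map(raw):
    """Turn a JSON-object secret value into {key: string value}.

    Strings are kept as-is; other JSON values are re-serialised as compact JSON text
    (assumption of this model). Invalid JSON, a non-object document or an illegal
    Secret key raises ValueError, which is the kind of input a dataFrom extract cannot sync.
    """
    try:
        parsed = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"value is not JSON: {exc.msg}") from None
    if not isinstance(parsed, dict):
        raise ValueError("value is JSON but not an object; use spec.data with a secretKey instead")
    out = {}
    for key, value in parsed.items():
        if not VALID_KEY.match(key):
            raise ValueError(f"{key!r} is not a valid Secret data key")
        out[key] = value if isinstance(value, str) else json.dumps(value, separators=(",", ":"))
    return out


def to_secret_data(mapping):
    """Base64-encode values the way they appear under .data of a Kubernetes Secret."""
    return {k: base64.b64encode(v.encode()).decode() for k, v in mapping.items()}


if __name__ == "__main__":
    mapped = extract_secret_map(RAW_SECRET)
    print(mapped)
    print(to_secret_data(mapped))
    for bad in ("not json at all", '["a", "b"]', '{"bad key!": "x"}'):
        try:
            extract_secret_map(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

The practical consequence: a plain-string secret (a single password, a token) belongs under `data` with a `secretKey`, not under `dataFrom`, and a JSON secret whose keys are not valid Secret data keys will not sync cleanly.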
Getting the Kubernetes secret
The operator will fetch the secret and inject it as a Kind=Secret.
```shell
kubectl get secret akeyless-secret-to-create -o jsonpath='{.data.secretKey}' | base64 -d
kubectl get secret akeyless-secret-to-create-json -o jsonpath='{.data}'
```