align k8s auth conf parameters (encode jwt, trim v2 endpoint

Signed-off-by: Kobbi Gal <[email protected]>

Author: kgal-akl

secretstores/akeyless/README.md

@@ -17,15 +17,15 @@ The Akeyless secret store component supports the following configuration options
 
 | Field | Required | Description | Example |
 |-------|----------|-------------|---------|
-| `gatewayUrl` | No | The Akeyless Gateway URL. Default is https://api.akeyless.io. | `https://your-gateway.akeyless.io` |
+| `gatewayUrl` | No | The Akeyless Gateway API URL. Default is https://api.akeyless.io. | `https://gw.akeyless.svc.cluster.local:8000/api/v2` |
 | `gatewayTLSCA` | No | The `base64`-encoded PEM certificate of the Akeyless Gateway. Use this when connecting to a gateway with a self-signed or custom CA certificate. | `LS0tLS1CRUdJTi...` |
 | `accessId` | Yes | The Akeyless authentication access ID. | `p-123456780wm` |
 | `jwt` | No | If using an OAuth2.0/JWT access ID, specify the JSON Web Token | `eyJ...` |
 | `accessKey` | No | If using an API Key access ID, specify the API key | `ABCD123...=` |
 | `k8sAuthConfigName` | No | If using the k8s auth method, specify the name of the k8s auth config. | `k8s-auth-config` |
 | `k8sGatewayUrl` | No | The gateway URL that where the k8s auth config is located. | `http://gw.akeyless.svc.cluster.local:8000` |
 | `k8sServiceAccountToken` | No | If using the k8s auth method, specify the service account token. If not specified,
-      we will try to read it from the default service account token file. | `eyJ...` |
+      we will try to read it from the default service account token file `/var/run/secrets/kubernetes.io/serviceaccount/token`. | `eyJ...` |
 
 
 
@@ -108,7 +108,7 @@ spec:
   - name: gatewayUrl
     value: "http://unified.akeyless.svc.cluster.local:8000/api/v2"
   - name: accessId
-    value: "p-1234Abcdwm"
+    value: "p-1234Abcdkm"
   - name: k8sAuthConfigName
     value: "us-east-1-prod-akeyless-k8s-conf"
   - name: k8sGatewayUrl

secretstores/akeyless/utils.go

@@ -209,12 +209,20 @@ func setK8SAuthConfiguration(metadata akeylessMetadata, authRequest *akeyless.Au
 		}
 		metadata.K8sServiceAccountToken = string(token)
 	}
+
+	// base64 encode the token if it's not already encoded
+	if _, err := base64.StdEncoding.DecodeString(metadata.K8sServiceAccountToken); err != nil {
+		a.logger.Info("k8sServiceAccountToken is not base64 encoded, encoding it...")
+		metadata.K8sServiceAccountToken = base64.StdEncoding.EncodeToString([]byte(metadata.K8sServiceAccountToken))
+	}
+	authRequest.SetK8sServiceAccountToken(metadata.K8sServiceAccountToken)
+
 	if metadata.K8SGatewayURL == "" {
 		a.logger.Debug("k8s gateway url is missing, using gatewayUrl")
 		metadata.K8SGatewayURL = metadata.GatewayURL
 	}
+	metadata.K8SGatewayURL = strings.TrimSuffix(metadata.K8SGatewayURL, "/api/v2")
 	authRequest.SetGatewayUrl(metadata.K8SGatewayURL)
-	authRequest.SetK8sServiceAccountToken(metadata.K8sServiceAccountToken)
 	return nil
 }