add gw tls conf

Signed-off-by: Kobbi Gal <[email protected]>

Author: kgal-akl

secretstores/akeyless/README.md

@@ -18,6 +18,7 @@ The Akeyless secret store component supports the following configuration options
 | Field | Required | Description | Example |
 |-------|----------|-------------|---------|
 | `gatewayUrl` | No | The Akeyless Gateway URL. Default is https://api.akeyless.io. | `https://your-gateway.akeyless.io` |
+| `gatewayTLSCA` | No | The `base64`-encoded PEM certificate of the Akeyless Gateway. Use this when connecting to a gateway with a self-signed or custom CA certificate. | `LS0tLS1CRUdJTi...` |
 | `accessId` | Yes | The Akeyless authentication access ID. | `p-123456780wm` |
 | `jwt` | No | If using an OAuth2.0/JWT access ID, specify the JSON Web Token | `eyJ...` |
 | `accessKey` | No | If using an API Key access ID, specify the API key | `ABCD123...=` |
@@ -48,6 +49,8 @@ spec:
   metadata:
   - name: gatewayUrl
     value: "https://your-gateway.akeyless.io"
+  - name: gatewayTLSCA
+    value: "LS0tLS1CRUdJTi...."
   - name: accessId
     value: "p-1234Abcdam"
   - name: accessKey
@@ -67,7 +70,7 @@ spec:
   version: v1
   metadata:
   - name: gatewayUrl
-    value: "https://your-gateway.akeyless.io"
+    value: "http://unified.akeyless.svc.cluster.local:8000/api/v2"
   - name: accessId
     value: "p-1234Abcdom"
   - name: jwt
@@ -86,7 +89,7 @@ spec:
   version: v1
   metadata:
   - name: gatewayUrl
-    value: "https://your-gateway.akeyless.io"
+    value: "http://unified.akeyless.svc.cluster.local:8000/api/v2"
   - name: accessId
     value: "p-1234Abcdwm"
 ```
@@ -103,7 +106,7 @@ spec:
   version: v1
   metadata:
   - name: gatewayUrl
-    value: "https://gw.akeyless.svc.cluster.local"
+    value: "http://unified.akeyless.svc.cluster.local:8000/api/v2"
   - name: accessId
     value: "p-1234Abcdwm"
   - name: k8sAuthConfigName

secretstores/akeyless/akeyless.go

@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"net/http"
 	"net/url"
 	"strings"
 	"sync"
@@ -36,6 +37,7 @@ func NewAkeylessSecretStore(logger logger.Logger) secretstores.SecretStore {
 // akeylessMetadata contains the metadata for the Akeyless secret store.
 type akeylessMetadata struct {
 	GatewayURL             string `json:"gatewayUrl" mapstructure:"gatewayUrl"`
+	GatewayTLSCA           string `json:"gatewayTLSCA" mapstructure:"gatewayTLSCA"`
 	JWT                    string `json:"jwt" mapstructure:"jwt"`
 	AccessID               string `json:"accessId" mapstructure:"accessId"`
 	AccessKey              string `json:"accessKey" mapstructure:"accessKey"`
@@ -120,6 +122,22 @@ func (a *akeylessSecretStore) authenticate(ctx context.Context, metadata *akeyle
 	config.UserAgent = USER_AGENT
 	config.AddDefaultHeader(CLIENT_SOURCE, USER_AGENT)
 
+	// Configure TLS if gatewayTLSCA is provided
+	if metadata.GatewayTLSCA != "" {
+		a.logger.Debug("configuring TLS for Akeyless client...")
+		tlsConfig, err := createTLSConfig(metadata.GatewayTLSCA)
+		if err != nil {
+			return errors.New("failed to create TLS configuration: " + err.Error())
+		}
+
+		httpClient := &http.Client{
+			Transport: &http.Transport{
+				TLSClientConfig: tlsConfig,
+			},
+		}
+		config.HTTPClient = httpClient
+	}
+
 	a.v2 = akeyless.NewAPIClient(config).V2Api
 
 	a.logger.Debug("authenticating with Akeyless...")

secretstores/akeyless/metadata.yaml

@@ -16,6 +16,14 @@ metadata:
     default: "https://api.akeyless.io"
     example: "https://your.akeyless.gw"
     type: string
+  - name: gatewayTLSCA
+    required: false
+    description: |
+      base64-encoded PEM certificate of the Akeyless Gateway. Use this when connecting to a gateway
+      with a self-signed or custom CA certificate. 
+    example: "LS0tLS1CRUdJTi..."
+    type: string
+    sensitive: true
   - name: accessId
     required: true
     description: |

secretstores/akeyless/utils.go

@@ -1,7 +1,11 @@
 package akeyless
 
 import (
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/base64"
 	"encoding/json"
+	"encoding/pem"
 	"errors"
 	"fmt"
 	"os"
@@ -264,3 +268,29 @@ func parseSecretTypes(secretTypes string) ([]string, error) {
 
 	return unique, nil
 }
+
+func createTLSConfig(gatewayTLSCA string) (*tls.Config, error) {
+
+	// Decode base64 to PEM
+	certBytes, err := base64.StdEncoding.DecodeString(gatewayTLSCA)
+	if err != nil {
+		return nil, fmt.Errorf("failed to decode base64-encoded gateway TLS CA: %w", err)
+	}
+
+	// Validate PEM format
+	block, _ := pem.Decode(certBytes)
+	if block == nil {
+		return nil, fmt.Errorf("failed to decode PEM certificate: invalid PEM format")
+	}
+
+	// Cereate cert pool and add certificate
+	caCertPool := x509.NewCertPool()
+	if !caCertPool.AppendCertsFromPEM(certBytes) {
+		return nil, errors.New("failed to add certificate to cert pool")
+	}
+
+	return &tls.Config{
+		MinVersion: tls.VersionTLS12,
+		RootCAs:    caCertPool,
+	}, nil
+}