-
Notifications
You must be signed in to change notification settings - Fork 544
Add Akeyless Secrets Store Component #4036
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
kgal-akl
wants to merge
20
commits into
dapr:main
Choose a base branch
from
akeylesslabs:add-akeyless-secretstore
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
+2,993
−0
Open
Changes from all commits
Commits
Show all changes
20 commits
Select commit
Hold shift + click to select a range
fc7b3d1
Add Akeyless Secrets Store Component
kgal-akl 07b2a96
rm dup func
kgal-akl 9a5ee65
cleaned up tests
kgal-akl a86ca40
handle nil response when auth
kgal-akl ae8999e
add gw tls conf
kgal-akl 109dc0a
set access type for auth request
kgal-akl 2f83dc8
align k8s auth conf parameters (encode jwt, trim v2 endpoint
kgal-akl cdc3f94
fix zero-value init of secret response
kgal-akl 5682fd3
added token refresh support
kgal-akl bb84293
readd akeyless dependencies
kgal-akl 704bb4c
Merge branch 'main' into add-akeyless-secretstore
kgal-akl 21d3ae2
implemented get component metadata in store
kgal-akl 91b9871
camelcase gw tls ca field
kgal-akl a63c83e
cont: camelcase gw tls ca field
kgal-akl ff08e2a
cont: camelcase gw tls ca field
kgal-akl e7ddc84
change default auth method
kgal-akl 45d562c
rm whitespace in go codeblock doc
kgal-akl 41db6f7
added 30s timeout to http client when using tls
kgal-akl c2e1b1c
check auth response output for token/expiration
kgal-akl 2598ccf
refactor to use helper for 401 retry
kgal-akl File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Some comments aren't visible on the classic Files Changed page.
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Large diffs are not rendered by default.
Oops, something went wrong.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,216 @@ | ||
| # Akeyless Secret Store | ||
|
|
||
| This component provides a Dapr secret store implementation for [Akeyless](https://www.akeyless.io/), a cloud-native secrets management platform. | ||
|
|
||
| ## Configuration | ||
|
|
||
| The Akeyless Dapr Secret Store component only supports the following [Authentication Methods](https://docs.akeyless.io/docs/access-and-authentication-methods): | ||
|
|
||
| - [API Key](https://docs.akeyless.io/docs/api-key) | ||
| - [OAuth2.0/JWT](https://docs.akeyless.io/docs/oauth20jwt) | ||
| - [AWS IAM](https://docs.akeyless.io/docs/aws-iam) | ||
| - [Kubernetes](https://docs.akeyless.io/docs/kubernetes-auth) | ||
|
|
||
| ### Authentication | ||
|
|
||
| The Akeyless secret store component supports the following configuration options: | ||
|
|
||
| | Field | Required | Description | Example | | ||
| |-------|----------|-------------|---------| | ||
| | `gatewayUrl` | No | The Akeyless Gateway API URL. Default is https://api.akeyless.io. | `https://gw.akeyless.svc.cluster.local:8000/api/v2` | | ||
| | `gatewayTlsCa` | No | The `base64`-encoded PEM certificate of the Akeyless Gateway. Use this when connecting to a gateway with a self-signed or custom CA certificate. The Akeyless client will be set to a 30 second timeout. | `LS0tLS1CRUdJTi...` | | ||
| | `accessId` | Yes | The Akeyless authentication access ID. | `p-123456780wm` | | ||
| | `jwt` | No | If using an OAuth2.0/JWT access ID, specify the JSON Web Token | `eyJ...` | | ||
| | `accessKey` | No | If using an API Key access ID, specify the API key | `ABCD123...=` | | ||
| | `k8sAuthConfigName` | No | If using the k8s auth method, specify the name of the k8s auth config. | `k8s-auth-config` | | ||
| | `k8sGatewayUrl` | No | The gateway URL that where the k8s auth config is located. | `http://gw.akeyless.svc.cluster.local:8000` | | ||
| | `k8sServiceAccountToken` | No | If using the k8s auth method, specify the service account token. If not specified, | ||
| we will try to read it from the default service account token file `/var/run/secrets/kubernetes.io/serviceaccount/token`. | `eyJ...` | | ||
|
|
||
|
|
||
|
|
||
| ## Examples | ||
|
|
||
| We currently support the following [Authentication Methods](https://docs.akeyless.io/docs/access-and-authentication-methods): | ||
|
|
||
|
|
||
| ## Examples | ||
|
|
||
| ## Example Configuration: API Key | ||
|
|
||
| ```yaml | ||
| apiVersion: dapr.io/v1alpha1 | ||
| kind: Component | ||
| metadata: | ||
| name: akeyless-secretstore | ||
| spec: | ||
| type: secretstores.akeyless | ||
| version: v1 | ||
| metadata: | ||
| - name: gatewayUrl | ||
| value: "https://your-gateway.akeyless.io" | ||
| - name: gatewayTlsCa | ||
| value: "LS0tLS1CRUdJTi...." | ||
| - name: accessId | ||
| value: "p-1234Abcdam" | ||
| - name: accessKey | ||
| value: "ABCD1233...=" | ||
| ``` | ||
|
|
||
|
|
||
| ## Example Configuration: JWT | ||
|
|
||
| ```yaml | ||
| apiVersion: dapr.io/v1alpha1 | ||
| kind: Component | ||
| metadata: | ||
| name: akeyless-secretstore | ||
| spec: | ||
| type: secretstores.akeyless | ||
| version: v1 | ||
| metadata: | ||
| - name: gatewayUrl | ||
| value: "http://unified.akeyless.svc.cluster.local:8000/api/v2" | ||
| - name: accessId | ||
| value: "p-1234Abcdom" | ||
| - name: jwt | ||
| value: "eyJ....." | ||
| ``` | ||
|
|
||
| ## Example Configuration: AWS IAM | ||
|
|
||
| ```yaml | ||
| apiVersion: dapr.io/v1alpha1 | ||
| kind: Component | ||
| metadata: | ||
| name: akeyless | ||
| spec: | ||
| type: secretstores.akeyless | ||
| version: v1 | ||
| metadata: | ||
| - name: gatewayUrl | ||
| value: "http://unified.akeyless.svc.cluster.local:8000/api/v2" | ||
| - name: accessId | ||
| value: "p-1234Abcdwm" | ||
| ``` | ||
|
|
||
| ## Example Configuration: Kubernetes | ||
|
|
||
| ```yaml | ||
| apiVersion: dapr.io/v1alpha1 | ||
| kind: Component | ||
| metadata: | ||
| name: akeyless | ||
| spec: | ||
| type: secretstores.akeyless | ||
| version: v1 | ||
| metadata: | ||
| - name: gatewayUrl | ||
| value: "http://unified.akeyless.svc.cluster.local:8000/api/v2" | ||
| - name: accessId | ||
| value: "p-1234Abcdkm" | ||
| - name: k8sAuthConfigName | ||
| value: "us-east-1-prod-akeyless-k8s-conf" | ||
| - name: k8sGatewayUrl | ||
| value: https://gw.akeyless.svc.cluster.local | ||
| ``` | ||
|
|
||
| ## Usage | ||
|
|
||
| Once configured, you can retrieve secrets using the Dapr secrets API: | ||
|
|
||
| ```bash | ||
| # Get a single secret | ||
| curl http://localhost:3500/v1.0/secrets/akeyless/my-secret | ||
|
|
||
| # Get all secrets (static, dynamic, rotated) from root (/) path | ||
| curl http://localhost:3500/v1.0/secrets/akeyless/bulk | ||
|
|
||
| # Get all secrets static secrets | ||
| curl http://localhost:3500/v1.0/secrets/akeyless/bulk?metadata.secrets_type=static | ||
|
|
||
| # Get all static and dynamic secrets from a specific path (/my/org) | ||
| curl http://localhost:3500/v1.0/secrets/akeyless/bulk?metadata.secrets_type=static,dynamic&metadata.path=/my/org | ||
| ``` | ||
|
|
||
| Or using the Dapr SDK. The example below retrieves all static secrets from path `/path/to/department`. | ||
| ```go | ||
| log.Println("Starting test application") | ||
| client, err := dapr.NewClient() | ||
| if err != nil { | ||
| log.Printf("Error creating Dapr client: %v\n", err) | ||
| panic(err) | ||
| } | ||
| log.Println("Dapr client created successfully") | ||
| const daprSecretStore = "akeyless" | ||
|
|
||
| defer client.Close() | ||
| ctx := context.Background() | ||
| akeylessBulkMetadata := map[string]string{ | ||
| "path": "/path/to/department", | ||
| "secrets_type": "static", | ||
| } | ||
| secrets, err := client.GetBulkSecret(ctx, daprSecretStore, akeylessBulkMetadata) | ||
| if err != nil { | ||
| log.Printf("Error fetching secrets: %v\n", err) | ||
| panic(err) | ||
| } | ||
| log.Printf("Found %d secrets: ", len(secrets)) | ||
| for secretName, secretValue := range secrets { | ||
| log.Printf("Secret: %s, Value: %s", secretName, secretValue) | ||
| } | ||
| ``` | ||
|
|
||
| ## Features | ||
|
|
||
| - Supports static, dynamic and rotated secrets. | ||
| - **GetSecret**: Retrieve an individual value secret by path. | ||
| - **BulkGetSecret**: Retrieve all secrets from a specified path (or `/` by default) recursively. | ||
|
|
||
| ## Response Formats | ||
|
|
||
| The Akeyless secret store returns different response formats depending on the secret type: | ||
|
|
||
| ### Static Secrets | ||
| Static secrets return their value directly as a string: | ||
|
|
||
| ```json | ||
| { | ||
| "my-static-secret": "secret-value" | ||
| } | ||
| ``` | ||
|
|
||
| ### Dynamic Secrets | ||
| Dynamic secrets return a JSON string containing the credentials. The exact structure depends on the target system: | ||
|
|
||
| **MySQL Dynamic Secret:** | ||
| ```json | ||
| { | ||
| "my-mysql-secret": "{\"user\":\"generated_username\",\"password\":\"generated_password\",\"ttl_in_minutes\":\"60\",\"id\":\"username\"}" | ||
| } | ||
| ``` | ||
|
|
||
| **Azure AD Dynamic Secret:** | ||
| ```json | ||
| { | ||
| "my-azure-secret": "{\"user\":{\"id\":\"user_id\",\"displayName\":\"user_name\",\"mail\":\"[email protected]\"},\"secret\":{\"keyId\":\"secret_key_id\",\"displayName\":\"secret_name\",\"tenantId\":\"tenant_id\"},\"ttl_in_minutes\":\"60\",\"id\":\"user_id\",\"msg\":\"User has been added successfully...\"}" | ||
| } | ||
| ``` | ||
|
|
||
| **GCP Dynamic Secret:** | ||
kgal-akl marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| ```json | ||
| { | ||
| "my-gcp-secret": "{\"encoded_key\":\"base64_encoded_service_account_key\",\"ttl_in_minutes\":\"60\",\"id\":\"service_account_name\"}" | ||
| } | ||
| ``` | ||
|
|
||
| ### Rotated Secrets | ||
| Rotated secrets return a JSON object containing all available fields: | ||
|
|
||
| ```json | ||
| { | ||
| "my-rotated-secret": "{\"value\":{\"username\":\"rotated_user\",\"password\":\"rotated_password\",\"application_id\":\"1234567890\"}}" | ||
| } | ||
| ``` | ||
|
|
||
| **Note:** The exact fields in dynamic and rotated secret responses vary by target system and configuration. Applications should parse the JSON string to extract the specific credentials they need. | ||
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.