Gateway Cache
Overview
When Gateway Cache is enabled, it works for all types of secrets.
The most straightforward use cases are the following:
-
The Gateway Cache is used to improve performance when fetching secrets.
-
The Proactive Cache enables storing all types of secrets in the Gateway Cache in advance upon successful user authentication.
Gateway Cache
To enable and configure the Gateway Cache:
-
Open the Akeyless Gateway Configuration Manager at
https://Your_Akeyless_Gateway_URL:8000
. -
On the menu bar at the left, click Caching.
-
Select the Enable Cache checkbox.
-
Set the Stale Timeout value. This is the time (in minutes) during which a secret should be kept in the cache. The secret is deleted from the cache at the end of this period. By default, cached secrets will expire after 60 minutes.
-
Click Save Changes.
Note
Usually, after the “Stale Timeout” period expires for a secret, the secret is deleted from the Gateway Cache.
When Proactive Caching is enabled and there is no internet connection, the Gateway Cache won’t delete old items until the internet connection is restored.
Proactive Gateway Cache
The Proactive Cache fetches from the Akeyless Cloud and stores in the Gateway Cache all secrets upon successful authentication (based on the user access policy).
For backup purposes, all those secrets are also saved in an encrypted storage file (~/tmp/cache.dat
).
You might consider working with persistence storage mounted to your instance for Docker deployments to ensure continuous work upon Gateway restart.
To enable and configure the Proactive Cache:
-
Open the Akeyless Gateway Configuration Manager at
https://Your_Akeyless_Gateway_URL:8000
. -
On the menu bar at the left, click Caching.
-
Select the Enable Proactive Caching checkbox.
-
Legacy Mode: Uncheck this option to upgrade the proactive cache to the new mode, which offers:
- Activation by the GW's Admin actions: When the Gateway starts, it will fetch and store the secrets in the cache, including the secret's RBAC information.
- Each pod has the same cache content: As the Gateway Admin is fetching the secrets, each pod running the Gateway will have the same secrets, regardless of whether you are using Redis.
- Note: Unlike Redis, where the pod starts with the cache already inside it, in the new proactive mode, the pod will start first, and then it will fetch the secrets and save them to the cache.
- Note: Unlike Redis, where the pod starts with the cache already inside it, in the new proactive mode, the pod will start first, and then it will fetch the secrets and save them to the cache.
- Secret values can be reused: As the Gateway's Admin fetches the secret, the secret will be stored in the cache only once and will be accessible to each identity with permission, rather than fetching the same secret repeatedly for different identities.
- The Secret's RBAC is fetched for each secret: Each secret item comes with its own set of permissions, which will be fetched to the Gateway along with the secrets.
- Note: To retrieve the Secret's Permissions, the Gateway's Admin must have List permissions for Auth-Methods and Roles, as well as Read permission for the secret intended to be saved in the cache.
- Activation by the GW's Admin actions: When the Gateway starts, it will fetch and store the secrets in the cache, including the secret's RBAC information.
Using Legacy Mode
Once you disable Legacy Mode, you won't be able to re-enable it.
- Set the Minimum Fetching Interval value. This setting instructs the system to update secrets in the cache if they are older than the specified value. By default, each secret kept in the cache for more than 5 minutes will be re-requested from the Akeyless Cloud or the local Gateway.
- Set the Secure Backup Interval value. This is the time (in minutes) between the two consecutive backups. By default, every minute, a snapshot with the current contents of the Gateway Cache is saved to the storage file.
- Optional, You can set the RBAC Fetching Interval by modifying the AKEYLESS_RRBAC_FETCHING_INTERVAL Environment Variable) which by default, is set to 1 hour.
- Click Save Changes.
Redis Cache
Redis can be used for better secrets caching.
Without Redis caching, if a pod crashes, the new pod starts empty. This means the pod will lack data on the previously fetched secrets and will need to fetch them again.
With Redis, if a pod crashes, the new pod starts with all the secrets already cached inside it, eliminating the need for fetching.
Redis Cache Configuration
The following steps are required to set up Redis Cache:
- Set a Redis server with a
password
- Set the following environment variables on your Gateway cluster:
CACHE_ENABLE
- set totrue
USE_CLUSTER_CACHE
- set totrue
REDIS_ADDR
- set the Redis hostname with port (i.e:localhost:6379
)REDIS_PASS
- set the Redis passwordCACHE_ENCRYPTION_KEY
- base64 encoded encryption key (i.e:R+jBj+VqBno5hM1PR3bGMYw5enpM6mmrJ8IYDqrbvq4=
)
Creating an Encryption Key
Run the following command to create 64 bytes
encryption key in base64 encoded
format:
openssl rand -base64 64
Using Redis Cache with akeyless-api-gateway helm chart
Run the following command to create a K8s secret:
kubectl create secret generic my-cache-enc-key \
--from-literal=cluster-cache-encryption-key="$(openssl rand -base64 64)"
Edit the following values in the values.yaml
file:
cachingConf
- Set the enabled
flag to true
clusterCache
- Set the enabled
flag to true
encryptionKeyExistingSecret
- Set the name of the secret that was created earlier my-cache-enc-key
Bypass Cache
When Cache is enabled by default, any client that requests a secret from the relevant Gateway will receive the latest cached value of the secret. To work directly with the Akeyless SaaS, to ensure you are retrieving the latest value of the secret, you can specify the ignore-cache
setting as part of the request to by-pass the cache mechanism :
akeyless get-secret-value -n /mysecret --ignore-cache true
Updated 3 days ago