Gateway Cache

Overview

Suggest Edits

When Gateway Cache is enabled, it works for all types of secrets.

The most straightforward use cases are the following:

  • The Gateway Cache is used to improve performance when fetching secrets.

  • The Proactive Cache enables storing all types of secrets in the Gateway Cache in advance upon successful user authentication.

Gateway Cache

To enable and configure the Gateway Cache:

  1. Open the Akeyless Gateway Configuration Manager at https://Your_Akeyless_Gateway_URL:8000.

  2. On the menu bar at the left, click Caching.

  3. Select the Enable Cache checkbox.

  4. Set the Stale Timeout value. This is the time (in minutes) during which a secret should be kept in the cache. The secret is deleted from the cache at the end of this period. By default, cached secrets will expire after 60 minutes.

  5. Click Save Changes.

👍

Note

Usually, after the “Stale Timeout” period expires for a secret, the secret is deleted from the Gateway Cache.

When Proactive Caching is enabled and there is no internet connection, the Gateway Cache won’t delete old items until the internet connection is restored.

Proactive Gateway Cache

The Proactive Cache fetches from the Akeyless Cloud and stores in the Gateway Cache all secrets upon successful authentication (based on the user access policy).

For backup purposes, all those secrets are also saved in an encrypted storage file (~/tmp/cache.dat).

You might consider working with persistence storage mounted to your instance for Docker deployments to ensure continuous work upon Gateway restart.

To enable and configure the Proactive Cache:

  1. Open the Akeyless Gateway Configuration Manager at https://Your_Akeyless_Gateway_URL:8000.

  2. On the menu bar at the left, click Caching.

  3. Select the Enable Proactive Caching checkbox.

  4. Legacy Mode: Uncheck this option to upgrade the proactive cache to the new mode, which offers:

    • Activation by the GW's Admin actions: When the Gateway starts, it will fetch and store the secrets in the cache, including the secret's RBAC information.

    • Each pod has the same cache content: As the Gateway Admin is fetching the secrets, each pod running the Gateway will have the same secrets, regardless of whether you are using Redis.

      • Note: Unlike Redis, where the pod starts with the cache already inside it, in the new proactive mode, the pod will start first, and then it will fetch the secrets and save them to the cache.

    • Secret values can be reused: As the Gateway's Admin fetches the secret, the secret will be stored in the cache only once and will be accessible to each identity with permission, rather than fetching the same secret repeatedly for different identities.

    • The Secret's RBAC is fetched for each secret: Each secret item comes with its own set of permissions, which will be fetched to the Gateway along with the secrets.

      • Note: To retrieve the Secret's Permissions, the Gateway's Admin must have List permissions for Auth-Methods and Roles, as well as Read permission for the secret intended to be saved in the cache.

🚧

Using Legacy Mode

Once you disable Legacy Mode, you won't be able to re-enable it.

  1. Set the Minimum Fetching Interval value. This setting instructs the system to update secrets in the cache if they are older than the specified value. By default, each secret kept in the cache for more than 5 minutes will be re-requested from the Akeyless Cloud or the local Gateway.
  2. Set the Secure Backup Interval value. This is the time (in minutes) between the two consecutive backups. By default, every minute, a snapshot with the current contents of the Gateway Cache is saved to the storage file.
  3. Optional, You can set the RBAC Fetching Interval by modifying the AKEYLESS_RRBAC_FETCHING_INTERVAL Environment Variable) which by default, is set to 1 hour.
  4. Click Save Changes.

Redis Cache

Redis can be used for better secrets caching.

Without Redis caching, if a pod crashes, the new pod starts empty. This means the pod will lack data on the previously fetched secrets and will need to fetch them again.

With Redis, if a pod crashes, the new pod starts with all the secrets already cached inside it, eliminating the need for fetching.

Redis Cache Configuration

The following steps are required to set up Redis Cache:

  • Set a Redis server with a password
  • Set the following environment variables on your Gateway cluster:
    • CACHE_ENABLE - set to true
    • USE_CLUSTER_CACHE - set to true
    • REDIS_ADDR - set the Redis hostname with port (i.e: localhost:6379)
    • REDIS_PASS - set the Redis password
    • CACHE_ENCRYPTION_KEY - base64 encoded encryption key (i.e: R+jBj+VqBno5hM1PR3bGMYw5enpM6mmrJ8IYDqrbvq4=)

Creating an Encryption Key

Run the following command to create 64 bytes encryption key in base64 encoded format:

openssl rand -base64 64

Using Redis Cache with akeyless-api-gateway helm chart

Run the following command to create a K8s secret:

kubectl create secret generic my-cache-enc-key \
--from-literal=cluster-cache-encryption-key="$(openssl rand -base64 64)"

Edit the following values in the values.yaml file:

cachingConf - Set the enabled flag to true

clusterCache - Set the enabled flag to true

encryptionKeyExistingSecret - Set the name of the secret that was created earlier my-cache-enc-key

Bypass Cache

When Cache is enabled by default, any client that requests a secret from the relevant Gateway will receive the latest cached value of the secret. To work directly with the Akeyless SaaS, to ensure you are retrieving the latest value of the secret, you can specify the ignore-cache setting as part of the request to by-pass the cache mechanism : 

akeyless get-secret-value -n /mysecret --ignore-cache true

Updated 3 days ago