Using the onprem gateway

[rleffd]

Hello,

I'm trying to use the onprem gateway rather than the public endpoint. Our local gateway has some default rules that are used to encrypt secrets, auth config etc with a local encryption key (DFC).

If I configure the provider to use https://api.akeyless.io I can't encrypt by default the secrets and other resources with the custom DFC key, and I can't create auth config :

command is not available on public gateway 'gateway-create-k8s-auth-config'

If I use the onprem gateway, there is an authentication error (same access_id/access_key):

"ERR! access-id or email must be provided"

How can I use the local gateway for all resources ? Is there a miss configuration on the local gateway ?

Thanks for your help.

[elijah-roberts]

I am also experiencing this issue.

# Akeyless

terraform {
  required_providers {
    akeyless = {
      source = "akeyless-community/akeyless"
      version = ">= 1.0.0"
    }
  }
}

provider "akeyless" {
  api_gateway_address = <private gatway>
    api_key_login {
    access_id  = "redacted"
    access_key = "redacted"
  }
}

resource "akeyless_auth_method_k8s" "k8s" {
  name = "/tests/ns-${local.name}-ie-primary-${local.project_id}"
  bound_namespaces = [kubernetes_namespace.main.metadata[0].name]

}

resource "akeyless_k8s_auth_config" "k8s" {
  access_id = akeyless_auth_method_k8s.k8s.access_id
  name      = akeyless_auth_method_k8s.k8s.name

  k8s_ca_cert = data.google_container_cluster.gke_cluster.master_auth[0].cluster_ca_certificate
  k8s_host = "https://${data.google_container_cluster.gke_cluster.private_cluster_config[0].private_endpoint}"
  token_reviewer_jwt = kubernetes_secret_v1.akeyless_gateway_token_reviewer_token.data["token"]
  k8s_issuer = "https://container.googleapis.com/v1/projects/${local.project_id}/locations/${local.location}/clusters/${local.cluster_name}"
  signing_key = akeyless_auth_method_k8s.k8s.private_key
}

# Contextual components that are not a part of the issue

locals {
  name = "secret-store-akeyless"
  project_id = "redacted"
  cluster_name = "redacted"
  location = "us-east1"
}

resource "kubernetes_namespace" "main" {
  metadata {
    name        = local.name
  }
}

resource "kubernetes_service_account_v1" "akeyless_gateway_token_reviewer" {
  metadata {
    name      = "akeyless-${kubernetes_namespace.main.metadata[0].name}-secretstore"
    namespace = kubernetes_namespace.main.metadata[0].name
  }
}

resource "kubernetes_cluster_role_binding_v1" "akeyless_role_tokenreview_binding" {
  metadata {
    name = "akeyless-${kubernetes_namespace.main.metadata[0].name}-secretstore-binding"
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "system:auth-delegator"
  }

  subject {
    kind      = "ServiceAccount"
    name      = kubernetes_service_account_v1.akeyless_gateway_token_reviewer.metadata[0].name
    namespace = kubernetes_namespace.main.metadata[0].name
  }
}

resource "kubernetes_secret_v1" "akeyless_gateway_token_reviewer_token" {
  metadata {
    name      = "akeyless-${kubernetes_namespace.main.metadata[0].name}-secretstore-token"
    namespace = kubernetes_namespace.main.metadata[0].name
    annotations = {
      "kubernetes.io/service-account.name" = kubernetes_service_account_v1.akeyless_gateway_token_reviewer.metadata[0].name
    }
  }

  type = "kubernetes.io/service-account-token"
}

data "google_container_cluster" "gke_cluster" {
  name     = local.cluster_name
  location = local.location
  project  = local.project_id
}

I get this error:

I suspect that it has to do with the call made here in the provider: https://github.com/akeyless-community/terraform-provider-akeyless/blob/master/akeyless/provider.go#L356

[elijah-roberts]

Following up on this issue.

I ended up resolving by updating my provider config as follows:

provider "akeyless" {
 api_key_login {
   access_id  = "redacted"
   access_key = "redacted"
 }

  api_gateway_address = "https://<private gateway endpoint>/v2"
}