Merge remote-tracking branch 'origin/candidate-9.14.x' into candidate-10.0.x

ghalliday · ghalliday · commit 22bc280ec740 · 2026-03-02T17:14:40.000Z
Signed-off-by: Gavin Halliday &lt;gavin.halliday@lexisnexis.com&gt;

# Conflicts:
#	helm/hpcc/Chart.yaml
#	helm/hpcc/templates/_helpers.tpl
#	version.cmake
diff --git a/docs/EN_US/ContainerizedHPCC/ContainerizedMods/CustomConfig.xml b/docs/EN_US/ContainerizedHPCC/ContainerizedMods/CustomConfig.xml
@@ -1478,6 +1478,30 @@ thor: []
         credentials.</para>
       </sect3>
 
+      <sect3 id="Deploying_AkeylessVault">
+        <title>Deploy the Akeyless Vaultless Platform</title>
+
+        <para>To use Akeyless, set the vault type to <emphasis>akeyless</emphasis>
+        and the kind to <emphasis>akeyless</emphasis>. The URL should point to
+        the Akeyless API endpoint or your gateway. Provide an access ID and
+        access key, typically from environment variables or a secure secret.
+        A token can also be supplied via the client-secret if desired.</para>
+
+        <programlisting lang="YAML">  vaults:
+  authn:
+    - name: my-authn-akeyless
+      type: akeyless
+      kind: akeyless
+      url: https://api.akeyless.io
+      accessId: ${env.AKEYLESS_ACCESS_ID}
+      accessKey: ${env.AKEYLESS_ACCESS_KEY}
+</programlisting>
+
+        <para>The secret name referenced by HPCC (for example, in LDAP settings)
+        is passed to Akeyless as the secret name in the get-secret-value API.
+        If a version is provided, it will be used when retrieving the secret.</para>
+      </sect3>
+
       <sect3 id="REF_HASHICORPVault_LDAP">
         <title>Referencing Vault Stored Authentication</title>
 
diff --git a/helm/hpcc/templates/_helpers.tpl b/helm/hpcc/templates/_helpers.tpl
@@ -781,6 +781,9 @@ vaults:
   {{- range $vault := . }}
     - name: {{ $vault.name }}
       kind: {{ $vault.kind }}
+    {{- if $vault.type }}
+      type: {{ $vault.type }}
+    {{- end }}
     {{- if $vault.namespace }}
       namespace: {{ $vault.namespace }}
     {{- end }}
@@ -797,6 +800,15 @@ vaults:
     {{- if index $vault "appRoleSecret" }}
       appRoleSecret: {{ index $vault "appRoleSecret" }}
     {{- end -}}
+    {{- if index $vault "accessId" }}
+      accessId: {{ index $vault "accessId" }}
+    {{- end -}}
+    {{- if index $vault "accessKey" }}
+      accessKey: {{ index $vault "accessKey" }}
+    {{- end }}
+    {{- if index $vault "accessType" }}
+      accessType: {{ index $vault "accessType" }}
+    {{- end -}}
     {{- if $vaultClientIssuerEnabled }}
      {{- if not (index $vault "client-secret") }}
       {{- if not (index $vault "appRoleId") }}
diff --git a/helm/hpcc/values.schema.json b/helm/hpcc/values.schema.json
@@ -1041,6 +1041,19 @@
           "type": "string",
           "enum": ["kv-v2", "kv-v1"]
         },
+        "type": {
+          "description": "The vault provider type (e.g. 'akeyless' or kv backend)",
+          "type": "string",
+          "enum": ["kv-v2", "kv-v1", "akeyless"]
+        },
+        "accessId": {
+          "description": "Access ID used by Akeyless-style vaults",
+          "type": "string"
+        },
+        "accessKey": {
+          "description": "Access Key used by Akeyless-style vaults",
+          "type": "string"
+        },
         "client-secret": {
           "description": "optional name of kubernetes secret that will provide the vault client token",
           "type": "string"
diff --git a/system/jlib/jsecrets.cpp b/system/jlib/jsecrets.cpp
