diff --git a/daprdocs/content/en/operations/hosting/kubernetes/kubernetes-volume-mounts.md b/daprdocs/content/en/operations/hosting/kubernetes/kubernetes-volume-mounts.md new file mode 100644 index 000000000..d0b34c546 --- /dev/null +++ b/daprdocs/content/en/operations/hosting/kubernetes/kubernetes-volume-mounts.md 
@@ -0,0 +1,107 @@ +--- +type: docs +title: "How-to: Mount Pod volumes to the Dapr sidecar" +linkTitle: "How-to: Mount Pod volumes" +weight: 80000 +description: "Configure the Dapr sidecar to mount Pod Volumes" +--- + +## Introduction + +The Dapr sidecar can be configured to mount any Volume attached to the application Pod. These volumes can be accessed by the sidecar in _read-only_ or _read-write_ modes. If a Volume is configured to be mounted but it does not exist in the Pod, Dapr logs a warning and ignores it. +For more information on different types of Volumes, check [Volumes | Kubernetes](https://kubernetes.io/docs/concepts/storage/volumes/). + +## Configuration + +You can set the following annotations in your deployment YAML: +1. **dapr.io/volume-mounts**: for read-only volume mounts +1. **dapr.io/volume-mounts-rw**: for read-write volume mounts + +These annotations are comma separated pairs of `volume:path`. Make sure that the corresponding Volumes exist in the Pod spec. + +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: myapp + namespace: default + labels: + app: myapp +spec: + replicas: 1 + selector: + matchLabels: + app: myapp + template: + metadata: + labels: + app: myapp + annotations: + dapr.io/enabled: "true" + dapr.io/app-id: "myapp" + dapr.io/app-port: "8000" + dapr.io/volume-mounts: "my-volume1:/tmp/sample1,my-volume2:/tmp/sample2" + dapr.io/volume-mounts-rw: "my-volume3:/tmp/sample3" + spec: + volumes: + - name: my-volume1 + hostPath: + path: /sample + - name: my-volume2 + persistentVolumeClaim: + claimName: pv-sample + - name: my-volume3 + emptyDir: {} +... +``` + +## Example + +### Custom secrets storage using local file secret store +Since any type of Kubernetes Volume can be attached to the sidecar, you can use the local file secret store to read secrets from a variety of places. 
For example, if you have a Network File Share (NFS) server running at `10.201.202.203`, with secrets stored at `/secrets/stage/secrets.json`, you can use that as a secrets storage. + +1. Configure the application pod to mount the NFS and attach it to the Dapr sidecar. +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: myapp +... +spec: + ... + template: + ... + annotations: + dapr.io/enabled: "true" + dapr.io/app-id: "myapp" + dapr.io/app-port: "8000" + dapr.io/volume-mounts: "nfs-ss-vol:/usr/secrets" + spec: + volumes: + - name: nfs-ss-vol + nfs: + server: 10.201.202.203 + path: /secrets/stage +... +``` +2. Point the local file secret store component to the attached file. +```yaml +apiVersion: dapr.io/v1alpha1 +kind: Component +metadata: + name: local-secret-store + namespace: default +spec: + type: secretstores.local.file + version: v1 + metadata: + - name: secretsFile + value: /usr/secrets/secrets.json +``` +3. Use the secrets. +``` +GET http://localhost:/v1.0/secrets/local-secret-store/my-secret +``` + +## Related links +- [Dapr Kubernetes pod annotations spec]({{< ref arguments-annotations-overview.md >}}) diff --git a/daprdocs/content/en/reference/arguments-annotations-overview.md b/daprdocs/content/en/reference/arguments-annotations-overview.md index e5ec31e8b..1e9160e96 100644 --- a/daprdocs/content/en/reference/arguments-annotations-overview.md +++ b/daprdocs/content/en/reference/arguments-annotations-overview.md 
@@ -57,3 +57,5 @@ This table is meant to help users understand the equivalent options for running | not supported | not supported | | `dapr.io/sidecar-readiness-probe-period-seconds` | How often (in seconds) to perform the sidecar readiness probe. Read more [here](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes). Default is `6`| | not supported | not supported | | `dapr.io/sidecar-readiness-probe-threshold` | When the sidecar readiness probe fails, Kubernetes will try N times before giving up. In this case, the Pod will be marked Unready. Read more about `failureThreshold` [here](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes). Default is `3`| | not supported | not supported | | `dapr.io/env` | List of environment variable to be injected into the sidecar. Strings consisting of key=value pairs separated by a comma.| +| not supported | not supported | | `dapr.io/volume-mounts` | List of pod volumes to be mounted to the sidecar container in read-only mode. Strings consisting of `volume:path` pairs separated by a comma. Example, `"volume-1:/tmp/mount1,volume-2:/home/root/mount2"`. | +| not supported | not supported | | `dapr.io/volume-mounts-rw` | List of pod volumes to be mounted to the sidecar container in read-write mode. Strings consisting of `volume:path` pairs separated by a comma. Example, `"volume-1:/tmp/mount1,volume-2:/home/root/mount2"`. | \ No newline at end of file
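Review bot: In the new `kubernetes-volume-mounts.md`, step 3 of the example is not a valid request as written: `GET http://localhost:/v1.0/secrets/local-secret-store/my-secret` has an empty port after `localhost:`. Either fill in the sidecar HTTP port (the Dapr default is 3500, so `http://localhost:3500/v1.0/secrets/local-secret-store/my-secret`) or use an explicit placeholder such as `<daprPort>` so readers do not copy a broken URL. Two caveats in the same hunk deserve a sentence each. First, the Configuration example mounts a `hostPath` volume (`path: /sample`) into the sidecar; `hostPath` exposes the node filesystem to the Pod and is typically blocked by admission policy in hardened clusters, so the page should either pick a less privileged volume type for the example or state that `hostPath` is shown only for illustration and carries that cost. Second, the Introduction says a missing volume makes Dapr "log a warning and ignore it"; in the NFS secrets example that means the `secretstores.local.file` component would fail to find `/usr/secrets/secrets.json` at runtime rather than the Pod failing to start, so it is worth telling readers to check the sidecar logs for that warning when the secret store does not load, and noting that mounting the whole `/secrets/stage` export read-only still gives the sidecar every file under that path, not just `secrets.json`.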
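Review bot: The two new rows in `arguments-annotations-overview.md` should record the behaviour the how-to page states, namely that a volume named in `dapr.io/volume-mounts` or `dapr.io/volume-mounts-rw` that does not exist in the Pod spec is warned about and ignored rather than rejected; the table is where readers look for that contract. The `dapr.io/volume-mounts-rw` row would also benefit from one clause noting that it gives the sidecar write access to the volume, since the two descriptions are otherwise word-for-word identical apart from "read-only" versus "read-write" and share the same example string, which makes the difference easy to miss. Finally, the hunk ends with `\ No newline at end of file`; please add the trailing newline so the next edit to the table does not produce a noisy diff on the last row.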