Add volume mount support to annotations reference (#2455)

* Add docs to reference Signed-off-by: Shubham Sharma <shubhash@microsoft.com> * Trigger Build Signed-off-by: Shubham Sharma <shubhash@microsoft.com> * Add usage docs under operations Signed-off-by: Shubham Sharma <shubhash@microsoft.com> * Refactor Signed-off-by: Shubham Sharma <shubhash@microsoft.com> * Move the docs and add example Signed-off-by: Shubham Sharma <shubhash@microsoft.com> * Fix typo Signed-off-by: Shubham Sharma <shubhash@microsoft.com> * Incorporate review by @msfussell Signed-off-by: Shubham Sharma <shubhash@microsoft.com> Co-authored-by: Mark Fussell <markfussell@gmail.com>
2022-06-09 03:48:00 +05:30 · 2022-06-09 03:48:00 +05:30 · 0889a11500
parent 51dfc28dd7
commit 0889a11500
2 changed files with 109 additions and 0 deletions
--- a/daprdocs/content/en/operations/hosting/kubernetes/kubernetes-volume-mounts.md
+++ b/daprdocs/content/en/operations/hosting/kubernetes/kubernetes-volume-mounts.md
@ -0,0 +1,107 @@
+---
+type: docs
+title: "How-to: Mount Pod volumes to the Dapr sidecar"
+linkTitle: "How-to: Mount Pod volumes"
+weight: 80000
+description: "Configure the Dapr sidecar to mount Pod Volumes"
+---
+
+## Introduction
+
+The Dapr sidecar can be configured to mount any Volume attached to the application Pod. These volumes can be accessed by the sidecar in _read-only_ or _read-write_ modes. If a Volume is configured to be mounted but it does not exist in the Pod, Dapr logs a warning and ignores it.
+For more information on different types of Volumes, check [Volumes | Kubernetes](https://kubernetes.io/docs/concepts/storage/volumes/).
+
+## Configuration
+
+You can set the following annotations in your deployment YAML:
+1. **dapr.io/volume-mounts**: for read-only volume mounts
+1. **dapr.io/volume-mounts-rw**: for read-write volume mounts
+
+These annotations are comma separated pairs of `volume:path`. Make sure that the corresponding Volumes exist in the Pod spec.
+
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: myapp
+  namespace: default
+  labels:
+    app: myapp
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: myapp
+  template:
+    metadata:
+      labels:
+        app: myapp
+      annotations:
+        dapr.io/enabled: "true"
+        dapr.io/app-id: "myapp"
+        dapr.io/app-port: "8000"
+        dapr.io/volume-mounts: "my-volume1:/tmp/sample1,my-volume2:/tmp/sample2"
+        dapr.io/volume-mounts-rw: "my-volume3:/tmp/sample3"
+    spec:
+      volumes:
+        - name: my-volume1
+          hostPath:
+            path: /sample
+        - name: my-volume2
+          persistentVolumeClaim:
+            claimName: pv-sample
+        - name: my-volume3
+          emptyDir: {}
+...
+```
+
+## Example
+
+### Custom secrets storage using local file secret store
+Since any type of Kubernetes Volume can be attached to the sidecar, you can use the local file secret store to read secrets from a variety of places. For example, if you have a Network File Share (NFS) server running at `10.201.202.203`, with secrets stored at `/secrets/stage/secrets.json`, you can use that as a secrets storage.
+
+1. Configure the application pod to mount the NFS and attach it to the Dapr sidecar.
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: myapp
+...
+spec:
+  ...
+  template:
+    ...
+      annotations:
+        dapr.io/enabled: "true"
+        dapr.io/app-id: "myapp"
+        dapr.io/app-port: "8000"
+        dapr.io/volume-mounts: "nfs-ss-vol:/usr/secrets"
+    spec:
+      volumes:
+        - name: nfs-ss-vol
+          nfs:
+            server: 10.201.202.203
+            path: /secrets/stage
+...
+```
+2. Point the local file secret store component to the attached file.
+```yaml
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+  name: local-secret-store
+  namespace: default
+spec:
+  type: secretstores.local.file
+  version: v1
+  metadata:
+  - name: secretsFile
+    value: /usr/secrets/secrets.json
+```
+3. Use the secrets.
+```
+GET http://localhost:<daprPort>/v1.0/secrets/local-secret-store/my-secret
+```
+
+## Related links
+- [Dapr Kubernetes pod annotations spec]({{< ref arguments-annotations-overview.md >}})
--- a/daprdocs/content/en/reference/arguments-annotations-overview.md
+++ b/daprdocs/content/en/reference/arguments-annotations-overview.md
@ -57,3 +57,5 @@ This table is meant to help users understand the equivalent options for running
 | not supported | not supported | | `dapr.io/sidecar-readiness-probe-period-seconds`  | How often (in seconds) to perform the sidecar readiness probe. Read more [here](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes). Default is `6`|
 | not supported | not supported | | `dapr.io/sidecar-readiness-probe-threshold`       | When the sidecar readiness probe fails, Kubernetes will try N times before giving up. In  this case, the Pod will be marked Unready. Read more about `failureThreshold` [here](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes). Default is `3`|
 | not supported | not supported | | `dapr.io/env`                                     | List of environment variable to be injected into the sidecar. Strings consisting of key=value pairs separated by a comma.|
+| not supported | not supported | | `dapr.io/volume-mounts` | List of pod volumes to be mounted to the sidecar container in read-only mode. Strings consisting of `volume:path` pairs separated by a comma. Example, `"volume-1:/tmp/mount1,volume-2:/home/root/mount2"`. |
+| not supported | not supported | | `dapr.io/volume-mounts-rw` | List of pod volumes to be mounted to the sidecar container in read-write mode. Strings consisting of `volume:path` pairs separated by a comma. Example, `"volume-1:/tmp/mount1,volume-2:/home/root/mount2"`. |