Merge pull request #4382 from antontroshin/dapr-env-vars-from-secrets-docs

Add support for injecting environment variables from a Secret into the Dapr sidecar
2024-10-31 15:09:41 -04:00 · 2024-10-31 15:09:41 -04:00 · 1632f50784
parent 9084988bc2 2fcc845a63
commit 1632f50784
2 changed files with 123 additions and 0 deletions
--- a/daprdocs/content/en/operations/configuration/environment-variables-secrets.md
+++ b/daprdocs/content/en/operations/configuration/environment-variables-secrets.md
@ -0,0 +1,122 @@
+---
+type: docs
+title: "How-To: Configure Environment Variables from Secrets for Dapr sidecar"
+linkTitle: "Environment Variables from Secrets"
+weight: 7500
+description: "Inject Environment Variables from Kubernetes Secrets into Dapr sidecar"
+---
+In special cases, the Dapr sidecar needs an environment variable injected into it. This use case may be required by a component, a 3rd party library, or a module that uses environment variables to configure the said component or customize its behavior. This can be useful for both production and non-production environments.
+
+## Overview
+In Dapr 1.15, the new `dapr.io/env-from-secret` annotation was introduced, [similar to `dapr.io/env`]({{< ref arguments-annotations-overview >}}).
+With this annotation, you can inject an environment variable into the Dapr sidecar, with a value from a secret.
+
+### Annotation format
+The values of this annotation are formatted like so:
+
+- Single key secret: `<ENV_VAR_NAME>=<SECRET_NAME>`
+- Multi key/value secret: `<ENV_VAR_NAME>=<SECRET_NAME>:<SECRET_KEY>`
+
+`<ENV_VAR_NAME>` is required to follow the `C_IDENTIFIER` format and captured by the `[A-Za-z_][A-Za-z0-9_]*` regex:
+- Must start with a letter or underscore
+- The rest of the identifier contains letters, digits, or underscores
+
+The `name` field is required due to the restriction of the `secretKeyRef`, so both `name` and `key` must be set. [Learn more from the "env.valueFrom.secretKeyRef.name" section in this Kubernetes documentation.](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables)
+In this case, Dapr sets both to the same value.
+
+## Configuring single key secret environment variable
+In the following example, the `dapr.io/env-from-secret` annotation is added to the Deployment.
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nodeapp
+spec:
+  template:
+    metadata:
+      annotations:
+        dapr.io/enabled: "true"
+        dapr.io/app-id: "nodeapp"
+        dapr.io/app-port: "3000"
+        dapr.io/env-from-secret: "AUTH_TOKEN=auth-headers-secret"
+    spec:
+      containers:
+      - name: node
+        image: dapriosamples/hello-k8s-node:latest
+        ports:
+        - containerPort: 3000
+        imagePullPolicy: Always
+```
+
+The `dapr.io/env-from-secret` annotation with a value of `"AUTH_TOKEN=auth-headers-secret"` is injected as:
+
+```yaml
+env:
+- name: AUTH_TOKEN
+    valueFrom:
+    secretKeyRef:
+        name: auth-headers-secret
+        key: auth-headers-secret
+```
+This requires the secret to have both `name` and `key` fields with the same value, "auth-headers-secret".
+
+**Example secret**
+
+> **Note:** The following example is for demo purposes only. It's not recommended to store secrets in plain text.
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: auth-headers-secret
+type: Opaque
+stringData:
+  auth-headers-secret: "AUTH=mykey"
+```
+
+## Configuring multi-key secret environment variable
+
+In the following example, the `dapr.io/env-from-secret` annotation is added to the Deployment.
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nodeapp
+spec:
+  template:
+    metadata:
+      annotations:
+        dapr.io/enabled: "true"
+        dapr.io/app-id: "nodeapp"
+        dapr.io/app-port: "3000"
+        dapr.io/env-from-secret: "AUTH_TOKEN=auth-headers-secret:auth-header-value"
+    spec:
+      containers:
+      - name: node
+        image: dapriosamples/hello-k8s-node:latest
+        ports:
+        - containerPort: 3000
+        imagePullPolicy: Always
+```
+The `dapr.io/env-from-secret` annotation with a value of `"AUTH_TOKEN=auth-headers-secret:auth-header-value"` is injected as:
+```yaml
+env:
+- name: AUTH_TOKEN
+    valueFrom:
+    secretKeyRef:
+        name: auth-headers-secret
+        key: auth-header-value
+```
+
+**Example secret**
+
+ > **Note:** The following example is for demo purposes only. It's not recommended to store secrets in plain text.
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: auth-headers-secret
+type: Opaque
+stringData:
+  auth-header-value: "AUTH=mykey"
+```
--- a/daprdocs/content/en/reference/arguments-annotations-overview.md
+++ b/daprdocs/content/en/reference/arguments-annotations-overview.md
@ -67,6 +67,7 @@ This table is meant to help users understand the equivalent options for running
 | not supported | not supported | | `dapr.io/sidecar-readiness-probe-period-seconds`  | How often (in seconds) to perform the sidecar readiness probe. Read more [here](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes). Default is `6`|
 | not supported | not supported | | `dapr.io/sidecar-readiness-probe-threshold`       | When the sidecar readiness probe fails, Kubernetes will try N times before giving up. In  this case, the Pod will be marked Unready. Read more about `failureThreshold` [here](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes). Default is `3`|
 | not supported | not supported | | `dapr.io/env`                                     | List of environment variable to be injected into the sidecar. Strings consisting of key=value pairs separated by a comma.|
+| not supported | not supported | | `dapr.io/env-from-secret`                         | List of environment variables to be injected into the sidecar from secret. Strings consisting of `"key=secret-name:secret-key"` pairs are separated by a comma. |
 | not supported | not supported | | `dapr.io/volume-mounts` | List of [pod volumes to be mounted to the sidecar container]({{< ref "kubernetes-volume-mounts" >}}) in read-only mode. Strings consisting of `volume:path` pairs separated by a comma. Example, `"volume-1:/tmp/mount1,volume-2:/home/root/mount2"`. |
 | not supported | not supported | | `dapr.io/volume-mounts-rw` | List of [pod volumes to be mounted to the sidecar container]({{< ref "kubernetes-volume-mounts" >}}) in read-write mode. Strings consisting of `volume:path` pairs separated by a comma. Example, `"volume-1:/tmp/mount1,volume-2:/home/root/mount2"`. |
 | `--disable-builtin-k8s-secret-store` | not supported | | `dapr.io/disable-builtin-k8s-secret-store` | Disables BuiltIn Kubernetes secret store. Default value is false. See [Kubernetes secret store component]({{< ref "kubernetes-secret-store.md" >}}) for details. |