dapr
/
docs
mirror of https://github.com/dapr/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

document kubernetes secret store

This commit is contained in:
Bernd Verst 2021-07-06 18:46:40 -07:00
parent 702e38863f
commit 1cb666dc18
2 changed files with 23 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
daprdocs/content/en/developing-applications/building-blocks/secrets/secrets-scopes.md
View File

@ -18,7 +18,7 @@ Watch this [video](https://youtu.be/j99RN_nxExA?start=2272) for a demo on how to
## Scenario 1 : Deny access to all secrets for a secret store
This example uses Kubernetes. The native Kubernetes secret store is added to you Dapr application by default. In some scenarios it may be necessary to deny access to Dapr secrets for a given application. To add this configuration follow the steps below:
This example uses Kubernetes. A Kubernetes secret store with name `kubernetes` is added to you Dapr application by default, however, it is strongly encouraged to instead explictly define a Kubernetes secret store (example used here: `mycustomsecretstore`). In some scenarios it may be necessary to deny access to Dapr secrets for a given application. To add this configuration follow the steps below:
Define the following `appconfig.yaml` configuration and apply it to the Kubernetes cluster using the command `kubectl apply -f appconfig.yaml`.
@ -32,6 +32,8 @@ spec:
scopes:
- storeName: kubernetes
defaultAccess: deny
- storeName: mycustomsecreststore
defaultAccess: deny
```
For applications that need to be denied access to the Kubernetes secret store, follow [these instructions]({{< ref kubernetes-overview.md >}}), and add the following annotation to the application pod.

22
daprdocs/content/en/reference/components-reference/supported-secret-stores/kubernetes-secret-store.md
View File

@ -7,9 +7,27 @@ aliases:
- "/operations/components/setup-secret-store/supported-secret-stores/kubernetes-secret-store/"
---
## Summary
## Create the Kubernetes Secret Store component
Kubernetes has a built-in secrets store which Dapr components can use to retrieve secrets from. No special configuration is needed to setup the Kubernetes secrets store, and you are able to retrieve secrets from the `http://localhost:3500/v1.0/secrets/kubernetes/[my-secret]` URL. See this guide on [referencing secrets]({{< ref component-secrets.md >}}) to retrieve and use the secret with Dapr components.
To setup a Kubernetes secret store create a component of type `secretstores.kubernetes`. See [this guide]({{< ref "setup-secret-store.md#apply-the-configuration" >}}) on how to create and apply a secretstore configuration. See this guide on [referencing secrets]({{< ref component-secrets.md >}}) to retrieve and use the secret with Dapr components.
```yaml
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
name: mycustomsecretstore
namespace: default
spec:
type: secretstores.kubernetes
version: v1
metadata:
- name: ""
```
{{% alert title="Warning" color="warning" %}}
When Dapr is deployed to Kubernetes a secret store with name `kubernetes` is automatically provisioned. We discourage use of this secret store.
{{% /alert %}}
>Note: By explicitly defining a Kubernetes secret store component you can connect to a Kubernetes secret store from a local standalone Dapr installation. This requires a valid [`kubeconfig`](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) file.
## Related links
- [Secrets building block]({{< ref secrets >}})