diff --git a/daprdocs/content/en/developing-applications/building-blocks/secrets/secrets-scopes.md b/daprdocs/content/en/developing-applications/building-blocks/secrets/secrets-scopes.md index e0e7e46f7..f719c73ea 100644 --- a/daprdocs/content/en/developing-applications/building-blocks/secrets/secrets-scopes.md +++ b/daprdocs/content/en/developing-applications/building-blocks/secrets/secrets-scopes.md @@ -18,7 +18,7 @@ Watch this [video](https://youtu.be/j99RN_nxExA?start=2272) for a demo on how to ## Scenario 1 : Deny access to all secrets for a secret store -This example uses Kubernetes. The native Kubernetes secret store is added to you Dapr application by default. In some scenarios it may be necessary to deny access to Dapr secrets for a given application. To add this configuration follow the steps below: +This example uses Kubernetes. A Kubernetes secret store with name `kubernetes` is added to you Dapr application by default, however, it is strongly encouraged to instead explictly define a Kubernetes secret store (example used here: `mycustomsecretstore`). In some scenarios it may be necessary to deny access to Dapr secrets for a given application. To add this configuration follow the steps below: Define the following `appconfig.yaml` configuration and apply it to the Kubernetes cluster using the command `kubectl apply -f appconfig.yaml`. @@ -32,6 +32,8 @@ spec: scopes: - storeName: kubernetes defaultAccess: deny + - storeName: mycustomsecreststore + defaultAccess: deny ``` For applications that need to be denied access to the Kubernetes secret store, follow [these instructions]({{< ref kubernetes-overview.md >}}), and add the following annotation to the application pod. diff --git a/daprdocs/content/en/reference/components-reference/supported-secret-stores/kubernetes-secret-store.md b/daprdocs/content/en/reference/components-reference/supported-secret-stores/kubernetes-secret-store.md index 9c89b4be5..3c6f31893 100644 --- a/daprdocs/content/en/reference/components-reference/supported-secret-stores/kubernetes-secret-store.md +++ b/daprdocs/content/en/reference/components-reference/supported-secret-stores/kubernetes-secret-store.md @@ -7,9 +7,27 @@ aliases: - "/operations/components/setup-secret-store/supported-secret-stores/kubernetes-secret-store/" --- -## Summary +## Create the Kubernetes Secret Store component -Kubernetes has a built-in secrets store which Dapr components can use to retrieve secrets from. No special configuration is needed to setup the Kubernetes secrets store, and you are able to retrieve secrets from the `http://localhost:3500/v1.0/secrets/kubernetes/[my-secret]` URL. See this guide on [referencing secrets]({{< ref component-secrets.md >}}) to retrieve and use the secret with Dapr components. +To setup a Kubernetes secret store create a component of type `secretstores.kubernetes`. See [this guide]({{< ref "setup-secret-store.md#apply-the-configuration" >}}) on how to create and apply a secretstore configuration. See this guide on [referencing secrets]({{< ref component-secrets.md >}}) to retrieve and use the secret with Dapr components. + +```yaml +apiVersion: dapr.io/v1alpha1 +kind: Component +metadata: + name: mycustomsecretstore + namespace: default +spec: + type: secretstores.kubernetes + version: v1 + metadata: + - name: "" +``` +{{% alert title="Warning" color="warning" %}} +When Dapr is deployed to Kubernetes a secret store with name `kubernetes` is automatically provisioned. We discourage use of this secret store. +{{% /alert %}} + +>Note: By explicitly defining a Kubernetes secret store component you can connect to a Kubernetes secret store from a local standalone Dapr installation. This requires a valid [`kubeconfig`](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) file. ## Related links - [Secrets building block]({{< ref secrets >}})