From 1cb666dc189b6cc17c825b8129b0d81aed1ca685 Mon Sep 17 00:00:00 2001 From: Bernd Verst Date: Tue, 6 Jul 2021 18:46:40 -0700 Subject: [PATCH 1/4] document kubernetes secret store --- .../building-blocks/secrets/secrets-scopes.md | 4 +++- .../kubernetes-secret-store.md | 22 +++++++++++++++++-- 2 files changed, 23 insertions(+), 3 deletions(-) diff --git a/daprdocs/content/en/developing-applications/building-blocks/secrets/secrets-scopes.md b/daprdocs/content/en/developing-applications/building-blocks/secrets/secrets-scopes.md index e0e7e46f7..f719c73ea 100644 --- a/daprdocs/content/en/developing-applications/building-blocks/secrets/secrets-scopes.md +++ b/daprdocs/content/en/developing-applications/building-blocks/secrets/secrets-scopes.md @@ -18,7 +18,7 @@ Watch this [video](https://youtu.be/j99RN_nxExA?start=2272) for a demo on how to ## Scenario 1 : Deny access to all secrets for a secret store -This example uses Kubernetes. The native Kubernetes secret store is added to you Dapr application by default. In some scenarios it may be necessary to deny access to Dapr secrets for a given application. To add this configuration follow the steps below: +This example uses Kubernetes. A Kubernetes secret store with name `kubernetes` is added to you Dapr application by default, however, it is strongly encouraged to instead explictly define a Kubernetes secret store (example used here: `mycustomsecretstore`). In some scenarios it may be necessary to deny access to Dapr secrets for a given application. To add this configuration follow the steps below: Define the following `appconfig.yaml` configuration and apply it to the Kubernetes cluster using the command `kubectl apply -f appconfig.yaml`. 
@@ -32,6 +32,8 @@ spec: scopes: - storeName: kubernetes defaultAccess: deny + - storeName: mycustomsecreststore + defaultAccess: deny ``` For applications that need to be denied access to the Kubernetes secret store, follow [these instructions]({{< ref kubernetes-overview.md >}}), and add the following annotation to the application pod. diff --git a/daprdocs/content/en/reference/components-reference/supported-secret-stores/kubernetes-secret-store.md b/daprdocs/content/en/reference/components-reference/supported-secret-stores/kubernetes-secret-store.md index 9c89b4be5..3c6f31893 100644 --- a/daprdocs/content/en/reference/components-reference/supported-secret-stores/kubernetes-secret-store.md +++ b/daprdocs/content/en/reference/components-reference/supported-secret-stores/kubernetes-secret-store.md 
@@ -7,9 +7,27 @@ aliases: - "/operations/components/setup-secret-store/supported-secret-stores/kubernetes-secret-store/" --- -## Summary +## Create the Kubernetes Secret Store component -Kubernetes has a built-in secrets store which Dapr components can use to retrieve secrets from. No special configuration is needed to setup the Kubernetes secrets store, and you are able to retrieve secrets from the `http://localhost:3500/v1.0/secrets/kubernetes/[my-secret]` URL. See this guide on [referencing secrets]({{< ref component-secrets.md >}}) to retrieve and use the secret with Dapr components. +To setup a Kubernetes secret store create a component of type `secretstores.kubernetes`. See [this guide]({{< ref "setup-secret-store.md#apply-the-configuration" >}}) on how to create and apply a secretstore configuration. See this guide on [referencing secrets]({{< ref component-secrets.md >}}) to retrieve and use the secret with Dapr components. + +```yaml +apiVersion: dapr.io/v1alpha1 +kind: Component +metadata: + name: mycustomsecretstore + namespace: default +spec: + type: secretstores.kubernetes + version: v1 + metadata: + - name: "" +``` +{{% alert title="Warning" color="warning" %}} +When Dapr is deployed to Kubernetes a secret store with name `kubernetes` is automatically provisioned. We discourage use of this secret store. +{{% /alert %}} + +>Note: By explicitly defining a Kubernetes secret store component you can connect to a Kubernetes secret store from a local standalone Dapr installation. This requires a valid [`kubeconfig`](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) file. ## Related links - [Secrets building block]({{< ref secrets >}}) From fc7bf4c7a36b0cc5f6b2aec4e2aa9b1200cadd5c Mon Sep 17 00:00:00 2001 
From: Ori Zohar Date: Fri, 16 Jul 2021 13:35:13 -0700 Subject: [PATCH 2/4] Addressing PR comments --- .../building-blocks/secrets/secrets-scopes.md | 6 ++++-- .../kubernetes-secret-store.md | 14 +++++++------- 2 files changed, 11 insertions(+), 9 deletions(-) diff --git a/daprdocs/content/en/developing-applications/building-blocks/secrets/secrets-scopes.md b/daprdocs/content/en/developing-applications/building-blocks/secrets/secrets-scopes.md index f719c73ea..c476e5188 100644 --- a/daprdocs/content/en/developing-applications/building-blocks/secrets/secrets-scopes.md +++ b/daprdocs/content/en/developing-applications/building-blocks/secrets/secrets-scopes.md @@ -9,7 +9,7 @@ type: docs You can read [guidance on setting up secret store components]({{< ref setup-secret-store >}}) to configure a secret store for an application. Once configured, by default *any* secret defined within that store is accessible from the Dapr application. -To limit the secrets to which the Dapr application has access to, you can can define secret scopes by adding a secret scope policy to the application configuration with restrictive permissions. Follow [these instructions]({{< ref configuration-concept.md >}}) to define an application configuration. +To limit the secrets to which the Dapr application has access to, you can define secret scopes by adding a secret scope policy to the application configuration with restrictive permissions. Follow [these instructions]({{< ref configuration-concept.md >}}) to define an application configuration. The secret scoping policy applies to any [secret store]({{< ref supported-secret-stores.md >}}), whether that is a local secret store, a Kubernetes secret store or a public cloud secret store. For details on how to set up a [secret stores]({{< ref setup-secret-store.md >}}) read [How To: Retrieve a secret]({{< ref howto-secrets.md >}}) 
@@ -18,7 +18,9 @@ Watch this [video](https://youtu.be/j99RN_nxExA?start=2272) for a demo on how to ## Scenario 1 : Deny access to all secrets for a secret store -This example uses Kubernetes. A Kubernetes secret store with name `kubernetes` is added to you Dapr application by default, however, it is strongly encouraged to instead explictly define a Kubernetes secret store (example used here: `mycustomsecretstore`). In some scenarios it may be necessary to deny access to Dapr secrets for a given application. To add this configuration follow the steps below: +In this example all secret access is denied to an application running on a Kubernetes cluster which has a configured [Kubernetes secret store]({{}}) named `mycustomsecretstore`. In the case of Kubernetes, aside from the user defined custom store, the default store named `kubernetes` is also addressed to ensure all secrets are denied access (See [here]({{}}) to learn more about the Kubernetes default secret store). + +To add this configuration follow the steps below: Define the following `appconfig.yaml` configuration and apply it to the Kubernetes cluster using the command `kubectl apply -f appconfig.yaml`. diff --git a/daprdocs/content/en/reference/components-reference/supported-secret-stores/kubernetes-secret-store.md b/daprdocs/content/en/reference/components-reference/supported-secret-stores/kubernetes-secret-store.md index 3c6f31893..bdb631f2b 100644 --- a/daprdocs/content/en/reference/components-reference/supported-secret-stores/kubernetes-secret-store.md +++ b/daprdocs/content/en/reference/components-reference/supported-secret-stores/kubernetes-secret-store.md 
@@ -7,7 +7,12 @@ aliases: - "/operations/components/setup-secret-store/supported-secret-stores/kubernetes-secret-store/" --- -## Create the Kubernetes Secret Store component +## Default Kubernetes secret store component +When Dapr is deployed to a Kubernetes cluster, a secret store with the name `kubernetes` is automatically provisioned. This is meant to streamline the usage of the native Kubernetes secret store but generally, it is a better practice to create a component definition like the one below with a custom name. Using a custom definition decouples referencing the secret store in your code from the hosting platform (Kubernetes) keeping you code more generic and portable. Additionally, by explicitly defining a Kubernetes secret store component you can connect to a Kubernetes secret store from a local Dapr self-hosted installation. This requires a valid [`kubeconfig`](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) file. + +When limiting access to secrets in your application using [secret scopes]({{}}), it's important to remember this store was automatically created and so to include it in the scope definition. + +## Create a custom Kubernetes secret store component To setup a Kubernetes secret store create a component of type `secretstores.kubernetes`. See [this guide]({{< ref "setup-secret-store.md#apply-the-configuration" >}}) on how to create and apply a secretstore configuration. See this guide on [referencing secrets]({{< ref component-secrets.md >}}) to retrieve and use the secret with Dapr components. 
@@ -23,14 +28,9 @@ spec: metadata: - name: "" ``` -{{% alert title="Warning" color="warning" %}} -When Dapr is deployed to Kubernetes a secret store with name `kubernetes` is automatically provisioned. We discourage use of this secret store. -{{% /alert %}} - ->Note: By explicitly defining a Kubernetes secret store component you can connect to a Kubernetes secret store from a local standalone Dapr installation. This requires a valid [`kubeconfig`](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) file. - ## Related links - [Secrets building block]({{< ref secrets >}}) - [How-To: Retrieve a secret]({{< ref "howto-secrets.md" >}}) - [How-To: Reference secrets in Dapr components]({{< ref component-secrets.md >}}) - [Secrets API reference]({{< ref secrets_api.md >}}) +- [How To: Use secret scoping]({{}}) From af4eead2334b0b18455d57ca6ab68ffc0bcff2ce Mon Sep 17 00:00:00 2001 From: Ori Zohar Date: Wed, 21 Jul 2021 14:54:43 -0700 Subject: [PATCH 3/4] Update daprdocs/content/en/reference/components-reference/supported-secret-stores/kubernetes-secret-store.md Co-authored-by: Aaron Crawfis --- .../supported-secret-stores/kubernetes-secret-store.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/daprdocs/content/en/reference/components-reference/supported-secret-stores/kubernetes-secret-store.md b/daprdocs/content/en/reference/components-reference/supported-secret-stores/kubernetes-secret-store.md index bdb631f2b..1e193eec4 100644 --- a/daprdocs/content/en/reference/components-reference/supported-secret-stores/kubernetes-secret-store.md +++ b/daprdocs/content/en/reference/components-reference/supported-secret-stores/kubernetes-secret-store.md 
@@ -10,7 +10,9 @@ aliases: ## Default Kubernetes secret store component When Dapr is deployed to a Kubernetes cluster, a secret store with the name `kubernetes` is automatically provisioned. This is meant to streamline the usage of the native Kubernetes secret store but generally, it is a better practice to create a component definition like the one below with a custom name. Using a custom definition decouples referencing the secret store in your code from the hosting platform (Kubernetes) keeping you code more generic and portable. Additionally, by explicitly defining a Kubernetes secret store component you can connect to a Kubernetes secret store from a local Dapr self-hosted installation. This requires a valid [`kubeconfig`](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) file. -When limiting access to secrets in your application using [secret scopes]({{}}), it's important to remember this store was automatically created and so to include it in the scope definition. +{{% alert title="Scoping secret store access" color="warning" %}} +When limiting access to secrets in your application using [secret scopes]({{}}), it's important to include this default secret store in the scope definition in order to restrict it. +{{% /alert %}} ## Create a custom Kubernetes secret store component From 04eaa5627351d737d42eeef6f834c14972be281e Mon Sep 17 00:00:00 2001 From: Ori Zohar Date: Wed, 21 Jul 2021 09:55:02 -0700 Subject: [PATCH 4/4] Changing phrasing to default k8s secret store explanation --- .../supported-secret-stores/kubernetes-secret-store.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/daprdocs/content/en/reference/components-reference/supported-secret-stores/kubernetes-secret-store.md b/daprdocs/content/en/reference/components-reference/supported-secret-stores/kubernetes-secret-store.md index 1e193eec4..50ac43c90 100644 
--- a/daprdocs/content/en/reference/components-reference/supported-secret-stores/kubernetes-secret-store.md +++ b/daprdocs/content/en/reference/components-reference/supported-secret-stores/kubernetes-secret-store.md 
@@ -8,10 +8,12 @@ aliases: --- ## Default Kubernetes secret store component -When Dapr is deployed to a Kubernetes cluster, a secret store with the name `kubernetes` is automatically provisioned. This is meant to streamline the usage of the native Kubernetes secret store but generally, it is a better practice to create a component definition like the one below with a custom name. Using a custom definition decouples referencing the secret store in your code from the hosting platform (Kubernetes) keeping you code more generic and portable. Additionally, by explicitly defining a Kubernetes secret store component you can connect to a Kubernetes secret store from a local Dapr self-hosted installation. This requires a valid [`kubeconfig`](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) file. +When Dapr is deployed to a Kubernetes cluster, a secret store with the name `kubernetes` is automatically provisioned. This pre-provisioned secret store allows you to use the native Kubernetes secret store with no need to author, deploy or maintain a component configuration file for the secret store and is useful for developers looking to simply access secrets stored natively in a Kubernetes cluster. + +A custom component definition file for a Kubernetes secret store can still be configured (See below for details). Using a custom definition decouples referencing the secret store in your code from the hosting platform as the store name is not fixed and can be customized, keeping you code more generic and portable. Additionally, by explicitly defining a Kubernetes secret store component you can connect to a Kubernetes secret store from a local Dapr self-hosted installation. This requires a valid [`kubeconfig`](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) file. 
{{% alert title="Scoping secret store access" color="warning" %}} -When limiting access to secrets in your application using [secret scopes]({{}}), it's important to include this default secret store in the scope definition in order to restrict it. +When limiting access to secrets in your application using [secret scopes]({{}}), it's important to include the default secret store in the scope definition in order to restrict it. {{% /alert %}} ## Create a custom Kubernetes secret store component
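Review bot: In patch 1, secrets-scopes.md hunk `@@ -32,6 +32,8 @@`, the new scope entry is misspelled: `- storeName: mycustomsecreststore` does not match the component named `mycustomsecretstore` that the same patch defines in kubernetes-secret-store.md. Secret scopes match on the exact store name, so the added `defaultAccess: deny` entry applies to nothing and the custom store stays fully readable, while the scenario text claims all secret access is denied. This is never corrected in patches 2 to 4. Change it to `- storeName: mycustomsecretstore`, and consider adding a one-line check to the scenario (a GET against the secrets endpoint for that store, in the style of the `http://localhost:3500/v1.0/secrets/kubernetes/[my-secret]` URL this series removes from the reference page, should now be rejected) so a reader catches a non-matching name.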
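Review bot: In patch 1, secrets-scopes.md hunk `@@ -18,7 +18,7 @@`, the rewritten sentence has two typos: "added to you Dapr application" should read "your", and "explictly" should read "explicitly". Patch 2 replaces this sentence entirely, so squashing the series before merge avoids shipping the intermediate wording.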
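Review bot: In patch 1, kubernetes-secret-store.md hunk `@@ -7,9 +7,27 @@`, the warning "We discourage use of this secret store" gives no reason, which is exactly what an operator deciding whether to scope or ignore the auto-provisioned `kubernetes` store needs (patches 2 and 4 replace this with a rationale, so this is another argument for squashing). Two smaller gaps in the same hunk: the note says a self-hosted install "requires a valid `kubeconfig` file" but not how the component locates it, and the component YAML ends in a placeholder entry `- name: ""` under `metadata:` without saying which metadata keys the `secretstores.kubernetes` type accepts; either document the supported keys or drop the empty entry. The removed summary also carried the only example of the secrets URL, so the page no longer shows that the custom store name is what appears in the request path.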
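Review bot: In patch 2, secrets-scopes.md hunk `@@ -9,7 +9,7 @@`, the fix for "can can" is correct but the sentence keeps a doubled preposition: "To limit the secrets to which the Dapr application has access to, you can define". Suggest "To limit the secrets to which the Dapr application has access, you can define".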
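Review bot: In patch 2, secrets-scopes.md hunk `@@ -18,7 +18,9 @@`, both new links have an empty shortcode target: `[Kubernetes secret store]({{}})` and `[here]({{}})`. Elsewhere in the series the refs survive as `{{< ref kubernetes-overview.md >}}`, so confirm these two actually carry a `ref` to kubernetes-secret-store.md before merge; as they stand they render as dead links. The same applies to `[secret scopes]({{}})` and `[How To: Use secret scoping]({{}})` in this patch's kubernetes-secret-store.md hunks. The new paragraph also states that all secrets are denied for both stores, which is only true once the misspelled `storeName` in the untouched `@@ -32` hunk of patch 1 is corrected.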
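Review bot: In patch 2, kubernetes-secret-store.md hunk `@@ -7,7 +7,12 @@`, "keeping you code more generic and portable" should read "keeping your code"; the same typo is carried into patch 4. The portability argument is worth keeping as written: a fixed store name `kubernetes` ties application code to the hosting platform, while a custom name lets the same code run against a different store in self-hosted mode.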
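Review bot: In patch 3, kubernetes-secret-store.md hunk `@@ -10,7 +10,9 @@`, the alert tells readers to include the default store in the scope definition but not what that entry looks like, and the link target shown is empty. Since this is the one detail a reader is likely to miss, quote the two lines from Scenario 1 of secrets-scopes.md directly in the alert, `- storeName: kubernetes` / `defaultAccess: deny`, rather than only pointing at the other page.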
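Review bot: In patch 4, kubernetes-secret-store.md hunk `@@ -8,10 +8,12 @@`, "keeping you code more generic and portable" still needs "your", and "(See below for details)" should be lower-case "see" inside the parenthesis. The rewritten first paragraph now describes the default store purely as a convenience; keep the following alert as is, because the store exists in every Kubernetes deployment whether or not the application asked for it, and that is the reason it must appear in any deny scope.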