From fca5ba98b11315f6321400d2739d3963e2c2f04a Mon Sep 17 00:00:00 2001 From: Donovan Brown Date: Fri, 9 Apr 2021 07:30:42 -0500 Subject: [PATCH 1/4] Added table to show Kubernetes options When I read this doc it was unclear that the cert could be provided as a secret. The only table on the original version showed `spnCertificateFile` as a required option. I added a second table to make it clear that in Kubernetes there is a `spnCertificate` option that does not require a file on disk. --- .../supported-secret-stores/azure-keyvault.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/daprdocs/content/en/operations/components/setup-secret-store/supported-secret-stores/azure-keyvault.md b/daprdocs/content/en/operations/components/setup-secret-store/supported-secret-stores/azure-keyvault.md index db83a3a7d..c17c2e2a8 100644 --- a/daprdocs/content/en/operations/components/setup-secret-store/supported-secret-stores/azure-keyvault.md +++ b/daprdocs/content/en/operations/components/setup-secret-store/supported-secret-stores/azure-keyvault.md @@ -40,6 +40,8 @@ The above example uses secrets as plain strings. It is recommended to use a loca ## Spec metadata fields +### Self-Hosted + | Field | Required | Details | Example | |--------------------|:--------:|-------------------------------------------------------------------------|--------------------------| | vaultName | Y | The name of the Azure Key Vault | `"mykeyvault"` | @@ -47,6 +49,16 @@ The above example uses secrets as plain strings. It is recommended to use a loca | spnClientId | Y | Service Principal App Id | `"spnAppId"` | | spnCertificateFile | Y | PFX certificate file path.

For Windows the `[pfx_certificate_file_fully_qualified_local_path]` value must use escaped backslashes, i.e. double backslashes. For example `"C:\\folder1\\folder2\\certfile.pfx"`.

For Linux you can use single slashes. For example `"/folder1/folder2/certfile.pfx"`.

See [configure the component](#configure-the-component) for more details | `"C:\\folder1\\folder2\\certfile.pfx"`, `"/folder1/folder2/certfile.pfx"` | + +### Kubernetes + +| Field | Required | Details | Example | +|--------------------|:--------:|-------------------------------------------------------------------------|--------------------------| +| vaultName | Y | The name of the Azure Key Vault | `"mykeyvault"` | +| spnTenantId | Y | Service Principal Tenant Id | `"spnTenantId"` | +| spnClientId | Y | Service Principal App Id | `"spnAppId"` | +| spnCertificate | Y | Store the certificate for the service principal into the Kubernetes Secret Store.

See [configure the component](#configure-the-component) for more details | kubectl create secret generic [name] --from-file=[fully_qualified_local_path] | + ## Setup Key Vault and service principal ### Prerequisites From 1c1c7509a574a22dbaa52a752ec50962e5d9d054 Mon Sep 17 00:00:00 2001 From: Donovan Brown Date: Mon, 12 Apr 2021 13:50:02 -0500 Subject: [PATCH 2/4] incorporating feedback --- .../supported-secret-stores/azure-keyvault.md | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/daprdocs/content/en/operations/components/setup-secret-store/supported-secret-stores/azure-keyvault.md b/daprdocs/content/en/operations/components/setup-secret-store/supported-secret-stores/azure-keyvault.md index 862403f5d..a904b86d3 100644 --- a/daprdocs/content/en/operations/components/setup-secret-store/supported-secret-stores/azure-keyvault.md +++ b/daprdocs/content/en/operations/components/setup-secret-store/supported-secret-stores/azure-keyvault.md @@ -31,6 +31,8 @@ spec: value: "[your_service_principal_tenant_id]" - name: spnClientId value: "[your_service_principal_app_id]" + - name: spnCertificate + value : "[pfx_certificate_contents_k8s_secret_name]" - name: spnCertificateFile value : "[pfx_certificate_file_fully_qualified_local_path]" ``` @@ -57,7 +59,7 @@ The above example uses secrets as plain strings. It is recommended to use a loca | vaultName | Y | The name of the Azure Key Vault | `"mykeyvault"` | | spnTenantId | Y | Service Principal Tenant Id | `"spnTenantId"` | | spnClientId | Y | Service Principal App Id | `"spnAppId"` | -| spnCertificate | Y | Store the certificate for the service principal into the Kubernetes Secret Store.

See [configure the component](#configure-the-component) for more details | kubectl create secret generic [name] --from-file=[fully_qualified_local_path] | +| spnCertificate | Y | Store the certificate for the service principal into the Kubernetes Secret Store.

kubectl create secret generic [secretName] --from-file=[secretKey]=[fully_qualified_local_path]

See [configure the component](#configure-the-component) for more details | See this guide on [referencing secrets]({{< ref component-secrets.md >}}) to retrieve and use the secret with Dapr components | ## Setup Key Vault and service principal @@ -73,7 +75,7 @@ The above example uses secrets as plain strings. It is recommended to use a loca ```bash # Log in Azure az login - + # Set your subscription to the default subscription az account set -s [your subscription id] ``` @@ -90,7 +92,7 @@ The above example uses secrets as plain strings. It is recommended to use a loca ```bash az ad sp create-for-rbac --name [your_service_principal_name] --create-cert --cert [certificate_name] --keyvault [your_keyvault] --skip-assignment --years 1 - + { "appId": "a4f90000-0000-0000-0000-00000011d000", "displayName": "[your_service_principal_name]", @@ -106,7 +108,7 @@ The above example uses secrets as plain strings. It is recommended to use a loca ```bash az ad sp show --id [service_principal_app_id] - + { ... "objectId": "[your_service_principal_object_id]", @@ -175,11 +177,12 @@ In Kubernetes, you store the certificate for the service principal into the Kube 1. Create a kubernetes secret using the following command: ```bash - kubectl create secret generic [your_k8s_spn_secret_name] --from-file=[pfx_certificate_file_fully_qualified_local_path] + kubectl create secret generic [your_k8s_spn_secret_name] --from-file=[your_k8s_spn_secret_key]=[pfx_certificate_file_fully_qualified_local_path] ``` - `[pfx_certificate_file_fully_qualified_local_path]` is the path of PFX cert file you downloaded above - `[your_k8s_spn_secret_name]` is secret name in Kubernetes secret store +- `[your_k8s_spn_secret_key]` is secret key in Kubernetes secret store 2. Create a `azurekeyvault.yaml` component file 
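Review bot: The `--from-file=[your_k8s_spn_secret_key]=[pfx_certificate_file_fully_qualified_local_path]` form in this hunk is the right fix: the removed command passed only a path, in which case the secret key is derived from the file name, so the `secretKeyRef` key of `[pfx_certificate_file_fully_qualified_local_path]` that the component file used would not have matched anything in the secret. The new bullet "is secret key in Kubernetes secret store" should read "is the key under which the PFX bytes are stored in that secret" so it parallels the bullet above it, and it is worth saying that the file is passed as-is (kubectl stores the raw bytes), so readers do not encode it by hand first.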
@@ -204,7 +207,7 @@ spec: - name: spnCertificate secretKeyRef: name: [your_k8s_spn_secret_name] - key: [pfx_certificate_file_fully_qualified_local_path] + key: [your_k8s_spn_secret_key] auth: secretStore: kubernetes ``` From 77973dc4e08cd094a448a091f5a517e9a345698c Mon Sep 17 00:00:00 2001 From: Aaron Crawfis Date: Wed, 28 Apr 2021 09:06:26 -0700 Subject: [PATCH 3/4] Update daprdocs/content/en/reference/components-reference/supported-secret-stores/azure-keyvault.md --- .../supported-secret-stores/azure-keyvault.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/daprdocs/content/en/reference/components-reference/supported-secret-stores/azure-keyvault.md b/daprdocs/content/en/reference/components-reference/supported-secret-stores/azure-keyvault.md index 624d4fe14..8e5dab046 100644 --- a/daprdocs/content/en/reference/components-reference/supported-secret-stores/azure-keyvault.md +++ b/daprdocs/content/en/reference/components-reference/supported-secret-stores/azure-keyvault.md @@ -33,8 +33,7 @@ spec: value: "[your_service_principal_tenant_id]" - name: spnClientId value: "[your_service_principal_app_id]" - - name: spnCertificate - value : "[pfx_certificate_contents_k8s_secret_name]" + value : "[pfx_certificate_contents]" - name: spnCertificateFile value : "[pfx_certificate_file_fully_qualified_local_path]" ``` From 9051058b1ac4998b7e4e034ab84e6f87eb25d680 Mon Sep 17 00:00:00 2001 From: Aaron Crawfis Date: Wed, 28 Apr 2021 09:06:33 -0700 Subject: [PATCH 4/4] Update daprdocs/content/en/reference/components-reference/supported-secret-stores/azure-keyvault.md --- .../supported-secret-stores/azure-keyvault.md | 25 ++++++++++--------- 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/daprdocs/content/en/reference/components-reference/supported-secret-stores/azure-keyvault.md b/daprdocs/content/en/reference/components-reference/supported-secret-stores/azure-keyvault.md index 8e5dab046..eafc94aa0 100644 
--- a/daprdocs/content/en/reference/components-reference/supported-secret-stores/azure-keyvault.md +++ b/daprdocs/content/en/reference/components-reference/supported-secret-stores/azure-keyvault.md @@ -45,22 +45,23 @@ The above example uses secrets as plain strings. It is recommended to use a loca ### Self-Hosted -| Field | Required | Details | Example | -|--------------------|:--------:|-------------------------------------------------------------------------|--------------------------| -| vaultName | Y | The name of the Azure Key Vault | `"mykeyvault"` | -| spnTenantId | Y | Service Principal Tenant Id | `"spnTenantId"` | -| spnClientId | Y | Service Principal App Id | `"spnAppId"` | -| spnCertificateFile | Y | PFX certificate file path.

For Windows the `[pfx_certificate_file_fully_qualified_local_path]` value must use escaped backslashes, i.e. double backslashes. For example `"C:\\folder1\\folder2\\certfile.pfx"`.

For Linux you can use single slashes. For example `"/folder1/folder2/certfile.pfx"`.

See [configure the component](#configure-the-component) for more details | `"C:\\folder1\\folder2\\certfile.pfx"`, `"/folder1/folder2/certfile.pfx"` | +| Field | Required | Details | Example | +|--------------------|:--------:|---------|---------| +| vaultName | Y | The name of the Azure Key Vault | `"mykeyvault"` +| spnTenantId | Y | Service Principal Tenant Id | `"spnTenantId"` +| spnClientId | Y | Service Principal App Id | `"spnAppId"` +| spnCertificateFile | Y | PFX certificate file path.

For Windows the `[pfx_certificate_file_fully_qualified_local_path]` value must use escaped backslashes, i.e. double backslashes. For example `"C:\\folder1\\folder2\\certfile.pfx"`.

For Linux you can use single slashes. For example `"/folder1/folder2/certfile.pfx"`.

See [configure the component](#configure-the-component) for more details | `"C:\\folder1\\folder2\\certfile.pfx"`, `"/folder1/folder2/certfile.pfx"` ### Kubernetes -| Field | Required | Details | Example | -|--------------------|:--------:|-------------------------------------------------------------------------|--------------------------| -| vaultName | Y | The name of the Azure Key Vault | `"mykeyvault"` | -| spnTenantId | Y | Service Principal Tenant Id | `"spnTenantId"` | -| spnClientId | Y | Service Principal App Id | `"spnAppId"` | -| spnCertificate | Y | Store the certificate for the service principal into the Kubernetes Secret Store.

kubectl create secret generic [secretName] --from-file=[secretKey]=[fully_qualified_local_path]

See [configure the component](#configure-the-component) for more details | See this guide on [referencing secrets]({{< ref component-secrets.md >}}) to retrieve and use the secret with Dapr components | +| Field | Required | Details | Example | +|----------------|:--------:|---------|---------| +| vaultName | Y | The name of the Azure Key Vault | `"mykeyvault"` +| spnTenantId | Y | Service Principal Tenant Id | `"spnTenantId"` +| spnClientId | Y | Service Principal App Id | `"spnAppId"` +| spnCertificate | Y | PKCS 12 encoded bytes of the certificate. See [configure the component](#configure-the-component) for details on encoding this in a Kubernetes secret. | `secretKeyRef: ...`
See [configure the component](#configure-the-component) for more information. + ## Setup Key Vault and service principal
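Review bot: In the `@@ -47,6 +49,16 @@` hunk of PATCH 1/4 the new Kubernetes table marks `spnCertificate` as Required = Y while the Self-Hosted table marks `spnCertificateFile` as Required = Y, yet the commit message says the point of the change is that `spnCertificate` is an alternative that does not need a file on disk; each table should state that exactly one of the two is set, and the Required column should say so rather than Y on both. The Example column for `spnCertificate` holds a `kubectl create secret generic [name] --from-file=[fully_qualified_local_path]` command instead of an example value, and that command omits the key name, so the key would be derived from the file name; PATCH 2/4 changes the command, but the Required = Y on both rows survives unchanged through PATCH 4/4.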
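Review bot: In the `@@ -31,6 +31,8 @@` hunk of PATCH 2/4, adding `spnCertificate` with `value : "[pfx_certificate_contents_k8s_secret_name]"` to the plain-string example is misleading: every other entry in this block is a literal value, so a literal here would be the PKCS 12 bytes themselves, not the name of a Kubernetes secret, and a secret name belongs in the `secretKeyRef` form this same patch shows in its `@@ -204,7 +207,7 @@` hunk. Listing `spnCertificate` and `spnCertificateFile` side by side also reads as if both are set at once. Since a literal `spnCertificate` value would put the service principal's private key into the component manifest, and the sentence directly below this block already recommends a local secret store, suggest dropping the plain-string `spnCertificate` line here and pointing to the `secretKeyRef` example instead. The added line also uses `value :` with a space before the colon, unlike the `value:` lines above it.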
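Review bot: The `@@ -204,7 +207,7 @@` hunk of PATCH 2/4 correctly brings the `secretKeyRef` key in line with the `--from-file=[your_k8s_spn_secret_key]=...` command from the same patch. With `auth: secretStore: kubernetes` the PFX never appears in the component file, which is the configuration the page should present as the default for Kubernetes; a short sentence above this block saying so would keep readers from copying the plain-string variant earlier in the document.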
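Review bot: The `@@ -33,8 +33,7 @@` hunk of PATCH 3/4 removes `- name: spnCertificate` but keeps a replacement `value : "[pfx_certificate_contents]"` line, so the result is a `spnClientId` item carrying two `value` keys (a duplicate mapping key, which YAML parsers reject or silently collapse) and no `spnCertificate` entry in the example at all. The intent appears to be only the placeholder rename; keep the `- name: spnCertificate` line and replace just the value line, i.e. the hunk should remove and re-add one line, not remove two and add one.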
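Review bot: In the `@@ -45,22 +45,23 @@` hunk of PATCH 4/4 the Kubernetes row for `spnCertificate` still shows Required = Y alongside the Self-Hosted row for `spnCertificateFile` with Required = Y, with nothing saying that only one of the two applies; the Required cell or the Details text should say "one of `spnCertificate` or `spnCertificateFile`". The Example cell `secretKeyRef: ...` is a truncated placeholder rather than a value; either show the three-line `secretKeyRef` fragment used later in the page or refer to it. The added trailing line "See [configure the component](#configure-the-component) for more information." duplicates the link that already appears in both tables' Details cells and can be dropped. Dropping the trailing `|` on each row is fine for the renderer, but the two tables now differ in column widths from the rest of the page; consistent formatting would help future diffs.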