From a0df800d909b536873effd1d49a4791796c838fd Mon Sep 17 00:00:00 2001 From: Hal Spang Date: Thu, 17 Dec 2020 11:28:42 -0800 Subject: [PATCH 1/5] Fix typo in Azure Blob Storage create blob binding https://github.com/dapr/docs/issues/903 --- .../components/setup-bindings/supported-bindings/blobstorage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daprdocs/content/en/operations/components/setup-bindings/supported-bindings/blobstorage.md b/daprdocs/content/en/operations/components/setup-bindings/supported-bindings/blobstorage.md index 49af5d23a..02a38eac2 100644 --- a/daprdocs/content/en/operations/components/setup-bindings/supported-bindings/blobstorage.md +++ b/daprdocs/content/en/operations/components/setup-bindings/supported-bindings/blobstorage.md @@ -38,7 +38,7 @@ The above example uses secrets as plain strings. It is recommended to use a secr ### Create Blob -To perform a get blob operation, invoke the Azure Blob Storage binding with a `POST` method and the following JSON body: +To perform a create blob operation, invoke the Azure Blob Storage binding with a `POST` method and the following JSON body: ```json { From f3d5fe2ccdd799af6941d0a2405249aeaa1c4d05 Mon Sep 17 00:00:00 2001 From: Nghia Tran Date: Thu, 17 Dec 2020 12:19:33 -0800 Subject: [PATCH 2/5] Fix dapr home directory --- daprdocs/content/en/operations/monitoring/zipkin.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/daprdocs/content/en/operations/monitoring/zipkin.md b/daprdocs/content/en/operations/monitoring/zipkin.md index 5939661e5..9221d44f0 100644 --- a/daprdocs/content/en/operations/monitoring/zipkin.md +++ b/daprdocs/content/en/operations/monitoring/zipkin.md 
@@ -11,7 +11,7 @@ type: docs For self hosted mode, on running `dapr init`: -1. The following YAML file is created by default in `$HOME/dapr/config.yaml` (on Linux/Mac) or `%USERPROFILE%\dapr\config.yaml` (on Windows) and it is referenced by default on `dapr run` calls unless otherwise overridden `: +1. The following YAML file is created by default in `$HOME/.dapr/config.yaml` (on Linux/Mac) or `%USERPROFILE%\.dapr\config.yaml` (on Windows) and it is referenced by default on `dapr run` calls unless otherwise overridden `: * config.yaml @@ -24,7 +24,7 @@ metadata: spec: tracing: samplingRate: "1" - zipkin: + zipkin: endpointAddress: "http://localhost:9411/api/v2/spans" ``` @@ -36,7 +36,7 @@ Launch Zipkin using Docker: docker run -d -p 9411:9411 openzipkin/zipkin ``` -3. The applications launched with `dapr run` will by default reference the config file in `$HOME/dapr/config.yaml` or `%USERPROFILE%\dapr\config.yaml` and can be overridden with the Dapr CLI using the `--config` param: +3. The applications launched with `dapr run` will by default reference the config file in `$HOME/.dapr/config.yaml` or `%USERPROFILE%\.dapr\config.yaml` and can be overridden with the Dapr CLI using the `--config` param: ```bash dapr run --app-id mynode --app-port 3000 node app.js From 8b74120e5e05e62a1ce3e53b4786e9139bad65a6 Mon Sep 17 00:00:00 2001 From: Nghia Tran Date: Thu, 17 Dec 2020 12:20:16 -0800 Subject: [PATCH 3/5] Tab -> spaces --- daprdocs/content/en/operations/monitoring/zipkin.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daprdocs/content/en/operations/monitoring/zipkin.md b/daprdocs/content/en/operations/monitoring/zipkin.md index 9221d44f0..cd92af512 100644 --- a/daprdocs/content/en/operations/monitoring/zipkin.md +++ b/daprdocs/content/en/operations/monitoring/zipkin.md 
@@ -25,7 +25,7 @@ spec: tracing: samplingRate: "1" zipkin: - endpointAddress: "http://localhost:9411/api/v2/spans" + endpointAddress: "http://localhost:9411/api/v2/spans" ``` 2. The [openzipkin/zipkin](https://hub.docker.com/r/openzipkin/zipkin/) docker container is launched on running `dapr init` or it can be launched with the following code. From eba2997c30e6a7145105a8bb75c444cb2847d3dd Mon Sep 17 00:00:00 2001 From: Mukundan Sundararajan Date: Thu, 17 Dec 2020 13:33:19 -0800 Subject: [PATCH 4/5] Update referencing secrets document --- .../components/component-secrets.md | 87 +++++++++++-------- 1 file changed, 49 insertions(+), 38 deletions(-) diff --git a/daprdocs/content/en/operations/components/component-secrets.md b/daprdocs/content/en/operations/components/component-secrets.md index 074b691b0..171161457 100644 --- a/daprdocs/content/en/operations/components/component-secrets.md +++ b/daprdocs/content/en/operations/components/component-secrets.md @@ -1,6 +1,6 @@ --- type: docs -title: "How-To: Reference secret stores in components" +title: "How-To: Reference secrets in components" linkTitle: "How-To: Reference secrets" weight: 200 description: "How to securly reference secrets from a component definition" 
@@ -18,40 +18,9 @@ When running in Kubernetes, if the `auth.secretStore` is empty, the Kubernetes s Go to [this]({{< ref "howto-secrets.md" >}}) link to see all the secret stores supported by Dapr, along with information on how to configure and use them. -## Non default namespaces - -If your Dapr enabled apps are using components that fetch secrets from non-default namespaces, apply the following resources to the namespace: - -```yaml ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: secret-reader - namespace: -rules: -- apiGroups: [""] - resources: ["secrets"] - verbs: ["get"] ---- - -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: dapr-secret-reader - namespace: -subjects: -- kind: ServiceAccount - name: default -roleRef: - kind: Role - name: secret-reader - apiGroup: rbac.authorization.k8s.io -``` - ## Examples -Using plain text: +Using plain text secrets (not recommended for production): ```yml apiVersion: dapr.io/v1alpha1 @@ -69,7 +38,7 @@ spec: value: MyPassword ``` -Using a Kubernetes secret: +Referencing secret from a secret store: ```yml apiVersion: dapr.io/v1alpha1 
@@ -88,12 +57,14 @@ spec: name: redis-secret key: redis-password auth: - secretStore: kubernetes + secretStore: ``` -The above example tells Dapr to use the `kubernetes` secret store, extract a secret named `redis-secret` and assign the value of the `redis-password` key in the secret to the `redisPassword` field in the Component. +When running in Kubernetes and using a Kubernetes secret store, either the field `auth.SecretStore` can be empty (as it is assumed to be Kubernetes secret store) or it needs to be `kubernetes`. For all other secret store, the `SECRET_STORE_NAME` is the name of the configured secret store component. -### Creating a secret and referencing it in a Component +The above example tells Dapr to extract a secret named `redis-secret` from the defined secret store and assign the value of the `redis-password` key in the secret to the `redisPassword` field in the Component. + +### Creating a Kubernetes secret and referencing it in a Component The following example shows you how to create a Kubernetes secret to hold the connection string for an Event Hubs binding. 
@@ -126,5 +97,45 @@ Finally, apply the component to the Kubernetes cluster: ```bash kubectl apply -f ./eventhubs.yaml ``` +## Kubernetes -All done! +### Default namespace + +When running in Kubernetes, Dapr, during installtion, defines default Role and RoleBinding for secrets access from Kubernetes secret store in the `default` namespace. For Dapr enabled apps that fetch secrets from `default` namespace, a secret can be defined and referenced in components as shown in the example above. + +### Non default namespaces + +If your Dapr enabled apps are using components that fetch secrets from non-default namespaces, apply the following resources to that namespace: + +```yaml +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: secret-reader + namespace: +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] +--- + +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: dapr-secret-reader + namespace: +subjects: +- kind: ServiceAccount + name: default +roleRef: + kind: Role + name: secret-reader + apiGroup: rbac.authorization.k8s.io +``` + +These resources grant Dapr permissions to get secrets from the Kubernetes secret store for the namespace defined in the Role and RoleBinding. + +{{% alert title="Note" color="warning" %}} +In production scenario to limit Dapr's access to certain secret resources alone, you can use the `resourceNames` field. See this [link](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources) for further explanation. +{{% /alert %}} From 2ad2c7a7b76a3555d3db96832508c142071fbda0 Mon Sep 17 00:00:00 2001 From: Mukundan Sundararajan Date: Thu, 17 Dec 2020 14:10:07 -0800 Subject: [PATCH 5/5] Update docs --- .../components/component-secrets.md | 69 +++++++++---------- 1 file changed, 34 insertions(+), 35 deletions(-) 
diff --git a/daprdocs/content/en/operations/components/component-secrets.md b/daprdocs/content/en/operations/components/component-secrets.md index 171161457..bd4c4f20f 100644 --- a/daprdocs/content/en/operations/components/component-secrets.md +++ b/daprdocs/content/en/operations/components/component-secrets.md @@ -18,9 +18,9 @@ When running in Kubernetes, if the `auth.secretStore` is empty, the Kubernetes s Go to [this]({{< ref "howto-secrets.md" >}}) link to see all the secret stores supported by Dapr, along with information on how to configure and use them. -## Examples +## Referencing secrets -Using plain text secrets (not recommended for production): +While you have the option to use plain text secrets, this is not recommended for production: ```yml apiVersion: dapr.io/v1alpha1 @@ -38,7 +38,7 @@ spec: value: MyPassword ``` -Referencing secret from a secret store: +Instead create the secret in your secret store and reference it in the component definition: ```yml apiVersion: dapr.io/v1alpha1 
@@ -60,50 +60,49 @@ auth: secretStore: ``` -When running in Kubernetes and using a Kubernetes secret store, either the field `auth.SecretStore` can be empty (as it is assumed to be Kubernetes secret store) or it needs to be `kubernetes`. For all other secret store, the `SECRET_STORE_NAME` is the name of the configured secret store component. +`SECRET_STORE_NAME` is the name of the configured [secret store component]({{< ref supported-secret-stores >}}). When running in Kubernetes and using a Kubernetes secret store, the field `auth.SecretStore` defaults to `kubernetes` and can be left empty. -The above example tells Dapr to extract a secret named `redis-secret` from the defined secret store and assign the value of the `redis-password` key in the secret to the `redisPassword` field in the Component. +The above component definition tells Dapr to extract a secret named `redis-secret` from the defined secret store and assign the value of the `redis-password` key in the secret to the `redisPassword` field in the Component. -### Creating a Kubernetes secret and referencing it in a Component +## Example + +### Referencing a Kubernetes secret The following example shows you how to create a Kubernetes secret to hold the connection string for an Event Hubs binding. -First, create the Kubernetes secret: +1. First, create the Kubernetes secret: + ```bash + kubectl create secret generic eventhubs-secret --from-literal=connectionString=********* + ``` -```bash -kubectl create secret generic eventhubs-secret --from-literal=connectionString=********* -``` +2. 
Next, reference the secret in your binding: + ```yaml + apiVersion: dapr.io/v1alpha1 + kind: Component + metadata: + name: eventhubs + namespace: default + spec: + type: bindings.azure.eventhubs + version: v1 + metadata: + - name: connectionString + secretKeyRef: + name: eventhubs-secret + key: connectionString + ``` -Next, reference the secret in your binding: - -```yaml -apiVersion: dapr.io/v1alpha1 -kind: Component -metadata: - name: eventhubs - namespace: default -spec: - type: bindings.azure.eventhubs - version: v1 - metadata: - - name: connectionString - secretKeyRef: - name: eventhubs-secret - key: connectionString -``` - -Finally, apply the component to the Kubernetes cluster: - -```bash -kubectl apply -f ./eventhubs.yaml -``` -## Kubernetes +3. Finally, apply the component to the Kubernetes cluster: + ```bash + kubectl apply -f ./eventhubs.yaml + ``` +## Kubernetes permissions ### Default namespace When running in Kubernetes, Dapr, during installtion, defines default Role and RoleBinding for secrets access from Kubernetes secret store in the `default` namespace. For Dapr enabled apps that fetch secrets from `default` namespace, a secret can be defined and referenced in components as shown in the example above. -### Non default namespaces +### Non-default namespaces If your Dapr enabled apps are using components that fetch secrets from non-default namespaces, apply the following resources to that namespace:
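Review bot: In patch 2/5 (zipkin.md, hunk @@ -11,7), the replacement line still ends with the stray backtick from the original: "unless otherwise overridden `:". That opens an unclosed inline code span when rendered, so while fixing the path, change the ending to `unless otherwise overridden:`.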
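Review bot: In patch 4/5 (component-secrets.md, hunk @@ -1,6), the unchanged `description:` line two lines below the edited title reads "How to securly reference secrets"; since the front matter is being touched anyway, correct "securly" to "securely" in the same commit.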
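Review bot: In patch 4/5 (hunk @@ -88,12 +57,14), the new prose calls the field `auth.SecretStore`, but the YAML in the same hunk and the hunk's own context line use `auth.secretStore`; YAML keys are case-sensitive, so use `auth.secretStore` throughout. The snippet now shows `secretStore:` with no value while the text refers to `SECRET_STORE_NAME`, so a reader cannot see where that placeholder belongs; render the placeholder in the snippet itself. Minor grammar: "For all other secret store" should be "For all other secret stores".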
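Review bot: In patch 4/5 (hunk @@ -126,5 +97,45), the RoleBinding subject is the `default` ServiceAccount of the namespace, so every pod in that namespace that runs under the default service account, not only Dapr sidecars, gains `get` on all Secrets there; the sentence "These resources grant Dapr permissions to get secrets" understates that, and the warning about `resourceNames` would be stronger if it also suggested running Dapr-enabled apps under a dedicated ServiceAccount and binding the Role to that instead. Both `namespace:` values in the Role and RoleBinding are blank as shown, so mark them as placeholders the reader must fill in. Typos and grammar: "installtion" should be "installation", and "In production scenario to limit Dapr's access to certain secret resources alone, you can use the `resourceNames` field" reads better as "In production, to limit Dapr's access to specific secrets, use the `resourceNames` field". The new `## Kubernetes` heading is placed directly after the closing fence with no blank line between them.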
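Review bot: In patch 5/5 (hunk @@ -60,50), the rewritten sentence still uses `auth.SecretStore` while the YAML key is `auth.secretStore`; fix the casing here as well. The "installtion" typo from patch 4 survives in the unchanged context line under `### Default namespace`, and the renamed `## Kubernetes permissions` heading still follows the closing fence of the `kubectl apply` block with no blank line. For consistency with the earlier `{{< ref "howto-secrets.md" >}}`, quote the argument in the new `{{< ref supported-secret-stores >}}` shortcode.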