From a0df800d909b536873effd1d49a4791796c838fd Mon Sep 17 00:00:00 2001 From: Hal Spang Date: Thu, 17 Dec 2020 11:28:42 -0800 Subject: [PATCH 1/8] Fix typo in Azure Blob Storage create blob binding https://github.com/dapr/docs/issues/903 --- .../components/setup-bindings/supported-bindings/blobstorage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daprdocs/content/en/operations/components/setup-bindings/supported-bindings/blobstorage.md b/daprdocs/content/en/operations/components/setup-bindings/supported-bindings/blobstorage.md index 49af5d23a..02a38eac2 100644 --- a/daprdocs/content/en/operations/components/setup-bindings/supported-bindings/blobstorage.md +++ b/daprdocs/content/en/operations/components/setup-bindings/supported-bindings/blobstorage.md @@ -38,7 +38,7 @@ The above example uses secrets as plain strings. It is recommended to use a secr ### Create Blob -To perform a get blob operation, invoke the Azure Blob Storage binding with a `POST` method and the following JSON body: +To perform a create blob operation, invoke the Azure Blob Storage binding with a `POST` method and the following JSON body: ```json { From f3d5fe2ccdd799af6941d0a2405249aeaa1c4d05 Mon Sep 17 00:00:00 2001 From: Nghia Tran Date: Thu, 17 Dec 2020 12:19:33 -0800 Subject: [PATCH 2/8] Fix dapr home directory --- daprdocs/content/en/operations/monitoring/zipkin.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/daprdocs/content/en/operations/monitoring/zipkin.md b/daprdocs/content/en/operations/monitoring/zipkin.md index 5939661e5..9221d44f0 100644 --- a/daprdocs/content/en/operations/monitoring/zipkin.md +++ b/daprdocs/content/en/operations/monitoring/zipkin.md 
@@ -11,7 +11,7 @@ type: docs For self hosted mode, on running `dapr init`: -1. The following YAML file is created by default in `$HOME/dapr/config.yaml` (on Linux/Mac) or `%USERPROFILE%\dapr\config.yaml` (on Windows) and it is referenced by default on `dapr run` calls unless otherwise overridden `: +1. The following YAML file is created by default in `$HOME/.dapr/config.yaml` (on Linux/Mac) or `%USERPROFILE%\.dapr\config.yaml` (on Windows) and it is referenced by default on `dapr run` calls unless otherwise overridden `: * config.yaml @@ -24,7 +24,7 @@ metadata: spec: tracing: samplingRate: "1" - zipkin: + zipkin: endpointAddress: "http://localhost:9411/api/v2/spans" ``` @@ -36,7 +36,7 @@ Launch Zipkin using Docker: docker run -d -p 9411:9411 openzipkin/zipkin ``` -3. The applications launched with `dapr run` will by default reference the config file in `$HOME/dapr/config.yaml` or `%USERPROFILE%\dapr\config.yaml` and can be overridden with the Dapr CLI using the `--config` param: +3. The applications launched with `dapr run` will by default reference the config file in `$HOME/.dapr/config.yaml` or `%USERPROFILE%\.dapr\config.yaml` and can be overridden with the Dapr CLI using the `--config` param: ```bash dapr run --app-id mynode --app-port 3000 node app.js From 8b74120e5e05e62a1ce3e53b4786e9139bad65a6 Mon Sep 17 00:00:00 2001 From: Nghia Tran Date: Thu, 17 Dec 2020 12:20:16 -0800 Subject: [PATCH 3/8] Tab -> spaces --- daprdocs/content/en/operations/monitoring/zipkin.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daprdocs/content/en/operations/monitoring/zipkin.md b/daprdocs/content/en/operations/monitoring/zipkin.md index 9221d44f0..cd92af512 100644 --- a/daprdocs/content/en/operations/monitoring/zipkin.md +++ b/daprdocs/content/en/operations/monitoring/zipkin.md 
@@ -25,7 +25,7 @@ spec: tracing: samplingRate: "1" zipkin: - endpointAddress: "http://localhost:9411/api/v2/spans" + endpointAddress: "http://localhost:9411/api/v2/spans" ``` 2. The [openzipkin/zipkin](https://hub.docker.com/r/openzipkin/zipkin/) docker container is launched on running `dapr init` or it can be launched with the following code. From c35ea4edef1dc4f109a9b300e5ab06cc9c076293 Mon Sep 17 00:00:00 2001 From: Hal Spang Date: Thu, 17 Dec 2020 13:24:32 -0800 Subject: [PATCH 4/8] Fix link in get How To: Retrieve a secret Link was referencing old github file structure instead of using the hugo link method. https://github.com/dapr/docs/issues/957 --- .../building-blocks/secrets/howto-secrets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daprdocs/content/en/developing-applications/building-blocks/secrets/howto-secrets.md b/daprdocs/content/en/developing-applications/building-blocks/secrets/howto-secrets.md index 512704261..21e679fec 100644 --- a/daprdocs/content/en/developing-applications/building-blocks/secrets/howto-secrets.md +++ b/daprdocs/content/en/developing-applications/building-blocks/secrets/howto-secrets.md @@ -36,7 +36,7 @@ Watch this [video](https://www.youtube.com/watch?v=OtbYCBt9C34&feature=youtu.be& Now that the secret store is set up, you can call Dapr to get the secrets for a given key for a specific secret store. -For a full API reference, go [here](https://github.com/dapr/docs/blob/master/reference/api/secrets_api.md). +For a full API reference, go [here]({{< ref "/operations/components/setup-bindings/supported-bindings/blobstorage.md" >}}). Here are a few examples in different programming languages: From eba2997c30e6a7145105a8bb75c444cb2847d3dd Mon Sep 17 00:00:00 2001 From: Mukundan Sundararajan Date: Thu, 17 Dec 2020 13:33:19 -0800 Subject: [PATCH 5/8] Update referencing secrets document --- .../components/component-secrets.md | 87 +++++++++++-------- 1 file changed, 49 insertions(+), 38 deletions(-) 
diff --git a/daprdocs/content/en/operations/components/component-secrets.md b/daprdocs/content/en/operations/components/component-secrets.md index 074b691b0..171161457 100644 --- a/daprdocs/content/en/operations/components/component-secrets.md +++ b/daprdocs/content/en/operations/components/component-secrets.md @@ -1,6 +1,6 @@ --- type: docs -title: "How-To: Reference secret stores in components" +title: "How-To: Reference secrets in components" linkTitle: "How-To: Reference secrets" weight: 200 description: "How to securly reference secrets from a component definition" @@ -18,40 +18,9 @@ When running in Kubernetes, if the `auth.secretStore` is empty, the Kubernetes s Go to [this]({{< ref "howto-secrets.md" >}}) link to see all the secret stores supported by Dapr, along with information on how to configure and use them. -## Non default namespaces - -If your Dapr enabled apps are using components that fetch secrets from non-default namespaces, apply the following resources to the namespace: - -```yaml ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: secret-reader - namespace: -rules: -- apiGroups: [""] - resources: ["secrets"] - verbs: ["get"] ---- - -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: dapr-secret-reader - namespace: -subjects: -- kind: ServiceAccount - name: default -roleRef: - kind: Role - name: secret-reader - apiGroup: rbac.authorization.k8s.io -``` - ## Examples -Using plain text: +Using plain text secrets (not recommended for production): ```yml apiVersion: dapr.io/v1alpha1 @@ -69,7 +38,7 @@ spec: value: MyPassword ``` -Using a Kubernetes secret: +Referencing secret from a secret store: ```yml apiVersion: dapr.io/v1alpha1 
@@ -88,12 +57,14 @@ spec: name: redis-secret key: redis-password auth: - secretStore: kubernetes + secretStore: ``` -The above example tells Dapr to use the `kubernetes` secret store, extract a secret named `redis-secret` and assign the value of the `redis-password` key in the secret to the `redisPassword` field in the Component. +When running in Kubernetes and using a Kubernetes secret store, either the field `auth.SecretStore` can be empty (as it is assumed to be Kubernetes secret store) or it needs to be `kubernetes`. For all other secret store, the `SECRET_STORE_NAME` is the name of the configured secret store component. -### Creating a secret and referencing it in a Component +The above example tells Dapr to extract a secret named `redis-secret` from the defined secret store and assign the value of the `redis-password` key in the secret to the `redisPassword` field in the Component. + +### Creating a Kubernetes secret and referencing it in a Component The following example shows you how to create a Kubernetes secret to hold the connection string for an Event Hubs binding. 
@@ -126,5 +97,45 @@ Finally, apply the component to the Kubernetes cluster: ```bash kubectl apply -f ./eventhubs.yaml ``` +## Kubernetes -All done! +### Default namespace + +When running in Kubernetes, Dapr, during installtion, defines default Role and RoleBinding for secrets access from Kubernetes secret store in the `default` namespace. For Dapr enabled apps that fetch secrets from `default` namespace, a secret can be defined and referenced in components as shown in the example above. + +### Non default namespaces + +If your Dapr enabled apps are using components that fetch secrets from non-default namespaces, apply the following resources to that namespace: + +```yaml +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: secret-reader + namespace: +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] +--- + +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: dapr-secret-reader + namespace: +subjects: +- kind: ServiceAccount + name: default +roleRef: + kind: Role + name: secret-reader + apiGroup: rbac.authorization.k8s.io +``` + +These resources grant Dapr permissions to get secrets from the Kubernetes secret store for the namespace defined in the Role and RoleBinding. + +{{% alert title="Note" color="warning" %}} +In production scenario to limit Dapr's access to certain secret resources alone, you can use the `resourceNames` field. See this [link](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources) for further explanation. +{{% /alert %}} From 2ad2c7a7b76a3555d3db96832508c142071fbda0 Mon Sep 17 00:00:00 2001 From: Mukundan Sundararajan Date: Thu, 17 Dec 2020 14:10:07 -0800 Subject: [PATCH 6/8] Update docs --- .../components/component-secrets.md | 69 +++++++++---------- 1 file changed, 34 insertions(+), 35 deletions(-) 
diff --git a/daprdocs/content/en/operations/components/component-secrets.md b/daprdocs/content/en/operations/components/component-secrets.md index 171161457..bd4c4f20f 100644 --- a/daprdocs/content/en/operations/components/component-secrets.md +++ b/daprdocs/content/en/operations/components/component-secrets.md @@ -18,9 +18,9 @@ When running in Kubernetes, if the `auth.secretStore` is empty, the Kubernetes s Go to [this]({{< ref "howto-secrets.md" >}}) link to see all the secret stores supported by Dapr, along with information on how to configure and use them. -## Examples +## Referencing secrets -Using plain text secrets (not recommended for production): +While you have the option to use plain text secrets, this is not recommended for production: ```yml apiVersion: dapr.io/v1alpha1 @@ -38,7 +38,7 @@ spec: value: MyPassword ``` -Referencing secret from a secret store: +Instead create the secret in your secret store and reference it in the component definition: ```yml apiVersion: dapr.io/v1alpha1 
@@ -60,50 +60,49 @@ auth: secretStore: ``` -When running in Kubernetes and using a Kubernetes secret store, either the field `auth.SecretStore` can be empty (as it is assumed to be Kubernetes secret store) or it needs to be `kubernetes`. For all other secret store, the `SECRET_STORE_NAME` is the name of the configured secret store component. +`SECRET_STORE_NAME` is the name of the configured [secret store component]({{< ref supported-secret-stores >}}). When running in Kubernetes and using a Kubernetes secret store, the field `auth.SecretStore` defaults to `kubernetes` and can be left empty. -The above example tells Dapr to extract a secret named `redis-secret` from the defined secret store and assign the value of the `redis-password` key in the secret to the `redisPassword` field in the Component. +The above component definition tells Dapr to extract a secret named `redis-secret` from the defined secret store and assign the value of the `redis-password` key in the secret to the `redisPassword` field in the Component. -### Creating a Kubernetes secret and referencing it in a Component +## Example + +### Referencing a Kubernetes secret The following example shows you how to create a Kubernetes secret to hold the connection string for an Event Hubs binding. -First, create the Kubernetes secret: +1. First, create the Kubernetes secret: + ```bash + kubectl create secret generic eventhubs-secret --from-literal=connectionString=********* + ``` -```bash -kubectl create secret generic eventhubs-secret --from-literal=connectionString=********* -``` +2. 
Next, reference the secret in your binding: + ```yaml + apiVersion: dapr.io/v1alpha1 + kind: Component + metadata: + name: eventhubs + namespace: default + spec: + type: bindings.azure.eventhubs + version: v1 + metadata: + - name: connectionString + secretKeyRef: + name: eventhubs-secret + key: connectionString + ``` -Next, reference the secret in your binding: - -```yaml -apiVersion: dapr.io/v1alpha1 -kind: Component -metadata: - name: eventhubs - namespace: default -spec: - type: bindings.azure.eventhubs - version: v1 - metadata: - - name: connectionString - secretKeyRef: - name: eventhubs-secret - key: connectionString -``` - -Finally, apply the component to the Kubernetes cluster: - -```bash -kubectl apply -f ./eventhubs.yaml -``` -## Kubernetes +3. Finally, apply the component to the Kubernetes cluster: + ```bash + kubectl apply -f ./eventhubs.yaml + ``` +## Kubernetes permissions ### Default namespace When running in Kubernetes, Dapr, during installtion, defines default Role and RoleBinding for secrets access from Kubernetes secret store in the `default` namespace. For Dapr enabled apps that fetch secrets from `default` namespace, a secret can be defined and referenced in components as shown in the example above. -### Non default namespaces +### Non-default namespaces If your Dapr enabled apps are using components that fetch secrets from non-default namespaces, apply the following resources to that namespace: From f8eda4cd32ff97d05061be41d5277f0e66c1df9b Mon Sep 17 00:00:00 2001 From: Ori Zohar Date: Thu, 17 Dec 2020 14:51:31 -0800 Subject: [PATCH 7/8] Adding embedded Dapr video to overview --- daprdocs/content/en/concepts/overview.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/daprdocs/content/en/concepts/overview.md b/daprdocs/content/en/concepts/overview.md index 7031fd901..fb1a029b9 100644 --- a/daprdocs/content/en/concepts/overview.md +++ b/daprdocs/content/en/concepts/overview.md 
@@ -7,7 +7,9 @@ description: > Introduction to the Distributed Application Runtime --- -Dapr is a portable, event-driven runtime that makes it easy for enterprise developers to build resilient, stateless and stateful microservice applications that run on the cloud and edge and embraces the diversity of languages and developer frameworks. +Dapr is a portable, event-driven runtime that makes it easy for any developer to build resilient, stateless and stateful applications that run on the cloud and edge and embraces the diversity of languages and developer frameworks. + +{{< youtube 9o9iDAgYBA8 >}} ## Any language, any framework, anywhere From 6ab4d3bf8ad9ccc59b46891c850c93d421b15e42 Mon Sep 17 00:00:00 2001 From: Aaron Crawfis Date: Thu, 17 Dec 2020 14:57:16 -0800 Subject: [PATCH 8/8] Update link --- .../building-blocks/secrets/howto-secrets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daprdocs/content/en/developing-applications/building-blocks/secrets/howto-secrets.md b/daprdocs/content/en/developing-applications/building-blocks/secrets/howto-secrets.md index 21e679fec..a73f15fe9 100644 --- a/daprdocs/content/en/developing-applications/building-blocks/secrets/howto-secrets.md +++ b/daprdocs/content/en/developing-applications/building-blocks/secrets/howto-secrets.md @@ -36,7 +36,7 @@ Watch this [video](https://www.youtube.com/watch?v=OtbYCBt9C34&feature=youtu.be& Now that the secret store is set up, you can call Dapr to get the secrets for a given key for a specific secret store. -For a full API reference, go [here]({{< ref "/operations/components/setup-bindings/supported-bindings/blobstorage.md" >}}). +For a full API reference, go [here]({{< ref secrets_api.md >}}). Here are a few examples in different programming languages:
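Review bot: in PATCH 2/8, zipkin.md hunk `@@ -11,7 +11,7 @@`, the corrected line still carries a stray backtick and colon at its end (`unless otherwise overridden `:`), so the `.dapr` fix ships with the pre-existing typo intact; since the line is being rewritten anyway, end it with `unless otherwise overridden:`.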
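Review bot: in PATCH 4/8, howto-secrets.md hunk `@@ -36,7 +36,7 @@`, the new link target is wrong: the sentence promises the secrets API reference, but the `ref` points at `/operations/components/setup-bindings/supported-bindings/blobstorage.md`, the Azure Blob Storage binding page. PATCH 8/8 replaces it with `{{< ref secrets_api.md >}}`; squash the two so no intermediate commit publishes the misleading link.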
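Review bot: in PATCH 5/8, component-secrets.md hunk `@@ -88,12 +57,14 @@`, the added prose names the field `auth.SecretStore` while the YAML directly above it and the unchanged context at the top of the file use `auth.secretStore`; YAML keys are case-sensitive, so keep the lowercase form in the text. The same hunk leaves the value after `secretStore:` empty while the paragraph refers to `SECRET_STORE_NAME`; make sure the placeholder actually appears in the YAML block (an angle-bracketed placeholder will be swallowed as an HTML tag unless escaped). Minor: "For all other secret store" should read "For all other secret stores".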
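Review bot: in PATCH 5/8, component-secrets.md hunk `@@ -126,5 +97,45 @@`, the RoleBinding grants `get` on every Secret in the namespace to the `default` ServiceAccount, which means any pod in that namespace that has not been given its own ServiceAccount can read all of those secrets, not just the Dapr sidecar. Rather than leaving least privilege to the warning alert at the end, show it in the example itself: bind a dedicated ServiceAccount used by the Dapr-enabled pods and add `resourceNames: ["redis-secret"]` (or whatever the app needs) to the Role, with the alert explaining how to widen it. Also fix "installtion" to "installation" and "In production scenario" to "In production scenarios", and confirm the empty `namespace:` values in the Role and RoleBinding carry a visible placeholder after rendering.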
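Review bot: in PATCH 6/8, component-secrets.md hunk `@@ -60,50 +60,49 @@`, the rewritten sentence still says `auth.SecretStore` (the component YAML uses `secretStore`), the unchanged context paragraph under `### Default namespace` still contains "installtion", and the new `## Kubernetes permissions` heading follows the closing ```` ``` ```` of step 3 with no blank line, which some Markdown renderers will fold into the code block; add the blank line and fix both spellings while this region is being touched.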