Update component-secrets.md

georgestevens99 2021-08-31 15:58:01 -04:00
parent a30adfb062
commit b420062481
1 changed files with 29 additions and 3 deletions

@ -20,7 +20,7 @@ Go to [this]({{< ref "howto-secrets.md" >}}) link to see all the secret stores s
## Referencing secrets
While you have the option to use plain text secrets, this is not recommended for production:
While you have the option to use plain text secrets (like MyPassword), as shown in the yaml below for the `value` of `redisPassword`, this is not recommended for production:
```yml
apiVersion: dapr.io/v1alpha1
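Review bot: In the added sentence, the example value MyPassword is left as plain text while `value` and `redisPassword` in the same sentence use code formatting. Put it in backticks too, so it reads as the literal from the component definition below, and write "YAML" rather than "yaml" in prose.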
@ -38,7 +38,9 @@ spec:
value: MyPassword
```
Instead create the secret in your secret store and reference it in the component definition:
Instead create the secret in your secret store and reference it in the component definition. There are 2 cases for this shown below -- A Standard Case and a Special Case.
The Standard Case applies when there is an key embedded within the secret, i.e. the secret is NOT an entire connection string. The below component definition yaml is for the Standard Case.
```yml
apiVersion: dapr.io/v1alpha1
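Review bot: "an key" on the added Standard Case line should be "a key". The phrase "key embedded within the secret" is also hard to follow on first read; since the component references a secret by `name` and `key`, it would be clearer to say that the secret holds one or more key/value pairs and the component selects one of them by `key`. Minor style: "2 cases" reads better as "two cases", and the "--" can be a colon.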
@ -62,7 +64,31 @@ auth:
`SECRET_STORE_NAME` is the name of the configured [secret store component]({{< ref supported-secret-stores >}}). When running in Kubernetes and using a Kubernetes secret store, the field `auth.SecretStore` defaults to `kubernetes` and can be left empty.
The above component definition tells Dapr to extract a secret named `redis-secret` from the defined secret store and assign the value of the `redis-password` key in the secret to the `redisPassword` field in the Component.
The above component definition tells Dapr to extract a secret named `redis-secret` from the defined `secretStore` and assign the value of the `redis-password` key embedded in the secret to the `redisPassword` field in the component.
On the other hand, the below Special Case applies when there is NOT a key embedded in the secret. Rather, the secret is just a string. Therefore, in the `secretKeyRef` section both the secret `name` and the secret `key` will be identical. This is the case when the secret is an entire connection string with no embedded key whose value needs to be extracted. This Special Case is shown in the below component definition yaml.
```yml
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
name: servicec-inputq-azkvsecret-asbqueue
spec:
type: bindings.azure.servicebusqueues
version: v1
metadata:
-name: connectionString
secretKeyRef:
name: asbNsConnString
key: asbNsConnString
-name: queueName
value: servicec-inputq
auth:
secretStore: <SECRET_STORE_NAME>
```
The above Special Case yaml tells Dapr to extract a secret named `asbNsConnstring` from the defined `secretStore` and assign the value of secret to the `connectionString` field in the component since there is no key embedded in the secret because it is a plain string. This requires the secret `name` and secret `key` to be identical.
## Example
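Review bot: In the added Special Case YAML, `-name: connectionString` and `-name: queueName` have no space after the dash, so YAML does not treat them as list items; they need to be written `- name: ...` or anyone who copies the block gets a component that fails to load. The closing paragraph also names the secret `asbNsConnstring` while the YAML uses `asbNsConnString`; since the text says the `name` and `key` must be identical, the prose should match the YAML's casing exactly. "assign the value of secret" is missing "the".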