Merge branch 'v1.1' into aacrawfi/security-docs

2021-04-28 14:45:01 -07:00 · 2021-04-28 14:45:01 -07:00 · bc24da3580
parent 5d843699e2 8ff1c14743
commit bc24da3580
2 changed files with 42 additions and 14 deletions
--- a/daprdocs/content/en/getting-started/get-started-api.md
+++ b/daprdocs/content/en/getting-started/get-started-api.md
@ -11,7 +11,7 @@ You will now run the sidecar and call the API directly (simulating what an appli

 ## Step 1: Run the Dapr sidecar

-One the most useful Dapr CLI commands is [`dapr run`]({{< ref dapr-run.md >}}). This command launches an application together with a sidecar. For the purpose of this tutorial you'll run the sidecar without an application.
+One of the most useful Dapr CLI commands is [`dapr run`]({{< ref dapr-run.md >}}). This command launches an application together with a sidecar. For the purpose of this tutorial you'll run the sidecar without an application.

 Run the following command to launch a Dapr sidecar that will listen on port 3500 for a blank application named myapp:

@ -23,7 +23,20 @@ With this command, no custom component folder was defined, so Dapr uses the defa

 ## Step 2: Save state

-In a separate terminal run:
+We will now update the state with an object. The new state will look like this:
+
+```json
+[
+  {
+    "key": "name",
+    "value": "Bruce Wayne"
+  }
+]
+```
+
+Notice, the object contained in the state has a `key` assigned with the value `name`. You will use the key in the next step.
+
+Run the command shown below to store the new state.

 {{< tabs "HTTP API (Bash)" "HTTP API (PowerShell)">}}
 {{% codetab %}}
@ -44,7 +57,7 @@ Invoke-RestMethod -Method Post -ContentType 'application/json' -Body '[{ "key":

 ## Step 3: Get state

-Now get the state you just stored using a key with the state management API:
+Now get the object you just stored in the state by using the state management API with the key `name`:

 {{< tabs "HTTP API (Bash)" "HTTP API (PowerShell)">}}

--- a/daprdocs/content/en/reference/components-reference/supported-secret-stores/azure-keyvault.md
+++ b/daprdocs/content/en/reference/components-reference/supported-secret-stores/azure-keyvault.md
@ -33,6 +33,7 @@ spec:
    value: "[your_service_principal_tenant_id]"
  - name: spnClientId
    value: "[your_service_principal_app_id]"
+    value : "[pfx_certificate_contents]"
  - name: spnCertificateFile
    value : "[pfx_certificate_file_fully_qualified_local_path]"
 ```
@ -42,12 +43,25 @@ The above example uses secrets as plain strings. It is recommended to use a loca

 ## Spec metadata fields

-| Field              | Required | Details                                                                 | Example                  |
-|--------------------|:--------:|-------------------------------------------------------------------------|--------------------------|
-| vaultName          | Y        | The name of the Azure Key Vault                                         | `"mykeyvault"`           |
-| spnTenantId        | Y        | Service Principal Tenant Id                                        | `"spnTenantId"`          |
-| spnClientId        | Y        | Service Principal App Id                                           | `"spnAppId"`             |
-| spnCertificateFile | Y        | PFX certificate file path. <br></br> For Windows the `[pfx_certificate_file_fully_qualified_local_path]` value must use escaped backslashes, i.e. double backslashes. For example `"C:\\folder1\\folder2\\certfile.pfx"`. <br></br> For Linux you can use single slashes. For example `"/folder1/folder2/certfile.pfx"`.  <br></br> See [configure the component](#configure-the-component) for more details | `"C:\\folder1\\folder2\\certfile.pfx"`, `"/folder1/folder2/certfile.pfx"`        |
+### Self-Hosted
+
+| Field              | Required | Details | Example |
+|--------------------|:--------:|---------|---------|
+| vaultName          | Y        | The name of the Azure Key Vault | `"mykeyvault"`
+| spnTenantId        | Y        | Service Principal Tenant Id | `"spnTenantId"`
+| spnClientId        | Y        | Service Principal App Id | `"spnAppId"`
+| spnCertificateFile | Y        | PFX certificate file path. <br></br> For Windows the `[pfx_certificate_file_fully_qualified_local_path]` value must use escaped backslashes, i.e. double backslashes. For example `"C:\\folder1\\folder2\\certfile.pfx"`. <br></br> For Linux you can use single slashes. For example `"/folder1/folder2/certfile.pfx"`.  <br></br> See [configure the component](#configure-the-component) for more details | `"C:\\folder1\\folder2\\certfile.pfx"`, `"/folder1/folder2/certfile.pfx"`
+
+
+### Kubernetes
+
+| Field          | Required | Details | Example |
+|----------------|:--------:|---------|---------|
+| vaultName      | Y        | The name of the Azure Key Vault | `"mykeyvault"`
+| spnTenantId    | Y        | Service Principal Tenant Id | `"spnTenantId"`
+| spnClientId    | Y        | Service Principal App Id | `"spnAppId"`
+| spnCertificate | Y        | PKCS 12 encoded bytes of the certificate. See [configure the component](#configure-the-component) for details on encoding this in a Kubernetes secret. | `secretKeyRef: ...` <br /> See [configure the component](#configure-the-component) for more information.
+

 ## Setup Key Vault and service principal

@ -63,7 +77,7 @@ The above example uses secrets as plain strings. It is recommended to use a loca
    ```bash
    # Log in Azure
    az login
-    
+
    # Set your subscription to the default subscription
    az account set -s [your subscription id]
    ```
@ -80,7 +94,7 @@ The above example uses secrets as plain strings. It is recommended to use a loca

    ```bash
    az ad sp create-for-rbac --name [your_service_principal_name] --create-cert --cert [certificate_name] --keyvault [your_keyvault] --skip-assignment --years 1
-    
+
    {
       "appId": "a4f90000-0000-0000-0000-00000011d000",
       "displayName": "[your_service_principal_name]",
@ -96,7 +110,7 @@ The above example uses secrets as plain strings. It is recommended to use a loca

    ```bash
    az ad sp show --id [service_principal_app_id]
-    
+
    {
        ...
        "objectId": "[your_service_principal_object_id]",
@ -165,11 +179,12 @@ In Kubernetes, you store the certificate for the service principal into the Kube
 1. Create a kubernetes secret using the following command:

   ```bash
-   kubectl create secret generic [your_k8s_spn_secret_name] --from-file=[pfx_certificate_file_fully_qualified_local_path]
+   kubectl create secret generic [your_k8s_spn_secret_name] --from-file=[your_k8s_spn_secret_key]=[pfx_certificate_file_fully_qualified_local_path]
   ```

 - `[pfx_certificate_file_fully_qualified_local_path]` is the path of PFX cert file you downloaded above
 - `[your_k8s_spn_secret_name]` is secret name in Kubernetes secret store
+- `[your_k8s_spn_secret_key]` is secret key in Kubernetes secret store

 2. Create a `azurekeyvault.yaml` component file

@ -194,7 +209,7 @@ spec:
  - name: spnCertificate
    secretKeyRef:
      name: [your_k8s_spn_secret_name]
-      key: [pfx_certificate_file_fully_qualified_local_path]
+      key: [your_k8s_spn_secret_key]
 auth:
    secretStore: kubernetes
 ```