From fca5ba98b11315f6321400d2739d3963e2c2f04a Mon Sep 17 00:00:00 2001 From: Donovan Brown Date: Fri, 9 Apr 2021 07:30:42 -0500 Subject: [PATCH 1/6] Added table to show Kubernetes options When I read this doc it was unclear that the cert could be provided as a secret. The only table on the original version showed `spnCertificateFile` as a required option. I added a second table to make it clear that in Kubernetes there is a `spnCertificate` option that does not require a file on disk. --- .../supported-secret-stores/azure-keyvault.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/daprdocs/content/en/operations/components/setup-secret-store/supported-secret-stores/azure-keyvault.md b/daprdocs/content/en/operations/components/setup-secret-store/supported-secret-stores/azure-keyvault.md index db83a3a7d..c17c2e2a8 100644 --- a/daprdocs/content/en/operations/components/setup-secret-store/supported-secret-stores/azure-keyvault.md +++ b/daprdocs/content/en/operations/components/setup-secret-store/supported-secret-stores/azure-keyvault.md @@ -40,6 +40,8 @@ The above example uses secrets as plain strings. It is recommended to use a loca ## Spec metadata fields +### Self-Hosted + | Field | Required | Details | Example | |--------------------|:--------:|-------------------------------------------------------------------------|--------------------------| | vaultName | Y | The name of the Azure Key Vault | `"mykeyvault"` | @@ -47,6 +49,16 @@ The above example uses secrets as plain strings. It is recommended to use a loca | spnClientId | Y | Service Principal App Id | `"spnAppId"` | | spnCertificateFile | Y | PFX certificate file path.

For Windows the `[pfx_certificate_file_fully_qualified_local_path]` value must use escaped backslashes, i.e. double backslashes. For example `"C:\\folder1\\folder2\\certfile.pfx"`.

For Linux you can use single slashes. For example `"/folder1/folder2/certfile.pfx"`.

See [configure the component](#configure-the-component) for more details | `"C:\\folder1\\folder2\\certfile.pfx"`, `"/folder1/folder2/certfile.pfx"` | + +### Kubernetes + +| Field | Required | Details | Example | +|--------------------|:--------:|-------------------------------------------------------------------------|--------------------------| +| vaultName | Y | The name of the Azure Key Vault | `"mykeyvault"` | +| spnTenantId | Y | Service Principal Tenant Id | `"spnTenantId"` | +| spnClientId | Y | Service Principal App Id | `"spnAppId"` | +| spnCertificate | Y | Store the certificate for the service principal into the Kubernetes Secret Store.

See [configure the component](#configure-the-component) for more details | kubectl create secret generic [name] --from-file=[fully_qualified_local_path] | + ## Setup Key Vault and service principal ### Prerequisites From 1c1c7509a574a22dbaa52a752ec50962e5d9d054 Mon Sep 17 00:00:00 2001 From: Donovan Brown Date: Mon, 12 Apr 2021 13:50:02 -0500 Subject: [PATCH 2/6] incorporating feedback --- .../supported-secret-stores/azure-keyvault.md | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/daprdocs/content/en/operations/components/setup-secret-store/supported-secret-stores/azure-keyvault.md b/daprdocs/content/en/operations/components/setup-secret-store/supported-secret-stores/azure-keyvault.md index 862403f5d..a904b86d3 100644 --- a/daprdocs/content/en/operations/components/setup-secret-store/supported-secret-stores/azure-keyvault.md +++ b/daprdocs/content/en/operations/components/setup-secret-store/supported-secret-stores/azure-keyvault.md @@ -31,6 +31,8 @@ spec: value: "[your_service_principal_tenant_id]" - name: spnClientId value: "[your_service_principal_app_id]" + - name: spnCertificate + value : "[pfx_certificate_contents_k8s_secret_name]" - name: spnCertificateFile value : "[pfx_certificate_file_fully_qualified_local_path]" ``` @@ -57,7 +59,7 @@ The above example uses secrets as plain strings. It is recommended to use a loca | vaultName | Y | The name of the Azure Key Vault | `"mykeyvault"` | | spnTenantId | Y | Service Principal Tenant Id | `"spnTenantId"` | | spnClientId | Y | Service Principal App Id | `"spnAppId"` | -| spnCertificate | Y | Store the certificate for the service principal into the Kubernetes Secret Store.

See [configure the component](#configure-the-component) for more details | kubectl create secret generic [name] --from-file=[fully_qualified_local_path] | +| spnCertificate | Y | Store the certificate for the service principal into the Kubernetes Secret Store.

kubectl create secret generic [secretName] --from-file=[secretKey]=[fully_qualified_local_path]

See [configure the component](#configure-the-component) for more details | See this guide on [referencing secrets]({{< ref component-secrets.md >}}) to retrieve and use the secret with Dapr components | ## Setup Key Vault and service principal @@ -73,7 +75,7 @@ The above example uses secrets as plain strings. It is recommended to use a loca ```bash # Log in Azure az login - + # Set your subscription to the default subscription az account set -s [your subscription id] ``` @@ -90,7 +92,7 @@ The above example uses secrets as plain strings. It is recommended to use a loca ```bash az ad sp create-for-rbac --name [your_service_principal_name] --create-cert --cert [certificate_name] --keyvault [your_keyvault] --skip-assignment --years 1 - + { "appId": "a4f90000-0000-0000-0000-00000011d000", "displayName": "[your_service_principal_name]", @@ -106,7 +108,7 @@ The above example uses secrets as plain strings. It is recommended to use a loca ```bash az ad sp show --id [service_principal_app_id] - + { ... "objectId": "[your_service_principal_object_id]", @@ -175,11 +177,12 @@ In Kubernetes, you store the certificate for the service principal into the Kube 1. Create a kubernetes secret using the following command: ```bash - kubectl create secret generic [your_k8s_spn_secret_name] --from-file=[pfx_certificate_file_fully_qualified_local_path] + kubectl create secret generic [your_k8s_spn_secret_name] --from-file=[your_k8s_spn_secret_key]=[pfx_certificate_file_fully_qualified_local_path] ``` - `[pfx_certificate_file_fully_qualified_local_path]` is the path of PFX cert file you downloaded above - `[your_k8s_spn_secret_name]` is secret name in Kubernetes secret store +- `[your_k8s_spn_secret_key]` is secret key in Kubernetes secret store 2. Create a `azurekeyvault.yaml` component file 
@@ -204,7 +207,7 @@ spec: - name: spnCertificate secretKeyRef: name: [your_k8s_spn_secret_name] - key: [pfx_certificate_file_fully_qualified_local_path] + key: [your_k8s_spn_secret_key] auth: secretStore: kubernetes ``` From 6eb2b0bdc937a9d19b5d0232e07cd04bf39004ce Mon Sep 17 00:00:00 2001 From: Esteban Luchsinger Date: Sun, 25 Apr 2021 12:44:13 +0200 Subject: [PATCH 3/6] Fix typo Add a missing word --- daprdocs/content/en/getting-started/get-started-api.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daprdocs/content/en/getting-started/get-started-api.md b/daprdocs/content/en/getting-started/get-started-api.md index 1e684538d..5967d32bf 100644 --- a/daprdocs/content/en/getting-started/get-started-api.md +++ b/daprdocs/content/en/getting-started/get-started-api.md @@ -11,7 +11,7 @@ You will now run the sidecar and call the API directly (simulating what an appli ## Step 1: Run the Dapr sidecar -One the most useful Dapr CLI commands is [`dapr run`]({{< ref dapr-run.md >}}). This command launches an application together with a sidecar. For the purpose of this tutorial you'll run the sidecar without an application. +One of the most useful Dapr CLI commands is [`dapr run`]({{< ref dapr-run.md >}}). This command launches an application together with a sidecar. For the purpose of this tutorial you'll run the sidecar without an application. Run the following command to launch a Dapr sidecar that will listen on port 3500 for a blank application named myapp: From 2205991dc2bd551241f494c71cbbf101b57ea557 Mon Sep 17 00:00:00 2001 From: Esteban Luchsinger Date: Sun, 25 Apr 2021 12:57:34 +0200 Subject: [PATCH 4/6] Clarify state management examples --- .../en/getting-started/get-started-api.md | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/daprdocs/content/en/getting-started/get-started-api.md b/daprdocs/content/en/getting-started/get-started-api.md index 5967d32bf..f26919738 100644 
--- a/daprdocs/content/en/getting-started/get-started-api.md +++ b/daprdocs/content/en/getting-started/get-started-api.md @@ -23,7 +23,20 @@ With this command, no custom component folder was defined, so Dapr uses the defa ## Step 2: Save state -In a separate terminal run: +We will now update the state with an object. The new state will look like this: + +```json +[ + { + "key": "name", + "value": "Bruce Wayne" + } +] +``` + +Notice, the object contained in the state has a `key` assigned with the value `name`. You will use the key in the next step. + +Run the command shown below to store the new state. {{< tabs "HTTP API (Bash)" "HTTP API (PowerShell)">}} {{% codetab %}} @@ -44,7 +57,7 @@ Invoke-RestMethod -Method Post -ContentType 'application/json' -Body '[{ "key": ## Step 3: Get state -Now get the state you just stored using a key with the state management API: +Now get the object you just stored in the state by using the state management API with the key `name`: {{< tabs "HTTP API (Bash)" "HTTP API (PowerShell)">}} From 77973dc4e08cd094a448a091f5a517e9a345698c Mon Sep 17 00:00:00 2001 From: Aaron Crawfis Date: Wed, 28 Apr 2021 09:06:26 -0700 Subject: [PATCH 5/6] Update daprdocs/content/en/reference/components-reference/supported-secret-stores/azure-keyvault.md --- .../supported-secret-stores/azure-keyvault.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/daprdocs/content/en/reference/components-reference/supported-secret-stores/azure-keyvault.md b/daprdocs/content/en/reference/components-reference/supported-secret-stores/azure-keyvault.md index 624d4fe14..8e5dab046 100644 --- a/daprdocs/content/en/reference/components-reference/supported-secret-stores/azure-keyvault.md +++ b/daprdocs/content/en/reference/components-reference/supported-secret-stores/azure-keyvault.md 
@@ -33,8 +33,7 @@ spec: value: "[your_service_principal_tenant_id]" - name: spnClientId value: "[your_service_principal_app_id]" - - name: spnCertificate - value : "[pfx_certificate_contents_k8s_secret_name]" + value : "[pfx_certificate_contents]" - name: spnCertificateFile value : "[pfx_certificate_file_fully_qualified_local_path]" ``` From 9051058b1ac4998b7e4e034ab84e6f87eb25d680 Mon Sep 17 00:00:00 2001 From: Aaron Crawfis Date: Wed, 28 Apr 2021 09:06:33 -0700 Subject: [PATCH 6/6] Update daprdocs/content/en/reference/components-reference/supported-secret-stores/azure-keyvault.md --- .../supported-secret-stores/azure-keyvault.md | 25 ++++++++++--------- 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/daprdocs/content/en/reference/components-reference/supported-secret-stores/azure-keyvault.md b/daprdocs/content/en/reference/components-reference/supported-secret-stores/azure-keyvault.md index 8e5dab046..eafc94aa0 100644 --- a/daprdocs/content/en/reference/components-reference/supported-secret-stores/azure-keyvault.md +++ b/daprdocs/content/en/reference/components-reference/supported-secret-stores/azure-keyvault.md @@ -45,22 +45,23 @@ The above example uses secrets as plain strings. It is recommended to use a loca ### Self-Hosted -| Field | Required | Details | Example | -|--------------------|:--------:|-------------------------------------------------------------------------|--------------------------| -| vaultName | Y | The name of the Azure Key Vault | `"mykeyvault"` | -| spnTenantId | Y | Service Principal Tenant Id | `"spnTenantId"` | -| spnClientId | Y | Service Principal App Id | `"spnAppId"` | -| spnCertificateFile | Y | PFX certificate file path.

For Windows the `[pfx_certificate_file_fully_qualified_local_path]` value must use escaped backslashes, i.e. double backslashes. For example `"C:\\folder1\\folder2\\certfile.pfx"`.

For Linux you can use single slashes. For example `"/folder1/folder2/certfile.pfx"`.

See [configure the component](#configure-the-component) for more details | `"C:\\folder1\\folder2\\certfile.pfx"`, `"/folder1/folder2/certfile.pfx"` | +| Field | Required | Details | Example | +|--------------------|:--------:|---------|---------| +| vaultName | Y | The name of the Azure Key Vault | `"mykeyvault"` +| spnTenantId | Y | Service Principal Tenant Id | `"spnTenantId"` +| spnClientId | Y | Service Principal App Id | `"spnAppId"` +| spnCertificateFile | Y | PFX certificate file path.

For Windows the `[pfx_certificate_file_fully_qualified_local_path]` value must use escaped backslashes, i.e. double backslashes. For example `"C:\\folder1\\folder2\\certfile.pfx"`.

For Linux you can use single slashes. For example `"/folder1/folder2/certfile.pfx"`.

See [configure the component](#configure-the-component) for more details | `"C:\\folder1\\folder2\\certfile.pfx"`, `"/folder1/folder2/certfile.pfx"` ### Kubernetes -| Field | Required | Details | Example | -|--------------------|:--------:|-------------------------------------------------------------------------|--------------------------| -| vaultName | Y | The name of the Azure Key Vault | `"mykeyvault"` | -| spnTenantId | Y | Service Principal Tenant Id | `"spnTenantId"` | -| spnClientId | Y | Service Principal App Id | `"spnAppId"` | -| spnCertificate | Y | Store the certificate for the service principal into the Kubernetes Secret Store.

kubectl create secret generic [secretName] --from-file=[secretKey]=[fully_qualified_local_path]

See [configure the component](#configure-the-component) for more details | See this guide on [referencing secrets]({{< ref component-secrets.md >}}) to retrieve and use the secret with Dapr components | +| Field | Required | Details | Example | +|----------------|:--------:|---------|---------| +| vaultName | Y | The name of the Azure Key Vault | `"mykeyvault"` +| spnTenantId | Y | Service Principal Tenant Id | `"spnTenantId"` +| spnClientId | Y | Service Principal App Id | `"spnAppId"` +| spnCertificate | Y | PKCS 12 encoded bytes of the certificate. See [configure the component](#configure-the-component) for details on encoding this in a Kubernetes secret. | `secretKeyRef: ...`
See [configure the component](#configure-the-component) for more information. + ## Setup Key Vault and service principal
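Review bot: the Kubernetes table added in PATCH 1 (`@@ -40,6 +40,8 @@`) puts a shell command (`kubectl create secret generic [name] --from-file=[fully_qualified_local_path]`) in the Example column, which in the Self-Hosted table holds example field values, and it marks `spnCertificate` as Required while the Self-Hosted table marks `spnCertificateFile` as Required, without saying that the two are alternatives. Suggest stating in the section lead (or in the Required cell) that exactly one of the two certificate fields is expected per deployment mode, and moving the kubectl command into the Details cell. Note also that `--from-file=[path]` with no explicit key names the secret entry after the file's basename, which is why the component YAML in PATCH 2's `@@ -204` hunk, with `key: [pfx_certificate_file_fully_qualified_local_path]`, could not have matched before that patch.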
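Review bot: in PATCH 2's `@@ -31,6 +31,8 @@` hunk the component sample now lists both `spnCertificate` and `spnCertificateFile` under one component and gives `spnCertificate` a plain `value : "[pfx_certificate_contents_k8s_secret_name]"`. A plain `value` is a literal string, so the component would receive the secret's name, not the certificate; referencing a Kubernetes secret needs the `secretKeyRef` form already shown in the `@@ -204` hunk. Suggest showing one certificate field per deployment mode (or a comment saying only one applies) and keeping the `secretKeyRef` form for Kubernetes, which also keeps the PFX bytes out of the committed manifest, consistent with the context line recommending a local secret store over plain strings. The `value :` spacing (space before the colon) is copied from the existing line but is worth normalising to `value:` while editing here.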
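Review bot: in PATCH 2's `@@ -57,7 +59,7 @@` hunk the Details cell's command uses the placeholders `[secretName]` and `[secretKey]`, while the `@@ -175` hunk in the same patch uses `[your_k8s_spn_secret_name]` and `[your_k8s_spn_secret_key]` for the same two things; suggest one set of placeholder names so a reader can map the table row to the setup steps. The Example cell now holds a prose link instead of an example value, which is acceptable but should be called out in the commit message since it changes the column's meaning for this row.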
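Review bot: the `@@ -73,7 +75,7 @@`, `@@ -90,7 +92,7 @@` and `@@ -106,7 +108,7 @@` hunks in PATCH 2 only strip trailing whitespace from blank lines inside bash fences. Harmless, but they are unrelated to "incorporating feedback" and bury the substantive changes in the review view; suggest a separate whitespace-only commit or at least a line in the commit message.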
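Review bot: the `@@ -175,11 +177,12 @@` hunk in PATCH 2 correctly adds an explicit key to `kubectl create secret generic [your_k8s_spn_secret_name] --from-file=[your_k8s_spn_secret_key]=[pfx_certificate_file_fully_qualified_local_path]`; without it kubectl keys the entry by the file's basename, so the documented `key:` could never be matched deterministically. Minor wording: the new bullet reads "is secret key in Kubernetes secret store" and should be "is the secret key in the Kubernetes secret store" (the neighbouring bullet has the same missing article). Since this secret holds the service principal's private key, one sentence noting that it should be created in the namespace of the Dapr-enabled application, with RBAC limiting who can read secrets there, and that Kubernetes secrets are only base64-encoded unless encryption at rest is configured, would be worth adding to the step.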
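Review bot: in PATCH 4's `@@ -23,7 +23,20 @@` hunk, "Notice, the object contained in the state" has a stray comma ("Notice that the object ..."), and "We will now update the state with an object" is misleading on a first run, since nothing exists yet to update; "store" or "save", matching the heading "Step 2: Save state", reads better. The JSON sample agrees with the `'[{ "key": ...` body visible in the PowerShell context line, so the two stay in sync.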
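Review bot: the `@@ -33,8 +33,7 @@` hunk in PATCH 5 removes the `- name: spnCertificate` line but keeps `value : "[pfx_certificate_contents]"`, so the resulting list item for `spnClientId` reads `value: "[your_service_principal_app_id]"` followed by `value : "[pfx_certificate_contents]"`: a duplicate mapping key that YAML parsers either reject or resolve by silently keeping one of the two values. Either restore the `- name: spnCertificate` line or delete both lines. Separately, a literal `[pfx_certificate_contents]` means pasting PKCS #12 bytes, which include the private key, into the component manifest; the `secretKeyRef` form in the Kubernetes section is the one the page should steer readers to.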
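Review bot: in PATCH 6's `@@ -45,22 +45,23 @@` hunk the rebuilt tables drop the trailing `|` from every data row while the header and separator rows keep it; GitHub-flavoured markdown tolerates that, but it is inconsistent with the rest of the file. In the Kubernetes table the `spnCertificate` row's Example cell is `secretKeyRef: ...` followed, after a `<br>`, by "See [configure the component](#configure-the-component) for more information", which repeats the sentence already in the Details cell; keep one. "PKCS 12 encoded bytes" is conventionally written "PKCS #12" (or "PKCS12"), and the new description now agrees with PATCH 5 that the field carries the certificate bytes rather than a secret name, so PATCH 2's `[pfx_certificate_contents_k8s_secret_name]` placeholder is superseded and the table's `secretKeyRef: ...` example should show the full `name:`/`key:` pair from the setup section so the two do not diverge again.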