Add support for injecting environment variables from a Secret into the Dapr sidecar #4382
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…e Dapr sidecar Signed-off-by: Anton Troshin <[email protected]>
|
Stale PR, paging all reviewers |
|
Stale PR, paging all reviewers |
hhunter-ms
requested changes
Oct 23, 2024
| weight: 7500 | ||
| description: "Inject Environment Variables from Kubernetes Secrets into Dapr sidecar" | ||
| --- | ||
| In special cases, Dapr sidecar needs an environment variable injected into it. This use case may be required by a Component, a 3rd party library, or a module that uses environment variables to configure the said Component or customize its behavior. This can be useful for both production and non-production environments. |
There was a problem hiding this comment.
Suggested change
| In special cases, Dapr sidecar needs an environment variable injected into it. This use case may be required by a Component, a 3rd party library, or a module that uses environment variables to configure the said Component or customize its behavior. This can be useful for both production and non-production environments. | |
| In special cases, the Dapr sidecar needs an environment variable injected into it. This use case may be required by a component, a 3rd party library, or a module that uses environment variables to configure the said component or customize its behavior. This can be useful for both production and non-production environments. |
| In special cases, Dapr sidecar needs an environment variable injected into it. This use case may be required by a Component, a 3rd party library, or a module that uses environment variables to configure the said Component or customize its behavior. This can be useful for both production and non-production environments. | ||
|
|
||
| ## Overview | ||
| In Dapr 1.15 the new annotation was introduced, `dapr.io/env-from-secret`, similarly to `dapr.io/env`, see [here]({{<ref arguments-annotations-overview>}}). |
There was a problem hiding this comment.
Suggested change
| In Dapr 1.15 the new annotation was introduced, `dapr.io/env-from-secret`, similarly to `dapr.io/env`, see [here]({{<ref arguments-annotations-overview>}}). | |
| In Dapr 1.15, the new `dapr.io/env-from-secret` annotation was introduced, [similar to `dapr.io/env`]({{< ref arguments-annotations-overview >}}). |
|
|
||
| ## Overview | ||
| In Dapr 1.15 the new annotation was introduced, `dapr.io/env-from-secret`, similarly to `dapr.io/env`, see [here]({{<ref arguments-annotations-overview>}}). | ||
| This annotation allows users to inject an environment variable with a value from a Secret, into the Dapr sidecar. |
There was a problem hiding this comment.
Suggested change
| This annotation allows users to inject an environment variable with a value from a Secret, into the Dapr sidecar. | |
| With this annotation, you can inject an environment variable into the Dapr sidecar, with a value from a secret. |
| The values of this annotation are formatted like so: | ||
|
|
||
| - Single key secret: `<ENV_VAR_NAME>=<SECRET_NAME>` | ||
| - Multi key-value secret: `<ENV_VAR_NAME>=<SECRET_NAME>:<SECRET_KEY>` |
There was a problem hiding this comment.
Suggested change
| - Multi key-value secret: `<ENV_VAR_NAME>=<SECRET_NAME>:<SECRET_KEY>` | |
| - Multi key/value secret: `<ENV_VAR_NAME>=<SECRET_NAME>:<SECRET_KEY>` |
| - Single key secret: `<ENV_VAR_NAME>=<SECRET_NAME>` | ||
| - Multi key-value secret: `<ENV_VAR_NAME>=<SECRET_NAME>:<SECRET_KEY>` | ||
|
|
||
| `<ENV_VAR_NAME>` is required to follow the `C_IDENTIFIER` format and captured by the following regex: `[A-Za-z_][A-Za-z0-9_]*`<br/> |
There was a problem hiding this comment.
Suggested change
| `<ENV_VAR_NAME>` is required to follow the `C_IDENTIFIER` format and captured by the following regex: `[A-Za-z_][A-Za-z0-9_]*`<br/> | |
| `<ENV_VAR_NAME>` is required to follow the `C_IDENTIFIER` format and captured by the `[A-Za-z_][A-Za-z0-9_]*` regex: |
| key: auth-headers-secret | ||
| ``` | ||
| This will require the Secret to have both `name` and `key` fields with the same value, "auth-headers-secret". <br/> | ||
| Example secret (for demo purposes only, don't store secrets in plain text) |
There was a problem hiding this comment.
Suggested change
| Example secret (for demo purposes only, don't store secrets in plain text) | |
| **Example secret** | |
| > **Note:** The following example is for demo purposes only. It's not recommended to store secrets in plain text. | |
|
|
||
| ## Configuring multi-key secret environment variable | ||
|
|
||
| Add the `dapr.io/env-from-secret` annotation to Deployment |
There was a problem hiding this comment.
Suggested change
| Add the `dapr.io/env-from-secret` annotation to Deployment | |
| In the following example, the `dapr.io/env-from-secret` annotation is added to the Deployment. | |
| - containerPort: 3000 | ||
| imagePullPolicy: Always | ||
| ``` | ||
| Annotation: `dapr.io/env-from-secret: "AUTH_TOKEN=auth-headers-secret:auth-header-value"` will be injected as: |
There was a problem hiding this comment.
Suggested change
| Annotation: `dapr.io/env-from-secret: "AUTH_TOKEN=auth-headers-secret:auth-header-value"` will be injected as: | |
| The `dapr.io/env-from-secret` annotation with a value of `"AUTH_TOKEN=auth-headers-secret:auth-header-value"` is injected as: | |
| name: auth-headers-secret | ||
| key: auth-header-value | ||
| ``` | ||
| Example secret (for demo purposes only, don't store secrets in plain text) |
There was a problem hiding this comment.
Suggested change
| Example secret (for demo purposes only, don't store secrets in plain text) | |
| **Example secret** | |
| > **Note:** The following example is for demo purposes only. It's not recommended to store secrets in plain text. |
| @@ -67,6 +67,7 @@ This table is meant to help users understand the equivalent options for running | |||
| | not supported | not supported | | `dapr.io/sidecar-readiness-probe-period-seconds` | How often (in seconds) to perform the sidecar readiness probe. Read more [here](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes). Default is `6`| | |||
| | not supported | not supported | | `dapr.io/sidecar-readiness-probe-threshold` | When the sidecar readiness probe fails, Kubernetes will try N times before giving up. In this case, the Pod will be marked Unready. Read more about `failureThreshold` [here](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes). Default is `3`| | |||
| | not supported | not supported | | `dapr.io/env` | List of environment variable to be injected into the sidecar. Strings consisting of key=value pairs separated by a comma.| | |||
| | not supported | not supported | | `dapr.io/env-from-secret` | List of environment variable to be injected into the sidecar from Secret. Strings consisting of "key=secret-name:secret-key" pairs separated by a comma.| | |||
There was a problem hiding this comment.
Suggested change
| | not supported | not supported | | `dapr.io/env-from-secret` | List of environment variable to be injected into the sidecar from Secret. Strings consisting of "key=secret-name:secret-key" pairs separated by a comma.| | |
| | not supported | not supported | | `dapr.io/env-from-secret` | List of environment variables to be injected into the sidecar from secret. Strings consisting of `"key=secret-name:secret-key"` pairs are separated by a comma. | |
Signed-off-by: Anton Troshin <[email protected]>
…shin/dapr-docs into dapr-env-vars-from-secrets-docs
hhunter-ms
approved these changes
Oct 31, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Thank you for helping make the Dapr documentation better!
Please follow this checklist before submitting:
In addition, please fill out the following to help reviewers understand this pull request:
Description
Issue reference