Dapr: Components - Enable Azure Keyvault Integration

Created on 6 Sep 2019  路  7Comments  路  Source: dapr/dapr

Work items:

  • [x] Writing mini-spec
  • [x] Create Service principal and Keyvault for testing
  • [ ] Implement keyvault secretstore
  • [ ] Add test for keyvault secretstore
  • [ ] Add sample
areruntime kinfeature sizXL

Most helpful comment

Overview

Key vault secretstore authenticates keyvault resource with Service Prinicpal. Key vault secretstore will support not only standalone mode but also kubernetes mode with the shared component yaml. In both modes, user needs to provide tenant Id, client id, and certificate for the app representing service principal. Standalone mode uses PKS#12(PFX) certificate located in local disk while Kubernetes mode uses the certs in Kubeneretes secret store by leveraging the existing Kubernetes secretstore implementation.

Metadata

  • vaultName: Azure Keyvault Name
  • spnTenantId: AAD Tenanat Id which includes the app
  • spnClientId: Application Id
  • spnCertificate

    • (for standalone mode) PKS#12(PFX) certificate file path in local disk

    • (for kubernetes mode) secret name for Kubernetes mode

Register secretstore component

Standalone mode example

apiVersion: actions.io/v1alpha1
kind: Component
metadata:
  name: azurekeyvault
spec:
  type: secretstores.keyvault
  metadata:
  - name: vaultName
    value: actions-sample-vault
  - name: spnTenantId
    value: "72f988bf-86f1-41af-91ab-2d7cd011db47"
  - name: spnClientId
    value: "61a33746-1198-49ec-91a5-eaa9140889e3"
  - name: spnCertificateFile
    value: ./cert/spn-cert.pfx

Kubernetes mode example

apiVersion: actions.io/v1alpha1
kind: Component
metadata:
  name: azurekeyvault
spec:
  type: secretstores.keyvault
  metadata:
  - name: vaultName
    value: actions-sample-vault
  - name: spnTenantId
    value: "72f988bf-86f1-41af-91ab-2d7cd011db47"
  - name: spnClientId
    value: "61a33746-1198-49ec-91a5-eaa9140889e3"
  - name: spnCertificate
    secretKeyRef:
      name: keyvaultSecret
      key: spncert
auth:
    secretStore: kubernetes

Use secret via keyvault secret store

The secrets in user's Keyvault are referenced by using secretKeyRef object instead of value property. Unlike one secret in K8S secret store represents a map data type which stores multiple key-values, Azure Keyvault secret is a string data type so that Keyvault secretstore uses only name property in secretKeyRef object to look up secret in Azure Keyvault and key property value will be ignored.

apiVersion: actions.io/v1alpha1
kind: Component
metadata:
  name: statestore
spec:
  type: state.redis
  metadata:
  - name: redisPassword
    secretKeyRef:
      name: redisSecret
  - name: redisHost
    value: "localhost:6379"
auth:
    secretStore: azurekeyvault

Open questions

Reference

All 7 comments

@yaron2 I completed my GTM issues so I will pick it up today.

cc/ @msfussell

Overview

Key vault secretstore authenticates keyvault resource with Service Prinicpal. Key vault secretstore will support not only standalone mode but also kubernetes mode with the shared component yaml. In both modes, user needs to provide tenant Id, client id, and certificate for the app representing service principal. Standalone mode uses PKS#12(PFX) certificate located in local disk while Kubernetes mode uses the certs in Kubeneretes secret store by leveraging the existing Kubernetes secretstore implementation.

Metadata

  • vaultName: Azure Keyvault Name
  • spnTenantId: AAD Tenanat Id which includes the app
  • spnClientId: Application Id
  • spnCertificate

    • (for standalone mode) PKS#12(PFX) certificate file path in local disk

    • (for kubernetes mode) secret name for Kubernetes mode

Register secretstore component

Standalone mode example

apiVersion: actions.io/v1alpha1
kind: Component
metadata:
  name: azurekeyvault
spec:
  type: secretstores.keyvault
  metadata:
  - name: vaultName
    value: actions-sample-vault
  - name: spnTenantId
    value: "72f988bf-86f1-41af-91ab-2d7cd011db47"
  - name: spnClientId
    value: "61a33746-1198-49ec-91a5-eaa9140889e3"
  - name: spnCertificateFile
    value: ./cert/spn-cert.pfx

Kubernetes mode example

apiVersion: actions.io/v1alpha1
kind: Component
metadata:
  name: azurekeyvault
spec:
  type: secretstores.keyvault
  metadata:
  - name: vaultName
    value: actions-sample-vault
  - name: spnTenantId
    value: "72f988bf-86f1-41af-91ab-2d7cd011db47"
  - name: spnClientId
    value: "61a33746-1198-49ec-91a5-eaa9140889e3"
  - name: spnCertificate
    secretKeyRef:
      name: keyvaultSecret
      key: spncert
auth:
    secretStore: kubernetes

Use secret via keyvault secret store

The secrets in user's Keyvault are referenced by using secretKeyRef object instead of value property. Unlike one secret in K8S secret store represents a map data type which stores multiple key-values, Azure Keyvault secret is a string data type so that Keyvault secretstore uses only name property in secretKeyRef object to look up secret in Azure Keyvault and key property value will be ignored.

apiVersion: actions.io/v1alpha1
kind: Component
metadata:
  name: statestore
spec:
  type: state.redis
  metadata:
  - name: redisPassword
    secretKeyRef:
      name: redisSecret
  - name: redisHost
    value: "localhost:6379"
auth:
    secretStore: azurekeyvault

Open questions

Reference

@yaron2 @amanbha @Haishi2016 Please review the mini-spec for keyvault secret store - https://github.com/actionscore/actions/issues/372#issuecomment-532908932

BTW, Kudos to @yaron2. the spec is written really well!

Could you please explain following in a bit more detail:
_Unlike Kubernetes secretstore implementation, Keyvault secretstore uses only name property in secretKeyRef object to look up secret in Azure Keyvault, but key property value must be default. For example, if component yaml uses the different value for key property, the secret value will be empty string._

Could you please explain following in a bit more detail:
_Unlike Kubernetes secretstore implementation, Keyvault secretstore uses only name property in secretKeyRef object to look up secret in Azure Keyvault, but key property value must be default. For example, if component yaml uses the different value for key property, the secret value will be empty string._

In Kubernetes, one secret can have multiple key-values so secretKeyRef object has two properties; name and key.

    secretKeyRef:
      name: redisSecret
      key: password

but in Keyvault, one secret is a string data type unless we serialize object to json.
(in the example, redisSecret is keyvault secret name, password value in key property is useless)

I would like to allow key property to use default or something else. Or maybe it is better ignoring key property value.

@amanbha ignoring key property makes more sense for keyvault. I will update the spec.

Was this page helpful?
0 / 5 - 0 ratings